Configuring Export-Based Backups for Amazon RDS Instances with STS Assume Role Authentication

You can configure export-based backups for Amazon RDS instances using STS assume role authentication. First, configure the AWS admin account in Commvault Cloud. Then, configure the AWS tenant accounts.

Configure the AWS Admin Account

Start the Configuration Wizard

  1. From the Command Center navigation pane, go to Protect > Databases.

    The Overview page appears.

  2. In the upper-right area of the page, click Add instance, and then select Cloud database service.

    The Add Cloud DB Instance dialog box appears.

  3. Select Amazon Web Services and then click Next.

    The Configure Amazon Database dialog box appears.

  4. Select RDS (Export) and then click Next.

    The Select Database page appears.

  5. Select the database type, and then click Next.

    The Configure Permissions page appears.

Configure Permissions

  1. From the Authentication method list, select AWS STS AssumeRole (recommended).

  2. Verify an existing CommvaultAdminRole IAM role or create a new CommvaultAdminRole IAM role in the AWS admin account:

    • If the CommvaultAdminRole IAM role was previously created for another AWS workload, do the following:

      1. Verify that the CommvaultAdminRole-STSAssumePolicy IAM policy for the AWS workload is attached to the CommvaultAdminRole IAM role.

      2. At the bottom of the page, select the confirmation check box.

      3. Click Next.

        The Region page of the configuration wizard appears.

    • If the CommvaultAdminRole IAM role does not exist yet, create it in AWS.

      Steps to create CommvaultAdminRole IAM role
      1. Click the Launch CloudFormation Stack link to open the AWS console for the AWS admin account.

        Important

        If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.

      2. Log on to the AWS console.

        The Quick create stack page appears.

      3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.

      4. Click Create stack.

        Wait for the CloudFormation Stack to finish creating the CommvaultAdminRole IAM role. The CloudFormation Stack creates an IAM policy called CommvaultAdminRole-STSAssumePolicy for STS Assume Role authentication, and then attaches the policy to CommvaultAdminRole.

      5. Return to the Commvault Cloud configuration wizard.

  3. Under Configure Credential, from the Credentials list, select CommvaultUserGroup credential.

  4. Click Next.

    The Access Node page of the configuration wizard appears.


Access Node

An access node or backup gateway is required to back up instances without egress charges.

Considerations

Because this is a cross-account environment, if you create a new backup gateway, install it in an AWS admin account.

  • If AWS EBS encryption is enabled for your region in your AWS account, the user who uses the access node template must be a key user for the default encryption key. To check whether EBS encryption is enabled, in your AWS account, go to EC2 > EC2 Dashboard > Settings > EBS encryption. To see the list of key users for the default encryption key, in your AWS account, go to Key Management Service > Customer managed keys. If you do not have the correct level of access to use the template, copy the Launch CloudFormation Stack link and share it with someone who does, such as your security administrator.

  • Determine the region of your AWS S3 storage. The access node must reside in the same region as the primary storage.

Procedure

  1. Select an existing access node or create a new access node.

    Steps to create an access node
    1. Click the add (+) button.

      The Add a new backup gateway dialog box appears.

    2. For Platform, select the OS for the backup gateway.

      Note

      You cannot use a Linux backup gateway to protect RDS SQL Server instances.

    3. From the Region list, select the region that the databases reside in.

      The system will ensure that your database and the primary copy reside in the same region as your backup gateway to prevent inter-region charges or performance impacts due to inter-region latencies.

    4. Click Generate link.

      An AWS CloudFormation template is created based on the region and the operating system that you selected.

    5. Click the Launch CloudFormation Template link to open the AWS console.

      Note

      If AWS EBS encryption is enabled for your region in your AWS account, you must be a key user for the default encryption key to use the template. If you are not a key user for the default encryption key, copy the Launch CloudFormation Template link and share it with someone who is, such as your security administrator.

    6. Log on to the AWS console.

      The Quick create stack page appears.

    7. Under Parameters, enter the following information:

      1. From the EC2 Instance Type list, select the type of EC2 instance to use for the backup gateway.

      2. From the EC2 Key Pair list, select a key pair to use to access the Commvault Cloud backup gateway.

      3. From the VPC ID list, select an Amazon Virtual Private Cloud (VPC).

      4. From the Subnet ID list, select a subnet.

      5. From the VPC CIDR list, select a VPC CIDR.

      Note

      Port 8403 opens on backup gateways only when the request comes from the IP ranges that are listed in the VPC CIDR field.

    8. Click Create stack.

      Wait for the Commvault Cloud backup gateway to be created.

    9. Return to the Commvault Cloud configuration wizard.

    10. Refresh the list of backup gateways, and then select the backup gateway that you created.

  2. Click Next.

    The Plan page of the configuration wizard appears.

Plan

A backup plan specifies the storage to back up the data to and other settings such as recovery point objective (RPO) settings.

  1. Select an existing backup plan or create a new backup plan.

    Steps to create a backup plan
    1. Click the add (+) button.

      The Add plan dialog box appears.

    2. In the Plan name box, enter a descriptive name for the backup plan.

    3. From the Storage list, select an existing storage, or add a new storage.

    4. For the backup plan settings, select pre-defined settings or create custom settings:

      • To select pre-defined settings, under Retention rules, select one of the following:

        • Select 1 month retention plan to retain the incremental backups for 1 month.

        • Select 1 year retention plan to retain the incremental backups for 1 year.

        • Select 3 year retention plan to retain the incremental backups for 3 years.

      • To create custom settings, select Custom plan, and then specify the following:

        • For Retention, specify the amount of time to retain the backup jobs.

        • For Backups run every, specify how often to run backups.

    5. To create a plan with all the advanced options, under Advanced options, click the click here link, and then create a new plan.

    6. Click Done.

  2. Click Next.

    The Cloud Account page of the configuration wizard appears.


Cloud Account

The cloud account is used to access the databases for discovery, backups, and other operations.

  1. Select an existing cloud account or create a new cloud account.

    Steps to create a cloud account
    1. Select Add cloud account.

    2. In Name, enter a descriptive name for the account.

    3. Under Advanced options, from the Regional endpoints list, select a region for the endpoint.

    4. Click Save.

  2. Click Next.

    The Backup Content page of the configuration wizard appears.

Backup Content

  1. From the Instance name list, select the instance to back up.

  2. For all the other input fields, based on the database type selected, provide the relevant connection information to access the database instance. For more information, see Backup Content Configuration Properties.

  3. To verify that you can connect to the database, click Test connection.

  4. Click Next.

    The Summary page appears.

Summary

  1. Review the summary.

  2. Click Finish.

Configure the AWS Tenant Account

Start the Configuration Wizard

  1. From the Command Center navigation pane, go to Protect > Databases.

    The Overview page appears.

  2. In the upper-right area of the page, click Add instance, and then select Cloud database service.

    The Add Cloud DB Instance dialog box appears.

  3. Select Amazon Web Services and then click Next.

    The Configure Amazon Database dialog box appears.

  4. Select RDS (Export) and then click Next.

    The Select Database page appears.

  5. Select the database type, and then click Next.

    The Configure Permissions page appears.

Configure Permissions

  1. From the Authentication method list, select IAM Role.

  2. Verify an existing CommvaultRole IAM role or create a new CommvaultRole IAM role in the AWS tenant account:

    • If the CommvaultRole IAM role was previously created for another AWS workload, do the following:

      1. Verify that the IAM policies for the AWS workload are attached to the CommvaultRole IAM role.

      2. Verify that the trust relationship is set with the CommvaultAdminRole IAM Role in the AWS admin account.

    • If the CommvaultRole IAM role does not exist yet, create it in AWS.

      Steps to create CommvaultRole IAM role
      1. Click the Launch CloudFormation Stack link to open the AWS console for the AWS tenant account.

        Important

        If you do not have permission to create a role in the AWS account, copy the Launch CloudFormation Stack link and share it with your AWS IAM administrator.

      2. Log on to the AWS console.

        The Quick create stack page appears.

      3. Under Capabilities, read the information about the template, and then select the acknowledgment check box.

      4. Click Create stack.

        Wait for the CloudFormation Stack to finish creating the CommvaultRole IAM role. The CloudFormation Stack creates IAM policies for all supported AWS workloads, and then attaches the policies to CommvaultRole.

      5. Go to IAM, select the IAM Role, and then edit the Trust relationship.

      6. Add the ARN of the CommvaultAdminRole in the AWS admin account, as in the following trust policy (111111111111 is a placeholder for the admin account ID):

         {
             "Version": "2012-10-17",
             "Statement": [
                 {
                     "Effect": "Allow",
                     "Principal": {
                         "AWS": "arn:aws:iam::111111111111:role/Commvault/CommvaultAdminRole",
                         "Service": "ec2.amazonaws.com"
                     },
                     "Action": "sts:AssumeRole"
                 }
             ]
         }

      7. Return to the Commvault Cloud configuration wizard.

  3. Under Configure Credential, from the Credentials list, select CommvaultAdminRole credential.

  4. Click Next.

    The Access Node page of the configuration wizard appears.
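The trust relationship edited in step 6 above decides which principals can assume CommvaultRole in the tenant account. The following added example (not Commvault's code) builds that trust policy from the admin role ARN and checks an existing policy document for the conditions a reviewer would want: the admin role is trusted, and no wildcard or account-root principal widens the trust. The account ID 111111111111 is the page's placeholder, and the helper names are assumptions.

```python
import json

ADMIN_ACCOUNT_ID = "111111111111"  # placeholder from the page, not a real account
ADMIN_ROLE_ARN = f"arn:aws:iam::{ADMIN_ACCOUNT_ID}:role/Commvault/CommvaultAdminRole"


def build_trust_policy(admin_role_arn: str) -> dict:
    """Trust policy for CommvaultRole in the tenant account, matching the page's
    example: CommvaultAdminRole in the admin account (plus the EC2 service, for
    the backup gateway's instance profile) may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": admin_role_arn, "Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_role_arn: str) -> list:
    """Return findings for a CommvaultRole trust policy; an empty list means the
    policy trusts the expected admin role and no over-broad AWS principal."""
    findings = []
    trusted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("statement trusts every principal ('*')")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            trusted.add(arn)
            # Account root (or '*') lets any principal in that account with
            # sts:AssumeRole permission assume CommvaultRole, not just the admin role.
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"over-broad AWS principal: {arn}")
    if expected_role_arn not in trusted:
        findings.append(f"admin role not trusted: {expected_role_arn}")
    return findings


if __name__ == "__main__":
    doc = build_trust_policy(ADMIN_ROLE_ARN)
    print(json.dumps(doc, indent=4))  # paste into the Trust relationship editor
    print("findings:", check_trust_policy(doc, ADMIN_ROLE_ARN))
```

Run `check_trust_policy` against the JSON you copy out of the IAM console's Trust relationships tab to confirm the edit took effect and that nothing broader than the admin role was left in place.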


Access Node

  1. Select the access node that was created when the AWS admin account was configured.

  2. Click Next.

    The Plan page of the configuration wizard appears.

Plan

  1. Select the backup plan that was created when the AWS admin account was configured.

  2. Click Next.

    The Cloud Account page of the configuration wizard appears.

Cloud Account

  1. Select an existing cloud account or create a new cloud account.

    Steps to create a cloud account
    1. Select Add cloud account.

    2. In Name, enter a descriptive name for the account.

    3. Under Advanced options, from the Regional endpoints list, select a region for the endpoint.

    4. Click Save.

  2. Click Next.

    The Backup Content page of the configuration wizard appears.

Backup Content

  1. From the Instance name list, select the instance to back up.

  2. For all the other input fields, based on the database type selected, provide the relevant connection information to access the database instance. For more information, see Backup Content Configuration Properties.

  3. To verify that you can connect to the database, click Test connection.

  4. Click Next.

    The Summary page of the configuration wizard appears.

Summary

  1. Review the summary.

  2. Click Finish.
