AWS Cross-Tenant Configuration

Cloud Connection

To perform a cross-tenant recovery, the user should have two Cloud Connections: one pointing to the primary AWS account and another pointing to the recovery AWS account.

To add a new AWS Cloud Connection in Appranix, follow the steps below:

  1. Navigate to "Cloud Connections" and click "Add Cloud Connection"

  2. Fill in the Name and Description for the connection and choose AWS as the cloud provider

  3. Select the primary and recovery regions

  4. Enable the services required

  5. Launch the CloudFormation template in your AWS console

  6. After the execution, copy the ARN from the output section of the CloudFormation screen

  7. Register the cloud and wait for the connection to progress to see the discovered resources

Once the required Cloud Connection is created, the recovery AWS account's Cloud Connection needs to be shared with the primary AWS account's Cloud Connection.

Steps to add shared Cloud Connection:

  1. Choose the primary AWS Cloud Connection. Click the “Actions” button and select “Shared Cloud Connection”

  2. In the Shared Accounts dashboard, click “SHARE TO CLOUD CONNECTION” and select the recovery AWS account's Cloud Connection. Save the chosen Cloud Connection

A discovery sync is triggered immediately after the shared Cloud Connection is added. Proceed with the Cloud Assembly creation once the sync completes.

Assembly creation:

To create a new AWS Cloud Assembly in Appranix, follow the steps below:

In General Information,

  1. Enter the Cloud Assembly name and description

  2. Select the primary AWS account Cloud Connection for which the resources have to be protected

  3. Select the desired recovery regions

  4. Turn on the “Allow cross-account protection” toggle to enable cross-account protection

In Resources,

  1. For AWS, select the VPC that has to be protected in this Cloud Assembly

  2. Resources can be chosen as the entire VPC, as selected resources, or using tags

  3. Selection using tags can be made by matching all the tags or matching at least one tag

NOTE: If "Entire VPC" is selected during this step, the option to edit the resources after the assembly creation will not be available.

In Protection Policy,

  1. Select a protection policy to protect the resources

  2. Protection policy can be used to define the time at which the snapshot has to be taken and the number of snapshots to be retained using a retention count

  3. A policy template can be created to fit the protection needs best

  4. To create a new protection policy template, click here

  5. The policy can be activated on its schedule, triggered once immediately, or delayed to a specific time

In Review,

  1. Review the general information, resource information, and the protection policy details provided

  2. Edit the details if required and proceed to finish and create a Cloud Assembly

AWS Recovery

To create the recovery from Cloud Assembly, follow the steps below.

  1. Navigate to "Cloud Assemblies" and click the assembly you want to recover

  2. Select the timeline tab, then select a protected timeline

  3. From the timeline view, click "RECOVER" in the header section

  4. Fill in the name and select the recovery type

  5. Select the recovery type as Cross Account for performing a Cross-tenant recovery

  6. Choose the resources to recover

  7. Click "Recover" to create a new recovery

NOTE:

  1. RDS encrypted DB instances, RDS clusters and EFS are yet to be supported.

  2. EBS volumes encrypted with the default AWS encryption key cannot be recovered. We do support the ones with custom keys.

  3. For cross-account replication, it is mandatory to share the encryption KMS key from the primary AWS account to the recovery AWS account. To share the KMS key:

       * Log in to your primary AWS account.
       * Open the KMS dashboard and select the KMS key that is used for encrypting the EBS volume.
       * Share it by entering the recovery AWS account ID.

  4. Cross-region replication can't be done if the EBS volume is encrypted using the default AWS encryption key.
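
The key-sharing step in item 3, shown as an added example (not Appranix code): sharing a customer managed key with another account in the KMS console amounts to adding key-policy statements that name that account. The Python below builds those statements and audits which accounts a key policy trusts; the account IDs, Sid names and function names are placeholders chosen for this example.

```python
import copy

# Actions the KMS console adds when a key is shared with another account.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

# Constructed sample: default policy of a customer managed key.
PRIMARY, RECOVERY = "111111111111", "222222222222"  # placeholder account IDs
BASE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{PRIMARY}:root"},
     "Action": "kms:*", "Resource": "*"}]}

def share_key(policy, recovery_account_id):
    """Return a copy of `policy` that lets the recovery account use the key."""
    root = f"arn:aws:iam::{recovery_account_id}:root"
    wanted = [
        {"Sid": "AllowRecoveryAccountUse", "Effect": "Allow",
         "Principal": {"AWS": root}, "Action": USE_ACTIONS, "Resource": "*"},
        # Grants may only be created for AWS services (e.g. EBS) using the key.
        {"Sid": "AllowRecoveryAccountGrants", "Effect": "Allow",
         "Principal": {"AWS": root}, "Action": GRANT_ACTIONS, "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]
    new = copy.deepcopy(policy)
    present = {s.get("Sid") for s in new["Statement"]}
    # Idempotent: a second call adds nothing.
    new["Statement"] += [s for s in wanted if s["Sid"] not in present]
    return new

def audit(policy, allowed_account_ids):
    """Flag Allow statements whose principal is '*' or an unlisted account."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            parts = arn.split(":")
            account = parts[4] if len(parts) > 4 else arn
            if arn == "*" or account not in allowed_account_ids:
                findings.append((stmt.get("Sid"), arn))
    return findings

if __name__ == "__main__":
    shared = share_key(BASE_POLICY, RECOVERY)
    print(audit(shared, {PRIMARY}))            # recovery account is flagged
    print(audit(shared, {PRIMARY, RECOVERY}))  # clean once it is expected
```

The resulting document can be applied with `aws kms put-key-policy` (policy name `default`). Principals in the recovery account additionally need an IAM policy that allows the same actions on the key's ARN.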