Dell PowerProtect Cyber Recovery 19.15 AWS Deployment Guide

Deploying additional DDVE appliances in the Cyber Recovery vault

Multiple production DD systems can replicate data to multiple DD Virtual Edition (DDVE) appliances in the Cyber Recovery vault. After the Cyber Recovery solution is deployed on Amazon Web Services (AWS), you can add additional DDVE appliances to the Cyber Recovery vault.

1. In the AWS Management Console, go to Services > VPC.
2. Under SECURITY on the left side menu, click Network ACLs.
3. Under Network ACLs in the main window, click <your prefix>_PPCR Jump Host Subnet ACL.
4. Edit the jump host ACL:
   1. Click the Inbound rules tab, and then click Edit Inbound Rules.
   2. In the Edit Inbound Rules window, click Add new rule.
   3. Add a rule that includes the ephemeral range 1024-65535 for the destination IP address of the newly added DDVE, and then click Save changes.
      NOTE:The default value for the Allow/Deny field is Allow. This field indicates that the port range from the source IP address, which is the newly added DDVE, is allowed.
   4. Click the Outbound rules tab, and then click Edit Outbound Rules.
   5. In the Edit Outbound Rules window, click Add new rule.
   6. Add a rule that includes the ephemeral range 1024-65535 for the destination IP address of the newly added DDVE.
   7. Click Add new rule again.
   8. Add a rule that includes https port 443 for the destination IP address of the newly added DDVE, and then click Save changes.
5. Under SECURITY on the left side menu, click Security Groups.
6. Under Security Groups in the main window, click <your prefix>_PPCR Mgmt Host SG.
7. Edit the management host security group:
   1. Click the Outbound rules tab, and then click Edit Outbound Rules.
   2. In the Edit Outbound Rules window, click Add rule.
   3. Add the following four rules for the destination IP address of the new DDVE:
      • Add SSH port 22
      • Add Custom TCP port 2052
      • Add Custom TCP port 2049
      • Add Custom TCP port 111
   4. Click Save rules.
8. Under VIRTUAL PRIVATE CLOUD on the left side menu, click Endpoints.
9. Select the endpoint that corresponds to the S3 Gateway endpoint that was created during the initial CloudFormation deployment.
   NOTE:The endpoint type is displayed as Gateway.
10. Click the Policy tab, and then click Edit Policy.
11. In the Edit Policy window, under the Resource section of the policy, add the Amazon Resource Name (ARN) for the S3 bucket that was created for the newly added DDVE.

    The following example shows the required changes in boldface:

    • dds3bucket is the original bucket that was created during the initial CloudFormation deployment.
    • secondary-dds3bucket is the new bucket that is created for the additional DDVE in the Cyber Recovery vault.

    NOTE:Ensure that you add the bucket name as a resource on one line, and then repeat on the second line with the trailing /*. You must include both lines.

    {
        "Version": "2012-10-17",
        "Id": "Policy1603765487446",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::dds3bucket",
                    "arn:aws:s3:::dds3bucket",
                    "arn:aws:s3:::secondary-dds3bucket",
                    "arn:aws:s3:::secondary-dds3bucket/*"
                ]
            }
        ]
    }
    

12. Click Save.
    You can now access the Cyber Recovery jump host on AWS and connect to the newly added DDVE.
13. Return to the PowerProtect DD Virtual Edition on Amazon Web Services Installation and Administration Guide instructions to create a file system on S3 object storage on the newly added DDVE.