AWS Storage Blog

Recovering AWS GovCloud (US) workloads using CloudEndure Disaster Recovery

AWS GovCloud (US) hosts sensitive data and regulated workloads. It also addresses the most stringent U.S. government security and compliance requirements. For customers using AWS GovCloud (US), the ability to recover workloads is a top priority in order to keep business running as usual and adhere to relevant compliance requirements. Getting quickly back up and running after an outage often requires a business continuity solution. CloudEndure Disaster Recovery is an example of this type of business continuity solution.

In this blog post, I discuss the differences in setting up a CloudEndure Disaster Recovery project for replication to AWS GovCloud (US) Regions compared to other AWS Regions. There are specific changes to the required IAM policy and CloudEndure blueprint settings necessary for the solution to work in AWS GovCloud (US) Regions. For additional instructions on setting up CloudEndure Disaster Recovery and recovering workloads, reference the CloudEndure documentation portal.

What is CloudEndure Disaster Recovery?

CloudEndure Disaster Recovery provides scalable, cost-effective business continuity for physical, virtual, and cloud servers. It uses continuous block-level replication in order to achieve a business recovery point objective (RPO) of seconds. This architecture can also be used to recover on-premises workloads that require failover capabilities to the AWS GovCloud (US) Regions.

CloudEndure Disaster Recovery replicates data directly from a source operating system into these highly specialized Regions over an encrypted Transmission Control Protocol (TCP) connection. The data can also be encrypted at rest in AWS GovCloud (US) using AWS Key Management Service (AWS KMS) encryption. Once a failover event is initiated, replicated instances spin up within minutes in either AWS GovCloud (US) Region.

Architecture

The following architecture diagram depicts a typical CloudEndure Disaster Recovery deployment to provide a business RPO of seconds. For GovCloud Regions, the only differences are changes to the IAM policy and specific blueprint considerations, covered in the following sections.

[Architecture diagram: scalable, cost-effective business continuity]

AWS Identity and Access Management policy

CloudEndure requires AWS Identity and Access Management (IAM) credentials to make API calls into the AWS GovCloud (US) Region that is the target for replication. These credentials are used to provision the staging area, and perform the orchestration of Disaster Recovery instances in a failover event.

The standard CloudEndure IAM policy must be modified to work in AWS GovCloud (US) Regions: every Amazon Resource Name (ARN) in the policy must use the aws-us-gov partition, for example arn:aws-us-gov:ec2 instead of the standard arn:aws:ec2.

The AWS Migration Hub components of the policy also must be removed as that service is not present in AWS GovCloud (US) Regions.

The full AWS GovCloud (US) compatible IAM policy should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws-us-gov:ec2:*:*:*/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:CreateTags",
            "Resource": "arn:aws-us-gov:ec2:*:*:*/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateVolume"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AttachVolume",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:dhcp-options/*",
                "arn:aws-us-gov:ec2:*:*:instance/*",
                "arn:aws-us-gov:ec2:*:*:volume/*",
                "arn:aws-us-gov:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "CloudEndure*"
                }
            }
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AttachVolume",
                "ec2:DeleteVolume",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:dhcp-options/*",
                "arn:aws-us-gov:ec2:*:*:instance/*",
                "arn:aws-us-gov:ec2:*:*:volume/*",
                "arn:aws-us-gov:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/CloudEndure creation time": "*"
                }
            }
        },
        {
            "Sid": "AllowGovCloudVolumeDetach",
            "Effect": "Allow",
            "Action": [
                "ec2:DetachVolume",
                "ec2:AttachVolume",
                "ec2:DeleteVolume"
            ],
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:instance/*",
                "arn:aws-us-gov:ec2:*:*:volume/*"
            ]
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": [
                "ec2:DisassociateAddress",
                "ec2:CreateDhcpOptions",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeregisterImage",
                "ec2:DeleteSubnet",
                "ec2:DeleteSnapshot",
                "ec2:ModifySnapshotAttribute",
                "ec2:ModifyVolumeAttribute",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:GetConsoleScreenshot",
                "ec2:GetConsoleOutput",
                "elasticloadbalancing:DescribeLoadBalancer*",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSnapshot",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AssociateDhcpOptions",
                "ec2:ImportKeyPair",
                "ec2:CreateTags",
                "ec2:RegisterImage",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssociateRouteTable",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "iam:ListInstanceProfiles",
                "ec2:AllocateAddress",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:CreateVolume",
                "kms:ListKeys",
                "ec2:Describe*",
                "ec2:DeleteVpc",
                "iam:GetUser",
                "ec2:CreateSubnet",
                "ec2:AssociateAddress",
                "ec2:DeleteKeyPair",
                "ec2:CreateNetworkAclEntry"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "kms:Decrypt",
                "kms:Encrypt",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteDhcpOptions",
                "ec2:RunInstances",
                "kms:DescribeKey",
                "kms:CreateGrant",
                "ec2:DeleteNetworkAclEntry",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:subnet/*",
                "arn:aws-us-gov:ec2:*:*:key-pair/*",
                "arn:aws-us-gov:ec2:*:*:dhcp-options/*",
                "arn:aws-us-gov:ec2:*:*:instance/*",
                "arn:aws-us-gov:ec2:*:*:volume/*",
                "arn:aws-us-gov:ec2:*:*:security-group/*",
                "arn:aws-us-gov:ec2:*:*:network-acl/*",
                "arn:aws-us-gov:ec2:*:*:placement-group/*",
                "arn:aws-us-gov:ec2:*:*:vpc/*",
                "arn:aws-us-gov:ec2:*:*:network-interface/*",
                "arn:aws-us-gov:ec2:*::image/*",
                "arn:aws-us-gov:ec2:*:*:snapshot/*",
                "arn:aws-us-gov:kms:*:*:key/*"
            ]
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:subnet/*",
                "arn:aws-us-gov:ec2:*::network-interface/*",
                "arn:aws-us-gov:ec2:*:*:dhcp-options/*",
                "arn:aws-us-gov:ec2:*::snapshot/*",
                "arn:aws-us-gov:ec2:*:*:security-group/*",
                "arn:aws-us-gov:ec2:*::image/*"
            ]
        },
        {
            "Sid": "VisualEditor7",
            "Effect": "Allow",
            "Action": "ec2:Delete*",
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:route-table/*",
                "arn:aws-us-gov:ec2:*:*:dhcp-options/*",
                "arn:aws-us-gov:ec2:*:*:instance/*",
                "arn:aws-us-gov:ec2:*:*:volume/*",
                "arn:aws-us-gov:ec2:*:*:security-group/*",
                "arn:aws-us-gov:ec2:*:*:internet-gateway/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "CloudEndure*"
                }
            }
        },
        {
            "Sid": "VisualEditor8",
            "Effect": "Allow",
            "Action": "ec2:Delete*",
            "Resource": [
                "arn:aws-us-gov:ec2:*:*:route-table/*",
                "arn:aws-us-gov:ec2:*:*:dhcp-options/*",
                "arn:aws-us-gov:ec2:*:*:instance/*",
                "arn:aws-us-gov:ec2:*:*:volume/*",
                "arn:aws-us-gov:ec2:*:*:security-group/*",
                "arn:aws-us-gov:ec2:*:*:internet-gateway/*"
            ],
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/CloudEndure creation time": "*"
                }
            }
        }
    ]
}
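The two edits described above, rewriting the ARN partition and dropping the Migration Hub statements, are mechanical, so here is an added Python example (not from the post or from CloudEndure) that applies them to a standard-partition policy and then checks the result. It assumes "mgh" is the IAM action prefix for AWS Migration Hub, and the sample policy is constructed for illustration.

```python
import copy
import re

# The post says the Migration Hub statements must be removed because that
# service is absent from AWS GovCloud (US); its IAM prefix "mgh" is assumed.
SERVICES_ABSENT_IN_GOVCLOUD = {"mgh"}
STANDARD_PARTITION = re.compile(r"^arn:aws:")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def convert_policy_to_govcloud(policy):
    """Copy a standard-partition policy, rewriting ARNs to aws-us-gov, dropping
    actions of absent services and any statement that then grants nothing."""
    out = copy.deepcopy(policy)
    kept = []
    for stmt in out["Statement"]:
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a.split(":", 1)[0] not in SERVICES_ABSENT_IN_GOVCLOUD]
        if not actions:
            continue  # e.g. a statement that only granted Migration Hub
        stmt["Action"] = actions if len(actions) > 1 else actions[0]
        if "Resource" in stmt:
            res = [STANDARD_PARTITION.sub("arn:aws-us-gov:", r)
                   for r in _as_list(stmt["Resource"])]
            stmt["Resource"] = res if len(res) > 1 else res[0]
        kept.append(stmt)
    out["Statement"] = kept
    return out

def govcloud_policy_problems(policy):
    """List standard-partition ARNs and actions of absent services, by Sid."""
    problems = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        for a in _as_list(stmt.get("Action", [])):
            if a.split(":", 1)[0] in SERVICES_ABSENT_IN_GOVCLOUD:
                problems.append(f"{sid}: action {a} is unavailable in GovCloud")
        for r in _as_list(stmt.get("Resource", [])):
            if STANDARD_PARTITION.match(r):
                problems.append(f"{sid}: standard-partition ARN {r}")
    return problems

# Constructed sample of a standard-Region policy, not CloudEndure's real one.
SAMPLE_STANDARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Run", "Effect": "Allow", "Action": ["ec2:RunInstances", "kms:Decrypt"],
     "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:kms:*:*:key/*"]},
    {"Sid": "Hub", "Effect": "Allow", "Action": "mgh:*", "Resource": "*"}]}
```

Running govcloud_policy_problems over the converted policy should return an empty list before you attach it; any remaining entry points at a statement that will fail in the GovCloud partition.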

Blueprint settings

The CloudEndure blueprint is the configuration that determines how your instance is provisioned in a failover event. Amazon Elastic Compute Cloud (Amazon EC2) differs in certain ways between AWS GovCloud (US) and standard Regions, and these differences must be accounted for in the blueprint so that recovered instances launch successfully.

Provisioned IOPS SSD io2 volumes are not supported in AWS GovCloud (US) Regions, so selecting io2 in the CloudEndure blueprint causes a launch failure. Machines that require provisioned I/O performance should use the io1 or gp3 volume type instead.

The EC2 serial console is not available in AWS GovCloud (US) Regions, so access to a failed-over instance depends on correctly configured security groups and subnet routing. Security groups must allow the ports needed for the connection, and the subnet chosen for launch must have routing and a network access control list (NACL) in place that permit the traffic.

Summary and next steps

In this blog post, I covered the differences between setting up CloudEndure Disaster Recovery in AWS GovCloud (US) Regions versus standard AWS Regions. Using CloudEndure Disaster Recovery in AWS GovCloud (US) is an effective way to recover sensitive workloads with near-zero data loss and recovery in minutes. This is a top priority for AWS GovCloud (US) users in order to keep business running as usual and adhere to relevant compliance requirements. To get started with CloudEndure Disaster Recovery, register on the AWS Marketplace today.

Thanks for reading this blog post on recovering AWS GovCloud (US) workloads using CloudEndure Disaster Recovery. If you have any comments or questions, feel free to leave them in the comments section.