Amazon Redshift

Amazon Redshift Resource Replication with Arpio

Arpio supports the following Redshift services:

Redshift Provisioned Clusters

Arpio replicates the following Amazon Redshift provisioned cluster resource types:

  • Redshift Cluster
  • Redshift Cluster Parameter Group
  • Redshift Cluster Subnet Group

Redshift Cluster

The following attributes are translated during replication:

| Attribute | Translation |
| --- | --- |
| VPC, VPC Security Groups, Parameter Groups, IAM Roles, Default IAM Role ARN, Subnet Group Names | Translated to corresponding entities that Arpio manages in the recovery environment |
| Availability Zones | Arpio translates to a compatible availability zone in the recovery region, maintaining diversity across availability zones in that region |
| KMS Key, Master Password Secret KMS | If using encryption at rest, Arpio creates new KMS keys in the recovery environment that it uses to encrypt snapshots and authorize master user access |
| Custom Domain Certificate | Arpio creates an ACM certificate in the recovery environment to use with the custom domain and associates that to the cluster. |

The following resources are automatically selected into recovery points when a Redshift Cluster is selected:

  • IAM Roles listed as associated roles and the default cluster role
  • Associated Redshift Cluster Parameter Groups
  • Associated Redshift Cluster Subnet Groups
  • Associated VPC
  • Associated VPC Security Groups
  • Any Secrets Manager secrets referenced by the cluster
  • Any ACM certificates associated with the custom domain for the cluster

Redshift Cluster Parameter Group

Arpio replicates Redshift Cluster Parameter Groups to the recovery environment.

No fields require translation during replication.

Redshift Cluster Subnet Group

Arpio replicates Redshift Cluster Subnet Groups to the recovery environment.

The following attributes are translated during replication:

| Attribute | Translation |
| --- | --- |
| Subnets | Translated to corresponding subnets that Arpio manages in the recovery environment |
| VPC | Translated to corresponding VPC that Arpio manages in the recovery environment |

The following resources are automatically selected into recovery points when a Redshift Subnet Group is selected:

  • The VPC Subnets referenced by the subnet group

Redshift Cluster Implementation Details:

Due to Redshift limitations, replication for Redshift clusters happens in the following ways:

  • For same-region recovery:
    • Taking a snapshot and sharing it with the recovery account
  • For cross-region recovery:
    • Enabling cross-region snapshots on the source account to the target region
    • Taking a snapshot and waiting for it to be replicated to the target region (still in the source account)
    • Sharing the replicated snapshot with the recovery account

Snapshots of Redshift Clusters are incremental from the previous snapshot on the source, but enabling cross-region snapshots results in an initial full copy of the snapshot in the new region. Subsequent snapshots will be incremental as long as the KMS key used to encrypt the snapshot is the same.
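A customer-side audit of the snapshot sharing and KMS key behaviour described above, as an added example (not Arpio's code). It assumes input shaped like the "Snapshots" list from `aws redshift describe-cluster-snapshots`; the account IDs, key ARNs and snapshot names are constructed placeholders, and `audit_snapshots` is a hypothetical helper.

```python
from datetime import datetime

# Constructed sample shaped like the "Snapshots" list returned by
# `aws redshift describe-cluster-snapshots` in the target region.
# Account IDs, key ARNs and snapshot names are placeholders.
KEY_A = "arn:aws:kms:us-west-2:111111111111:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-west-2:111111111111:key/EXAMPLE-KEY-B"

def _snap(name, created, key, accounts):
    return {
        "SnapshotIdentifier": name,
        "ClusterIdentifier": "analytics",
        "SnapshotCreateTime": created,
        "Encrypted": key is not None,
        "KmsKeyId": key,
        "AccountsWithRestoreAccess": [{"AccountId": a} for a in accounts],
    }

SAMPLE_SNAPSHOTS = [
    _snap("snap-3", "2024-05-03T02:00:00+00:00", KEY_B, ["222222222222"]),
    _snap("snap-1", "2024-05-01T02:00:00+00:00", KEY_A, ["222222222222"]),
    _snap("snap-2", "2024-05-02T02:00:00+00:00", KEY_A, ["222222222222", "999999999999"]),
]

def audit_snapshots(snapshots, recovery_account):
    """Return (snapshot, finding) pairs for replicated snapshots, oldest first."""
    findings = []
    last_key = {}  # cluster -> KMS key of the previous snapshot
    ordered = sorted(snapshots, key=lambda s: datetime.fromisoformat(s["SnapshotCreateTime"]))
    for snap in ordered:
        sid, cluster = snap["SnapshotIdentifier"], snap["ClusterIdentifier"]
        if not snap.get("Encrypted"):
            findings.append((sid, "unencrypted"))
        shared = {a["AccountId"] for a in snap.get("AccountsWithRestoreAccess", [])}
        # Restore access should be granted to the recovery account only.
        for account in sorted(shared - {recovery_account}):
            findings.append((sid, "unexpected-share:" + account))
        if recovery_account not in shared:
            findings.append((sid, "not-shared-with-recovery-account"))
        # Per the text above, snapshots stay incremental only while the key is unchanged.
        key = snap.get("KmsKeyId")
        if cluster in last_key and key != last_key[cluster]:
            findings.append((sid, "kms-key-changed"))
        last_key[cluster] = key
    return findings

if __name__ == "__main__":
    for finding in audit_snapshots(SAMPLE_SNAPSHOTS, "222222222222"):
        print(*finding)
```
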

Amazon Redshift Serverless

Arpio replicates the following Amazon Redshift Serverless resource types:

  • Redshift Serverless Namespace
  • Redshift Serverless Workgroup

Redshift Serverless Namespace

The following attributes are translated during replication:

| Attribute | Translation |
| --- | --- |
| IAM Roles, Default IAM Role ARN | Translated to corresponding entities that Arpio manages in the recovery environment |
| KMS Key, Admin Password Secret ARN, Admin Password Secret KMS Key | If using encryption at rest, Arpio creates new KMS keys in the recovery environment that it uses to encrypt snapshots and authorize master user access |

The following resources are automatically selected into recovery points when a Redshift Serverless Namespace is selected:

  • Redshift Serverless Workgroup associated with the namespace
  • IAM Roles listed as associated roles and the default namespace role
  • Any Secrets Manager secrets referenced by the namespace
  • Any KMS Key referenced by the namespace

Redshift Serverless Workgroup

Arpio replicates Redshift Serverless Workgroups to the recovery environment.

The following attributes are translated during replication:

| Attribute | Translation |
| --- | --- |
| Subnets, VPC Security Groups | Translated to corresponding entities that Arpio manages in the recovery environment |
| Custom Domain Certificate | Arpio creates an ACM certificate in the recovery environment to use with the custom domain and associates that to the workgroup. |

The following resources are automatically selected into recovery points when a Redshift Subnet Group is selected:

  • The Redshift Serverless Namespace associated with
  • The VPC Subnets referenced by the subnet group
  • Associated VPC Security Groups
  • Any ACM Certificate associated with the workgroup

Redshift Serverless Implementation Details:

Due to Redshift Serverless limitations, Arpio only handles namespaces that have an associated workgroup, because it is not possible to take and restore snapshots without a workgroup.

Due to Redshift Serverless limitations, replication happens by:

  • For same-region recovery:
    • Taking a snapshot and sharing it with the recovery account
  • For cross-region recovery:
    • Enabling cross-region snapshots on the source account to the target region
    • Taking a snapshot and waiting for it to be replicated to the target region (still in the source account)
    • Sharing the replicated snapshot with the recovery account

Snapshots of Redshift Serverless Namespaces are incremental from the previous snapshot on the source, but enabling cross-region snapshots results in an initial full copy of the snapshot in the new region. Subsequent snapshots will be incremental as long as the KMS key used to encrypt the snapshot is the same.

If you are using Redshift Serverless encryption at rest, Arpio handles provisioning an appropriate KMS key in the recovery environment, and AWS re-encrypts the namespace with this key during the restore operation.