Amazon Redshift Resource Replication with Arpio
Arpio supports the following Redshift services:
Redshift Provisioned Clusters
Arpio replicates the following Amazon Redshift provisioned cluster resource types:
- Redshift Cluster
- Redshift Cluster Parameter Group
- Redshift Cluster Subnet Group
Redshift Cluster
The following attributes are translated during replication:
Attribute | Translation |
VPC, VPC Security Groups, Parameter Groups, IAM Roles, Default IAM Role ARN, Subnet Group Names | Translated to corresponding entities that Arpio manages in the recovery environment |
Availability Zones | Arpio translates to a compatible availability zone in the recovery region, maintaining diversity across availability zones in that region |
KMS Key, Master Password Secret KMS | If using encryption at rest, Arpio creates new KMS keys in the recovery environment that it uses to encrypt snapshots and authorize master user access |
Custom Domain Certificate | Arpio creates an ACM certificate in the recovery environment to use with the custom domain and associates that to the cluster. |
The following resources are automatically selected into recovery points when a Redshift Cluster is selected:
- IAM Roles listed as associated roles and the default cluster role
- Associated Redshift Cluster Parameter Groups
- Associated Redshift Cluster Subnet Groups
- Associated VPC
- Associated VPC Security Groups
- Any Secrets Manager secrets referenced by the cluster
- Any ACM certificates associated with the custom domain for the cluster
Redshift Cluster Parameter Group
Arpio replicates Redshift Cluster Parameter Groups to the recovery environment.
No fields require translation during replication.
Redshift Cluster Subnet Group
Arpio replicates Redshift Cluster Subnet Groups to the recovery environment.
The following attributes are translated during replication:
Attribute | Translation |
Subnets | Translated to corresponding subnets that Arpio manages in the recovery environment |
VPC | Translated to corresponding VPC that Arpio manages in the recovery environment |
The following resources are automatically selected into recovery points when a Redshift Subnet Group is selected:
- The VPC Subnets referenced by the subnet group
Redshift Cluster Implementation Details:
Due to Redshift limitations, replication for Redshift clusters happens in the following ways:
- For same region recovery:
  - Taking a snapshot and sharing with the recovery account
- For cross-region recovery:
  - Enabling cross-region snapshots on the source account to the target region
  - Taking a snapshot and waiting for it to be replicated on the target region (still on the source account)
  - Sharing the replicated snapshot to the recovery account
Snapshots of Redshift Clusters are incremental from the previous snapshot on the source, but enabling cross-region snapshots results in an initial full copy of the snapshot in the new region. Subsequent snapshots are incremental as long as the KMS key used to encrypt the snapshot stays the same.
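As an added example (not Arpio's code), a defender-side audit of the sharing step described above: given snapshot records shaped like the Redshift DescribeClusterSnapshots response, it flags snapshots shared with any account other than the recovery account, snapshots not shared with it, and snapshots whose KMS key differs from the previous one for the same cluster. The account IDs, key ARNs, cluster name and snapshot names are constructed placeholders.

```python
from datetime import datetime

# Constructed sample shaped like the "Snapshots" list returned by Redshift
# DescribeClusterSnapshots. Account IDs and key ARNs are placeholders.
RECOVERY_ACCOUNT = "222222222222"
KEY_A = "arn:aws:kms:us-west-2:111111111111:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-west-2:111111111111:key/EXAMPLE-KEY-B"


def _snap(sid, day, key, accounts):
    return {"SnapshotIdentifier": sid, "ClusterIdentifier": "analytics",
            "SnapshotCreateTime": datetime(2024, 1, day), "Encrypted": True,
            "KmsKeyId": key,
            "AccountsWithRestoreAccess": [{"AccountId": a} for a in accounts]}


SAMPLE_SNAPSHOTS = [
    _snap("rp-001", 1, KEY_A, [RECOVERY_ACCOUNT]),
    _snap("rp-002", 2, KEY_A, [RECOVERY_ACCOUNT, "333333333333"]),
    _snap("rp-003", 3, KEY_B, [RECOVERY_ACCOUNT]),
    _snap("rp-004", 4, KEY_B, []),
]


def audit_snapshots(snapshots, recovery_account):
    """Return (snapshot_id, finding) tuples for snapshots that need review."""
    findings = []
    last_key = {}  # cluster identifier -> KMS key of its previous snapshot
    for snap in sorted(snapshots, key=lambda s: s["SnapshotCreateTime"]):
        sid, cluster = snap["SnapshotIdentifier"], snap["ClusterIdentifier"]
        shared = {a["AccountId"] for a in snap.get("AccountsWithRestoreAccess", [])}
        extra = sorted(shared - {recovery_account})
        if extra:
            findings.append((sid, "shared with unexpected account(s): " + ", ".join(extra)))
        if recovery_account not in shared:
            findings.append((sid, "not shared with the recovery account"))
        key = snap.get("KmsKeyId")
        if cluster in last_key and key != last_key[cluster]:
            findings.append((sid, "KMS key differs from the previous snapshot"))
        last_key[cluster] = key
    return findings


if __name__ == "__main__":
    for sid, finding in audit_snapshots(SAMPLE_SNAPSHOTS, RECOVERY_ACCOUNT):
        print(f"{sid}: {finding}")
```

Against a live account, the same function can be fed the `Snapshots` list from the Redshift `describe_cluster_snapshots` call in the source account.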
Amazon Redshift Serverless
Arpio replicates the following Amazon Redshift Serverless resource types:
- Redshift Serverless Namespace
- Redshift Serverless Workgroup
Redshift Serverless Namespace
The following attributes are translated during replication:
Attribute | Translation |
IAM Roles, Default IAM Role ARN | Translated to corresponding entities that Arpio manages in the recovery environment |
KMS Key, Admin Password Secret ARN, Admin Password Secret KMS Key | If using encryption at rest, Arpio creates new KMS keys in the recovery environment that it uses to encrypt snapshots and authorize master user access |
The following resources are automatically selected into recovery points when a Redshift Serverless Namespace is selected:
- Redshift Serverless Workgroup associated with the namespace
- IAM Roles listed as associated roles and the default namespace role
- Any Secrets Manager secrets referenced by the namespace
- Any KMS Key referenced by the namespace
Redshift Serverless Workgroup
Arpio replicates Redshift Serverless Workgroups to the recovery environment.
The following attributes are translated during replication:
Attribute | Translation |
Subnets, VPC Security Groups | Translated to corresponding entities that Arpio manages in the recovery environment |
Custom Domain Certificate | Arpio creates an ACM certificate in the recovery environment to use with the custom domain and associates that to the workgroup. |
The following resources are automatically selected into recovery points when a Redshift Subnet Group is selected:
- The Redshift Serverless Namespace associated with
- The VPC Subnets referenced by the subnet group
- Associated VPC Security Groups
- Any ACM Certificate associated with the workgroup
Redshift Serverless Implementation Details:
Due to Redshift Serverless limitations, Arpio only handles namespaces that have an associated workgroup, because it is not possible to take and restore snapshots without a workgroup.
Due to Redshift Serverless limitations, replication happens by:
- For same region recovery:
  - Taking a snapshot and sharing with the recovery account
- For cross-region recovery:
  - Enabling cross-region snapshots on the source account to the target region
  - Taking a snapshot and waiting for it to be replicated on the target region (still on the source account)
  - Sharing the replicated snapshot to the recovery account
Snapshots of Redshift Serverless Namespaces are incremental from the previous snapshot on the source, but enabling cross-region snapshots results in an initial full copy of the snapshot in the new region. Subsequent snapshots are incremental as long as the KMS key used to encrypt the snapshot stays the same.
If you are using Redshift Serverless encryption at rest, Arpio handles provisioning an appropriate KMS key in the recovery environment, and AWS re-encrypts the namespace with this key during the restore operation.