Pre-flight checklist

Use the following checklist to prepare for setting up a new Arpio application.

We prepared this checklist assuming this is your first time setting up an Arpio application, or that you are participating in a proof of concept (POC) and using Arpio for the first time. However, if you find this checklist helpful, feel free to use it for all your Arpio applications.

1. Choose an application

  • An application is a set of AWS resources that work together in a single AWS account and region.
  • An application may work together with other applications in other AWS accounts and regions as part of an end-to-end workload.
  • Arpio will let you configure all the applications you need, but for a given POC we will focus on just one.
  • Select a name to use in Arpio to refer to this application.

2. Source AWS account and region

  • Make note of the AWS account (12-digit number) and AWS region (e.g. us-east-1, eu-west-2) that the application currently operates in.
  • For a POC, some customers like to set up a test copy of their application. In this case you would provide the source information for that test instance of the application.

3. Destination AWS account and region

  • Determine the AWS account and AWS region where we will recover this application.
  • This ideally should be an account reserved for application recovery, and not running any other production workloads.

4. IAM credentials to set up source and destination AWS accounts

  • To set up this application, you will need to run CloudFormation templates that Arpio will supply.
  • Ensure you have IAM credentials with authorization to create the AWS resources listed in Appendix A.
  • You will need credentials for both the source and destination environments.
  • These CloudFormation stacks are used to give Arpio limited access to your AWS accounts, so that it can protect and recover your AWS workloads.

5. IAM credentials to examine and debug source and destination applications

  • This is not necessary for everyday Arpio usage, but is useful when setting up Arpio for the first time with your first application.
  • Ensure you have IAM credentials that you can use to access the AWS console and/or run AWS CLI commands in the source and destination regions.
  • Ensure that you have connectivity to these source and destination accounts.
  • This is useful to see what Arpio has done, and adjust if necessary.
  • The PowerUserAccess AWS managed policy is well suited for this.

6. Identify the feature resources of your application

  • You will identify the feature resources that make up your application. Based on this, Arpio will not only know how to back up those resources, but will also identify all the other resources necessary for your application.
  • [Optional] If you have a tagging strategy to identify the resources that comprise your application, then please note the tag name and value.

[Optional] Worksheet

If it is useful to you, please use this worksheet to collect the required information.

| Field | Description | Your Value |
|---|---|---|
| 1 - Application Name | An internally recognizable name that describes the workload that you’ll be testing for the POC. | |
| 2a - Primary AWS Account ID | In which AWS account do you currently operate this application? | |
| 2b - Primary Region | Which region hosts the core resources? | |
| 3a - Recovery AWS Account ID | Where do you want to recover this application? This should be distinct from the primary account for ransomware resiliency. | |
| 3b - Recovery Region | This should be distinct from the primary region for regional resiliency. | |
| 4 - IAM credentials to set up primary and recovery AWS accounts | If you are meeting with Arpio staff to run a POC, will someone with access to these credentials be at the meeting? | |
| 5 - IAM credentials to examine and debug primary and recovery applications | If you are meeting with Arpio staff to run a POC, will someone with access to these credentials be at the meeting? | |
| 6a - Identify the feature resources of your application | What are the featured compute and storage resources in this application that you will protect and recover with Arpio? You do not need to list every resource - once you select the key ones, Arpio can figure out the rest. Choose from featured resources to the right. | Autoscaling Group; AWS SFTP (TransferServer); Cognito; DocumentDB; DynamoDB; EC2 that are not in an auto scaling group or node group; ECR; ECS Cluster; EFS; EKS Cluster; ElastiCache; Fargate; FSX (which type?); Lambda; OpenSearch; RDS (non-Aurora); RDS Aurora; S3; Spot by Netapp Elastigroup on AWS |
| 6b - List any relevant AWS tag names and values | Arpio can automatically select resources for replication by matching against tag rules in your app settings. This is optional. | |

Resource-specific checklists

If you have more time to invest, the following items will also help make onboarding your Arpio application a smooth experience.

1. Amazon EKS

If one of your feature resources is an Amazon EKS cluster then:

  1. If you can do so, set your cluster's authentication mode to API or API_AND_CONFIG_MAP.
  2. If using API authentication, then ensure you have access to IAM credentials to run aws eks create-access-entry and aws eks associate-access-policy. During initial application setup, you will use these commands to assign the AmazonEKSClusterAdminPolicy access policy to the Arpio Kubernetes delegate IAM role.
  3. If you want to access EKS resources for validation or debugging via the AWS console or CLI, you will need access to an IAM principal that has a cluster access policy.

2. Amazon DynamoDB

If your application includes one or more DynamoDB tables then:

  1. Enable Advanced DynamoDB backup features in AWS Backup if they are not already enabled on any DynamoDB tables that are included in your Arpio application.
  2. If your source and recovery environments are in different AWS accounts, then you should enable cross-account backup for AWS Backup. This must be done in the management account of your AWS Organization.

3. Amazon EFS and Amazon FSx

If you are using an EFS or FSx file system in your application then:

  1. If your source and recovery environments are in different AWS accounts, then you should enable cross-account backup for AWS Backup. This must be done in the management account of your AWS Organization.

Appendix A. Permissions to set up source and destination AWS accounts for Arpio

The CloudFormation templates you run in the source and destination AWS accounts will create or update the following resource types:

  • AWS::CloudFormation::CustomResource
  • AWS::IAM::ManagedPolicy
  • AWS::IAM::Policy
  • AWS::IAM::Role
  • AWS::Lambda::Function
  • AWS::Lambda::LayerVersion
  • AWS::S3::Bucket
  • AWS::Events::EventBus
  • AWS::KMS::Alias
  • AWS::KMS::Key

The following AWS IAM policy will allow you to deploy the templates:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "ArpioTemplates",
           "Effect": "Allow",
           "Action": [
               "lambda:*",
               "cloudformation:*",
               "iam:*",
               "s3:*",
               "kms:*",
               "events:*"
           ],
           "Resource": "*"
       }
   ]
}
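
As an added example (not Arpio's code and not part of the original checklist), the Python below checks a CloudFormation template against the Appendix A resource types before you deploy it, and reports which services a narrower deploy policy would no longer cover. The sample template, the sample policy and all function names are constructed for illustration, and templates are assumed to be in JSON form.

```python
import json

# Resource types listed in Appendix A of this page.
APPENDIX_A_TYPES = {
    "AWS::CloudFormation::CustomResource", "AWS::IAM::ManagedPolicy",
    "AWS::IAM::Policy", "AWS::IAM::Role", "AWS::Lambda::Function",
    "AWS::Lambda::LayerVersion", "AWS::S3::Bucket", "AWS::Events::EventBus",
    "AWS::KMS::Alias", "AWS::KMS::Key",
}

# Constructed sample (not an Arpio template); ExtraQueue is off-list on purpose.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "SampleRole": {"Type": "AWS::IAM::Role"},
    "SampleHook": {"Type": "Custom::SampleHook"},
    "ExtraQueue": {"Type": "AWS::SQS::Queue"},
}})

# Constructed narrowed deploy policy that omits the events and kms services.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["lambda:*", "cloudformation:*", "iam:*", "s3:*"]}]})

def normalize(resource_type):
    # CloudFormation accepts custom resources declared as Custom::<Name>.
    if resource_type.startswith("Custom::"):
        return "AWS::CloudFormation::CustomResource"
    return resource_type

def unexpected_resources(template_text, allowed=APPENDIX_A_TYPES):
    """Map logical ID -> type for every resource outside the allowed set."""
    resources = json.loads(template_text).get("Resources", {})
    return {lid: body.get("Type", "<missing>") for lid, body in resources.items()
            if normalize(body.get("Type", "")) not in allowed}

def uncovered_services(policy_text, types=APPENDIX_A_TYPES):
    """Services needed by `types` that no Allow statement names (service level)."""
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    allowed = set()
    for st in statements:
        actions = st.get("Action", []) if st.get("Effect") == "Allow" else []
        actions = [actions] if isinstance(actions, str) else actions
        allowed |= {a.split(":", 1)[0].lower() for a in actions}
    if "*" in allowed:
        return []
    # Heuristic: the middle segment of AWS::<Service>::<Thing> is the IAM prefix.
    needed = {t.split("::")[1].lower() for t in types}
    return sorted(needed - allowed)
```

The coverage check works at the service-prefix level only; it does not evaluate individual actions, Deny statements, conditions or resource scoping.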