Setup Arpio replication for Amazon FSx ONTAP instances
Introduction
Arpio leverages NetApp's SnapMirror technology to perform backups of your data. Arpio handles the SnapMirror configuration for you and also creates the volumes and storage virtual machines in your recovery environment. However, this process requires some prerequisite setup steps. At a high level, these are:
- Establish the FSx recovery VPC
- Create the recovery filesystem
- Establish network connectivity between the primary and recovery VPCs
- Establish connectivity to core AWS services
- Provide Arpio with ONTAP credentials
- Add the Arpio Peer config tag to your source filesystem
- Include FSx volumes in your Arpio application
- Establish Connectivity between Recovery VPCs
SnapMirror requires direct IP connectivity between the primary and the recovery filesystems. For this reason, your recovery filesystem must exist in a VPC that uses a different range of IP addresses from your primary.
The primary and recovery filesystems and SVMs must also be able to communicate with each other full-time. You must use Amazon VPC peering, Amazon Transit Gateway, or other networking technology to establish this connectivity. In this document, we will cover using VPC peering.
Establish the Recovery VPC:
Your recovery FSx ONTAP filesystem must exist in an Amazon VPC that uses a different range of IP addresses from your primary. This VPC should be created before you attempt to back up your filesystem.
Create the Recovery Filesystem:
Now that you've established your recovery Amazon VPC, you'll need to deploy a new Amazon FSx ONTAP filesystem in this VPC.
Using the AWS console to create the filesystem creates unneeded storage VMs and volumes, so it is easiest to create it from the AWS command line (or CloudShell):
aws --region your-recovery-region fsx create-file-system --file-system-type ONTAP --storage-capacity 1024 --subnet-ids your_subnet_id --ontap-configuration '{"DeploymentType":"SINGLE_AZ_1","ThroughputCapacity":128, "FsxAdminPassword":"your_password"}'
Adjust these values as desired.
Tip: The deployment type does not need to match your primary filesystem; you can use a single AZ for cost savings as described here. The password can differ from your primary's, but keep a copy of it, as you will need it later.
Establish Connectivity Between the Primary and Recovery Amazon VPCs:
Now that you have a recovery filesystem in a recovery VPC, you'll need to establish network connectivity between those two VPCs. One common way to establish connectivity is via a VPC Peering connection, which we have outlined below.
Note: These instructions cover how to connect all ports and IPs of both VPCs to each other. If you wish to restrict by IP or ports, please follow these requirements from ONTAP.
To create a new VPC peering connection between your source VPC and your recovery FSx VPC:
1. From the primary environment's AWS console, navigate to the VPC Dashboard
2. Select "Peering Connections" on the left side
3. Click "Create Peering Connection"
4. Under "Select a local VPC to peer with", choose the VPC containing your FSx filesystem
5. Under "Select another VPC to peer with", choose your recovery account and region
6. Enter the ID of the recovery VPC into the "VPC ID (Accepter)" box
7. Click "Create Peering Connection"
8. From the recovery environment's AWS console, navigate to the VPC Dashboard
9. Select "Peering Connections" on the left side
10. The peering connection you created earlier should appear. Select it.
11. Press the "Actions" button and choose "Accept Request"
12. Select "Subnets" on the left side
13. For each subnet in use by your recovery FSx filesystem:
    - Select the subnet
    - Navigate to the "Route Table" tab at the bottom of the screen
    - For each Intercluster IP of the primary filesystem (found under the "Network and Security" tab of the AWS console page for the FSx file system, inside the "Endpoints" box), insert a route with destination = the intercluster IP and target = the VPC peering ID
    - Navigate to the "Security Groups" section and choose the default SG for this subnet
    - Make sure the SG allows inbound (and outbound) traffic from (and to) the primary VPC. If it was created by the AWS portal, it likely has a single rule accepting all traffic from 0.0.0.0/0 that is further restricted to the security group itself. That will not work, because the primary VPC is not part of the SG. Add a new rule to allow inbound traffic from the primary VPC's CIDR block. (If you want further restrictions, you can limit it to the intercluster IPs of the primary FSx server.)
14. From the primary environment's AWS console, repeat step 13 for each subnet used by the primary FSx fileserver, this time allowing access to the recovery filesystem's intercluster IPs.
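As an added check for the route and security-group steps above (example code written for this page, not Arpio's or AWS's own tooling): given the recovery side's describe-file-systems, describe-route-tables and describe-security-groups output, it lists the primary intercluster /32 routes still missing from a route table, flags the self-referencing default SG rule that the previous step warns about, and returns the CLI commands that would close each gap. All IDs, addresses and responses below are constructed samples.

```python
import ipaddress

# Constructed samples shaped like the `aws fsx describe-file-systems`, `describe-route-tables`
# and `describe-security-groups` responses; every ID and address here is made up.
PRIMARY_FS = {"FileSystemId": "fs-0primaryexample", "OntapConfiguration": {
    "Endpoints": {"Intercluster": {"IpAddresses": ["10.0.0.10", "10.0.0.11"]}}}}
PRIMARY_VPC_CIDR = "10.0.0.0/16"   # CIDR of the primary VPC
PEERING_ID = "pcx-0example"        # peering between primary and recovery VPCs
ROUTE_TABLE = {"RouteTableId": "rtb-0recoveryexample", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.0.0.10/32", "VpcPeeringConnectionId": "pcx-0example"}]}
# Console-created default SG: all traffic allowed, but only from members of the SG itself.
DEFAULT_SG = {"GroupId": "sg-0recoveryexample", "IpPermissions": [{"IpProtocol": "-1",
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0recoveryexample"}]}]}


def intercluster_ips(fs):
    """Intercluster LIF addresses of an FSx ONTAP filesystem: the SnapMirror endpoints."""
    return fs["OntapConfiguration"]["Endpoints"]["Intercluster"]["IpAddresses"]


def missing_routes(route_table, peer_ips, pcx_id):
    """Return the peer intercluster IPs (as /32s) with no route via the peering connection."""
    peered = [ipaddress.ip_network(r["DestinationCidrBlock"]) for r in route_table["Routes"]
              if r.get("VpcPeeringConnectionId") == pcx_id and "DestinationCidrBlock" in r]
    return [f"{ip}/32" for ip in peer_ips
            if not any(ipaddress.ip_address(ip) in net for net in peered)]


def sg_allows_cidr(sg, cidr):
    """True if an all-traffic ingress rule covers `cidr` by IP range. A rule whose only
    source is a security group (UserIdGroupPairs) does not count: the peer's LIFs are not in it."""
    wanted = ipaddress.ip_network(cidr)
    return any(perm["IpProtocol"] == "-1"
               and any(wanted.subnet_of(ipaddress.ip_network(r["CidrIp"]))
                       for r in perm.get("IpRanges", []))
               for perm in sg["IpPermissions"])


def remediation(route_table, sg, peer_fs, peer_cidr, pcx_id):
    """AWS CLI commands (returned, not executed) that would close the gaps found above."""
    cmds = [f"aws ec2 create-route --route-table-id {route_table['RouteTableId']} "
            f"--destination-cidr-block {dst} --vpc-peering-connection-id {pcx_id}"
            for dst in missing_routes(route_table, intercluster_ips(peer_fs), pcx_id)]
    if not sg_allows_cidr(sg, peer_cidr):
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {sg['GroupId']} "
                    f"--protocol -1 --cidr {peer_cidr}")
    return cmds


if __name__ == "__main__":
    for cmd in remediation(ROUTE_TABLE, DEFAULT_SG, PRIMARY_FS, PRIMARY_VPC_CIDR, PEERING_ID):
        print(cmd)
```

Run the same functions against the primary side's route tables and SG with the recovery filesystem's intercluster IPs to cover step 14.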
Establish Connectivity to AWS Services:
Arpio needs to be able to contact the Amazon FSx and AWS Secrets Manager services to gain access to your FSx fileservers. If your Amazon VPCs are internet connected, they may already have this. If not, you will need to add VPC endpoints to allow this connectivity:
- From the primary environment's AWS console, navigate to the VPC dashboard.
- Choose "Endpoints" from the left-hand side
- If a com.amazonaws.region.fsx endpoint does not already exist:
    - Click "Create Endpoint"
    - Choose "AWS Services"
    - Type "fsx" into the search box
    - Choose com.amazonaws.region.fsx
    - Choose the VPC, Subnet, and Security Group for your FSx ONTAP instance
    - Ensure the "Enable DNS name" box is checked
    - Click "Create Endpoint"
- If a com.amazonaws.region.secretsmanager endpoint does not already exist:
    - Click "Create Endpoint"
    - Choose "AWS Services"
    - Type "secrets" into the search box
    - Choose com.amazonaws.region.secretsmanager and click "Create Endpoint"
- Repeat the above steps for the recovery environment VPC
- For the primary VPC, make sure the VPC endpoints are excluded from your Arpio application. Otherwise VPC restores will fail.
Provide Arpio with ONTAP credentials
Arpio needs access to your ONTAP administration credentials for both your primary and recovery environments, so you will need to know this password. If you do not have it, you can reset it by following these steps:
- Open your FSx filesystem in the AWS console.
- Navigate to the "Administration" tab
- Underneath "ONTAP administrator password", click Update
- Securely generate a new password and paste it in. Save a copy for the next step.
This CloudShell command will deposit the credentials into the correct place in Secrets Manager. Be sure to run it from the primary account and region:
aws --region your-primary-region secretsmanager create-secret --name /Arpio/FSxFileSystem/primary_filesystem_id/OntapUser --secret-string '{"username":"fsxadmin", "password":"primary_filesystem_password"}'
And run this command in the recovery account and region:
aws --region your-recovery-region secretsmanager create-secret --name /Arpio/FSxFileSystem/recovery_filesystem_id/OntapUser --secret-string '{"username":"fsxadmin", "password":"recovery_filesystem_password"}'
Lastly, if any of your SVMs are using Active Directory integration, you must provide the password for a service account used to join the domain. This password should correspond to the user name listed in the "Service account username" section of the AWS console page for the SVM.
Run this command in the recovery account and region:
aws --region your-recovery-region secretsmanager create-secret --name /Arpio/FSxStorageVirtualMachine/primary_svm_id/SelfManagedActiveDirectoryPassword --secret-string 'ad_service_account_password'
Add the Arpio Peer config tag to your source filesystem
In order for Arpio to understand the relationship between your source filesystem and your recovery filesystem, add the following Arpio config tag to the source filesystem in AWS:
arpio-config:fsx:ontap:peer = <recovery-filesystem-id>
Include FSx ONTAP Volumes in your Arpio application:
Now that you've established connectivity, it's time to onboard your FSx ONTAP resources to Arpio, if you haven't already.
Open your application in the Arpio UI. Click the "gear" icon and select one or more FSx ONTAP volumes from your primary account. Arpio will automatically select the FSx Storage Virtual Machine and Filesystem.
Establish Connectivity between the Recovery VPC and Recovery FSx ONTAP VPC:
Once Arpio has backed up your application, it will create another VPC in the recovery account/region that contains the remainder of your application. You will need to build connectivity between this VPC (which has identical numbering to your source environment) and the FSx VPC you created earlier.
This can be done using a number of different technologies:
- VPC peering
- Transit Gateway
- VPC Lattice
- Cloud WAN
To do this with VPC peering:
- Navigate to the VPC section of the AWS console.
- Choose "Peering Connections" on the left
- Choose "Create Peering Connection".
- Choose the Arpio-created recovery VPC as "Select a local VPC to peer with" and the FSx VPC under "Select another VPC to peer with". Since these are in the same region/account, the radio buttons can be left alone.
- Click "Create Peering Connection" and then return to the main page and accept the connection.
- Next, modify each route table in the Recovery VPC to route traffic for the FSx VPC's CIDR to the peering connection.
- Repeat the same process for the FSx VPC, routing traffic for the recovery CIDR to the peering connection. Note: the intercluster IP entries you created above are more specific than this CIDR entry and take precedence over it, so traffic for the primary FSx is still routed correctly.