Scenarios
      Back to home
      1. Arpio Documentation
      2. Concepts and Scenarios
      3. Scenarios

      FSX OnTap Onboarding Instructions

      Setup Arpio replication for FSX OnTap instances

      Introduction

      Arpio leverages NetApp's SnapMirror technology to perform backups of your data.  Arpio handles the SnapMirror configuration for you and also creates the volumes and storage virtual machines in your recovery environment.  However, this process requires some prerequisite setup steps.  At a high level, these are:

      SnapMirror requires that the recovery filesystem and storage virtual machines be available full-time, not just during a failover event.  For this reason, your recovery filesystem must exist in a VPC that uses a different range of IP addresses from your primary.  

      The primary and recovery filesystems and SVMs must also be able to communicate with each other full-time.  You must use VPC peering, Transit Gateway, or other networking technology to establish this connectivity.  In this document, we will cover using VPC peering.

      Establish the Recovery VPC:

      Your recovery filesystem must exist in a VPC that uses a different range of IP addresses from your primary.  Arpio can create this VPC for you, but you must set the arpio-config:renumber tag to make the IP ranges different.

      To have Arpio create the recovery VPC for you, do the following steps prior to selecting any FSx ONTAP resources into your app:

      1. From the AWS console, find the primary VPC
      2. Add an arpio-config:renumber:<primary-cidr-block> tag with the value of your recovery CIDR block.  For example, if your primary IP range is 10.1.0.0/16, you might add arpio-config:renumber:10.1.0.0/16=10.2.0.0/16
      3. Onboard the VPC to Arpio by selecting it into your application, and allow Arpio to create a new recovery point with the VPC.
      4. Once the recovery point has been applied, the new VPC should exist with the updated IP range.
      5. Note: If the desired VPC is already selected into an Arpio application and created in the target environment, repeat steps 1-2 above and then navigate to the gear icon in the relevant Arpio application. Click the gear and then click "Save" without making changes. This will force Arpio to launch a new Recovery Point creation process. When the Recovery Point is applied to the Target environment, Arpio will recreate the VPC with the new IP range.

      Alternatively, you may create a recovery VPC for the new filesystem directly in the recovery environment. In this case, you must ensure the correct numbering using the AWS console or other means.

      Create the Recovery Filesystem:

      Now that you've established your recovery VPC, you'll need to deploy a new FSX OnTap filesystem in this VPC.

      Using the AWS console to create the filesystem creates unneeded storage VMs and volumes.  It is easiest to do from the AWS command line (or CloudShell):

      aws --region us-east-2 fsx create-file-system --file-system-type ONTAP --storage-capacity 1024 --subnet-ids your_subnet_id --ontap-configuration '{"DeploymentType":"SINGLE_AZ_2","ThroughputCapacity":384, "FsxAdminPassword":"your_password"}'


      Adjust these values as desired. 

      Tip: The deployment type does not need to match your primary filesystem, you can use a single AZ for cost savings as described here.  The password can be different from your primary, but keep a copy of it as you will need it later.

      Establish Connectivity Between the Primary and Recovery VPCs:

      Now that you have a recovery filesystem in a recovery VPC, you'll need to establish network connectivity between those two VPCs. One common way to establish this connectivity is via a VPC Peering connection. To create that:

      1. From the primary environment's AWS console, navigate to the VPC Dashboard
      2. Select "Peering Connections" on the left side
      3. Click "Create Peering Connection"
      4. Under "Select a local VPC to peer with", choose the VPC containing your FSx filesystem
      5. Under "Select another VPC to peer with", choose your recovery account and region.
      6. Enter the ID of the recovery VPC into the "VPC ID (Accepter)" box
      7. Click "Create Peering Connection"
      8. From the recovery environment's AWS console, navigate to the VPC Dashboard
      9. Select "Peering Connections" on the left side
      10. The peering connection you created earlier should appear.  Select it.
      11. Press the "Actions" button and choose "Accept Request"
      12. Select "Subnets" on the left side
      13. For each subnet in use by your recovery FSx filesystem:
        1. Select the subnet
        2. Navigate to the "Route Table" tab at the bottom of the screen
        3. Insert a route from the primary CIDR to the VPC peering connection
        4. Navigate to the "Security Groups" section and choose the default SG for this subnet
        5. Make sure the SG will allow inbound (and outbound) traffic from (and to) the primary VPC.  If it was created by the AWS portal, It likely has a single rule accepting all traffic from 0.0.0.0/0 that is further restricted to the security group.  That will not work because the primary VPC is not part of the SG.  Add a new rule to allow inbound traffic from the primary VPC's CIDR block.  (If you desire further restrictions, you can limit it to the intercluster IPs of the primary FSx server)
      14. From the primary environment's AWS console, repeat step 13 for each subnet used by the primary FSx fileserver.  Allow access to the recovery CIDRs.

      Establish Connectivity to AWS Services:

      Arpio needs to be able to contact the AWS FSx and Secrets Manager services to gain access to your FSx fileservers.  If your VPCs are internet connected, they may already have this.  If not, you will need to add VPC endpoints to allow this connectivity:

      1. From the primary environment's AWS console, navigate to the VPC dashboard.
      2. Choose "Endpoints" from the left hand side
      3. If a com.amazonaws.region.fsx endpoint does not already exist:
        1. Click "Create Endpoint"
        2. Choose "AWS Services"
        3. Type "fsx" into the search box
        4. Choose com.amazonaws.region.fsx 
        5. Ensure the "Enable DNS name" box is checked
        6. Click "Create Endpoint"
      4. If a com.amazonaws.region.secretsmanager endpoint does not already exist.
        1. Click "Create Endpoint"
        2. Choose "AWS Services"
        3. Type "secrets" into the search box
        4. Choose com.amazonaws.region.secretsmanager and click "Create Endpoint"
      5. Repeat the above steps for the recovery environment VPC
      6. For the primary VPC, make sure the VPC endpoints are excluded from your Arpio application.  Otherwise VPC restores will fail.

      Provide Arpio with ONTAP credentials

      Arpio needs access to your ONTAP administration credentials for both your primary and recovery environments.  You will need to know this password.  If you do not have it, you can reset it by following these steps:

      1. Open your FSx filesystem in the AWS console.
      2. Navigate to the "Administration" tab
      3. Underneath "ONTAP administrator password", click Update
      4. Securely generate a new password and paste it in.  Save a copy for the next step.

      This CloudShell command will deposit the credentials into the correct place in Secrets Manager.  Be sure to run it from the primary account and region:

      aws secretsmanager create-secret --name /Arpio/FSxFileSystem/primary_filesystem_id/OntapUser --secret-string '{"username":"fsxadmin", "password":"primary_filesystem_password"}'


      And run this command in the recovery account and region:

      aws secretsmanager create-secret --name /Arpio/FSxFileSystem/recovery_filesystem_id/OntapUser --secret-string '{"username":"fsxadmin", "password":"recovery_filesystem_password"}'

      Add the Arpio Peer config tag to your source filesystem

      In order for Arpio to understand the relationship between your source filesystem and your recovery filesystem, add the following Arpio config tag to the source filesystem in AWS:

      arpio-config:fsx:ontap:peer = <recovery-filesystem-id>

      Include FSx ONTAP Volumes in your Arpio application:

      Now you've established connectivity, it's time to onboard your FSX OnTap resources to Arpio, if you haven't already.

      Open your application in the Arpio UI.  Click the "gear" icon and select one or more FSx ONTAP volumes from your primary account.  Arpio will automatically select the FSx Storage Virtual Machine and Filesystem.