To prevent unintended interaction with production workloads during a disaster recovery test, Arpio can block the DR environment from communicating externally.
Overview
When it's time to test your disaster recovery setup, you will need to consider the implications of launching a full replica of your environment.
Launching a test using Arpio's test capability will turn up your recovery resources in isolation in your recovery environment, while your production environment continues to serve traffic. However, you need to ensure that the workloads under test do not interact in any conflicting manner with the production workloads.
Unless you have configured network connectivity between your primary environment and your recovery environment, your recovery environment systems cannot interact directly with your primary environment. But, if your workload actively connects outbound to resources on the internet, your recovery environment could interact with those same resources in ways that could impact your production services.
To eliminate this risk, Arpio can isolate your recovery environment and block outbound access to the internet. Inbound access is still permitted, so you can still test your systems by connecting through load balancers, bastion hosts, or other publicly-exposed resources. To do this, you will need to enable the Network Sandbox capability before running your failover test.
How It Works
To enable the Network Sandbox feature, begin by launching a test for your Arpio application by clicking the "Test" button in the Arpio console. Then, click the checkbox for "Enable Network Sandbox" in the Test Recovery dialog in Arpio.
Once enabled, Arpio will apply a filter to all egress rules on all security groups that it replicates. This filter reduces the scope of egress rules that reference IP addresses and prefix lists so that they only allow access to the internal network destinations of your VPCs. Egress destinations that overlap with your VPCs (e.g. 0.0.0.0/0) will be scoped down to internal destinations; egress destinations that fall entirely outside of your VPCs will be eliminated; and egress destinations within your VPCs will be left intact.
Because security groups offer stateful traffic filtering, outbound responses to inbound traffic are not impacted. You can still initiate the same application requests that you would expect and receive legitimate application responses.
Arpio's Network Sandbox will impact the ability of your application components to communicate with the AWS API, because that API is reached over the internet. If your application needs to communicate with the AWS API during recovery tests, you can manually add VPC endpoints to the networks that Arpio has set up for you.
When you conclude your test, these changes will be reverted.
Security Group Limits
The Network Sandbox feature re-writes your egress rules on security groups. In some cases what is a single rule in your primary environment can become multiple rules in the recovery environment. Because of this, it is possible to hit the AWS-imposed limit on the number of rules allowed per security group.
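The scoping logic described under "How It Works", and the way a single broad rule expands into one rule per VPC CIDR (the cause of the quota pressure described above), can be illustrated with the following added example. It is not Arpio's code; it models only CIDR egress destinations (prefix-list and security-group-referenced rules are not handled) and assumes a simple list of VPC CIDRs.

```python
import ipaddress
from typing import Iterable, List


def sandbox_egress(egress_cidrs: Iterable[str], vpc_cidrs: Iterable[str]) -> List[str]:
    """Return the egress destination CIDRs that survive sandboxing.

    For each egress destination:
      * a destination fully inside a VPC CIDR is kept intact
      * a destination that contains a VPC CIDR (e.g. 0.0.0.0/0) is scoped down
        to that VPC CIDR, producing one rule per matching VPC CIDR
      * a destination with no overlap with any VPC CIDR is dropped entirely
    CIDR blocks are either nested or disjoint, so partial overlap cannot occur.
    """
    vpcs = [ipaddress.ip_network(c, strict=False) for c in vpc_cidrs]
    kept = []
    for cidr in egress_cidrs:
        dest = ipaddress.ip_network(cidr, strict=False)
        for vpc in vpcs:
            if dest.version != vpc.version:
                continue  # subnet_of() raises on mixed IPv4/IPv6, so skip
            if dest.subnet_of(vpc):
                kept.append(dest)  # internal destination: leave intact
            elif vpc.subnet_of(dest):
                kept.append(vpc)   # broader than the VPC: scope down to the VPC
        # no VPC matched -> nothing appended -> rule eliminated
    # de-duplicate while preserving order, since several inputs may scope to
    # the same VPC CIDR (AWS rejects duplicate rules anyway)
    seen = set()
    out = []
    for net in kept:
        if net not in seen:
            seen.add(net)
            out.append(str(net))
    return out


if __name__ == "__main__":
    # Constructed sample: one "allow anywhere" rule against two VPC CIDRs
    # becomes two rules, showing how rule counts grow toward the quota.
    rules = ["0.0.0.0/0", "10.0.5.0/24", "203.0.113.0/24", "::/0"]
    vpcs = ["10.0.0.0/16", "10.1.0.0/16"]
    result = sandbox_egress(rules, vpcs)
    print(f"{len(rules)} original rule(s) -> {len(result)} sandboxed rule(s): {result}")
```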
If this limit is hit, Arpio will halt the recovery and raise an appropriate issue in the Arpio console. You can then navigate to the "Service Quotas" section of the AWS console, find the quotas for the Amazon VPC service, and request an increase of the "Inbound or outbound rules per security group" quota.
Note: the Network Sandbox feature is available to Enterprise customers only.