How Does Arpio's Network Sandbox Work

To prevent unintended interaction with production workloads during a disaster recovery test, Arpio can block the DR environment from communicating externally.

Overview

When it's time to test your disaster recovery setup, you will need to consider the implications of launching a full replica of your environment. 

Launching a test using Arpio's test capability will bring up your recovery resources in isolation in your recovery environment, while your production environment continues to serve traffic.  However, you need to ensure that the workloads under test do not interact in any conflicting manner with the production workloads.

Unless you have configured network connectivity between your primary environment and your recovery environment, your recovery environment systems cannot interact directly with your primary environment.  But, if your workload actively connects outbound to resources on the internet, your recovery environment could interact with those same resources in ways that could impact your production services. 

To eliminate this risk, Arpio can isolate your recovery environment and block outbound access to the internet.  Inbound access is still permitted, so you can still test your systems by connecting through load balancers, bastion hosts, or other publicly exposed resources. To use this isolation, you will need to enable the Network Sandbox capability before running your failover test.

How It Works:

To enable the Network Sandbox feature, begin by launching a test for your Arpio application by clicking the "Test" button in the Arpio console. Then, click the "Enable Network Sandbox" checkbox in the Test Recovery dialog in Arpio.


Once enabled, Arpio will apply a filter to all egress rules on all security groups that it replicates.  This filter reduces the scope of egress rules that reference IP addresses and prefix lists so that they only allow access to the internal network destinations of your VPCs.  Egress destinations that are wider than your VPCs and overlap them (e.g. 0.0.0.0/0) will be scoped down to the VPC CIDR ranges they contain; egress destinations that fall entirely outside of your VPCs will be eliminated; and egress destinations within your VPCs will be left intact.

Because security groups offer stateful traffic filtering, outbound responses to inbound traffic are not impacted.  You can still initiate the same application requests that you would expect and receive legitimate application responses.

Because the AWS API endpoints are reached over public IP addresses, Arpio's network sandbox will also block your application components from communicating with the AWS API.  If your application needs to communicate with the AWS API during recovery tests, you can manually add VPC endpoints to the networks that Arpio has set up for you, so that those API calls stay inside the VPC.

When you conclude your test, these changes will be reverted. 

Security Group Limits

The Network Sandbox feature rewrites the egress rules on your security groups.  In some cases, what is a single rule in your primary environment can become multiple rules in the recovery environment, for example when one wide rule is scoped down to each of several VPC CIDR ranges.  Because of this, it is possible to hit the AWS-imposed limit on the number of rules allowed per security group.

If this limit is hit, Arpio will halt the recovery and raise an appropriate issue in the Arpio console.  You can then navigate to the "Service Quotas" section of the AWS console, find the quotas for the Amazon VPC service, and request an increase of the "Inbound or outbound rules per security group" quota.

Allowing Some Outbound Access

If your application relies on sending traffic outside your internal network to function, Arpio does allow you to whitelist specific IP addresses and CIDR blocks to grant outbound access when the network sandbox is enabled.

To allow outbound access to specific IPs, first enable the network sandbox. Once it is selected, you will have the option to fill in the IP addresses and ranges in the dialog:

Whitelist IPs for Network Sandbox

IP Whitelist FAQs:

  • Arpio will remember your sandbox settings, including outbound access CIDR blocks. So the next time you want to test your recovery, the values will be pre-filled for you.
  • To specify a single IP address, append the /32 suffix.
  • Arpio will apply the CIDR blocks you specify directly to your security groups, without modifying, de-duplicating, or other complex logic.
  • Like the network sandbox itself, the outbound access settings are compared with your existing security group rules. Arpio will only allow access to ports and IP addresses that your primary environment's rules already allow outbound access to.
  • Only IPv4 CIDR blocks are currently supported.
  • If you have another application with the same primary and recovery environments already in RECOVERY TEST, then the sandbox settings cannot be changed. This prevents conflicting or surprising results in your recovery environment. In order to change them, you will need to conclude the test in your other application.
    • If you want to test multiple applications with the same primary & recovery environments, we recommend initiating both tests at the same time, with the same network sandbox settings.
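The following is an added illustration of the egress-rule rewriting described in the "How It Works" and "IP Whitelist FAQs" sections; it is not Arpio's code and it does not call AWS. It models each egress rule as a (protocol, from_port, to_port, cidr) tuple, handles IPv4 only, and assumes the intersection semantics the page describes: rules inside a VPC are kept, wider rules are scoped down to each VPC CIDR they contain (which is how one rule fans out into several and can approach the per-group quota), rules outside the VPCs are dropped, and allowlisted CIDRs are granted only where a primary rule already permitted them. The sample rules, VPC ranges and allowlist entries are constructed for the example.

```python
"""Illustrative egress-rule sandboxing (added example, not Arpio's code)."""
from ipaddress import IPv4Network
from typing import List, NamedTuple, Optional, Sequence


class EgressRule(NamedTuple):
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str       # IPv4 destination CIDR, e.g. "0.0.0.0/0"


def _intersect(a: str, b: str) -> Optional[str]:
    """Overlap of two IPv4 CIDRs, or None when they are disjoint.

    Two CIDR blocks either nest or do not touch, so the overlap is
    simply the narrower block when one contains the other.
    """
    na, nb = IPv4Network(a), IPv4Network(b)
    if na.subnet_of(nb):
        return str(na)
    if nb.subnet_of(na):
        return str(nb)
    return None


def sandbox_egress(rules: Sequence[EgressRule],
                   vpc_cidrs: Sequence[str],
                   allowlist: Sequence[str] = ()) -> List[EgressRule]:
    """Rewrite primary-environment egress rules for an isolated test.

    Every permitted destination (VPC CIDRs plus any allowlisted CIDRs)
    is intersected with every primary rule.  A rule that contains a
    VPC CIDR is scoped down to it, so a single wide rule such as
    0.0.0.0/0 becomes one rule per VPC CIDR; a rule already inside a
    VPC survives unchanged; a rule with no overlap is dropped.
    Allowlisted CIDRs get through only on the protocol/ports of a
    primary rule that already covered them (assumption: allowlist
    entries lie outside the VPC ranges, so no de-duplication is done).
    """
    permitted = list(vpc_cidrs) + list(allowlist)
    sandboxed: List[EgressRule] = []
    for rule in rules:
        for dest in permitted:
            scoped = _intersect(rule.cidr, dest)
            if scoped is not None:
                sandboxed.append(rule._replace(cidr=scoped))
    return sandboxed


def within_quota(rules: Sequence[EgressRule], limit: int = 60) -> bool:
    """True if the rewritten rule set fits the per-security-group quota.

    60 is the AWS default for "Inbound or outbound rules per security
    group"; pass your account's raised value if you requested one.
    """
    return len(rules) <= limit


# Constructed sample data for the example.
PRIMARY_RULES = [
    EgressRule("tcp", 443, 443, "0.0.0.0/0"),       # HTTPS to anywhere
    EgressRule("tcp", 5432, 5432, "10.0.0.0/16"),   # database inside VPC A
    EgressRule("udp", 53, 53, "10.0.1.0/24"),       # resolver subnet in VPC A
    EgressRule("tcp", 25, 25, "203.0.113.0/24"),    # mail relay on the internet
]
VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]          # two replicated VPCs
ALLOWLIST = ["198.51.100.7/32"]                     # one permitted external host


if __name__ == "__main__":
    for title, allow in (("sandbox only", ()), ("sandbox + allowlist", ALLOWLIST)):
        result = sandbox_egress(PRIMARY_RULES, VPC_CIDRS, allow)
        print(f"{title}: {len(result)} rules, within quota: {within_quota(result)}")
        for r in result:
            print(f"  {r.protocol} {r.from_port}-{r.to_port} -> {r.cidr}")
```

Running the script shows the HTTPS rule fanning out into one rule per VPC CIDR, the database and resolver rules surviving untouched, the mail-relay rule disappearing, and the allowlisted host being admitted only on port 443 because that is the only primary rule that covered it.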