Skip to content
English
Customer portal
Go to arpio.io
  • There are no suggestions because the search field is empty.

Testing Your Application Recovery

Your disaster readiness is only as good as your testing, so it's important that you periodically test your disaster recovery.

Jump to:

Initiate the Test
Choose Applications To Test
Using the Network Sandbox
Arpio Updates the Recovery Environment
Perform Additional Validation
Conclude Test


Below, we will walk through the steps to test the disaster recovery for your Arpio workloads. You can test application recovery individually or you can test many applications together.

While you are testing application recovery, your production workloads continue to operate in your primary environment. Any data changes that happen in your recovery environment will be discarded at the end of the test.

Initiate the Test

To begin a test, navigate to the application you intend to test by clicking on the application name in the sidebar menu of the Arpio console. Once on the application landing page, click the "Test" button in the upper righthand corner.

test_button_small

Choose Applications To Test

The "launch test of" dialog appears next. You can launch a test of a single application or many applications as long as they share the same primary environment and the same recovery environment. If you need to test applications in different environments, you can launch tests of them separately.

test_launch_test

Select the applications you'd like to test. 

Next, select a Recovery Point to recover. Arpio's flexible retention policies let you recover not only the latest Recovery Point, but one from a previous point in time. This is essential for ransomware recovery, where you'll want to choose a point before the attack occurred.

Once you've selected your Recovery Point, click Test Recovery.

Using the Network Sandbox

When testing your disaster recovery, you should consider the implications of launching a full replica of your environment. Your production environment continues to serve traffic during a test, but if your recovery workloads connect outbound to resources on the internet, they could interact with those resources in ways that impact your production services. To eliminate this risk, Arpio can isolate your recovery environment and block outbound access to the internet while still permitting inbound access for testing.

Enabling the Network Sandbox

To enable the Network Sandbox, check the "Enable Network Sandbox" checkbox in the Test Recovery dialog when launching your test. Network Sandbox is enabled per Region Pair as a proactive measure, since AWS accounts can have networking dependencies on one another within the same region.

Screenshot 2025-03-04 at 4.21.22 PM

How It Works

When enabled, Arpio creates an AWS Network Firewall in the recovery environment that sits between your workloads and your Internet Gateways. All default routes (0.0.0.0/0) are updated to route through the firewall instead of directly to the internet gateway. If a VPC does not have its own Internet Gateway but routes through a Transit Gateway, Arpio will either create a Network Firewall in the shared VPC or rewrite the default route to only allow traffic to internal/private networks. All changes are reverted when you conclude your test.

Allowing Some Outbound Access

If your application relies on sending traffic outside your internal network to function, you can add allowed domains and/or public CIDR blocks to an allowlist in the Test Recovery dialog. These are translated into Network Firewall rules to permit the specified traffic to reach the internet.

Tips for configuring allowed outbound access:

  • Arpio remembers your sandbox settings, including allow lists, so they will be pre-filled next time you test.
  • To allow all domains with a common suffix, prepend a '.' to the domain (e.g., ".amazonaws.com" to allow all AWS services).
  • Only IPv4 CIDR blocks are currently supported. To specify a single IP, add the /32 suffix.
  • If you have an application already in RECOVERY TEST and want to test a second application sharing the same recovery environment, the existing sandbox settings cannot be changed. Conclude the first test to modify settings, or initiate both tests at the same time with the same sandbox settings.

Monitoring Blocked Traffic

The Network Firewall is configured to send block events to CloudWatch, helping you identify additional domains or CIDR blocks that need to be allowlisted. You can view these events directly in the Arpio console by clicking "See most recent events," or in CloudWatch under the "NetworkSandboxFirewallLogs" log group. A list of commonly blocked domains is available in the Common Network Patterns reference.

For full details on the Network Sandbox, including the original security-group-based sandbox option, see the Network Sandbox documentation.

Arpio Updates the Recovery Environment

Arpio will now re-configure the recovery environment by applying the selected recovery point. In most cases, the latest recovery point was already applied, but AWS resources that have compute or storage charges are kept in a pilot-light state to save on costs. This time, those resources will be created to create a fully-functional environment.

Instantiating resources takes a few minutes, depending on how long it takes AWS to boot any servers or recover any databases. You can monitor progress in the Arpio console, or you can log into the AWS console to see additional details.

The UI updates once everything has been setup.

Test Success Screenshot

Notice that the "Last successful recovery test" message has not updated. The current test is not deemed successful until you perform any additional validation and conclude the test.

Perform Additional Validation

You now have a recovery environment running. You can perform any additional validation you deem necessary to validate that the recovery environment is functional. Arpio presents important details of resources such as DNS names and IP addresses so that you connect as necessary to validate that the application is running.

Resource Details Screenshot

Conclude Test

When you're done validating the recovery environment, click the "Conclude Test" button. The "Conclude Test" dialog appears.

Conclude Test Screenshot

Complete the dialog by selecting applications that should be concluded and specifying whether or not this test was successful. You can optionally provide notes for future reporting on test activity.

If you're testing multiple applications, and you had mixed testing results, you can conclude the applications separately and provide different details as necessary.

Once you conclude your test, Arpio will turn down AWS resources that cost money and update other resources to the latest recovery point.