
Cyber Recovery on AWS

Frequently Asked Questions

How do we access the AMI and CloudFormation template?

Send email to:

Cyber Recovery Cloud Request at cyberrecoverycloudrequest@dell.com

Include the following information:

• Customer name (for identification)

• Salesforce Opportunity ID/Sales Order number

• AWS region in which to deploy the Cyber Recovery solution (required to provide
the correct AMI and CloudFormation template)

• AWS Account ID (required for access to the Cyber Recovery AMI)

• AWS User Canonical ID (for access to the S3 bucket where the CloudFormation
template is stored)

What are the prerequisites before deploying the CloudFormation stack?

1. Create key pairs for the:

• DDVE instance

• Cyber Recovery management host instance

• Jump host instance

Create a single key pair for all the instances or individual key pairs for each instance.

2. Subscribe to DDVE 7.4.0.5 and the jump host (Windows Server 2019 CIS Level 2).

As a part of the stack deployment, which AMI instances are deployed?

• Cyber Recovery Management Host (SUSE Linux Enterprise Server 12)

• Data Domain Virtual Edition (DDVE DDOS 7.4.0.5)

• Jump Host CIS Microsoft Windows Server 2019 Benchmark - Level 2

What do we need to configure manually in AWS after a successful stack deployment?

After the stack deployment installs the Cyber Recovery software, reset the Cyber
Recovery security account (crso) user, MongoDB, and lockbox passwords:

crsetup.sh --reset

Configure DDVE manually to enable the object store profile, add a disk to the active
tier, and create the file system. See the PowerProtect DD Virtual Edition on Amazon
Web Services Installation and Administration Guide.

Why do we use S3 instead of sending the yaml file to PS/Consulting?

We want to keep the distribution consistent with AMI sharing and to track the accounts
enrolling for the Cyber Recovery on AWS solution.

Where do I run sudo crsetup.sh?

The Cyber Recovery software is installed silently when the stack is deployed. Run the
crsetup.sh --reset command from the Cyber Recovery instance in AWS using
the command prompt on the jump host. The stack deployment installs the jump host.

What happens when I click Secure Vault?

The Cyber Recovery vault is isolated because the replication context and replication
interface on the VPC Data Domain system are disabled. Also, the security groups and
network ACLs isolate the vault by not accepting traffic from the production Data
Domain system running on-premises or on AWS.

Has the CyberSense feature been tested with Cyber Recovery on AWS?

For this release, the CyberSense feature is not supported. Support is planned for the
next release in FY-22Q1.

Has there been third-party penetration testing for Cyber Recovery on AWS?

No.

Will Sheltered Harbor certify Cyber Recovery on AWS?

No. The Sheltered Harbor specification requires the equivalent of Retention Lock
Compliance mode. Because DDVE on AWS does not support Retention Lock
Compliance mode, Sheltered Harbor is not supported with Cyber Recovery on AWS.

Are we waiting for finalization of Sheltered Harbor testing and
certification before version 19.7 is released?

Yes. We have confirmation for Sheltered Harbor support with Cyber Recovery on AWS
before 19.7 RTS (2/2).

Which accounts/hosts have access to the Cyber Recovery vault after deployment?

Hosts—During stack deployment, production clients are specified using a single IP
address or a range of IP addresses.

Users—After the jump host is deployed, create other user accounts that can log in to
the jump host from one of the hosts.

Can the crso dynamically add accounts and hosts that have
access to the Cyber Recovery vault?
The Cyber Recovery security account (crso) is created automatically after the Cyber
Recovery software installation. The crso can create multiple admin accounts to access
the Cyber Recovery UI and CLI. Those accounts can only access the Cyber Recovery
software.

For hosts to access the Cyber Recovery vault through the jump host, provide
information under the Production Client option during stack deployment. For users,
other than default administrator, to access the Cyber Recovery vault through the jump
host, create the user locally on the jump host.

Is a public IP address required to set up Cyber Recovery on AWS?
No. A public IP address is not advised and is not required. We recommend that the
customer has a VPN connection between the on-premises and AWS environments to
access the jump host.

Is the Cyber Recovery solution supported on Azure?


No. Currently, the Cyber Recovery solution is not supported on Azure.

Are Avamar, Networker, or PowerProtect Data Manager
integrated into the architecture?
Yes. The customer can deploy and use the Avamar, Networker, and PowerProtect
Data Manager applications.

The reverse Sync feature allows customers to transfer a copy to the on-premises
environment and restore it.

Which accounts can modify the configuration?


The only way to access the Cyber Recovery vault and software is through the jump
host. By default, only the administrator user can use RDP to access the jump host from
the defined production workstation and access the Cyber Recovery vault.

Can the crso modify the configuration?


Yes, the Cyber Recovery security account (crso) user can modify the Cyber Recovery
configuration. The crso cannot delete any copies from the Data Domain system that
are retention locked.

Is Cyber Recovery on AWS supported in AWS GovCloud?


No.

Why does the Cyber Recovery software run on SUSE Linux?


DPS OVAs are based on SUSE Linux.

Do we provide recommendations for bandwidth between the on-premises and AWS environments?
We need the BRDC team’s approval or recommendations when designing the solution.

Must we have the same DDVE code for the on-premises and
the AWS environments?
Ensure that you check the MTree replication compatibility between the on-premises
Data Domain system and the DDVE running in the Cyber Recovery vault.

Do we recommend using Cyber Recovery on AWS over Cyber Recovery deployed on-premises?
No. Cyber Recovery on AWS is an additional option that customers have for designing
their isolated vault environment.

What regions are supported for Cyber Recovery on AWS?
Currently, the CloudFormation template and AMI can only be deployed in northern
Virginia and Ohio. In the future, we will be limited to the regions to which DDVE is
limited.

We recommend that customers use the closest region if possible.

Do we support using existing AWS VPCs?


No. You cannot use existing VPCs and existing subnets in the customer environment.

The stack deployment creates a new VPC and subnets that are dedicated to the Cyber
Recovery vault.

Do we have separate data and management IP addresses for the DDVE instance in the Cyber Recovery vault?
Yes. Two IP addresses in the same subnet are assigned to the DDVE instance in the
Cyber Recovery vault:

• ethV0—Management traffic

• ethV1—Replication traffic

Does the stack deployment provide Data Domain hardening?


Required security groups and network ACLs, which provide restrictive access to DDVE,
are automatically created. You can perform additional hardening manually on the
DDVE instance after initial setup.

Does the stack deployment provide connectivity between the DDVE instance and the S3 bucket?
Yes.

Can we have more than two subnets in the Cyber Recovery vault?
No. We provide only two subnets in the Cyber Recovery vault:

• One subnet for the jump host

• One subnet for DDVE and the Cyber Recovery management host
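
The vault layout stated in this FAQ (no public IP addresses, two private IP addresses in one subnet for DDVE, and exactly two subnets split between the jump host and the DDVE/management host) can be checked after the stack deploys. The Python below is an added example, not Dell code; it reads JSON shaped like `aws ec2 describe-instances` output, and the "Role" tag, its values, and all sample IDs and addresses are constructed assumptions.

```python
# Added example: the "Role" tag and its values are hypothetical, not from the product.
def make_nic(subnet, ip, public=None):
    nic = {"SubnetId": subnet, "PrivateIpAddresses": [{"PrivateIpAddress": ip}]}
    if public:
        nic["Association"] = {"PublicIp": public}
    return nic

def make_instance(role, nics):
    return {"InstanceId": f"i-{role}", "Tags": [{"Key": "Role", "Value": role}],
            "NetworkInterfaces": nics}

# Constructed sample (IDs and addresses are made up) that matches the FAQ layout.
GOOD = {"Reservations": [{"Instances": [
    make_instance("jump-host", [make_nic("subnet-jump", "10.0.1.10")]),
    make_instance("cr-mgmt", [make_nic("subnet-vault", "10.0.2.10")]),
    make_instance("ddve", [make_nic("subnet-vault", "10.0.2.20"),
                           make_nic("subnet-vault", "10.0.2.21")]),
]}]}

def audit_vault(doc):
    """Return findings; an empty list means the layout matches the FAQ."""
    findings, subnet_of = [], {}
    for inst in (i for r in doc["Reservations"] for i in r["Instances"]):
        role = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Role"),
                    inst["InstanceId"])
        nics = inst.get("NetworkInterfaces", [])
        subnet_of[role] = {n["SubnetId"] for n in nics}
        # FAQ: a public IP address is not advised and is not required.
        if inst.get("PublicIpAddress") or any(
                n.get("Association", {}).get("PublicIp") for n in nics):
            findings.append(f"{role}: public IP address assigned")
        # FAQ: DDVE gets two IP addresses (ethV0, ethV1) in the same subnet.
        if role == "ddve":
            addrs = [p["PrivateIpAddress"] for n in nics
                     for p in n.get("PrivateIpAddresses", [])]
            if len(addrs) != 2 or len(subnet_of[role]) != 1:
                findings.append("ddve: expected two private IPs in one subnet")
    # FAQ: two subnets only, one for the jump host, one for DDVE and the mgmt host.
    used = set().union(*subnet_of.values())
    if len(used) != 2:
        findings.append(f"vault uses {len(used)} subnets, expected 2")
    if subnet_of.get("ddve") != subnet_of.get("cr-mgmt"):
        findings.append("ddve and cr-mgmt are not in the same subnet")
    if subnet_of.get("jump-host", set()) & subnet_of.get("ddve", set()):
        findings.append("jump-host shares a subnet with ddve")
    return findings

if __name__ == "__main__":
    print(audit_vault(GOOD) or "layout matches the FAQ")
```
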

Do we support Data Domain HA with the Cyber Recovery vault?
No. Data Domain HA is only supported on physical Data Domain systems.

Must customers use a new AWS account or an existing
account to deploy the CloudFormation stack?
You can use existing accounts; however, we recommend that you use new accounts
so that root accounts are not used in the Cyber Recovery vault.

Do we support AWS Simple Email Service (SES)?


Yes. Amazon SES sends one-way email notifications to customers for any alert
notifications.

Does the replication traffic go over the AWS VPN to the private subnet that contains DDVE?
Yes. Replication traffic goes over the VPN to DDVE ethV1.

Can we use CloudFormation to create CloudWatch policies to monitor the Cyber Recovery environment?
No. This functionality is planned for future releases.

How does recovery work in Cyber Recovery on AWS?


Use the reverse Sync feature to send data to the on-premises Data Domain system
and then recover it. If the on-premises Data Domain system is unavailable, you can
use any alternate Data Domain system to perform a reverse Sync to move the data from
the Cyber Recovery vault.

You can find a comprehensive list of documentation for this solution at the Dell EMC
PowerProtect Cyber Recovery Info Hub.

Dell Technologies welcomes your feedback on the solution and the solution documentation.
Contact the Dell Technologies Solutions team by email or provide your comments by completing
our documentation survey.

Contact us
To learn more, contact your local
representative or authorized reseller.

The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect to the information in this
publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any
software described in this publication requires an applicable software license.
Copyright © 2021 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell
Inc. or its subsidiaries. Intel, the Intel logo, the Intel Inside logo and Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. Other
trademarks may be trademarks of their respective owners. Published in the USA February 2020 FAQ H18638.
Dell Inc. believes the information in this document is accurate as of its publication date. The information is subject to change without notice.
Author: Raghav Sachdeva
Contributor: Penelope Howe-Mailly