

🔧 AWS EDR step by step (on premise to AWS and back)


Section: 🔧 Programming
🔗 Source: dev.to

Recently I was tasked to do a POC and training of the AWS disaster recovery service, AWS EDR (being an AWS partner), and while doing the POC and testing I realized that, though there is a good bit of documentation from AWS, a few points were not clearly explained. I came up with the procedure below to make the process simpler for customers to understand and follow. Kindly consult an AWS partner if you are planning to do any other setup, as there can be many architectural and budgetary benefits if you plan a deployment and go with AWS or AWS partners instead of trying it alone. Feel free to contact me too if any clarification or assistance is needed.

In our scenario we picked a VM on VMware, tested a failover from and a failback to on premise, and captured the steps and configuration details. We used the steps you are likely to need in actual setups and provided explanations where necessary.

First things first, assumptions and pre-requisites:

  1. You know and understand site-to-site VPN tunnels, have set them up and have configured connectivity.
  2. You understand security groups and routes and have configured rules and routes between on premise and the AWS VPC (in my case I had assistance from my internal security team).
  3. You have tested connectivity between on premise and the VPC by creating a test machine.
  4. Create a key pair that you can use to log in to AWS EC2; it is needed to log in to the VM after failover (this is not clearly mentioned in the documentation).
  5. Create a VPC and mark the staging and target subnets (if you don't know what staging and target subnets are, we discuss them briefly below, and the diagram below can be referred to for more details).

First let's do some copy-paste :) I see many bloggers do that to make an article look lengthy; however, I am including only the basic information with less text and will go to the actual steps after that.

What is AWS EDR (Elastic disaster recovery service)

AWS Elastic Disaster Recovery (AWS DRS) minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery.

You can increase IT resilience when you use AWS Elastic Disaster Recovery to replicate on-premises or cloud-based applications running on supported operating systems. Use the AWS Management Console to configure replication and launch settings, monitor data replication, and launch instances for drills or recovery.

Set up AWS Elastic Disaster Recovery on your source servers to initiate secure data replication. Your data is replicated to a staging area subnet in your AWS account, in the AWS Region you select. The staging area design reduces costs by using affordable storage and minimal compute resources to maintain ongoing replication.

You can perform non-disruptive tests to confirm that implementation is complete. During normal operation, maintain readiness by monitoring replication and periodically performing non-disruptive recovery and failback drills. AWS Elastic Disaster Recovery automatically converts your servers to boot and run natively on AWS when you launch instances for drills or recovery. If you need to recover applications, you can launch recovery instances on AWS within minutes, using the most up-to-date server state or a previous point in time. After your applications are running on AWS, you can choose to keep them there, or you can initiate data replication back to your primary site when the issue is resolved. You can fail back to your primary site whenever you’re ready.

How it works


[Image: AWS DRS "How it works" diagram]

Now, without wasting any time, let's get to our setup.

Architectural explanation

Below is a diagram of the connectivity when you are replicating from on premise to AWS.

[Image: connectivity diagram, on premise to AWS]

Components as per diagram:

  1. On premise datacentre: holds the original source server (I said original, because after failover the AWS EC2 instance becomes the source server).
  2. Site-to-site VPN or Direct Connect connectivity to send data to AWS.
  3. AWS regional API endpoints (which can be found here: https://docs.aws.amazon.com/general/latest/gr/rande.html).
  4. AWS staging subnet, where the replication server is created and the data disks are kept along with their snapshots.

There are two options, and the architecture depends on which option you choose. The second option is not specifically discussed in any documentation, and it is the one I have demonstrated and explained here.

There is a slight difference between Option 1 and Option 2, which I will explain once we have seen both options:

Option 1

Below is the architecture diagram for Option 1. Here we have VPN connectivity, but the AWS regional endpoints are reached using AWS PrivateLink: regional interface endpoints are created, and some of these endpoints incur extra costs. There is no internet access on the source or replication server in this case. More details are at the URL below. Since the topic is covered well there and I have tested it to be working, I haven't covered it here; however, please let me know if you need a demonstration/documentation for this option too.

https://aws.amazon.com/blogs/storage/cross-region-aws-elastic-disaster-recovery-agent-installation-in-a-secured-network/

[Image: Option 1 architecture diagram]

Option 2

The scenario demonstrated here is this option. Points to note:

  1. We enable a public IP on the replication server and keep the replication server in an internet/public subnet.
  2. Source servers must have internet access and use port 443 to connect to the DRS service endpoint in AWS over the internet. The replication server also reaches the AWS regional endpoints using its public IP, but the replication data transfer itself happens over the private network, using the site-to-site VPN. Ports can be opened only for these endpoints, with support from the internal security team.

Below is the reference for the network requirements of this architecture:

https://docs.aws.amazon.com/drs/latest/userguide/Network-Requirements.html

In the security group rules above, ICMP is added only to allow ping, and the last two rules are added to allow traffic over the VPN for data transfer consistency.
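Before installing the agent, it is worth verifying from the on-premise source server that both paths of Option 2 are open: port 443 to the regional endpoints over the internet, and the replication port to the replication server's private IP over the VPN. The script below is an added example, not code from the post or from AWS; the region, the replication server IP and the endpoint host names are assumptions to adjust against the network requirements page linked above, and TCP 1500 is the replication port from that page.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight connectivity check for the
# Option 2 layout. Run it on the on-premise source server before installing the agent.
# Assumed inputs: AWS region, and the replication server's private IP reachable over the
# site-to-site VPN (e.g. 10.20.30.40 is a placeholder). Port 443 comes from the post;
# TCP 1500 is the replication port from the AWS DRS network requirements page.
set -u

# Regional service host names the source server must reach on 443 over the internet
# (assumed list: the DRS API endpoint and the regional S3 endpoint used for downloads).
drs_endpoints() {
    region="$1"
    printf '%s\n' "drs.${region}.amazonaws.com" "s3.${region}.amazonaws.com"
}

# One line per required path: "<host> <port> <purpose>".
required_checks() {
    region="$1"; repl_ip="$2"
    for host in $(drs_endpoints "$region"); do
        printf '%s 443 agent-to-AWS-over-internet\n' "$host"
    done
    printf '%s 1500 replication-over-VPN\n' "$repl_ip"
}

# TCP connect with a timeout using bash's /dev/tcp, so nothing extra is installed.
# Prints "open" or "closed"; anything that fails to connect counts as closed.
tcp_probe() {
    host="$1"; port="$2"; timeout_s="${3:-5}"
    if timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Probe every required path and print one result line per path.
run_preflight() {
    required_checks "$1" "$2" | while read -r host port purpose; do
        printf '%s %s %s %s\n' "$host" "$port" "$purpose" "$(tcp_probe "$host" "$port")"
    done
}

# Exit status 0 only if no path reported "closed"; the output is the report.
preflight_ok() {
    report="$(run_preflight "$1" "$2")"
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q ' closed$'
}

# Usage: ./drs_preflight.sh eu-north-1 10.20.30.40
if [ "${1:-}" ] && [ "${2:-}" ]; then
    preflight_ok "$1" "$2"
fi
```

A "closed" result on the 1500 line points at the VPN routes or the replication server's security group; a "closed" result on a 443 line points at the source server's internet egress rules.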

Right-size the VM and select the instance type.

Download the agent software for Windows.

Run the installation.

For Linux, download the installer, copy it from your laptop to the Linux machine and run it.

Failover from On-premise to AWS
Select the instance under "Source servers" that you want to fail over, choose "Initiate recovery job" and start the recovery.

Follow the details in the job; the process runs automatically and the instance is launched in the AWS target subnet with the same data as on premise.

We can connect to the target/recovery instance that was failed over to AWS, confirm the data and make changes.

Failback from AWS to on premise
Follow the link below for more details:
https://docs.aws.amazon.com/drs/latest/userguide/failback-performing-main.html

We need to download the "failback ISO" and attach it to the original VM on premise; download the installer for the region you selected.

https://aws-elastic-disaster-recovery-eu-north-1.s3.eu-north-1.amazonaws.com/latest/failback_livecd/aws-failback-livecd-64bit.iso

Change the boot option to boot from the ISO; for physical servers, attach the ISO as a USB device, etc.

Provide the region and IP details (the same as the original server had before failover).

The key will be for the "failback user" with the permissions below.

The disks will be detected and the instance will start replication.

Once replication has finished we will see a message to complete the failback.

The original (on premise) server will reboot; the data can be confirmed and the server is back as the original.

...
