Deploying secure backup on to the Cloud
Lahav Savir
• 15 years in on-line industry
• Architect and CEO @ Emind Systems (est. 2006)
• AWS solution provider
• Over 30 AWS customers
Hobbies (that’s the . . .)
• MTB cycling
• Mountain hiking
Backup scenarios
On premises to off-site
• File servers
• Backup files
• Data base dumps archiving
• Disaster recovery
On the cloud to other site
• File servers
• Large data volumes
• Data base dumps
• Large S3 buckets
Storage scenarios
Storage appliances
• NFS
• CIFS
Disks & Servers
• Windows shares
• Linux exports
• Linux servers
• Sun exports
Requirements
Backup
• Keep a replica of the data off-site
• Keep history of the data for X previous months
• Secure transfer
• Encryption of data sets
• Large files
• Delta transfer
Deployment
• Don’t impact existing setup
• Don’t install any SW on servers
• No additional hardware
Few more . . .
• Control bandwidth throughput
• Visibility and monitoring
• Simplicity
• Keep the costs down
– License
– Traffic
– Storage
Alternatives
• Windows
– Virtual drive to S3
– Sync application
– Cygwin / delta copy
• Linux
– s3fs (fuse)
– s3cmd
• Storage built-in integration to S3
– No monitoring
– No visibility to status
– No bandwidth control
– No feedback
Simple solution
• Sync Manager
– Linux appliance
– cifs-utils
– rsync
– s3cmd
– tc (traffic controller)
– net-snmp
– curl
Sync Configuration
• rsync (filer to filer)
rsync;/filer/data1/; [email protected]:/data1/A
rsync;/filer/data2/; sync@porticor_vpd:/data2
• s3 (filer to s3 with / without VPD)
s3;/var/www/wordpress/;s3://bucket1/wordpress-d/;--no-delete-removed
s3;/mnt/srv1/;s3://bucket2/
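The config lines above follow a simple "type;source;destination[;extra options]" layout. The POSIX shell snippet below is an added example (not code from the slides or from Emind's Sync Manager) that parses such lines into the rsync or s3cmd command the appliance would run, skips comments, and counts failed jobs. The rsync flags (-az --delete --partial over SSH) and the use of "s3cmd sync" are my assumptions; the slides only name the tools.

```shell
#!/bin/sh
# Added example, not from the slides: build and run Sync Manager style jobs
# from "type;source;destination[;extra options]" config lines.
# Assumed: rsync over SSH with -az --delete --partial, S3 jobs via "s3cmd sync".

# Print one semicolon-separated field with surrounding blanks removed.
field() {
    printf '%s' "$1" | cut -d';' -f"$2" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Print the command for one config line; fail on an unknown job type.
build_sync_cmd() {
    line=$1
    kind=$(field "$line" 1)
    src=$(field "$line" 2)
    dst=$(field "$line" 3)
    extra=$(field "$line" 4-)          # everything after the third ';'
    case $kind in
        rsync) cmd="rsync -az --delete --partial -e ssh $src $dst" ;;
        s3)    cmd="s3cmd sync $src $dst" ;;
        *)     printf 'unknown sync type: %s\n' "$kind" >&2; return 1 ;;
    esac
    if [ -n "$extra" ]; then
        cmd="$cmd $extra"              # e.g. --no-delete-removed for s3cmd
    fi
    printf '%s\n' "$cmd"
}

# Walk a config file: blank lines and '#' comments are skipped. With
# SYNC_DRY_RUN=1 the commands are only printed; otherwise each one is run.
# The exit status is the number of jobs that failed to build or to run.
run_sync_config() {
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        cmd=$(build_sync_cmd "$line") || { failed=$((failed + 1)); continue; }
        if [ "${SYNC_DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd" || failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}
```

Run it with SYNC_DRY_RUN=1 first to review exactly which rsync and s3cmd invocations the config produces; the non-zero exit status on failed jobs is what a cron wrapper or the monitoring hook can act on.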
Bandwidth control
• Tag user traffic
iptables -t mangle -A OUTPUT -m owner --uid-owner $SYNCMGR_UID -j MARK --set-mark 0x1
• Create root qdisc for eth0
$TC qdisc add dev $IF root handle 1: htb default 30
• Add a class (bucket) with bandwidth restrictions
$TC class add dev $IF parent 1: classid 1:2 htb rate $MAXRATE
• Then add a filter to force packets through the class
$TC filter add dev $IF protocol ip parent 1:0 prio 1 handle 1 fw classid 1:2
Tip: use iftop to see it in action
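The four steps above wrapped into one script, as an added example (not a script from the slides or from the Sync Manager appliance): setup, teardown and status functions, and a DRY_RUN mode that prints the iptables and tc commands instead of applying them, so the rules can be reviewed before they touch a live interface. The interface, rate and uid values are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: shape only the sync user's outbound
# traffic with an fwmark plus an HTB class. Defaults are placeholders.
IF=${IF:-eth0}
MAXRATE=${MAXRATE:-2mbit}
SYNCMGR_UID=${SYNCMGR_UID:-1001}
TC=${TC:-/sbin/tc}
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# Print the command when DRY_RUN=1, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

shaper_setup() {
    # 1. Mark every packet generated by the sync user (mark 0x1).
    run "$IPT" -t mangle -A OUTPUT -m owner --uid-owner "$SYNCMGR_UID" -j MARK --set-mark 0x1
    # 2. Root HTB qdisc. No class 1:30 is created, so unmarked traffic from the
    #    rest of the host is dequeued unshaped rather than capped.
    run "$TC" qdisc add dev "$IF" root handle 1: htb default 30
    # 3. The class (bucket) that caps the sync traffic at MAXRATE.
    run "$TC" class add dev "$IF" parent 1: classid 1:2 htb rate "$MAXRATE"
    # 4. Steer packets carrying fwmark 1 into class 1:2.
    run "$TC" filter add dev "$IF" protocol ip parent 1:0 prio 1 handle 1 fw classid 1:2
}

# Remove the qdisc (which drops its classes and filters) and the mark rule.
shaper_teardown() {
    run "$TC" qdisc del dev "$IF" root
    run "$IPT" -t mangle -D OUTPUT -m owner --uid-owner "$SYNCMGR_UID" -j MARK --set-mark 0x1
}

# Per-class byte and packet counters: confirms the sync traffic really lands in 1:2.
shaper_status() {
    run "$TC" -s class show dev "$IF"
}

case ${1:-} in
    up)     shaper_setup ;;
    down)   shaper_teardown ;;
    status) shaper_status ;;
esac
```

Usage: `DRY_RUN=1 sh shaper.sh up` to print the rules, then run it as root without DRY_RUN; `sh shaper.sh status` shows the class counters, which together with iftop confirms that only the sync user's traffic is being capped.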
Monitoring
## SNMP params
SNMPTRAP=true
SNMPTRAP_HOST=nms_server
SNMPTRAP_PORT=162
SNMPTRAP_COMMUNITY=public
SNMPTRAP_OID=.1.3.6.1.4.1.39731.2101
## support_router
SUPPRTR_NOTIF=true
SUPPRTR_PROJECT="SupportDispatcher"
SUPPRTR_SYNCMGR_CLIENT=Emind
SUPPRTR_BASEURL=https://support.emind.co/support_router/public/api.php
## snmpd.conf
rocommunity public
# send all Emind Enterprise ID requests to the subagent
pass .1.3.6.1.4.1.39731 /usr/local/emind/snmp_subagent
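How the SNMPTRAP_* parameters above turn into a trap on the NMS, as an added example (not code from the slides or from the Sync Manager appliance): a function that builds the net-snmp `snmptrap` command for one job result, honouring the SNMPTRAP on/off switch. The two varbinds under the enterprise OID (.1 for the job name, .2 for the status) are my assumption; the slide defines only the trap OID itself.

```shell
#!/bin/sh
# Added example, not from the slides: send a Sync Manager style job result
# as an SNMPv2c trap using the SNMPTRAP_* parameters from the config.
# Assumed varbinds: <SNMPTRAP_OID>.1 = job name, <SNMPTRAP_OID>.2 = status.
SNMPTRAP=${SNMPTRAP:-true}
SNMPTRAP_HOST=${SNMPTRAP_HOST:-nms_server}
SNMPTRAP_PORT=${SNMPTRAP_PORT:-162}
SNMPTRAP_COMMUNITY=${SNMPTRAP_COMMUNITY:-public}
SNMPTRAP_OID=${SNMPTRAP_OID:-.1.3.6.1.4.1.39731.2101}

# Print the snmptrap command for one job ("ok" or "failed").
# Returns 1 without output when traps are disabled in the config.
build_trap_cmd() {
    job=$1
    status=$2
    [ "$SNMPTRAP" = true ] || return 1
    # '' as the uptime argument lets snmptrap fill in the agent's own sysUpTime.
    printf "snmptrap -v 2c -c %s %s:%s '' %s %s.1 s '%s' %s.2 s '%s'\n" \
        "$SNMPTRAP_COMMUNITY" "$SNMPTRAP_HOST" "$SNMPTRAP_PORT" \
        "$SNMPTRAP_OID" "$SNMPTRAP_OID" "$job" "$SNMPTRAP_OID" "$status"
}

# Send the trap; with TRAP_DRY_RUN=1 only print it. Disabled traps are a no-op.
send_trap() {
    cmd=$(build_trap_cmd "$1" "$2") || return 0
    if [ "${TRAP_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        eval "$cmd"
    fi
}
```

A sync wrapper calls `send_trap data1 failed` (or `ok`) after each job. SNMPv2c carries the community string in clear text, so the trap path belongs on the management network or inside the VPN described later, not across the public Internet.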
Cloud backup hosts
• ec2 instance (Linux server)
– EBS volumes
• s3 buckets
• Porticor VPD
– EBS volumes
– S3 proxy
Hosting on the cloud
• Public cloud
– Instance behind security groups with SSH keys
• VPC
– Instance behind VPN
• AWS VPN Gateway
• IPSec with CheckPoint in the VPC
• IPSec with Swan in the VPC
• SSL VPN with OpenVPN in the VPC
Restoring
• rsync back from storage
rsync ; [email protected]:/data1/A ; /filer/data1/
• s3cmd
s3cmd get s3://bucket2/file /path/to/restore/file
Summary
• Simple and open solution
• No impact on customer infrastructure
• No additional HW required
• Control with full visibility
• Fully integrated with NMS
• Reliable
• Secure
AWS Tips
• Don’t forget to set AWS console to MFA
• Setup a VPN to your AWS server
• No public SSH
• Monitor traffic coming into your servers
• Multi-region / AZ for high availability
• Use ec2 tools
• Backup backup backup . . .