Installing the agent on a secured network - AWS Elastic Disaster Recovery

Installing the agent on a secured network

The AWS Replication Agent installer needs network access to the AWS Elastic Disaster Recovery and Amazon S3 service endpoints. If your on-premises network does not allow outbound access to the public Elastic Disaster Recovery and S3 endpoints, you can install the agent through AWS PrivateLink, using interface VPC endpoints in your staging area subnet that are reachable over a private connection.

You can connect your on-premises network to the staging area subnet in your staging area VPC using AWS Site-to-Site VPN or AWS Direct Connect. To replicate over VPN or Direct Connect, you must also enable the private IP option (Use private IP for data replication) in the replication settings, so that the agent connects to the replication servers on their private addresses rather than public ones.

Note

This feature is not supported in the Asia Pacific (Hyderabad), Asia Pacific (Jakarta), Asia Pacific (Melbourne), Asia Pacific (Osaka), Europe (Spain), Europe (Zurich), and Middle East (UAE) Regions.

Create a VPC Endpoint for AWS Elastic Disaster Recovery

To allow the AWS Replication Agent installer to communicate with AWS Elastic Disaster Recovery, create an interface VPC endpoint for AWS Elastic Disaster Recovery in your staging area subnet. For more information, see Creating an Interface Endpoint in the Amazon VPC User Guide.

If the AWS Replication Agents are installed with a principal that uses the AWSElasticDisasterRecoveryAgentInstallationPolicy managed policy, and you attach a VPC endpoint policy to the interface endpoint to scope down access, that policy must still allow the installer's session call (which goes through execute-api rather than a drs: action). Add the following statement to your endpoint policy:

    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:<region>::*/POST/CreateSessionForDrs"
    }

Use the created VPC Endpoint for AWS Elastic Disaster Recovery

Once you have created the VPC endpoint, the AWS Replication Agent can reach Elastic Disaster Recovery over VPN/Direct Connect by using the --endpoint installation parameter. Learn more about Private DNS for interface endpoints in the Amazon VPC User Guide.

Run the AWS Replication Agent installer with the --endpoint parameter, passing the endpoint-specific DNS hostname of the interface endpoint as its value. The installer then connects to AWS Elastic Disaster Recovery through the endpoint over your VPN/Direct Connect connection instead of the public service endpoint.

Example of an interface endpoint DNS name: vpce-0123456789-abcdef.drs.<REGION>.vpce.amazonaws.com

Create an S3 Endpoint for AWS Elastic Disaster Recovery

To allow the AWS Replication Agent installer to communicate with S3, create an interface VPC endpoint for Amazon S3 in your staging area subnet. For more information, see Endpoints for Amazon S3 in the Amazon VPC User Guide.

Use the created S3 Endpoint for AWS Elastic Disaster Recovery

Once you have created the S3 interface VPC endpoint, the AWS Replication Agent can reach S3 over VPN/Direct Connect by using the --s3-endpoint installation parameter. Learn more about Private DNS for interface endpoints in the Amazon VPC User Guide.

Run the AWS Replication Agent installer with the --s3-endpoint parameter, passing the endpoint-specific DNS hostname of the S3 interface endpoint as its value. The installer then connects to S3 through the endpoint over your VPN/Direct Connect connection.

Example of an interface endpoint DNS name: vpce-0123456789-abcdef.s3.<REGION>.vpce.amazonaws.com

Preparing the AWS VPC

If the staging area subnet is a private subnet (no route to the internet), two more endpoints have to be created so that the replication servers launched there can be created and can start up:

  • EC2 interface endpoint: gives the staging area subnet private connectivity to the Amazon EC2 API

  • S3 gateway endpoint: used by the replication servers to download the replication software from S3
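The steps above, as one added example script (not code from the AWS documentation): it creates the four endpoints in the staging area subnet with the AWS CLI, attaches a scoped-down endpoint policy that carries the CreateSessionForDrs statement, looks up each endpoint's endpoint-specific DNS name, runs a connectivity pre-flight from the source server, and builds the installer command with --endpoint and --s3-endpoint. All resource IDs and the account ID are hypothetical placeholders to override from the environment; the first policy statement (drs:* limited to your own account with aws:PrincipalAccount) is an assumed scope-down, not something the page prescribes; the security group on the interface endpoints is assumed to allow TCP 443 from the on-premises CIDR; the installer binary is assumed to be already present on the source server; and the pre-flight uses curl -k because it only tests reachability (the installer validates certificates itself).

```shell
#!/bin/sh
# Added example, not AWS documentation code. Creates the VPC endpoints the
# page describes and builds the agent installer command. All IDs below are
# hypothetical placeholders; override them from the environment.
set -eu

REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                  # hypothetical account
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                  # staging area VPC
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"         # staging area subnet
ENDPOINT_SG="${ENDPOINT_SG:-sg-0123456789abcdef0}"         # must allow TCP 443 from on-prem CIDR
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-0123456789abcdef0}"  # route table of the staging subnet

# Endpoint policy for the DRS interface endpoint. Statement 1 is an assumed
# scope-down (DRS API only for principals of this account); statement 2 is the
# CreateSessionForDrs allow the page requires whenever the policy is scoped down.
drs_endpoint_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": "*", "Action": "drs:*", "Resource": "*",
      "Condition": { "StringEquals": { "aws:PrincipalAccount": "${ACCOUNT_ID}" } } },
    { "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:${REGION}::*/POST/CreateSessionForDrs" }
  ]
}
EOF
}

# Interface endpoint for a service suffix (drs, s3, ec2) in the staging subnet;
# prints the new endpoint ID. $2 is an optional endpoint policy file.
create_interface_endpoint() {
  service="com.amazonaws.${REGION}.$1"; policy="${2:-}"
  set -- --vpc-endpoint-type Interface --service-name "$service" \
         --subnet-ids "$SUBNET_ID" --security-group-ids "$ENDPOINT_SG"
  [ -z "$policy" ] || set -- "$@" --policy-document "file://$policy"
  aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" "$@" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# S3 interface endpoints list their first DNS entry as a wildcard ("*.vpce-...");
# the installer takes the bare endpoint-specific name, so drop the "*." prefix.
strip_wildcard() {
  case $1 in \*.*) printf '%s\n' "${1#??}" ;; *) printf '%s\n' "$1" ;; esac
}

# Wait until the endpoint is available, then print its endpoint-specific DNS name.
endpoint_dns() {
  while :; do
    state=$(aws ec2 describe-vpc-endpoints --region "$REGION" --vpc-endpoint-ids "$1" \
              --query 'VpcEndpoints[0].State' --output text)
    case "$state" in
      available) break ;;
      failed|rejected|deleted) echo "endpoint $1 is $state" >&2; return 1 ;;
      *) sleep 5 ;;
    esac
  done
  strip_wildcard "$(aws ec2 describe-vpc-endpoints --region "$REGION" --vpc-endpoint-ids "$1" \
      --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text)"
}

# Admin side: create all four endpoints and print the two names the installer needs.
setup_endpoints() {
  policy_file=$(mktemp); drs_endpoint_policy > "$policy_file"
  drs_vpce=$(create_interface_endpoint drs "$policy_file")
  s3_vpce=$(create_interface_endpoint s3)
  ec2_vpce=$(create_interface_endpoint ec2)            # replication servers reach the EC2 API
  aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Gateway --service-name "com.amazonaws.${REGION}.s3" \
    --route-table-ids "$ROUTE_TABLE_ID" --query 'VpcEndpoint.VpcEndpointId' --output text
  echo "ec2 endpoint: $ec2_vpce" >&2
  echo "DRS_DNS=$(endpoint_dns "$drs_vpce") S3_DNS=$(endpoint_dns "$s3_vpce")"
}

# Source-server side pre-flight: the name must resolve (to private addresses)
# and TCP 443 must be reachable over the VPN / Direct Connect path. -k because
# this is a reachability check only; the installer validates certificates itself.
check_reachable() {
  getent hosts "$1" || { echo "no DNS answer for $1" >&2; return 1; }
  curl -ksS --connect-timeout 5 -o /dev/null "https://$1/" \
    || { echo "TCP 443 to $1 failed" >&2; return 1; }
}

# Installer invocation with the page's two parameters; credentials of the
# installation principal are appended from the environment at run time.
installer_cmd() {
  printf '%s' "./aws-replication-installer-init --region $REGION --endpoint $1 --s3-endpoint $2 --no-prompt"
}

install_agent() {   # usage: install_agent <drs endpoint dns> <s3 endpoint dns>
  check_reachable "$1"; check_reachable "$2"
  sudo $(installer_cmd "$1" "$2") \
    --aws-access-key-id "$AWS_ACCESS_KEY_ID" --aws-secret-access-key "$AWS_SECRET_ACCESS_KEY"
}

if [ "${RUN_DRS_SETUP:-0}" = 1 ]; then setup_endpoints; fi
if [ "${RUN_DRS_INSTALL:-0}" = 1 ]; then install_agent "$DRS_DNS" "$S3_DNS"; fi
```

Run it twice: once with RUN_DRS_SETUP=1 from an administrative host to create the endpoints and print DRS_DNS and S3_DNS, then with RUN_DRS_INSTALL=1 on the source server (with DRS_DNS, S3_DNS and the installation principal's keys exported) to run the pre-flight and the installer. If the pre-flight resolves the endpoint name but times out, check the endpoint security group and the route from the on-premises CIDR to the staging subnet before touching the installer.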

For more information about setting up AWS Elastic Disaster Recovery with a site-to-site VPN connection, see the AWS blog post on that topic.