Configure private VPC endpoints for Cloud Snapshot Manager (CSM) Proxy

About this task

A CSM Proxy container is created in the cloud account and region where the snapshot to be copied is present. The proxy container is created within the VPC and subnet specified in the CSM Proxy configuration for that region. The VPC can also be a shared VPC from another account.

If internet access is denied to the CSM Proxy VPC, private endpoints for specific AWS services can be enabled on the VPC so that the proxy can reach those services.

Private endpoints:

The following private endpoints must be configured: SQS, ECS, S3, ECR.API, ECR.DKR, and EBS.

  • SQS endpoint: lets the proxy communicate back with CSM
  • ECS, S3, ECR.API, and ECR.DKR endpoints: let the proxy download the Docker image from the AWS ECR private repository
  • EBS endpoint: lets the proxy read and write using the EBS direct API
NOTE:  If you are using a private ECR repository in the same region as the CSM Proxy configuration, all the private endpoints are supported. If you use the default CSM Proxy image from the Dell public repository or a private image from another AWS region, private endpoints do not work.

Following are the steps to be performed while configuring private endpoints:

Steps

  1. Pull the Docker image with the latest tag.
  2. Upload the Docker image to a private repository in the same region as the CSM Proxy configuration.
  3. Update the CSM Proxy configuration to use the private image.
  4. Create an ECS endpoint:
    1. Create an AWS Private Link interface endpoint for ECS.
      Example: com.amazonaws.us-west-1.ecs
    2. Create a custom policy to perform specific operations on ECS with resource restrictions.
             
      {
        "Statement": [
          {
            "Action": [
              "ecs:CreateCluster",
              "ecs:CreateService",
              "ecs:DeleteCluster",
              "ecs:DeleteService",
              "ecs:DescribeClusters",
              "ecs:DescribeServices",
              "ecs:DescribeTaskDefinition",
              "ecs:DeregisterTaskDefinition",
              "ecs:RegisterTaskDefinition",
              "ecs:TagResource"
            ],
            "Effect": "Allow",
            "Principal": "*",
            "Resource": [
              "arn:aws:ecs:*:*:cluster/csm*",
              "arn:aws:ecs:*:*:service/csm*/csm*"
            ]
          }
        ]
      }
  5. Create an ECR.API endpoint:
    1. Create an AWS Private Link interface endpoint for ECR.API.
      Example: com.amazonaws.us-west-1.ecr.api
    2. Create a custom policy to perform specific operations on ECR.API.
      
      {
        "Statement": [
          {
            "Action": [
              "ecr:BatchCheckLayerAvailability",
              "ecr:BatchGetImage",
              "ecr:GetDownloadUrlForLayer",
              "ecr:GetAuthorizationToken",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "*"
          }
        ]
      }
  6. Create an ECR.DKR endpoint:
    1. Create an AWS Private Link interface endpoint for ECR.DKR.
      Example: com.amazonaws.us-west-1.ecr.dkr
    2. Create a custom policy to perform specific operations on ECR.DKR.
        
      {
        "Statement": [
          {
            "Action": [
              "ecr:BatchCheckLayerAvailability",
              "ecr:BatchGetImage",
              "ecr:GetDownloadUrlForLayer",
              "ecr:GetAuthorizationToken",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Principal": "*",
            "Resource": "*"
          }
        ]
      }
  7. Create S3 endpoint:
    1. Create an AWS Private Link gateway endpoint for S3.
      Example: com.amazonaws.us-west-1.s3
  8. Create SQS endpoint:
    1. Create an AWS Private Link interface endpoint for SQS.
      Example: com.amazonaws.us-west-1.sqs
    2. Create a custom policy to perform specific operations on SQS with resource restrictions.
      
      {
        "Statement": [
          {
            "Action": [
              "sqs:CreateQueue",
              "sqs:DeleteMessage",
              "sqs:DeleteQueue",
              "sqs:ReceiveMessage",
              "sqs:SendMessage"
            ],
            "Effect": "Allow",
            "Principal": "*",
            "Resource": [
              "arn:aws:sqs:*:*:csm*"
            ]
          }
        ]
      }
  9. Create an EBS endpoint:
    1. Create an AWS Private Link interface endpoint for EBS.
      Example: com.amazonaws.us-west-1.ebs