Configure CSM Proxy Network

Using Cloud Snapshot Manager, you can copy snapshots to PowerProtect DD Virtual Edition (DDVE) if you have DDVE deployed in your AWS or Azure cloud environment.

Prerequisites

CSM Proxy must be configured in the following cases:
  • The source account region from which the snapshot should be copied to DDVE.
  • The target account region where you want to restore the DDVE copy.

About this task

AWS

For AWS, configure CSM Proxy Network to specify the network where Cloud Snapshot Manager creates an AWS Fargate temporary container service, to copy snapshots to DDVE. The proxy is created in the AWS account region where the snapshots to be copied reside. The AWS cloud account used must be a role based account.

NOTE:  If you are concerned about the cost of data transfer across zones, make sure that the subnet selected within the CSM Proxy configuration is within the same DDVE zone.
Azure

For Azure, configure CSM Proxy Network to specify the network where Cloud Snapshot Manager creates an Azure container instance, to copy snapshots to DDVE. see https://learn.microsoft.com/en-us/azure/container-registry/anonymous-pull-access. Here too, the proxy is created in the Azure account region where the snapshots to be copied reside. A storage account is required to create a storage queue and to store temporary restored page blobs.

NOTE: It is recommended that you apply a firewall (in the Azure portal) for this storage account. While applying the firewall or if you already have one, do the following for DDVE copy, expiry, and restore operations to work:
  • Allow the VNet and the subnet chosen in CSM Proxy configuration within the region to access the account. This allows CSM Proxy created within the VNet and the subnet, to access storage queues within this storage account, so that it can communicate with Cloud Snapshot Manager for commands and status. Also, it enables CSM Proxy to create temporary page blobs during restore time.
  • Include Cloud Snapshot Manager's public IP address range, within the storage account's firewall IP address range. Raise a ticket with Cloud Snapshot Manager to get this public IP address range. This enables Cloud Snapshot Manager to communicate with CSM Proxy using storage queues within this storage account.

You can provide the configuration details for AWS or Azure in the CSM Proxy Network page of the Cloud Snapshot Manager portal. To understand how Cloud Snapshot Manager can be integrated with DDVE, for AWS, see Cloud Snapshot Manager integration with PowerProtect DD Virtual Edition (AWS) and for Azure, see Cloud Snapshot Manager integration with PowerProtect DD Virtual Edition (Azure).

Steps

  1. Go to Infrastructure > Cloud Accounts.
  2. In the Cloud Accounts page, do one of the following based on your requirements:
    • Click CSM Proxy next to the AWS cloud account for which you want to include proxy configuration.
    • Click CSM Proxy next to the Azure cloud account for which you want to include proxy configuration.
  3. For AWS, in the CSM Proxy Network page displayed, enter the proxy network details such as the region, Image URI (optional), VPC ID, subnet ID, and security groups (optional). Then click Add.
    See CSM Proxy Image details for more information about the Image URI field.
    You can add CSM Proxy Network for each region where you have snapshots. Shared VPCs are also supported. For shared VPC, the account might not have access to the default security group. So, the associated security group for the shared VPC must be added.
    NOTE: 

    Consider the following:

    • The subnet must either be a public or a private subnet with Network Address Translation (NAT) settings which has Internet access as CSM Proxy has to communicate with direct AWS APIs to read snapshot data.
    • If your site is using custom DNS, make sure outbound access to DNS (UDP and TCP) on port 54 and HTTPS on port 443 is allowed.
    • For the CSM Proxy Network to be able to access the DDVE Network, the security group must allow outbound connection to DDVE over port 2049 and 111.
    • For CSM Proxy to be able to access AWS EBS and SQS services, the security group must allow outbound connection to the Internet over port 443.
  4. For Azure, in the CSM Proxy Network page displayed, enter the region, resource group, Image URI (optional), network profile, and storage account. Then click Add.
    If a network profile does not exist, do the following:
    1. In the drop-down list for Network Profile, click Create new Network Profile to create a network profile.
    2. After entering the required details, click Create.
    NOTE: 
    • To copy snapshots from the Azure managed account, CSM Proxy requires a storage service endpoint. The CSM Proxy subnet must be delegated to the service Microsoft.ContainerInstance/ContainerGroups since a dedicated subnet is required for the container instance.
    • Network Profile and Storage Account must be part of same Resource Group.
  5. After adding the required proxy network details, click Save.
    After the CSM Proxy Network has been configured, you can add the DDVE appliance details to copy snapshots to.