Data Protection for AWS Outposts
Now that you are considering (or have workloads running on) AWS Outposts, have you invested any time contemplating how best to protect those workloads? We'll look at some questions to consider when it comes to data protection for AWS Outposts.
The first consideration may be the easiest. Do you have an existing solution that is currently backing up AWS resources? If yes, is it "AWS Outposts Ready"?
To increase customer confidence in a solution, AWS created the AWS Outposts Ready designation to recognize solutions that have been tested and validated by AWS to work on AWS Outposts. As part of the AWS Service Ready Program, several data protection vendors such as CommVault, Veritas, Cohesity, Rubrik and N2WS have received the AWS Outposts Ready designation. Using a data protection solution that has been thoroughly tested by AWS to achieve the AWS Outposts Ready designation will provide a customer with the assurance of knowing their AWS Outposts resources can be protected effectively.
Another question to ask, or a consideration to evaluate as you select a data protection solution for AWS Outposts, is what types of services you will need to protect. Will you deploy EC2 instances to your Outpost? Amazon RDS? Amazon EKS? A mixture of these services, or perhaps all of them?
Personally, I would be surprised if any AWS Outposts Ready solution did not back up Outposts-based EC2 instances, and if running EC2 instances on Outposts is your solitary use case, any data protection solution will likely suffice. However, will you host Amazon RDS databases on your Outpost? If so, a data protection solution that is unable to back up RDS databases will not be sufficient.
You can ask the same question if you will be using, and need to protect, Amazon EKS resources. The underlying point is that prior to deploying a data protection solution for your Outpost(s), research its capabilities to ensure it aligns with your service/resource deployment strategy.
With the first two questions addressed, I'm going to assume that you have narrowed your data protection choices to those that are AWS Outposts Ready and will back up the services you plan to deploy on your Outpost. In terms of considering comprehensive data protection capabilities, take the time to scrutinize the specifics of any solution and determine the following:
- Does the solution have a centralized management and licensing structure to support ease of use with multiple AWS accounts and/or Outposts? It has been our experience that a centralized management solution is preferred, especially as an environment and organization grow over time.
- Does the solution support an RBAC-type access model? As in the previous case, the importance of this capability increases as an organization's cloud presence increases. An RBAC-type access model will allow you to assign users the specific rights they need to the specific accounts they manage to the specific data they must protect.
- Can the solution integrate with existing authentication sources like Active Directory or Okta? We have seen many of our customers benefit from this type of integration, because managing these sources is an existing, and likely very mature, skill within an organization that can be leveraged to manage access to the data and protection platform.
- Does the solution support flexible scheduling/policy models? Different resources will have different protection requirements. Does your solution allow you to back up your RDS or SQL databases every 15 minutes while also backing up domain controllers once a day? Make sure the solution can comply with your data protection policies.
- Does the solution have the capability to perform periodic tag scanning to automatically add resources to backup jobs? The last thing you want to do is create resources and then figure out, when you need to perform a restore, that you forgot to add it to a backup job or policy. A data protection solution that can perform tag scanning will spare you much heartache here. If this capability is supported, you simply assign a backup tag to a resource and upon execution of the tag scan process, that resource will be identified and then automatically added to a backup job or policy. Take N2WS for example: it can be configured to periodically scan AWS resources for the tag "cpm backup" and assuming the key has a value matching an N2WS backup policy, that resource (or resources) would automatically be added to that backup policy and protected. You would just need to make sure that you make the "cpm backup" tag mandatory for your AWS organization/environment.
- Does the solution support sending backups to other regions and/or accounts? This question, when used with AWS Outposts, may be "tricky." Why? Because some customers purchase an Outpost to keep their data within the local data center. If this is your case, then copying backups to other accounts or regions may not be allowed. Other customers obtain an Outpost to support application performance goals and if this is your use case, you may want to copy backup data to other accounts/regions. In the unlikely event that something were to happen to your local data center or Outpost, you may prefer to have an application up and available, though "slow," rather than not up at all.
- Does the solution provide good reporting/logging? Insight into the data protection solution is paramount. You must know how your data protection tasks are performing.
- Does the solution provide API/CLI access to support automation? It is no secret that automation is becoming increasingly popular within the IT community. Review the API/CLI capabilities of any data protection solution to see what can be done apart from the management GUI.
- Does the solution support data tiering/archiving? Can the solution utilize S3 and Glacier to reduce storage costs while also meeting the long-term data retention policies of your organization? Can the solution use something other than S3/Glacier as a data tiering solution? As with the question of the ability to support the copying of backups to other accounts/regions, this question could be tricky for the same reasons. Though if data locality is an important concern, Amazon S3 is now supported on AWS Outposts, which means you'll be able to take advantage of S3 while also ensuring your data remains local.
- Does the solution support crash and application-consistent backups? EC2 instance backups performed without an agent are crash consistent. Is that acceptable for your organization or do you require application-consistent backups for some workloads? There are data protection solutions that will allow you to deploy an agent onto EC2 instances should you require application-consistent backups.
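
The tag-scanning item above only protects resources that actually carry the right tag. As an added example (not from the original article and not N2WS code), this Python check audits an inventory for Outpost-hosted resources that a tag scan for "cpm backup" would skip. The policy names, resource records and Outpost ARN are constructed, and the exact-match rule for tag key and value is an assumption.

```python
"""Audit an inventory for resources a tag-driven backup scan would miss."""

BACKUP_TAG = "cpm backup"  # tag key named in the article

# Constructed sample data: policy names and resource records are made up.
# Records mimic the Tags / OutpostArn shape of EC2 describe-* output.
POLICIES = {"db-15min", "daily"}
OUTPOST = "arn:aws:outposts:us-east-1:111122223333:outpost/op-EXAMPLE"
INVENTORY = [
    {"Id": "i-0aaa", "OutpostArn": OUTPOST,
     "Tags": [{"Key": "cpm backup", "Value": "daily"}]},
    {"Id": "i-0bbb", "OutpostArn": OUTPOST,
     "Tags": [{"Key": "Name", "Value": "dc01"}]},
    {"Id": "vol-0ccc", "OutpostArn": OUTPOST,
     "Tags": [{"Key": "cpm backup", "Value": "hourly"}]},
    {"Id": "i-0ddd", "OutpostArn": OUTPOST,
     "Tags": [{"Key": "CPM Backup ", "Value": "daily"}]},
    {"Id": "i-0eee", "Tags": [{"Key": "Name", "Value": "in-region"}]},
]


def backup_gaps(inventory, policies, outpost_arn, tag_key=BACKUP_TAG):
    """Return {resource_id: reason} for Outpost resources the scan would skip.

    Assumption: the scanner needs an exact tag key and a value equal to an
    existing policy name; adjust the comparison to your product's rules.
    """
    gaps = {}
    for res in inventory:
        if res.get("OutpostArn") != outpost_arn:
            continue  # only audit resources hosted on this Outpost
        tags = {t["Key"]: t.get("Value", "") for t in res.get("Tags") or []}
        if tag_key in tags:
            value = tags[tag_key]
            if value not in policies:
                gaps[res["Id"]] = f"tag value {value!r} matches no policy"
            continue
        # A key that differs only in case or whitespace is reported, not accepted.
        near = [k for k in tags if k.strip().lower() == tag_key.lower()]
        if near:
            gaps[res["Id"]] = f"tag key {near[0]!r} is not exactly {tag_key!r}"
        else:
            gaps[res["Id"]] = "backup tag missing"
    return gaps


if __name__ == "__main__":
    for rid, reason in backup_gaps(INVENTORY, POLICIES, OUTPOST).items():
        print(f"{rid}: {reason}")
```

Running the same check on a schedule, fed from your real inventory export, catches untagged or mistagged resources before a restore is needed.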
In addition to evaluating what a data protection solution can protect, also consider the restoration capabilities of a given solution. As an example, there are data protection solutions that are able to restore individual EBS volumes and entire EC2 instances and there are solutions able to restore individual files, EBS volumes and EC2 instances. What data restoration capabilities are most important to you and your organization?
Also, consider questions/concerns related to a disaster recovery scenario:
- Do you need to have a plan for the loss of your local data center?
- Do you need a solution that can easily restore resources that were hosted on your AWS Outpost to another AWS region and/or account? Typically, the answer to these questions is "yes." In preparation for such a scenario, you will need to identify the AWS Outpost-based resources, workloads or applications that you would need to restore or recover to the AWS cloud while also defining their RPO and RTO objectives. Once defined, does your data protection solution provide a means to achieve or exceed your recovery goals?
- Do you require a solution that allows you to automate and test disaster recovery scenarios? As stated above, there are solutions that support the restoration of AWS Outpost resources to a different AWS region or a separate AWS account altogether, which enables an organization to support a pilot light or a warm standby continuity or recovery scenario. But would you like to test that capability before a DR event occurs? I would bet the answer to that question is also yes, so examine any data protection solution from the perspective of how effectively it can help you test the readiness of your disaster recovery plan. There are data protection solutions capable of performing dry run and scheduled recovery scenarios to validate the recovery process and give you confidence in your DR plan.
To summarize, consider the following when evaluating data protection solutions for AWS Outposts:
- When evaluating data protection solutions to protect AWS Outposts resources, ensure any platform you are considering is certified as AWS Outposts Ready.
- What services will be deployed on your AWS Outpost? Can your data protection solution protect those services?
- While you are evaluating data protection solutions, really scrutinize the specifics of the tool to determine its management methodology, authentication integration options, scheduling capabilities, reporting capabilities, its support for cross-account operations and its ability to use S3 and Glacier for data tiering, etc., to ensure the solution aligns with your standard operating procedures and data retention policies. Do you have a data locality policy that requires AWS Outposts hosted S3?
- If protecting EC2 instances, are crash-consistent backups sufficient or do you have workloads requiring application-consistent backups? If you require application-consistent backups, ensure your data protection solution provides a means to support this.
- What restore and/or disaster recovery capabilities do you require from your data protection solution?
Though the considerations detailed above may not be all-inclusive, they are presented as a starting point to get you thinking about data protection for AWS Outposts resources. If you would like more information or to see AWS Outposts in action within the WWT Advanced Technology Center (ATC), contact us at firstname.lastname@example.org.