rstickney
Novice
Posts: 3
Liked: never
Joined: Oct 23, 2024 4:21 pm
Full Name: Ryan Stickney

EC2 helper appliance security group rules

Post by rstickney »

Hey all,

I've successfully restored a VM from our on-prem infrastructure to an EC2 instance, but to do that I had to create a security group that allows ports 22 and 443 from 0.0.0.0/0. This kind of freaks me out because that is way too permissive. Is there a way to restrict those rules to specific subnets?

Thanks!
Mildur
Product Manager
Posts: 10355
Liked: 2773 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: EC2 helper appliance security group rules

Post by Mildur »

Hi Ryan,

"from 0.0.0.0/0" is not mandatory. May I ask where you found that information?
You can manually pre-create a security group with the public IP address of your backup server + backup repository as the source address. More in our port guide. The security group can then be selected in the Restore Wizard.

Best,
Fabian
Product Management Analyst @ Veeam Software
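
An added example, not part of the thread and not Veeam code: a small audit of a helper appliance security group that flags ingress on ports 22 and 443 from any source other than the backup server and backup repository addresses. It assumes the group is in the JSON shape returned by `aws ec2 describe-security-groups`; the group ID and all addresses are constructed placeholders from documentation ranges.

```python
import ipaddress

HELPER_PORTS = (22, 443)  # ports the thread says the helper appliance needs

# Constructed sample: one rule open to the world, one restricted rule
# that also carries an open IPv6 range.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
# Assumed public addresses of the backup server and backup repository.
ALLOWED = ["203.0.113.10/32", "198.51.100.20/32"]


def covers(rule, port):
    """True if an ingress rule applies to the given TCP port."""
    if rule["IpProtocol"] == "-1":  # all protocols, all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def audit_group(group, allowed_cidrs):
    """Return (port, cidr, reason) for each source outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for port in HELPER_PORTS:
            if not covers(rule, port):
                continue
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append((port, cidr, "open to any address"))
                elif not any(net.version == a.version and net.subnet_of(a)
                             for a in allowed):
                    findings.append((port, cidr, "source not in allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit_group(SAMPLE_GROUP, ALLOWED):
        print(SAMPLE_GROUP["GroupId"], *finding)
```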

Re: EC2 helper appliance security group rules

Post by rstickney »

Hi Fabian,

Does the backup server need a public IP address? If I were to allow 22 and 443 within the security group or within the private subnet, would that be sufficient?

Thanks!

Re: EC2 helper appliance security group rules

Post by Mildur »

Hi Ryan,

Are you using AWS PrivateLink or Direct Connect for the restore? If so, then no, the backup server doesn't require direct internet access or a public IP address.

Without AWS PrivateLink or Direct Connect, your backup server/backup repository connects over the internet to the Archiver appliance. When using the internet, a public IP is always involved. Please ensure that the public IP of your on-premises internet is allowed to connect to ports 22 and 443 on the Archiver appliance (configure the security group).

Best regards,
Fabian
Product Management Analyst @ Veeam Software

Re: EC2 helper appliance security group rules

Post by rstickney »

Hi Fabian,

Everything with this configuration will be in AWS; the VBR server, helper appliance, backup repository (S3) and restore point will be in AWS. My plan is to have a documented process for restoring our VMs in the event our on-prem systems are taken down by ransomware or an explosion or something that leaves our on-prem environment unusable.