Minimum Required AWS Permissions
The AWS account (IAM identity) used by the ZCA must be permitted to use both S3 and EC2, including importing data from S3 into EC2. Specifically, the Zerto Cloud Appliance users must hold a minimum set of permissions in order to perform certain actions through the ZVM against AWS. These are granted in the AWS Identity and Access Management (IAM) service; permissions for IAM roles are specified by creating a policy document in JSON format. See Setting EC2 Instance Permissions in AWS.
Permissions are required for:
• Installing Zerto in AWS
• Basic functionality
• Collection of environment data
• Failover to AWS
• Failover from AWS
The following table lists the minimum required permissions, and what each permission is required for:
Permission | Required for

Minimum Required Permissions for EC2
AttachNetworkInterface | Failover to AWS
AttachVolume | Failover to AWS
AuthorizeSecurityGroupIngress | Failover to AWS
CancelConversionTask | Failover to AWS
CancelImportTask | Failover to AWS
CreateNetworkInterface | Failover to AWS
CreateSecurityGroup | Basic functionality
CreateSnapshot | Failover from AWS
CreateTags | Basic functionality
CreateVolume | Failover to AWS
DeleteNetworkInterface | Basic functionality
DeleteSecurityGroup | Basic functionality
DeleteSnapshot | Failover from AWS
DeleteTags | Basic functionality
DeleteVolume | Failover to AWS
DescribeAvailabilityZones | Collection of environment data
DescribeConversionTasks | Failover to AWS
DescribeImages | Basic functionality; Failover from AWS
DescribeInstanceAttribute | Failover from AWS
DescribeInstances | Collection of environment data
DescribeInstanceStatus | Basic functionality
DescribeNetworkInterfaces | Basic functionality
DescribeRegions | Collection of environment data
DescribeSnapshots | Failover from AWS
DescribeSecurityGroups | Collection of environment data
DescribeSubnets | Collection of environment data
DescribeTags | Failover from AWS
DescribeVolumes | Collection of environment data
DescribeVolumeStatus | Failover from AWS
DescribeVpcEndpoints | Failover from AWS
DescribeVpcs | Collection of environment data
DetachNetworkInterface | Failover from AWS
DetachVolume | Failover to AWS
ImportInstance | Failover to AWS
ImportVolume | Failover to AWS
ModifyVolume | Failover from AWS
ModifyInstanceAttribute | Basic functionality
ModifyNetworkInterfaceAttribute | Failover from AWS
RunInstances | Basic functionality
StartInstances | Failover to AWS
StopInstances | Failover to AWS
TerminateInstances | Basic functionality

Minimum Required Permissions for S3
CreateBucket | Basic functionality
DeleteBucket | Basic functionality
DeleteObject | Basic functionality
DeleteObjectVersion | Basic functionality
GetBucketLocation | Basic functionality
GetBucketPolicy | Collection of environment data
GetObject | Basic functionality
GetObjectVersion | Basic functionality
HeadBucket | Collection of environment data
ListAllMyBuckets | Basic functionality
ListBucket | Basic functionality
ListBucketMultipartUploads | Basic functionality; Failover from AWS
ListBucketVersions | Basic functionality
PutBucketTagging | Basic functionality
PutLifecycleConfiguration | Basic functionality
PutObject | Basic functionality

Minimum Required Permissions for IAM
GetPolicyVersion | Install Zerto in AWS
ListAttachedRolePolicies | Install Zerto in AWS
ListPolicyVersions | Install Zerto in AWS
PassRole | Install Zerto in AWS

Optional Permissions for CloudTrail
DescribeTrails | Collection of environment data
GetTrailStatus | Collection of environment data
LookupEvents | Collection of environment data

In a policy document these names are written with their service prefix (ec2:, s3:, iam: and cloudtrail:). Note that HeadBucket is an S3 API call rather than a separate IAM action; it is authorized by s3:ListBucket, which is already in the list. Because iam:PassRole lets the ZCA hand a role to the instances it launches, it should be restricted to the specific role ARN the ZCA needs rather than to all roles in the account.
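The following is an added example, not Zerto's own policy or code: it assembles a least-privilege IAM policy document from the permission table above and then checks it with a small offline evaluator, so you can confirm before deploying that the policy grants exactly the listed actions and nothing else. The action lists are the page's table; the bucket name pattern arn:aws:s3:::zerto-* and the role ARN are assumptions chosen for illustration, and the evaluator implements only the Allow/Deny core of IAM evaluation (no conditions, no resource policies, no permission boundaries).

```python
"""Least-privilege IAM policy for the ZCA, built from the permission table
above and checked with a minimal offline evaluator.  Added example, not
Zerto's own policy; the bucket pattern and role ARN are assumptions."""
import fnmatch
import json

# Action names from the page's table, grouped by service prefix.
EC2_ACTIONS = [
    "AttachNetworkInterface", "AttachVolume", "AuthorizeSecurityGroupIngress",
    "CancelConversionTask", "CancelImportTask", "CreateNetworkInterface",
    "CreateSecurityGroup", "CreateSnapshot", "CreateTags", "CreateVolume",
    "DeleteNetworkInterface", "DeleteSecurityGroup", "DeleteSnapshot",
    "DeleteTags", "DeleteVolume", "DescribeAvailabilityZones",
    "DescribeConversionTasks", "DescribeImages", "DescribeInstanceAttribute",
    "DescribeInstances", "DescribeInstanceStatus", "DescribeNetworkInterfaces",
    "DescribeRegions", "DescribeSnapshots", "DescribeSecurityGroups",
    "DescribeSubnets", "DescribeTags", "DescribeVolumes", "DescribeVolumeStatus",
    "DescribeVpcEndpoints", "DescribeVpcs", "DetachNetworkInterface",
    "DetachVolume", "ImportInstance", "ImportVolume", "ModifyVolume",
    "ModifyInstanceAttribute", "ModifyNetworkInterfaceAttribute",
    "RunInstances", "StartInstances", "StopInstances", "TerminateInstances",
]
# HeadBucket is authorized by s3:ListBucket, so it needs no entry of its own;
# s3:ListAllMyBuckets only accepts Resource "*" and gets a separate statement.
S3_BUCKET_ACTIONS = [
    "CreateBucket", "DeleteBucket", "DeleteObject", "DeleteObjectVersion",
    "GetBucketLocation", "GetBucketPolicy", "GetObject", "GetObjectVersion",
    "ListBucket", "ListBucketMultipartUploads", "ListBucketVersions",
    "PutBucketTagging", "PutLifecycleConfiguration", "PutObject",
]
IAM_READ_ACTIONS = ["GetPolicyVersion", "ListAttachedRolePolicies", "ListPolicyVersions"]
CLOUDTRAIL_ACTIONS = ["DescribeTrails", "GetTrailStatus", "LookupEvents"]

# Assumptions, not from the page: the buckets the ZCA may touch and the one
# role it may pass to the instances it launches.
BUCKET_ARN = "arn:aws:s3:::zerto-*"
ZCA_ROLE_ARN = "arn:aws:iam::123456789012:role/ZertoCloudApplianceRole"


def build_policy(bucket_arn=BUCKET_ARN, pass_role_arn=ZCA_ROLE_ARN):
    """Return the policy document as a dict; json.dumps() it to paste into IAM."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Ec2", "Effect": "Allow",
         "Action": [f"ec2:{a}" for a in EC2_ACTIONS], "Resource": "*"},
        {"Sid": "S3Scoped", "Effect": "Allow",
         "Action": [f"s3:{a}" for a in S3_BUCKET_ACTIONS],
         "Resource": [bucket_arn, bucket_arn + "/*"]},
        {"Sid": "S3ListAll", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "IamRead", "Effect": "Allow",
         "Action": [f"iam:{a}" for a in IAM_READ_ACTIONS], "Resource": "*"},
        # iam:PassRole on "*" would let the ZCA attach any role in the
        # account to an instance it launches; scope it to the one role.
        {"Sid": "PassZcaRoleOnly", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": pass_role_arn},
        {"Sid": "CloudTrailOptional", "Effect": "Allow",
         "Action": [f"cloudtrail:{a}" for a in CLOUDTRAIL_ACTIONS],
         "Resource": "*"},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    # IAM action names are case-insensitive; ARNs are matched as written.
    # '*' and '?' in a policy element are wildcards.
    patterns = _as_list(patterns)
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants the request, otherwise it is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, fold=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

Run the file to print the JSON document for the IAM console or `aws iam create-policy`. The evaluator is useful for a quick regression check of the policy (for example that ec2:DeleteVpc is not granted and that iam:PassRole only works for the ZCA role); for the authoritative answer use the IAM policy simulator against the real principal.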
See also:
Requirements for Replication To AWS
AWS Minimum Quota Requirements for Recovery in AWS
Default AWS Limitations which Affect Recovery in AWS
AWS Minimum Quota Requirements for Recovery in AWS
The following is a list of the minimum quota requirements when replicating to AWS, activating Reverse Protection and also failing back from AWS.

Resource | Resource usage (purpose) | Minimum quota
m5.large instances* | Virtual machines when preparing for recovery to AWS | The number of protected VMs configured in the VM settings of the VPG to recover in AWS as m5.large instances
m5.large instances* | zSAT instances | When replicating to AWS: 2x the number of protected disks planned to be recovered in the AWS region. When replicating from AWS: 2x the number of protected EBS disks within the region
m5.large instances* | zASA instance | 1 per ZCA
*For information about AWS instance type limits, refer to AWS documentation.

Storage from gp2 disk type* | zSAT instances | gp2 EBS disks total size (in GiB). When replicating to AWS: 2x the total size of the protected disks planned to be recovered in the AWS region. When replicating from AWS: 2x the total size of the protected EBS disks within the region
Storage from gp2 disk type* | zASA instance | gp2 EBS disk size (in GiB)
*For information about default limits, refer to AWS documentation.

Network interfaces (ENIs) | Virtual machines when preparing for recovery to AWS | The number of ENIs should correspond to the number of protected VMs configured to recover in AWS
Network interfaces (ENIs) | zSAT instances | When replicating to AWS: 2x the number of protected disks planned to be recovered in the AWS region. When replicating from AWS: 2x the number of protected EBS disks within the region
Network interfaces (ENIs) | zASA instance | 1 ENI

Available IPs within the ZCA subnet | zSAT instances, zASA instance, zImporters | SATs, zASA and zImporters are connected to the ZCA's subnet, so the subnet must have free addresses for all of them.

See also: AWS Defaults which Affect Installation, Protection and Recoverability
Default AWS Limitations which Affect Recovery in AWS
• Only virtual machines that are supported by AWS can be protected by Zerto. Refer to AWS documentation for the supported operating systems.
• A VPC must exist, and a security group and subnet must be assigned to it and to every other VPC you want to use for recovered virtual machines.
• AWS allocates EBS volumes in multiples of 1 GiB. When recovering VMs to AWS whose volume sizes are not whole multiples of 1 GiB, AWS rounds the recovered volumes to the nearest GiB, resulting in a size mismatch between the recovered and protected volumes. In this case the original protected disks cannot be used for preseed and the VMs are recovered in the Needs Configuration state.
• The following limitations apply when protecting to AWS:
  • For Linux, AWS supports virtual machines with up to 40 volumes, including the boot volume.
  • For Windows, AWS supports virtual machines with up to 26 volumes, including the boot volume.
  • C5/M5 instances have 28 available device slots, and each volume and each NIC uses one slot, so the volume and NIC counts together must fit within 28. Windows supports up to 26 volumes. For more information, see Elastic Network Interfaces.

OS | Boot volumes | Additional volumes
Linux | 2047 GiB* | 16 TB
Windows | 2047 GiB* | 16 TB
* Some VMs use the MBR partitioning scheme, which only supports boot volumes of up to 2047 GiB. If your instance does not boot with a boot volume of 2 TB or larger, the VM you are using may be limited to a 2047 GiB boot volume. See the relevant AWS documentation for more information: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

It is strongly recommended to perform a Failover Test to ensure that the recovered instance runs successfully on AWS.
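The quota table and the recovery limitations above are the kind of thing that is easiest to get wrong by hand before a failover test. The following is an added example, not Zerto code: a pre-failover check that takes a list of protected VMs (the records below are constructed sample input; the field names name, os, instance_type, nics and volumes are assumptions of this example) and reports which VMs would exceed the per-OS volume limit, the 28-slot limit of C5/M5 instances or the 2047 GiB MBR boot limit, which volumes would be rounded because they are not whole GiB, and what the resulting minimum quotas for m5.large instances, zSAT instances, gp2 storage and ENIs are for replication to AWS, using the multipliers from the table. The zASA gp2 disk size is not given on the page, so it is not computed.

```python
"""Pre-failover check of the AWS recovery limits and quota sizing above.
Added example, not Zerto code; the VM records are constructed sample input."""
GIB = 1024 ** 3
MAX_VOLUMES = {"linux": 40, "windows": 26}   # including the boot volume
MBR_BOOT_LIMIT_GIB = 2047                     # MBR partitioning limit
NITRO_DEVICE_SLOTS = 28                       # C5/M5: each volume and NIC uses one


def check_vm(vm):
    """Return a list of findings for one VM to be recovered to AWS.

    vm: {"name": str, "os": "linux" | "windows", "nics": int,
         "volumes": [size_in_bytes, ...]}  (boot volume first)
    """
    findings = []
    vols = vm["volumes"]
    for i, size in enumerate(vols):
        if size % GIB:
            findings.append(f"volume {i} is {size} bytes, not a whole GiB: AWS "
                            "rounds it, preseed from the original disk is not "
                            "possible and the VM recovers in Needs Configuration")
    limit = MAX_VOLUMES[vm["os"]]
    if len(vols) > limit:
        findings.append(f"{len(vols)} volumes exceeds the {limit}-volume "
                        f"limit for {vm['os']}")
    if len(vols) + vm["nics"] > NITRO_DEVICE_SLOTS:
        findings.append(f"{len(vols)} volumes + {vm['nics']} NICs exceeds the "
                        f"{NITRO_DEVICE_SLOTS} device slots of a C5/M5 instance")
    if vols and vols[0] > MBR_BOOT_LIMIT_GIB * GIB:
        findings.append("boot volume is larger than 2047 GiB and will not boot "
                        "if the guest uses MBR partitioning")
    return findings


def quota_requirements(vms):
    """Minimum quotas for recovering `vms` into one AWS region (replication
    to AWS), using the multipliers from the quota table above."""
    disks = sum(len(v["volumes"]) for v in vms)
    total_bytes = sum(sum(v["volumes"]) for v in vms)
    total_gib = -(-total_bytes // GIB)  # ceiling division
    return {
        "m5_large_instances": sum(1 for v in vms if v["instance_type"] == "m5.large"),
        "zsat_instances": 2 * disks,
        "zasa_instances": 1,  # 1 per ZCA
        "gp2_gib_for_zsat": 2 * total_gib,
        "enis_for_recovered_vms": len(vms),
        "enis_for_zsat": 2 * disks,
        "enis_for_zasa": 1,
    }


# Constructed sample input: one clean VM and one that trips three limits.
SAMPLE_VMS = [
    {"name": "web01", "os": "linux", "instance_type": "m5.large", "nics": 1,
     "volumes": [40 * GIB, 200 * GIB]},
    {"name": "db01", "os": "windows", "instance_type": "m5.large", "nics": 2,
     "volumes": [100 * GIB, 50 * GIB + 512] + [50 * GIB] * 25},
]

if __name__ == "__main__":
    for vm in SAMPLE_VMS:
        for finding in check_vm(vm) or ["ok"]:
            print(f"{vm['name']}: {finding}")
    for key, value in quota_requirements(SAMPLE_VMS).items():
        print(f"{key}: {value}")
```

Run it against an export of the VPG's VM settings and fix every finding before the failover test; the quota figures are what to compare against the account's current limits (see the defaults listed in AWS Defaults which Affect Installation, Protection and Recoverability).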
Requirements for Replication From AWS
AWS Minimum Quota Requirements for Replication From AWS
Limitations when Replicating From AWS
AWS Minimum Quota Requirements for Replication From AWS
The following is a list of the minimum quota requirements when protecting your workload in AWS.

Resource | Resource usage (purpose) | Minimum quota
m5.large instances* | zSAT instances | When replicating from AWS: 2x the number of protected EBS disks within the region
m5.large instances* | zASA instance | 1 per ZCA
*For information about AWS instance type limits, refer to AWS documentation.

Storage from gp2 disk type* | zSAT instances | gp2 EBS disks total size (in GiB). When replicating from AWS: 2x the total size of the protected EBS disks within the region
Storage from gp2 disk type* | zASA instance | gp2 EBS disk size (in GiB)
*For information about default limits, refer to AWS documentation.

Network interfaces (ENIs) | zSAT instances | When replicating from AWS: 2x the number of protected EBS disks within the region
Network interfaces (ENIs) | zASA instance | 1 ENI

Available IPs within the ZCA subnet | zSAT instances, zASA instance, zImporters | SATs, zASA and zImporters are connected to the ZCA's subnet, so the subnet must have free addresses for all of them.

See also: AWS Defaults which Affect Installation, Protection and Recoverability
Limitations when Replicating From AWS
• Zerto cannot protect AWS instance store disks (temporary disks).
• AWS does not guarantee consistency across volumes: cross-volume consistency is guaranteed only when applications are paused or when snapshots are taken on a powered-off instance. Therefore, use the Move operation to ensure cross-volume consistency when recovering workloads from AWS, and to test the result use Move and verify the recovered workload before committing.
AWS Defaults which Affect Installation, Protection and Recoverability
Below are the default AWS limitations which affect installation and recovery.
Default AWS Limitations which Affect Installation
Default AWS Limitations which Affect Protection and Recoverability

Default AWS Limitations which Affect Installation
• Number of buckets: 100 per account

Default AWS Limitations which Affect Protection and Recoverability
• EC2 and VPC limitations:
  • Network interfaces per region: 350
  • NICs per instance: depends on instance size
  • EBS disks per account: 5,000
  • Total volume storage of Magnetic volumes: 20 TiB
  • Max EBS volume size, magnetic type: 1024 GiB (1 GiB == 1024^3 bytes)
  • Concurrent Import-Instance tasks: 5 tasks per account