To connect to an S3 bucket as a cloud library from a Media Agent (on-premises), we can use the options below:
1. AWS Direct Connect
2. VPN Gateway
3. Internet
My query is: if we are using option 3 (Internet) to connect to the S3 bucket, how can we protect/secure the S3 bucket from outside attackers or any non-authorized users accessing the S3 bucket over the internet?
Are those the exact names of the selections? I’m working with our docs team and developers on getting this updated and answered, so any clarity you can provide will help!!
The 3 options I have checked from Commvault documents.
My client wants to back up their on-premises Datacenter directly onto the Amazon S3 Cloud Storage.
We need help to provide networking: how data will travel securely and faster to the S3 bucket.
If we are using the internet, I know we will use HTTPS, which is a secure connection. To access the S3 bucket in AWS, I am not sure, as I have little knowledge of AWS: do we need to make it Public, or will Private work?
If we make it public, will it not make the S3 bucket vulnerable to the outside world, so it can get attacked by hackers etc.?
Need help with how we can secure the S3 bucket from the AWS end without affecting the backup and restore feature at the Commvault end.
Our Datacenters are in Poland, Romania, Czech Republic and Hungary. Where should we create our S3 bucket, in Frankfurt or Ireland? As our AWS is deployed in UK.
Hope you understood my query. In case of any concern we can connect; please provide your email address.
Appreciate the clarity! I’ve been talking to our devs and docs team about clarifying the documentation, though in the meantime, one of our senior devs provided this for me to share with you:
For security purposes, Commvault uses SSL connection to connect to the cloud. (Service Host option available during library configuration and seen in the Mount Path properties after configuration.)
@Mike Struening Please check the below and provide your feedback. Does the below make sense, and is there any other option that can be used to connect to the S3 bucket from on-premises? Please suggest.
As per the above diagram provided by Commvault, sending Backup and Archive data to Amazon S3 services can be achieved as below:
AWS Direct Connect
VPN Gateway
Internet
VPN Connection :- Network Traffic is routed between network segments over Public Internet, encapsulated in a secure, encrypted tunnel over the customer’s existing Internet Connection. As the connection is shared, bandwidth is limited, and regular data transfer fee applies as per the Customer’s current contract with their ISP
AWS Direct Connect :- A dedicated network link is provided at the customer’s edge network at an existing on-premises location that provides secure routing into an AWS VPC Network.
Typically, these links are less expensive when compared to a customer’s regular internet connection, as pricing is charged on a monthly dual-port fee, with all inbound and outbound data transfers included free of charge, with bandwidth from 10 Mbit/s to 10 Gbit/s.
Internet :- SD-WAN can be used to connect Amazon S3 bucket using internet. By default, data is transferred through secured channels using HTTPS protocol. We can use below link to IAM user in your AWS Account. We can use below link to create S3 buckets. For Authentication you can choose Access & Secret Keys and enter the service host specifying the region.
For security purposes, Commvault uses SSL connection to connect to the cloud. (Service Host option available during library configuration and seen in the Mount Path properties after configuration.)
If we want additional security, we can enable Software Encryption, either at the client level or storage policy level.
For this approach we need to make sure how to protect/secure S3 bucket from outside attackers or any non-authorized users accessing the S3 bucket over internet. This can be achieved by restricting access to Amazon S3 bucket using specific VPC endpoints or IP addresses. Below link can be used to achieve this.
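The restriction named in the post above (limiting the bucket to specific VPC endpoints or IP addresses, over HTTPS only) can be expressed as a bucket policy. The following is an added example, not part of the original thread or of Commvault's documentation; the bucket name, CIDR range and endpoint ID are constructed placeholders, and `is_denied` is a simplified local model of the two Deny statements, not AWS's policy evaluator.

```python
import ipaddress
import json

# Constructed placeholders, not values from the thread.
BUCKET = "example-backup-bucket"
ALLOWED_CIDRS = ["203.0.113.0/24"]   # assumed public egress range of the on-premises MediaAgent
ALLOWED_VPCES = ["vpce-0example"]    # assumed VPC endpoint ID (Direct Connect / VPN path)


def build_policy(bucket, cidrs, vpces):
    """Bucket policy that denies non-TLS requests and requests from unlisted origins."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": resources,
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnlistedOrigins", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": resources,
             # Both operators must match for the Deny to apply (logical AND).
             "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs},
                           "StringNotEquals": {"aws:SourceVpce": vpces}}},
        ],
    }


def is_denied(policy, source_ip=None, source_vpce=None, tls=True):
    """Local sanity check of the Deny statements for one request.
    A negated operator matches when its context key is absent from the request."""
    stmts = {s["Sid"]: s for s in policy["Statement"]}
    if not tls:
        return True  # DenyInsecureTransport applies to plain HTTP
    cond = stmts["DenyUnlistedOrigins"]["Condition"]
    cidrs = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
    ip_unlisted = source_ip is None or not any(
        ipaddress.ip_address(source_ip) in net for net in cidrs)
    vpce_unlisted = source_vpce not in cond["StringNotEquals"]["aws:SourceVpce"]
    return ip_unlisted and vpce_unlisted


if __name__ == "__main__":
    # Print the policy document for review before attaching it to the bucket.
    print(json.dumps(build_policy(BUCKET, ALLOWED_CIDRS, ALLOWED_VPCES), indent=2))
```

The policy only denies; the IAM user whose access and secret keys the cloud library uses still needs its own Allow for the bucket, and the bucket itself stays private with S3 Block Public Access left on. Because the Deny covers every principal, administrators working from an unlisted address are blocked as well.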