Simplifying AWS Native Protection with Rubrik Polaris
Why Polaris for AWS?
Last year, Rubrik introduced the world to Polaris, our innovative SaaS offering for a new breed of data management apps. Our first Polaris app was Polaris GPS, which provides customers with centralized management and monitoring of their globally-distributed Rubrik infrastructure. We quickly followed that up with our second application, Polaris Radar, which leverages machine learning to help customers detect and recover from ransomware.
However, with organizations driving cloud adoption more and more, we always knew protecting workloads running in the cloud would be a key focus of Polaris. We spearheaded these efforts with Office 365 protection in our Andes release. This was just the beginning, and I’m happy to announce that Rubrik has now released native protection for Amazon Web Service (AWS) workloads using Polaris. Building on the capabilities of our flagship Cloud Data Management (CDM) product, Polaris integrates with the native snapshot capabilities and APIs provided by AWS for protecting Amazon EC2 instances and Amazon EBS volumes. This tight integration provides Rubrik customers with a central point of management to address various data protection use cases.
Why should customers use Polaris to protect Amazon EC2 and Amazon EBS? As a SaaS solution, Polaris provides many of the same benefits that make cloud platforms like AWS so attractive to a growing number of users:
- Managed service: Cloud providers understand the importance of relieving customers from the undifferentiated heavy lifting of hardware and infrastructure management so they can focus on the tasks that provide business value. Similarly, Rubrik wants customers to focus on core data management tasks and not have to deal with mundane duties like servicing hardware, upgrading software, or managing backup jobs. Polaris with AWS native protection provides a managed service to help get customers out of the backup appliance treadmill.
- Rapid innovation: All cloud users are familiar with the pace of innovation in the public cloud. In 2018, AWS rolled out dozens of new services and thousands of new features, and the pace is only accelerating in 2019. Keeping up with these changes and what they mean for workload and data protection can only be done via a SaaS solution like Polaris that enables rapid release cycles.
- Simplicity: Cloud adoption has grown so quickly because it makes deploying new servers and applications as simple as a click of a button or running a script. Polaris simplifies everything that has to do with data management, including deploying to new workloads and automating manual tasks.
If you are already a Polaris and AWS user, getting started is as simple as telling Polaris what AWS account to manage and which Regions to manage for that account and giving permission to download and launch a Rubrik-provided CloudFormation stack.
In adherence with AWS recommended practices for connecting AWS resources to a SaaS application, launching the Rubrik-provided CloudFormation stack will perform the following steps:
- Create a cross-account IAM role, with the specific permissions required to protect and recover Amazon EC2 and Amazon EBS, in the specified customer account
- Grant the Rubrik AWS account access to the newly created role as a trusted entity
- Send the Rubrik AWS account an Amazon SNS notification about the new role with the role’s Amazon Resource Number (ARN)
- Rubrik will create a new IAM user dedicated to the customer account, which Polaris will use to assume the new role when needed
Once the new account has been added and configured in Polaris, existing Amazon EC2 instances and Amazon EBS volumes will be discovered and displayed in the Polaris dashboard.
Protecting Amazon EC2 and Amazon EBS
Rubrik CDM initially focused on protecting Amazon EC2 instances and their attached Amazon EBS volumes. But our customers quickly shared their desire to protect Amazon EBS volumes as first-class objects without the requirement to protect the instances to which they are attached. The use cases for protecting stand-alone volumes include:
- Preserving a persistent data volume that has no dependencies on an instance or its root disk.
- Protecting volumes that are configured to be used by “stateless” compute, which are launched and active only as needed.
Protecting Amazon EC2 instances and Amazon EBS volumes with Polaris begins with SLA Domains. If you’re unfamiliar with SLA domains, check out my blog post on AWS native protection and how SLA Domains apply to AWS workloads. To perform automated and scheduled snapshots of Amazon EC2 instances and Amazon EBS Volumes, you just need to associate those resources with an SLA Domain.
You can also take on-demand snapshots at any time by drilling into an instance or a volume within the Polaris dashboard and choosing the on-demand snapshot option, as shown below. Note that I am only showing an Amazon EBS volume being protected, but the UI looks the same for both instances and volumes.
The biggest differences between protecting an Amazon EC2 instance and an Amazon EBS volume are that protecting an instance:
- Automatically creates snapshots of all attached volumes that have not been explicitly excluded.
- Creates a new Amazon Machine Image (AMI) that is associated with the snapshots.
Recovering Amazon EC2 and Amazon EBS
Recovering a protected instance or volume starts by drilling down into the date with the snapshot from which you want to recover.
For an Amazon EBS snapshot, you will have the option of doing an Export, which will create a new volume from the selected snapshot. You will have the option of changing properties for the new volume, including type, size, and the geographic location where the volume will be created. Once the new volume is created, you can attach it as a new disk to the same or a different instance. You can also manually detach the original volume and replace it with the new volume.
For an Amazon EC2 instance, you have the option of doing an Export or a Restore. We’ll explain the difference between the two options.
When you Initiate the export of an instance, Polaris orchestrates the following:
Within the same Region:
- Creates new volume from the specified snapshot
- Launches a new instance using the newly created volume and AMI associated with the snapshot
In another Region:
- Copies snapshot to new Region
- Copies AMI to new Region
- Creates new volume from copied snapshot
- Launches new instance using newly-created volume and copied AMI
When you Initiate the restore of an instance, Polaris orchestrates the following:
- Creates new volumes from the specified snapshot
- Stops the instance being restored
- Detaches old volumes
- Attaches newly created volumes
- Starts instance
Since encryption is rapidly becoming standard operation in the cloud, Polaris integrates fully with the AWS Key Management Service (KMS) to give customers the flexibility to create new volumes from snapshots and launch new instances from AMIs, using different encryption key options. As you may have already noted, this includes using the default Amazon EBS key, the same Customer Master Key (CMK) as the source volume, or a new CMK. In a future blog post, I’ll walk through Amazon EBS encryption in detail and how Polaris leverages it to protect customer data.
As we continue to innovate, expect more to come in the future. In the meantime, check out our partner page for more information about how Rubrik integrates and partners with AWS.