The following article walks you through the steps needed to configure Data Domain cloud tier capabilities with Amazon AWS S3.
This guide is mainly divided into 4 main parts:
First: Adding "IAM" user credentials
The first step in integrating Data Domain cloud tier with Amazon AWS S3 is to add the required AWS user credentials from AWS "IAM". These user credentials will be imported into the Data Domain system to authorize communication with Amazon S3.
The AWS user credentials must have permissions to :
S3FullAccess is preferred, but these are the minimum requirements :
A. Go to https://aws.amazon.com/ and log in to the AWS console or create a new account if this is your first time:
B. From the top left corner choose Services, and search for IAM (AWS Identity and Access Management), so we can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources:
C. From the IAM page select "Users" from the left menu, then select "Add user":
D. Give your new user a name, for example: "DD_S3_cloudtier".
Select the access type to give it programmatic access, then click Next:
E. Give this user the required permissions to use S3 resources. Select "Add user to group", and then select "Create group":
F. Give a unique name for the group. For example: "S3FullAccess_DD_cloudtier" and then search for "AmazonS3FullAccess". When the option appears in the result menu select it and then click Create group:
G. You will be returned to the previous menu. Select the group we just created, "S3FullAccess_DD_cloudtier", then click Next: Tags:
H. On the Review menu, double check that the details you entered are correct, then click "Create user":
I. We reach an important page:
You now have the user's "access key ID" and "secret access key". You will use them to integrate the Data Domain with your S3 resources. Click "Download .csv" and save this CSV file in a secure place, and copy the access key ID and secret access key because we will use them in Data Domain:
Second: Importing CA certificate
You must import the CA certificate to enable communication between your Data Domain system and Amazon S3.
A. To download the AWS root certificate, go to https://www.digicert.com/digicert-root-certificates.htm and select the Baltimore CyberTrust Root certificate:
B. Go to the Data Domain GUI and follow this procedure:
Copy the contents of the .pem file to your copy buffer.
Paste the buffer into the dialog.
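Before pasting, it is worth confirming that the .pem file holds exactly one certificate and that its fingerprint matches the value the CA publishes for that root. The following is an added example, not part of the original guide; the function names are assumptions, and the sample block is constructed placeholder data, not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block found in pem_text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case hex digest of the DER bytes."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp):
    """Drop colons, spaces and case so differently formatted values compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def safe_to_import(pem_text, published_fp, algo="sha256"):
    """True only if pem_text holds exactly one certificate and it matches."""
    ders = pem_certificates(pem_text)
    if len(ders) != 1:
        raise ValueError(f"expected one certificate, found {len(ders)}")
    return normalise(fingerprint(ders[0], algo)) == normalise(published_fp)


def to_pem(der):
    """Wrap DER bytes in PEM armour with 64-character lines (sample builder)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: placeholder bytes, NOT a real certificate.
SAMPLE_DER = b"constructed placeholder standing in for a root CA's DER bytes" * 3
SAMPLE_PEM = to_pem(SAMPLE_DER)
PUBLISHED_FP = fingerprint(SAMPLE_DER)  # stands in for the CA's published value

if __name__ == "__main__":
    print("fingerprint:", fingerprint(pem_certificates(SAMPLE_PEM)[0]))
    print("matches published value:", safe_to_import(SAMPLE_PEM, PUBLISHED_FP))
```

In real use, read the downloaded .pem file into `pem_text` and copy `published_fp` from the CA's own page over HTTPS; a `ValueError` means the file contains extra or no certificate blocks and should not be pasted as-is.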
We are done with adding the CA certificate. Next we are going to add our S3 cloud unit from Data Domain GUI.
Third: Adding the cloud unit to Data Domain
Here is a quick comparison of the cloud tier options available in different DDOS releases:
DDOS Version | Capabilities |
---|---|
6.0 |
|
6.1 |
|
6.2 |
|
From the Data Domain GUI, follow this procedure to add the S3 cloud unit:
Learn more about the different supported S3 storage classes from the following link to choose the storage class best suited to your backup needs:
https://aws.amazon.com/s3/storage-classes/
More details about the Data Domain cloud verification tool can be found here: https://support.emc.com/kb/521796
If your DDOS version is 6.0, click Add, as the cloud verification option is not available in this release.
Note: You can easily update the S3 cloud unit access key ID and secret access key afterwards from the Data Domain GUI if needed.
Fourth: Naming of the cloud unit
If we go back now to Amazon S3, we will find that the Data Domain system created 3 buckets for this cloud unit:
The naming convention for the 3 buckets is as follows:
You are now done creating an S3 cloud unit that is integrated with your Data Domain system, and are ready to start applying data movement policies for your Mtrees to migrate the data to the newly created cloud tier unit.
Check the following KB for more details: https://support.emc.com/kb/522706
Check the following admin guide (starting from page 427 for the data-movement policy configuration):
https://support.emc.com/docu78746_Data-Domain-Operating-System-6.0-Administration-Guide.pdf?language=en_US