1. How do we
Deploy a secure backup
to the Cloud
Lahav Savir, lahavs@emind.co

2. Lahav Savir
• 15 years in on-line industry
• Architect and CEO @ Emind Systems (est. 2006)
• AWS solution provider
• Over 30 AWS customers
Hobbies (that’s the . . .)
• MTB cycling
• Mountain hiking

3. Backup scenarios
On premises to off-site On the cloud to other site
• File servers • File servers
• Backup files • Large data volumes
• Data base dumps • Data base dumps
archiving • Large S3 buckets
• Disaster recovery

4. Storage scenarios
Storage appliances Disks & Servers
• NFS • Windows shares
• CIFS • Linux exports
• Linux servers
• Sun exports

5. Requirements
Backup
• Keep a replica of the data off-site
• Keep history of the data for X previous months
• Secure transfer
• Encryption of data sets
• Large files
• Delta transfer
Deployment
• Don’t impact existing setup
• Don’t install any SW on servers
• No additional hardware

6. Few more . . .
• Control bandwidth throughput
• Visibility and monitoring
• Simplicity
• Keep the costs down
– License
– Traffic
– Storage

7. Alternatives
• Windows • Storage built-in
– Virtual drive to S3 integration tos3
– Sync application – No monitoring
– Cygwin / delta copy – No visibility to status
– No bandwidth control
• Linux – No feedback
– s3fs (fuse)
– s3cmd

8. Simple solution
• Sync Manager
– Linux appliance
– cifs-utils
– rsync
– s3cmd
– tc (traffic controller)
– net-snmp
– curl

9. Sync Configuration
• rsync (filer to filer)
rsync;/filer/data1/; sync@192.168.61.130:/data1/{A}
rsync;/filer/data2/; sync@porticor_vpd:/data2
• s3 (filer to s3 with / without VPD)
s3;/var/www/wordpress/;s3://bucket1/wordpress-{d}/;-
-no-delete-removed
s3;/mnt/srv1/;s3://bucket2/

10. Bandwidth control
• Tag user traffic
iptables -t mangle -A OUTPUT -m owner --uid-owner $SYNCMGR_UID -j MARK
--set-mark 0x1
• Create root qdisc for eth0
$TC qdisc add dev $IF root handle 1: htb default 30
• Add a class (bucket) with bandwidth restrictions
$TC class add dev $IF parent 1: classid 1:2 htb rate $MAXRATE
• Then add a filter to force packets through the class
$TC filter add dev $IF protocol ip parent 1:0 prio 1 handle 1 fw
classid 1:2
Tip: use iftop to see it in action

11. Monitoring
## SNMP params
SNMPTRAP=true
SNMPTRAP_HOST=nms_server
SNMPTRAP_PORT=162
SNMPTRAP_COMMUNITY=public
SNMPTRAP_OID=.1.3.6.1.4.1.39731.2101
## support_router
SUPPRTR_NOTIF=true
SUPPRTR_PROJECT="SupportDispatcher“
SUPPRTR_SYNCMGR_CLIENT=Emind
SUPPRTR_BASEURL=https://support.emind.co/support_router/public/api.php
## snmpd.conf
rocommunity public
# send all Emind Enterprise ID requests to the subagent
pass .1.3.6.1.4.1.39731 /usr/local/emind/snmp_subagent

12. Cloud backup hosts
• ec2 instance (Linux server)
– EBS volumes
• s3 buckets
• Porticor VPB
– EBS volumes
– S3 proxy

13. Hosting on the cloud
• Public cloud
– Instance behind security groups with SSH keys
• VPC
– Instance behind VPN
• AWS VPN Gateway
• IPSec with CheckPoint in the VPC
• IPSec with Swan in the VPC
• SSL VPN with OpenVPN in the VPC

14. Restoring
• rsync back from storage
rsync ; sync@192.168.61.130:/data1/{A} ; /filer/data1/
• 3scmd
s3cmd get s3://bucket2/file /path/to/restore/file

15. Summary
• Simple and open solution
• No impact on customer infrastructure
• No additional HW required
• Control with full visibility
• Fully integrated with NMS
• Reliable
• Secure

16. AWS Tips
• Don’t forget to set AWS console to MFA
• Setup a VPN to your AWS server
• No public SSH
• Monitor traffic coming into your servers
• Multi-region / AZ for high availability
• Use ec2 tools
• Backup backup backup . . .

17. Questions ???
Thank you,
Mail me: lahavs@emind.co
Lahav Savir
LinkedIn / Twitter / Facebook