Druva makes cloud disaster recovery more secure with AWS PrivateLink

Jude Daniel, Sr. Product Manager and Dheeraj Madawat, Senior Software Engineer

We are happy to announce that Druva Phoenix now supports AWS PrivateLink for its cloud-based disaster recovery-as-a-service (DRaaS) solution. Druva is the first SaaS data protection vendor to leverage AWS PrivateLink. This means communication between customer AWS accounts and Druva services now occurs through AWS PrivateLink, ensuring that network traffic always stays securely within the AWS network and traffic is never exposed to the public internet. Druva also automates the entire DRaaS configuration with AWS PrivateLink and customers can now use a one-click process to deploy CF templates, deploying the entire configuration infrastructure within the customer’s AWS account. This enhancement is included with all tiers of service. 

Druva’s DRaaS functionality extends its cloud data protection solution for enterprise infrastructure by enabling customers to failover backups of VMware virtual machines (VMs) from the Druva Cloud into their AWS virtual private cloud (VPC). In case of a disaster or similar high-stakes event, this capability ensures business continuity without the need for additional dedicated on-premise software, storage, or hardware, helping to reduce costs and improve agility. VMs are recovered on-demand in the cloud in minutes (typically less than 30 minutes). 

What is AWS PrivateLink?

AWS PrivateLink provides a private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access your services, AWS PrivateLink ensures your traffic is not exposed to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture in addition to the following key benefits: 

  • Fast and secure data transfer over AWS prevents use of public internet
  • Simplifies network configurations
  • Uses private IP addresses 

Integrating PrivateLink with Druva Phoenix 

The following diagram shows an overview of the Druva Phoenix architecture, including its security capabilities and the implementation of AWS PrivateLink. 

Druva Phoenix and Private Link

By integrating PrivateLink, Druva is able to offer customers enhanced functionality and deployment advantages, including:

  • Ease of use – Customers do not need to deploy an Internet gateway or a NAT gateway to connect to Druva Phoenix cloud. 
  • Druva automates deployment of AWS PrivateLink – The AWS CloudFormation template automatically deploys the necessary infrastructure (VPC endpoints, DNS zones etc.) to enable AWS PrivateLink, and the Druva DR proxy connects via PrivateLink to Druva Cloud.
  • Increased security for cloud failover – Data now flows over the AWS Privatelink infrastructure, ensuring traffic stays within AWS network.
  • Reduced complexity – Complicated network configurations and involvement of cross functional teams is reduced significantly.

DRaaS components

Phoenix DRaaS consists of three operations, namely, DR Restore, DR Failover, and DR Failback. Refer to the Druva Phoenix DR workflow for details. 

  • DR restore with AWS PrivateLink – With the integration of AWS PrivateLink, DR restore is initiated by a Druva service which communicates to the Phoenix AWS proxy in the customer’s VPC through Druva VPC endpoints. Data blocks are fetched via an AWS S3 VPC endpoint. Additionally, all communication to write on EBS volumes and create snapshots is accomplished via AWS S3 and EC2 VPC endpoints (data never leaves the AWS network). 
  • DR failover with AWS PrivateLink – Similarly, in the case of an actual disaster or testing one’s DR plan, the request is initiated by a Druva service which communicates to the Phoenix AWS Proxy in the customer’s VPC through Druva VPC endpoints. Connection and data transfer from Phoenix AWS proxy to AWS services, such as S3, EBS, and SQS, happens over the VPC endpoints, ensuring that data never leaves the AWS network.
  • DR failback – Customers can leverage AWS Direct Connect to enable a private, dedicated connection between their intranet and their AWS VPC for failback operations. 

Under the hood

The diagram below illustrates the components involved in Druva Phoenix and AWS PrivateLink integration.

Druva Phoenix and Private Link

Druva Phoenix uses six VPC endpoints, four AWS VPC endpoints, and two custom endpoints to privately connect to the Druva VPC, as well as AWS services including S3: 

  • S3 endpoint
  • SQS endpoint
  • EC2 endpoint
  • CloudFormation endpoint
  • Custom Druva endpoints:
    • Druva endpoint service
    • Druva node endpoint service

A network load balancer is implemented on Druva VPC and receives all communication to private services, redirecting to Druva services. Route 53 helps to resolve the private link URL to the endpoint’s DNS entry and establish a communication path. Implementing the DR solution with PrivateLink is further simplified using AWS CloudFormation, which takes care of implementing the infrastructure in your AWS VPC.

Next steps

Looking to learn more about cloud disaster recovery with Druva’s proven cloud-native approach? Read my recent article on the AWS blog, which discusses how to configure and implement Druva Phoenix for the cloud-based backup and recovery of your VM workloads, and watch the Druva DRaaS demo for a look at Phoenix in action.