CDM and AWS Cloud Lab Manual - Simulator - 20200529

The document describes configuring AWS services to enable Rubrik CloudOut and CloudOn functionality. The tasks covered include: 1. Creating an S3 bucket for Rubrik backups and configuring security policies and IAM roles to allow Rubrik access 2. Configuring Rubrik CloudOut to archive backups to the S3 bucket 3. Configuring IAM roles and security groups on AWS to enable Rubrik CloudOn functionality 4. Configuring Rubrik CloudOn settings to enable instantiating VMs from backups on AWS 5. Steps for cloud consolidation and conversion using Rubrik and AWS

Uploaded by

Mirko

AWS Cloud Accreditation

201- Cloud-out/Cloud-on

Scenario:

The task is to configure the lab so that Rubrik CDM archives backups to an AWS S3 bucket,
then migrate VMs to AWS and instantiate them. Then, by leveraging Rubrik’s template for
CloudFormation, we will try automated configuration of CloudOut and CloudOn on AWS.

This Lab Guide Section includes the following tasks to successfully complete the scenario.

● Task 1: Configuring AWS S3
● Task 2: Configuring CloudOut
● Task 3: AWS - Configuring CloudOn
● Task 4: Rubrik - Configuring CloudOn
● Task 5: Configuring Cloud Consolidation
● Task 6: Rubrik Cloud Conversion
● Task 7: AWS CloudFormation

Rubrik Confidential 1
Table of Contents

Lab Portal
Task 1: Configuring AWS S3
Task 1a: Login to AWS account
Task 1b: Create the S3 Bucket for the Rubrik Archival Location
Task 1c: Create a Security Policy for the Bucket
Task 1d: Create IAM User to Manage Archive Bucket
Task 1e: Create KMS Encryption Key
Task 2: Configuring Rubrik CloudOut
Task 2b: Configuring SLA Domain
Task 3: AWS - Configure Rubrik CloudOn
Task 3a: CloudOn – IAM Policy/User/Role
Task 3b: CloudOn - AWS Security Group
Task 3c: Collect AWS information
Task 4: Rubrik - Configure Rubrik CloudOn
Task 4a: Configure Compute Settings on Rubrik
Task 4b: Rubrik Launch CloudOn
Task 5: Cloud Consolidation
Task 6: Cloud Conversion
On Demand Cloud Conversion
Automatic Cloud Conversion
Task 7: AWS CloudFormation
Task 7a: Configure CloudOut with CloudFormation
Task 7b: Configure CloudOn with CloudFormation

Accessing Simulators
Instead of using real cloud accounts, we have provided simulated labs that allow you to work
through the workflow and get hands on experience in a faster and more repeatable manner.
The current look, feel, and functionality of the cloud providers may have changed slightly since
they were captured, but the general concepts are still relevant to any RCIE.

To make the simulators more engaging, they have been configured to work with a lab guide,
but we have automated some tasks like copying and pasting information and typing long
strings. This also helps with the fact that people do these tasks differently and we are just
providing a single path here.

These simulators are available only during the class from the following location:

http://ec2-18-191-29-230.us-east-2.compute.amazonaws.com/

If you wish to repeat these simulators later, please contact a Channel SE with the public IP
address you will be using to access them and you will be added to the whitelist.

Please let us know if there are any issues with the simulators or lab guide so we can improve
them.

Task 1: Configuring AWS S3
The Rubrik cluster supports Amazon S3 as an archival location and provides data encryption by
using an RSA key or an AWS KMS key.
● An AWS KMS key provides the extra benefit of key rotation, if that is required
An Amazon S3 archival location can be configured to use one of the following storage classes:
● Standard
● Standard Infrequent Access
● Reduced Redundancy
The storage class can be edited after the archival location is added.

Task 1a: Login to AWS account

(This task is already completed in the simulators)

1. Use the Portal Console Controls or from the Jumpbox, sign into AWS console
- Use your username/password provided by the lab

• Account ID or alias: oasis-aws-pod-<X> - Will be provided with Oasis Lab Console Panel, Key Icon
• IAM username: Will be provided with Oasis Lab Console Panel, Key Icon.
• Password: Will be provided with Oasis Lab Console Panel, Key Icon.
• Region: Will be provided with Oasis Lab Console Panel, Key Icon, Password. <Show Password>

Task 1b: Create the S3 Bucket for the Rubrik Archival Location

1. Change the Region. Use the Region Pull down on the right of the screen to change the
Region to US East (Ohio).

2. Select the Find Services field in the middle of the home page, search for S3, then choose
S3 in the dropdown to bring up the Amazon S3 console.

3. Click on the Create bucket button to bring up the Create bucket dialogue box

4. Add a bucket name and confirm the Region
The bucket name must be globally unique across all S3 buckets for all AWS accounts
• Bucket name: rubrik-cloudout-bucket
• Example: oasis-aws-pod-4-20190701a
• Region: US East (Ohio) us-east-2
(Under Advanced settings there are properties where users can optionally configure
logging and tags and permissions.)
• Note these properties are not required for the bucket to be used as a Rubrik
archive target. It is not necessary to enable Default encryption since Rubrik will
encrypt all data client-side prior to upload to S3.

5. After reviewing the bucket configuration, click on the Create bucket button

6. Search for the newly created bucket in the S3 Console, then click on its radio button,
and click Copy ARN.

7. Paste the ARN for the bucket into Notepad or another location for later use.

Task 1c: Create a Security Policy for the Bucket

1. Go back up to the Services drop down menu, search for and select IAM.

2. Select Policies from the left side of the menu and click on the Create policy button

3. This brings up the Create policy page. This walkthrough will use the Visual editor tab to
create the bucket policy

4. In the Service section, click on the Choose a service below hyperlink

5. In the search box, type s3 and then click on the S3 service hyperlink

6. In the Actions section, select All S3 actions (s3:*) under Manual actions.
All boxes under Access level will be automatically selected. This will grant any user with
this security policy attached the necessary access to manage any buckets associated
with this policy

7. Click on the icon next to the Resources section

8. This will expand the Resources section. Leave Specific as the default and click on the
Add ARN hyperlink for bucket

9. In the Add ARN(s) dialogue box for bucket section, add the name of the bucket
previously created into the Bucket name field, leave the Any box unchecked and
click the Add button.
a) This will grant any user, with this security policy attached, permission to access
this bucket only
b) Bucket name: oasis-aws-pod-[Pod#]-[Date+letter]

10. Skip the job section as it’s not required.

Note: A warning will display, which is safe to ignore as the job section is not needed

11. Click on the Add ARN hyperlink for object

12. In the Add ARN(s) dialogue box, add the name of the bucket previously created into the
Bucket name field and leave the Any box unchecked.
13. Check the Any box for Object name so that an * is displayed.
This will grant any user, with this security policy attached, permission to read from and
write to the bucket.
14. Click the Add button and then the Review policy button on the main screen

15. Once bucket and object settings have been configured, click on Review policy

16. Give the new policy a name and a description. Confirm that there are no warning flags in
the Summary section and click the Create policy button
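
A policy equivalent to the one the visual-editor steps above produce, written out as JSON and checked for scope. This is an added example, not part of the original lab guide; the bucket name is the guide's example value, and `build_bucket_policy`, `audit_policy` and `errors` are hypothetical helper names.

```python
import json


def build_bucket_policy(bucket):
    """Policy equivalent to the visual-editor choices in Task 1c:
    all S3 actions, limited to one bucket ARN and the objects in it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    # IAM allows Statement/Action/Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return (severity, message) findings for the Allow statements.
    ERROR: access reaches beyond the archive bucket. NOTE: worth reviewing."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotResource" in stmt or "NotAction" in stmt:
            findings.append(("ERROR", f"statement {idx}: NotResource/NotAction "
                                      "in an Allow statement"))
        for res in _as_list(stmt.get("Resource", [])):
            if res not in in_scope:
                findings.append(("ERROR", f"statement {idx}: resource {res} "
                                          f"is outside bucket {bucket}"))
        for act in _as_list(stmt.get("Action", [])):
            if not act.lower().startswith("s3:"):
                findings.append(("ERROR", f"statement {idx}: {act} is not an S3 action"))
            elif act.lower() == "s3:*":
                findings.append(("NOTE", f"statement {idx}: s3:* also covers bucket "
                                         "management actions such as s3:DeleteBucket "
                                         "and s3:PutBucketPolicy on this bucket"))
            elif "*" in act:
                findings.append(("NOTE", f"statement {idx}: {act} is a wildcard; "
                                         "expand it and review what it grants"))
    return findings


def errors(findings):
    """Messages of the ERROR findings only."""
    return [msg for severity, msg in findings if severity == "ERROR"]


if __name__ == "__main__":
    bucket = "oasis-aws-pod-4-20190701a"      # example name from Task 1b
    policy = build_bucket_policy(bucket)
    print(json.dumps(policy, indent=2))
    for severity, msg in audit_policy(policy, bucket):
        print(severity, msg)

    # Constructed counter-example: the Any box ticked for Bucket name.
    too_wide = build_bucket_policy(bucket)
    too_wide["Statement"][0]["Resource"] = ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]
    for msg in errors(audit_policy(too_wide, bucket)):
        print("ERROR", msg)
```

The guide's policy passes with one NOTE for the `s3:*` wildcard; ticking Any for the bucket name turns both resource ARNs into errors.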

Task 1d: Create IAM User to Manage Archive Bucket

1. Select Users from the left side of the menu and click on the Add user button

2. This brings up the Add User page. Enter RubrikArchive for the User name.
3. Select Programmatic Access.

4. Leave AWS Management Console access unchecked and click the Next: Permissions
button.
● This special IAM user will be able to access specified services using AWS APIs but
cannot be used to log in to the AWS console, thus reducing a potential attack surface

5. In the Set permissions... page, select Attach existing policies directly

6. In the Policy type search box, start typing in the name of the previously created bucket
policy. Select the new policy and scroll down.

7. Click on the Next: Tags button

8. A Tag can be added but is not required. Click the Next: Review button

9. After confirming details, click on the Create user button.

• This creates a special IAM user that has full access to the newly created Rubrik
S3 archive bucket but no access to any other AWS resources. Rubrik will use this
IAM user to access the S3 bucket as an archival location

10. After the service account user is created and the Success page appears, click on the
Download .csv button above the user name. Download and save the credentials.csv file
to a secure location. It contains the Access key ID and Secret access key for this IAM
user. The credentials will be used later to configure the Rubrik archival location.

11. Click the Close button to end

Task 1e: Create KMS Encryption Key
Rubrik uses client-side encryption to ensure that all data is encrypted prior to being uploaded
to Amazon S3. Users have the choice of using a master encryption key provided via Amazon’s
Key Management Service (KMS) or providing their own RSA-2048 encryption key. In this
exercise we are going to use KMS. One benefit of using KMS is that the keys can be rotated via
AWS. With RSA keys the keys are fixed and cannot be changed. The master key will be used by
the IAM user created above for encryption prior to data being uploaded to S3.

1. Go back to the Services drop down menu on top and search for KMS, then select Key
Management Service

2. Select Customer managed keys and then click on the Create key button

3. This brings up the Configure Key page. Ensure Symmetric is selected and click Next.

4. On the Add Labels screen create an alias and description for the master key. Optionally
expand the Advanced Options section and confirm that KMS has been selected as the
Key Material Origin. Click the Next button.

5. This brings up the Define Key Administrative Permissions page.

It defines which IAM users will be able to perform key management functions on the
master key, including key deletions. Do not assign this permission to the previously
created IAM user since that user does not have rights to login to the AWS console and
since there should be clean separation of duties and resource permissions.

6. Choose one or more valid IAM users and click the Next Step button

7. This brings up the Define Key Usage Permissions page. It defines which IAM users will
be able to use the master key to encrypt and decrypt data. Choose the previously
created IAM user that has full access to the Rubrik archive bucket. Leave the External
Accounts section unconfigured and click the Next Step button

8. This brings up the Review Key Policy page. Review the json file to confirm the key policy
has been configured correctly and then click the Finish button

9. The newly created key will appear in the IAM dashboard. Make note of the Key ID which
will be used for configuring the Rubrik archival location.

The key ID is a unique identifier for the master key and allows the master key to be used
without having to export the actual key material. The key ID stays constant for the life of
the key so that the underlying key material can be rotated without the key ID having to
be changed every time
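
A check for the separation of duties described in steps 5 to 7, run over a key policy like the one reviewed in step 8. This is an added example, not part of the original lab guide; the account ID, the KeyAdmin user and the sample policy are constructed, and the set of actions assumed necessary for the archive user is an assumption, not a Rubrik requirement list.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                                # constructed account ID
ARCHIVE_USER = f"arn:aws:iam::{ACCOUNT}:user/RubrikArchive"
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:user/KeyAdmin"     # hypothetical administrator

# Constructed key policy in the shape the KMS console generates.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": [KEY_ADMIN]},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [ARCHIVE_USER]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# Management actions the archive user should not hold (representative subset).
ADMIN_ACTIONS = ("kms:ScheduleKeyDeletion", "kms:DisableKey",
                 "kms:PutKeyPolicy", "kms:DisableKeyRotation")
# Assumed minimum the archive user needs in order to encrypt and decrypt.
USAGE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def allowed(policy, principal_arn, actions):
    """Subset of `actions` granted by Allow statements that name principal_arn.
    Reads the key policy only: Deny statements, grants and IAM identity
    policies are not evaluated."""
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        names = _principals(stmt)
        if principal_arn not in names and "*" not in names:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in actions:
                # IAM action names are case-insensitive and may use wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return sorted(granted)


def check_separation(policy, usage_arn):
    """The usage principal should hold every usage action and no admin action."""
    have = allowed(policy, usage_arn, USAGE_ACTIONS)
    return {
        "admin_actions_held": allowed(policy, usage_arn, ADMIN_ACTIONS),
        "usage_actions_missing": sorted(set(USAGE_ACTIONS) - set(have)),
    }


if __name__ == "__main__":
    print(check_separation(SAMPLE_KEY_POLICY, ARCHIVE_USER))
```

Both lists come back empty for the sample policy; adding RubrikArchive to the administrators statement makes `admin_actions_held` non-empty.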

Task 2: Configuring Rubrik CloudOut

Create a Rubrik archive location using the newly created S3 bucket. Configure Rubrik to archive
data based on SLA Domain Policies. SLA Domain Policy allows users to define a protection
scheme for their data, including how often the data should be protected and how long the
protected data should be retained.
Task 2a: Creating Rubrik Archival Location
1. If in the simulator, click on the first tab which is already logged into Rubrik CDM,
otherwise:
Open a new tab on Google Chrome and use the shortcut for Rubrik, then use the
credentials provided to log in to Rubrik CDM.
● Username: Admin
● Password: Welcome10!Rubrik

2. Click on the gear icon in the upper right and click on Archival Locations under System
Configuration

3. This brings up the Archival Locations page. Click the + sign icon in the upper right of the
dashboard to begin the archival location creation process

4. Confirm that the Archival Type is set to Amazon S3.


5. Select the Region where the previously created bucket resides.
6. Select Standard for the Storage Class.

7. Open up the credentials.csv file that was downloaded when the IAM user that will access
the Rubrik archive bucket was created. Fill out the AWS Access Key and AWS Secret Key
fields with the information stored in the credentials.csv file.

These keys will allow Rubrik to assume the identity of the specially created IAM user
when accessing the archive bucket

8. Input the name of the previously created S3 bucket in the AWS Bucket Name field.

This will automatically fill out the Archival Location Name field by adding the bucket
name and prepending S3:

9. Confirm that the KMS Master Key ID option is specified


10. Copy the Key ID of the previously created master key and paste into the KMS Master
Key ID field.

11. Click the Add button

12. The new Rubrik archival location will be added to the Archival Locations page.
● Note: This step may take some time in a real lab.

Task 2b: Configuring SLA Domain

Create a new SLA Domain and Configure Remote Settings to archive to the new S3 bucket

13. From left hand side menu, Select SLA Domain -> Local Domain and click on + sign to
create new SLA.
14. Enter 4hr-3d-AWS-IA for the SLA Domain Name.
● Take a snapshot every 4 hours and retain it for 7 days.

15. Click on Remote Settings to configure archival

16. In the Remote Storage Configuration section, toggle the Archival switch to enable
archival settings.
17. Click on the Archival Location dropdown menu and choose the recently created archival
location.
18. Select Enable Instant Archive.

Enabling Instant Archive makes Rubrik upload the snapshots to the archive as soon
as they are taken and stored on the appliance. This behavior is desirable for
customers that want to immediately get a copy of their data offsite, such as those
using CloudOn.

Lower the Retention on Brik to 3 days and click on Create.

With Instant Archive the Retention On Brik slider controls how long data is both on
the Rubrik appliance and in the archive. After the Retention On Brik time has passed
there will only be a copy of the data in the archive.

19. At the top of the Rubrik CDM UI, click in the Search by Name or Location field
20. Search for and select Centos-vm1
21. Click on Manage Protection.

22. Select the newly created SLA (4hr-3d-AWS-IA) and click on Submit

23. Click on the name of the Centos-vm1 to view the backup status in the Activities window
below the Overview and Snapshots windows.

24. Once the backup has completed successfully and indexing has finished, a copy of the
backup will get uploaded to the S3 archival location.

25. Check the Activity logs and look for upload task.

26. Click on the event to review the details.

27. The newly archived backup can also be verified from the AWS side. Click on Services,
then S3 and select the newly created bucket.
(Not included in simulator)

The new folder for blobstore and snappables is displayed

Task 3: AWS - Configure Rubrik CloudOn
Rubrik CloudOn supports converting an on-premises virtual machine to an EC2 instance
in AWS. Rubrik can convert a virtual machine snapshot that is available locally on the
Brik or is archived to AWS. The VMDK is converted to an AMI which allows an instance
to be launched in AWS EC2.

The Rubrik appliance uses a set of temporary EC2 instances to convert the vSphere VMs
to AMIs. In order for this to work Rubrik must communicate with these temporary
instances directly. The default behavior is to communicate with the private IP addresses
of these temporary instances. This can happen over a VPN connection or an AWS Direct
Connect connection. If these are not available Public IP addresses can be assigned to the
temporary EC2 instances via a configuration setting in Rubrik. This lab will use a private
connection via VPN and a Transit Gateway.

Task 3a: CloudOn – IAM Policy/User/Role

1. In AWS Console, select IAM from Recently visited services section.

2. Select the Policies from left hand side menu and click on Create policy

3. On the Create policy option change the configuration mode to JSON

4. Delete the existing lines and paste the new policy into the JSON editor from the KMS
link below. This is the policy for using KMS; if using an RSA key, use the RSA Policy link
below. Both policies are also available in the CDM User Guide
(In the simulator the KMS policy is already open in the 3rd tab)
● KMS Policy: https://raw.githubusercontent.com/rubrikinc/aws-cloud-on-permission-template/master/s3_kms_security_policy.json
● RSA Policy: https://raw.githubusercontent.com/rubrikinc/aws-cloud-on-permission-template/master/s3_rsa_security_policy.json

6. In the JSON editor, replace <mys3bucket> with the name of the unique bucket

7. Add a Name and Description for the policy and click Create policy
• Name: Rubrik-Cloud-On-Policy

8. Once the new policy has been created, click on Users from the left-side menu and select
RubrikArchive user that we have created for CloudOut

9. Click on Add Permission

10. Select Attach existing policies directly and search for Rubrik and select Rubrik-Cloud-
On-Policy that was created earlier and hit Next

11. Click Next: Review

12. Click Add permissions

13. Next create the vmimport role. It is required as a fallback option in case the Rubrik
conversion tool isn’t able to convert the image. The vmimport role is used by the AWS
VMImport service to convert vSphere VMs to AMIs.
• Note: It’s recommended to do a quick search and make sure that the vmimport role
doesn’t already exist. Many existing customer environments have this role already in
place and used for VM migration with other tools.

14. Select Roles from left hand side and click on Create role

15. And select AWS service, then EC2 and click Next: Permissions

16. On step 2 page just hit Next: Tags.
17. Tags are optional, either add tags or just click on Next: Review.
18. Add the role name: vmimport and click on Create role.

NOTE: This role must be named vmimport for the AWS VMImport service to use it. If
a role named vmimport already exists in an environment, simply add the
permissions needed as described in the next steps.

19. Once the new vmimport role has been created, click on its name to modify it.

20. Click on Add inline policy.

21. Click on JSON to change the config to editor mode, then paste the JSON for vmimport
role policy from Rubrik’s GitHub repository:
(In the simulator this JSON is already loaded in the last tab)

• https://github.com/rubrikinc/use-case-aws-cloudformation-template-cloudon/blob/master/vmimport.json

22. Replace disk-image-file-bucket with the name of the S3 archive bucket that was created
earlier.

23. Click on Review policy.
24. Add the name and click on Create policy

25. Once policy has been created, click on Trust relationship and then click on Edit trust
relationship

26. Delete the existing configuration, then copy and paste the vmimport trust policy JSON
from Rubrik’s GitHub repository:
(In the simulator, this JSON is already loaded in the 4th tab)
• https://github.com/rubrikinc/use-case-aws-cloudformation-template-cloudon/blob/master/vmimport-trust-policy.json

27. Once the trust policy has been pasted, click Update Trust Policy

Task 3b: CloudOn - AWS Security Group

Next a Security Group needs to be created or modified in the VPC to allow CDM to
access the temporary EC2 instances (Bolt). The best practice is to create a new Security
Group for the Rubrik CloudOn service and EC2 instances.
When creating the Security Group, specify the most restrictive inbound source range
possible. The source range must include the IP subnet (CIDR) of the Rubrik cluster that is
the source of the archival snapshots. The Security Group must also have an inbound rule
that allows EC2 instances inside of the Security Group to talk to each other.
In this lab we will also create a Security Group so that EC2 instances can be accessed
once they have been instantiated. Usually this Security Group will already exist for other
workloads that are already running in AWS.

1. Go back to Services, find EC2 under History and select it, then from left hand side click
on Security Groups under Network & Security
2. Create two Security Groups, one for Rubrik CloudOn and one more for Oasis Lab to
access the EC2 instances, after they have been instantiated.
Click on Create Security Group

3. Add the Security group name and Description, select the VPC for Oasis lab, then click on
Add Rule, and add the following rules. We are creating 3 separate rules, one for each
custom port number (2002, 8088 and 7785), and at the end click on Create
● Security group name: rubrik-cloudon
● Description: SG used for Rubrik CloudOn
● VPC: Select the vpcAWS-Accred-Oasis<X> Security Group.
● Custom TCP Ports: 2002, 8077 and 7785
● Source: 10.0.0.0/11
o Because of the way this lab is configured with a transit gateway and NAT,
the CIDR range of the entire Oasis lab must be selected. Normally the
CIDR range of the Rubrik appliance can be used when using private IPs.
o When public IPs are used the public Internet address of the datacenter
that the Rubrik appliance is in would be used. This can usually be found
by Googling “what’s my IP” from a system on the same subnet as the
Rubrik appliance.

12. Select the new Security Group, rubrik-cloudon, copy the Security Group ID either from
Description page or from top of the detail view
13. Go to the Inbound tab, and click Edit

14. Add a new rule that allows all traffic within the Security Group: click Add Rule, select All
Traffic, paste the Security Group ID that was just copied in the last step and click Save

15. Create another Security Group to allow SSH and RDP to the instantiated VMs as follows:
● Security group name: oasis-access-EC2
● Description: SG used for Oasis to access EC2 instances
● VPC: Select the vpcAWS-Accred-Oasis<X> Security Group.
● Rule #1:
i. Type: SSH
ii. Source: 10.0.0.0/11 (IP range of the on-prem network)
● Rule #2:
i. Type: RDP
ii. Source: 10.0.0.0/11 (IP range of the on-prem network)
NOTE: Because of the way this lab is configured with a transit gateway
and NAT, the CIDR range of the entire Oasis lab must be selected.
Normally the CIDR range for the on prem VMs can be used when using
private IPs.
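
The rubrik-cloudon inbound rules from Task 3b expressed in the EC2 API's IpPermissions shape, with a check of the source-range requirements stated at the start of the task. This is an added example, not part of the original lab guide; the ports are the ones in the guide's rule list, while the Security Group ID and the Rubrik cluster subnet 10.4.20.0/24 are constructed values.

```python
import ipaddress

CLOUDON_PORTS = (2002, 8077, 7785)      # custom TCP ports from the guide's rule list


def build_cloudon_rules(source_cidr, group_id):
    """Inbound rules for rubrik-cloudon: one TCP rule per port from the
    source range, plus all traffic from members of the group itself."""
    rules = [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
              "IpRanges": [{"CidrIp": source_cidr}]} for port in CLOUDON_PORTS]
    rules.append({"IpProtocol": "-1",
                  "UserIdGroupPairs": [{"GroupId": group_id}]})
    return rules


def audit_rules(rules, cluster_subnet, group_id):
    """Return (severity, message) findings.
    ERROR: open to any address, a CloudOn port the cluster cannot reach,
           or no self-referencing all-traffic rule.
    NOTE:  source range wider than the cluster subnet."""
    cluster = ipaddress.ip_network(cluster_subnet)
    findings, covered, self_ref = [], set(), False
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto == "-1":               # all protocols, all ports
            lo, hi = 0, 65535
        else:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 0)
        if proto == "-1" and any(pair.get("GroupId") == group_id
                                 for pair in rule.get("UserIdGroupPairs", [])):
            self_ref = True
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                findings.append(("ERROR", f"ports {lo}-{hi}: open to any address ({net})"))
            elif cluster.subnet_of(net) and net != cluster:
                findings.append(("NOTE", f"ports {lo}-{hi}: source {net} admits "
                                         f"{net.num_addresses} addresses, cluster subnet "
                                         f"{cluster} has {cluster.num_addresses}"))
            if proto in ("tcp", "-1") and cluster.subnet_of(net):
                covered.update(p for p in CLOUDON_PORTS if lo <= p <= hi)
    for port in CLOUDON_PORTS:
        if port not in covered:
            findings.append(("ERROR", f"port {port}: not reachable from {cluster}"))
    if not self_ref:
        findings.append(("ERROR", f"no all-traffic rule from {group_id} to itself"))
    return findings


def errors(findings):
    """Messages of the ERROR findings only."""
    return [msg for severity, msg in findings if severity == "ERROR"]


if __name__ == "__main__":
    sg_id = "sg-0123456789abcdef0"      # constructed Security Group ID
    cluster = "10.4.20.0/24"            # constructed Rubrik cluster subnet
    for cidr in ("10.0.0.0/11", cluster, "0.0.0.0/0"):
        print(cidr)
        for severity, msg in audit_rules(build_cloudon_rules(cidr, sg_id), cluster, sg_id):
            print("  ", severity, msg)
```

The lab's 10.0.0.0/11 source passes with a NOTE per port because it admits 2,097,152 addresses; outside this lab's transit gateway and NAT setup, the cluster's own CIDR produces no findings.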

Task 3c: Collect AWS information
Information for configuring CloudOn and Consolidation needs to be collected from the AWS
console. The following information is needed to configure Cloud Compute Settings in Rubrik:
● Virtual Network ID
● Subnet ID
● Security Group ID

4. Go back up to the Services drop down menu and choose VPC from the History section
5. From left hand side menu click on Your VPCs

6. Select the VPC named vpcAWS-Accred-Oasis<X>. Where <X> is your pod number.

7. From detail view click Copy to clipboard of that VPC ID and paste it to a notepad

8. Then from left hand side menu click on Subnets and select the Private subnet of your
VPC

9. From detail view click Copy to clipboard of that Subnet and paste it to your notepad

10. Navigate to the Services menu and select EC2 from the History section.
11. On the left side click on Security Groups under Security section and select the Security
Group for your VPC

12. From detail view click Copy to clipboard of that Security Group ID and paste it to your
notepad

Task 4: Rubrik - Configure Rubrik CloudOn

Task 4a: Configure Compute Settings on Rubrik

Now we have all the information needed for enabling Cloud Compute setting under
Archival Location of our new AWS S3 target to enable CloudOn and Cloud Consolidation

1. Return to the Demo1 Rubrik CDM Cluster and select Archival Locations under the Gear
menu.
2. Click on the Edit option of your new AWS S3 archival location

3. Then scroll down and click on Advanced Settings

4. Now we can insert all the setting information required for Cloud Compute Setting and
Enable Archival Consolidation
● Virtual Network ID
● Subnet ID
● Security Group ID

5. Once you have added all the information, click Save and Update the Archive Location.

Task 4b: Rubrik Launch CloudOn

1. Go to the global search on Rubrik and search for the CentOS vm that we added earlier to
our 4hr-3d-AWS-IA policy

2. From the Snapshot Calendar view, select the most recent backup that has been archived
and Select Launch on Cloud
• Note: The cloud over Brik icon next to the ellipsis indicates that there is a copy of
the snapshot in both the Archival Location and on the brik. A cloud only icon
indicates that there is a copy of the snapshot only in the Archival location. No
icon or Brik over Brik icon indicates that there are no copies of the snapshot in
the Archival Location. This may have occurred because Instant Archive is not
enabled in the SLA.

3. Fill in the Launch on Cloud details. The Location Name will be the Archive where the
snapshots were uploaded to.

4. The Instance Type defaults to an AWS instance that matches or exceeds the CPU and
memory specs in the VMX file of the VM being launched. In this case leave the default
selected.

NOTE: Only a subset of the AWS instance types are shown here. You can select
Custom Type and type in any valid AWS Instance type.

5. Select the private Subnet(VPC).

Note: This does not need to be the same Subnet and VPC as Bolt. This is the VPC and
Subnet that the converted virtual machine will run in. Often Bolt will be configured
to run in a services VPC/Subnet whereas converted VMs will be put into a
production VPC/Subnet.

6. Select the oasis-access-EC2 Security Group.

NOTE: This Security Group will generally not be the same one as Bolt. The Security
Group selected here should allow the type of access needed by the VM being
launched. In this case we’ve allowed SSH and RDP. The Bolt security group does not
allow these ports. If it is used the user won’t be able to access the VM after it has
been launched.

7. Click Submit

8. Scroll down and from Activities window you will see a new task that has started
launching Bolt, click on it to get more detail

9. You can also check the status of Instances from the AWS console and see the Bolt and
converter VM initializing. Select Services > EC2 > Instances

10. This process can take 20-25 minutes to finish and once the conversion has completed
you can verify it both from Rubrik Activity Detail and AWS Console.
(In the simulator we have removed this extra time)
• NOTE: Feel free to continue on to the next section of this lab and come back
once the conversion has completed.

11. In AWS, Rubrik adds several tags to the EC2 instances when they are instantiated. One
of these tags is rk_object_name. This tag is the original name of the VM when it was
backed up. From the AWS EC2 service add rk_object_name to the dashboard view
option and then verify the VM name. From your AWS Console, go to Services > EC2 >
Instances:
(skip this step in the simulator)
• Select the Gear in the upper right-hand corner.
• Select rk_object_name under Your Tag Keys
• Select Close.

12. At this point your VM is fully up and running and PuTTY can be used to access the VM. To
get the IP address of your new VM, select the new VM and from detail view note down
the Private IP address and use that to access it.

13. Optionally, verify connectivity using PuTTY.
• On the jump box start PuTTY.
• In PuTTY connect to the private IP address of the VM and login as root.
• Browse the file system to demonstrate that the VM is usable.
• Log out and close PuTTY.
14. Go back to Rubrik’s dashboard, expand Cloud Mounts and select AWS and click on the
radio option

15. Power off the VM

16. Once the VM is powered off, select the Terminate to clean up and remove the VM

17. From the AWS console you can verify that the VM is powered off and marked terminated. You
may have to refresh the AWS page to see the status update.

Task 5: Cloud Consolidation
(There is no specific simulator lab for this section, it is included for informational purposes only)

Archive Consolidation frees archival storage by consolidating and deleting expired snapshots.
When Archival Consolidation is enabled, Rubrik merges the expired set of snapshots with the
next live snapshot. This occurs when the storage consumed by expired snapshots exceeds a
certain threshold. When this happens the Rubrik cluster launches a temporary Rubrik instance
and initiates consolidation jobs on the S3 bucket.

Archive Consolidation requires the same permissions as CloudOn to launch Bolt and access the
S3 bucket. If CloudOn has been configured, then just enable Archive Consolidation from the
Cloud Compute settings. If CloudOn has not been configured the Cloud Compute Settings need
to be configured for the Archival Location.

1. Follow the steps from Tasks 3a, 3b and 3c of this lab guide to set up the Cloud Compute
settings. The steps where the vmimport role and policy are configured can be skipped. Archive
Consolidation does not use the AWS VMImport service.

2. To configure Archive Consolidation, just open the Archival Location and select Advanced
Settings. Go to Cloud Compute Settings and check the box to Enable Archive Consolidation

Task 6: Cloud Conversion
(There is no specific simulator lab for this section, it is included for informational purposes only)

Rubrik supports two workflows for converting and instantiating an on-premise VM in the Cloud:
• On Demand Cloud Conversion
• Automatic Cloud Conversion

On Demand Cloud Conversion


This option was covered in Task 4 and provides the flexibility of a good RPO, as an end
user can go back in time to any snapshot and choose Launch on Cloud, which triggers a
CloudConversion job. However, the time required to complete the Cloud Conversion job is
higher as it converts the full.

Automatic Cloud Conversion


In this option, once Cloud Conversion has been enabled, Cloud Conversion checks for
new snapshots to convert every two hours by default, and converts the snapshot to an AMI.
This option may result in a variable RPO if the archival frequency is much more aggressive than
the non-configurable two-hour CloudConversion frequency. However, it provides the benefit of
an almost instant RTO as the AMIs are created automatically. Also, with 5.0, Rubrik now
supports incremental conversions of snapshots across Windows and Linux OSs, which helps to
do the conversion in the order of minutes since it would be an incremental and not a full conversion. This setting can be
enabled per VM.

Note: Cloud Conversion will skip snapshots if the prior job has not yet completed.

1. To enable CloudConversion, navigate to the VM Centos-VM1 that is being protected by
the CDM. You can find the VM by using the global search bar at the top
2. Click on Configure button under Cloud Conversion

3. Enable the Cloud Conversion

4. We also have the option to retain the converted AMIs for all the snapshots of this
virtual machine, including expired snapshots, by checking the box for Keep older AMIs
5. We are going to leave it as unchecked and just hit Submit.
• In this case we will only keep the latest AMI that would allow customers to have
an image always ready to do instant recovery in AWS.

Task 7: AWS CloudFormation
To simplify the process of configuring AWS for CloudOut and CloudOn, Rubrik has created
CloudFormation templates. They create the S3 buckets, IAM policies, IAM users, IAM roles and
Security Groups that are required. AWS CloudFormation is available at no additional charge.
You can get Rubrik’s latest CloudFormation template on build.rubrik.com and Use Cases

Task 7a: Configure CloudOut with CloudFormation


(There is no specific simulator lab for this section, it is included for informational purposes only)

1. From AWS Console, go to Services and Choose CloudFormation


2. Either search and select CloudFormation or just select it from the list under
Management & Governance

3. From the CloudFormation console click on Create stack

4. Select Template is ready, then Amazon S3 URL, paste the URL for the Rubrik CloudOut
template and click Next:

• https://s3-us-west-1.amazonaws.com/cloudformation-templates-rubrik-prod/rubrik_cloudout.template
• You can copy the link from here: CloudOut-Template
• You can also get the link from build.rubrik.com

5. Provide the stack name, select the parameters as follows and click on Next

• Stack name: Rubrik-CloudOut-Stack


• CreateNewS3Bucket: Yes
• S3BucketName: oasis-aws-pod-[Pod#]-[Date+letter]-cf
• CreateNewUser: Yes
• IAMUserName: RubrikArchive-cf
• UserPolicyName: CloudOutPolicy-cf
• UseKMS: Yes

6. Under the advanced settings you can define Stack policy, Rollback and Notification. We are
not changing any of these settings for this lab, so click Next

7. Review the stack options, scroll down, accept the acknowledgement box and hit
Create Stack

8. On the progress screen you can monitor the status of all the tasks, click the refresh
button to update the screen.

9. Once the process has completed, you will see CREATE_COMPLETE. Click on
Resources and verify that all of the tasks have completed successfully.

10. Click on Outputs. On the Outputs screen you will get all the necessary information to
configure your new S3 bucket as an Archival Location

11. Go back to the Rubrik dashboard and add your new bucket as a new archival location

12. At this point you can update your SLA and start using the new archival target

Task 7b: Configure CloudOn with CloudFormation

This task configures CloudOn using CloudFormation for the new Archival Target that was just
created.

• NOTE: The CloudOn CloudFormation template can create the AWS resources for
both CloudOut and CloudOn. Here we will simply add CloudOn to an existing
CloudOut configuration, which is also a common activity.

1. As a first step we need to remove the existing Inline Policy for CloudOut. From the AWS Console
go to Services, then IAM, then Users, and select RubrikArchive-cf

2. Click on the X for CloudOutPolicy-cf and delete it

3. Now go back to CloudFormation in the AWS console, using the Services drop down
menu.

4. Click on Create stack

5. Select Template is ready and Amazon S3 URL

6. Add the URL for the template (you can get the latest one from build.rubrik.com) and click
on Next
● https://s3-us-west-1.amazonaws.com/cloudformation-templates-rubrik-prod/rubrik_cloudon.template

7. Add Stack name and parameters required as follows:

● Stack name: Rubrik-CloudOn-Stack


● CreateNewS3Bucket: no (We are using the same bucket that was created on 5a)
● S3BucketName: Name of the bucket from task 7a
o For a new configuration without CloudOut select Yes and add a bucket name
● VPC: vpcAWS-Accred-Oasis<#>
● OnPremRubrikCIDR: 10.0.0.0/11
● CreateNewUser: no (Use the same user from task 7a: RubrikArchive-cf)
o For a new configuration without CloudOut select Yes and enter a username.
● CreateVMImportRole: no (One has been created during task 3)

o For a new configuration select Yes and it will create the vmimport role
● IAMUserName: RubrikArchive-cf (From task 7a)
● SecurityGroupName: rubrik-cloudon-cf
● SecurityGroupDescription: <Leave the default>
● SecurityGroupRoleDescription: <Leave the default>
● VMImportPolicyName: <Leave the default>

8. Select Next

9. Scroll down and accept the acknowledgement then select Create Stack.

10. Once all the tasks have completed successfully, click on Outputs and make note of the
information that will be used to configure Cloud Compute settings

11. Configure the Cloud Compute Settings of the Archival Location that was created during
task 5a.

12. Click Save and Update the Archival Location settings.

13. At this point the new archival target has been configured and can be used for instantiating
VMs on AWS.

14. Go back to the AWS Console, verify the creation of the following objects and make sure their
settings are correct.
● Security Group
● User Policy name
● User policy document includes the correct bucket name.
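
The checks in step 14 can be scripted. The following is an added example, not part of the Rubrik lab guide or its templates: it audits a user policy document (as returned by `aws iam get-user-policy`) and the `IpPermissions` list of a security group (from `aws ec2 describe-security-groups`) against the stack parameters. The bucket name, policy statements and ports are constructed sample data, not the contents of Rubrik's template.

```python
import ipaddress

ACCOUNT_LEVEL = {"s3:listallmybuckets"}  # S3 actions that only accept Resource "*"

def _as_list(value):
    # IAM allows a bare string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy, bucket):
    """Findings for Allow statements granting S3 access outside `bucket`."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow":
            continue
        if not any(a == "*" or a.startswith("s3:") for a in actions):
            continue  # statement does not touch S3
        for res in _as_list(st.get("Resource", [])):
            if res == "*" and set(actions) <= ACCOUNT_LEVEL:
                continue  # "*" is the only valid resource for these actions
            if res not in allowed:
                findings.append(f"statement {i}: S3 access to {res}")
    return findings

def audit_ingress(rules, on_prem_cidr):
    """Findings for ingress sources outside the OnPremRubrikCIDR parameter."""
    permitted = ipaddress.ip_network(on_prem_cidr)
    findings = []
    for rule in rules:
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not net.subnet_of(permitted):
                findings.append(f"port {rule.get('FromPort')}: open to {net}")
        for rng in rule.get("Ipv6Ranges", []):  # the parameter is IPv4 only
            findings.append(f"port {rule.get('FromPort')}: open to {rng['CidrIpv6']}")
    return findings

# Constructed sample data following the lab's naming pattern.
BUCKET = "oasis-aws-pod-01-20200529a-cf"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::oasis-aws-pod-01-20200529a"},  # wrong bucket
]}
SAMPLE_RULES = [
    {"FromPort": 443, "IpRanges": [{"CidrIp": "10.16.0.0/16"}]},
    {"FromPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # too broad
]
```

An empty list from both functions means every S3 grant names the expected bucket and every ingress source falls inside OnPremRubrikCIDR; rules that reference a source security group instead of a CIDR are not inspected here.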
