You can configure private network connectivity for Air Gap Protect using AWS PrivateLink, Azure Private Link, or Azure ExpressRoute. ExpressRoute, which keeps data traffic off the public internet, is supported by default.
Note: Private endpoint support is not available for Air Gap Protect storage when using OCI Object Storage.
You can configure secure, cross-account connectivity from the AWS account you use for Air Gap Protect to an Amazon S3 bucket in another AWS account if your on-premises data center is connected to AWS through Direct Connect. This setup uses an interface VPC endpoint (AWS PrivateLink), an S3 access point, and an S3 bucket policy to enable private, secure access to the S3 bucket.
Requirements and considerations
- The connection between your on-premises environment and AWS Direct Connect must have sufficient bandwidth and low latency for expected workloads.
- DNS and related forwarders must be set up correctly so that [bucketname].s3.region.amazonaws.com resolves to the private IP address of the VPC endpoint.
- The security group associated with the VPC endpoint must allow inbound connections on port 443 from your on-premises network.
- The VPC endpoint policy must not restrict access to principals in your AWS account only.
- The use of VPC endpoints incurs data processing charges from AWS.
Step 1: Create an interface VPC endpoint in your AWS account
- Log on to the AWS Management Console with an account that has permissions to manage VPC endpoints and S3 resources.
- In the VPC you want to use, create a new interface endpoint for the S3 service (com.amazonaws.[region].s3).
- Associate the endpoint with the required subnets and security groups, and enable private DNS if needed.
- Review and confirm the configuration to create the endpoint.
Step 2: Provide account and VPC endpoint information to Commvault
- Log on to support.commvault.com.
- Open a support ticket that provides the following:
  - AWS account ID
  - VPC endpoint IDs (only if you want to restrict access to specific VPCs)
Step 3: Validate the connection
After Commvault confirms that the S3 bucket policy and access point are configured, you can validate the connection.
- From your AWS account, launch an EC2 instance in the connected VPC.
- Access the S3 bucket using the configured VPC endpoint and S3 access point.
- Confirm the following:
  - Data transfer occurs through the AWS backbone (PrivateLink and Direct Connect) without traversing the public internet.
  - The EC2 instance can read from and write to the S3 bucket.
  - Network traffic routes securely through Direct Connect and AWS PrivateLink.
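Two of the items above are easy to get wrong and hard to see from the console: the bucket hostname resolving to the endpoint's private addresses (Requirements) and an endpoint policy that locks the endpoint to your own account, which the validation in Step 3 would surface as access failures. The following offline pre-flight check is an added example, not Commvault's code; the VPC CIDR, account ID, resolver stub and sample policies are constructed assumptions.

```python
"""Pre-flight checks for the AWS PrivateLink path (added example, not Commvault code).
Constructed assumptions: the VPC CIDR, account ID, resolver stub and sample policy."""
import ipaddress
import json
import socket


def bucket_hostname(bucket: str, region: str) -> str:
    """Regional S3 hostname that must resolve to the interface endpoint's private IPs."""
    return f"{bucket}.s3.{region}.amazonaws.com"


def resolve(host: str) -> list:
    """Default resolver; tests pass a stub so the check runs offline."""
    return socket.gethostbyname_ex(host)[2]


def resolves_privately(host: str, vpc_cidr: str, resolver=resolve):
    """Return (ok, addrs); ok only if every answer lies inside the VPC CIDR.
    A public S3 address means traffic would leave the Direct Connect/PrivateLink path."""
    net = ipaddress.ip_network(vpc_cidr)
    addrs = resolver(host)
    ok = bool(addrs) and all(ipaddress.ip_address(a) in net for a in addrs)
    return ok, addrs


def policy_restricts_to_account(policy_json: str, account_id: str) -> bool:
    """True if the endpoint policy limits use to principals of account_id only:
    an Allow with StringEquals aws:PrincipalAccount, or a Deny with StringNotEquals
    aws:PrincipalAccount, whose only value is account_id. Either blocks cross-account use."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for stmt in stmts:
        effect = stmt.get("Effect")
        for op, keys in stmt.get("Condition", {}).items():
            lowered = {k.lower(): v for k, v in keys.items()}  # IAM keys are case-insensitive
            vals = lowered.get("aws:principalaccount")
            if vals is None:
                continue
            if isinstance(vals, str):
                vals = [vals]
            only_own = set(vals) == {account_id}
            if only_own and ((effect == "Allow" and op == "StringEquals")
                             or (effect == "Deny" and op == "StringNotEquals")):
                return True
    return False
```

Run `resolves_privately` from the EC2 instance in Step 3 with the real resolver and your VPC CIDR; run `policy_restricts_to_account` against the policy document attached to the endpoint before opening the support ticket in Step 2.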
You can configure secure, cross-subscription connectivity from the Azure subscription used for Air Gap Protect to an Azure Blob Storage account in another Azure subscription if your on-premises data center is connected to Azure through ExpressRoute. This setup uses Azure Private Link, a private endpoint for the storage account, and Azure role-based access control (RBAC) or storage account network rules to enable private, secure access to the Blob container without exposing it to the public internet.
To configure Azure Private Link, do the following:
- Go to the Commvault Support Portal and request a storage resource ID.
- In Azure, create a private endpoint using the storage resource ID. For more information, see Create a private endpoint.
- Contact Commvault Support and provide the name of the private endpoint that you created, to request approval. The approval takes up to 10 business days.
- After the private endpoint is approved, in Azure, verify that the connection state for the private endpoint is Approved. For instructions, see Get Private Link connection states.
- Update your DNS server to resolve your storage account endpoint to the IP address of the private endpoint. To get the name of the storage account, go to Manage > Air Gap Protect and click the storage. For example, in the following image, the name of the storage account is AGP-Bahrain.
- For the subnet that contains the private endpoint, disable the following subnet properties:
  - privateLinkServiceNetworkPolicies: Disabled
  - privateEndpointNetworkPolicies: Disabled
  For instructions, see the following pages in the Microsoft documentation:
Azure ExpressRoute is supported with no configuration required in Commvault.