update doc name

Nadine Dove
2022-11-22 14:40:05 +02:00
committed by GitHub
parent 3e05f97997
commit 8971796cab
7 changed files with 0 additions and 0 deletions
+61
@@ -0,0 +1,61 @@
# Deploying the ZIC Instance
First you must Obtaining the Image Pull Key Secret. After you receive the email notification that your AWS Account ID was added to the privately published AMI, continue with the following configuration, deployment and installation steps.
#### AWS Configuration
1. In the AWS console, go to AMIs and filter by Private Images. You should see a Private AMI for a zlinux/zAppliance machine.
2. Add a custom IAM Role in zic-primary-account-iam-policy.json.
For more information on how to create an IAM role, see [Creating IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html).
3. Ensure that ports 22 and 443 are open Inbound, as the Security Group for the ZIC management network will need them. See **ZIC Ports and Related Services**
4. Create a VPC with a subnet and use the Security Group you created for the ZIC Appliance.
#### Deploying the ZIC Appliance Deployment in AWS
1. Select the Private zlinux/zAppliance AMI and launch it.
Choose **m5a.large** as the EC2 Instance size.
2. Configure the instance details for ZIC.
- Assign the Custom IAM Role that was created for ZIC.
- Select/Configure the VPC and Subnet.
3. Use the defaults for Storage and add tags (optional).
4. Select the security group created earlier, or create a new security group.
- If creating a new security group, make sure **ports 22 and 443 rules** are added.
5. Click **Review and Launch** to deploy the ZIC Appliance.
<span class="Note">Note: To access a Linux instance in AWS you need to use PuTTY Private Key (ppk). If you are using Putty or WinSCP on Windows you must convert the PEM file to PPK format. Click [here](https://www.puttygen.com/convert-pem-to-ppk) to learn how to convert .pem to .ppk using PuTTYgen.</note>
#### Installing the ZIC Appliance
1. When the ZIC instance is running, connect to it with username "admin". No password is required.
2. Copy the zipped file to /home/admin/ on ZIC, with any tool you normally use to copy files to Linux servers (WinSCP, SCP, Termius).
3. Install Unzip using the command:
```
sudo apt install unzip -y
```
4. Install Unzip using the command:
```
unzip zic-1.0.448.zip.
```
![image](https://user-images.githubusercontent.com/100526941/197970851-c30a1c8e-e1ae-4ae4-ac7c-8b78ea1bcd57.png)
5. Go to the extracted directory and run the following command to allow bash script execution:
```
sudo find . -name "*.bash" -exec chmod +x {} \;
```
7. Run the online installer using the command:
```
sudo install/install_online.bash
```
![image](https://user-images.githubusercontent.com/100526941/197971309-92fe7a12-09f2-446b-82f1-7fec4df1d32d.png)
When the installation completes, it will display “Starting ZIC 1.0.x” and continue displaying status until it displays “ZIC 1.0.x started”. You can now connect to ZIC.
#### Connecting to ZIC
1. Connect to ZIC using the URL [https://zic-ip-address](https://zic-ip-address) to validate it is online.
2. The installer will prompt you for a username and password. Log in with the username and password generated in the ZIC download page in myZerto.
3. The online installer will pull the latest code from myZerto and perform the installation.
![image](https://user-images.githubusercontent.com/100526941/197971688-e0b33543-373d-4d34-a3b1-d00f44cf6fe8.png)
4. Log in using the default "admin" for both user and password for the first time.
3. At the prompt change the admin password.
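Review bot: In "Installing the ZIC Appliance", step 4 reuses the step 3 text "Install Unzip using the command:" although its command extracts the archive, and `unzip zic-1.0.448.zip.` ends in a period that becomes part of the file name when the line is pasted. Reword step 4 (for example "Extract the installer using the command:") and drop the trailing period. The numbering also jumps from 5 to 7 in that list and runs 1, 2, 3, 4, 3 under "Connecting to ZIC". AWS Configuration step 3 opens ports 22 and 443 inbound without naming a source range; the step should say which source addresses the rules are meant to allow. The EC2 size given here is m5a.large while the Prerequisites file in this commit says m5a.2xlarge, so one of the two needs correcting. The note opened with `<span class="Note">` is closed with `</note>` instead of `</span>`, and the first sentence reads "First you must Obtaining".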
+1
@@ -0,0 +1 @@
@@ -0,0 +1,15 @@
## Obtaining the Image Pull Key Secret
The image pull key secret is used in the deployment to enable downloading Zertos component images. Follow these steps to obtain the image pull key secret.
1. Log in to myZerto.
2. Navigate to **Support & Downloads > Software Downloads > Zerto In-Cloud**.
3. Click **Download Online Installer** to download the installer.
4. Click **Download Primary Account IAM Policy** to download the policy files.
5. Click **Download Collection** to download collection for Postman.
6. Click **Username and Password** and generate keys.
7. Copy the Username and Password keys to a local file so you have access to them when you need this information later when installing Zerto software.
The account team will send an email notification that your AWS Account ID was added to the privately published AMI.
Continue to Deploying the ZIC Instance.
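Review bot: Step 7 tells the reader to copy the generated Username and Password keys "to a local file", which leaves the image pull credentials in plain text on the workstation. Suggest pointing to a password manager or secrets store instead, or at least saying the file should be removed once the installer has been run. "Zertos component images" in the first paragraph needs an apostrophe, and the closing "Continue to Deploying the ZIC Instance." should be a link to that page.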
+133
@@ -0,0 +1,133 @@
# Prerequisites & Requirements
ZIC for AWS is a single appliance that is installed in an AWS Account, preferably in the target region, to protect machines between availability zones, regions, and accounts. Installing a single ZIC on AWS is all you need to protect the whole Account.
Ensure that you meet all of the prerequisites and requirements before starting the installation.
### Zerto User Interface Supported Browsers
The ZIC user interface requires one of these Zerto Virtual Manager Supported Browsers.
| Google Chrome | Mozilla Firefox | Microsoft Internet Expolorer | Microsoft Edge | Safari |
|-- |--|--|-- |-- |
|Zerto supports the latest 2 versions| Zerto supports the latest 2 versions| Zerto no longer supports IE 11| Zerto supports the latest 2 versions | Zerto supports the latest 2 versions | The lowest supported screen resolution is 1366x768.||
The lowest supported screen resolution is 1366x768.
### ZIC Ports and Related Services
ZIC primarily uses ports 443 and 22.
The table below provides a detailed breakdown of all of the ports used and the services that use them. Make sure that these ports are available for use by ZIC.
| Port | Component | Notes |
|--|--|--|
|443 | Keycloak |Login|
|443 | Keycloak |Manager page|
|http, 49153 | Keycloak |Manager page|
|443 | Keycloak (API) |Create access token|
|http, 49155 | ZIC GUI |Redirected to /main/vpgs|
|443 | Traefik (API) | |
|80 | Traefik/ZIC-GUI |Redirected to 443 and to /main/vpgs|
|443 | Traefik/ZIC-GUI |Redirected to /main/vpgs|
|443 | ZIC-GUI |Redirected to /main/vpgs|
|443 | ZIC (Swagger) | |
|443 | ZIC (Swagger) | |
|443 | ZIC (API) | Multiple endpoints for operations |
|8082 | ZIC-SUPPORT |Log collection |
|http, 49154 | ZIC |Redirected to /main/vpgs|
|22 | End User CLI |SSH and a .pem key to access the ZIC shell||
### ZIC Container Outgoing Endpoints
ZIC executes calls to AWS EC2 (Amazon Elastic Compute Cloud), DynamoDB, and STS services, using their regional endpoint host name, and their global host name for the STS service. Access to these endpoints is required in the region ZIC is deployed in and in all recovery regions in order for ZIC to function properly.
**Endpoint Examples**
- Regional EC2 service endpoint in ca-central-1 region: ec2.ca-central-1.amazonaws.com
- Regional DynamoDB service endpoint in the ca-central-1 region: dynamodb.ca-central-1.amazonaws.com
- Global STS service endpoint: sts.amazonaws.com
### Appliance Connectivity Requirements
The following ZIC for AWS Appliance connectivity requirements must be met.
- Public internet access from ZIC to the myZerto repository. The repository is hosted at zapps-registry.zerto.com
- Network communication between AWS regions.
- The Instance on which the ZIC Appliance is installed must use a subnet that is accessible to DynamoDB.
See [ZIC Ports and Related Services](#ZIC-Ports-and-Related-Services) for details.
- The ZIC Appliance should be a m5a.2xlarge machine size.
### Minimum Required IAM Role AWS Permissions
ZIC requires IAM roles to be defined and assigned to the ZIC host. IAM roles must be assigned permissions. For the AWS account used by ZIC, Zerto requires only a subset of AWS permissions. This gives the Zerto customer more security and control over their AWS environment.
The IAM role must include this subset of required AWS permissions.
Copy and paste the following template with the required IAM role and permissions, and create a policy in JSON format.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:CopySnapshot",
"ec2:DeleteSnapshot",
"ec2:CreateSnapshots",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeInstanceTypeOfferings",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:DeleteVolume",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:DescribeImages",
"ec2:DescribeSnapshots",
"ec2:DescribeRegions",
"ec2:DescribeInstances",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVolumeStatus",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:ModifyInstanceAttribute",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:StopInstances",
"dynamodb:DescribeTable",
"dynamodb:CreateTable",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:DeleteItem",
"dynamodb:Query",
"dynamodb:BatchGetItem",
"dynamodb:DeleteTable",
"dynamodb:ListTables",
"sts:AssumeRole",
"iam:passRole",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText"
],
"Resource": "*"
}
]
}
```
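Review bot: The policy template grants `iam:passRole` and `sts:AssumeRole` on `"Resource": "*"`, which sits badly with the "only a subset of AWS permissions" wording just above it. Move those two actions into their own statement whose resource is the specific role ARNs, and name the roles in the text. The action list also repeats `ec2:DescribeInstances`, `ec2:RunInstances`, `ec2:ModifyInstanceAttribute` and `ec2:CreateTags`; removing the duplicates makes the list easier to audit. Elsewhere in this file, the browser table's data row carries an extra trailing cell with the screen-resolution sentence that is repeated on the next line, "Expolorer" is misspelled, and the m5a.2xlarge size conflicts with m5a.large in the deployment file.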
+95
@@ -0,0 +1,95 @@
## Configuring ZIC To Use Access Token from Keycloak
Zerto In-Cloud overcomes the AWS 20 concurrent snapshot copy limits between source and target regions by allowing you to use multiple AWS Accounts as Scale Accounts. Scale Accounts effectively multiply the number of concurrent snapshots that can be replicated for much lower RPOs.
Use these steps to configure Zerto In-Cloud an IAM Policy and assign roles for ZIC Scale Accounts.
1. Log into the scale account.
2. Navigate to **IAM - Policies**.
3. Create a Policy.
4. Create Roles.
#### Create a Policy
1. Navigate to the JSON tab, copy and paste the following:
```{
"Version": "2012-10-17",
"Statement": [
{
"Sid":
"VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:CopySnapshot",
"ec2:DeleteSnapshot",
"ec2:CreateSnapshots",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeInstanceTypeOfferings",
"ec2:CreateVolume",
"ec2:AttachVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:DeleteVolume",
"ec2:CreateTags",
"ec2:RunInstances",
"ec2:DescribeImages",
"ec2:DescribeSnapshots",
"ec2:DescribeRegions",
"ec2:DescribeInstances",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVolumeStatus",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:ModifyInstanceAttribute",
"ec2:RunInstances",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:StartInstances",
"ec2:TerminateInstances",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:StopInstances",
"dynamodb:DescribeTable",
"dynamodb:CreateTable",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:DeleteItem",
"dynamodb:Query",
"dynamodb:BatchGetItem",
"dynamodb:DeleteTable",
"dynamodb:ListTables",
"sts:AssumeRole",
"iam:passRole",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlainText",
],
"Resource": "*"
}
]
}
```
2. Name the policy **ZicScaleAccountPolicy** and **Save**.
#### Create Roles
1. Go to **Roles**.
2. Create role - **Another AWS account**.
3. In **Account ID** insert the Deployment account. Click **Next**.
![Create_role](Images/ZIC_create_Role.png?raw=true)
4. Select the policy you created. Click **Next**.
![Create_Policy](Images/ZIC_create_Policy.png?raw=true)
5. Name the Role **ZicScaleAccountRole**.
![ZicScaleAccountRole](Images/ZIC_ZicScaleAccountRole.png?raw=true)
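Review bot: The JSON under "Create a Policy" is not valid as written: the last action, `"kms:GenerateDataKeyWithoutPlainText",`, has a trailing comma before `],` and the opening fence is written as three backticks followed directly by `{`, so the opening brace is swallowed by the fence line when rendered. Put `{` on its own line and drop the comma, otherwise a copy and paste into the JSON tab will be rejected. The heading "Configuring ZIC To Use Access Token from Keycloak" does not match the content, which is about Scale Accounts, and "configure Zerto In-Cloud an IAM Policy" is missing a word. In "Create Roles", step 3 trusts the whole Deployment account; consider documenting how to narrow the role's trust policy to the role assigned to the ZIC instance. The policy is also the same `"Resource": "*"` list as the primary account policy, duplicates included.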
+20
@@ -0,0 +1,20 @@
## ZIC Installation
The installation installs the following components:
- **Zerto In-Cloud Manager** </br>
A containerized application that manages everything required for the orchestration and replication between the protected and recovery availability zones, regions, and accounts in AWS. ZIC leverages native AWS platform snapshots and manages the SLA using the Zerto journal and familiar Zerto protection components and methods.
![ZIC_ZIC_Manager1](Images/ZIC_ZIC_Manager1.png?raw=true)
- **Zerto In-Cloud Appliance** </br>
A single AWS Instance Appliance that protects any account, region or availability zone to any AWS account, region, or availability zone.
- **Networking** </br>
ZIC requires at least one VPC, Subnet and Security Group to exist in the target region.
- **Keycloak** </br>
Keycloak is an open-source identity and access management tool, which is used for user and component authentication. It is deployed automatically as part of the ZIC installation.
- **Zerto Analytics** </br>
A Zerto user interface which provides a view over all existing VPGs.
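Review bot: Each bullet title ends with `</br>`, which is not a valid HTML tag; use `<br>` or `<br/>`, or put the description on an indented line below the title. The "Networking" bullet is listed under "The installation installs the following components" but its text describes something that must already exist in the target region, so it reads as a prerequisite and belongs in the Prerequisites file or under a separate lead-in sentence.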
+9
@@ -0,0 +1,9 @@
Zerto In-Cloud (ZIC) for AWS brings Zerto disaster recovery for native AWS instances. Easily protect and recover any application running on EC2 Instances between Accounts, Regions or Availability Zones.
## Zerto In-Cloud (ZIC) Deployment Models
ZIC is installed in one account, at either the source or target region.
In the following graphic, ZIC is installed in the target region in a single account:
![graphic](Images/ZIC_deployment_1.png?raw=true)
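Review bot: The file opens with a paragraph and has no title heading before "## Zerto In-Cloud (ZIC) Deployment Models", and that heading promises several models while only the single-account, target-region case is described. Add a top-level heading, and either describe the other models or make the heading singular. "at either the source or target region" could also mention the preference for the target region that the Prerequisites file states, so the two pages agree.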