Connecting a backup network

To use IBM® Cloud Sync to back up DNS data, connect a backup network from IBM NS1 Connect® to an Amazon Simple Storage Service (S3) bucket.

Before you begin

Make sure that you have:
  • A Cloud Sync subscription
  • An Amazon Web Services (AWS) account with permissions to create policies and roles
  • Amazon S3 as your storage service
  • An Amazon S3 bucket with a unique name

About this task

Configuring a backup network is a multistep process that you complete in NS1 Connect and in AWS. If you need help with AWS, refer to its documentation.

Connect to an external network through which NS1 Connect backs up DNS data. Enter the account ID and the unique name of the Amazon S3 bucket.

Enable cross-account access to allow NS1 Connect to perform DNS actions in your AWS account. To do so, you create an AWS Identity and Access Management (IAM) policy and role for the NS1 Connect account for Cloud Sync services. This ensures that NS1 Connect can perform only certain actions on certain objects, through a trusted role in the NS1 Connect account. NS1 Connect validates that the AWS account ID that you provide belongs to an account that you control, and then verifies that it can perform those actions in your AWS account.

If you can't validate the network connection when you initially connect a network, you can validate it later. Only when the network connection is validated can Cloud Sync back up data from NS1 Connect to Amazon S3.

Connecting a backup network is a one-time setup for each Amazon S3 bucket.

Procedure

  1. Click DNS > Network.
    The Networks page opens.
  2. In Outbound networks, click Connect network.
    The Connect an external network page opens.
  3. In 1. Select an external DNS service, select the Amazon Simple Storage Service (Amazon S3) checkbox.
  4. Click Next.
    The 2. Configure the connection page opens.
  5. In Backup network name, enter a unique name for the AWS backup network.
    This name is included in the list of networks in NS1 Connect for each zone that is managed through this network.
  6. In AWS account ID, enter your account ID to establish a connection between AWS and NS1 Connect.
  7. In Bucket name, enter the name of the Amazon S3 bucket to store backups.
    The bucket you use:
    • Must exist
    • Must have a unique name
    • Must have Bucket Versioning enabled
  8. Click Next.
    The 3. Prepare policy page opens.
  9. For Are you using AWS organization?, select Yes or No to indicate whether you use AWS Organizations. If you select No, skip to step 11.
  10. If you select Yes, you might have AWS service control policies in place. Review the policies to make sure that the actions that NS1 Connect must perform aren't denied.
    1. Navigate to AWS service control policies: In AWS Organizations, open Policies to locate the existing service control policies in your AWS account. If you don't have any policies configured, skip to step 11.
    2. Review AWS service control policies: If service control policies are configured for your organization, review them to see whether any of the following actions are denied. If any of the actions are denied, proceed to substep 3, Edit conditions for policies denying required actions. If none of the actions are denied, skip to step 11.

      Actions:

      • s3:PutObject
      • s3:DeleteObject
      • s3:ListBucketVersions
      • s3:GetObjectVersion
      • s3:ListBucket
      • s3:GetObject
    3. Edit conditions for policies denying required actions: Copy the conditions from NS1 Connect and paste them into the Condition block of each policy that denies any of the S3 actions.
  11. In AWS, create an IAM role:
    1. Open the IAM console in AWS.
    2. Choose Roles, then click Create role.
    3. For the Trusted entity type choose Custom trust policy, then copy and paste the trust policy code.
    4. Click Next to skip adding permissions for now. You add an inline policy after the role is created. The policy must be inline, not managed, so that NS1 Connect can validate account ownership and the role configuration.
    5. Copy and paste the NS1-CloudSync-BackupRestore role name.
    6. Click Create role to finish.
  12. Add permissions to the new role. After you create the role, the summary page opens. Or, you can access the summary by choosing Roles in the IAM console, then search for the role by name.
    1. In the Permissions tab, click Add permissions, then choose Create inline policy.
    2. In the Policy Editor, copy and paste the JSON policy code from NS1 Connect.
  13. In NS1 Connect, click Validate connection to verify that you have configured the trust relationship, policy, and role correctly and that you are the authenticated owner of the AWS account.
  14. Click Next.
    The Summary page opens and displays the status of the validation, indicating whether it was validated.
  15. Click Done.
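As an added check for the service control policy review in step 10 (example code, not IBM or NS1 code), this Python script scans SCP documents for Deny statements that cover the six required S3 actions, including wildcard patterns and NotAction statements; the sample SCPs are constructed.

```python
"""Review Service Control Policies (SCPs) for Deny statements that cover the
S3 actions Cloud Sync needs. Added example; the sample SCPs are constructed."""
import fnmatch
import json

# The six S3 actions the procedure lists as required.
REQUIRED_ACTIONS = [
    "s3:PutObject", "s3:DeleteObject", "s3:ListBucketVersions",
    "s3:GetObjectVersion", "s3:ListBucket", "s3:GetObject",
]

def _as_list(value):
    """IAM accepts a single string or a list in Statement, Action, NotAction."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def denied_actions(policy_docs, required=REQUIRED_ACTIONS):
    """Map each required action to the Sids of Deny statements that cover it.
    Conditions are ignored on purpose: every hit is a statement to review."""
    hits = {}
    for doc in policy_docs:
        doc = json.loads(doc) if isinstance(doc, str) else doc
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Deny":
                continue
            actions = _as_list(stmt.get("Action"))
            not_actions = _as_list(stmt.get("NotAction"))
            for act in required:
                if actions:
                    covered = any(_matches(p, act) for p in actions)
                else:  # NotAction: everything except the listed patterns is denied
                    covered = not any(_matches(p, act) for p in not_actions)
                if covered:
                    hits.setdefault(act, []).append(stmt.get("Sid", "<no Sid>"))
    return hits

# Constructed sample SCPs, one as JSON text and one as a dict (both are accepted).
SAMPLE_SCPS = [
    json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyDeletes", "Effect": "Deny",
         "Action": ["s3:Delete*", "s3:PutBucketPolicy"], "Resource": "*"},
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    {"Version": "2012-10-17", "Statement": {"Sid": "OnlyReads", "Effect": "Deny",
        "NotAction": ["s3:Get*", "s3:List*", "ec2:*"], "Resource": "*"}},
]

if __name__ == "__main__":
    for action, sids in denied_actions(SAMPLE_SCPS).items():
        print(f"{action} is denied by: {', '.join(sids)}")
```

Feed it the SCP documents exported from AWS Organizations; any action it reports needs the NS1 Connect conditions added to that statement before the connection can validate.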

What to do next

If the connection was validated successfully, publish zones to the network to start backing up the DNS data. Every time a DNS change is made in NS1 Connect, Cloud Sync backs up the changes to Amazon S3.

If the Connection validated section of the Summary page showed an error, you must validate the connection. Otherwise, the DNS data isn't backed up to Amazon S3 even if you publish a zone to this network in NS1 Connect.

If you have other networks through which you want to back up data to Amazon S3, repeat the preceding steps for each network.