Preparing for SaaS application data protection

Before you start protecting your Amazon DynamoDB data, complete the following steps:

Preparing for SaaS application data protection
- Getting familiar with your SaaS application specifics
- Configuring data protection settings for SaaS applications

Getting familiar with your SaaS application specifics

Before you start protecting your Amazon RDS data, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations in this topic to make sure that your module is prepared and configured correctly.

Prerequisites

Your AWS account must be assigned a role that is granted the following permissions:

ec2:DescribeRegions
rds:AddTagsToResource
rds:CreateDBClusterSnapshot
rds:CreateDBSnapshot
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSnapshots
rds:DescribeDBSubnetGroups
rds:RestoreDBClusterFromSnapshot
rds:RestoreDBInstanceFromDBSnapshot
rds:DeleteDBSnapshot
kms:ListKeys
kms:DescribeKey
kms:ListAliases

Instead of granting the individual permissions, you can also attach the following policies to the role:

AmazonRDSFullAccess
AmazonEC2ReadOnlyAccess
AWSKeyManagementServicePowerUser

Limitations

Protecting the custom database instances is not supported.
Protecting the instances in the Amazon GovCloud is not supported.
If the storage auto-scaling option is enabled, the maximum allocated storage size for the restored instance is set to 1000 GiB.
The number of snapshots that can be stored in Amazon S3 is by default limited to:
- 100 instance snapshots per region
- 100 cluster snapshots per region
 Note You can increase the allowed number of snapshots in the AWS Management Console. For details, see AWS documentation.
Using the Copy policy option to create the copies of backup data is not supported.

Consideration

The backup data is not copied to the Amazon S3 storage but remains in the same storage type as other snapshots in RDS. R-Cloud creates regional snapshots that are named using the following format:

<OriginalInstanceName>-hycu-snapshot-yyyymmdd-hhmmss

Example The snapshot name for an instance named db1 is:
db1-hycu-snapshot-20230301-114301.

R-Cloud adds the following tags to the created snapshots:

Name	Value	Notes
`hycu-task-id`	UUID	Derived from the backup or restore request
`hycu-instance-snapshot`	none	Only on database instance snapshots.
`hycu-cluster-snapshot`	none	Only on database cluster snapshots.

Configuring data protection settings for SaaS applications

Before you start protecting SaaS applications, you can adjust SaaS application protection to the needs of your data protection environment by configuring protection settings in R‑Cloud. You can configure data protection settings for a single SaaS application or for multiple SaaS applications at the same time.

 Important Configuring data protection settings is not supported for all types of SaaS applications. Additionally, the list of available data protection settings varies depending on the type of your SaaS application.

Data protection settings

Setting	Description
Exclude Resources	Enables you to specify one or more resources to be excluded from the backup.
Options	Enables you to use data protection settings specific to each SaaS application or SaaS application resource (for example, if you are protecting Google Cloud SQL, you can set the offload option that enables R‑Cloud to delegate the export operation to a separate data mover).
Data Movers	Enables you to assign a data mover configuration to specify the location (compute and the networking details) where data movers will be created. For instructions, see Procedure

Prerequisites

For SaaS applications in Google Cloud: Specifically for the HMSA, R‑Cloud requires additional permissions. For details, see Google Cloud permissions required by R‑Cloud.
The data mover configuration must ensure that the data mover will have access to the SaaS applications that you want to protect and to the targets that store the protected data.

 Tip You can check under which subnet the SaaS applications and the targets are accessible in your cloud provider management console.

Considerations

If you assign a data mover configuration to a SaaS application that already inherits a data mover configuration from the related SaaS instance, the manually assigned data mover configuration will be used.
If you do not configure the Data Movers backup option, the default configurations are:
- For the SaaS applications that do not run natively in AWS, Azure or Google Cloud and whose R-Cloud module does not require using compute: The HYCU Managed data mover configuration is preselected, which means that the data movers will be created in the HYCU managed cloud accounts.
- For all other SaaS applications: The Automatic data mover configuration is preselected, which means that the data movers will be created in the original SaaS instance location or in the compute that you added as a separate part of your data protection infrastructure.
Only if you plan to store the protected SaaS application data on an Azure target. For security purposes, it is recommended that you configure SaaS application data protection settings so that R‑Cloud creates the data mover in the Azure resource group to keep the protected data in the same Azure environment during the backup.

Recommendation

If you plan to use targets for storing the protected data, optimize the egress data costs by configuring SaaS application data protection settings so that the data mover uses the same region as the target.

 Note R‑Cloud performs automatic synchronization of SaaS applications at periodic intervals. However, you can at any time update the list of SaaS applications also manually by clicking Synchronize Refresh.

Procedure

In the SaaS panel, select one or more SaaS applications for which you want to configure data protection settings.
Click Configuration. The SaaS Configuration dialog box opens.

Depending on what you want to do, perform the required action:

I want to...	Instructions
Exclude resources from the backup.	On the Exclude Resources tab, select the resources that you want to exclude from the backup.
Use a backup option specific to my SaaS application or resource.	On the Options tab, specify which of the available data protection settings you want to use and provide the required information.
Assign a data mover configuration to the selected SaaS applications.	On the Data Movers tab, use the Data Movers drop-down menu to do one of the following: By clicking Add New, you are automatically redirected to the dialog box that enables you to add a new data mover configuration. For details, see Creating a data mover configuration. Select an existing data mover configuration.

I want to...

Instructions

Exclude resources from the backup.

On the Exclude Resources tab, select the resources that you want to exclude from the backup.

Use a backup option specific to my SaaS application or resource.

On the Options tab, specify which of the available data protection settings you want to use and provide the required information.

Assign a data mover configuration to the selected SaaS applications.

On the Data Movers tab, use the Data Movers drop-down menu to do one of the following:

By clicking Add New, you are automatically redirected to the dialog box that enables you to add a new data mover configuration. For details, see Creating a data mover configuration.
Select an existing data mover configuration.

Click Save.