Preparing for SaaS application data protection
Before you start protecting your Amazon Route 53 data, complete the following steps:
Getting familiar with your SaaS application specifics
Before you start protecting your Amazon Route 53 data, you must get familiar with all prerequisites, limitations, considerations, and/or recommendations in this topic to make sure that your module is prepared and configured correctly.
Prerequisites
Your Authentication IAM account must be granted the minimum set of permissions. The following permissions must be included:
- iam:ListAttachedRolePolicies
- iam:ListRolePolicies
- iam:GetRolePolicy
- iam:GetPolicy
- iam:GetPolicyVersion
- ec2:DescribeRegions
- ec2:DescribeVpcs
- route53:ListHostedZones
- route53:ListResourceRecordSets
- route53:ListHealthChecks
- route53:ListCidrCollections
- route53:ListCidrLocations
- route53:ListCidrBlocks
- route53:ListTrafficPolicies
- route53:ListTrafficPolicyVersions
- route53:ListTrafficPolicyInstances
- route53:ListQueryLoggingConfigs
- route53:GetHostedZone
- route53:GetDNSSEC
- route53:GetQueryLoggingConfig
- route53:GetHealthCheck
- route53:GetTrafficPolicy
- route53:GetTrafficPolicyInstance
- route53:CreateHostedZone
- route53:AssociateVPCWithHostedZone
- route53:ChangeResourceRecordSets
- route53:CreateKeySigningKey
- route53:EnableHostedZoneDNSSEC
- route53:CreateQueryLoggingConfig
- route53:CreateHealthCheck
- route53:UpdateHealthCheck
- route53:CreateTrafficPolicy
- route53:CreateTrafficPolicyVersion
- route53:CreateTrafficPolicyInstance
- route53:CreateCidrCollection
- route53:ChangeCidrCollection
- route53resolver:ListResolverEndpoints
- route53resolver:ListResolverRules
- route53resolver:ListResolverRuleAssociations
- route53resolver:ListResolverQueryLogConfigs
- route53resolver:ListResolverQueryLogConfigAssociations
- route53resolver:ListFirewallRules
- route53resolver:ListFirewallDomainLists
- route53resolver:ListFirewallRuleGroups
- route53resolver:ListFirewallRuleGroupAssociations
- route53resolver:GetResolverEndpoint
- route53resolver:GetResolverRule
- route53resolver:GetResolverRulePolicy
- route53resolver:GetResolverRuleAssociation
- route53resolver:GetFirewallRuleGroup
- route53resolver:GetFirewallDomainList
- route53resolver:GetFirewallRuleGroupAssociation
- route53resolver:GetResolverQueryLogConfig
- route53resolver:GetResolverQueryLogConfigPolicy
- route53resolver:GetResolverQueryLogConfigAssociation
- route53resolver:CreateResolverEndpoint
- route53resolver:CreateResolverRule
- route53resolver:AssociateResolverRule
- route53resolver:PutResolverRulePolicy
- route53resolver:CreateFirewallRuleGroup
- route53resolver:AssociateFirewallRuleGroup
- route53resolver:CreateFirewallRule
- route53resolver:CreateFirewallDomainList
- route53resolver:UpdateFirewallDomains
- route53resolver:CreateResolverQueryLogConfig
- route53resolver:AssociateResolverQueryLogConfig
- route53resolver:PutResolverQueryLogConfigPolicy
- arc-zonal-shift:ListManagedResources
- arc-zonal-shift:GetManagedResource
- arc-zonal-shift:CreatePracticeRunConfiguration
- arc-zonal-shift:UpdateZonalAutoshiftConfiguration
- route53-recovery-control-config:ListClusters
- route53-recovery-control-config:ListControlPanels
- route53-recovery-control-config:ListRoutingControls
- route53-recovery-control-config:ListSafetyRules
- route53-recovery-control-config:ListAssociatedRoute53HealthChecks
- route53-recovery-control-config:ListTagsForResource
- route53-recovery-control-config:DescribeCluster
- route53-recovery-control-config:DescribeControlPanel
- route53-recovery-control-config:DescribeRoutingControl
- route53-recovery-control-config:DescribeSafetyRule
- route53-recovery-control-config:CreateCluster
- route53-recovery-control-config:CreateControlPanel
- route53-recovery-control-config:CreateRoutingControl
- route53-recovery-control-config:CreateSafetyRule
- route53-recovery-readiness:ListCells
- route53-recovery-readiness:ListRecoveryGroups
- route53-recovery-readiness:ListReadinessChecks
- route53-recovery-readiness:ListResourceSets
- route53-recovery-readiness:ListTagsForResources
- route53-recovery-readiness:GetCell
- route53-recovery-readiness:GetRecoveryGroup
- route53-recovery-readiness:GetReadinessCheck
- route53-recovery-readiness:GetResourceSet
- route53-recovery-readiness:CreateCell
- route53-recovery-readiness:CreateRecoveryGroup
- route53-recovery-readiness:CreateReadinessCheck
- route53-recovery-readiness:CreateResourceSet
- route53-recovery-readiness:UpdateCell
- route53-recovery-readiness:UpdateRecoveryGroup
- route53-recovery-readiness:UpdateReadinessCheck
- route53profiles:ListProfiles
- route53profiles:ListProfileAssociations
- route53profiles:ListProfileResourceAssociations
- route53profiles:ListTagsForResource
- route53profiles:GetProfile
- route53profiles:GetProfileAssociation
- route53profiles:GetProfileResourceAssociation
- route53profiles:CreateProfile
- route53profiles:AssociateProfile
- route53profiles:AssociateResourceToProfile
Instead of granting the individual permissions, you can also assign your Authentication IAM account the following policies:
- AmazonRoute53FullAccess
- AmazonRoute53ResolverFullAccess
- AmazonRoute53RecoveryControlConfigFullAccess
- AmazonRoute53RecoveryReadinessFullAccess
- AmazonRoute53ProfilesFullAccess
- ElasticLoadBalancingFullAccess (or any other policy that includes the arc-zonal-shift permissions)
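The managed *FullAccess policies are convenient but grant far more than the minimum set above, so it is worth checking what a candidate policy actually covers before attaching it to the Authentication IAM account. The following Python script is an added example, not R‑Cloud code or an AWS tool: it evaluates a policy document against the required actions using standard IAM action-matching rules (case-insensitive, `*` and `?` wildcards, an explicit Deny wins), lists the required actions that are not granted, flags wildcard grants for review, and emits a least-privilege policy that allows exactly the listed actions. The required list and the candidate policy are constructed; the required list is a subset of the permissions above and should be extended with the full list. Resource and Condition elements are ignored.

```python
"""Check whether an IAM policy document grants the Route 53 permissions this page lists.

Added example, not R-Cloud code. Assumes plain IAM action-matching semantics
(case-insensitive, '*' and '?' wildcards, explicit Deny wins) and ignores the
Resource and Condition elements of each statement.
"""
import fnmatch
import json

# Constructed subset of the minimum permissions listed on this page; extend with the rest.
REQUIRED_ACTIONS = [
    "iam:ListAttachedRolePolicies",
    "iam:GetPolicyVersion",
    "ec2:DescribeRegions",
    "route53:ListHostedZones",
    "route53:ChangeResourceRecordSets",
    "route53:CreateKeySigningKey",
    "route53resolver:ListResolverEndpoints",
    "route53resolver:CreateResolverQueryLogConfig",
    "arc-zonal-shift:ListManagedResources",
    "route53-recovery-control-config:CreateCluster",
    "route53-recovery-readiness:UpdateReadinessCheck",
    "route53profiles:AssociateProfile",
]


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive; '*' matches any run, '?' one character."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action):
    """True if the statement's Action/NotAction clause selects `action`."""
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(action_matches(p, action) for p in _as_list(stmt.get("Action")))


def uncovered_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not allow (an explicit Deny wins over Allow)."""
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = denied = False
        for stmt in statements:
            if not _statement_applies(stmt, action):
                continue
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
        if denied or not allowed:
            missing.append(action)
    return missing


def wildcard_grants(policy):
    """Allow patterns containing wildcards: they exceed the minimum set and deserve review."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        found.extend(p for p in _as_list(stmt.get("Action")) if "*" in p or "?" in p)
    return found


def least_privilege_policy(required=REQUIRED_ACTIONS):
    """Policy document that allows exactly the listed actions and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(required), "Resource": "*"}],
    }


# Constructed candidate: broad on route53, read-only on the resolver, one explicit Deny.
CANDIDATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["route53:*", "route53resolver:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:ListAttachedRolePolicies", "Resource": "*"},
        {"Effect": "Deny", "Action": "route53:CreateKeySigningKey", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("Required actions not granted:", uncovered_actions(CANDIDATE_POLICY))
    print("Wildcard grants to review:", wildcard_grants(CANDIDATE_POLICY))
    print(json.dumps(least_privilege_policy(), indent=2))
```

Run against a policy exported from the account (for example, the JSON of a policy version fetched with iam:GetPolicyVersion, which the list above already requires) and treat a non-empty "not granted" list as a backup that will fail part-way through enumeration; treat a long "wildcard grants" list as the cost of the managed policies.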
Limitations
General limitations
- The following resources are not protected because of API limitations:
  - Domain management data (registration and transfer of domains)
  - Reusable delegation sets
  - Resolver outpost resources
  - Profile configuration data
  - Application Recovery Controller (ARC) manual zonal shifts
- Protecting the shared configuration data for various resources is not supported.
- Restore tags are not created once the maximum number of tags defined for the related resource is reached.
- For a successful restore of the related resources, the VPC associations related to the profiles, the resolver rules, the resolver query logging config, and the DNS firewall rule groups must be removed first.
- The query logging configuration and the DNSSEC data for a hosted zone cannot be restored if the related resources already exist.
- To restore DNSSEC, the KMS customer-managed key related to the DNSSEC key-signing key (KSK) records must be available.
- A hosted zone created by the Cloud Map service cannot be restored if it already exists, because the resource is managed by the Cloud Map service. If a hosted zone created by the Cloud Map service has been deleted, it can be restored by the Route 53 service and will then be marked as managed by Route 53.
- To restore the query logging configuration, the CloudWatch log group related to the query logging configuration must be available.
- The CloudWatch alarms created for the health checks cannot be protected.
- The CIDR location restore fails if another CIDR location has overlapping blocks.
- Only the latest traffic policy version is protected.
- Failed traffic policy records are not restored, to avoid conflicting operations.
- Traffic policy records that already exist cannot be restored.
- The corresponding traffic policy version must be available to restore the related traffic policy record.
- After a granular restore of a health check resource, the related resources that use the restored health check must be updated with the newly restored health check ID.
Route 53 Resolver limitations
- To restore the Route 53 Resolver inbound and outbound endpoints, the backed-up IP address must be available. In this case, either the original endpoints must be deleted, or the IP addresses must be changed.
- Empty domain lists cannot be restored. At least one domain is required for a restore.
Route 53 ARC limitations
- The endpoints of an ARC cluster cannot be protected.
- The ARC resource set granular restore does not recreate missing ARC readiness check resources.
API call rate limitations
- For the Route 53 API requests: five requests per second per AWS account
- For the Route 53 Resolver API requests: five requests per second per AWS account per region
- For the Route 53 ARC API requests: three mutating requests per second to a cluster endpoint
For more information about the Amazon Route 53 service quotas, see AWS documentation.
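The three quotas are counted on different keys (account, account plus region, cluster endpoint), so any script that enumerates or restores Route 53 resources in bulk needs one bucket per key, not one global limiter. The following Python module is an added example, not R‑Cloud code: a token-bucket limiter keyed by scope, with helpers that build the scope keys the way the quotas above are counted, and a fake clock so the pacing can be demonstrated offline. The account ID and cluster endpoint name used in the demonstration are constructed.

```python
"""Pace API calls to stay within the per-account / per-region quotas listed on this page.

Added example, not R-Cloud code. It models each quota as a token bucket and lets
the caller pick the scope key (account, account+region, or cluster endpoint) so
that the bucket is counted the way the quota is. `clock` and `sleep` are
injectable so the behaviour can be demonstrated offline with a fake clock.
"""
import time


class RateLimiter:
    """Token bucket per scope key. Capacity defaults to one second's worth of requests."""

    def __init__(self, rate_per_second, burst=None, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate_per_second)
        self.burst = float(rate_per_second if burst is None else burst)
        self.clock = clock
        self.sleep = sleep
        self._buckets = {}  # scope -> (tokens left at `last`, last timestamp)

    def _available(self, scope, now):
        """Tokens in the bucket at `now`, refilled at `rate` since the last call."""
        tokens, last = self._buckets.get(scope, (self.burst, now))
        return min(self.burst, tokens + (now - last) * self.rate)

    def acquire(self, scope):
        """Block until one request is allowed for `scope`; return the seconds slept."""
        now = self.clock()
        tokens = self._available(scope, now)
        waited = 0.0
        if tokens < 1.0:
            waited = (1.0 - tokens) / self.rate
            self.sleep(waited)
            now = self.clock()
            tokens = self._available(scope, now)
        self._buckets[scope] = (max(0.0, tokens - 1.0), now)
        return waited


# Scope keys that mirror how the three quotas on this page are counted.
def route53_scope(account_id):
    return "route53:" + account_id  # five requests/s per AWS account


def resolver_scope(account_id, region):
    return "route53resolver:%s:%s" % (account_id, region)  # five requests/s per account per region


def arc_scope(cluster_endpoint):
    return "arc:" + cluster_endpoint  # three mutating requests/s per cluster endpoint


class FakeClock:
    """Deterministic clock for the demonstration: sleeping advances time instantly."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def paced_calls(limiter, scopes):
    """Issue one call per scope key in order; return the wait that preceded each call."""
    return [limiter.acquire(scope) for scope in scopes]


def demo():
    """Ten Route 53 calls in one account, then five Resolver calls in each of two regions."""
    clock = FakeClock()
    acct = "111122223333"  # constructed account id
    r53 = RateLimiter(5, clock=clock.now, sleep=clock.sleep)
    r53_waits = paced_calls(r53, [route53_scope(acct)] * 10)
    resolver = RateLimiter(5, clock=clock.now, sleep=clock.sleep)
    resolver_waits = paced_calls(
        resolver,
        [resolver_scope(acct, "us-east-1")] * 5 + [resolver_scope(acct, "eu-west-1")] * 5,
    )
    return r53_waits, resolver_waits, clock.t


if __name__ == "__main__":
    r53_waits, resolver_waits, elapsed = demo()
    print("Route 53 waits:", [round(w, 3) for w in r53_waits])
    print("Resolver waits:", [round(w, 3) for w in resolver_waits])
    print("Simulated time elapsed: %.1fs" % elapsed)
```

In the demonstration the sixth and later Route 53 calls each wait 0.2 s, while the two regional Resolver buckets never block because the quota is per region. In real use, pass the default `time.monotonic`/`time.sleep` and call `acquire()` immediately before each SDK request; keep the SDK's own retry on throttling errors as a backstop, since other tooling in the same account shares the quota.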
Considerations
- The original hosted zone NS and SOA records are not restored by default. You can enable the restore of the original NS and SOA records to an existing hosted zone in R-Cloud.
- To restore a resource, the AWS quotas must not be exceeded. For more information about the Amazon Route 53 service quotas, see AWS documentation.
- The restored state of the ARC routing controls is always set to off.
- The VPC resources associated with any other Route 53 resource (private hosted zones, resolver endpoints, resolver rules, or DNS firewall rule groups) must be available for a successful restore of the corresponding resource.
- The restore of an existing DNSSEC key-signing key (KSK) completes with the KeySigningKeyAlreadyExists error. If a KSK must be returned to the backed-up state, delete the related KSK before restoring.
- Restoring some existing resources may finish with "The source already exists" errors. To restore the affected resources, delete them before restoring.
Configuring SaaS application data backup options
Before you start protecting SaaS applications, you can adjust SaaS application protection to the needs of your data protection environment by configuring backup options in R‑Cloud.
Important Configuring backup options is not supported for all types of SaaS applications. Additionally, the list of available backup options varies depending on the type of your SaaS application.
Backup options
Backup option | Description |
---|---|
Exclude Resources |
Enables you to specify one or more resources to be excluded from the backup. |
Options |
Enables you to use backup options specific to each SaaS application or SaaS application resource (for example, if you are protecting Google Cloud SQL, you can set the offload option that enables R‑Cloud to delegate the export operation to a separate data mover). |
Data Movers |
Enables you to specify the source, the region, and the subnet where you want R‑Cloud to create a data mover during the backup. If the specified source is an AWS account, you can also select a security group. If the specified source is an Azure resource group, you must select a network. Important For the SaaS applications that run in an AWS account, in an Azure resource group, or in a Google Cloud project: If you do not configure this backup option, R‑Cloud by default creates the data mover in your AWS account, Azure resource group, or Google Cloud project after you set up a target in R‑Cloud or add a source to R‑Cloud. |
Prerequisites
- For Google Cloud SaaS applications: specifically for the HMSA, R‑Cloud requires additional permissions. For details, see Google Cloud permissions required by R‑Cloud.
- Only if you plan to configure the data mover and select an Azure resource group as the source for the data mover: the network that you select must allow your Azure service principal or the HMSP to access the specified source and the targets that store the protected data.
- The data movers must have access to the SaaS applications that you want to protect and to the targets that store the protected data. To ensure this, configure the SaaS application backup options so that the data mover uses the appropriate subnet.
Tip You can check under which subnet the SaaS applications and the targets are accessible in your cloud provider management console.
Consideration
Only if you plan to store the protected SaaS application data on an Azure target: for security purposes, it is recommended that you configure the SaaS application backup options so that R‑Cloud creates the data mover in the Azure resource group, keeping the protected data in the same Azure environment during the backup.
Recommendation
If you plan to use targets for storing the protected data, optimize the egress data costs by configuring the SaaS application backup options so that the data mover uses the same region as the target, or the nearest available one.
Note R‑Cloud performs automatic synchronization of SaaS applications at periodic intervals. However, you can also update the list of SaaS applications manually at any time by clicking Refresh.

- To access the SaaS panel, in the navigation pane, click SaaS.
- In the SaaS panel, select the SaaS application or the resource for which you want to configure backup options.
- Click Configuration. The SaaS Configuration dialog box opens.
- Depending on what you want to do, perform the required action:
I want to... | Instructions |
---|---|
Exclude resources from the backup. | On the Exclude Resources tab, select the resources that you want to exclude from the backup. |
Use a backup option specific to my SaaS application or resource. | On the Options tab, specify which of the available backup options you want to use and provide the required information. |
Specify the source, the region, the subnet, the network, or the security group for a data mover. | On the Data Movers tab, do the following: |
  - From the Compute drop-down menu, select the source for the data mover.
  Important If the type of the source that you select for the data mover differs from the source where the target specified in the R‑Cloud policy resides, this may result in data egress charges.
  - From the Region drop-down menu, select the preferred region.
  - For Azure resource groups: From the Network drop-down menu, select the preferred network.
  - From the Subnet drop-down menu, select the preferred subnet.
  - For AWS accounts: Optionally, from the Security Group drop-down menu, select the preferred security group. By default, the data mover is created in the default security group of the preferred subnet.
- Click Save.