Nutanix Cloud Connect and S3 Encryption

By | January 12, 2018

Over the last week, I have been asked questions about how to set up the Cloud Connect feature in Nutanix. One question stuck out.

How do I keep my data secure?

We need to first look at the requirements for Cloud Connect.

You need to open the following ports on your firewall:

  • TCP ports 2009/2020 – AOS communications
  • UDP port 53 – DNS
  • HTTPS port 443 – AWS communication
  • TCP port 22 – SSH communication to Nutanix Controller VM

You will need an AWS VPC set up. This requires AWS Direct Connect or a VPN. I plan on writing another blog post about VPCs and VPNs in the near future.

I need to note one thing: the current Cloud Connect cannot support DR. Other limitations and recommendations can be found here.

The following user permissions are required in AWS:

EC2

  • AWS service: Amazon EC2
  • Actions: All actions
  • ARN:*

S3

  • AWS service: Amazon S3
  • Actions: All actions
  • ARN:*

For production workloads, do not use the SSH connection to AWS.

OK, here is where we get into AWS encryption. AWS offers multiple types of encryption:

  • Use Server-Side Encryption – You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
  • Use Client-Side Encryption – You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

We can only encrypt the S3 bucket that stores the backup. You cannot use encryption on the CVM that is running in AWS; that is not supported by Nutanix.

We now need to choose which form of server-side encryption to use:

  • Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each object is encrypted with a unique key employing strong multi-factor encryption. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
  • Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) – Similar to SSE-S3, but with some additional benefits along with some additional charges for using this service. There are separate permissions for the use of an envelope key (that is, a key that protects your data’s encryption key) that provides added protection against unauthorized access of your objects in S3. SSE-KMS also provides you with an audit trail of when your key was used and by whom.
  • Use Server-Side Encryption with Customer-Provided Keys (SSE-C) – You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption when you access your objects.

This customer did not want to own or manage the KMS service, so they opted to use the S3-managed Keys.
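To make the SSE-S3 choice concrete, here is an added example (not code from the original post or from Nutanix) that expresses it as the two S3 API inputs a practitioner would set on the backup bucket, plus a local model of how the bucket policy decides a PutObject request and an audit of head_object responses. The bucket name, object keys and head_object responses are constructed; the boto3 calls in `apply_to_bucket` are the real `put_bucket_encryption` and `put_bucket_policy` operations but need AWS credentials. One caveat: the page does not say whether the Nutanix CVM sets the `x-amz-server-side-encryption` header on upload. If it does not, rely on default bucket encryption alone, because the deny policy would reject those uploads.

```python
"""Added example, not code from the original post or from Nutanix: the SSE-S3 choice
made above, expressed as S3 API inputs plus a local check of the bucket policy.
Bucket name, object keys and the sample head_object responses are constructed."""
from typing import Any, Dict, List, Optional

SSE_S3 = "AES256"    # header value S3 uses for SSE-S3
SSE_KMS = "aws:kms"  # header value S3 uses for SSE-KMS
SSE_HEADER = "x-amz-server-side-encryption"
SSE_CONDITION_KEY = "s3:" + SSE_HEADER  # policy condition key for that header


def default_encryption_config(algorithm: str = SSE_S3,
                              kms_key_id: Optional[str] = None) -> Dict[str, Any]:
    """ServerSideEncryptionConfiguration for s3.put_bucket_encryption(): with this set,
    objects uploaded without an encryption header are still stored encrypted."""
    if algorithm not in (SSE_S3, SSE_KMS):
        raise ValueError("algorithm must be AES256 (SSE-S3) or aws:kms (SSE-KMS)")
    rule: Dict[str, str] = {"SSEAlgorithm": algorithm}
    if algorithm == SSE_KMS and kms_key_id:
        rule["KMSMasterKeyID"] = kms_key_id
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": rule}]}


def require_sse_policy(bucket: str, algorithm: str = SSE_S3) -> Dict[str, Any]:
    """Bucket policy that refuses PutObject unless the caller explicitly requests SSE.
    Two Deny statements are needed: StringNotEquals catches a wrong header value and
    the Null condition catches a request that omits the header altogether."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {SSE_CONDITION_KEY: algorithm}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {SSE_CONDITION_KEY: "true"}},
            },
        ],
    }


def put_object_allowed(policy: Dict[str, Any], request_headers: Dict[str, str]) -> bool:
    """Local model of how S3 evaluates the Deny statements above for one PutObject.
    An explicit Deny always wins, so the request passes only if no Deny condition matches.
    The Null statement handles the missing-header case, so the outcome does not depend on
    how StringNotEquals is treated when the key is absent."""
    value = request_headers.get(SSE_HEADER)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        if "Null" in cond and cond["Null"].get(SSE_CONDITION_KEY) == "true" and value is None:
            return False
        if "StringNotEquals" in cond and value is not None \
                and value != cond["StringNotEquals"][SSE_CONDITION_KEY]:
            return False
    return True


def unencrypted_keys(head_responses: Dict[str, Dict[str, Any]]) -> List[str]:
    """Given {key: response of s3.head_object()}, return keys stored without SSE.
    head_object returns a ServerSideEncryption field only for encrypted objects."""
    return sorted(k for k, r in head_responses.items() if not r.get("ServerSideEncryption"))


# Constructed sample: what head_object() might return for three backup objects.
SAMPLE_HEAD_RESPONSES = {
    "backups/vm-a/snap-001": {"ContentLength": 4096, "ServerSideEncryption": "AES256"},
    "backups/vm-b/snap-001": {"ContentLength": 8192, "ServerSideEncryption": "aws:kms"},
    "backups/vm-c/snap-001": {"ContentLength": 1024},  # stored before encryption was enabled
}


def apply_to_bucket(bucket: str) -> None:
    """Push the configuration to a real bucket with boto3 (needs AWS credentials; not run
    offline). boto3 is imported here so the rest of the module works without it."""
    import json
    import boto3
    s3 = boto3.client("s3")
    s3.put_bucket_encryption(Bucket=bucket,
                             ServerSideEncryptionConfiguration=default_encryption_config())
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(require_sse_policy(bucket)))


if __name__ == "__main__":
    policy = require_sse_policy("example-cloud-connect-backups")  # constructed bucket name
    print("missing header allowed:", put_object_allowed(policy, {}))
    print("AES256 allowed:", put_object_allowed(policy, {SSE_HEADER: SSE_S3}))
    print("objects lacking SSE:", unencrypted_keys(SAMPLE_HEAD_RESPONSES))
```

Default bucket encryption covers new uploads; the `unencrypted_keys` audit is what tells you whether objects written before the setting was applied still need to be re-copied, which matters for a backup bucket that already holds data.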

Reflection

We were able to test restores from the encrypted S3 bucket back to the on-prem Nutanix cluster. With a VPN and server-side encryption set up, we were able to protect client data on the way from the on-prem cluster to AWS and back again.