Error "Unable To Access S3 Bucket {aa} Which Is Required For Recovery Operations. Make Sure The Following Recovery Have Access To S3: VPC ID {yy} , Subnet Id {tt} , Security Group Id {ff}" when Recovering to AWS
- Last UpdatedJun 16, 2021
An administrator may receive an error regarding accessing an S3 bucket, yet communication to the S3 bucket seems to be fine, but Recovery Operations still fail.
User configures network settings of a VM in a VPG to something different from the ZCA network settings, in terms of selected VPC, Subnet, and Security Group.
As a result, recovery to AWS will fail with the following error message:
Unable To Access S3 Bucket {aa} Which Is Required For Recovery Operations. Make Sure The Following Recovery Have Access To S3: VPC ID {yy} , Subnet Id {tt} , Security Group Id {ff}
No access from the zImporter instance(s) to the ZCA's S3 bucket because VPC and/or Subnet and/or Security Group configured in the VPG do not have access to the S3 ZCA bucket.
There is no validation in Edit/Create VPG and thus a user will not know recovery to AWS will fail until an attempt is made.
In 8.0, there was a change that allowed zimporters to spin up in the same VPC/subnet/SG as the recovery VM it is in charge of importing a disk for (gets this from the VPG configuration itself). Many administrators setup an isolated VPC just for Failover Tests and thus the zimporters are not able to reach the S3 bucket in the ZCA's VPC.
In order to resolve this issue, follow one of the options below:
-
Modify the selected VPC, Subnet, and Security Group so they can access the ZCA S3 bucket, or,
-
Choose different network settings that do have access to the ZCA S3 bucket.
In order to setup access to the S3 bucket:
-
Create an S3 endpoint in the ZCA's VPC as well as the Recovery VPC.
-
Set the Outbound rules of the Security Group(s) assigned to the VMs within the VPG configuration to allow traffic over ports 22 (SSH) and 443 (HTTPS). Specifically they should be open to speak to the ip_prefix(s) for the S3 service in the region where the ZCA resides (as that is where the S3 bucket resides). You can use the below link to determine which ip_prefixes are relevant (do not utilize ipv6):
-
https://ip-ranges.amazonaws.com/ip-ranges.json
-
-
Additionally, check the DHCP Option Set for the Recovery VPC. Ensure is it set to either the default internal AWS DNS or a DNS that has been stood up in the Recovery VPC. On-prem DNS selection for this attribute has been seen to take too long for requests from zimporter -> out of AWS -> across network -> into on-prem network -> on-prem DNS to facilitate the request -> return in opposite direction. Therefore, if it is required to have the Recovery VMs speak to a production DNS, it is best to stand up a new DNS in the Recovery VPC and then select that DNS as the primary DNS in the VPC's DHCP Option Set.