Backup and Recovery Connection Profiles

The following topics describe connection profiles for backup and recovery services:

ConnectionProfile:AWS Backup

AWS Backup enables you to back up and restore your data to the Amazon cloud.

The following examples show how to define a connection profile for an AWS Backup job:

  • This JSON defines an authentication based on an AWS access key and secret:

    Copy
    {
       "AWS_BACK"
       {
          "Type": "ConnectionProfile:AWS Backup",
          "AWS Backup URL": "https://backup.{{AWSRegion}}.amazonaws.com.",
          "AWS Region": "us-east-1",
          "Authentication": "Secret",
          "AWS Access Key": "ZKIATY7B2LKB2JQ85I6D",
          "AWS Secret": "*****",
          "Connection Timeout": "20",
          "Description": "",
          "Centralized": true
       }
    }
  • This JSON defines an authentication based on an AWS IAM role from inside an Amazon EC2 virtual machine (instance).

    Copy
    {
       "AWS_BAK_IAM"
       {
          "Type": "ConnectionProfile:AWS Backup",
          "AWS Backup URL": "https://backup.{{AWSRegion}}.amazonaws.com",
          "AWS Region": "us-east-1",
          "Authentication": "NoSecret",
          "IAM Role": "arn:aws:iam::122343212345:role/Amazon12SSMRoleForInstancesQuickSetup",
          "Connection Timeout": "20",
          "Description": "",
          "Centralized": true
       }
    }

The following table describes the AWS Backup connection profile parameters.

Parameter

Description

AWS Backup URL

Determines the authentication endpoint for AWS Backup, based on the following format:

https://backup.{{AWS_Region}}.amazonaws.com

For more information about regional endpoints available for the AWS Batch service, refer to the AWS documentation.

AWS Region

Determines the region where the AWS Backup jobs are located.

us-east-1

Authentication

Determines one of the following authentication methods:

  • Secret: Authenticates with an AWS access key and secret.

  • NoSecret: Authenticates with an AWS IAM role from within the AWS infrastructure.

AWS Access Key

Defines the access key assigned to the account in the AWS Backup integration setup.

AWS Secret

Defines the secret access key assigned to the account in the AWS Backup integration setup. You can use Secrets in Code to hide this value in the code.

IAM Role

Defines the Identity and Access Management (IAM) role on an Amazon EC2 virtual machine (instance) for the AWS Backup connection.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to AWS Backup before a timeout occurs.

Default: 20

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:AWS DataSync

AWS DataSync enables you to enables you to move large amounts of data between on-premises storage and AWS storage services, as well as between AWS storage services.

The following examples show how to define a connection profile for an AWS DataSync job:

  • This JSON defines an authentication based on an AWS access key and secret:

    Copy
    {
       "DATASYNC"
       {
          "Type": "ConnectionProfile:AWS DataSync",
          "AWS Logs URL": "https://logs.AwsRegion.amazonaws.com",
          "AWS DataSync URL": "https://datasync.AwsRegion.amazonaws.com",
          "AWS Region": "us-east-1",
          "Authentication": "Secret",
          "AWS Access Key": "ZKIATY7B2LKB2JQ85I6D",
          "AWS Secret": "*****",
          "Connection Timeout": "20",
          "Description": "",
          "Centralized": true
       }
    }
  • This JSON defines an authentication based on an AWS IAM role from inside an Amazon EC2 virtual machine (instance).

    Copy
    {
       "DATASYNC"
       {
          "Type": "ConnectionProfile:AWS DataSync",
          "AWS Logs URL": "https://logs.AwsRegion.amazonaws.com",
          "AWS DataSync URL": "https://datasync.AwsRegion.amazonaws.com",
          "AWS Region": "us-east-1",
          "Authentication": "NoSecret",
          "IAM Role": "arn:aws:iam::122343212345:role/Amazon12SSMRoleForInstancesQuickSetup",
          "Connection Timeout": "30",
          "Description": "",
          "Centralized": true
       }
    }

The following table describes the AWS Backup connection profile parameters.

Parameter

Description

AWS Logs URL

Defines the AWS Logs URL, based on the following format:

https://logs.{{AwsRegion}}.amazonaws.com

AWS DataSync URL

Determines the authentication endpoint for AWS DataSync, based on the following format:

https://datasync.<AWS Region>.amazonaws.com

AWS Region

Determines the region where the AWS DataSync jobs are located.

us-east-1

Authentication

Determines one of the following authentication methods:

  • Secret: Authenticates with an AWS access key and secret.

  • NoSecret: Authenticates with an AWS IAM role from within the AWS infrastructure.

AWS Secret

Defines the secret access key assigned to the account in the AWS DataSync integration setup. You can use Secrets in Code to hide this value in the code.

AWS Access Key

Defines the access key assigned to the account in the AWS DataSync integration setup.

IAM Role

Defines the Identity and Access Management (IAM) role on an Amazon EC2 virtual machine (instance) for the AWS DataSync connection.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to AWS DataSync before a timeout occurs.

Default: 30

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.

ConnectionProfile:Azure Backup

Azure Backup enables you to back up and restore your data in the Microsoft Azure cloud.

The following examples show how to define a connection profile for an Azure Backup job:

  • This JSON defines an authentication using an Azure service principal:

    Copy
    {
       "ABK_CCP_SERVICE_PRINCIPAL"
       {
          "Type": "ConnectionProfile:Azure Backup",
          "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1j",
          "Authentication Method": "service",
          "Azure Management URL": "https://management.azure.com",
          "Azure Login URL": "https://login.microsoftonline.com"
          "Tenant ID": "92b796c5-5839-40a6-8dd9-c1fad320c68c",
          "Client Secret": "*****",
          "Application ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b8",
          "Connection Timeout": "50",
          "Description": "",
          "Centralized": true
       }
    }
  • This JSON defines an authentication using a managed identity.

    Copy
    {
       "ABK_CCP_MANAGED_IDENTITY "
       {
          "Type": "ConnectionProfile:Azure Backup",
          "Subscription ID": "e76056e0-70de-4da8-b02e-61263a150b1j",
          "Authentication Method": "identity",
          "Azure Management URL": "https://management.azure.com",
          "Specify Managed Identity Client ID": "&client_id=",
          "Managed Identity Client ID": "7f477fa3-1a1f-4877-ba80-f39bb563f1b8",
          "Connection Timeout": "50",
          "Description": "",
          "Centralized": true
       }
    }

Managed Identity authentication is based on an Azure token that is valid, by default, for 24 hours. Token lifetime can be extended by Azure.

The following table describes the Azure Backup connection profile parameters.

Parameter

Description

Subscription ID

Defines the registered subscription ID for the Azure Backup service.

You can retrieve the subscription ID from the Subscription menu in the Azure portal.

Authentication Method

Determines one of the following authentication types:

  • identity: Managed Identity authentication uses an Azure Active Directory token, which removes the need to provide additional credentials.

  • service: Service Principal authentication uses an application ID (service account) and client secret.

Azure Management URL

Defines the endpoint that enables you to perform API calls and retrieve the token for authentication.

Default: https://management.azure.com

Specify Managed Identity Client ID

(Managed Identity) Determines whether the client ID for your Managed Identity is specified by the Managed Identity Client ID parameter.

Include this parameter only if you are using the Managed Identity authentication method and you have multiple Managed Identities defined on your Azure virtual machine. Set its value to &client_id=.

Managed Identity Client ID

(Managed Identity) Determines which client ID to use as the Managed Identity.

This parameter requires a value only if you have multiple Managed Identities defined on your Azure virtual machine and you included the Specify Managed Identity Client ID parameter.

If you have only one Managed Identity, it is detected automatically.

Azure Login URL

(Service Principal) Defines the Azure Backup authentication endpoint base URL.

Default: https://login.microsoftonline.com

Tenant ID

(Service Principal) Defines the Azure tenant ID, which represents your organization.

Client Secret

(Service Principal) Defines the password associated with the Azure user and the Azure AD application ID. You can use Secrets in Code to hide this value in the code.

Application ID

(Service Principal) Defines the Azure AD application ID for Azure Backup.

The Service Principal must be an Azure Backup workspace user with a Contributor or Owner role.

Connection Timeout

Determines the number of seconds to wait after Control-M initiates a connection request to Azure Backup before a timeout occurs.

Default: 50

Centralized

Determines whether to create a centralized connection profile, which is stored in the Control-M/EM database and is available to all Agents.

You must set this parameter to true.