Launches Q-Cloud Protect instance with no access to S3 – needed for blockpool storage

1)     Customer symptoms

a)     Customer is able to connect to QCP UI using browser

b)     Admin Alert on ‘AWSConfiguration’ is posted on QCP UI Home

2)     How to determine if S3 access is root cause of issue

a)     From the Q-Cloud Protect home UI page note the Serial Number i.e.AW8411CAH07595

b)     On AWS Web Services S3 Dashboard look for bucket qcp-<serialnumber>.  If bucket is not then Q-Cloud Protect was unable to setup bucket for blockpool storage

c)     ssh into Q-Cloud Protect as user ServiceLogin using AWS key-pair.

d)     Run ‘less /hurricane/tsunami.log’ and search for ‘S3ResponseError: 403 Forbidden’ with ‘Access Denied’ in response to a ‘create_bucket’ operation

 

3)     Steps to recover

a)     Check the IAM Role associated with Cloud Protect instance has policy that allows access toS3.

b)     Check that EC2 Instance has Internet access (see previous scenarios)

OR

c)     Check that an AWS VPC Endpoint has been defined and is included in the VPC VPN in which the Q-Cloud Protect instance is deployed. Also verify that EndPoint Route Table is associated with the VPC-VPN  Subnet’s Route table

d)     Resolve S3 access and deploy a new Q-Cloud Protect instance. Terminate previous one.

i)      Note a reboot of Q-Cloud Protect instance after access resolved will not resolve/create the S3 bucket .This only occurs during initial deployment.

Audience: 
Public Unrestricted
Review/Evaluate: 
2017-01-14
Document Type: