Back up on-premises systems to Cloud Storage via Private Google Access

This document covers the configuration settings required for sending backup data via Actifio GO/Backup and DR Service to an OnVault Pool (a Cloud Storage bucket) using Private Google Access, which ensures the data travels via a private network link or gateway (Cloud VPN, Dedicated Interconnect, or Partner Interconnect) instead of via public networks (internet).

  1. For any VPCs in Google Cloud, ensure that Private Google Access is enabled on each subnet that may be used for network traffic. This setting is in VPC network details on the Subnets tab.

  2. Local DNS should be modified to include a zone for googleapis.com.

    1. Configure an A record for private.googleapis.com pointing to all IP addresses that it resolves to. For example, as of January 2023 these are 199.36.153.8 through 199.36.153.11 (CIDR 199.36.153.8/30).
    2. Configure a CNAME record for *.googleapis.com to point to private.googleapis.com.
  3. Ensure that routing for Cloud VPN or interconnects has the subnet 199.36.153.8/30 traversing the VPC subnet with Private Google Access configured. This can be done via static routes or dynamic routing, depending on your network architecture.

  4. Ensure that you update the locally deployed appliances (Actifio Sky and/or backup/recovery appliance(s)) with the correct DNS server(s) that have the DNS changes implemented as mentioned in Step 2 above.

    1. Point your browser to the IP address of the appliance running on-premises and open the System & Network Management page.

    2. Authenticate with the local admin username and password.

    3. Ensure the Primary and Secondary DNS servers are set correctly.

    4. Change to the Troubleshooting tab and choose the Traceroute or IP Route Get utilities and test connecting to the private.googleapis.com IP addresses, to make sure the traffic is flowing over the Interconnect or Cloud VPN link as expected.

Now you should be able to start OnVault jobs, and monitor your links to confirm that traffic is flowing correctly for OnVault jobs.
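To confirm the DNS changes from Step 2 from any on-premises host that uses the same DNS servers as the appliance, a check like the following can be used. It is an added example, not part of the product or of the original page; the function names and the sample hostnames (chosen as names covered by the *.googleapis.com CNAME) are assumptions. It flags any name that resolves outside 199.36.153.8/30, which would mean backup traffic for that name leaves via public networks.

```python
import ipaddress
import socket

# Range given on this page for private.googleapis.com (as of January 2023).
PRIVATE_RANGE = ipaddress.ip_network("199.36.153.8/30")


def system_resolver(name):
    """Return the IPv4 addresses this host's configured DNS gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(name, resolver=system_resolver):
    """Classify one hostname: 'private', 'public', 'mixed' or 'unresolved'."""
    addrs = [ipaddress.ip_address(a) for a in resolver(name)]
    if not addrs:
        return "unresolved"
    inside = [a in PRIVATE_RANGE for a in addrs]
    if all(inside):
        return "private"
    # 'mixed' means some answers still point at public front ends.
    return "mixed" if any(inside) else "public"


def missing_private_addresses(resolver=system_resolver):
    """Addresses in the /30 that the private.googleapis.com A record lacks."""
    got = {ipaddress.ip_address(a) for a in resolver("private.googleapis.com")}
    return [str(a) for a in PRIVATE_RANGE if a not in got]


def check(names, resolver=system_resolver):
    """Return {name: status} for every name not resolving only into the range."""
    results = {n: classify(n, resolver) for n in names}
    return {n: s for n, s in results.items() if s != "private"}


if __name__ == "__main__":
    # Example hostnames (assumed); add the API names your deployment uses.
    names = ["storage.googleapis.com", "www.googleapis.com"]
    print("A record is missing:", missing_private_addresses())
    print("Not private:", check(names))
```

An empty list and an empty dictionary mean the zone matches Step 2. This checks name resolution only; the route itself is still verified with the Traceroute or IP Route Get utilities on the appliance.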

Additional option for testing purposes only

To conduct a Proof of Concept/Test without adding the DNS lookup for the appliance(s), you can update the Host Resolution tab with a manual entry (akin to editing a hosts file). It only allows a single IP address to be used for testing purposes.

Add a single entry for private.googleapis.com and add a single IP address from the range 199.36.153.8/30.