
Quantum Bridge Configuration for Amazon EFS File Systems

What is Druva Quantum Bridge

The Quantum Bridge is an ephemeral EC2 instance dynamically provisioned within your AWS environment solely for the duration of backup and recovery operations. Druva Quantum Bridge acts as a secure intermediary that bridges data transfer between Amazon EFS and Druva’s Airgapped Storage.

To ensure successful backups, the EFS file system must have at least one valid mount target. Druva identifies existing mount targets and automatically selects one to facilitate the backup process. The Subnet and Security Group associated with that specific mount target provide the network blueprint and are used to provision the Druva Quantum Bridge. Druva does not use EFS Access Points; instead, it mounts the file system directly so that the entire directory structure remains accessible for a full backup.


📝 Note

Druva automatically detects and configures the mount target. Manual intervention is only required if the assigned mount target, resource VPC, or resource subnet has connectivity or configuration issues. For more information, see Manually Configure Quantum Bridge.


Druva Quantum Bridge deployment workflow

Step 1: Mount Target Discovery

Druva begins by scanning all available file system mount targets within your AWS environment. During the discovery phase, Druva filters out any mount targets that do not actively permit inbound traffic on Port 2049, the standard port used for NFS/EFS communication.

Step 2: Bidirectional Security Group validation

For each valid mount target, Druva analyzes the associated VPC’s Security Groups to identify the optimal configuration for the Quantum Bridge. The selected Security Group must satisfy the following networking requirements:

  • Druva service connectivity: The Security Group must allow outbound HTTPS traffic on Port 443 to enable communication with Druva's cloud control services.

  • Bridge to Mount Target access: The Security Group must permit outbound traffic on Port 2049 to the target mount point, either through its IP address or its associated Security Group.

  • Mount Target to Bridge authorization: The mount target's Security Group must contain an inbound rule that explicitly allows traffic from the Quantum Bridge Security Group on Port 2049.

Step 3: Subnet-Level Network ACL (NACL) verification

Since Security Groups are stateful while Network ACLs (NACLs) are stateless, Druva performs an additional validation at the subnet level. It verifies that the subnet's NACL allows both inbound and outbound traffic on Port 443, ensuring the Quantum Bridge can maintain a reliable and uninterrupted connection to Druva control services.

Step 4: VPC DNS configuration validation

Druva verifies that the VPC has both DNS Resolution and DNS Hostnames enabled. This configuration ensures that the Quantum Bridge can successfully resolve mount target hostnames and maintain connectivity with AWS and Druva services.

Note: If either setting is disabled, Druva does not automatically enable it or modify existing settings. You will need to manually enable it from your AWS management console. For more information, refer to the AWS documentation.

Step 5: Seamless EFS backup and restores

With all networking prerequisites validated, including mount target accessibility, Security Group rules, Network ACL configurations, and VPC DNS settings, Quantum Bridge can reliably communicate with both the EFS mount targets and Druva services.
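
The Security Group checks in Step 2 and the NACL check in Step 3 can be reproduced offline against exported rule data. The following is an added example, not Druva's code: it evaluates constructed data shaped like the EC2 DescribeSecurityGroups and DescribeNetworkAcls responses. Function names, group IDs and addresses are assumptions, any CIDR egress rule on Port 443 is treated as reaching Druva, and NACL CIDR matching is omitted.

```python
import ipaddress

def _covers(rule, port):
    """True if an SG rule's protocol/port range includes TCP `port`."""
    if rule["IpProtocol"] == "-1":               # all protocols, all ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def sg_allows(sg, direction, port, peer_sg=None, peer_ip=None):
    """Security Groups are allow-only, so one matching rule is sufficient."""
    key = "IpPermissions" if direction == "in" else "IpPermissionsEgress"
    for rule in sg.get(key, []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        groups = [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
        ip_hit = peer_ip and any(ipaddress.ip_address(peer_ip) in ipaddress.ip_network(c) for c in cidrs)
        any_cidr = peer_sg is None and peer_ip is None and cidrs   # assumption: no specific peer given
        if _covers(rule, port) and (peer_sg in groups or ip_hit or any_cidr):
            return True
    return False

def nacl_allows(entries, egress, port):
    """NACLs are stateless and ordered: the lowest-numbered matching entry decides."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        rng = e.get("PortRange") or {"From": -1, "To": -1}
        tcp = e["Protocol"] == "6" and rng["From"] <= port <= rng["To"]
        if e["Egress"] == egress and (e["Protocol"] == "-1" or tcp):
            return e["RuleAction"] == "allow"
    return False

def failed_checks(bridge_sg, mount_sg, mount_ip, nacl_entries):
    checks = {
        "bridge egress 443": sg_allows(bridge_sg, "out", 443),
        "bridge egress 2049 to mount target": sg_allows(bridge_sg, "out", 2049, mount_sg["GroupId"], mount_ip),
        "mount target ingress 2049 from bridge SG": sg_allows(mount_sg, "in", 2049, bridge_sg["GroupId"]),
        "NACL inbound 443": nacl_allows(nacl_entries, False, 443),
        "NACL outbound 443": nacl_allows(nacl_entries, True, 443),
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample data (not from a real account); IDs and CIDRs are placeholders.
BRIDGE = {"GroupId": "sg-bridge", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}
MOUNT = {"GroupId": "sg-mount", "IpPermissions": [   # CIDR rule only, no reference to sg-bridge
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
NACL = [{"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow"},
        {"RuleNumber": 90, "Egress": False, "Protocol": "6", "RuleAction": "deny",
         "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow"}]
print(failed_checks(BRIDGE, MOUNT, "10.0.1.25", NACL))
```

The sample fails two checks: the mount target's Security Group admits Port 2049 by CIDR rather than by referencing the bridge Security Group, and NACL entry 90 denies inbound 443 before the allow-all entry 100 is reached.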

Manually configure Quantum Bridge

Druva automatically detects and configures the mount target. Manual intervention is only required if the assigned mount target, resource VPC, or resource subnet has connectivity or configuration issues.

Before you begin

When initiating a manual setup of Druva Quantum Bridge, verify the following Amazon VPC network configurations:

  • Network Alignment:

    • Routing: The Quantum Bridge EC2 instance must be in a subnet with a direct network route to the storage Mount Target.

    • Localization: Deploy the bridge instance in the same Availability Zone (AZ) as the active storage mount target to maximize performance and avoid cross-AZ data transfer fees.

  • Security Group Rules:

    Configure your AWS Security Groups to allow the following traffic:

    | Component | Traffic Type/Port | Source/Destination |
    |---|---|---|
    | Storage Mount Target Security Group | Inbound on Port 2049 (NFS) | From Quantum Bridge Security Group |
    | Quantum Bridge Security Group | Outbound on Port 2049 (NFS) | To Storage Mount Target IP/SG |
    | Quantum Bridge Security Group | Outbound on Port 443 (HTTPS) | To Druva Backup Cloud Endpoint |

Setup Quantum Bridge

  1. Log in to the AWS Workloads Management Console.

  2. Click EFS on the left pane and navigate to the All File Systems page.

  3. Select a File System marked with a warning icon, and click Setup Quantum Bridge.



    📝 Note
    You may hover over the warning icon to view the exact issue. For detailed information on potential issues and resolution, see Prerequisites for Amazon EFS data protection.


  4. On the Quantum Bridge Network Access page, select the following:

    • Mount Target: Select from the list of available mount targets.


      📝 Note: If no mount targets are available, you will need to create a new mount target from your AWS management console. For more information, refer to the AWS documentation.



      Once you create a new mount target, navigate back to your AWS Workloads management console, click the Refresh icon, and then assign the mount target.

    • Subnet: The Subnet defaults based on the Mount Target assigned.

    • Security Group: Select from the list of available security groups. The inbound and outbound ports and rules defined for each Security Group are also displayed. Ensure that the Security Group selected allows:

      • Inbound and outbound traffic on Port 2049 (NFS)

      • Outbound traffic on Port 443 to the Druva Endpoint


    📝 Note
    You must configure your AWS Security Groups to allow inbound and outbound traffic between the Quantum Bridge and the mount targets. An error displays if the selected Security Group does not meet the inbound and outbound rules criteria, and you will need to reassign an alternate Security Group to proceed.

  5. Click Save.
