This is an archive version of the document. To get the most up-to-date information, see the current version.

Restoring From Image-Level Backups

The process of restoring an EC2 instance with encrypted EBS volumes from an image-level backup differs depending on whether the worker instance is launched in the same AWS account to which you restore the instance.

Note

Consider the following:

  • An AWS account that owns an IAM role specified for launching worker instances is also referred to as the source AWS account.
  • An AWS account to which you restore an instance is also referred to as the target AWS account.
  • Veeam Backup for AWS always launches a worker instance in a target AWS Region specified in restore settings. For more information, see Managing Worker Instances.

Restore to Same AWS Account

If a worker instance is launched in the same AWS account where the restored EC2 instance will reside, Veeam Backup for AWS encrypts EBS volumes of the restored EC2 instance using the IAM role specified to launch worker instances, as described in section Configuring Worker Instance Settings. The IAM role must have permissions to access the KMS key with which you want to encrypt EBS volumes of the restored EC2 instance.

Restore to Another AWS Account

If a worker instance is launched in an AWS account that is different from the AWS account where the restored EC2 instance will reside, Veeam Backup for AWS performs the following steps:

  1. Creates empty EBS volumes in the target AWS Region in the source AWS account and attaches them to the worker instance. To protect data that will be restored to these volumes, Veeam Backup for AWS encrypts the created EBS volumes with the default encryption key specified for the target AWS Region.

To encrypt the volumes, Veeam Backup for AWS uses the IAM role specified to launch worker instances, as described in section Configuring Worker Instance Settings. The IAM role must have permissions to access the default encryption key specified for the target AWS Region in the source AWS account.

  2. Restores backed-up data to the empty EBS volumes on the worker instance.
  3. Creates an encrypted cloud-native snapshot of the EBS volumes with the restored data.
  4. Shares the created snapshot with the target AWS account.

Important

According to AWS limitations, snapshots encrypted with the default key for EBS encryption (aws/ebs alias) cannot be shared between AWS accounts. Thus, if the default encryption key specified for the target AWS Region in the source AWS account is the default key for EBS encryption, Veeam Backup for AWS will not be able to share the snapshot and the restore process will fail. For more information, see this Veeam KB article.

  5. Creates an EC2 instance in the target AWS Region within the target AWS account.
  6. Creates encrypted EBS volumes from the shared encrypted snapshot and attaches them to the created EC2 instance.

To create and encrypt EBS volumes, Veeam Backup for AWS uses an IAM role specified for the restore operation, as described in section Performing Entire EC2 Instance Restore. The IAM role must have permissions to access the following KMS keys:

  • The default encryption key specified for the target AWS Region in the source AWS account.
  • A KMS key with which you want to encrypt EBS volumes of the restored EC2 instance (target KMS key).
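
The key requirements of the cross-account procedure above can be checked before a restore is started. The following pre-flight check is an added example, not part of Veeam Backup for AWS; it uses the boto3 calls `get_ebs_default_kms_key_id`, `describe_key` and `get_key_policy`, and the function names are hypothetical. It assumes access for the target AWS account is granted through the key policy rather than through a KMS grant.

```python
import json

def preflight_cross_account_restore(ec2, kms, target_account_id):
    """Return a list of blockers; an empty list means none were found.

    ec2 and kms are boto3 clients for the SOURCE account in the TARGET Region.
    """
    findings = []
    key_id = ec2.get_ebs_default_kms_key_id()["KmsKeyId"]
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]

    # Snapshots encrypted with the AWS managed key (aws/ebs alias) cannot be shared.
    if meta["KeyManager"] == "AWS":
        findings.append(f"{key_id}: AWS managed key, snapshot cannot be shared")
        return findings
    if meta["KeyState"] != "Enabled":
        findings.append(f"{meta['Arn']}: key state is {meta['KeyState']}")

    # The restore role in the target account needs access to this key.
    # Assumption: access is granted through the key policy, not a KMS grant.
    raw = kms.get_key_policy(KeyId=meta["KeyId"], PolicyName="default")["Policy"]
    if not policy_names_account(json.loads(raw), target_account_id):
        findings.append(
            f"{meta['Arn']}: key policy does not name account {target_account_id}")
    return findings

def policy_names_account(policy, account_id):
    """True if an Allow statement lists the account (or a principal in it)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        # Matches a bare account ID and arn:aws:iam::<id>:root or role ARNs.
        if any(p == account_id or f":{account_id}:" in p for p in aws):
            return True
    return False

if __name__ == "__main__":
    import boto3  # needs credentials for the source AWS account
    region, target = "eu-west-1", "222222222222"  # constructed placeholder values
    for finding in preflight_cross_account_restore(
            boto3.client("ec2", region_name=region),
            boto3.client("kms", region_name=region), target):
        print("BLOCKER:", finding)
```

A finding on the first check corresponds to the failure described in the Important note: the default encryption key for the Region must be changed to a customer managed key before the snapshot can be shared.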
