To communicate with a backup repository, Veeam Backup for AWS uses Veeam Data Mover — the service that runs on a worker instance and that is responsible for data processing and transfer. When a backup policy addresses the backup repository, the Veeam Data Mover establishes a connection with the repository to enable data transfer. To learn how Veeam Backup for AWS communicates with backup repositories, see Managing Backup Repositories.

Important

Backup files are stored in backup repositories in the native Veeam format and must be modified neither manually nor by 3rd party tools. Otherwise, Veeam Backup for AWS may fail to restore the backed-up data.

Encryption on Backup Repositories

For enhanced data security, Veeam Backup for AWS allows you to enable encryption at the repository level. Veeam Backup for AWS encrypts backup files stored in backup repositories the same way as Veeam Backup & Replication encrypts backup files stored in backup repositories. To learn what algorithms Veeam Backup & Replication uses to encrypt backup files, see the Veeam Backup & Replication User Guide, section Encryption Standards. To learn how to enable encryption at the repository level, see Adding Backup Repositories.

Veeam Backup for AWS also supports scenarios where data is backed up to S3 buckets with enabled Amazon S3 default encryption. You can add the S3 bucket to the backup infrastructure as a backup repository and use it as a target for image-level backups. For information on Amazon S3 default encryption, see AWS Documentation.

Worker Instances

A worker instance is a Linux-based EC2 instance that is responsible for the interaction between the backup appliance and other Veeam Backup for AWS components. Worker instances process backup workload and distribute backup traffic when transferring data to backup repositories.

Veeam Backup for AWS automatically launches a worker instance in Amazon EC2 for the duration of a backup, restore or retention process and removes it immediately as soon as the process is over. Veeam Backup for AWS launches one worker instance per each AWS resource specified in a backup policy, restore or retention task. To minimize cross-region traffic charges, depending on the data protection and disaster recovery operation, Veeam Backup for AWS launches the worker instance in the following location:

Operation	Worker Instance Location	Default Worker Instance Size
Creating EC2 image-level backups	AWS Region in which a processed EC2 instance resides	c5.large — if the total EBS volume size is less than 1024 GB c5.2xlarge — if the total EBS volume size is 1024 GB - 16 TB c5.4xlarge — if the total EBS volume size is more than 16 TB
EC2 instance restore	AWS Region to which an EC2 instance is restored
EC2 volume-level restore	AWS Region to which the volumes of a processed EC2 instance are restored
Performing health check for EC2 backups	AWS Region in which a backup repository with backed-up data resides
Creating EC2 archived backups	AWS Region in which a standard backup repository with backed-up data resides	c5.2xlarge
EC2 file-level restore from cloud-native snapshots or replicated snapshots	AWS Region in which a snapshot is located	t3.medium
EC2 file-level restore from image-level backups	AWS Region in which a backup repository with backed-up data resides	t3.medium
EFS indexing	Availability Zone in which a file system has a mount target created	t3.medium
EC2 backup retention	AWS Region in which a backup repository with backed-up data resides	c5.large — if the total size of backup files that must be deleted is 1-3 TB c5.xlarge — if the total size of backup files that must be deleted is 3-6 TB c5.2xlarge — if the total size of backup files that must be deleted is 6-13 TB c5.4xlarge — if the total size of backup files that must be deleted is more than 13 TB

Worker instances are deployed based on worker configurations and profiles. For more information, see Managing Worker Instances.

Worker Instance Components

A worker instance uses the following components:

Veeam Data Mover — the service that performs data processing tasks. During backup, the Veeam Data Mover retrieves EC2 instance data from snapshots and stores the retrieved data to backup repositories. During restore, the Veeam Data Mover transfers backed-up data from backup repositories to the target location.

File-level recovery browser — the web service that allows you to find and save files and folders of a backed-up EC2 instance to the local machine. The file-level recovery browser is installed automatically on every worker instance that is launched for file-level recovery.

Security Certificates for Worker Instances

Veeam Backup for AWS uses self-signed TLS certificates to establish secure communication between the web browser on the local machine and the file-level recovery browser on the worker instance during file-level restore. A self-signed certificate is generated automatically on the worker instance when the restore session starts.