This is an archive version of the document. To get the most up-to-date information, see the current version.

Worker Instances

To perform most data protection and disaster recovery operations (such as creating and removing EC2 and RDS image-level backups, restoring backed-up data, EFS indexing), Veeam Backup for AWS uses worker instances. Worker instances are temporary Linux-based EC2 instances that are responsible for the interaction between the backup appliance, AWS services and other Veeam Backup for AWS components.

Worker Instance Components

A worker instance uses the following components:

Veeam Data Mover — the service that performs data processing tasks. During backup, the Veeam Data Mover retrieves data of an AWS protected resource (EC2, RDS). During restore, the Veeam Data Mover transfers backed-up data from backup repositories to the target location.

File-level recovery browser — the web service that allows you to find and save files and folders of a backed-up EC2 instance to the local machine or to the original location. The file-level recovery browser is installed automatically on every worker instance that is launched for file-level recovery.

Security Certificates for Worker Instances

Veeam Backup for AWS uses self-signed TLS certificates to establish secure communication between the web browser on the local machine and the file-level recovery browser on the worker instance during file-level recovery. A self-signed certificate is generated automatically on the worker instance when the restore session starts.

How Worker Instances Work

Veeam Backup for AWS automatically launches a worker instance in Amazon EC2 for the duration of a backup, restore or retention process and removes it immediately after the process is complete. Veeam Backup for AWS launches one worker instance per each AWS resource specified in a backup policy, restore or retention task.

Veeam Backup for AWS can launch worker instances in the following AWS accounts:

The backup account is an AWS account to which the service IAM role specified to launch worker instances belongs. By default, Veeam Backup for AWS uses this account to launch worker instances for backup, restore and backup retention operations.
Production accounts are the same AWS accounts where the processed resources belong. By default, Veeam Backup for AWS uses these accounts to launch worker instances for EFS indexing and for RDS backup and restore operations.

To minimize cross-region traffic charges, depending on the data protection and disaster recovery operation, Veeam Backup for AWS launches the worker instance in the following location:

Operation	Worker Instance Location	Possibility to Deploy Worker Instances in Production Accounts	Default Worker Instance Type
Creating EC2 image-level backups	AWS Region in which a processed EC2 instance resides	Yes	c5.large — if the total EBS volume size is less than 1024 GB c5.2xlarge — if the total EBS volume size is 1024 GB - 16 TB c5.4xlarge — if the total EBS volume size is more than 16 TB
Restoring EC2 instances from image-level backups	AWS Region to which an EC2 instance is restored	Yes
Restoring EC2 volumes from image-level backups	AWS Region to which the volumes of a processed EC2 instance are restored	Yes
Performing health check for EC2 backups	AWS Region in which a backup repository with backed-up data resides	No
Creating EC2 archived backups	AWS Region in which a standard backup repository with backed-up data resides	No	c5.2xlarge — if the total EBS volume size is less than 6 TB c5.4xlarge — if the total EBS volume size is more than 6 TB
Performing file-level recovery from image-level backups	AWS Region in which a backup repository with backed-up data resides	No	t3.medium
Performing file-level recovery from cloud-native snapshots and replicated snapshots	AWS Region in which a snapshot is located	No (if restoring to the original location) Yes (if restoring to a local machine)	t3.medium
Creating RDS image-level backups	AWS Region and VPC in which a processed PostgreSQL DB instance resides	Yes	c5.large — if the total EBS volume size is less than 1024 GB c5.2xlarge — if the total storage size is less than 6 TB c5.4xlarge — if the total storage size is more than 6 TB
Restoring PostgreSQL DB instances from image-level backups	AWS Region to which a DB instance is restored	Yes
Performing health check for RDS backups	AWS Region in which a backup repository with backed-up data resides	No
Creating RDS archived backups	AWS Region in which a standard backup repository with backed-up data resides	No	c5.large — if the total EBS volume size is less than 1024 GB c5.2xlarge — if the total EBS volume size is 1024 GB - 16 TB c5.4xlarge — if the total EBS volume size is more than 16 TB
Performing EFS indexing	AWS Region, Availability Zone and VPC in which a file system has a mount target created	Yes	t3.medium
Applying retention policy settings to created restore points	AWS Region in which a backup repository with backed-up data resides	No	c5.large — if the total size of backup files that must be deleted is 1-3 TB c5.xlarge — if the total size of backup files that must be deleted is 3-6 TB c5.2xlarge — if the total size of backup files that must be deleted is 6-13 TB c5.4xlarge — if the total size of backup files that must be deleted is more than 13 TB

Note

For RDS image-level backup operations, performing EFS indexing, and restoring PostgreSQL DB instances from image-level backups, you can instruct Veeam Backup for AWS to deploy worker instances in production accounts only.

Worker instances are deployed based on worker configurations and profiles. For more information, see Managing Worker Instances.

Required Ports

The following network ports must be open to ensure proper communication of components in Veeam Backup for AWS architecture:

From	To	Protocol	Port	Notes
Web browser (local machine)	Worker instances	TCP/HTTPS	443	Required to access the file-level recovery browser running on a worker instance during the file-level recovery process.
Worker instances	AWS services	TCP/HTTPS	443	Required to perform data protection and disaster recovery operations.
Worker instances	AWS services	TCP/NFS	2049	Required to perform EFS indexing.

Required AWS Services

To perform backup and restore operations, worker instances must have outbound internet access to the following AWS services:

Amazon Elastic Compute Cloud (EC2)
AWS Systems Manager (SSM), including access to the ec2messages and ssmmessages endpoints
Amazon Simple Queue Service (SQS)

AWS Security Token Service (STS)

Amazon Simple Storage Service (S3)

If you want worker instances to operate in a private environment, you must enable the private network deployment functionality and configure VPC endpoints for all subnets to which the worker instances will be connected. Otherwise, the instances will not be able to access all the listed services. For more information, see Private Network Deployment.

How To Configure Worker Instance Settings

You can configure the following worker instance settings: