Step 4. Enable EFS Indexing
At the Indexing step of the wizard, you can instruct Veeam Backup for AWS to perform indexing of the processed EFS file systems. EFS indexing allows you to perform EFS file-level recovery operations without specifying the exact paths to the necessary files and to restore files using different restore points during one restore session. While performing EFS indexing of a file system, Veeam Backup for AWS creates a catalog of all files and directories (an index) and saves the index to a backup repository. This index is further used to reproduce the file system structure and to enable browsing and searching for specific files within an EFS backup.
To learn how indexing works, see EFS Backup.
To perform indexing of the EFS file systems, Veeam Backup for AWS launches a worker instance per each processed file system in the same AWS account where the file system resides — production account. By default, the most appropriate network settings of AWS Regions are used to launch these worker instances. However, you can add specific worker configurations that will be used to launch worker instances used for EFS indexing operations.
Limitations and Requirements
Before you enable EFS indexing, consider the following:
- EFS indexing is not supported in the Free edition of Veeam Backup for AWS. For more information on license editions, see Licensing.
- Each processed EFS file system for which you want to perform indexing must meet the following requirements:
- A file system must have at least one mount target created.
- A mount target that will be used by worker instances to connect to the file system must be associated with a security group that allows inbound access on 2049 port.
- If no specific worker configurations are added to Veeam Backup for AWS, the most appropriate network settings of AWS Regions are used to launch worker instances for EFS indexing operation. For Veeam Backup for AWS to be able to launch a worker instance used to create an index of a file system:
- A VPC in which the file system has the mount target must have at least one security group that allows outbound access on 2049 and 443 ports. These ports are used by worker instances to mount the file system and to communicate with AWS services.
- The DNS resolution option must be enabled for the VPC. For more information, see AWS Documentation.
- As Veeam Backup for AWS uses public access to communicate with worker instances, the public IPv4 addressing attribute must be enabled at least for one subnet in the Availability Zone in which the file system has a mount target and the VPC to which the subnet belong must have an internet gateway attached. VPC and subnet route tables must have routes that direct internet-bound traffic to this internet gateway.
If you want worker instances to operate in the private network, configure private endpoints for it to let Veeam Backup for AWS use private IPv4 addresses. To learn how to configure endpoints, see Appendix C. Configuring Endpoints in AWS.
Enabling EFS Indexing
To enable indexing of the processed file systems, do the following:
- Set the Enable indexing toggle to On.
- In the Repositories window, select a repository where the created EFS indexes will be stored, and click Apply.
For a backup repository to be displayed in the repository list, it must be added to Veeam Backup for AWS as described in section Adding Backup Repositories. The list shows only backup repositories of the S3 Standard storage class that have encryption enabled and immutability disabled.
- In the IAM role section, choose an IAM role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances. The role must be assigned permissions listed in section Indexing Worker IAM Role Permissions.
For an IAM role to be displayed in the list, it must be added to Veeam Backup for AWS as described in section Adding IAM Roles. The list shows only IAM roles that belong to the production account — account where the file systems belong. Note that the specified IAM role must be included in one or more instance profiles. For more information on instance profiles, see AWS Documentation.
It is recommended that you check whether the selected IAM role has all the required permissions to perform the operation. If the IAM role permissions are insufficient, the backup policy will fail to complete successfully. To run the IAM role permission check, click Check Permissions. Veeam Backup for AWS will display the Permission check window where you can track the progress and view the results of the check. If the IAM role permissions are insufficient, the check will complete with errors, and the list of permissions that must be granted to the IAM role will be displayed in the Missing Permissions column. You can grant the missing permissions to the IAM role using the AWS Management Console or instruct Veeam Backup for AWS to do it.
To download the full list of missing permissions as a single JSON policy document that you can use to grant the permissions to the role in the AWS Management Console, click Export Missing Permissions.
If your organization uses service control policies (SCPs) to manage permissions in its accounts, and some of the permissions required for the operation are forbidden by these SCPs, Veeam Backup for AWS will not be able to perform the operation even if you grant the permissions to the selected IAM role. For more information on SCPs, see AWS Documentation.
To let Veeam Backup for AWS grant the missing permissions:
- In the Permission check window, click Grant.
- In the Grant Permissions window, provide one-time access keys of an IAM user that is authorized to update permissions of IAM roles, and then click Apply.
The IAM user must have the following permissions:
Veeam Backup for AWS does not store one-time access keys in the configuration database.
- To make sure that the missing permissions have been successfully granted, click Recheck.