Configuring Image-Level Backup Settings

In the Backups section of the Targets step of the wizard, you can instruct Veeam Backup for AWS to create image-level backups of the processed DB instances, to copy backups to a long-term archive storage, and to deploy worker instances used for backup operations in the production account.

Configuring Backup Settings

To instruct Veeam Backup for AWS to create image-level backups of the selected RDS resources, do the following:

  1. Set the Enable backups toggle to On.
  2. In the Repositories window, select a backup repository where the created image-level backups will be stored, and click Apply.

For a backup repository to be displayed in the list of available repositories, it must be added to Veeam Backup for AWS as described in section Adding Backup Repositories. The list shows only backup repositories of the S3 Standard storage class.

To learn how Veeam Backup for AWS creates image-level backups, see RDS Backup.

Configuring Archive Settings

To instruct Veeam Backup for AWS to store backed-up data in a low-cost, long-term archive storage, do the following:

  1. Select the Archives will be stored in check box.
  2. In the Repositories window, select a backup repository where the archived data will be stored, and click Apply.

For an archive backup repository to be displayed in the list of available repositories, it must be added to Veeam Backup for AWS as described in section Adding Backup Repositories. The list shows only backup repositories of the S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive storage classes.

For more information on backup archiving, see Enabling Backup Archiving.

Important

If you enable backup archiving, data encryption must be either enabled for both the backup and archive backup repositories or disabled for both. This means that, for example, you cannot select an encrypted standard backup repository and an unencrypted archive backup repository in one backup policy. However, the selected repositories can have different encryption schemes (password and KMS encryption).

Configuring Worker Settings

From the IAM role drop-down list, select an IAM role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances. The role must belong to the same account as the IAM role specified to perform the backup operation, and it must be assigned the permissions listed in section Worker IAM Role Permissions.

For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS with the Production worker role selected as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Add RDS Policy wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.

Important

Consider the following:

  • For Veeam Backup for AWS to deploy worker instances in production accounts, you must assign additional permissions to the IAM role used to perform the backup operation. For more information on the required permissions, see section RDS Backup IAM Role Permissions.
  • It is recommended that you check whether both the IAM role specified at step 3.1 of the wizard and the IAM role specified in the Backups section have the required permissions. If some permissions of the IAM role are missing, the backup policy will fail to complete successfully. To run the IAM role permission check, click Check Permissions and follow the instructions provided in section Checking IAM Role Permissions.

Worker Instance Requirements

To create RDS image-level backups, Veeam Backup for AWS launches worker instances in a production account — that is, the same AWS account to which the processed resources belong. By default, Veeam Backup for AWS uses the most appropriate network settings of AWS Regions in production accounts to launch worker instances for RDS image-level backup operations. However, you can add specific worker configurations to specify network settings for each region in which worker instances will be deployed.

If no specific worker configurations are added to Veeam Backup for AWS, the most appropriate network settings of AWS Regions are used to launch worker instances for the RDS backup operation. For Veeam Backup for AWS to be able to launch a worker instance used to create an image-level backup:

  • The DNS resolution option must be enabled for the VPC. For more information, see AWS Documentation.
  • As Veeam Backup for AWS uses public access to communicate with worker instances, the public IPv4 addressing attribute must be enabled at least for one subnet in the Availability Zone where the DB instance resides and the VPC to which the subnet belongs must have an internet gateway attached. VPC and subnet route tables must have routes that direct internet-bound traffic to this internet gateway.

    If you want worker instances to operate in a private network, enable the private network deployment functionality and configure specific VPC endpoints for the subnet to let Veeam Backup for AWS use private IPv4 addresses. Alternatively, configure VPC interface endpoints as described in section Appendix C. Configuring Endpoints in AWS.

  • The VPC to which the DB instance is connected must have at least one security group that allows outbound access on port 443. This port is used by worker instances to communicate with AWS services.
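
The public-access requirements listed above can be checked before a policy runs. The following added example (not Veeam's code and not part of the original documentation) evaluates them offline against data shaped like EC2 Describe* API responses for one VPC. The function names, the sample IDs, and the use of the 0.0.0.0/0 route to represent internet-bound traffic are assumptions.

```python
# Added example: offline preflight of the worker network requirements (one VPC's data).
def egress_443(sg):
    """True if the security group has an outbound rule covering TCP 443."""
    return any(p.get("IpProtocol") == "-1" or  # "-1" means all protocols and ports
               (p.get("IpProtocol") == "tcp" and p.get("FromPort", 0) <= 443 <= p.get("ToPort", 65535))
               for p in sg.get("IpPermissionsEgress", []))

def route_table_for(subnet_id, route_tables):
    """Explicitly associated route table, else the VPC main route table."""
    main = None
    for rt in route_tables:
        for a in rt.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return rt
            main = rt if a.get("Main") else main
    return main or {}

def check_worker_network(vpc_id, az, dns, subnets, igws, route_tables, sgs):
    """Return the unmet requirements; an empty list means every check passed."""
    problems = []
    if not dns.get("EnableDnsSupport", {}).get("Value"):
        problems.append("DNS resolution is disabled for the VPC")
    igw_ids = {g["InternetGatewayId"] for g in igws
               if any(a.get("VpcId") == vpc_id for a in g.get("Attachments", []))}
    if not igw_ids:
        problems.append("no internet gateway is attached to the VPC")
    # Assumption: "internet-bound traffic" is checked as the 0.0.0.0/0 default route.
    public = [s for s in subnets if s.get("AvailabilityZone") == az and s.get("MapPublicIpOnLaunch")]
    if not public:
        problems.append("no subnet in the AZ has public IPv4 addressing enabled")
    elif not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId") in igw_ids
                 for s in public for r in route_table_for(s["SubnetId"], route_tables).get("Routes", [])):
        problems.append("no public subnet in the AZ routes 0.0.0.0/0 to the internet gateway")
    if not any(egress_443(sg) for sg in sgs):
        problems.append("no security group allows outbound port 443")
    return problems

# Constructed sample: public subnet using the main route table, egress limited to 5432.
SAMPLE = dict(
    vpc_id="vpc-0example", az="eu-west-1a", dns={"EnableDnsSupport": {"Value": True}},
    subnets=[{"SubnetId": "subnet-0a", "AvailabilityZone": "eu-west-1a", "MapPublicIpOnLaunch": True}],
    igws=[{"InternetGatewayId": "igw-0example", "Attachments": [{"VpcId": "vpc-0example"}]}],
    route_tables=[{"Associations": [{"Main": True}],
                   "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}],
    sgs=[{"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432}]}],
)

if __name__ == "__main__":
    print(check_worker_network(**SAMPLE))
```

The check covers the default public-access mode only. Private network deployments rely on VPC endpoints instead of an internet gateway.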

Note

During RDS image-level backup operations, Veeam Backup for AWS creates 2 additional security groups that are further associated with the source DB instances and worker instances to allow direct network traffic between them. To learn how RDS resource backup works, see RDS Backup.
