Appendix C. Configuring Endpoints in AWS

    If you want worker instances to operate in private environments, that is, to launch them in subnets where auto-assignment of public IPv4 addresses is disabled, configure specific endpoints in the AWS Regions for the services that the backup appliance uses to perform backup and restore operations.

    The following interface endpoints and S3 gateway endpoints are required to perform Veeam Backup for AWS operations.

    Operation: Creating EC2 image-level backups
    Interface Endpoints:
    • com.amazonaws.<region>.ec2messages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    • com.amazonaws.<region>.ebs
    S3 Gateway Endpoints:
    • com.amazonaws.<region>.s3

    Operation: EC2 instance restore
    Interface Endpoints:
    • com.amazonaws.<region>.ec2messages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    S3 Gateway Endpoints:
    • com.amazonaws.<region>.s3

    Operation: EC2 volume-level restore
    Interface Endpoints:
    • com.amazonaws.<region>.ec2messages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    S3 Gateway Endpoints:
    • com.amazonaws.<region>.s3

    Operation: EC2 file-level restore from image-level backups
    Interface Endpoints:
    • com.amazonaws.<region>.ec2messages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    S3 Gateway Endpoints:
    • com.amazonaws.<region>.s3

    Operation: EC2 file-level restore from cloud-native snapshots or replicated snapshots
    Interface Endpoints:
    • com.amazonaws.<region>.ec2messages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    S3 Gateway Endpoints:
    • none

    Operation: EFS indexing
    Interface Endpoints:
    • com.amazonaws.<region>.ssmmessages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    • com.amazonaws.<region>.sts
    S3 Gateway Endpoints:
    • com.amazonaws.<region>.s3

    To create these endpoints, use the specified endpoint names, where <region> is the name of an AWS Region in which worker instances will be launched.

    Creating Interface Endpoints

    To allow Veeam Backup for AWS to create image-level backups of EC2 instances and to perform restore operations and EFS indexing, configure interface VPC endpoints in the AWS Regions where worker instances are launched, for the subnets to which the worker instances must be connected. By default, Veeam Backup for AWS uses the default or the most appropriate network settings of AWS Regions to launch worker instances. However, you can add specific worker configurations as described in the Managing Worker Configurations section.

    For more information on the AWS Regions in which worker instances are launched to perform specific operations, see Architecture Overview.

    To create an interface VPC endpoint, do the following:

    1. Log in to the AWS Management Console using credentials of an AWS account in which you want to create the endpoint.
    2. In the AWS services section, navigate to All Services > Networking & Content Delivery and click VPC. The VPC console will open.
    3. Navigate to Virtual Private Cloud > Endpoints and click Create Endpoint. The Create endpoint wizard will open.
    4. At the Endpoint settings step of the wizard, do the following:
        1. [Optional] In the Name tag field, specify a name for the endpoint.
        2. In the Service category section, select AWS services.
    5. At the Services step of the wizard, use the filter Type: Interface and select a service for which you want to create a VPC endpoint.
    6. At the VPC step of the wizard, do the following:
        1. From the VPC drop-down list, select a VPC to which the deployed worker instances will be connected.
        2. In the Additional settings section, select the Enable DNS name check box.
    7. At the Subnets step of the wizard, select one subnet for each Availability Zone where worker instances will be launched.
    8. At the Security groups step of the wizard, select security groups that will be associated with the endpoint network interfaces.

       Ensure that the security group that is associated with the endpoint network interface allows communication between the endpoint network interface and the resources in your VPC that communicate with the service. If the security group restricts inbound HTTPS traffic (port 443) from resources in the VPC, you will not be able to send traffic through the endpoint network interface.

    9. At the Policy step of the wizard, select Full access to allow full access to the service. Alternatively, select Custom and attach a VPC endpoint policy that will control permissions on resources available over the VPC endpoint.
    10. Click Create Endpoint.

    For more information on interface VPC endpoints, see AWS Documentation.

    Creating S3 Gateway Endpoints

    To allow Veeam Backup for AWS to create image-level backups of EC2 instances, to perform restore operations from these backups, and to save EFS indexes to backup repositories, configure S3 gateway endpoints in the AWS Regions where worker instances are launched, for the subnets to which the worker instances must be connected. By default, Veeam Backup for AWS uses the default or the most appropriate network settings of AWS Regions to launch worker instances. However, you can add specific worker configurations as described in the Managing Worker Configurations section.

    For more information on the AWS Regions in which worker instances are launched to perform specific operations, see Architecture Overview.

    To create a gateway endpoint for a subnet, do the following:

    1. Log in to the AWS Management Console using credentials of an AWS account in which you want to create the endpoint.
    2. In the AWS services section, navigate to All Services > Networking & Content Delivery and click VPC. The VPC console will open.
    3. Navigate to Virtual Private Cloud > Endpoints and click Create Endpoint. The Create endpoint wizard will open.
    4. At the Endpoint settings step of the wizard, do the following:
        1. [Optional] In the Name tag field, specify a name for the endpoint.
        2. In the Service category section, select AWS services.
    5. At the Services step of the wizard, use the filter Type: Gateway and select com.amazonaws.<region>.s3, where <region> is the name of the AWS Region in which worker instances will be launched.
    6. At the VPC step of the wizard, select a VPC to which the deployed worker instances will be connected.
    7. At the Route tables step of the wizard, select the route tables to be used by the endpoint. AWS will automatically add a route that points traffic destined for the service to the endpoint network interface.
    8. At the Policy step of the wizard, select Full access to allow full access to the service. Alternatively, select Custom and attach a VPC endpoint policy that will control permissions on resources available over the endpoint.
    9. Click Create Endpoint.

    For more information on gateway endpoints for Amazon S3, see AWS Documentation.
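    The readiness check below is an added example, not Veeam's or AWS's own code. It ties together the endpoint table, the Enable DNS name and security-group requirements of the interface-endpoint procedure, and the route-table association of the S3 gateway procedure: given the records that boto3's ec2.describe_vpc_endpoints() and ec2.describe_security_groups() return for a VPC (replaced here by a constructed sample), it reports what is still missing before workers are launched for a given operation. The operation keys, the region eu-west-1, and every ID and CIDR in the sample are assumptions.

```python
# Readiness check for a private worker subnet (added example, not Veeam's or AWS's code).
# Interface services per operation (table above) and whether the S3 gateway endpoint is also needed.
OPERATIONS = {
    "ec2-image-backup": (["ec2messages", "ssm", "sqs", "ebs"], True),
    "ec2-restore": (["ec2messages", "ssm", "sqs"], True),
    "ec2-flr-snapshot": (["ec2messages", "ssm", "sqs"], False),  # the one case without S3
    "efs-indexing": (["ssmmessages", "ssm", "sqs", "sts"], True),
}
def allows_https_in(group, cidr):
    # True if an inbound rule of the security group admits TCP/443 from the worker CIDR
    for p in group.get("IpPermissions", []):
        port_ok = p["IpProtocol"] == "-1" or (
            p["IpProtocol"] == "tcp" and p.get("FromPort", 0) <= 443 <= p.get("ToPort", 65535))
        if port_ok and any(r["CidrIp"] == cidr for r in p.get("IpRanges", [])):
            return True
    return False

def check_readiness(region, operation, route_table_id, worker_cidr, endpoints, groups):
    """Return a list of findings; an empty list means the subnet is ready for `operation`."""
    services, needs_s3 = OPERATIONS[operation]
    by_name = {e["ServiceName"]: e for e in endpoints}
    sgs = {g["GroupId"]: g for g in groups}
    findings = []
    for svc in services:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_name.get(name)
        if ep is None or ep["VpcEndpointType"] != "Interface":
            findings.append(f"missing interface endpoint {name}")
        elif not ep.get("PrivateDnsEnabled"):  # the 'Enable DNS name' check box in the wizard
            findings.append(f"{name}: private DNS off, the default hostname resolves to public IPs")
        elif not any(allows_https_in(sgs.get(g["GroupId"], {}), worker_cidr) for g in ep["Groups"]):
            findings.append(f"{name}: no endpoint security group admits TCP 443 from {worker_cidr}")
    s3 = by_name.get(f"com.amazonaws.{region}.s3")
    if needs_s3 and (s3 is None or s3["VpcEndpointType"] != "Gateway"):
        findings.append("missing S3 gateway endpoint")
    elif needs_s3 and route_table_id not in s3.get("RouteTableIds", []):
        findings.append(f"S3 gateway endpoint not associated with route table {route_table_id}")
    return findings
def iface(svc, dns=True):  # constructed interface-endpoint record for the sample VPC
    return {"ServiceName": f"com.amazonaws.eu-west-1.{svc}", "VpcEndpointType": "Interface",
            "PrivateDnsEnabled": dns, "Groups": [{"GroupId": "sg-0ep"}]}
SAMPLE_GROUPS = [{"GroupId": "sg-0ep", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
                  "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]
# Constructed sample: ebs has private DNS off, sqs is absent, the S3 gateway is on another route table
SAMPLE_ENDPOINTS = [iface("ec2messages"), iface("ssm"), iface("ebs", dns=False),
                    {"ServiceName": "com.amazonaws.eu-west-1.s3", "VpcEndpointType": "Gateway",
                     "RouteTableIds": ["rtb-other"]}]
if __name__ == "__main__":
    print(*check_readiness("eu-west-1", "ec2-image-backup", "rtb-0a", "10.0.1.0/24",
                           SAMPLE_ENDPOINTS, SAMPLE_GROUPS), sep="\n")
```

    Against a real account, pass the "VpcEndpoints" and "SecurityGroups" lists from the two boto3 calls in place of the sample data and the worker subnet's route table ID and CIDR.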

    Important

    When you create an S3 gateway endpoint, consider that the VPC and the service for which you create the endpoint must belong to the same AWS Region. That is, when you perform backup operations using endpoints, the processed source instances must reside in the region where the repository that will store the backups is located; when you perform restore operations using endpoints, the instances must be restored to the region where the repository that stores the backup files is located.

    This limitation is region-specific only: services and VPCs can belong to different AWS accounts.