Step 1. Create Interface Endpoints
To allow Veeam Backup for AWS to create image-level backups of EC2 instances, to perform restore operations and to save EFS indexes to backup repositories, you must configure specific VPC interface endpoints for all subnets to which worker instances deployed for these operations will be connected. For the list of VPC interface endpoints required for backup and restore operations, see Configuring Private Networks.
To deploy worker instances, Veeam Backup for AWS uses either the default or the most appropriate network settings of AWS Regions where the processed resources reside. However, you can add specific worker configurations as described in section Managing Worker Configurations.
Creating Interface Endpoints
To create an interface VPC endpoint, do the following:
- Log in to the AWS Management Console using credentials of an AWS account in which you want to create the endpoint.
- Navigate to Services > Networking & Content Delivery and click VPC.
- In the VPC console, navigate to Virtual Private Cloud > Endpoints and click Create Endpoint.
- Complete the Create endpoint wizard:
- At the Endpoint settings step, do the following:
- [Optional] In the Name tag field, specify a name for the endpoint.
- In the Service category section, select the AWS services option.
- At the Services step, enter Interface in the search field and choose a service for which you want to create a VPC endpoint.
- At the VPC step, do the following:
- From the VPC drop-down list, choose a VPC to which the deployed worker instances will be connected. Make sure that the Enable DNS hostnames check box is selected for the VPC.
- In the Additional settings section, select the Enable DNS name check box.
- At the Subnets step, choose a subnet for each Availability Zone where the worker instances will be deployed, and specify the IP address type. Make sure that the Auto-assign public IPv4 address check box is not selected for the subnet.
- At the Security groups step, choose security groups that will be associated with the endpoint network interfaces.
Ensure that each security group allows communication between the associated endpoint network interface and resources in your VPC communicating with the selected service. If a security group restricts inbound HTTPS traffic (port 443) from the resources in the VPC, you will not be able to send traffic through the endpoint network interface.
- At the Policy step, select the Full access option to allow full access to the service. Alternatively, select the Custom option, and attach a VPC endpoint policy that will control permissions required to access available resources over the VPC endpoint.
- Click Create Endpoint.
For more information on interface VPC endpoints, see AWS Documentation.
Creating S3 Interface Endpoints
To create an S3 interface VPC endpoint, do the following:
- In the VPC console, navigate to Virtual Private Cloud > Endpoints and click Create Endpoint.
- Complete the Create endpoint wizard:
- At the Endpoint settings step, do the following:
- [Optional] In the Name tag field, specify a name for the endpoint.
- In the Service category section, select the AWS services option.
- At the Services step, enter S3 in the search field and choose the com.amazonaws.<region>.s3 service with the Interface type, where <region> is the name of an AWS Region in which a backup repository is located.
- At the VPC step, choose a VPC to which the deployed worker instances will be connected.
- At the Subnets step, choose a subnet for each Availability Zone where the worker instances will be deployed, and specify the IP address type.
- At the Security groups step, choose security groups that will be associated with the endpoint network interface.
- At the Policy step, select the Full access option to allow full access to the service. Alternatively, select the Custom option, and attach a VPC endpoint policy that will control permissions required to access available resources over the VPC endpoint.
- Click Create Endpoint.
Important |
The backup appliance and worker instances must be able to communicate with the Amazon S3 service through the created S3 interface endpoint. That is why security groups associated with the endpoint network interface must allow inbound HTTPS traffic from both the backup appliance and the worker instances through port 443. |
For more information on interface endpoints for Amazon S3, see AWS Documentation.