Installing Veeam Backup for AWS from AMI

In this article

    Veeam Backup for AWS is installed on a single EC2 instance. The EC2 instance is created during the product installation.


    After you install Veeam Backup for AWS from the Amazon Machine Image (AMI), you will be asked to provide one-time access keys of an IAM user that Veeam Backup for AWS will use to create IAM roles required for the backup appliance configuration. If you do not want to provide the keys, you can create the required IAM roles manually before you begin the installation. For more information on the required IAM roles, see Required IAM Permissions.

    To install Veeam Backup for AWS from the AMI:

    1. Log in to the AWS Management Console using credentials of an AWS account in which you plan to install Veeam Backup for AWS.

    You can install Veeam Backup for AWS in the production site — in the AWS account where resources that you plan to back up reside. It is recommended, however, that you use a separate AWS account for Veeam Backup for AWS installation. In this case, if a disaster strikes in the production site, you will still be able to access Veeam Backup for AWS and perform recovery operations.

    1. Use the region selector in the upper-right corner of the page to select an AWS Region in which the EC2 instance running Veeam Backup for AWS will reside.

    For more information on AWS Regions, see AWS Documentation.

    1. In the AWS services section, expand the All services menu and navigate to Compute > EC2.
    2. On the EC2 Dashboard tab, click Launch instance > Launch instance. The launch instance wizard will open.

    Launching Instance

    1. At the Choose an Amazon Machine Image (AMI) step of the wizard, open the Community AMIs tab. Then, in the search field, type veeam-aws and press [ENTER] on the keyboard.

    Choose the necessary product edition (Free, Paid or BYOL) and click Select. For more information on product editions, see Licensing.

    Choosing AMI

    1. At the Choose an Instance Type step of the wizard, select an EC2 instance type for the backup appliance. The minimum recommended EC2 instance type is t3.medium.

    Selecting Instance Type

    1. At the Configure Instance Details of the wizard, do the following:
    1. In the Network and Subnet fields, specify an Amazon VPC and subnet to which the backup appliance will be connected. You can either select an existing Amazon VPC and subnet, or create a new Amazon VPC and subnet.

    For more information on Amazon VPCs and subnets, see AWS Documentation.


    Consider the following:

    • The specified Amazon VPC and subnet must have the outbound internet access to AWS services listed in the AWS Services section.
    • The specified Amazon VPC and subnet must allow the inbound internet access from the local machine that you plan to use to access Veeam Backup for AWS.

    To learn how to enable internet access for Amazon VPCs and subnets, see AWS Documentation.

    1. From the Auto-assign Public IP drop-down list, select Enable.
    2. [Applies if you have created IAM roles required for the product installation beforehand] In the IAM role field, specify the Impersonation IAM role that will be attached to the backup appliance. This role will allow Veeam Backup for AWS to assume IAM roles to perform backup and restore operations.
    3. In the Advance Details section, enable access to the instance metadata to allow Veeam Backup for AWS to use the Instance Metadata Service (IMDS) to be able to configure and manage the running backup appliance. To do that, select Enabled from the Metadata accessible drop-down list.
    4. Configure additional settings for the backup appliance to meet your organization requirements. To learn how to configure Amazon Linux instances, see AWS Documentation.

    Configuring Instance Details

    1. At the Add Storage step of the wizard, review the preconfigured storage settings and click Next: Add Tags. For technical reasons, it is not recommended to change these settings.

    Reviewing Settings

    1. At the Add Tags step of the wizard, you can specify AWS tags that will be assigned to the backup appliance. For example, you can specify a name that will help you easily identify and locate the appliance.

    Adding Tags

    1. At the Configure Security Group step of the wizard, choose a security group that will control the inbound and outbound traffic for the backup appliance. You can either associate an existing security group with the backup appliance or create a new security group.
    1. Click Add Rule.
    2. Select HTTPS from the Type drop-down list and enter 443 in the Port Range field.
    3. In the Source column, specify IPv4 address ranges from which Veeam Backup for AWS Web UI will be accessible.

    Make sure the IPv4 address of the local machine from which you plan to access Veeam Backup for AWS lies within the specified IPv4 ranges.

    IPv4 address ranges must be specified in the CIDR notation (for example, To allow unrestricted access to the backup appliance, you can specify However, the latter is not recommended since unrestricted access to Veeam Backup for AWS can violate your organization security policy.

    Selecting Security Group

    1. At the Review step of the wizard, review the configured settings and click Launch.

    Right after installation, you must perform a number of additional actions for the backup appliance configuration. For more information, see After You Install.