Installing Veeam Backup for AWS Using CloudFormation Template

Veeam Backup for AWS is installed on a single EC2 instance. The EC2 instance is created during the product installation.


When you install the solution using a CloudFormation template, Veeam Backup for AWS automatically creates 2 IAM roles required for the backup appliance configuration and performing backup and disaster recovery operations. These roles have wide scopes of permissions and capabilities. After the deployment completes, you can either limit permissions assigned to the IAM roles or remove the roles and replace them with custom IAM roles created manually. However, this scenario is not preferred. If you want to create the required IAM roles manually, it is recommended that you use the installing Veeam Backup for AWS from an AMI option.

For more information on the created IAM roles and permissions that must be assigned to them, see Required IAM Permissions.

To install Veeam Backup for AWS using a CloudFormation template:

  1. Log in to AWS Marketplace using credentials of an AWS account in which you plan to install Veeam Backup for AWS.

You can install Veeam Backup for AWS in the production site — in the AWS account where resources that you plan to back up reside. It is recommended, however, that you use a separate AWS account for Veeam Backup for AWS installation. In this case, if a disaster strikes in the production site, you will still be able to access Veeam Backup for AWS and perform recovery operations.

  1. Open the Veeam Backup for AWS overview page for the necessary product edition:

For more information on product editions, see Licensing.

  1. Click Continue to Subscribe.


  1. On the Subscribe to this software page, read the product license agreement and click Continue to Configuration.

To view the license agreement, expand the details in the Terms and Conditions section and click End User License Agreement.

Accepting License Agreement

  1. On the Configure this software page, configure installation settings:
  1. From the Fulfillment option drop-down list, select CloudFormation Template and then choose whether you want to connect the EC2 instance running Veeam Backup for AWS to an existing Amazon VPC and subnet, or to create a new Amazon VPC and subnet for the instance.

For more information on Amazon VPCs and subnets, see AWS Documentation.

  1. From the Software Version drop-down list, select the latest version of Veeam Backup for AWS.
  2. From the Region drop-down list, select an AWS Region in which the EC2 instance running Veeam Backup for AWS will reside.

For more information on AWS Regions, see AWS Documentation.

  1. Click Continue to Launch.


  1. On the Launch this software page, do the following:
  1. In the Configuration Details section, review the product installation settings.
  1. From the Choose Action drop-down list, select Launch CloudFormation.
  2. Click Launch. The Create stack wizard will open.

Veeam Backup for AWS is installed using AWS CloudFormation stacks. In AWS CloudFormation, a stack is a collection of AWS services and resources that you can manage as a single unit. You can create a stack in an AWS account, use resources included in the stack to run an application, or delete a stack if you no longer need it. For more information on AWS CloudFormation stacks, see AWS Documentation.

In the Create stack wizard, you will create a stack for Veeam Backup for AWS.

Creating Stack

  1. At the Specify template step of the wizard, the stack template settings are preconfigured by Veeam Backup for AWS and cannot be changed.

Specifying Template

  1. At the Specify stack details step of the wizard, configure the following stack settings:
  1. In the Stack name field, specify a name for the new stack.

Specifying Stack Name

  1. In the Instance Configuration section, do the following:
  1. Select the EC2 instance type for the backup appliance.

The recommended EC2 instance type is t3.medium.


Veeam Backup for AWS will be deployed on the EC2 instance of the specified instance type with 2 gp3 volumes attached — the root volume with 16 GB of storage capacity and an additional EBS volume with 20 GB of storage capacity. The second volume is intended for storing Veeam Backup for AWS configuration database.

To prevent runtime issues caused by multiple concurrent operations running on the backup appliance, you can later attach an additional EBS volume to the backup appliance and allow the system to allocate its resources in case of memory shortage. For more information, see Appendix D. Enabling Swap Partition.

  1. Select a key pair that will be used to authenticate against the backup appliance.

For a key pair to be displayed in the Key pair for Veeam Backup for AWS server list, it must be created in the Amazon EC2 console. To learn how to create key pairs, see AWS Documentation.

Configuring Instance

  1. In the Network Configuration section, do the following:
  1. Select true if you want to create an Elastic IP address for the backup appliance.

For more information on Elastic IP addresses, see AWS Documentation.

  1. Specify the IPv4 address ranges from which Veeam Backup for AWS Web UI will be accessible.

Make sure the IPv4 address of the local machine from which you plan to access Veeam Backup for AWS lies within the specified IPv4 range.

The IPv4 address ranges must be specified in the CIDR notation (for example, To let all IPv4 addresses access Veeam Backup for AWS, you can specify . Note that allowing access from all IPv4 addresses is unsafe and thus not recommended in production environments.

Based on the specified IPv4 ranges, AWS CloudFormation will create a security group for Veeam Backup for AWS with an inbound rule for HTTPS traffic. By default, port 443 is open for the inbound HTTPS traffic. If you plan to change the security group for Veeam Backup for AWS upon the product installation, you will need to manually add inbound rules to the new security group and make sure this security group allows access to AWS services listed in the AWS Services section.


Configuring Network

  1. In the VPC and Subnet section, specify an Amazon VPC and subnet to which the backup appliance will be connected.

Depending on the option selected at step 5a, you can either select an existing Amazon VPC and subnet, or specify IPv4 address ranges in the CIDR notation for the new Amazon VPC and subnet.


Consider the following:

  • The specified Amazon VPC and subnet must have the outbound internet access to AWS services listed in the AWS Services section.
  • The specified Amazon VPC and subnet must allow the inbound internet access from the local machine from which you plan to access Veeam Backup for AWS.

To learn how to enable internet access for Amazon VPCs and subnets, see AWS Documentation.



Specifying VPC

  1. At the Configure stack options step of the wizard, specify AWS tags, IAM role permissions and other additional settings for the stack.

For more information on available stack options, see AWS Documentation.

Specifying Stack Options

  1. At the Review step of the wizard, do the following:
  1. Review the configured settings.
  2. Select the I acknowledge that AWS CloudFormation might create IAM resources check box.
  3. Click Submit.

Finishing Wizard

Right after installation, you must accept license agreements and create a default user. To learn how to do that, see After You Install.