Considerations and Limitations

When you plan to deploy and configure Veeam Backup for AWS, keep in mind the following limitations and considerations.

Deployment

When deploying backup appliances, consider the following:

• Veeam Backup for AWS is available only in AWS Global and AWS GovCloud (US) regions.
• You can deploy Veeam Backup for AWS within a single Availability Zone only.
• To ensure successful deployment and installation of Veeam Backup for AWS, customers are encouraged to make sure they are operating within AWS service quotas. For more information, see AWS Documentation.

Licensing

If the license file is not installed, Veeam Backup for AWS will operate in the Free edition allowing you to protect up to 10 instances free of charge.

Hardware

The minimum recommended EC2 instance type for the backup appliance is t3.medium. For the list of all existing instance types, see AWS Documentation.

Software

To access Veeam Backup for AWS, use Microsoft Edge (latest version), Mozilla Firefox (latest version) or Google Chrome (latest version). Internet Explorer is not supported.

Security Certificates

Veeam Backup for AWS supports certificates only in the .PFX and .P12 format.

Backup Repositories

When managing backup repositories, consider the following:

• Amazon S3 buckets with S3 Object Lock and S3 Versioning enabled can be used only for creating backup repositories with enabled immutability settings.
• Amazon S3 buckets with only S3 Object Lock enabled is not supported. It is recommended that S3 Object Lock and S3 Versioning are either both enabled or both disabled for a bucket.
• Amazon S3 buckets using server-side encryption with AWS KMS keys (SSE-KMS) are not supported.
• Veeam Backup for AWS allows you to store backups only in the S3 Standard, S3 Glacier Flexible Retrieval and S3 Glacier Deep Archive storage classes. The S3 Standard-IA and S3 One Zone-IA storage classes are not supported.
• You cannot change Amazon S3 buckets, folders and storage classes for backup repositories already added to Veeam Backup for AWS.

• You cannot change immutability settings for the repository since these settings are based on the immutability settings of the selected Amazon S3 bucket, which are configured in the AWS Management Console upon bucket creation and cannot be modified afterward. For more information, see AWS Documentation.

• When you add a backup repository of the S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive storage class, Veeam Backup for AWS does not create any S3 Glacier vaults in your AWS environment — it assigns the selected storage class to backups stored in the repository. That is why these backups remain in Amazon S3 and cannot be accessed directly through the Amazon S3 Glacier service.

• If you plan to use AWS Key Management Service (KMS) keys to encrypt backup repositories, note that only symmetric KMS keys are supported.

If you use a KMS key to encrypt a repository, do not disable or delete this key. Otherwise, Veeam Backup for AWS will not be able to encrypt and decrypt data stored in the repository.

• After you create a repository with encryption enabled, you will not be able to disable encryption for this repository. However, you will still be able to change the encryption settings as described in section Editing Backup Repository Settings.

• A backup repository must not be managed by multiple backup appliances simultaneously. Retention sessions running on different backup appliances may corrupt backups stored in the repository, which may result in unpredictable data loss.
• Even though an Amazon S3 bucket is no longer used as a backup repository, Veeam Backup for AWS preserves all backup files previously stored in the repository and keeps these files in Amazon S3.

If you no longer need the backed-up data, either delete it as described in sections Removing EC2 Backups and Snapshots, Removing RDS Backups and Snapshots and Removing VPC Configuration Backups before you remove the repository from Veeam Backup for AWS, or use the AWS Management Console to delete the data if the repository has already been removed.

Backup

When protecting AWS resources, consider the following:

• Veeam Backup for AWS protects only EC2 instances that run in VPCs. EC2-Classic instances are not supported. For more information, see this Veeam KB article.
• When Veeam Backup for AWS backs up EC2 instances with IPv6 addresses assigned, it does not save the addresses. That is why when you restore these instances, IP addresses are assigned according to the settings specified in AWS for the subnet to which the restored instances will be connected.

• Veeam Backup for AWS does not support backup and restore of RDS Multi-AZ DB clusters.

• Snapshot replication is not supported for Aurora multi-master clusters.

• For Veeam Backup for AWS to be able to create RDS image-level backups, make sure that security groups associated with worker instances allow outbound HTTPS traffic from the worker instances through port 443 to download a certificate bundle for establishing SSL/TLS connections. For more information on certificate bundles for AWS Regions, see AWS Documentation.

• Veeam Backup for AWS supports backup of DynamoDB tables only to the same AWS accounts where the source tables belong.

• Veeam Backup for AWS uses the AWS Backup service to create DynamoDB backups and backup copies. The DynamoDB backup service is not supported.
• For Veeam Backup for AWS to be able to back up DynamoDB tables, you must configure the AWS Backup settings to enable both the Opt-in service and the advanced features for Amazon DynamoDB backups. Otherwise, Veeam Backup for AWS will automatically enable these settings for each AWS Region specified in the backup policy settings in your AWS account while performing backup operations. For more information on advanced DynamoDB backup, see AWS Documentation.

• Veeam Backup for AWS supports backup of EFS file systems only to the same AWS accounts where the source file systems belong.
• Indexing of the backed up EFS file systems is not supported in the Free edition of Veeam Backup for AWS. For more information on license editions, see Licensing of Standalone Backup Appliances.
• Veeam Backup for AWS does not support backup of the following VPC configuration components: VPC Traffic Mirroring, AWS Network Firewall, Route 53 Resolver DNS Firewall, AWS Verified Access, VPC Flow Logs, carrier gateways, customer IP pools, transit gateway policy tables, and core networks in route tables.

• When configuring policy scheduling, consider that Veeam Backup for AWS runs retention sessions at 4:00 AM by default, according to the time zone set on the backup appliance. If you schedule backup policies to execute at 4:00 AM, the backup policies and retention tasks will be queued.

Restore

When restoring AWS resources, consider the following:

• When restoring multiple EC2 instances that have the same EBS volume attached, Veeam Backup for AWS restores one volume per each instance and enables the Multi-Attach option for every restored volume. For more information on Amazon EBS Multi-Attach, see AWS Documentation.
• Restore of files and folders is supported only for the following file systems: FAT, FAT32, NTFS, ext2, ext3, ext4, XFS, Btrfs.

For EC2 instances running Microsoft Windows OSes, Veeam Backup for AWS supports file-level recovery only for basic volumes.

• Restore of RDS resources with gp3 storage volumes is not supported. For more information on General Purpose gp3 storage volumes, see AWS Documentation.
• Restore of EC2 instances to the original location cannot be performed, if the source instances with termination protection and stop protection enabled still exist in AWS.
• When restoring Aurora DB clusters to a new location, Veeam Backup for AWS creates only primary DB instances in the restored clusters. Additional writer DB instances (for Aurora multi-master clusters) or Aurora Replicas (for Aurora DB clusters with single-master replication) must be added manually in the AWS Management Console after the restore operation completes. To learn how to add DB instances to Amazon Aurora DB clusters, see AWS Documentation.

• The AWS Backup service does not support copying DynamoDB backups stored in a cold storage tier to another AWS Region. These means that you will only be able to use these backups to restore tables to the same AWS Region in which the backups reside after being transitioned from a warm storage tier.

• Veeam Backup for AWS supports restore of DynamoDB tables only to the same AWS account where the source tables belong.
• You can change the Time to Live (TTL) setting for DynamoDB tables only an hour after the restore operation completes.
• Veeam Backup for AWS supports restore of EFS file systems only to the same AWS account where the source file systems belong.
• Restore of entire VPC configurations to a new location is not supported for the following VPC configuration items: Client VPN endpoints, customer gateways and load balancer listeners that use authentication certificates and specific components of route tables (core networks, routes to AWS Outpost local gateways, network interfaces, instances and carrier gateways).
• Restore of specific VPC configuration items to a new location is not supported.