The Veeam Backup for AWS infrastructure includes the following components:
The backup appliance is a Linux-based EC2 instance where Veeam Backup for AWS is installed. The backup appliance performs the following administrative activities:
- Manages infrastructure components.
- Coordinates snapshot creation, backup and recovery tasks.
- Controls backup policy scheduling.
Backup Appliance Components
The backup appliance uses the following components:
- Backup service — coordinates data protection and disaster recovery operations.
- Configuration database — stores data collected for the Veeam Backup for AWS infrastructure, backup policies, sessions and so on.
- Web UI — provides a web interface that allows user access to the Veeam Backup for AWS functionality.
- Updater service — allows Veeam Backup for AWS to check, view and install product and package updates.
- REST API service — allows clients to perform operations with Veeam Backup for AWS entities using HTTP requests and standard HTTP methods. For details, see the Veeam Backup for AWS REST API Reference.
To access AWS services and resources, the backup appliance uses AWS API.
A backup repository is a folder in an Amazon S3 bucket where Veeam Backup for AWS stores image-level backups of EC2 instances and additional copies of the Amazon VPC configuration. For details on Veeam Backup for AWS communication with backup repositories, see Managing Backup Repositories.
To communicate with a backup repository, Veeam Backup for AWS uses Veeam Data Mover — the service that runs on a worker instance and that is responsible for data processing and transfer. When a backup policy addresses the backup repository, the Veeam Data Mover establishes a connection with the repository to enable data transfer.
Backup files are stored in backup repositories in the native Veeam format and must be modified neither manually nor by 3rd party tools. Otherwise, Veeam Backup for AWS may fail to restore the backed-up data.
Encryption on Backup Repositories
For enhanced data security, Veeam Backup for AWS allows you to enable encryption at the repository level. For details, see Backup Repository Encryption. For information on how to enable encryption at the repository level, see Adding Backup Repositories.
Veeam Backup for AWS also supports scenarios where data is backed up to S3 buckets with enabled Amazon S3 default encryption. You can add the S3 bucket to the backup infrastructure as a backup repository and use it as a target for image-level backups. For information on Amazon S3 default encryption, see AWS Documentation.
Before you add a backup repository to the Veeam Backup for AWS configuration database, consider the following limitations:
- Veeam Backup for AWS allows you to store backups in the S3 Standard, S3 Glacier and S3 Glacier Deep Archive storage classes. The S3 Standard-IA and S3 One Zone-IA storage classes are not supported.
- Amazon S3 buckets with the S3 Object Lock enabled are not supported.
A worker instance is a Linux-based EC2 instance that is responsible for the interaction between the backup appliance and other components of the Veeam Backup for AWS infrastructure. Worker instances process backup workload and distribute backup traffic when transferring data to backup repositories.
Veeam Backup for AWS automatically launches a worker instance in Amazon EC2 for the duration of a backup or restore process and removes it immediately after the process is complete. For each AWS Region where worker instances will be launched, you can configure network settings — specify the Amazon VPC, subnet, and security group to which worker instances must be connected. If worker settings are not configured for an AWS Region, Veeam Backup for AWS will get the default settings of the AWS Region to launch worker instances and to perform data protection and disaster recovery operations.
Veeam Backup for AWS launches one worker instance per each EC2 instance specified in a backup policy or restore task. For data protection operations, the type of the worker instance is selected automatically based on the size of the largest EBS volume attached to the processed EC2 instance. To minimize cross-region traffic charges, depending on the data protection and disaster recovery operation, Veeam Backup for AWS launches a worker instance in the following location:
Worker Instance Location
Default Worker Instance Size
Creating image-level backups
AWS Region in which a processed EC2 instance resides
EC2 instance restore
AWS Region to which an EC2 instance is restored
AWS Region to which EC2 instance volumes are restored
Creating archived backups
AWS Region in which a standard backup repository with backed-up data resides
File-level restore from cloud-native snapshots or snapshot replicas
AWS Region in which an original EC2 instance resides
File-level restore from image-level backups
AWS Region in which a backup repository with backed-up data resides
Worker Instance Components
A worker instance uses the following components:
- Veeam Data Mover is a component that performs data processing tasks. During backup, the Veeam Data Mover retrieves EC2 instance data from snapshots and stores the retrieved data to backup repositories. During restore, the Veeam Data Mover transfers backed-up data from backup repositories to the target location.
- File Level Recovery for Veeam Backup (FLR for Veeam Backup) browser is a web service that allows you to find and save files and folders of a backed-up EC2 instance to the local machine. The FLR for Veeam Backup browser is installed automatically on worker instances that are launched for file-level restore.
Security Certificates for Worker Instances
Veeam Backup for AWS uses self-signed TLS certificates to establish secure communication between the web browser on the local machine and the FLR for Veeam Backup browser on the worker instance during file-level restore. A self-signed certificate is generated automatically on the worker instance when the restore session starts.