The Veeam Backup for AWS infrastructure includes the following components:
The backup appliance is a Linux-based EC2 instance where Veeam Backup for AWS is installed. The backup appliance performs the following administrative activities:
- Manages infrastructure components.
- Coordinates snapshot creation, backup and recovery tasks.
- Controls backup policy scheduling.
Backup Appliance Components
The backup appliance uses the following components:
- Backup service — coordinates data protection and disaster recovery operations.
- Configuration database — stores data collected for the Veeam Backup for AWS infrastructure, backup policies, sessions and so on.
- Web UI — provides a web interface that allows user access to the Veeam Backup for AWS functionality.
- Updater service — allows to check, view and install product and package updates.
- REST API service — allows to perform operations with Veeam Backup for AWS entities using HTTPS requests and standard HTTP methods. For details, see the Veeam Backup for AWS REST API Reference.
To access AWS services and resources, the backup appliance uses AWS API.
An S3 repository is a folder in an Amazon S3 bucket where Veeam Backup for AWS stores image-level backups of EC2 instances and additional copies of the Amazon VPC configuration. For details on Veeam Backup for AWS communication with S3 repositories, see S3 Repositories.
Encryption on S3 Repositories
For enhanced data security, Veeam Backup for AWS allows you to enable encryption at the S3 repository level. For details, see S3 Repository Encryption. For information on how to enable encryption at the S3 repository level, see Adding S3 Repositories.
Veeam Backup for AWS also supports scenarios where data is backed up to S3 buckets with enabled Amazon S3 default encryption. You can add the S3 bucket to the backup infrastructure as an S3 repository and use it as a target for image-level backups. For information on Amazon S3 default encryption, see AWS Documentation.
Before you add an S3 repository to the Veeam Backup for AWS configuration database, consider the following limitations:
- Veeam Backup for AWS allows you to store backups only in the S3 Standard storage class. S3 Standard-IA, S3 One Zone-IA and S3 Glacier storage classes are not supported.
- S3 buckets with S3 Object Lock enabled are not supported.
A worker instance is a Linux-based EC2 instance that is responsible for the interaction between the backup appliance and other components of the Veeam Backup for AWS infrastructure. Worker instances process backup workload and distribute backup traffic when transferring data to S3 repositories.
Veeam Backup for AWS automatically launches a worker instance in Amazon EC2 for the duration of a backup or restore process and removes it immediately after the process is complete. For each AWS Region where worker instances will be launched, you can configure network settings — specify the Amazon VPC, subnet, and security group to which worker instances must be connected. If worker settings are not configured for an AWS Region, Veeam Backup for AWS will get the default settings of the AWS Region to launch worker instances and to perform data protection and disaster recovery operations.
Veeam Backup for AWS launches one worker instance per each EC2 instance specified in a backup policy or restore task. For data protection operations, the type of the worker instance is selected automatically based on the size of the largest EBS volume attached to the processed EC2 instance. For data recovery operations, Veeam Backup for AWS launches worker instances of the following type:
- c5.large — for EC2 instance restore and volume-level restore if the size of the largest EBS volume is less then 1024 GB
- c5.xlarge — for EC2 instance restore and volume-level restore if the size of the largest EBS volume is from 1024 GB to 1250 GB
- c5.2xlarge — for EC2 instance restore and volume-level restore if the size of the largest EBS volume is more then 1250 GB
- t2.medium — for file-level restore
Worker Instance Location
Creating image-level backups
AWS Region in which a processed EC2 instance resides
EC2 instance restore
AWS Region to which an EC2 instance is restored
AWS Region to which EC2 instance volumes are restored
File-level restore from cloud-native snapshots or snapshot replicas
AWS Region in which an original EC2 instance resides
File-level restore from image-level backups
AWS Region in which an S3 repository with backed-up data resides
Worker Instance Components
A worker instance uses the following components:
- Veeam Data Mover is a component that performs data processing tasks. During backup, the Veeam Data Mover retrieves EC2 instance data from snapshots and stores the retrieved data to S3 repositories. During restore, the Veeam Data Mover transfers backed-up data from S3 repositories to the target location.
- File Level Recovery for Veeam Backup (FLR for Veeam Backup) browser is a web service that allows you to find and save files and folders of a backed-up EC2 instance to the local machine. The FLR for Veeam Backup browser is installed automatically on worker instances that are launched for file-level restore.
Security Certificates for Worker Instances
Veeam Backup for AWS uses self-signed TLS certificates to establish secure communication between the web browser on the local machine and the FLR for Veeam Backup browser on the worker instance during file-level restore. A self-signed certificate is generated automatically on the worker instance when the restore session starts.