Architecture Overview

The Veeam Backup for AWS infrastructure includes the following components:

Backup Appliance

The backup appliance is a Linux-based EC2 instance where Veeam Backup for AWS is installed. The backup appliance performs the following administrative activities:

Backup Appliance Components

The backup appliance uses the following components:

To access AWS services and resources, the backup appliance uses AWS API.

S3 Repositories

An S3 repository is a folder in an Amazon S3 bucket where Veeam Backup for AWS stores image-level backups of EC2 instances and additional copies of the Amazon VPC configuration. For details on Veeam Backup for AWS communication with S3 repositories, see S3 Repositories.

Encryption on S3 Repositories

For enhanced data security, Veeam Backup for AWS allows you to enable encryption at the S3 repository level. For details, see S3 Repository Encryption. For information on how to enable encryption at the S3 repository level, see Adding S3 Repositories.

Veeam Backup for AWS also supports scenarios where data is backed up to S3 buckets with enabled Amazon S3 default encryption. You can add the S3 bucket to the backup infrastructure as an S3 repository and use it as a target for image-level backups. For information on Amazon S3 default encryption, see AWS Documentation.

Limitations for S3 Repositories

Before you add an S3 repository to the Veeam Backup for AWS configuration database, consider the following limitations:

Worker Instances

A worker instance is a Linux-based EC2 instance that is responsible for the interaction between the backup appliance and other components of the Veeam Backup for AWS infrastructure. Worker instances process backup workload and distribute backup traffic when transferring data to S3 repositories.

Veeam Backup for AWS automatically launches a worker instance in Amazon EC2 for the duration of a backup or restore process and removes it immediately after the process is complete. For each AWS Region where worker instances will be launched, you can configure network settings — specify the Amazon VPC, subnet, and security group to which worker instances must be connected. If worker settings are not configured for an AWS Region, Veeam Backup for AWS will get the default settings of the AWS Region to launch worker instances and to perform data protection and disaster recovery operations.

Veeam Backup for AWS launches one worker instance per each EC2 instance specified in a backup policy or restore task. For data protection operations, the type of the worker instance is selected automatically based on the size of the largest EBS volume attached to the processed EC2 instance. For data recovery operations, Veeam Backup for AWS launches worker instances of the following type:

To minimize cross-region traffic charges, depending on the data protection and disaster recovery operation, Veeam Backup for AWS launches a worker instance in the following location:

Operation

Worker Instance Location

Creating image-level backups

AWS Region in which a processed EC2 instance resides

EC2 instance restore

AWS Region to which an EC2 instance is restored

Volume-level restore

AWS Region to which EC2 instance volumes are restored

File-level restore from cloud-native snapshots or snapshot replicas

AWS Region in which an original EC2 instance resides

File-level restore from image-level backups

AWS Region in which an S3 repository with backed-up data resides

Worker Instance Components

A worker instance uses the following components:

Security Certificates for Worker Instances

Veeam Backup for AWS uses self-signed TLS certificates to establish secure communication between the web browser on the local machine and the FLR for Veeam Backup browser on the worker instance during file-level restore. A self-signed certificate is generated automatically on the worker instance when the restore session starts.

I want to report a typo

There is a misspelling right here:

 

I want to let the Veeam Documentation Team know about that.