Architecture Overview

In this article

    The Veeam Backup for AWS infrastructure includes the following components:

    Backup Appliance

    The backup appliance is a Linux-based EC2 instance where Veeam Backup for AWS is installed. The backup appliance performs the following administrative activities:

    Backup Appliance Components

    The backup appliance uses the following components:

    Backup Repositories

    A backup repository is a folder in an Amazon S3 bucket where Veeam Backup for AWS stores image-level backups of EC2 instances and additional copies of Amazon VPC configurations.

    To communicate with a backup repository, Veeam Backup for AWS uses Veeam Data Mover — the service that runs on a worker instance and that is responsible for data processing and transfer. When a backup policy addresses the backup repository, the Veeam Data Mover establishes a connection with the repository to enable data transfer. To learn how Veeam Backup for AWS communicates with backup repositories, see Managing Backup Repositories.

    Important

    Backup files are stored in backup repositories in the native Veeam format and must be modified neither manually nor by 3rd party tools. Otherwise, Veeam Backup for AWS may fail to restore the backed-up data.

    Encryption on Backup Repositories

    For enhanced data security, Veeam Backup for AWS allows you to enable encryption at the repository level. Veeam Backup for AWS encrypts backup files stored in backup repositories the same way as Veeam Backup & Replication encrypts backup files stored in backup repositories. To learn what algorithms Veeam Backup & Replication uses to encrypt backup files, see the Veeam Backup & Replication User Guide, section Encryption Standards. To learn how to enable encryption at the repository level, see Adding Backup Repositories.

    Veeam Backup for AWS also supports scenarios where data is backed up to S3 buckets with enabled Amazon S3 default encryption. You can add the S3 bucket to the backup infrastructure as a backup repository and use it as a target for image-level backups. For information on Amazon S3 default encryption, see AWS Documentation.

    Worker Instances

    A worker instance is a Linux-based EC2 instance that is responsible for the interaction between the backup appliance and other components of the Veeam Backup for AWS infrastructure. Worker instances process backup workload and distribute backup traffic when transferring data to backup repositories.

    Veeam Backup for AWS automatically launches a worker instance in Amazon EC2 for the duration of a backup, restore or backup retention process and removes it immediately after the process is complete. Veeam Backup for AWS launches one worker instance per each AWS resource specified in a backup policy, restore or retention task.  To minimize cross-region traffic charges, depending on the data protection and disaster recovery operation, Veeam Backup for AWS launches the worker instance in the following location:

    Operation

    Worker Instance Location

    Default Worker Profile

    Creating EC2 image-level backups

    AWS Region in which a processed EC2 instance resides

    • c5.large — if the total EBS volume size is less than 1024 GB
    • c5.xlarge — if the total EBS volume size is 1024-1250 GB
    • c5.2xlarge — if the total EBS volume size is more than 1250 GB

    EC2 instance restore

    AWS Region to which an EC2 instance is restored

    EC2 volume-level restore

    AWS Region to which the volumes of a processed EC2 instance are restored

    Performing health check for EC2 backups

    AWS Region in which a backup repository with backed-up data resides

    Creating EC2 archived backups

    AWS Region in which a standard backup repository with backed-up data resides

    • c5.2xlarge

    EC2 file-level restore from cloud-native snapshots or replicated snapshots

    AWS Region in which a snapshot is located

    • t3.medium

    EC2 file-level restore from image-level backups

    AWS Region in which a backup repository with backed-up data resides

    • t3.medium

    EFS indexing

    Availability Zone in which a file system has a mount target created

    • t3.medium

    EC2 backup retention

    AWS Region in which a backup repository with backed-up data resides

    • c5.large — if the total size of backup files that must be deleted is 1-3 TB
    • c5.xlarge — if the total size of backup files that must be deleted is 3-6 TB
    • c5.2xlarge — if the total size of backup files that must be deleted is 6-13 TB
    • c5.4xlarge — if the total size of backup files that must be deleted is more than 13 TB

    Worker instances are deployed based on worker configurations and profiles that can be created either automatically by Veeam Backup for AWS, or manually by the user as described in section Managing Worker Instances.

    Worker Instance Components

    A worker instance uses the following components:

    Security Certificates for Worker Instances

    Veeam Backup for AWS uses self-signed TLS certificates to establish secure communication between the web browser on the local machine and the file-level recovery browser on the worker instance during file-level restore. A self-signed certificate is generated automatically on the worker instance when the restore session starts.