Limitations and Considerations
When adding a repository to Veeam Backup for AWS, keep in mind the following limitations and considerations.
Before you add a repository, check the following prerequisites:
- An Amazon S3 bucket must be created in AWS beforehand as described in AWS Documentation.
- If you have any S3 Lifecycle configuration associated with the selected Amazon S3 bucket, it is recommended that you limit the scope of lifecycle rules applied to Amazon S3 objects in the bucket so that no rules are applied to backup files created by Veeam Backup for AWS. Otherwise, the files may be unexpectedly deleted or transitioned to another storage class, and Veeam Backup for AWS may not be able to access the files. For more information on managing S3 Lifecycle configurations, see AWS Documentation.
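The lifecycle scoping check described above can be automated. The following is an added example, not code from Veeam or AWS: it takes the `Rules` list in the shape returned by the S3 GetBucketLifecycleConfiguration API and reports enabled rules whose scope overlaps a backup folder. The prefix `veeam-repo/`, the function names and the sample rules are assumptions made for illustration.

```python
# Added example (not Veeam code): find S3 Lifecycle rules that reach a backup folder.
# Rule dicts follow the "Rules" list of the S3 GetBucketLifecycleConfiguration response.

def rule_scope(rule):
    """Return (prefix, has_extra_conditions) for one lifecycle rule."""
    flt = rule.get("Filter")
    if flt is None:                       # legacy form: top-level Prefix, no Filter
        return rule.get("Prefix", ""), False
    cond = flt.get("And", flt)            # "And" wraps prefix + tag/size conditions
    extra = any(k in cond for k in
                ("Tag", "Tags", "ObjectSizeGreaterThan", "ObjectSizeLessThan"))
    return cond.get("Prefix", ""), extra

def rules_reaching(rules, backup_prefix):
    """List (rule id, verdict) for enabled rules whose scope overlaps backup_prefix."""
    findings = []
    for rule in rules:
        if rule.get("Status") != "Enabled":
            continue
        prefix, extra = rule_scope(rule)
        # Overlap: the rule covers the whole folder (its prefix is a parent of the
        # folder, or empty) or it covers part of the folder (a sub-prefix).
        if backup_prefix.startswith(prefix) or prefix.startswith(backup_prefix):
            # Tag/size conditions may or may not match backup objects: needs review.
            findings.append((rule.get("ID", "<no id>"),
                             "review" if extra else "overlaps"))
    return findings

# Constructed sample configuration; "veeam-repo/" is a hypothetical folder prefix.
SAMPLE_RULES = [
    {"ID": "expire-everything", "Status": "Enabled", "Filter": {},
     "Expiration": {"Days": 90}},
    {"ID": "logs-to-glacier", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]},
    {"ID": "tagged-temp", "Status": "Enabled",
     "Filter": {"And": {"Prefix": "", "Tags": [{"Key": "temp", "Value": "1"}]}},
     "Expiration": {"Days": 7}},
    {"ID": "legacy-disabled", "Status": "Disabled", "Prefix": "",
     "Expiration": {"Days": 1}},
]

if __name__ == "__main__":
    for rule_id, verdict in rules_reaching(SAMPLE_RULES, "veeam-repo/"):
        print(rule_id, verdict)
```

A rule reported as `overlaps` should be narrowed to a prefix outside the backup folder; a rule reported as `review` depends on tag or size conditions and has to be checked by hand.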
If you plan to select an existing folder for storing backup files, consider the following:
- The folder must not be specified as a backup repository on multiple backup appliances simultaneously. Retention sessions running on different backup appliances may corrupt backup files stored in the folder, which may result in unpredictable data loss.
- The created backup repository will have the storage class that was specified when the folder was created. You cannot change the storage class for the repository.
- If encryption at the repository level is enabled for the selected folder, you will be required to provide a password or an encryption key for this folder at step 4 of the wizard.
- If the selected folder already contains backups created by the Veeam backup service, Veeam Backup for AWS will import the backed-up data to the configuration database. You can then use this data to perform all disaster recovery operations described in section Performing Restore.
  By default, Veeam Backup for AWS applies retention settings saved in the backup metadata to the imported backups. However, if the selected folder contains backups of resources that you plan to protect by a backup policy with the created repository specified as a backup target, Veeam Backup for AWS will overwrite the saved retention settings and apply the retention settings configured for that backup policy to the imported backups.
If you plan to add a repository with immutability enabled, keep in mind the following limitations:
- S3 Object Lock and S3 Versioning must be enabled for an Amazon S3 bucket in which the repository will be located. The default retention period must not be configured in the Object Lock settings. For more information on the S3 Versioning and S3 Object Lock features, see AWS Documentation.
- You cannot change immutability settings for the repository since these settings are based on the immutability settings of the selected Amazon S3 bucket, which are configured in the AWS Management Console upon bucket creation and cannot be modified afterward. For more information, see AWS Documentation.
- The IAM role that you plan to specify to create the repository, and later to access the repository when performing data protection and recovery tasks, must be assigned permissions to collect immutability settings of Amazon S3 buckets and to create immutable backups. For more information on the required permissions, see Repository IAM Role Permissions.
- You cannot store indexes of EFS file systems and backups of the appliance configuration database in the repository with immutability enabled.
- You cannot store mutable image-level backups, archived backups and VPC backup copies in the repository with immutability enabled. All data stored in the repository automatically becomes immutable for the immutability period. For more information, see How Immutability Works.
- You cannot remove immutable data manually using the Veeam Backup for AWS Web UI, as described in sections Removing EC2 Backups and Snapshots and Removing VPC Configuration Backups.
- You can neither remove immutable data from AWS infrastructure using any cloud service provider tools nor request the technical support department to do it for you. Since Veeam Backup for AWS uses S3 Object Lock in the compliance mode, none of the protected objects can be overwritten or deleted by any user, including the root user in your AWS account. For more information on S3 Object Lock retention modes, see AWS Documentation.
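Because the Object Lock settings are fixed at bucket creation, it is worth checking the bucket before selecting it. The following is an added example, not code from Veeam or AWS: it evaluates the responses of the S3 GetBucketVersioning and GetObjectLockConfiguration APIs against the bucket requirements listed above. The function name, the problem codes and the sample responses are assumptions made for illustration.

```python
# Added example (not Veeam code): pre-check a bucket for an immutable repository.
# Inputs are the S3 GetBucketVersioning and GetObjectLockConfiguration responses;
# pass object_lock=None when the bucket has no Object Lock configuration at all.

def immutability_problems(versioning, object_lock):
    """Return a list of problem codes; an empty list means the bucket qualifies."""
    problems = []
    if versioning.get("Status") != "Enabled":          # absent or "Suspended"
        problems.append("versioning-not-enabled")
    cfg = (object_lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("object-lock-not-enabled")
    # A bucket-level default retention rule must not be present.
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if default:
        problems.append("default-retention-set:%s" % default.get("Mode", "?"))
    return problems

# Constructed sample responses.
READY = ({"Status": "Enabled"},
         {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}})
HAS_DEFAULT = ({"Status": "Enabled"},
               {"ObjectLockConfiguration": {
                   "ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}})
PLAIN_BUCKET = ({}, None)   # versioning never enabled, no Object Lock configuration

if __name__ == "__main__":
    for name, sample in (("ready", READY), ("has-default", HAS_DEFAULT),
                         ("plain", PLAIN_BUCKET)):
        print(name, immutability_problems(*sample) or "OK")
```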
If you plan to enable encryption for a repository, consider the following:
- After you create a repository with encryption enabled, you will not be able to disable encryption for this repository. However, you will still be able to change the encryption settings as described in section Editing Backup Repository Settings.
- If you choose to encrypt data using an AWS KMS key, keep in mind that:
  - AWS managed keys cannot be used to encrypt data stored in repositories due to AWS limitations.
  - Only symmetric KMS keys are supported.
  - Do not disable KMS keys specified in the repository settings. Otherwise, Veeam Backup for AWS will not be able to encrypt data, and backup policies that store backups in these repositories will fail to complete successfully.
  - Do not delete KMS keys specified in the repository settings. Otherwise, Veeam Backup for AWS will not be able to decrypt data stored in these repositories.

    If a KMS key is scheduled for deletion, it will acquire the Pending deletion state. In this case, Veeam Backup for AWS will raise a warning notifying you that you must either change the encryption settings for the backup repository in Veeam Backup for AWS or cancel the key deletion during the following 7 days.
For more information on managing AWS KMS keys, see AWS Documentation.
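The KMS key conditions above can be monitored from the key metadata. The following is an added example, not code from Veeam or AWS: it inspects the `KeyMetadata` structure returned by the KMS DescribeKey API and reports keys that are AWS managed, not symmetric, disabled or pending deletion. The function name, issue codes and sample metadata are assumptions; `SYMMETRIC_DEFAULT` is treated here as the supported symmetric key spec.

```python
# Added example (not Veeam code): check a KMS key used for repository encryption.
# `meta` follows the KeyMetadata structure of the KMS DescribeKey response.
from datetime import datetime, timezone

def repository_key_issues(meta, now):
    """Return a list of issue codes; an empty list means no issue was found."""
    issues = []
    if meta.get("KeyManager") == "AWS":            # AWS managed keys cannot be used
        issues.append("aws-managed-key")
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT": # assumption: the symmetric spec
        issues.append("not-symmetric")
    state = meta.get("KeyState")
    if state == "Disabled":                        # backups can no longer be encrypted
        issues.append("disabled")
    elif state == "PendingDeletion":               # still cancellable until DeletionDate
        days_left = (meta["DeletionDate"] - now).days
        issues.append("pending-deletion:%dd" % days_left)
    elif state != "Enabled":
        issues.append("state:%s" % state)
    return issues

# Constructed sample metadata and a fixed reference time.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
GOOD = {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
        "KeyState": "Enabled"}
AWS_MANAGED = {"KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT",
               "KeyState": "Enabled"}
RSA_DISABLED = {"KeyManager": "CUSTOMER", "KeySpec": "RSA_2048",
                "KeyState": "Disabled"}
PENDING = {"KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT",
           "KeyState": "PendingDeletion",
           "DeletionDate": datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for name, meta in (("good", GOOD), ("aws-managed", AWS_MANAGED),
                       ("rsa-disabled", RSA_DISABLED), ("pending", PENDING)):
        print(name, repository_key_issues(meta, NOW) or "OK")
```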