Before You Begin

Before you start file-level recovery, check the following limitations and prerequisites:

  • To recover files and folders of an EC2 instance from a backup that is stored in an archive backup repository, you must retrieve the archived data manually before you begin the file-level recovery operation. For more information on data retrieval, see Retrieving EC2 Data From Archive.
  • Port 443 must be open on worker instances to allow inbound network access from the machine on which you plan to open the file-level recovery browser. To enable access for a worker instance, update the security group specified in the worker instance settings and add an inbound rule. To learn how to add rules to security groups, see AWS Documentation.

If you want worker instances to operate in a private network, enable the private network deployment functionality and configure specific VPC endpoints for all subnets to which the worker instances will be connected. Alternatively, configure VPC endpoints for all subnets as described in section Appendix C. Configuring Endpoints in AWS.

Tip

It is recommended that you run a file-level recovery test before you start a file-level recovery operation in a specific AWS Region. For more information, see Testing Configurations for FLR.

Restoring to Original Location

If you plan to perform file-level recovery to the original location, consider the following additional limitations and prerequisites:

  • To perform restore to the original location, Veeam Backup for AWS launches worker instances in the backup account. That is why you must specify network settings for worker instances beforehand as described in section Adding Configurations for Backup Account.
  • [For Linux-based EC2 instances] Python v2 or v3 with the six module must be installed on the source instance.
  • The source instance must be configured to communicate with AWS Systems Manager. To learn how to configure instance permissions for Systems Manager, see AWS Documentation.
  • SSM Agent must be installed on the source instance. To learn how to install SSM Agent, see AWS Documentation.
  • The IAM role attached to the source EC2 instance must meet the following requirements:
    1. The IAM role must be included in the instance profile. For more information on instance profiles, see AWS Documentation.
    2. The Amazon EC2 service must be granted permissions to assume the IAM role.

To allow the Amazon EC2 service to assume the IAM role, configure trust relationships for the role and add the following statement to the trust policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}

    3. During the file-level recovery session, Veeam Backup for AWS creates a temporary IAM role in the backup account to transmit data using Amazon Kinesis Data Streams. That is why the IAM role attached to the source EC2 instance must have permissions to assume the temporary role, as well as permissions to work with Amazon Simple Queue Service (SQS) and Amazon Kinesis Data Streams:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues",
        "sqs:GetQueueUrl",
        "kinesis:List*",
        "kinesis:Describe*",
        "kinesis:Get*",
        "sqs:GetQueueAttributes",
        "sqs:ListDeadLetterSourceQueues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<service-account-id>:role/veeam_rto_<original-instance-id>"
    }
  ]
}

where <service-account-id> is the AWS account ID of the trusted backup account, and <original-instance-id> is the ID of the source EC2 instance.
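To verify both policy documents above before starting a restore, the following added example (not Veeam's own code) checks a trust policy and a permissions policy offline: the trust policy must let the EC2 service principal assume the role, the permissions policy must cover the required SQS and Kinesis API calls (honouring the kinesis:* wildcards), and sts:AssumeRole must be scoped to the veeam_rto_<original-instance-id> role only, not to "*". The account ID and instance ID are constructed placeholders.

```python
# Added example (not Veeam's code): offline check that an FLR source instance's
# IAM role documents meet the requirements on this page. IDs are placeholders.
import fnmatch

ACCOUNT_ID, INSTANCE_ID = "111122223333", "i-0123456789abcdef0"  # constructed

# Trust policy from this page, as a dict.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"Service": "ec2.amazonaws.com"}}]}

# Permissions policy from this page, with the placeholders filled in.
INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["sqs:ListQueues", "sqs:GetQueueUrl", "kinesis:List*",
                "kinesis:Describe*", "kinesis:Get*", "sqs:GetQueueAttributes",
                "sqs:ListDeadLetterSourceQueues"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/veeam_rto_{INSTANCE_ID}"}]}

# Concrete API calls to probe; the kinesis ones must be covered by the wildcards.
REQUIRED = ["sqs:ListQueues", "sqs:GetQueueUrl", "sqs:GetQueueAttributes",
            "sqs:ListDeadLetterSourceQueues", "kinesis:ListStreams",
            "kinesis:DescribeStream", "kinesis:GetRecords", "kinesis:GetShardIterator"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def _matches(action, pattern):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allows(policy, action):
    """True if some Allow statement in `policy` matches `action`."""
    return any(_matches(action, p)
               for s in _allow_statements(policy) for p in _as_list(s.get("Action", [])))

def trusts_ec2(trust_policy):
    """True if the EC2 service principal may call sts:AssumeRole on the role."""
    for s in _allow_statements(trust_policy):
        principal = s.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if allows({"Statement": [s]}, "sts:AssumeRole") and "ec2.amazonaws.com" in services:
            return True
    return False

def check_instance_policy(policy, account_id, instance_id):
    """Return findings; an empty list means the policy meets this page's requirements."""
    findings = [f"missing permission {a}" for a in REQUIRED if not allows(policy, a)]
    expected = f"arn:aws:iam::{account_id}:role/veeam_rto_{instance_id}"
    for s in _allow_statements(policy):
        if any(_matches("sts:AssumeRole", p) for p in _as_list(s.get("Action", []))):
            for res in _as_list(s.get("Resource", [])):
                if res != expected:  # '*' or another ARN over-grants AssumeRole
                    findings.append(f"sts:AssumeRole on {res}; expected only {expected}")
    return findings
```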

  • If the source EC2 instance operates in a private network, you must create the following VPC endpoints for the subnet to which the instance is connected:
    • com.amazonaws.<region>.ec2messages
    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.sqs
    • com.amazonaws.<region>.kinesis-streams
    • com.amazonaws.<region>.sts

To learn how to create interface VPC endpoints, see AWS Documentation.