Step 3. Specify IAM Identity

At the Account step of the wizard, specify IAM roles that Veeam Backup for AWS will use to perform the restore operation.

Configuring Worker Settings

At the Account step of the wizard, do the following:

1. In the IAM role section, specify an IAM role to allow Veeam Backup for AWS to perform the restore operation. For information on the permissions that the IAM role must have to perform the restore operation, see RDS Database Restore IAM Permissions.

For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS with the Amazon RDS Restore operation selected as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the RDS Database Restore wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.

2. In the Worker deployment section, specify an IAM role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances. For information on the permissions that the IAM role must have to perform the restore operation, see Worker IAM Role Permissions.

For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS with the Worker deployment role selected as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the RDS Database Restore wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.

Worker Instance Requirements

To restore DB instance databases from image-level backups, Veeam Backup for AWS launches worker instances in an AWS Region where DB instance that will host the restored databases resides in an AWS account to which the instance belongs. By default, Veeam Backup for AWS uses the most appropriate network settings of AWS Regions to launch worker instances. However, you can add specific worker configurations that will be used to launch worker instances used for database restore operations.

If no specific worker configurations are added to Veeam Backup for AWS, the most appropriate network settings of AWS Regions are used to launch worker instances for the database restore operation. For Veeam Backup for AWS to be able to launch a worker instance used to perform the restore operation:

• The VPC to which the DB instance is connected must have at least one security group that allows outbound access on port 443. This ports is used by worker instances to communicate with AWS services.
• The DNS resolution option must be enabled for the VPC. For more information, see AWS Documentation.
• As Veeam Backup for AWS uses public access to communicate with worker instances, the public IPv4 addressing attribute must be enabled at least for one subnet in the Availability Zone where the DB instance resides and the VPC to which the subnet belongs must have an internet gateway attached. VPC and subnet route tables must have routes that direct internet-bound traffic to this internet gateway.

If you want worker instances to operate in a private network, enable the private network deployment functionality and configure specific VPC endpoints for the subnet to let Veeam Backup for AWS use private IPv4 addresses. Alternatively, configure VPC interface endpoints as described in section Appendix C. Configuring Endpoints in AWS.