Step 3. Specify IAM Identity
At the Account step of the wizard, specify IAM roles that Veeam Backup for AWS will use to perform the restore operation.
Important
Make sure that the specified IAM roles belong to an AWS account in which you plan to restore the selected databases.
Configuring Worker Settings
At the Account step of the wizard, do the following:
- In the IAM role section, specify an IAM role to allow Veeam Backup for AWS to perform the restore operation. For information on the permissions that the IAM role must have to perform the restore operation, see RDS Database Restore IAM Permissions.
For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS with the Amazon RDS Restore operation selected as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the RDS Database Restore wizard. To do that, click Add and complete the Add IAM Role wizard.
- In the Worker deployment section, specify an IAM role that will be attached to the worker instances and used by Veeam Backup for AWS to communicate with these instances. For information on the permissions that the IAM role must have to perform the restore operation, see Worker Deployment Role Permissions in Production Accounts.
For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS with the Production worker role selected as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the RDS Database Restore wizard. To do that, click Add and complete the Add IAM Role wizard.
Important
It is recommended that you check whether the selected IAM roles have all the permissions required to perform the operation. If some of the IAM role permissions are missing, the restore operation will fail to complete successfully. To run the IAM role permission check, click Check Permissions and follow the instructions provided in section Checking IAM Role Permissions.
Worker Instance Requirements
To restore DB instance databases from image-level backups, Veeam Backup for AWS deploys worker instances in the AWS Region where the DB instance that will host the restored databases resides, in the AWS account to which that DB instance belongs. By default, Veeam Backup for AWS uses the most appropriate network settings of AWS Regions to deploy worker instances. However, you can add specific worker configurations that will be used to deploy worker instances used for database restore operations.
If no specific worker configurations are added to Veeam Backup for AWS, the most appropriate network settings of AWS Regions are used to deploy worker instances for the database restore operation. For Veeam Backup for AWS to be able to deploy a worker instance used to perform the restore operation:
- The DNS resolution option must be enabled for the VPC. For more information, see AWS Documentation.
- As Veeam Backup for AWS uses public access to communicate with worker instances, the public IPv4 addressing attribute must be enabled for at least one subnet in the Availability Zone where the DB instance resides, and the VPC to which the subnet belongs must have an internet gateway attached. VPC and subnet route tables must have routes that direct internet-bound traffic to this internet gateway.
If you want worker instances to operate in a private network, enable the private network deployment functionality and configure specific VPC endpoints for the subnet to let Veeam Backup for AWS use private IPv4 addresses. Alternatively, configure VPC interface endpoints as described in section Appendix C. Configuring Endpoints in AWS.
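The requirements for the default (public) worker deployment can be verified before the restore is started. The following Python code is an added example, not part of the Veeam documentation or product: it evaluates the three conditions against dictionaries shaped like boto3 EC2 describe_subnets, describe_internet_gateways and describe_route_tables responses. Assumptions: the function names are hypothetical, all resource IDs are constructed sample data, dns_support is the value of the VPC enableDnsSupport attribute, and "internet-bound traffic" is read as an active 0.0.0.0/0 route.

```python
# Added example: offline pre-flight check of the public worker network requirements.
def attached_igw(vpc_id, igws):
    """ID of an internet gateway attached to the VPC, or None."""
    return next((g["InternetGatewayId"] for g in igws for a in g.get("Attachments", [])
                 if a.get("VpcId") == vpc_id and a.get("State") in ("available", "attached")), None)

def effective_route_table(subnet_id, vpc_id, tables):
    """Explicitly associated route table, else the VPC's main route table."""
    main = None
    for rt in (t for t in tables if t.get("VpcId") == vpc_id):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def routes_to_igw(rt, igw_id):
    """Assumption: 'internet-bound traffic' means an active 0.0.0.0/0 route."""
    return rt is not None and any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId") == igw_id
        and r.get("State", "active") == "active" for r in rt.get("Routes", []))

def check_worker_network(vpc_id, az, dns_support, subnets, igws, tables):
    """Return unmet requirements for public worker deployment; [] means pass."""
    problems = []
    if not dns_support:
        problems.append("DNS resolution is disabled for the VPC")
    igw_id = attached_igw(vpc_id, igws)
    if igw_id is None:
        problems.append("no internet gateway attached to the VPC")
    public = [s for s in subnets if s["VpcId"] == vpc_id
              and s["AvailabilityZone"] == az and s.get("MapPublicIpOnLaunch")]
    if not public:
        problems.append("no subnet in the AZ has public IPv4 addressing enabled")
    elif igw_id and not any(
            routes_to_igw(effective_route_table(s["SubnetId"], vpc_id, tables), igw_id)
            for s in public):
        problems.append("no public subnet routes 0.0.0.0/0 to the internet gateway")
    return problems

# Constructed sample data (not from a real account).
SUBNETS = [{"SubnetId": "subnet-a", "VpcId": "vpc-1", "AvailabilityZone": "eu-west-1a", "MapPublicIpOnLaunch": True},
           {"SubnetId": "subnet-b", "VpcId": "vpc-1", "AvailabilityZone": "eu-west-1b", "MapPublicIpOnLaunch": False}]
IGWS = [{"InternetGatewayId": "igw-1", "Attachments": [{"VpcId": "vpc-1", "State": "available"}]}]
TABLES = [{"RouteTableId": "rtb-main", "VpcId": "vpc-1", "Associations": [{"Main": True}],
           "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
          {"RouteTableId": "rtb-pub", "VpcId": "vpc-1", "Associations": [{"Main": False, "SubnetId": "subnet-a"}],
           "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]}]
print(check_worker_network("vpc-1", "eu-west-1a", True, SUBNETS, IGWS, TABLES))
```

An Availability Zone that fails only the public-addressing check is a candidate for the private network deployment option rather than for opening a subnet to the internet.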
Note
During RDS image-level backup operations, Veeam Backup for AWS creates 2 additional security groups that are further associated with the source DB instances and worker instances to allow direct network traffic between them. To learn how DB instance database restore works, see Database Restore.