System Requirements
Before you start using Veeam Backup for AWS, consider the following requirements.
The following network ports must be open to ensure proper communication of components in the Veeam Backup for AWS infrastructure.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Web browser (local machine) | Backup appliance | TCP | 443 | Required to access the Web UI component from a user workstation. |
Web browser (local machine) | Backup appliance | SSH | 22 | Required to communicate with the backup service running on the backup appliance. |
Web browser (local machine) | Backup appliance | TCP | 11005 | Default port required to communicate with the REST API service running on the backup appliance. For information on how to change the port number, see the Configuring Security Settings section in the Veeam Backup for AWS REST API Reference. |
Web browser (local machine) | Worker instance | TCP | 443 | Required to access the File Level Recovery for Veeam Backup browser running on a worker instance during the file-level restore process. |
Backup appliance | SMTP server | TCP | 25 | Default port used for sending email notifications. |
Backup appliance | Veeam Update Notification Server (repository.veeam.com) | TCP | 443 | Required to download information on available product updates. |
To open network ports, in the AWS Management Console, you must add inbound rules to security groups associated with Veeam Backup for AWS infrastructure components.
- A security group for the backup appliance is created during the product installation. For details, see Installing Veeam Backup for AWS.
- A security group for worker instances is selected per AWS Region and Availability Zone. For details, see Configuring Worker Instance Settings.
For details on how to add inbound rules to security groups, see AWS Documentation.
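The following added example (not part of the Veeam documentation or product) checks the inbound rules of the backup appliance security group against the ports listed above. It assumes the rules are supplied in the `IpPermissions` structure returned by EC2 DescribeSecurityGroups; the function name `audit_inbound` and the `allowed_cidrs` list of permitted source ranges are hypothetical, and restricting sources is an assumption of this example.

```python
import ipaddress

# Inbound ports for the backup appliance, taken from the table above
# (the SSH row is TCP/22 in security-group terms).
REQUIRED_TCP = {443: "Web UI", 22: "SSH", 11005: "REST API (default port)"}

def audit_inbound(ip_permissions, allowed_cidrs):
    """Compare a security group's IpPermissions (the structure returned by
    EC2 DescribeSecurityGroups) with the required ports.
    Returns (missing_ports, findings)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    covered, findings = set(), []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # all protocols, all ports
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm["FromPort"], perm["ToPort"]
        else:
            findings.append(f"protocol {proto} is not in the requirements")
            continue
        hit = {p for p in REQUIRED_TCP if lo <= p <= hi}
        covered |= hit
        if (hi - lo + 1) > len(hit):
            findings.append(f"tcp {lo}-{hi} opens ports beyond the required ones")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            net = ipaddress.ip_network(src)
            ok = any(net.version == a.version and net.subnet_of(a) for a in allowed)
            if not ok:
                findings.append(f"tcp {lo}-{hi} is reachable from {src}")
    return sorted(set(REQUIRED_TCP) - covered), findings

# Constructed sample, not taken from a real account.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
]

if __name__ == "__main__":
    missing, findings = audit_inbound(SAMPLE, ["203.0.113.0/24"])
    print("missing required ports:", missing)
    for f in findings:
        print("finding:", f)
```

If the REST API port has been changed from its default, update `REQUIRED_TCP` accordingly before running the check.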
IAM roles that Veeam Backup for AWS uses to perform data protection and disaster recovery operations must have permissions to access AWS services and resources. The minimal set of permissions for IAM roles is described in the following Veeam KB articles: KB3032, KB3033, KB3034.
The backup appliance and worker instances must have outbound internet access to the following AWS services:
- Amazon CloudWatch
- Amazon CloudWatch Events
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Kinesis Data Streams
- Amazon Relational Database Service (RDS)
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Marketplace Metering Service
- AWS Resource Access Manager
- AWS Security Token Service (STS)
- AWS Service Quotas
- AWS Systems Manager (SSM), including access to the ec2messages and ssmmessages endpoints
- Elastic Load Balancing (ELB)