AWS Services
To perform backup and restore operations, the AWS Plug-In for Veeam Backup & Replication, backup appliance and worker instances must have outbound internet access to the following AWS services.
AWS Services Required For AWS Plug-In for Veeam Backup & Replication
- Amazon CloudWatch
- Amazon Data Lifecycle Manager
- Amazon Elastic Compute Cloud (EC2)
- Amazon Simple Storage Service (S3)
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Systems Manager (SSM)
- AWS Security Token Service (STS)
- AWS Service Quotas
Additionally, consider the following requirement:
If you plan to deploy a backup appliance with a public IP address, outbound internet access must be allowed from the backup server to https://checkip.amazonaws.com/ through port 443 over the HTTPS protocol. This is required for AWS Plug-In for Veeam Backup & Replication to be able to retrieve the IP address of the backup appliance.
AWS Services Required For Backup Appliance
- Amazon CloudWatch
- Amazon CloudWatch Events
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Compute Cloud (EC2)
- Amazon Kinesis Data Streams
- AWS Lambda
- AWS Organizations
- Amazon Relational Database Service (RDS)
- Amazon Redshift and Amazon Redshift Serverless
- AWS Secrets Manager
- Amazon Elastic File System (EFS)
- Amazon FSx File Systems
- Amazon DynamoDB
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- Amazon S3-control
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Marketplace Metering Service
- AWS Resource Access Manager
- AWS Security Token Service (STS)
- AWS Service Quotas
- AWS Backup
- AWS Systems Manager (SSM), including access to the ec2messages and ssmmessages endpoints
- Elastic Load Balancing (ELB)
- Instance Metadata Service
Additionally, consider the following requirements:
- For Veeam Backup for AWS to be able to deploy worker instances when performing RDS image-level backup operations, outbound internet access must be allowed from the backup appliance to the TrustStore through port 443 over the HTTPS protocol to download the following certificate authority (CA) certificates: https://truststore.pki.us-gov-west-1.rds.amazonaws.com/global/global-bundle.pem (for AWS GovCloud (US) regions) and https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem (for AWS commercial regions).
- For Veeam Backup for AWS to be able to receive information on the cost of EC2 and RDS services while performing EC2 and RDS backup and restore operations, outbound internet access must be allowed from the backup appliance to the AWS Pricing API through port 443 over the HTTPS protocol to download a .JSON file from https://pricing.us-east-1.amazonaws.com.
- For Veeam Backup for AWS to be able to retrieve the names of AWS Regions, outbound internet access must be allowed from the backup appliance to the AWS Service Health Dashboard (https://status.aws.amazon.com) through port 443 over the HTTPS protocol.
AWS Services Required For Worker Instances
- AWS Systems Manager (SSM), including access to the ec2messages and ssmmessages endpoints
- Amazon Simple Queue Service (SQS)
- Amazon Simple Storage Service (S3)
- Amazon Elastic Block Store (EBS)
- Amazon Kinesis Data Streams
Important
If you plan to configure an HTTP proxy for the backup appliance, make sure that the security group associated with the proxy server allows direct network traffic required to communicate with the AWS services.