Adding Configurations for Backup Account


    To launch worker instances used for backup and restore operations, Veeam Backup for AWS uses the default network settings of AWS Regions. However, to optimize infrastructure costs and to ensure better performance of backup and restore processes, you can add worker configurations to specify network settings for each region in which worker instances will be deployed. To do that:

    Specifying IAM Role

    By default, Veeam Backup for AWS uses permissions of the Default Backup Restore IAM role to launch worker instances. The role is preconfigured and has all the required permissions to launch worker instances within the initial AWS account.

    You can specify a different IAM role, for example, if you want Veeam Backup for AWS to change the Backup account. Before you specify the necessary role, make sure it is added to Veeam Backup for AWS as described in section Adding IAM Roles.

    To specify an IAM role for worker instances, do the following:

    1. Open the Configuration page.
    2. Navigate to Workers > Network.
    3. At the Backup Accounts tab, click the link in the Service IAM role field.
    4. In the Choose IAM Role window, select the necessary IAM role, and then click Apply.


    It is not recommended that you change the specified IAM role: all configured worker instance settings will be automatically removed as soon as you specify another IAM role.

    After you specify the IAM role, it is recommended that you check whether permissions of the specified IAM role are sufficient to launch worker instances. For information on how to check IAM role permissions, see Checking IAM Role Permissions. To learn what permissions the IAM role used to launch worker instances must have, see Service IAM Role Permissions.


    Adding Worker Configurations

    For each AWS Region in which worker instances will be launched, you can configure specific network settings:

    1. In the Worker configurations section, click Add.
    2. Complete the Add Worker Configuration wizard:

        a. At the General step of the wizard, select an AWS Region and Availability Zone for which you want to configure network settings.
        b. At the Network step of the wizard, select an Amazon VPC and a subnet to which you want to connect worker instances, and specify a security group that must be associated with the instances. For more information on Amazon VPC, subnets and security groups, see AWS Documentation.

           Veeam Backup for AWS will apply the specified network settings to all worker instances that will be launched in the AWS Region and Availability Zone selected at the General step of the wizard.

           Consider the following:

           • By default, Veeam Backup for AWS uses public IPv4 addresses to communicate with worker instances. If the public IPv4 addressing attribute is disabled for the selected subnet, Veeam Backup for AWS will display a warning at the Summary step of the wizard. In this case, you must either enable public IPv4 addressing for the subnet, or configure the sqs, ssm, ec2messages and ssmmessages endpoints for it to let Veeam Backup for AWS use private IPv4 addresses. To learn how to configure endpoints, see Appendix C. Configuring Endpoints in AWS.
           • If you select an Outpost subnet, backup and restore operations in the AWS Region to which the AWS Outpost is connected may fail to complete successfully. The issue occurs if the default worker instance type is not supported for the AWS Outpost. To work around the issue, change the default worker profiles as described in Managing Worker Profiles.

        c. At the Summary step of the wizard, review summary information and click Finish.
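
    The subnet condition from the Network step can be checked before you run the wizard. The following Python sketch is an added example, not part of the Veeam documentation or product: it takes records shaped like the output of `aws ec2 describe-subnets` and `aws ec2 describe-vpc-endpoints` and reports which of the four endpoints are missing for a subnet without public IPv4 addressing. The function name, the sample IDs and the rule that an endpoint counts when it is in the subnet's VPC and in the available state are assumptions.

```python
# Services the page lists for reaching workers over private IPv4 addresses.
REQUIRED_SERVICES = ("sqs", "ssm", "ec2messages", "ssmmessages")

def check_worker_subnet(subnet, vpc_endpoints):
    """Return (ok, missing_services) for one subnet.

    subnet        -- one element of Subnets[] from `aws ec2 describe-subnets`
    vpc_endpoints -- VpcEndpoints[] from `aws ec2 describe-vpc-endpoints`
    """
    # Public IPv4 addressing enabled: the default communication path applies.
    if subnet.get("MapPublicIpOnLaunch"):
        return True, []
    present = set()
    for ep in vpc_endpoints:
        # Assumption: an endpoint counts when it is in the subnet's VPC
        # and its state is "available".
        if ep.get("VpcId") != subnet.get("VpcId"):
            continue
        if str(ep.get("State", "")).lower() != "available":
            continue
        # ServiceName is com.amazonaws.<region>.<service>; compare the last
        # label exactly so that "ssmmessages" is not mistaken for "ssm".
        present.add(ep.get("ServiceName", "").rsplit(".", 1)[-1])
    missing = [s for s in REQUIRED_SERVICES if s not in present]
    return not missing, missing

def _ep(vpc, service, state="available"):
    # Helper for the constructed sample data below.
    return {"VpcId": vpc, "State": state,
            "ServiceName": "com.amazonaws.eu-west-1." + service}

# Constructed sample input (placeholder IDs, not taken from a real account).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-public", "VpcId": "vpc-a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-partial", "VpcId": "vpc-b", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-private", "VpcId": "vpc-c", "MapPublicIpOnLaunch": False},
]
SAMPLE_ENDPOINTS = (
    [_ep("vpc-b", s) for s in ("sqs", "ec2messages", "ssmmessages")]
    + [_ep("vpc-b", "ssm", state="pending")]
    + [_ep("vpc-c", s) for s in REQUIRED_SERVICES]
)

if __name__ == "__main__":
    for sn in SAMPLE_SUBNETS:
        ok, missing = check_worker_subnet(sn, SAMPLE_ENDPOINTS)
        print(sn["SubnetId"], "OK" if ok else "missing endpoints: " + ", ".join(missing))
```

    A subnet reported with missing endpoints is one for which the wizard would be expected to show the warning described above.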
