Adding Configurations for Backup Account

By default, Veeam Backup for AWS launches worker instances used for retention, backup and restore operations in the backup account. You can choose an IAM role and specify network settings that will be used to deploy these worker instances.

Specifying IAM Role

Out of the box, Veeam Backup for AWS uses the permissions of the Default Backup Restore role to launch worker instances — the role is preconfigured and has all the required permissions. Therefore, the default backup account is an AWS account where the backup appliance belongs. However, you can specify another IAM role to change the backup account.

To specify an IAM role for worker instances, do the following:

  1. Open the Configuration page.
  1. Navigate to Workers > Network.
  1. At the Backup Accounts tab, click the link in the Service IAM role field.
  1. In the Choose IAM Role window, select the necessary IAM role, and then click Apply.

For an IAM role to be displayed in the list of available IAM roles, it must be added to Veeam Backup for AWS as described in section Adding IAM Roles.


After you choose an IAM role, it is not recommended to change it. Otherwise, all the created worker configurations will be removed automatically as soon as you choose another IAM role.

After you specify the IAM role, it is recommended that you check whether permissions of the specified IAM role are sufficient to launch worker instances. For information on how to check IAM role permissions, see Checking IAM Role Permissions. To learn what permissions must have the IAM role used to launch worker instances, see Service IAM Role in Backup Account.

Specifying IAM Role for Worker Instances

Adding Worker Configurations

To launch worker instances in the Backup account, Veeam Backup for AWS uses the default network settings of AWS Regions (if any). However, to optimize infrastructure costs and to ensure better performance of backup, retention and restore processes, you can add worker configurations to specify network settings for each Availability Zone in which worker instances will be deployed.

To add a worker configuration:

  1. In the Worker configurations section, click Add.
  2. Complete the Add Worker Configuration wizard.
  1. At the General step of the wizard, select an AWS Region and Availability Zone for which you want to configure network settings.


If you create the worker configuration that will be used to perform EC2 backup operations, you can select any Availability Zone in the specified AWS Region. Veeam Backup for AWS will still be able to perform the operations even if the selected zone will differ from the Availability Zone where the processed EC2 instances reside. For restore operations, the configuration must be created in the same Availability Zone where the restored EC2 instance will operate.

  1. At the Network step of the wizard, select an Amazon VPC and a subnet to which you want to connect worker instances, and specify a security group that must be associated with the instances. For an Amazon VPC, a subnet and a security group to be displayed in the lists of available network specifications, they must be created in AWS as described in AWS Documentation.

Veeam Backup for AWS will apply the specified network settings to all worker instances that will be launched in the AWS Region and Availability Zone selected at the General step of the wizard.


When selecting a subnet and security group, consider the following:

  • Security rules configured in the selected security group must allow direct network traffic required to communicate with AWS services. Proxy redirect and setting a proxy in the Veeam Backup for AWS configuration are not supported.
  • By default, Veeam Backup for AWS uses public IPv4 addresses to communicate with worker instances. If the public IPv4 addressing attribute is disabled for the selected subnet, Veeam Backup for AWS will display a warning at the Summary step of the wizard. In this case, you must either enable public IPv4 addressing for the subnet, or configure interface endpoints for it to let Veeam Backup for AWS use private IPv4 addresses. For the list of specific endpoints required to perform backup and restore operations, see Appendix C. Configuring Endpoints in AWS.
  • If you select an Outpost subnet, backup and restore operations in the AWS Region to which the AWS Outpost is connected may fail to complete successfully. The issue occurs if the default worker instance type is not supported for the AWS Outpost. To work around the issue, change the default worker profiles as described in section Managing Worker Profiles.
  1. At the Summary step of the wizard, review summary information and click Finish.

Adding Worker Configuration

Related Topics