Adding Configurations for Production Accounts

To perform EFS indexing operations, as well as RDS backup and restore operations, worker instances are launched in production accounts by default. However, if you also want Veeam Backup for AWS to launch worker instances in production accounts for backup and restore operations performed for EC2 instances (for example, to restore instances from cloud-native snapshots encrypted using default AWS managed keys), you must configure the backup policy and restore settings.

Specifying IAM Roles

To launch worker instances in production accounts, Veeam Backup for AWS employs the following IAM roles:

You must specify this IAM role in the Add Worker Configuration wizard as described in section Adding Worker Configurations.

You must specify this IAM role in the backup policy or restore settings as described in section Creating EFS Backup Policies, Creating EC2 Backup Policies, Performing RDS Backup, Performing Entire EC2 Instance Restore, Performing Volume-Level Restore or Performing RDS Database Restore.

You must specify this IAM role when enabling worker deployment in production accounts in the backup policy or restore settings as described in section Creating EFS Backup Policies, Creating EC2 Backup Policies, Creating RDS Backup Policies, Performing Entire EC2 Instance Restore, Performing Volume-Level Restore, Performing File-Level Recovery or Performing RDS Database Restore.

Note

Since you do not specify an IAM role for file-level recovery operations, the role that you specify when enabling worker deployment in production accounts in the restore settings is also used by Veeam Backup for AWS to launch worker instances.

Adding Worker Configurations

To launch worker instances in production accounts, Veeam Backup for AWS automatically chooses the most appropriate network settings of AWS Regions (for example, specifies a VPC as a mount target for the processed file system) when performing EFS indexing operations, and uses the default network settings of AWS Regions (if any) when performing EC2 backup and restore operations. However, you can add worker configurations to specify network settings for each region in which worker instances will be deployed. You can add multiple worker configurations with different network settings per AWS Region.

To add a worker configuration:

  1. Switch to the Configuration page.
  2. Navigate to Workers > Network.
  3. Switch to the Production Accounts tab.
  4. In the Worker configurations section, click Add.
  5. Complete the Add Worker Configuration wizard:
     a. At the General step of the wizard, do the following:
        i. In the Account section, select an AWS account where resources that you plan to process belong and specify an IAM role that will be used to access and list region network settings in the selected AWS account. The role must be granted the permissions listed in section Worker Configuration IAM Role Permissions.

For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Add Worker Configuration wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.

Note

Consider the following:

  • After you specify the IAM role, it is recommended that you check whether permissions of the specified IAM role are sufficient to access and list region network settings in the selected AWS account. For information on how to check IAM role permissions, see Checking IAM Role Permissions.
  • The selected IAM role will be used only to populate network settings for the Add Worker Configuration wizard. IAM roles whose permissions Veeam Backup for AWS will use to configure the specified settings when launching worker instances will be specified in the backup policy and restore settings.
        ii. In the Region section, select an AWS Region and Availability Zone in which AWS resources that you plan to process reside.

Tip

If the newly created worker configuration will be used to perform only EC2 backup operations, there is no need to select the availability zone where the processed EC2 instances reside — you can select any zone in the specified region.

     b. At the Network step of the wizard, select an Amazon VPC and a subnet to which you want to connect worker instances created based on the new worker configuration, and specify a security group that will be associated with the instances. For an Amazon VPC, a subnet and a security group to be displayed in the lists of available network specifications, they must be created in AWS as described in AWS Documentation.

Veeam Backup for AWS will apply the specified network settings to all worker instances that will be launched in the specified location. For EFS indexing, Veeam Backup for AWS will also apply these settings to worker instances launched to process file systems that have mount targets in the selected VPC.

Important

When adding a worker configuration, consider the following:

  • [Applies only to worker instances used for EFS indexing] The selected security group must allow outbound access on ports 2049 and 443. These ports are used by worker instances to mount file systems and to communicate with AWS services. Proxy redirect and setting a proxy in the Veeam Backup for AWS configuration are not supported.
  • [Applies only to worker instances used for EFS indexing] The DNS resolution option must be enabled for the selected VPC. For more information, see AWS Documentation.
  • [Applies only to worker instances used for EC2 backup and restore] The selected security group must allow outbound access on port 443 required to communicate with AWS services. Proxy redirect and setting a proxy in the Veeam Backup for AWS configuration are not supported.

By default, Veeam Backup for AWS uses public access to communicate with worker instances. That is why the public IPv4 addressing attribute must be enabled for the selected subnet, the selected VPC must have an internet gateway attached, and the VPC and subnet route tables must have routes that direct internet-bound traffic to this internet gateway. If you want worker instances to operate in a private network, do either of the following:

  • Enable the private network deployment functionality, and configure specific VPC endpoints for the subnet to let Veeam Backup for AWS use private IPv4 addresses as described in section Enabling Private Network Deployment.

For the list of specific endpoints required to perform backup and restore operations, see Configuring Private Networks.

     c. At the Summary step of the wizard, review summary information and click Finish.
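The network prerequisites listed above (outbound 443 and, for EFS indexing, 2049; DNS resolution on the VPC; public IPv4 on the subnet; an attached internet gateway with a default route to it) can be checked before you save a worker configuration. The following preflight check is an added example, not Veeam's own code: it works on dicts shaped like the EC2 describe-* responses (with the VPC DNS attributes assumed to be merged into the VPC dict), and every ID and rule in the sample data is constructed.

```python
"""Preflight check for a worker configuration's network settings (added example).
The dicts mirror EC2 describe-* response shapes; DNS attributes are assumed to be
merged into the VPC dict. All sample values below are constructed placeholders."""

def egress_allows_tcp(sg, port):
    """True if any egress rule of the security group covers outbound TCP `port`."""
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "all traffic" rule: meets the requirement, but is broader than needed
            return True
        if proto == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return True
    return False

def check_worker_network(vpc, subnet, route_table, sg, igw_ids, purpose):
    """Return unmet prerequisites; purpose is "efs" (indexing) or "ec2" (backup/restore)."""
    problems = []
    # Outbound ports: 443 for AWS service calls, plus 2049 (NFS) for EFS mounts
    for port in ([443, 2049] if purpose == "efs" else [443]):
        if not egress_allows_tcp(sg, port):
            problems.append(f"{sg['GroupId']}: no outbound TCP {port} rule")
    if purpose == "efs" and not (vpc.get("EnableDnsSupport") and vpc.get("EnableDnsHostnames")):
        problems.append(f"{vpc['VpcId']}: DNS resolution is not enabled")
    # Public-access path: public IPv4 on the subnet, an attached IGW, and a default route to it
    if not subnet.get("MapPublicIpOnLaunch"):
        problems.append(f"{subnet['SubnetId']}: public IPv4 addressing is disabled")
    if not igw_ids:
        problems.append(f"{vpc['VpcId']}: no internet gateway attached")
    elif not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId") in igw_ids
                 for r in route_table.get("Routes", [])):
        problems.append(f"{route_table['RouteTableId']}: no 0.0.0.0/0 route via an internet gateway")
    return problems

# Constructed sample objects (placeholder IDs, not from a real account)
VPC = {"VpcId": "vpc-0example", "EnableDnsSupport": True, "EnableDnsHostnames": True}
SUBNET = {"SubnetId": "subnet-0example", "MapPublicIpOnLaunch": True}
IGW_IDS = ["igw-0example"]
ROUTE_TABLE = {"RouteTableId": "rtb-0example", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
SG_HTTPS_ONLY = {"GroupId": "sg-0example", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for purpose in ("ec2", "efs"):
        print(purpose, check_worker_network(VPC, SUBNET, ROUTE_TABLE, SG_HTTPS_ONLY, IGW_IDS, purpose) or "OK")
```

With the sample data the same security group passes for EC2 workers and fails for EFS workers, because only port 443 is open outbound and the NFS port 2049 is missing.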

Adding Worker Configuration for Production Account