Adding Configurations for Production Accounts

To launch worker instances in production accounts, Veeam Backup for AWS selects the most appropriate network settings of AWS Regions (for example, selects a VPC specified as a mount target for the processed file system) to perform EFS indexing operations, and the default network settings of AWS Regions (if there are any) to perform EC2 backup and restore operations. However, you can add worker configurations to specify network settings for each region in which worker instances will be deployed. You can add multiple worker configurations with different network settings per AWS Region.

To add a worker configuration:

  1. Open the Configuration page.
  1. Navigate to Workers > Network.
  2. Switch to the Production Accounts tab.
  3. In the Worker configurations section, click Add.
  4. Complete the Add Worker Configuration wizard.
  1. At the General step of the wizard, do the following:
  1. In the Account section, select an AWS account where resources that you plan to process belong and specify an IAM role that will be used to access and list region network settings in the selected AWS account. For more information on required permissions, see Service IAM Roles in Production Accounts.


The selected IAM role will be used only to list network settings in the current wizard. The role whose permissions Veeam Backup for AWS will use to access the configured settings during operations must be specified in the backup policy or restore settings.

  1. In the Region section, select an AWS Region and Availability Zone where AWS resources that you plan to process reside.


If you create the worker configuration that will be used to perform EC2 backup operations, you can select any Availability Zone in the specified AWS Region. Veeam Backup for AWS will still be able to perform the operations even if the selected zone will differ from the Availability Zone where the processed EC2 instances reside.

  1. At the Network step of the wizard, select an Amazon VPC and a subnet to which you want to connect worker instances, and specify a security group that must be associated with the instances. For more information on Amazon VPC, subnets and security groups, see AWS Documentation.

Veeam Backup for AWS will apply the specified network settings to all worker instances that will be launched in the specified location. For EFS indexing, Veeam Backup for AWS will apply these settings to worker instances launched to process file systems that have mount targets in the selected VPC.


When adding a worker configuration to deploy worker instances for EFS indexing operations, consider the following:

  • The selected security group must allow outbound access on 2049 and 443 ports. These ports are used by worker instances to mount file systems and to communicate with AWS services. Proxy redirect and setting a proxy in the Veeam Backup for AWS configuration are not supported.
  • The DNS resolution option must be enabled for the selected VPC. For more information, see AWS Documentation.
  • By default, Veeam Backup for AWS uses public access to communicate with worker instances. That is why the public IPv4 addressing attribute must be enabled for the selected subnet, the selected VPC must have an internet gateway attached, and VPC and subnet route tables must have routes that direct internet-bound traffic to this internet gateway.

If you want worker instances to operate in the private network, configure private endpoints for it to let Veeam Backup for AWS use private IPv4 addresses. To learn how to configure endpoints, see Appendix C. Configuring Endpoints in AWS.

  1. At the Summary step of the wizard, review summary information and click Finish.

Adding Worker Configuration for Production Account