Adding Configurations for Production Accounts
To perform EFS indexing operations, worker instances are launched in production accounts by default. However, if you also want Veeam Backup for AWS to launch worker instances in production accounts for backup and restore operations performed for EC2 instances (for example, to restore instances from cloud-native snapshots encrypted using default AWS managed keys), you must configure the backup policy and restore settings.
To launch worker instances in production accounts, Veeam Backup for AWS employs the following IAM roles:
- An IAM role that is used to retrieve network settings of AWS Regions in a production account when adding new or editing existing working configurations. The role must be assigned permissions listed in section Service IAM Roles in Production Accounts.
You must specify this IAM role in the Add Worker Configuration wizard as described in Adding Worker Configurations.
- An IAM role that is used to perform a backup or restore operation. Veeam Backup for AWS also uses this role to launch worker instances in a production account. That is why the role must be assigned additional permissions listed in section EFS Backup IAM Role Permissions, EC2 Backup IAM Role Permissions or EC2 Restore IAM Permissions.
You must specify this IAM role in the backup policy or restore settings as described in section Creating EFS Backup Policies, Creating EC2 Backup Policies, Performing Entire EC2 Instance Restore or Performing Volume-Level Restore.
- An IAM role that is attached to the launched worker instances and further used by Veeam Backup for AWS to communicate with the instances. The role must be assigned permissions listed in section Indexing Worker IAM Role Permissions, Backup and Restore Worker IAM Role Permissions or FLR Worker IAM Role Permissions.
You must specify this IAM role when enabling worker deployment in production accounts in the backup policy or restore settings as described in section Creating EFS Backup Policies, Creating EC2 Backup Policies, Performing Entire EC2 Instance Restore, Performing Volume-Level Restore or Performing File-Level Restore.
Since you do not specify an IAM role for file-level restore operations, the role that you specify when enabling worker deployment in production accounts in the restore settings is also used by Veeam Backup for AWS to launch worker instances.
To launch worker instances in production accounts, Veeam Backup for AWS automatically chooses the most appropriate network settings of AWS Regions (for example, specifies a VPC as a mount target for the processed file system) when performing EFS indexing operations, and uses the default network settings of AWS Regions (if any) when performing EC2 backup and restore operations. However, you can add worker configurations to specify network settings for each region in which worker instances will be deployed. You can add multiple worker configurations with different network settings per AWS Region.
To add a worker configuration:
- Switch to the Configuration page.
- Navigate to Workers > Network.
- Switch to the Production Accounts tab.
- In the Worker configurations section, click Add.
- Complete the Add Worker Configuration wizard.
- At the General step of the wizard, do the following:
- In the Account section, select an AWS account where resources that you plan to process belong and specify an IAM role that will be used to access and list region network settings in the selected AWS account. The role must be granted the permissions listed in section Service IAM Roles in Production Accounts.
For an IAM role to be displayed in the IAM role list, it must be added to Veeam Backup for AWS as described in section Adding IAM Roles. If you have not added the necessary IAM role to Veeam Backup for AWS beforehand, you can do it without closing the Add Worker Configuration wizard. To add an IAM role, click Add and complete the Add IAM Role wizard.
The selected IAM role will be used only to populate network settings for the Add Worker Configuration wizard. IAM roles whose permissions Veeam Backup for AWS will use to configure the specified settings when launching worker instances will be specified in the backup policy and restore settings.
- In the Region section, select an AWS Region and Availability Zone in which AWS resources that you plan to process reside.
If the newly created worker configuration will be used to perform only EC2 backup operations, there is no need to select the availability zone where the processed EC2 instances reside — you can select any zone in the specified region.
- At the Network step of the wizard, select an Amazon VPC and a subnet to which you want to connect worker instances created based on the new worker configuration, and specify a security group that will be associated with the instances. For an Amazon VPC, a subnet and a security group to be displayed in the lists of available network specifications, they must be created in AWS as described in AWS Documentation.
Veeam Backup for AWS will apply the specified network settings to all worker instances that will be launched in the specified location. For EFS indexing, Veeam Backup for AWS will also apply these settings to worker instances launched to process file systems that have mount targets in the selected VPC.
When adding a worker configuration, consider the following:
If you want worker instances to operate in a private network, configure VPC endpoints to let Veeam Backup for AWS use private IPv4 addresses. For more information, see Appendix C. Configuring Endpoints in AWS.
- At the Summary step of the wizard, review summary information and click Finish.