Worker Instances
To perform most data protection and disaster recovery operations (such as creating and removing EC2 and RDS image-level backups, restoring backed-up data, EFS indexing), Veeam Backup for AWS uses worker instances. Worker instances are temporary Linux-based EC2 instances that are responsible for the interaction between the backup appliance, AWS services and other Veeam Backup for AWS components.
Worker Instance Components
A worker instance uses the following components:
- Veeam Data Mover — the service that performs data processing tasks. During backup, the Veeam Data Mover retrieves data of an AWS protected resource (EC2, RDS). During restore, the Veeam Data Mover transfers backed-up data from backup repositories to the target location.
- File-level recovery browser — the web service that allows you to find and save files and folders of a backed-up EC2 instance to the local machine or to the original location. The file-level recovery browser is installed automatically on every worker instance that is launched for file-level recovery.
Security Certificates for Worker Instances
Veeam Backup for AWS uses self-signed TLS certificates to establish secure communication between the web browser on the local machine and the file-level recovery browser on the worker instance during file-level recovery. A self-signed certificate is generated automatically on the worker instance when the restore session starts.
Veeam Backup for AWS automatically launches a worker instance in Amazon EC2 for the duration of a backup, restore or retention process and removes it immediately after the process is complete. Veeam Backup for AWS launches one worker instance per each AWS resource specified in a backup policy, restore or retention task.
Veeam Backup for AWS can launch worker instances in the following AWS accounts:
- The backup account is an AWS account to which the service IAM role specified to launch worker instances belongs. By default, Veeam Backup for AWS uses this account to launch worker instances for backup, restore and backup retention operations.
- Production accounts are the same AWS accounts where the processed resources belong. By default, Veeam Backup for AWS uses these accounts to launch worker instances for EFS indexing and for RDS backup and restore operations.
To minimize cross-region traffic charges, depending on the data protection and disaster recovery operation, Veeam Backup for AWS launches the worker instance in the following location:
Operation | Worker Instance Location | Possibility to Deploy Worker Instances in Production Accounts | Default Worker Instance Type |
|---|---|---|---|
Creating EC2 image-level backups | AWS Region in which a processed EC2 instance resides | Yes |
|
Restoring EC2 instances from image-level backups | AWS Region to which an EC2 instance is restored | Yes | |
Restoring EC2 volumes from image-level backups | AWS Region to which the volumes of a processed EC2 instance are restored | Yes | |
Performing health check for EC2 backups | AWS Region in which a backup repository with backed-up data resides | No | |
Creating EC2 archived backups | AWS Region in which a standard backup repository with backed-up data resides | No |
|
Performing file-level recovery from image-level backups | AWS Region in which a backup repository with backed-up data resides | No |
|
Performing file-level recovery from cloud-native snapshots and replicated snapshots | AWS Region in which a snapshot is located |
|
|
Creating RDS image-level backups | AWS Region and VPC in which a processed PostgreSQL DB instance resides | Yes |
|
Restoring PostgreSQL DB instances from image-level backups | AWS Region to which a DB instance is restored | Yes | |
Performing health check for RDS backups | AWS Region in which a backup repository with backed-up data resides | No | |
Creating RDS archived backups | AWS Region in which a standard backup repository with backed-up data resides | No |
|
Performing EFS indexing | AWS Region, Availability Zone and VPC in which a file system has a mount target created | Yes |
|
Applying retention policy settings to created restore points | AWS Region in which a backup repository with backed-up data resides | No |
|
Note |
For RDS image-level backup operations, performing EFS indexing, and restoring PostgreSQL DB instances from image-level backups, you can instruct Veeam Backup for AWS to deploy worker instances in production accounts only. |
Worker instances are deployed based on worker configurations and profiles. For more information, see Managing Worker Instances.
Required Ports
The following network ports must be open to ensure proper communication of components in Veeam Backup for AWS architecture:
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Web browser (local machine) | Worker instances | TCP/HTTPS | 443 | Required to access the file-level recovery browser running on a worker instance during the file-level recovery process. |
Worker instances | TCP/HTTPS | 443 | Required to perform data protection and disaster recovery operations. | |
TCP/NFS | 2049 | Required to perform EFS indexing. |
Required AWS Services
To perform backup and restore operations, worker instances must have outbound internet access to the following AWS services:
- Amazon Elastic Compute Cloud (EC2)
- AWS Systems Manager (SSM), including access to the ec2messages and ssmmessages endpoints
- Amazon Simple Queue Service (SQS)
If you want worker instances to operate in a private environment, you must enable the private network deployment functionality and configure VPC endpoints for all subnets to which the worker instances will be connected. Otherwise, the instances will not be able to access all the listed services. For more information, see Private Network Deployment.
How To Configure Worker Instance Settings
You can configure the following worker instance settings:
- Choose whether you want to deploy worker instances in the backup or production accounts.
- Specify groups of network settings that Veeam Backup for AWS will use to deploy worker instances in specific AWS Regions.
- Specify instance types that Veeam Backup for AWS will use to deploy worker instances in specific AWS Regions.
- Assign AWS tags to worker instances to help you differentiate the instances.