Worker Deployment Options
Veeam Backup for AWS provides the following options for deploying worker instances:
Worker Deployment in Backup Account
The backup account is an AWS account in which Veeam Backup for AWS deploys worker instances to perform operations with resources belonging to either the same or any other AWS account. By default, worker instances are deployed in the backup account to perform most backup and restore operations with EC2 instances:
- EC2 image-level backup
- Entire EC2 instance restore from image-level backups
- EC2 volume-level restore from image-level backups
- EC2 file-level recovery
- EC2 backup retention tasks
- RDS archived backup
To deploy worker instances in the backup account, Veeam Backup for AWS employs a worker deployment role (service IAM role) that is then used to create temporary IAM roles to be attached to the deployed instances for communication with them. Out of the box, Veeam Backup for AWS uses the preconfigured Default Backup Restore role that has all the permissions required to perform data protection and disaster recovery operations. For more information on the Default Backup Restore role, see Deploying Backup Appliance.
You can specify the worker deployment role in the worker instance settings as described in section Managing Worker Instances. For more information on the IAM role permissions required to deploy worker instances in the backup account, see Worker IAM Permissions.
How Worker Deployment in Backup Account Works
To perform a data protection or disaster recovery operation, Veeam Backup for AWS deploys worker instances in the following way:
- Assumes a worker deployment role to deploy the worker instances.
- Deploys in the backup account a worker instance for each AWS account to which the processed resources belong, and attaches to this instance a temporary IAM role that will be used to communicate with it.
- When the operation session completes, removes the worker instances and the temporary IAM role from AWS.
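The cleanup in the last step can be checked from CloudTrail records of the backup account. The following is an added example, not part of the Veeam documentation or product: it flags temporary IAM roles and worker instances that were created through the worker deployment role and never removed. The role ARNs, role names, instance IDs and events are constructed, and it assumes the create calls are logged under the worker deployment role's assumed-role session.

```python
# Constructed placeholder ARNs (not from the page); substitute your own roles.
DEPLOY_ROLE = "arn:aws:iam::111111111111:role/example-worker-deployment-role"
OTHER_ROLE = "arn:aws:iam::111111111111:role/example-admin"

def ev(name, issuer, req=None, resp=None, error=None):
    """Build a trimmed CloudTrail-style record (constructed sample data)."""
    rec = {"eventName": name, "requestParameters": req or {}, "responseElements": resp or {},
           "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": issuer}}}}
    if error:
        rec["errorCode"] = error
    return rec

def inst(*ids):
    """instancesSet structure used by RunInstances/TerminateInstances records."""
    return {"instancesSet": {"items": [{"instanceId": i} for i in ids]}}

def ids_in(part):
    return [i["instanceId"] for i in (part.get("instancesSet") or {}).get("items", [])]

def leftovers(events, deploy_role_arn):
    """Roles and instances created through the deployment role and never removed."""
    roles, instances = set(), set()
    for e in events:
        if e.get("errorCode"):  # a failed API call changed nothing
            continue
        issuer = e["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        mine = issuer == deploy_role_arn  # only creations by the deployment role are tracked
        req, resp = e.get("requestParameters") or {}, e.get("responseElements") or {}
        if e["eventName"] == "CreateRole" and mine:
            roles.add(req["roleName"])
        elif e["eventName"] == "DeleteRole":  # removal by any principal counts
            roles.discard(req["roleName"])
        elif e["eventName"] == "RunInstances" and mine:
            instances.update(ids_in(resp))
        elif e["eventName"] == "TerminateInstances":
            instances.difference_update(ids_in(req))
    return sorted(roles), sorted(instances)

# Constructed events: session A cleans up fully; session B's DeleteRole call fails.
SAMPLE = [
    ev("CreateRole", DEPLOY_ROLE, {"roleName": "example-temp-role-a"}),
    ev("RunInstances", DEPLOY_ROLE, resp=inst("i-0000000000000000a")),
    ev("TerminateInstances", DEPLOY_ROLE, inst("i-0000000000000000a")),
    ev("DeleteRole", DEPLOY_ROLE, {"roleName": "example-temp-role-a"}),
    ev("CreateRole", OTHER_ROLE, {"roleName": "example-unrelated-role"}),
    ev("CreateRole", DEPLOY_ROLE, {"roleName": "example-temp-role-b"}),
    ev("RunInstances", DEPLOY_ROLE, resp=inst("i-0000000000000000b")),
    ev("TerminateInstances", DEPLOY_ROLE, inst("i-0000000000000000b")),
    ev("DeleteRole", DEPLOY_ROLE, {"roleName": "example-temp-role-b"}, error="DeleteConflictException"),
]
```

A role left behind this way keeps whatever permissions were attached to it, so a non-empty result is worth reviewing after each session window.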
Worker Deployment in Production Accounts
Production accounts are AWS accounts in which Veeam Backup for AWS deploys worker instances to perform operations with processed AWS resources belonging to the same AWS accounts. By design, worker instances are deployed in production accounts to perform the following operations:
Additionally, if you want to distribute workload across multiple AWS accounts and to manage resource costs for each account separately, you can instruct Veeam Backup for AWS to deploy worker instances in production accounts to perform the following operations:
- EC2 image-level backup
- Entire EC2 instance restore from image-level backups
- EC2 volume-level restore from image-level backups
- EC2 file-level recovery from cloud-native snapshots
To deploy worker instances in production accounts, Veeam Backup for AWS employs the following IAM roles:
Role | Permissions | Settings |
---|---|---|
An IAM role that is used to perform an operation (that is, a backup or restore IAM role) | Depending on the operation, the role must be assigned additional permissions listed in either of the following sections: | Depending on the operation, you must specify this IAM role in the backup policy or restore settings as described in either of the following sections: |
An IAM role that is attached to the deployed worker instances and further used by Veeam Backup for AWS to communicate with the instances (that is, a worker IAM role) | Depending on the operation, the role must be assigned permissions listed in either of the following sections: | Depending on the operation, you must specify this IAM role when enabling worker deployment in production accounts in the backup policy or restore settings, as described in either of the following sections: |
How Worker Deployment in Production Accounts Works
To perform a data protection or disaster recovery operation, Veeam Backup for AWS deploys worker instances in the following way:
- Assumes a backup or restore role to deploy the worker instances.
- Deploys in each production account a worker instance for each AWS account to which the processed resources belong, and attaches to this instance a worker IAM role that will be used to communicate with it.
- When the operation session completes, removes the worker instance from AWS. Note that Veeam Backup for AWS does not remove the worker IAM role since it will be used for future backup and restore operations.