Worker Deployment Options

Veeam Backup for AWS provides the following options for deploying worker instances:

Worker deployment in the backup account
Worker deployment in production accounts

The backup account is an AWS account in which Veeam Backup for AWS deploys worker instances to perform operations with resources belonging to either the same or any other AWS account. By default, worker instances are deployed in the backup account to perform most backup and restore operations with EC2 instances:

To deploy worker instances in the backup account, Veeam Backup for AWS employs a worker deployment role (service IAM role) that is then used to create temporary IAM roles to be attached to the deployed instances for communication with them. Out of the box, Veeam Backup for AWS uses the preconfigured Default Backup Restore role that has all the permissions required to perform data protection and disaster recovery operations. For more information on the Default Backup Restore role, see Deploying Backup Appliance.

You can specify the worker deployment role in the worker instance settings as described in section Managing Worker Instances. For more information on the IAM role permissions required to deploy worker instances in the backup account, see Worker IAM Permissions.

How Worker Deployment in Backup Account Works

To perform a data protection or disaster recovery operation, Veeam Backup for AWS deploys worker instances in the following way:

Assumes a worker deployment role to deploy the worker instances.
Deploys in the backup account a worker instance for each AWS account to which the processed resources belongs, and attaches to this instance a temporary IAM role that will be used to communicate with it.
When the operation session completes, removes the worker instances and the temporary IAM role from AWS.

Worker Deployment in Production Accounts

Production accounts are AWS accounts in which Veeam Backup for AWS deploys worker instances to perform operations with processed AWS resources belonging to the same AWS accounts. By design, worker instances are deployed in production accounts to perform the following operations:

Additionally, if you want to distribute workload across multiple AWS accounts and to manage resource costs for each account separately, you can instruct Veeam Backup for AWS to deploy worker instances in production accounts to perform the following operations:

To deploy worker instances in production accounts, Veeam Backup for AWS employs the following IAM roles:

Role	Permissions	Settings
An IAM role that is used to perform an operation (that is, a backup or restore IAM role)	Depending on the operation, the role must be assigned additional permissions listed in either of the following sections: EFS Backup IAM Role Permissions RDS Backup IAM Role Permissions EC2 Backup IAM Role Permissions EC2 Restore IAM Permissions	Depending on the operation, you must specify this IAM role in the backup policy or restore settings as described in either of the following sections: Creating EFS Backup Policies Creating EC2 Backup Policies Performing RDS Backup Performing Entire EC2 Instance Restore Performing Volume-Level Restore Performing RDS Database Restore
An IAM role that is attached to the deployed worker instances and further used by Veeam Backup for AWS to communicate with the instances (that is, a worker IAM role)	Depending on the operation, the role must be assigned permissions listed in either of the following sections: Worker Deployment Role Permissions in Production Accounts FLR Worker IAM Role Permissions	Depending on the operation, you must specify this IAM role when enabling worker deployment in production accounts in the backup policy or restore settings, as described in either of the following sections: Creating EFS Backup Policies Creating RDS Backup Policies Creating EC2 Backup Policies Performing RDS Database Restore Performing Entire EC2 Instance Restore Performing Volume-Level Restore Performing File-Level Recovery

Role

Permissions

Settings

An IAM role that is used to perform an operation (that is, a backup or restore IAM role)

Depending on the operation, the role must be assigned additional permissions listed in either of the following sections:

Depending on the operation, you must specify this IAM role in the backup policy or restore settings as described in either of the following sections:

An IAM role that is attached to the deployed worker instances and further used by Veeam Backup for AWS to communicate with the instances (that is, a worker IAM role)

Depending on the operation, the role must be assigned permissions listed in either of the following sections:

Depending on the operation, you must specify this IAM role when enabling worker deployment in production accounts in the backup policy or restore settings, as described in either of the following sections:

How Worker Deployment in Production Accounts Works

To perform a data protection or disaster recovery operation, Veeam Backup for AWS deploys worker instances in the following way:

Assumes a backup or restore role to deploy the worker instances.
Deploys in each production account a worker instance for each AWS account to which the processed resources belongs, and attaches to this instance a worker IAM role that will be used to communicate with it.
When the operation session completes, removes the worker instance from AWS. Note that Veeam Backup for AWS does not remove the worker IAM role since it will be used for future backup and restore operations.