Configuring Worker Instance Settings

    To perform image-level backup or restore backed-up data, you must first configure worker instance settings.

    1. Specify an IAM role for worker instances.
    2. Configure network settings for AWS Regions in which worker instances will be launched.

    Specifying IAM Role

    By default, Veeam Backup for AWS uses the Default Backup Restore IAM role to launch worker instances. The role is preconfigured and has all the required permissions to launch worker instances within the initial AWS account.

    You can specify a different IAM role, for example, if you want Veeam Backup for AWS to launch worker instances in another AWS account. Before you specify the necessary role, make sure it is added to Veeam Backup for AWS as described in section Adding IAM Roles.

    To specify an IAM role for worker instances, do the following:

    1. Switch to the Configuration page.
    2. Navigate to Workers > General.
    3. Click the link to the right of Worker IAM role.
    4. In the Choose IAM Role window, click the necessary IAM role, and then click Apply.

    After you specify the IAM role, it is recommended that you check whether the permissions of the specified IAM role are sufficient to launch worker instances. For information on how to check IAM role permissions, see Checking IAM Role Permissions. To learn what permissions the IAM role used to launch worker instances must have, see Service IAM Role Permissions.

    Configuring Network Settings

    For each AWS Region in which worker instances will be launched, you must configure network settings.

    To configure network settings, in the Worker network settings section, click Add and complete the Add Region wizard.

    1. At the Region step of the wizard, select the AWS Region and Availability Zone for which you want to configure network settings.
    2. At the Network Settings step of the wizard, select the Amazon VPC and subnet to which you want to connect worker instances, and specify the security group that must be associated with the instances. For more information on Amazon VPC, subnets and security groups, see AWS Documentation.

    Veeam Backup for AWS will apply the specified network settings to all worker instances that will be launched in the AWS Region and Availability Zone selected at the Region step of the wizard.


    Consider the following:

    • The public IPv4 addressing attribute must be enabled for the selected subnet, otherwise Veeam Backup for AWS will display a warning at the Summary step of the wizard. To learn how to enable the public IPv4 addressing attribute for a subnet, see AWS Documentation.

    To let Veeam Backup for AWS launch worker instances with private IPv4 addresses, the following endpoints must be configured for the selected subnet: sqs, ssm, ec2messages, ssmmessages. For information on how to configure endpoints, see AWS Documentation.

    • If you select an Outpost subnet, backup and restore operations in an AWS Region to which the AWS Outpost is connected may fail. The issue occurs if the default worker instance class (c5.large) is not supported for the AWS Outpost. To work around the issue, contact Veeam Customer Support.
    3. At the Summary step of the wizard, review summary information and click Finish.
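The subnet requirements above can be checked before running the wizard. The following is an added example, not code from Veeam or from this page: it evaluates output shaped like `aws ec2 describe-subnets` and `aws ec2 describe-vpc-endpoints` and reports whether the subnet has public IPv4 addressing enabled or, failing that, which of the four endpoints are missing. It assumes that "configured for the selected subnet" means an available Interface endpoint attached to that subnet; the function names and all sample IDs are constructed.

```python
import json

# Endpoint services this page lists for worker instances with private IPv4 addresses.
REQUIRED_SERVICES = ("sqs", "ssm", "ec2messages", "ssmmessages")

def check_worker_subnet(subnet, vpc_endpoints):
    """Evaluate one 'Subnets' entry against a 'VpcEndpoints' list.

    Assumption: an endpoint counts only if it is an available Interface
    endpoint that is attached to this subnet.
    """
    present = set()
    for ep in vpc_endpoints:
        if ep.get("VpcEndpointType") != "Interface" or ep.get("State") != "available":
            continue
        if subnet["SubnetId"] not in ep.get("SubnetIds", []):
            continue
        # Service names look like com.amazonaws.<region>.<service>
        present.add(ep.get("ServiceName", "").rsplit(".", 1)[-1])
    missing = [s for s in REQUIRED_SERVICES if s not in present]
    public = bool(subnet.get("MapPublicIpOnLaunch", False))
    # Either public IPv4 addressing or the full endpoint set satisfies the page's conditions.
    return {"public_ipv4": public, "missing_endpoints": missing,
            "ok": public or not missing}

def make_endpoint(service, state="available", subnets=("subnet-0aaa",)):
    """Build a constructed endpoint record; every ID here is a placeholder."""
    return {"VpcEndpointType": "Interface", "State": state, "VpcId": "vpc-0111",
            "ServiceName": "com.amazonaws.us-east-1." + service,
            "SubnetIds": list(subnets)}

# Constructed sample data, not taken from a real account.
SAMPLE_SUBNET = {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0111",
                 "MapPublicIpOnLaunch": False}
SAMPLE_ENDPOINTS = [
    make_endpoint("sqs"),
    make_endpoint("ssm"),
    make_endpoint("ec2messages", subnets=("subnet-0bbb",)),  # different subnet
    make_endpoint("ssmmessages", state="pending"),           # not yet usable
]

if __name__ == "__main__":
    print(json.dumps(check_worker_subnet(SAMPLE_SUBNET, SAMPLE_ENDPOINTS), indent=2))
```

A subnet that reports `ok: false` has neither public IPv4 addressing nor the full set of endpoints, so worker instances launched into it would not meet either condition described above.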
