Deploying Veeam Backup for AWS in an Enterprise Environment
Introduction: Deploying Veeam Backup for AWS in an Enterprise Environment
As cloud adoption continues to soar, many enterprises are leveraging AWS to host critical workloads and data. Protecting this valuable information is of utmost importance and deploying a robust backup solution is essential. Veeam Backup for AWS offers a comprehensive solution that’s tailored for AWS environments. In this post, we will explore the key steps and considerations for deploying Veeam Backup for AWS in a complex enterprise environment.
Preparation and information collection: Key to successful deployment
While deploying Veeam Backup for AWS can be easy and straightforward thanks to the ability to deploy from AWS Marketplace, in a complex enterprise environment, preparation and information collection are key to a successful deployment. We strongly recommend reviewing our best practices guide and following our user guide for installation and deployment of Veeam Backup for AWS. Our best practices guide is a great place to understand sizing requirements and general information on what to expect from provisioning services from AWS.
Formulating a backup protection strategy: Retention times and archiving
Next, you need to outline your backup protection strategy, define your required retention times and points, and define your archiving strategy and the requirements you need to fulfill to comply with regulations and laws.
Understanding resource requirements: Permissions, services and organizational guidelines
In addition, you need to understand resource requirements around permissions, firewall rules, required services, and AWS service policy requirements and restrictions. This includes your organization’s guidelines around private endpoints, tagging, key management system policies and any other rule or guideline that your company sets in your AWS environment that could prevent successful deployment and normal operation of Veeam Backup for AWS.
Common Validation Areas
Outlined below is a list of key areas that customers should review and validate to ensure successful deployment:
- Permission to deploy from AWS Marketplace
Veeam Backup for AWS can be deployed in two ways, and both require marketplace permission and acceptance of Veeam’s EULA in AWS Marketplace. After accepting, you can continue to deploy from AWS Marketplace or deploy an EC2 instance with the Veeam Backup for AWS Amazon Machine Image (AMI).
- Setting the correct network configuration to support Veeam Backup for AWS
Veeam Backup for AWS appliances need to communicate with different AWS resources and have connectivity to the internet for software updates. Setting up the VPC, subnet, routing and security groups is essential for proper operation.
- Deploy Veeam Backup for AWS to your desired subnet
- Set subnet routing
- Deploy NAT gateway and/or internet gateway to properly access the internet
When establishing internet access for receiving crucial security and application updates, it is necessary that you deploy a NAT gateway and/or internet gateway within your infrastructure.
Ensuring proper communication between components in the Veeam Backup for AWS appliance and AWS services means specific ports need to be open.
Private endpoints allow you to access AWS services privately, which ensures that data transfer occurs exclusively within your VPC. This matters for industries with strict data privacy and compliance requirements, like healthcare or finance. AWS private endpoints provide a means to access AWS services while keeping data within a private network boundary. This helps organizations adhere to regulatory standards and maintain data confidentiality.
- Proper IAM permissions
- The Veeam Backup for AWS appliance needs to be able to assume roles. It can create required roles and policies by itself by using a user key and a user secret that have the authority to assume those roles. Veeam Backup for AWS will not use the key for any other purpose beyond configuring required roles and policies. More information on required roles and policies can be found HERE.
- It is imperative that you undertake a thorough verification process to ensure that the service control policies (SCPs) applied to your AWS account do not conflict with the IAM permissions required to deploy Veeam Backup for AWS. As service control policies override IAM permissions, a deny in SCP can prevent Veeam Backup for AWS from working properly.
Note that we require users to have cross-account roles, and roles in each account in which you want to back up services.
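The SCP check described above can be run offline against an exported policy document before deployment. The following is an added example, not Veeam's code: the sample policy, the function names and the `REQUIRED_ACTIONS` list are constructed for illustration, and the real action list comes from the user guide.

```python
from fnmatch import fnmatchcase

# Constructed sample SCP (not from any real organization).
SAMPLE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "NoRoleChanges", "Effect": "Deny",
     "Action": ["iam:CreateRole", "iam:Put*"], "Resource": "*"},
    {"Sid": "RegionLock", "Effect": "Deny", "NotAction": ["iam:*", "sts:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
]}

# Illustrative subset only; take the real list from the Veeam user guide.
REQUIRED_ACTIONS = ["iam:CreateRole", "iam:PutRolePolicy", "sts:AssumeRole",
                    "ec2:CreateSnapshot", "s3:PutObject"]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(patterns, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_conflicts(scp, required_actions):
    """Return (action, sid, kind) for each Deny statement covering a required action."""
    statements = scp.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        for action in required_actions:
            if "NotAction" in stmt:  # denies everything except the listed actions
                hit = not _matches(_as_list(stmt["NotAction"]), action)
            else:
                hit = _matches(_as_list(stmt.get("Action")), action)
            if hit:
                # A Condition block means the deny applies only to matching requests.
                kind = "conditional" if stmt.get("Condition") else "unconditional"
                findings.append((action, stmt.get("Sid", "<no Sid>"), kind))
    return findings


if __name__ == "__main__":
    for action, sid, kind in scp_conflicts(SAMPLE_SCP, REQUIRED_ACTIONS):
        print(f"{action}: denied by {sid} ({kind})")
```

The check covers explicit Deny statements only and ignores resource scoping, so it errs toward flagging. An SCP set that never allows an action also blocks it, which needs a separate review of the Allow statements attached at each level of the organization.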
Additional Considerations: SSL Certificate and Worker Tagging Requirements
- SSL certificate requirements
If your organization is enforcing certification requirements like the prohibition of self-signed certificates, you need to install your organization’s root certificate in Veeam Backup for AWS’s appliance.
- Worker tagging requirements
Should your corporate policies require you to assign worker tags, you can find information on how to add tags HERE.
Deploying Veeam Backup for AWS requires careful preparation and information collection. It is important to review Veeam’s best practices guide and user guide to understand sizing requirements and how to provision services from AWS. Additionally, outlining your backup protection strategy, defining retention times, retention points and archiving strategy is crucial.
By following these steps and considerations, enterprises can deploy Veeam Backup for AWS successfully in complex environments, ultimately ensuring the protection and availability of critical workloads and data hosted on AWS.
Deployment checklist: Your guide to successful Veeam Backup for AWS deployment
Please note that this checklist is not meant to replace the user guide, where comprehensive information on how to deploy Veeam Backup for AWS can be found.
Area | Task | Documentation link
EC2 | User allowed to create new instance |
EC2 | User allowed to deploy from marketplace |
EC2 | Veeam EULA signed in AWS Marketplace | LINK
IAM | Available user/key to create roles OR | LINK
IAM | Create roles and add required permissions | LINK
IAM | Verify no conflict between SCPs and IAM roles | LINK
IAM | Create roles in production accounts | LINK
IAM | Veeam Backup for AWS can access all required AWS services | LINK
Network | VPC prepared for VBA deployment | LINK
Network | Subnet prepared for VBA deployment | LINK
Network | Routing is configured | LINK
Network | Internet access is available to VBA | LINK
Network | Add relevant ports to security groups | LINK
Network | Private endpoints are configured | LINK
S3 | S3 Bucket doesn’t have CMK | LINK
S3 | S3 Bucket doesn’t have lifecycle configuration | LINK
S3 | Each repository uses a unique folder in a bucket |
S3 | Bucket S3 Object Lock and S3 Versioning enabled for an immutable repository | Object Lock, Versioning
Misc. | Verify SSL certification requirements for VBA appliances |
Misc. | Check appliance/workers tagging requirements | LINK
Getting Started With Veeam Backup for AWS: Helpful Links and Community Support
Start with Veeam Backup for AWS’s landing page, where you can start deploying your first Veeam Backup for AWS appliance and protect up to 10 instances for free!
Use our best practices guide and user guide to deploy yours today.
If you would like additional help, check out our forums or community, and interact with other Veeam community members and customers. Our engineering team is regularly answering questions in our forums, so this is a great channel directly into our R&D!