Deploying Veeam Backup for AWS in an Enterprise Environment

Introduction: Deploying Veeam Backup for AWS in an Enterprise Environment

As cloud adoption continues to soar, many enterprises are leveraging AWS to host critical workloads and data. Protecting this valuable information is of utmost importance and deploying a robust backup solution is essential. Veeam Backup for AWS offers a comprehensive solution that’s tailored for AWS environments. In this post, we will explore the key steps and considerations for deploying Veeam Backup for AWS in a complex enterprise environment.

Preparation and information collection: Key to successful deployment

While Veeam Backup for AWS deployment could be easy and straightforward with the ability to deploy from AWS marketplace. In a complex enterprise environment, preparation and collecting information is key for successful deployment. We strongly recommend reviewing our best practices guide and following our user guide for installation and deployment of Veeam Backup for AWS. Our best practices guide is a great place to understand sizing requirements and general information on what to expect from provisioning services from AWS.

Formulating a backup protection strategy: Retention times and archiving

Next, you need to outline your backup protection strategy, define your required retention times and  points, and define your archiving strategy and the requirements you need to fulfill to comply with regulations and laws.

Understanding resource requirements: Permissions, services and organizational guidelines

In addition, you need to understand resource requirements around permissions, firewall rules, required services, AWS service policies requirements and restrictions. This includes your organization’s guidelines around private endpoints, tagging, key management system policies and any other rule or guideline that your company sets in your AWS environment that could  prevent successful deployment and normal operation of Veeam Backup for AWS.

Common Validation Areas

Outlined below is a list of key areas that customers should review and validate to ensure successful deployment:

  1. Permission to deploy from AWS Marketplace

Veeam Backup for AWS can be deployed in two ways, and both must have marketplace permission and accept Veeam’s EULA in AWS Marketplace. After accepting, you can continue to deploy from AWS Marketplace or deploy an EC2 instance with Veeam Backup for AWS Amazon machine image (AMI).

Setting the correct network configuration to support Veeam Backup for AWS Veeam Backup for AWS appliances need to communicate with different AWS resources and have connectivity to the internet for software updates. Setting up the VPC, subnet, routing and security groups are essential for proper operation.

  • Deploy Veeam Backup for AWS to your desired subnet
  • Set subnet routing
  • Deploy NAT gateway and/or internet gateway to properly access the internet

When establishing internet access for receiving crucial security and application updates, it is necessary that you deploy a NAT gateway and/or internet gateway within your infrastructure.

Ensuring proper communication between components in the Veeam Backup for AWS appliance and AWS services means specific ports need to be open.

Private endpoints allow you to access AWS services privately, which ensures that data transfer will occur exclusively within your VPC and industries with strict data privacy and compliance requirements like healthcare or finance. AWS private endpoints provide a means to access AWS services while keeping data within a private network boundary. This helps organizations adhere to regulatory standards and maintain data confidentiality.

  1. Proper IAM permissions
  • Veeam Backup for AWS appliance needs to be able to assume roles. It can create required roles and policies by itself by using a user key and a user secret that has the authority to assume those roles. Veeam Backup for AWS will not use the key for any other purpose beyond configuring required roles and policies. More information on required roles and policies can be found HERE.
  • It is imperative that you undertake a thorough verification process to ensure that the service control policies (SCPs) applied to your AWS account do not conflict with the IAM permissions required to deploy Veeam Backup for AWS. As service control policies override IAM permissions, a deny in SCP can prevent Veeam Backup for AWS from working properly.

***Note that we require users to have cross-account roles and roles in each account you want to back up services***

Additional Considerations: SSL Certificate and Worker Tagging Requirements

  • SSL certificate requirements

If your organization is enforcing certification requirements like the prohibition of self-signed certificates, you need to install your organization’s root certificate in Veeam Backup for AWS’s appliance.

  • Worker tagging requirements

Should your corporate policies require you to assign worker tags, you can find information on how to add tags HERE.

Deploying Veeam Backup for AWS requires careful preparation and information collection. It is important to review Veeam’s best practices guide and user guide to understand sizing requirements and how to provision services from AWS. Additionally, outlining your backup protection strategy, defining retention times, retention points and archiving strategy is crucial.

By following these steps and considerations, enterprises can deploy Veeam Backup for AWS successfully in complex environments, ultimately ensuring the protection and availability of critical workloads and data hosted on AWS.

Deployment checklist: Your guide to successful Veeam Backup for AWS deployment

Please note that this checklist is not to replace the user guide where comprehensive information on how to deploy Veeam Backup for AWS can be found.



Documentation link



User allowed to create new instance



User allowed to deploy from marketplace



Veeam EULA signed in AWS Marketplace




Available user/key to create roles OR



Create roles and add required permissions



Verify no conflict between SCP’s and IAM roles



Create roles in production accounts



Veeam Backup for AWS can access all required AWS services




VPC prepared for VBA deployment



Subnet prepared for VBA deployment



Routing is configured



Internet access is available to VBA



Add relevant ports to security groups



Private endpoints are configured




S3 Bucket doesn’t have CMK



S3 Bucket doesn’t have lifecycle configuration



Each repository uses a unique folder in a bucket



Bucket S3 Object Lock and S3 Versioning enabled for an immutable repository

Object Lock Versioning



Verify SSL certification requirements for VBA appliances



Check appliance/workers tagging requirements



Getting Started With Veeam Backup for AWS: Helpful Links and Community Support

Start with Veeam Backup for AWS’s landing page, where you can start deploying your first Veeam Backup for AWS appliance and protect up to 10 instances for free!

Use our best practices guide end user guide to deploy yours today.

If you would like additional help,, check out our forums or community, and interact with other Veeam community members and customers. Our engineering team is regularly answering questions in our forums, so this is a great channel directly into our R&D!



AWS Backup and Recovery
AWS Backup and Recovery
Veeam Backup for AWS


Similar Blog Posts
Technical | April 18, 2024
Business | April 16, 2024
Business | April 15, 2024
Stay up to date on the latest tips and news
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
You're all set!
Watch your inbox for our weekly blog updates.