- Veeam Support Knowledge Base
- VMware Cloud on AWS and VMware Cloud on Dell EMC Support. Considerations and Limitations
VMware Cloud on AWS and VMware Cloud on Dell EMC Support. Considerations and Limitations
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest
Challenge
VMware Cloud on AWS and VMware Cloud on Dell EMC are vSphere environments running on AWS and Dell EMC hardware, that needs some specific preparation to allow Veeam Backup & Replication 11.0.0.837 P20210525 or later to work with it. Besides the below-listed preparation and limitations, you can interact with it within Backup & Replication like any other vSphere environment to backup, restore, and replicate VM workloads.
Some VMware features and permissions are not granted by default with these VMware offerings. Thus, some Veeam Backup & Replication features will be limited or inoperable. Depending on VMware update releases, the situation may change, and the features from the table below may become available. Please contact your VMware administrator for timely update.
Solution
Implementation step 1 - Prepare Backup & Replication Server
- Use a new Windows Server and install Veeam Backup & Replication 11.0.0.837 P20210525 or later if you do not have a Veeam Backup Server. The Server can run within any VMware Cloud on AWS/DellEMC SDDC, the ENI connected AWS environment, or on-premises datacenter environments, if the network connection to the VMC vCenter/Veeam Servers and potentially the VMs (for Guest processing) is possible.
- Add DNS network settings so that this Server can resolve Internet DNS names to resolve the fully qualified domain name of the VMC vCenter server.
- Check the below information carefully for any known limitations and configuration steps before you proceed.
Implementation step 2 - Configure VMware Cloud
Firewall Configuration for vCenter connection
The Veeam Backup and Replication Server and Veeam proxy server should be connected to the VMware vCenter using HTTPS through TCP port 443. At VMware Cloud on AWS/DellEMC, there is no need to open ports to the ESXi hosts themselves. As the vCenter Server is by design of VMware Cloud on AWS/DellEMC on another network (Management Network), you need to configure one of the following 3 options:
Usage of the local connection for customers with VMware NSX-t (default)
NSX-t allows VMC customers to access the management network over the built-in firewall directly. TCP Port 443 needs to be opened from all Veeam Backup and Veeam Proxy Servers as a Source with the vCenter internal IP as a target.
- Configure DNS entry of the vCenter for local IP address usage.
Go to your SDDC Management – Settings – vCenter FQDN and select the Private vCenter IP address.
Hint: If you configure the vCenter DNS record for the internal IP address, you will lose VMC connection from the Backup and Replication Server outside of VMC. You can use the local hosts file or any other DNS method to resolve the vCenter FQDN with the public IP address on the Veeam Server outside of VMC. Optionally, use the Public IP address for the VMC internal and external Veeam Server.
- Open firewall ports for vCenter Server access
- On the Management Network
- On the Compute Gateway
Usage of the vCenter public IP for customers with NSX-v
- Open Port TCP 443 from Backup Server and Proxy Server to the predefined vCenter object on the Compute Network.
- Allow the Compute Gateway Public IP to communicate over TCP 443 with the predefined vCenter object on the Management Network.
Usage of a VPN tunnel for customers with VMware NSX-v
To be able to directly access the vСenter within VMC, please follow the VMC internal guidelines to create a VPN tunnel from the compute network to the management network.
Please update your DNS Servers to resolve the FQDN of the vСenter to its private IP address. If you want to use hosts entries on the Veeam Server for it, add them on all Veeam Backup and Proxy Servers.
If your Backup & Replication (Management) Server is outside of the VMC cluster, please implement the same VPN connection for it.
Implementation step 3 - add vCenter to Veeam Backup & Replication
Add vCenter to the Veeam console.
- When adding the vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).
- For the credentials, use either:
- The cloudadmin@vmc.local account.
or
- To use an account with the same permissions as the cloudadmin user, you'll need to make sure you have an external identity source configured in vCenter and ensure the user or group that you want to have those permissions is assigned the CloudAdmin role.
- The cloudadmin@vmc.local account.
Implementation step 4 - add Veeam Backup Proxy
For any VMware Cloud on AWS/DellEMC SDDC Cluster, deploy at least one Veeam Proxy Server to utilize Virtual Appliance (HOTADD) transport mode. If the Backup & Replication server is deployed in the SDDC Cluster, it may be used as a Backup Proxy.
Note: Linux-based Backup Proxy can not be used with VMware Cloud on AWS/DellEMC as they do not enable specific mandatory VMware VDDK settings.
Implementation step 5 - add Veeam Repository
As VMware Cloud on AWS/DellEMC has only one accessible vSAN disk, it would not be prudent to utilize that disk for both production workloads and backups. It is, therefore, advisable to have an external Backup device to store the backup files. Depending on the use case, there are several ways to achieve this with different economic factors.
You could, for example, achieve this by sending data directly to Amazon S3 object storage if applicable, or use an EC2 VM as a backup target and then tier to Amazon S3, or by sending backup data to a repository in a different location depending on the bandwidth and throughput available.
You may need to ensure network security groups allow Veeam repository traffic. Veeam - Backup Repository Connections.
Example of Linux EC2 w/ EBS Storage
To connect the EC2 Server(s) used as Veeam Repositories the following Firewall configuration is needed:
On the Compute Network:
Open TCP 22 (SSH) port from Veeam Backup server and Veeam proxy server to the Amazon VPC where the EC2 Server was installed. You can as well define the exact IP addresses of the repository server as Destination.
Open TCP 2500-5000 ports for Veeam Data Transport in both directions for same servers. It is recommended to use the VMware Cloud on AWS/DellEMC integrated high throughput/low latency ENI network connection to avoid any traffic costs.
- Open the same ports on the Inbound Firewall of the Amazon EC2 server used as a repository server. As the Firewall Rule Source, you should add all Veeam Backup Servers (including Proxy/Repository/MountServer/Console/…) instead of 0.0.0.0/0
| Ports |
Protocol |
Source |
| 2500-3300 |
tcp |
0.0.0.0/0 |
| 22 |
tcp |
0.0.0.0/0 |
Example of Direct Backup to Object Storage
Implementation step 6 - add secondary backup target
It is suggested to create a backup copy to an additional place. Depending on the use case, there are several ways to achieve this with different economic factors. Among other ways, the following technologies can be used:
- Veeam Scale-out Backup Repository – CapacityTier usage. In copy mode, this feature can be used to create additional backup copies at Amazon AWS S3. Make sure to use the internal interface of the S3 target to avoid internet traffic costs.
- For VMware Cloud on AWS, a Veeam Backup Copy Job to a second EC2 Server can be used as an additional Repository. The second EC2 Server can be placed on another AWS Availability Zone or AWS Geo-Location.
- AWS Storage Gateway Software in VTL mode can emulate a Tape Library to write data to S3. Veeam Backup to Tape Jobs can be used with it. For details, see https://www.veeam.com/wp-using-aws-vtl-gateway-deployment-guide.html.
- Veeam Backup Copy Job to on-premises or Veeam Cloud Connect (Enterprise). There is no special configuration needed for this use case besides network and firewall connections. For standard Repository usage on-premises, it is recommended to create a VPN tunnel from VMware Cloud on AWS/DellEMC to the on-premises datacenter. This can be done by the VMC integrated VPN functionality, by Veeam PN, or third-party.
Additional Scenarios
- VMware Cloud on AWS/DellEMC used as Restore target.
- Implementation steps 1-4 are needed.
- Veeam VM Replication.
- Implementation steps 1-5 are needed. The Repository Server (when NOT used for Backups, can run within the VMware Cloud on AWS/DellEMC SDDC to store the Veeam Replication data. On premises standard datacenter to VMC, VMC to VMC and VMC to on premises standard datacenter is possible. Usage of Veeam Availability Orchestrator is possible in specific scenarios. See VAO deployment guide.
VMware Cloud (VMC) specific problems and solutions:
- VMware internal monitoring reports access violations to ESXi host hardware sensors when Veeam ONE is used.
- Contact support to obtain registry vale to correct this.
- Contact support to obtain registry vale to correct this.
- When performing an Entire VM restore, using the Restore to a new location mode, to VMware Cloud on AWS with VMware NSX-t, the Network tab's Networks... selector is empty.
- To solve the issue, upgrade to Veeam Backup & Replication 11.0.0.837 P20210525 or later.
- To solve the issue, upgrade to Veeam Backup & Replication 11.0.0.837 P20210525 or later.
- Impossible to add the VMware Cloud on AWS/DellEMC vCenter server to the managed server. VMs within this vCenter are not visible in the list of VMs, or an Error is displayed in the Veeam Jobs “Processing SQL Error: File does not exist or locked. …”
- Create a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user.
- When adding a vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).
- When working with Restore or VM Replication wizard, users may face issues accessing VMware Cloud on AWS/DellEMC vCenter server. By design, VMware does not provide customers access to the background infrastructure and used datastores.
- For proper operation, you can select the specific areas marked as “Workload” or “Compute.” Avoid using the non-accessible areas, for example:
- vsanDatastore datastore
- Management VMs folder
- Mgmt-ResourcePool resource pool
- For proper operation, you can select the specific areas marked as “Workload” or “Compute.” Avoid using the non-accessible areas, for example:
- Veeam Backup & Replication stops working after VMware Cloud on AWS/DellEMC is automatically updated.
- Please check this article for the minimum required Veeam Backup & Replication version or Patches.
- For customers with socket-based licensing, ensure that the automatically generated new ESXi hosts can receive Veeam licenses. Potentially, older ESXi hosts need to be revoked from the license. We recommend using Veeam Universal Licensing to avoid any license-specific issues with VMware Cloud on AWS or VMware Cloud on DellEMC.
Some of the Backup & Replication Features are not working correctly because of limitations of the VMware Cloud on AWS/DellEMC environment (compared with a standard vSphere environment).
| Affected Veeam Feature | Limitation | Workaround |
Instant VM Recovery |
Currently, VMware Cloud on AWS (VMC) does not allow for NFS usage |
Use a combination of a Veeam backup job and replication job for proactive restore capabilities |
Other OS File Level Recovery |
Currently, VMC does not allow for NFS usage |
Start Linux File Level Recovery with a Linux server helper host, instead of using a temporary helper appliance |
SureBackup, Sure Replica, OnDemand Labs, Virtual Lab |
Currently, VMC does not allow NFS and network manipulation |
As for SureReplica, you can perform it if the replication target is a non-VMC vSphere environment (e.g., replicate VM from VMC to on-premises) |
VM Replication ReIP |
ReIP is not available on VMC |
|
Non-Unicode VM names |
Currently, VMC does not allow non-Unicode characters for VM names within their APIs used ad VMC |
|
VM Replication-based File Level Recovery |
|
Use file restore from backups or use a VM replica on a non VMC environment to start the File recovery |
| Replication (where EC2-based repository is used to store replica metadata) | Due to lack of permissions, the repository Data Mover is not able to connect to the Veeam Server | Enable "Run server on this side" option for the repository. For Windows repositories it can be found under Ports configuration, for Linux - under Advanced settings in the server configuration wizard. |
| Continuous Data Protection (CDP) | Currently, VMware Cloud on AWS (VMC) does not allow for CDP |
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please try again later.
You have selected too large block!
Please try select less.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.