IDC

Veeam #1 Worldwide in
Data Recovery & Protection in 2H'22

LEARN MORE

VMware Cloud on AWS and VMware Cloud on Dell EMC Support. Considerations and Limitations

KB ID: 2414
Product: Veeam Backup & Replication | 12
Published: 2017-12-14
Last Modified: 2023-03-29
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

VMware Cloud on AWS and VMware Cloud on Dell EMC are vSphere environments running on AWS and Dell EMC hardware, that needs some specific preparation to allow Veeam Backup & Replication 11.0.0.837 P20210525 or later to work with it. Besides the below-listed preparation and limitations, you can interact with it within Backup & Replication like any other vSphere environment to backup, restore, and replicate VM workloads.

Some VMware features and permissions are not granted by default with these VMware offerings. Thus, some Veeam Backup & Replication features will be limited or inoperable. Depending on VMware update releases, the situation may change, and the features from the table below may become available. Please contact your VMware administrator for timely update.

Solution

Implementation step 1 - Prepare Backup & Replication Server

  1. Use a new Windows Server and install Veeam Backup & Replication 11.0.0.837 P20210525 or later if you do not have a Veeam Backup Server. The Server can run within any VMware Cloud on AWS/DellEMC SDDC, the ENI connected AWS environment, or on-premises datacenter environments, if the network connection to the VMC vCenter/Veeam Servers and potentially the VMs (for Guest processing) is possible.
  2. Add DNS network settings so that this Server can resolve Internet DNS names to resolve the fully qualified domain name of the VMC vCenter server.
  3. Check the below information carefully for any known limitations and configuration steps before you proceed.

Implementation step 2 - Configure VMware Cloud

Firewall Configuration for vCenter connection

The Veeam Backup and Replication Server and Veeam proxy server should be connected to the VMware vCenter using HTTPS through TCP port 443. At VMware Cloud on AWS/DellEMC, there is no need to open ports to the ESXi hosts themselves. As the vCenter Server is by design of VMware Cloud on AWS/DellEMC on another network (Management Network), you need to configure one of the following 3 options:

Usage of the local connection for customers with VMware NSX-t (default)

NSX-t allows VMC customers to access the management network over the built-in firewall directly. TCP Port 443 needs to be opened from all Veeam Backup and Veeam Proxy Servers as a Source with the vCenter internal IP as a target.

  1. Configure DNS entry of the vCenter for local IP address usage.

    Go to your SDDC Management – Settings – vCenter FQDN and select the Private vCenter IP address.

    Hint: If you configure the vCenter DNS record for the internal IP address, you will lose VMC connection from the Backup and Replication Server outside of VMC. You can use the local hosts file or any other DNS method to resolve the vCenter FQDN with the public IP address on the Veeam Server outside of VMC. Optionally, use the Public IP address for the VMC internal and external Veeam Server.
dns settings
  1. Open firewall ports for vCenter Server access
  • On the Management Network
firewall settings for management network
  • On the Compute Gateway
firewall settings for compute gateway
Usage of the vCenter public IP for customers with NSX-v
  • Open Port TCP 443 from Backup Server and Proxy Server to the predefined vCenter object on the Compute Network.
Management Gateway
  • Allow the Compute Gateway Public IP to communicate over TCP 443 with the predefined vCenter object on the Management Network.
Compute Gateway
Usage of a VPN tunnel for customers with VMware NSX-v

To be able to directly access the vСenter within VMC, please follow the VMC internal guidelines to create a VPN tunnel from the compute network to the management network.

Please update your DNS Servers to resolve the FQDN of the vСenter to its private IP address. If you want to use hosts entries on the Veeam Server for it, add them on all Veeam Backup and Proxy Servers.

If your Backup & Replication (Management) Server is outside of the VMC cluster, please implement the same VPN connection for it.

Implementation step 3 - add vCenter to Veeam Backup & Replication

Add vCenter to the Veeam console.

  • When adding the vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).
  • For the credentials, use either:
    • The cloudadmin@vmc.local account.

      or
    • To use an account with the same permissions as the cloudadmin user, you'll need to make sure you have an external identity source configured in vCenter and ensure the user or group that you want to have those permissions is assigned the CloudAdmin role.

Implementation step 4 - add Veeam Backup Proxy

For any VMware Cloud on AWS/DellEMC SDDC Cluster, deploy at least one Veeam Proxy Server to utilize Virtual Appliance (HOTADD) transport mode. If the Backup & Replication server is deployed in the SDDC Cluster, it may be used as a Backup Proxy.

Note: Linux-based Backup Proxy can not be used with VMware Cloud on AWS/DellEMC as they do not enable specific mandatory VMware VDDK settings.

Implementation step 5 - add Veeam Repository

As VMware Cloud on AWS/DellEMC has only one accessible vSAN disk, it would not be prudent to utilize that disk for both production workloads and backups. It is, therefore, advisable to have an external Backup device to store the backup files. Depending on the use case, there are several ways to achieve this with different economic factors.
 
You could, for example, achieve this by sending data directly to Amazon S3 object storage if applicable, or use an EC2 VM as a backup target and then tier to Amazon S3, or by sending backup data to a repository in a different location depending on the bandwidth and throughput available.
 
You may need to ensure network security groups allow Veeam repository traffic. Veeam - Backup Repository Connections.

Example of Linux EC2 w/ EBS Storage
Below is an example of an Amazon S3 EC2 Linux Server (e.g. EC2 C4 Server with EBS ST1 storage) used as a backup target over the VMware Cloud on AWS integrated ENI network connection.
Example of Linux EC2 Repository

To connect the EC2 Server(s) used as Veeam Repositories the following Firewall configuration is needed:

  1. On the Compute Network:

    1. Open TCP 22 (SSH) port from Veeam Backup server and Veeam proxy server to the Amazon VPC where the EC2 Server was installed. You can as well define the exact IP addresses of the repository server as Destination.

    2. Open TCP 2500-5000 ports for Veeam Data Transport in both directions for same servers. It is recommended to use the VMware Cloud on AWS/DellEMC integrated high throughput/low latency ENI network connection to avoid any traffic costs.

  1. Open the same ports on the Inbound Firewall of the Amazon EC2 server used as a repository server. As the Firewall Rule Source, you should add all Veeam Backup Servers (including Proxy/Repository/MountServer/Console/…) instead of 0.0.0.0/0
Ports
Protocol
Source
2500-3300
tcp
0.0.0.0/0
22
tcp
0.0.0.0/0
Swipe to show more of the table
firewall port example
Example of Direct Backup to Object Storage
Below is an example of an Amazon S3 bucket used as a backup target over the VMware Cloud on AWS integrated ENI network connection.
DirectBackup
With Direct to Object backup, customers can now send their backups directly to object storage without needing an EC2 VM instance.  This can provide significant economic savings.

Implementation step 6 - add secondary backup target

It is suggested to create a backup copy to an additional place. Depending on the use case, there are several ways to achieve this with different economic factors. Among other ways, the following technologies can be used:

  • Veeam Scale-out Backup RepositoryCapacityTier usage. In copy mode, this feature can be used to create additional backup copies at Amazon AWS S3. Make sure to use the internal interface of the S3 target to avoid internet traffic costs.
  • For VMware Cloud on AWS, a Veeam Backup Copy Job to a second EC2 Server can be used as an additional Repository. The second EC2 Server can be placed on another AWS Availability Zone or AWS Geo-Location.
  • AWS Storage Gateway Software in VTL mode can emulate a Tape Library to write data to S3. Veeam Backup to Tape Jobs can be used with it. For details, see https://www.veeam.com/wp-using-aws-vtl-gateway-deployment-guide.html.
  • Veeam Backup Copy Job to on-premises or Veeam Cloud Connect (Enterprise). There is no special configuration needed for this use case besides network and firewall connections. For standard Repository usage on-premises, it is recommended to create a VPN tunnel from VMware Cloud on AWS/DellEMC to the on-premises datacenter. This can be done by the VMC integrated VPN functionality, by Veeam PN, or third-party.

 Additional Scenarios

  1. VMware Cloud on AWS/DellEMC used as Restore target. 
    1. Implementation steps 1-4 are needed.
  2. Veeam VM Replication.
    1.  Implementation steps 1-5 are needed. The Repository Server (when NOT used for Backups, can run within the VMware Cloud on AWS/DellEMC SDDC to store the Veeam Replication data. On premises standard datacenter to VMC, VMC to VMC and VMC to on premises standard datacenter is possible. Usage of Veeam Availability Orchestrator is possible in specific scenarios. See VAO deployment guide.

VMware Cloud (VMC) specific problems and solutions:

  • VMware internal monitoring reports access violations to ESXi host hardware sensors when Veeam ONE is used.
  • When performing an Entire VM restore, using the Restore to a new location mode, to VMware Cloud on AWS with VMware NSX-t, the Network tab's Networks... selector is empty.
  • Impossible to add the VMware Cloud on AWS/DellEMC vCenter server to the managed server. VMs within this vCenter are not visible in the list of VMs, or an Error is displayed in the Veeam Jobs “Processing SQL Error: File does not exist or locked. …
    • Create a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user.
    • When adding a vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).
       
  • When working with Restore or VM Replication wizard, users may face issues accessing VMware Cloud on AWS/DellEMC vCenter server. By design, VMware does not provide customers access to the background infrastructure and used datastores.
    • For proper operation, you can select the specific areas marked as “Workload” or “Compute.” Avoid using the non-accessible areas, for example:
      • vsanDatastore datastore
      • Management VMs folder
      • Mgmt-ResourcePool resource pool
         
  • Veeam Backup & Replication stops working after VMware Cloud on AWS/DellEMC is automatically updated.
    • Please check this article for the minimum required Veeam Backup & Replication version or Patches.
    • For customers with socket-based licensing, ensure that the automatically generated new ESXi hosts can receive Veeam licenses. Potentially, older ESXi hosts need to be revoked from the license. We recommend using Veeam Universal Licensing to avoid any license-specific issues with VMware Cloud on AWS or VMware Cloud on DellEMC.

 

Some of the Backup & Replication Features are not working correctly because of limitations of the VMware Cloud on AWS/DellEMC environment (compared with a standard vSphere environment).

Affected Veeam Feature Limitation Workaround

Instant VM Recovery

Currently, VMware Cloud on AWS (VMC) does not allow for NFS usage

Use a combination of a Veeam backup job and replication job for proactive restore capabilities

Other OS File Level Recovery

Currently, VMC does not allow for NFS usage

Start Linux File Level Recovery with a Linux server helper host, instead of using a temporary helper appliance

SureBackup, Sure Replica, OnDemand Labs, Virtual Lab

Currently, VMC  does not allow NFS and network manipulation

As for SureReplica, you can perform it if the replication target is a non-VMC vSphere environment (e.g., replicate VM from VMC to on-premises)

VM Replication ReIP

ReIP is not available on VMC

 

Non-Unicode VM names

Currently, VMC does not allow non-Unicode characters for VM names within their APIs used ad VMC

 

VM Replication-based File Level Recovery

 

Use file restore from backups or use a VM replica on a non VMC environment to start the File recovery

Replication (where EC2-based repository is used to store replica metadata) Due to lack of permissions, the repository Data Mover is not able to connect to the Veeam Server Enable "Run server on this side" option for the repository. For Windows repositories it can be found under Ports configuration,
for Linux - under Advanced settings in the server configuration wizard.
Continuous Data Protection (CDP) Currently, VMware Cloud on AWS (VMC) does not allow for CDP  
Swipe to show more of the table
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.