VMware Cloud on AWS Support. Considerations and Limitations

Challenge

Solution

 Implementation step 1 - Backup & Replication  

1. Use a new Windows Server and install Veeam Backup & Replication v9.5 Update 3 or newer if you do not have an Veeam Backup Server. The Server can run within any VMware cloud on AWS SDDC, AWS S3 or on premises environments, if the network connection to the VMC vCenter/Veeam Servers potentially the VMs (for Guest processing) is possible.
2. Install the latest VMware Cloud on AWS Veeam patch:
   Please download the patch for Veeam Backup & Replication 9.5 Update 3 for VMware Cloud on AWS SDDC Version 1.4 (released May, 2018) here (instructions included).
3. Add DNS network settings so that this Server can resolve Internet DNS names.
4. Check the below information carefully for any known limitations and configuration steps before you proceed.

Implementation step 2 - VMware Cloud on AWS

Firewall Configuration for vCenter connection

The Veeam Backup and Replication Server and Veeam proxy server should be connected to the VMware vCenter using HTTPS through TCP port 443. At VMware Cloud on AWS there is no need to open ports to the ESXi hosts itself. As the vCenter Server is by design of VMware Cloud on AWS on another network (Management Network) you need to implement a VPN tunnel to it or configure the following firewall settings:

1. Open Port TCP 443 from Backup Server and Proxy Server to the predefined vCenter object on the Compute Network.
   
2. Allow the Compute Gateway Public IP to communicate over TCP 443 with the predefined vCenter object on the Management Network.
   

Implementation step 3 - add vCenter

Add vCenter to the Veeam console as described here: https://helpcenter.veeam.com/docs/backup/vsphere/add_vmware_server.html?ver=95

1. Create a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user.
2. When adding a vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).

Implementation step 4 - add Veeam Proxy

For any VMware Cloud on AWS SDDC Cluster, roll out at least one Veeam Proxy Server to be able to process HotAdd / Virtual Appliance Backup Mode. The Backup & Replication itself can be used when installed at the SDDC Cluster (Proxy preinstalled). Please look at the Veeam documentation for details: https://helpcenter.veeam.com/docs/backup/vsphere/add_vmware_proxy.html?ver=95

Implementation step 5 - add Veeam Repository

VMware Cloud on AWS has only one accessible vSAN disk. It would not make sense to use that disk for production workloads and backups. An external Backup device needs to be added. Depending on the use case there are several ways to achieve this with different economic factors. Please find below an example of an Amazon S3 EC2 Linux Server (e.g. EC2 C4 Server with EBS ST1 storage) used as a backup target over the VMware Cloud on AWS integrated ENI network connection:



To connect the EC2 Server(s) used as Veeam Repositories the following Firewall configuration is needed:

1. On the Compute Network:
   1. Open TCP 22 (SSH) port from Veeam Backup server and Veeam proxy server to the Amazon VPC where the EC2 Server was installed. You can as well define the exact IP addresses of the repository server as Destination.
   2. Open TCP 2500-5000 ports for Veeam Data Transport in both directions for same servers. It is recommended to use the VMware Cloud on AWS integrated high throughput/low latency ENI network connection to avoid any traffic costs.
2. Open the same ports on the Inbound Firewall of the Amazon EC2 server used as a repository server. As the Firewall Rule Source you should add all Veeam Backup Servers (including Proxy/Repository/MountServer/Console/…) instead of 0.0.0.0/0                                                                                                                                                                 

Implementation step 6 - add secondary backup target

It is suggested to create a backup copy to an additional place. Depending on the use case there are several ways to achieve this with different economic factors. Among other ways the following technologies can be used:

1. Veeam Backup Copy Job to a second EC2 Server used as an additional Repository. The second EC2 Server can be placed on another AWS Availability Zone or AWS Geo Location.
2. AWS Storage Gateway Software in VTL mode can be used to emulate a Tape Library to write data to S3. Veeam Backup to Tape Jobs can be used with it. For details see: https://www.veeam.com/wp-using-aws-vtl-gateway-deployment-guide.html
3. Veeam Backup Copy Job to on premises or Veeam Cloud Connect (Enterprise). There is no special configuration needed for this use case beside network and firewall connections. For standard Repository usage on premises it is recommended to create a VPN tunnel from VMware Cloud on AWS to the on premises datacenter. This can be done by the VMC integrated VPN functionality, by Veeam PN or Third Party.

Additional Scenarios

1. VMware Cloud on AWS used as Restore target. 
   1. Implementation steps 1-4 are needed.
2. Veeam VM Replication.
   1.  Implementation steps 1-5 are needed. The Repository Server (when NOT used for Backups, can run within the VMware Cloud on AWS SDDC to store the Veeam Replication data. On premises to VMC, VMC to VMC and VMC to on premises is possible. Usage of Veeam Availability Orchestrator is possible in specific scenarios, see VAO deployment guide: https://helpcenter.veeam.com/docs/vao/deployment/welcome.html?ver=10

More Information