VMware Cloud on AWS Support. Considerations and Limitations

Veeam Availability for AWS


VMware Cloud on AWS is a vSphere environment running on AWS hardware that needs some specific preparation before Veeam Backup & Replication v9.5 Update 4b + Patch 2414 or newer can work with it. Apart from the preparation and limitations listed below, you can use it within Backup & Replication like any other vSphere environment to back up, restore and replicate VM workloads.

Some VMware features and permissions are not granted by default in VMware Cloud on AWS (VMC). As a result, the Veeam Backup & Replication features that depend on them are limited or do not operate. Depending on VMware update releases for VMware Cloud on AWS, the situation may change and the features from the table below may become available. Please contact your VMware administrator for timely updates.


Implementation step 1 - Backup & Replication

  1. Use a new Windows Server and install Veeam Backup & Replication v9.5 Update 4b + Patch 2414 or newer if you do not have a Veeam Backup Server. The server can run within any VMware Cloud on AWS SDDC, AWS S3 or on-premises environment, as long as a network connection to the VMC vCenter, the Veeam servers and, potentially, the VMs (for guest processing) is possible.
  2. Add DNS network settings so that this server can resolve Internet DNS names, including the fully qualified domain name of the VMC vCenter server.
  3. Check the below information carefully for any known limitations and configuration steps before you proceed.

Implementation step 2 - VMware Cloud on AWS

Firewall Configuration for vCenter connection

The Veeam Backup & Replication server and Veeam proxy server should be connected to the VMware vCenter using HTTPS through TCP port 443. On VMware Cloud on AWS there is no need to open ports to the ESXi hosts themselves. Because the vCenter Server is, by design of VMware Cloud on AWS, on another network (the Management Network), you need to configure one of the following 3 options:
  1. Usage of the vCenter public IP for customers with NSX-v (default)
    • Open Port TCP 443 from Backup Server and Proxy Server to the predefined vCenter object on the Compute Network.
    • Allow the Compute Gateway Public IP to communicate over TCP 443 with the predefined vCenter object on the Management Network.
  2. Usage of a VPN tunnel for customers with VMware NSX-v
    To be able to directly access the vCenter within VMC, please follow the VMC internal guidelines to create a VPN tunnel from the compute network to the management network: https://docs.vmware.com/en/VMware-Cloud-on-AWS/services/com.vmware.vmc-aws.getting-started/GUID-30BED7B3-D312-4DF3-BD7A-66F8D1C619DC.html
    Please update your DNS Servers to resolve the FQDN of the vCenter to its private IP address. If you want to use hosts entries on the Veeam Server for it, add them on all Veeam Backup and Proxy Servers.
    If your Backup & Replication (Management) Server is outside of the VMC cluster, please implement the same VPN connection for it.
  3. Usage of the local connection for customers with VMware NSX-t 
    NSX-t allows VMC customers to directly access the management network over the built-in firewall. TCP Port 443 needs to be opened from all Veeam Backup and Veeam Proxy Servers as a Source with the vCenter internal IP as a target.
    a) Configure DNS entry of the vCenter for local IP address usage.

    Go to your SDDC Management – Settings – vCenter FQDN and select the Private vCenter IP address.
    Hint: If you configure the vCenter DNS record for the internal IP address, a Backup & Replication server outside of VMC will lose its connection to VMC. You can use the local hosts file or any other DNS method to resolve the vCenter FQDN with the public IP address on the Veeam Server outside of VMC. Optionally, use the Public IP address for the VMC internal and external Veeam Server.

    b) Open firewall ports for vCenter Server access

    [Image: firewall rule on the Management Network]
    [Image: firewall rule on the Compute Gateway]

Implementation step 3 - add vCenter

Add vCenter to the Veeam console as described here: https://helpcenter.veeam.com/docs/backup/vsphere/add_vmware_server.html?ver=95
  1. Create a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user.
  2. When adding a vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).

Implementation step 4 - add Veeam Proxy

For any VMware Cloud on AWS SDDC Cluster, roll out at least one Veeam Proxy Server to be able to process HotAdd / Virtual Appliance Backup Mode. The Backup & Replication itself can be used when installed at the SDDC Cluster (Proxy preinstalled). Please look at the Veeam documentation for details: https://helpcenter.veeam.com/docs/backup/vsphere/add_vmware_proxy.html?ver=95

Implementation step 5 - add Veeam Repository

VMware Cloud on AWS has only one accessible vSAN disk. It would not make sense to use that disk for both production workloads and backups, so an external backup device needs to be added. Depending on the use case there are several ways to achieve this with different economic factors. Please find below an example of an Amazon S3 EC2 Linux Server (e.g. EC2 C4 Server with EBS ST1 storage) used as a backup target over the VMware Cloud on AWS integrated ENI network connection:


To connect the EC2 server(s) used as Veeam repositories, the following firewall configuration is needed:
  1. On the Compute Network:
    1. Open TCP 22 (SSH) port from Veeam Backup server and Veeam proxy server to the Amazon VPC where the EC2 Server was installed. You can also define the exact IP addresses of the repository server as the destination.
    2. Open TCP 2500-5000 ports for Veeam Data Transport in both directions for the same servers. It is recommended to use the VMware Cloud on AWS integrated high throughput/low latency ENI network connection to avoid any traffic costs.
  2. Open the same ports on the Inbound Firewall of the Amazon EC2 server used as a repository server. As the Firewall Rule Source you should add all Veeam Backup Servers (including Proxy/Repository/MountServer/Console/…) instead of
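
A way to check the vCenter rule (TCP 443) and the repository rule (TCP 22) from a Veeam Backup or proxy server once the firewall is configured. This is an added example, not part of the original KB; both host names are placeholders, and the helper function names are hypothetical.

```powershell
# Added example. Replace the two placeholder names with your own values.
$VCenterFqdn = 'vcenter.sddc-PLACEHOLDER.vmwarevmc.com'  # FQDN shown in the VMC interface
$Repository  = 'repo01.example.internal'                 # hypothetical EC2 repository host

# True for RFC 1918 addresses, i.e. the vCenter private IP rather than the public one.
function Test-PrivateIPv4 ([string]$Ip) {
    $b = ([ipaddress]$Ip).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Resolve the name the same way Veeam will (system resolver, hosts file included),
# then attempt a TCP connection to every IPv4 address it resolves to.
function Test-VeeamPath ([string]$HostName, [int]$Port) {
    $addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object AddressFamily -eq 'InterNetwork'
    foreach ($a in $addresses) {
        $ip = $a.IPAddressToString
        $r  = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $HostName
            Address   = $ip
            Scope     = $(if (Test-PrivateIPv4 $ip) { 'private' } else { 'public' })
            Port      = $Port
            Reachable = $r.TcpTestSucceeded
        }
    }
}

# vCenter must answer on 443; Scope shows whether DNS or the hosts file points
# at the private or the public vCenter IP from this machine.
Test-VeeamPath $VCenterFqdn 443
# The repository must answer on 22. TCP 2500-5000 is not probed here
# (assumption: ports in that range only listen while a job is using them).
Test-VeeamPath $Repository 22
```

Run it on every Veeam Backup and proxy server, since each one needs its own path to the vCenter and to the repository.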

Implementation step 6 - add secondary backup target

It is suggested to create a backup copy to an additional place. Depending on the use case there are several ways to achieve this with different economic factors. Among other ways the following technologies can be used:
  1. Veeam Backup Copy Job to a second EC2 Server used as an additional Repository. The second EC2 Server can be placed on another AWS Availability Zone or AWS Geo Location.
  2. AWS Storage Gateway Software in VTL mode can be used to emulate a Tape Library to write data to S3. Veeam Backup to Tape Jobs can be used with it. For details see: https://www.veeam.com/wp-using-aws-vtl-gateway-deployment-guide.html
  3. Veeam Backup Copy Job to on premises or Veeam Cloud Connect (Enterprise). There is no special configuration needed for this use case beside network and firewall connections. For standard Repository usage on premises it is recommended to create a VPN tunnel from VMware Cloud on AWS to the on premises datacenter. This can be done by the VMC integrated VPN functionality, by Veeam PN or Third Party.

Additional Scenarios
  1. VMware Cloud on AWS used as Restore target. 
    1. Implementation steps 1-4 are needed.
  2. Veeam VM Replication.
    1. Implementation steps 1-5 are needed. The Repository Server (when NOT used for Backups) can run within the VMware Cloud on AWS SDDC to store the Veeam Replication data. On premises to VMC, VMC to VMC and VMC to on premises are possible. Usage of Veeam Availability Orchestrator is possible in specific scenarios, see VAO deployment guide: https://helpcenter.veeam.com/docs/vao/deployment/welcome.html?ver=10

More Information

VMware Cloud on AWS specific problems and solutions:


There is no option to select a network at Veeam “Entire VM” restore to a new VM name wizard when VMware Cloud on AWS is used with VMware NSX-t.


To solve the issue, apply the patch:
  1. Download the patch.
  2. Check that you have version of Veeam Backup & Replication installed.
  3. Make sure that no jobs are running, close the Veeam console and stop all Veeam services on the Veeam Backup server.
  4. On the Veeam Backup server, rename the following original files by adding _original to the end of the file name in the folders C:\Program Files\Veeam\Backup and Replication\Backup
    and C:\Program Files\Veeam\Backup and Replication\Console:
    • Veeam.Backup.Common.dll
    • Veeam.Backup.Core.dll
    • Veeam.Backup.Interaction.VMware.dll
    • Veeam.Backup.PowerShell.dll
    • Veeam.Backup.ServiceLib.dll
    • Veeam.Backup.SureBackup.dll
    • Veeam.Backup.UI.FileRestore.dll
    • Veeam.Backup.VcdLib.dll
    • Veeam.Backup.ViSoap.dll
  5. Copy all files from the patch into the folders C:\Program Files\Veeam\Backup and Replication\Backup
    and C:\Program Files\Veeam\Backup and Replication\Console on the Veeam Backup server.
  6. Start the Veeam services on the Veeam Backup server.

Download patch: https://www.veeam.com/download_add_packs/vmware-esx-backup/kb2414/

MD5 checksum for kb2414.zip: ade0167d3c35f909ebf896937fd77d04
SHA-1 checksum for kb2414.zip: 41a1598f1b74f95cc2605c1a569c9b8539080169
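
Steps 3 to 6 above, gated on the published SHA-1, as an added example that is not part of the original KB or Veeam's own tooling. The download and extraction paths, the flat layout of the archive, and the "Veeam*" service display-name filter are assumptions.

```powershell
# Added example. $PatchZip and $PatchDir are assumed paths, not values from the KB.
$ErrorActionPreference = 'Stop'
$PatchZip     = 'C:\Temp\kb2414.zip'   # assumption: where the download was saved
$PatchDir     = 'C:\Temp\kb2414'       # assumption: scratch folder for extraction
$ExpectedSha1 = '41a1598f1b74f95cc2605c1a569c9b8539080169'   # value published in this KB
$Root    = 'C:\Program Files\Veeam\Backup and Replication'
$Folders = "$Root\Backup", "$Root\Console"
$Dlls    = 'Common', 'Core', 'Interaction.VMware', 'PowerShell', 'ServiceLib',
           'SureBackup', 'UI.FileRestore', 'VcdLib', 'ViSoap' |
           ForEach-Object { "Veeam.Backup.$_.dll" }

# Stop before touching anything if the archive is not the one the KB describes.
$actual = (Get-FileHash -Path $PatchZip -Algorithm SHA1).Hash
if ($actual -ne $ExpectedSha1) {       # -ne compares strings case-insensitively
    throw "kb2414.zip SHA-1 mismatch: got $actual"
}
Expand-Archive -Path $PatchZip -DestinationPath $PatchDir -Force

# Step 3: stop Veeam services (assumption: their display names start with "Veeam").
# Confirm manually that no jobs are running and the console is closed first.
$services = @(Get-Service -DisplayName 'Veeam*' | Where-Object Status -eq 'Running')
$services | Stop-Service -Force

try {
    foreach ($folder in $Folders) {
        # Step 4: keep each original DLL as <name>_original so it can be rolled back.
        foreach ($dll in $Dlls) {
            $path = Join-Path $folder $dll
            if (Test-Path $path) { Rename-Item -Path $path -NewName "${dll}_original" }
        }
        # Step 5: copy the patched files (assumption: they sit at the archive root).
        Copy-Item -Path (Join-Path $PatchDir '*') -Destination $folder -Force
    }
}
finally {
    # Step 6: restart exactly the services that were running before.
    $services | Start-Service
}
```

MD5 and SHA-1 catch a corrupted or swapped download but are no longer collision-resistant, so fetch the archive over HTTPS from the vendor URL and compare against the value on this page.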


Impossible to add the VMware Cloud on AWS vCenter server to the managed server, VMs within this vCenter are not visible in the list of VMs or an Error is displayed in the Veeam Jobs “Processing SQL Error: File does not exist or locked. …”


  1. Create a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user.
  2. When adding a vCenter server, specify the fully qualified domain name (FQDN) that ends with vmwarevmc.com or vmc.vmware.com (depending on the URL shown in the VMC interface for the vCenter).


When working with Restore or VM Replication wizard, users may face some issues accessing VMware Cloud on AWS vCenter server. By design, VMware does not provide customers access to the background infrastructure and used datastores.


For proper operation, you can select the specific areas marked as “Workload” or “Compute”. Avoid using the non-accessible areas, for example:
  • vsanDatastore datastore
  • Management VMs folder
  • Mgmt-ResourcePool resource pool


Backup & Replication stops working after VMware Cloud on AWS was automatically updated to Version 1.3 or newer.


UPDATE: New VMware Cloud on AWS SDDC 1.3 or newer (including the latest version 1.6) requires updated Veeam Backup & Replication components. Please download Update 4a (or newer) for Veeam Backup & Replication 9.5 here


Some of the Backup & Replication Features are not working correctly because of limitations of the VMware Cloud on AWS environment (compared with a standard vSphere environment).


Affected Veeam Feature: Instant VM Recovery
Limitation: Currently, VMware Cloud on AWS (VMC) does not allow for NFS usage
Workaround: Use a combination of a Veeam backup job and replication job for proactive restore capabilities

Affected Veeam Feature: Other OS File Level Recovery
Limitation: Currently, VMC does not allow for NFS
Workaround: Start Linux File-Level Recovery from a backup copy on-premises

Affected Veeam Feature: SureBackup, Sure Replica, OnDemand Labs, Virtual Lab
Limitation: Currently, VMC does not allow NFS and network manipulation
Workaround: As for SureReplica, you can perform it if the replication target is a non-VMC vSphere environment (e.g., replicate VM from VMC to on-premises)

Affected Veeam Feature: VM Replication ReIP
Limitation: ReIP is not available on VMC

Affected Veeam Feature: Non-Unicode VM names
Limitation: Currently, VMC does not allow non-Unicode characters for VM names within their APIs used at VMC

Affected Veeam Feature: VM Replication-based File Level Recovery
Workaround: Use file restore from backups or use a VM replica on a non VMC environment to start the File recovery

Affected Veeam Feature: Replication (where EC2-based repository is used to store replica metadata)
Limitation: Due to lack of permissions, the repository Data Mover is not able to connect to the Veeam Server
Workaround: Enable the "Run server on this side" option for the repository. For Windows repositories it can be found under Ports configuration; for Linux, under Advanced settings in the server configuration wizard.

See also:
VMware Cloud on AWS and Veeam – VMware KB
VMware Cloud on AWS SDDC 1.6 – VMware Compatibility Guide Listing
VMware Cloud on AWS SDDC 1.5 – VMware Compatibility Guide Listing
VMware vSAN and Veeam – VMware KB
VMware vSAN 6.7 U1 – VMware Compatibility Guide Listing
VMware vSAN 6.0-6.5 – VMware Compatibility Guide Listing

