
How to Configure Endpoints for Veeam Backup for AWS

Challenge

You want to launch workers in a subnet where auto-assignment of public IPv4 addresses is disabled.

Solution

If you start workers in a region using a subnet where auto-assignment of public IPv4 addresses is disabled, you need to configure several endpoints for the services that Veeam Backup for AWS requires to work correctly.

The list of endpoints may vary depending on what operations you want to perform.
VPC interface endpoint creation
  1. Go to the VPC Service.
  2. Select the Endpoints section from the list on the left panel and click Create Endpoint.
  3. For Service Name, select the needed endpoint in the format com.amazonaws.region.service (e.g. com.amazonaws.eu-west-3.ssm)
  4. For VPC, choose the VPC ID you want to use for the workers.
  5. For Subnets, choose the Subnet ID you want to use for the workers.
  6. For Enable Private DNS Name, select Enable for this endpoint.
  7. For Security Group, select an existing security group, or create a new one.
    Ensure that the security group that's associated with the endpoint network interface allows communication between the endpoint network interface and the resources in your VPC that communicate with the service. If the security group restricts inbound HTTPS traffic (port 443) from resources in the VPC, you might not be able to send traffic through the endpoint network interface.
  8. Click Create Endpoint.
For more information, see AWS Documentation.
    S3 Gateway endpoint creation
    1. Go to the VPC Service.
    2. Select the Endpoints section from the list on the left panel and click Create Endpoint.
    3. For Service Name, select the needed endpoint in the format com.amazonaws.region.service (e.g. com.amazonaws.eu-west-3.ssm)
    4. For VPC, choose the VPC ID you want to use for the workers.
    5. For Configure route tables, select the route tables to be used by the endpoint. Amazon automatically adds to the selected route tables a route that points traffic destined for the service to the endpoint.
    6. For Policy, choose the type of policy. You can leave the default option, Full Access, to allow full access to the service. Alternatively, you can select Custom, and then use the AWS Policy Generator to create a custom policy or enter your own policy in the policy window.
    7. Click Create Endpoint.
    For more information, see AWS Documentation.
     
    Backup to S3
    If you want to perform a backup to an S3 repository using private IP addresses for your workers, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the source instance location (if there are no settings on the Workers page for the specific region, the default settings are used):
    -com.amazonaws.region.ec2messages 
    -com.amazonaws.region.ssm 
    -com.amazonaws.region.sqs 
    -com.amazonaws.region.s3 
    -com.amazonaws.region.ebs
    Important:
    • If you perform a backup to an S3 repository, a worker will be started in the same region as the source instance (in the account selected on the Workers page).
      Endpoints must be configured for the subnet that is used for the worker.
    • Your source instance and S3 repository should be in the same region. This is an AWS limitation: «Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region». For more information, see AWS Documentation.
      This limitation applies only to regions: a source instance and S3 repository can be in different accounts.
    Restore
    If you want to perform a restore from an S3 repository using private IP addresses for your workers, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the target instance location (if there are no settings on the Workers page for this region, the default settings are used):
    -com.amazonaws.region.ec2messages 
    -com.amazonaws.region.ssm 
    -com.amazonaws.region.sqs 
    -com.amazonaws.region.s3
    Important:
    • If you perform a restore from an S3 repository, a worker will be started in the target instance location (in the account selected on the Workers page).
      Endpoints must be configured for the subnet that is used for the worker.
    • Target region and your S3 repository location should be the same. This is an AWS limitation: «Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region». For more information, see AWS Documentation.
      This limitation applies only to regions – a target instance and S3 repository location should be the same, but can be in different accounts.
    File-level Restore
     

    From Snapshot

    If you want to perform an FLR from a snapshot in a private network, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the region where the snapshot is located (if there are no settings on the Workers page for this region, the default settings are used):

    -com.amazonaws.region.ec2messages 
    -com.amazonaws.region.ssm 
    -com.amazonaws.region.sqs

    Important: 
    If you perform an FLR from a snapshot, a worker will be started in the same region as the snapshot location.
    Endpoints must be configured for the subnet that is used for the worker.
     

    From Backup

    If you want to perform an FLR from an S3 repository in a private network, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the region where S3 is located (if there are no settings on the Workers page for this location, the default settings are used):
    -com.amazonaws.region.ec2messages 
    -com.amazonaws.region.ssm 
    -com.amazonaws.region.sqs 
    -com.amazonaws.region.s3
    Important:
    If you perform an FLR from an S3 repository, a worker will be started in the same region as the S3 repository location.
    Endpoints must be configured for the subnet that is used for the worker.
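
To confirm that the endpoint procedures above left a worker subnet with everything a given operation needs, the following added example (not Veeam or AWS code) checks output in the shape of `aws ec2 describe-vpc-endpoints` against the per-operation lists in this article. The operation keys, the function name and all resource IDs are assumptions made for illustration; the subnet and private DNS checks follow steps 5 and 6 of the interface endpoint procedure.

```python
import json

# Endpoint services this article lists per operation (keys are hypothetical labels).
REQUIRED = {
    "backup_to_s3": ["ec2messages", "ssm", "sqs", "s3", "ebs"],
    "restore": ["ec2messages", "ssm", "sqs", "s3"],
    "flr_from_snapshot": ["ec2messages", "ssm", "sqs"],
    "flr_from_backup": ["ec2messages", "ssm", "sqs", "s3"],
}

def endpoint_gaps(described, operation, region, vpc_id, subnet_id, route_table_id):
    """Return {service: reason} for every endpoint the worker subnet lacks."""
    gaps = {}
    for svc in REQUIRED[operation]:
        name = f"com.amazonaws.{region}.{svc}"
        found = [e for e in described["VpcEndpoints"]
                 if e["ServiceName"] == name and e["VpcId"] == vpc_id
                 and e.get("State") == "available"]
        if not found:
            gaps[svc] = "no available endpoint in the VPC"
        elif svc == "s3":
            # S3 is created as a gateway endpoint, which works through route tables.
            if not any(e["VpcEndpointType"] == "Gateway"
                       and route_table_id in e.get("RouteTableIds", []) for e in found):
                gaps[svc] = "gateway endpoint not on the subnet's route table"
        else:
            iface = [e for e in found if e["VpcEndpointType"] == "Interface"
                     and subnet_id in e.get("SubnetIds", [])]
            if not iface:
                gaps[svc] = "interface endpoint not in the worker subnet"
            elif not any(e.get("PrivateDnsEnabled") for e in iface):
                gaps[svc] = "private DNS name not enabled"
    return gaps

# Constructed sample data; every ID below is made up for this example.
SAMPLE = json.loads("""{"VpcEndpoints": [
 {"ServiceName": "com.amazonaws.eu-west-3.ssm", "VpcId": "vpc-0aaa", "State": "available", "VpcEndpointType": "Interface", "SubnetIds": ["subnet-0bbb"], "PrivateDnsEnabled": true},
 {"ServiceName": "com.amazonaws.eu-west-3.ec2messages", "VpcId": "vpc-0aaa", "State": "available", "VpcEndpointType": "Interface", "SubnetIds": ["subnet-0bbb"], "PrivateDnsEnabled": false},
 {"ServiceName": "com.amazonaws.eu-west-3.sqs", "VpcId": "vpc-0aaa", "State": "available", "VpcEndpointType": "Interface", "SubnetIds": ["subnet-0zzz"], "PrivateDnsEnabled": true},
 {"ServiceName": "com.amazonaws.eu-west-3.s3", "VpcId": "vpc-0aaa", "State": "available", "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-0ccc"]}
]}""")

if __name__ == "__main__":
    args = ("eu-west-3", "vpc-0aaa", "subnet-0bbb", "rtb-0ccc")
    for svc, why in endpoint_gaps(SAMPLE, "backup_to_s3", *args).items():
        print(f"{svc}: {why}")
```

Run it per region against the subnet that the worker actually uses, since each operation starts its worker in a different location.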
     
    KB ID: 3197
    Product: Veeam Backup for AWS
    Version: 2.x and later
    Published: 2020-06-29
    Last Modified: 2020-08-13