How to Configure Endpoints for Veeam Backup for AWS

KB ID: 3197
Product: Veeam Backup for AWS | 2.0 | 3.0 | 4.0 | 5.0 | 5a
Published: 2020-06-29
Last Modified: 2022-11-02

Purpose

This article provides configuration advice for launching workers in a subnet that has auto-assignment of public IPv4 addresses disabled.

Solution

If you start workers in a region from a subnet that has auto-assignment of public IPv4 addresses disabled, you must configure several VPC endpoints for the AWS services that Veeam Backup for AWS needs in order to work correctly.

The list of endpoints may vary depending on what operations you want to perform.

VPC Interface Endpoint Creation

  1. Go to the VPC Service.
  2. Select the Endpoints section from the list on the left panel and click Create Endpoint.
  3. For Service Name, select the required endpoint in the format com.amazonaws.region.service (e.g. com.amazonaws.eu-west-3.ssm).
  4. For VPC, choose the VPC ID you want to use for the workers.
  5. For Subnets, choose the Subnet ID you want to use for the workers.
  6. For Enable Private DNS Name, select Enable for this endpoint.
  7. For Security Group, select an existing security group or create a new one.
    Ensure that the security group associated with the endpoint network interface allows communication between the endpoint network interface and the resources in your VPC that communicate with the service. If the security group restricts inbound HTTPS traffic (port 443) from resources in the VPC, you might not be able to send traffic through the endpoint network interface.
  8. Click Create Endpoint.


For more information, see AWS Documentation.

S3 Gateway endpoint creation

  1. Go to the VPC Service.
  2. Select the Endpoints section from the list on the left panel and click Create Endpoint.
  3. For Service Name, select the required endpoint in the format com.amazonaws.region.service (e.g. com.amazonaws.eu-west-3.s3).
  4. For VPC, choose the VPC ID you want to use for the workers.
  5. For Configure route tables, select the route tables to be used by the endpoint. AWS automatically adds a route to each selected route table that points traffic destined for the service to the endpoint.
  6. For Policy, choose the type of policy. You can leave the default option, Full Access, to allow full access to the service. Alternatively, you can select Custom and then use the AWS Policy Generator to create a custom policy or enter your own policy in the policy window.
  7. Click Create Endpoint.


For more information, see AWS Documentation.

Endpoints for Backup to S3

If you want to back up to an S3 repository using private IP addresses for your workers, the following endpoints must be configured for the subnet that is selected on the Configuration – Workers page, or for the default subnet of the source instance location (if there are no settings on the Workers page for the specific region, the default settings are used):

- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs
- com.amazonaws.region.s3
- com.amazonaws.region.ebs

Important:

  • If you perform a backup to an S3 repository, a worker will be started in the same region as the source instance (in the account selected on the Workers page).
    Endpoints must be configured for the subnet that is used for the worker.
  • Your source instance and S3 repository should be in the same region. This is an AWS limitation: «Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region». For more information, see AWS Documentation.
    This limitation applies only to regions: the source instance and the S3 repository can be in different accounts.

Endpoints for Restore from S3

If you want to restore from an S3 repository using private IP addresses for your workers, the following endpoints must be configured for the subnet that is selected on the Configuration – Workers page, or for the default subnet of the target instance location (if there are no settings on the Workers page for this region, the default settings are used):

- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs
- com.amazonaws.region.s3

Important:

  • If you perform a restore from an S3 repository, a worker will be started in the target instance location (in the account selected on the Workers page).
    Endpoints must be configured for the subnet that is used for the worker.
  • The target region and the S3 repository location must be the same. This is an AWS limitation: «Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region». For more information, see AWS Documentation.
    This limitation applies only to regions: the target instance and the S3 repository must be in the same region but can be in different accounts.

Endpoints for File-Level Restore

From Snapshot

If you want to perform an FLR from a snapshot in a private network, the following endpoints must be configured for the subnet that is selected on the Configuration - Workers page, or for the default subnet of the region where the snapshot is located (if there are no settings on the Workers page for this region, the default settings are used):

- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs

Important:
If you perform an FLR from a snapshot, a worker will be started in the same region as the snapshot location.
Endpoints must be configured for the subnet that is used for the worker.

From Backup

If you want to perform an FLR from an S3 repository in a private network, the following endpoints must be configured for the subnet that is selected on the Configuration - Workers page, or for the default subnet of the region where the S3 repository is located (if there are no settings on the Workers page for this location, the default settings are used):

- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs
- com.amazonaws.region.s3

Important:
If you perform an FLR from an S3 repository, a worker will be started in the same region as the S3 repository location.
Endpoints must be configured for the subnet that is used for the worker.
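A gap check for the endpoint lists above, added here as an example and not part of Veeam's article or product: given the JSON of `aws ec2 describe-vpc-endpoints`, it reports which endpoints required for a chosen operation are missing for the worker subnet and prints the equivalent `aws ec2 create-vpc-endpoint` command for each, following the Interface (private DNS enabled) and Gateway (route tables) procedures described earlier. The operation labels, resource IDs and sample output are constructed placeholders.

```python
# Service suffixes this article lists per operation (operation keys are labels chosen here).
REQUIRED = {
    "backup-to-s3":      ["ec2messages", "ssm", "sqs", "s3", "ebs"],
    "restore-from-s3":   ["ec2messages", "ssm", "sqs", "s3"],
    "flr-from-snapshot": ["ec2messages", "ssm", "sqs"],
    "flr-from-backup":   ["ec2messages", "ssm", "sqs", "s3"],
}

def required_services(operation, region):
    """Full service names in the com.amazonaws.region.service format."""
    return [f"com.amazonaws.{region}.{s}" for s in REQUIRED[operation]]

def present_services(describe_output, subnet_id):
    """Services reachable from subnet_id, read from `aws ec2 describe-vpc-endpoints` JSON."""
    present = set()
    for ep in describe_output.get("VpcEndpoints", []):
        if ep.get("State") != "available":
            continue
        if ep.get("VpcEndpointType") == "Gateway":
            # Gateway endpoints (S3) attach to route tables, not subnets; check RouteTableIds separately.
            present.add(ep["ServiceName"])
        elif subnet_id in ep.get("SubnetIds", []) and ep.get("PrivateDnsEnabled"):
            # An Interface endpoint must cover the worker subnet and have private DNS on (step 6).
            present.add(ep["ServiceName"])
    return present

def missing_endpoints(operation, region, subnet_id, describe_output):
    present = present_services(describe_output, subnet_id)
    return [s for s in required_services(operation, region) if s not in present]

def create_command(service_name, vpc_id, subnet_id, sg_id, route_table_id):
    """AWS CLI equivalent of the console steps: Gateway endpoint for S3, Interface otherwise."""
    if service_name.endswith(".s3"):
        return (f"aws ec2 create-vpc-endpoint --vpc-id {vpc_id} --vpc-endpoint-type Gateway "
                f"--service-name {service_name} --route-table-ids {route_table_id}")
    return (f"aws ec2 create-vpc-endpoint --vpc-id {vpc_id} --vpc-endpoint-type Interface "
            f"--service-name {service_name} --subnet-ids {subnet_id} "
            f"--security-group-ids {sg_id} --private-dns-enabled")

# Constructed describe-vpc-endpoints sample with placeholder IDs: ssm covers the worker
# subnet, sqs covers another subnet, the S3 gateway exists, ec2messages and ebs are absent.
SAMPLE = {"VpcEndpoints": [
    {"ServiceName": "com.amazonaws.eu-west-3.ssm", "VpcEndpointType": "Interface",
     "State": "available", "SubnetIds": ["subnet-0worker"], "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.eu-west-3.sqs", "VpcEndpointType": "Interface",
     "State": "available", "SubnetIds": ["subnet-0other"], "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.eu-west-3.s3", "VpcEndpointType": "Gateway",
     "State": "available", "RouteTableIds": ["rtb-0worker"]},
]}

if __name__ == "__main__":
    for svc in missing_endpoints("backup-to-s3", "eu-west-3", "subnet-0worker", SAMPLE):
        print(create_command(svc, "vpc-0example", "subnet-0worker", "sg-0example", "rtb-0worker"))
```

Run it against real output with `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id> --output json` loaded via `json.load`; the gateway check still needs you to confirm the worker subnet's route table appears in the S3 endpoint's RouteTableIds.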