To use your own TLS certificate during file-level restore and have the static Veeam Backup browser link:
- In AWS CloudFormation, deploy and configure an EC2 instance that will act as an FLR relay proxy.
In stack settings, you will need to specify the path to the TLS certificate and desired public DNS name. To obtain the stack template file, contact Veeam Customer Support.
- In worker instance settings, specify the FLR relay proxy for each AWS region where you plan to perform file-level restore.
During file-level restore, Veeam Backup for AWS will route traffic to and from the launched worker instance through the specified FLR relay proxy.
- Valid TLS certificate, for example, obtained from Let’s Encrypt.
The TLS certificate must be located in an S3 bucket folder.
- Public DNS name that you own, for example, flr.domain.com.
Deploying FLR Relay Proxy in AWS CloudFormation
In AWS CloudFormation, for each AWS region where you plan to use the FLR relay proxy, complete the following steps:
- Launch the Create Stack wizard as described in AWS Documentation.
- At the Specify template step of the wizard, upload a template file obtained from Veeam Customer Support.
- At the Specify stack details step of the wizard, specify the following settings:
- In the Stack name field, specify a name for the EC2 instance that will act as an FLR relay proxy.
- From the Key Pair drop-down list, select a key pair that will be used to authenticate against the FLR relay proxy.
You will require the specified key pair if you want to connect to the proxy over SSH.
- [Optional] In the SSH Location field, specify the IPv4 address range from which you want to access the FLR relay proxy over SSH.
- In the HTTPS Location field, specify the IPv4 address range from which you plan to access the Veeam Backup browser during file-level restore.
- From the VPC and Subnet drop-down lists, select an Amazon Virtual Private Cloud (Amazon VPC) and subnet to which the FLR relay proxy must be connected.
- In the DNS Name field, specify the public DNS name that you own and want to include in the Veeam Backup browser link.
- In the S3 bucket with certificate field, specify the bucket folder name where the TLS certificate you want to use is located (without ‘s3://’).
For example, MyBucketName/certificates
- In the Certificate file name field, specify the name of the certificate file that is located in the specified bucket folder.
For example, certificate.pem
- In the Key file name field, specify the name of the private key file that is located in the specified bucket folder.
For example, privatekey.pem
- At the Configure stack options step of the wizard, specify AWS tags, IAM role permissions and other additional settings if necessary, and then click Next.
- At the Review step of the wizard, review the specified settings, select the I acknowledge that AWS CloudFormation might create IAM resources check box, and click Create stack.
- Associate the DNS name specified at step 3.6 with the Elastic IP address that is assigned to the FLR relay proxy.
To view the public IP address of the FLR relay proxy:
- Open the Amazon EC2 console.
- In the navigation pane, click Instances.
- Find and click your FLR relay proxy.
- On the Description tab, on the right of IPv4 Public IP, you will find the IP address of the FLR relay proxy.
- Wait until the FLR relay proxy is deployed.
You can track the proxy deployment progress in the execution log at http://<IPaddress-of-your-proxy>:80.
After successful installation of proxy components, the proxy will automatically shut down.
If this does not happen, check the proxy deployment status in the execution log at http://<IPaddress-of-your-proxy>:80 and contact Veeam Customer Support.
Specifying FLR Relay Proxy in Advanced Worker Instance Settings
Once the FLR relay proxy is deployed, access Veeam Backup for AWS and complete the following steps:
- At the top right corner of the Veeam Backup for AWS window, click Configuration.
- In the configuration menu on the left, click Workers.
- On the Advanced tab, click Add.
Veeam Backup for AWS will launch the Add Region wizard.
- At the Region step of the wizard, specify the AWS region in which the FLR relay proxy is deployed.
- At the Worker Settings step of the wizard:
- Click Select and choose the necessary FLR relay proxy from the list.
- In the DNS Name field, enter the DNS name that you specified in FLR relay proxy settings.
- From the Security Group drop-down list, select a security group to which the FLR relay proxy will be connected during file-level restore.
- At the Summary step of the wizard, review the specified settings and click Finish.
Veeam Backup for AWS will automatically use the configured FLR relay proxy when you perform file-level restore in the AWS region where the proxy is deployed.