How to Offload Backup Files to Capacity and Archive Tiers via AWS Privatelink / Direct Connect

KB ID: 4226
Product: Veeam Backup & Replication
Version: 11a or newer
Published: 2021-10-17
Last Modified: 2022-06-14
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Purpose

This article documents how to configure Veeam Backup & Replication to use AWS PrivateLink or AWS Direct Connect for Scale-Out Backup Repository offload to Capacity Tier or Archive Tier.

Solution

Prepare the Environment

  1. (If using Direct Connect, skip to step 2.) For AWS PrivateLink, configure a VPN connection to the VPC where you are planning to deploy the PrivateLink Endpoint. One of the ways to do this is to create a tunnel on the VM gateway using AWS Client VPN.

  2. Create Endpoints in VPC:
    1. Create an S3 Interface Endpoint in your VPC. It will be assigned a DNS name that you can see in the AWS Console under VPC - Endpoints, when selecting the corresponding Endpoint.
    2. If intending to use Archive Tier, an EC2 Endpoint must be created as well.
  1. Modify the regions file to alter which server Veeam Backup & Replication will attempt to connect to for S3 and EC2
    1. On the Veeam Backup Server, edit C:\Program Files\Veeam\Backup and Replication\Backup\AmazonS3Regions.xml
    2. Find the Region section that corresponds to your PrivateLink or Direct Connect location.

      Example:
       <Region Id="ap-northeast-1" Name="Asia Pacific (Tokyo)" Type="Global">
      
    3. Within that Region's section, find the line <Endpoint Type="s3"> and replace the existing DNS value with the S3 Interface Endpoint DNS created in Step 1.
      Note: For S3, the AWS console will display a DNS value starting with an asterisk. When altering the AmazonS3Regions file, replace the asterisk with the word bucket.

      Example:
      <Endpoint Type="S3">s3-ap-northeast-1.amazonaws.com</Endpoint>
      
      Is changed to:
      <Endpoint Type="S3">bucket.vpce-00000000000000000-00000000.s3.ap-northeast-1.vpce.amazonaws.com</Endpoint>
      
    4. If there are multiple lines for <Endpoint Type="S3"> in the Region section you are altering, remove all but the one you changed.

      Example:
      <Region Id="ap-northeast-1" Name="Asia Pacific (Tokyo)" Type="Global">
      <Endpoint Type="S3">s3-ap-northeast-1.amazonaws.com</Endpoint>
      <Endpoint Type="S3">s3.dualstack.ap-northeast-1.amazonaws.com</Endpoint>
      
    5. If you plan to use Archive Tier: Within the same Region section, find the line <Endpoint Type="EC2"> and replace the existing DNS value with the EC2 Endpoint DNS created in Step 2.

      Example:
      <Endpoint Type="EC2">ec2.ap-northeast-1.amazonaws.com</Endpoint>
      
      Is changed to:
      <Endpoint Type="EC2">vpce-00000000000000000-00000000.ec2.ap-northeast-1.vpce.amazonaws.com</Endpoint>
      
    6. Save the file.
before edits.
Before Changes
After change example
After Adding Custom S3 and EC2 Endpoint
  1. Create the following registry values on the Veeam Backup & Replication server.
    *All registry values are to be created in the key: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
    *All registry values are DWORD (32-Bit) Values
    1. Name: CloudRegionsDisableUpdate
      Data: 1
    2. Name: S3TLSRevocationCheck
      Data: 0
    If you plan to use Archive Tier, the following addtional values must be created:
    1. Name: ArchiveFreezingUsePrivateIpForAmazonAppliance
      Data: 1
    2. Name: ArchiveFreezingSkipProxyValidation
      Data: 1

Alternatively, the following PowerShell commands can be executed on the Veeam Backup server to set the registry values.

New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'CloudRegionsDisableUpdate' -Value "1" -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'S3TLSRevocationCheck' -Value "0" -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'ArchiveFreezingUsePrivateIpForAmazonAppliance' -Value "1" -PropertyType DWORD -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'ArchiveFreezingSkipProxyValidation' -Value "1" -PropertyType DWORD -Force
  1. Stop all tasks within Veeam Backup & Replication and restart the Veeam Backup Service to apply all changes.

Add Object Storage Repository

With the AmazonS3Regions.xml file modified, when selecting the corresponding entry within Veeam Backup & Replication, it will connect to the specified endpoints.


Once the Object Storage Repositories are added:

Click here to send feedback regarding this KB, or suggest content for a new KB.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.