=============== LIBRARY RULES ===============
From library maintainers:
- This is unofficial documentation - always verify against official Veeam Help Center

# Veeam Backup for AWS Documentation

Veeam Backup for AWS (VBAWS) is a comprehensive data protection and disaster recovery solution for AWS environments. It protects Amazon EC2 instances, RDS databases, DynamoDB tables, EFS file systems, FSx file systems, Redshift clusters, and VPC configurations through cloud-native snapshots and image-level backups stored in Amazon S3.

The solution operates through a Linux-based backup appliance deployed as an EC2 instance, which coordinates all backup and restore operations. Starting from version 7.0, it integrates with Veeam Backup & Replication for centralized management across multiple backup appliances. Key capabilities include automated backup scheduling, cross-region snapshot replication, long-term archival to S3 Glacier, file-level recovery, and restore to original or new locations.

---

## EC2 Instance Backup Policy Creation

Create backup policies to protect EC2 instances with configurable schedules, retention policies, and target repositories. Policies can scope resources by AWS account or across an entire AWS Organization.

```yaml
# EC2 Backup Policy Configuration Steps:
# 1. Navigate to Veeam Backup for AWS Web UI
# 2. Go to Policies > EC2 > Add

Policy Settings:
  Name: "Production-EC2-Daily-Backup"
  Description: "Daily backups of production EC2 instances"

Sources:
  Type: Account  # or Organization
  IAM Role: "arn:aws:iam::123456789012:role/VeeamBackupRole"

Schedule:
  Daily:
    - Start Time: "02:00"
      Days: ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
      Retention: 14 days
  Weekly:
    - Start Time: "03:00"
      Day: "Saturday"
      Retention: 4 weeks
  Monthly:
    - Start Time: "04:00"
      Day: "First Sunday"
      Retention: 12 months

Target Settings:
  Snapshots:
    Enabled: true
    Regions: ["us-east-1", "us-west-2"]  # Replica regions
  Image-Level Backups:
    Enabled: true
    Repository: "s3-backup-repository"
    Storage Class: "S3 Standard"  # or "S3 Glacier Flexible Retrieval"
```

---

## EC2 Instance Restore Operations

Restore entire EC2 instances, individual EBS volumes, or specific files/folders from cloud-native snapshots or image-level backups to original or new locations.

```yaml
# EC2 Instance Restore - Full Instance Recovery
Restore Type: "Instance Restore"
Source:
  Instance: "i-0abc123def456789"
  Restore Point: "2024-01-15 02:00:00"
  Type: "Image-Level Backup"  # or "Snapshot", "Snapshot Replica"
Target Settings:
  Restore Mode: "Restore to new location"
  AWS Account: "arn:aws:iam::123456789012:role/VeeamRestoreRole"
  Region: "us-east-1"
  Instance Type: "t3.large"
  VPC: "vpc-12345678"
  Subnet: "subnet-abcdef12"
  Security Groups: ["sg-12345678"]
  Encryption:
    Enable EBS Encryption: true
    KMS Key: "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# EC2 Volume Restore
Restore Type: "Volume Restore"
Source:
  Instance: "i-0abc123def456789"
  Restore Point: "2024-01-15 02:00:00"
  Volumes: ["/dev/sda1", "/dev/xvdf"]
Target:
  Availability Zone: "us-east-1a"
  # Volumes restored as standalone EBS volumes

# EC2 File-Level Recovery
Restore Type: "File-Level Recovery"
Source:
  Instance: "i-0abc123def456789"
  Restore Point: "2024-01-15 02:00:00"
Recovery Options:
  Mode: "Download to local machine"  # or "Restore to original location"
  Files:
    - "/var/log/application.log"
    - "/etc/nginx/nginx.conf"
# Supported file systems: FAT, FAT32, NTFS, ext2, ext3, ext4, XFS, Btrfs
```

---

## RDS Database Backup and Restore

Protect Amazon RDS DB instances and Aurora clusters with cloud-native snapshots and image-level backups for Microsoft SQL Server and PostgreSQL databases.

```yaml
# RDS Backup Policy Configuration
Policy Settings:
  Name: "RDS-Production-Backup"
  Type: "RDS"

Sources:
  IAM Role: "arn:aws:iam::123456789012:role/VeeamRDSBackupRole"
  Resources:
    - Type: "DB Instance"
      Identifier: "production-sqlserver-db"
    - Type: "Aurora Cluster"
      Identifier: "production-aurora-cluster"

Schedule:
  Daily:
    Start Time: "01:00"
    Retention: 7 days

Target Settings:
  Snapshots:
    Enabled: true
    Replica Regions: ["us-west-2"]
  Image-Level Backups:  # SQL Server and PostgreSQL only
    Enabled: true
    Repository: "s3-rds-backup-repo"
    # Supported PostgreSQL versions: 12, 13, 14, 15, 16, 17

# RDS Restore Operation
Restore Settings:
  Source:
    Resource: "production-sqlserver-db"
    Restore Point: "2024-01-15 01:00:00"
    Type: "Snapshot"  # or "Image-Level Backup"
  Target:
    Restore Mode: "Restore to new location"
    DB Identifier: "restored-sqlserver-db"
    Instance Class: "db.m5.large"
    VPC: "vpc-12345678"
    Subnet Group: "production-subnet-group"
    Publicly Accessible: false
```

---

## EFS File System Protection

Create cloud-native backups of Amazon EFS file systems with optional indexing for granular file-level recovery and cross-region backup copies.

```yaml
# EFS Backup Policy Configuration
Policy Settings:
  Name: "EFS-Backup-Policy"
  Type: "EFS"

Sources:
  IAM Role: "arn:aws:iam::123456789012:role/VeeamEFSBackupRole"
  File Systems:
    - "fs-12345678"
    - "fs-87654321"

Schedule:
  Daily:
    Start Time: "03:00"
    Retention: 30 days

Target Settings:
  Backup Vault: "Default"  # AWS Backup vault in source region
  Backup Copy:
    Enabled: true
    Target Region: "us-west-2"
    Retention: 90 days

Indexing:  # Enables granular file browsing and search
  Enabled: true
  Repository: "s3-efs-index-repo"
  Worker Settings:
    IAM Role: "arn:aws:iam::123456789012:role/VeeamEFSWorkerRole"
    Subnet: "subnet-abcdef12"

# EFS Restore Options
Restore Types:
  - Entire File System Restore
  - File/Directory Level Recovery (requires indexing)
```

---

## DynamoDB Table Backup

Protect Amazon DynamoDB tables with cloud-native backups stored in AWS Backup vaults, including cross-region backup copies for disaster recovery.

```yaml
# DynamoDB Backup Policy Configuration
# Note: Requires backup appliance managed by Veeam Backup & Replication
Policy Settings:
  Name: "DynamoDB-Backup-Policy"
  Type: "DynamoDB"

Sources:
  IAM Role: "arn:aws:iam::123456789012:role/VeeamDynamoDBBackupRole"
  Tables:
    - "production-users-table"
    - "production-orders-table"

Schedule:
  Daily:
    Start Time: "04:00"
    Retention: 14 days

Target Settings:
  Backup Vault: "Default"
  Backup Copy:
    Enabled: true
    Target Region: "eu-west-1"
    Retention: 30 days

# Supported Table Properties for Backup/Restore:
# - Table name (changeable on restore)
# - Partition key and Sort key
# - Global/Local secondary indexes
# - Table class and Capacity mode
# - Server-side encryption
# - Point-in-time recovery (PITR)
# - Deletion protection
```

---

## Redshift Cluster and Serverless Backup

Create cloud-native backups of Amazon Redshift provisioned clusters and Redshift Serverless namespaces.

```yaml
# Redshift Cluster Backup Policy
# Note: Requires backup appliance managed by Veeam Backup & Replication
Policy Settings:
  Name: "Redshift-Cluster-Backup"
  Type: "Redshift"

Sources:
  IAM Role: "arn:aws:iam::123456789012:role/VeeamRedshiftBackupRole"
  Clusters:
    - "production-datawarehouse"

Schedule:
  Daily:
    Start Time: "05:00"
    Retention: 7 days

Target Settings:
  Backup Vault: "Default"
  # Backups stored in same AWS account and region as source

# Redshift Serverless Backup Policy
Policy Settings:
  Name: "Redshift-Serverless-Backup"
  Type: "Redshift Serverless"

Sources:
  Namespaces:
    - "analytics-namespace"

# Restore Options:
# - Restore to same AWS account and region only
# - Change: Cluster ID, Node type, Number of nodes, VPC, Subnet, Port
```

---

## FSx File System Backup

Protect Amazon FSx for Windows File Server, FSx for Lustre, and FSx for OpenZFS file systems with cloud-native backups.

```yaml
# FSx Backup Policy Configuration
# Note: Requires backup appliance managed by Veeam Backup & Replication
Policy Settings:
  Name: "FSx-Backup-Policy"
  Type: "FSx"

Sources:
  IAM Role: "arn:aws:iam::123456789012:role/VeeamFSxBackupRole"
  File Systems:
    - "fs-0123456789abcdef0"  # FSx for Windows
    - "fs-abcdef0123456789a"  # FSx for Lustre

Schedule:
  Daily:
    Start Time: "02:30"
    Retention: 14 days

Target Settings:
  Backup Vault: "Default"
  Backup Copy:
    Enabled: true
    Target Region: "us-west-2"  # Must be default AWS Region
    Retention: 30 days

# Required Security Group Ports:
# FSx for Windows: UDP 53,88,123,389,464 | TCP 53,88,135,389,445,464,636,3268,3269,5985,9389,49152-65535
# FSx for Lustre: TCP 988,1018-1023
# FSx for OpenZFS: TCP/UDP 111,2049,20001-20003
```

---

## Backup Repository Configuration

Configure Amazon S3 buckets as backup repositories for storing EC2 and RDS image-level backups with optional encryption and immutability.

```yaml
# Add Backup Repository via Web UI
Repository Settings:
  Name: "production-backup-repo"
  Description: "Primary backup repository for production workloads"

S3 Bucket Configuration:
  IAM Role: "arn:aws:iam::123456789012:role/VeeamRepositoryRole"
  Region: "us-east-1"
  Bucket: "veeam-backups-production"
  Folder: "ec2-backups"
  Storage Class: "S3 Standard"  # or "S3 Glacier Flexible Retrieval", "S3 Glacier Deep Archive"

Encryption:
  Enabled: true
  Type: "SSE-S3"  # or KMS with symmetric key
  KMS Key ARN: "arn:aws:kms:us-east-1:123456789012:key/..."

Immutability:  # Requires S3 Object Lock and Versioning enabled
  Enabled: true
  Retention Period: 30 days

# Storage Class Options:
# - S3 Standard: Frequent access, immediate restore
# - S3 Glacier Flexible Retrieval: Archival, 1-5 minute to 12 hour retrieval
# - S3 Glacier Deep Archive: Long-term archival, 12-48 hour retrieval
```

---

## IAM Role Configuration

Configure IAM roles with appropriate permissions for backup, restore, worker deployment, and repository access operations.

```yaml
# IAM Role Types and Permissions

# 1. EC2 Backup Role
Role Purpose: "Backup EC2 instances"
Required Permissions:
  - ec2:CreateSnapshot
  - ec2:CopySnapshot
  - ec2:DescribeInstances
  - ec2:DescribeVolumes
  - ec2:DescribeSnapshots
  - ec2:CreateTags
  - ec2:DeleteSnapshot

# 2. Repository Role
Role Purpose: "Access S3 backup repositories"
Required Permissions:
  - s3:GetObject
  - s3:PutObject
  - s3:DeleteObject
  - s3:ListBucket
  - s3:GetBucketLocation

# 3. Worker Deployment Role (Backup Account)
Role Purpose: "Deploy worker instances in backup account"
Required Permissions:
  - ec2:RunInstances
  - ec2:TerminateInstances
  - ec2:DescribeSubnets
  - ec2:DescribeSecurityGroups
  - iam:PassRole

# 4. Production Worker Role
Role Purpose: "Deploy workers in production accounts for image-level backups"
Required Permissions:
  - ec2:RunInstances
  - ec2:TerminateInstances
  - ec2:AttachVolume
  - ec2:DetachVolume

# Adding IAM Role in Veeam Backup for AWS
Add IAM Role:
  Settings:
    Type: "IAM role from current account"  # or "IAM role from another account", "Create new IAM role"
    Role ARN: "arn:aws:iam::123456789012:role/VeeamBackupRole"
  Permissions:
    Workload Permissions:
      - EC2 Backup
      - EC2 Restore
      - RDS Snapshot
      - RDS Restore
    Management Roles:
      - Worker deployment role
      - Repository role
```

---

## Worker Instance Configuration

Configure worker instances that handle backup traffic processing, image-level backup creation, and restore operations.

```yaml
# Worker Instance Overview
# Workers are temporary Linux EC2 instances (amzn-linux-v2)
# Named: VBA_Worker (backup/restore) or EFS_Worker (EFS indexing)

# Worker Configuration Settings
Worker Configuration:
  Name: "production-worker-config"
  Deployment Account: "Production"  # or "Backup Account"
  Region Settings:
    us-east-1:
      VPC: "vpc-12345678"
      Subnet: "subnet-abcdef12"
      Security Group: "sg-12345678"
    us-west-2:
      VPC: "vpc-87654321"
      Subnet: "subnet-12345abc"
      Security Group: "sg-87654321"

# Worker Profile (Instance Type Selection)
Worker Profile:
  Name: "standard-worker"
  Instance Types:
    - Volume Size: "0-500 GB"
      Instance Type: "t3.medium"
    - Volume Size: "500 GB - 2 TB"
      Instance Type: "m5.large"
    - Volume Size: "2 TB+"
      Instance Type: "m5.xlarge"

# Private Network Deployment
Private Network Settings:
  Enabled: true  # Deploy workers without public IPv4
  Required Endpoints:
    - com.amazonaws.region.s3  # Gateway endpoint
    - com.amazonaws.region.ec2
    - com.amazonaws.region.ssm
    - com.amazonaws.region.kms
```

---

## Backup Schedule and Retention Configuration

Configure comprehensive backup schedules with daily, weekly, monthly, and yearly retention policies for long-term data protection.

```yaml
# Schedule Types and Retention
Daily Schedule:
  - Start Time: "02:00"
    Run Every: 4 hours  # Creates restore points every 4 hours
    Days: ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
    Retention: 14 days

Weekly Schedule:
  - Start Time: "03:00"
    Day: "Sunday"
    Retention: 4 weeks

Monthly Schedule:
  - Start Time: "04:00"
    Day: "First Sunday"  # or specific date (1-28)
    Retention: 12 months

Yearly Schedule:
  - Start Time: "05:00"
    Month: "January"
    Day: "First Sunday"
    Retention: 7 years

# Harmonized Scheduling
# Combines multiple schedule types for efficient retention
# Example: Daily (14 days) + Weekly (4 weeks) + Monthly (12 months)
# Veeam automatically promotes restore points to longer retention tiers

# Backup Archiving
Archive Settings:
  Enabled: true
  Archive Repository: "s3-glacier-archive-repo"
  Archive After: 30 days  # Move to archive storage class
```

---

## VPC Configuration Backup

Protect Amazon VPC configurations including subnets, route tables, security groups, NAT gateways, and network ACLs.

```yaml
# VPC Configuration Backup Policy
# Pre-configured policy exists on backup appliance (disabled by default)
Policy Settings:
  Name: "VPC Configuration Backup"
  Enabled: true

Sources:
  IAM Role: "arn:aws:iam::123456789012:role/VeeamVPCBackupRole"
  Regions:
    Mode: "Automatic"  # or "Manual" for specific regions
    # Automatic: All regions where VPCs exist
    # Manual: Specify region list

Schedule:
  Daily:
    Start Time: "06:00"
    Retention: 30 days

Target Settings:
  Storage:
    - Configuration Database  # Veeam Backup for AWS internal
    - S3 Repository: "vpc-config-backup-repo"

# Supported VPC Components:
# - VPCs, Subnets, Route Tables
# - Internet Gateways, NAT Gateways
# - Security Groups, Network ACLs
# - VPC Peering Connections
# - VPN Gateways, Customer Gateways
# - Elastic IPs, Network Interfaces

# VPC Restore Options:
# - Entire VPC configuration restore
# - Selected items restore (specific components)
```

---

## Version Compatibility Matrix

Reference table for compatible versions of Veeam components when planning deployments or upgrades.

```yaml
# Version Compatibility
Compatible Versions:
  - Veeam Backup & Replication: "13.0.1.180"
    Veeam Plug-In for AWS: "13.10.0.225"
    Veeam Backup for AWS: "10.0.0.232"
  - Veeam Backup & Replication: "13.0.0.4967"
    Veeam Plug-In for AWS: "13.9.1.467"
    Veeam Backup for AWS: "9.1.0.45"
  - Veeam Backup & Replication: "12.3.2.3617"
    Veeam Plug-In for AWS: "12.9.0.281"
    Veeam Backup for AWS: "9.1.0.45"

# Backup Appliance Requirements:
Hardware:
  Minimum Instance Type: "t3.medium"
  AMI Architecture: "x86_64"

Software Stack:
  - Ubuntu 22.04 LTS
  - ASP.NET Core Runtime 8.0
  - PostgreSQL 15
  - nginx 1.18

# Supported Web Browsers:
# - Microsoft Edge (latest)
# - Mozilla Firefox (latest)
# - Google Chrome (latest)
# - Internet Explorer: NOT SUPPORTED
```

---

## Summary

Veeam Backup for AWS provides enterprise-grade data protection for the full spectrum of AWS services through a unified backup appliance architecture. Primary use cases include protecting production EC2 instances with automated snapshot and image-level backups, safeguarding RDS databases with application-consistent backups for SQL Server and PostgreSQL, and enabling cross-region disaster recovery through snapshot replication and backup copies. The solution supports compliance requirements through immutable backups, long-term archival to S3 Glacier, and comprehensive retention policies.

Integration patterns center on the Veeam Backup & Replication console for centralized multi-cloud management, with the Veeam Plug-In for AWS enabling unified control across multiple backup appliances. Organizations typically deploy backup appliances in dedicated backup accounts, configure IAM roles with least-privilege permissions for each operation type, and leverage worker instances deployed in production accounts for processing workloads. The REST API service enables automation and integration with existing orchestration tools, while email notifications and daily reports provide operational visibility into backup policy execution and resource protection status.
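
One way to check a role's policy against the action lists in the IAM Role Configuration section, in support of the least-privilege practice the summary mentions. This is an added example, not Veeam's code: `audit_role_policy`, `PAGE_PERMISSIONS` and the sample policy are constructed for illustration, and the action lists are the ones shown on this (unofficial) page.

```python
import fnmatch

# Action lists copied from this page's "IAM Role Configuration" section.
# The page is unofficial, so confirm them against the Veeam Help Center.
PAGE_PERMISSIONS = {
    "ec2_backup": ["ec2:CreateSnapshot", "ec2:CopySnapshot", "ec2:DescribeInstances",
                   "ec2:DescribeVolumes", "ec2:DescribeSnapshots", "ec2:CreateTags",
                   "ec2:DeleteSnapshot"],
    "repository": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                   "s3:ListBucket", "s3:GetBucketLocation"],
}

def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def audit_role_policy(policy, role_type):
    """Report where a policy's Allow statements differ from the page's list."""
    expected = {a.lower() for a in PAGE_PERMISSIONS[role_type]}
    granted, report = set(), {"wildcards": [], "not_action": False}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            report["not_action"] = True  # allows everything except the listed actions
        for action in _as_list(stmt.get("Action")):
            granted.add(action.lower())  # IAM action names are case-insensitive
            if "*" in action or "?" in action:
                report["wildcards"].append(action)
    # An expected action counts as covered if any granted pattern matches it.
    covered = {e for e in expected
               if any(fnmatch.fnmatchcase(e, g) for g in granted)}
    report["missing"] = sorted(expected - covered)
    report["excess"] = sorted(g for g in granted
                              if g not in expected and "*" not in g and "?" not in g)
    return report

# Constructed sample policy for a repository role (not from Veeam or AWS).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:List*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(audit_role_policy(SAMPLE_POLICY, "repository"))
```

For the sample policy the report lists `s3:List*` as a wildcard to narrow, `s3:putbucketpolicy` as an action beyond the page's repository list, and the two repository actions the policy does not grant.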