Introduction
During AWS re:Invent 2019, Veeam released “Backup for AWS”, a backup and recovery solution designed, at this time, to protect AWS EC2 instances. In this upcoming (and now here) series of posts, I’ll detail how to deploy and use Veeam Backup for AWS to back up and restore data from your AWS EC2 instances. This series is not intended as a product comparison with other cloud-native backup utilities, though.
Deploying Veeam Backup for AWS from the AWS Marketplace
The steps below highlight those required to deploy Veeam Backup for AWS using the Veeam-provided CloudFormation template, plus a few notes of my own in regard to setting up the networking.
1. Sign in to AWS Marketplace using credentials of an AWS account in which you plan to install Veeam Backup for AWS. Enter Veeam in the search bar and select the product version you wish to install.
2. Open the Veeam Backup for AWS overview page for the necessary product edition and click Continue to Subscribe.
3. Accept the licensing terms and then click Continue to Configuration.
4. On the Configure this software page, specify the installation settings. At the time of this writing, there was only a single Fulfillment Option and Software Version available (shown below). On the Region dropdown, select the AWS region in which to install the Veeam Backup for AWS instance and then click Continue to Launch.
5. On the Launch this software page, specify the launch Action from the drop-down list. The available options are Copy to Service Catalog and Launch CloudFormation. In this example, CloudFormation was selected. When you click Launch, the CloudFormation Create Stack wizard will launch.
6. On the Specify template screen, the template settings are already configured. Click Next to continue.
7. On the Specify stack details page, specify the following:
- In the Stack name field, specify a name for the created stack.
- In the Instance Configuration section:
  - From the Instance type for Veeam Backup for AWS server drop-down list, select the type for the EC2 instance on which Veeam Backup for AWS (VBAWS) will be installed.
    - The recommended instance type is a t2.medium.
  - From the Key Pair for Veeam Backup for AWS Server drop-down list, select a key pair that will be used to authenticate against the VBAWS EC2 instance. If necessary, a new key pair can be created.
  - Select true if you want to enable an automatic backup for EBS volumes of the Veeam Backup for AWS server.
  - Select true if you want to let AWS restart the Veeam Backup for AWS server if any software failure occurs.
  - Select true if you want to let AWS restart the Veeam Backup for AWS server if any infrastructure failure occurs.
- In the Network Configuration section:
  - Select true if you want to create an Elastic IP address for the Veeam Backup for AWS server. For my instance, I set the value to False to see if any problems arise using a dynamic IP. I’ve yet to have any in my environment but your mileage may vary.
  - In the Allowed Source IP Addresses for connection to SSH field, specify the IPv4 address range from which the Veeam Backup for AWS server will be accessible over SSH.
  - In the Allowed Source IP Addresses for connection to HTTPS field, specify the IPv4 address range from which Veeam Backup for AWS Web UI will be accessible.
  Based on the specified IPv4 ranges, AWS CloudFormation will create a security group for Veeam Backup for AWS with inbound rules for SSH and HTTPS traffic using the values you specify. By default, port 22 is open for inbound SSH traffic and port 443 is open for inbound HTTPS traffic.
- In the VPC and Subnet configuration section:
  - Select the VPC and the Subnet in which the Veeam Backup for AWS server will reside and then click Next.
  - A personal tidbit – When I deployed my server, I selected a private subnet. To date, I have experienced no issues in regards to deploying the server on a private subnet. However, I did have problems with file-level restores when worker instances were deployed to private subnets because the FLR restoration browser is only accessible via a public IP/URL/DNS hostname.
8. On the Configure Stack Options screen, specify any relevant Tags, Permissions, or Advanced Options and click Next.
9. At the Review step of the wizard, do the following:
- Review the stack settings.
- At the bottom of the page, select the I acknowledge that AWS CloudFormation might create IAM resources check box.
- Click Create stack.
10. Once the instance is available, note the instance ID. Launch a web browser and connect to the server’s IP address. When prompted:
- accept the EULA
- enter the instance ID
- specify an administrator account/password
11. Once logged into the server, the next steps will be to configure worker instances, add a backup repository, and create a backup policy.
Conclusion
It may seem like a bunch of steps but deploying Veeam Backup for AWS is relatively straightforward. I would just suggest considering/remembering the following:
- Prior to deploying the Veeam Backup for AWS server:
- Determine which IPs/subnets should be able to access the server using SSH and HTTPS in order to avoid creating an “Allow All” security group that you’ll promise to change later but maybe forget. Start with least-privilege as opposed to allow all.
- Do you have a tagging strategy? Hopefully you do. Determine the tags relevant to the Veeam backup server itself as well as tags assigned to your EC2 instances. Once you log into the server, you are able to create backup policies based on tags.
- To date, I have not experienced any issues in regards to deploying the server on a private subnet. However, worker instances must be deployed to public subnets to support file-level restores.
- During deployment of the server, an IAM role is created that gives the Veeam server permission to back up all EC2 instances and S3 buckets in the account in which the Veeam server is deployed. You can create and assign a custom IAM role to the Veeam Backup for AWS server if you need to back up instances in other accounts.
- Finally, this is just something I’ve been kicking around in my head, but for this install, I selected the “free edition”, which allows you to back up up to 10 EC2 instances. I then opened a support case to troubleshoot the FLR issue described here and got a “we’ll give the best support we can for free products” email. Ultimately I got the help I needed, but I wonder if I would have received an answer quicker if I had chosen to deploy the BYOL edition, which “allows you to purchase a Subscription License and upon installation, the BYOL edition allows you to protect up to 10 EC2 instances.” May play around with this later, but if anybody out there has any thoughts, please feel free to share with us.
Finally, Veeam KB3058 explains how to recover or migrate Veeam Backup for AWS volume/data to a new instance which allows you to reconfigure your backup server to switch license types.
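
As an added example (not from the original post or from Veeam), here is a check you could run over the security group that CloudFormation creates, to confirm the SSH (22) and HTTPS (443) rules are not open wider than intended. The input is the JSON shape returned by `aws ec2 describe-security-groups`; the sample group, the `sg-0example` ID and the /16 threshold are constructed assumptions.

```python
import ipaddress

# Ports the deployment opens, per the post: SSH (22) and HTTPS (443).
WATCHED_PORTS = {22: "SSH", 443: "HTTPS"}
# Assumption: an IPv4 range broader than /16 is too wide for an admin interface.
MIN_PREFIX_V4 = 16

def audit_security_group(group, min_prefix_v4=MIN_PREFIX_V4):
    """Return (group_id, service, cidr, reason) for overly broad 22/443 ingress."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "all traffic" rule: every port
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        exposed = [n for p, n in sorted(WATCHED_PORTS.items()) if lo <= p <= hi]
        if not exposed:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:             # 0.0.0.0/0 or ::/0
                reason = "open to the whole internet"
            elif net.version == 4 and net.prefixlen < min_prefix_v4:
                reason = f"broader than /{min_prefix_v4}"
            else:
                continue
            for name in exposed:
                findings.append((group["GroupId"], name, cidr, reason))
    return findings

# Constructed sample in the shape of describe-security-groups output (not real data).
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_GROUP):
        print(*finding, sep="  ")
```

An empty result means every SSH and HTTPS rule is scoped to a specific range, which is the least-privilege starting point the conclusion recommends.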