Overview
There may come a time when you wish to add an AWS Amazon Linux 2 EC2 instance as a managed server in Veeam Backup and Recovery. In this specific case, I was simply playing around with Veeam backup job settings with a Veeam Backup and Replication Server hosted on a VMware Cloud on AWS (VMC) cluster. I wanted to create a new Scale-out Repository (SoBR) and did not want to utilize the storage space within VMCs WorkloadDatastore for this purpose. So, I deployed an Amazon Linux 2 instance, mounted an EFS file system to serve as an extent for the test SoBR, and added an additional user account, veeam-svc-acct, to that instance for use with Veeam.
Creating a new EC2 Key Pair and Retrieving its Public Key
When adding the Linux instance as a Managed Server in Veeam, I could have used the private/public keys of key pair specified when the EC2 instance was created, the same key pair used to say, PuTTY into the instance. I decided however, to create a new key pair for the veeam-svc-acct user.
- Within the AWS Management Console, click EC2 | Key pairs | Create key pair
2. When the key pair is created, the private key will be downloaded to your local workstation. With the private key in hand, you must now retrieve its public key. In this example, I use PuTTYGen to load the private key and view its public key. Copy the contents of the “Public key for pasting…” section as highlighted in blue below:
3. Connect to the AWS Amazon Linux 2 instance that will be added as a managed server in Veeam and complete the following tasks:
- a. sudo adduser veeam-svc-acct
- b. sudo su – veeam-svc-acct
- c. mkdir .ssh
- d. chmod 700 .ssh
- e. touch .ssh/authorized_keys
- f. chmod 600 .ssh/authorized_keys
- g. cat >> .ssh/authorized_keys
- h. paste the contents of the public key into the .ssh/authorized_keys file and press <Enter>
- i. press and hold CTRL+D to exit cat and return to the CLI prompt
- j. to add veeam-svc-acct to the sudoers file, type sudo visudo
- k. press “i” for insert mode
- l. at the bottom of the sudoers file, add the line: <username> ALL=(ALL)NOPASSWD:ALL
- m. press <ESC> to exit insert mode and them enter :wq! to save the file
4. Test connectivity to the Linux system using the veeam-svc-acct user.
5. When adding the instance as a managed server in Veeam, you will be prompted to verify the fingerprint of the systems SSH key. To retrieve the fingerprint, execute the following commands (you can do this while logged in as the veeam-svc-acct user)
- a. ssh-keyscan ip-Your-Machine-IP-Address.ec2.internal > showkeys.ssh-keyscan
- b. ssh-keygen -lf showkeys.ssh-keyscan -E md5
- c. notate, copy, and/or screenshot the MD5 values presented. The 2046 MD5 value should be the fingerprint displayed while adding the Linux instance as a managed server in Veeam
6. With the configuration of the Linux system complete, launch Veeam Backup and Recovery and perform the following:
- a. Click Backup Infrastructure | Linux | Add Server
- b. Enter a name and description
- c. On the Credentials screen, click Add | Linux Private Key
- d. On the Credentials page, enter the Username and add the PPK key created for the Veeam account and click OK
- e. When returned to the main Credentials screen, click Advanced to verify a successful SSH connection. After clicking Advanced, you should be asked if you trust the fingerprint of the system. Assuming the fingerprint matches the value retrieve in Step #5, click Yes.
- f. Review the SSH settings and continue with the Add server wizard
- g. On the Review screen, verify that the Transport component will be installed and click Apply.
- h. Click Finish once the server has been successfully added.
With these steps complete, the Linux system is ready for use with Veeam Backup and Replication.
A Couple Troubleshooting Tips
Shown below are a couple errors you may see when adding the Linux instance as a managed server in Veeam.
- 1. When clicking the Advanced button on the Credentials screen, you may see an error indicating the Add server wizard was “unable to create elevated SSH connection”. To resolve the error, make sure the user account created for Veeam has been added to sudoers file. (look at Step #3, j-m)
- 2. After clicking Apply to install the Transport component, you could see an error stating that the Veeam Data Mover service could not make a connection.
- To resolve this error, check the AWS Security Group, and ensure that TCP 6162 and TCP 2500-3300 are allowed inbound. TCP 6162 is used by the Veeam Data Mover and TCP 2500-3300 are used for communication between Veeam Agent components during data transmission. For every TCP connection a backup jobs uses, one port from this range is assigned.