Challenge
You want to launch workers in a subnet with auto-assignment of Public IPv4 addresses disabled.
Solution
If you use a subnet with auto-assignment of Public IPv4 addresses disabled to start workers in a region, you need to configure several endpoints for the services that Veeam Backup for AWS requires to work correctly. The list of endpoints varies depending on which operations you want to perform.
- How to create VPC interface endpoint in the Amazon
- How to create S3 Gateway endpoint in the Amazon
- Endpoints needed for backup to S3 repository in a private network
- Endpoints needed for restore from S3 repository in a private network
- Endpoints needed for File-level Restore from Snapshot and Backup in a private network
VPC interface endpoint creation
- Go to the VPC Service.
- Select the Endpoints section from the list on the left panel and click Create Endpoint.
- For Service Name, select the needed endpoint in the format com.amazonaws.region.service (e.g. com.amazonaws.eu-west-3.ssm).
- For VPC, choose the VPC ID you want to use for the workers.
- For Subnets, choose the Subnet ID you want to use for the workers.
- For Enable Private DNS Name, select Enable for this endpoint.
- For Security Group, select an existing security group, or create a new one.
Ensure that the security group associated with the endpoint network interface allows communication between the endpoint network interface and the resources in your VPC that communicate with the service. If the security group restricts inbound HTTPS traffic (port 443) from resources in the VPC, you might not be able to send traffic through the endpoint network interface.
- Click Create Endpoint.
S3 Gateway endpoint creation
- Go to the VPC Service.
- Select the Endpoints section from the list on the left panel and click Create Endpoint.
- For Service Name, select the S3 service endpoint in the format com.amazonaws.region.s3 (e.g. com.amazonaws.eu-west-3.s3) and the Gateway type.
- For VPC, choose the VPC ID you want to use for the workers.
- For Configure route tables, select the route tables to be used by the endpoint. Amazon automatically adds a route that points traffic destined for the service to the endpoint to the selected route tables.
- For Policy, choose the type of policy. You can leave the default option, Full Access, to allow full access to the service. Alternatively, you can select Custom, and then use the AWS Policy Generator to create a custom policy or enter your own policy in the policy window.
- Click Create Endpoint.
Backup to S3
If you want to perform a backup to an S3 repository using private IP addresses for your workers, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the source instance location (if there are no settings on the Workers page for the specific region, the default settings are used):
- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs
- com.amazonaws.region.s3
- com.amazonaws.region.ebs
Important:
- If you perform a backup to an S3 repository, a worker will be started in the same region as the source instance (in the account selected on the Workers page). Endpoints must be configured for the subnet that is used for the worker.
- Your source instance and S3 repository should be in the same region. This is an AWS limitation: «Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region». For more information, see AWS Documentation.
This limitation applies only to regions: a source instance and an S3 repository can be in different accounts.
Restore
If you want to perform a restore from an S3 repository using private IP addresses for your workers, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the target instance location (if there are no settings on the Workers page for this region, the default settings are used):
- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs
- com.amazonaws.region.s3
Important:
- If you perform a restore from an S3 repository, a worker will be started in the target instance location (in the account selected on the Workers page). Endpoints must be configured for the subnet that is used for the worker.
- The target region and your S3 repository location should be the same. This is an AWS limitation: «Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region». For more information, see AWS Documentation.
This limitation applies only to regions: the target instance and S3 repository location should be the same region, but they can be in different accounts.
File-level Restore
From Snapshot
If you want to perform a FLR from a snapshot in a private network, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the region where the snapshot is located (if there are no settings on the Workers page for this region, the default settings are used):
- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs
Important:
- If you perform a FLR from a snapshot, a worker will be started in the same region as the snapshot location. Endpoints must be configured for the subnet that is used for the worker.
From Backup
If you want to perform a FLR from an S3 repository in a private network, you need the following endpoints configured for the subnet that is selected on the Configuration – Workers page or is the default for the region where the S3 repository is located (if there are no settings on the Workers page for this location, the default settings are used):
- com.amazonaws.region.ec2messages
- com.amazonaws.region.ssm
- com.amazonaws.region.sqs
- com.amazonaws.region.s3
Important:
- If you perform a FLR from an S3 repository, a worker will be started in the same region as the S3 repository location. Endpoints must be configured for the subnet that is used for the worker.
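As an added example (not Veeam's own code), the following Python audit encodes the per-operation endpoint lists from the Backup, Restore and File-level Restore sections above and checks a listing in the shape of `aws ec2 describe-vpc-endpoints` output for the worker's VPC and subnet; the VPC, subnet and endpoint IDs in the sample are constructed placeholders.

```python
# Audit which endpoints a Veeam Backup for AWS worker subnet still lacks.
# Interface-endpoint services per operation, as listed in this article.
# S3 is the single Gateway endpoint; EBS is required only for backup.
REQUIRED = {
    "backup":       {"ec2messages", "ssm", "sqs", "ebs"},
    "restore":      {"ec2messages", "ssm", "sqs"},
    "flr-snapshot": {"ec2messages", "ssm", "sqs"},
    "flr-backup":   {"ec2messages", "ssm", "sqs"},
}
NEEDS_S3 = {"backup", "restore", "flr-backup"}


def required_services(operation, region):
    """Full service names (com.amazonaws.<region>.<svc>) for one operation."""
    names = {f"com.amazonaws.{region}.{svc}" for svc in REQUIRED[operation]}
    if operation in NEEDS_S3:
        names.add(f"com.amazonaws.{region}.s3")
    return names


def missing_endpoints(describe, vpc_id, subnet_id, operation, region):
    """Return required service names not correctly served for the worker subnet.

    An interface endpoint counts only if it is available, attached to the worker
    subnet and has private DNS enabled (otherwise the worker still resolves the
    public service address). The S3 gateway endpoint counts if it is available in
    the VPC; route-table association is not inspected here.
    """
    served = set()
    for ep in describe["VpcEndpoints"]:
        if ep["VpcId"] != vpc_id or ep["State"] != "available":
            continue
        if ep["VpcEndpointType"] == "Gateway":
            served.add(ep["ServiceName"])
        elif (ep["VpcEndpointType"] == "Interface" and ep.get("PrivateDnsEnabled")
              and subnet_id in ep.get("SubnetIds", [])):
            served.add(ep["ServiceName"])
    return sorted(required_services(operation, region) - served)


# Constructed sample mimicking describe-vpc-endpoints output (placeholder IDs).
SAMPLE = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0a1", "VpcEndpointType": "Interface", "VpcId": "vpc-1",
     "ServiceName": "com.amazonaws.eu-west-3.ssm", "State": "available",
     "SubnetIds": ["subnet-1"], "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0a2", "VpcEndpointType": "Interface", "VpcId": "vpc-1",
     "ServiceName": "com.amazonaws.eu-west-3.ec2messages", "State": "available",
     "SubnetIds": ["subnet-1"], "PrivateDnsEnabled": False},  # private DNS off
    {"VpcEndpointId": "vpce-0a3", "VpcEndpointType": "Gateway", "VpcId": "vpc-1",
     "ServiceName": "com.amazonaws.eu-west-3.s3", "State": "available",
     "RouteTableIds": ["rtb-1"]},
]}

if __name__ == "__main__":
    print(missing_endpoints(SAMPLE, "vpc-1", "subnet-1", "backup", "eu-west-3"))
```

Feed it real output via `aws ec2 describe-vpc-endpoints --output json` loaded with `json.load` to see which endpoints from the lists above are still missing before a backup or restore job fails to start a worker.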