How to Connect to an Object Storage Repository via AWS Privatelink / Direct Connect


KB ID: 4226
Product: Veeam Backup & Replication | 12 | 12.1
Published: 2021-10-17
Last Modified: 2024-03-04

Purpose

This article documents how to configure Veeam Backup & Replication to use AWS PrivateLink or AWS Direct Connect for Scale-Out Backup Repository offload to Capacity Tier or Archive Tier or to connect to an Object Storage Repository in Veeam Backup & Replication 12 or newer.

Solution

Prepare the AWS Environment

  1. (If using AWS Direct Connect, skip to step 2.) 
    For AWS PrivateLink, configure a VPN connection to the VPC where you plan to deploy the PrivateLink Endpoint. One of the ways to do this is to create a tunnel on the VM gateway using AWS Client VPN.
  2. Create Endpoints in VPC:
    1. Create an S3 Interface Endpoint in your VPC. It will be assigned a DNS name that you can see in the AWS Console under VPC - Endpoints when selecting the corresponding Endpoint.
    2. An EC2 Endpoint must also be created if intending to use Archive Tier.

Prepare the Veeam Backup & Replication Environment

  1. Disable automatic updating of the AmazonS3Regions.xml file by creating the following registry value on the Veeam Backup Server.
    This will prevent Veeam Backup & Replication from overwriting the changes you'll make in the next section of this guide.

    Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
    Value Name: CloudRegionsDisableUpdate
    Value Type: DWORD (32-Bit) Value
    Value Data: 1
  2. Disable certificate revocation checks by creating the following setting on the machine that is assigned as the Gateway server within the Object Storage Repository settings:
    • For Windows-based Gateway servers, create the following registry value:

      Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
      Value Name: ObjectStorageTlsRevocationCheck
      Value Type: DWORD (32-Bit) Value
      Value Data: 0
    • For Linux-based Gateway servers, add the following entry to the /etc/VeeamAgentConfig file (if the /etc/VeeamAgentConfig file is not present, it must be created):
      ObjectStorageTlsRevocationCheck=0
      
    Note: Prior to Veeam Backup & Replication 12, this setting was named S3TLSRevocationCheck.
  3. To configure the Helper Appliance used for Object Storage Repository Health Checks to use the private IP address, add the following registry value on the Veeam Backup Server:

    Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
    Value Name: ArchiveUsePrivateIpForAmazonHelperAppliance
    Value Type: DWORD (32-Bit) Value
    Value Data: 1

    1 = Archive Appliance uses the private IP | 0 = Disabled (default)
  4. If you plan to use Amazon Glacier for Archive Tier, review the following:
    • Certificate revocation checks must be permitted. The Veeam Backup Server and the VPC where the Archiver Appliance is deployed must have access to certificate revocation lists used by AWS over port 80 (*.amazontrust.com).
    • The following additional registry values must be created on the Veeam Backup Server:
      • Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
        Value Name: ArchiveFreezingUsePrivateIpForAmazonAppliance
        Value Type: DWORD (32-Bit) Value
        Value Data: 1
      • Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
        Value Name: ArchiveFreezingSkipProxyValidation
        Value Type: DWORD (32-Bit) Value
        Value Data: 1

Modify the AmazonS3Regions.xml File

This Affects All Traffic to the Modified Region
The AmazonS3Regions.xml file contains a list of regions and their respective endpoints. Modifying a region's endpoints makes it possible to force Veeam Backup & Replication to connect to a specific endpoint when that region is selected in the UI. This modification will cause all tasks that utilize the region you modify to employ the customized S3 and EC2 endpoints. If you wish to avoid interference, consider altering a region that other tasks or objects in Veeam Backup & Replication are not using. Then, use that altered region exclusively when you want to direct traffic to use the custom endpoints.
  1. On the Veeam Backup Server, edit C:\Program Files\Veeam\Backup and Replication\Backup\AmazonS3Regions.xml
  2. Find the Region section corresponding to your PrivateLink or Direct Connect location.

    Example:
     <Region Id="ap-northeast-1" Name="Asia Pacific (Tokyo)" Type="Global">
    
  3. Within that region's section, find the line <Endpoint Type="S3"> and replace the existing DNS value with the S3 Interface Endpoint DNS created in Prepare the AWS Environment > Step 2.

    Note: For S3, the AWS console will display a DNS value starting with an asterisk. When altering the AmazonS3Regions file, replace that asterisk with the word bucket.

    Example:
    <Endpoint Type="S3">s3-ap-northeast-1.amazonaws.com</Endpoint>
    
    Is changed to:
    <Endpoint Type="S3">bucket.vpce-00000000000000000-00000000.s3.ap-northeast-1.vpce.amazonaws.com</Endpoint>
    
  4. If multiple lines for <Endpoint Type="S3"> are in the Region section you are altering, remove all but the one you changed.

    Example (before removal; the second S3 line is the one to remove):
    <Region Id="ap-northeast-1" Name="Asia Pacific (Tokyo)" Type="Global">
    <Endpoint Type="S3">bucket.vpce-00000000000000000-00000000.s3.ap-northeast-1.vpce.amazonaws.com</Endpoint>
    <Endpoint Type="S3">s3.dualstack.ap-northeast-1.amazonaws.com</Endpoint>
    
  5. If you plan to use Archive Tier: Within the same Region section, find the line <Endpoint Type="EC2"> and replace the existing DNS value with the EC2 Endpoint DNS created in Prepare the AWS Environment > Step 2.

    Example:
    <Endpoint Type="EC2">ec2.ap-northeast-1.amazonaws.com</Endpoint>
    
    Is changed to:
    <Endpoint Type="EC2">vpce-00000000000000000-00000000.ec2.ap-northeast-1.vpce.amazonaws.com</Endpoint>
    
  6. Save the file.
    Screenshots: AmazonS3Regions.xml before changes, and after adding the custom S3 and EC2 endpoints.
  7. Stop all tasks within Veeam Backup & Replication and restart the Veeam Backup Service to apply all changes.
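Steps 3 to 5 above, carried out on a constructed copy of the file, as an added example. This is not Veeam's code: the root element name <Regions> and everything in the sample beyond the <Region>/<Endpoint> lines quoted above are assumptions, and the vpce names reuse the placeholder identifiers from the examples. It also performs a check the article implies but does not spell out: the region embedded in the vpce DNS name must match the Region Id you edit, because every task that selects that region will follow the customized endpoint.

```python
"""Apply the AmazonS3Regions.xml edits from this article to one <Region>:
swap the S3 endpoint for the PrivateLink Interface Endpoint DNS (asterisk
replaced by 'bucket'), drop any other S3 endpoints in that region, and
optionally swap the EC2 endpoint. Added example, not Veeam's code."""
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <Region>/<Endpoint> layout quoted in
# the article. The <Regions> root element is an assumption.
SAMPLE_XML = """<Regions>
  <Region Id="ap-northeast-1" Name="Asia Pacific (Tokyo)" Type="Global">
    <Endpoint Type="S3">s3-ap-northeast-1.amazonaws.com</Endpoint>
    <Endpoint Type="S3">s3.dualstack.ap-northeast-1.amazonaws.com</Endpoint>
    <Endpoint Type="EC2">ec2.ap-northeast-1.amazonaws.com</Endpoint>
  </Region>
  <Region Id="us-east-1" Name="US East (N. Virginia)" Type="Global">
    <Endpoint Type="S3">s3.amazonaws.com</Endpoint>
    <Endpoint Type="EC2">ec2.us-east-1.amazonaws.com</Endpoint>
  </Region>
</Regions>"""

# Placeholder vpce identifiers taken from the article's examples.
S3_CONSOLE_DNS = "*.vpce-00000000000000000-00000000.s3.ap-northeast-1.vpce.amazonaws.com"
EC2_VPCE_DNS = "vpce-00000000000000000-00000000.ec2.ap-northeast-1.vpce.amazonaws.com"


def console_dns_to_s3_endpoint(console_dns: str) -> str:
    """The AWS console shows the S3 Interface Endpoint DNS with a leading
    asterisk; the file needs the word 'bucket' in its place."""
    if console_dns.startswith("*."):
        return "bucket." + console_dns[2:]
    return console_dns


def region_in_vpce_dns(dns: str) -> Optional[str]:
    """Return the region label from '<...>.<region>.vpce.amazonaws.com'."""
    labels = dns.split(".")
    if len(labels) >= 4 and labels[-3:] == ["vpce", "amazonaws", "com"]:
        return labels[-4]
    return None


def rewrite_region(xml_text: str, region_id: str, s3_console_dns: str,
                   ec2_vpce_dns: Optional[str] = None) -> str:
    """Return the XML with the chosen region pointed at the custom endpoints."""
    root = ET.fromstring(xml_text)
    region = root.find(f"./Region[@Id='{region_id}']")
    if region is None:
        raise ValueError(f"no <Region Id={region_id!r}> in file")

    s3_dns = console_dns_to_s3_endpoint(s3_console_dns)
    # Guard against pasting an endpoint from another region: all traffic for
    # this region would otherwise be steered into the wrong VPC endpoint.
    for dns in (s3_dns, ec2_vpce_dns):
        if dns and region_in_vpce_dns(dns) != region_id:
            raise ValueError(f"{dns} is not an endpoint in {region_id}")

    s3_endpoints = region.findall("./Endpoint[@Type='S3']")
    if not s3_endpoints:
        raise ValueError(f"{region_id} has no <Endpoint Type=\"S3\">")
    s3_endpoints[0].text = s3_dns          # step 3: replace the DNS value
    for extra in s3_endpoints[1:]:         # step 4: keep only the changed line
        region.remove(extra)

    if ec2_vpce_dns:                       # step 5: Archive Tier only
        ec2 = region.find("./Endpoint[@Type='EC2']")
        if ec2 is None:
            raise ValueError(f"{region_id} has no <Endpoint Type=\"EC2\">")
        ec2.text = ec2_vpce_dns
    # For the real file, write back with ET.ElementTree(root).write(path,
    # xml_declaration=True) so the declaration is preserved.
    return ET.tostring(root, encoding="unicode")


def endpoints(xml_text: str, region_id: str) -> Dict[str, List[str]]:
    """Collect {'S3': [...], 'EC2': [...]} for one region, to verify the edit."""
    root = ET.fromstring(xml_text)
    region = root.find(f"./Region[@Id='{region_id}']")
    result: Dict[str, List[str]] = {}
    for ep in region.findall("Endpoint"):
        result.setdefault(ep.get("Type", ""), []).append(ep.text or "")
    return result


if __name__ == "__main__":
    changed = rewrite_region(SAMPLE_XML, "ap-northeast-1", S3_CONSOLE_DNS, EC2_VPCE_DNS)
    print(changed)
    print(endpoints(changed, "ap-northeast-1"))
```

Run it against the sample and the Tokyo region ends up with exactly one S3 endpoint (the bucket.vpce name) and the vpce EC2 endpoint, while us-east-1 is untouched; passing a DNS name from a different region raises instead of silently rewriting the file.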

Add Object Storage Repository

Now that the AmazonS3Regions.xml file has been modified, when you select the entry you changed within Veeam Backup & Replication, the software will connect to the specified endpoints.

  • For Object Storage Repository, Add Amazon S3 Storage repository. On the Bucket tab of the wizard, select the Region that matches the Region name you modified in the AmazonS3Regions.xml file.
  • For Capacity Tier, Add Amazon S3 Storage repository. On the Bucket tab of the wizard, select the Region that matches the Region name you modified in the AmazonS3Regions.xml file. Then, add Capacity Tier to the Scale-Out Backup Repository.
  • For Archive Tier, Add Amazon S3 Glacier Storage repository. On the Bucket tab of the wizard, select the Data center that matches the Region name you modified in the AmazonS3Regions.xml file. Then, add Archive Tier to the Scale-Out Backup Repository.