This article documents the configuration of Veeam Backup & Replication to use AWS PrivateLink or AWS Direct Connect. These services allow Scale-Out Backup Repository offload to Capacity Tier or Archive Tier, as well as the connection to an Object Storage Repository, without using public endpoints.
The instructions are applicable to Veeam Backup & Replication version 12 or newer.
(If using AWS Direct Connect, skip to step 2.)
For AWS PrivateLink, configure a VPN connection to the VPC where you plan to deploy the PrivateLink endpoint. One way to do this is to create a tunnel on the VM gateway using AWS Client VPN.
Create Endpoints in VPC:
1. Create an S3 Interface Endpoint in your VPC. It will be assigned a DNS name that you can see in the AWS Console under VPC - Endpoints when selecting the corresponding Endpoint.
2. An EC2 Endpoint must also be created if intending to use Archive Tier.
To stop Veeam Backup & Replication from overwriting your edited AmazonS3Regions.xml during its daily region update, create the following registry value on the Veeam Backup Server:
**Key Location:** HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
**Value Name:** CloudRegionsDisableUpdate
**Value Type:** DWORD (32-Bit) Value
**Value Data:** 1
AmazonS3Regions.xml Overwritten During Product Update
The ‘CloudRegionsDisableUpdate’ registry value only disables Veeam Backup & Replication performing its daily check and update of the AmazonS3Regions.xml file.
This registry value **does not** prevent that file from being overwritten by an updated version of the file contained within, and deployed by, a product update.
You should keep a copy of your modified AmazonS3Regions.xml in a safe place so that you can restore it if a product update reverts the custom changes you make.
* For Linux-based Gateway servers, add the following entry to the **/etc/VeeamAgentConfig** file (if the file is not present, create it):
ObjectStorageTlsRevocationCheck=0
Note: Prior to Veeam Backup & Replication 12, this setting was named S3TLSRevocationCheck.
5. To configure the Helper Appliance used for Object Storage Repository Health Checks to use the private IP address, add the following registry value on the Veeam Backup Server:
**Key Location:** HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
**Value Name:** ArchiveUsePrivateIpForAmazonHelperAppliance
**Value Type:** DWORD (32-Bit) Value
**Value Data:** 1
1 = the Helper Appliance uses its private IP address | 0 = disabled (default)
6. If you plan to use Amazon Glacier for Archive Tier, review the following:
* Certificate revocation checks must be permitted. The Veeam Backup Server and the VPC where the Archiver Appliance is deployed must have access to certificate revocation lists used by AWS over port 80 (*.amazontrust.com).
* The following additional registry values must be created on the Veeam Backup Server:
* **Key Location:** HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
**Value Name:** ArchiveFreezingUsePrivateIpForAmazonAppliance
**Value Type:** DWORD (32-Bit) Value
**Value Data:** 1
* **Key Location:** HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
**Value Name:** ArchiveFreezingSkipProxyValidation
**Value Type:** DWORD (32-Bit) Value
**Value Data:** 1
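As an added example (this script is not from the Veeam article), the following PowerShell creates every registry value described above on the Veeam Backup Server, then reads each one back and checks both the data and that it was created as a 32-bit DWORD. The two Archive Tier values from step 6 are applied only when the `-GlacierArchiveTier` switch, which is this script's own convention, is given.

```powershell
# Added example (not from the Veeam KB article): create the DWORD registry
# values this article describes and verify them. Run elevated on the Veeam
# Backup Server. The -GlacierArchiveTier switch is an assumption of this script.
#Requires -RunAsAdministrator
param(
    [switch]$GlacierArchiveTier   # also apply the step 6 values for Amazon S3 Glacier Archive Tier
)

$key = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'

# Name => expected data. All are DWORD (32-bit) values, as in the article.
$values = [ordered]@{
    'CloudRegionsDisableUpdate'                   = 1  # stop the daily AmazonS3Regions.xml update
    'ArchiveUsePrivateIpForAmazonHelperAppliance' = 1  # health-check helper appliance uses its private IP
}
if ($GlacierArchiveTier) {
    $values['ArchiveFreezingUsePrivateIpForAmazonAppliance'] = 1
    $values['ArchiveFreezingSkipProxyValidation']            = 1
}

if (-not (Test-Path -LiteralPath $key)) {
    throw "Key not found: $key. Is Veeam Backup & Replication installed on this host?"
}

foreach ($name in $values.Keys) {
    $before = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $before) { Write-Host "Existing $name = $before" }
    # -Force overwrites an existing value; PropertyType DWord = 32-bit DWORD
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
}

# Read back; a wrong value or a value created with the wrong type aborts.
$problems = foreach ($name in $values.Keys) {
    $item   = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$name } else { $null }
    $kind   = (Get-Item -LiteralPath $key).GetValueKind($name)
    if ($actual -ne $values[$name] -or $kind -ne 'DWord') {
        "$name is $actual ($kind); expected $($values[$name]) (DWord)"
    } else {
        Write-Host "OK  $name = $actual ($kind)"
    }
}
if ($problems) { throw ("Registry verification failed:`n" + ($problems -join "`n")) }
```

Run it once without the switch for S3-only deployments and with `-GlacierArchiveTier` when Amazon S3 Glacier is used for Archive Tier; rerunning is safe because `-Force` simply rewrites the same data.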
This Affects All Traffic to the Modified Region
The AmazonS3Regions.xml file contains a list of regions and their respective endpoints. Modifying a region's endpoints forces Veeam Backup & Replication to connect to the specified endpoints whenever that region is selected in the UI. The change therefore applies to every task that uses the modified region, not just the one you are configuring. To avoid interfering with other tasks, pick a region that no other task or object in Veeam Backup & Replication uses, modify that one, and select it only when you want traffic directed to the custom endpoints.
Example:
<Region Id="ap-northeast-1" Name="Asia Pacific (Tokyo)" Type="Global">
Note: For S3, the AWS console displays a DNS name beginning with an asterisk (a wildcard). When editing AmazonS3Regions.xml, replace that asterisk with the word bucket.
Example:
<Endpoint Type="S3">s3-ap-northeast-1.amazonaws.com</Endpoint>
Is changed to:
<Endpoint Type="S3">**bucket**.vpce-00000000000000000-00000000.s3.ap-northeast-1.vpce.amazonaws.com</Endpoint>
Example (the struck-through line is the region's original dualstack S3 endpoint, which is removed):
<Region Id="ap-northeast-1" Name="Asia Pacific (Tokyo)" Type="Global">
<Endpoint Type="S3">bucket.vpce-00000000000000000-00000000.s3.ap-northeast-1.vpce.amazonaws.com</Endpoint>
~~<Endpoint Type="S3">s3.dualstack.ap-northeast-1.amazonaws.com</Endpoint>~~
Example:
<Endpoint Type="EC2">ec2.ap-northeast-1.amazonaws.com</Endpoint>
Is changed to:
<Endpoint Type="EC2">vpce-00000000000000000-00000000.ec2.ap-northeast-1.vpce.amazonaws.com</Endpoint>
(Screenshots in the original article: "Before Changes" and "After Adding Custom S3 and EC2 Endpoint".)
Now that the AmazonS3Regions.xml file has been modified, when you select the entry you changed within Veeam Backup & Replication, the software will connect to the specified endpoints.
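The edit described above, scripted as an added example (not code from the Veeam article): it keeps a dated copy of AmazonS3Regions.xml, rewrites the chosen region's S3 endpoint(s) to the single PrivateLink name with the `*.` wildcard replaced by `bucket.`, sets or adds the EC2 endpoint when one is supplied, and then checks that the new names resolve to private (RFC 1918) addresses. The default file path, the parameter names, the assumption that the XML carries no namespace, and the shape of the name-validation patterns (taken from the examples above) are all this script's own.

```powershell
# Added example (not from the Veeam KB article): repoint one region in
# AmazonS3Regions.xml at PrivateLink endpoint names and confirm those names
# resolve to private addresses. The default file path and the assumption
# that the XML has no namespace are mine; verify both on your server.
param(
    [Parameter(Mandatory)][string]$RegionId,       # region entry to repurpose, e.g. ap-northeast-1
    [Parameter(Mandatory)][string]$S3EndpointDns,  # S3 endpoint DNS name as shown in the AWS console ("*.vpce-...")
    [string]$Ec2EndpointDns,                       # EC2 endpoint DNS name; only needed for Archive Tier
    [string]$RegionsXml = 'C:\Program Files\Veeam\Backup and Replication\Backup\AmazonS3Regions.xml'  # assumed path
)

function Test-PrivateResolution([string]$Name) {
    # $true only if every A record for $Name is an RFC 1918 address, i.e. the
    # name points at the endpoint network interfaces rather than public S3/EC2.
    $addrs = @(Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    if ($addrs.Count -eq 0) { Write-Warning "$Name returned no A records"; return $false }
    $public = @($addrs | Where-Object { $_ -notmatch '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)' })
    if ($public.Count -gt 0) {
        Write-Warning "$Name resolves to public address(es): $($public -join ', ')"
        return $false
    }
    Write-Host "OK  $Name -> $($addrs -join ', ')"
    return $true
}

# The console shows the S3 interface endpoint as a wildcard ("*.vpce-...");
# Veeam needs the literal label "bucket" in its place (see the note above).
$s3 = $S3EndpointDns -replace '^\*\.', 'bucket.'
if ($s3 -notmatch '^bucket\.vpce-[^.]+\.s3\.[^.]+\.vpce\.amazonaws\.com$') {
    throw "S3 endpoint name does not look like a PrivateLink name: $s3"
}
if ($Ec2EndpointDns -and $Ec2EndpointDns -notmatch '^vpce-[^.]+\.ec2\.[^.]+\.vpce\.amazonaws\.com$') {
    throw "EC2 endpoint name does not look like a PrivateLink name: $Ec2EndpointDns"
}

# Keep a dated copy: a product update can replace this file (see the note above).
$backup = "$RegionsXml.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $RegionsXml -Destination $backup
Write-Host "Backup written to $backup"

[xml]$doc = Get-Content -LiteralPath $RegionsXml -Raw
$region = $doc.SelectSingleNode("//Region[@Id='$RegionId']")
if (-not $region) { throw "Region '$RegionId' not found in $RegionsXml" }

# Every S3 endpoint of the region (public and dualstack) collapses to the one PrivateLink name.
$s3Nodes = @($region.SelectNodes("Endpoint[@Type='S3']"))
if ($s3Nodes.Count -eq 0) { throw "Region '$RegionId' has no S3 endpoint" }
$s3Nodes[0].InnerText = $s3
foreach ($extra in ($s3Nodes | Select-Object -Skip 1)) { [void]$region.RemoveChild($extra) }

if ($Ec2EndpointDns) {
    $ec2Node = $region.SelectSingleNode("Endpoint[@Type='EC2']")
    if (-not $ec2Node) {
        $ec2Node = $doc.CreateElement('Endpoint')
        $ec2Node.SetAttribute('Type', 'EC2')
        [void]$region.AppendChild($ec2Node)
    }
    $ec2Node.InnerText = $Ec2EndpointDns
}

$doc.Save($RegionsXml)
Write-Host "Region '$RegionId' now uses S3 endpoint $s3"
if ($Ec2EndpointDns) { Write-Host "Region '$RegionId' now uses EC2 endpoint $Ec2EndpointDns" }

# Verify the names lead into the VPC before pointing a job at the region.
$ok = Test-PrivateResolution $s3
if ($Ec2EndpointDns) { $ok = (Test-PrivateResolution $Ec2EndpointDns) -and $ok }
if (-not $ok) { Write-Warning "Endpoint resolution check failed; restore $backup if this was unexpected" }
```

Run it from an elevated prompt (the file lives under Program Files) after creating the CloudRegionsDisableUpdate value, otherwise the daily update can undo the edit. A warning from the resolution check means the name is wrong or does not belong to an interface endpoint, so fix that before selecting the region in a job; the `.bak` copy is also the file to restore after a product update, as the note above advises.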
Vendor | Product | Version | CPE |
---|---|---|---|
veeam | veeam_backup_\&_replication | 12.2 | cpe:2.3:a:veeam:veeam_backup_\&_replication:12.2:*:*:*:*:*:*:* |
veeam | veeam_backup_\&_replication | 12.1 | cpe:2.3:a:veeam:veeam_backup_\&_replication:12.1:*:*:*:*:*:*:* |
veeam | veeam_backup_\&_replication | 12 | cpe:2.3:a:veeam:veeam_backup_\&_replication:12:*:*:*:*:*:*:* |