AWS S3 storage backup via closed network

[Kei]

Hi

I would like to know how to conduct backup to AWS S3 directly via closed network(Direct Connect or Internet VPN).

I found the way to conduct backup to S3 via closed network when I use SOBR.
https://www.veeam.com/kb4226
But I can not find the article for direct backup to S3.

Best regards.

[Mildur]

Hi Keita

Have you tried the KB for your scenario? At least some of the config files sounds valid to me.
I cannot test it myself because I don't have the right Lab. I have asked internally for confirmation.

Best,
Fabian

[Kei]

Hi Fabian

Thank you for your reply.
I have not tested using KB because I am not sure backup to AWS S3 directly via closed network(Direct Connect or Internet VPN) is suppored by Veeam.

If AWS S3 directly via closed network(Direct Connect or Internet VPN) is suppored by Veeam, I will test on LAB by utilizing the KB.

Thank you.

[veremin]

Can you clarify a bit where the backup server is located? Inside or outside AWS? Are you protecting on-prem workloads and thinking about directly backing them up to S3 over a private connection? Thanks!

[Kei]

Let me explain our topology.

⁻ VBR is located on AWS EC2 instance.
- Protecting on-premises servers.
- AWS and on-premises is connected using Internet VPN.(also considering to use direct connect)
- Backup mode is managed by agent.
- I would like to backup on-premises servers to S3 directly via Internet VPN.(also considering to use direct connect)

Thank you.

[Kei]

Hi

Is there any update for this？
If I need to show more detailed information, please let me know.

Thank you.

[veremin]

In this case you don't need to modify any of the backup server components, just ensure that direct connection mode is set for the object storage repository and that managed agents are connecting to S3 endpoints using Direct Connect services. Thanks!

[Kei]

Hi

Thank you for your reply.
I think if I do not do any additional configuration, the traffic flow is as bellow.
Even if I deploy Gateway Server on AWS,

Veeam agent→(DirectConnect)→Gateway Server→(Internet)→S3

Because Veeam agent or VBR do not know the S3 private endpoint on VPC.
If my understanding is incorrect, please let me know.

Thank you.

[veremin]

If you set a direct connection mode for the object storage repository, no gateway server will be participating in traffic flow, but sure you need to set up Direct Connect so all managed agents are capable of reaching S3 services using it (but that does not have anything to do with our products). Thanks!

[Kei]

Hi

Thank you for your reply. I am sorry for misunderstanding.
But let me confirm one point.
If we would like traffic to pass via Direct Connect, I think we need to configure Veeam agent or VBR.
As bellow Veeam KB, when we use SOBR and would like traffic to pass via Direct Connect, we need to configure region file on VBR.
https://www.veeam.com/kb4226

I think this is Veeam product matter.
If my understanding is not correct, please let me know.

Thank you.

[veremin]

Hi, Keita,

I seem to have misunderstood your request a bit. Apologize for that.

You are right that xml modification is required on the managed agents and on the backup server.

The steps appear to be the same - correct the region list and disregard the regkey portion.

Our QA team have not tested the Direct Connect with agents, so we cannot promise something at this stage.

However, once we're done with the cumulative patch release, we will try to reproduce your case and see what additional actions are needed.

I will update the thread, once I have more information.

Thanks!

[veremin]

By the way, can you share with us the types of agents you are managing? Windows, Linux, etc.? This will help us to limit the testing scope and come back with the answers sooner.

[Kei]

Hi, Thank you for your reply.

The type of agent is Windows.
I will wait your update.

Thank you

[veremin]

Thanks, Keita, I've passed the information further to the QA team. I will keep the thread updated.

[veremin]

We found that there is an easier approach to your ask:

- Add Amazon S3 bucket through the S3 compatible backup repository wizard
- Set the following value as Service Endpoint:

Code: Select all

<S3 Interface Endpoint DNS>.s3.<Region_Name>.vpce.amazonaws

Example:

Code: Select all

bucket.vpce-00000000000000000-00000000.s3.ap-northeast-1.vpce.amazonaws.com

- Specify the “provided by object storage capabilities (direct to object) ” as access control option
- Set the following values to the IAM and STS endpoints:

Code: Select all

iam.amazonaws.com

Code: Select all

sts.amazonaws.com

That seems to be it, and no additional manipulations are needed.

Sorry the update took longer than expected.

Thanks!

[Kei]

Hi

Sorry for late reply.
Thank you for your guide. I will test it on our lab.

Regards.

[veremin]

Let us know if everything goes well. We are interested to see whether the alternative proposal answers your requirements. Thanks!

[Kei]

Hi

I tested on my lab, but I had error and failed to backup to S3.

Error: Failed to get certificate from: https://bucket.<S3 Interface Endpoint DNS>.s3.<Region_Name>.vpce.amazonaws.com/

Do I need additional setting except you have already mentioned?

Best regards.

[veremin]

Can you tell me where exactly you got this message? In the object storage repository wizard or in the agent policy session? Thanks!

[Kei]

Hi

Thank you for reply.
I got this message on Veeam agent.
As I mentioned above, I use managed by agent so VBR do not have any message.

Thank you.

[veremin]

Got it, we will verify what might be wrong with the proposed configuration.

[veremin]

The proposed configuration seems valid.

The error identifies the connectivity issue, as the agent could not reach the S3 service via Privatelink.

Could you try to reach the given address from the agent machine and see whether you could do it outside of our software?

Thanks!

[Kei]

Hi

Thank you for your reply.
On target server which installed Veeam agent, I checked connectivity to S3 interface endpoint via internet VPN and it worked well...(port 443)

If you have any idea about this issue, please let me know.

Thanks.

[veremin]

Then, we kindly ask you to collect the debug logs, open a ticket with our support team and share its number here.

This way we can follow the investigation and provide our assistance if any is necessary.

Thanks!

[Kei]

Hi

Thank you for your reply.
Now we are using free license, so we can not use support...

But I found backup is going well if we choose "Through a gateway server" as connection type.
Did you use this connection type on your test?

Best regards

[veremin]

Do you mean Community Edition? I'm curious because object storage repositories are only available for restoration purposes in such editions. Thanks!

[Kei]

Hi

Thank you for your reply. I use NFR license.

Thanks.

[veremin]

Got it, you still try getting a ticket, as support is provided even for the owners of free licenses (on a best effort, though).

As to the last question, by switching to the "gateway" connection mode you made the agents connect and write to object storage through the specified servers instead of writing to it directly. Not sure whether this is a desired outcome.

Thnaks!

[Kei]

Hi

Thank you for your reply.
I will try to use best effort support.

But let me make sure one point. Does Veeam support both type of Connection Type on this scenario?

Thank you.

[veremin]

You can make both modes work through Privatelink, if that's what you are asking. Thanks!