-
- Expert
- Posts: 119
- Liked: 11 times
- Joined: Nov 16, 2020 2:58 pm
- Full Name: David Dunworthy
- Contact:
Avoiding traffic to internet s3 offloads.
So I created a bucket and it is set to block all public access.
I made a programmatic only user in aws and created the custom policy veeam has for limiting access to only the buckets. Then I assigned the policy to that new user.
I gave veeam the keys and it was able to add the s3 repo.
I am wondering how veeam was able to contact the bucket and make a folder if not "public" over the internet? The key i think maybe is that my veeam server is a vm running in vmware cloud on aws? So does it somehow detect that it can talk to the bucket "internally in aws" rather than public traffic? I don't know how? Just curious. Since it seems to have to be doing this since default new bucket settings in s3 block public access.
I am just concerned with egress charges and want to ensure that the data all stays within the aws ecosystem. I read a veeam guide that said to make sure to use internal ips of s3 but there is no place to enter in dns or ip.. it is all just keys and select your bucket. So how would I even do that?
The performance extent will be an ec2 block storage disk attached to an ec2 instance. So those backups would travel from there to s3 bucket which is all within aws is what I am hoping.
Just don't want any of this as considered egress from public to or from aws since those rates are higher and the guides I read claim this is all possible so long as internal ips are used with aws. Which I still need clarification on how to do.
I made a programmatic only user in aws and created the custom policy veeam has for limiting access to only the buckets. Then I assigned the policy to that new user.
I gave veeam the keys and it was able to add the s3 repo.
I am wondering how veeam was able to contact the bucket and make a folder if not "public" over the internet? The key i think maybe is that my veeam server is a vm running in vmware cloud on aws? So does it somehow detect that it can talk to the bucket "internally in aws" rather than public traffic? I don't know how? Just curious. Since it seems to have to be doing this since default new bucket settings in s3 block public access.
I am just concerned with egress charges and want to ensure that the data all stays within the aws ecosystem. I read a veeam guide that said to make sure to use internal ips of s3 but there is no place to enter in dns or ip.. it is all just keys and select your bucket. So how would I even do that?
The performance extent will be an ec2 block storage disk attached to an ec2 instance. So those backups would travel from there to s3 bucket which is all within aws is what I am hoping.
Just don't want any of this as considered egress from public to or from aws since those rates are higher and the guides I read claim this is all possible so long as internal ips are used with aws. Which I still need clarification on how to do.
-
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: Avoiding traffic to internet s3 offloads.
That’s not exactly what blocking public access means on an s3 bucket. Blocking public access is more for blocking the s3 bucket from being accessed via a browser or without IAM keys. Blocking public access is a recommended default from aws but it doesn’t apply to how software connects to s3.
S3 is a namespace and we connect to those public endpoints provided by aws via dns. There are ways to send s3 traffic over a direct connect using VPC endpoints and route53 dns. But I’m assuming you don’t have a direct connect. Aws also has a s3 private endpoint service that would work over vpn but it also has costs associated with it. You seem to be more concerned with egress charges and none of this would matter. Egress is egress no matter if it’s to public internet or aws network. And restore out of s3 is an egress charge.
S3 is a namespace and we connect to those public endpoints provided by aws via dns. There are ways to send s3 traffic over a direct connect using VPC endpoints and route53 dns. But I’m assuming you don’t have a direct connect. Aws also has a s3 private endpoint service that would work over vpn but it also has costs associated with it. You seem to be more concerned with egress charges and none of this would matter. Egress is egress no matter if it’s to public internet or aws network. And restore out of s3 is an egress charge.
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
-
- Expert
- Posts: 119
- Liked: 11 times
- Joined: Nov 16, 2020 2:58 pm
- Full Name: David Dunworthy
- Contact:
Re: Avoiding traffic to internet s3 offloads.
https://www.veeam.com/kb2414
If you look at step 6 part 1 it says "please use the internal interface of the s3 target to avoid internet traffic costs".
I still don't see how veeam can know to "use internal interface" as all it takes is an access key and special key. It does the rest.
One thing I didn't think of is that I will have a private eni interface between veeam server in vmware cloud and the ec2 vm that will store the first copy of backups.
So the backups only need to travel from ec2 over to s3. That is the part I want to avoid egress fees.
Both of the options you mentioned would cost so I wonder if egress is actually cheaper than dealing with those other costs. Hmm
If you look at step 6 part 1 it says "please use the internal interface of the s3 target to avoid internet traffic costs".
I still don't see how veeam can know to "use internal interface" as all it takes is an access key and special key. It does the rest.
One thing I didn't think of is that I will have a private eni interface between veeam server in vmware cloud and the ec2 vm that will store the first copy of backups.
So the backups only need to travel from ec2 over to s3. That is the part I want to avoid egress fees.
Both of the options you mentioned would cost so I wonder if egress is actually cheaper than dealing with those other costs. Hmm
-
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: Avoiding traffic to internet s3 offloads.
I wrote that article. That is referring to VMware cloud on AWS. It has an internal elastic interface to AWS internal network that keeps traffic on the AWS backbone. This is for traffic inside of VMC and egress charges would still apply on this as well.
By default in VMC all traffic will go across the eni to s3. You can check this on the network settings page.
By default in VMC all traffic will go across the eni to s3. You can check this on the network settings page.
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
-
- Expert
- Posts: 119
- Liked: 11 times
- Joined: Nov 16, 2020 2:58 pm
- Full Name: David Dunworthy
- Contact:
Re: Avoiding traffic to internet s3 offloads.
Yes I have vmware cloud on aws. The diagram is exactly how my setup will be.
I will use Linux vm in ec2 and then sobr this with s3. I'm glad I'm talking to the person who wrote the article! Lol
So to try to understand better. I was going by how the eni is between veeam server and ec2 vm. It didn't look like it covers anything else.
So it is instead that the eni is connection for all of vmc itself to all the rest of any s3 services?
Do you have any link or info on how I would create the ENI itself?
Lastly, I assume veeam server in vmc will just have the Linux vm copy the data sitting on its own ebs disk from there to s3. It will not travel back into vmc to the veeam server vm and then into s3 surely?
I appreciate your help!
I will use Linux vm in ec2 and then sobr this with s3. I'm glad I'm talking to the person who wrote the article! Lol
So to try to understand better. I was going by how the eni is between veeam server and ec2 vm. It didn't look like it covers anything else.
So it is instead that the eni is connection for all of vmc itself to all the rest of any s3 services?
Do you have any link or info on how I would create the ENI itself?
Lastly, I assume veeam server in vmc will just have the Linux vm copy the data sitting on its own ebs disk from there to s3. It will not travel back into vmc to the veeam server vm and then into s3 surely?
I appreciate your help!
-
- Veeam Software
- Posts: 492
- Liked: 175 times
- Joined: Jul 21, 2015 12:38 pm
- Full Name: Dustin Albertson
- Contact:
Re: Avoiding traffic to internet s3 offloads.
Sure. I’ll reply back with more detail in the morning. But the eni is created by default and there is nothing you have to do to add it
Dustin Albertson | Director of Product Management - Cloud & Applications | Veeam Product Management, Alliances
-
- Expert
- Posts: 119
- Liked: 11 times
- Joined: Nov 16, 2020 2:58 pm
- Full Name: David Dunworthy
- Contact:
Re: Avoiding traffic to internet s3 offloads.
That is awesome and makes this sound way easier. I'll wait for you detail tomorrow.
-
- Expert
- Posts: 119
- Liked: 11 times
- Joined: Nov 16, 2020 2:58 pm
- Full Name: David Dunworthy
- Contact:
Re: Avoiding traffic to internet s3 offloads.
Don't leave me hangin Dustin! lol j/k, I know you are very busy. If you end up with some spare time please let me know any more detail you can. I am trying to reach out to AWS people as well but this is a big project I'm doing with Veeam and trying to make sure it goes well. I've used it everywhere I've worked and enjoy pushing it to companies.
Who is online
Users browsing this forum: No registered users and 14 guests