VBR / VBO Offload via AWS Privatelink

[adlloyd79]

Hi,

Just looking for a bit of feedback really.

We plan to use both Veeam Backup & Recovery, and Veeam Backup for Office 365. I have followed this article (https://www.veeam.com/kb4226) to configure VBR to conect to AWS using the private IP over VPN, this is working well. However I now understand that VBO does not support connecting to AWS using the private IP, so we will need to maintain access to AWS via public IP for VBO to work.

With this in mind I would appreciate thoughts on the remaining benefits of using a VPN for VBR only if it cannot also be used for VBO? For us two key benefits of the VPN were that we could restrict SSH to the AWS private IP (rather than the massive AWS public IP range) and that we did not need to open public access into AWS. It seems though that we will have to lose these restrictions as they will stop VBO from working. So I am now not really sure there is much point still using the VPN for VBR, am I missing some remaining benefit to continue using the VPN for VBR only?

Thanks,

Aaron

[veremin]

Are you using Capacity or Archive Tiers? Or Direct Restore to AWS EC2? If so, you can make both of them work through a private IP address following the recommendations provided in the KB article. Otherwise, no need to configure it. Thanks!

[chris.childerhose]

The issue is that he is asking about VBO versus VBR in this case which I am sure you cannot use the private link as noted by OP.

[veremin]

Not sure about this assumption, as Aaron has asked the following

With this in mind I would appreciate thoughts on the remaining benefits of using a VPN for VBR only if it cannot also be used for VBO?

Thanks!

[adlloyd79]

Hi,

Yeah, sorry maybe not as clear as I hoped.

So VBR is configured to use private IP already and works fine.

However now that I know that I cannot use the private IP for VBO I am not sure that there is much point in using the VPN/private IP for VBR anymore.

What I am trying to get clear in my own mind is as I have to relax security for VBO (i.e. allow access to SSH for the full AWS public IP range), are there still any benefits to using VPN/private IP for VBR given that restricting to private IP only is no longer possible due to VBO requirements. If access to AWS is not restricted to private IP only, is there really much point forcing VBR to use the private IP? With access over public IP being open for VBO, I might as well use the same method for VBR as well? Or is there still benefit to using private IP for VBR while VBO uses public IP?

Thanks.

[veremin]

As mentioned, you can make the said features (Capacity Tier, Archive Tier, Direct Restore to AWS EC2) communicate with the cloud over private IP addresses. If you do not find any benefits in this setup, you can relax the security requirements and have everything exposed over public IP addresses. Thanks!