-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
I will clarify it internally and come back with more information. Thanks!
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
You should replace the first string and remove others.
Also, be sure to follow closely all the following steps including setting two registry keys CloudRegionsDisableUpdate and ArchiveFreezingUsePrivateIpForAmazonAppliance.
If you are sure that you have set everything up correctly, please open a support ticket and share its number here - QA team will assist with the investigation process.
Thanks!
-
- Influencer
- Posts: 14
- Liked: 3 times
- Joined: May 10, 2021 5:17 pm
- Full Name: Andrew Foster
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
I will make that change to the XML file and try again. I did make the CloudRegionsDisableUpdate reg key but not the 2nd one as I read that as only being needed if I am using Archiving which we're not.
-
- Influencer
- Posts: 14
- Liked: 3 times
- Joined: May 10, 2021 5:17 pm
- Full Name: Andrew Foster
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
@veremin
It appears to now be sending data over our direct connect and private link. One question though: when we look at the stats for our direct connect and watch BytesIn, there is an even higher number of BytesOut. Could you explain why, as we are copying data off, we are seeing even more traffic for BytesOut? I wish I could attach a picture which might help illustrate what we are seeing better without having to post it to a website and link it in the post.
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Unfortunately without pictures and clear understanding of what you are measuring and how we cannot provide any meaningful response or advice.
If you feel something is going wrong, reach our support team for further investigation.
Thanks!
-
- Enthusiast
- Posts: 93
- Liked: never
- Joined: Aug 21, 2014 7:26 am
- Full Name: Toshihiro Kobayashi
- Contact:
[MERGED] Restore as EC2 from S3 via the Interface endpoints for Amazon S3
Hi
Our customer wants to restore as EC2 from backup data in S3 via the Interface endpoints for Amazon S3 by using Veeam B&R.
https://docs.aws.amazon.com/en_us/Amazo ... oints.html
We understand Proxy Appliance is required when restoring from S3 backup data as EC2 instance with Veeam B&R.
So if we restore as EC2 from S3 backup data via the following Interface endpoints for Amazon S3, we think Proxy Appliance should connect to S3 using Private IP address.
According to the KB below, by setting the below registry, we believe that the Proxy Appliance can use the Private IP to communicate backup data from the capacity tier to the archive tier.
https://www.veeam.com/kb4226
==========
Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
Value Name: ArchiveFreezingUsePrivateIpForAmazonAppliance
Value Type: DWORD (32-Bit) Value
Value Data: 1
==========
Is it possible for the Proxy Appliance to use a Private IP for restore as EC2 from backup data in S3 via the Interface endpoints for Amazon S3?
Please let me know if you have the required registry key.
-
- Enthusiast
- Posts: 93
- Liked: never
- Joined: Aug 21, 2014 7:26 am
- Full Name: Toshihiro Kobayashi
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Hi
When we run offload backup files via AWS PrivateLink, which port does Veeam need?
From the below Veeam user guide, we believe that TCP 443 communication with bucket.DNS name of S3 Interface Endpoint will be required.
https://helpcenter.veeam.com/docs/backu ... onnections
-------------------------
Gateway Server -> bucket.DNS name of S3 Interface Endpoint TCP 443
-------------------------
If we use Global regions, is "https" communication to "*.amazonaws.com" and "*.amazontrust.com" from Gateway Server also required even if the bucket.DNS name of S3 Interface Endpoint is specified in AmazonS3Regions.xml file?
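A check for the connection described in the post above, added here as an example and not part of the thread or of Veeam's tooling: it resolves the name a gateway server would contact and reports whether every answer is a private (RFC 1918) address, then optionally tests TCP 443 against those addresses only. The function names and the injectable resolver are assumptions made for this example.

```python
import ipaddress
import socket

# RFC 1918 ranges, the usual source of VPC subnet (and interface endpoint) addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(host, port=443):
    """Distinct addresses the local resolver returns for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def tcp_connect(addr, port=443, timeout=3.0):
    """True if a TCP handshake to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_endpoint(host, port=443, resolver=resolve, connect=None):
    """Classify host as 'private-only', 'mixed', 'public' or 'unresolved'."""
    try:
        addresses = resolver(host, port)
    except OSError:
        addresses = []
    private = [a for a in addresses if is_private(a)]
    public = [a for a in addresses if not is_private(a)]
    if not addresses:
        verdict = "unresolved"
    elif not public:
        verdict = "private-only"
    elif not private:
        verdict = "public"
    else:
        verdict = "mixed"
    # Probe the port only when every answer is private, so the check itself
    # never sends traffic toward a public address.
    reachable = None
    if connect is not None and verdict == "private-only":
        reachable = all(connect(a, port) for a in private)
    return {"host": host, "verdict": verdict, "private": private,
            "public": public, "reachable": reachable}

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:  # pass the endpoint DNS names to check
        print(check_endpoint(name, connect=tcp_connect))
```

Run it from the gateway server itself, since the answer depends on that machine's resolver and routing.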
-
- Enthusiast
- Posts: 57
- Liked: 2 times
- Joined: Feb 06, 2017 4:07 am
- Full Name: Antony Marijanovic
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Hi All,
I just want to confirm if it's required for the Object storage gateways to still communicate management traffic over their public interface to the Proxy Appliance when using private link? Assuming if it is required then data traffic is sent over private link. The KB https://www.veeam.com/kb4226 has been followed including both reg keys.
Below is the error we are seeing:
Can confirm that S3 object storage has been successfully added (no backups copied/moved yet).
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Have you configured EC2 interface endpoint in the VPC selected for proxy appliance? Thanks!
-
- Enthusiast
- Posts: 57
- Liked: 2 times
- Joined: Feb 06, 2017 4:07 am
- Full Name: Antony Marijanovic
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
We didn't have the EC2 interface endpoint configured but have created it after your suggestion. We missed that from the KB.
The EC2 interface endpoint has been created but the issue is still there. The VPC we are connecting to only accepts private direct connect/private link traffic as there is no internet gateway.
When we add the public IP to the AWS security group it does allow us to add the Archive Tier repository and proxy appliance, but this is not a perfect solution. Even with the EC2 interface endpoint and the private on-premises IP range added to the AWS security group, VBR still searches for the public IP address to allow 443, 22 to the AWS subnet range.
Is this just a legacy check and not needed when you use private link? Does this need to be removed and only be used when using a public connection?
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
How have you registered capacity and archive object storage repositories? Under S3 Interface Endpoint DNS name, correct?
-
- Enthusiast
- Posts: 57
- Liked: 2 times
- Joined: Feb 06, 2017 4:07 am
- Full Name: Antony Marijanovic
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Hi Vlad,
We have luck in that offloads are now working however indexing is taking 1 hour per VM and also offloads are running at 500KB/s. Quite slow over dual 5GbE links. We have around 300TB of data to send so it's not workable in the current state. There is a support case open with no resolution yet.
Case number: 05123943
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Might be interesting to check how other non-offload traffic (not produced by VB&R even) is affected by PrivateLink presence - whether the performance decreases or not. Also, it might be worth verifying the download traffic (produced by VB&R) as well.
We will follow the investigation and chime in, as soon as we have time for that - currently most teams are working on the next cumulative patch.
Thanks!
-
- Enthusiast
- Posts: 57
- Liked: 2 times
- Joined: Feb 06, 2017 4:07 am
- Full Name: Antony Marijanovic
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
They get great non-Veeam performance - max out a 5GbE link (around 50MB/s upload test confirmed to be traversing private link using private subnet (192.168.x.x)).
Need to confirm if V11a brought in everything required to support Private Link because right now it doesn't seem so but definitely could be wrong and the Knowledge Base article might need updating if there are extra steps required.
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
And what about the performance during download operation? What speed do you get, if you try to download backups from capacity tier using backup server?
11a brought everything needed for PrivateLink support - this was confirmed by our QA team, and KB article has been created as the result of this confirmation.
Will check the given ticket, as soon as we are done with the next cumulative patch testing.
Thanks!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 27, 2020 7:51 am
- Full Name: Sachin Pangal
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Does AWS direct/private link work with Veeam version 10.0.1.4854 P2?
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Nope, you need to install 11a first. Thanks!
-
- Enthusiast
- Posts: 67
- Liked: 6 times
- Joined: Aug 07, 2015 8:45 pm
- Full Name: David Engler
- Contact:
[MERGED] Modify AmazonS3Regions.xml for direct connect
I found kb4226 that mentions modifying a section of the AmazonS3Regions.xml file to utilize a direct link for offloading backups. Can I just copy an existing section and modify it to be unique or am I limited to updating an existing connection? I tried adding a section below and it initially appeared to work but then gave an error. At the time I didn't have time to make updates and restart services so I put the original file back. Below is what I tried, I'm hoping someone can confirm I can go this route and if there are any suggestions before I try this again when I have a window to stop/start services.
I matched the Region Id with LocationConstraint but not sure if that is required/necessary.
Code:
<Region Id="us-direct-1" Name="Direct01" Type="Global">
  <Endpoint Type="S3">bucket.MYDIRECTURL.amazonaws.com</Endpoint>
  <Endpoint Type="EC2">ec2.us-east-2.amazonaws.com</Endpoint>
  <Endpoint Type="IAM">iam.amazonaws.com</Endpoint>
  <Endpoint Type="EC2" Fips="true">ec2-fips.us-east-2.amazonaws.com</Endpoint>
  <Endpoint Type="S3" Fips="true">s3-fips.us-east-2.amazonaws.com</Endpoint>
  <Endpoint Type="IAM" Fips="true">iam-fips.amazonaws.com</Endpoint>
  <Protocol>HTTP</Protocol>
  <Protocol>HTTPS</Protocol>
  <LocationConstraint>us-direct-1</LocationConstraint>
  <SignatureVersion>4</SignatureVersion>
</Region>
-
- Product Manager
- Posts: 9848
- Liked: 2607 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Modify AmazonS3Regions.xml for direct connect
Hi David
"and it initially appeared to work but then gave an error."
What's the Case number?
Thanks
Fabian
Product Management Analyst @ Veeam Software
-
- Enthusiast
- Posts: 67
- Liked: 6 times
- Joined: Aug 07, 2015 8:45 pm
- Full Name: David Engler
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
I have not opened a case yet, I tried the edits above and got an error so I put the original file back. I'm hoping to get some clarifications on my edits before I schedule another downtime where I can restart services and try the updated file.
-
- Product Manager
- Posts: 20415
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Utilize AWS Direct Connect/Private Link for Capacity Tier
Kindly follow the instructions given in the KB article, and open a case, if they do not help. This way we can assist you productively with the investigation process, which we currently cannot do over forum correspondence. Thank you for the understanding!