Discussions related to using object storage as a backup target.
veremin
Product Manager
Posts: 20415
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin » 1 person likes this post

I will clarify it internally and come back with more information. Thanks!

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

You should replace the first string and remove others.

Also, be sure to follow closely all the following steps including setting two registry keys CloudRegionsDisableUpdate and ArchiveFreezingUsePrivateIpForAmazonAppliance.

If you are sure that you have set everything up correctly, please open a support ticket and share its number here - QA team will assist with the investigation process.

Thanks!
vIdaho1
Influencer
Posts: 14
Liked: 3 times
Joined: May 10, 2021 5:17 pm
Full Name: Andrew Foster
Contact:

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by vIdaho1 »

I will make that change to the XML file and try again. I did make the CloudRegionsDisableUpdate reg key but not the 2nd one as I read that as only being needed if I am using Archiving which we're not.

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by vIdaho1 »

@veremin

It appears to now be sending data over our direct connect and private link. One question though: when we look at the stats for our direct connect and watch BytesIn, there is an even higher number of BytesOut. Could you explain why, as we are copying data off, we are seeing even more traffic for BytesOut? I wish I could attach a picture, which might help illustrate what we are seeing better, without having to post it to a website and link it in the post.

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

Unfortunately, without pictures and a clear understanding of what you are measuring and how, we cannot provide any meaningful response or advice.

If you feel something is going wrong, reach our support team for further investigation.

Thanks!
Tos
Enthusiast
Posts: 93
Liked: never
Joined: Aug 21, 2014 7:26 am
Full Name: Toshihiro Kobayashi
Contact:

[MERGED] Restore as EC2 from S3 via the Interface endpoints for Amazon S3

Post by Tos »

Hi

Our customer wants to restore as EC2 from backup data in S3 via the Interface endpoints for Amazon S3 by using Veeam B&R.
https://docs.aws.amazon.com/en_us/Amazo ... oints.html

We understand Proxy Appliance is required when restoring from S3 backup data as EC2 instance with Veeam B&R.
So if we restore as EC2 from S3 backup data via the following Interface endpoints for Amazon S3, we think Proxy Appliance should connect to S3 using Private IP address.

According to the KB below, by setting the registry value below, we believe that the Proxy Appliance can use the Private IP to communicate backup data from the capacity tier to the archive tier.
https://www.veeam.com/kb4226
==========
Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
Value Name: ArchiveFreezingUsePrivateIpForAmazonAppliance
Value Type: DWORD (32-Bit) Value
Value Data: 1
==========

Is it possible for the Proxy Appliance to use a Private IP for restore as EC2 from backup data in S3 via the Interface endpoints for Amazon S3?
Please let me know if you have the required registry key.

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by Tos »

Hi
When we run offload of backup files via AWS PrivateLink, which port does Veeam need?

From the below Veeam user guide, we believe that TCP 443 communication with bucket.DNS name of S3 Interface Endpoint will be required.
https://helpcenter.veeam.com/docs/backu ... onnections
-------------------------
Gateway Server -> bucket.DNS name of S3 Interface Endpoint TCP 443
-------------------------

If we use Global regions, is "https" communication to "*.amazonaws.com" and "*.amazontrust.com" from Gateway Server also required even if the bucket.DNS name of S3 Interface Endpoint is specified in AmazonS3Regions.xml file?
antony.marijanovic
Enthusiast
Posts: 57
Liked: 2 times
Joined: Feb 06, 2017 4:07 am
Full Name: Antony Marijanovic
Contact:

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by antony.marijanovic »

Hi All,

I just want to confirm if it's required for the Object storage gateways to still communicate management traffic over their public interface to the Proxy Appliance when using private link? Assuming if it is required then data traffic is sent over private link. The KB https://www.veeam.com/kb4226 has been followed including both reg keys.

Below is the error we are seeing:

Image

Can confirm that S3 object storage has been successfully added (no backups copied/moved yet).

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

Have you configured EC2 interface endpoint in the VPC selected for proxy appliance? Thanks!

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by antony.marijanovic »

We didn't have the EC2 interface endpoint configured but have created it after your suggestion. We missed that from the KB.

The EC2 interface endpoint has been created but the issue is still there. The VPC we are connecting to only accepts private direct connect/private link traffic as there is no internet gateway.

When we add the public IP to the AWS security group it does allow us to add the Archive Tier repository and proxy appliance, but this is not a perfect solution. Even with the EC2 interface endpoint and the private on-premises IP range added to the AWS security group, VBR still searches for the public IP address to allow 443, 22 to the AWS subnet range.

Is this just a legacy check and not needed when you use private link? Does this need to be removed and only be used when using a public connection?

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

How have you registered capacity and archive object storage repositories? Under S3 Interface Endpoint DNS name, correct?

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by antony.marijanovic »

Hi Vlad,

We have had luck in that offloads are now working; however, indexing is taking 1 hour per VM and also offloads are running at 500KB/s. Quite slow over dual 5GbE links. We have around 300TB of data to send so it's not workable in the current state. There is a support case open with no resolution yet.

Case number: 05123943

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

Might be interesting to check how other non-offload traffic (not produced by VB&R even) is affected by PrivateLink presence - whether the performance decreases or not. Also, it might be worth verifying the download traffic (produced by VB&R) as well.

We will follow the investigation and chime in, as soon as we have time for that - currently most teams are working on the next cumulative patch.

Thanks!

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by antony.marijanovic »

They get great non-Veeam performance - max out a 5GbE link (around 50MB/s upload test confirmed to be traversing private link using private subnet (192.168.x.x)).

Need to confirm if V11a brought in everything required to support Private Link because right now it doesn't seem so but definitely could be wrong and the Knowledge Base article might need updating if there are extra steps required.

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

And what about the performance during download operation? What speed do you get, if you try to download backups from capacity tier using backup server?

11a brought everything needed for PrivateLink support - this was confirmed by our QA team, and KB article has been created as the result of this confirmation.

Will check the given ticket, as soon as we are done with the next cumulative patch testing.

Thanks!
pangal1
Lurker
Posts: 2
Liked: never
Joined: Apr 27, 2020 7:51 am
Full Name: Sachin Pangal
Contact:

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by pangal1 »

Does AWS direct/private link work with Veeam version 10.0.1.4854 P2?

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

Nope, you need to install 11a first. Thanks!
efd121
Enthusiast
Posts: 67
Liked: 6 times
Joined: Aug 07, 2015 8:45 pm
Full Name: David Engler
Contact:

[MERGED] Modify AmazonS3Regions.xml for direct connect

Post by efd121 »

I found kb4226 that mentions modifying a section of the AmazonS3Regions.xml file to utilize a direct link for offloading backups. Can I just copy an existing section and modify it to be unique, or am I limited to updating an existing connection? I tried adding a section below and it initially appeared to work but then gave an error. At the time I didn't have time to make updates and restart services so I put the original file back. Below is what I tried; I'm hoping someone can confirm I can go this route and if there are any suggestions before I try this again when I have a window to stop/start services.

I matched the Region Id with LocationConstraint but not sure if that is required/necessary.

Code:

<Region Id="us-direct-1" Name="Direct01" Type="Global">
	<Endpoint Type="S3">bucket.MYDIRECTURL.amazonaws.com</Endpoint>
	<Endpoint Type="EC2">ec2.us-east-2.amazonaws.com</Endpoint>
	<Endpoint Type="IAM">iam.amazonaws.com</Endpoint>
	<Endpoint Type="EC2" Fips="true">ec2-fips.us-east-2.amazonaws.com</Endpoint>
	<Endpoint Type="S3" Fips="true">s3-fips.us-east-2.amazonaws.com</Endpoint>
	<Endpoint Type="IAM" Fips="true">iam-fips.amazonaws.com</Endpoint>
	<Protocol>HTTP</Protocol>
	<Protocol>HTTPS</Protocol>
	<LocationConstraint>us-direct-1</LocationConstraint>
	<SignatureVersion>4</SignatureVersion>
</Region>
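
Added example (not part of the original post and not Veeam's code): a small Python check that lists which endpoints in a Region entry like the one above use AWS interface-endpoint (vpce) hostnames and which still use regional names, so the file can be reviewed before a service restart window. The sample XML and its vpce hostname are constructed placeholders; the check reports naming only, and a regional name can still resolve to private addresses if the endpoint's private DNS is forwarded on-premises.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Region entry posted above. The vpce
# hostname is a made-up placeholder in the AWS interface-endpoint format.
SAMPLE_REGION = """
<Region Id="us-direct-1" Name="Direct01" Type="Global">
  <Endpoint Type="S3">bucket.vpce-0example-abcd1234.s3.us-east-2.vpce.amazonaws.com</Endpoint>
  <Endpoint Type="EC2">ec2.us-east-2.amazonaws.com</Endpoint>
  <Endpoint Type="IAM">iam.amazonaws.com</Endpoint>
  <Endpoint Type="S3" Fips="true">s3-fips.us-east-2.amazonaws.com</Endpoint>
  <Protocol>HTTP</Protocol>
  <Protocol>HTTPS</Protocol>
</Region>
"""

def is_interface_endpoint(host):
    """True if the hostname follows the AWS PrivateLink naming pattern:
    a 'vpce-...' label and the '.vpce.amazonaws.com' suffix."""
    host = host.strip().lower().rstrip(".")
    return host.endswith(".vpce.amazonaws.com") and any(
        label.startswith("vpce-") for label in host.split("."))

def audit_region(region_xml):
    """Return (findings, endpoints) for one <Region> element."""
    region = ET.fromstring(region_xml)
    endpoints, findings = [], []
    for ep in region.findall("Endpoint"):
        host = (ep.text or "").strip()
        kind = ep.get("Type", "?")
        fips = ep.get("Fips", "false").lower() == "true"
        private = is_interface_endpoint(host)
        endpoints.append((kind, fips, host, private))
        if not private:
            label = f"{kind} (FIPS)" if fips else kind
            findings.append(f"{label} endpoint {host} is a regional name, not a vpce name")
    protocols = {p.text.strip().upper() for p in region.findall("Protocol") if p.text}
    if "HTTP" in protocols:
        findings.append("plain HTTP is listed as an allowed protocol")
    return findings, endpoints

if __name__ == "__main__":
    findings, endpoints = audit_region(SAMPLE_REGION)
    for kind, fips, host, private in endpoints:
        print(f"{kind:4} fips={fips!s:5} vpce={private!s:5} {host}")
    for finding in findings:
        print("REVIEW:", finding)
```
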
Mildur
Product Manager
Posts: 9848
Liked: 2607 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Modify AmazonS3Regions.xml for direct connect

Post by Mildur »

Hi David
"and it initially appeared to work but then gave an error."
What's the Case number?

Thanks
Fabian
Product Management Analyst @ Veeam Software

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by efd121 »

I have not opened a case yet, I tried the edits above and got an error so I put the original file back. I'm hoping to get some clarifications on my edits before I schedule another downtime where I can restart services and try the updated file.

Re: Utilize AWS Direct Connect/Private Link for Capacity Tier

Post by veremin »

Kindly follow the instructions given in the KB article, and open a case, if they do not help. This way we can assist you productively with the investigation process, which we currently cannot do over forum correspondence. Thank you for the understanding!