Discussions related to using object storage as a backup target.
Post Reply
JOHNVE
Lurker
Posts: 1
Liked: never
Joined: Jan 18, 2023 8:23 pm
Contact:

Veeam proxy appliance s3 glacier private ec2 communication flow

Post by JOHNVE »

We have a sobr on s3. It´s fine that data itself is transferred via the normal public internet s3 endpoint, this saves on transfer cost as inbound traffic is free.
However, for archiving backups to s3 glacier veeam deploys a proxy appliance in a vpc. By default this proxy appliance has a public ip listening on 22/443 to which veeam connects.
I´m interested in having this communication go over our vpn, as I assume it wont transfer any backup data (the reason why the proxy is running in the vpc in the first place - I tend to believe).

I´ve found some great posts here on this matter referring to https://www.veeam.com/kb4226 however, I´m a bit confused by it:

Afaic the only relevant part in allowing to communicate via the private ip address of the ec2 are the reg values like ´ArchiveFreezingUsePrivateIpForAmazonAppliance´
However, the article refers to having a vpc enpoint for the ec2 service. Could it be correct that this is not required? As the endpoint is just for the ec2 api communication, like if veeam is creating the ec2 it will use the ec2 api, having a ec2 endpoint will route this ¨api traffic¨ towards the private ec2 endpoint rather than the default public one.
veeam will, after the instance was created, connect via ssh or https with the agent on the instance - this is the flow I want to route over the vpn towards aws, so that the instance does not need a public ip

So my questions:

1) could it be correct that to allow veeam to communicate with the ec2 using its private ip the vpc endpoint is optional, and the registry values suffice? So veeam wil introspect the ec2 and use it´s private ip rather than its public, disregarding if its using teh ec2 api via the public or a vpc endpoint?
2) when deploying the proxy appliance veeam created a public subnet (with an internet gateway) allowing the ec2 to get a public ip. Will veeam stop doing that once the registry values are in place? Or do I need to select them (create them myself) rather than letting veeam create them to avoid getting the public subnet?

Thanks
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Veeam proxy appliance s3 glacier private ec2 communication flow

Post by veremin »

The corresponding EC2 service endpoint is permanently required for archiving backups over a private connection. Thanks!
Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests