-
- Service Provider
- Posts: 147
- Liked: 25 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
Veeam backup for AWS appliance configuration failure
Hello all,
Deploying the VBAWS appliance for the first time. As part of setting up access to AWS services, I have used the create endpoint in my VPC to set up access to AWS services for the Sydney region.
In the user guide https://helpcenter.veeam.com/docs/vbaws ... tml?ver=60 which lists the AWS services that the backup appliance has to have access to, I'm not able to set up an endpoint for AWS Identity and Access Management (IAM), the Marketplace metering service and Resource Access Manager.
When I try to create an endpoint for IAM and search under services for iam.amazonaws.com (as given in the link https://docs.aws.amazon.com/general/lat ... rvice.html), nothing comes up in the search. The same is true for metering.marketplace, nothing is available for the Sydney region, and finally the same for ram.ap, the Resource Access Manager endpoint.
I feel this might be the reason why, after deploying the appliance as CloudFormation, when I open the UI it goes to initial configuration as though I had deployed the AMI https://helpcenter.veeam.com/docs/vbaws ... tml?ver=60. But even when I follow the steps, this initial configuration fails at the end, and the log file that I get at the end has the below error about not being authorized.
[{"status":"Failed","style":"None","title":"You are not authorized to perform this operation.","description":"","createTimeUtc":"2023-04-19T14:24:08.127749","createTime":"2023-04-19T14:24:08.127749","updateTimeUtc":"2023-04-19T14:24:08.127749","updateTime":"2023-04-19T14:24:08.127749"}]
Has anyone seen a similar issue?
Any help will be great.
I have a case 06018298, but as of now not much help.
Thanks,
-Sumeet.
-
- Product Manager
- Posts: 5770
- Liked: 1213 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Veeam backup for AWS appliance configuration failure
Hi Sumeet,
Yes, those endpoints need to be accessible or it won't work. Have you tried to deploy the appliance with the option of creating a VPC for you instead of doing it yourself? I can't directly say what could be the reason that the AWS management console fails to detect its own service endpoints.
It may require insight from support with the case you have open.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 147
- Liked: 25 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
Re: Veeam backup for AWS appliance configuration failure
Hi Niels,
Deploying the appliance with the option to create a VPC worked.
I'm not able to figure out what is different from the VPC that we already have in the env.
While working with our client, we might have to use an existing VPC and not have the liberty to deploy with a new VPC.
I also see this link -- https://stackoverflow.com/questions/723 ... private-li
Which says that the IAM AWS service endpoint is no longer available.
If my subnet is public, does the VB AWS appliance access these AWS services through outbound internet access? Is that the reason that this worked with creating its own VPC in deployment?
But even when I was deploying the appliance in my VPC, the security group created during the appliance deployment had full outbound access through the public subnet.
Unable to figure out what is different.
I have provided logs (by doing an SSH) from the failed appliances, waiting for support to get back on what is missing.
Thanks,
-Sumeet.
-
- Product Manager
- Posts: 5770
- Liked: 1213 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Veeam backup for AWS appliance configuration failure
Hi Sumeet,
Certain services are indeed only available via "public" within AWS. Let's see what our support discovers but it's most likely related.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
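Added example (not part of the thread, and not Veeam or AWS code): a Python check that reads the JSON printed by `aws ec2 describe-vpc-endpoint-services` and reports which of the services the appliance needs have no VPC endpoint service in the region, and so need another egress path from a private subnet. The sample JSON is constructed and the `REQUIRED` short names are assumptions; take the real list from the vendor guide.

```python
import json

# Constructed sample shaped like the output of
#   aws ec2 describe-vpc-endpoint-services --region ap-southeast-2
# Illustrative only; it is not real availability data.
SAMPLE = json.loads("""
{"ServiceDetails": [
  {"ServiceName": "com.amazonaws.ap-southeast-2.ec2",
   "ServiceType": [{"ServiceType": "Interface"}]},
  {"ServiceName": "com.amazonaws.ap-southeast-2.ec2messages",
   "ServiceType": [{"ServiceType": "Interface"}]},
  {"ServiceName": "com.amazonaws.ap-southeast-2.s3",
   "ServiceType": [{"ServiceType": "Gateway"}]},
  {"ServiceName": "com.amazonaws.ap-southeast-2.s3",
   "ServiceType": [{"ServiceType": "Interface"}]},
  {"ServiceName": "com.amazonaws.ap-southeast-2.sqs",
   "ServiceType": [{"ServiceType": "Interface"}]}
]}
""")

# Hypothetical short names; take the real list from the vendor guide.
REQUIRED = ["ec2", "s3", "sqs", "iam", "ram"]


def endpoint_coverage(describe_output, required):
    """Map each required short name to the endpoint types offered for it."""
    coverage = {name: [] for name in required}
    for detail in describe_output.get("ServiceDetails", []):
        # Compare only the last dot-separated label, so "ec2" does not
        # also match "ec2messages".
        short = detail["ServiceName"].rsplit(".", 1)[-1]
        if short not in coverage:
            continue
        for entry in detail.get("ServiceType", []):
            if entry["ServiceType"] not in coverage[short]:
                coverage[short].append(entry["ServiceType"])
    return coverage


def uncovered(describe_output, required):
    """Required services with no endpoint service: these need another route."""
    cov = endpoint_coverage(describe_output, required)
    return [name for name in required if not cov[name]]


if __name__ == "__main__":
    for name, types in endpoint_coverage(SAMPLE, REQUIRED).items():
        print(f"{name:4} {', '.join(types) or 'no endpoint service'}")
    print("needs another route:", uncovered(SAMPLE, REQUIRED))
```

On a real account, save the CLI output to a file and pass the parsed JSON in place of `SAMPLE`.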
-
- Service Provider
- Posts: 147
- Liked: 25 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
Re: Veeam backup for AWS appliance configuration failure
Hi Niels,
With support we could not debug the real cause. Also, since I had to set up a demo, I went ahead with deploying the appliance in a public subnet. This worked fine.
But now my client is keen on getting this deployed in a private subnet (due to security concerns), so your previous reply that certain services are only available via "public" within AWS makes me wonder whether the deployment is even supported in a private subnet.
Has anyone using VBAWS got this working in a private subnet?
Maybe you can check with Veeam Q&A whether they have tested this on a private subnet?
I need to inform and discuss with my client if private subnet is not supported.
Thanks,
-Sumeet.
-
- Product Manager
- Posts: 5770
- Liked: 1213 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Veeam backup for AWS appliance configuration failure
Hi Sumeet,
I'll try to gather a shortlist of what you can expect in private deployment and which services are only available via public connection in the current release. We are actually working on enhancements and updates to the user guide around this topic for an upcoming release.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 147
- Liked: 25 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
Re: Veeam backup for AWS appliance configuration failure
Hi Niels,
Appreciate that.
For now, I'm checking with my client if he is ok to allow a public subnet. Should have more details by tomorrow.
Thanks,
-Sumeet.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Jun 17, 2023 4:52 am
- Full Name: Fabien Gaubert
Re: Veeam backup for AWS appliance configuration failure
Hi,
Did you finally get it to work in a private subnet?
Regards
-
- Service Provider
- Posts: 147
- Liked: 25 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
Re: Veeam backup for AWS appliance configuration failure
Hi Ecosinus,
I could not get this to work in a private subnet.
Niels,
Do you have any additional details? The documentation mentions that the appliance works in a private subnet with access to service endpoints, but I cannot get this to work.
This is urgent now as we have a potential customer who is keen on backup in AWS, but only has private VPN/subnets - public access is a BIG NO.
Thanks,
-Sumeet.
-
- Product Manager
- Posts: 5770
- Liked: 1213 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Veeam backup for AWS appliance configuration failure
Hi Sumeet,
I would recommend contacting support for assistance and insight. If you follow the guide and something doesn't work, it's hard to troubleshoot via the forums.
We are looking at enhancements for a future release also on this level so your support case may help in showing things we may need to optimize.
Please let me know the case ID once you've opened it. Thanks!
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen