Veeam Backup for AWS -- Deployment Feedback

[ChrisAnderson_2019]

Hi All,
Thought I'd share my experience from deploying and integrating Veeam Backup for AWS in the hope it may help others and provide feedback for you guys at Veeam.

We have a Veeam B&R instance running in EC2, this connects to on-prem virtual infrastructure to backup VMware workload to a local repositories.
The next task was to install the AWS plugin and deploy the appliance.

Following the required permissions listed in the documentation, we created the IAM account to use for deploying/managing the appliance.
This failed 5/6 times with various permissions (which we were easily able to identify from the Veeam.AWS.PlatformSvc log) for the specified IAM user.

e.g. not authorized to perform: cloudwatch:PutMetricAlarm on resource
and
not authorized to perform: dlm:CreateLifecyclePolicy on resource
and
Fail: Invalid principal in policy: "AWS":"arn:aws:iam::xxxxx:role/s-de-aws-vbr02-VeeamImpersonationRoleV1

We were able to overcome this adding the required permissions on the fly, but then we failed trying waiting to connect to the applicance.

The VBR instance (on the same VPC) was trying to connect to the appliance publicly (not privately). Hence we need to enable inbound access from the VBR instance. As we didn't want to enable public access our workaround was as follows:

1) Deploy the appliance from the AWS marketplace (this created all the required permissions /alarms / etc as we were using a non-restricted account)
2) Connect to the UI and create a local user account
3) Add the appliance in VBR by "connect to existing appliance" (rather than deploy new)
4) Specify "private network" for the connection type and enter the IP of the appliance

This worked a treat and the AWS appliance is now integrated with AWS.

Hope this helps.
Cheers,
Chris.

[dalbertson]

Thank you for your feedback. Can you ellaborate on the use case for have VBR as an EC2 Instance and protecting VMware workloads onprem?

[nielsengelen]

Can u clarify the following?

The next task was to install the AWS plugin and deploy the appliance.

Did you deploy the appliance from VBR after installing the plugin? Or was the first deployment also done via the marketplace?

[ChrisAnderson_2019]

@dalbertson
The bulk of the clients infrastructure is (/ will be) in AWS. The on-prem workloads are remote branch offices, with local file/print resource. One site has a local vCenter server deployed and the remaining sites are managed with ROBO licensing.

Each branch office has a local proxy instance and a local repository. All jobs are orchestrated centrally via the VBR in EC2.


@nielsengelen
AWS plugin was installed on the VBR server first (download from Veeam). Then we ran the "add managed server" wizard, specifying "Veeam Backup for AWS" and "deploy new appliance".

The workaround was to deploy the appliance from the market place, then "add managed server" wizard, specifying "Veeam Backup for AWS" and "connect to existing appliance".

[nielsengelen]

Thank you for the feedback and extra information. We will look into it and see if there are things that need to be resolved or improved.