Copy Job via AWS Privatelink

[adlloyd79]

Hi,

I have followed this article (https://www.veeam.com/kb4226) to configure VBR to conect to the EC2 appliance using the private IP.

Is it possible to do the same thing in Veeam Backup for Microsoft 365?

Thanks.

[Mike Resseler]

Hey Aaron,

As far as I am aware this is not tested with the VB365 appliance. I will put this on the QA test list but it will probably take some time to get it tested since we are getting close to a new (minor) version release.

If you have the possibility to test it yourself, please do

[adlloyd79]

Hi Mike,

Yeah, I have been having a go but no success so far. I think the only real issue is that I cannot find a way to actually tell VB365 to use the private IP address. I have modified the AmazonS3Regions file as described in the article but modified the file in C:\Program Files\Veeam\Backup365. I then took a punt and created the same registry values described in the article but placed them in HKLM\SOFTWARE\Veeam\Veeam Backup for Microsoft Office 365\. However it is still trying to connect using the public IP rather than the private IP.

I suspect the registry entries are the issue. Any suggestions on how to configure VB365 to use the private IP rather than public?

Thanks,

Aaron

[bricel13]

Hi, i'm also interested, if it's not possible, how to secure S3 bucket with public access configured ?

Thanks.

Brice

[adlloyd79]

Hi,

I would like to register a feature request for VBO to be able to backup to AWS and connect to the EC2 appliance using the private IP. This is already possible in VBR as per this article (https://www.veeam.com/kb4226) but does not appear to be possible in VBO.


I would also appreciate thoughts on the remaining benefits of using a VPN for VBR if it cannot be used for VBO? For us two key benefits of the VPN for VBR were that we only had to open SSH to the private IP and that we did not need to open public access into AWS. It now seems though that we will lose both of these benefits as they will stop VBO from working. So with that in mind are there still any benefits to using a VPN for VBR when it cannot be used by VBO?

Many Thanks,

Aaron

[Mildur]

Hi Aaron

Thanks for the request.
I believe it‘s the same question as this one.

It now seems though that we will lose both of these benefits as they will stop VBO from working.

Have you installed VB365 on the same server as VBR? Or why is the VPN between VBR and AWS connected to the VB365 machine?

Thanks
Fabian

[adlloyd79]

Hi Fabian,

Yes, its the same question. I logged a support case (Case #05495988) and it was suggested that I should raise a feature request.

I do have them installed on the same server, although happy to seperate if it is going to help resolve this issue though.

The VPN is not actually to the server though, it is to our Cisco ASA. We have routing setup to send traffic for the AWS private IP range over the VPN.

Thanks,

Aaron

[Mildur]

Hi Aaron

Thanks.
I'll moved your request to the same topic then.
Using different server for VBR and VB365 is our recommendation. Not because of this VPN issue, but other things like Veeam component sharing and CPU/Memory sharing.

I'm not a network specialist, but can you put a dedicated VB365 server in to his own subnet and exclude this subnet from the global routing? Or exclude a single source IP Address?

Thanks
Fabian

[adlloyd79]

Hi Fabian,

Yes, we can certainly do that, but that is not really the issue/concern.

The concern is that to get VBO working using the public IP we need to open up far more access than we would reallt want to i.e. SSH to all of the AWS IP range.

Having the VPN for VBR meant that we only needed to open SSH to our private IP in AWS which is much better practice for us. However it now seems we are going to have to change that and open SSH to the full AWS public range anyway, which is some ways make having the VPN for VBR a bit pointless now.

Thanks,

Aaron