AWS Partner Network (APN) Blog

Building a Veeam powered Backup as a Service using AWS

By Avichal Chum, Solutions Architect – AWS
By Ivan Kochemasov, Product Analyst – Veeam


Customers use Veeam Backup & Replication (VBR) as their backup, recovery, and data security solution for workloads, both on-premises and in the cloud. VBR provides versatile storage options including directly attached storage, network attached storage, deduplicating appliances and object storage like Amazon S3. Built-in features optimize data transfer and resource consumption, minimizing storage costs and recovery time while providing native immutability and in-line scanning for cybersecurity threats.

However, customers must configure, manage, and maintain backup repositories, adding complexity to data protection. Those lacking expertise or resources turn to service providers in the Veeam Cloud & Service Provider (VCSP) program to manage their backup repositories.

To streamline customer backup repository management, Veeam introduced Cloud Repository, an off-site backup location in the cloud. Service providers can deploy a Veeam Cloud Connect (VCC) server supporting multi-tenancy, encryption, and service provider features to offer Cloud Repository services. Many providers use VCC to build robust Backup as a Service (BaaS) solutions, enabling cloud backups in Amazon S3 and helping customers follow the 3-2-1 backup rule.

In this blog post, we explain how Veeam service providers can configure a BaaS platform in AWS to protect virtual, physical, or cloud workloads, covering VCC’s key architectural components and required AWS services.

About Veeam Cloud Connect

Veeam Cloud Connect enables service providers to build multi-tenant, Veeam-powered services, offering customers secure data backup and replication to service provider environments. Starting a BaaS requires service providers to deploy VBR with a VCC license during installation.


Figure 1. Key infrastructure components for service provider and tenants.

Once configured, service providers can create tenant companies and assign backup repository quotas, functioning as an off-site Cloud Repository for protecting customers’ virtual machines, physical servers, and workstations.

VBR customers with compatible software versions can consume Cloud Connect services to send backups off-site. Using their VBR console, customers simply enter provider-supplied credentials to direct backup, backup copy, or replication jobs to the provider’s cloud. Data remains fully encrypted throughout the process without requiring additional customer licensing.

Veeam Cloud Connect V12 in AWS

Veeam Cloud Connect is a storage and vendor-agnostic solution for building Veeam-powered services in AWS. Before V12, service providers had to use costly EBS volumes as primary repositories, with Amazon S3 repositories limited to additional copies only.

VCC V12 enables direct backup to object storage repositories, significantly reducing BaaS costs and complexity on AWS. The release introduced new backup data writing modes – through gateway servers or via direct connection mode, bypassing cloud and repository gateway servers. Service providers can now manage customers’ Amazon S3 configurations, including storage class, tiering, and Object Lock settings.

Further updates added PostgreSQL database support, improved object storage capabilities, and introduced an AI-powered malware detection engine for real-time analysis during backup.

Our focus is on direct connection mode for writing directly to object storage repositories. The VCC-AWS combination offers extensive repository scalability and built-in backup immutability for compliance requirements. AWS’s global infrastructure, spanning 105 Availability Zones across 33 Regions, enables easy service expansion.

We recommend deploying Veeam Service Provider Console (VSPC), a free web-based management platform for all Veeam-powered services. VSPC enables efficient remote monitoring, customer onboarding, licensing management, and self-service capabilities for Microsoft 365, AWS, and Azure workload protection. You can provide managed services and white-label your offering to resellers, who can manage customers through VSPC without additional software.

Infrastructure components

  • Veeam Cloud Connect (VCC) Server – VBR server with VCC license installed, deployed on the service provider side to provide multi-tenant BaaS and Disaster Recovery as a Service (DRaaS) functionality.
  • PostgreSQL for VCC – Configuration database required by the VCC server. VCC supports both Microsoft SQL Server and PostgreSQL; this deployment uses PostgreSQL.
  • Cloud Gateway Server (CGW) – Acts as a communication point, receiving connections from tenant and routing to corresponding components in VCC infrastructure. Multiple CGWs can be deployed for additional resiliency.
  • Veeam Service Provider Console (VSPC) – Centralized web-based console for daily operations of service providers, resellers and tenants.
  • Microsoft SQL Server for VSPC – Configuration database required for VSPC server. Can run on the same or separate instance as VSPC server.
  • VSPC Web UI – Provides a web interface that allows administrators, resellers and users to interact with VSPC.

Solution overview

In this deployment, we utilize the VCC pod concept, comprising VCC server, configuration database server and three cloud gateways. For more details, see Veeam Best Practices.


Figure 2. AWS architecture for the Veeam Cloud Connect (VCC) and Veeam Service Provider Console (VSPC).

Cloud gateways handle only management traffic, while backup traffic flows directly from customer sites to Amazon S3 buckets through direct connection mode.

Consider deploying additional VCC pods for data sovereignty requirements, multi-geography operations, or when concurrent tasks exceed 1,000 on a single VCC server.

Configuration instructions are available in the VCC book and Help Center. Each CGW requires two network interfaces – one in a private subnet for VCC and VSPC communication, and another in a public subnet with an Elastic IP and public hostname. Only the CGW's public interface is reachable by tenants; the VCC and VSPC servers sit in private subnets with no public addresses and are reached by the CGWs over the private subnet. A NAT Gateway gives the VCC and VSPC servers outbound-only access for software updates and license usage reporting.

Amazon Route 53 manages DNS for the CGWs' public hostnames, using round-robin DNS (for example, a multivalue answer record) to unify multiple CGW hostnames under a single DNS name (example: backup.vcc.com instead of cgw1.vcc.com, cgw2.vcc.com).

Sizing of Veeam components

You can use any x86-based Amazon EC2 instance types with sufficient compute and memory resources. The instance types outlined below are examples provided to manage up to 1,000 tenants (each with one concurrent task configured).

Server | Amazon EC2 instance type | Operating system | EBS disk space (GB)
Veeam Service Provider Console Server | c7i.2xlarge | Microsoft Windows Server 2022 | 200
Veeam Service Provider Console Web UI | c7i.xlarge | Microsoft Windows Server 2022 | 200
Microsoft SQL Server 2022 (VSPC) | c7i.4xlarge | Microsoft Windows Server 2022 | 300
Veeam Cloud Connect Server | c7i.4xlarge | Microsoft Windows Server 2022 | 200
PostgreSQL 15.5 server (VCC) | c7i.4xlarge | Ubuntu Linux 22.04 | 300
Veeam Cloud Gateway Server | m7i.flex.large | Microsoft Windows Server 2022 | 100

To further optimize costs, it is possible to combine multiple roles on the same server. For example, the databases for both the VSPC and VCC servers can be hosted on the same Microsoft SQL Server installation. For evaluation deployments, all of the roles above can be placed on a single server if an appropriately sized instance type is selected.

Infrastructure configuration

For a detailed step-by-step guide on how to configure each component, refer to the corresponding sections of Veeam Help Center – VSPC and for VCC.

When you configure a backup repository from the VCC server side, make sure the IAM user whose access keys you add has the permissions defined in the Help Center, and no more: the repository credentials are stored on the VCC server and should not be able to reach anything beyond the repository buckets. Then add the S3 object storage repository to the VCC server, selecting "direct connection" on the Specify Object Storage Account step.

If you plan to enable immutability, S3 Object Lock must be enabled when the Amazon S3 bucket is created, as described in the Help Center. Object Lock cannot be switched on for an existing bucket, and it requires bucket versioning to be enabled.

Additional considerations

This design provides an off-site location for tenant backups. For customers needing long-term retention or multiple off-site copies, you can configure a scale-out backup repository (SOBR) on the VCC server.


Figure 3. Scale-out backup repository (SOBR) combined with Amazon S3 storage provides a direct offload option from Amazon S3 Standard to long-term restore points in S3 Glacier Flexible Retrieval or S3 Glacier Deep archive.

SOBR offers horizontally scalable multi-tier data storage, combining multiple backup repositories in the performance tier with object storage for long-term (capacity tier) and archival (archive tier) storage. In AWS, you can use Amazon S3 as the performance tier for short-term retention, then offload data to another S3 repository. When S3 buckets are used as the performance tier, you can bypass the capacity tier and move backups directly to the archive tier in S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive. This approach optimizes costs for both short-term restore points and long-term GFS (Grandfather-Father-Son) retention.

The VCC server automates IAM user creation and policy management for secure multi-tenant S3 repository access. Dedicated buckets per tenant keep one tenant's credentials from reaching another tenant's data, enable S3's built-in per-tenant billing, allow per-bucket settings such as Object Lock, and simplify tenant offboarding (delete the user and the bucket).
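The two configuration points above, a repository bucket that must be created with Object Lock and versioning before VCC can use it for immutable backups, and a per-tenant IAM identity that is scoped to its own bucket, are easy to get subtly wrong and expensive to fix afterwards. The following is an added example, not Veeam's code or the automation the VCC server performs: a pre-flight check over the bucket settings that boto3 returns (`get_bucket_versioning`, `get_object_lock_configuration`, `get_public_access_block`) and a generator for a tenant-scoped identity policy. The client is duck-typed so the check runs offline against the constructed `_FakeS3` responses below; in production pass `boto3.client("s3")`. The action list in `TENANT_BUCKET_ACTIONS` / `TENANT_OBJECT_ACTIONS` is an assumed illustrative minimum, not Veeam's authoritative permission list from the Help Center; reconcile it there before use.

```python
"""Pre-flight checks for an S3 bucket destined to become a VCC repository, plus a
tenant-scoped IAM policy document. Added example for this post; not Veeam code."""
import json

# ASSUMPTION: illustrative minimum for a per-tenant repository user. Veeam's
# authoritative list lives in the Help Center and must take precedence.
TENANT_BUCKET_ACTIONS = [
    "s3:GetBucketLocation", "s3:GetBucketVersioning",
    "s3:GetBucketObjectLockConfiguration", "s3:ListBucket", "s3:ListBucketVersions",
]
TENANT_OBJECT_ACTIONS = [
    "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject",
    "s3:GetObjectRetention", "s3:PutObjectRetention",
]
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def tenant_policy(bucket):
    """Identity policy for one tenant's repository user, limited to that bucket only.
    Nothing here grants s3:ListAllMyBuckets or access to any other tenant's ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "TenantBucket", "Effect": "Allow", "Action": TENANT_BUCKET_ACTIONS,
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "TenantObjects", "Effect": "Allow", "Action": TENANT_OBJECT_ACTIONS,
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def _call(fn, **kwargs):
    # boto3 raises ClientError (ObjectLockConfigurationNotFoundError,
    # NoSuchPublicAccessBlockConfiguration) when a setting was never configured.
    # Treat any failure as "not configured" so it surfaces as a finding, not a crash.
    try:
        return fn(**kwargs)
    except Exception:
        return {}


def fetch_bucket_state(s3, bucket):
    """Collect the three relevant settings from any boto3-style S3 client."""
    versioning = _call(s3.get_bucket_versioning, Bucket=bucket)
    lock = _call(s3.get_object_lock_configuration, Bucket=bucket)
    pab = _call(s3.get_public_access_block, Bucket=bucket)
    return {
        "versioning": versioning.get("Status"),  # absent until versioning was ever set
        "object_lock": lock.get("ObjectLockConfiguration", {}),
        "public_access_block": pab.get("PublicAccessBlockConfiguration", {}),
    }


def check_repository_bucket(state, want_immutable=True):
    """Return a list of findings; an empty list means the bucket is fit for use."""
    findings = []
    pab = state["public_access_block"]
    for key in PAB_KEYS:
        if not pab.get(key):
            findings.append(f"public access block: {key} is not enabled")
    if want_immutable:
        if state["versioning"] != "Enabled":
            findings.append("versioning is not Enabled (required by Object Lock)")
        if state["object_lock"].get("ObjectLockEnabled") != "Enabled":
            findings.append("Object Lock is not enabled; it can only be set at bucket creation")
        default_rule = state["object_lock"].get("Rule", {}).get("DefaultRetention")
        if default_rule:
            # Veeam sets Object Lock retention per object; confirm in the Help Center
            # whether a bucket-level default rule is wanted before keeping it.
            findings.append(f"bucket carries a default retention rule {default_rule}; review")
    return findings


class _FakeS3:
    """Constructed stand-in for boto3.client('s3') returning canned API responses."""
    def __init__(self, versioning, lock, pab):
        self._v, self._l, self._p = versioning, lock, pab

    def get_bucket_versioning(self, Bucket):
        return self._v

    def get_object_lock_configuration(self, Bucket):
        if self._l is None:  # mimic the ClientError boto3 raises for an unlocked bucket
            raise RuntimeError("ObjectLockConfigurationNotFoundError")
        return self._l

    def get_public_access_block(self, Bucket):
        return self._p


_ALL_BLOCKED = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
GOOD_BUCKET = _FakeS3({"Status": "Enabled"},
                      {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}, _ALL_BLOCKED)
NO_LOCK_BUCKET = _FakeS3({}, None, _ALL_BLOCKED)  # created without Object Lock

if __name__ == "__main__":
    for name, client in (("vcc-tenant-a", GOOD_BUCKET), ("vcc-tenant-b", NO_LOCK_BUCKET)):
        print(name, check_repository_bucket(fetch_bucket_state(client, name)) or "OK")
    print(json.dumps(tenant_policy("vcc-tenant-a"), indent=2))
```

Run the check before the bucket is added to VCC: a bucket that fails the Object Lock finding has to be recreated, since Object Lock cannot be enabled afterwards. The policy generator is deliberately per-bucket; if you script tenant onboarding around it, create the bucket, the user and the policy together so a tenant's credentials never exist without a bucket scope.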

Enabling cold DR and migration for tenant backups

VCC v12.3 enables service providers to restore tenant backups as Amazon EC2 instances, facilitating AWS migration and disaster recovery. Supporting workloads from VMware vSphere, Microsoft Hyper-V, and physical servers, this cross-platform feature can be automated through PowerShell or REST APIs for efficient scaling. Note that this works only for tenant backups that were created with encryption disabled: the service provider does not hold the tenant's encryption key and cannot read encrypted backup data.

Conclusion

In this blog post, we outlined how service providers can plan, size, and deploy VCC V12.3 in AWS to provide managed off-site backup repositories. We demonstrated how ‘direct connection’ mode enables cost-efficient service delivery with enhanced performance and reliability. Amazon S3 repositories offer extensive scalability and security features, including S3 Object Lock for ransomware protection.

As a next step, you can expand your data protection service to other platforms, including your customers' Microsoft 365, AWS, and Microsoft Azure workloads. This is done with the help of VSPC integrations, which provide a centralized management plane for all your BaaS and DRaaS services.




Veeam – AWS Partner Spotlight

Veeam is an AWS Advanced Technology Partner and AWS Storage Competency Partner. Their product portfolio includes Veeam Backup for AWS, native, policy-based protection for AWS services, with reliable recovery from accidental deletion, ransomware and other data loss scenarios.

Contact Veeam | Partner Overview | AWS Marketplace