AWS Partner Network (APN) Blog

Getting Started with AWS Backups for VMware Cloud on AWS

By Harsha Sanku, Sr. Partner Solutions Architect – AWS
By Karthik Varadaraj, Sr. System Dev Engineer – AWS

Organizations rely on data protection and archival solutions to safeguard vital data and the ability to recover it. As organizations shift towards hybrid architectures, their data becomes distributed across various platforms and locations, posing a challenge for backup solutions, which must be equipped to handle that complexity.

The advent of automated infrastructure provisioning and cloud-based remote backup and recovery solutions has empowered organizations to embrace advanced data protection and backup strategies tailored for cloud-native workloads.

VMware Cloud on AWS is a jointly engineered and fully managed service that brings together VMware’s enterprise-grade software-defined data center (SDDC) and Amazon Elastic Compute Cloud (Amazon EC2) bare-metal instances running on the Amazon Web Services (AWS) global infrastructure. This integration enables customers to seamlessly migrate their workloads to VMware Cloud on AWS without re-platforming their virtual machines (VMs).

Meanwhile, AWS Backup is a fully managed backup service that centralizes and automates data backups across various AWS services. At re:Invent 2021, we announced AWS Backup support for VMware, allowing customers to centralize and automate data protection of virtual machines running on VMware on-premises, VMware Cloud on AWS, and VMware Cloud on AWS Outposts.

Additionally, in June 2022 AWS Backup added support for AWS PrivateLink for VMware workloads, enabling customers to directly access AWS Backup from their VMware environments via a private interface endpoint running in a virtual private cloud (VPC).

In this post, we will explore the architectural design and the considerations customers should weigh before adopting AWS Backup using private interface VPC endpoints (powered by AWS PrivateLink) to protect workloads running on VMware Cloud on AWS.

Solution Overview

AWS Backup integrates with VMware vSphere, enabling the scheduling, management, and storage of virtual machine backups within the AWS ecosystem. These backups can be copied across different AWS regions and accounts, providing a comprehensive solution for business continuity and protection against ransomware attacks. With AWS Backup, customers can create backups on-demand or according to a specified schedule.

The initial backup recovery point consists of a complete snapshot of the VM, while subsequent backups are incremental and capture only the changes made since the last backup. Further, AWS Backup automatically migrates backup recovery points from a warm storage tier to a more economical cold storage tier to reduce costs.

By default, AWS Backup uses the VMware Tools quiescence setting to achieve application-consistent backups of VMs. In cases where VMware Tools is not available, AWS Backup captures crash-consistent backups instead. To enhance network efficiency, the backups are compressed during transmission.

At AWS, security is job zero and AWS Backup employs robust encryption measures. Virtual machine backups are encrypted during transit and at rest using the highly secure AES-256 encryption algorithm. Organizations can use customer-managed keys to encrypt their backups stored in the cloud for enhanced security.


Figure 1 – Integration architecture for VMware Cloud on AWS with AWS Backup.

Customers can use an AWS account that runs the connected VPC (as depicted in Figure 1) to run the AWS Backup interface VPC endpoint that connects to the AWS Backup gateway appliance running on VMware Cloud on AWS.

Before delving into the prerequisites for running AWS Backup, let’s review some fundamental AWS Backup terminology:

  • AWS Backup Gateway Appliance runs on VMware Cloud on AWS and connects to the AWS Backup control plane privately through the AWS Backup interface VPC endpoint. The backup gateway establishes communication with the ESXi hosts and discovers all the virtual machines through VMware vCenter Server, takes VM snapshots, and manages backup and restore data.
  • AWS Backup interface VPC endpoints allow the AWS Backup Gateway appliance to access the AWS Backup control plane privately.
  • AWS Backup vault is a container that stores and organizes your backup data. Cross-region replication can store data in multiple backup vaults away from production data for business continuity or compliance requirements.


There are several prerequisites for deploying AWS Backup for VMware Cloud on AWS using an AWS Backup interface VPC endpoint:

  • On the VMware Cloud on AWS SDDC, set the vCenter Server FQDN Resolution Address to Private.
  • Ensure the default domain name system (DNS) zones of the VMware Cloud on AWS SDDC’s Management Gateway and Compute Gateway are configured to utilize your organization’s internal DNS servers.
  • Configure the prerequisite firewall rules to allow access to vCenter.
  • Create a compute network segment for the AWS Backup Gateway Appliance.
  • Identify an AWS account to run the AWS Backup service.
  • Identify a VPC that will host the AWS Backup interface VPC endpoint.
  • Ensure network connectivity between the AWS Backup Gateway Appliance running on SDDC and the AWS Backup interface VPC endpoint located in either:
    • Connected VPC: Connectivity already established using cross-account elastic network interfaces (no action needed).
    • Any other VPC: Configure VPC connectivity using external VPC attachments using VMware Transit Connect.
  • Opt-in for Virtual Machine support on AWS Backup.


Step 1: Create an Interface VPC Endpoint

Follow the steps below to create an interface VPC endpoint that connects to the AWS backup service.

  • In the Amazon VPC console navigation pane, choose Endpoints and click Create endpoint.


Figure 2 – Create an endpoint from the Amazon VPC console.

  • For the Service category, choose AWS services, and for the Service name search and select


Figure 3 – Select the AWS Backup gateway interface endpoint.

  • For VPC, select the VPC in which the AWS Backup interface VPC endpoint is to be created. Under Subnets, select one subnet per AWS Availability Zone (AZ) and for Security group select an appropriate non-default security group.
  • For Policy, select Full access or Custom to attach a VPC endpoint policy consistent with your organization’s AWS security policy and click Create endpoint.
  • Once an interface VPC endpoint is created, record the DNS name.


Figure 4 – Record the DNS name of the interface VPC endpoint.
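The Policy and Security group choices in Step 1 decide who can reach the AWS Backup service through this endpoint. The following is an added example, not code from the post or from AWS: it places the console's Full access endpoint policy beside a Custom policy scoped to one account, generates the security-group ingress rule the endpoint's network interfaces need (HTTPS only, from the gateway appliance's compute segment), and audits both for over-broad settings. The account ID and segment CIDR are constructed placeholders, and the `aws:PrincipalAccount` condition is the scoping technique chosen here, not one the post prescribes.

```python
"""Audit the VPC endpoint policy and security group used for the AWS Backup
interface endpoint (Step 1).  Added example; values below are constructed."""
import json

# Constructed sample values (not from the post).
BACKUP_ACCOUNT_ID = "111122223333"           # account that runs AWS Backup
GATEWAY_SEGMENT_CIDR = "192.168.50.0/24"      # SDDC compute segment for the gateway appliance

# What the console attaches when "Full access" is selected: any principal, any action.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# A "Custom" policy: same actions, but only for principals in the backup account.
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalAccount": BACKUP_ACCOUNT_ID}},
    }],
}

# Condition keys that narrow "Principal": "*" to known callers.
PRINCIPAL_SCOPING_KEYS = {"aws:PrincipalAccount", "aws:PrincipalOrgID", "aws:PrincipalArn"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(operator_values.keys())
    return keys


def audit_endpoint_policy(policy: dict) -> list:
    """Return one finding per Allow statement open to any principal without a
    condition that scopes who may use the endpoint."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard and not (_condition_keys(st) & PRINCIPAL_SCOPING_KEYS):
            findings.append(f"statement {i}: Principal '*' with no aws:Principal* condition")
    return findings


def gateway_ingress_rules(cidr: str) -> list:
    """EC2 IpPermissions for the endpoint's security group: TCP/443 from the
    gateway appliance segment only (the appliance reaches the endpoint over HTTPS)."""
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": cidr, "Description": "AWS Backup gateway appliance"}]}]


def audit_ingress_rules(rules) -> list:
    """Flag ingress that is wider than TCP/443 or open to the whole internet."""
    findings = []
    for r in rules:
        if (r.get("IpProtocol"), r.get("FromPort"), r.get("ToPort")) != ("tcp", 443, 443):
            findings.append(f"rule allows {r.get('IpProtocol')} {r.get('FromPort')}-{r.get('ToPort')}, expected tcp 443")
        for rng in r.get("IpRanges", []):
            if rng.get("CidrIp") == "0.0.0.0/0":
                findings.append("rule open to 0.0.0.0/0; restrict to the gateway segment")
    return findings


if __name__ == "__main__":
    for name, pol in (("Full access", FULL_ACCESS_POLICY), ("Custom", CUSTOM_POLICY)):
        print(f"{name}: {audit_endpoint_policy(pol) or 'ok'}")
    print(json.dumps(gateway_ingress_rules(GATEWAY_SEGMENT_CIDR), indent=2))
```

The Custom policy document can be saved to a file and passed to the console's Custom option, or to `aws ec2 create-vpc-endpoint --policy-document file://policy.json` when the endpoint is created from the CLI; the ingress rule is the shape `aws ec2 authorize-security-group-ingress --ip-permissions` expects.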

Step 2: Deploying the AWS Backup Gateway

Follow the steps to create an AWS Backup Gateway.

  • In the AWS Backup console navigation pane, choose Gateways under the External Resources section, and click Create Gateway.


Figure 5 – Create the AWS Backup Gateway from the AWS Backup console.

  • In the Set up gateway section, click Download OVF template and follow the instructions to deploy the AWS Backup Gateway appliance.
  • Once the OVF deploys a virtual machine, power on the VM.
  • Ensure the machine or jump box you’re using to execute these instructions is connected to a network that has reachability to the AWS Backup Gateway appliance; if not, configure an inbound network address translation (NAT) rule from the NSX Manager of the SDDC using a public IP address to ensure reachability. Remember to record the public IP address.
  • Continue with the Set up gateway process. In the Gateway connection section, specify the IP address of the VM from the previous step, and set a Gateway name that’s consistent with your organization’s naming conventions.
  • Under Endpoint type, select VPC hosted and choose the interface VPC endpoint created in Step 1. Add the required tags (optional) in the Gateway tags section. Finally, click Create Gateway.


Figure 6 – Configure the AWS Backup Gateway and select the interface endpoint.

Step 3: Add vCenter Hypervisor to the AWS Backup Gateway

Follow the steps to add the VMware Cloud on AWS SDDC vCenter as a hypervisor to the AWS Backup Gateway.

  • In the AWS Backup console navigation pane, choose Hypervisors under the External Resources section and click Add hypervisor.


Figure 7 – Add a hypervisor to the AWS Backup Gateway.

  • In the Hypervisor settings, provide a hypervisor name and the SDDC FQDN as the vCenter server host, along with the user credentials for the vCenter and an encryption key (AWS-owned or customer-owned) that’s consistent with your organization policy. Customers can use the default SDDC administrator cloudadmin@vmc.local or create a service account with the required VMware permissions.


Figure 8 – Specify the hypervisor (vSphere) along with the credentials.

  • Choose the previously-created Gateway from the drop-down list box. Then run the Test gateway connection check to ensure the hypervisor is connected successfully.
  • Add the required tags under Hypervisor tags (optional) and VMware tag mapping (optional), and click Add hypervisor. Note that while using a non-default AWS Identity and Access Management (IAM) role, ensure the kms:Decrypt action is included so that AWS Backup can encrypt and decrypt hypervisor credentials using customer-managed AWS Key Management Service (AWS KMS) keys.
  • Ensure the hypervisor is added successfully and the connection status is Online.

Step 4: Add Firewall Rules on VMware Cloud on AWS

Follow the steps to ensure successful communication between the AWS Backup Gateway and the ESXi hosts in SDDC. This step is vital for the proper functioning of AWS Backup operations and provisioning.

  • From the VMware Cloud console, log in to the SDDC’s NSX Manager, and from the Security tab navigate to Gateway Firewall. Under the Management Gateway firewall rules, create a new firewall rule with the below parameters:
    • Source: AWS-Backup-Gateway appliance
    • Destination: ESXi
    • Services: Provisioning & Remote Console (902) and HTTPS (443)
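The Management Gateway rule above is the only path the gateway appliance needs to the ESXi hosts, so it is worth checking that the rule set contains exactly that and nothing wider. The following is an added example, not code from the post or from VMware: it models a Management Gateway rule set as plain dictionaries (a constructed sample, not an NSX export) and checks that the gateway-to-ESXi rule covers TCP/443 and TCP/902, that no additional services are allowed on that path, and that no Allow rule exposes ESXi to a source of Any. The group names `AWS-Backup-Gateway` and `ESXi` follow the rule parameters given in Step 4.

```python
"""Check a VMware Cloud on AWS Management Gateway rule set for the AWS Backup
gateway -> ESXi rule from Step 4.  Added example; SAMPLE_RULES is constructed."""

# The two services Step 4 requires: HTTPS and Provisioning & Remote Console.
REQUIRED_SERVICES = {("TCP", 443), ("TCP", 902)}

# Constructed sample of Management Gateway rules (not exported from NSX).
SAMPLE_RULES = [
    {"name": "vCenter Inbound", "source": ["10.0.0.0/8"], "destination": ["vCenter"],
     "services": [("TCP", 443)], "action": "Allow"},
    {"name": "AWS Backup to ESXi", "source": ["AWS-Backup-Gateway"], "destination": ["ESXi"],
     "services": [("TCP", 902), ("TCP", 443)], "action": "Allow"},
    {"name": "Default Deny", "source": ["Any"], "destination": ["Any"],
     "services": [("Any", None)], "action": "Drop"},
]


def _matches(group, members):
    """A rule field of Any matches every group."""
    return "Any" in members or group in members


def allowed_services(rules, source, destination):
    """Union of (protocol, port) allowed from source group to destination group."""
    out = set()
    for r in rules:
        if r["action"] == "Allow" and _matches(source, r["source"]) and _matches(destination, r["destination"]):
            out.update(r["services"])
    return out


def audit_backup_rules(rules, gateway="AWS-Backup-Gateway", esxi="ESXi"):
    """Return findings: required services missing, extra services allowed on the
    gateway -> ESXi path, and any Allow rule that reaches ESXi from Any."""
    findings = []
    allowed = allowed_services(rules, gateway, esxi)
    for proto, port in sorted(REQUIRED_SERVICES - allowed, key=str):
        findings.append(f"missing allow {gateway} -> {esxi} {proto}/{port}")
    for proto, port in sorted(allowed - REQUIRED_SERVICES, key=str):
        findings.append(f"extra allow {gateway} -> {esxi} {proto}/{port} beyond the two required services")
    for r in rules:
        if r["action"] == "Allow" and _matches(esxi, r["destination"]) and "Any" in r["source"]:
            findings.append(f"rule '{r['name']}': ESXi reachable from Any")
    return findings


if __name__ == "__main__":
    print(audit_backup_rules(SAMPLE_RULES) or "Management Gateway rules look correct")
```

Run it against the rules as exported or transcribed from NSX Manager after Step 4; an empty result means the required rule is present and the ESXi hosts are not exposed beyond it.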

Best Practices

Here are some recommendations for AWS Backup deployment for VMware Cloud on AWS workloads:

  • Always deploy with the AWS Backup interface VPC endpoint, and reserve the publicly accessible endpoint for pilots and proofs of concept.
  • Create the AWS Backup interface VPC endpoint in the AWS-connected VPC whenever possible. Using VMware Transit Connect or AWS Transit Gateway to access the AWS Backup interface VPC endpoint can escalate data processing costs that may become unmanageable.
  • Ensure the AWS Backup interface VPC endpoint is created in a VPC subnet that’s the same AZ as the VMware Cloud on AWS SDDC to avoid cross-AZ data costs.
  • Assess the costs associated with the following components to prevent expenses from spiraling out of control:
  • While not mandatory, utilizing tags where relevant—such as gateway, hypervisor, and VMware tag mapping—is advisable. Tags allow metadata to be assigned as user-defined keys and values. They help manage, identify, organize, search for, and filter resources based on their purpose, owner, environment, or other criteria.
  • Although AWS Backup employs the AES-256 encryption algorithm, it’s recommended to activate automatic key rotation for customer-managed keys.


AWS Backup provides a centralized solution to protect your virtual machines running in VMware Cloud on AWS without deploying and managing a complex backup infrastructure.
To learn more about AWS Backup for virtual machines, visit the product page.

Please get in touch with us for guidance on VMware Cloud on AWS, as well as AWS Backup implementation, design, and best practices.