Best practices for connecting your Veeam on-premises environment to Amazon S3

Many users safeguard their on-premises infrastructure with Veeam Backup & Replication (VBR). This is done to minimize the physical backup infrastructure they need to acquire and maintain. Additionally, they seek to make sure that their backups reside in highly durable, secure, and cost-effective storage solutions.

By using Amazon Simple Storage Service (S3), VBR users can capitalize on its scalability, cost-effectiveness, granular security features and controls, and the advantages it offers for disaster recovery (DR) scenarios. To ensure efficient backup transfer from on-premises locations to Amazon S3, users must evaluate the available network connectivity options. These options help connect existing on-premises infrastructures over the public internet , through secure and dedicated network connectivity solutions, such as AWS Direct Connect, or via an AWS Site-to-Site VPN (virtual private network).

In this post, we walk you through the network connectivity configurations available using AWS Direct Connect, AWS Site-to-Site VPN, and the public internet. We cover the requirements and best practices to make sure that you can perform backups and restorations between your data center, office, or colocation environment and AWS. Upon successfully connecting to AWS, you can copy and tier your VBR backups to Amazon S3 and reduce your reliance and costs associated with more expensive on-premises backup storage.

Solution overview

The three networking paths to connect to AWS from on-premises VBR that we cover are:

• Scenario A: Connecting VBR to Amazon S3 over the public internet
• Scenario B: Connecting VBR to Amazon S3 using the Site-to-Site VPN
• Scenario C: Connecting VBR to Amazon S3 using AWS Direct Connect

For each connectivity path for Veeam backup to AWS, there are three Veeam deployment models, as per the following table.

1. Backup from Veeam performance tier (SOBR) to Amazon S3: Backups first written locally to a performance tier and then to Amazon S3 as the scale-out backup repository (SOBR) capacity tier.
2. Direct to object with Amazon S3 as SOBR performance tier: Veeam version 12, no on-premises backup-repository needed.
3. Direct to object as Veeam backup repository (without SOBR): Veeam version 12, no on-premises backup-repository needed.

Prior to the release of VBR version 12 (March 2023), users wanting to store backups in Amazon S3 needed to first write to a local performance tier, which was a storage tier of a SOBR.

A SOBR consists of one or more backup repositories or object storage repositories called performance tiers, which can be expanded with object storage repositories for long-term and archive storage: capacity tier (Amazon S3 Standard) and archive tier (Amazon S3 Glacier storage classes).

With the release of v12, users can now write directly to Amazon S3, saving on the cost and time of managing the local on-premises storage of a SOBR. Therefore, users with VBR v12 can now use one of the three options in the preceding table (each of these is covered in this post).

Make sure that the general prerequisites detailed in the following section are followed, and then implement the prerequisites for your specific connectivity scenario and Veeam deployment model.

General prerequisites

The following are general prerequisites are for all connectivity scenarios.

TCP Ports required:

• 443, 80, 22. Make sure that the ports are opened outbound or inbound as needed.

Target URL paths (if needed by your firewall services)

• *.amazonaws.com
• *.amazontrust.com

Note: If you would like to use the Veeam capability to archive data to S3 Glacier storage classes, then you must make sure that Port 22 is enabled on your outbound firewall rules in your onsite firewall and inbound firewall rules on your AWS Security Group. This allows Veeam to instantiate an Archiver Appliance that optimizes the object size to reduce costs when moving from Amazon S3 to Glacier S3 storage classes.

Connectivity architecture

This blog covers the three following connectivity scenarios:

• Scenario A: Connecting VBR to Amazon S3 over the public internet
• Scenario B: Connecting VBR to Amazon S3 using the Site-to-Site VPN
• Scenario C: Connecting VBR to Amazon S3 using AWS Direct Connect

Scenario A: VBR to Amazon S3 over the public internet

As a prerequisite of performing Veeam backups to Amazon S3 from your on-premises environment using the public internet, make sure your on-premises Veeam infrastructure has internet connectivity to Amazon S3. Likewise, make sure firewall rules and routes are applied according to your scenario (depending on the deployment model used).

For the scenarios where you want to extend SOBR and use S3 Glacier storage classes for Veeam archive tier, you also need the following:

• VPC landing zone established in your account
• S3 gateway endpoint configured in your VPC (see the S3 User Guide for more information on the differences between S3 gateway endpoints and S3 interface endpoints).

1. Backup from Veeam performance tier (SOBR) to capacity tier (Amazon S3)

This option allows you to back up your local backups on-premises to Amazon S3 storage as a Veeam Capacity tier target. This option uses the local performance tier (Block, File, Object), then it can copy or move older backups over the internet to Amazon S3, and later archive those backups to the S3 Glacier storage classes.

The data path is as follows, which is also shown in Figure 1:

• VBR performance tier -> Gateway server (if configured) -> User firewall -> Internet -> SOBR capacity tier (Amazon S3)

Figure 1: VBR to Amazon S3 as SOBR capacity tier over the public internet

2. Direct to object with Veeam SOBR to performance tier (Amazon S3)

This option allows you to backup directly to Amazon S3 storage as a Veeam performance tier target. This option uses Amazon S3 for fast restore performance and can then copy to another AWS Region or tier older backups to the S3 Glacier storage classes.

The data path is as follows, which is also shown in Figure 2:

• VBR backup proxies -> Gateway server (if configured) -> User Firewall -> Internet -> SOBR performance tier (Amazon S3)

Figure 2: VBR to Amazon S3 as SOBR performance tier over the public internet

3. Direct to object (Amazon S3)

This option allows users to write directly to Amazon S3. This removes the need to use a SOBR and is more targeted toward workloads that do not have a long-term retention requirement.

The data path is as follows, which is also shown in Figure 3:

• VBR backup proxies -> Gateway server (if configured) -> User firewall -> Internet -> backup repository (Amazon S3)

Figure 3: Direct to object (Amazon S3) over the public internet (SOBR optional)

Scenario B: VBR to Amazon S3 using the Site-to-Site VPN

While there are three deployment models available, the following will focus on the most common approach of connecting on-premises performance tier (SOBR) over the VPN to AWS.

As a prerequisite of performing Veeam backups to Amazon S3 from your on-premises environment using the AWS Site-to-Site VPN and AWS PrivateLink for Amazon S3, the following are required:

• VPC landing zone established in your account
• AWS Site-to-Site VPN established as per the AWS Site-to-Site VPN User Guide.
• If you are planning to use the archive tier (S3 Glacier storage classes), then configure an EC2 endpoint.
• Configure S3 interface endpoints in your VPC.
• With VPN connections, you can write backups to Amazon S3 using AWS PrivateLink for Amazon S3 (without setting up a gateway in your VPC). However, having a Veeam gateway instance running in EC2 enables you to restore those backups within your AWS environment.

Figure 4: VPN connection between a VPC and your on-premises network

Make sure that your on-premises environment is connected to AWS through the Site-to-Site VPN connectivity requirements, as shown in the preceding diagram. Follow this link for more information about the VPN requirements.

1. Backup from Veeam performance tier (SOBR) to capacity tier (Amazon S3)

This option allows you to back up your local backups on premises to Amazon S3 storage as a Veeam capacity tier target. This option uses a local performance tier (Block, File, Object), then it can copy or move older backups over a VPN to Amazon S3, and later archive those backups to S3 Glacier storage classes. The key difference from the first scenario (over the public internet) is that all traffic remains on a private IP range, however they are encapsulated over a public network. This is more secure than just using SSL/TLS over the internet, such as in the first scenario.

Make sure that you have implemented the prerequisites for the AWS Site-to-Site VPN, along with the Veeam KB article instructions, detailed as follows:

1. Disable automatic updates of the AmazonS3Regions.xml file using registry updates.
2. If you plan to use S3 Glacier storage classes for Archive Tier, certificate revocation checks must be permitted on the VBR server (refer to point 6 in the Veeam KB article instructions).
3. Force Archiver appliances (if using archive tier) and Health Check appliances to use private IP addresses using registry updates.
4. Modify the AmazonS3Regions.xml with your custom endpoints – Amazon S3 interface endpoint and (if using archive tier) Amazon EC2 interface endpoint.

The data path is as follows, which is also shown in Figure 5:

• VBR performance tier -> Gateway server (if configured) -> User firewall -> Site-to-Site VPN -> Amazon S3 interface endpoint -> SOBR Capacity tier (Amazon S3)

Figure 5: VBR to Amazon S3 as SOBR Capacity tier over Site-to-Site VPN

Scenario C: VBR to Amazon S3 using AWS Direct Connect

Direct Connect is a networking service that provides an alternative to using the internet to connect to AWS. Using Direct Connect, data that would have previously been transported over the internet is delivered through a private network connection between your facilities and AWS.

In using Direct Connect, there are two connectivity options to write your backups to Amazon S3. These options are either to write to the default Amazon S3 interface (a public internet address) or to write to an Amazon S3 private internet address that needs AWS PrivateLink for Amazon S3 to be configured, as shown in Figure 6.

Figure 6: AWS Direct Connect with Amazon S3 Public and private virtual interfaces

As a prerequisite of performing Veeam backups to Amazon S3 from your on-premises environment through Direct Connect, the following are necessary:

• VPC landing zone established in your account.
• If you are planning to use the Archive tier (S3 Glacier storage classes), configure an EC2 endpoint.

You can implement the three deployment models using one of the two Direct Connect options detailed as follows (S3 public interface or PrivateLink for S3).

Direct Connect to Amazon S3 options:

1. Writing to Amazon S3 through Direct Connect using the S3 public interface (writes to a public IP address).
2. Writing to Amazon S3 through Direct Connect using a private interface (writes to a private IP address) using AWS PrivateLink for Amazon S3.

For more information on accessing an S3 bucket through Direct Connect, see this AWS knowledge center post.

1. Direct Connect using the S3 public interface

For the three Veeam deployment models, follow the guidance for connectivity to Amazon S3 through the S3 public interface. Configure an S3 gateway endpoint configured in your VPC (prerequisite). Make sure that you have implemented the prerequisites for Direct Connect.

This connectivity option allows you to back up your local backups from on-premises to Amazon S3 storage as a Veeam capacity or performance tier target, or using Direct to object backup over Direct Connect. This option keeps traffic over a user’s Direct Connect network but also traverses their public virtual interface (VIF) and exits to a public endpoint, as per the preceding image (Figure 6).

The data path is as follows, which is also shown in Figure 7:

• VBR performance tier -> Gateway server (if configured) -> User firewall -> Direct Connect public interface -> SOBR capacity tier (Amazon S3)

In-VPC data flow, such as archiving Veeam backups to the S3 Glacier storage classes (SOBR archive tier), an archiver appliance reads/writes data from Amazon S3 through the S3 gateway endpoint (see Figure 7).

Figure 7: Direct Connect with Amazon S3 using the public interface

2. Direct Connect using the AWS PrivateLink for Amazon S3

For the three Veeam deployment models, follow the guidance for connectivity to Amazon S3 through the S3 private interface (PrivateLink for S3). Configure S3 interface endpoints in your VPC (prerequisite).

This connectivity option allows you to back up your local backups from on-premises to Amazon S3 storage as a Veeam capacity or performance tier target, or using Direct to object backup over your Direct Connect network. This option keeps traffic over a user’s Direct Connect network and using their private link. This means that no public IP addresses are used or public connections need to be made. An end-to-end private connection is made.

Make sure that you have implemented the prerequisites for Direct Connect, along with the Veeam KB article instructions, detailed as follows:

1. Disable automatic updates of the AmazonS3Regions.xml file using registry updates.
2. If you plan to use S3 Glacier storage classes for Archive Tier, certificate revocation checks must be permitted on the VBR server (refer to point 6 in the Veeam KB article instructions).
3. Force Archiver appliances (if using archive tier) and Health Check appliances to use private IP addresses using registry updates.
4. Modify the AmazonS3Regions.xml with your custom endpoints – Amazon S3 interface endpoint and (if using archive tier) Amazon EC2 interface endpoint.

The data path is as follows, which is also shown in Figure 8:

• VBR performance tier -> Gateway server (if configured) -> User firewall -> Direct Connect private interface -> Amazon S3 interface endpoint -> SOBR Capacity tier (Amazon S3)

For in-VPC data flow, such as archiving Veeam backups to the S3 Glacier storage classes (SOBR archive tier), an archiver appliance reads/writes data from Amazon S3 through the S3 gateway endpoint (see Figure 8).

Figure 8: Direct Connect with Amazon S3 using the private interface (AWS PrivateLink for S3)

Conclusion

In this post, we detailed the network connectivity options available when using VBR to back up data to Amazon S3 (AWS Direct Connect, AWS Site-to-Site VPN, and the public internet). We walked you through the Veeam deployment models available and showed you the prerequisites and data path for each (Backup from Veeam performance tier (SOBR) to Amazon S3, Direct to object with Amazon S3 as SOBR performance tier, and Direct to object as Veeam backup repository (without SOBR).

By understanding these different connectivity options, you can select the most suitable method for your organization’s specific requirements and infrastructure. This flexibility makes sure that you can optimize your backup and replication processes to Amazon S3, meeting your desired Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) while maintaining efficient data protection.

For further information about connectivity options to Amazon S3 with Veeam, refer to the following resources:

• Network-to-Amazon VPC connectivity options
• Accessing and listing an Amazon S3 bucket
• Object Storage: Backup directly to AWS S3 – step by step recipe
• Back up and archive data to Amazon S3 with Veeam Backup & Replication