Using VB for AWS in private subnets

  • 3 October 2023

Hello all!


Long time since my last post here.

I was thinking about some scenarios I see more and more often with customers and the issues they face, and I realised I never wrote anything about the private deployment of VB for AWS using private endpoints. That way we can keep all the communication between Veeam and AWS services within the VPC.

I will try to keep this as simple as possible, but since I am showing a complex setup it may get quite long; hopefully it is detailed and helpful enough.

For this demo we need the following configured:

  • VPC
  • Public Subnet
  • Private Subnet
  • NAT Gateway
  • Internet Gateway
  • Route tables configured correctly

We need the NAT Gateway because the VB for AWS appliance needs to communicate with all AWS services as well as the update repositories. However, it will not have a public IP assigned.

VB for AWS deployment

Here is a detailed guide + video that @Julia F Morgado kindly provided on how to deploy your VB for AWS appliance:

https://community.veeam.com/cloud-city-107/deploy-veeam-backup-for-aws-from-aws-marketplace-5274

Just make sure you select your private subnet during the deployment. In my case, I allowed connections on 443 from any IP in my VPC; of course you can lock this down further by allowing only one specific IP or one specific subnet.

And here is my appliance deployed with no public IP:

To connect to my appliance, I have a jump box sitting in the public subnet of the same VPC.

Note that I configured the Security Groups of the appliance to allow connections on port 22 only from the Security Group my Linux jump box is in (for troubleshooting purposes, not needed for VBAWS functionality) and HTTPS only from the Security Group my Windows jump box is in.

VB for AWS configuration

Using my Windows jump box, I am able to connect to VB for AWS. I am showing the public address of my server on purpose, just to demonstrate how it works. Of course, the SG rules are what protect the instance from being accessible.

The next step here is to create the worker configuration in VB for AWS. Here is where we will make sure the workers are connecting to a private subnet.

Go to the Configuration page, click Workers and then Add.

Select the Region and AZ.


Select the VPC, your Private Subnet and the security group.

Make sure you select a security group with 443 open in case you want to use File-level restores.

Also keep in mind we will be using this Security Group later in the Private Endpoints configuration.

On the Summary page VB for AWS will warn you that this subnet is private, so we need to make sure our private endpoints are configured to allow worker communication with AWS services.

We need 5 endpoints configured to allow the workers to communicate with the AWS services. They are listed on this user guide page: https://helpcenter.veeam.com/docs/vbaws/guide/configure_endpoints.html?ver=6a

AWS Endpoints configuration

Most of the problems we see with private deployments are in the configuration of the private endpoints. Make sure that, when creating the endpoint, you select a security group that allows connections on port 443 from the workers subnet or workers security group as well as from the VB for AWS SG or VB for AWS subnet. In this case I used the SGs rather than subnets.

Choose a name; it is optional, but it will definitely help you identify the endpoint in the future.

Search for the service you want to create the endpoint for; in the following example I picked SQS.

Select the VPC and the subnet in which you want to create the endpoint.

The subnet you select must have proper routes to the Workers and VBAWS subnets.

Select the Security Groups you want to associate with the Endpoint. Remember that the security group you select here must allow connections on 443 from the VB for AWS appliance and the Workers.

Click Create Endpoint.

You need to do it for all 4 interface endpoints.


For the S3 Gateway endpoint we will select a route table instead of a security group. Here you can select the route table which your private subnet is associated with.


This is what you should have at the end of the configuration.
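As an added example (not from the post, and not Veeam's own tooling), here is a small offline check of the endpoint layout the steps above describe: every required interface endpoint exists and carries a security group that allows tcp/443 from both the Workers SG and the appliance SG, and the S3 gateway endpoint is attached to the private route table. The input dictionaries follow the shapes of describe-vpc-endpoints and describe-security-groups output; the region, SG and route-table IDs are constructed, and the list of four interface services is an assumption, since the post names only SQS and S3 and defers to the user guide for the rest.

```python
"""Offline sanity check of the VPC endpoint layout described above. SAMPLE_* is constructed
to mirror describe-vpc-endpoints / describe-security-groups output; swap in real data to use it."""

REGION = "us-east-1"  # constructed; use the region the appliance runs in
# Assumed service list: the post names only SQS and S3 and defers to the user
# guide for the rest, so ec2/ebs/sns here are an assumption, not from the post.
INTERFACE_SERVICES = {f"com.amazonaws.{REGION}.{s}" for s in ("ec2", "ebs", "sqs", "sns")}
S3_GATEWAY = f"com.amazonaws.{REGION}.s3"


def sg_allows_443_from(sg, source_sg_ids):
    """True if the SG has an inbound rule covering tcp/443 from every source SG."""
    allowed = set()
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        if not perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535):
            continue
        allowed.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return set(source_sg_ids) <= allowed


def check_endpoints(endpoints, sgs_by_id, worker_sg, appliance_sg, private_rtb):
    """Return a list of problems; an empty list means the layout matches the post."""
    problems, seen = [], {ep["ServiceName"]: ep for ep in endpoints}
    for svc in sorted(INTERFACE_SERVICES):
        ep = seen.get(svc)
        if ep is None or ep["VpcEndpointType"] != "Interface":
            problems.append(f"missing interface endpoint for {svc}")
            continue
        ep_sgs = [g["GroupId"] for g in ep.get("Groups", [])]
        if not any(sg_allows_443_from(sgs_by_id.get(g, {}), [worker_sg, appliance_sg]) for g in ep_sgs):
            problems.append(f"{svc}: no endpoint SG allows tcp/443 from {worker_sg} and {appliance_sg}")
    ep = seen.get(S3_GATEWAY)
    if ep is None or ep["VpcEndpointType"] != "Gateway":
        problems.append(f"missing gateway endpoint for {S3_GATEWAY}")
    elif private_rtb not in ep.get("RouteTableIds", []):
        problems.append(f"{S3_GATEWAY}: gateway endpoint not attached to {private_rtb}")
    return problems


# Constructed sample: one SG on all four interface endpoints, S3 gateway on the private route table.
SAMPLE_SGS = {"sg-endpoint": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "UserIdGroupPairs": [{"GroupId": "sg-worker"}, {"GroupId": "sg-appliance"}]}]}}
SAMPLE_ENDPOINTS = [{"ServiceName": s, "VpcEndpointType": "Interface", "Groups": [{"GroupId": "sg-endpoint"}]}
                    for s in sorted(INTERFACE_SERVICES)]
SAMPLE_ENDPOINTS.append({"ServiceName": S3_GATEWAY, "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-private"]})

if __name__ == "__main__":
    print(check_endpoints(SAMPLE_ENDPOINTS, SAMPLE_SGS, "sg-worker", "sg-appliance", "rtb-private") or "layout OK")
```

With real data, feed it the `VpcEndpoints` list from `aws ec2 describe-vpc-endpoints` and a `GroupId`-keyed dict of `aws ec2 describe-security-groups` output; each reported problem maps to one of the steps above.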

To test your endpoint, you can telnet from the appliance to one of them on 443:


As you can see, it is connecting to the private IP and not the public IP of the SQS endpoint.

This test also shows that, besides the route being set properly, the security group is correct as well, since we can connect on 443.

Testing a VB for AWS Backup Policy


Finally, let’s run a policy and check if everything is working properly.

As we can see now, the VBA_Worker VM has been created without a public IP.


All data was transferred to the S3 bucket.

This may look confusing at first glance but it is really helpful to keep your communication within your VPC.

I hope this was helpful. If you have any questions or feedback, please leave them in the comments.


2 comments


Very interesting information. Thanks for sharing 👍


Very detailed as always, Gabe. :)

Congrats for the post, it’s very useful.
