Protect VMC ON AWS workloads using Veeam Backup & Replication – PART 02

In the previous blog post, we have given a brief about protecting the VMC ON AWS workloads using Veeam Backup & Replication. As I mentioned in the previous post there are two types of deployments available one is simple deployment, and another is advanced.

In this post, we will cover the simple deployment method of protecting VMC ON AWS workloads using Veeam Backup & Replication.

Simple Deployment

Simple deployment is preferable for VMware Cloud on AWS environments with low traffic load. Per this deployment type, you can install the backup server and the backup proxy on the same VM.

In a simple VMware Cloud on AWS deployment the backup infrastructure includes the following components:

  • Source ESXi host
  • Veeam backup server
  • Veeam backup proxy
  • Veeam backup repository: a Linux-based EC2 instance in AWS


  • Backup Server: Veeam backup server will be deployed as Windows 2016 or 2019 virtual machine in the VMware Cloud on AWS environment.
  • Backup Proxy: Backup proxy will be deployed as Windows 2016 or 2019 virtual machine in the in the VMware Cloud on AWS environment. You can assign the role of the backup proxy to a dedicated VM or to the backup server.

To provide enough resources for the smooth backup operation, deploy at least one backup proxy on the SDDC cluster which is required for AWS specific Hot-Add processing in the VMware Cloud on AWS.

  • Backup Repository:As per the best practice it is recommended to use a backup repository created outside of the VMware Cloud on AWS environment. Amazon EC2 Linux instance can be used as a repository server and launched from the connected VPC. This will help for efficient data transfer over the fast ENI connection used by VMware to communicate with AWS.

You can configure multiple Linux Repository based on the IOPS requirement using different EBS volume types available in AWS like SSD (GP2) , HDD ( ST1) etc.

Setting Up Backup Environment

First, we need to deploy Veeam Backup and Replication (B&R) servers in VMC as Virtual Machines. Create Separate windows virtual machines for Backup Server , you can refer the installation from our blog or refer to  Installing Veeam Backup & Replication guide.

Once Veeam Backup & Replication is deployed, we need to look into the design of the rest of the backup infrastructure to meet your needs. In the case of VMware Cloud on AWS you need to back up the data to external not in VMC infrastructure. The easiest logical step is to spin up an EC2 instance with attached EBS storage in AWS native.

In our case we have used a Linux instance in AWS and added the attached EBS volume as a repository to Veeam Backup & Replication Server. And we are using S3 as secondary storage, in our environment SOBR is configured as a repository which is combination of Linux Repository and S3 . And the backup policy we are using is reverse incremental which helps to keep the latest backup in EBS volume.

Also, there is networking and security to consider for the communication between VMC and AWS native. In our case the Linux repository server we launched from the same Availability Zone as my production data in VMC. If you want to protect against and AZ failure launch the repo server in a different AZ that talks to the proxy via the native VPC.

Networking and Security in VMC ON AWS

Next is setting up the firewall rules to allow communication to VMC vCenter. Veeam Backup & Replication server and proxy servers are placed in Compute workloads and vCenter & ESXi are under management components.

Compute Gateway: – Configure the firewall policy to allow all communication from Veeam B&R servers to vCenter & ESXi. Also, you have to allow the traffic between the Linux repository server and Veeam backup server & proxy server.

Note:-in our case there many other services running between connected VPC and SDDC we have allowed all traffic, you may create a custom rule to restrict traffic


Management Gateway:- You can specify the communication between Veeam Servers to vCenter over port 443 and ESXi over port 902 using a management gateway firewall.


Distributed Firewall:- You can configure the firewall policy for specific ports communication between the Veeam backup servers, Proxy Servers.



Configure SDDC vCenter in Veeam Backup & Replication Console

To add VMware Cloud on AWS to the backup infrastructure, follow the same steps as described in the Adding VMware vSphere Servers section. You can use a vCenter User with required rights (Active Directory linked mode) described here, or use the cloudadmin@vmc.local user. Also while adding the vCenter specify the fully qualified domain name (FQDN) or the Private IP address.

Backup Job Configuration

Once you have added the vCenter to the Veeam Backup Server m you can start configuring the backup job. Follow the Veeam documentation to configure the backup job form Creating Backup Jobs

Note that you have to set the below-mentioned configuration while configuring the backup with VMC ON AWS

  • Select the backup repository as Linux Repository with EBS volume configured

It is recommended to place the backup data outside VMC, and Setting the Linux Repository is the preferred method.


  • From Advanced Options select the reverse incremental backup method 

Using this option, you will have the most recent restore point in the backup chain is always a full backup, and it gets updated after every successful backup job session. And the reverse incremental backup

method lets you immediately restore a VM to the most recent state without extra processing because the most recent restore point is a full backup file.




After you configure the backup job, you may test the backup job, it will work as expected with VMC on AWS.