Overview
VBA uses the following components for the backup process:
- A backup appliance to control backup operations via a service bus and workers
- A simple queue service instance to communicate with workers
- Pools of workers used to run backup operations that send data to repositories
- A bucket used for worker provisioning
- A bucket used as a backup repository
This guide is intended to provide best practices around sizing, deploying and using VBA, and assumes you have already read the Veeam Backup for AWS documentation.
How backup works
VBA can protect the following workloads:
- EC2 instances using cloud-native snapshots, snapshot replicas and image-level backups
- RDS instances using cloud-native snapshots and snapshot replicas
- EFS file system backups using a backup vault
- VPC configuration backup
Workers are used for EC2 image-level backup and archiving, and for EFS indexing. Workers are created with the correct networking in place. VBA can communicate with workers via the Simple Queue Service (SQS) instance. Components are installed via the AWS Systems Manager (SSM) agent.
Once deployed, workers communicate via traditional networking or via an SQS queue. The Simple Queue Service instance is provisioned automatically upon initial install.
The appliance issues the relevant API calls. Cloud-native snapshots are used for EC2 and RDS, a backup vault is used for EFS, and VPC configuration is exported as applicable. For EC2, the worker service starts processing the data at source to make an image-level backup. EBS snapshots are tagged with encrypted metadata to help identify them.
For EC2 instances:
a. A pre-freeze script is run inside the instance using the SSM agent; this requires an IAM instance profile for SSM. This step is optional in the policy and is not required.
b. The appliance creates an EBS snapshot per disk. After the initial snapshot, subsequent snapshots are incremental. Snapshots are used to create EBS volumes that are mounted to the worker instance.
c. If snapshot replication is enabled, the appliance orchestrates the copy of these snapshots to the target account and region specified in the backup policy settings. The first replica becomes the start of the snapshot replica chain.
d. Workers use changed block tracking (CBT) to compare the newest EBS snapshot to the previous one. Workers only read the data that has changed since the previous backup session. If this is not possible, the worker reads all the data instead. Because snapshots are used for this comparison, VBA may temporarily keep more snapshots for CBT than you would expect based on the retention policy settings.
e. Data is offloaded to the destination backup repository and stored in the native Veeam format. Workers are released upon backup session completion and if there are no further tasks the worker instance is removed.
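The interaction between CBT and snapshot retention in step d can be seen in a small model. This is an added illustration, not Veeam code: snapshots are modelled as dictionaries of block tokens, and the names `blocks_to_read`, `prune` and `simulate`, the daily snapshot schedule and the `pin` switch are all assumptions made for the example.

```python
def blocks_to_read(new_snap, prev_snap):
    """Block indexes a worker must read. Snapshots are {block_index: token}."""
    if prev_snap is None:
        # No previous snapshot to compare against: read everything.
        return sorted(new_snap)
    return sorted(i for i, tok in new_snap.items() if prev_snap.get(i) != tok)


def prune(snapshot_ids, keep_last, cbt_baseline):
    """Keep the newest `keep_last` snapshots, plus the CBT baseline if given."""
    keep = set(snapshot_ids[-keep_last:]) if keep_last else set()
    if cbt_baseline is not None:
        keep.add(cbt_baseline)
    return [s for s in snapshot_ids if s in keep]


def simulate(days, backup_every, keep_last, pin=True):
    """Daily snapshots, an image-level backup every `backup_every` days.

    Returns (snapshots still retained, [(snapshot, blocks read)] per backup).
    """
    store, chain, baseline, log = {}, [], None, []
    for day in range(1, days + 1):
        sid = f"snap-day{day}"
        # Constructed data: an 8-block disk where one block changes per day.
        prev_content = store[chain[-1]] if chain else {i: 0 for i in range(8)}
        store[sid] = {**prev_content, day % 8: day}
        chain.append(sid)
        if (day - 1) % backup_every == 0:
            # store.get() yields None when the baseline was already pruned.
            log.append((sid, blocks_to_read(store[sid], store.get(baseline))))
            baseline = sid
        chain = prune(chain, keep_last, baseline if pin else None)
        store = {s: store[s] for s in chain}
    return chain, log


if __name__ == "__main__":
    for pin in (True, False):
        kept, sessions = simulate(days=5, backup_every=3, keep_last=1, pin=pin)
        print("baseline pinned:", pin, "| retained:", kept)
        for sid, blocks in sessions:
            print("  backup of", sid, "read blocks", blocks)
```

With the baseline pinned, two snapshots are retained although retention is set to one, and the second backup reads three blocks; without it, the second backup falls back to reading all eight.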
For RDS instances:
a. An EBS snapshot of the RDS instance is created. After the initial snapshot, subsequent snapshots are incremental.
b. If snapshot replication is enabled, the appliance orchestrates the copy of these snapshots to the target account and region specified in the backup policy settings. The first replica becomes the start of the snapshot replica chain.
For EFS instances:
a. The appliance issues commands to create a backup of the EFS file system data, which is saved in the selected backup vault. The first backup session may take a significant amount of time to complete since the entire EFS file system is copied. Subsequent sessions only contain changed data.
b. If the option to create backup copies is turned on, a copy is sent to a separate backup vault as per the policy settings, using region mapping.
For VPC backup:
a. The VPC configuration backup policy is built into VBA, but turned off by default. The configuration export contains all settings of all VPC entities selected for every account and region. If no change is detected, no new configuration point will be created. The backups are stored in the VBA database, but an additional copy can also be made to an S3 backup repository.
EC2 instances, files, RDS instances, EFS instances and VPC configuration settings can be restored by using the source snapshots if applicable, or S3 repository data for EC2, backup vault for EFS, or appliance local database for VPC configuration.
Restore Operations
To restore over an existing instance, the original EC2 instance will be removed, unless termination protection is turned on. A new EC2 instance is created with a new ID, and VBA tracks its relationship to the old EC2 ID.
Networking
IP settings for worker instances are inherited from the subnet settings in AWS. If the public IPv4 addressing attribute is disabled for the selected subnet, you must configure endpoints for the subnet to allow private addressing to work. A worker will need an IPv4 connection to AWS services.
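A pre-deployment check for the subnet condition described above, as an added example that is not part of the original guide or of Veeam's tooling. It reads JSON in the shape of `aws ec2 describe-subnets` and `aws ec2 describe-vpc-endpoints` output. The required service list is an assumption derived from the components this page names (SQS, SSM, S3), the sample data is constructed, and endpoints are matched per VPC only, without checking route tables or security groups.

```python
import json

# Assumption: services a worker must reach, taken from the components this
# page names. Check the Veeam documentation for the authoritative list.
REQUIRED_SERVICES = ("sqs", "ssm", "s3")

# Constructed sample data; all IDs are made up.
SUBNETS = json.loads("""{"Subnets": [
  {"SubnetId": "subnet-0aaa", "VpcId": "vpc-01", "MapPublicIpOnLaunch": true},
  {"SubnetId": "subnet-0bbb", "VpcId": "vpc-02", "MapPublicIpOnLaunch": false},
  {"SubnetId": "subnet-0ccc", "VpcId": "vpc-03", "MapPublicIpOnLaunch": false}]}""")
ENDPOINTS = json.loads("""{"VpcEndpoints": [
  {"VpcId": "vpc-02", "ServiceName": "com.amazonaws.eu-west-1.sqs", "State": "available"},
  {"VpcId": "vpc-02", "ServiceName": "com.amazonaws.eu-west-1.ssm", "State": "available"},
  {"VpcId": "vpc-02", "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available"},
  {"VpcId": "vpc-03", "ServiceName": "com.amazonaws.eu-west-1.s3", "State": "available"},
  {"VpcId": "vpc-03", "ServiceName": "com.amazonaws.eu-west-1.sqs", "State": "pending"}]}""")


def missing_endpoints(subnets, endpoints, required=REQUIRED_SERVICES):
    """Map each subnet without public IPv4 to the services lacking an endpoint."""
    available = {}  # VpcId -> service short names with an endpoint in service
    for ep in endpoints["VpcEndpoints"]:
        if ep["State"].lower() == "available":
            service = ep["ServiceName"].rsplit(".", 1)[-1]
            available.setdefault(ep["VpcId"], set()).add(service)
    findings = {}
    for sn in subnets["Subnets"]:
        if sn["MapPublicIpOnLaunch"]:
            continue  # public IPv4 addressing is enabled on this subnet
        have = available.get(sn["VpcId"], set())
        findings[sn["SubnetId"]] = [s for s in required if s not in have]
    return findings


if __name__ == "__main__":
    for subnet, missing in missing_endpoints(SUBNETS, ENDPOINTS).items():
        print(subnet, "OK" if not missing else "missing: " + ", ".join(missing))
```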