Thursday, November 28, 2024

Veeam Backup for AWS: Workers

In the previous post we looked at the Veeam Backup for AWS (VBA) appliance architecture and deployment. To protect AWS resources, VBA uses two methods: worker-based protection and AWS-native protection (snapshots and backup vaults). We will cover native protection in future posts, where we will look at the backup process for different types of resources.

Workers are part of the VBA architecture. They are temporary instances deployed automatically at the beginning of a backup, restore or retention activity and removed at the end of the operation. Workers are used for the following operations:

  • image-level backups for EC2 and RDS
  • restore of data from an image-level backup
  • EFS indexing
  • retention tasks

Backups created by workers are sent to a backup repository, which uses Amazon S3.

Workers are based on the standard amzn-linux-v2 image, and the Veeam binaries are installed from a dedicated S3 bucket (the configuration bucket). They run the following services:

Veeam Data Mover - retrieves data of protected AWS resources and transfers it to backup repositories. During restore, it transfers backed-up data from backup repositories to the target location.

File-level recovery browser - a web service that lets you find files and folders of a backed-up EC2 instance and save them to the local machine or to the original location.

Workers are deployed in either the backup account or the production account. As a best practice, a dedicated backup account should be used to deploy the VBA appliance and the workers. Additionally, a dedicated repository account should be created for the S3 buckets used as backup repositories. This account segmentation strengthens the security posture and limits the damage an attacker can do if a single account is breached.

For the following operations the workers are deployed in the backup account:

  • EC2 image-level backup
  • entire EC2 instance restore from image-level backups
  • EC2 volume-level restore from image-level backups
  • EC2 file-level recovery
  • EC2 backup retention tasks
  • RDS archived backup

By default, workers are deployed in production accounts for the following operations:

  • EFS indexing
  • RDS image-level backup
  • RDS database restore from image-level backup

However, VBA can also be configured to distribute workers across multiple production accounts for the following operations:

  • EC2 image-level backups
  • EC2 instance restore from image-level backups
  • EC2 volume-level restore from image-level backups 
  • EC2 file-level recovery from snapshots

During deployment operations, VBA assumes a worker deployment role in the account where it needs to deploy the workers. A temporary IAM role is attached to each deployed worker. By default, VBA uses the "Default Backup Restore" role, which has all the permissions required to perform data protection and disaster recovery operations.

Workers are created with default profiles chosen by the size of the processed data:

  • Small profile (c5.large) - total EBS volume size < 1024 GB
  • Medium profile (c5.2xlarge) - 1024 GB < total EBS volume size < 16 TB
  • Large profile (c5.4xlarge) - total EBS volume size > 16 TB
  • Archiving profile (c5.2xlarge) - used for transferring data to archive repositories

The default profiles can be customized per region. However, make sure you understand the impact of changing the worker size on the overall cost of the operation.


Tags can be added automatically to worker instances, and the following variables are available for use:

  • %applianceId% - unique VBA appliance ID
  • %policyId% - ID of the policy for which the worker is deployed
  • %policyName% - name of the policy for which the worker is deployed

From a networking point of view, you can select, per region, the VPC, subnet and security group to which the worker instances are connected.

VBA uses public IP addresses to communicate with workers, which means the selected VPC must have an internet gateway and routing tables, and the security groups must permit that access. This behavior can be changed: worker instances can be deployed in a private network by enabling the private network deployment functionality in VBA. To ensure VBA can work in a private environment, configure private endpoints as presented here.

Workers are a key architectural component of VBA. Understanding their use cases and how to customize a standard deployment is essential to designing a proper VBA architecture.

Tuesday, November 19, 2024

Veeam Backup for AWS: Backup Appliance Architecture and Deployment

We continue our series of posts on Veeam Backup for AWS (VBA) with a look at its architecture and deployment process. The Veeam Backup for AWS appliance coordinates backup and recovery tasks, controls scheduling and notifications, manages retention tasks and controls the deployment of the additional components used during backup and restore operations.

The Veeam Backup for AWS appliance is a Linux-based EC2 instance running several services:

  • Backup service - coordinates backup and recovery operations
  • Configuration database (PostgreSQL) - stores the configuration of backup policies, worker instances, added IAM roles, sessions and so on
  • Configuration restore service - allows you to back up and restore the configuration of the backup appliance. When the appliance is connected to a VBR server, the configuration backup is configured and executed from the VBR console
  • Web UI - web interface for accessing VBA
  • Veeam Updater service - installs product and package updates
  • Veeam FLR service - restores individual files and folders of protected EC2 instances
  • Self Backup service - allows Veeam Backup for AWS to back up and restore the configuration database of the backup appliance
  • REST API service

A Veeam Backup & Replication (VBR) server centrally manages VBA appliances. One or more appliances can be managed from the same VBR server, allowing for multi-region deployment. The backup server (VBR) can be deployed either in AWS or on-premises. The backup server uses the Veeam Plug-in for AWS to connect to AWS services and manage the lifecycle of Veeam Backup for AWS components.


To start the VBA deployment from VBR, make sure you have access to an AWS account. During the deployment process, the Veeam Plug-in for AWS connects to multiple AWS APIs and services:

  • AWS IAM - create IAM roles for VBA (impersonation role and backup/restore access role)
  • Amazon EC2 - deploy the appliance from an EC2 Ubuntu image and create networking if necessary
  • AWS SSM - run scripts and configure the VBA appliance
  • Amazon S3 - deployment scripts and binaries
  • Amazon KMS
  • Amazon STS
  • CloudWatch
  • Service Quotas

You can choose to connect to an existing appliance or deploy a new one. Next, add the AWS account access key and secret key. Remember that the account needs permissions to the services above. Below is a list of all the API endpoints called during installation:

  • cloudtrail.amazonaws.com
  • config.amazonaws.com
  • ec2.amazonaws.com
  • kms.amazonaws.com
  • monitoring.amazonaws.com
  • notifications.amazonaws.com
  • resource-explorer-2.amazonaws.com
  • s3.amazonaws.com
  • servicequotas.amazonaws.com
  • ssm.amazonaws.com
  • sso.amazonaws.com
  • sts.amazonaws.com

Select the region where you want to deploy VBA, enter an instance name for the appliance and choose how to connect to it: dynamic public IP, static public IP or private IP. If you choose a private IP, make sure you have access to that IP range. The deployment process can also create the networking infrastructure if it does not exist (VPC, subnets, security groups, internet gateway and so on). Finally, enter the guest OS administrator credentials and the key pair used to encrypt the credentials.

The deployment process automatically goes through several stages:

  • get and deploy an EC2 Ubuntu image
  • create IAM roles
  • prepare the instance (deploy and configure the required binaries in the appliance)
  • create administrator credentials for the appliance
  • initialize services in the appliance
  • check for updates for Ubuntu Linux, Microsoft Windows (ASP.NET Core Runtime) and PostgreSQL
  • install updates
  • reboot the appliance
  • add permissions to the IAM role

The installation can take some time, so be patient. During the installation, IAM roles are created automatically.

The "Impersonation role" is attached to the backup appliance and is used to assume other IAM roles. It has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

and the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Another two roles are created: "VeeamInstanceBackupRestoreAccessRole" and "VcbSnapshotsRole".

VeeamInstanceBackupRestoreAccessRole - the default role that allows VBA to perform all backup and restore operations. Its trust relationship grants the impersonation role and the listed AWS services permission to assume it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ec2.amazonaws.com",
                    "backup.amazonaws.com",
                    "batchoperations.s3.amazonaws.com"
                ],
                "AWS": "arn:aws:iam::1111111:role/VeeamImpersonationRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

The permissions list is pretty long and can be found here. In IAM, a series of policies named vbaws_policy_* and vcb_policy_* is created to grant all the required permissions.

VcbSnapshotsRole - grants permissions to manage EC2 snapshots; its trust relationship allows the Data Lifecycle Manager service (dlm.amazonaws.com) to assume it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "dlm.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
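To see at a glance who can assume each of the three roles above, and how broad the impersonation role's sts:AssumeRole permission is, here is an added example (my own code, not Veeam's): a small offline trust-policy analyzer run over the policy documents shown in this post. The `Service:<name>` / `AWS:<arn>` principal strings are this example's own formatting, and 1111111 is the post's placeholder account id.

```python
# Policy documents copied from the post; 1111111 is the post's placeholder id.
IMPERSONATION_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}

TRUST_POLICIES = {
    "VeeamImpersonationRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "VeeamInstanceBackupRestoreAccessRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": ["ec2.amazonaws.com", "backup.amazonaws.com",
                                   "batchoperations.s3.amazonaws.com"],
                       "AWS": "arn:aws:iam::1111111:role/VeeamImpersonationRole"},
         "Action": "sts:AssumeRole"}]},
    "VcbSnapshotsRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "dlm.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
}


def _as_list(value):
    # IAM accepts either a single string or a list in Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def assume_principals(trust_policy):
    """Principals ('Service:<name>' or 'AWS:<arn>') that an Allow statement
    in this trust policy permits to call sts:AssumeRole on the role."""
    found = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for kind, names in stmt.get("Principal", {}).items():
            found.update(f"{kind}:{name}" for name in _as_list(names))
    return found


def roles_assumable_by(principal, trust_policies):
    """Role names whose trust policy lists the given principal, i.e. the roles
    the impersonation role (or a service) can actually hop into."""
    return sorted(name for name, policy in trust_policies.items()
                  if principal in assume_principals(policy))


def assume_role_resources(permission_policy):
    """Resources targeted by Allow sts:AssumeRole permission statements. A '*'
    means the target roles' trust policies are the only limit on what can be assumed."""
    resources = []
    for stmt in permission_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and \
                "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            resources.extend(_as_list(stmt.get("Resource", [])))
    return resources
```

Calling `roles_assumable_by("AWS:arn:aws:iam::1111111:role/VeeamImpersonationRole", TRUST_POLICIES)` returns only `VeeamInstanceBackupRestoreAccessRole`, while `assume_role_resources(IMPERSONATION_PERMISSIONS)` returns `['*']`, which is why the trust policies, not the impersonation role's permission policy, are the effective control to review.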


After the VBA appliance is deployed, you can create and configure an S3 bucket to use as a backup repository and start the wizard from the VBR console, or open the VBA console and start configuring the appliance.


Monday, November 11, 2024

Veeam ONE for NIS 2 Compliance: Key Benefits and Features

The NIS 2 Directive, an EU regulatory standard for cybersecurity, has brought new compliance requirements that impact organizations across critical sectors. Enforced to enhance cybersecurity across the Union, the directive applies to both "essential" and "important" entities, which must now align with stricter guidelines on incident reporting, risk management, and continuous security monitoring. Articles 21 and 23, in particular, detail essential cybersecurity risk management measures and rigorous reporting practices. For companies looking to meet these mandates, Veeam ONE offers a robust solution through its in-depth monitoring, alerting, and reporting capabilities. In this post, we’ll explore how Veeam ONE aligns with NIS 2 compliance, enabling organizations to efficiently manage cybersecurity risks and meet their regulatory requirements.


Let’s first examine Articles 21 and 23 of the NIS 2 Directive:

  • Article 21 establishes the need for essential cybersecurity measures and risk management practices. This includes continuous monitoring, incident prevention and detection, vulnerability management, and real-time security alerts to help manage cybersecurity risks.

  • Article 23 outlines the expectations for incident handling and reporting. Organizations are required to have mechanisms in place for reporting cybersecurity incidents in a timely manner, providing detailed information to relevant authorities, and ensuring these incidents are contained and managed to prevent widespread impact.

In essence, these articles push organizations to adopt an end-to-end approach to cybersecurity, emphasizing visibility, timely reporting, and proactive threat management—all of which can be effectively addressed by Veeam ONE.


Designed to deliver insights, monitoring, and proactive alerting, Veeam ONE aligns well with the NIS 2 Directive’s requirements for both risk management and incident reporting. Here’s how:

1. Continuous Monitoring and Real-Time Visibility

Article 21 mandates the implementation of continuous monitoring for risk management, and Veeam ONE’s advanced monitoring features fulfill this requirement. It provides a unified view of the virtual and backup infrastructure, allowing organizations to observe system performance, detect anomalies, and gain visibility into potential vulnerabilities across both virtual and physical environments. 

Out-of-the-box and customizable dashboards monitor the state of your infrastructure in real time, as seen below in the vSphere Alarms dashboard:


2. Advanced Alerting for Proactive Risk Management

Veeam ONE supports compliance with Article 21’s focus on risk management through its advanced alerting capabilities. Organizations can configure specific alerts for potential threats or anomalies such as ransomware attacks, allowing IT teams to respond to risks promptly. These alerts can be customized to focus on critical NIS 2 areas, such as system failures, unauthorized access attempts, or irregular system behaviors. The ability to set thresholds for alerts ensures that teams are notified about risks before they escalate, enhancing response time and preventing potential incidents.

Alerts can be used immediately and notifications received in real time via syslog, SNMP traps, e-mail or ServiceNow. A deep view on any possible threats is provided, such as failed login attempts:


3. Comprehensive Reporting and Documentation for Compliance

One of the key aspects of Article 23 is the ability to report incidents comprehensively. Veeam ONE’s robust reporting features make it easier to document and communicate relevant cybersecurity events. Reports can be generated on demand, providing detailed documentation of incidents, system performance, and overall cybersecurity health. These reports not only help in complying with NIS 2 but also streamline communication with stakeholders and regulatory authorities.

More than a hundred predefined reports are available, and they can be scheduled to run periodically:


4. Resource Optimization and Capacity Planning

To meet NIS 2 compliance, organizations must also ensure that they have the resources to manage cybersecurity effectively. Veeam ONE’s capacity planning tools allow organizations to forecast resource needs, identify areas of potential overuse or underutilization, and optimize resource allocation across critical areas. 


5. Enhanced Incident Response and Management

Veeam ONE supports Article 23's emphasis on efficient incident response by providing a detailed view of system health and performance, enabling organizations to react promptly to cybersecurity events. Veeam ONE's integration with Veeam Backup & Replication also allows organizations to automate responses for certain incidents, ensuring continuity and minimizing the impact of any security event.


By providing critical insights, proactive alerts, and robust reporting capabilities, Veeam ONE empowers organizations to meet NIS 2 mandates while maintaining optimal security and performance. As cybersecurity threats continue to evolve, solutions like Veeam ONE can be invaluable assets for organizations looking to stay compliant and protect their operations.

Wednesday, November 6, 2024

Veeam Backup for AWS: Comprehensive Cloud Data Protection

In today's cloud-dependent world, data protection is essential for maintaining business continuity. Veeam Backup for AWS (VBA) offers an AWS-native, highly adaptable solution designed to protect, manage, and recover data within AWS environments. Its main purpose is to help organizations address the unique data protection needs of AWS workloads, ensuring that cloud data remains resilient against threats like accidental deletion, cyberattacks, or service interruptions.

Key Components of Veeam Backup for AWS

  1. Automated Backup and Recovery: Veeam allows for fully automated backup processes, supporting Amazon EC2, RDS, DynamoDB, Redshift, EFS, FSx and VPC. With policies and schedules, users can customize backups to fit business needs and ensure their critical data is consistently protected.

  2. Cost Optimization: Veeam uses Amazon S3 and its various storage classes, such as Glacier and Glacier Deep Archive, to optimize storage costs. Users can automatically tier their data to lower-cost storage options, making cloud backups more affordable without sacrificing accessibility.

  3. Immutability and Security: Leveraging Amazon S3 Object Lock, Veeam ensures that backups remain immutable, providing a strong defense against ransomware and other cyber threats. This feature prevents any changes or deletions to stored data within a specified timeframe, securing it from unauthorized access or malicious attacks.

  4. Cross-Region and Cross-Account Recovery: In case of an outage or disaster, Veeam enables cross-region and cross-account recovery, allowing users to restore data quickly and securely across different AWS accounts or regions, thereby meeting stringent recovery objectives.

  5. User-Friendly Interface and Self-Service: The solution includes a streamlined interface that simplifies backup setup and monitoring. Additionally, self-service recovery options allow users to restore their data with minimal intervention, enabling faster response times in critical situations.

Starting with version 7.0, Veeam Backup for AWS is part of the Veeam Backup & Replication (VBR) solution. The AWS Plug-in for Veeam Backup & Replication extends VBR functionality and allows you to add backup appliances to VBR. The entire lifecycle of VBA is managed from VBR through the AWS Plug-in.
Deployment, update and management of VBA are done from the VBR console. Currently you can still deploy VBA from AWS Marketplace, connect it to VBR and upgrade it to the latest version; however, this process is deprecated and only the VBR console should be used to manage VBA. One or multiple VBA appliances can be managed from the same VBR server.

Additionally, Veeam ONE can offer enhanced monitoring and reporting capabilities for VBA by collecting data about protected AWS resources.

By combining these components, Veeam Backup for AWS provides an end-to-end backup and disaster recovery solution tailored for AWS cloud environments, balancing security, cost, and ease of use. 

In the following posts we will take a deeper look at Veeam Backup for AWS architecture and operations.