Tuesday, November 19, 2024

Veeam Backup for AWS: Backup Appliance Architecture and Deployment

We continue our series of posts on Veeam Backup for AWS (VBA) with a look at its architecture and deployment process. The VBA appliance coordinates backup and recovery tasks, controls scheduling and notifications, runs retention, and controls the deployment of the additional components (such as worker instances) used during backup and restore operations.

Veeam Backup for AWS appliance is a Linux-based EC2 instance running several services:

  • Backup service - coordinates backup and recovery operations.
  • Configuration database (PostgreSQL) - stores the configuration of backup policies, worker instances, added IAM roles, sessions and so on.
  • Configuration restore service - backs up and restores the configuration of the backup appliance. When the appliance is connected to a VBR server, the configuration backup is configured and executed from the VBR console.
  • Web UI - web interface to access VBA.
  • Veeam Updater service - installs product and package updates.
  • Veeam FLR service - restores individual files and folders of protected EC2 instances.
  • Self Backup service - backs up and restores the configuration database of the backup appliance.
  • REST API service - programmatic access to the appliance.

Veeam Backup & Replication (VBR) centrally manages VBA appliances. One or more appliances can be managed from the same VBR server, which allows multi-region deployments. The backup server can be deployed either in AWS or on-premises; it uses the Veeam Plugin for AWS to connect to AWS services and manage the lifecycle of the Veeam Backup for AWS components.


To start the VBA deployment from VBR, make sure you have access to an AWS account. During the deployment process, the Veeam Plugin for AWS connects to multiple AWS APIs and services:

  • AWS IAM - create IAM roles for VBA (the impersonation role and the backup/restore access role)
  • Amazon EC2 - deploy the appliance from an EC2 Ubuntu image and create networking if necessary
  • AWS SSM - run scripts and configure the VBA appliance
  • Amazon S3 - deployment scripts and binaries
  • Amazon KMS
  • Amazon STS
  • CloudWatch
  • Service Quotas

You can choose to connect to an existing appliance or deploy a new one. Next, add the AWS account access key and secret key. The IAM identity behind that key needs permissions to the services above; since it is a long-lived credential with role-creation rights, use a dedicated identity for the deployment and rotate or delete the key once the appliance is up. The list below shows all the API endpoints called during installation:
  • cloudtrail.amazonaws.com
  • config.amazonaws.com
  • ec2.amazonaws.com
  • kms.amazonaws.com
  • monitoring.amazonaws.com
  • notifications.amazonaws.com
  • resource-explorer-2.amazonaws.com
  • s3.amazonaws.com
  • servicequotas.amazonaws.com
  • ssm.amazonaws.com
  • sso.amazonaws.com
  • sts.amazonaws.com
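
The endpoint list above is what you would expect to see in CloudTrail for the deployment key, so it doubles as an allow-list for a post-deployment check: which services did that key actually call, which listed ones never appeared, and were any calls denied? The script below is an added example for this post, not Veeam code. EXPECTED_SOURCES is the endpoint list from the post; the CloudTrail records, the access key IDs and the helper names are constructed for the example and carry only the fields the check reads. One of the constructed records is an IAM CreateRole call: role creation goes to iam.amazonaws.com, which the post's endpoint list does not include, so it surfaces as "outside_expected" and shows how the check flags a call you did not plan for.

```python
"""Which AWS services did the VBA deployment access key actually call?

Added example; not Veeam code. Records below are constructed sample data.
"""
from collections import Counter

# eventSource values the post lists as called during installation.
EXPECTED_SOURCES = {
    "cloudtrail.amazonaws.com", "config.amazonaws.com", "ec2.amazonaws.com",
    "kms.amazonaws.com", "monitoring.amazonaws.com", "notifications.amazonaws.com",
    "resource-explorer-2.amazonaws.com", "s3.amazonaws.com",
    "servicequotas.amazonaws.com", "ssm.amazonaws.com", "sso.amazonaws.com",
    "sts.amazonaws.com",
}

DEPLOY_KEY = "AKIAEXAMPLEDEPLOY001"  # constructed; the key given to the VBR wizard


def event(source, name, key, **extra):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    event("ec2.amazonaws.com", "RunInstances", DEPLOY_KEY),
    event("ssm.amazonaws.com", "SendCommand", DEPLOY_KEY),
    event("sts.amazonaws.com", "GetCallerIdentity", DEPLOY_KEY),
    # Role creation goes to IAM, which the post's endpoint list omits.
    event("iam.amazonaws.com", "CreateRole", DEPLOY_KEY),
    # A denied call carries an errorCode.
    event("servicequotas.amazonaws.com", "GetServiceQuota", DEPLOY_KEY,
          errorCode="AccessDenied"),
    # Someone else's key; must be ignored.
    event("ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLEOTHERKEY1"),
]


def events_for_key(records, access_key_id):
    """Records made with one specific access key (the deployment credential)."""
    return [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]


def summarize(records, access_key_id, expected=EXPECTED_SOURCES):
    """Compare what the key called against the post's endpoint list."""
    mine = events_for_key(records, access_key_id)
    per_source = Counter(r["eventSource"] for r in mine)
    return {
        "calls_per_service": dict(per_source),
        "outside_expected": sorted(set(per_source) - expected),
        "expected_not_seen": sorted(expected - set(per_source)),
        "denied": [(r["eventSource"], r["eventName"], r["errorCode"])
                   for r in mine if "errorCode" in r],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS, DEPLOY_KEY).items():
        print(f"{key}: {value}")
```

To run this against a real deployment, pull the records with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key id>` (or from the trail's S3 bucket) and pass the Records array to summarize(). Extend EXPECTED_SOURCES with whatever your own deployment legitimately touches (iam.amazonaws.com at minimum), then rotate or delete the key.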

Select the region where you want to deploy VBA, enter an instance name for the appliance and choose how to connect to it: dynamic public IP, static public IP or private IP. If you choose a private IP, make sure VBR has network access to that IP range. The deployment process can also create the networking infrastructure if it does not exist: VPC, subnets, security groups, internet gateway and so on. Finally, enter the guest OS administrator credentials and the key pair used to encrypt those credentials.

The deployment process automatically goes through several stages:
  • get and deploy an EC2 Ubuntu image
  • create IAM roles
  • prepare the instance (deploy and configure the required binaries in the appliance)
  • create administrator credentials for the appliance
  • initialize services in the appliance
  • check for updates for Ubuntu Linux, the Microsoft ASP.NET Core Runtime and PostgreSQL
  • install updates
  • reboot the appliance
  • add permissions to the IAM role
The installation can take some time, so be patient. The IAM roles are created automatically during the installation.

The "impersonation role" is attached to the backup appliance (as its instance profile) and is used to assume the other IAM roles. Its permission policy is a single statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

Note that with Resource "*" nothing is scoped on the appliance side: what the appliance can actually reach is decided by the trust policies of the target roles, so any role in the account whose trust policy admits the account root is assumable from the appliance as well. The role has the following trust relationship, which lets EC2 use it for the instance:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Two more roles are created: "VeeamInstanceBackupRestoreAccessRole" and "VcbSnapshotsRole".

VeeamInstanceBackupRestoreAccessRole is the default role that allows VBA to perform all backup and restore operations. Its trust policy lets the impersonation role (and the EC2, AWS Backup and S3 Batch Operations services) assume it; the account ID below is a placeholder:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ec2.amazonaws.com",
                    "backup.amazonaws.com",
                    "batchoperations.s3.amazonaws.com"
                ],
                "AWS": "arn:aws:iam::1111111:role/VeeamImpersonationRole"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

The permission list is long and can be found in Veeam's documentation. In IAM a series of policies named vbaws_policy_* and vcb_policy_* is created to grant these roles all the required permissions.


VcbSnapshotsRole grants permissions to manage EC2 snapshots. Its trust policy allows Amazon Data Lifecycle Manager (dlm.amazonaws.com) to assume it; the impersonation role is not a trusted principal here:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "dlm.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
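
The three policy documents above form a small trust graph, and the question a reviewer wants answered is: given sts:AssumeRole on Resource "*", which roles can the appliance actually land on? The script below is an added example for this post, not Veeam code. It embeds the impersonation role's permission policy and the two trust policies exactly as shown in the post (account 1111111 is the post's placeholder), adds a constructed LegacyAdminRole that trusts the account root to show what the unscoped Resource means in practice, and walks both sides of each AssumeRole: the caller's permission policy and the target's trust policy. Condition blocks in trust policies are not evaluated (an assumption of this example: a matching principal is reported as reachable and conditions are left for manual review). Function names are the example's own.

```python
"""Offline audit of the IAM role chain behind the VBA appliance.

Added example; not Veeam code. Policies are the post's, LegacyAdminRole is
constructed, and trust-policy Condition blocks are ignored (assumption).
"""
IMPERSONATION_ROLE_ARN = "arn:aws:iam::1111111:role/VeeamImpersonationRole"

# Permission policy attached to the impersonation role (from the post).
IMPERSONATION_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}

# Trust policies of roles in the account, keyed by role name.
TRUST_POLICIES = {
    # From the post: trusts the impersonation role and three AWS services.
    "VeeamInstanceBackupRestoreAccessRole": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": ["ec2.amazonaws.com", "backup.amazonaws.com",
                            "batchoperations.s3.amazonaws.com"],
                "AWS": IMPERSONATION_ROLE_ARN,
            },
            "Action": "sts:AssumeRole",
        }],
    },
    # From the post: trusts only Data Lifecycle Manager, not the appliance.
    "VcbSnapshotsRole": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "dlm.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
    # Constructed for the example: trusts the whole account (root principal).
    "LegacyAdminRole": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::1111111:root"},
            "Action": "sts:AssumeRole",
        }],
    },
}


def as_list(value):
    """IAM accepts a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_assume_role(statement):
    """Allow statement granting sts:AssumeRole, directly or via a wildcard."""
    if statement.get("Effect") != "Allow":
        return False
    return any(a in ("sts:AssumeRole", "sts:*", "*") for a in as_list(statement.get("Action")))


def assume_role_is_unbounded(permission_policy):
    """The post's impersonation policy: sts:AssumeRole on Resource "*"."""
    return any(allows_assume_role(s) and "*" in as_list(s.get("Resource"))
               for s in permission_policy["Statement"])


def trusts_principal(trust_policy, principal_arn):
    """Does the trust policy admit principal_arn?  Matches the exact ARN, the
    account root (admits every principal in the account whose own policy allows
    sts:AssumeRole) and a bare "*".  Service principals never match a role ARN."""
    account_id = principal_arn.split(":")[4]
    admitted = {principal_arn, f"arn:aws:iam::{account_id}:root", account_id, "*"}
    for s in trust_policy["Statement"]:
        if not allows_assume_role(s):
            continue
        principal = s.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and admitted & set(as_list(principal.get("AWS"))):
            return True
    return False


def reachable_roles(principal_arn, permission_policy, trust_policies):
    """Roles principal_arn can land on: the caller's permission policy AND the
    target's trust policy must both allow the call."""
    account_id = principal_arn.split(":")[4]
    allowed = set()
    for s in permission_policy["Statement"]:
        if allows_assume_role(s):
            allowed.update(as_list(s.get("Resource")))
    reachable = []
    for name, trust in trust_policies.items():
        role_arn = f"arn:aws:iam::{account_id}:role/{name}"
        if ("*" in allowed or role_arn in allowed) and trusts_principal(trust, principal_arn):
            reachable.append(name)
    return sorted(reachable)


def audit(principal_arn=IMPERSONATION_ROLE_ARN, permission_policy=IMPERSONATION_PERMISSIONS,
          trust_policies=TRUST_POLICIES, expected=("VeeamInstanceBackupRestoreAccessRole",)):
    """Report anything the appliance role can reach beyond the Veeam role(s)."""
    reached = set(reachable_roles(principal_arn, permission_policy, trust_policies))
    return {"unbounded_assume_role": assume_role_is_unbounded(permission_policy),
            "reachable": sorted(reached), "unexpected": sorted(reached - set(expected))}


if __name__ == "__main__":
    print(audit())
```

With the post's documents alone the appliance reaches only VeeamInstanceBackupRestoreAccessRole (VcbSnapshotsRole trusts DLM, not the appliance). The constructed LegacyAdminRole shows the catch: a role that trusts the account root is reachable too, because the appliance's Resource "*" satisfies the permission side. To run this against a live account, replace TRUST_POLICIES with the output of `aws iam list-roles` (the AssumeRolePolicyDocument field of each role) and, if you want a tighter appliance, scope the impersonation policy's Resource to the Veeam role ARNs so that assume_role_is_unbounded() returns False.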


After the VBA appliance is deployed, you can create and configure an S3 bucket to use as a backup repository, either by starting the wizard from the VBR console or by opening the VBA console and configuring the appliance from there.

