Friday, June 24, 2022

Note Taking - Veeam Backup for AWS Best Practice

My personal blog note about Veeam Backup for AWS Best Practice [24 June 2022]

Backup Appliance Size

1. T3.medium (default - 2 vCPU, 4 GiB RAM) - supports 500 - 1000 workloads, 50 instances per policy

2. T3.2xlarge (medium - 8 vCPU, 32 GiB RAM) - supports 1000 - 3000 workloads, around 50 - 150 instances per policy

3. C5.9xlarge (large - 36 vCPU, 72 GiB RAM) - supports 3000 - 4500 workloads, around 50 - 150 instances per policy


Repositories

1. Use a dedicated IAM role (repository role)

2. Encryption is supported via password or KMS integration

3. KMS usage is advised: a password can be lost or forgotten, and it is not recoverable


Object storage data size

1. Average size of backup data in object storage - 40% - 50%

2. Backup data (S3 tiers) - 1 MiB compressed (~512 KiB)

3. Backup data (Glacier tier) - 512 MiB

4. Metadata - 4 KiB per GiB of VM source data


Workers

Deployed within the backup account

Worker provisioning is based on the available vCPU count (AWS service quota, per region)

On average between 10 to 40 workers per region

Different sizes are used for cost-effective protection

Workers are based on an Ubuntu image


Placement of worker

1. Creating backup/archive of instance - worker placement at region with target repository

2. Instance Restore / Volume Level Restore - worker placement at region where restored data will reside

3. File Level Restore from snapshot - worker placement at region where snapshot resides

4. File Level Restore from backup - worker placement at region where backup repository resides


Policy Designing

1. Create specific IAM roles per service where possible

2. Use tags where possible

3. Consider your source and target carefully for a cost-effective design

Policy

1. 50 - 150 workloads per policy

2. Appliance memory consumption - 1.5 GiB and 5% RAM free + memory used by policies

3. Policy memory consumption - 100 MiB per policy + 3 MiB per workload added

Every policy uses around 225 MiB of RAM when it runs (even with just 1 instance)

Formula:

Appliance RAM in MB * 0.95 - 1536 MiB - (225 MiB * N of policies + 3 MB * N of instances in the policy)


4. Don't start all jobs concurrently unless you have sufficient resources.
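
The memory formula and the advice against starting every job at once can be combined into a small planner. This is an added example, not Veeam code and not part of the original note: it applies the formula to get the free RAM, then groups policies into start waves that fit. It assumes every figure is in MiB and that each concurrently running policy costs 225 MiB + 3 MiB per instance; the policy names and the first-fit packing are choices made for the example.

```python
# Added example, not Veeam code. Figures come from the note's formula and
# are all treated as MiB (assumption; the note mixes MB and MiB).
BASE_MIB = 1536          # 1.5 GiB appliance baseline
USABLE_FRACTION = 0.95   # keep 5% of RAM free
POLICY_MIB = 225         # per running policy
WORKLOAD_MIB = 3         # per instance in a running policy


def policy_cost(instances):
    """RAM one running policy needs, in MiB."""
    return POLICY_MIB + WORKLOAD_MIB * instances


def headroom(ram_mib, running):
    """The note's formula: MiB left free while `running` policies are active.

    running: list of instance counts, one entry per concurrent policy.
    """
    return ram_mib * USABLE_FRACTION - BASE_MIB - sum(map(policy_cost, running))


def plan_waves(ram_mib, policies):
    """Group policies into start waves that each fit in memory.

    policies: dict of policy name -> instance count (names are hypothetical).
    Uses first-fit decreasing packing, a choice made for this example.
    """
    budget = headroom(ram_mib, [])
    waves = []  # each entry: [remaining MiB, [policy names]]
    for name, count in sorted(policies.items(), key=lambda kv: -kv[1]):
        cost = policy_cost(count)
        if cost > budget:
            raise ValueError(f"{name}: {cost} MiB exceeds budget {budget:.0f} MiB")
        for wave in waves:
            if wave[0] >= cost:
                wave[0] -= cost
                wave[1].append(name)
                break
        else:
            waves.append([budget - cost, [name]])
    return [names for _, names in waves]


if __name__ == "__main__":
    # Constructed sample: eight policies on a 4 GiB (T3.medium) appliance.
    sample = {"a": 50, "b": 50, "c": 50, "d": 50, "e": 50, "f": 50, "g": 40, "h": 30}
    for i, names in enumerate(plan_waves(4 * 1024, sample), 1):
        print(f"wave {i}: {names}")
```

A negative result from headroom() means the listed policies do not fit together on that appliance size and should be staggered or moved to a larger one.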

Security

1. Use cross-account/region to isolate backups

2. Integrate with IAM roles (dedicated)

3. Enable encryption to safeguard against internal & external threats

4. Use Amazon KMS to easily control secure access to encrypted backup data

5. Use RBAC to delegate permission to administrate and perform tasks

6. Use MFA to protect access using a second source of validation