Considerations for Amazon VPC endpoints Creating an AWS Backup VPC endpoint Using a VPC endpoint Creating a VPC endpoint policy Availability AWS Backup currently supports VPC endpoints in the following AWS Regions:

AWS PrivateLink

AWS PrivateLink allows you to establish a private connection between your Virtual Private Cloud (“VPC”) and AWS Backup endpoints by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access AWS Backup APIs by restricting all network traffic between your VPC and AWS Backup to the Amazon network.

AWS PrivateLink enables you to privately access AWS Backup operations without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with AWS Backup API endpoints Your instances also don't need public IP addresses to use any of the available AWS Backup API and Backup gateway API operations. Traffic between your VPC and AWS Backup doesn't leave the Amazon network.

For more information about VPC endpoints, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Considerations for Amazon VPC endpoints

Before you set up an interface VPC endpoint for AWS Backup endpoints, review Interface endpoint properties and limitations in the Amazon VPC User Guide.

All AWS Backup operations relevant to managing Amazon Backup resources are available from your VPC using AWS PrivateLink.

VPC endpoint policies are supported for Backup endpoints. By default, full access to Backup operations is allowed through the endpoint. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Creating an AWS Backup VPC endpoint

You can create a VPC endpoint for AWS Backup using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for AWS Backup using the service name com.amazonaws.region.backup.

In China (Beijing) Region and China (Ningxia) Region, the service name should be cn.com.amazonaws.region.backup.

For Backup gateway endpoints, use com.amazonaws.region.backup-gateway.

The following TCP ports must be allowed in the security group when creating a VPC endpoint for backup Gateway:

TCP 443
TCP 1026
TCP 1027
TCP 1028
TCP 1031
TCP 2222

Protocol	Port	Direction	Source	Destination	Usage
TCP	443 (HTTPS)	Outbound	Backup Gateway	AWS	For communication from Backup Gateway to the AWS service endpoint

Using a VPC endpoint

If you enable private DNS for the endpoint, you can make API requests to AWS Backup with the VPC endpoint using its default DNS name for the AWS Region, for example backup.us-east-1.amazonaws.com.

However, for the China (Beijing) Region and China (Ningxia) Region AWS Regions, API requests should be made with the VPC endpoint using backup.cn-north-1.amazonaws.com.cn and backup.cn-northwest-1.amazonaws.com.cn, respectively.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy

You can attach an endpoint policy to your VPC endpoint that controls access to the Amazon Backup API. The policy specifies:

The principal that can perform actions.
The actions that can be performed.
The resources on which actions can be performed.

Important

When a non-default policy is applied to an interface VPC endpoint for AWS Backup, certain failed API requests, such as those failing from RequestLimitExceeded, might not be logged to AWS CloudTrail or Amazon CloudWatch.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for AWS Backup actions

The following is an example of an endpoint policy for AWS Backup. When attached to an endpoint, this policy grants access to the listed AWS Backup actions for all principles on all resources.


{
  "Statement":[
    {
      "Action":"backup:*",
      "Effect":"Allow",
      "Principal":"*",
      "Resource":"*"
    }
  ]
}

Example: VPC endpoint policy that denies all access from a specified AWS account

The following VPC endpoint policy denies AWS account 123456789012 all access to resources using the endpoint. The policy allows all actions from other accounts.


{
  "Id":"Policy1645236617225",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"Stmt1645236612384",
      "Action":"backup:*",
      "Effect":"Deny",
      "Resource":"*",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      }
    }
  ]
}

For further details on available API responses, please refer to the API Guide.

Availability AWS Backup currently supports VPC endpoints in the following AWS Regions:

US East (Ohio) Region
US East (N. Virginia) Region
US West (Oregon) Region
US West (N. California) Region
Africa (Cape Town) Region
Asia Pacific (Hong Kong) Region
Asia Pacific (Mumbai) Region
Asia Pacific (Osaka) Region
Asia Pacific (Seoul) Region
Asia Pacific (Singapore) Region
Asia Pacific (Sydney) Region
Asia Pacific (Tokyo) Region
Canada (Central) Region
Europe (Frankfurt) Region
Europe (Ireland) Region
Europe (London) Region
Europe (Paris) Region
Europe (Stockholm) Region
Europe (Milan) Region
Middle East (Bahrain) Region
South America (São Paulo) Region
Asia Pacific (Jakarta) Region
Asia Pacific (Osaka) Region
China (Beijing) Region
China (Ningxia) Region
AWS GovCloud (US-East)
AWS GovCloud (US-West)

Note

AWS Backup for VMware is not available in China Regions (China (Beijing) Region and China (Ningxia) Region) or Asia Pacific (Jakarta) Region.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Legal holds

Resilience