Configure your infrastructure to use Backup gateway - AWS Backup

Backup gateway requires the following network, firewall, and hardware configurations to back up and restore your virtual machines.

Network configuration

Backup gateway requires certain ports to be allowed for its operation. Allow the following ports:

  1. TCP 443 Outbound

    • Source: Backup gateway

    • Destination: AWS

    • Use: Allows Backup gateway to communicate with AWS.

  2. TCP 80 Inbound

    • Source: The host you use to connect to the AWS Management Console

    • Destination: Backup gateway

    • Use: By local systems to obtain the Backup gateway activation key. Port 80 is only used during activation of Backup gateway. AWS Backup does not require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your gateway from the AWS Management Console, the host from which you connect to the console must have access to your gateway's port 80.

  3. UDP 53 Outbound

    • Source: Backup gateway

    • Destination: Domain Name Service (DNS) server

    • Use: Allows Backup gateway to communicate with the DNS.

  4. TCP 22 Outbound

    • Source: Backup gateway

    • Destination: AWS Support

    • Use: Allows AWS Support to access your gateway to help you with issues. You don't need to open this port for the normal operation of your gateway, but you must open it for troubleshooting.

  5. UDP 123 Outbound

    • Source: NTP client

    • Destination: NTP server

    • Use: Used by local systems to synchronize virtual machine time to the host time.

  6. TCP 443 Outbound

    • Source: Backup gateway

    • Destination: VMware vCenter

    • Use: Allows Backup gateway to communicate with VMware vCenter.

  7. TCP 443 Outbound

    • Source: Backup gateway

    • Destination: ESXi hosts

    • Use: Allows Backup gateway to communicate with ESXi hosts.

  8. TCP 902 Outbound

    • Source: Backup gateway

    • Destination: VMware ESXi hosts

    • Use: Used for data transfer via Backup gateway.

Firewall configuration

Backup gateway requires access to the following service endpoints to communicate with Amazon Web Services. If you use a firewall or router to filter or limit network traffic, you must configure your firewall and router to allow these service endpoints for outbound communication to AWS. Use of an HTTP proxy in between Backup gateway and service points is not supported.

  • proxy-app.backup-gateway.region.amazonaws.com:443

  • dp-1.backup-gateway.region.amazonaws.com:443

  • anon-cp.backup-gateway.region.amazonaws.com:443

  • client-cp.backup-gateway.region.amazonaws.com:443
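As an added preflight check (not part of the AWS documentation), the following Python script encodes the outbound TCP rules and service endpoints listed above and tests them from a host that sits behind the same firewall policy as the gateway VM. The region, vCenter, ESXi and NTP names are constructed placeholders; the NTP probe is a minimal SNTP request that only shows UDP 123 is open, not that the clock is correct.

```python
"""Preflight connectivity check for an AWS Backup gateway network segment."""
import socket

# Service endpoints from the firewall configuration above; "region" is filled in at runtime.
SERVICE_ENDPOINTS = (
    "proxy-app.backup-gateway.{region}.amazonaws.com",
    "dp-1.backup-gateway.{region}.amazonaws.com",
    "anon-cp.backup-gateway.{region}.amazonaws.com",
    "client-cp.backup-gateway.{region}.amazonaws.com",
)


def required_outbound(region, vcenter, esxi_hosts):
    """Return the (host, port) pairs the gateway must reach outbound over TCP."""
    targets = [(e.format(region=region), 443) for e in SERVICE_ENDPOINTS]
    targets.append((vcenter, 443))            # vCenter management API
    for host in esxi_hosts:
        targets += [(host, 443), (host, 902)]  # ESXi API and data-transfer port
    return targets


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake completes; a DNS failure (gaierror) also counts as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_reachable(server, timeout=3.0):
    """Send a minimal SNTP client request (LI=0, VN=3, mode=3) and wait for a 48-byte reply."""
    packet = b"\x1b" + 47 * b"\0"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 123))
            data, _ = s.recvfrom(48)
            return len(data) >= 48
        except OSError:  # includes socket.timeout
            return False


def preflight(region, vcenter, esxi_hosts, ntp_server):
    """Map each required target to its reachability; False entries are firewall or DNS work items."""
    results = {f"{h}:{p}/tcp": tcp_reachable(h, p)
               for h, p in required_outbound(region, vcenter, esxi_hosts)}
    results[f"{ntp_server}:123/udp"] = ntp_reachable(ntp_server)
    return results


if __name__ == "__main__":
    # Constructed placeholder values; replace with your region and vSphere/NTP addresses.
    report = preflight("us-east-1", "vcenter.example.internal",
                       ["esxi01.example.internal"], "ntp.example.internal")
    for target, ok in report.items():
        print("OK   " if ok else "BLOCK", target)
```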

Hardware requirements

You must be able to dedicate the following minimum resources on a virtual machine host for the Backup gateway:

  • 4 virtual processors

  • 8 GiB of reserved RAM

VMware permissions

This section lists the minimum VMware permissions required to use Backup gateway. These permissions are necessary for Backup gateway to discover, back up, and restore virtual machines.

To use Backup gateway, create a dedicated user with the following permissions. They are listed according to the VMware permissions hierarchy.

Global

  • Disable methods

  • Enable methods

  • Licenses

  • Log event

  • Manage custom attributes

  • Set custom attributes

vSphere Tagging

  • Assign or Unassign vSphere Tag

DataStore

  • Allocate space

  • Browse datastore

  • Configure datastore (for vSAN datastore)

  • Low level file operations

  • Update virtual machine files

Host

  • Configuration

    • Advanced settings

    • Storage partition configuration

Folder

  • Create folder

Network

  • Assign network

dvPort Group

  • Create

  • Delete

Resource

  • Assign virtual machine to resource pool

Virtual Machine

  • Change Configuration

    • Acquire disk lease

    • Add existing disk

    • Add new disk

    • Advanced configuration

    • Change settings

    • Configure raw device

    • Modify device settings

    • Remove disk

    • Set annotation

    • Toggle disk change tracking

  • Edit Inventory

    • Create from existing

    • Create new

    • Register

    • Remove

    • Unregister

  • Interaction

    • Power Off

    • Power On

  • Provisioning

    • Allow disk access

    • Allow read-only disk access

    • Allow virtual machine download

  • Snapshot Management

    • Create snapshot

    • Remove Snapshot

    • Revert to snapshot