
Implement and configure AWS Backup for VMware Cloud on AWS VM workloads

In our previous post we covered the design of AWS Backup for VMware Cloud on AWS (VMC). In this post we go through the implementation steps.

As per the design and AWS best practice, backup traffic will travel over the Elastic Network Interface (ENI) between the SDDC and the connected VPC, through a VPC interface endpoint for Backup gateway (the "VPC hosted" endpoint type selected when the gateway is registered later in this post), rather than through the public AWS Backup endpoint.



1. Open the Amazon VPC console at  

2. In the navigation pane, choose Endpoints

3. Choose Create endpoint
4. Name the endpoint  

5. For Service category, choose AWS services

6. For Service name, search "Backup" and select the backup-gateway service (com.amazonaws.<region>.backup-gateway) from the dropdown

7. For VPC, select the connected VPC that was chosen when the SDDC was deployed and linked
8. Under Additional settings, clear (uncheck) Enable DNS name. The gateway is pointed at this endpoint by its VPC endpoint ID during registration (see the gateway settings later in this post), so private DNS is not needed for it
9. For Subnets, select one subnet per Availability Zone, using the subnet(s) that were selected when the SDDC was linked to the VPC 

10. For Security group, select the security group(s) to associate with the endpoint network interfaces. The security group rules must allow inbound traffic from the Backup gateway appliance (the backup segment behind the SDDC Compute Gateway, created later in this post) to the endpoint network interface; at minimum TCP 443, which is the port the gateway uses to reach AWS. Keep the source restricted to the backup segment CIDR rather than 0.0.0.0/0

11. For Policy, Full access (the default) allows all operations by all principals on all resources over the VPC endpoint. If you want to restrict which principals or actions may use the endpoint, choose Custom and use the policy creation tool to generate the policy, then apply it here
12. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value
13. Choose Create endpoint

14. Back in the VPC console, check the status of the endpoint and wait until it shows Available before continuing 

Next, let's set up the Backup gateway and establish the connection between the connected AWS account and the SDDC.



1. Open the AWS Backup console at

2. In the left navigation pane, under the External resources section, choose Gateways

3. Choose Create gateway

4. Download the OVF template from the Create gateway wizard and follow the prompts to deploy the Backup gateway appliance in the SDDC

5. Log in to the VMware Cloud on AWS console 
6. Create a network segment for backups (recommended) and create the groups that the firewall rules below will reference.

a) Navigate to Software-Defined Data Centers (SDDC) and select the SDDC where you deployed the backup gateway
b) Select the Networking & Security tab
c) Under Networking & Security > Networks, select "Segments" and click Add Segment

d) Specify a segment type and fill in the required configuration parameters. Set the IP assignment configuration to DHCP to have IP addresses assigned automatically 
e) Click SAVE to create or update the segment. 
f) Under Networking & Security > Inventory, select "Groups" and navigate to "Management Groups"
g) Click Add Group, provide a name and set Members to the CIDR of your backup segment

h) Now navigate back to Networking & Security > Inventory, select "Groups" and select "Compute Groups"
i) Click Add Group, provide a name and set Members to the CIDR of your backup segment and to the IP address/subnet of the local network from which you will register the backup gateway

7. Add Management Gateway Firewall Rules

a) On the Networking & Security tab, click Gateway Firewall

b) On the Gateway Firewall card, click Management Gateway, then click ADD RULE and give the new rule a Name

c) Enter the parameters for the new rule: the Source should be the management group created for the backup segment, and the Destination should be vCenter and ESXi

d) In the Services dropdown, select Provisioning & Remote Console and HTTPS for ESXi, and HTTPS for vCenter

e) Click PUBLISH to create the rule

8. Add Compute Gateway Firewall Rules
a) On the Networking & Security tab, click Gateway Firewall.
b) On the Gateway Firewall card, click Compute Gateway, then click ADD RULE and give the new rule a Name.
c) Enter the parameters for the new inbound rule: the Source should be the compute group created for your local network IP address/CIDR, and the Destination should be the backup segment group. Allow TCP 80 and 443.

d) Enter the parameters for the new outbound rule. The Destination can be "Any", but to narrow the outbound traffic, set the Source to the backup segment group and the Destination to AWS, your DNS server, AWS Support and your NTP server, and allow only TCP 443, UDP 53, TCP 22 and UDP 123 respectively.
e) Click PUBLISH to create the rules
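The gateway firewall rules in steps 7 and 8, together with the security group on the VPC endpoint (step 10 of the endpoint section), are the part of this setup most likely to drift toward "Any". The following Python is an added example, not code from the original post, AWS or VMware: it models the allows the post asks for as a small rule table and audits a rule set against them, reporting required allows that are missing and allows wider than the post needs, such as an endpoint security group open to 0.0.0.0/0 or the outbound "Destination Any" shortcut. The CIDRs, the group names and the TCP 902 port assumed for the Provisioning & Remote Console service are placeholders, not values from the post.

```python
"""Audit of the allow rules this post configures for the Backup gateway.

Added example; rules are modelled as allow-only tuples across three scopes:
the endpoint security group (AWS side), the Management Gateway (MGW) and the
Compute Gateway (CGW) firewalls (NSX side). All addresses are constructed.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"  # wildcard: 0.0.0.0/0 for a CIDR, "Any" for a group, service or port


@dataclass(frozen=True)
class Rule:
    scope: str      # "endpoint-sg", "mgw" or "cgw"
    direction: str  # "in" or "out", relative to the protected side of that scope
    src: str        # CIDR or NSX group name
    dst: str
    proto: str      # "tcp", "udp" or ANY
    port: str       # destination port, or ANY


# Constructed placeholder networks (assumptions, not values from the post).
BACKUP_SEGMENT = "10.72.10.0/24"   # the backup segment created in step 6
ADMIN_NET = "192.168.5.0/24"       # operator network used to register the gateway

# The allows the post asks for. TCP 902 for "Provisioning & Remote Console"
# is an assumption: the post names the service, not the port.
REQUIRED: List[Rule] = [
    Rule("endpoint-sg", "in", BACKUP_SEGMENT, "backup-gateway-endpoint", "tcp", "443"),
    Rule("mgw", "in", BACKUP_SEGMENT, "vCenter", "tcp", "443"),
    Rule("mgw", "in", BACKUP_SEGMENT, "ESXi", "tcp", "443"),
    Rule("mgw", "in", BACKUP_SEGMENT, "ESXi", "tcp", "902"),
    Rule("cgw", "in", ADMIN_NET, BACKUP_SEGMENT, "tcp", "80"),
    Rule("cgw", "in", ADMIN_NET, BACKUP_SEGMENT, "tcp", "443"),
    Rule("cgw", "out", BACKUP_SEGMENT, "AWS", "tcp", "443"),
    Rule("cgw", "out", BACKUP_SEGMENT, "DNS", "udp", "53"),
    Rule("cgw", "out", BACKUP_SEGMENT, "AWS Support", "tcp", "22"),
    Rule("cgw", "out", BACKUP_SEGMENT, "NTP", "udp", "123"),
]


def covers(rule: Rule, need: Rule) -> bool:
    """True if `rule` allows everything `need` describes (wildcards match)."""
    return (rule.scope == need.scope and rule.direction == need.direction
            and rule.src in (need.src, ANY) and rule.dst in (need.dst, ANY)
            and rule.proto in (need.proto, ANY) and rule.port in (need.port, ANY))


def audit(rules: List[Rule], required: List[Rule] = REQUIRED) -> List[str]:
    """Return findings: required allows that are absent, then allows wider than needed."""
    findings = []
    for need in required:
        if not any(covers(r, need) for r in rules):
            findings.append(f"MISSING {need.scope} {need.direction} {need.src}->{need.dst} "
                            f"{need.proto}/{need.port}")
    for r in rules:
        if r.scope == "endpoint-sg" and r.src == ANY:
            findings.append(f"OVERBROAD endpoint-sg: inbound from 0.0.0.0/0 on {r.proto}/{r.port}; "
                            f"restrict the source to {BACKUP_SEGMENT}")
        if r.scope == "cgw" and r.direction == "out" and r.dst == ANY:
            findings.append(f"OVERBROAD cgw: outbound from {r.src} to Any; "
                            "restrict to AWS, DNS, AWS Support and NTP on the listed ports")
    return findings


# Rule set matching the narrower option in step 8 (explicit outbound destinations).
TIGHT_RULESET = list(REQUIRED)

# Rule set taking the "Destination can be Any" shortcut plus an endpoint SG open to the world.
LOOSE_RULESET = [
    Rule("endpoint-sg", "in", ANY, "backup-gateway-endpoint", "tcp", "443"),
    Rule("cgw", "out", BACKUP_SEGMENT, ANY, ANY, ANY),
] + [r for r in REQUIRED if r.scope == "mgw" or (r.scope == "cgw" and r.direction == "in")]


if __name__ == "__main__":
    for name, ruleset in (("tight", TIGHT_RULESET), ("loose", LOOSE_RULESET)):
        print(name, audit(ruleset) or "OK")
```

The loose rule set passes the "is everything reachable" half of the check, which is why it is tempting, and fails only the width check; the audit is worth running again after any later rule edit in the SDDC.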

9. Once the Backup gateway appliance is deployed and powered on, complete the following steps:

a) Return to the AWS Backup console. In the Gateway connection section, type in the IP address of the gateway. To find this IP address, open the vSphere Client, select the gateway VM and read the address from its Summary tab, then copy it into the text box in the AWS Backup console

b) In the Gateway settings section:
   - Type in a Gateway name
   - Verify the AWS Region (choose the Region of the VPC endpoint to avoid cross-Region data charges)
   - Choose Endpoint type: VPC hosted
   - Select VPC endpoint ID
   - From the dropdown, select the Backup gateway endpoint created in the previous task

c) (Optional) In the Gateway tags section, assign tags by entering a key and an optional value. To add more than one tag, click Add another tag
d) To complete the process, click Create gateway, which takes you to the gateway detail page

In our next post we will see how to add hypervisors, a backup plan, backup vaults and backup rules. Stay tuned. 
