Amazon Backup network - Amazon Backup
EndpointsAmazon PrivateLink
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Backup network

Amazon Backup endpoints

Amazon Backup offers both public and private endpoints for your connectivity needs. For these endpoints, Amazon Backup supports both Internet Protocols version 4 (IPv4) and version 6 (IPv6) for resource types that support IPv6.

The newer public endpoint backup.[Region].api.aws has dual-stack capabilities and can resolve either or both IPv4 endpoints and IPv6 endpoints. When you make a request to a dual-stack Amazon Backup API endpoint, the endpoint will resolve to the address determined by the configuration of the protocol used by your network and client.

The older endpoint backup.[Region].amazonaws.com can be used for calls that reference only IPv4.

You can view the public service endpoints for Amazon Backup in the Amazon Web Services General Reference. You can view the steps for setting up private endpoints in Amazon Backup through VPC.

You can establish a private connection between your virtual private cloud (VPC) and Amazon Backup by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to access the Amazon Backup API without using an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon Backup API endpoints. Your instances also don't need public IP addresses to use any of the available Amazon Backup API and Backup gateway API operations.

For more information, see Access Amazon Web Services services through Amazon PrivateLink in the Amazon PrivateLink Guide.

Considerations for Amazon VPC endpoints

All Amazon Backup operations relevant to managing your resources are available from your VPC using Amazon PrivateLink.

VPC endpoint policies are supported for Backup endpoints. By default, full access to Backup operations is allowed through the endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon Backup through the interface endpoint.

You can select IPv4, IPv6, or dual stack when created an endpoint. You will receive the same DNS names (which will have both IPv4 and IPv6 addresses if you select dual stack).

Amazon Backup for SAP HANA does not support Amazon PrivateLink. SAP HANA backups are enabled by the Amazon Backint agent, which does not support VPC endpoints; it sends backup data to the storage endpoint for Amazon Backup.

Create an Amazon Backup VPC endpoint

You can create a VPC endpoint for Amazon Backup using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Create an interface endpoint in the Amazon PrivateLink Guide.

PrivateLink endpoints use the same name structure of IPv4, though each endpoint can be configured for IPv4, IPv6, or dual stack.

Create a VPC endpoint for Amazon Backup using the service name com.amazonaws.region.backup.

In China (Beijing) Region and China (Ningxia) Region, the service name should be cn.com.amazonaws.region.backup.

For Backup gateway endpoints, use com.amazonaws.region.backup-gateway.

The following TCP ports must be allowed in the security group when creating a VPC endpoint for backup Gateway:

  • TCP 443

  • TCP 1026

  • TCP 1027

  • TCP 1028

  • TCP 1031

  • TCP 2222

Protocol Port Direction Source Destination Usage

TCP

443 (HTTPS)

Outbound

Backup Gateway

Amazon

For communication from Backup Gateway to the Amazon service endpoint

Use a VPC endpoint

If you enable private DNS for the endpoint, you can make API requests to Amazon Backup with the VPC endpoint using its default DNS name for the Amazon Region, for example backup.us-east-1.api.aws.

However, for the China (Beijing) Region and China (Ningxia) Region Amazon Web Services Regions, API requests should be made with the VPC endpoint using backup.cn-north-1.amazonaws.com.cn and backup.cn-northwest-1.amazonaws.com.cn, respectively.

Creating a VPC endpoint policy

You can attach an endpoint policy to your VPC endpoint that controls access to the Amazon Backup API. The policy specifies:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

Important

When a non-default policy is applied to an interface VPC endpoint for Amazon Backup, certain failed API requests, such as those failing from RequestLimitExceeded, might not be logged to Amazon CloudTrail or Amazon CloudWatch.

For more information, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.

Example: VPC endpoint policy for Amazon Backup actions

The following is an example of an endpoint policy for Amazon Backup. When attached to an endpoint, this policy grants access to the listed Amazon Backup actions for all principles on all resources.

{
  "Statement":[
    {
      "Action":"backup:*",
      "Effect":"Allow",
      "Principal":"*",
      "Resource":"*"
    }
  ]
}

Example: VPC endpoint policy that denies all access from a specified Amazon account

The following VPC endpoint policy denies Amazon account 123456789012 all access to resources using the endpoint. The policy allows all actions from other accounts.

{
  "Id":"Policy1645236617225",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"Stmt1645236612384",
      "Action":"backup:*",
      "Effect":"Deny",
      "Resource":"*",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      }
    }
  ]
}

For more information about available API responses, see the API Guide.