Access Amazon Backup using an interface VPC endpoint (Amazon PrivateLink) - Amazon Backup
Considerations for Amazon VPC endpointsCreating an Amazon Backup VPC endpointUsing a VPC endpointCreating a VPC endpoint policyAvailability Amazon Backup currently supports VPC endpoints in the following Amazon Regions:
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Access Amazon Backup using an interface VPC endpoint (Amazon PrivateLink)

You can establish a private connection between your virtual private cloud (VPC) and Amazon Backup by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to access the Amazon Backup API without using an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon Backup API endpoints. Your instances also don't need public IP addresses to use any of the available Amazon Backup API and Backup gateway API operations.

For more information, see Access Amazon Web Services through Amazon PrivateLink in the Amazon PrivateLink Guide.

Considerations for Amazon VPC endpoints

All Amazon Backup operations relevant to managing your resources are available from your VPC using Amazon PrivateLink.

VPC endpoint policies are supported for Backup endpoints. By default, full access to Backup operations is allowed through the endpoint. Alternatively, you can associate a security group with the endpoint network interfaces to control traffic to Amazon Backup through the interface endpoint.

Creating an Amazon Backup VPC endpoint

You can create a VPC endpoint for Amazon Backup using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Create an interface endpoint in the Amazon PrivateLink Guide.

Create a VPC endpoint for Amazon Backup using the service name com.amazonaws.region.backup.

In China (Beijing) Region and China (Ningxia) Region, the service name should be cn.com.amazonaws.region.backup.

For Backup gateway endpoints, use com.amazonaws.region.backup-gateway.

The following TCP ports must be allowed in the security group when creating a VPC endpoint for backup Gateway:

  • TCP 443

  • TCP 1026

  • TCP 1027

  • TCP 1028

  • TCP 1031

  • TCP 2222

Protocol Port Direction Source Destination Usage

TCP

443 (HTTPS)

Outbound

Backup Gateway

Amazon

For communication from Backup Gateway to the Amazon service endpoint

Using a VPC endpoint

If you enable private DNS for the endpoint, you can make API requests to Amazon Backup with the VPC endpoint using its default DNS name for the Amazon Region, for example backup.us-east-1.amazonaws.com.

However, for the China (Beijing) Region and China (Ningxia) Region Amazon Web Services Regions, API requests should be made with the VPC endpoint using backup.cn-north-1.amazonaws.com.cn and backup.cn-northwest-1.amazonaws.com.cn, respectively.

Creating a VPC endpoint policy

You can attach an endpoint policy to your VPC endpoint that controls access to the Amazon Backup API. The policy specifies:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

Important

When a non-default policy is applied to an interface VPC endpoint for Amazon Backup, certain failed API requests, such as those failing from RequestLimitExceeded, might not be logged to Amazon CloudTrail or Amazon CloudWatch.

For more information, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.

Example: VPC endpoint policy for Amazon Backup actions

The following is an example of an endpoint policy for Amazon Backup. When attached to an endpoint, this policy grants access to the listed Amazon Backup actions for all principles on all resources.

{
  "Statement":[
    {
      "Action":"backup:*",
      "Effect":"Allow",
      "Principal":"*",
      "Resource":"*"
    }
  ]
}

Example: VPC endpoint policy that denies all access from a specified Amazon account

The following VPC endpoint policy denies Amazon account 123456789012 all access to resources using the endpoint. The policy allows all actions from other accounts.

{
  "Id":"Policy1645236617225",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"Stmt1645236612384",
      "Action":"backup:*",
      "Effect":"Deny",
      "Resource":"*",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      }
    }
  ]
}

For more information about available API responses, see the API Guide.

Availability Amazon Backup currently supports VPC endpoints in the following Amazon Regions:

  • US East (Ohio) Region

  • US East (N. Virginia) Region

  • US West (Oregon) Region

  • US West (N. California) Region

  • Africa (Cape Town) Region

  • Asia Pacific (Hong Kong) Region

  • Asia Pacific (Mumbai) Region

  • Asia Pacific (Osaka) Region

  • Asia Pacific (Seoul) Region

  • Asia Pacific (Singapore) Region

  • Asia Pacific (Sydney) Region

  • Asia Pacific (Tokyo) Region

  • Canada (Central) Region

  • Europe (Frankfurt) Region

  • Europe (Ireland) Region

  • Europe (London) Region

  • Europe (Paris) Region

  • Europe (Stockholm) Region

  • Europe (Milan) Region

  • Middle East (Bahrain) Region

  • South America (São Paulo) Region

  • Asia Pacific (Jakarta) Region

  • Asia Pacific (Osaka) Region

  • China (Beijing) Region

  • China (Ningxia) Region

  • Amazon GovCloud (US-East)

  • Amazon GovCloud (US-West)

Note

Amazon Backup for VMware is not available in China Regions (China (Beijing) Region and China (Ningxia) Region) or Asia Pacific (Jakarta) Region.