Amazon PrivateLink - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon PrivateLink

Amazon PrivateLink allows you to establish a private connection between your Virtual Private Cloud (“VPC”) and Amazon Backup endpoints by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to privately access Amazon Backup APIs by restricting all network traffic between your VPC and Amazon Backup to the Amazon network.

Amazon PrivateLink enables you to privately access Amazon Backup operations without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon Backup API endpoints Your instances also don't need public IP addresses to use any of the available Amazon Backup API and Backup gateway API operations. Traffic between your VPC and Amazon Backup doesn't leave the Amazon network.

For more information about VPC endpoints, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for Amazon VPC endpoints

Before you set up an interface VPC endpoint for Amazon Backup endpoints, review Interface endpoint properties and limitations in the Amazon VPC User Guide.

All Amazon Backup operations relevant to managing Amazon Backup resources are available from your VPC using Amazon PrivateLink.

VPC endpoint policies are supported for Backup endpoints. By default, full access to Backup operations is allowed through the endpoint. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Creating an Amazon Backup VPC endpoint

You can create a VPC endpoint for Amazon Backup using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Amazon Backup using the service name com.amazonaws.region.backup.

In China (Beijing) Region and China (Ningxia) Region, the service name should be cn.com.amazonaws.region.backup.

For Backup gateway endpoints, use com.amazonaws.region.backup-gateway.

The following TCP ports must be allowed in the security group when creating a VPC endpoint for backup Gateway:

  • TCP 443

  • TCP 1026

  • TCP 1027

  • TCP 1028

  • TCP 1031

  • TCP 2222

Protocol Port Direction Source Destination Usage

TCP

443 (HTTPS)

Outbound

Backup Gateway

Amazon

For communication from Backup Gateway to the Amazon service endpoint

Using a VPC endpoint

If you enable private DNS for the endpoint, you can make API requests to Amazon Backup with the VPC endpoint using its default DNS name for the Amazon Region, for example backup.us-east-1.amazonaws.com.

However, for the China (Beijing) Region and China (Ningxia) Region Amazon Web Services Regions, API requests should be made with the VPC endpoint using backup.cn-north-1.amazonaws.com.cn and backup.cn-northwest-1.amazonaws.com.cn, respectively.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy

You can attach an endpoint policy to your VPC endpoint that controls access to the Amazon Backup API. The policy specifies:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

Important

When a non-default policy is applied to an interface VPC endpoint for Amazon Backup, certain failed API requests, such as those failing from RequestLimitExceeded, might not be logged to Amazon CloudTrail or Amazon CloudWatch.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for Amazon Backup actions

The following is an example of an endpoint policy for Amazon Backup. When attached to an endpoint, this policy grants access to the listed Amazon Backup actions for all principles on all resources.

{ "Statement":[ { "Action":"backup:*", "Effect":"Allow", "Principal":"*", "Resource":"*" } ] }

Example: VPC endpoint policy that denies all access from a specified Amazon account

The following VPC endpoint policy denies Amazon account 123456789012 all access to resources using the endpoint. The policy allows all actions from other accounts.

{ "Id":"Policy1645236617225", "Version":"2012-10-17", "Statement":[ { "Sid":"Stmt1645236612384", "Action":"backup:*", "Effect":"Deny", "Resource":"*", "Principal":{ "AWS":[ "123456789012" ] } } ] }

For further details on available API responses, please refer to the API Guide.

Availability Amazon Backup currently supports VPC endpoints in the following Amazon Regions:

  • US East (Ohio) Region

  • US East (N. Virginia) Region

  • US West (Oregon) Region

  • US West (N. California) Region

  • Africa (Cape Town) Region

  • Asia Pacific (Hong Kong) Region

  • Asia Pacific (Mumbai) Region

  • Asia Pacific (Osaka) Region

  • Asia Pacific (Seoul) Region

  • Asia Pacific (Singapore) Region

  • Asia Pacific (Sydney) Region

  • Asia Pacific (Tokyo) Region

  • Canada (Central) Region

  • Europe (Frankfurt) Region

  • Europe (Ireland) Region

  • Europe (London) Region

  • Europe (Paris) Region

  • Europe (Stockholm) Region

  • Europe (Milan) Region

  • Middle East (Bahrain) Region

  • South America (São Paulo) Region

  • Asia Pacific (Jakarta) Region

  • Asia Pacific (Osaka) Region

  • China (Beijing) Region

  • China (Ningxia) Region

  • Amazon GovCloud (US-East)

  • Amazon GovCloud (US-West)

Note

Amazon Backup for VMware is not available in China Regions (China (Beijing) Region and China (Ningxia) Region) or Asia Pacific (Jakarta) Region.