Configure your infrastructure to use Backup gateway - Amazon Backup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure your infrastructure to use Backup gateway

Backup gateway requires the following network, firewall, and hardware configurations to back up and restore your virtual machines.

Network configuration

Backup gateway requires certain ports to be allowed for its operation. Allow the following ports:

  1. TCP 443 Outbound

    • Source: Backup gateway

    • Destination: Amazon

    • Use: Allows Backup gateway to communicate with Amazon.

  2. TCP 80 Inbound

    • Source: The host you use to connect to the Amazon Web Services Management Console

    • Destination: Backup gateway

    • Use: By local systems to obtain the Backup gateway activation key. Port 80 is only used during activation of Backup gateway. Amazon Backup does not require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your gateway from the Amazon Web Services Management Console, the host from which you connect to the console must have access to your gateway's port 80.

  3. UDP 53 Outbound

    • Source: Backup gateway

    • Destination: Domain Name Service (DNS) server

    • Use: Allows Backup gateway to communicate with the DNS.

  4. TCP 22 Outbound

    • Source: Backup gateway

    • Destination: Amazon Web Services Support

    • Use: Allows Amazon Web Services Support to access your gateway to help you with issues. You don't need to open this port for the normal operation of your gateway, but you must open it for troubleshooting.

  5. UDP 123 Outbound

    • Source: NTP client

    • Destination: NTP server

    • Use: Used by local systems to synchronize virtual machine time to the host time.

  6. TCP 443 Outbound

    • Source: Backup gateway

    • Destination: VMware vCenter

    • Use: Allows Backup gateway to communicate with VMware vCenter.

  7. TCP 443 Outbound

    • Source: Backup gateway

    • Destination: ESXi hosts

    • Use: Allows Backup gateway to communicate with ESXi hosts.

  8. TCP 902 Outbound

    • Source: Backup gateway

    • Destination: VMware ESXi hosts

    • Use: Used for data transfer via Backup gateway.

The above ports are necessary for Backup gateway. See Creating an Amazon Backup VPC endpoint for more information on how to configure Amazon VPC endpoints for Amazon Backup.

Firewall configuration

Backup gateway requires access to the following service endpoints to communicate with Amazon Web Services. If you use a firewall or router to filter or limit network traffic, you must configure your firewall and router to allow these service endpoints for outbound communication to Amazon. Use of an HTTP proxy in between Backup gateway and service points is not supported.

Configure your gateway for multiple NICs in VMware

You can maintain separate networks for your internal and external traffic by attaching multiple virtual network interface connections (NICs) to your gateway and then directing internal traffic (gateway to hypervisor) and external traffic (gateway to Amazon) separately.

By default, virtual machines connected to Amazon Backup gateway have one network adapter (eth0). This network includes the hypervisor, the virtual machines, and network gateway (Amazon Backup gateway) which communicates with the broader Internet.

Here is an example of a setup with multiple virtual network interfaces:

eth0: - IP: - routes: eth1: - IP: - routes: - default gateway:
  • In this example, the connection is to a hypervisor with IP, the gateway will use eth0 as the hypervisor IP is part of the block

  • To connect to a hypervisor with IP, the gateway will use eth1

  • To connect to an IP outside of the local networks (ex., the gateway will fall back to the default gateway,, which is in the block and thus go through eth1

The first sequence to add an additional network adapter occurs in the vSphere client:

  1. In the VMware vSphere client, open the context menu (with a right-click) for your gateway virtual machine, and choose Edit Settings.

  2. On the Virtual Hardware tab of the Virtual Machine Properties dialog box, open the Add New Device menu, and select Network Adapter to add a new network adapter.

    1. Expand the New Network details to configure the new adapter.

    2. Ensure that Connect At Power On is selected.

    3. For Adapter Type, see Network Adapter Types in the ESXi and vCenter Server Documentation.

  3. Click Okay to save the new network adapter settings.

The next sequence of steps to configure an additional adpater occurs in the Amazon Backup gateway console (note this is not the same interface as the Amazon management console where backups and other services are managed).

Once the new NIC is added to the gateway VM, you need to

  • Go to Command Prompt and turn on the new adapters

  • Configure static IPs for each new NIC

  • Set the preferred NIC as the default

To do these:

  1. In the VMware vSphere client, select your gateway virtual machine and Launch Web Console to access the Backup Gateway local console.

    1. For more information on accessing a local console, see Accessing the Gateway Local Console with VMware ESXi

  2. Exit Command Prompt and go to Network Configuration > Configure Static IP and follow the setup instructions to update the routing table.

    1. Assign a static IP within the network adapter’s subnet.

    2. Set up a network mask.

    3. Enter the IP address of the default gateway. This is the network gateway that connects to all traffic outside of the local network.

  3. Select Set Default Adapter to designate the adapter that will be connected to the cloud as the default device.

  4. All IP addresses for the gateway can be displayed in both the local console and on the VM summary page in VMware vSphere.

Hardware requirements

You must be able to dedicate the following minimum resources on a virtual machine host for the Backup gateway:

  • 4 virtual processors

  • 8 GiB of reserved RAM

VMware permissions

This section lists the minimum VMware permissions required to use Backup gateway. These permissions are necessary for Backup gateway to discover, backup, and restore virtual machines.

To use Backup gateway, create a dedicate user with the following permissions. They are listed based on the VMware permissions hierarchy.

  • Disable methods

  • Enable methods

  • Licenses

  • Log event

  • Manage custom attributes

  • Set custom attributes

vSphere Tagging
  • Assign or Unassign vSphere Tag

  • Allocate space

  • Browse datastore

  • Configure datastore (for vSAN datastore)

  • Low level file operations

  • Update virtual machine files

  • Configuration

    • Advanced settings

    • Storage partition configuration

  • Create folder

  • Assign network

dvPort Group
  • Create

  • Delete

  • Assign virtual machine to resource pool

Virtual Machine
  • Change Configuration

    • Acquire disk lease

    • Add existing disk

    • Add new disk

    • Advanced configuration

    • Change settings

    • Configure raw device

    • Modify device settings

    • Remove disk

    • Set annotation

    • Toggle disk change tracking

  • Edit Inventory

    • Create from existing

    • Create new

    • Register

    • Remove

    • Unregister

  • Interaction

    • Power Off

    • Power On

  • Provisioning

    • Allow disk access

    • Allow read-only disk access

    • Allow virtual machine download

  • Snapshot Management

    • Create snapshot

    • Remove Snapshot

    • Revert to snapshot