Virtual machine backups - Amazon Backup

Virtual machine backups

Amazon Backup supports centralized and automated data protection for on-premises VMware virtual machines (VMs) along with VMs in the VMware Cloud™ (VMC) on Amazon and VMware Cloud™ (VMC) on Amazon Outposts. You can back up from your on-premises and VMC virtual machines to Amazon Backup. Then, you can restore from Amazon Backup to on-premises VMs, VMs in the VMC, or the VMC on Amazon Outposts.

Amazon Backup also provides you with fully managed, Amazon-native VM backup management capabilities, such as VM discovery, backup scheduling, retention management, a low-cost storage tier, cross-Region and cross-account copy, support for Amazon Backup Vault Lock and Amazon Backup Audit Manager, encryption that is independent from source data, and backup access policies. For a full list of capabilities and details, see the Feature availability by resource table.

You can use Amazon Backup to protect your virtual machines on VMware Cloud™ on Amazon Outposts. Amazon Backup stores your VM backups in the Amazon Web Services Region to which your VMware Cloud™ on Amazon Outposts is connected. You can use Amazon Backup to protect your VMware Cloud™ on Amazon VMs when you’re using VMware Cloud™ on Amazon Outposts to meet your low-latency and local data-processing needs for your application data. Based on your data residency requirements, you may choose Amazon Backup to store backups of your application data in the parent Amazon Web Services Region to which your Amazon Outposts is connected.

Supported VMs

Amazon Backup can back up and restore the following virtual machines: VMware ESXi 6.7, 7.0, and 8.0 VMs running on NFS, VMFS, and vSAN datastores on premises and in VMC on Amazon. In addition, Amazon Backup supports both SCSI Hot-Add and Network Block Device Secure Sockets Layer (NBDSSL) transport modes for copying data from source VMs to Amazon for on-premises VMware. To protect VMs on VMware Cloud on Amazon, Amazon Backup supports Hot-Add mode.

Amazon Backup supports virtual machines managed by a VMware vCenter, including vSphere 8. Amazon Backup supports VM virtual disk sizes that are multiples of 1 KiB.

Amazon Backup does not support RDM (raw disk mapping) disks or NVMe controllers and their disks.

Note: VMs with independent-persistent and independent-nonpersistent disk modes are not supported.
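
The support limits above can be turned into a pre-flight check that flags VMs which would be left without backups. The following Python sketch is an added example, not part of the Amazon Backup or Backup gateway software; the record types, field names, disk-mode strings, and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
SUPPORTED_ESXI = {"6.7", "7.0", "8.0"}
SUPPORTED_DATASTORES = {"NFS", "VMFS", "VSAN"}
UNSUPPORTED_MODES = {"independent_persistent", "independent_nonpersistent"}

@dataclass
class Disk:  # hypothetical inventory record, not a vSphere or Backup gateway type
    size_bytes: int
    datastore_type: str = "VMFS"
    mode: str = "persistent"
    controller: str = "scsi"
    rdm: bool = False

@dataclass
class VM:
    name: str
    esxi_version: str
    disks: list = field(default_factory=list)

def backup_blockers(vm):
    """Return why a VM falls outside the supported list; empty list means eligible."""
    reasons = []
    major_minor = ".".join(vm.esxi_version.split(".")[:2])
    if major_minor not in SUPPORTED_ESXI:
        reasons.append(f"ESXi {vm.esxi_version} is not 6.7, 7.0 or 8.0")
    for i, d in enumerate(vm.disks):
        if d.rdm:
            reasons.append(f"disk {i}: RDM disk")
        if d.controller.lower() == "nvme":
            reasons.append(f"disk {i}: NVMe controller")
        if d.mode in UNSUPPORTED_MODES:
            reasons.append(f"disk {i}: disk mode {d.mode}")
        if d.datastore_type.upper() not in SUPPORTED_DATASTORES:
            reasons.append(f"disk {i}: datastore type {d.datastore_type}")
        if d.size_bytes % 1024:
            reasons.append(f"disk {i}: size is not a multiple of 1 KiB")
    return reasons

def coverage_gaps(inventory):
    """Map VM name -> blockers for every VM that would be left without backups."""
    return {vm.name: r for vm in inventory if (r := backup_blockers(vm))}

GIB = 1024 ** 3
INVENTORY = [  # constructed sample inventory, not real hosts
    VM("app-01", "7.0.3", [Disk(40 * GIB)]),
    VM("db-01", "8.0.2", [Disk(100 * GIB), Disk(500 * GIB, rdm=True)]),
    VM("legacy-01", "6.5.0", [Disk(20 * GIB, mode="independent_persistent")]),
    VM("fast-01", "8.0", [Disk(10 * GIB + 512, datastore_type="vSAN", controller="nvme")]),
]
```

Calling `coverage_gaps(INVENTORY)` returns only the VMs that need remediation or an alternative backup method, each with the specific limit it hits.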

Backup consistency

Amazon Backup, by default, captures application-consistent backups of VMs using the VMware Tools quiescence setting on the VM. Your backups are application consistent if your applications are compatible with VMware Tools. If the quiescence capability is not available, Amazon Backup captures crash-consistent backups. Validate that your backups meet your organization’s needs by testing your restores.

Backup gateway

Backup gateway is downloadable Amazon Backup software that you deploy to your VMware infrastructure to connect your VMware VMs to Amazon Backup. The gateway connects to your VM management server to discover your VMs, encrypts data, and efficiently transfers data to Amazon Backup. The following diagram illustrates how Backup gateway connects to your VMs:

To download the Backup gateway software, follow the procedure for Working with gateways.

For information on VPC (Virtual Private Cloud) endpoints, see Amazon Backup and Amazon PrivateLink connectivity.

Backup gateway has its own API, which is maintained separately from the Amazon Backup API. To view a list of Backup gateway API actions, see Backup gateway actions. To view a list of Backup gateway API data types, see Backup gateway data types.


Existing users who currently use a public endpoint and who wish to switch to a VPC (Virtual Private Cloud) endpoint can create a new gateway with a VPC endpoint using Amazon PrivateLink, associate the existing hypervisor to the gateway, and then delete the gateway containing the public endpoint.