Creating an Amazon EC2 Client

The virtualization client manages data protection operations for an Amazon Web Services (AWS) account. If you have multiple AWS accounts, you must create a different virtualization client for each one. You must create Amazon clients on client computers installed with the Virtual Server Agent.

To perform backup operations, each virtualization client can identify multiple proxies where the Virtual Server Agent is installed. The virtualization client uses proxy teaming, enabling proxy failovers for fault tolerant backups. Using multiple proxies for each virtualization client makes it possible to perform backups for a large number of instances in a limited backup window.

When you create a virtualization client, the Commvault software automatically creates an instance, a backup set, and a default subclient that can be used to protect all instances. You can create additional subclients to perform separate protection operations for different groups of instances. For example, you can create a different subclient for each region or zone, or for different guest operating systems, and use the default subclient to protect any remaining instances that are not covered by user-defined subclients.

An Amazon virtualization client is also required to support conversion of virtual machines to Amazon and to create VM Lifecycle Policies.

Before You Begin

  • Commvault does not support multi-factor authentication (MFA) for AWS accounts. If you create a virtualization client for an AWS account that uses multi-factor authentication, backups and restores for that account will fail. A backup job fails with the following error message:

    You are not authorized to perform this operation.
  • Install the Virtual Server Agent (VSA) on at least one instance (proxy) in each region. You can install the VSA on other instances to create additional VSA proxies for each region.

  • Obtain an Amazon EC2 account. Amazon EC2 credentials are required to create an Amazon client.

  • For accounts that use data protection resources from another account, you can specify an Admin account that provides the data protection resources. For more information, see Using Resources from an Admin Account.

    First, create a virtualization client for the admin account (for example, for the MSP). After you create the admin client, create a virtualization client for the tenant account, and refer to the admin account using the Use admin account backup resources option.


    For deployments that use an Admin account, the tenant account must use an access key and secret key for authentication. The admin account can use an access key and secret key for authentication, or an IAM role.

  • Choose one of the following methods for authentication:

    • IAM Role: In the AWS Console, create an IAM role and attach the IAM role to the instance that acts as a VSA proxy. Then assign the proxy instance to the client you create in this procedure.


      If IAM Role authentication is selected for the Amazon client, but a proxy that is not associated with the IAM role is used for a backup or restore, the operation fails.

      The IAM role must have appropriate permissions, which can be any of the following:

    • Access and Secret Key: Obtain the key pair (Access Key and Secret Key) from the Amazon EC2 Web site under Security Credentials.

      To apply an IAM policy for the virtualization client when you use this authentication method, you can attach an IAM policy to the user who is associated with the access and secret key.

      For instructions on obtaining Amazon access keys, see Amazon Elastic Compute Cloud Documentation.


  1. In the CommCell Browser, right click Client Computers, and then click New Client > Virtualization > Amazon.

  2. In the Create Amazon Client dialog box, enter the client name, access key, and secret key, and then identify VSA proxies to be used with the Amazon client:

    • Client Name: Type a name for the client that will appear in the CommCell Browser.

    • Regions: To restrict communication to specific regions, enter the regions as comma-separated values.

      In this list, you can include private region identifiers such as government region values. For examples, see the following pages:

      By default, the VSA proxy tries to communicate with all regions.

    • Amazon Authentication: Choose one of the following methods for authentication:

      • IAM Role: To use an IAM role, select this option and then add one or more proxies that have the IAM role attached.

      • Access and Secret Key: Select this option to use a key pair obtained from the Amazon EC2 Web site, then enter the following information:

        Access Key: Type the Access Key ID that is associated with your Amazon EC2 account.

        Secret Key: Type the Secret Access Key that is associated with your Amazon EC2 account.

    • Use admin account backup resources: If you already configured a virtualization client for an Admin account, you can select this option and then select the Admin account from the Account list.

      This option applies only in environments where data protection resources are provided by a separate Admin account.

      If another Amazon virtualization client is not already configured, this field does not appear.

  3. From the Storage Policy list, select a storage policy to associate with the virtualization client.

    The storage policy you select is also associated with the default subclient that is created automatically for the virtualization client.

  4. Next to Proxies, click Add, and in the Select Clients/Client Groups dialog box, select proxies to be used for backups and restores, and then click OK.


    If you selected IAM Role as the authentication type, all of the proxies you add must have the appropriate IAM role attached. If a proxy that is not associated with the IAM role is used for a backup or restore, the operation fails.

  5. Click OK to create the Amazon client.