Configuring Backups for Amazon EC2 Instances Using Backup Gateways

When you configure backups for Amazon EC2 instances using backup gateways, the way that you configure the backups depends on your AWS deployment and the type of authentication that you use.

AWS IAM Permissions

When you configure backups using backup gateways for an AWS workload, Commvault Cloud provides a CloudFormation template that automatically creates a JSON policy that specifies AWS IAM permissions based on the authentication method that you select. The template then attaches the policy to an IAM role or a user group. The policy contains permissions for all AWS workloads that are supported by Commvault Cloud. If some AWS workloads are not in use, you can detach those policies from the IAM role or user group.

Connection to the Amazon EBS Service Endpoint

The Amazon EBS service endpoint must be directly accessible from the backup gateway, without an HTTP proxy. The HTTP proxy setting is not honored for Amazon EBS direct API requests. For more information about Amazon EBS endpoints for different regions, see Amazon Elastic Block Store endpoints and quotas on the AWS documentation site.

Maximizing Throughput

For maximum throughput, use an interface VPC endpoint for the Amazon EBS service. For example, in the AWS console, create an interface endpoint in your VPC for the com.amazonaws.us-east-1.ebs service. Verify that the ebs.us-east-1.amazonaws.com hostname resolves to the private IP address of the interface endpoint. If it does not resolve to that private IP address, add a hosts file entry to enforce IP address resolution.
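
The resolution check described above can be scripted and run on the backup gateway. The following is an added example, not Commvault or AWS code; the function names, the 10.0.1.25 endpoint address and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import socket
import sys

EBS_HOST = "ebs.us-east-1.amazonaws.com"  # endpoint hostname from the text above


def resolve_ipv4(hostname):
    """IPv4 addresses the local resolver (hosts file included) returns for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_ebs_resolution(endpoint_ips, hostname=EBS_HOST, resolver=resolve_ipv4):
    """Compare what hostname resolves to with the interface endpoint's private IPs.

    endpoint_ips is an assumed input: the private IPv4 addresses of the endpoint's
    network interfaces, as listed for the endpoint in the AWS console.
    """
    expected = {ipaddress.IPv4Address(ip) for ip in endpoint_ips}
    if not expected:
        raise ValueError("no endpoint IP addresses given")
    public = [str(ip) for ip in expected if not ip.is_private]
    if public:
        raise ValueError(f"not private addresses: {public}")
    resolved = [ipaddress.IPv4Address(a) for a in resolver(hostname)]
    unexpected = [str(a) for a in resolved if a not in expected]
    ok = bool(resolved) and not unexpected
    return {
        "ok": ok,
        "resolved": [str(a) for a in resolved],
        "unexpected": unexpected,
        # Hosts file line to add when resolution does not reach the endpoint.
        "hosts_entry": None if ok else f"{min(expected)} {hostname}",
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass the endpoint's private IPs as arguments
        report = check_ebs_resolution(sys.argv[1:])
    else:  # offline demo with constructed addresses
        report = check_ebs_resolution(["10.0.1.25"], resolver=lambda h: ["203.0.113.10"])
    print(report)
    sys.exit(0 if report["ok"] else 1)
```

A non-zero exit status means that at least one resolved address is not an endpoint address, or that the name did not resolve at all; the hosts_entry value is the line to add to the hosts file in that case.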

Because the Amazon EBS direct API backup operation is CPU intensive, the instance type of the backup gateway is a limiting factor for throughput.

The service quota for GetSnapshotBlock requests per account per Region is 1,000 per second by default. To increase the service quota limit, open a ticket with AWS.
