Protecting On-Premises VMware VMs with AWS Backup Gateway - A Hybrid Backup Strategy

Deploy a gateway into your vSphere environment and centrally manage on-premises VMware VM backups with AWS Backup plans. Also covers cross-region copy for disaster recovery.

Backup Gateway Overview

Backup Gateway is a gateway service that protects on-premises VMware virtual machines with AWS Backup. While AWS Backup centrally manages backups for AWS resources such as EC2, RDS, and EFS, Backup Gateway extends that management to on-premises VMware VMs. It supports vSphere 6.7.x and later, taking backups at the individual VM level on ESXi hosts. The gateway communicates with AWS over HTTPS (port 443), making it easy to deploy in existing firewall environments. Backup data is encrypted both in transit and at rest, ensuring on-premises VM images are stored securely in AWS.

Deployment and Backup

The Backup Gateway appliance is deployed to vSphere as an OVA template and activated with your AWS account. The recommended resources for the appliance VM are 4 or more vCPUs, 8 GB or more of RAM, and 80 GB or more of local disk. After deployment, enter the activation key in the AWS Management Console to register the gateway. After registering the vCenter Server hypervisor, the managed VMs appear in the AWS Backup console. You define a backup plan specifying the schedule (e.g., daily at 2:00 AM), retention period (e.g., 30 days), and cross-region copy. The initial backup transfers a full image, while subsequent backups leverage CBT (Changed Block Tracking) for incremental backups that transfer only changed blocks, significantly reducing network bandwidth and time. Restores can recover an entire VM to vSphere or retrieve individual files.

Backup Policies and Restoration

VM backups taken through Backup Gateway are managed by AWS Backup plans. You can set lifecycle policies such as retaining daily backups for 30 days and monthly backups for one year. Adding cold storage transition rules can further reduce storage costs for long-term retention. To restore, select a recovery point in the AWS Backup console and recover the VM to your on-premises VMware environment. The restore target is not limited to the original host; you can specify a different ESXi host managed by the same vCenter. Cross-region copy keeps a DR backup in another region for recovery in case of a regional outage. Backup encryption is configured with either AWS managed keys or customer managed keys. To understand data management with Backup Gateway, related books (Amazon) are a helpful reference.

Specific Use Cases

Backup Gateway is particularly effective in the following scenarios. First, when you want to manage both on-premises vSphere environments and AWS workloads from a single backup console. With Backup Gateway, you can gradually retire existing tape backups or third-party products while migrating to AWS Backup. Second, building a DR environment for regional disaster scenarios. By transferring production VMs daily to AWS, you can recover workloads in AWS even during site disasters, reducing RTO (Recovery Time Objective) to a matter of hours. Third, meeting data retention obligations required by compliance regulations. Combining with AWS Backup Vault Lock applies a WORM (Write Once Read Many) policy that prevents backup deletion during the retention period, enabling data archives that meet regulatory requirements.

Comparison with Other Backup Methods

For backing up on-premises VMware VMs, there are alternatives beyond Backup Gateway. Third-party products like Veeam and Commvault are feature-rich but carry high license costs and require maintaining dedicated management servers. In contrast, Backup Gateway operates as part of AWS Backup, eliminating the need to build additional backup infrastructure within your AWS account. Using AWS Storage Gateway (volume gateway) for backup purposes is another option, but it operates at the block storage (iSCSI) level rather than per-VM, making it less suitable for VM-level snapshot management and recovery point selection. In summary, Backup Gateway is ideal when you need VM-granularity backups combined with AWS Backup's unified management, while other methods are more appropriate when block-level replication or existing full-featured backup products are required.

Backup Gateway Pricing

Backup Gateway storage costs approximately $0.05 per GB/month. Restores cost approximately $0.02 per GB. The gateway VM itself runs on your on-premises resources with no additional AWS charges. Backups transitioned to cold storage have lower per-GB rates, but note that restoring from cold storage incurs additional fees and warm-up time. Properly configuring retention periods and lifecycle policies to avoid unnecessarily long retention keeps storage costs under control. Incremental backups transfer only changed blocks, minimizing both storage usage and network transfer. Note that enabling cross-region copy incurs additional storage costs in the destination region and inter-region data transfer charges.

Summary

Backup Gateway is a service that centrally manages on-premises VMware virtual machines with AWS Backup. Deploy the gateway into your vSphere environment and define daily and monthly schedules with lifecycle policies in a backup plan. Incremental backups leveraging CBT reduce network load while cross-region copy secures DR backups. Combined with Vault Lock, it addresses compliance requirements, enabling unified data protection across cloud and on-premises environments.