Veeam backup for aws Processing postgres rds failed: No valid combination of the network settings was found for the worker configuration

In this article, we shall discuss various errors you can encounter when implementing “Veeam Backup for AWS to protect RDS, EC2 and VPC“. Specifically, the following error “veeam backup for aws Processing postgres rds failed: No valid combination of the network settings was found for the worker configuration” will be discussed. A configuration is a group of network settings that Veeam Backup for AWS uses to deploy worker instances in a specific AWS Region. It is used to perform data protection, disaster recovery, backup retention and EFS indexing operations. Please see how to solve cannot find a valid base URL for repo: base/7/x86_64, and how to check Windows Activation Status and troubleshoot activation errors.

According to Veeam, a Worker node is used to perform most data protection and disaster recovery operations (such as creating and removing EC2 and RDS image-level backups, restoring backed-up data, EFS indexing). Worker instances are temporary Linux-based EC2 instances that are responsible for the interaction between the backup appliance, AWS services and other Veeam Backup for AWS components.

Veeam Backup for AWS creates one worker instance per each AWS resource added to a backup policy, restore, indexing or retention task. Veeam Backup for AWS can launch worker instances in the following AWS accounts:

• The backup account is an AWS account to which the service IAM role specified to launch worker instances belongs. By default, Veeam Backup for AWS uses this account to launch worker instances for backup, restore and backup retention operations.
• Production accounts are the same AWS accounts where the processed resources belong. By default, Veeam Backup for AWS uses these accounts to launch worker instances for EFS indexing and for RDS backup and restore operations.

Learn how to Set up Veeam Backup for Microsoft Azure. See also, how to fix “WinRM cannot complete the operation, verify that the specified computer name is valid“, and Migrate Veeam Configuration Database to PostgreSQL Server.

Errors Encountered when deploying VBAWS

One of the tests has failed as shown below for RDS Policies. In order to fix this, we have to determine from the log or session status the root cause. To do this, please proceed to the fix below.

Error 1 Fix: Create a Worker Node

Upon investing the “Session Status”, we can see that the worker network settings for the region specified was not configured. By the way, what is a worker node?

To fix the below error, you have to create a Production worker node for the Frankfurt region.

Note: You can instruct Veeam Backup for AWS to launch worker instances in the backup account or in production accounts. Depending on the type of the account in which you plan to launch worker instances. IAM roles used for worker instance deployment and communication with the instances must have a specific set of permissions.

Please see How to add and remove RDS Collection. Also, see how to Remove Remote Desktop Services Role on Windows Server, and how to install PostgreSQL on Ubuntu.

Create a Worker Node

The Production Worker Accounts are the same AWS accounts where the processed resources belong. By default, Veeam Backup for AWS uses these accounts to launch worker instances for EFS indexing and for RDS backup and restore operations.

To create a worker node, click on the Configuration settings as shown below.

Select “Production Accounts’

Select your desired region and click on Apply.

Specify the AWS Account, IAM roles and ensure it has the adequate permission as stated in the Veeam User Guide. You can check permission when complete. Lastly, also enter the availability zone to place the worker nodes on.

Worker Network Setting

Select an Amazon VPC you have created. Also, select the subnet to which you want to connect worker instances, and specify a security group that must be associated with the instances.

As you can see below, we have populated our network settings and ready to go. Click Next to proceed.

Click on “Finish” to complete the Worker configuration.

As you can see, we have the production account created to  launch worker instances for EFS indexing and for RDS backup and restore operations.

Please see VPC, Subnet, NACL, Security Group: Create your own Network on AWS from Scratch [Part 2], and how to Build a Scalable VPC for Your AWS Environment [Part 1].

Solution: Processing failed: No valid network combination of the network settings was found for the worker configuration

As you can see below, we have a different error.

To resolve both issues, we have to ensure we have the right security group attached to the RDS instance. For me, this was not the issue.

Secondly, the auto Assign Public IP address” was missing for the VPC where the Veeam Backup for AWS was installed. Therefore, I had to edit the VPC and enabled the the “Auto Assign IP Address” as shown below.

Enable Auto Assign Public IP Address on AWS

To do this, proceed to the VPC section on AWS, and edit the Subnet settings. Ensure the checkbox close to “Enable Auto Assign Public IP Address” on AWS” is checked.

As you can see below, we have successfully changed Successfully changed the IP auto Assignment for the Subnet

Note: For best practice, it is not recommended to create a publicly accessible DB instance. 

Since this is a lab, I needed to configure the VPC this way and this enabled the worker node to communicate correctly and have the RDS backup. You should create the right networking before hand to enable this communication.

Fix The worker instance failed to connect to AWS SSM service

Another error you could encounter is the “Failed Processing postgres rds failed: The worker instance failed to connect to AWS SSM service”.

Note: It is recommended to check whether network settings are properly configured.

By default. the AWS SSM Service is installed on almost all instances. 

So I quickly verified this on the Veeam Backup for AWS Appliance as shown below and as you can see, this appliance is this services up and running and up to date.

Note: An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. Failing to use the latest version of the agent can prevent your managed node from using various Systems Manager capabilities and features. For that reason, we recommend that you automate the process of keeping SSM Agent up to date on your machines. This can be done via the AWS System State Manager.

By default, AWS Systems Manager doesn’t have permission to perform actions on your instances. You can provide instance permissions at the account level using an AWS Identity and Access Management (IAM) role. Or at the instance level using an instance profile. If your use case allows, we recommend granting access at the account level using the Default Host Management Configuration.

As you can see also, we have the right permission in place

How can we fix this issue then?

Ensuring the right connectivity between the RDS instance and worker is key for a successfully backup and restore operation.

I found a “Default SG” created for different VPC attached to the RDS instance. Removed it and the issue was resolved.

For Veeam Backup for AWS to be able to create RDS image-level backups, make sure that security groups associated with worker instances allow outbound HTTPS traffic from the worker instances through port 443 to download a certificate bundle for establishing SSL/TLS connections.

Usually, these rules are created automatically by Veeam.

Here is How to fix Synology NAS Quick Connect is not enabled issue. See also, how to Create New Users and Join Synology NAS to Active Directory.

FATAL: password authentication failed for user and password retrieved from file “/tmp/pgpwd”

Processing postgresql failed: The process psql has exited with exit code 2. psql: error: connection to server at “postgresql.czioywu6ew6t.eu-central-1.rds.amazonaws.com” (IP Address), port 5432 failed: FATAL: password authentication failed for user “christian” password retrieved from file “/tmp/pgpwd”

Ensure you use the username and password utilized when creating the RDS instance. In my case, there was an error in the password.

Run the RDS policy Backup Job

To do this, navigate and access the appliance and click on Policies. Under RDS, select the policy (job) and click on start.

Note: A backup policy is a collection of settings that define the way backup operations are performed: what data to back up, where to store backups, when to start the backup process, how to retain restore points and so on.

The Worker Nodes are being deployed without issues.

We can see the Backup status as running

Snapshots succeeded successfully, while the backup is still running. During every backup session, Veeam Backup for AWS creates a cloud-native snapshot for each RDS resource added to a backup policy.  The cloud-native snapshot itself is a collection of point-in-time snapshots that Veeam Backup for AWS takes using native AWS capabilities. You can read more here.

From the session status, there are no errors withe the native snapshot creation.

Now, our backup job has completed as well. But this time, with a warning. This is being investigated and would be blogged separately in a new post.

It is worth mentioning that, During every successful backup session, Veeam Backup for AWS creates a new restore point. If Veeam Backup for AWS detects that the number of restore points in the snapshot chain exceeds the retention limit, the earliest restore point is removed from the chain. Also, Veeam Backup for AWS does not apply retention policy to cloud-native snapshots created manually.

FAQs relating to Veeam backup for aws postgres rds failed: No valid network found

I hope you found this guide “Veeam backup for aws Processing postgres rds failed: No valid combination of the network settings was found for the worker configuration” useful. Please feel free to leave a comment below.