
Choosing a service endpoint for your Amazon DataSync agent

The second step in creating your Amazon DataSync agent is choosing a service endpoint for the agent. A service endpoint is how your agent communicates with the DataSync service. An agent can use the following types of service endpoints:

  • Virtual private cloud (VPC) endpoint – Data is sent through your VPC instead of over the public internet, increasing the security of the transferred data.

  • Public endpoint – Data is sent over the public internet.

  • Federal Information Processing Standard (FIPS) endpoint – Data is sent over the public internet by using processes that comply with FIPS.

Remember the following when choosing a service endpoint:

  • An agent can only use one type of endpoint. If you need to transfer data with different endpoint types, create an agent for each type.

  • How you connect your storage network to Amazon determines what service endpoints you can use.

  • For DataSync Discovery, you can only use a public endpoint.

For more information, see Amazon service endpoints in the Amazon Web Services General Reference.

Using a VPC service endpoint with DataSync

With a VPC service endpoint, you don't have to transfer your data across the public internet. DataSync can transfer data to Amazon through a VPC that's based on the Amazon VPC service.

How DataSync agents work with VPC service endpoints

VPC service endpoints are provided by Amazon PrivateLink. These types of endpoints let you privately connect supported Amazon Web Services to your VPC. When you use a VPC service endpoint with DataSync, all communication between your DataSync agent and Amazon remains in your VPC. DataSync also creates network interfaces in your VPC for data transfer traffic.

These interfaces and the VPC service endpoint use private IP addresses that are only reachable from inside your VPC. For more information, see Networking with Amazon DataSync.

DataSync limitations with VPCs

  • VPCs that you use with DataSync must have default tenancy. VPCs with dedicated tenancy are not supported. For more information, see Work with VPCs.

  • DataSync doesn't support shared VPCs.

  • DataSync VPC service endpoints only support IPv4. IPv6 and dual-stack options aren't supported.

Configuring your DataSync agent to use a VPC service endpoint

After deploying your DataSync agent, configure the agent to use a VPC service endpoint.

The following diagram shows an example DataSync transfer from an on-premises storage system to an Amazon S3 bucket. The numbered callouts correspond to the steps to configure your DataSync agent to use a VPC service endpoint.

A network diagram showing the order in which you can configure your DataSync agent to use a VPC service endpoint.
To configure your DataSync agent to use a VPC service endpoint
  1. Create or determine a VPC and subnet where you want to create your VPC service endpoint.

    If you're transferring to or from storage that's outside Amazon, the VPC should extend to that storage environment (for example, the data center where your on-premises NFS file server is located). You can do this by using routing rules over Amazon Direct Connect or VPN.

  2. In your VPC, configure a security group that allows the traffic required for using DataSync VPC service endpoints.

    The security group must allow your agent to connect with the private IP addresses of the VPC service endpoint and your task's network interfaces. For specific ports and protocols, see Network requirements for VPC service endpoints.

  3. Create a DataSync VPC service endpoint by doing the following:

    1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

    2. In the left navigation pane, choose Endpoints, then choose Create endpoint.

    3. For Service category, choose Amazon Web Services.

    4. For Services, search for datasync and choose the endpoint for the Region you're in (for example, com.amazonaws.us-east-1.datasync).

    5. For VPC, choose the VPC where you want to create the VPC service endpoint.

    6. Expand Additional settings and clear the Enable Private DNS Name check box.

    7. For Subnet, choose the subnet where you want to create the VPC service endpoint.

    8. Choose Create endpoint.

    For more information on creating VPC service endpoints, see the Amazon VPC User Guide.

  4. Open the Amazon DataSync console at https://console.amazonaws.cn/datasync/.

    In the left navigation pane, choose Agents, and then choose Create agent. In the Service endpoint section, do the following:

    1. For Endpoint type, choose VPC endpoints using Amazon PrivateLink.

    2. For VPC endpoint, choose the VPC service endpoint that your agent will use.

    3. For Subnet, choose the subnet where your VPC service endpoint is located.

    4. For Security group, choose the security group that you configured for allowing your agent to use your VPC service endpoint.
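As an added pre-flight check (example code, not from the DataSync documentation), the following Python script validates a VPC and a DataSync VPC service endpoint against the limitations and steps listed above before you create the agent. It takes dictionaries in the shape of `aws ec2 describe-vpcs` and `aws ec2 describe-vpc-endpoints` JSON output; the IDs and account number are constructed placeholders, and the Region and agent subnet arguments are assumptions you supply.

```python
from typing import Any, Dict, List

# Constructed sample records (placeholder IDs, not real resources).
SAMPLE_VPC: Dict[str, Any] = {
    "VpcId": "vpc-0example0001",
    "OwnerId": "111111111111",
    "InstanceTenancy": "default",
}
SAMPLE_ENDPOINT: Dict[str, Any] = {
    "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.us-east-1.datasync",
    "VpcId": "vpc-0example0001",
    "SubnetIds": ["subnet-0example0001"],
    "PrivateDnsEnabled": False,
    "IpAddressType": "ipv4",
}


def check_datasync_vpc_endpoint(vpc: Dict[str, Any], endpoint: Dict[str, Any],
                                region: str, account_id: str, agent_subnet_id: str) -> List[str]:
    """Return the list of problems found; an empty list means the setup follows the page."""
    problems: List[str] = []
    # Limitation: the VPC must have default tenancy.
    if vpc.get("InstanceTenancy") != "default":
        problems.append("VPC tenancy is %r; only default tenancy is supported" % vpc.get("InstanceTenancy"))
    # Limitation: shared VPCs (owned by another account) aren't supported.
    if vpc.get("OwnerId") != account_id:
        problems.append("VPC is owned by another account (shared VPC); not supported")
    # Step 3.4: an interface endpoint for the DataSync service in your Region.
    service = endpoint.get("ServiceName", "")
    if endpoint.get("VpcEndpointType") != "Interface" or not service.endswith(".datasync"):
        problems.append("endpoint is not a DataSync interface endpoint: %r" % service)
    elif ".%s." % region not in service:
        problems.append("endpoint service %r is not the one for Region %s" % (service, region))
    if endpoint.get("VpcId") != vpc.get("VpcId"):
        problems.append("endpoint is in a different VPC than the one being checked")
    # Step 3.6: the Enable Private DNS Name check box must be cleared.
    if endpoint.get("PrivateDnsEnabled"):
        problems.append("private DNS name is enabled; clear it for the DataSync endpoint")
    # Limitation: IPv4 only (no IPv6 or dual-stack).
    if endpoint.get("IpAddressType", "ipv4") != "ipv4":
        problems.append("endpoint address type is %r; only ipv4 is supported" % endpoint["IpAddressType"])
    # Step 4.3: the agent's subnet must be the subnet where the endpoint is located.
    if agent_subnet_id not in endpoint.get("SubnetIds", []):
        problems.append("agent subnet %s is not one of the endpoint's subnets" % agent_subnet_id)
    return problems


if __name__ == "__main__":
    for p in check_datasync_vpc_endpoint(SAMPLE_VPC, SAMPLE_ENDPOINT, "us-east-1", "111111111111", "subnet-0example0001"):
        print("PROBLEM:", p)
```

An empty result means the VPC and endpoint match the rules on this page; each problem string names the step or limitation it violates so you can fix it before moving on to agent activation.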

Next step: Activating your Amazon DataSync agent

Using a public service endpoint with DataSync

If you use a public service endpoint, all communication between your DataSync agent and DataSync service occurs over the public internet.

To configure your DataSync agent to use a public service endpoint
  1. After deploying your DataSync agent, configure your network to allow the traffic required for using DataSync public service endpoints.

  2. Open the Amazon DataSync console at https://console.amazonaws.cn/datasync/.

  3. In the left navigation pane, choose Agents, and then choose Create agent.

  4. In the Service endpoint section, choose Public service endpoints in Amazon Web Services Region name.

    For a list of endpoints that you can use, see DataSync service endpoints in the Amazon Web Services General Reference.

Next step: Activating your Amazon DataSync agent

Using a FIPS service endpoint with DataSync

DataSync offers some service endpoints that comply with FIPS. For more information, see FIPS endpoints in the Amazon Web Services General Reference.

To configure your DataSync agent to use a FIPS service endpoint
  1. Open the Amazon DataSync console at https://console.amazonaws.cn/datasync/.

  2. In the left navigation pane, choose Agents, and then choose Create agent.

  3. In the Service endpoint section, choose FIPS service endpoints in Amazon Web Services Region name.

    For a list of endpoints that you can use, see DataSync service endpoints in the Amazon Web Services General Reference.

Next step: Activating your Amazon DataSync agent