Network requirements for self-managed and other cloud storage Network requirements for Amazon storage services Network requirements for VPC endpoints Network requirements for public endpoints Network interface requirements

Amazon DataSync network requirements

Configuring your network is an important step in setting up Amazon DataSync. Your network configuration depends on several factors, such as whether you want information about your storage or are ready to transfer data. It's also based on what kind of service endpoint you plan to use for sending data to Amazon.

Network requirements for self-managed and other cloud storage

The following network requirements can apply to on-premises or cloud-based storage systems that you manage or storage services from other cloud providers.

Note

Depending on your network, you might need to allow traffic on ports other than what's listed here for DataSync to connect with your storage.

From	To	Protocol	Port	How it's used by DataSync
DataSync agent	NFS file server	TCP	2049	Mounts the NFS file server. DataSync supports NFS versions 3.x, 4.0, and 4.1.
DataSync agent	SMB file server	TCP	139 or 445	Mounts the SMB file server. DataSync supports SMB versions 1.0 and later.
DataSync agent	Object storage	TCP	443 (HTTPS) or 80 (HTTP)	Accesses your object storage.
DataSync agent	Hadoop cluster	TCP	NameNode port (default is 8020) In most clusters, you can find this port number in the `core-site.xml` file under the `fs.default` or `fs.default.name` property (depending on the Hadoop distribution).	Accesses the NameNodes in your Hadoop cluster. Specify the port used when creating an HDFS location.
DataSync agent	Hadoop cluster	TCP	DataNode port (default is 50010) In most clusters, you can find this port number in the `hdfs-site.xml` file under the `dfs.datanode.address` property.	Accesses the DataNodes in your Hadoop cluster. The DataSync agent automatically determines the port to use.
DataSync agent	Hadoop Key Management Server (KMS)	TCP	KMS port (default is 9600)	Accesses the KMS for your Hadoop cluster.
DataSync agent	Kerberos Key Distribution Center (KDC) server	TCP	KDC port (default is 88)	Authenticates with the Kerberos realm. This port is used only with HDFS.
DataSync agent	Storage system's management interface	TCP	Depends on your network	Connects to your storage system. DataSync Discovery uses this connection to collect information about your system.

Network requirements for Amazon storage services

The network ports required for DataSync to connect to an Amazon storage service during a transfer vary.

From	To	Protocol	Port
DataSync service	Amazon EFS	TCP	2049
DataSync service	FSx for Windows File Server	See file system access control for FSx for Windows File Server.
DataSync service	FSx for Lustre	See file system access control for FSx for Lustre.
DataSync service	FSx for OpenZFS	See file system access control for FSx for OpenZFS.
DataSync service	FSx for ONTAP	TCP	111, 635, and 2049 (NFS) 445 (SMB)
DataSync service	Amazon S3	TCP	443 (HTTPS)

Network requirements for VPC endpoints

A virtual private cloud (VPC) endpoint provides a private connection between your agent and Amazon that doesn't cross the internet or use public IP addresses. This also helps prevent packets from entering or exiting the network. For more information, see Using Amazon DataSync agents with VPC endpoints.

DataSync requires the following ports for your agent to use a VPC endpoint.

From	To	Protocol	Port	How it's used
Your web browser	Your DataSync agent	TCP	80 (HTTP)	By your computer to obtain the agent activation key. After successful activation, DataSync closes the agent's port 80. The DataSync agent doesn't require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. Note Alternatively, you can obtain the activation key from the agent's local console. This method does not require connectivity between the browser and your agent. For more information about using the local console to get the activation key, see Getting an agent activation key.
DataSync agent	Your DataSync VPC endpoint To find the correct IP address, open the Amazon VPC console, and choose Endpoints from the left navigation pane. Choose the DataSync endpoint, and check the Subnets list to find the private IP address that corresponds to the subnet that you chose for your VPC endpoint setup. For more information, see step 5 in Configuring your DataSync agent to use a VPC endpoint.	TCP	1024–1064	For control traffic between the DataSync agent and the Amazon service.
DataSync agent	Your task's network interfaces To find the related IP addresses, open the Amazon EC2 console and choose Network Interfaces from the left navigation pane. To see the four network interfaces for the task, enter your task ID in the search filter. For more information, see step 9 in Configuring your DataSync agent to use a VPC endpoint.	TCP	443 (HTTPS)	For data transfer from the DataSync VM to the Amazon Web Service.
DataSync agent	Your DataSync VPC endpoint	TCP	22 (Support channel)	To allow Amazon Web Services Support to access your DataSync agent for troubleshooting. You don't need this port open for normal operation.

The following diagram shows the ports required by DataSync when using VPC endpoints.

Shows the ports used by DataSync with VPC endpoints.

Network requirements for public endpoints

Your agent VM requires access to the following endpoints to communicate with Amazon when using public service endpoints. If you use a firewall or router to filter or limit network traffic, configure your firewall or router to allow these service endpoints.

From	To	Protocol	Port	How it's used	Endpoints accessed by the agent
Your web browser	DataSync agent	TCP	80 (HTTP)	Allows your computer to obtain the DataSync agent's activation key. After successful activation, DataSync closes the agent's port 80. The agent doesn't require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. Note Alternatively, you can obtain the activation key from the agent's local console. This method does not require connectivity between the browser and your agent. For more information, see Getting an agent activation key.	N/A
DataSync agent	Amazon	TCP	443 (HTTPS)	Activates your DataSync agent and associates it with your Amazon Web Services account. You can block the public endpoints after activation.	The `activation-region` is the Amazon Web Services Region where you activate your DataSync agent. `activation.datasync.activation-region.amazonaws.com.cn`
DataSync agent	Amazon	TCP	443 (HTTPS)	Allows communication between the DataSync agent and Amazon service endpoint. For information, see Choose a service endpoint for your Amazon DataSync agent.	The `activation-region` is the Amazon Web Services Region where you activated your DataSync agent. DataSync API endpoints: `datasync.activation-region.amazonaws.com.cn` Data transfer endpoints: `your-task-id.datasync-dp.activation-region.amazonaws.com.cn` `cp.datasync.activation-region.amazonaws.com.cn`
DataSync agent	Amazon	TCP	443 (HTTPS)	Allows the DataSync agent to get updates from Amazon.	The `activation-region` is the Amazon Web Services Region where you activated your DataSync agent. `amazonlinux.default.amazonaws.com.cn` `amazonlinux-2-repos-activation-region.s3.dualstack.activation-region.amazonaws.com.cn` `amazonlinux-2-repos-activation-region.s3.activation-region.amazonaws.com.cn` `*.s3.activation-region.amazonaws.com.cn`
DataSync agent	Domain Name Service (DNS) server	TCP/UDP	53 (DNS)	Allows communication between the DataSync agent and DNS server.	N/A
DataSync agent	Amazon	TCP	22 (Support channel)	Allows Amazon Web Services Support to access your DataSync agent to help you troubleshoot issues. You don't need this port open for normal operation.	Amazon Web Services Support channel: `54.201.223.107`
DataSync agent	Network Time Protocol (NTP) server	UDP	123 (NTP)	Allows local systems to synchronize the VM time to the host time.	NTP: `0.amazon.pool.ntp.org` `1.amazon.pool.ntp.org` `2.amazon.pool.ntp.org` `3.amazon.pool.ntp.org` Note To change the default NTP configuration of your VM agent to use a different NTP server using the local console, see Synchronizing the time on your VMware agent.

Network interface requirements

For every task you create, DataSync automatically generates and manages network interfaces for data transfer traffic. How many network interfaces DataSync creates and where they’re created depends on the following details about your task:

Whether your task requires a DataSync agent.
Your source and destination locations (where you’re copying data from and to).
The type of service endpoint that your agent uses.

Each network interface uses a single IP address in your subnet (the more network interfaces there are, the more IP addresses you need). Use the following tables to make sure your subnet has enough IP addresses for your task.

Topics

Network interfaces for transfers with agents
Network interfaces for transfers without agents
Viewing your network interfaces

Network interfaces for transfers with agents

In general, you need a DataSync agent when copying data between an Amazon storage service and storage system that isn't Amazon.

Location	Network interfaces created by default	Where network interfaces are created when using a public or FIPS endpoint	Where network interfaces are created when using a private (VPC) endpoint
Amazon S3	4	N/A¹	The subnet you specify when activating your DataSync agent.
Amazon EFS	4	The subnet you specify when creating the Amazon EFS location.
Amazon FSx for Windows File Server	4	The same subnet as the file system's preferred file server.
Amazon FSx for Lustre	4	The same subnet as the file system.
Amazon FSx for OpenZFS	4	The same subnet as the file system.
Amazon FSx for NetApp ONTAP	4	The same subnet as the file system.

¹ Network interfaces aren't needed because the DataSync service communicates directly with the S3 bucket.

Network interfaces for transfers without agents

You don’t need a DataSync agent when copying data between Amazon Web Services.

The total number of network interfaces depends on the DataSync locations in your transfer. For example, transferring between Amazon EFS and FSx for Lustre file systems requires four network interfaces. Meanwhile, transferring between FSx for Windows File Server and an S3 bucket requires two network interfaces.

Location	Network interfaces created by default	Where network interfaces are created
Amazon S3	N/A¹	N/A¹
Amazon EFS	2	The subnet you specify when creating the Amazon EFS location.
FSx for Windows File Server	2	The same subnet as the preferred file server for the file system.
FSx for Lustre	2	The same subnet as the file system.
FSx for OpenZFS	2	The same subnet as the file system.
FSx for ONTAP	2	The same subnet as the file system.

¹ Network interfaces aren't needed because the DataSync service communicates directly with the S3 bucket.

Viewing your network interfaces

To see the network interfaces allocated to your DataSync transfer task, do one of the following:

Use the DescribeTask operation. The operation returns SourceNetworkInterfaceArns and DestinationNetworkInterfaceArns with responses that look like this:
```
arn:aws:ec2:your-region:your-account-id:network-interface/eni-f012345678abcdef0
```
In this example, the network interface ID is eni-f012345678abcdef0.
In the Amazon EC2 console, search for your task ID (such as task-f012345678abcdef0) to find its network interfaces.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Agent requirements

Required permissions