Beginning December 7, 2023, we will discontinue version 1 DataSync agents. Check the Agents page on the DataSync console to see if you have affected agents. If you do, replace those agents before then to avoid data transfer or storage discovery disruptions. If you need more help, contact Amazon Web Services Support.
Amazon DataSync network requirements
Configuring your network is an important step in setting up Amazon DataSync. Your network configuration depends on several factors, such as whether you want information about your storage or are ready to transfer data. It's also based on what kind of service endpoint you plan to use for sending data to Amazon.
Network requirements for self-managed and other cloud storage
The following network requirements can apply to on-premises or cloud-based storage systems that you manage or storage services from other cloud providers.
Note
Depending on your network, you might need to allow traffic on ports other than what's listed here for DataSync to connect with your storage.
From | To | Protocol | Port | How it's used by DataSync |
---|---|---|---|---|
DataSync agent | NFS file server | TCP | 2049 | Mounts the NFS file server. DataSync supports NFS versions 3.x, 4.0, and 4.1. |
DataSync agent | SMB file server | TCP | 139 or 445 | Mounts the SMB file server. DataSync supports SMB versions 1.0 and later. |
DataSync agent | Object storage | TCP | 443 (HTTPS) or 80 (HTTP) | Accesses your object storage. |
DataSync agent | Hadoop cluster | TCP | NameNode port (default is 8020). In most clusters, you can find this port number in the | Accesses the NameNodes in your Hadoop cluster. Specify the port used when creating an HDFS location. |
DataSync agent | Hadoop cluster | TCP | DataNode port (default is 50010). In most clusters, you can find this port number in the | Accesses the DataNodes in your Hadoop cluster. The DataSync agent automatically determines the port to use. |
DataSync agent | Hadoop Key Management Server (KMS) | TCP | KMS port (default is 9600) | Accesses the KMS for your Hadoop cluster. |
DataSync agent | Kerberos Key Distribution Center (KDC) server | TCP | KDC port (default is 88) | Authenticates with the Kerberos realm. This port is used only with HDFS. |
DataSync agent | Storage system's management interface | TCP | Depends on your network | Connects to your storage system. DataSync Discovery uses this connection to collect information about your system. |
Network requirements for Amazon storage services
The network ports required for DataSync to connect to an Amazon storage service during a transfer vary.
From | To | Protocol | Port |
---|---|---|---|
DataSync service | Amazon EFS | TCP | 2049 |
DataSync service | FSx for Windows File Server | See file system access control for FSx for Windows File Server. | |
DataSync service | FSx for Lustre | | |
DataSync service | FSx for OpenZFS | | |
DataSync service | FSx for ONTAP | TCP | 111, 635, and 2049 (NFS); 445 (SMB) |
DataSync service | Amazon S3 | TCP | 443 (HTTPS) |
Network requirements for VPC endpoints
A virtual private cloud (VPC) endpoint provides a private connection between your agent and Amazon that doesn't cross the internet or use public IP addresses. This also helps prevent packets from entering or exiting the network. For more information, see Using Amazon DataSync agents with VPC endpoints.
DataSync requires the following ports for your agent to use a VPC endpoint.
From | To | Protocol | Port | How it's used |
---|---|---|---|---|
Your web browser | Your DataSync agent | TCP | 80 (HTTP) | By your computer to obtain the agent activation key. After successful activation, DataSync closes the agent's port 80. The DataSync agent doesn't require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. Note: Alternatively, you can obtain the activation key from the agent's local console. This method does not require connectivity between the browser and your agent. For more information about using the local console to get the activation key, see Getting an agent activation key. |
DataSync agent | Your DataSync VPC endpoint. To find the correct IP address, open the Amazon VPC console. For more information, see step 5 in Configuring your DataSync agent to use a VPC endpoint. | TCP | 1024–1064 | For control traffic between the DataSync agent and the Amazon service. |
DataSync agent | Your task's network interfaces. To find the related IP addresses, open the Amazon EC2 console and choose Network Interfaces from the left navigation pane. To see the four network interfaces for the task, enter your task ID in the search filter. For more information, see step 9 in Configuring your DataSync agent to use a VPC endpoint. | TCP | 443 (HTTPS) | For data transfer from the DataSync VM to the Amazon Web Service. |
DataSync agent | Your DataSync VPC endpoint | TCP | 22 (Support channel) | To allow Amazon Web Services Support to access your DataSync agent for troubleshooting. You don't need this port open for normal operation. |
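The VPC endpoint port table above can be turned into a check on the agent's egress allow-list. The following is an added example, not code from the original page or from Amazon: the rule format, the function names and all IP addresses are assumptions constructed for illustration.

```python
from ipaddress import ip_network

# Agent egress needed with a VPC endpoint, taken from the table above:
# (name, destination group, first port, last port)
REQUIRED = [("control", "endpoint", 1024, 1064), ("data", "task_enis", 443, 443)]
OPTIONAL = [("support", "endpoint", 22, 22)]  # not needed for normal operation


def covers(rule, dests, first, last):
    """True if this single TCP rule allows every destination on first..last."""
    net = ip_network(rule["cidr"])
    return (rule["proto"] == "tcp"
            and all(ip_network(d).subnet_of(net) for d in dests)
            and rule["from_port"] <= first and last <= rule["to_port"])


def audit(rules, endpoint_ip, task_eni_ips):
    """Return findings for a hypothetical egress allow-list (list of dicts).

    Simplification: a requirement counts as met only if one rule covers it whole.
    """
    targets = {"endpoint": [endpoint_ip], "task_enis": task_eni_ips}
    findings = []
    for name, dest, first, last in REQUIRED:
        if not any(covers(r, targets[dest], first, last) for r in rules):
            findings.append(f"missing:{name}")
    for name, dest, first, last in OPTIONAL:
        if any(covers(r, targets[dest], first, last) for r in rules):
            findings.append(f"optional-open:{name}")
    for r in rules:
        if ip_network(r["cidr"]).prefixlen == 0:  # any destination at all
            findings.append(f"broad:{r['from_port']}-{r['to_port']}")
    return findings


# Constructed sample values, not from the original page.
ENDPOINT_IP = "10.0.1.25"
TASK_ENIS = ["10.0.1.40", "10.0.1.41", "10.0.1.42", "10.0.1.43"]
RULES = [
    {"proto": "tcp", "cidr": "10.0.1.25/32", "from_port": 1024, "to_port": 1060},
    {"proto": "tcp", "cidr": "10.0.1.0/24", "from_port": 443, "to_port": 443},
    {"proto": "tcp", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
]

if __name__ == "__main__":
    for finding in audit(RULES, ENDPOINT_IP, TASK_ENIS):
        print(finding)
```

The sample allow-list stops the control range at 1060 and leaves the support channel open to any destination, so the audit reports a missing control rule, an open optional port and a broad rule.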
The following diagram shows the ports required by DataSync when using VPC endpoints.

Network requirements for public endpoints
Your agent VM requires access to the following endpoints to communicate with Amazon when using public service endpoints. If you use a firewall or router to filter or limit network traffic, configure your firewall or router to allow these service endpoints.
From | To | Protocol | Port | How it's used | Endpoints accessed by the agent |
---|---|---|---|---|---|
Your web browser | DataSync agent | TCP | 80 (HTTP) | Allows your computer to obtain the DataSync agent's activation key. After successful activation, DataSync closes the agent's port 80. The agent doesn't require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. Note: Alternatively, you can obtain the activation key from the agent's local console. This method does not require connectivity between the browser and your agent. For more information, see Getting an agent activation key. | N/A |
DataSync agent | Amazon | TCP | 443 (HTTPS) | Activates your DataSync agent and associates it with your Amazon Web Services account. You can block the public endpoints after activation. | The |
DataSync agent | Amazon | TCP | 443 (HTTPS) | Allows communication between the DataSync agent and Amazon service endpoint. For information, see Choose a service endpoint for your Amazon DataSync agent. | The DataSync API endpoints: Data transfer endpoints: |
DataSync agent | Amazon | TCP | 443 (HTTPS) | Allows the DataSync agent to get updates from Amazon. | The |
DataSync agent | Domain Name Service (DNS) server | TCP/UDP | 53 (DNS) | Allows communication between the DataSync agent and DNS server. | N/A |
DataSync agent | Amazon | TCP | 22 (Support channel) | Allows Amazon Web Services Support to access your DataSync agent to help you troubleshoot issues. You don't need this port open for normal operation. | Amazon Web Services Support channel: |
DataSync agent | Network Time Protocol (NTP) server | UDP | 123 (NTP) | Allows local systems to synchronize the VM time to the host time. | NTP: Note: To change the default NTP configuration of your VM agent to use a different NTP server using the local console, see Synchronizing the time on your VMware agent. |
Network interface requirements
For every task you create, DataSync automatically generates and manages network interfaces for data transfer traffic. How many network interfaces DataSync creates and where they’re created depends on the following details about your task:
- Whether your task requires a DataSync agent.
- Your source and destination locations (where you’re copying data from and to).
- The type of service endpoint that your agent uses.
Each network interface uses a single IP address in your subnet (the more network interfaces there are, the more IP addresses you need). Use the following tables to make sure your subnet has enough IP addresses for your task.
Network interfaces for transfers with agents
In general, you need a DataSync agent when copying data between an Amazon storage service and storage system that isn't Amazon.
Location | Network interfaces created by default | Where network interfaces are created when using a public or FIPS endpoint | Where network interfaces are created when using a private (VPC) endpoint |
---|---|---|---|
Amazon S3 | 4 | N/A¹ | The subnet you specify when activating your DataSync agent. |
Amazon EFS | 4 | The subnet you specify when creating the Amazon EFS location. | |
Amazon FSx for Windows File Server | 4 | The same subnet as the file system's preferred file server. | |
Amazon FSx for Lustre | 4 | The same subnet as the file system. | |
Amazon FSx for OpenZFS | 4 | The same subnet as the file system. | |
Amazon FSx for NetApp ONTAP | 4 | The same subnet as the file system. | |
¹ Network interfaces aren't needed because the DataSync service communicates directly with the S3 bucket.
Network interfaces for transfers without agents
You don’t need a DataSync agent when copying data between Amazon Web Services.
The total number of network interfaces depends on the DataSync locations in your transfer. For example, transferring between Amazon EFS and FSx for Lustre file systems requires four network interfaces. Meanwhile, transferring between FSx for Windows File Server and an S3 bucket requires two network interfaces.
Location | Network interfaces created by default | Where network interfaces are created |
---|---|---|
Amazon S3 | N/A¹ | N/A¹ |
Amazon EFS | 2 | The subnet you specify when creating the Amazon EFS location. |
FSx for Windows File Server | 2 | The same subnet as the preferred file server for the file system. |
FSx for Lustre | 2 | The same subnet as the file system. |
FSx for OpenZFS | 2 | The same subnet as the file system. |
FSx for ONTAP | 2 | The same subnet as the file system. |
¹ Network interfaces aren't needed because the DataSync service communicates directly with the S3 bucket.
Viewing your network interfaces
To see the network interfaces allocated to your DataSync transfer task, do one of the following:
- Use the DescribeTask operation. The operation returns SourceNetworkInterfaceArns and DestinationNetworkInterfaceArns with responses that look like this:
  arn:aws:ec2:your-region:your-account-id:network-interface/eni-f012345678abcdef0
  In this example, the network interface ID is eni-f012345678abcdef0.
- In the Amazon EC2 console, search for your task ID (such as task-f012345678abcdef0) to find its network interfaces.
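The network interface IDs from DescribeTask are what you would feed into a firewall allow-list or a flow log filter. The following is an added example, not code from the original page or from Amazon, that extracts them from a response and flags entries that look wrong. The function name, the region, the account IDs and the sample response are constructed assumptions, and the expected count of 4 is the default from the agent transfer table.

```python
import re

# ARN shape shown above: arn:aws:ec2:<region>:<account-id>:network-interface/<eni-id>
# The partition is matched loosely because it differs between partitions.
ENI_ARN = re.compile(
    r"^arn:aws[a-z-]*:ec2:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):network-interface/(?P<eni>eni-[0-9a-f]{8,17})$"
)


def task_enis(resp, region, account, expected_per_side=4):
    """Return (eni_ids_by_side, problems) for a DescribeTask response dict."""
    enis, problems = {}, []
    for side in ("Source", "Destination"):
        ids = []
        for arn in resp.get(f"{side}NetworkInterfaceArns", []):
            m = ENI_ARN.match(arn)
            if not m:
                problems.append(f"{side}: malformed ARN {arn!r}")
                continue
            if (m["region"], m["account"]) != (region, account):
                problems.append(f"{side}: {m['eni']} outside {account}/{region}")
            ids.append(m["eni"])
        # A side with no interfaces is normal (for example, storage behind an agent).
        if ids and len(ids) != expected_per_side:
            problems.append(f"{side}: {len(ids)} interfaces, expected {expected_per_side}")
        enis[side] = ids
    return enis, problems


# Constructed sample response, not real output.
SAMPLE = {
    "SourceNetworkInterfaceArns": [],
    "DestinationNetworkInterfaceArns": [
        "arn:aws:ec2:eu-west-1:111122223333:network-interface/eni-f012345678abcdef0",
        "arn:aws:ec2:eu-west-1:111122223333:network-interface/eni-f012345678abcdef1",
        "arn:aws:ec2:eu-west-1:444455556666:network-interface/eni-f012345678abcdef2",
        "arn:aws:ec2:eu-west-1:111122223333:network-interface/eni-f012345678abcdef3",
    ],
}

if __name__ == "__main__":
    ids, issues = task_enis(SAMPLE, "eu-west-1", "111122223333")
    print(ids["Destination"])
    print(issues)
```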