
Connecting your network for Amazon DataSync transfers

If you need an Amazon DataSync agent, you must establish several network connections for a data transfer or storage discovery. The following diagram shows the three network connections in a DataSync transfer from a storage system (which could be on premises, in another cloud, or at the edge) to an Amazon storage service.


1. Network connection between your storage system and agent

Your DataSync agent connects to your on-premises, other cloud, or edge storage system. For more information, see Network requirements for on-premises, self-managed, other cloud, and edge storage.

2. Network connection between your agent and DataSync service

There are a few aspects to connecting your agent to the DataSync service. First, you must connect your storage network to Amazon. Second, your agent needs a service endpoint to communicate with DataSync.

Connecting your storage network to Amazon

When using DataSync, consider the following options for connecting your storage network to Amazon:

  • Amazon Direct Connect - With Direct Connect, you can create a dedicated connection between your storage network and Amazon. From a DataSync perspective, this lets you:

    • Transfer data over a private path to your virtual private cloud (VPC), which avoids routing over the public internet.

    • Get a more predictable connection than using a virtual private network (VPN) to connect your storage network to Amazon (particularly if your agent is an Amazon EC2 instance).

    • Use any type of DataSync service endpoint, including public, Federal Information Processing Standard (FIPS), or VPC endpoints.

    For more information, see DataSync architecture and routing examples with Amazon Direct Connect.

  • VPN - You can connect your storage network to Amazon by using a VPN (such as Amazon Site-to-Site VPN).

  • Public internet - You can connect your storage network directly to DataSync over the internet by using a public or FIPS service endpoint.

Choosing a service endpoint

Your agent uses a service endpoint to communicate with DataSync. For more information, see Choosing a service endpoint for your Amazon DataSync agent.

3. Network connection between DataSync service and Amazon storage service

To connect DataSync to an Amazon storage service, you just have to make sure that the DataSync service can access your S3 bucket or file system. For more information, see Network requirements for Amazon storage services.

Networking when you don't need a DataSync agent

For transfers that don't require a DataSync agent, you just have to make sure that the DataSync service can access the Amazon storage services you’re transferring between. For more information, see Network requirements for Amazon storage services.

How and where DataSync traffic flows through the network

DataSync has data plane and control plane traffic. Knowing how each of these flows through the network is important if you want to separate your DataSync traffic.

  • Data plane traffic – Includes the file or object data moving between your storage locations. In most cases, data plane traffic routes through network interfaces that DataSync automatically generates and manages when you create a task. Where these network interfaces get created depends on the type of Amazon storage service you’re transferring to or from and the service endpoint that your DataSync agent uses.

  • Control plane traffic – Includes management activities for your DataSync resources. This traffic routes through the service endpoint that your agent uses.
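The following is an added example, not part of the original documentation: a check that the network interfaces carrying a task's data plane traffic sit only in the subnets you intend. It assumes you have saved the output of the DataSync DescribeTask call (its `SourceNetworkInterfaceArns` and `DestinationNetworkInterfaceArns` fields) and of the EC2 DescribeNetworkInterfaces call; the sample data, the function names, and the allowed subnet set are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample shaped like a DataSync DescribeTask response (all values made up).
TASK = {
    "SourceNetworkInterfaceArns": [
        "arn:aws-cn:ec2:cn-north-1:111122223333:network-interface/eni-0a1b2c3d",
        "arn:aws-cn:ec2:cn-north-1:111122223333:network-interface/eni-0e4f5a6b",
    ],
    "DestinationNetworkInterfaceArns": [
        "arn:aws-cn:ec2:cn-north-1:111122223333:network-interface/eni-0c7d8e9f",
    ],
}
# Constructed sample shaped like EC2 DescribeNetworkInterfaces output (all values made up).
ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0a1b2c3d", "SubnetId": "subnet-0000aaaa"},
    {"NetworkInterfaceId": "eni-0e4f5a6b", "SubnetId": "subnet-0000aaaa"},
    {"NetworkInterfaceId": "eni-0c7d8e9f", "SubnetId": "subnet-0000bbbb"},
]}

ENI_ARN = re.compile(r"^arn:[^:]+:ec2:[^:]+:\d{12}:network-interface/(eni-[0-9a-f]+)$")

def data_plane_enis(task):
    """Map each ENI id a task reports to its side of the transfer."""
    roles = {}
    for role, key in (("source", "SourceNetworkInterfaceArns"),
                      ("destination", "DestinationNetworkInterfaceArns")):
        for arn in task.get(key, []):
            match = ENI_ARN.match(arn)
            if match is None:
                raise ValueError(f"unexpected network interface ARN: {arn}")
            roles[match.group(1)] = role
    return roles

def audit_subnets(task, enis, allowed_subnets):
    """Group data plane ENIs by subnet; report any outside allowed_subnets or unknown to EC2."""
    by_id = {e["NetworkInterfaceId"]: e for e in enis["NetworkInterfaces"]}
    per_subnet, findings = defaultdict(list), []
    for eni_id, role in sorted(data_plane_enis(task).items()):
        eni = by_id.get(eni_id)
        subnet = eni["SubnetId"] if eni else None
        if subnet is not None:
            per_subnet[subnet].append(eni_id)
        if subnet not in allowed_subnets:
            findings.append((eni_id, role, subnet or "not-found"))
    return dict(per_subnet), findings

if __name__ == "__main__":
    print(audit_subnets(TASK, ENIS, allowed_subnets={"subnet-0000aaaa"}))
```

Each finding is a tuple of interface ID, transfer side, and the subnet it was found in, which gives you the interfaces to review when data plane traffic is meant to stay in a dedicated subnet.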

Network security for DataSync

For information about how your storage data (including metadata) is secured during a transfer, see Amazon DataSync encryption in transit.