Amazon S3 File Gateway documentation has been moved to What is Amazon S3 File Gateway?
Volume Gateway documentation has been moved to What is Volume Gateway?
Tape Gateway documentation has been moved to What is Tape Gateway?
File Gateway setup requirements
Unless otherwise noted, the following requirements are common to all File Gateway types in Amazon Storage Gateway. Your setup must meet the requirements in this section. Review the requirements that apply to your gateway setup before you deploy your gateway.
Topics
Prerequisites
Before you set up your Amazon FSx File Gateway (FSx File Gateway), you must meet the following prerequisites:
-
Create and configure an FSx for Windows File Server file system. For instructions, see Step 1: Create Your File System in the Amazon FSx for Windows File Server User Guide.
-
Configure Microsoft Active Directory (AD) and create an Active Directory service account with the requisite permissions. For more information, see Active Directory service account permission requirements.
-
Ensure that there is sufficient network bandwidth between the gateway and Amazon. A minimum of 100 Mbps is required to successfully download, activate, and update the gateway.
-
Configure your private networking, VPN, or Amazon Direct Connect between your Amazon Virtual Private Cloud (Amazon VPC) and the on-premises environment where you are deploying your gateway.
-
Make sure your gateway can resolve the name of your Active Directory Domain Controller. You can use DHCP in your Active Directory domain to handle resolution, or specify a DNS server manually from the Network Configuration settings menu in the gateway local console.
Hardware and storage requirements
The following sections provide information about the minimum required hardware and storage configurations for your gateway, and the minimum amount of disk space to allocate for the required storage.
Hardware requirements for on-premises VMs
When deploying your gateway on-premises, ensure that the underlying hardware on which you deploy the gateway virtual machine (VM) can dedicate the following minimum resources:
-
Four virtual processors assigned to the VM
-
16 GiB of reserved RAM for File Gateways
-
80 GiB of disk space for installation of VM image and system data
Requirements for Amazon EC2 instance types
When deploying your gateway on Amazon Elastic Compute Cloud (Amazon EC2), the instance size must be at
least xlarge
for your gateway to
function. However, for the compute-optimized instance family the size must be at
least 2xlarge
. Use one of the
following instance types recommended for your gateway type.
Recommended for File Gateway types
-
General-purpose instance family – m4, m5, or m6 instance type.
Note
We don't recommend using the m4.16xlarge instance type.
-
Compute-optimized instance family – c4, c5, or c6 instance types. Choose the 2xlarge instance size or higher to meet the required RAM requirements.
-
Memory-optimized instance family – r3, r5, or r6 instance types.
-
Storage-optimized instance family – i3 or i4 instance types.
Note
When you launch your gateway in Amazon EC2 and the instance type you choose supports ephemeral storage, the disks are listed automatically. For more information about Amazon EC2 instance storage, see Instance storage in the Amazon EC2 User Guide.
Storage requirements
In addition to 80 GiB of disk space for the VM, you also need additional disks for your gateway.
Gateway type | Cache (minimum) | Cache (maximum) |
---|---|---|
File Gateway | 150 GiB | 64 TiB |
Note
You can configure one or more local drives for your cache, up to the maximum capacity.
When adding cache to an existing gateway, it's important to create new disks in your host (hypervisor or Amazon EC2 instance). Don't change the size of existing disks if the disks have been previously allocated as a cache.
Network and firewall requirements
Your gateway requires access to the internet, local networks, Domain Name Service (DNS) servers, firewalls, routers, and so on.
Network bandwidth requirements vary based on the quantity of data that is uploaded and downloaded by the gateway. A minimum of 100Mbps is required to successfully download, activate, and update the gateway. Your data transfer patterns will determine the bandwidth necessary to support your workload.
Following, you can find information about required ports and how to allow access through firewalls and routers.
Note
In some cases, you might deploy your gateway on Amazon EC2 or use other types of deployment (including on-premises) with network security policies that restrict Amazon IP address ranges. In these cases, your gateway might experience service connectivity issues when the Amazon IP range values changes. The Amazon IP address range values that you need to use are in the Amazon service subset for the Amazon Region that you activate your gateway in. For the current IP range values, see Amazon IP address ranges in the Amazon Web Services General Reference.
Topics
Port requirements
Common ports for all gateway types
The following ports are common to all gateway types and are required by all gateway types.
Protocol |
Port |
Direction |
Source |
Destination |
Usage |
---|---|---|---|---|---|
TCP |
443 (HTTPS) |
Outbound |
Storage Gateway |
Amazon |
For communication from Storage Gateway to the Amazon service endpoint. For information about service endpoints, see Allowing Amazon Storage Gateway access through firewalls and routers. |
TCP |
80 (HTTP) |
Inbound |
The host from which you connect to the Amazon Web Services Management Console. |
Storage Gateway |
By local systems to obtain the Storage Gateway activation key. Port 80 is only used during activation of the Storage Gateway appliance. Storage Gateway does not require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your gateway from the Storage Gateway console, the host from which you connect to the console must have access to your gateway’s port 80. |
TCP/UDP |
53 (DNS) |
Outbound |
Storage Gateway |
DNS server |
For communication between Storage Gateway and the DNS server. |
TCP |
22 (Support channel) |
Outbound |
Storage Gateway |
Amazon Web Services Support |
Allows Amazon Web Services Support to access your gateway to help you with troubleshooting gateway issues. You don't need this port open for the normal operation of your gateway, but it is required for troubleshooting. |
UDP |
123 (NTP) |
Outbound |
NTP client |
NTP server |
Used by local systems to synchronize VM time to the host time. NoteNot required for gateways hosted on Amazon EC2. |
TCP |
1026 |
Outbound |
Used for control traffic. |
||
TCP |
1027 |
Outbound |
Used only during activation and can then be closed. |
||
TCP |
1028 |
Outbound |
Used for control traffic. |
||
TCP |
1031 |
Outbound |
Used only for software updates for file gateways. |
Ports for File Gateways
For FSx File Gateway, you must use Microsoft Active Directory to allow domain users to access a Server Message Block (SMB) file share. You can join your File Gateway to any valid Microsoft Windows domain (resolvable by DNS).
You can also use the Amazon Directory Service to create an Amazon Managed Microsoft AD in the Amazon Web Services Cloud. For most Amazon Managed Microsoft AD deployments, you need to configure the Dynamic Host Configuration Protocol (DHCP) service for your VPC. For information about creating a DHCP options set, see Create a DHCP options set in the Amazon Directory Service Administration Guide.
FSx File Gateway requires the following ports.
Protocol |
Port |
Direction |
Source |
Destination |
Usage |
---|---|---|---|---|---|
UDP NetBIOS |
137 |
Inbound and outbound |
Storage Gateway |
Microsoft Active Directory |
For connecting to Microsoft Active Directory. |
UDP NetBIOS |
138 |
Inbound and outbound |
Storage Gateway |
Microsoft Active Directory |
For Datagram service |
TCP/UDP (SMBv2) |
139 | Inbound | Client | Storage Gateway |
Required for SMBv2 clients connecting to the Storage Gateway |
TCP/UDP LDAP |
389 |
Inbound and outbound |
Storage Gateway |
Microsoft Active Directory |
Directory System Agent (DSA); client connection |
TCP/UDP Kerberos |
88 |
Inbound and outbound |
Storage Gateway |
Microsoft Active Directory |
|
TCP Distributed Computing Environment/End Point Mapper (DCE/EMAP) |
135 |
Inbound and outbound |
Storage Gateway |
Microsoft Active Directory |
|
TCP/UDP (SMBv3) |
445 |
Inbound and outbound |
Storage Gateway and Clients |
Amazon FSx Endpoints and Storage Gateway |
Storage data transfer between File Gateway and FSx for Windows File Server Also to serve data transfer between clients and Storage Gateway |
TCP (HTTPS) |
443 |
Outbound |
Storage Gateway |
Storage Gateway service endpoints |
Management control – Used for communication from a Storage Gateway VM to an Amazon service endpoint |
TCP HTTPS |
443 |
Outbound |
Storage Gateway |
Amazon CloudFront |
For gateway activation |
TCP |
443 |
Outbound |
Storage Gateway |
VPC endpoint usage |
Management control – Used for communication from an Storage Gateway VM to an Amazon service endpoint |
TCP |
1026 |
Outbound |
Storage Gateway |
VPC endpoint usage |
Used for control traffic |
TCP |
1027 |
Outbound | Storage Gateway |
VPC endpoint usage |
Used only during activation and can then be closed |
TCP |
1028 | Outbound | Storage Gateway |
VPC endpoint usage |
Used for control traffic |
TCP |
1031 |
Outbound | Storage Gateway |
Storage Gateway service endpoints |
Used only for software updates for File Gateways |
TCP |
2222 |
Outbound |
Storage Gateway | Amazon Web Services Support |
Used to open a support channel to the gateway when using VPC endpoints |
TCP (HTTPS) |
8080 |
Inbound |
The host from which you connect to the Amazon Web Services Management Console |
Storage Gateway |
Required briefly for activation of a hardware appliance |
TCP (HTTPS) |
80 | Inbround |
The host from which you connect to the Amazon Web Services Management Console |
Storage Gateway |
Required briefly for activation of a hardware appliance |
Networking and firewall requirements for the Storage Gateway Hardware Appliance
Each Storage Gateway Hardware Appliance requires the following network services:
-
Internet access – an always-on network connection to the internet through any network interface on the server.
-
DNS services – DNS services for communication between the hardware appliance and DNS server.
-
Time synchronization – an automatically configured Amazon NTP time service must be reachable.
-
IP address – A DHCP or static IPv4 address assigned. You cannot assign an IPv6 address.
There are five physical network ports at the rear of the Dell PowerEdge R640 server. From left to right (facing the back of the server) these ports are as follows:
-
iDRAC
-
em1
-
em2
-
em3
-
em4
You can use the iDRAC port for remote server management.
![network resources connected to hardware appliance using various ports.](images/ApplianceFirewallRules.png)
A hardware appliance requires the following ports to operate.
Protocol |
Port |
Direction |
Source |
Destination |
Usage |
---|---|---|---|---|---|
SSH |
22 |
Outbound |
Hardware appliance |
|
Support channel |
DNS | 53 | Outbound | Hardware appliance | DNS servers | Name resolution |
UDP/NTP | 123 | Outbound | Hardware appliance | *.amazon.pool.ntp.org |
Time synchronization |
HTTPS |
443 |
Outbound |
Hardware appliance |
|
Data transfer |
HTTP | 8080 | Inbound | Amazon | Hardware appliance | Activation (only briefly) |
To perform as designed, a hardware appliance requires network and firewall settings as follows:
-
Configure all connected network interfaces in the hardware console.
-
Make sure that each network interface is on a unique subnet.
-
Provide all connected network interfaces with outbound access to the endpoints listed in the diagram preceding.
-
Configure at least one network interface to support the hardware appliance. For more information, see Configuring hardware appliance network parameters.
Note
For an illustration showing the back of the server with its ports, see Rack-mounting your hardware appliance and connecting power.
All IP addresses on the same network interface (NIC), whether for a gateway or a host, must be on the same subnet. The following illustration shows the addressing scheme.
![host IP and service IP on a single subnet sharing one NIC.](images/ApplianceAddressing.png)
For more information about activating and configuring a hardware appliance, see Using the Amazon Storage Gateway Hardware Appliance.
Allowing Amazon Storage Gateway access through firewalls and routers
Your gateway requires access to the following service endpoints to communicate with Amazon. If you use a firewall or router to filter or limit network traffic, you must configure your firewall and router to allow these service endpoints for outbound communication to Amazon.
Note
If you configure private VPC endpoints for your Storage Gateway to use for connection and data transfer to and from Amazon, your gateway does not require access to the public internet. For more information, see Activating a gateway in a virtual private cloud.
Important
Replace region
in the following endpoint examples
with the correct Amazon Web Services Region string for your gateway, such as
us-west-2
.
Replace bucket-name
with the actual name of the
Amazon S3 bucket in your deployment, such as my-testbucket-1
. You can
also use an asterisk (*
) in place of
bucket-name
to create a wildcard entry in your
firewall rules, which will allowlist the service endpoint for all bucket
names.
If your gateways are deployed in Amazon Web Services Regions in the United States or Canada
and require Federal Information Processing Standard (FIPS) compliant endpoint
connections, replace s3
with
s3-fips
.
The following service endpoint is required by all gateways for head-bucket operations.
bucket-name
.s3
.region
.amazonaws.com.cn:443
The following service endpoints are required by all gateways for control path
(anon-cp
, client-cp
, proxy-app
) and data
path (dp-1
) operations.
anon-cp.storagegateway.
region
.amazonaws.com.cn:443 client-cp.storagegateway.region
.amazonaws.com.cn:443 proxy-app.storagegateway.region
.amazonaws.com.cn:443 dp-1.storagegateway.region
.amazonaws.com.cn:443
The following gateway service endpoint is required to make API calls.
storagegateway.
region
.amazonaws.com.cn:443
The following example is a gateway service endpoint in the US West (Oregon)
Region (us-west-2
).
storagegateway.us-west-2.amazonaws.com.cn:443
In addition to the Storage Gateway and Amazon S3 service endpoints, Storage Gateway VMs also require network access to the following NTP servers:
0.amazon.pool.ntp.org 1.amazon.pool.ntp.org 2.amazon.pool.ntp.org 3.amazon.pool.ntp.org
-
For a complete list of supported Amazon Regions and Amazon service endpoints that you can use with Storage Gateway, see Amazon Storage Gateway endpoints and quotas in the Amazon Web Services General Reference.
-
For a list supported Amazon Regions that you can use with the hardware appliance, see Storage Gateway hardware appliance Regions in the Amazon Web Services General Reference.
Configuring security groups for your Amazon EC2 gateway instance
In Amazon Storage Gateway, a security group controls traffic to your Amazon EC2 gateway instance. When you configure a security group, we recommend the following:
-
The security group should not allow incoming connections from the outside internet. It should allow only instances within the gateway security group to communicate with the gateway.
If you need to allow instances to connect to the gateway from outside its security group, we recommend that you allow connections only on port 80 (for activation).
-
If you want to activate your gateway from an Amazon EC2 host outside the gateway security group, allow incoming connections on port 80 from the IP address of that host. If you cannot determine the activating host's IP address, you can open port 80, activate your gateway, and then close access on port 80 after completing activation.
-
Allow port 22 access only if you are using Amazon Web Services Support for troubleshooting purposes. For more information, see You want Amazon Web Services Support to help troubleshoot your Amazon EC2 gateway.
Supported hypervisors and host requirements
You can run Storage Gateway on-premises as either a virtual machine (VM) appliance or a physical hardware appliance, or in Amazon as an Amazon EC2 instance.
Storage Gateway supports the following hypervisor versions and hosts:
-
VMware ESXi Hypervisor (version 7.0 or 8.0) – A free version of VMware is available on the VMware website
. For this setup, you also need a VMware vSphere client to connect to the host. -
Microsoft Hyper-V Hypervisor (version 2012 R2, 2016, 2019, or 2022) – A free, standalone version of Hyper-V is available at the Microsoft Download Center
. For this setup, you need a Microsoft Hyper-V Manager on a Microsoft Windows client computer to connect to the host. -
Linux Kernel-based Virtual Machine (KVM) – A free, open-source virtualization technology. KVM is included in all versions of Linux version 2.6.20 and newer. Storage Gateway is tested and supported for the CentOS/RHEL 7.7, RHEL 8.6 Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS distributions. Any other modern Linux distribution may work, but function or performance is not guaranteed. We recommend this option if you already have a KVM environment up and running and you are already familiar with how KVM works.
-
Amazon EC2 instance – Storage Gateway provides an Amazon Machine Image (AMI) that contains the gateway VM image. For information about how to deploy a gateway on Amazon EC2, see Deploy a customized Amazon EC2 host for FSx File Gateway.
-
Storage Gateway Hardware Appliance – Storage Gateway provides a physical hardware appliance as an on-premises deployment option for locations with limited virtual machine infrastructure.
Note
Storage Gateway doesn’t support recovering a gateway from a VM that was created from a snapshot or clone of another gateway VM or from your Amazon EC2 AMI. If your gateway VM malfunctions, activate a new gateway and recover your data to that gateway. For more information, see Recovering from an unexpected virtual machine shutdown.
Storage Gateway doesn’t support dynamic memory and virtual memory ballooning.
Supported SMB clients for File Gateway
File Gateway supports the following Service Message Block (SMB) clients:
-
Microsoft Windows Server 2008 R2 and later
-
Windows desktop versions: 10, 8, and 7.
-
Windows Terminal Server running on Windows Server 2008 and later
Note
Server Message Block encryption requires clients that support SMB v3.x dialects.
Supported file system operations for File Gateway
Your SMB client can write, read, delete, and truncate files. When clients send writes to Storage Gateway, it writes to local cache synchronously. Then it writes to Amazon FSx asynchronously through optimized transfers. Reads are first served through the local cache. If data is not available, it's fetched through Amazon FSx as a read-through cache.
Writes and reads are optimized in that only the parts that are changed or requested are transferred through your gateway. Deletes remove files from Amazon FSx.