File Gateway setup requirements - Amazon Storage Gateway
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon S3 File Gateway documentation has been moved to What is Amazon S3 File Gateway?

Volume Gateway documentation has been moved to What is Volume Gateway?

Tape Gateway documentation has been moved to What is Tape Gateway?

File Gateway setup requirements

Unless otherwise noted, the following requirements are common to all File Gateway types in Amazon Storage Gateway. Your setup must meet the requirements in this section. Review the requirements that apply to your gateway setup before you deploy your gateway.

Prerequisites

Before you set up your Amazon FSx File Gateway (FSx File Gateway), you must meet the following prerequisites:

  • Create and configure an FSx for Windows File Server file system. For instructions, see Step 1: Create Your File System in the Amazon FSx for Windows File Server User Guide.

  • Configure Microsoft Active Directory (AD) and create an Active Directory service account with the requisite permissions. For more information, see Active Directory service account permission requirements.

  • Ensure that there is sufficient network bandwidth between the gateway and Amazon. A minimum of 100 Mbps is required to successfully download, activate, and update the gateway.

  • Configure your private networking, VPN, or Amazon Direct Connect between your Amazon Virtual Private Cloud (Amazon VPC) and the on-premises environment where you are deploying your gateway.

  • Make sure your gateway can resolve the name of your Active Directory Domain Controller. You can use DHCP in your Active Directory domain to handle resolution, or specify a DNS server manually from the Network Configuration settings menu in the gateway local console.

Hardware and storage requirements

The following sections provide information about the minimum required hardware and storage configurations for your gateway, and the minimum amount of disk space to allocate for the required storage.

Hardware requirements for on-premises VMs

When deploying your gateway on-premises, ensure that the underlying hardware on which you deploy the gateway virtual machine (VM) can dedicate the following minimum resources:

  • Four virtual processors assigned to the VM

  • 16 GiB of reserved RAM for File Gateways

  • 80 GiB of disk space for installation of VM image and system data

Requirements for Amazon EC2 instance types

When deploying your gateway on Amazon Elastic Compute Cloud (Amazon EC2), the instance size must be at least xlarge for your gateway to function. However, for the compute-optimized instance family the size must be at least 2xlarge. Use one of the following instance types recommended for your gateway type.

Recommended for File Gateway types

  • General-purpose instance family – m4, m5, or m6 instance type.

    Note

    We don't recommend using the m4.16xlarge instance type.

  • Compute-optimized instance family – c4, c5, or c6 instance types. Choose the 2xlarge instance size or higher to meet the required RAM requirements.

  • Memory-optimized instance family – r3, r5, or r6 instance types.

  • Storage-optimized instance family – i3 or i4 instance types.

    Note

    When you launch your gateway in Amazon EC2 and the instance type you choose supports ephemeral storage, the disks are listed automatically. For more information about Amazon EC2 instance storage, see Instance storage in the Amazon EC2 User Guide.

Storage requirements

In addition to 80 GiB of disk space for the VM, you also need additional disks for your gateway.

Gateway type Cache (minimum) Cache (maximum)
File Gateway 150 GiB 64 TiB
Note

You can configure one or more local drives for your cache, up to the maximum capacity.

When adding cache to an existing gateway, it's important to create new disks in your host (hypervisor or Amazon EC2 instance). Don't change the size of existing disks if the disks have been previously allocated as a cache.

Network and firewall requirements

Your gateway requires access to the internet, local networks, Domain Name Service (DNS) servers, firewalls, routers, and so on.

Network bandwidth requirements vary based on the quantity of data that is uploaded and downloaded by the gateway. A minimum of 100Mbps is required to successfully download, activate, and update the gateway. Your data transfer patterns will determine the bandwidth necessary to support your workload.

Following, you can find information about required ports and how to allow access through firewalls and routers.

Note

In some cases, you might deploy your gateway on Amazon EC2 or use other types of deployment (including on-premises) with network security policies that restrict Amazon IP address ranges. In these cases, your gateway might experience service connectivity issues when the Amazon IP range values changes. The Amazon IP address range values that you need to use are in the Amazon service subset for the Amazon Region that you activate your gateway in. For the current IP range values, see Amazon IP address ranges in the Amazon Web Services General Reference.

Port requirements

Common ports for all gateway types

The following ports are common to all gateway types and are required by all gateway types.

Protocol

Port

Direction

Source

Destination

Usage

TCP

443 (HTTPS)

Outbound

Storage Gateway

Amazon

For communication from Storage Gateway to the Amazon service endpoint. For information about service endpoints, see Allowing Amazon Storage Gateway access through firewalls and routers.

TCP

80 (HTTP)

Inbound

The host from which you connect to the Amazon Web Services Management Console.

Storage Gateway

By local systems to obtain the Storage Gateway activation key. Port 80 is only used during activation of the Storage Gateway appliance.

Storage Gateway does not require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your gateway from the Storage Gateway console, the host from which you connect to the console must have access to your gateway’s port 80.

TCP/UDP

53 (DNS)

Outbound

Storage Gateway

DNS server

For communication between Storage Gateway and the DNS server.

TCP

22 (Support channel)

Outbound

Storage Gateway

Amazon Web Services Support

Allows Amazon Web Services Support to access your gateway to help you with troubleshooting gateway issues. You don't need this port open for the normal operation of your gateway, but it is required for troubleshooting.

UDP

123 (NTP)

Outbound

NTP client

NTP server

Used by local systems to synchronize VM time to the host time.

Note

Not required for gateways hosted on Amazon EC2.

TCP

1026

Outbound

Used for control traffic.

TCP

1027

Outbound

Used only during activation and can then be closed.

TCP

1028

Outbound

Used for control traffic.

TCP

1031

Outbound

Used only for software updates for file gateways.

Ports for File Gateways

For FSx File Gateway, you must use Microsoft Active Directory to allow domain users to access a Server Message Block (SMB) file share. You can join your File Gateway to any valid Microsoft Windows domain (resolvable by DNS).

You can also use the Amazon Directory Service to create an Amazon Managed Microsoft AD in the Amazon Web Services Cloud. For most Amazon Managed Microsoft AD deployments, you need to configure the Dynamic Host Configuration Protocol (DHCP) service for your VPC. For information about creating a DHCP options set, see Create a DHCP options set in the Amazon Directory Service Administration Guide.

FSx File Gateway requires the following ports.

Protocol

Port

Direction

Source

Destination

Usage

UDP

NetBIOS

137

Inbound and outbound

Storage Gateway

Microsoft Active Directory

For connecting to Microsoft Active Directory.

UDP

NetBIOS

138

Inbound and outbound

Storage Gateway

Microsoft Active Directory

For Datagram service

TCP/UDP (SMBv2)

139 Inbound Client Storage Gateway

Required for SMBv2 clients connecting to the Storage Gateway

TCP/UDP LDAP

389

Inbound and outbound

Storage Gateway

Microsoft Active Directory

Directory System Agent (DSA); client connection

TCP/UDP Kerberos

88

Inbound and outbound

Storage Gateway

Microsoft Active Directory

TCP Distributed Computing Environment/End Point Mapper (DCE/EMAP)

135

Inbound and outbound

Storage Gateway

Microsoft Active Directory

TCP/UDP (SMBv3)

445

Inbound and outbound

Storage Gateway and Clients

Amazon FSx Endpoints and Storage Gateway

Storage data transfer between File Gateway and FSx for Windows File Server

Also to serve data transfer between clients and Storage Gateway

TCP (HTTPS)

443

Outbound

Storage Gateway

Storage Gateway service endpoints

Management control – Used for communication from a Storage Gateway VM to an Amazon service endpoint

TCP HTTPS

443

Outbound

Storage Gateway

Amazon CloudFront

For gateway activation

TCP

443

Outbound

Storage Gateway

VPC endpoint usage

Management control – Used for communication from an Storage Gateway VM to an Amazon service endpoint

TCP

1026

Outbound

Storage Gateway

VPC endpoint usage

Used for control traffic

TCP

1027

Outbound Storage Gateway

VPC endpoint usage

Used only during activation and can then be closed

TCP

1028 Outbound Storage Gateway

VPC endpoint usage

Used for control traffic

TCP

1031

Outbound Storage Gateway

Storage Gateway service endpoints

Used only for software updates for File Gateways

TCP

2222

Outbound

Storage Gateway Amazon Web Services Support

Used to open a support channel to the gateway when using VPC endpoints

TCP (HTTPS)

8080

Inbound

The host from which you connect to the Amazon Web Services Management Console

Storage Gateway

Required briefly for activation of a hardware appliance

TCP (HTTPS)

80 Inbround

The host from which you connect to the Amazon Web Services Management Console

Storage Gateway

Required briefly for activation of a hardware appliance

Networking and firewall requirements for the Storage Gateway Hardware Appliance

Each Storage Gateway Hardware Appliance requires the following network services:

  • Internet access – an always-on network connection to the internet through any network interface on the server.

  • DNS services – DNS services for communication between the hardware appliance and DNS server.

  • Time synchronization – an automatically configured Amazon NTP time service must be reachable.

  • IP address – A DHCP or static IPv4 address assigned. You cannot assign an IPv6 address.

There are five physical network ports at the rear of the Dell PowerEdge R640 server. From left to right (facing the back of the server) these ports are as follows:

  1. iDRAC

  2. em1

  3. em2

  4. em3

  5. em4

You can use the iDRAC port for remote server management.

network resources connected to hardware appliance using various ports.

A hardware appliance requires the following ports to operate.

Protocol

Port

Direction

Source

Destination

Usage

SSH

22

Outbound

Hardware appliance

54.201.223.107

Support channel
DNS 53 Outbound Hardware appliance DNS servers Name resolution
UDP/NTP 123 Outbound Hardware appliance *.amazon.pool.ntp.org Time synchronization
HTTPS

443

Outbound

Hardware appliance

*.amazonaws.com

Data transfer

HTTP 8080 Inbound Amazon Hardware appliance Activation (only briefly)

To perform as designed, a hardware appliance requires network and firewall settings as follows:

  • Configure all connected network interfaces in the hardware console.

  • Make sure that each network interface is on a unique subnet.

  • Provide all connected network interfaces with outbound access to the endpoints listed in the diagram preceding.

  • Configure at least one network interface to support the hardware appliance. For more information, see Configuring hardware appliance network parameters.

Note

For an illustration showing the back of the server with its ports, see Rack-mounting your hardware appliance and connecting power.

All IP addresses on the same network interface (NIC), whether for a gateway or a host, must be on the same subnet. The following illustration shows the addressing scheme.

host IP and service IP on a single subnet sharing one NIC.

For more information about activating and configuring a hardware appliance, see Using the Amazon Storage Gateway Hardware Appliance.

Allowing Amazon Storage Gateway access through firewalls and routers

Your gateway requires access to the following service endpoints to communicate with Amazon. If you use a firewall or router to filter or limit network traffic, you must configure your firewall and router to allow these service endpoints for outbound communication to Amazon.

Note

If you configure private VPC endpoints for your Storage Gateway to use for connection and data transfer to and from Amazon, your gateway does not require access to the public internet. For more information, see Activating a gateway in a virtual private cloud.

Important

Replace region in the following endpoint examples with the correct Amazon Web Services Region string for your gateway, such as us-west-2.

Replace bucket-name with the actual name of the Amazon S3 bucket in your deployment, such as my-testbucket-1. You can also use an asterisk (*) in place of bucket-name to create a wildcard entry in your firewall rules, which will allowlist the service endpoint for all bucket names.

If your gateways are deployed in Amazon Web Services Regions in the United States or Canada and require Federal Information Processing Standard (FIPS) compliant endpoint connections, replace s3 with s3-fips.

The following service endpoint is required by all gateways for head-bucket operations.

bucket-name.s3.region.amazonaws.com.cn:443

The following service endpoints are required by all gateways for control path (anon-cp, client-cp, proxy-app) and data path (dp-1) operations.

anon-cp.storagegateway.region.amazonaws.com.cn:443 client-cp.storagegateway.region.amazonaws.com.cn:443 proxy-app.storagegateway.region.amazonaws.com.cn:443 dp-1.storagegateway.region.amazonaws.com.cn:443

The following gateway service endpoint is required to make API calls.

storagegateway.region.amazonaws.com.cn:443

The following example is a gateway service endpoint in the US West (Oregon) Region (us-west-2).

storagegateway.us-west-2.amazonaws.com.cn:443

In addition to the Storage Gateway and Amazon S3 service endpoints, Storage Gateway VMs also require network access to the following NTP servers:

0.amazon.pool.ntp.org 1.amazon.pool.ntp.org 2.amazon.pool.ntp.org 3.amazon.pool.ntp.org

Configuring security groups for your Amazon EC2 gateway instance

In Amazon Storage Gateway, a security group controls traffic to your Amazon EC2 gateway instance. When you configure a security group, we recommend the following:

  • The security group should not allow incoming connections from the outside internet. It should allow only instances within the gateway security group to communicate with the gateway.

    If you need to allow instances to connect to the gateway from outside its security group, we recommend that you allow connections only on port 80 (for activation).

  • If you want to activate your gateway from an Amazon EC2 host outside the gateway security group, allow incoming connections on port 80 from the IP address of that host. If you cannot determine the activating host's IP address, you can open port 80, activate your gateway, and then close access on port 80 after completing activation.

  • Allow port 22 access only if you are using Amazon Web Services Support for troubleshooting purposes. For more information, see You want Amazon Web Services Support to help troubleshoot your Amazon EC2 gateway.

Supported hypervisors and host requirements

You can run Storage Gateway on-premises as either a virtual machine (VM) appliance or a physical hardware appliance, or in Amazon as an Amazon EC2 instance.

Storage Gateway supports the following hypervisor versions and hosts:

  • VMware ESXi Hypervisor (version 7.0 or 8.0) – A free version of VMware is available on the VMware website. For this setup, you also need a VMware vSphere client to connect to the host.

  • Microsoft Hyper-V Hypervisor (version 2012 R2, 2016, 2019, or 2022) – A free, standalone version of Hyper-V is available at the Microsoft Download Center. For this setup, you need a Microsoft Hyper-V Manager on a Microsoft Windows client computer to connect to the host.

  • Linux Kernel-based Virtual Machine (KVM) – A free, open-source virtualization technology. KVM is included in all versions of Linux version 2.6.20 and newer. Storage Gateway is tested and supported for the CentOS/RHEL 7.7, RHEL 8.6 Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS distributions. Any other modern Linux distribution may work, but function or performance is not guaranteed. We recommend this option if you already have a KVM environment up and running and you are already familiar with how KVM works.

  • Amazon EC2 instance – Storage Gateway provides an Amazon Machine Image (AMI) that contains the gateway VM image. For information about how to deploy a gateway on Amazon EC2, see Deploy a customized Amazon EC2 host for FSx File Gateway.

  • Storage Gateway Hardware Appliance – Storage Gateway provides a physical hardware appliance as an on-premises deployment option for locations with limited virtual machine infrastructure.

Note

Storage Gateway doesn’t support recovering a gateway from a VM that was created from a snapshot or clone of another gateway VM or from your Amazon EC2 AMI. If your gateway VM malfunctions, activate a new gateway and recover your data to that gateway. For more information, see Recovering from an unexpected virtual machine shutdown.

Storage Gateway doesn’t support dynamic memory and virtual memory ballooning.

Supported SMB clients for File Gateway

File Gateway supports the following Service Message Block (SMB) clients:

  • Microsoft Windows Server 2008 R2 and later

  • Windows desktop versions: 10, 8, and 7.

  • Windows Terminal Server running on Windows Server 2008 and later

    Note

    Server Message Block encryption requires clients that support SMB v3.x dialects.

Supported file system operations for File Gateway

Your SMB client can write, read, delete, and truncate files. When clients send writes to Storage Gateway, it writes to local cache synchronously. Then it writes to Amazon FSx asynchronously through optimized transfers. Reads are first served through the local cache. If data is not available, it's fetched through Amazon FSx as a read-through cache.

Writes and reads are optimized in that only the parts that are changed or requested are transferred through your gateway. Deletes remove files from Amazon FSx.