Menu
AWS Storage Gateway
User Guide (API Version 2013-06-30)

Requirements

Unless otherwise noted, the following requirements are common to all gateway configurations.

Hardware Requirements

When deploying your gateway on-premises, you must make sure that the underlying hardware on which you are deploying the gateway VM is able to dedicate the following resources:

  • Four or eight virtual processors assigned to the VM.

  • 7.5 GB of RAM assigned to the VM

  • 75 GB of disk space for installation of VM image and system data

For more information, see Optimizing Gateway Performance

For information about how your hardware affects the performance of the gateway VM, see AWS Storage Gateway Limits.

When deploying your gateway on Amazon EC2, you must use the m3, i2, c3, c4, r3, d2, and m4 instance types and the instance size must be at least size xlarge. You must select one of these instance types for the gateway to function. For more information, see AWS Storage Gateway in AWS Marketplace.

Storage Requirements

In addition to 75 GB disk space for the VM, you will also need additional disks for the gateway:

  • For file gateway, you will need storage for the local cache.

  • For cached volumes, you will need storage for the local cache and an upload buffer.

  • For stored volumes, you will need storage for your entire dataset and an upload buffer.

  • For tape gateway, you will need storage for the local cache and an upload buffer.

For more information about how to add disks, see Provisioning Local Disk Storage for the Gateway VM (VMWare).

For information about gateway limits, see AWS Storage Gateway Limits.

Network and Firewall Requirements

Your locally deployed gateway requires access to the internet, local networks, Domain Name Service (DNS) servers, firewalls, routers, and so on. Following, you can find information about required ports and how to allow access through firewalls and routers.

Port Requirements

AWS Storage Gateway requires the following ports for its operation.

Protocol

Port

Source

Destination

How Used

TCP

443

Storage Gateway

Internet

For communication from AWS Storage Gateway to the AWS service endpoint. For information about service endpoints, see Allowing AWS Storage Gateway Access through Firewalls and Routers.

TCP

80

Local networks

Storage Gateway

By local systems to obtain the storage gateway activation key. Port 80 is only used during activation of the Storage Gateway appliance.

Note

AWS Storage Gateway does not require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your gateway from the AWS Storage Gateway Management Console, the host from which you connect to the console must have access to your gateway’s port 80.

TCP

3260

Local networks

Storage Gateway

By local systems to connect to iSCSI targets exposed by the gateway.

UDP

53

Storage Gateway

Domain Name Service (DNS) server

For communication between AWS Storage Gateway and the DNS server.

TCP

22

Storage Gateway

Internet

Allows AWS Support to access your gateway to help you with troubleshooting gateway issues. You don't need this port open for the normal operation of your gateway, but it is required for troubleshooting.

Allowing AWS Storage Gateway Access through Firewalls and Routers

Your locally deployed gateway requires access to the following endpoints to communicate with AWS. If you use a firewall or router to filter or limit network traffic, you must configure your firewall and router to allow these service endpoints for outbound communication to AWS.

client-cp.storagegateway.region.amazonaws.com:443
dp-1.storagegateway.region.amazonaws.com:443
anon-cp.storagegateway.region.amazonaws.com:443
proxy-app.storagegateway.region.amazonaws.com:443
storagegateway.region.amazonaws.com:443

The following table provides a list of region strings for the available regions.

Note

Only cached volumes and tape gateway are available on Amazon EC2.

Region NameRegion StringFile GatewayVolume GatewayTape Gateway
US East (N. Virginia)us-east-1

yes

yes

yes

US East (Ohio)us-east-2

yes

yes

yes

US West (N. California)us-west-1

yes

yes

yes

US West (Oregon)us-west-2

yes

yes

yes

Canada (Central)ca-central-1

yes

yes

yes

EU (Ireland)eu-west-1

yes

yes

yes

EU (Frankfurt)eu-central-1

yes

yes

yes

Asia Pacific (Tokyo)ap-northeast-1

yes

yes

yes

Asia Pacific (Seoul)ap-northeast-2

yes

yes

yes

Asia Pacific (Singapore)ap-southeast-1

yes

yes

no

Asia Pacific (Sydney)ap-southeast-2

yes

yes

yes

South America (São Paulo)sa-east-1

yes

yes

no

Depending on your gateway's region, you replace region in the endpoint with the corresponding region string. For example, if you create a gateway in the US West (Oregon) region, the endpoint looks like this: storagegateway.us-west-2.amazonaws.com:443.

Configuring Security Groups for Your Amazon EC2 Gateway Instance

A security group controls traffic to your Amazon EC2 gateway instance. When you create an instance from the Amazon Machine Image (AMI) for AWS Storage Gateway from AWS Marketplace, you have two choices for launching the instance. To launch the instance by using the 1-Click Launch feature of AWS Marketplace, follow the steps in Provisioning an Amazon EC2 Host . We recommend using this Manual Launch feature.

You can also launch an instance by using the 1-Click Launch feature in AWS Marketplace. In this case, an autogenerated security group that is named AWS Storage Gateway-1-0-AutogenByAWSMP- is created. This security group has the correct rule for port 80 to activate your gateway. For more information about security groups, see Security Group Concepts in the Amazon EC2 User Guide for Linux Instances.

Regardless of the security group that you use, we recommend the following:

  • The security group should not allow incoming connections from the outside Internet. It should allow only instances within the gateway security group to communicate with the gateway. If you need to allow instances to connect to the gateway from outside its security group, we recommend you allow connections only on ports 3260 (for iSCSI connections) and 80 (for activation).

  • If you want to activate your gateway from an EC2 host outside the gateway security group, allow incoming connections on port 80 from the IP address of that host. If you cannot determine the activating host's IP address, you can open port 80, activate your gateway, and then close access on port 80 after completing activation.

  • Allow port 22 access only if you are using AWS Support for troubleshooting purposes. For more information, see Enabling AWS Support to Access a Gateway Hosted on an Amazon EC2 Instance.

If you are using an Amazon EC2 instance as an initiator (that is, to connect to the iSCSI targets on the gateway you deployed on Amazon EC2), then we recommend a two-step approach:

  1. You should launch the initiator instance in the same security group as the gateway.

  2. You should configure access so the initiator can communicate with the gateway.

Supported Hypervisors and Host Requirements

You can choose to run AWS Storage Gateway either on-premises as a virtual machine (VM) appliance, or in AWS as an Amazon Elastic Compute Cloud (Amazon EC2) instance.

AWS Storage Gateway supports the following hypervisor versions and hosts:

  • VMware ESXi Hypervisor (version 4.1, 5.0, 5.1, 5.5 or 6.0)—A free version of VMware is available on the VMware website. You will also need a VMware vSphere client to connect to the host.

    Note

    Currently, file gateway supports only the VMware ESXi Hypervisor.

  • Microsoft Hyper-V Hypervisor (version 2008 R2, 2012, or 2012 R2)—A free, stand-alone version of Hyper-V is available at the Microsoft Download Center. You will need a Microsoft Hyper-V Manager on a Microsoft Windows client computer to connect to the host.

  • EC2 instance—AWS Storage Gateway provides an Amazon Machine Image (AMI) that contains the gateway VM image. Only gateways created with cached volumes and tape gateways can be deployed on Amazon EC2. For information about how to deploy a gateway on Amazon EC2, see Provisioning an Amazon EC2 Host.

Supported Protocols For File Gateway

File gateway supports the following protocols:

  • Clients that connect to the gateway using NFS V3 and V4.1 over TCP.

    Note

    Windows clients support NFS V3 and we are evaluating options to enhance Windows integration.

Supported File System Operations For File Gateway

Your NFS client can write, read, delete, and truncate files. Writes are sent to S3 through optimized multi-part uploads through a write-back cache. Reads are first served through the local cache. If data is not available, it is fetched through S3 as a read through cache. Writes and reads are optimized in that only the parts that are changed or requested are transferred through the Gateway. Deletes remove objects from S3. Directories are managed as folder objects in S3, using the same syntax as the S3 console.

Supported iSCSI Initiators

When you deploy a gateway-cached or gateway-stored volume gateway, you can create iSCSI storage volumes on your gateway. When you deploy a tape gateway, the gateway is preconfigured with one media changer and ten tape drives. These tape drives and the media changer are available to your existing client backup applications as iSCSI devices. To connect to these iSCSI devices, AWS Storage Gateway supports the following iSCSI initiators:

  • Windows Server 2012 and Windows Server 2012 R2

  • Windows Server 2008 and Windows Server 2008 R2

  • Windows 7

  • Red Hat Enterprise Linux 5

  • Red Hat Enterprise Linux 6

  • Red Hat Enterprise Linux 7

  • VMware ESX Initiator (Provides an alternative to using initiators in the guest operating systems of your VMs.)

Important

Storage Gateway does not support Microsoft Multipath I/O (MPIO) from Windows clients.

Although AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access your gateway's volumes, connecting multiple hosts to the same iSCSI target is not supported.

Compatible Third-Party Backup Software for Tape Gateway

You use backup software to read, write, and manage tapes with a tape gateway. A tape gateway setup is compatible with many third-party backup software packages, including the following:

Backup SoftwareVersion
Backup Exec2012, 2014, 15 and 16
Dell NetVault Backup10.0
EMC NetWorker8.x
HPE Data Protector9.x
Microsoft System Center Data Protection Manager2012 R2
Symantec NetBackup 7.x
Veeam Backup & ReplicationV7, V8 and V9