AWS DataSync
User Guide

Using AWS DataSync in a Virtual Private Cloud

You can deploy AWS DataSync in your virtual private cloud (VPC) by using VPC endpoints. With this feature, the connection between an agent that is deployed either on-premises or in-cloud and the DataSync service doesn't need to travel across the public internet or need public IP addresses. Doing this increases the security of your data as it's transferred over the network by keeping network traffic within your Amazon VPC (Amazon VPC). VPC endpoints for DataSync are powered by VPC Endpoint Services (AWS PrivateLink), a highly available, scalable AWS service that enables you to privately connect your VPC to supported AWS services.

Considerations When Creating an Agent in a VPC

When you create tasks using an agent that is created in a VPC, the tasks are private. Each task creates four elastic network interfaces in your AWS account for transferring data. These network interfaces are created in the same subnet that your VPC endpoint is in. Make sure that you allow the agent to connect to the VPC endpoint elastic network interfaces.

Make sure the agent is able to route all the network interfaces.

You also need to create a security group to protect your network interfaces for tasks that run on your agent.

When you create an agent in a VPC, DataSync uses a private activation key to activate the agent.

Allow the following on each elastic network interface at all times:

  • Allow port 443 for all agent and task network interfaces.

  • Allow ports 1024–1064.

  • Allow the TCP protocol.

  • Allow port 22 (TCP) if you want to open a support channel.


    The agent needs to connect to a public NTP server on port 123 (UDP) for local systems to synchronize VM time to the host time.

    All security groups and firewalls must allow ephemeral egress traffic or permit use of Conntrack tools.

Creating an Agent Using VPC

Creating an agent using VPC is a four-step process:

  1. Create a VPC endpoint for DataSync. For more information, see Creating an Interface Endpoint.

  2. Download and deploy the agent on a host. For more information, see Deploy an AWS DataSync Agent.

  3. Choose the VPC endpoint to use with the agent. For more information, see Choose a VPC Endpoint.

  4. Activate the agent. For more information, see Activate Your Agent.