Network Requirements for DataSync - AWS DataSync

Using DataSync to transfer your data requires access to certain network ports and endpoints. The following sections describe how to configure network access for DataSync agents that transfer data through public service endpoints, Federal Information Processing Standard (FIPS) endpoints, and VPC endpoints.

Network Requirements to Connect to Your NFS or SMB Storage

Deploy the DataSync agent as close as possible to the source file system. The agent reads from the source over native protocols such as Network File System (NFS), which are comparatively slow over distance, and sends the data to AWS over DataSync's purpose-built, accelerated protocol. Keeping the native-protocol hop short therefore speeds up transfers significantly.

The following ports are required for communication between the DataSync agent and your NFS or Server Message Block (SMB) storage.

| From | To | Protocol | Port | How Used |
|---|---|---|---|---|
| Agent | NFS server | TCP/UDP | 2049 (NFS) | By the DataSync agent to mount a source NFS file system. Supports NFS v3.x, NFS v4.0, and NFS v4.1. |
| Agent | SMB server | TCP/UDP | 139 (SMB) or 445 (SMB) | By the DataSync agent to mount a source SMB file share. Supports SMB 2 and SMB 3 versions. |

Network Requirements When Using VPC Endpoints

When the agent uses only private IP addresses, traffic between it and DataSync never leaves your private network for the public internet, and your VPC can remain unreachable from the internet. You can therefore remove all internet access from your on-premises systems and still use DataSync for data transfers to and from AWS over private IP addresses.

DataSync requires the following ports for its operation when your agent is using private endpoints.

| From | To | Protocol | Port | How Used |
|---|---|---|---|---|
| Your web browser | DataSync agent | TCP | 80 (HTTP) | By your computer to obtain the agent activation key. After successful activation, DataSync closes the agent's port 80. The agent doesn't require port 80 to be publicly accessible; the required level of access depends on your network configuration. |
| Agent | Your DataSync VPC endpoint (private IP) | TCP | 1024–1064 | Control traffic between the DataSync agent and the AWS service. |
| Agent | Your task's elastic network interfaces | TCP | 443 (HTTPS) | Data transfer from the DataSync VM to the AWS service. |
| Agent | Your DataSync VPC endpoint | TCP | 22 (Support channel) | Allows AWS Support to access your DataSync agent to help troubleshoot DataSync issues. Not needed for normal operation; open it only while troubleshooting with AWS Support requires it. |

To find the VPC endpoint's private IP address, open the Amazon VPC console and choose Endpoints from the navigation pane on the left. Choose the DataSync endpoint and check the Subnets list to find the private IP address that corresponds to the subnet that you chose for your VPC endpoint setup. For more information, see step 5 in Configuring DataSync to Use Private IP Addresses for Data Transfer.

To find the IP addresses of the task's elastic network interfaces, open the Amazon EC2 console and choose Network Interfaces from the dashboard. Enter your task ID into the search filter to see the four elastic network interfaces for the task. For more information, see step 9 in Configuring DataSync to Use Private IP Addresses for Data Transfer.

Following is an illustration of the ports required by DataSync when using private endpoints.
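As an added example (not from the AWS documentation), the following Python script checks VPC Flow Log records against the private-endpoint port table above. Any agent-originated flow that is not control traffic to the endpoint on TCP 1024–1064 or data transfer to a task network interface on TCP 443 is reported, and support-channel flows on TCP 22 are listed separately so they can be reconciled with an open support case. The log records, account ID, interface ID and all IP addresses (agent 192.168.10.5, endpoint 10.0.1.10, task ENIs 10.0.1.20 to 10.0.1.23, 10.0.1.99 as an unrelated host) are constructed for illustration.

```python
"""Check VPC Flow Log records against the private-endpoint port table.

Added example, not AWS code. Record layout is the default VPC Flow Logs format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
All addresses below are assumptions chosen for the example.
"""
from dataclasses import dataclass

AGENT_IP = "192.168.10.5"            # on-premises agent VM (assumed)
VPC_ENDPOINT_IP = "10.0.1.10"        # private IP of the DataSync VPC endpoint (assumed)
TASK_ENI_IPS = {"10.0.1.20", "10.0.1.21", "10.0.1.22", "10.0.1.23"}  # task ENIs (assumed)
TCP = 6                              # IANA protocol number in the "protocol" field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    action: str


def parse_flow(line: str) -> Flow:
    """Pick the address, port, protocol and action fields out of one record."""
    f = line.split()
    return Flow(src=f[3], dst=f[4], sport=int(f[5]), dport=int(f[6]),
                proto=int(f[7]), action=f[12])


def is_support_channel(flow: Flow) -> bool:
    """TCP 22 to the VPC endpoint: only legitimate during an AWS Support engagement."""
    return flow.proto == TCP and flow.dst == VPC_ENDPOINT_IP and flow.dport == 22


def is_expected(flow: Flow) -> bool:
    """Control traffic to the endpoint (TCP 1024-1064) or data transfer to a task ENI (TCP 443)."""
    if flow.proto != TCP:
        return False
    if flow.dst == VPC_ENDPOINT_IP and 1024 <= flow.dport <= 1064:
        return True
    return flow.dst in TASK_ENI_IPS and flow.dport == 443


def audit(lines, agent_ip: str = AGENT_IP):
    """Return (unexpected, support): agent-originated flows the port table does not
    explain, and support-channel flows to reconcile with an open support case.
    Return-direction records (source is not the agent) and blank/header lines are skipped."""
    unexpected, support = [], []
    for line in lines:
        if not line.strip() or line.startswith("version"):
            continue
        flow = parse_flow(line)
        if flow.src != agent_ip:
            continue
        if is_support_channel(flow):
            support.append(flow)
        elif not is_expected(flow):
            unexpected.append(flow)
    return unexpected, support


# Constructed sample records, not real log data.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.10 49152 1030 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.21 49153 443 6 5000 6000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.21 192.168.10.5 443 49153 6 4000 200000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.10 49154 22 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.10 49155 2049 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.99 49156 443 6 1 60 1700000000 1700000060 REJECT OK
"""


if __name__ == "__main__":
    bad, ssh = audit(SAMPLE_LOG.splitlines())
    for flow in bad:
        print(f"UNEXPECTED {flow.src} -> {flow.dst}:{flow.dport} ({flow.action})")
    for flow in ssh:
        print(f"SUPPORT CHANNEL {flow.src} -> {flow.dst}:22 ({flow.action})")
```

On the sample, the flow to the endpoint on port 2049 and the rejected flow to 10.0.1.99 are reported as unexpected, the port 22 flow is listed for reconciliation, and the ACCEPT on port 1030 and the data-transfer flow to a task ENI pass. Rejected flows are still worth reporting: a REJECT from the agent to a destination outside the table usually means a misconfigured mount or endpoint, not a working transfer.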

Network Requirements When Using Public Service Endpoints or FIPS Endpoints

Your agent VM requires access to the following endpoints to communicate with AWS when using public service endpoints, or when using FIPS endpoints. Enabling this access is not necessary when using DataSync with VPC endpoints.

If you use a firewall or router to filter or limit network traffic, configure your firewall or router to allow these service endpoints. They're required to enable outbound communication between your network and AWS.

Endpoints accessed by the agent:

| From | To | Protocol | Port | How Used |
|---|---|---|---|---|
| Your web browser | DataSync agent | TCP | 80 (HTTP) | Used by your computer to obtain the agent activation key. After successful activation, DataSync closes the agent's port 80. The agent doesn't require port 80 to be publicly accessible; the required level of access depends on your network configuration. |
| Agent | AWS (activation endpoint) | TCP | 443 (HTTPS) | Used by the DataSync agent to activate with your AWS account. This is for agent activation only; you can block the activation endpoint after activation. |
| Agent | AWS (service endpoints) | TCP | 443 (HTTPS) | Communication between the DataSync agent and the AWS service endpoints: API calls, data transfer, and agent updates. For information about Regions and service endpoints, see Choose a Service Endpoint. |
| Agent | Domain Name Service (DNS) server | TCP/UDP | 53 (DNS) | Name resolution by the DataSync agent. |
| Agent | AWS support channel (54.201.223.107) | TCP | 22 (Support channel) | Allows AWS Support to access your DataSync agent to help troubleshoot DataSync issues. Not needed for normal operation; open it only while troubleshooting with AWS Support requires it. |
| Agent | NTP server | UDP | 123 (NTP) | Used by the agent VM to synchronize its clock. |

Endpoint hostnames ($region is the AWS Region of the service endpoint you chose; $taskId is the DataSync task ID):

Activation, public endpoint:

activation.datasync.$region.amazonaws

Activation, FIPS endpoint:

activation.datasync-fips.$region.amazonaws

API endpoint:

datasync.$region.amazonaws.com

Data transfer endpoints:

$taskId.datasync-dp.$region.amazonaws.com
cp.datasync.$region.amazonaws.com

Data transfer endpoint for FIPS:

cp.datasync-fips.$region.amazonaws.com

Agent updates:

repo.$region.amazonaws.com
repo.default.amazonaws.com
packages.$region.amazonaws.com

NTP:

0.amazon.pool.ntp.org
1.amazon.pool.ntp.org
2.amazon.pool.ntp.org
3.amazon.pool.ntp.org

Note

If you want to change the default NTP configuration of your VMware agent to use a different NTP server using the local console, see Configuring a Network Time Protocol (NTP) Server.

Following is an illustration of the ports required by DataSync when using public service endpoints or FIPS endpoints.
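As an added example (not AWS code), the following Python module encodes the port tables on this page as an egress allow-list for the agent and audits a candidate firewall policy against it. It reports required rules the policy lacks, transient requirements (activation and the port 22 support channel) that the policy leaves permanently open, and policy rules that allow any destination. It substitutes the Region and task ID into the page's hostname patterns; the activation hostnames are assumed to end in .amazonaws.com like the other endpoints listed, and in FIPS mode only the activation and cp hostnames are swapped for their -fips variants, because the page lists no FIPS-specific form of the others. The Region, task ID, DNS server and IP addresses used in the usage section are placeholders.

```python
"""Egress allow-list for a DataSync agent, built from this page's port tables,
plus an audit of a firewall policy against it. Added example, not AWS code."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    dst: str             # hostname, IP or CIDR the agent connects to ("any" in a policy = wildcard)
    proto: str           # "tcp" or "udp"
    port_lo: int
    port_hi: int
    purpose: str
    always: bool = True  # False: needed only transiently (activation, support channel)

    def covers(self, other: "Rule") -> bool:
        """True if this policy rule permits everything `other` requires."""
        dst_ok = self.dst in ("any", "0.0.0.0/0") or self.dst == other.dst
        return (dst_ok and self.proto == other.proto
                and self.port_lo <= other.port_lo and other.port_hi <= self.port_hi)


NTP_POOL = [f"{i}.amazon.pool.ntp.org" for i in range(4)]
SUPPORT_CHANNEL_IP = "54.201.223.107"   # support channel address from the page


def required_egress(mode: str, region: str, task_id: str = "*", dns_server: str = "dns",
                    vpc_endpoint_ip: str = "", task_eni_ips: Iterable[str] = ()) -> list[Rule]:
    """Outbound rules the agent needs for mode "public", "fips" or "vpc".

    $region / $taskId in the page's hostnames are replaced by `region` / `task_id`.
    For "vpc", the caller supplies the endpoint's private IP and the task ENI IPs."""
    if mode == "vpc":
        if not vpc_endpoint_ip or not task_eni_ips:
            raise ValueError("vpc mode needs the endpoint IP and the task ENI IPs")
        rules = [Rule(vpc_endpoint_ip, "tcp", 1024, 1064, "control traffic")]
        rules += [Rule(ip, "tcp", 443, 443, "data transfer to task ENI") for ip in task_eni_ips]
        rules.append(Rule(vpc_endpoint_ip, "tcp", 22, 22, "support channel", always=False))
        return rules
    if mode not in ("public", "fips"):
        raise ValueError(f"unknown mode {mode!r}")
    fips = "-fips" if mode == "fips" else ""
    aws = f"{region}.amazonaws.com"
    rules = [
        # Assumption: activation hostnames carry the same .amazonaws.com suffix as the rest.
        Rule(f"activation.datasync{fips}.{aws}", "tcp", 443, 443, "agent activation", always=False),
        Rule(f"datasync.{aws}", "tcp", 443, 443, "API endpoint"),
        Rule(f"{task_id}.datasync-dp.{aws}", "tcp", 443, 443, "data transfer"),
        Rule(f"cp.datasync{fips}.{aws}", "tcp", 443, 443, "data transfer (cp)"),
        Rule(f"repo.{aws}", "tcp", 443, 443, "agent updates"),
        Rule("repo.default.amazonaws.com", "tcp", 443, 443, "agent updates"),
        Rule(f"packages.{aws}", "tcp", 443, 443, "agent updates"),
        Rule(dns_server, "tcp", 53, 53, "DNS"),
        Rule(dns_server, "udp", 53, 53, "DNS"),
        Rule(SUPPORT_CHANNEL_IP, "tcp", 22, 22, "support channel", always=False),
    ]
    rules += [Rule(host, "udp", 123, 123, "NTP") for host in NTP_POOL]
    return rules


def audit(policy: list[Rule], required: list[Rule]) -> dict[str, list[str]]:
    """Compare a firewall egress policy with the requirement.

    missing:   rules needed for normal operation that nothing in the policy allows
    transient: activation / support-channel requirements the policy leaves open; close after use
    broad:     policy rules that allow any destination, wider than this page needs"""
    missing = [f"{r.purpose} -> {r.dst} {r.proto}/{r.port_lo}" for r in required
               if r.always and not any(p.covers(r) for p in policy)]
    transient = [f"{r.purpose} -> {r.dst}" for r in required
                 if not r.always and any(p.covers(r) for p in policy)]
    broad = [f"{p.proto}/{p.port_lo}-{p.port_hi} to {p.dst}" for p in policy
             if p.dst in ("any", "0.0.0.0/0")]
    return {"missing": missing, "transient": transient, "broad": broad}


if __name__ == "__main__":
    # Placeholder Region, task ID and DNS server; a typical "allow all HTTPS out" policy.
    need = required_egress("public", "us-east-1", "task-0123456789abcdef", dns_server="10.0.0.2")
    have = [Rule("any", "tcp", 443, 443, "https out"), Rule("10.0.0.2", "udp", 53, 53, "dns")]
    for kind, items in audit(have, need).items():
        print(kind, *items, sep="\n  ")
```

Inbound port 80 from the workstation that performs activation (browser to agent) is an inbound rule on the agent host, not agent egress, so it sits outside this model; restrict it to that workstation and remove it after activation. In the usage above, the open "any TCP 443" rule satisfies every HTTPS endpoint but is reported as broad, TCP 53 and the four NTP hosts are reported missing, and the activation endpoint is flagged as still reachable after activation.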