Deploying and configuring the gateway VM host - AWS Storage Gateway

Deploying and configuring the gateway VM host

The following topics provide information about setting up the virtual machine host platform for your gateway.

Synchronize VM time with Hyper-V or Linux KVM host time

For a gateway deployed on VMware ESXi, setting the hypervisor host time and synchronizing the virtual machine time to the host is sufficient to avoid time drift. For more information, see Synchronize VM time with VMware host time. For a gateway deployed on Microsoft Hyper-V or Linux KVM, we recommend that you periodically check the virtual machine time using the following procedure.

To view and synchronize the time of a hypervisor gateway virtual machine to a Network Time Protocol (NTP) server
  1. Log in to your gateway's local console.

  2. On the Storage Gateway Configuration main menu screen, enter the corresponding numeral to select System Time Management.

  3. On the System Time Management menu screen, enter the corresponding numeral to select View and Synchronize System Time.

    The gateway local console displays the current system time and compares it with the time reported by the NTP server, then reports the exact discrepancy between the two times in seconds.

  4. If the time discrepancy is greater than 60 seconds, enter y to synchronize the system time with NTP time. Otherwise, enter n.

    Time synchronization might take a few moments.

Synchronize VM time with VMware host time

To successfully activate your gateway, you must ensure that your VM time is synchronized to the host time, and that the host time is correctly set. In this section, you first synchronize the time on the VM to the host time. Then you check the host time and, if needed, set the host time and configure the host to synchronize its time automatically to a Network Time Protocol (NTP) server.

Important

Synchronizing the VM time with the host time is required for successful gateway activation.

To synchronize VM time with host time
  1. Configure your VM time.

    1. In the vSphere client, right-click the name of your gateway VM in the panel on the left side of the application window to open the context menu for the VM, and then choose Edit Settings.

      The Virtual Machine Properties dialog box opens.

    2. Choose the Options tab, and then choose VMware Tools from the options list.

    3. Check the Synchronize guest time with host option in the Advanced section on the right side of the Virtual Machine Properties dialog box, and then choose OK.

      The VM synchronizes its time with the host.

  2. Configure the host time.

    It is important to make sure that your host clock is set to the correct time. If you have not configured your host clock, perform the following steps to set and synchronize it with an NTP server.

    1. In the VMware vSphere client, select the vSphere host node in the left panel, and then choose the Configuration tab.

    2. Select Time Configuration in the Software panel, and then choose the Properties link.

      The Time Configuration dialog box appears.

    3. Under Date and Time, set the date and time for your vSphere host.

    4. Configure the host to synchronize its time automatically to an NTP server.

      1. Choose Options in the Time Configuration dialog box, and then in the NTP Daemon (ntpd) Options dialog box, choose NTP Settings in the left panel.

      2. Choose Add to add a new NTP server.

      3. In the Add NTP Server dialog box, type the IP address or the fully qualified domain name of an NTP server, and then choose OK.

        You can use pool.ntp.org as the domain name.

      4. In the NTP Daemon (ntpd) Options dialog box, choose General in the left panel.

      5. Under Service Commands, choose Start to start the service.

        Note that if you change this NTP server reference or add another later, you will need to restart the service to use the new server.

    5. Choose OK to close the NTP Daemon (ntpd) Options dialog box.

    6. Choose OK to close the Time Configuration dialog box.

Deploy a customized Amazon EC2 host for S3 File Gateway

You can deploy and activate an Amazon S3 File Gateway on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The AWS Storage Gateway Amazon Machine Image (AMI) is available as a community AMI.

Note

Storage Gateway community AMIs are published and fully supported by AWS. You can see that the publisher is AWS, a verified provider.

S3 File Gateway AMIs use the following naming convention. The version number appended to the AMI name changes with each version release.

aws-storage-gateway-FILE_S3-1.25.0

To deploy an Amazon EC2 instance to host your Amazon S3 File Gateway
  1. Start setting up a new gateway using the Storage Gateway console. For instructions, see Set up an Amazon S3 File Gateway. When you reach the Platform options section, choose Amazon EC2 as the Host platform, then use the following steps to launch the Amazon EC2 instance that will host your File Gateway.

  2. Choose Launch instance to open the AWS Storage Gateway AMI template in the Amazon EC2 console, where you can configure additional settings.

    Use Quicklaunch to launch the Amazon EC2 instance with default settings. For more information on Amazon EC2 Quicklaunch default specifications, see Quicklaunch Configuration Specifications for Amazon EC2.

  3. For Name, enter a name for the Amazon EC2 instance. After the instance is deployed, you can search for this name to find your instance on list pages in the Amazon EC2 console.

  4. In the Instance type section, for Instance type, choose the hardware configuration for your instance. The hardware configuration must meet certain minimum requirements to support your gateway. We recommend starting with the m5.xlarge instance type, which meets the minimum hardware requirements for your gateway to function properly. For more information, see Requirements for Amazon EC2 instance types.

    You can resize your instance after you launch, if necessary. For more information, see Resizing your instance in the Amazon EC2 User Guide.

    Note

    Certain instance types, particularly i3 instances, use NVMe SSD disks. These can cause problems when you start or stop File Gateway; for example, you can lose data from the cache. Monitor the CachePercentDirty Amazon CloudWatch metric, and only start or stop your system when that metric is 0. To learn more about monitoring metrics for your gateway, see Storage Gateway metrics and dimensions in the CloudWatch documentation.

  5. In the Key pair (login) section, for Key pair name - required, select the key pair you want to use to securely connect to your instance. You can create a new key pair if necessary. For more information, see Create a key pair in the Amazon Elastic Compute Cloud User Guide for Linux Instances.

  6. In the Network settings section, review the preconfigured settings and choose Edit to make changes to the following fields:

    1. For VPC - required, choose the VPC where you want to launch your Amazon EC2 instance. For more information, see How Amazon VPC works in the Amazon Virtual Private Cloud User Guide.

    2. (Optional) For Subnet, choose the subnet where you want to launch your Amazon EC2 instance.

    3. For Auto-assign Public IP, choose Enable.

  7. In the Firewall (security groups) subsection, review the preconfigured settings. You can change the default name and description of the new security group to be created for your Amazon EC2 instance if you want, or choose to apply firewall rules from an existing security group instead.

  8. In the Inbound security groups rules subsection, add firewall rules to open the ports that clients will use to connect to your instance. For more information on the ports required for Amazon S3 File Gateway, see Port requirements. For more information on adding firewall rules, see Security group rules in the Amazon Elastic Compute Cloud User Guide for Linux Instances.

    Note

    Amazon S3 File Gateway requires TCP port 80 to be open for inbound traffic and one-time HTTP access during gateway activation. After activation, you can close this port.

    If you plan to create NFS file shares, you must open TCP/UDP port 2049 for NFS access, TCP/UDP port 111 for NFSv3 access, and TCP/UDP port 20048 for NFSv3 access.

    If you plan to create SMB file shares, you must open TCP port 445 for SMB access.

  9. In the Advanced network configuration subsection, review the preconfigured settings and make changes if necessary.

  10. In the Configure storage section, choose Add new volume to add storage to your gateway instance.

    Important

    You must add at least one Amazon EBS volume with at least 150 GiB capacity for cache storage in addition to the preconfigured Root volume. For increased performance, we recommend allocating multiple EBS volumes for cache storage with at least 150 GiB each.

  11. In the Advanced details section, review the preconfigured settings and make changes if necessary.

  12. Choose Launch instance to launch your new Amazon EC2 gateway instance with the configured settings.

  13. To verify that your new instance launched successfully, navigate to the Instances page in the Amazon EC2 console and search for your new instance by name. Ensure that Instance state displays Running with a green check mark, and that the Status check is complete and shows a green check mark.

  14. Select your instance from the details page. Copy the Public IPv4 address from the Instance summary section, then return to the Set up gateway page in the Storage Gateway console to resume setting up your Amazon S3 File Gateway.

You can determine the AMI ID to use for launching a File Gateway by using the Storage Gateway console or by querying the AWS Systems Manager parameter store.

To determine the AMI ID, do one of the following:

  • Start setting up a new gateway using the Storage Gateway console. For instructions, see Set up an Amazon S3 File Gateway. When you reach the Platform options section, choose Amazon EC2 as the Host platform, then choose Launch instance to open the AWS Storage Gateway AMI template in the Amazon EC2 console.

    You are redirected to the EC2 community AMI page, where you can see the AMI ID for your AWS Region in the URL.

  • Query the Systems Manager parameter store. You can use the AWS CLI or Storage Gateway API to query the Systems Manager public parameter under the namespace /aws/service/storagegateway/ami/FILE_S3/latest. For example, the following CLI command returns the ID of the current AMI in the AWS Region you specify.

    aws --region us-east-2 ssm get-parameter --name /aws/service/storagegateway/ami/FILE_S3/latest

    The CLI command returns output similar to the following.

    {
        "Parameter": {
            "Type": "String",
            "LastModifiedDate": 1561054105.083,
            "Version": 4,
            "ARN": "arn:aws:ssm:us-east-2::parameter/aws/service/storagegateway/ami/FILE_S3/latest",
            "Name": "/aws/service/storagegateway/ami/FILE_S3/latest",
            "Value": "ami-123c45dd67d891000"
        }
    }
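The console procedure above and the AMI lookup just shown, carried out with the AWS CLI, as an added example that is not part of the AWS documentation. It assumes a configured AWS CLI whose credentials may call ssm:GetParameter and the EC2 APIs used; VPC_ID, SUBNET_ID, KEY_NAME and CLIENT_CIDR are placeholders, and the security-group name, the 165 GiB cache size and the Name tag are constructed choices. The values taken from the page are the SSM parameter path, the m5.xlarge instance type, the inbound ports, the 150 GiB cache minimum, the /dev/sdb cache device and the IMDSv2 requirement.

```shell
#!/bin/sh
# Added example (not AWS's own code): deploy an EC2 host for S3 File Gateway
# with the AWS CLI, mirroring the console steps. Placeholders: VPC_ID,
# SUBNET_ID, KEY_NAME, CLIENT_CIDR. The SSM parameter path, ports, minimum
# cache size and /dev/sdb device come from the documentation.
set -eu

AWS_REGION="${AWS_REGION:-us-east-2}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"
KEY_NAME="${KEY_NAME:-my-gateway-key}"
CLIENT_CIDR="${CLIENT_CIDR:-10.0.0.0/16}"   # constructed: CIDR of the NFS/SMB clients
CACHE_GIB="${CACHE_GIB:-165}"               # constructed: matches the console default

# Reject cache volumes below the 150 GiB minimum the documentation requires.
cache_volume_ok() {
    [ "$1" -ge 150 ]
}

# Build the --ip-permissions JSON for the documented gateway ports:
# 80/tcp (activation only), 2049, 111 and 20048 over tcp+udp (NFS), 445/tcp (SMB).
# Every rule is restricted to the client CIDR rather than 0.0.0.0/0.
ingress_permissions_json() {
    cidr="$1"
    printf '['
    printf '{"IpProtocol":"tcp","FromPort":80,"ToPort":80,"IpRanges":[{"CidrIp":"%s","Description":"activation only - revoke after activation"}]},' "$cidr"
    for port in 2049 111 20048; do
        for proto in tcp udp; do
            printf '{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s"}]},' "$proto" "$port" "$port" "$cidr"
        done
    done
    printf '{"IpProtocol":"tcp","FromPort":445,"ToPort":445,"IpRanges":[{"CidrIp":"%s"}]}' "$cidr"
    printf ']'
}

# Count the rule objects produced above (plain text check, no jq required).
ingress_rule_count() {
    ingress_permissions_json "$1" | grep -o '"FromPort"' | wc -l | tr -d ' '
}

deploy_gateway_host() {
    cache_volume_ok "$CACHE_GIB" || { echo "cache volume must be at least 150 GiB" >&2; return 1; }

    # Resolve the current S3 File Gateway AMI for the Region from the public SSM parameter.
    ami_id=$(aws --region "$AWS_REGION" ssm get-parameter \
        --name /aws/service/storagegateway/ami/FILE_S3/latest \
        --query 'Parameter.Value' --output text)

    # Security group with only the documented inbound ports, scoped to the client CIDR.
    sg_id=$(aws --region "$AWS_REGION" ec2 create-security-group \
        --group-name s3-file-gateway-sg --description "S3 File Gateway clients" \
        --vpc-id "$VPC_ID" --query 'GroupId' --output text)
    aws --region "$AWS_REGION" ec2 authorize-security-group-ingress \
        --group-id "$sg_id" --ip-permissions "$(ingress_permissions_json "$CLIENT_CIDR")"

    # Launch with a gp3 cache volume at /dev/sdb, a public IPv4 address for
    # activation, and IMDSv2 required (HttpTokens=required).
    aws --region "$AWS_REGION" ec2 run-instances \
        --image-id "$ami_id" --instance-type m5.xlarge --key-name "$KEY_NAME" \
        --subnet-id "$SUBNET_ID" --security-group-ids "$sg_id" \
        --associate-public-ip-address \
        --block-device-mappings "[{\"DeviceName\":\"/dev/sdb\",\"Ebs\":{\"VolumeSize\":$CACHE_GIB,\"VolumeType\":\"gp3\",\"DeleteOnTermination\":true}}]" \
        --metadata-options HttpTokens=required,HttpEndpoint=enabled \
        --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=s3-file-gateway}]' \
        --query 'Instances[0].InstanceId' --output text
}

# Only call AWS when explicitly asked, so the helper functions can be sourced safely.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
    deploy_gateway_host
fi
```

Run it as RUN_DEPLOY=1 ./deploy-gateway.sh after setting the placeholders. The port 80 rule carries a Description so it is easy to find and revoke with aws ec2 revoke-security-group-ingress once activation has completed, as the note above advises. The Ebs mapping also accepts "Encrypted":true if you want the cache volume encrypted; the console default shown later on this page leaves it unencrypted.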

Deploy a default Amazon EC2 host for S3 File Gateway

This topic lists the steps to deploy an Amazon EC2 host using the default specifications.

You can deploy and activate an Amazon S3 File Gateway on an Amazon Elastic Compute Cloud (Amazon EC2) instance. The AWS Storage Gateway Amazon Machine Image (AMI) is available as a community AMI.

Note

Storage Gateway community AMIs are published and fully supported by AWS. You can see that the publisher is AWS, a verified provider.

  1. To set up the Amazon EC2 instance, choose Amazon EC2 as the Host platform in the Platform options section of the workflow. For instructions on configuring the Amazon EC2 instance, see Deploying an Amazon EC2 instance to host your Amazon S3 File Gateway.

  2. Select Launch instance to open the AWS Storage Gateway AMI template in the Amazon EC2 console and customize additional settings such as Instance types, Network settings and Configure storage.

  3. Optionally, you can select Use default settings in the Storage Gateway console to deploy an Amazon EC2 instance with the default configuration.

    The Amazon EC2 instance that Use default settings creates has the following default specifications:

    • Instance type: m5.xlarge

    • Network Settings

      • For VPC, select the VPC that you want your EC2 instance to run in.

      • For Subnet, specify the subnet that your EC2 instance should be launched in.

        Note

        VPC subnets appear in the drop-down only if they have the auto-assign public IPv4 address setting activated in the VPC management console.

      • Auto-assign Public IP: Activated

      • An EC2 security group is created and associated with the EC2 Instance. The security group has the following inbound port rules:

        Note

        You will need Port 80 open during gateway activation. The port is closed immediately following activation. Thereafter, your EC2 instance can only be accessed over the other ports from the selected VPC.

        The file shares on your gateway are only accessible from the hosts in the same VPC as the gateway. If the file shares need to be accessed from hosts outside of the VPC, you should update the appropriate security group rules.

        You can edit security groups at any time by navigating to the Amazon EC2 instance details page, selecting Security, navigating to Security group details, and choosing the security group ID.

        Port    Protocol    File System Protocol
        80      TCP         HTTP access for activation
        111     TCP, UDP    NFSv3
        139     TCP, UDP    SMB
        445     TCP         SMB
        2049    TCP, UDP    NFS
        20048   TCP, UDP    NFSv3

    • Configure storage

      Default Settings        AMI Root Volume    Volume 2 Cache
      Device Name                                '/dev/sdb'
      Size                    80 GiB             165 GiB
      Volume Type             gp3                gp3
      IOPS                    3000               3000
      Delete on termination   Yes                Yes
      Encrypted               No                 No
      Throughput              125                125

Modify Amazon EC2 instance metadata options

The instance metadata service (IMDS) is an on-instance component that provides secure access to Amazon EC2 instance metadata. An instance can be configured to accept incoming metadata requests that use IMDS Version 1 (IMDSv1) or require that all metadata requests use IMDS Version 2 (IMDSv2). IMDSv2 uses session-oriented requests and mitigates several types of vulnerabilities that could be used to try to access the IMDS. For information about IMDSv2, see How Instance Metadata Service Version 2 works in the Amazon Elastic Compute Cloud User Guide.

We recommend that you require IMDSv2 for all Amazon EC2 instances that host Storage Gateway. IMDSv2 is required by default on all newly launched gateway instances. If you have existing instances that are still configured to accept IMDSv1 metadata requests, see Require the use of IMDSv2 in the Amazon Elastic Compute Cloud User Guide for instructions to modify your instance metadata options to require the use of IMDSv2. Applying this change does not require an instance reboot.
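Auditing existing gateway instances for IMDSv1 and switching them to require IMDSv2, as an added example that is not part of the AWS documentation. It assumes a configured AWS CLI that may call ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions; AWS_REGION is a placeholder, and the sample instance IDs in the comments are constructed. The no-reboot behaviour is the one stated on the page.

```shell
#!/bin/sh
# Added example (not AWS's own code): find EC2 instances whose metadata options
# still accept IMDSv1 (HttpTokens != required) and require IMDSv2 on them.
# Placeholder: AWS_REGION. Constructed sample input is shown in comments.
set -eu

AWS_REGION="${AWS_REGION:-us-east-2}"

# Read "instance-id<TAB>HttpTokens" lines (the shape list_imds_settings emits) and
# print only the instance IDs that do not require IMDSv2.
# Constructed input:  i-0aaa<TAB>required / i-0bbb<TAB>optional  ->  prints i-0bbb
instances_allowing_imdsv1() {
    while IFS="$(printf '\t')" read -r instance_id http_tokens; do
        [ -n "$instance_id" ] || continue
        if [ "$http_tokens" != "required" ]; then
            echo "$instance_id"
        fi
    done
}

# Query every instance's HttpTokens setting in the Region, one tab-separated line each.
list_imds_settings() {
    aws --region "$AWS_REGION" ec2 describe-instances \
        --query 'Reservations[].Instances[].[InstanceId,MetadataOptions.HttpTokens]' \
        --output text
}

# Require IMDSv2 on one instance and echo the resulting HttpTokens value.
# The documentation states this change does not need an instance reboot.
require_imdsv2() {
    aws --region "$AWS_REGION" ec2 modify-instance-metadata-options \
        --instance-id "$1" --http-tokens required --http-endpoint enabled \
        --query 'InstanceMetadataOptions.HttpTokens' --output text
}

# Audit the Region and remediate every instance still accepting IMDSv1.
remediate_all() {
    list_imds_settings | instances_allowing_imdsv1 | while read -r id; do
        echo "requiring IMDSv2 on $id: $(require_imdsv2 "$id")"
    done
}

# Only call AWS when explicitly asked, so the pure helper can be sourced and tested.
if [ "${RUN_REMEDIATE:-0}" = "1" ]; then
    remediate_all
fi
```

Run it as RUN_REMEDIATE=1 ./require-imdsv2.sh. The describe-instances query covers every instance in the Region; if you want to limit it to gateway hosts, add a --filters argument on a tag of your choosing. Re-running list_imds_settings afterwards should show required for each instance that was changed.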