How can I set up a private network connection between a file gateway and Amazon S3?

Short description

You can set up a private network connection between a file gateway and Amazon S3 within an Amazon Virtual Private Cloud (Amazon VPC) where the gateway appliance connects with service endpoints over an internal private network. To set up this private connection within a VPC, do the following:

1. Create either a VPC gateway endpoint or an interface endpoint for Amazon S3.
2. Create a file gateway using a VPC endpoint.

Amazon S3 File Gateway supports two Amazon S3 endpoints. However, you need to create only one type of endpoint based on your use case.

Note: Amazon S3 gateway endpoints can't be used with on-premises gateways. An Amazon S3 gateway endpoint is used with Amazon EC2 instance-based gateways. Amazon S3 interface endpoints can be used with both on-premises and EC2 instance-based gateways

Resolution

Create a VPC gateway endpoint for Amazon S3

1. Open the Amazon VPC console.
2. In the navigation pane, choose Endpoints.
3. Choose Create Endpoint.
4. For Service category, select AWS services.
5. For Service Name, select the Service Name that ends with s3 and has Type as Gateway.
6. For VPC, select the VPC that you want to use when accessing Storage Gateway.
7. For Configure route tables, select the Route Table ID for your configuration.
8. Choose Create endpoint.

When using Gateway VPC endpoints, VPC endpoint policies are used to restrict access and only allow requests to S3 buckets from authorized users. In addition, you can control which buckets are accessible from a particular VPC. This is the best practices model for accessing S3 from a VPC in the same Region. To use a Gateway VPC endpoint from on-premises applications, or to access S3 from a VPC in a different AWS Region, you must have set up a fleet of proxy servers with private IP addresses in your VPC. This results in changes to your on-premises applications so that they direct requests to the proxy servers, and then forward them to S3 through your VPC endpoint.

Create a VPC interface endpoint for Amazon S3

1. Open the Amazon VPC console.
2. In the navigation pane, choose Endpoints.
3. Choose Create Endpoint.
4. For Service category, select AWS services.
5. For Service Name, select the service name that ends with s3 and has Type as Interface.
6. For VPC, select the VPC and subnets that you want to use when accessing Storage Gateway.
7. For Security group, select the security group where port 443 is opened.
8. Choose Create endpoint.

Create a file gateway using the VPC endpoint

To create a file gateway using a VPC endpoint, you must create a VPC endpoint for Storage Gateway, create and configure a file gateway and activate your gateway in a VPC.

Note: If you're using on-premises Storage Gateway using a private connectivity with AWS, then you can use interface endpoint for Amazon S3 that works without an Amazon Elastic Compute Cloud (Amazon EC2) proxy.

Create file share using the VPC interface endpoint for Amazon S3

With Amazon S3 File Gateway, you can create a file share that can be accessed using either the Network File System (NFS) or Server Message Block (SMB) protocol. For more information on creating a file share, see Creating a file share.

Test the network connectivity

Note: Testing the connectivity helps you to check if the Storage Gateway appliance can connect with the service endpoint over the required TCP port.

1. Connect to the file gateway's Amazon EC2 host instance using SSH.
2. In the SSH session, enter 3 to select 3: Test Network Connectivity.
3. The tests return [ PASSED ] for a successful network connection.

---

Related information

Use cases (AWS PrivateLink and VPC endpoints)

Performing maintenance tasks on the local console

Secure hybrid access to Amazon S3 using AWS PrivateLink