I want to activate my gateway on AWS Storage Gateway with an Amazon Virtual Private Cloud (Amazon VPC) endpoint (provided by AWS PrivateLink). However, the activation fails.
Resolution
Prerequisite: Confirm that your gateway meets the hardware and storage requirements for Storage Gateway.
Troubleshoot a gateway that's hosted on-premises
Note: The following steps don't apply to an on-premises file gateway that uses an Amazon Simple Storage Service (Amazon S3) VPC endpoint for Amazon S3 traffic.
To troubleshoot a gateway that's hosted on-premises, perform the following checks:
- Confirm that your on-premises local network can communicate with your Amazon VPC, either over AWS Direct Connect or VPN. Ping the private IP address of an Amazon Elastic Compute Cloud (Amazon EC2) instance within the VPC from your virtual machine or on-premises server.
- Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222.
- Review the on-premises AWS Network Firewall. Confirm that the firewall allows outbound traffic to the gateway's domain name or IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222. Additionally, confirm that the firewall allows inbound traffic to the gateway's IP address on TCP port 80.
- To confirm that your gateway can connect to the VPC endpoint, run a network connectivity test from your gateway's local console.
Troubleshoot an on-premises file gateway that uses an Amazon S3 Gateway type VPC endpoint
If your on-premises file gateway uses an Amazon S3 Gateway type VPC endpoint for Amazon S3 traffic, then you must create an HTTP proxy. The HTTP proxy can be hosted on an Amazon EC2 instance.
Note: In this configuration, you must also have a VPC endpoint for Storage Gateway, in addition to the VPC endpoint for Amazon S3. If your HTTP proxy uses a Squid proxy server, then the default TCP port is 3128.
To troubleshoot failed activation for an on-premises file gateway that uses an Amazon S3 Gateway type VPC endpoint, perform the following checks:
- Confirm that the private IP address of the EC2 instance (HTTP proxy host) is configured on the on-premises gateway. Also, confirm that outbound HTTP proxy traffic is allowed on TCP port 3128.
- Check the security group that's attached to the EC2 instance (HTTP proxy host). Confirm that the security group allows inbound traffic from the gateway's IP address on TCP port 3128.
- Check the security group that's attached to the Storage Gateway VPC endpoint. Confirm that the security group allows inbound traffic from the EC2 instance's (HTTP proxy host) IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222.
- Review the on-premises Network Firewall. Confirm that the firewall allows outbound traffic to the EC2 instance's (HTTP proxy host) private IP address on TCP port 3128.
Troubleshoot a gateway that's hosted on Amazon EC2
To troubleshoot a gateway that's hosted on Amazon EC2, perform the following checks:
- Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222.
- Check the security group that's attached to the gateway. Confirm that the security group allows inbound traffic on TCP port 80.
- Confirm that the workstation that you use to activate the gateway can communicate with the VPC of the gateway instance over Direct Connect or VPN.
Note: If your workstation can't communicate with the VPC, then activate the gateway from another instance within the same VPC.
Use VPC Flow Logs to troubleshoot Storage Gateway activation with a VPC endpoint
To get more information about what's causing your gateway's activation to fail, turn on VPC Flow Logs on the network interface of the VPC endpoint.
After you turn on VPC Flow Logs, review the flow records for the VPC endpoint. For example, use the flow logs to determine if any ports reject the traffic required for your gateway's activation.
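As an added example (not from this article), the following script performs the review described above offline: it scans default-format VPC Flow Log records for TCP flows from the gateway's IP address to the endpoint's network interface that were rejected on one of the activation ports. The network interface ID, IP addresses, and log lines are constructed sample data.

```python
# Added example: find REJECTed flows to the Storage Gateway VPC endpoint ENI on
# the activation ports, using default-format (version 2) VPC Flow Log records.
# ENI ID, addresses and log lines are constructed sample data, not real values.

# TCP ports the endpoint's security group must allow for activation.
ACTIVATION_PORTS = {443, 1026, 1027, 1028, 1031, 2222}

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log-status")


def parse_record(line):
    """Parse one space-separated flow log record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def rejected_activation_ports(lines, endpoint_eni, gateway_ip):
    """Return {dstport: count} of TCP flows from gateway_ip to endpoint_eni that
    were REJECTed on an activation port, e.g. by a missing security group rule."""
    rejects = {}
    for line in lines:
        rec = parse_record(line)
        # Skip malformed lines, the header line of S3-delivered files (its
        # log-status field reads "log-status") and NODATA/SKIPDATA records.
        if rec is None or rec["log-status"] != "OK":
            continue
        if (rec["interface-id"] == endpoint_eni and rec["srcaddr"] == gateway_ip
                and rec["protocol"] == "6" and rec["action"] == "REJECT"):
            port = int(rec["dstport"])
            if port in ACTIVATION_PORTS:
                rejects[port] = rejects.get(port, 0) + 1
    return rejects


# Constructed sample: gateway 192.168.10.5 talking to the endpoint ENI's private IP.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 192.168.10.5 10.0.1.20 51022 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 192.168.10.5 10.0.1.20 51023 1026 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 192.168.10.5 10.0.1.20 51024 2222 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 192.168.10.5 10.0.1.20 51025 1026 6 3 180 1700000030 1700000090 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.77 10.0.1.20 40000 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    found = rejected_activation_ports(SAMPLE_LOG.splitlines(),
                                      "eni-0123456789abcdef0", "192.168.10.5")
    for port, n in sorted(found.items()):  # prints TCP 1026 (2) and TCP 2222 (1)
        print(f"TCP {port}: {n} rejected flow(s) - add an inbound rule for this port")
```

Each port reported maps directly to a missing or wrong inbound rule in the security group attached to the VPC endpoint; port 443 is absent from the report because its flow was accepted.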