I want to set up a private network connection between an Amazon S3 File Gateway and Amazon Simple Storage Service (Amazon S3). I don't want my gateway to communicate with AWS services over the internet.
Short description
You can set up a private network connection between an S3 File Gateway and Amazon S3 within an Amazon Virtual Private Cloud (Amazon VPC). The gateway connects with service endpoints over an internal private network.
To set up the private connection within a VPC, complete the following steps:
- Create either a VPC gateway endpoint or an interface endpoint for Amazon S3.
- Create and activate an S3 File Gateway with the VPC endpoint.
Note: You can't use Amazon S3 gateway endpoints with on-premises gateways. Use an Amazon S3 gateway endpoint only with Amazon Elastic Compute Cloud (Amazon EC2) instance-based gateways. However, you can use Amazon S3 interface endpoints with both on-premises and EC2 instance-based gateways.
Resolution
Create only one of the two endpoint types, based on your use case.
Create a VPC gateway endpoint for Amazon S3
To create a gateway endpoint for Amazon S3, see Create a gateway endpoint.
Attach a VPC endpoint policy to restrict access and allow only authorized users to make requests to the S3 buckets. Also, you can control the buckets that users can access from a specific VPC. It's best practice to use VPC endpoint policies and bucket policies when you access Amazon S3 from a VPC in the same Region.
Note: For your on-premises applications to access Amazon S3, it's a best practice to use an interface endpoint.
Create a VPC interface endpoint for Amazon S3
Complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Endpoints.
- Choose Create endpoint.
- For Type, select AWS services.
- For Services, select the service name that ends with s3 and has Type set to Interface.
- For VPC, select the VPC and subnets that you want to use.
- For Security group, select a security group that allows traffic on TCP port 443.
- Choose Create endpoint.
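The endpoint policy and bucket policy recommended under the gateway endpoint section, together with the interface endpoint creation above, as an added example that is not part of the original article. It uses the AWS CLI; the region, VPC, subnet, security group and endpoint IDs and the bucket names are placeholders, and the action list in the endpoint policy is an assumption to trim to what your file share's IAM role needs.

```shell
# Added example, not from the AWS article; IDs and bucket names are placeholders.
set -eu

# Endpoint policy that limits what the S3 interface endpoint may reach to the
# buckets backing your file shares. The action list is an assumption; trim it
# to the operations your file share's IAM role actually uses.
s3_endpoint_policy() {
  resources=""
  for b in "$@"; do
    resources="${resources}\"arn:aws:s3:::${b}\",\"arn:aws:s3:::${b}/*\","
  done
  resources="${resources%,}"          # drop the trailing comma
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Sid": "GatewayBucketsOnly", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
              "s3:GetBucketLocation", "s3:AbortMultipartUpload",
              "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts"],
   "Resource": [${resources}]}]}
EOF
}

# Bucket policy that rejects requests not arriving through the given VPC
# endpoint. Caution: this also blocks console and CLI access from outside the
# VPC, so test it on a scratch bucket and keep an admin exception before use.
s3_bucket_policy_vpce_only() {
  bucket=$1; vpce=$2
  cat <<EOF
{"Version": "2012-10-17",
 "Statement": [{"Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*",
   "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
   "Condition": {"StringNotEquals": {"aws:sourceVpce": "${vpce}"}}}]}
EOF
}

# Create the S3 interface endpoint with the policy attached; the security group
# must allow TCP 443 from the gateway. Requires AWS CLI credentials. Usage:
#   create_s3_interface_endpoint us-east-1 vpc-0123 sg-0123 gw-bucket subnet-a subnet-b
create_s3_interface_endpoint() {
  region=$1; vpc=$2; sg=$3; bucket=$4; shift 4
  aws ec2 create-vpc-endpoint \
    --region "$region" --vpc-id "$vpc" \
    --vpc-endpoint-type Interface \
    --service-name "com.amazonaws.${region}.s3" \
    --subnet-ids "$@" \
    --security-group-ids "$sg" \
    --policy-document "$(s3_endpoint_policy "$bucket")"
}
```

Apply the bucket policy with `aws s3api put-bucket-policy --bucket <name> --policy "$(s3_bucket_policy_vpce_only <name> <vpce-id>)"` once the endpoint exists and the gateway's connectivity test passes.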
Create an S3 File Gateway with the VPC endpoint
Complete the following steps:
- Create a VPC endpoint for Storage Gateway.
- Set up an S3 File Gateway.
- Connect your S3 File Gateway to a VPC.
- Review your settings, and activate the S3 File Gateway.
Note: If you use an on-premises Storage Gateway with a private connection to AWS, then you can use an interface endpoint for Amazon S3 without an Amazon EC2 proxy.
Create a file share with the VPC interface endpoint for Amazon S3
Create a file share with S3 File Gateway that you can access with either the Network File System (NFS) or Server Message Block (SMB) protocol.
Note: When you create a file share, you can select only the interface type of VPC endpoint in the configuration. To use an Amazon S3 VPC gateway endpoint with an Amazon EC2 based Storage Gateway, the instance's subnet must already be present in a route table that is associated with the Amazon S3 VPC gateway endpoint.
Test the network connectivity
Note: Test the connectivity to confirm that the Storage Gateway appliance can connect with the service endpoint over the required TCP port.
Complete the following steps:
- Connect to the file gateway's local console.
- In the SSH or local console session, enter 3 to select 3: Test Network Connectivity. This verifies connectivity to the Storage Gateway service endpoints, which include the control, proxy, and data planes.
- If the network connection is successful, then you receive a [ PASSED ] result.
- Enter 4, and then select 4: Test S3 Connectivity to confirm the connection to S3 service endpoints over port 443.
Related information
Use cases
Secure hybrid access to Amazon S3 using AWS PrivateLink