How to create AWS File Gateway on EC2 and activate to PrivateLink, and use S3 PrivateLink?

You can activate an AWS Storage Gateway to one of three endpoint types: 1) Public, 2) VPC, 3) FIPS.

In this post, we will go through the steps below and activate the gateway to a VPC endpoint using the AWS CLI. An interface VPC endpoint provides PrivateLink, that is, private access to the Storage Gateway and S3 services without traversing the internet.

1) Create Storage Gateway and S3 interface VPC endpoints
2) Launch an EC2 instance using the Storage Gateway AMI
3) Activate the gateway to the Storage Gateway VPC endpoint
4) Create an NFS file share using the S3 VPC endpoint

1) Create Storage Gateway and S3 interface VPC endpoints (PrivateLink):

S3 VPC interface endpoint:
$ aws ec2 create-vpc-endpoint --vpc-id <vpc-12345678> --vpc-endpoint-type Interface --service-name com.amazonaws.us-west-2.s3 --subnet-id <subnet-1234567> --security-group-id <sg-1234567> --no-private-dns-enabled

Storage Gateway VPC interface endpoint:
$ aws ec2 create-vpc-endpoint --vpc-id <vpc-12345678> --vpc-endpoint-type Interface --service-name com.amazonaws.us-west-2.storagegateway --subnet-id <subnet-1234567> --security-group-id <sg-1234567> --no-private-dns-enabled

You can choose a private subnet with no internet access. For the S3 VPC endpoint security group, allow inbound TCP port 443 only from the File Gateway EC2 instance's IP address. For the Storage Gateway VPC endpoint security group, allow inbound TCP ports 443, 1026, 1027, 1028, 1031 and 2222 only from the File Gateway EC2 instance's IP address. Disable private DNS, as neither the Storage Gateway nor the S3 VPC endpoint supports private DNS.
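The port lists above as a small Python helper (an added example, not code from the original post): it builds the JSON for `aws ec2 authorize-security-group-ingress --ip-permissions` restricted to the gateway instance's /32, and audits the IpPermissions returned by `aws ec2 describe-security-groups` for anything broader. The gateway IP 172.31.18.129 is the one used later in the post; the sample rule set is constructed and boto3 is not required.

```python
import json
from ipaddress import ip_network

# Ports from the post: S3 endpoint needs TCP 443; the Storage Gateway
# endpoint needs TCP 443, 1026, 1027, 1028, 1031 and 2222.
S3_ENDPOINT_PORTS = {443}
SGW_ENDPOINT_PORTS = {443, 1026, 1027, 1028, 1031, 2222}


def ingress_permissions(gateway_ip, ports):
    """Return the --ip-permissions structure for authorize-security-group-ingress:
    one TCP rule per required port, source limited to the gateway instance /32."""
    cidr = str(ip_network(gateway_ip))  # validates the address, yields x.x.x.x/32
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": cidr, "Description": "file gateway instance"}]}
        for p in sorted(ports)
    ]


def audit_ingress(permissions, gateway_ip, ports):
    """Check an IpPermissions list (describe-security-groups output) against the
    least-privilege expectation: TCP only, required ports only, gateway /32 only.
    Returns a list of human-readable findings; an empty list means compliant."""
    findings = []
    allowed = ip_network(gateway_ip)
    for perm in permissions:
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1" or lo is None or hi is None:  # "-1" is "all traffic" in EC2
            findings.append("rule allows all protocols/ports")
            continue
        if proto != "tcp":
            findings.append(f"non-TCP rule: {proto} {lo}-{hi}")
        extra = set(range(lo, hi + 1)) - set(ports)
        if extra:
            findings.append(f"unneeded ports open: {sorted(extra)}")
        for r in perm.get("IpRanges", []):
            src = ip_network(r["CidrIp"])
            if src != allowed:
                findings.append(f"source {src} is not the gateway /32 {allowed}")
    return findings


# Constructed sample of an over-broad security group: 443 from anywhere and a
# 1024-1031 range that opens four ports the gateway does not need.
SAMPLE_BROAD = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 1031, "IpRanges": [{"CidrIp": "172.31.18.129/32"}]},
]

if __name__ == "__main__":
    print(json.dumps(ingress_permissions("172.31.18.129", SGW_ENDPOINT_PORTS), indent=2))
    for finding in audit_ingress(SAMPLE_BROAD, "172.31.18.129", SGW_ENDPOINT_PORTS):
        print("FINDING:", finding)
```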

2) Launch an EC2 instance using the Storage Gateway AMI:

a) Fetch the latest AMI for the launch region:
$ aws --region us-west-2 ssm get-parameter --name /aws/service/storagegateway/ami/FILE_S3/latest

b) Launch the Storage Gateway EC2 instance:
Provide the AMI ID from the previous step as the image ID and use the m5.xlarge instance type, which meets the minimum hardware requirements. For File Gateway, you need an EBS volume of at least 150 GB as the cache disk. You can create a mapping.json file as below and pass it to --block-device-mappings.

[
  {
    "DeviceName": "/dev/sdh",
    "Ebs": {
      "VolumeSize": 150
    }
  }
]

$ aws ec2 run-instances --image-id ami-01474d4f7ea4e4c90 --instance-type m5.xlarge --subnet-id subnet-1234567 --security-group-ids sg-1234567 --key-name <keyname> --block-device-mappings file://mapping.json

3) Activate the gateway to the Storage Gateway VPC endpoint:

a) Fetch the activation key:
You can get the activation key by following the steps here through the EC2 local console. With this method, you don't need to temporarily allow inbound TCP port 80 in the gateway EC2 instance's security group.
Alternatively, run the following curl command, or enter the URL in a browser, to get an activation key bound to the VPC endpoint. You need to allow inbound TCP port 80 in the gateway EC2 instance's security group from the workstation where you run the command.

$ curl "http://172.31.18.129/?gatewayType=FILE_S3&activationRegion=us-west-2&vpcEndpoint=vpce-1234-5678.storagegateway.us-west-2.vpce.amazonaws.com&no_redirect"

This returns an activation key that looks like this: RVBA3-16RBB-RMVB2-MRSI8-SK2U3

b) Activate the gateway:
Run the following command to complete the gateway activation. If you are activating from a computer in a private subnet with no internet access, supply --endpoint-url with the Storage Gateway VPC endpoint DNS name.

$ aws --region us-west-2 storagegateway activate-gateway --activation-key RVBA3-16RBB-RMVB2-MRSI8-SK2U3 --gateway-type FILE_S3 --gateway-name file_gateway --gateway-timezone GMT-5:00 --gateway-region us-west-2

The response to the above command contains the gateway ARN; run describe-gateway-information with that ARN to verify the gateway details.

4) Create the file share using the S3 VPC endpoint:
$ aws storagegateway create-nfs-file-share --location-arn arn:aws:s3:::<bucketname> --gateway-arn arn:aws:storagegateway:us-west-2:111122223333:gateway/sgw-12345678 --vpc-endpoint-dns-name vpce-12345-789.s3.us-west-2.vpce.amazonaws.com --bucket-region us-west-2 --role arn:aws:iam::111122223333:role/service-role/StorageGatewayBucketAccessRole --client-token 111

To create the file share using the AWS Management Console, you can follow the steps here.

That completes the share creation using the S3 VPC interface endpoint. Your file gateway and its traffic to S3 now stay within a private network without any internet access. Note that when running Storage Gateway on an on-premises hypervisor, you need a VPN or Direct Connect connection to reach the S3 and Storage Gateway interface VPC endpoints (also called PrivateLink).
