AWS Storage Gateway

AWS Storage Gateway is a hybrid cloud storage service that gives on-premises applications access to virtually unlimited cloud storage. Customers use it to simplify storage management and reduce costs for common hybrid cloud storage use cases: shrinking physical data center infrastructure, long-term file retention, backup and recovery, and giving on-premises workloads the elasticity of cloud architectures and on-demand access to their data. Storage Gateway can provide low-latency Network File System (NFS) access to Amazon Simple Storage Service (Amazon S3) objects from on-premises applications, while the same objects remain accessible to any application that uses the Amazon S3 API. It offers file-based, volume-based, and tape-based storage configurations.

  • AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless and secure storage integration between an organization's on-premises IT environment and the AWS storage infrastructure.
  • AWS Storage Gateway enables users to securely store data in the AWS Cloud for scalable and cost-effective storage, and supports industry-standard storage protocols that work with existing applications.
  • AWS Storage Gateway provides low-latency performance by keeping frequently accessed data on-premises while storing all of the data, encrypted, in Amazon S3 or Amazon S3 Glacier.
  • For disaster recovery scenarios, AWS Storage Gateway, together with Amazon EC2, can serve as a cloud-hosted solution that mirrors the entire production environment.
  • With gateway-cached volumes, users can use Amazon S3 to hold the primary data, while retaining some portion of it locally in a cache for frequently accessed data. Gateway-cached volumes minimize the need to scale on-premises storage infrastructure while still providing applications with low-latency access to their frequently accessed data.

AWS Storage Gateway Benefits

AWS Storage Gateway is managed and updated from the AWS Management Console. Users download the gateway virtual machine software from AWS or deploy the dedicated hardware appliance, assign an IP address to the gateway, and associate the gateway with their AWS account by activating it. Deployment is fast, and cloud storage is delivered and billed on demand, so businesses can scale with the AWS Cloud as their needs fluctuate. Workloads can expand and contract, backup and archive storage can grow without upfront costs, and users can provision additional storage capacity without new hardware. For customers looking for hybrid cloud storage, Storage Gateway provides an on-ramp to the cloud while continuing to support on-premises applications.

Compression, encryption, and bandwidth management are built in. Storage Gateway offloads the local cache to the cloud according to the desired performance parameters, letting users tune the balance of latency and scale for their workloads. Only data that changes is transferred, which conserves network bandwidth. The gateway caches data in the local VM or hardware appliance, providing low-latency disk and network performance for the most active data, with optimized transfers to AWS Cloud storage happening in the background. On-premises applications continue to work with a local storage model while the data gains the benefits of the AWS Cloud.

Data stored through AWS Storage Gateway benefits from the durability and security of the AWS Cloud storage services behind it. Storage management tools such as versioning, Cross-Region Replication (CRR), and lifecycle management policies can lower the cost of long-term archiving, simplify audit and compliance requirements, and safeguard all of the data, not just the data kept on-premises. AWS Storage Gateway high availability on VMware meets the operational needs of uninterruptible, latency-sensitive workloads such as media drives, streaming log repositories, and storage for scientific instruments. All data that AWS Storage Gateway transfers to AWS is encrypted in transit and encrypted at rest in AWS.

Hybrid cloud storage means the data can be accessed on-premises and stored durably in AWS Cloud storage services, including Amazon S3, Amazon S3 Glacier, Amazon S3 Glacier Deep Archive, and Amazon EBS. Once data is in AWS, users can apply AWS compute, machine learning, and big data analytics services to gain more insight from it. Users can also use the full AWS portfolio of security and management services, including AWS Key Management Service (AWS KMS), AWS Identity and Access Management (IAM), Amazon Simple Notification Service (Amazon SNS), Amazon CloudWatch, and AWS CloudTrail.

AWS Storage Gateway Features

Performance: Because the AWS Storage Gateway VM sits between the application, Amazon S3, and the underlying on-premises storage, performance depends on a number of factors: the speed and configuration of the underlying local disks, the network bandwidth between the iSCSI initiator and the gateway VM, the amount of local storage allocated to the gateway VM, and the bandwidth between the gateway VM and Amazon S3.

  • For gateway-cached volumes, to provide low-latency read access to on-premises applications, it is important that users provide enough local cache storage to hold recently accessed data.
  • The AWS Storage Gateway documentation provides guidance on how to optimize the environment setup for best performance, including how to size local storage properly.
  • AWS Storage Gateway uses the available Internet bandwidth efficiently to speed up the upload of on-premises application data to AWS.
  • AWS Storage Gateway only uploads data that has changed, which minimizes the amount of data sent over the Internet. To further increase throughput and reduce network costs, users can also use AWS Direct Connect to establish a dedicated network connection between the on-premises gateway and AWS.

AWS Integrated: AWS Storage Gateway enables users to easily consume AWS services. As a native AWS service, AWS Storage Gateway integrates with other AWS services for storage, backup, and management while still integrating with on-premises environments. The service stores files as native Amazon S3 objects, archives virtual tapes in Amazon S3 Glacier and Amazon S3 Glacier Deep Archive, and stores EBS snapshots generated by the Volume Gateway with Amazon EBS.

  • AWS Storage Gateway integrates with AWS Backup to manage backup and recovery of Volume Gateway volumes, simplifying users' backup management and helping meet business and regulatory backup compliance requirements.
  • AWS Storage Gateway publishes health and performance logs and metrics to Amazon CloudWatch and provides monitoring of metrics and alarms in the Storage Gateway console.
  • AWS Storage Gateway integrates with AWS IAM to help manage and secure access to Storage Gateway resources. Data is encrypted at rest by default with Amazon S3-managed keys (SSE-S3), or with a key of the user's own choosing through Storage Gateway's integration with AWS KMS (SSE-KMS).

Secure Data Transfer: Storage Gateway provides secure upload of changed data and secure download of requested data, encrypting data in transit between any type of gateway appliance and AWS using TLS (SSL). This protects customer data from the gateway in the enterprise network to the data residing in AWS. Note what that covers: the link between the gateway and AWS. The NFS, SMB, or iSCSI connection between on-premises clients and the gateway runs over the local network and relies on that protocol's own controls (the NFS share's client list, SMB signing or encryption, iSCSI CHAP authentication) and on network segmentation.

  • The service supports security features, access controls, and compliance certifications that address enterprise customers' real and perceived security concerns about using AWS Cloud storage via the Storage Gateway. Optimizations such as multi-part management, automatic buffering, and delta transfers are used across all gateway types, and data compression is applied to all block and virtual tape data.
  • AWS Storage Gateway encrypts all data in transit to and from AWS using TLS (SSL). All volume and snapshot data stored in AWS using gateway-stored or gateway-cached volumes, and all virtual tape data stored in AWS using a gateway-VTL, is encrypted at rest using AES-256, a symmetric-key encryption standard with 256-bit keys.
  • Storage Gateway offers Federal Information Processing Standard 140-2 (FIPS) compliant endpoints in AWS GovCloud (US-East) and AWS GovCloud (US-West).

VMware Cloud on AWS: AWS Storage Gateway provides high availability on VMware through a set of health-checks integrated with VMware vSphere High Availability (VMware HA). With this integration, Storage Gateway deployed in a VMware environment on-premises, or in VMware Cloud on AWS, will automatically recover from most service interruptions in under 60 seconds. 

  • VMware Cloud on AWS provides dedicated, single-tenant cloud infrastructure with support for up to 16 host vSphere clusters, delivered on the next-generation bare metal AWS infrastructure based on the latest Amazon EC2 Storage Optimized high I/O instances and featuring low-latency Non-Volatile Memory Express (NVMe) based SSDs.
  • Users can start from as few as 2 hosts per SDDC then scale the capacity in the clusters up to 16 hosts. VMware Cloud on AWS runs the VMware Software-Defined Data Center (SDDC) software stack directly on host servers without nested virtualization.
  • Users can move existing workloads between their existing VMware environment and VMware Cloud on AWS through cold migration, VM template migration, or even while workloads are running through live migration (vMotion).

Interfaces: The AWS Management Console can be used to download the AWS Storage Gateway VM for on-premises deployment or to launch it on an EC2 instance (an AMI that contains the gateway VM image). Users then select a gateway-cached, gateway-stored, or gateway-VTL configuration and activate the gateway by associating the gateway's IP address with their AWS account.

  • All the detailed steps for AWS Storage Gateway deployment can be found in Getting Started in the AWS Storage Gateway User Guide. 
  • The AWS CLI also provides a set of high-level, Linux-like commands for common operations on the AWS Storage Gateway service.
  • Users can use the AWS SDKs to develop applications that interact with AWS Storage Gateway. The AWS SDKs for Java, .NET, JavaScript, Node.js, Ruby, PHP, and Go wrap the underlying AWS Storage Gateway API to simplify the programming tasks.

Standard Storage Protocols: AWS Storage Gateway connects to users' local production or backup applications with NFS, SMB, iSCSI, or iSCSI-VTL, so they can adopt AWS Cloud storage without modifying the applications. Its protocol conversion and device emulation enable applications to access block data on volumes managed by Storage Gateway on top of Amazon S3, store files as native Amazon S3 objects, and keep virtual tape backups online in a virtual tape library backed by S3 or move them to an archive tier on Amazon S3 Glacier and Amazon S3 Glacier Deep Archive.

Fully Managed Cache: The local gateway appliance maintains a cache of recently written or read data so that users' applications have low-latency access to data that is stored durably in AWS. The gateways use a read-through and write-back cache, committing data locally, acknowledging the write operations, and then asynchronously copying the data to AWS, which reduces application latency.

Virtual Machine (VM)

Users can download the AWS Storage Gateway software appliance as a virtual machine (VM) image that can be installed on a host in their data center or run as an EC2 instance. Once the gateway is installed and associated with an AWS account through the activation process, users can use the AWS Management Console to create gateway-cached volumes, gateway-stored volumes, or a gateway-virtual tape library (VTL), each of which can be mounted as an Internet Small Computer Systems Interface (iSCSI) device by on-premises applications.

Gateway-cached volumes

With gateway-cached volumes, users can use Amazon S3 to hold the primary data while retaining some portion of it locally in a cache for frequently accessed data. Gateway-cached volumes minimize the need to scale on-premises storage infrastructure while still providing applications with low-latency access to their frequently accessed data. Users can create storage volumes up to 32 TiB in size and mount them as iSCSI devices from on-premises application servers.

  • Each gateway configured for gateway-cached volumes can support up to 20 volumes and total volume storage of 150 TiB. Data written to these volumes is stored in Amazon S3, with only a cache of recently written and recently read data stored locally on the users' on-premises storage hardware.
  • Gateway-cached volumes offer substantial cost savings on primary storage and minimize the need to scale storage on-premises. Users also retain low-latency access to frequently accessed data.

Gateway-stored volumes

Gateway-stored volumes store users' primary data locally while asynchronously backing that data up to AWS. These volumes provide on-premises applications with low-latency access to their entire datasets while providing durable, off-site backups. Users can create storage volumes up to 1 TiB in size and mount them as iSCSI devices from on-premises application servers.

  • Each gateway configured for gateway-stored volumes can support up to 12 volumes and total volume storage of 12 TiB.
  • Data written to gateway-stored volumes is stored on the users' on-premises storage hardware and asynchronously backed up to Amazon S3 in the form of Amazon EBS snapshots.

Gateway-VTL

A gateway-VTL lets users perform offline data archiving by presenting their existing backup application with an iSCSI-based virtual tape library consisting of a virtual media changer and virtual tape drives. Users can create virtual tapes in the Virtual Tape Library (VTL) by using the AWS Management Console, and they can size each virtual tape from 100 GiB to 2.5 TiB.

  • A VTL can hold up to 1,500 virtual tapes, with a maximum aggregate capacity of 150 TiB. Once the virtual tapes are created, the backup application can discover them by using its standard media inventory procedure. Once created, tapes are available for immediate access and are stored in Amazon S3.

AWS Storage Gateway Architecture

File Gateway

File Gateway is a configuration of the AWS Storage Gateway service that gives applications a file interface for storing files as objects in Amazon S3. It combines a service with a virtual software appliance that is accessed using industry-standard file protocols: users store and retrieve objects in Amazon S3 over Network File System (NFS) or Server Message Block (SMB). The software appliance, or gateway, is deployed into the on-premises environment as a virtual machine (VM) running on VMware ESXi, Microsoft Hyper-V, or Linux Kernel-based Virtual Machine (KVM).

  • File Gateway enables existing file-based applications, devices, and workflows to use Amazon S3, without modification.
  • File Gateway securely and durably stores both file contents and metadata as objects, while providing on-premises applications low-latency access to cached data.
  • File Gateway supports Amazon S3 Standard, S3 Intelligent-Tiering, S3 Standard – Infrequent Access (S3 Standard-IA) and S3 One Zone-IA.

Individual files written to Amazon S3 through the file gateway are stored as independent objects. This provides highly durable, low-cost, flexible storage with virtually infinite capacity. Files are stored as objects in Amazon S3 in their original format without any proprietary modification, so the data is readily available to analytics and machine learning applications and services that natively integrate with Amazon S3 buckets, such as Amazon EMR, Amazon Athena, or Amazon Transcribe. AWS Storage Gateway provides access to objects in S3 as files or file share mount points. With a file gateway, users can do the following:

  • Users can store and retrieve files directly using the NFS version 3 or 4.1 protocol.
  • Users can store and retrieve files directly using the SMB version 2 or 3 protocol.
  • Users can access data directly in Amazon S3 from any AWS Cloud application or service.
  • Users can manage S3 data using lifecycle policies, Cross-Region Replication, and versioning. A file gateway can be seen as a file system mount on S3.

A file gateway simplifies file storage in Amazon S3, integrates with existing applications through industry-standard file system protocols, and provides a cost-effective alternative to on-premises storage. It also provides low-latency access to data through transparent local caching. A file gateway manages data transfer to and from AWS, buffers applications from network congestion, optimizes and streams data in parallel, and manages bandwidth consumption. File gateways integrate with AWS services, for example the following:

  • Common access management using AWS Identity and Access Management (IAM)
  • Encryption using AWS Key Management Service (AWS KMS)
  • Monitoring using Amazon CloudWatch (CloudWatch)
  • Audit using AWS CloudTrail (CloudTrail)
  • Operations using the AWS Management Console and AWS Command Line Interface (AWS CLI)
  • Billing and cost management

A file gateway presents one or more Amazon S3 buckets and their objects as mountable NFS shares to one or more clients on-premises. It is deployed as a virtual appliance that can run in a VMware environment (Hyper-V, KVM, and the hardware appliance are also supported) or in an Amazon Elastic Compute Cloud (Amazon EC2) instance. When the file gateway is deployed in a privately hosted VMware environment, it acts as a performance-optimized connection between NFS (v3 or v4.1) client systems in the private data center and Amazon S3 buckets hosted in a given AWS Region. The file gateway uses locally attached storage as a read/write cache to reduce latency for NFS clients on the same local area network (LAN) as the gateway.

  • A bucket share consists of a Network File System (NFS) share hosted from a file gateway across a single Amazon S3 bucket. The file gateway virtual appliance currently supports up to 10 bucket shares.
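The client list, squash mode, and encryption setting of an NFS share are the controls that decide which hosts can reach the bucket through the gateway and as whom. The following is an added example, not AWS code or documentation, that assembles a hardened CreateNFSFileShare request and can submit it with boto3; the ARNs are placeholders, the dictionary keys are the real API parameter names, and refusing 0.0.0.0/0 and insisting on SSE-KMS are this example's own policy rather than AWS defaults.

```python
"""Assemble a hardened CreateNFSFileShare request for a file gateway.

Added example, not AWS code. The ARNs passed by the caller are placeholders;
the dictionary keys are the parameter names of the Storage Gateway
CreateNFSFileShare API as exposed by boto3. Refusing 0.0.0.0/0 and insisting
on an SSE-KMS key are this example's own policy, not AWS defaults.
"""
import ipaddress
import json
import uuid

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def normalize_client_list(clients, allow_any=False):
    """Validate and normalize the NFS ClientList.

    A file gateway authorizes NFS clients by source address only, so this
    list is the share's access control. Single hosts become /32 prefixes,
    entries with host bits set or IPv6 entries are rejected, and 0.0.0.0/0
    is refused unless the caller explicitly allows it.
    """
    normalized = set()
    for entry in clients:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"bad ClientList entry {entry!r}: {exc}") from exc
        if net.version != 4:
            raise ValueError(f"ClientList entries must be IPv4: {entry!r}")
        if net == ANY_V4 and not allow_any:
            raise ValueError("0.0.0.0/0 exposes the share to every host that can "
                             "reach the gateway; pass allow_any=True to override")
        normalized.add(str(net))
    if not normalized:
        raise ValueError("ClientList must not be empty")
    return sorted(normalized)


def build_nfs_share_request(gateway_arn, role_arn, location_arn, clients,
                            kms_key_arn, read_only=False,
                            storage_class="S3_STANDARD"):
    """Return keyword arguments for boto3's create_nfs_file_share()."""
    if not kms_key_arn.startswith("arn:aws:kms:"):
        raise ValueError("kms_key_arn must be a KMS key ARN; this builder "
                         "always requests SSE-KMS rather than the SSE-S3 default")
    if not location_arn.startswith("arn:aws:s3:::"):
        raise ValueError("location_arn must be an S3 bucket (or bucket/prefix) ARN")
    return {
        "ClientToken": uuid.uuid4().hex,   # idempotency token for the create call
        "GatewayARN": gateway_arn,
        "Role": role_arn,                   # IAM role the gateway assumes to reach the bucket
        "LocationARN": location_arn,
        "KMSEncrypted": True,               # objects written through the share use SSE-KMS
        "KMSKey": kms_key_arn,
        "ClientList": normalize_client_list(clients),
        "Squash": "RootSquash",             # client root is mapped to an anonymous user
        "ReadOnly": read_only,
        "ObjectACL": "private",             # no wider ACL is attached to new objects
        "DefaultStorageClass": storage_class,
    }


def create_share(request, region_name):
    """Submit the request. Needs boto3 and AWS credentials; not used offline."""
    import boto3  # imported here so the builder itself has no AWS dependency
    client = boto3.client("storagegateway", region_name=region_name)
    return client.create_nfs_file_share(**request)["FileShareARN"]


if __name__ == "__main__":
    # Placeholder ARNs; replace with the gateway, role, bucket and key in use.
    request = build_nfs_share_request(
        gateway_arn="arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12A3456B",
        role_arn="arn:aws:iam::123456789012:role/FileGatewayBucketAccess",
        location_arn="arn:aws:s3:::example-archive-bucket",
        clients=["10.0.1.0/24", "10.0.2.17"],
        kms_key_arn="arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111",
        read_only=True,
    )
    print(json.dumps(request, indent=2))
```

Run it to print the request; call create_share(request, region) with credentials to actually create the share. The same ClientList and Squash checks are worth applying before UpdateNFSFileShare, which accepts the same parameters and is where a share usually gets widened later.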
 

Tape Gateway

Tape Gateway is a cloud-based Virtual Tape Library (VTL) that provides the backup application with an iSCSI VTL interface consisting of a virtual media changer, virtual tape drives, and virtual tapes. Virtual tapes are stored in Amazon S3 and can be archived to Amazon S3 Glacier or Amazon S3 Glacier Deep Archive. Users create virtual tapes in the virtual tape library using the AWS Management Console, and the backup application reads data from or writes data to virtual tapes by mounting them in virtual tape drives using the virtual media changer.

  • The tape gateway is deployed into the users' on-premises environment as a VM running on VMware ESXi, KVM, or Microsoft Hyper-V.
  • The tape gateway provides a virtual tape infrastructure that scales with business needs and eliminates the operational burden of provisioning, scaling, and maintaining a physical tape infrastructure.
  • Users can use gateways hosted on EC2 instances for disaster recovery, data mirroring, and providing storage for applications hosted on Amazon EC2.
  • Users can continue to use their existing backup applications and workflows while writing to a nearly limitless collection of virtual tapes.
  • Tape Gateway integrates with all leading backup applications, allowing users to start using cloud storage for on-premises backup and archive without changing their backup and archive workflows.
  • The minimum and maximum sizes of a virtual tape created on a Tape Gateway are 100 GiB and 5 TiB respectively. Users pay only for the amount of data stored on each tape, not for the size of the tape.

Tape Gateway offers a durable, cost-effective solution to archive data in the AWS Cloud. With its virtual tape library (VTL) interface, customers use their existing tape-based backup infrastructure to store data on virtual tape cartridges created on the tape gateway. Each tape gateway is preconfigured with a media changer and tape drives. The following are the tape gateway components:

  • Virtual tape: A virtual tape is like a physical tape cartridge, except that its data is stored in the AWS Cloud. Like physical tapes, virtual tapes can be blank or can have data written on them. Users can create virtual tapes either by using the Storage Gateway console or programmatically by using the Storage Gateway API. Each gateway can contain up to 1,500 tapes or up to 1 PiB of total tape data at a time. The size of each virtual tape, configured when the tape is created, is between 100 GiB and 5 TiB.
  • Virtual tape library (VTL): A VTL is like a physical tape library available on-premises with robotic arms and tape drives. The VTL includes the collection of stored virtual tapes. Each tape gateway comes with one VTL, and the virtual tapes that users create appear in the gateway's VTL. Tapes in the VTL are backed by Amazon S3. As the backup software writes data to the gateway, the gateway stores the data locally and then asynchronously uploads it to the virtual tapes in the VTL, that is, to Amazon S3.

    • Tape drive: A VTL tape drive is analogous to a physical tape drive that can perform I/O and seek operations on a tape. Each VTL comes with a set of 10 tape drives, which are available to the backup application as iSCSI devices.
    • Media changer: A VTL media changer is analogous to the robot that moves tapes between storage slots and tape drives in a physical tape library. Each VTL comes with one media changer, which is available to the backup application as an iSCSI device.

  • Archive: The archive is analogous to an offsite tape holding facility. Users can archive tapes from the gateway's VTL to the archive and, if needed, retrieve tapes from the archive back to the gateway's VTL.

    • Archiving tapes: When the backup software ejects a tape, the gateway moves the tape to the archive for long-term storage. The archive is located in the AWS Region in which the gateway was activated. Tapes in the archive are stored in the virtual tape shelf (VTS), which is backed by S3 Glacier or S3 Glacier Deep Archive, low-cost storage classes for data archiving, backup, and long-term data retention.
    • Retrieving tapes: Archived tapes cannot be read directly. To read an archived tape, users must first retrieve it to the tape gateway by using either the Storage Gateway console or the Storage Gateway API.

Volume Gateway

Volume Gateway presents cloud-backed Internet Small Computer System Interface (iSCSI) block storage volumes to users' on-premises applications. It stores and manages on-premises data in Amazon S3 on the user's behalf and operates in either cached mode or stored mode. Users create block storage volumes and mount them as iSCSI devices from on-premises or EC2 application servers. Volume Gateway compresses data before it is transferred to AWS and while it is stored in AWS, which can reduce both data transfer and storage charges.

  • Users can take point-in-time copies of volumes, which are stored in AWS as Amazon EBS snapshots, manage the retention of those copies with AWS Backup, and restore EBS snapshots to a Volume Gateway volume or to an EBS volume.
  • Volume Gateway maintains on-premises either a cache of recently accessed data or a full copy of the volume, so applications get fast access to data. Concurrently, all of the volume data is compressed and stored durably and cost-effectively in AWS, with petabyte scalability.
  • With Amazon EBS snapshots, Storage Gateway volume clones, and AWS Backup, users have several options to restore the application data stored in the volumes: back to the existing Volume Gateway on site, to EBS for recovery of the application into EC2, or to a new Volume Gateway running at another on-premises location.
  • All data transferred between the gateway and AWS storage is encrypted using TLS (SSL). That encryption does not extend to the iSCSI session between the application server and the gateway, which runs over the local network; protect it with CHAP authentication on the iSCSI target and by keeping the storage network segmented. By default, all data stored by Volume Gateway in S3 is encrypted server-side with Amazon S3-managed keys (SSE-S3).

Volume Gateway Architecture

The volume gateway is deployed into the users' on-premises environment as a VM running on VMware ESXi, KVM, or Microsoft Hyper-V. AWS Storage Gateway offers two configurations for volume gateways. In both cases, all data is securely stored in AWS; the primary difference is how much data is stored on-premises.

Gateway-Cached Volume: Gateway-cached volumes enable customers to use Amazon Simple Storage Service (Amazon S3) as primary data storage while retaining frequently accessed data locally in the storage gateway. Gateway-cached volumes minimize the need to scale on-premises storage infrastructure while still providing applications with low-latency access to their frequently accessed data. Users can create storage volumes up to 32 TiB in size and attach to them as iSCSI devices from on-premises application servers.

  • Gateway-cached volumes range from 1 GiB to 32 TiB in size and must be rounded to the nearest GiB. Each gateway configured for gateway-cached volumes can support up to 20 volumes and total volume storage of 150 TiB.
  • In the gateway-cached volume configuration, AWS Storage Gateway stores all of the on-premises application data in a storage volume in Amazon S3.
  • Users can take incremental backups, called snapshots, of the storage volumes in Amazon S3. These point-in-time snapshots are stored in Amazon S3 as Amazon EBS snapshots. Users can initiate snapshots on a scheduled or one-time basis.
  • Users can restore an Amazon EBS snapshot to a gateway storage volume if they need to recover a backup of their data. Alternatively, for snapshots up to 16 TiB in size, they can use the snapshot as the starting point for a new Amazon EBS volume and attach that volume to an Amazon EC2 instance.

Gateway-Stored Volume: Gateway-stored volumes let users store primary data locally while asynchronously backing that data up to AWS. Gateway-stored volumes provide on-premises applications with low-latency access to their entire data sets while providing durable, off-site backups. Users can create storage volumes up to 1 TiB in size and mount them as iSCSI devices from on-premises application servers. Data written to gateway-stored volumes is stored on the users' on-premises storage hardware.

  • This data is asynchronously backed up to Amazon S3 in the form of Amazon EBS snapshots. Gateway-stored volumes can range from 1 GiB to 1 TiB in size and must be rounded to the nearest GiB.
  • Each gateway configured for gateway-stored volumes can support up to 12 volumes and total volume storage of 12 TiB.
  • With gateway-stored volumes, volume data is stored on-premises and snapshots provide durable, off-site backups in Amazon S3. Users can create a new volume from a snapshot if they need to recover a backup.

In either mode, users can take point-in-time snapshots of their volumes, which are stored as Amazon EBS snapshots in AWS, making space-efficient, versioned copies of the volumes for data protection, recovery, migration, and other copy-data needs.

Gateway Hardware Appliance

The AWS Storage Gateway Hardware Appliance is a physical appliance with the Storage Gateway software preinstalled on a validated server configuration. Users can manage the hardware appliance from the Hardware page of the AWS Storage Gateway console. The hardware appliance is a high-performance 1U server that users can deploy in their data center or on-premises inside the corporate firewall. It can be ordered directly from the AWS Storage Gateway console.

  • Gateway Hardware Appliance comes pre-loaded with Storage Gateway software, and provides all the required CPU, memory, network, and SSD cache resources for creating and configuring File Gateway, Volume Gateway, or Tape Gateway.
  • The AWS  Storage Gateway Hardware Appliance is designed to provide users with a simple out of the box experience that does not require any additional infrastructure, and is managed from the AWS Console or API.
  • Frequently, branch offices, research and development departmental workgroups, and laboratory or industrial sites lack the on-premises infrastructure to run a virtual machine appliance, hypervisors, server clusters, and networked storage systems.
  • The AWS Storage Gateway Hardware Appliance can be dropped in and rapidly set up, providing local applications access to virtually unlimited cloud storage for a wide variety of use cases.
  • The hardware appliance supports File Gateway with NFS and SMB interfaces, Volume Gateway cached volumes with iSCSI, and Tape Gateway with iSCSI-VTL.

The hardware appliance further simplifies procurement, deployment, and management of AWS Storage Gateway on-premises for IT environments such as remote offices and departments which lack existing virtual server infrastructure, adequate disk and memory resources, or staff with hypervisor management skills. It avoids having to procure additional infrastructure necessary for a virtual environment in order to operate the local AWS Storage Gateway VM appliance.

Increasing the usable cache storage

Users can increase the usable storage on the hardware appliance from 5 TB to 12 TB, which provides a larger cache for low-latency access to data in AWS. If they ordered the 5 TB model, users can increase the usable storage to 12 TB by buying five 1.92 TB SSDs (solid state drives), which are available for ordering on the console Hardware page. Users order the additional SSDs by following the same process as for ordering a hardware appliance: requesting a sales quote from the AWS Storage Gateway console.

Users can then add the drives to the hardware appliance before activating it. If the hardware appliance has already been activated and users want to increase its usable storage to 12 TB, do the following:

  1. Reset the hardware appliance to its factory settings. Contact AWS Support for instructions on how to do this.
  2. Add the five 1.92 TB SSDs to the appliance.

Network interface card options

Depending on the model of appliance users ordered, it may come with a 10G-Base-T copper network card or a 10G DA/SFP+ network card.

10G-Base-T NIC configuration:

  • Use CAT6 cables for 10G or CAT5(e) for 1G

10G DA/SFP+ NIC configuration:

  • Use Twinax copper Direct Attach Cables up to 5 meters
  • Dell/Intel compatible SFP+ optical modules (SR or LR)
  • SFP/SFP+ copper transceiver for 1G-Base-T or 10G-Base-T

Security

The AWS shared responsibility model applies to data protection in AWS Storage Gateway. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud, and users are responsible for maintaining control over the content hosted on this infrastructure. These are the recommended practices for protecting and securing data:

  • Use multi-factor authentication (MFA) with each account.
  • Use SSL/TLS to communicate with AWS resources. AWS recommend TLS 1.2 or later.
  • Set up API and user activity logging with AWS CloudTrail.
  • Use AWS encryption solutions, along with all default security controls within AWS services.
  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
  • If users require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-

AWS Storage Gateway uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) to encrypt data that is transferred between the gateway appliance and AWS storage. By default, Storage Gateway uses Amazon S3-Managed Encryption Keys (SSE-S3) to server-side encrypt all data it stores in Amazon S3.

  • Encrypting a file share: For a file share, users can configure the gateway to encrypt the objects with AWS KMS–managed keys by using SSE-KMS. For information on using the Storage Gateway API to encrypt data written to a file share, see CreateNFSFileShare in the AWS Storage Gateway API Reference.
  • Encrypting a volume: For cached and stored volumes, users can configure the gateway to encrypt volume data stored in the cloud with AWS KMS–managed keys by using the Storage Gateway API. Users can specify one of the managed customer master keys (CMKs) as the KMS key. The CMK used to encrypt the volume can’t be changed after the volume is created. For information on using the Storage Gateway API to encrypt data written to a cached or stored volume, see CreateCachediSCSIVolume or CreateStorediSCSIVolume in the AWS Storage Gateway API Reference.
  • Encrypting a tape: For a virtual tape, users can configure the gateway to encrypt tape data stored in the cloud with AWS KMS–managed keys by using the Storage Gateway API. Users can specify one of the managed customer master keys (CMKs) as the KMS key. The CMK used to encrypt the tape data can’t be changed after the tape is created. For information on using the Storage Gateway API to encrypt data written to a virtual tape, see CreateTapes in the AWS Storage Gateway API Reference.

AWS CloudTrail: AWS Storage Gateway is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Storage Gateway. CloudTrail captures all API calls for Storage Gateway as events. The calls captured include calls from the Storage Gateway console and code calls to the Storage Gateway API operations. 
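As an added example that is not part of the original page or of the Storage Gateway service, the following Python review walks CloudTrail records for the Storage Gateway API and flags two things the sections above make security-relevant: creation calls (CreateNFSFileShare, CreateCachediSCSIVolume, CreateStorediSCSIVolume, CreateTapes) that leave the resource on default SSE-S3 instead of SSE-KMS, which matters because the KMS key cannot be changed after creation, and calls made without MFA. The sample records are constructed, and the lower-cased `kMSEncrypted`/`kMSKey` spelling inside `requestParameters` is an assumption about how CloudTrail renders those parameters.

```python
# Storage Gateway creation operations named on the page that accept
# KMSEncrypted / KMSKey; the key choice is fixed once the resource exists.
CREATE_OPS = {"CreateNFSFileShare", "CreateCachediSCSIVolume",
              "CreateStorediSCSIVolume", "CreateTapes"}

# Constructed sample CloudTrail records (not real events). The first-letter
# lower-casing of request parameters ("kMSEncrypted") is an assumption.
SAMPLE_EVENTS = [
    {"eventSource": "storagegateway.amazonaws.com",
     "eventName": "CreateNFSFileShare",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"gatewayARN": "arn:aws:storagegateway:us-east-1:"
                                         "111122223333:gateway/sgw-EXAMPLE",
                           "kMSEncrypted": False}},
    {"eventSource": "storagegateway.amazonaws.com",
     "eventName": "CreateCachediSCSIVolume",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"kMSEncrypted": True,
                           "kMSKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY"}},
    # Non-Storage-Gateway event: must be ignored by the review.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {}},
]


def mfa_authenticated(event):
    """True only when the session context explicitly records MFA.
    Long-term access keys carry no sessionContext and so count as no MFA."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def review_events(events):
    """Return (eventName, caller ARN, finding) tuples for Storage Gateway calls."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "storagegateway.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        if not mfa_authenticated(ev):
            findings.append((name, who, "call made without MFA"))
        if name in CREATE_OPS:
            if not params.get("kMSEncrypted"):
                findings.append((name, who, "created with default SSE-S3, not SSE-KMS"))
            elif not params.get("kMSKey"):
                findings.append((name, who, "KMSEncrypted set but no KMSKey supplied"))
    return findings
```

Run against a real trail by passing the `Records` list of a CloudTrail log file to `review_events`; the SSE-KMS finding is only actionable at creation time, which is why the check targets the create operations rather than later reads.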
