Choosing a service endpoint for your AWS DataSync agent - AWS DataSync

Choosing a service endpoint for your AWS DataSync agent

A service endpoint is how your AWS DataSync agent communicates with the DataSync service. DataSync supports the following types of service endpoints:

  • Public service endpoint – Data is sent over the public internet.

  • Federal Information Processing Standard (FIPS) service endpoint – Data is sent over the public internet by using processes that comply with FIPS.

  • Virtual private cloud (VPC) service endpoint – Data is sent through your VPC instead of over the public internet, increasing the security of your transferred data.

You need a service endpoint to activate your agent. When choosing a service endpoint, remember the following:

  • An agent can only use one type of endpoint. If you need to transfer data using different endpoint types, create an agent for each type.

  • How you connect your storage network to AWS determines what service endpoints you can use.

  • With DataSync Discovery, you can only use public endpoints.

Choosing a public service endpoint

If you use a public service endpoint, all communication between your DataSync agent and the DataSync service occurs over the public internet.

  1. Determine the DataSync public service endpoint that you want to use.

  2. Configure your network to allow the traffic required for using DataSync public service endpoints.

Next step: Activating your AWS DataSync agent

Choosing a FIPS service endpoint

DataSync provides some service endpoints that comply with FIPS. For more information, see FIPS endpoints in the AWS General Reference.

  1. Determine the DataSync FIPS service endpoint that you want to use.

  2. Configure your network to allow the traffic required for using DataSync FIPS service endpoints.

Next step: Activating your AWS DataSync agent

Choosing a VPC service endpoint

If you use a VPC service endpoint, your data isn't transferred across the public internet. DataSync instead transfers data through a VPC that's based on the Amazon VPC service.

How DataSync agents work with VPC service endpoints

VPC service endpoints are provided by AWS PrivateLink. These types of endpoints let you privately connect supported AWS services to your VPC. When you use a VPC service endpoint with DataSync, all communication between your DataSync agent and the DataSync service remains in your VPC.

The VPC service endpoint, and the network interfaces that DataSync creates for data transfer traffic, use private IP addresses that are only reachable from inside your VPC. For more information, see Networking with AWS DataSync.

DataSync limitations with VPCs

  • VPCs that you use with DataSync must have default tenancy. VPCs with dedicated tenancy aren't supported.

  • DataSync doesn't support shared VPCs.

  • DataSync VPC service endpoints only support IPv4. IPv6 and dual-stack options aren't supported.

Creating a VPC service endpoint for DataSync

The following diagram shows an example of DataSync using a VPC service endpoint for transferring from an on-premises storage system to an Amazon S3 bucket. The numbered callouts correspond to the steps to create a VPC service endpoint.

A network diagram showing the order in which you can create a VPC service endpoint for DataSync.

To create a VPC service endpoint for DataSync
  1. Create or determine a VPC and subnet where you want to create your VPC service endpoint.

    If you're transferring to or from storage that's outside AWS, the VPC should extend to that storage environment (for example, your storage environment might be a data center where your on-premises NFS file server is located). You can do this by using routing rules over AWS Direct Connect or VPN.

  2. Create a DataSync VPC service endpoint by doing the following:

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the left navigation pane, choose Endpoints, then choose Create endpoint.

    3. For Service category, choose AWS services.

    4. For Services, search for datasync and choose the endpoint for the Region you're in (for example, com.amazonaws.us-east-1.datasync).

    5. For VPC, choose the VPC where you want to create the VPC service endpoint.

    6. Expand Additional settings and clear the Enable Private DNS Name check box.

    7. For Subnet, choose the subnet where you want to create the VPC service endpoint. Take note of the subnet ARN (you need this when activating your agent).

    8. Choose Create endpoint. Take note of the endpoint ID (you need this when activating your agent).

  3. In your VPC, configure a security group that allows the traffic required for using DataSync VPC service endpoints. Take note of the security group ARN (you need this when activating your agent).

    The security group must allow your agent to connect with the private IP addresses of the VPC service endpoint and your network interfaces (which get created when you create your task).
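The same procedure expressed with the AWS CLI, as an added example rather than AWS's own tooling. It uses the real `aws ec2 create-vpc-endpoint` and `describe-vpcs` commands; the VPC ID, subnet ID, security group ID and account ID are placeholders you pass on the command line. Beyond the console steps, it checks the default-tenancy limitation before creating anything and prints the subnet and security group as ARNs, which is the form agent activation asks for (the standard `arn:aws:ec2:<region>:<account>:<type>/<id>` layout is assumed). Private DNS is turned off explicitly, matching the console step that clears the Enable Private DNS Name check box; the security group's rules themselves are not created here, since the required traffic is documented in Networking with AWS DataSync.

```shell
#!/bin/sh
# Added example (not AWS's own script): create a DataSync VPC service
# endpoint with the AWS CLI. Real IDs are supplied as arguments; nothing
# here is a value from a particular account.
set -eu

# Service name for the DataSync endpoint in a Region, following the pattern
# the procedure shows (com.amazonaws.us-east-1.datasync).
datasync_service_name() {
  printf 'com.amazonaws.%s.datasync' "$1"
}

# Agent activation wants the subnet and security group as ARNs, while the
# console and CLI hand you IDs. Assumed standard EC2 ARN layout:
#   arn:aws:ec2:<region>:<account-id>:<resource-type>/<id>
ec2_arn() {
  printf 'arn:aws:ec2:%s:%s:%s/%s' "$1" "$2" "$3" "$4"
}

# DataSync requires default tenancy (see "DataSync limitations with VPCs").
# Returns 0 for "default" and 1 for anything else, so the script can stop
# before it creates an endpoint that the agent could never use.
tenancy_is_supported() {
  [ "$1" = "default" ]
}

# Assembles the create-vpc-endpoint command. --no-private-dns-enabled
# matches the console step "clear the Enable Private DNS Name check box".
build_create_endpoint_cmd() {
  printf 'aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --service-name %s --vpc-id %s --subnet-ids %s --security-group-ids %s --no-private-dns-enabled --query VpcEndpoint.VpcEndpointId --output text' \
    "$(datasync_service_name "$1")" "$2" "$3" "$4"
}

main() {
  region="${AWS_REGION:-us-east-1}"
  vpc_id="$1"; subnet_id="$2"; sg_id="$3"; account_id="$4"

  # Preflight: refuse to continue on a dedicated-tenancy or unknown VPC.
  tenancy=$(aws ec2 describe-vpcs --vpc-ids "$vpc_id" \
              --query 'Vpcs[0].InstanceTenancy' --output text)
  if ! tenancy_is_supported "$tenancy"; then
    echo "VPC $vpc_id has tenancy '$tenancy'; DataSync requires default tenancy" >&2
    return 1
  fi

  cmd=$(build_create_endpoint_cmd "$region" "$vpc_id" "$subnet_id" "$sg_id")
  echo "Running: $cmd" >&2
  endpoint_id=$($cmd)

  # The three values the activation step tells you to take note of.
  echo "VPC endpoint ID:    $endpoint_id"
  echo "Subnet ARN:         $(ec2_arn "$region" "$account_id" subnet "$subnet_id")"
  echo "Security group ARN: $(ec2_arn "$region" "$account_id" security-group "$sg_id")"
}

# Usage: sh create-datasync-endpoint.sh <vpc-id> <subnet-id> <sg-id> <account-id>
if [ "$#" -ge 4 ]; then
  main "$@"
fi
```

Run it with credentials that can describe VPCs and create endpoints, in the Region set by `AWS_REGION`; the Region must match the one your agent will be activated in, because each DataSync endpoint is Region-specific.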

Next step: Activating your AWS DataSync agent