AWS DataSync network requirements

Configuring your network is an important step in setting up AWS DataSync. The ports and endpoints you must allow depend on several factors, such as whether you're collecting information about your storage (a discovery job) or transferring data, and on the kind of service endpoint (public, FIPS, or VPC) that your agent uses to communicate with AWS.

Network requirements for on-premises, self-managed, other cloud, and edge storage

The following network requirements can apply to on-premises, self-managed, other cloud, and edge storage systems. These are typically storage systems that you manage yourself or that another cloud provider manages for you.

Note

Depending on your network, you might need to allow traffic on ports other than what's listed here for your DataSync agent to connect with your storage.

| From | To | Protocol | Port | How it's used by DataSync |
|---|---|---|---|---|
| DataSync agent | NFS file server | TCP | 2049 | Mounts the NFS file server. DataSync supports NFS versions 3.x, 4.0, and 4.1. |
| DataSync agent | SMB file server | TCP | 139 or 445 | Mounts the SMB file server. DataSync supports SMB versions 1.0 and later. |
| DataSync agent | Object storage | TCP | 443 (HTTPS) or 80 (HTTP) | Accesses your object storage. |
| DataSync agent | Hadoop cluster | TCP | NameNode port (default is 8020). In most clusters, you can find this port number in the core-site.xml file under the fs.default or fs.default.name property (depending on the Hadoop distribution). | Accesses the NameNodes in your Hadoop cluster. Specify the port used when creating an HDFS location. |
| DataSync agent | Hadoop cluster | TCP | DataNode port (default is 50010). In most clusters, you can find this port number in the hdfs-site.xml file under the dfs.datanode.address property. | Accesses the DataNodes in your Hadoop cluster. The DataSync agent automatically determines the port to use. |
| DataSync agent | Hadoop Key Management Server (KMS) | TCP | KMS port (default is 9600) | Accesses the KMS for your Hadoop cluster. |
| DataSync agent | Kerberos Key Distribution Center (KDC) server | TCP | KDC port (default is 88) | Authenticates with the Kerberos realm. This port is used only with HDFS. |
| DataSync agent | Storage system's management interface | TCP | Depends on your network | Connects to your storage system. DataSync Discovery uses this connection to collect information about your system. |
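The HDFS rows above tell you to read the NameNode and DataNode ports out of the cluster's core-site.xml and hdfs-site.xml rather than trusting the defaults. The following Python is an added example for this page, not AWS or DataSync code, that does exactly that so you can open the right ports from the agent before creating the HDFS location. The table names the NameNode property fs.default; in Hadoop the property is fs.defaultFS, with fs.default.name as the deprecated alias, and the parser accepts both. The sample XML fragments are constructed for the example and deliberately use a non-default DataNode port to show why reading the file matters.

```python
"""Read the NameNode and DataNode ports a DataSync agent must reach from the
cluster's own core-site.xml and hdfs-site.xml, as the table above describes.
Added example for this page; not AWS or DataSync code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Defaults given in the table above, used when the property is absent.
DEFAULT_NAMENODE_PORT = 8020
DEFAULT_DATANODE_PORT = 50010


def hadoop_properties(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name and value is not None:
            props[name.strip()] = value.strip()
    return props


def namenode_port(core_site_xml):
    """Port from fs.defaultFS (or the deprecated alias fs.default.name),
    whose value looks like hdfs://namenode.example.internal:8020."""
    props = hadoop_properties(core_site_xml)
    uri = props.get("fs.defaultFS") or props.get("fs.default.name")
    if not uri:
        return DEFAULT_NAMENODE_PORT
    if "://" not in uri:  # tolerate a bare host:port value
        uri = "hdfs://" + uri
    port = urlsplit(uri).port
    return port if port is not None else DEFAULT_NAMENODE_PORT


def datanode_port(hdfs_site_xml):
    """Port from dfs.datanode.address, whose value looks like 0.0.0.0:50010
    (the host part may also be an IPv6 literal such as [::]:50010)."""
    addr = hadoop_properties(hdfs_site_xml).get("dfs.datanode.address", "")
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else DEFAULT_DATANODE_PORT


def hdfs_ports(core_site_xml, hdfs_site_xml):
    """The two TCP ports to allow from the agent to the Hadoop cluster."""
    return {"namenode": namenode_port(core_site_xml),
            "datanode": datanode_port(hdfs_site_xml)}


# Constructed sample config fragments (not taken from a real cluster).
SAMPLE_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode.example.internal:8020</value></property>
</configuration>"""
SAMPLE_HDFS_SITE = """<configuration>
  <property><name>dfs.datanode.address</name><value>0.0.0.0:9866</value></property>
</configuration>"""

if __name__ == "__main__":
    print(hdfs_ports(SAMPLE_CORE_SITE, SAMPLE_HDFS_SITE))
```

Run it against the real files copied from a cluster node (for example `/etc/hadoop/conf/core-site.xml` and `hdfs-site.xml`) and use the resulting ports, together with the KMS and KDC ports from the table, when writing the firewall rules between the agent and the cluster.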

Network requirements for AWS storage services

The network ports required for DataSync to connect to an AWS storage service during a transfer vary.

| From | To | Protocol | Port |
|---|---|---|---|
| DataSync service | Amazon EFS | TCP | 2049 |
| DataSync service | FSx for Windows File Server | See file system access control for FSx for Windows File Server. | |
| DataSync service | FSx for Lustre | See file system access control for FSx for Lustre. | |
| DataSync service | FSx for OpenZFS | See file system access control for FSx for OpenZFS. | |
| DataSync service | FSx for ONTAP | TCP | 111, 635, and 2049 (NFS); 445 (SMB) |
| DataSync service | Amazon S3 | TCP | 443 (HTTPS) |

Network requirements for public or FIPS service endpoints

Your DataSync agent requires the following network access when using public or FIPS service endpoints. If you use a firewall or router to filter or limit network traffic, configure your firewall or router to allow these endpoints.

| From | To | Protocol | Port | How it's used | Endpoints accessed |
|---|---|---|---|---|---|
| Your web browser | DataSync agent | TCP | 80 (HTTP) | Allows your browser to obtain the DataSync agent's activation key. Once activated, DataSync closes the agent's port 80. Your agent doesn't require port 80 to be publicly accessible; the required level of access to port 80 depends on your network configuration. Note: You can get the activation key without a connection between your browser and agent. For more information, see Getting an activation key. | N/A |
| DataSync agent | Amazon CloudFront | TCP | 443 (HTTPS) | Helps bootstrap your DataSync agent prior to activation. | AWS Regions: d3dvvaliwoko8h.cloudfront.net. AWS GovCloud (US) Regions: s3.us-gov-west-1.amazonaws.com/fmrsendpoints-endpointsbucket-go4p5gpna6sk |
| DataSync agent | AWS | TCP | 443 (HTTPS) | Activates your DataSync agent and associates it with your AWS account. You can block the public endpoint after activation. | Public endpoint activation: activation.datasync.activation-region.amazonaws.com. FIPS endpoint activation: activation.datasync-fips.activation-region.amazonaws.com |
| DataSync agent | AWS | TCP | 443 (HTTPS) | Allows communication between the DataSync agent and DataSync service endpoint. For information, see Choosing a service endpoint for your AWS DataSync agent. Depending on what you're using DataSync for, you might not need to allow access to every endpoint listed here. | DataSync control plane endpoints: cp.datasync.activation-region.amazonaws.com (public), cp.datasync-fips.activation-region.amazonaws.com (FIPS). DataSync data plane endpoint (transfer tasks only): your-task-id.datasync-dp.activation-region.amazonaws.com. DataSync Discovery endpoint (discovery jobs only): discovery-datasync.activation-region.amazonaws.com |
| DataSync agent | AWS | TCP | 443 (HTTPS) | Allows the DataSync agent to get updates from AWS. For more information, see Managing your AWS DataSync agent. | amazonlinux.default.amazonaws.com, cdn.amazonlinux.com, amazonlinux-2-repos-activation-region.s3.dualstack.activation-region.amazonaws.com, amazonlinux-2-repos-activation-region.s3.activation-region.amazonaws.com, *.s3.activation-region.amazonaws.com |
| DataSync agent | Domain Name Service (DNS) server | TCP/UDP | 53 (DNS) | Allows communication between the DataSync agent and DNS server. | N/A |
| DataSync agent | AWS | TCP | 22 (Support channel) | Allows AWS Support to access your DataSync agent to help you troubleshoot issues. You don't need this port open for normal operation. | AWS Support channel: 54.201.223.107 |
| DataSync agent | Network Time Protocol (NTP) server | UDP | 123 (NTP) | Allows local systems to synchronize the VM time to the host time. | NTP: 0.amazon.pool.ntp.org, 1.amazon.pool.ntp.org, 2.amazon.pool.ntp.org, 3.amazon.pool.ntp.org |

In the endpoints above, activation-region is the AWS Region where you activate your DataSync agent.

Note

To change the default NTP configuration of your VM agent to use a different NTP server using the local console, see Synchronizing the time on your VMware agent.

The following diagram shows the ports required by DataSync when using public or FIPS service endpoints.

[Diagram: ports used by DataSync with public or FIPS service endpoints]
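Before cutting over a firewall or router rule set, it helps to enumerate every endpoint the public/FIPS table above requires for the Region and workload you actually use, and then confirm from a host in the agent's subnet that DNS resolution (port 53) and the TCP connection (port 443, or 22 for the support channel) both succeed. The following Python is an added example for this page, not AWS or DataSync agent code. It fills in the activation-region and your-task-id placeholders from the table, treats the conditional entries (data plane, discovery, support channel) as opt-in, and leaves out the *.s3 wildcard because a wildcard cannot be probed; the region and task ID in the usage block are placeholders, and the probe uses plain sockets, which the page does not prescribe.

```python
"""Build the egress allow-list a DataSync agent needs with public or FIPS
service endpoints, then probe DNS and TCP reachability for each entry.
Added example for this page; not AWS or DataSync agent code."""
import socket


def required_endpoints(region, fips=False, task_id=None, discovery=False,
                       gov_cloud=False, support_channel=False):
    """Return (host, port, protocol) triples from the table above with the
    activation-region and your-task-id placeholders substituted."""
    svc = "datasync-fips" if fips else "datasync"
    eps = []
    # Bootstrap before activation (CloudFront, or the S3 bucket in GovCloud)
    if gov_cloud:
        eps.append(("s3.us-gov-west-1.amazonaws.com", 443, "tcp"))
    else:
        eps.append(("d3dvvaliwoko8h.cloudfront.net", 443, "tcp"))
    # Activation and control plane
    eps.append((f"activation.{svc}.{region}.amazonaws.com", 443, "tcp"))
    eps.append((f"cp.{svc}.{region}.amazonaws.com", 443, "tcp"))
    if task_id:  # data plane, transfer tasks only
        eps.append((f"{task_id}.datasync-dp.{region}.amazonaws.com", 443, "tcp"))
    if discovery:  # discovery jobs only
        eps.append((f"discovery-datasync.{region}.amazonaws.com", 443, "tcp"))
    # Agent updates (the *.s3 wildcard from the table is not probeable, so it is omitted)
    for host in ("amazonlinux.default.amazonaws.com", "cdn.amazonlinux.com",
                 f"amazonlinux-2-repos-{region}.s3.dualstack.{region}.amazonaws.com",
                 f"amazonlinux-2-repos-{region}.s3.{region}.amazonaws.com"):
        eps.append((host, 443, "tcp"))
    # Time synchronisation
    eps += [(f"{i}.amazon.pool.ntp.org", 123, "udp") for i in range(4)]
    if support_channel:  # only while working a case with AWS Support
        eps.append(("54.201.223.107", 22, "tcp"))
    return eps


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP endpoint: ok, dns_failed, refused, timeout or unreachable.
    DNS is checked first so a port-53 problem is reported as such."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failed"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def probe_all(endpoints, timeout=3.0):
    """Probe every TCP entry; UDP entries (NTP) are reported as not probed."""
    report = {}
    for host, port, proto in endpoints:
        key = f"{host}:{port}/{proto}"
        report[key] = probe_tcp(host, port, timeout) if proto == "tcp" else "udp_not_probed"
    return report


if __name__ == "__main__":
    # Placeholder Region and task ID: replace with your own values.
    eps = required_endpoints("us-east-1", task_id="task-EXAMPLE0000000000")
    for key, status in probe_all(eps).items():
        print(f"{status:>14}  {key}")
```

Run it from a machine in the same subnet as the agent (the agent VM itself has no shell for this). A `dns_failed` result points at the DNS row of the table, `timeout` usually means a firewall is silently dropping port 443, and `refused` means the path is open but something in between is answering instead of AWS.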

Network requirements for VPC service endpoints

A virtual private cloud (VPC) endpoint provides a private connection between your agent and AWS that doesn't cross the internet or use public IP addresses. This also helps prevent packets from entering or exiting the network. For more information, see Choosing a VPC service endpoint.

DataSync requires the following ports for your agent to use a VPC service endpoint.

| From | To | Protocol | Port | How it's used |
|---|---|---|---|---|
| Your web browser | Your DataSync agent | TCP | 80 (HTTP) | Allows your browser to obtain the agent activation key. Once activated, DataSync closes the agent's port 80. Your agent doesn't require port 80 to be publicly accessible; the required level of access to port 80 depends on your network configuration. Note: You can get the activation key without a connection between your browser and agent. For more information, see Getting an activation key. |
| DataSync agent | Your DataSync VPC service endpoint. To find the endpoint's IP address, open the Amazon VPC console, choose Endpoints, and select your DataSync VPC service endpoint. On the Subnets tab, locate the IP address for your VPC service endpoint's subnet; this is the endpoint's IP address. | TCP | 1024-1064 | For control plane traffic. |
| DataSync agent | Your DataSync task's network interfaces. To find the IP addresses of these interfaces, see Viewing your network interfaces. | TCP | 443 (HTTPS) | For data plane traffic. |
| DataSync agent | Your DataSync VPC service endpoint | TCP | 22 (Support channel) | To allow AWS Support to access your DataSync agent for troubleshooting. You don't need this port open for normal operation. |

The following diagram shows the ports required by DataSync when using VPC service endpoints.

[Diagram: ports used by DataSync with VPC service endpoints]
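With a VPC service endpoint, the inbound rules on the security groups attached to the endpoint and to the task's network interfaces decide whether the agent can reach the ports in the table above, and they should admit only the agent rather than the whole VPC or the internet. The following Python is an added example for this page, not AWS or DataSync code: it takes the `IpPermissions` list in the shape that boto3's `ec2.describe_security_groups` returns, reports which of the documented ranges (TCP 1024-1064 to the endpoint, TCP 443 to the task interfaces) are not allowed from the agent's address or security group, and flags rules open to any source. The sample rules and the `sg-EXAMPLE` group ID are constructed for the example.

```python
"""Check a security group's inbound rules against the ports a DataSync agent
needs when using a VPC service endpoint. Input is the IpPermissions structure
returned by boto3's ec2.describe_security_groups. Added example for this page;
not AWS or DataSync code."""
import ipaddress

# Ports from the VPC service endpoint table above, keyed by what the agent connects to.
REQUIRED = {
    "vpc_endpoint": [("tcp", 1024, 1064)],            # control plane
    "task_network_interfaces": [("tcp", 443, 443)],   # data plane
}
SUPPORT_CHANNEL = ("tcp", 22, 22)  # only while AWS Support is troubleshooting


def _covers(rule, proto, from_port, to_port, agent_cidr, agent_sg_id=None):
    """True if one IpPermissions entry allows proto/from_port-to_port from the agent."""
    ip_proto = rule.get("IpProtocol")
    if ip_proto not in (proto, "-1"):           # "-1" means all protocols
        return False
    if ip_proto != "-1" and (rule.get("FromPort", 0) > from_port
                             or rule.get("ToPort", 65535) < to_port):
        return False
    # Source may be the agent's own security group ...
    if agent_sg_id and any(p.get("GroupId") == agent_sg_id
                           for p in rule.get("UserIdGroupPairs", [])):
        return True
    # ... or a CIDR that contains the agent's address
    agent = ipaddress.ip_network(agent_cidr, strict=False)
    for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
        net = ipaddress.ip_network(r.get("CidrIp") or r.get("CidrIpv6"))
        if net.version == agent.version and agent.subnet_of(net):
            return True
    return False


def missing_rules(ip_permissions, agent_cidr, target="vpc_endpoint", agent_sg_id=None):
    """Return the (proto, from, to) entries for `target` that no rule allows from the agent."""
    return [need for need in REQUIRED[target]
            if not any(_covers(rule, *need, agent_cidr, agent_sg_id) for rule in ip_permissions)]


def overly_broad(ip_permissions):
    """Rules whose source is 0.0.0.0/0 or ::/0; the agent should be the only permitted source."""
    broad = []
    for rule in ip_permissions:
        cidrs = ([r.get("CidrIp") for r in rule.get("IpRanges", [])]
                 + [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])])
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            broad.append(rule)
    return broad


def audit(ip_permissions, agent_cidr, target="vpc_endpoint", agent_sg_id=None):
    """Summarise coverage and exposure for one security group."""
    return {
        "missing": missing_rules(ip_permissions, agent_cidr, target, agent_sg_id),
        "support_channel_open": any(_covers(rule, *SUPPORT_CHANNEL, agent_cidr, agent_sg_id)
                                    for rule in ip_permissions),
        "open_to_world": len(overly_broad(ip_permissions)),
    }


# Constructed sample: the control plane range is allowed from the agent subnet,
# but the support channel has been left open to the world.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 1064,
     "IpRanges": [{"CidrIp": "10.20.0.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, "10.20.0.5/32"))
```

In practice you would feed it `describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]` for the group on the VPC endpoint (target `vpc_endpoint`) and again for the group on the task's network interfaces (target `task_network_interfaces`), passing the agent's private IP as a /32 or its security group ID.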