DataSync architecture and routing examples with AWS Direct Connect
Consider the following network architectures when using AWS Direct Connect with your AWS DataSync transfers.
Tip
If your network uses a transit gateway, we recommend separating your DataSync transfer's logical path to optimize costs (particularly if you're migrating a large amount of data).
For example, if you use AWS Transit Gateway for normal traffic between your on-premises networks and virtual private clouds (VPCs), you can configure your network so that DataSync traffic bypasses the transit gateway and its data processing charges.
Using Direct Connect with a DataSync VPC service endpoint
If your DataSync agent uses a VPC service endpoint, you need a Direct Connect gateway to connect to your VPC.
Contents
Direct Connect architecture with VPC endpoint and S3 destination
The following Direct Connect architecture shows a DataSync transfer from an on-premises storage system to an S3 bucket.
-
The DataSync agent routes DataSync traffic from the on-premises storage system (source location) to the Direct Connect connection.
-
DataSync traffic routes to a Direct Connect gateway that’s used for your transfer. To set this up, you must:
-
Associate the Direct Connect gateway with a virtual private gateway for the VPC. This is the VPC where the DataSync VPC endpoint is located and where the DataSync task creates network interfaces.
-
Create a private virtual interface that connects this VPC to the Direct Connect gateway.
-
-
DataSync traffic (control plane) routes through the DataSync VPC endpoint.
-
DataSync traffic (data plane) routes through the DataSync network interfaces in the subnet that you specify when creating the DataSync agent.
-
DataSync traffic routes through the DataSync service to the S3 bucket (destination location).
Direct Connect architecture with VPC endpoint and file system destination in same subnet
When transferring to or from an Amazon EFS or Amazon FSx file system, your file system and DataSync VPC endpoint can be in the same subnet.
The following Direct Connect architecture shows a DataSync transfer from an on-premises storage system to an Amazon EFS or Amazon FSx file system.
-
The DataSync agent routes DataSync traffic from the on-premises storage system (source location) to the Direct Connect connection.
-
DataSync traffic routes to a Direct Connect gateway that's used for your transfer. To set this up, you must:
-
Associate the Direct Connect gateway with a virtual private gateway for the VPC. This is the VPC where the DataSync VPC endpoint is located and where the DataSync task creates network interfaces for the file system (destination location).
-
Create a private virtual interface that connects this VPC to the Direct Connect gateway.
-
-
DataSync traffic (control plane) routes through the DataSync VPC endpoint.
-
DataSync traffic (data plane) routes through the DataSync network interfaces in the file system's subnet. This is the same subnet where the DataSync VPC endpoint is located.
-
DataSync traffic routes through the DataSync service to the file system (destination location).
Direct Connect architecture with VPC endpoint and file system destination in different subnets
When transferring to or from an Amazon EFS or Amazon FSx file system, your file system and DataSync VPC endpoint can be in different subnets.
The following Direct Connect architecture shows a DataSync transfer from an on-premises storage system to an Amazon EFS or Amazon FSx file system.
-
The DataSync agent routes DataSync traffic from the on-premises storage system (source location) to the Direct Connect connection.
-
DataSync traffic routes to a Direct Connect gateway that's used for your transfer. To set this up, you must:
-
Associate the Direct Connect gateway with a virtual private gateway for the VPC. This is the VPC where the DataSync VPC endpoint is located and where the DataSync task creates network interfaces for the file system (destination location).
-
Create a private virtual interface that connects these VPCs to the Direct Connect gateway.
-
-
DataSync traffic (control plane) routes through the DataSync VPC endpoint.
-
DataSync traffic (data plane) routes through the DataSync network interfaces in the file system's subnet. This is a different subnet than where the DataSync VPC endpoint is located.
-
DataSync traffic routes through the DataSync service to the file system (destination location).
Using Direct Connect with a DataSync public or FIPS service endpoint
If your DataSync agent uses a public or Federal Information Processing Standard (FIPS) service endpoint, you can route your data transfer traffic through a Direct Connect connection by using a public virtual interface.
While Direct Connect advertises all local and remote AWS Region prefixes by default, you can use BGP community tags to control the scope (Regional or global) and route preference of traffic on the public virtual interface. You must advertise at least one public prefix to create your DataSync agent.
The following Direct Connect architecture shows a DataSync transfer from an on-premises storage system through a public or FIPS endpoint to an S3 bucket.
-
The DataSync agent routes DataSync traffic from the on-premises storage system (source location) to the Direct Connect connection.
-
DataSync traffic routes to the DataSync service through a public virtual interface.
-
DataSync traffic to the S3 bucket (destination location).
Next steps
If you need a DataSync agent and haven't created one yet, deploy the agent, choose a service endpoint for the agent, and then activate the agent.
Once you create the agent, you can configure your network for DataSync.
