Requirements for setting up Tape Gateway
Unless otherwise noted, the following requirements are common to all gateway configurations.
Hardware and storage requirements
This section describes the minimum hardware and settings for your gateway and the minimum amount of disk space to allocate for the required storage.
Hardware requirements for VMs
When deploying your gateway, you must make sure that the underlying hardware on which you deploy the gateway VM can dedicate the following minimum resources:
- Four virtual processors assigned to the VM.
- For Tape Gateway, your hardware should dedicate the following amounts of RAM:
  - 16 GiB of reserved RAM for gateways with cache size up to 16 TiB
  - 32 GiB of reserved RAM for gateways with cache size 16 TiB to 32 TiB
  - 48 GiB of reserved RAM for gateways with cache size 32 TiB to 64 TiB
- 80 GiB of disk space for installation of VM image and system data.
For more information, see Optimizing gateway performance. For information about how your hardware affects the performance of the gateway VM, see AWS Storage Gateway quotas.
Requirements for Amazon EC2 instance types
When deploying your gateway on Amazon Elastic Compute Cloud (Amazon EC2), the instance size must be at least xlarge for your gateway to function. However, for the compute-optimized instance family the size must be at least 2xlarge.
Note
The Storage Gateway AMI is only compatible with x86-based instances that use Intel or AMD processors. ARM-based instances that use Graviton processors are not supported.
For Tape Gateway, your Amazon EC2 instance should dedicate the following amounts of RAM depending on the cache size you plan to use for your gateway:
- 16 GiB of reserved RAM for gateways with cache size up to 16 TiB
- 32 GiB of reserved RAM for gateways with cache size 16 TiB to 32 TiB
- 48 GiB of reserved RAM for gateways with cache size 32 TiB to 64 TiB
Use one of the following instance types recommended for your gateway type.
Recommended for Tape Gateway
- General-purpose instance family – m4, m5, or m6 instance type.
- Compute-optimized instance family – c4, c5, c6, or c7 instance types. Choose the 2xlarge instance size or higher to meet the RAM requirements.
- Memory-optimized instance family – r3, r5, r6, or r7 instance types.
- Storage-optimized instance family – i3, i4, or i7 instance types.
Storage requirements
In addition to the 80 GiB of disk space for the VM, you need additional disks for your gateway.
The following table recommends sizes for local disk storage for your deployed gateway.
Gateway Type | Cache (Minimum) | Cache (Maximum) | Upload Buffer (Minimum) | Upload Buffer (Maximum) | Other Required Local Disks |
---|---|---|---|---|---|
Tape Gateway | 150 GiB | 64 TiB | 150 GiB | 2 TiB | — |
Note
You can configure one or more local drives for your cache and upload buffer, up to the maximum capacity.
When adding cache or upload buffer to an existing gateway, it's important to create new disks in your host (hypervisor or Amazon EC2 instance). Don't change the size of existing disks if the disks have been previously allocated as either a cache or upload buffer.
For information about gateway quotas, see AWS Storage Gateway quotas.
Network and firewall requirements
Your gateway requires access to the internet, local networks, Domain Name Service (DNS) servers, firewalls, routers, and so on. The following sections describe the required ports and how to allow access through firewalls and routers.
Note
In some cases, you might deploy Storage Gateway on Amazon EC2 or use other types of deployment (including on-premises) with network security policies that restrict AWS IP address ranges. In these cases, your gateway might experience service connectivity issues when the AWS IP range values change. The AWS IP address range values that you need to use are in the Amazon service subset for the AWS Region that you activate your gateway in. For the current IP range values, see AWS IP address ranges in the AWS General Reference.
Note
Network bandwidth requirements vary based on the quantity of data that is uploaded and downloaded by the gateway. A minimum of 100 Mbps is required to successfully download, activate, and update the gateway. Your data transfer patterns will determine the bandwidth necessary to support your workload.
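As an added example (not part of the AWS documentation), the following Python code compares a firewall allow-list with the Amazon service subset for one Region, so that drift is caught when the published IP ranges change. The sample data is constructed in the shape of the published ip-ranges.json file; the function names and the allow-list are assumptions, and only IPv4 entries are handled.

```python
import ipaddress

def amazon_prefixes(ip_ranges, region):
    """IPv4 networks published for the AMAZON service subset in one Region."""
    return {ipaddress.ip_network(p["ip_prefix"])
            for p in ip_ranges["prefixes"]
            if p["service"] == "AMAZON" and p["region"] == region}

def allowlist_drift(ip_ranges, region, allowlist):
    """Compare a firewall allow-list (IPv4 CIDR strings) with the published ranges.

    Returns (missing, stale): published networks that no allow-list entry
    covers, and allow-list entries that overlap no published network.
    """
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    published = amazon_prefixes(ip_ranges, region)
    missing = sorted(n for n in published
                     if not any(n.subnet_of(a) for a in allowed))
    stale = sorted(a for a in allowed
                   if not any(a.overlaps(n) for n in published))
    return [str(n) for n in missing], [str(a) for a in stale]

# Constructed sample (documentation address ranges), not real AWS data.
SAMPLE_RANGES = {
    "syncToken": "0", "createDate": "constructed-sample",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
}
FIREWALL_ALLOWLIST = ["198.51.100.0/24", "192.0.2.0/24"]  # hypothetical egress rules

if __name__ == "__main__":
    missing, stale = allowlist_drift(SAMPLE_RANGES, "us-west-2", FIREWALL_ALLOWLIST)
    print("published but not allowed:", missing)
    print("allowed but no longer published:", stale)
```

A non-empty `missing` list is the condition that produces the connectivity issues described in the note; `stale` entries are egress rules that can be removed.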
Port requirements
Tape Gateway requires specific ports to be allowed through your network security for successful deployment and operation. Some ports are required for all gateways, while others are required only for specific configurations, such as when connecting to VPC endpoints.
Port requirements for Tape Gateway
Network Element | From | To | Protocol | Port | Inbound | Outbound | Required | Notes |
---|---|---|---|---|---|---|---|---|
Web browser | Your web browser | Storage Gateway VM | TCP HTTP | 80 | ✓ | ✓ | ✓ | Used by local systems to obtain the Storage Gateway activation key. Port 80 is used only during activation of a Storage Gateway appliance. A Storage Gateway VM doesn't require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your gateway from the Storage Gateway Management Console, the host from which you connect to the console must have access to your gateway's port 80. |
Web browser | Storage Gateway VM | AWS | TCP HTTPS | 443 | ✓ | ✓ | ✓ | AWS Management Console (all other operations) |
DNS | Storage Gateway VM | Domain Name Service (DNS) server | TCP & UDP DNS | 53 | ✓ | ✓ | ✓ | Used for communication between a Storage Gateway VM and the DNS server for IP name resolution. |
NTP | Storage Gateway VM | Network Time Protocol (NTP) server | TCP & UDP NTP | 123 | ✓ | ✓ | ✓ | Used by on-premises systems to synchronize VM time to the host time. A Storage Gateway VM is configured to use the following NTP servers: 0.amazon.pool.ntp.org, 1.amazon.pool.ntp.org, 2.amazon.pool.ntp.org, 3.amazon.pool.ntp.org. Note: Not required for gateways hosted on Amazon EC2. |
Storage Gateway | Storage Gateway VM | Support Endpoint | TCP SSH | 22 | ✓ | ✓ | ✓ | Allows Support to access your gateway to help you with troubleshooting gateway issues. You don't need this port open for the normal operation of your gateway, but it is required for troubleshooting. For a list of support endpoints, see Support endpoints. |
Storage Gateway | Storage Gateway VM | AWS | TCP HTTPS | 443 | ✓ | ✓ | ✓ | Management control |
Amazon CloudFront | Storage Gateway VM | AWS | TCP HTTPS | 443 | ✓ | ✓ | ✓ | For activation |
VPC | Storage Gateway VM | AWS | TCP HTTPS | 443 | ✓ | ✓ | ✓* | Management control. *Required only when using VPC endpoints |
VPC | Storage Gateway VM | AWS | TCP HTTPS | 1026 | | ✓ | ✓* | Control Plane endpoint. *Required only when using VPC endpoints |
VPC | Storage Gateway VM | AWS | TCP HTTPS | 1027 | | ✓ | ✓* | Anon Control Plane (for activation). *Required only when using VPC endpoints |
VPC | Storage Gateway VM | AWS | TCP HTTPS | 1028 | | ✓ | ✓* | Proxy endpoint. *Required only when using VPC endpoints |
VPC | Storage Gateway VM | AWS | TCP HTTPS | 1031 | | ✓ | ✓* | Data Plane. *Required only when using VPC endpoints |
VPC | Storage Gateway VM | AWS | TCP HTTPS | 2222 | | ✓ | ✓* | SSH Support Channel for VPCe. *Required only for opening support channel when using VPC endpoints |
iSCSI Client | iSCSI client | Storage Gateway VM | TCP | 3260 | ✓ | ✓ | ✓ | For local systems to connect to iSCSI targets exposed by the gateway. |
The following illustration shows network traffic flow for a basic Tape Gateway deployment.

Networking and firewall requirements for the Storage Gateway Hardware Appliance
Each Storage Gateway Hardware Appliance requires the following network services:
- Internet access – an always-on network connection to the internet through any network interface on the server.
- DNS services – DNS services for communication between the hardware appliance and DNS server.
- Time synchronization – an automatically configured Amazon NTP time service must be reachable.
- IP address – A DHCP or static IPv4 address assigned. You cannot assign an IPv6 address.
There are five physical network ports at the rear of the Dell PowerEdge R640 server. From left to right (facing the back of the server) these ports are as follows:
- iDRAC
- em1
- em2
- em3
- em4
You can use the iDRAC port for remote server management.

A hardware appliance requires the following ports to operate.
Protocol | Port | Direction | Source | Destination | How Used |
---|---|---|---|---|---|
SSH | 22 | Outbound | Hardware appliance | | Support channel |
DNS | 53 | Outbound | Hardware appliance | DNS servers | Name resolution |
UDP/NTP | 123 | Outbound | Hardware appliance | *.amazon.pool.ntp.org | Time synchronization |
HTTPS | 443 | Outbound | Hardware appliance | | Data transfer |
HTTP | 8080 | Inbound | AWS | Hardware appliance | Activation (only briefly) |
To perform as designed, a hardware appliance requires network and firewall settings as follows:
- Configure all connected network interfaces in the hardware console.
- Make sure that each network interface is on a unique subnet.
- Provide all connected network interfaces with outbound access to the endpoints listed in the preceding diagram.
- Configure at least one network interface to support the hardware appliance. For more information, see Configuring hardware appliance network parameters.
Note
For an illustration showing the back of the server with its ports, see Physically installing your hardware appliance.
All IP addresses on the same network interface (NIC), whether for a gateway or a host, must be on the same subnet. The following illustration shows the addressing scheme.

For more information on activating and configuring a hardware appliance, see Using the Storage Gateway Hardware Appliance.
Allowing AWS Storage Gateway access through firewalls and routers
Your gateway requires access to the following service endpoints to communicate with AWS. If you use a firewall or router to filter or limit network traffic, you must configure your firewall and router to allow these service endpoints for outbound communication to AWS.
Note
If you configure private VPC endpoints for your Storage Gateway to use for connection and data transfer to and from AWS, your gateway does not require access to the public internet. For more information, see Activating a gateway in a virtual private cloud.
Important
Depending on your gateway's AWS Region, replace *region* in the service endpoint with the correct region string.
The following service endpoints are required by all gateways for control path (anon-cp, client-cp, proxy-app) and data path (dp-1) operations.
anon-cp.storagegateway.region.amazonaws.com:443
client-cp.storagegateway.region.amazonaws.com:443
proxy-app.storagegateway.region.amazonaws.com:443
dp-1.storagegateway.region.amazonaws.com:443
The following gateway service endpoint is required to make API calls.
storagegateway.region.amazonaws.com:443
The following example is a gateway service endpoint in the US West (Oregon) Region (us-west-2).
storagegateway.us-west-2.amazonaws.com:443
A Storage Gateway VM is configured to use the following NTP servers.
0.amazon.pool.ntp.org
1.amazon.pool.ntp.org
2.amazon.pool.ntp.org
3.amazon.pool.ntp.org
- Storage Gateway – For supported AWS Regions and a list of AWS service endpoints you can use with Storage Gateway, see AWS Storage Gateway endpoints and quotas in the AWS General Reference.
- Storage Gateway Hardware Appliance – For supported AWS Regions you can use with the hardware appliance, see Storage Gateway hardware appliance regions in the AWS General Reference.
Configuring security groups for your Amazon EC2 gateway instance
A security group controls traffic to your Amazon EC2 gateway instance. When you configure a security group, we recommend the following:
- The security group should not allow incoming connections from the outside internet. It should allow only instances within the gateway security group to communicate with the gateway. If you need to allow instances to connect to the gateway from outside its security group, we recommend that you allow connections only on ports 3260 (for iSCSI connections) and 80 (for activation).
- If you want to activate your gateway from an Amazon EC2 host outside the gateway security group, allow incoming connections on port 80 from the IP address of that host. If you cannot determine the activating host's IP address, you can open port 80, activate your gateway, and then close access on port 80 after completing activation.
- Allow port 22 access only if you are using Support for troubleshooting purposes. For more information, see You want Support to help troubleshoot your EC2 gateway.
In some cases, you might use an Amazon EC2 instance as an initiator (that is, to connect to iSCSI targets on a gateway that you deployed on Amazon EC2). In such a case, we recommend a two-step approach:
- You should launch the initiator instance in the same security group as your gateway.
- You should configure access so the initiator can communicate with your gateway.
For information about the ports to open for your gateway, see Port requirements.
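The security group recommendations above can be checked mechanically. The following Python code is an added example, not part of the AWS documentation: it audits inbound rules given in the shape of an EC2 DescribeSecurityGroups entry. The group IDs, sample rules, severity labels, and function names are constructed for illustration.

```python
import ipaddress

EXTERNAL_OK = {3260, 80}   # iSCSI and activation: the only ports recommended from outside the group
SUPPORT_PORT = 22          # allowed only while Support is troubleshooting

def covered_ports(perm):
    """Ports a rule covers; IpProtocol "-1" means every protocol and port."""
    if perm["IpProtocol"] == "-1":
        return set(range(0, 65536))
    return set(range(perm["FromPort"], perm["ToPort"] + 1))

def audit_gateway_sg(group):
    """Return (severity, source, detail) findings for one security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if perm["IpProtocol"] not in ("tcp", "udp", "-1"):
            continue  # ICMP and similar carry no port; out of scope here
        ports = covered_ports(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # A rule whose source is the group itself is the recommended setup.
        peers = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])
                 if g["GroupId"] != group["GroupId"]]
        for src in cidrs + peers:
            world = src in cidrs and ipaddress.ip_network(src, strict=False).prefixlen == 0
            if world and ports == {80}:
                findings.append(("MEDIUM", src, "port 80 open to the internet: close after activation"))
            elif world:
                findings.append(("HIGH", src, "incoming connections allowed from the internet"))
            if SUPPORT_PORT in ports:
                findings.append(("MEDIUM", src, "port 22 open: keep only while Support is troubleshooting"))
            if ports - EXTERNAL_OK - {SUPPORT_PORT}:
                findings.append(("HIGH", src, "outside source reaches ports other than 3260 and 80"))
    return findings

# Constructed sample in the shape of an EC2 DescribeSecurityGroups entry.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0example"}]},
        {"IpProtocol": "tcp", "FromPort": 3260, "ToPort": 3260,
         "IpRanges": [{"CidrIp": "10.0.5.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for severity, source, detail in audit_gateway_sg(SAMPLE_GROUP):
        print(f"{severity:6} {source:16} {detail}")
```

The self-referencing rule and the iSCSI rule from a private subnet produce no findings; the temporary port 80 rule, the port 22 rule, and the all-ports IPv6 rule are each reported.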
Supported hypervisors and host requirements
You can run Storage Gateway on-premises as either a virtual machine (VM) appliance, or a physical hardware appliance, or in AWS as an Amazon EC2 instance.
Note
When a manufacturer ends general support for a hypervisor version, Storage Gateway also ends support for that hypervisor version. For detailed information about support for specific versions of a hypervisor, see the manufacturer's documentation.
Storage Gateway supports the following hypervisor versions and hosts:
- VMware ESXi Hypervisor (version 7.0 or 8.0) – For this setup, you also need a VMware vSphere client to connect to the host.
- Microsoft Hyper-V Hypervisor (version 2012 R2, 2016, 2019, or 2022) – A free, standalone version of Hyper-V is available at the Microsoft Download Center. For this setup, you need a Microsoft Hyper-V Manager on a Microsoft Windows client computer to connect to the host.
- Linux Kernel-based Virtual Machine (KVM) – A free, open-source virtualization technology. KVM is included in all versions of Linux version 2.6.20 and newer. Storage Gateway is tested and supported for the CentOS/RHEL 7.7, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS distributions. Any other modern Linux distribution may work, but function or performance is not guaranteed. We recommend this option if you already have a KVM environment up and running and you are already familiar with how KVM works.
- Amazon EC2 instance – Storage Gateway provides an Amazon Machine Image (AMI) that contains the gateway VM image. Only file, cached volume, and Tape Gateway types can be deployed on Amazon EC2. For information about how to deploy a gateway on Amazon EC2, see Deploy a customized Amazon EC2 instance for Tape Gateway.
- Storage Gateway Hardware Appliance – Storage Gateway provides a physical hardware appliance as an on-premises deployment option for locations with limited virtual machine infrastructure.
Note
Storage Gateway doesn’t support recovering a gateway from a VM that was created from a snapshot or clone of another gateway VM or from your Amazon EC2 AMI. If your gateway VM malfunctions, activate a new gateway and recover your data to that gateway. For more information, see Recovering from an unexpected virtual machine shutdown.
Storage Gateway doesn’t support dynamic memory and virtual memory ballooning.
Supported iSCSI initiators
When you deploy a Tape Gateway, the gateway is preconfigured with one media changer and 10 tape drives. These tape drives and the media changer are available to your existing client backup applications as iSCSI devices.
To connect to these iSCSI devices, Storage Gateway supports the following iSCSI initiators:
- Microsoft Windows Server 2022
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- VMware ESX Initiator, which provides an alternative to using initiators in the guest operating systems of your VMs
Important
Storage Gateway doesn't support Microsoft Multipath I/O (MPIO) from Windows clients.
Storage Gateway supports connecting multiple hosts to the same volume if the hosts coordinate access by using Windows Server Failover Clustering (WSFC). However, you can't connect multiple hosts to that same volume (for example, sharing a nonclustered NTFS/ext4 file system) without using WSFC.
Supported third-party backup applications for a Tape Gateway
You use a backup application to read, write, and manage tapes with a Tape Gateway. The type of medium changer you choose depends on the backup application you plan to use.
AWS has tested the third-party backup applications in the following table to ensure compatibility with these Tape Gateway features and functions:
- Discovery functionality including iSCSI initiator connectivity, medium changer, rescan, automatic and manual device mapping.
- Tape functions including create, delete, import, export, inventory, and barcode visibility.
- Erasure of tape content and verification that subsequent restores contain no data.
- Data backup to single and multiple tapes, verification that backup jobs exceeding tape capacity will pause to wait for additional tapes.
- Restoration of full and partial data from tapes and verification of data integrity.
- Verification of functionality and data integrity after gateway shutdown and restart events during backup operations.
Backup Application | Version | Medium Changer Type | Gateway Version Tested |
---|---|---|---|
Arcserve Backup | 19 | AWS-Gateway-VTL | 2.12.3 |
Bacula Enterprise | 15.0.2 | AWS-Gateway-VTL or STK-L700 | 2.12.3 |
Commvault | 2024E / 11.36.35 | STK-L700 | 2.12.3 |
Dell EMC NetWorker | 19.10 | AWS-Gateway-VTL | 2.12.3 |
IBM Storage Protect | 8.1.10 | IBM-03584L32-0402 | All |
Micro Focus Data Protector | 24.4 | AWS-Gateway-VTL | 2.12.3 |
Microsoft System Center Data Protection Manager | 2025 | STK-L700 | 2.12.3 |
NovaStor DataCenter | 9.5.3 | STK-L700 | 2.12.3 |
Quest NetVault Backup | 13.3 | STK-L700 | 2.12.3 |
Veeam Backup & Replication | 12 | AWS-Gateway-VTL | All |
Veritas Backup Exec | 24 | AWS-Gateway-VTL | All |
Veritas NetBackup | 10.5 | AWS-Gateway-VTL | 2.12.3 |
Important
We highly recommend that you choose the medium changer that's listed for your backup application. Other medium changers might not function properly. You can choose a different medium changer after the gateway is activated. For more information, see Selecting a Medium Changer After Gateway Activation.