Requirements for setting up Tape Gateway - AWS Storage Gateway

Requirements for setting up Tape Gateway

Unless otherwise noted, the following requirements are common to all gateway configurations.

Hardware and storage requirements

This section describes the minimum hardware and settings for your gateway and the minimum amount of disk space to allocate for the required storage.

Hardware requirements for VMs

When deploying your gateway, you must make sure that the underlying hardware on which you deploy the gateway VM can dedicate the following minimum resources:

  • Four virtual processors assigned to the VM.

  • For Tape Gateway, your hardware should dedicate the following amounts of RAM:

    • 16 GiB of reserved RAM for gateways with cache size up to 16 TiB

    • 32 GiB of reserved RAM for gateways with cache size 16 TiB to 32 TiB

    • 48 GiB of reserved RAM for gateways with cache size 32 TiB to 64 TiB

  • 80 GiB of disk space for installation of VM image and system data.

For more information, see Optimizing gateway performance. For information about how your hardware affects the performance of the gateway VM, see AWS Storage Gateway quotas.

Requirements for Amazon EC2 instance types

When deploying your gateway on Amazon Elastic Compute Cloud (Amazon EC2), the instance size must be at least xlarge for your gateway to function. However, for the compute-optimized instance family the size must be at least 2xlarge.

Note

The Storage Gateway AMI is only compatible with x86-based instances that use Intel or AMD processors. ARM-based instances that use Graviton processors are not supported.

For Tape Gateway, your Amazon EC2 instance should dedicate the following amounts of RAM depending on the cache size you plan to use for your gateway:

  • 16 GiB of reserved RAM for gateways with cache size up to 16 TiB

  • 32 GiB of reserved RAM for gateways with cache size 16 TiB to 32 TiB

  • 48 GiB of reserved RAM for gateways with cache size 32 TiB to 64 TiB

Use one of the following instance types recommended for your gateway type.

Recommended for Tape Gateway

  • General-purpose instance family – m4, m5, or m6 instance type.

  • Compute-optimized instance family – c4, c5, c6, or c7 instance types. Choose the 2xlarge instance size or higher to meet the required RAM requirements.

  • Memory-optimized instance family – r3, r5, r6, or r7 instance types.

  • Storage-optimized instance family – i3, i4, or i7 instance types.

Storage requirements

In addition to 80 GiB disk space for the VM, you also need additional disks for your gateway.

The following table recommends sizes for local disk storage for your deployed gateway.

Gateway Type Cache (Minimum) Cache (Maximum) Upload Buffer (Minimum) Upload Buffer (Maximum) Other Required Local Disks
Tape Gateway 150 GiB 64 TiB 150 GiB 2 TiB
Note

You can configure one or more local drives for your cache and upload buffer, up to the maximum capacity.

When adding cache or upload buffer to an existing gateway, it's important to create new disks in your host (hypervisor or Amazon EC2 instance). Don't change the size of existing disks if the disks have been previously allocated as either a cache or upload buffer.

For information about gateway quotas, see AWS Storage Gateway quotas.

Network and firewall requirements

Your gateway requires access to the internet, local networks, Domain Name Service (DNS) servers, firewalls, routers, and so on. Following, you can find information about required ports and how to allow access through firewalls and routers.

Note

In some cases, you might deploy Storage Gateway on Amazon EC2 or use other types of deployment (including on-premises) with network security policies that restrict AWS IP address ranges. In these cases, your gateway might experience service connectivity issues when the AWS IP range values changes. The AWS IP address range values that you need to use are in the Amazon service subset for the AWS Region that you activate your gateway in. For the current IP range values, see AWS IP address ranges in the AWS General Reference.

Note

Network bandwidth requirements vary based on the quantity of data that is uploaded and downloaded by the gateway. A minimum of 100Mbps is required to successfully download, activate, and update the gateway. Your data transfer patterns will determine the bandwidth necessary to support your workload. In some cases, you might deploy Storage Gateway on Amazon EC2 or use other types of deployment

Port requirements

Tape Gateway requires specific ports to be allowed through your network security for successful deployment and operation. Some ports are required for all gateways, while others are required only for specific configurations, such as when connecting to VPC endpoints.

Port requirements for Tape Gateway

Network Element

From

To

Protocol

Port

Inbound

Outbound

Required

Notes

Web browser

Your web browser

Storage Gateway VM

TCP HTTP

80

Used by local systems to obtain the Storage Gateway activation key. Port 80 is used only during activation of a Storage Gateway appliance. A Storage Gateway VM doesn't require port 80 to be publicly accessible. The required level of access to port 80 depends on your network configuration. If you activate your gateway from the Storage Gateway Management Console, the host from which you connect to the console must have access to your gateway's port 80.

Web browser

Storage Gateway VM

AWS

TCP HTTPS

443

AWS Management Console (all other operations)

DNS

Storage Gateway VM

Domain Name Service (DNS) server

TCP & UDP DNS

53

Used for communication between a Storage Gateway VM and the DNS server for IP name resolution.

NTP

Storage Gateway VM

Network Time Protocol (NTP) server

TCP & UDP NTP

123

Used by on-premises systems to synchronize VM time to the host time. A Storage Gateway VM is configured to use the following NTP servers:

  • 0.amazon.pool.ntp.org

  • 1.amazon.pool.ntp.org

  • 2.amazon.pool.ntp.org

  • 3.amazon.pool.ntp.org

Note

Not required for gateways hosted on Amazon EC2.

Storage Gateway

Storage Gateway VM

Support Endpoint

TCP SSH

22

Allows Support to access your gateway to help you with troubleshooting gateway issues. You don't need this port open for the normal operation of your gateway, but it is required for troubleshooting. For a list of support endpoints, see Support endpoints.

Storage Gateway

Storage Gateway VM

AWS

TCP HTTPS

443

Management control

Amazon CloudFront

Storage Gateway VM

AWS

TCP HTTPS

443

For activation

VPC

Storage Gateway VM

AWS

TCP HTTPS

443

✓*

Management control

*Required only when using VPC endpoints

VPC

Storage Gateway VM

AWS

TCP HTTPS

1026

✓*

Control Plane endpoint

*Required only when using VPC endpoints

VPC

Storage Gateway VM

AWS

TCP HTTPS

1027

✓*

Anon Control Plane (for activation)

*Required only when using VPC endpoints

VPC

Storage Gateway VM

AWS

TCP HTTPS

1028

✓*

Proxy endpoint

*Required only when using VPC endpoints

VPC

Storage Gateway VM

AWS

TCP HTTPS

1031

✓*

Data Plane

*Required only when using VPC endpoints

VPC

Storage Gateway VM

AWS

TCP HTTPS

2222

✓*

SSH Support Channel for VPCe

*Required only for opening support channel when using VPC endpoints

VPC

Storage Gateway VM

AWS

TCP HTTPS

443

✓*

Management control

*Required only when using VPC endpoints

iSCSI Client

iSCSI client

Storage Gateway VM

TCP

3260

For local systems to connect to iSCSI targets exposed by the gateway.

The following illustration shows network traffic flow for a basic Tape Gateway deployment.

network resources connected to Storage Gateway using various ports.

Networking and firewall requirements for the Storage Gateway Hardware Appliance

Each Storage Gateway Hardware Appliance requires the following network services:

  • Internet access – an always-on network connection to the internet through any network interface on the server.

  • DNS services – DNS services for communication between the hardware appliance and DNS server.

  • Time synchronization – an automatically configured Amazon NTP time service must be reachable.

  • IP address – A DHCP or static IPv4 address assigned. You cannot assign an IPv6 address.

There are five physical network ports at the rear of the Dell PowerEdge R640 server. From left to right (facing the back of the server) these ports are as follows:

  1. iDRAC

  2. em1

  3. em2

  4. em3

  5. em4

You can use the iDRAC port for remote server management.

network resources connected to hardware appliance using various ports.

A hardware appliance requires the following ports to operate.

Protocol

Port

Direction

Source

Destination

How Used

SSH

22

Outbound

Hardware appliance

54.201.223.107

Support channel
DNS 53 Outbound Hardware appliance DNS servers Name resolution
UDP/NTP 123 Outbound Hardware appliance *.amazon.pool.ntp.org Time synchronization
HTTPS

443

Outbound

Hardware appliance

*.amazonaws.com

Data transfer

HTTP 8080 Inbound AWS Hardware appliance Activation (only briefly)

To perform as designed, a hardware appliance requires network and firewall settings as follows:

  • Configure all connected network interfaces in the hardware console.

  • Make sure that each network interface is on a unique subnet.

  • Provide all connected network interfaces with outbound access to the endpoints listed in the diagram preceding.

  • Configure at least one network interface to support the hardware appliance. For more information, see Configuring hardware appliance network parameters.

Note

For an illustration showing the back of the server with its ports, see Physically installing your hardware appliance

All IP addresses on the same network interface (NIC), whether for a gateway or a host, must be on the same subnet. The following illustration shows the addressing scheme.

host IP and service IP on a single subnet sharing one NIC.

For more information on activating and configuring a hardware appliance, see Using the Storage Gateway Hardware Appliance.

Allowing AWS Storage Gateway access through firewalls and routers

Your gateway requires access to the following service endpoints to communicate with AWS. If you use a firewall or router to filter or limit network traffic, you must configure your firewall and router to allow these service endpoints for outbound communication to AWS.

Note

If you configure private VPC endpoints for your Storage Gateway to use for connection and data transfer to and from AWS, your gateway does not require access to the public internet. For more information, see Activating a gateway in a virtual private cloud.

Important

Depending on your gateway's AWS Region, replace region in the service endpoint with the correct region string.

The following service endpoints are required by all gateways for control path (anon-cp, client-cp, proxy-app) and data path (dp-1) operations.

anon-cp.storagegateway.region.amazonaws.com:443 client-cp.storagegateway.region.amazonaws.com:443 proxy-app.storagegateway.region.amazonaws.com:443 dp-1.storagegateway.region.amazonaws.com:443

The following gateway service endpoint is required to make API calls.

storagegateway.region.amazonaws.com:443

The following example is a gateway service endpoint in the US West (Oregon) Region (us-west-2).

storagegateway.us-west-2.amazonaws.com:443

A Storage Gateway VM is configured to use the following NTP servers.

0.amazon.pool.ntp.org 1.amazon.pool.ntp.org 2.amazon.pool.ntp.org 3.amazon.pool.ntp.org

Configuring security groups for your Amazon EC2 gateway instance

A security group controls traffic to your Amazon EC2 gateway instance. When you configure a security group, we recommend the following:

  • The security group should not allow incoming connections from the outside internet. It should allow only instances within the gateway security group to communicate with the gateway. If you need to allow instances to connect to the gateway from outside its security group, we recommend that you allow connections only on ports 3260 (for iSCSI connections) and 80 (for activation).

  • If you want to activate your gateway from an Amazon EC2 host outside the gateway security group, allow incoming connections on port 80 from the IP address of that host. If you cannot determine the activating host's IP address, you can open port 80, activate your gateway, and then close access on port 80 after completing activation.

  • Allow port 22 access only if you are using Support for troubleshooting purposes. For more information, see You want Support to help troubleshoot your EC2 gateway.

In some cases, you might use an Amazon EC2 instance as an initiator (that is, to connect to iSCSI targets on a gateway that you deployed on Amazon EC2. In such a case, we recommend a two-step approach:

  1. You should launch the initiator instance in the same security group as your gateway.

  2. You should configure access so the initiator can communicate with your gateway.

For information about the ports to open for your gateway, see Port requirements.

Supported hypervisors and host requirements

You can run Storage Gateway on-premises as either a virtual machine (VM) appliance, or a physical hardware appliance, or in AWS as an Amazon EC2 instance.

Note

When a manufacturer ends general support for a hypervisor version, Storage Gateway also ends support for that hypervisor version. For detailed information about support for specific versions of a hypervisor, see the manufacturer's documentation.

Storage Gateway supports the following hypervisor versions and hosts:

  • VMware ESXi Hypervisor (version 7.0 or 8.0) – For this setup, you also need a VMware vSphere client to connect to the host.

  • Microsoft Hyper-V Hypervisor (version 2012 R2, 2016, 2019, or 2022) – A free, standalone version of Hyper-V is available at the Microsoft Download Center. For this setup, you need a Microsoft Hyper-V Manager on a Microsoft Windows client computer to connect to the host.

  • Linux Kernel-based Virtual Machine (KVM) – A free, open-source virtualization technology. KVM is included in all versions of Linux version 2.6.20 and newer. Storage Gateway is tested and supported for the CentOS/RHEL 7.7, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS distributions. Any other modern Linux distribution may work, but function or performance is not guaranteed. We recommend this option if you already have a KVM environment up and running and you are already familiar with how KVM works.

  • Amazon EC2 instance – Storage Gateway provides an Amazon Machine Image (AMI) that contains the gateway VM image. Only file, cached volume, and Tape Gateway types can be deployed on Amazon EC2. For information about how to deploy a gateway on Amazon EC2, see Deploy a customized Amazon EC2 instance for Tape Gateway.

  • Storage Gateway Hardware Appliance – Storage Gateway provides a physical hardware appliance as a on-premises deployment option for locations with limited virtual machine infrastructure.

Note

Storage Gateway doesn’t support recovering a gateway from a VM that was created from a snapshot or clone of another gateway VM or from your Amazon EC2 AMI. If your gateway VM malfunctions, activate a new gateway and recover your data to that gateway. For more information, see Recovering from an unexpected virtual machine shutdown.

Storage Gateway doesn’t support dynamic memory and virtual memory ballooning.

Supported iSCSI initiators

When you deploy a Tape Gateway, the gateway is preconfigured with one media changer and 10 tape drives. These tape drives and the media changer are available to your existing client backup applications as iSCSI devices.

To connect to these iSCSI devices, Storage Gateway supports the following iSCSI initiators:

  • Microsoft Windows Server 2022

  • Red Hat Enterprise Linux 8

  • Red Hat Enterprise Linux 9

  • VMware ESX Initiator, which provides an alternative to using initiators in the guest operating systems of your VMs

Important

Storage Gateway doesn't support Microsoft Multipath I/O (MPIO) from Windows clients.

Storage Gateway supports connecting multiple hosts to the same volume if the hosts coordinate access by using Windows Server Failover Clustering (WSFC). However, you can't connect multiple hosts to that same volume (for example, sharing a nonclustered NTFS/ext4 file system) without using WSFC.

Supported third-party backup applications for a Tape Gateway

You use a backup application to read, write, and manage tapes with a Tape Gateway. The type of medium changer you choose depends on the backup application you plan to use.

AWS has tested the third-party backup applications in the following table to ensure compatibility with these Tape Gateway features and functions:

  • Discovery functionality including iSCSI initiator connectivity, medium changer, rescan, automatic and manual device mapping.

  • Tape functions including create, delete, import, export, inventory, and barcode visibility.

  • Erasure of tape content and verification that subsequent restores contain no data.

  • Data backup to single and multiple tapes, verification that backup jobs exceeding tape capacity will pause to wait for additional tapes.

  • Restoration of full and partial data from tapes and verification of data integrity.

  • Verification of functionality and data integrity after gateway shutdown and restart events during backup operations.

Backup Application Version Medium Changer Type Gateway Version Tested
Arcserve Backup 19 AWS-Gateway-VTL 2.12.3
Bacula Enterprise 15.0.2 AWS-Gateway-VTL or STK-L700 2.12.3
Commvault 2024E / 11.36.35 STK-L700 2.12.3
Dell EMC NetWorker 19.10 AWS-Gateway-VTL 2.12.3
IBM Storage Protect 8.1.10 IBM-03584L32-0402 All
Micro Focus Data Protector 24.4 AWS-Gateway-VTL 2.12.3
Microsoft System Center Data Protection Manager 2025 STK-L700 2.12.3
NovaStor DataCenter 9.5.3 STK-L700 2.12.3
Quest NetVault Backup 13.3 STK-L700 2.12.3
Veeam Backup & Replication 12 AWS-Gateway-VTL All
Veritas Backup Exec 24 AWS-Gateway-VTL All
Veritas NetBackup 10.5 AWS-Gateway-VTL 2.12.3
Important

We highly recommend that you choose the medium changer that's listed for your backup application. Other medium changers might not function properly. You can choose a different medium changer after the gateway is activated. For more information, see Selecting a Medium Changer After Gateway Activation.