Connecting your network for AWS DataSync transfers
If you need an AWS DataSync agent, you must establish several network connections for a data transfer or storage discovery. The following diagram shows the three network connections in a DataSync transfer from a storage system (which could be on premises, in another cloud, or at the edge) to an AWS storage service.
1. Network connection between your storage system and agent
Your DataSync agent connects to your on-premises, other cloud, or edge storage system. For more information, see Network requirements for on-premises, self-managed, other cloud, and edge storage.
2. Network connection between your agent and DataSync service
There are a few aspects to connecting your agent to the DataSync service. First, you must connect your storage network to AWS. Second, your agent needs a service endpoint to communicate with DataSync.
Connecting your storage network to AWS
When using DataSync, consider the following options for connecting your storage network to AWS:
- AWS Direct Connect - With Direct Connect, you can create a dedicated connection between your storage network and AWS. From a DataSync perspective, this lets you:
  - Transfer data over a private path to your virtual private cloud (VPC), which avoids routing over the public internet.
  - Get a more predictable connection than using a virtual private network (VPN) to connect your storage network to AWS (particularly if your agent is an Amazon EC2 instance).
  - Use any type of DataSync service endpoint, including public, Federal Information Processing Standard (FIPS), or VPC endpoints.
  For more information, see DataSync architecture and routing examples with AWS Direct Connect.
- VPN - You can connect your storage network to AWS by using a VPN (such as AWS Site-to-Site VPN).
- Public internet - You can connect your storage network directly to DataSync over the internet by using a public or FIPS service endpoint. The agent's traffic is still encrypted in transit, but it is routed over the public internet rather than over a private path.
Choosing a service endpoint
Your agent uses a service endpoint to communicate with DataSync. For more information, see Choosing a service endpoint for your AWS DataSync agent.
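Before you activate an agent, it is worth confirming from the agent's subnet that the service endpoint you chose is actually reachable through the Direct Connect, VPN, or internet path you set up. The following is an added example (not AWS code and not part of this page): a small pre-flight check that derives the public or FIPS hostname from the region, takes a VPC endpoint's private DNS name or IP from the caller, and tests whether a TCP handshake completes to each host and port. The hostname patterns `datasync.<region>.amazonaws.com` and `datasync-fips.<region>.amazonaws.com` follow AWS naming; the port numbers, the `Target`, `preflight`, and `unreachable` names, and the control plane/data plane labels are this example's own, and port 443 in the `__main__` block is a placeholder. Take the real port list for your endpoint type from the DataSync network requirements page, and remember that a successful handshake from the host running this script only shows the path is open from that host, not that the agent has been permitted through every firewall on the way.

```python
"""Pre-flight TCP reachability check from a DataSync agent's network to its service endpoint.

Added example, not AWS code. It only confirms that a TCP handshake completes from the
host it runs on (run it from the agent's subnet). Ports are caller-supplied; take them
from the DataSync network requirements page for your endpoint type.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    purpose: str  # "control plane" or "data plane", as described on this page


def service_endpoint_host(endpoint_type: str, region: str,
                          vpc_endpoint_host: Optional[str] = None) -> str:
    """Hostname the agent talks to for the chosen endpoint type.

    Public and FIPS names follow AWS naming. A VPC endpoint is reached at the private
    DNS name or IP of its network interface, which the caller must supply.
    """
    if endpoint_type == "public":
        return f"datasync.{region}.amazonaws.com"
    if endpoint_type == "fips":
        return f"datasync-fips.{region}.amazonaws.com"
    if endpoint_type == "vpc":
        if not vpc_endpoint_host:
            raise ValueError("a VPC endpoint needs the endpoint's private DNS name or IP")
        return vpc_endpoint_host
    raise ValueError(f"unknown endpoint type: {endpoint_type!r}")


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port is established within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, or unroutable
        return False


def preflight(targets: List[Target], timeout: float = 3.0,
              workers: int = 8) -> Dict[Target, bool]:
    """Check every target concurrently; returns a per-target reachability map."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: tcp_reachable(t.host, t.port, timeout), targets))
    return dict(zip(targets, results))


def unreachable(report: Dict[Target, bool]) -> List[Target]:
    """Targets that failed, in input order, so a deployment script can fail closed."""
    return [t for t, ok in report.items() if not ok]


if __name__ == "__main__":
    # Constructed invocation. Port 443 is a placeholder; substitute the ports listed on
    # the DataSync network requirements page for the endpoint type you use.
    host = service_endpoint_host("fips", "us-east-1")
    report = preflight([Target(host, 443, "control plane")])
    for t, ok in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {t.purpose:<13} {t.host}:{t.port}")
    raise SystemExit(1 if unreachable(report) else 0)
```

Run it from an instance or host in the same subnet as the agent, with one `Target` per host and port from the requirements page, and wire the non-zero exit into whatever provisions the agent so that activation is not attempted over a path that is not open yet.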
3. Network connection between DataSync service and AWS storage service
To connect DataSync to an AWS storage service, you just have to make sure that the DataSync service can access your S3 bucket or file system. For more information, see Network requirements for AWS storage services.
Networking when you don't need a DataSync agent
For transfers that don't require a DataSync agent, you just have to make sure that the DataSync service can access the AWS storage services you’re transferring between. For more information, see Network requirements for AWS storage services.
How and where DataSync traffic flows through the network
DataSync has data plane and control plane traffic. Knowing how each of these flows through the network is important if you want to separate your DataSync traffic (for example, to restrict or monitor the data path independently of the management path).
- Data plane traffic – Includes the file or object data moving between your storage locations. In most cases, data plane traffic routes through network interfaces that DataSync automatically creates and manages when you create a task. Where these network interfaces get created depends on the type of AWS storage service you’re transferring to or from and the service endpoint that your DataSync agent uses.
- Control plane traffic – Includes management activities for your DataSync resources. This traffic routes through the service endpoint that your agent uses.
Network security for DataSync
For information about how your storage data (including metadata) is secured during a transfer, see AWS DataSync encryption in transit.