Create a File Gateway in a Secured AWS VPC

So let’s get this started:

  1. Choose Endpoints from the left panel, and then choose Create Endpoint.
  2. On the Create Endpoint page, choose AWS Services for Service category.
  3. For Service Name, choose com.amazonaws.region.storagegateway. For example
  4. For VPC, choose your VPC and note its Availability Zones and subnets( for this I would prefer you use Custom VPC, and choose private subnets that you have in those VPC. Keep in mind you should have Route Tables set accordingly for those private subnets i.e. Route Table should have local and NAT access)
  5. Verify that Enable Private DNS Name is not selected.
  6. For the Security group, choose the security group that you want to use for your VPC. You can accept the default security group. Verify that all of the following TCP ports are allowed in your security group:
  • TCP 1026
  • TCP 1027
  • TCP 1028
  • TCP 1031
  • TCP 2222

8. Choose Create an endpoint. The initial state of the endpoint is pending. When the endpoint is created, note the ID of the VPC endpoint that you just created.

9. When the endpoint is created, choose Endpoints, then choose the new VPC endpoint.

10. In the DNS Names section, use the first DNS name that doesn’t specify an Availability Zone. Your DNS name look similar to this:

11. Now create an endpoint for Amazon S3. Follow the same steps as shown in To create a VPC endpoint for AWS Storage Gateway section above but you choose under Service Name instead. Then you select the route table that you want the S3 endpoint associated with instead of the subnet/security group(for this demo select your route table associated with the private subnet which you selected previously).

Note: We can create policy while creating the Gateway endpoint, for restricted access. But for this demo, we will keep the policy default which will allow all access.


Now as we are creating Gateway using VPC endpoint which is in Private subnet, we will not be able to create Gateway from Console. We need to create the gateway using AWS CLI from one of the bastion host of our custom VPC,(bastion: a server in public subnet of our custom VPC whose route table has access to local network and Internet gateway. This way it will be able to talk to resources in private subnet as well as it has internet access we will be able to access those resources).

  1. Go to EC2 Dashboard of AWS Console.
  2. From the console dashboard, choose Launch Instance
  3. The Choose an Amazon Machine Image (AMI) page displays a list of basic configurations, called Amazon Machine Images (AMIs), that serve as templates for your instance. Select an HVM version of Amazon Linux 2. Notice that these AMIs are marked “Free tier eligible.”
  4. On the Choose an Instance Type page, you can select the hardware configuration of your instance. Select the t2.micro instance type, which is selected by default. The t2.micro instance type is eligible for the free tier. In Regions where t2.micro is unavailable, you can use a t3.micro instance under the free tier.
  5. Choose your Custom VPC, and PUBLIC Subnet, and Enable Auto-assign Public IP.
  6. Keep Storage and Tags default. For Security Group allow the instance to SSH from your system and have HTTP and HTTPS port open(SSH, HTTP, HTTPS)
  7. Click Review and launch and then launch the instance with your associated Key Pair.

If you don’t have a Key Pair, Create a new Key Pair, Download it, and then launch the instance.

Once this instance is launched go to Storage Gateway Dashboard from AWS Services options.

  1. Now Click on Launch Instance to launch an instance as a gateway server. This will take you to the EC2 launch instance step where it automatically selects a Gateway AMI and lands you on the instance type page. Select m4.xlarge(generally preferred for smooth working of Storage Gateway).
  2. In VPC choose your Custom VPC > Private Subnet > enable public ip.
  3. In Storage ‘Add New Volume’(EBS) > 150GiB
  4. You can add tags if you want(optional)
  5. For Security Group choose a security group that has the following ports open for the CIDR range of your Custom VPC:

PORT 22, 80, 111, 2049, 20048

Next Review and Launch. You can review all the configuration you have selected for the gateway instance and then click Launch.

Once the instance is up and running, SSH into your bastion > configure your AWS CLI access with proper AWS Credentials.

http://GATEWAY_EC2_IP ADDRESS/?gatewayType=FILE_S3&activationRegion=REGION&vpcEndpoint=VPCEndpointDNSname&no_redirect


curl “"

An example activation key follows.


Use the following command to create Gateway:

aws --region us-east-1 storagegateway activate-gateway --activation-key BME11-LQPTD-DF11P-BLLQ0-111V1 --gateway-type FILE_S3 --gateway-name user-ec2-iad-pl-fgw2 --gateway-timezone GMT-4:00 --gateway-region us-east-1 --endpoint-url

Following is an example response:

{“GatewayARN”: “arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-FFF12345”}

Now when you go to the Storage Gateway dashboard from AWS Console, you can see that a gateway is created for you.

Select that Gateway > Actions > edit local disks > select your EBS volume that you attached to the gateway instance.

Now create File Share with this Gateway, with the bucket which is in the same region as this gateway.


(Create File Share part)

Now once the File Share is created you won’t be able to mount your File Share on your local system as this is in a totally different and secured network.

If you are working on AWS WorkSpace and that is in the same private subnet as this gateway then it will be able to mount to this gateway. But if you want to mount to your local System then you need an AWS Site-to-Site VPN connection.

I will soon create an AWS Site-to-Site VPN connection blog and refer to the link here.

Till then keep exploring AWS.



Table of Contents

On Key

Related Posts

Doc Analyzer

AWS Textract Based Document Segregation Automating Doc’s Data Extraction from any document using Amazon Textract in Python. This project was intended to segregate the submitted