Why is my Storage Gateway activation failing when I try to activate my gateway using an Amazon VPC endpoint?


I'm trying to activate my gateway on AWS Storage Gateway using an Amazon Virtual Private Cloud (Amazon VPC) endpoint (provided by AWS PrivateLink). However, the activation is failing.

Resolution

Before you begin, confirm that your gateway meets the hardware and storage requirements for Storage Gateway.

Troubleshooting a gateway that's hosted on-premises

Note: These troubleshooting steps don't apply to an on-premises file gateway that uses an Amazon Simple Storage Service (Amazon S3) VPC endpoint for Amazon S3 traffic.

  • Confirm that your on-premises local network can communicate with your Amazon VPC, either over AWS Direct Connect or VPN. You can check this connection by pinging the private IP address of an Amazon Elastic Compute Cloud (Amazon EC2) instance within the VPC from your virtual machine or server that's on premises.
  • Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222.
  • Review the on-premises AWS Network Firewall. Confirm that the firewall allows outbound traffic to the gateway's domain name or IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222. Additionally, confirm that the firewall allows inbound traffic to the gateway's IP address on TCP port 80.
  • Confirm that your gateway can connect to the VPC endpoint by running a network connectivity test from your gateway's local console.
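The connectivity test in the last step can also be reproduced from any host on the same on-premises network segment as the gateway. The script below is an added example written for this article, not code from the AWS documentation or the Storage Gateway local console; it attempts a TCP handshake to the VPC endpoint on each port the article lists and reports which ones never connect. The endpoint DNS name is a placeholder that you replace with your own, and the `connect` parameter exists only so the probe can be exercised without network access.

```python
import socket
from typing import Callable, Dict, Iterable, List

# TCP ports the gateway must reach on the Storage Gateway VPC endpoint (from the article).
STORAGE_GATEWAY_PORTS = (443, 1026, 1027, 1028, 1031, 2222)


def _tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Return True only if a full TCP handshake to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers refused connections, timeouts (filtered) and DNS failures alike.
        return False


def probe_endpoint(host: str,
                   ports: Iterable[int] = STORAGE_GATEWAY_PORTS,
                   timeout: float = 3.0,
                   connect: Callable[[str, int, float], bool] = _tcp_connect) -> Dict[int, bool]:
    """Probe every port and return {port: reachable}; `connect` is injectable for offline tests."""
    return {port: connect(host, port, timeout) for port in ports}


def unreachable_ports(results: Dict[int, bool]) -> List[int]:
    """Sorted list of the ports that did not complete a handshake."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder (assumption): substitute the DNS name of your Storage Gateway VPC endpoint.
    endpoint = "vpce-EXAMPLE.storagegateway.us-east-1.vpce.amazonaws.com"
    results = probe_endpoint(endpoint)
    for port, ok in sorted(results.items()):
        print(f"tcp/{port}: {'open' if ok else 'blocked or filtered'}")
    missing = unreachable_ports(results)
    print("all required ports reachable" if not missing else f"check security group and firewall for: {missing}")
```

A port that times out rather than being refused usually points at a security group or on-premises firewall rule rather than at the endpoint itself, which is why the two preceding checks matter.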

Troubleshooting an on-premises file gateway that uses an Amazon S3 Gateway type VPC endpoint

If your on-premises file gateway uses an Amazon S3 Gateway type VPC endpoint (over Direct Connect or VPN) for Amazon S3 traffic, such as creating a file share or reading and writing to an S3 bucket, then you must create an HTTP proxy. The HTTP proxy can be hosted on an Amazon EC2 instance.

Note: In this configuration, you must also have a VPC endpoint for Storage Gateway, in addition to the VPC endpoint for Amazon S3. If your HTTP proxy is using a Squid proxy server, then the default TCP port is 3128.

To troubleshoot failing activation for an on-premises file gateway that uses an Amazon S3 Gateway type VPC endpoint, perform these checks:

  • Confirm that the private IP address of the EC2 instance (HTTP proxy host) is configured on the on-premises gateway with outbound HTTP proxy traffic allowed on TCP port 3128.
  • Check the security group that's attached to the EC2 instance (HTTP proxy host). Confirm that the security group allows inbound traffic from the gateway's IP address on TCP port 3128.
  • Check the security group that's attached to the Storage Gateway VPC endpoint. Confirm that the security group allows inbound traffic from the EC2 instance's (HTTP proxy host) IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222.
  • Review the on-premises Network Firewall. Confirm that the firewall allows outbound traffic to the EC2 instance's (HTTP proxy host) private IP address on TCP port 3128.

Troubleshooting a gateway that's hosted on Amazon EC2

  • Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, 1031, and 2222.
  • Check the security group that's attached to the gateway. Confirm that the security group allows inbound traffic on TCP port 80.
  • Confirm that the workstation you're using to activate the gateway can communicate with the VPC of the gateway instance over Direct Connect or VPN.
    Tip: If your workstation can't communicate with the VPC, try activating the gateway from another instance within the same VPC.
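The security group checks in the three sections above (the VPC endpoint's group, the HTTP proxy host's group, and the gateway instance's group) all ask the same question: does an inbound rule cover a given source address on each required TCP port? The audit below is an added example written for this article, not AWS code; it evaluates a security group in the shape returned by `ec2:DescribeSecurityGroups` against a source IP and a port list, and reports the ports no CIDR rule covers. The sample group, group ID and addresses are constructed. Rules that reference another security group (`UserIdGroupPairs`) are deliberately not evaluated, because resolving them needs the source's group membership, so a port that only such a rule allows is reported as missing.

```python
import ipaddress
from typing import Iterable, List

# Ports from the article: gateway -> Storage Gateway VPC endpoint, and gateway -> Squid proxy.
STORAGE_GATEWAY_PORTS = (443, 1026, 1027, 1028, 1031, 2222)
HTTP_PROXY_PORT = 3128


def _rule_covers(rule: dict, port: int, source) -> bool:
    """True if one IpPermissions entry allows TCP `port` from the address `source` by CIDR."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # "All traffic" rules carry no FromPort/ToPort
        port_ok = True
    elif proto == "tcp":
        port_ok = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    else:
        return False                        # udp/icmp rules never satisfy a TCP check
    if not port_ok:
        return False
    if source.version == 4:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    else:
        cidrs = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # UserIdGroupPairs (rules keyed on another security group) are intentionally not resolved.
    return any(source in ipaddress.ip_network(c, strict=False) for c in cidrs)


def missing_inbound_ports(security_group: dict, source_ip: str,
                          required_ports: Iterable[int]) -> List[int]:
    """Ports in `required_ports` that no inbound rule of the group allows from `source_ip`."""
    source = ipaddress.ip_address(source_ip)
    rules = security_group.get("IpPermissions", [])
    return sorted(p for p in required_ports
                  if not any(_rule_covers(r, p, source) for r in rules))


def fetch_security_group(group_id: str, region: str) -> dict:
    """Fetch one group with boto3 (needs credentials with ec2:DescribeSecurityGroups)."""
    import boto3  # imported lazily so the audit functions above work offline
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]


# Constructed sample: a VPC endpoint security group with two gaps for a gateway at 192.168.10.25.
SAMPLE_ENDPOINT_SG = {
    "GroupId": "sg-0123456789abcdef0",   # constructed, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 1026, "ToPort": 1028,
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # 2222 is allowed, but only from the VPC range, not from the on-premises gateway.
        {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    gateway_ip = "192.168.10.25"   # constructed on-premises gateway address
    gaps = missing_inbound_ports(SAMPLE_ENDPOINT_SG, gateway_ip, STORAGE_GATEWAY_PORTS)
    print(f"endpoint security group is missing inbound TCP from {gateway_ip} on: {gaps}")
```

Run the same function with the proxy host's private IP against the endpoint group, and with the gateway's IP against the proxy host's group using `[HTTP_PROXY_PORT]`, to cover the proxy configuration described earlier.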

Using VPC Flow Logs to troubleshoot Storage Gateway activation using a VPC endpoint

To get more information about why your gateway's activation is failing, turn on VPC Flow Logs on the elastic network interface of the VPC endpoint.

After you enable VPC Flow Logs, review the flow records for the VPC endpoint. For example, use the flow logs to determine if any ports are rejecting the traffic required for your gateway's activation.
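The review of flow records can be scripted. The parser below is an added example for this article, not AWS tooling; it reads records in the default VPC Flow Logs format (version 2, 14 space-separated fields) and counts, per required activation port, the source addresses whose TCP traffic the endpoint's network interface rejected. The log lines, account ID and interface ID are constructed. Records with a `log-status` of `NODATA` or `SKIPDATA` carry `-` placeholders instead of addresses and ports, so they are skipped before any field is converted.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Activation ports from the article; a REJECT on any of these explains a failed activation.
STORAGE_GATEWAY_PORTS = {443, 1026, 1027, 1028, 1031, 2222}

# Field order of the default (version 2) VPC Flow Logs record format.
DEFAULT_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
                  "srcport", "dstport", "protocol", "packets", "bytes",
                  "start", "end", "action", "log_status")


def parse_flow_record(line: str) -> dict:
    """Split one default-format record into a field dict; raises on a malformed line."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(DEFAULT_FIELDS, parts))


def rejected_activation_traffic(lines: Iterable[str],
                                required_ports=STORAGE_GATEWAY_PORTS) -> Dict[int, Dict[str, int]]:
    """Map each required port to {source address: number of rejected TCP flows}."""
    rejects = defaultdict(Counter)
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK":       # NODATA / SKIPDATA rows have no usable fields
            continue
        if rec["action"] != "REJECT" or rec["protocol"] != "6":   # TCP only
            continue
        port = int(rec["dstport"])
        if port in required_ports:
            rejects[port][rec["srcaddr"]] += 1
    return {port: dict(counter) for port, counter in rejects.items()}


def summarize(rejects: Dict[int, Dict[str, int]]) -> List[str]:
    """Human-readable lines, one per port, sorted by port number."""
    return [f"tcp/{port}: rejected from " + ", ".join(f"{src} ({n}x)" for src, n in sorted(sources.items()))
            for port, sources in sorted(rejects.items())]


# Constructed flow records for an endpoint interface: 443 accepted, 1031 and 2222 rejected.
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0123456789abcdef0 192.168.10.25 10.0.1.10 49152 443 6 12 2480 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 192.168.10.25 10.0.1.10 49153 1031 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 192.168.10.25 10.0.1.10 49154 1031 6 3 180 1700000060 1700000120 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 192.168.10.25 10.0.1.10 49155 2222 6 2 120 1700000060 1700000120 REJECT OK",
    # Unrelated port: not part of activation, so not reported.
    "2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.10 40000 22 6 1 60 1700000060 1700000120 REJECT OK",
    # UDP to an activation port: ignored, activation traffic is TCP.
    "2 123456789012 eni-0123456789abcdef0 192.168.10.25 10.0.1.10 49156 1031 17 1 60 1700000060 1700000120 REJECT OK",
    # Aggregation interval with no traffic: placeholders only.
    "2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000120 1700000180 - NODATA",
]

if __name__ == "__main__":
    for line in summarize(rejected_activation_traffic(SAMPLE_FLOW_LOG)):
        print(line)
```

A port that appears here was reached by the gateway but refused by a security group or network ACL on the endpoint side; a port that never appears at all, accepted or rejected, was blocked before the VPC, which points back at the on-premises firewall.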


AWS OFFICIAL
Updated 2 years ago