Why is my Storage Gateway activation failing when I try to activate my gateway using an Amazon VPC endpoint?

Last updated: 2020-09-30

I'm trying to activate my gateway on AWS Storage Gateway using an Amazon Virtual Private Cloud (Amazon VPC) endpoint (provided by AWS PrivateLink). However, the activation is failing. How can I troubleshoot this?

Resolution

Before you begin, confirm that your gateway meets the hardware and storage requirements for Storage Gateway.

Troubleshooting a gateway that's hosted on-premises

Note: These troubleshooting steps don't apply to an on-premises file gateway that uses an Amazon Simple Storage Service (Amazon S3) VPC endpoint for Amazon S3 traffic. 

  • Confirm that your on-premises local network can communicate with your Amazon VPC, either over AWS Direct Connect or VPN. You can check this connection by pinging the private IP address of an Amazon Elastic Compute Cloud (Amazon EC2) instance within the VPC from your virtual machine or server that's on premises. (The instance's security group must allow inbound ICMP echo requests from your on-premises address range, or the ping fails even when the connection is healthy.)
  • Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, and 1031. Also confirm that the network ACLs of the endpoint's subnets don't block that traffic.
  • Review the on-premises network firewall. Confirm that the firewall allows outbound traffic from the gateway to the VPC endpoint's DNS name or private IP addresses on TCP ports 443, 1026, 1027, 1028, and 1031. Additionally, confirm that the firewall allows inbound traffic to the gateway's IP address on TCP port 80 from the workstation that you use to activate the gateway.
  • Confirm that your gateway can connect to the VPC endpoint by running a network connectivity test from your gateway's local console.

Troubleshooting an on-premises file gateway that uses an Amazon S3 VPC endpoint

If your on-premises file gateway uses an Amazon S3 VPC endpoint (over Direct Connect or VPN) for Amazon S3 traffic, such as creating a file share or reading and writing to an S3 bucket, then you must route the gateway's traffic through a proxy. The proxy can be hosted on an Amazon EC2 instance in the VPC.

Note: In this configuration, you must also have a VPC endpoint for Storage Gateway, in addition to the VPC endpoint for Amazon S3. 

To troubleshoot failing activation for an on-premises file gateway that uses an Amazon S3 VPC endpoint, perform these checks:

  • Confirm that the on-premises gateway is configured to use the private IP address of the EC2 instance (proxy host) as its proxy on TCP port 3128, and that outbound traffic from the gateway on that port is allowed.
  • Check the security group that's attached to the EC2 instance (proxy host). Confirm that the security group allows inbound traffic from the gateway's IP address on TCP port 3128.
  • Check the security group that's attached to the Storage Gateway VPC endpoint. Confirm that the security group allows inbound traffic from the EC2 instance's (proxy host) IP address on TCP ports 443, 1026, 1027, 1028, and 1031.
  • Review the on-premises network firewall. Confirm that the firewall allows outbound traffic to the EC2 instance's (proxy host) private IP address on TCP port 3128.
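The two checklists above (direct connectivity from the gateway to the Storage Gateway VPC endpoint, and connectivity from the gateway to the proxy host on TCP port 3128) come down to the same question: does a TCP handshake complete on each required port? The following script is an added example and is not AWS code or part of the Storage Gateway product. The gateway appliance itself offers no shell, so run it from a host on the same on-premises subnet as the gateway (to approximate the local console's network test) or from the proxy host (to test the proxy-to-endpoint leg). The endpoint DNS name or IP address is an argument you supply; nothing on the page fixes its value. The script separates a timeout (the SYN was dropped, which is how a security group, network ACL, or stateful firewall denies) from a connection refused (the host was reached and answered with a RST) and from a DNS failure (the endpoint's private DNS name resolves only through the VPC's resolver), because each of those points at a different item in the checklist.

```python
import socket

# Ports the article lists for gateway-to-Storage-Gateway-VPC-endpoint traffic.
ENDPOINT_PORTS = (443, 1026, 1027, 1028, 1031)
# Proxy port the article names for the S3-VPC-endpoint configuration.
PROXY_PORT = 3128


def check_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake to host:port and classify the outcome.

    Returns (ok, detail). The failure class is the diagnostic signal:
      - timeout: the SYN was silently dropped (security group, network ACL,
        or on-premises firewall), since those never send a RST;
      - refused: a host answered with a RST, so the network path is open and
        the problem is at the destination (nothing listening, host firewall);
      - dns: the resolver in use cannot resolve the name (the endpoint's
        private DNS name is only resolvable from inside the VPC; use the
        endpoint's private IP addresses from on premises).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"dns: {exc}"
    except socket.timeout:
        return False, "timeout (SYN dropped: check security group, network ACL, firewall)"
    except ConnectionRefusedError:
        return False, "refused (host reached, RST returned: nothing listening or host firewall)"
    except OSError as exc:
        return False, f"error: {exc.strerror or exc}"


def check_ports(host, ports, timeout=3.0):
    """Check every port in `ports` on `host`; return {port: (ok, detail)}."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Sorted list of the ports that failed in a check_ports() result."""
    return sorted(port for port, (ok, _) in results.items() if not ok)


def report(host, results):
    """Render a check_ports() result one line per port."""
    return "\n".join(
        f"{host}:{port} {'OK  ' if ok else 'FAIL'} {detail}"
        for port, (ok, detail) in sorted(results.items())
    )


if __name__ == "__main__":
    import sys
    # Usage (replace the placeholder with your endpoint's DNS name or IP):
    #   python3 sgw_check.py ENDPOINT_DNS_NAME_OR_IP
    #   python3 sgw_check.py PROXY_HOST_PRIVATE_IP 3128
    target = sys.argv[1]
    ports = tuple(int(p) for p in sys.argv[2:]) or ENDPOINT_PORTS
    results = check_ports(target, ports)
    print(report(target, results))
    sys.exit(1 if blocked_ports(results) else 0)
```

A result of "timeout" on all five ports while a ping to an EC2 instance in the same VPC succeeds usually means the endpoint's security group is missing the gateway's source address; "refused" from the proxy host on 3128 means the proxy process is not listening rather than that a security group is wrong.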

Troubleshooting a gateway that's hosted on Amazon EC2

  • Check the security group that's attached to the VPC endpoint. Confirm that the security group allows inbound traffic from the gateway's IP address on TCP ports 443, 1026, 1027, 1028, and 1031.
  • Check the security group that's attached to the gateway. Confirm that the security group allows inbound traffic on TCP port 80 from the workstation or instance that you use to activate the gateway.
  • Confirm that you're using the private IP address of the gateway's EC2 instance for activation. Even if the instance that your gateway is hosted on has a public IP address or an Elastic IP address, you must activate the gateway using the private IP address.
  • Confirm that the workstation you're using to activate the gateway can communicate with the VPC of the gateway instance over Direct Connect or VPN.
    Tip: If your workstation can't communicate with the VPC, try activating the gateway from another instance within the same VPC.

Using VPC Flow Logs to troubleshoot Storage Gateway activation using a VPC endpoint

To get more information about what's causing your gateway's activation to fail, you can enable VPC Flow Logs on the elastic network interfaces of the VPC endpoint (the endpoint has one network interface in each subnet that it's deployed in).

After you enable VPC Flow Logs, you can review the flow records for the VPC endpoint. For example, a REJECT record for TCP traffic from the gateway's IP address to the endpoint on port 443, 1026, 1027, 1028, or 1031 shows that the endpoint's security group or a network ACL is dropping traffic that the activation requires. If the flow logs show no records at all from the gateway's IP address, the traffic isn't reaching the VPC, which points at the on-premises firewall or routing rather than at the endpoint.
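The analysis described above, as an added example that is not AWS code: it parses default-format (version 2) VPC Flow Logs records, keeps only TCP flows from the gateway's IP address to the ports the activation needs, and reports both the REJECTed flows and the required ports that never produced an ACCEPT. The sample records are constructed for this example (the account ID, interface ID, and addresses are placeholders, not real resources); point the functions at lines read from your own log group or S3 export instead. If your flow log uses a custom format, adjust FIELDS to match.

```python
from collections import Counter

# Ports the article lists for gateway-to-endpoint traffic.
REQUIRED_PORTS = {443, 1026, 1027, 1028, 1031}
TCP = "6"  # IANA protocol number as written in the flow record

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def parse_record(line):
    """Parse one default-format flow record into a dict, or None if unusable."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # NODATA / SKIPDATA records carry no 5-tuple
        return None
    return rec


def gateway_flows(lines, gateway_ip):
    """Yield TCP records from gateway_ip whose destination port is one we need."""
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["srcaddr"] != gateway_ip or rec["protocol"] != TCP:
            continue
        port = int(rec["dstport"])
        if port in REQUIRED_PORTS:
            rec["dstport"] = port
            yield rec


def rejected_flows(lines, gateway_ip):
    """Count REJECTed gateway-to-endpoint flows per (dstaddr, dstport)."""
    hits = Counter()
    for rec in gateway_flows(lines, gateway_ip):
        if rec["action"] == "REJECT":
            hits[(rec["dstaddr"], rec["dstport"])] += 1
    return hits


def ports_never_accepted(lines, gateway_ip):
    """Required ports with no ACCEPTed flow from the gateway.

    A port listed here that is also absent from rejected_flows() was never
    seen by the endpoint's network interface at all: look at the on-premises
    firewall or routing rather than at the endpoint's security group.
    """
    accepted = {rec["dstport"] for rec in gateway_flows(lines, gateway_ip)
                if rec["action"] == "ACCEPT"}
    return sorted(REQUIRED_PORTS - accepted)


def summarize(lines, gateway_ip):
    """Human-readable summary of the two checks above."""
    rejected = rejected_flows(lines, gateway_ip)
    missing = ports_never_accepted(lines, gateway_ip)
    out = [f"REJECT {dst}:{port} x{n}" for (dst, port), n in sorted(rejected.items())]
    out.append("required ports with no ACCEPT: " + (", ".join(map(str, missing)) or "none"))
    return "\n".join(out)


# Constructed sample records (not real log data): gateway 192.168.10.5 talking to
# an endpoint network interface at 10.0.2.10. Only 443 and 1028 are ACCEPTed.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.2.10 49152 443 6 12 6400 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.2.10 49153 1026 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.2.10 49154 1027 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.2.10 49155 1028 6 8 4200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.2.10 49156 1031 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.2.10 49157 1026 6 1 60 1600000060 1600000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.77 10.0.2.10 50000 1026 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1600000000 1600000060 - NODATA
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOW_LOG.splitlines(), "192.168.10.5"))
```

For a gateway hosted on Amazon EC2, enable flow logs on the gateway instance's network interface as well and run the same parser with the activating workstation's address as the source and port 80 as the only required port; that isolates the activation-key request from the endpoint traffic.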
