AWS Storage Gateway
AWS Storage Gateway is a hybrid storage service: a small virtual (or hardware) appliance runs in your data center, local applications talk to it through familiar protocols, and behind the scenes it stores or caches data in AWS. Typical uses are migrating data to AWS without changing applications, keeping a local cache of cloud-resident data, and replacing physical tape backup systems.
You install the gateway, register it with AWS, and present it on the local network as NFS, SMB, iSCSI, or virtual tape — applications see ordinary storage while the durable copy lives in S3, FSx, or Glacier.
Gateway Types
AWS positions three types for new workloads. S3 File Gateway presents an NFS/SMB share whose files become S3 objects, caching recent files locally. FSx File Gateway presents SMB backed specifically by FSx for Windows File Server. Tape Gateway appears as a virtual tape library to backup software, storing tapes in S3 and tiering them to Glacier.
Volume Gateway (block storage over iSCSI, backed by S3 or EBS snapshots) still works but is legacy — prefer the other three for new designs unless iSCSI block semantics are a hard requirement.
How It Works
The appliance does three things: protocol translation (NFS/SMB/iSCSI/VTL locally, S3/FSx/EBS to AWS), caching of recently used data on a local SSD for fast reads, and asynchronous upload — writes hit the local cache first, then upload in the background.
In-transit data is encrypted at the HTTPS/TLS layer regardless of path. Direct Connect itself is not encrypted by default; add MACsec or an IPsec VPN over the DX link if you need wire-level encryption.
When to Use Which
- Storage Gateway — ongoing hybrid access — local apps reading and writing cloud-backed storage continuously.
- AWS DataSync — fast one-time or scheduled bulk transfers between on-prem and AWS over the network.
- Snowball — moving very large datasets physically when network transfer would be too slow.
Common Mistakes
- Deploying Storage Gateway when you have no on-premises footprint — use S3, EFS, or FSx directly.
- Expecting sub-millisecond writes to AWS — the gateway uploads asynchronously and is not built for real-time low-latency cloud writes.
- Using Storage Gateway for a one-time migration where DataSync or Snowball would move the data far faster.
- Under-sizing the local cache, so reads miss cache and crawl — watch the CloudWatch cache hit rate.
- Choosing legacy Volume Gateway for a new project when S3, FSx, or Tape Gateway would fit better.
- Assuming Direct Connect encrypts traffic — it does not by default; rely on the TLS layer or add MACsec/IPsec.
Best Practices
- Right-size the local cache and monitor cache hit rate in CloudWatch.
- Use Direct Connect or Site-to-Site VPN for reliable performance; add MACsec/IPsec if wire-level encryption is required.
- Use Tape Gateway with Glacier Deep Archive to retire physical tape cost-effectively.
- Prefer S3, FSx, or Tape Gateway over legacy Volume Gateway for new workloads.
- Use DataSync or Snowball instead for one-time bulk migrations.
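As an added example (not code from AWS or from this page), the script below builds the CloudWatch GetMetricStatistics request for a gateway's cache metrics and flags datapoints that indicate an under-sized cache (low hit rate) or an upload backlog (high dirty percentage, meaning data that is not yet durable in AWS). The thresholds, the gateway ID and the sample datapoints are assumptions constructed for the example.

```python
"""Flag Storage Gateway cache problems from CloudWatch datapoints (added example)."""
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/StorageGateway"
# Metric names are the documented Storage Gateway cache metrics; the thresholds
# (80 % hit rate, 50 % dirty, 90 % used) are assumptions, tune them per workload.
CHECKS = {
    "CacheHitPercent": ("Average", lambda v: v < 80.0, "low hit rate: cache likely under-sized"),
    "CachePercentDirty": ("Maximum", lambda v: v > 50.0, "upload backlog: data not yet durable in AWS"),
    "CachePercentUsed": ("Maximum", lambda v: v > 90.0, "cache nearly full"),
}


def metric_request(gateway_id, metric_name, hours=24, period=3600):
    """Build the parameters for cloudwatch.get_metric_statistics() for one gateway metric."""
    end = datetime.now(timezone.utc)
    stat = CHECKS[metric_name][0]
    return {
        "Namespace": NAMESPACE,
        "MetricName": metric_name,
        "Dimensions": [{"Name": "GatewayId", "Value": gateway_id}],
        "StartTime": end - timedelta(hours=hours),
        "EndTime": end,
        "Period": period,
        "Statistics": [stat],
    }


def evaluate(metric_name, datapoints):
    """Return (timestamp, value, reason) for every datapoint that breaches the threshold."""
    stat, breached, reason = CHECKS[metric_name]
    findings = []
    for dp in sorted(datapoints, key=lambda d: d["Timestamp"]):
        value = dp[stat]
        if breached(value):
            findings.append((dp["Timestamp"], value, reason))
    return findings


# Constructed sample datapoints, shaped like the "Datapoints" list CloudWatch returns.
SAMPLE = {
    "CacheHitPercent": [{"Timestamp": "2024-01-01T00:00:00Z", "Average": 95.0},
                        {"Timestamp": "2024-01-01T01:00:00Z", "Average": 62.5}],
    "CachePercentDirty": [{"Timestamp": "2024-01-01T00:00:00Z", "Maximum": 12.0},
                          {"Timestamp": "2024-01-01T01:00:00Z", "Maximum": 71.0}],
}


def report(samples=SAMPLE):
    """Evaluate every sampled metric; in production feed it the real Datapoints lists."""
    return {name: evaluate(name, dps) for name, dps in samples.items()}
```

Replace `SAMPLE` with the `Datapoints` from a real `get_metric_statistics()` call made with the parameters `metric_request()` returns (the gateway ID `sgw-12A3456B` used in the test is a placeholder).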
Knowledge Check
What problem does AWS Storage Gateway primarily solve?
- Letting on-premises apps use cloud-backed storage through familiar local protocols without being rewritten
- Replacing S3 entirely with a faster, cheaper object store that runs locally inside your own corporate data center
- Running and orchestrating containerized workloads in your on-premises data center
- Encrypting every Direct Connect link automatically and end-to-end on your behalf
Which gateway type does AWS treat as legacy for new workloads?
- Volume Gateway (iSCSI block) — prefer S3 File, FSx File, or Tape Gateway unless iSCSI is required
- S3 File Gateway, presenting on-premises NFS and SMB file shares that are durably backed by S3 objects
- Tape Gateway, exposing virtual tapes to existing backup software
- FSx File Gateway, fronting FSx for Windows File Server shares
For a one-time transfer of a very large dataset, what is usually better than Storage Gateway?
- AWS DataSync or Snowball — built for fast bulk migration, not ongoing hybrid access
- Volume Gateway running in stored mode for the whole one-time transfer
- Uploading the entire dataset object-by-object by hand through the S3 console in the browser, one file at a time
- Tape Gateway paired with the Expedited retrieval tier for the move
What is true about encryption when Storage Gateway runs over Direct Connect?
- Traffic is encrypted at the HTTPS/TLS layer, but Direct Connect itself is unencrypted by default — add MACsec or IPsec if needed
- Direct Connect encrypts all of the traffic crossing it end-to-end automatically
- Storage Gateway never encrypts any of its data while it is in transit
- Encryption is only ever available over the public internet path, and it is never applied over a dedicated private Direct Connect link