Secure File Copy to AWS S3 FAQ

What is Secure File Copy to AWS S3?

AWS Storage Gateway supports the NFS/SMB file interface, volume interface and tape interface to S3, which is useful when you want to use S3 as if it is an NFS or SMB file system. But there are times when the use case is different.

For example: Developers like to leverage the Direct Connect to copy files to S3 but you are not sure how to enable them in a secure manner. Since S3 is a public service, you must use public VIF to terminate the Direct Connect. This implies all on-prem users can upload to any S3 bucket.

Another example: Your customers need to send data to AWS S3 buckets but you need to apply control to the activities as to which user and which buckets are available to upload objects.

Aviatrix Secure File Copy is a tool that allows your developers to copy files between on-prem while enabling you to control from which S3 buckets and from where the file can be copied.

What are the benefits of Secure File Copy?

The key benefit of Secure File Copy (SFC) to AWS S3 is its ability for you to have control over the data transfer in and out of AWS S3 bucket.

If you upload files to S3 over Direct Connect, you have to use Direct Connect Public VIF which means you must open your firewall to all AWS public services. An end user can upload to his own S3 account and bucket, leading to data leakage.

Same issue of data leakage occurs if you upload files to S3 over public Internet.

How does SFC work?

SFC works by launching an Aviatrix gateway in a VPC that has a private connection to on-prem, for example, over a Direct Connect, as shown below.


Through SFC, an S3 bucket is mounted as a local directory to the Aviatrix gateway with the same name as the bucket. A VPC endpoint is created to serve S3 so that data object transferring is private within the AWS network and free of charge. File copying from on-prem to the gateway directory is transferred to the S3 bucket.

With this approach, you can specify policies such as only allowing the VPC endpoint to access S3 buckets. Since only the mounted S3 buckets on an Aviatrix gateway can be used for file transferring, SFC effectively locks down which S3 buckets and from where data can be transferred.

SFC also works in a VPC that connects over the Internet with IPSEC.

Is there an additional data charge by going through the Aviatrix gateway?

No, there is no data charge by AWS for using SFC. Normally AWS charges data transfer for data traffic leaving a VPC, however in this case, data transfer is through an AWS VPC endpoint to S3 which is free of charge.

How to setup SFC with preview release?

Here are the steps for setting up SFC in a preview release.

  1. Custom upgrade to 4.1-sfc-preview.
  2. At the Aviatrix Controller console, create an AWS account with access key and secret key (NOT with IAM roles.)
  3. Launch an Aviatrix gateway in this account in a VPC.
  4. Go to AWS console VPC page to create a VPC endpoint for S3 with the VPC where the gateway was launched.
  5. At the Aviatrix Controller Console, go to Useful Tools -> Secure File Copy. Select the gateway name and enter the name of the S3 bucket where you need to transfer file to. Leave all other options on default value and click OK.
  6. Open the security group inbound rules of the gateway instance from AWS Console to allow TCP port 22 from the on-prem network address range.
  7. Upload a file by using the scp commands with the following syntax. (contact for the private key.)
scp -i guest_private_key.pem file_to_be_uploaded guest@gateway_private_ip_address:/home/guest/bucket_name/.

What are the known limitations of the preview release?

  1. Only one bucket, one private key and one user “guest” are supported.
  2. If you stop and start the gateway, the mount point cannot be preserved. You need to delete the bucket and create it again.
  3. IAM roles are not supported.

What to expect in the future official release?

We expect all limitations stated above to be removed when this feature is officially released.