Unable to access AWS Volume Gateway from outside AWS network

0

Hello,

I created a volume gateway deployed using an Amazon EC2 instance which has a public IP (54.163.48.200).
Now if I go to the properties of the volume gateway, it has the private IP (172.31.5.53) as Host IP. So I am unable to log in to this volume from outside AWS from my local network. How can I change the gateway config to use the public IP?

So for discovery I tried using the public IP of the EC2 instance, which worked, but not the login. Login does not work from both Linux and Windows initiators from my local network.

Following are the commands and their output.

[root@localhost arti]# iscsiadm --mode discovery --type sendtargets --portal 54.163.48.200
172.31.5.53:3260,1 iqn.1997-05.com.amazon:iqn.2021-05.aws.volume.gateway

[root@localhost arti]# iscsiadm --mode node --targetname iqn.1997-05.com.amazon:iqn.2021-05.aws.volume.gateway --portal 54.163.48.200:3260,1 --login
iscsiadm: No records found

Thanks,
Arti

asked 3 years ago, 346 views
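The discovery output in the question, worked through as an added example that is not part of the original post: a small POSIX shell check that reads the sendtargets record, compares the portal the target advertises with the address discovery was sent to, and prints the portal value a node-mode login has to name to match the record iscsiadm created. The sample record is constructed from the question's own line; the function names are my own.

```shell
#!/bin/sh
# Constructed from the question's sendtargets output: the target advertises its
# private portal (172.31.5.53) although discovery was sent to the public IP.
DISCOVERY_OUTPUT='172.31.5.53:3260,1 iqn.1997-05.com.amazon:iqn.2021-05.aws.volume.gateway'

# advertised_portal OUTPUT -> the "ip:port,tpgt" field of the first record
advertised_portal() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $1 }'
}

# portal_host PORTAL -> the bare IP from an "ip:port,tpgt" portal string
portal_host() {
    printf '%s\n' "$1" | sed 's/:.*//'
}

# is_rfc1918 IP -> exit 0 when IP is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_portal QUERIED_IP OUTPUT -> "match" when the target advertises the
# address discovery was sent to, "mismatch" otherwise. iscsiadm keys the node
# record it creates on the advertised portal, so after a mismatch a --login
# that names the queried (public) portal finds no record.
check_portal() {
    adv=$(portal_host "$(advertised_portal "$2")")
    if [ "$adv" = "$1" ]; then
        echo match
    else
        echo mismatch
    fi
}

# login_portal OUTPUT -> the exact --portal value that matches the stored node
# record; if it is an RFC 1918 address, the initiator must sit inside the VPC.
login_portal() {
    advertised_portal "$1"
}

# Stand-alone run reproduces the diagnosis for the addresses in the question.
check_portal 54.163.48.200 "$DISCOVERY_OUTPUT"
portal=$(login_portal "$DISCOVERY_OUTPUT")
if is_rfc1918 "$(portal_host "$portal")"; then
    echo "login must use --portal $portal from a host that can reach it"
fi
```

Run against a real gateway, replace DISCOVERY_OUTPUT with the output of `iscsiadm --mode discovery --type sendtargets --portal <ip>`; a "mismatch" plus a private advertised address is the combination behind the "No records found" login failure.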
8 Answers
0

Hello,

I'm Mike with the Storage Gateway team, let me see if I can help.

As a general rule, EC2 instances come with two types of network setups: Private IP only and Private & Public IP (there are exceptions, but I'm talking about the typical customer EC2 deployment). If you had Private IP only, then access from the public internet wouldn't be possible, but you have chosen Public and Private IP addresses, so you appear to be set up correctly for your use case (i.e. access from the public internet). There is no "public only" EC2 instance; there will always be a private IP chosen for the system.

Being able to discover the public IP address of your EC2 instance using your iSCSI tool means we are communicating on the public IP over port 3260 (iSCSI default port), so this isn't a public IP vs. private IP issue. There are two possibilities of what may be happening:

  1. If by "login" you mean you have implemented CHAP authentication on the target/initiator pair, I would first try to connect without any CHAP authentication in order to establish connectivity and functionality of the overall server/volume gateway setup. Once working, then introduce CHAP secrets and troubleshoot as necessary. This will clarify whether you are troubleshooting a connection issue or CHAP issue.
  2. If you are not able to establish a connection with CHAP removed, then you need to look at where your client is located in relationship to the gateway. You don't say whether your iSCSI initiator is also in EC2 or not, but I suspect that it isn't. If your initiator is on-premises, then your iSCSI connection to the gateway may never work, unfortunately. The iSCSI protocol is a very "dirty" protocol and is designed for short network hops on a LAN. Attempting to make such a "chatty" protocol work over a WAN connection is not recommended, as you get two things: connection/setup issues and sub-par performance. So even if the connection is completed, the performance over a WAN link to the volume would be painfully slow.

The recommended method of storage gateway deployment is to keep the initiator and target as close together on the network as possible and then have the gateway do the long haul over the WAN to the virtual volumes. This works because the gateway is using HTTPS to communicate on the WAN, which is designed to function well over multiple network hops.

Hope this helps. Please feel free to ask any other questions you may have.

Mike H.

AWS
answered 3 years ago
0

Hello Mike,
Thanks a lot for your quick response.

Regarding my setup where iSCSI LOGIN is NOT working: I am not using CHAP authentication for my volume gateway, which was created on an Amazon EC2 instance. I am running my iSCSI initiator from on-premises.

Thanks,
Arti

Edited by: AartiShinde on May 26, 2021 5:12 AM

answered 3 years ago
0

Hello Mike,

This is another question regarding volume gateway -
When I create a cached volume using the volume gateway, I do not see any option to select an S3 bucket, but I see an S3 bucket in almost all the block diagrams for the volume gateway. Is that for EBS snapshots which are backed by an S3 bucket?

How can I access the S3 Bucket where data of volume gateway is stored?

Thanks,
Arti

answered 3 years ago
0

The data that you put in your iSCSI mounted volumes is stored in S3, but within S3 buckets that are owned and controlled by the SGW service, not buckets in your own AWS account. The reason we don't allow customer access to the volume data stored in our private S3 buckets is this is block data, not file data, that we are managing. This block data is in a format that only the SGW service and your gateway can interpret and make use of. If any of that data got deleted or modified by a customer, the data could end up corrupted or lost.

If you are seeking a method to put usable file data into a bucket you control, take a look at the file gateway we offer. With that gateway, the data you put in the share is replicated identically into the bucket, and you can then use that bucket data in whatever way you require.

Mike H.

AWS
answered 3 years ago
0

Thanks a lot Mike.

Another question regarding the STATUS of the volume gateway: how can I start the stopped gateway?
So I can STOP the running gateway and the status changes from RUNNING to SHUTDOWN. But I do not see an option to start the gateway again.
I only have the option to DELETE the gateway.

Thanks,
Arti

answered 3 years ago
0

Another question on deleting volumes -

I created a bunch of stored volumes for my tests. Now when I tried deleting all the volumes, I got an error for one of the volumes: "Failed to delete volume".
How can I check more details for this error? What are the likely reasons for this error? I faced this even for a cached volume, so I had to delete the gateway to do the cleanup.

Thanks,
Arti

answered 3 years ago
0

Hello,

When working with a volume/tape gateway and you have done the shutdown of services (through the AWS console or on the VM console itself), the Details tab of your gateway should show you a "Start Gateway" button to bring services back online.

https://docs.aws.amazon.com/storagegateway/latest/userguide/MaintenanceShutDown-common.html#start-stop-classic

Mike Haws

AWS
answered 3 years ago
0

In regard to the volume that wouldn't delete, I can't give you any great insight into what may have occurred with that particular volume since the gateway is now deleted. If you have a similar problem in the future, I would recommend opening a support case with our Premium Support team.

With that case opened, the process of investigation and looking into logs can take place and answers to specific issues to specific gateways can be answered.

Mike H-aws

AWS
answered 3 years ago
