20. Storage Gateway

Storage gateway is a service that connects an on-premises s/w appliance with cloud-based storage to provide seamless and secure integration between an organizations on-premises IT environment and AWSs storage infrastructure. The service enables you to securely store data to the AWS cloud for scalable and cost effective storage.
Storage Gateways s/w appliance is available for download as virtual machine (VM) image that you install on a host in your datacenter. Storage Gateway supports either VMware ESXi or Microsoft Hyper-V. Once you have installed your gateway and associated it with your AWS account through the activation process, we can use the AWS management console to create the storage gateway option that is right for you.

Three different types of Storage Gateway are as follows:

File Gateway Volume Gateway(iSCSI) Tape Gateway
NFS & SMB Stored volumes & Cached volumes VTL (Virtual Type Library)
For flat files, stored directly on S3
Stored volumes: Entire dataset is stored on site and is asynchronously backed up to S3.

Cached volumes: Entire dataset is stored on S3 and the most frequently accessed data is cached on site.

Tape Gateway allows moving tape backups to the cloud.
It provides a backup solution that seamlessly connects to the AWS cloud and stores data files and backup images in S3 cloud storage. Provide cloud backup iSCSI block storage volumes for on-premises applications using either cached volumes or stored volumes. Providing virtual tape storage and VTL management to store data on S3 and Glacier.

Question 1:
As part of a pilot program, a biotechnology company wants to integrate data files from its on-premises analytical application with AWS Cloud via an NFS interface. Which of the following AWS service is the MOST efficient solution for the given use-case?
Answer: AWS Storage Gateway – File Gateway

Question 2: A company wants to host its internal storage on AWS. This storage is required to be connected to an on-premises application server via an iSCSI device. In addition, after the migration is complete, they plan to use the storage on AWS as their primary storage. Choose a configuration method that can meet this requirement.
Options:
A. Create an S3 bucket and use the S3 connector as an iSCSI device
B. Create an EBS and use the EBS connector as an iSCSI device
C. Create a Glacier archive and use Glacier connector as an iSCSI device
D. Use the AWS storage gateway as an iSCSI device
Answer: D
Explanation
Option D is the correct answer. Storage gateway cached volumes allow you to use Amazon S3 as your primary data storage while keeping frequently accessed data locally. Volumes cached in an on-premises environment provide low-latency access to frequently accessed data. You can create storage volumes up to 32 TiB in size and attach them from your on-premises application server via an iSCSI device. The cached volume is the method to be selected when using the AWS side as the primary.
Options A, B and C are incorrect. These services do not have the ability to connect to the on-premises side via an iSCSI device.

Question 3:
Your company owns 3TB volume data in its on-premises repository and stores a large number of files there. This repository is increasing in capacity by 500 GB annually and should be used as a single logical volume. As a Solutions Architect, you have decided to extend this repository to S3 storage to avoid local storage capacity constraints. You also want to maintain optimal response times for frequently accessed data. The plan is to use S3 as the primary.
Which of the following AWS Storage Gateway configurations meets this requirement?
Options:
A. Cached volume that uses snapshots scheduled to move to S3
B. Storage type that uses snapshots scheduled to move to S3
C. Cached that utilize snapshots scheduled to move to Glacier
D. A virtual type library that utilizes snapshots scheduled to move to S3
Answer: A
Explanation
Cached volumes on the storage gateway allow you to use S3 as your primary data storage while keeping frequently accessed data in your local environment. Therefore, option 1 is the correct answer.
Cached volumes minimize the need to scale your on-premises storage infrastructure. At the same time, applications will continue to have low-latency access to frequently accessed data. You can create up to 32TiB of storage volumes and attach them as iSCSI devices to your on-premises application server. The gateway stores the data in a storage volume created in Amazon S3, which keeps the recently loaded data in the cache of the on-premises storage gateway, and uploads it to buffer storage.
Option 2 is incorrect. Storage type volumes utilize local storage as the primary and asynchronously back up that data to S3. This time the cached volume meets the requirements.
Option 3 is incorrect. It is appropriate to use S3 storage for hybrid configurations with storage gateways. In addition, Glacier is used to save infrequently used files over the medium to long term, so Option 3 is inappropriate for this requirement.
Option 4 is incorrect. The virtual tape library is used for tape-format backups, and option 4 is inappropriate.

Question 4:
A company is investigating methods to reduce the expenses associated with on-premises backup infrastructure. The Solutions Architect wants to reduce costs by eliminating the use of physical backup tapes. It is a requirement that existing backup applications and workflows should continue to function.
What should the Solutions Architect recommend?
Options:
A. Create an Amazon EFS file system and connect the backup applications using the iSCSI protocol
B. Connect the backup applications to an AWS Storage Gateway using the NFS protocol
C. Create an Amazon EFS file system and connect the backup applications using the NFS protocol
D. Connect the backup applications to an AWS Storage Gateway using an iSCSI-virtual tape library (VTL)
Answer: D
Explanation
The AWS Storage Gateway Tape Gateway enables you to replace using physical tapes on premises with virtual tapes in AWS without changing existing backup workflows. Tape Gateway emulates physical tape libraries, removes the cost and complexity of managing physical tape infrastructure, and provides more durability than physical tapes.
CORRECT: “Connect the backup applications to an AWS Storage Gateway using an iSCSI-virtual tape library (VTL)” is the correct answer.
INCORRECT: “Create an Amazon EFS file system and connect the backup applications using the NFS protocol” is incorrect. The NFS protocol is used by AWS Storage Gateway File Gateways but these do not provide virtual tape functionality that is suitable for replacing the existing backup infrastructure.
INCORRECT: “Create an Amazon EFS file system and connect the backup applications using the iSCSI protocol” is incorrect. The NFS protocol is used by AWS Storage Gateway File Gateways but these do not provide virtual tape functionality that is suitable for replacing the existing backup infrastructure.
INCORRECT: “Connect the backup applications to an AWS Storage Gateway using the NFS protocol” is incorrect. The iSCSI protocol is used by AWS Storage Gateway Volume Gateways but these do not provide virtual tape functionality that is suitable for replacing the existing backup infrastructure.

Question 5:
Storage capacity has become an issue for a company that runs application servers on-premises. The servers are connected to a combination of block storage and NFS storage solutions. The company requires a solution that supports local caching without re-architecting its existing applications.
Which combination of changes can the company make to meet these requirements? (Select TWO.)
Options:
A. Use AWS Direct Connect and mount an Amazon FSx for Windows File Server using iSCSI
B. Use Amazon Elastic File System (EFS) volumes to replace the block storage
C. Use the mount command on servers to mount Amazon S3 buckets using NFS
D. Use an AWS Storage Gateway volume gateway to replace the block storage
E. Use an AWS Storage Gateway file gateway to replace the NFS storage
Answer: D & E
Explanation
In this scenario the company should use cloud storage to replace the existing storage solutions that are running out of capacity. The on-premises servers mount the existing storage using block protocols (iSCSI) and file protocols (NFS). As there is a requirement to avoid re-architecting existing applications these protocols must be used in the revised solution.
The AWS Storage Gateway volume gateway should be used to replace the block-based storage systems as it is mounted over iSCSI and the file gateway should be used to replace the NFS file systems as it uses NFS.
CORRECT: “Use an AWS Storage Gateway file gateway to replace the NFS storage” is a correct answer.
CORRECT: “Use an AWS Storage Gateway volume gateway to replace the block storage” is a correct answer.
INCORRECT: “Use the mount command on servers to mount Amazon S3 buckets using NFS” is incorrect. You cannot mount S3 buckets using NFS as it is an object-based storage system (not file-based) and uses an HTTP REST API.
INCORRECT: “Use AWS Direct Connect and mount an Amazon FSx for Windows File Server using iSCSI” is incorrect. You cannot mount FSx for Windows File Server file systems using iSCSI, you must use SMB.
INCORRECT: “Use Amazon Elastic File System (EFS) volumes to replace the block storage” is incorrect. You cannot use EFS to replace block storage as it uses NFS rather than iSCSI.

Question 6:
A company runs an application in a factory that has a small rack of physical compute resources. The application stores data on a network attached storage (NAS) device using the NFS protocol. The company requires a daily offsite backup of the application data.
Which solution can a Solutions Architect recommend to meet this requirement?
Options:
A. Create an IPSec VPN to AWS and configure the application to mount the Amazon EFS file system. Run a copy job to backup the data to EFS
B. Use an AWS Storage Gateway volume gateway with stored volumes on premises to replicate the data to Amazon S3
C. Use an AWS Storage Gateway file gateway hardware appliance on premises to replicate the data to Amazon S3
D. Use an AWS Storage Gateway volume gateway with cached volumes on premises to replicate the data to Amazon S3
Answer: C
Explanation
The AWS Storage Gateway Hardware Appliance is a physical, standalone, validated server configuration for on-premises deployments. It comes pre-loaded with Storage Gateway software, and provides all the required CPU, memory, network, and SSD cache resources for creating and configuring File Gateway, Volume Gateway, or Tape Gateway.
A file gateway is the correct type of appliance to use for this use case as it is suitable for mounting via the NFS and SMB protocols.
CORRECT: “Use an AWS Storage Gateway file gateway hardware appliance on premises to replicate the data to Amazon S3” is the correct answer.
INCORRECT: “Use an AWS Storage Gateway volume gateway with stored volumes on premises to replicate the data to Amazon S3” is incorrect. Volume gateways are used for block-based storage and this solution requires NFS (file-based storage).
INCORRECT: “Use an AWS Storage Gateway volume gateway with cached volumes on premises to replicate the data to Amazon S3” is incorrect. Volume gateways are used for block-based storage and this solution requires NFS (file-based storage).
INCORRECT: “Create an IPSec VPN to AWS and configure the application to mount the Amazon EFS file system. Run a copy job to backup the data to EFS” is incorrect. It would be better to use a Storage Gateway which will automatically take care of synchronizing a copy of the data to AWS.

Question 7:
As part of a pilot program, a biotechnology company wants to integrate data files from its on-premises analytical application with AWS Cloud via an NFS interface.
Which of the following AWS service is the MOST efficient solution for the given use-case?
Options:
A. AWS Site-to-Site VPN
B. AWS Storage Gateway – Volume Gateway
C. AWS Storage Gateway – Tape Gateway
D. AWS Storage Gateway – File Gateway
Answer: D
Explanation
Correct option:
AWS Storage Gateway – File Gateway
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. The service provides three different types of gateways – Tape Gateway, File Gateway, and Volume Gateway – that seamlessly connect on-premises applications to cloud storage, caching data locally for low-latency access.
AWS Storage Gateway’s file interface, or file gateway, offers you a seamless way to connect to the cloud in order to store application data files and backup images as durable objects on Amazon S3 cloud storage. File gateway offers SMB or NFS-based access to data in Amazon S3 with local caching. As the company wants to integrate data files from its analytical instruments into AWS via an NFS interface, therefore AWS Storage Gateway – File Gateway is the correct answer.
Incorrect options:
AWS Storage Gateway – Volume Gateway – You can configure the AWS Storage Gateway service as a Volume Gateway to present cloud-based iSCSI block storage volumes to your on-premises applications. Volume Gateway does not support NFS interface, so this option is not correct.
AWS Storage Gateway – Tape Gateway – AWS Storage Gateway – Tape Gateway allows moving tape backups to the cloud. Tape Gateway does not support NFS interface, so this option is not correct.
AWS Site-to-Site VPN – AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can securely extend your data center or branch office network to the cloud with an AWS Site-to-Site VPN (Site-to-Site VPN) connection. It uses internet protocol security (IPSec) communications to create encrypted VPN tunnels between two locations. You cannot use AWS Site-to-Site VPN to integrate data files via the NFS interface, so this option is not correct.

Question 8:
A company has a hybrid cloud structure for its on-premises data center and AWS Cloud infrastructure. The company wants to build a web log archival solution such that only the most frequently accessed logs are available as cached data locally while backing up all logs on Amazon S3.
As a solutions architect, which of the following solutions would you recommend for this use-case?
Options:
A• Use AWS Volume Gateway – Cached Volume – to store the most frequently accessed logs locally for low-latency access while storing the full volume with all logs in its Amazon S3 service bucket
B• Use AWS Volume Gateway – Stored Volume – to store the most frequently accessed logs locally for low-latency access while storing the full volume with all logs in its Amazon S3 service bucket
C• Use AWS Snowball Edge Storage Optimized device to store the most frequently accessed logs locally for low-latency access while storing the full backup of logs in an Amazon S3 bucket
D• Use AWS direct connect to store the most frequently accessed logs locally for low-latency access while storing the full backup of logs in an Amazon S3 bucket
Answer: A
Explanation
Correct option:
Use AWS Volume Gateway – Cached Volume – to store the most frequently accessed logs locally for low-latency access while storing the full volume with all logs in its Amazon S3 service bucket
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. The service provides three different types of gateways – Tape Gateway, File Gateway, and Volume Gateway – that seamlessly connect on-premises applications to cloud storage, caching data locally for low-latency access. With cached volumes, the AWS Volume Gateway stores the full volume in its Amazon S3 service bucket, and just the recently accessed data is retained in the gateway’s local cache for low-latency access.
Incorrect options:
Use AWS direct connect to store the most frequently accessed logs locally for low-latency access while storing the full backup of logs in an Amazon S3 bucket – AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Direct connect cannot be used to store the most frequently accessed logs locally for low-latency access.
Use AWS Volume Gateway – Stored Volume – to store the most frequently accessed logs locally for low-latency access while storing the full volume with all logs in its Amazon S3 service bucket – With stored volumes, your entire data volume is available locally in the gateway, for fast read access. Volume Gateway also maintains an asynchronous copy of your stored volume in the service’s Amazon S3 bucket. This does not fit the requirements per the given use-case, hence this option is not correct.
Use AWS Snowball Edge Storage Optimized device to store the most frequently accessed logs locally for low-latency access while storing the full backup of logs in an Amazon S3 bucket – You can use Snowball Edge Storage Optimized device to securely and quickly transfer dozens of terabytes to petabytes of data to AWS. Snowball Edge Storage Optimized device cannot be used to store the most frequently accessed logs locally for low-latency access.

Question 9:
A retail organization is moving some of its on-premises data to AWS Cloud. The DevOps team at the organization has set up an AWS Managed IPSec VPN Connection between their remote on-premises network and their Amazon VPC over the internet.
Which of the following represents the correct configuration for the IPSec VPN Connection?
Options:
A• Create a Virtual Private Gateway on the on-premises side of the VPN and a Customer Gateway on the AWS side of the VPN
B• Create a Virtual Private Gateway on the AWS side of the VPN and a Customer Gateway on the on-premises side of the VPN
C• Create a Virtual Private Gateway on both the AWS side of the VPN as well as the on-premises side of the VPN
D• Create a Customer Gateway on both the AWS side of the VPN as well as the on-premises side of the VPN
Answer: B
Explanation
Correct option:
Create a Virtual Private Gateway on the AWS side of the VPN and a Customer Gateway on the on-premises side of the VPN
Amazon VPC provides the facility to create an IPsec VPN connection (also known as site-to-site VPN) between remote customer networks and their Amazon VPC over the internet. The following are the key concepts for a site-to-site VPN:
Virtual private gateway: A Virtual Private Gateway (also known as a VPN Gateway) is the endpoint on the AWS VPC side of your VPN connection.
VPN connection: A secure connection between your on-premises equipment and your VPCs.
VPN tunnel: An encrypted link where data can pass from the customer network to or from AWS.
Customer Gateway: An AWS resource that provides information to AWS about your Customer Gateway device.
Customer Gateway device: A physical device or software application on the customer side of the Site-to-Site VPN connection.
Incorrect options:
Create a Virtual Private Gateway on the on-premises side of the VPN and a Customer Gateway on the AWS side of the VPN – You need to create a Virtual Private Gateway on the AWS side of the VPN and a Customer Gateway on the on-premises side of the VPN. Therefore, this option is wrong.
Create a Customer Gateway on both the AWS side of the VPN as well as the on-premises side of the VPN – You need to create a Virtual Private Gateway on the AWS side of the VPN and a Customer Gateway on the on-premises side of the VPN. Therefore, this option is wrong.
Create a Virtual Private Gateway on both the AWS side of the VPN as well as the on-premises side of the VPN – You need to create a Virtual Private Gateway on the AWS side of the VPN and a Customer Gateway on the on-premises side of the VPN. Therefore, this option is wrong.

Question 10:
The DevOps team at an IT company has created a custom VPC (V1) and attached an Internet Gateway (I1) to the VPC. The team has also created a subnet (S1) in this custom VPC and added a route to this subnet’s route table (R1) that directs internet-bound traffic to the Internet Gateway. Now the team launches an EC2 instance (E1) in the subnet S1 and assigns a public IPv4 address to this instance. Next the team also launches a NAT instance (N1) in the subnet S1.
Under the given infrastructure setup, which of the following entities is doing the Network Address Translation for the EC2 instance E1?
Options:
A• NAT instance (N1)
B• Subnet (S1)
C• Route Table (R1)
D• Internet Gateway (I1)
Answer: D
Explanation
Correct option:
Internet Gateway (I1)
An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
An Internet Gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. Therefore, for instance E1, the Network Address Translation is done by Internet Gateway I1.
Additionally, an Internet Gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.
To enable access to or from the internet for instances in a subnet in a VPC, you must do the following:
Attach an Internet gateway to your VPC.
Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.
Incorrect options:
NAT instance (N1) – You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet. As the instance E1 is in a public subnet, therefore this option is not correct.
Subnet (S1)
Route Table (R1)
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. A subnet is a range of IP addresses in your VPC. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Therefore neither Subnet nor Route Table can be used for Network Address Translation.