AWS Storage Gateway
Understand Storage Gateway for hybrid cloud storage, including S3 File Gateway, FSx File Gateway, Volume Gateway, Tape Gateway, local cache, and exam scenarios.
After this, you will understand
Storage Gateway is a way to understand hybrid storage without pretending that every on-premises application can immediately speak S3 APIs.
AWS Storage Gateway connects on-premises storage protocols to AWS storage services using a gateway appliance and local cache.
A common mistake is to assume hybrid apps must be rewritten for S3, or to choose Direct Connect when the real requirement is file, volume, or tape storage integration.
Use Storage Gateway when on-premises applications need familiar storage protocols backed by AWS storage, caching, backup, or archive.
Concepts Covered
- AWS Storage Gateway
- Hybrid cloud storage
- S3 File Gateway
- FSx File Gateway
- Volume Gateway
- Tape Gateway
- Local cache
- NFS, SMB, iSCSI, and virtual tapes
- On-premises deployment
- Storage Gateway versus Direct Connect, S3, EFS, and FSx
1. Plain-English Mental Model
AWS Storage Gateway is a hybrid storage bridge between on-premises applications and AWS storage.
The simple model is:
on-premises app -> familiar storage protocol -> Storage Gateway -> AWS storage
Some applications cannot immediately use S3 APIs, EFS mounts, or cloud-native backup tools. They expect NFS, SMB, iSCSI volumes, or tape backup interfaces.
Storage Gateway gives those applications a local gateway appliance with cache, while AWS stores the durable backing data or backup/archive target.
It is not a network connection service like Direct Connect or VPN. Those provide connectivity. Storage Gateway provides storage protocol integration.
2. Why This Service Exists
Hybrid migration is not only about packets. It is also about old storage assumptions.
An on-premises backup application may expect a tape library. A file workflow may expect SMB or NFS shares. A block-based application may expect iSCSI volumes. Rewriting everything for S3 is often too slow or risky during migration.
Storage Gateway exists to let on-premises applications keep using familiar storage protocols while AWS becomes the durable, scalable, or archival storage backend.
For SAA-C03, Storage Gateway appears in questions about hybrid storage, on-premises file shares backed by S3 or FSx, volume storage backed by AWS, tape replacement, local caching, backup and archive to AWS, and migration without rewriting applications.
3. The Naive Approach And Where It Breaks
The naive pattern is a full application rewrite:
old app uses file share -> rewrite app to use S3 APIs
That may be the right long-term goal, but it is often too much for a migration or backup modernization project.
Another naive pattern is buying more on-premises storage because local systems are full. That delays the move to cloud storage and keeps backup or archive growth in the data center.
Another mistake is using Direct Connect as if it solves storage protocol translation. Direct Connect gives private connectivity. It does not turn an NFS share into S3-backed storage.
Storage Gateway fills the protocol bridge.
4. Core Primitives
A gateway is an appliance deployed on premises, either as a virtual machine on a supported hypervisor or as a hardware appliance, or in some cases in AWS.
S3 File Gateway presents NFS or SMB file shares and stores files as objects in S3.
FSx File Gateway provides on-premises access to FSx for Windows File Server file shares.
Volume Gateway presents iSCSI block volumes. Cached volumes keep frequently accessed data locally while storing primary data in AWS. Stored volumes keep the full dataset locally and asynchronously back up snapshots to AWS.
Tape Gateway presents a virtual tape library interface for backup applications and archives virtual tapes in AWS.
Local cache stores recently accessed data for low-latency access.
CloudWatch, CloudTrail, and Storage Gateway metrics support operations.
5. Architecture Use Cases
Use S3 File Gateway when on-premises applications need NFS or SMB shares but the durable backing store should be S3:
on-premises file app -> NFS or SMB -> S3 File Gateway -> S3 bucket
Use FSx File Gateway when on-premises users or applications need low-latency access to FSx for Windows File Server shares.
Use Volume Gateway when applications need iSCSI block volumes backed or protected by AWS.
Use Tape Gateway to replace physical tape infrastructure with virtual tapes stored and archived in AWS.
Use Direct Connect or VPN for the network path when latency, bandwidth, or private connectivity requirements justify it.
7. Security Model
Storage Gateway security spans on-premises infrastructure, AWS IAM, storage service policies, encryption, and network connectivity.
The gateway appliance must be secured, patched, and monitored.
File share access uses NFS or SMB controls depending on gateway type.
S3 bucket policies, KMS keys, IAM roles, and encryption settings control AWS-side access.
For hybrid connectivity, use VPN or Direct Connect where requirements call for private or encrypted paths.
Do not expose gateway management interfaces broadly.
Backup and archive data should have retention, access control, and deletion protection appropriate to its sensitivity.
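To make the AWS-side controls concrete, here is an added example (not part of the original page or any AWS tooling) that lints the bucket policy of an S3 bucket behind an S3 File Gateway. The account ID, role name, bucket name, and function names are placeholders, and the check is a simplified lint, not a full IAM policy evaluation.

```python
import json

# Constructed sample policy for a bucket behind an S3 File Gateway.
# Account ID, role name and bucket name are placeholders, not from the page.
GATEWAY_ROLE = "arn:aws:iam::111122223333:role/example-file-gateway-role"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GatewayAccess", "Effect": "Allow",
         "Principal": {"AWS": GATEWAY_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-gateway-bucket",
                      "arn:aws:s3:::example-gateway-bucket/*"]},
        {"Sid": "LegacyShare", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-gateway-bucket/*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    return [x for v in p.values() for x in _as_list(v)]

def lint_gateway_bucket_policy(policy_json, gateway_role_arn):
    """Return a list of findings; a simplified lint, not full IAM evaluation."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    tls_enforced = False
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") == "Deny":
            # A Deny for everyone when aws:SecureTransport is false forces TLS.
            flag = cond.get("Bool", {}).get("aws:SecureTransport")
            if str(flag).lower() == "false" and "*" in _principals(stmt):
                tls_enforced = True
            continue
        for principal in _principals(stmt):
            if principal == "*" and not cond:
                findings.append(f"{sid}: Allow to any principal with no Condition")
            elif principal not in ("*", gateway_role_arn):
                findings.append(f"{sid}: Allow to unexpected principal {principal}")
    if not tls_enforced:
        findings.append("no Deny statement for aws:SecureTransport=false")
    return findings
```

Calling `lint_gateway_bucket_policy(SAMPLE_POLICY, GATEWAY_ROLE)` on the constructed sample reports the unconditioned wildcard Allow and the missing TLS-only Deny; a policy that grants access only to the gateway role and denies non-TLS requests returns an empty list.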
8. Reliability And Resilience
Storage Gateway reliability depends on the gateway appliance, local cache, network path, and AWS service backend.
If the WAN link is unavailable, locally cached data may remain accessible depending on gateway type and workload, but uncached data or uploads may be affected.
Design cache size for working set, not total dataset.
Use monitoring for cache utilization, upload buffer, health, and throughput.
For critical workloads, plan gateway host resilience, network redundancy, and restore procedures.
Storage Gateway does not remove the need for backup validation. Tape or volume backups must still be restorable.
9. Performance And Scaling
Performance depends on local disk cache, gateway host resources, network bandwidth, protocol behavior, and AWS storage backend.
S3 File Gateway is useful for file-to-object workflows, but S3 object semantics still exist behind the gateway.
Volume Gateway performance depends on local cache and iSCSI behavior.
Tape Gateway performance depends on backup application behavior and upload/archive flow.
Direct Connect can improve hybrid path consistency, but does not remove local gateway sizing requirements.
Avoid using Storage Gateway as a magic accelerator for every cloud storage workflow.
10. Cost Model
Storage Gateway cost includes gateway usage, AWS storage services such as S3 or FSx, requests, data transfer, snapshots, archive storage, and network connectivity.
Local hardware or hypervisor resources also have cost.
Tape Gateway can reduce physical tape management cost.
S3 File Gateway can reduce on-premises storage growth by moving durable storage to S3 while keeping local cache.
The right cost comparison includes operational work: tape handling, storage refreshes, backup windows, offsite copies, and migration effort.
12. SAA-C03 Exam Signals
"On-premises application needs NFS or SMB file access backed by S3" points to S3 File Gateway.
"On-premises access to FSx for Windows File Server shares" points to FSx File Gateway.
"iSCSI block volumes backed by AWS" points to Volume Gateway.
"Replace physical tape library" points to Tape Gateway.
"Hybrid storage with local cache" points to Storage Gateway.
"Dedicated network link to AWS" points to Direct Connect, not Storage Gateway.
"Shared file system for EC2 in AWS" points to EFS or FSx, not Storage Gateway unless on-premises integration is central.
13. Common Exam Traps
Do not confuse Storage Gateway with Direct Connect or VPN.
Do not choose Storage Gateway when the app can directly use S3 APIs and no hybrid protocol bridge is needed.
Do not forget local cache sizing and network bandwidth.
Do not assume file shares behave exactly like native S3 applications.
Do not ignore KMS, bucket policies, and gateway security.
Do not use Tape Gateway unless tape backup replacement is the requirement.
15. Related Topics
Review Amazon S3, Amazon FSx, AWS Backup, AWS Direct Connect, and AWS Site-to-Site VPN.