AWS Cloud Migration Services – 7R Strategies

🔄 MAJOR UPDATE NOTICE – June 2026

The AWS migration services landscape has undergone significant changes:

  • AWS Migration Hub – No longer accepting new customers (Nov 2025). Replaced by AWS Transform.
  • AWS Application Discovery Service – No longer accepting new customers (Nov 2025). Replaced by AWS Transform.
  • AWS Server Migration Service (SMS) – Discontinued (March 2022). Replaced by AWS Transform MGN.
  • AWS Application Migration Service (MGN) – Rebranded to AWS Transform MGN (June 2026).
  • AWS Snowmobile – Retired (March 2024).
  • AWS Snowball Edge – Only available to existing customers (Nov 2025). New customers should use AWS DataSync or AWS Data Transfer Terminal.

See new sections below for AWS Transform, AWS DataSync, AWS Data Transfer Terminal, and AWS Interconnect.

AWS Cloud Migration Services

  • AWS Cloud Migration services help to address a lot of common use cases such as
    • cloud migration,
    • disaster recovery,
    • data center decommission, and
    • content distribution.
  • For migrating data from on-premises to AWS, the major aspect for consideration are
    • amount of data and network speed
    • data security in transit
    • existing application knowledge for recreation

Application & Database Cloud Migration Services

AWS Transform

  • is the next-generation migration and modernization service launched in May 2025, replacing AWS Migration Hub and integrating multiple migration capabilities into a unified platform.
  • uses agentic AI to automate discovery, dependency mapping, migration planning, network conversion, and EC2 instance optimization.
  • accelerates full-stack Windows modernization, mainframe modernization, and VMware migration.
  • provides a unified experience that consolidates capabilities previously spread across Migration Hub, Application Discovery Service, and Application Migration Service.
  • generates migration plans for tens of thousands of servers and applications in hours.
  • automatically creates or updates landing zones, modernizes and right-sizes networks, and containerizes applications during migration.
  • supports custom transformations of code, APIs, frameworks, and more—making tech stacks AI-ready while eliminating technical debt.
  • Key capabilities include:
    • AWS Transform for VMware – Automates VMware-to-AWS migration with dependency mapping, wave planning, and network configuration conversions.
    • AWS Transform MGN (formerly Application Migration Service) – Proven replication engine for lift-and-shift migrations.
    • Strategy Recommendations – AI-driven migration and modernization strategy building.
    • EC2 Instance Recommendations – Cost estimation for running existing servers in AWS.
    • Migration Journeys – Prescriptive guided migration and modernization workflows.

AWS Transform MGN (formerly AWS Application Migration Service)

  • is the primary migration service for lift-and-shift migrations to AWS (rebranded from AWS Application Migration Service in June 2026).
  • simplifies migration by allowing the same automated process for a wide range of applications, without changes to applications, their architecture, or the migrated servers.
  • supports non-disruptive tests prior to cutover.
  • performs continuous block-level replication of source servers to AWS.
  • supports migration from physical, virtual, or cloud servers to AWS.
  • replaces both AWS Server Migration Service (SMS) and CloudEndure Migration.
  • is used to Re-host (lift-and-shift).

AWS Migration Hub (Maintenance Mode)

⚠️ Note: AWS Migration Hub stopped accepting new customers on November 7, 2025. Existing customers can continue using the service. New customers should use AWS Transform.

  • provides a centralized, single place to discover the existing servers, plan migrations, and track the status of each application migration.
  • provides visibility into the application portfolio and streamlines planning and tracking.
  • helps visualize the connections and the status of the migrating servers and databases, regardless of which migration tool is used.
  • stores all the data in the selected Home Region and provides a single repository of discovery and migration planning information for the entire portfolio and a single view of migrations into multiple AWS Regions.
  • helps track the status of the migrations in all AWS Regions, provided the migration tools are available in that Region.
  • helps understand the environment by letting you explore information collected by AWS discovery tools and stored in the AWS Application Discovery Service’s repository.
  • supports migration status updates from the following tools:
  • migration tools send migration status to the selected Home Region
  • supports EC2 instance recommendations, that provide you with the ability to estimate the cost of running the existing servers in AWS.
  • supports Strategy Recommendations, that help easily build a migration and modernization strategy for the applications running on-premises or in AWS.
  • All current Migration Hub features, including Strategy Recommendations, EC2 Instance Recommendations, Migration Hub Journeys, and Orchestrator, are available in AWS Transform with improved functionality.

AWS Application Discovery Service (Maintenance Mode)

⚠️ Note: AWS Application Discovery Service stopped accepting new customers on November 7, 2025. The Discovery Connector was deprecated on November 17, 2025. New customers should use AWS Transform for VM discovery and assessment.

  • AWS Application Discovery Service helps plan migration to the AWS cloud by collecting usage and configuration data about the on-premises servers.
  • helps enterprises obtain a snapshot of the current state of their data center servers by collecting server specification information, hardware configuration, performance data, details of running processes, and network connections
  • is integrated with AWS Migration Hub,
    • which simplifies migration tracking as it aggregates migration status information into a single console.
    • can help view the discovered servers, group them into applications, and then track the migration status of each application.
  • discovered data for all the regions is stored in the AWS Migration Hub home Region.
  • The data can be exported for analysis in Microsoft Excel or AWS analysis tools such as Amazon Athena and Amazon QuickSight.
  • supports Agentless Collector (for VMware environments) and Discovery Agent (for all environments) for performing discovery and collecting data about the on-premises servers.
  • Note: The Discovery Connector (agentless, vCenter-based) was deprecated on November 17, 2025. The Agentless Collector (supports network connection discovery since November 2024) remains available for existing customers.

AWS Server Migration Service (SMS)

⚠️ DEPRECATED: AWS Server Migration Service was discontinued on March 31, 2022. Use AWS Transform MGN (formerly Application Migration Service) for all lift-and-shift migrations.

  • was an agentless service that made it easier and faster to migrate thousands of on-premises workloads to AWS.
  • helped automate, schedule, and track incremental replications of live server volumes, making it easier to coordinate large-scale server migrations.
  • supported migration of virtual machines from VMware vSphere, Windows Hyper-V and Azure VM to AWS.
  • replicated each server volume, which was saved as a new AMI, which could be launched as an EC2 instance.
  • was a significant enhancement of EC2 VM Import/Export service.
  • was used to Re-host.
  • Migration Path: Use AWS Transform MGN, which supports physical, virtual, and cloud servers with continuous block-level replication and non-disruptive testing.

AWS Database Migration Service (DMS)

  • helps migrate databases to AWS quickly and securely.
  • source database remains fully operational during the migration, minimizing downtime to applications that rely on the database.
  • supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora.
  • monitors for replication tasks, network or host failures, and automatically provisions a host replacement in case of failures that can’t be repaired
  • supports both one-time data migration into RDS and EC2-based databases as well as for continuous data replication
  • supports continuous replication of the data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift and Amazon S3
  • provides free AWS Schema Conversion Tool (SCT) that automates the conversion of Oracle PL/SQL and SQL Server T-SQL code to equivalent code in the Amazon Aurora / MySQL dialect of SQL or the equivalent PL/pgSQL code in PostgreSQL
  • AWS DMS Serverless (launched June 2023)
    • automatically provisions, scales, and manages migration resources without infrastructure management.
    • removes the need for capacity estimation, provisioning, cost-optimization, and version/patch management.
    • supports automatic storage scaling beyond the default 100GB limit for large transaction volumes.
    • supports S3 source endpoints for migrating CSV or Parquet data.
    • supports homogeneous migrations via CLI, SDK, and API with fully automated replication (October 2024).
    • supports premigration assessments to identify potential issues before migration.
  • Note: AWS DMS Fleet Advisor reaches end of support on May 20, 2026.

AWS EC2 VM Import/Export

  • allows easy import of virtual machine images from existing environment to EC2 instances and export them back to on-premises environment
  • allows leveraging of existing investments in the virtual machines, built to meet compliance requirements, configuration management and IT security by bringing those virtual machines into EC2 as ready-to-use instances
  • Common usages include
    • Migrate Existing Applications and Workloads to EC2, allowing preserving of the software and settings configured in the existing VMs.
    • Copy Your VM Image Catalog to EC2
    • Create a Disaster Recovery Repository for your VM images
  • Note: For server migrations, AWS Transform MGN is the recommended service as it provides continuous replication, non-disruptive testing, and automated cutover. VM Import/Export remains available for specific image import/export use cases.

Data Transfer Services

VPN

  • connection utilizes IPSec to establish encrypted network connectivity between on-premises network and VPC over the Internet.
  • connections can be configured in minutes and a good solution for an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity.
  • still requires internet and be configured using VGW and CGW

AWS Direct Connect

  • provides a dedicated physical connection between the corporate network and AWS Direct Connect location with no data transfer over the Internet.
  • helps bypass Internet service providers (ISPs) in the network path
  • helps reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than with Internet-based connection
  • takes time to setup and involves third parties
  • are not redundant and would need another direct connect connection or a VPN connection
  • Security
    • provides a dedicated physical connection without internet
    • For additional security can be used with VPN
    • Supports MACsec (IEEE 802.1AE) encryption on dedicated connections and supported partner interconnects for Layer 2 encryption.
  • Recent Updates:
    • Native 400 Gbps Dedicated Connections available at select locations (July 2024).
    • Direct Connect gateway can now associate directly with AWS Cloud WAN core network without intermediate Transit Gateway (November 2024).
    • 4-byte Autonomous System (AS) number support for virtual interfaces (September 2025).

AWS Interconnect (NEW – GA April 2026)

  • is a managed connectivity service that simplifies connectivity into AWS, launched as GA in April 2026.
  • enables customers to establish private, high-speed network connections with dedicated bandwidth to and from AWS across hybrid and multicloud environments.
  • AWS Interconnect – Last Mile
    • automates the end-to-end process of establishing private, resilient connectivity between customer on-premises locations and AWS.
    • customers select their location, preferred AWS Region, and bandwidth speed—everything else is automated.
    • automates complex network configuration including BGP peering, VLAN configuration, and ASN assignment.
    • supports dynamic bandwidth scaling from 1 Gbps to 100 Gbps through the AWS console with zero downtime maintenance.
  • AWS Interconnect – Multicloud
    • enables private, secure connectivity between AWS VPCs and other cloud environments (e.g., Google Cloud).
    • uses pre-built capacity pools between AWS and partner cloud providers, eliminating physical cross-connect management.
    • connection can be established in minutes through a simple two-step creation and approval process.
  • simplifies what previously required Direct Connect setup with third-party coordination.

AWS Snow Family

⚠️ Availability Changes:

  • Snowmobile – Retired (March 2024).
  • Snowcone (HDD and SSD) – Discontinued (November 2024).
  • Previous-gen Snowball Edge devices (Storage Optimized 80TB, Compute Optimized 52 vCPU, Compute Optimized GPU) – Discontinued (November 2024).
  • Snowball Edge (latest generation) – Available to existing customers only (November 2025). New customers should use AWS DataSync for online transfers or AWS Data Transfer Terminal for physical transfers.
  • AWS Snowball Edge (latest generation)
    • is a petabyte-scale data transfer service built around a secure device that moves data into and out of the AWS Cloud quickly and efficiently.
    • transfers the data to S3 bucket.
    • transfer times are about a week from start to finish.
    • commonly used to ship terabytes or petabytes of analytics data, healthcare and life sciences data, video libraries, image repositories, backups, and archives as part of data center shutdown, tape replacement, or application migration projects.
    • contains embedded computing platform that helps perform simple processing tasks.
    • can be rack shelved and may also be clustered together, making it simpler to collect and store data in extremely remote locations.
    • commonly used in environments with intermittent connectivity (such as manufacturing, industrial, and transportation); or in extremely remote locations (such as military or maritime operations) before shipping them back to AWS data centers.
    • delivers serverless computing applications at the network edge using AWS Greengrass and Lambda functions.
    • Only available to existing customers as of November 7, 2025.
  • AWS Snowmobile (RETIRED)
    • Retired in March 2024. AWS no longer offers this service.
    • Previously moved up to 100PB of data in a 45-foot long ruggedized shipping container.
    • Was ideal for multi-petabyte or Exabyte-scale digital media migrations and datacenter shutdowns.
    • Alternatives: For large-scale transfers, use AWS Data Transfer Terminal or multiple Snowball Edge devices (existing customers), or AWS DataSync for online transfers.

AWS Import/Export (Legacy – Upgraded to Snowball)

  • accelerated moving large amounts of data into and out of AWS using secure Snowball appliances
  • AWS transferred the data directly onto and off of the storage devices using Amazon’s high-speed internal network, bypassing the Internet
  • Data Migration
    • for significant data size, AWS Import/Export was faster than Internet transfer and more cost-effective than upgrading the connectivity
    • if loading the data over the Internet would take a week or more, AWS Import/Export should be considered
    • data from appliances could be imported to S3, Glacier and EBS volumes and exported from S3
    • not suitable for applications that cannot tolerate offline transfer time
  • Security
    • Snowball uses an industry-standard Trusted Platform Module (TPM) that has a dedicated processor designed to detect any unauthorized modifications to the hardware, firmware, or software to physically secure the AWS Snowball device.
  • Note: With Snow Family availability changes, new customers should use AWS DataSync or AWS Data Transfer Terminal.

AWS DataSync (Recommended for Online Transfers)

  • is an online data movement service that simplifies and accelerates data migrations to AWS.
  • moves data quickly and securely between on-premises storage, edge locations, other cloud providers, and AWS Storage.
  • automates scheduling, monitoring, encryption, and end-to-end data validation.
  • recommended replacement for AWS Snow Family for new customers needing online data transfer.
  • Key Features:
    • Transfers file and object data between storage services.
    • Supports on-premises NFS, SMB, HDFS, self-managed object storage, AWS S3, EFS, FSx, and more.
    • Automatic encryption in-flight and end-to-end data integrity validation.
    • DataSync Discovery – Provides visibility into on-premises storage performance and utilization with migration recommendations.
    • Enhanced Mode (May 2025) – Supports cross-cloud transfers without requiring a DataSync agent, with higher performance and scalability.
  • Use Cases:
    • Online data migration to AWS Storage services.
    • Ongoing data replication between on-premises and cloud.
    • Cross-cloud data movement (AWS to/from other cloud providers).
    • Large-scale data migrations with automated scheduling.

AWS Data Transfer Terminal (NEW – December 2024)

  • are physical locations around the world where customers bring data storage devices and connect them to the AWS network for high-speed, secure data transfer.
  • recommended replacement for AWS Snow Family for new customers needing physical data transfer.
  • provides a secure, upload-ready, physical location—customers bring their own storage devices.
  • enables upload to any AWS endpoint including Amazon S3, Amazon EFS, or others using a high-throughput connection.
  • suited for data transfer or migration use cases where large amounts of data need to be transferred quickly.
  • customers can also bring Snowball Edge devices to these locations for upload.
  • Key Differences from Snow Family:
    • Customer brings their own storage devices (no AWS-provided appliance).
    • No shipping required—customer physically visits the terminal.
    • Direct connection to AWS high-speed network at the terminal location.
    • On-demand access without device ordering lead times.

AWS Storage Gateway

  • connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and the AWS storage infrastructure
  • provides low-latency performance by maintaining frequently accessed data on-premises while securely storing all of the data encrypted in S3 or Glacier.
  • for disaster recovery scenarios, Storage Gateway, together with EC2, can serve as a cloud-hosted solution that mirrors the entire production environment
  • Gateway Types:
    • S3 File Gateway – NFS/SMB access to S3 objects.
    • FSx File Gateway – Local cache for Windows-based file shares on FSx for Windows File Server. (No longer accepting new customers as of October 2024.)
    • Volume Gateway (Cached) – S3 holds primary data, frequently accessed data cached locally.
    • Volume Gateway (Stored) – Entire data stored locally, asynchronously backed up to S3.
    • Tape Gateway – iSCSI-based virtual tape library (VTL) for offline data archiving.
  • Security
    • Encrypts all data in transit to and from AWS by using SSL/TLS.
    • All data in AWS Storage Gateway is encrypted at rest using AES-256.
    • Authentication between the gateway and iSCSI initiators can be secured by using Challenge-Handshake Authentication Protocol (CHAP).
  • Recent Updates:
    • Migrating from Amazon Linux 2 to AL2023 (required before June 30, 2026 AL2 EOL).
    • IPv6 support for Storage Gateway endpoints, APIs, and appliance interfaces (September 2025).
    • Terraform modules support AL2023 with Elastic IP association for private activations (March 2026).

Simple Storage Service – S3

  • Data Transfer
    • Files up to 5GB can be transferred using single operation
    • Multipart uploads can be used to upload files up to 5 TB and speed up data uploads by dividing the file into multiple parts
    • transfer rate still limited by the network speed
    • S3 Transfer Acceleration uses CloudFront edge locations to accelerate uploads over long distances.
  • Security
    • Data in transit can be secured by using SSL/TLS or client-side encryption.
    • Encrypt data at-rest by performing server-side encryption using Amazon S3-Managed Keys (SSE-S3), AWS Key Management Service (KMS)-Managed Keys (SSE-KMS), or Customer Provided Keys (SSE-C). Or by performing client-side encryption using AWS KMS–Managed Customer Master Key (CMK) or Client-Side Master Key.
    • Note: SSE-S3 is now applied by default to all new objects (January 2023).

AWS Migration Strategy Summary

Use Case Recommended Service (2025+) Previous Service
Migration planning & discovery AWS Transform Migration Hub + Application Discovery Service
Lift-and-shift server migration AWS Transform MGN SMS → Application Migration Service
Database migration AWS DMS / DMS Serverless AWS DMS
Online data transfer AWS DataSync Snow Family / Storage Gateway
Physical bulk data transfer AWS Data Transfer Terminal Snow Family (Snowball/Snowmobile)
Private network connectivity AWS Direct Connect / AWS Interconnect AWS Direct Connect
Hybrid storage AWS Storage Gateway AWS Storage Gateway
VM image import VM Import/Export VM Import/Export

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Your must architect the migration of a web application to AWS. The application consists of Linux web servers running a custom web server. You are required to save the logs generated from the application to a durable location. What options could you select to migrate the application to AWS? (Choose 2)
    1. Create an AWS Elastic Beanstalk application using the custom web server platform. Specify the web server executable and the application project and source files. Enable log file rotation to Amazon Simple Storage Service (S3). (EB does not work with Custom server executable)
    2. Create Dockerfile for the application. Create an AWS OpsWorks stack consisting of a custom layer. Create custom recipes to install Docker and to deploy your Docker container using the Dockerfile. Create custom recipes to install and configure the application to publish the logs to Amazon CloudWatch Logs (OpsWorks Stacks is now deprecated (EOL May 2024). Also, the last sentence mentions configure the application to push the logs to S3, which would need changes to application as it needs to use SDK or CLI)
    3. Create Dockerfile for the application. Create an AWS OpsWorks stack consisting of a Docker layer that uses the Dockerfile. Create custom recipes to install and configure Amazon Kinesis to publish the logs into Amazon CloudWatch. (Kinesis not needed, OpsWorks deprecated)
    4. Create a Dockerfile for the application. Create an AWS Elastic Beanstalk application using the Docker platform and the Dockerfile. Enable logging the Docker configuration to automatically publish the application logs. Enable log file rotation to Amazon S3. (Use Docker configuration with awslogs and EB with Docker)
    5. Use VM import/Export to import a virtual machine image of the server into AWS as an AMI. Create an Amazon Elastic Compute Cloud (EC2) instance from AMI, and install and configure the Amazon CloudWatch Logs agent. Create a new AMI from the instance. Create an AWS Elastic Beanstalk application using the AMI platform and the new AMI. (Use VM Import/Export to create AMI and CloudWatch logs agent to log)
  2. Your company hosts an on-premises legacy engineering application with 900GB of data shared via a central file server. The engineering data consists of thousands of individual files ranging in size from megabytes to multiple gigabytes. Engineers typically modify 5-10 percent of the files a day. Your CTO would like to migrate this application to AWS, but only if the application can be migrated over the weekend to minimize user downtime. You calculate that it will take a minimum of 48 hours to transfer 900GB of data using your company’s existing 45-Mbps Internet connection. After replicating the application’s environment in AWS, which option will allow you to move the application’s data to AWS without losing any data and within the given timeframe?
    1. Copy the data to Amazon S3 using multiple threads and multi-part upload for large files over the weekend, and work in parallel with your developers to reconfigure the replicated application environment to leverage Amazon S3 to serve the engineering files. (Still limited by 45 Mbps speed with minimum 48 hours when utilized to max)
    2. Sync the application data to Amazon S3 starting a week before the migration, on Friday morning perform a final sync, and copy the entire data set to your AWS file server after the sync completes. (Works best as the data changes can be propagated over the week and are fractional and downtime would be known. Note: AWS DataSync would be ideal for this use case today.)
    3. Copy the application data to a 1-TB USB drive on Friday and immediately send overnight, with Saturday delivery, the USB drive to AWS Import/Export to be imported as an EBS volume, mount the resulting EBS volume to your AWS file server on Sunday. (Downtime is not known when the data upload would be done, although Amazon says the same day the package is received)
    4. Leverage the AWS Storage Gateway to create a Gateway-Stored volume. On Friday copy the application data to the Storage Gateway volume. After the data has been copied, perform a snapshot of the volume and restore the volume as an EBS volume to be attached to your AWS file server on Sunday. (Still uses the internet)
  3. You are tasked with moving a legacy application from a virtual machine running inside your datacenter to an Amazon VPC. Unfortunately this app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse there’s no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? (Choose 3 answers)
    1. An AWS Direct Connect link between the VPC and the network housing the internal services
    2. An Internet Gateway to allow a VPN connection. (Virtual and Customer gateway is needed)
    3. An Elastic IP address on the VPC instance
    4. An IP address space that does not conflict with the one on-premises
    5. Entries in Amazon Route 53 that allow the Instance to resolve its dependencies’ IP addresses
    6. A VM Import of the current virtual machine
  4. An enterprise runs 103 line-of-business applications on virtual machines in an on-premises data center. Many of the applications are simple PHP, Java, or Ruby web applications, are no longer actively developed, and serve little traffic. Which approach should be used to migrate these applications to AWS with the LOWEST infrastructure costs?
    1. Deploy the applications to single-instance AWS Elastic Beanstalk environments without a load balancer.
    2. Use AWS SMS to create AMIs for each virtual machine and run them in Amazon EC2. (Note: AWS SMS is deprecated. AWS Transform MGN would be the equivalent today.)
    3. Convert each application to a Docker image and deploy to a small Amazon ECS cluster behind an Application Load Balancer.
    4. Use VM Import/Export to create AMIs for each virtual machine and run them in single-instance AWS Elastic Beanstalk environments by configuring a custom image.
  5. [NEW] A company needs to migrate 500 VMware virtual machines to AWS with minimal downtime. The company wants automated dependency mapping, wave planning, and network conversion. Which service should they use?
    1. AWS Server Migration Service
    2. AWS Migration Hub with Application Migration Service
    3. AWS Transform for VMware (AWS Transform for VMware provides automated dependency mapping, wave planning, and network configuration conversions using agentic AI.)
    4. VM Import/Export with CloudFormation
  6. [NEW] A company needs to transfer 50TB of data to AWS S3 as quickly as possible. They are a new AWS customer. Which combination of services should they consider? (Choose 2)
    1. AWS Snowball Edge (Not available to new customers since November 2025)
    2. AWS Data Transfer Terminal (Physical location for high-speed upload using customer’s own devices. Available to new customers.)
    3. AWS DataSync (Online data transfer with automated scheduling, encryption, and validation.)
    4. AWS Snowmobile (Retired in March 2024)
  7. [NEW] A company wants to establish private connectivity between their AWS VPCs and Google Cloud environment without managing physical cross-connects. Which service should they use?
    1. AWS Direct Connect with VPN overlay
    2. AWS Site-to-Site VPN
    3. AWS Interconnect – Multicloud (Provides pre-built capacity pools between AWS and partner cloud providers, eliminating physical cross-connect management. GA April 2026.)
    4. AWS Transit Gateway with peering
  8. [NEW] A company wants to migrate databases to AWS with minimal infrastructure management. They need automatic scaling and don’t want to manage replication instances. Which service option should they use?
    1. AWS DMS with provisioned replication instances
    2. AWS DMS Serverless (Automatically provisions, scales, and manages migration resources. Supports automatic storage scaling and premigration assessments.)
    3. AWS SCT with manual migration
    4. AWS Glue ETL jobs

References

AWS Storage Gateway

AWS Storage Gateway

  • AWS Storage Gateway connects on-premises software appliances with cloud-based storage to provide seamless integration with data security features between on-premises and the AWS storage infrastructure.
  • AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage.
  • Storage Gateway allows storage of data in the AWS cloud for scalable and cost-effective storage while maintaining data security.
  • Storage Gateway can run either on-premises, as a VM appliance (on VMware ESXi, Microsoft Hyper-V, or Linux KVM), or in AWS, as an EC2 instance. So if the on-premises data center goes offline and there is no available host, the gateway can be deployed on an EC2 instance.
  • Gateways hosted on EC2 instances can be used for disaster recovery, data mirroring, and providing storage for applications hosted on EC2.
  • Storage Gateway, by default, uploads data using SSL and provides data encryption at rest when stored in S3 or Glacier using AES-256.
  • Storage Gateway performs encryption of data-in-transit and at-rest.
  • Storage Gateway supports four key hybrid cloud use cases:
    • Move backups and archives to the cloud
    • Reduce on-premises storage with cloud-backed file shares
    • Provide on-premises applications low-latency access to data stored in AWS
    • Data lake access for pre and post processing workflows
  • Storage Gateway offers multiple types:
    • Amazon S3 File Gateway
    • Amazon FSx File Gateway (no longer available to new customers as of October 28, 2024)
    • Volume Gateway
    • Tape Gateway
  • Storage Gateway integrates with AWS Backup for centralized backup management of Volume Gateway volumes.
  • Storage Gateway supports public, Amazon VPC, and FIPS service endpoints.
  • Storage Gateway supports IPv6 via dual-stack endpoints (announced September 2025).
  • Storage Gateway supports VPC endpoint policies for granular access control (announced September 2025).

⚠️ Important Notices

  • Hardware Appliance End of Availability: As of May 12, 2025, the AWS Storage Gateway Hardware Appliance is no longer available for new purchases. Existing customers can continue to use and receive support until May 2028.
  • Amazon FSx File Gateway: No longer available to new customers as of October 28, 2024. Existing customers can continue to use the service. AWS recommends using Amazon FSx for Windows File Server directly with multi-AZ support.
  • AL2 to AL2023 Migration: All AL2-based Storage Gateway appliances must be migrated to Amazon Linux 2023 (AL2023) before June 30, 2026, after which they will no longer receive software updates, security patches, or bug fixes.

Storage Gateway Deployment Options

  • Storage Gateway can be deployed in several ways:
    • Virtual Machine (VM) – on VMware ESXi, Microsoft Hyper-V, or Linux KVM on-premises
    • Hardware Appliance – dedicated on-premises hardware (end of availability May 12, 2025)
    • VM in VMware Cloud on AWS – for VMware-based cloud environments
    • Amazon EC2 instance – deployed within Amazon VPC
  • Storage Gateway provides high availability on VMware through VMware vSphere High Availability (VMware HA), automatically recovering from most service interruptions in under 60 seconds.
  • Storage Gateway supports local cache of up to 64 TB for all gateway types.

Amazon S3 File Gateway

S3 File Gateway Architecture

  • Amazon S3 File Gateway supports a file interface into S3 and combines the service with a virtual software appliance.
  • Allows storing and retrieving of objects in S3 using industry-standard file protocols such as NFS and SMB.
  • Software appliance, or gateway, is deployed into the on-premises environment as a VM running on VMware ESXi, Microsoft Hyper-V, or Linux KVM hypervisor.
  • Provides access to objects in S3 as files or file share mount points. It can be considered as a file system mount on S3.
  • Durably stores POSIX-style metadata, including ownership, permissions, and timestamps in S3 as object user metadata associated with the file.
  • Provides a cost-effective alternative to on-premises storage.
  • Provides low-latency access to data through transparent local caching (up to 64 TiB).
  • Manages data transfer to and from AWS, buffers applications from network congestion, optimizes and streams data in parallel, and manages bandwidth consumption.
  • Easily integrates with services like IAM, KMS, CloudWatch, CloudTrail, etc.
  • S3 File Gateway publishes audit logs for SMB file share user operations to Amazon CloudWatch.
  • S3 File Gateway supports the following Amazon S3 storage classes:
    • S3 Standard
    • S3 Standard-Infrequent Access (S3 Standard-IA)
    • S3 One Zone-Infrequent Access (S3 One Zone-IA)
    • S3 Intelligent-Tiering
    • S3 Glacier Flexible Retrieval (via lifecycle policies)
    • S3 Glacier Deep Archive (via lifecycle policies)
  • S3 File Gateway does NOT support S3 Glacier Instant Retrieval storage class directly.
  • S3 File Gateway allows you to:
    • Store and retrieve files directly using the NFS version 3 or 4.1 protocol.
    • Store and retrieve files directly using the SMB file system version 2 and 3 protocol.
    • Access the data directly in S3 from any AWS Cloud application or service.
    • Manage S3 data using lifecycle policies, cross-region replication, and versioning.
  • Use cases include backing up on-premises file data to S3, hybrid cloud workflows, machine learning, and big data analytics.

Volume Gateways

  • Volume gateways provide cloud-backed storage volumes that can be mounted as Internet Small Computer System Interface (iSCSI) devices from the on-premises application servers.
  • All data is securely stored in AWS; the approach differs in how much data is stored on-premises.
  • Exposes a compatible iSCSI interface on the front end to easily integrate with existing backup applications and represents another disk drive.
  • Backs up the data incrementally by taking snapshots which are stored as EBS snapshots in S3. These snapshots can be restored as gateway storage volumes or used to create EBS volumes to be attached to an EC2 instance.
  • Volume Gateway integrates with AWS Backup for centralized backup management, supporting both cached and stored volumes.
  • Data written to volumes can be backed up using either the Storage Gateway native snapshot scheduler or AWS Backup service.

Gateway Cached Volumes

Storage Gateway Cached Volume
  • Gateway Cached Volumes store data in S3, which acts as primary data storage, and retains a copy of recently read data locally for low latency access to the frequently accessed data.
  • Gateway-cached volumes offer substantial cost savings on primary storage and minimize the need to scale the storage on-premises.
  • All gateway-cached volume data and snapshot data are stored in S3 encrypted at rest using server-side encryption (SSE) and it cannot be accessed with S3 API or any other tools.
  • Each gateway configured for gateway-cached volumes can support up to 32 volumes, with each volume ranging from 1 GiB to 32 TiB, for a total maximum storage volume of 1,024 TiB (1 PiB).
  • If you create a snapshot from a cached volume that is more than 16 TiB in size, you can restore it to a Storage Gateway volume but not to an Amazon EBS volume.
  • Gateway VM can be allocated disks:
    • Cache storage
      • Cache storage acts as the on-premises durable storage, stores the data before uploading it to S3.
      • Cache storage also stores recently read data for low-latency access.
      • Maximum cache size: 64 TiB.
    • Upload buffer
      • Upload buffer acts as a staging area before the data is uploaded to S3.
      • Gateway uploads data over an encrypted SSL connection to AWS, where it is stored encrypted in S3.

Gateway Stored Volumes

Storage Gateway Stored Volume
  • Gateway stored volumes maintain the entire data set locally to provide low-latency access.
  • Gateway asynchronously backs up point-in-time snapshots (in the form of EBS snapshots) of the data to S3 which provides durable off-site backups.
  • Gateway stored volume configuration provides durable and inexpensive off-site backups that you can recover to your local data center or EC2 for e.g., if you need replacement capacity for disaster recovery, you can recover the backups to EC2.
  • Each gateway configured for gateway-stored volumes can support up to 32 volumes, ranging from 1 GiB to 16 TiB, and total volume storage of 512 TiB.
  • Gateway VM can be allocated disks:
    • Volume Storage
      • For storing the actual data.
      • Can be mapped to on-premises direct-attached storage (DAS) or storage area network (SAN) disks.
    • Upload buffer
      • Upload buffer acts as a staging area before the data is uploaded to S3.
      • Gateway uploads data over an encrypted SSL connection to AWS, where it is stored encrypted in Amazon S3.

Tape Gateway – Gateway-Virtual Tape Library (VTL)

Storage Gateway VTL
  • Tape Gateway offers a durable, cost-effective data archival solution.
  • VTL interface can help leverage existing tape-based backup application infrastructure to store data on virtual tape cartridges created on the tape gateway.
  • Each Tape Gateway is preconfigured with a media changer and tape drives, which are available to the existing client backup applications as iSCSI devices. Tape cartridges can be added as needed to archive the data.
  • Tape Gateway provides a virtual tape infrastructure that scales seamlessly with business needs and eliminates the operational burden of provisioning, scaling, and maintaining a physical tape infrastructure.
  • Tape Gateway compresses data and transitions virtual tapes between Amazon S3 and Amazon S3 Glacier Flexible Retrieval (formerly S3 Glacier) or Amazon S3 Glacier Deep Archive to minimize storage costs.
  • Tape Gateway on AWS Snowball Edge enables offline migration of petabytes of physical tape data to AWS without network bandwidth constraints.
  • Tape Gateway has the following components:
    • Virtual Tape
      • Virtual tape is similar to the physical tape cartridge, except that the data is stored in the AWS storage solution.
      • Each gateway can contain 1500 tapes or up to 1 PiB of total tape data, with each tape ranging from 100 GiB to 15 TiB (increased from 5 TiB in 2022).
    • Virtual Tape Library (VTL)
      • Virtual tape library is similar to the physical tape library with tape drives (replaced with VTL tape drive) and robotic arms (replaced with Media changer).
      • Tapes in the Virtual tape library are backed up in Amazon S3.
      • Backup software writes data to the gateway, the gateway stores data locally, and then asynchronously uploads it to virtual tapes in S3.
    • Archive (Virtual Tape Shelf – VTS)
      • Virtual tape shelf is similar to the offsite tape holding facility.
      • Archived tapes are stored in Amazon S3 Glacier Flexible Retrieval (formerly S3 Glacier) or Amazon S3 Glacier Deep Archive for extremely low-cost storage for data archiving.
      • VTS is located in the same region where the gateway was created and every region would have a single VTS irrespective of the number of gateways.
      • Archiving tapes:
        • When the backup software ejects a tape, the gateway moves the tape to the VTS (S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive based on the tape pool).
      • Retrieving tapes:
        • Tapes archived in S3 Glacier Flexible Retrieval are typically available within 3-5 hours.
        • Tapes archived in S3 Glacier Deep Archive are typically available within 12 hours.
      • Tapes can be moved from S3 Glacier Flexible Retrieval to S3 Glacier Deep Archive to further reduce costs, but cannot be moved back.
  • Gateway VM can be allocated disks for:
    • Cache storage
      • Cache storage acts as the on-premises durable storage, stores the data before uploading it to S3.
      • Cache storage also stores recently read data for low-latency access.
      • Maximum cache size: 64 TiB.
    • Upload buffer
      • Upload buffer acts as a staging area before the data is uploaded to the Virtual tape.
      • Gateway uploads data over an encrypted SSL connection to AWS, where it is stored encrypted in S3.
      • Maximum upload buffer: 2 TiB.

Tape Gateway on AWS Snowball Edge

  • Tape Gateway on Snowball Edge enables offline migration of petabytes of physical tape data to AWS without changing existing tape-based backup workflows.
  • A standard Tape Gateway uses the network connection to transfer data asynchronously; Tape Gateway on Snowball Edge stores data on the device itself until returned to AWS.
  • After receiving the device, unlock it, set up a Tape Gateway on it, copy tape data to it, and ship it back to AWS.
  • AWS stores tape data in S3 Glacier Flexible Retrieval or S3 Glacier Deep Archive.
  • Each Snowball Edge device can migrate up to 80 TB of tape data.
  • Ideal for environments with network-connectivity limitations, bandwidth constraints, or high connection costs.

Amazon FSx File Gateway (No Longer Available to New Customers)

⚠️ Notice: Amazon FSx File Gateway is no longer available to new customers as of October 28, 2024. Existing customers can continue to use the service normally. AWS recommends using Amazon FSx for Windows File Server directly with multi-AZ support for similar capabilities.

  • Amazon FSx File Gateway provided low-latency, on-premises access to fully managed file shares in Amazon FSx for Windows File Server.
  • Used SMB protocol for user or team file shares and file-based application migrations.
  • Maintained a local cache for low-latency access to frequently accessed data.
  • For new deployments, use Amazon FSx for Windows File Server directly.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Which of the following services natively encrypts data at rest within an AWS region? Choose 2 answers
    1. AWS Storage Gateway
    2. Amazon DynamoDB
    3. Amazon CloudFront
    4. Amazon Glacier
    5. Amazon Simple Queue Service
  2. What does the AWS Storage Gateway provide?
    1. It allows to integrate on-premises IT environments with Cloud Storage
    2. A direct encrypted connection to Amazon S3.
    3. It’s a backup solution that provides an on-premises Cloud storage.
    4. It provides an encrypted SSL endpoint for backups in the Cloud.
  3. You’re running an application on-premises due to its dependency on non-x86 hardware and want to use AWS for data backup. Your backup application is only able to write to POSIX-compatible block-based storage. You have 140TB of data and would like to mount it as a single folder on your file server. Users must be able to access portions of this data while the backups are taking place. What backup solution would be most appropriate for this use case?
    1. Use Storage Gateway and configure it to use Gateway Cached volumes.
    2. Configure your backup software to use S3 as the target for your data backups.
    3. Configure your backup software to use Glacier as the target for your data backups
    4. Use Storage Gateway and configure it to use Gateway Stored volumes (Data is hosted on the On-premise server as well. The requirement for 140TB is for file server On-Premise more to confuse and not in AWS. Just need a backup solution hence stored instead of cached volumes)
  4. A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data. Which AWS Storage Gateway configuration meets the customer requirements?
    1. Gateway-Cached volumes with snapshots scheduled to Amazon S3
    2. Gateway-Stored volumes with snapshots scheduled to Amazon S3
    3. Gateway-Virtual Tape Library with snapshots to Amazon S3
    4. Gateway-Virtual Tape Library with snapshots to Amazon Glacier
  5. You have a proprietary data store on-premises that must be backed up daily by dumping the data store contents to a single compressed 50GB file and sending the file to AWS. Your SLAs state that any dump file backed up within the past 7 days can be retrieved within 2 hours. Your compliance department has stated that all data must be held indefinitely. The time required to restore the data store from a backup is approximately 1 hour. Your on-premise network connection is capable of sustaining 1gbps to AWS. Which backup methods to AWS would be most cost-effective while still meeting all of your requirements?
    1. Send the daily backup files to Glacier immediately after being generated (will not meet the RTO)
    2. Transfer the daily backup files to an EBS volume in AWS and take daily snapshots of the volume (Not cost effective)
    3. Transfer the daily backup files to S3 and use appropriate bucket lifecycle policies to send to Glacier (Store in S3 for seven days and then archive to Glacier)
    4. Host the backup files on a Storage Gateway with Gateway-Cached Volumes and take daily snapshots (Not Cost effective as local storage as well as S3 storage)
  6. A customer implemented AWS Storage Gateway with a gateway-cached volume at their main office. An event takes the link between the main and branch office offline. Which methods will enable the branch office to access their data? Choose 3 answers
    1. Use a HTTPS GET to the Amazon S3 bucket where the files are located (gateway volumes are only accessible from the AWS Storage Gateway and cannot be directly accessed using Amazon S3 APIs)
    2. Restore by implementing a lifecycle policy on the Amazon S3 bucket.
    3. Make an Amazon Glacier Restore API call to load the files into another Amazon S3 bucket within four to six hours.
    4. Launch a new AWS Storage Gateway instance AMI in Amazon EC2, and restore from a gateway snapshot
    5. Create an Amazon EBS volume from a gateway snapshot, and mount it to an Amazon EC2 instance.
    6. Launch an AWS Storage Gateway virtual iSCSI device at the branch office, and restore from a gateway snapshot
  7. A company uses on-premises servers to host its applications. The company is running out of storage capacity. The applications use both block storage and NFS storage. The company needs a high-performing solution that supports local caching without rearchitecting its existing applications. Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)
    1. Mount Amazon S3 as a file system to the on-premises servers.
    2. Deploy an AWS Storage Gateway file gateway to replace NFS storage.
    3. Deploy AWS Snowball Edge to provision NFS mounts to on-premises servers.
    4. Deploy an AWS Storage Gateway volume gateway to replace the block storage.
    5. Deploy Amazon Elastic File System (Amazon EFS) volumes and mount them to on-premises servers.
  8. A company has petabytes of data stored on physical tapes in an offsite tape library. The company wants to migrate this tape data to AWS but has limited network bandwidth. Which solution meets these requirements with MINIMAL network usage?
    1. Set up a Tape Gateway and transfer tapes over the internet connection.
    2. Use AWS Snowball Edge with Tape Gateway to migrate tape data offline.
    3. Use AWS Direct Connect to transfer tape data to S3 Glacier.
    4. Set up an S3 File Gateway and copy tape contents as files.
  9. A company wants to archive virtual tapes at the lowest possible cost for long-term retention. The data is accessed less than once a year and can tolerate a 12-hour retrieval time. Which Tape Gateway archive storage class should they use?
    1. Amazon S3 Standard
    2. Amazon S3 Glacier Instant Retrieval
    3. Amazon S3 Glacier Flexible Retrieval
    4. Amazon S3 Glacier Deep Archive (Lowest cost, 12-hour retrieval time acceptable for once-a-year access)
  10. A solutions architect needs to provide on-premises applications with low-latency access to data stored in AWS while ensuring all data is backed up using a centralized backup service. Which combination of services should be used? (Choose two.)
    1. AWS Storage Gateway Volume Gateway
    2. Amazon S3 with cross-region replication
    3. Amazon EFS with AWS DataSync
    4. AWS Backup
    5. Amazon S3 Glacier

References

  1. AWS Storage Gateway – Volume Gateway User Guide
  2. Amazon S3 File Gateway User Guide
  3. Tape Gateway User Guide
  4. AWS Storage Gateway Features
  5. AWS Storage Gateway FAQs