Internetwork traffic privacy
This topic describes how Amazon FSx secures traffic between the service and other locations, both the API traffic used for administration and the Lustre data traffic between clients and file systems.
Traffic between Amazon FSx and on-premises clients
You have two connectivity options between your on-premises private network and the Amazon Web Services Cloud:
An Amazon Site-to-Site VPN connection. For more information, see What is Amazon Site-to-Site VPN?
An Amazon Direct Connect connection. For more information, see What is Amazon Direct Connect?
Over either connection, a client reaches FSx for Lustre in two ways: the Amazon-published API operations, used for administrative tasks such as creating or describing file systems, and the Lustre network ports, used for mounting and reading and writing the file system itself. The two paths are secured differently, as described in the following sections.
Encrypting API traffic
To access Amazon-published API operations, clients must support Transport Layer Security (TLS) 1.2 or later. TLS 1.2 is required and TLS 1.3 is recommended. Clients must also support cipher suites with Perfect Forward Secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE); most modern platforms, such as Java 7 and later, support these modes. Additionally, every request must be signed with an access key ID and secret access key associated with an IAM principal, or with temporary security credentials (access key, secret key, and session token) obtained from the Amazon Security Token Service (STS). An unsigned request, or one signed with expired temporary credentials, is rejected before any API operation runs.
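The following is an added example, not code from the FSx documentation or the SDK, showing the two client-side requirements of the paragraph above in a standard-library Python client: a TLS context that refuses anything below TLS 1.2 or without forward secrecy, and a Signature Version 4 signer that handles both long-term IAM keys and STS temporary credentials (the session token is carried in a signed X-Amz-Security-Token header). The credentials, timestamp, and endpoint are constructed placeholders (the access key and secret key are AWS's documented example values, never real keys), and the X-Amz-Target value used for DescribeFileSystems is assumed from the FSx JSON protocol; the signer itself does not depend on it.

```python
"""TLS 1.2+/PFS client context and SigV4 request signing for the FSx API.

Added example, not FSx documentation or SDK code; standard library only.
"""
import datetime as dt
import hashlib
import hmac
import ssl

SERVICE = "fsx"
ALGORITHM = "AWS4-HMAC-SHA256"
# Key exchanges that give forward secrecy. 'kx-any' is how the ssl module
# reports TLS 1.3 suites, whose key exchange is always (EC)DHE.
PFS_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}

# Constructed placeholders for the worked example. The access/secret key pair
# is AWS's documented example pair, not a real credential.
EXAMPLE_TIME = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_HOST = "fsx.us-east-1.amazonaws.com"
# Assumed FSx JSON-protocol target for DescribeFileSystems.
EXAMPLE_TARGET = "AWSSimbadAPIService_v20180301.DescribeFileSystems"


def api_tls_context() -> ssl.SSLContext:
    """Client context for API calls: TLS 1.2 minimum, PFS cipher suites only."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 suites to (EC)DHE key exchange with AEAD ciphers.
    # TLS 1.3 suites are configured separately by OpenSSL and are always PFS.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def pfs_only(ctx: ssl.SSLContext) -> bool:
    """True if every cipher suite the context can negotiate provides forward secrecy."""
    return all(c["kea"] in PFS_KX for c in ctx.get_ciphers())


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_request(method, host, path, body, region, access_key, secret_key,
                 now, target, session_token=None):
    """Return the headers of a signed JSON-protocol request (no query string).

    With STS temporary credentials, pass the session token; it is added as
    x-amz-security-token and included in the signed headers.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    if session_token:
        headers["x-amz-security-token"] = session_token
    # Canonical headers: lowercase name, trimmed value, sorted by name, one per line.
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body).hexdigest()
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def example_headers(session_token=None):
    """Sign a constructed DescribeFileSystems call with the placeholder credentials."""
    return sign_request("POST", EXAMPLE_HOST, "/", b"{}", "us-east-1",
                        EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_TIME,
                        EXAMPLE_TARGET, session_token)


if __name__ == "__main__":
    ctx = api_tls_context()
    print("TLS minimum:", ctx.minimum_version.name, "| PFS only:", pfs_only(ctx))
    for name, value in example_headers(session_token="FwoGZXIvYXdzEXAMPLE").items():
        print(f"{name}: {value}")
```

The context returned by api_tls_context is what you would pass to an HTTPS connection to the FSx endpoint; a server that only offered TLS 1.0/1.1 or a static-RSA cipher suite would fail the handshake rather than silently downgrade. The signer is deterministic for a given timestamp, so the same request signed twice yields the same Authorization header, and changing the secret key, the session token, or any signed header changes the signature.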
Encrypting data traffic
Encryption of data in transit is enabled automatically for supported Amazon EC2 instances accessing the file system from within the Amazon Web Services Cloud. For more information, see Encrypting data in transit. FSx for Lustre does not natively offer encryption in transit between on-premises clients and file systems. Lustre data traffic from on-premises clients is therefore only as private as the network path that carries it: an Amazon Site-to-Site VPN connection encrypts it with IPsec, whereas an Amazon Direct Connect connection does not encrypt traffic by default, so if you require encryption over Direct Connect you must add it at the network layer, for example by running a VPN over the Direct Connect connection.