Internetwork traffic privacy - FSx for Lustre

Internetwork traffic privacy

This topic describes how Amazon FSx secures connections from the service to other locations.

Traffic between Amazon FSx and on-premises clients

You have two connectivity options between your private network and Amazon:

You can access FSx for Lustre over the network in two ways: through Amazon-published API operations, which perform administrative tasks, and through Lustre ports, which you use to interact with the file system.

Encrypting API traffic

To access Amazon-published API operations, clients must support Transport Layer Security (TLS) 1.2 or later. We require TLS 1.2 and recommend TLS 1.3. Clients must also support cipher suites with Perfect Forward Secrecy (PFS), such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Most modern systems, such as Java 7 and later, support these modes. Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Alternatively, you can use the Amazon Security Token Service (STS) to generate temporary security credentials to sign requests.
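A client-side check for the transport requirements above, as an added example that is not from the Amazon documentation: it builds a Python `ssl` context that refuses anything below TLS 1.2 and offers only forward-secret suites, then audits both the offered suites and a negotiated connection. The cipher string, the function names and the sample cipher tuple are assumptions chosen for illustration.

```python
import ssl

# TLS 1.2 suite names that start with these use ephemeral key exchange (PFS).
PFS_PREFIXES = ("ECDHE-", "DHE-")
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def build_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 or later, forward-secret suites only."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher string: limits TLS 1.2 to ECDHE/DHE with AEAD ciphers.
    # TLS 1.3 suites are not affected by set_ciphers() and are always ephemeral.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def is_forward_secret(name: str, protocol: str) -> bool:
    """True when the suite uses an ephemeral key exchange."""
    if protocol == "TLSv1.3":
        return True
    return name.startswith(PFS_PREFIXES)


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Names of suites the context would offer that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"], c["protocol"])]


def connection_meets_policy(cipher: tuple) -> bool:
    """Check the (name, protocol, bits) tuple returned by SSLSocket.cipher()."""
    name, protocol, _bits = cipher
    return protocol in ALLOWED_VERSIONS and is_forward_secret(name, protocol)


if __name__ == "__main__":
    ctx = build_client_context()
    print("minimum version:", ctx.minimum_version.name)
    print("non-PFS suites offered:", non_pfs_suites(ctx))
    # Constructed sample: static-RSA key exchange, so no forward secrecy.
    print(connection_meets_policy(("AES128-GCM-SHA256", "TLSv1.2", 128)))
```

Pass the result of `SSLSocket.cipher()` from a live connection to `connection_meets_policy` to confirm what was actually negotiated, not just what the client offered.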

Encrypting data traffic

Encryption of data in transit is enabled from supported EC2 instances accessing the file systems from within the Amazon Web Services Cloud. For more information, see Encrypting data in transit. FSx for Lustre does not natively offer encryption in transit between on-premises clients and file systems.