Accessing data
You can access your Amazon FSx file systems using a variety of supported clients and methods in both the Amazon Web Services Cloud and on premises environments.
Each SVM has four endpoints that are used to access data or to manage the SVM using the NetApp ONTAP CLI or REST API:
- Nfs – For connecting using the Network File System (NFS) protocol
- Smb – For connecting using the Server Message Block (SMB) protocol (if your SVM is joined to an Active Directory, or you're using a workgroup)
- Iscsi – For connecting using the Internet Small Computer Systems Interface (iSCSI) protocol (for scale-up file systems only)
- Management – For managing SVMs using the NetApp ONTAP CLI or API, or NetApp BlueXP
Supported clients
FSx for ONTAP file systems support accessing data from a wide variety of compute instances and operating systems. It does this by supporting access using the Network File System (NFS) protocol (v3, v4.0, v4.1 and v4.2), all versions of the Server Message Block (SMB) protocol (including 2.0, 3.0, and 3.1.1), and the Internet Small Computer Systems Interface (iSCSI) protocol.
Important
Amazon FSx doesn't support accessing file systems from the public internet. If an Elastic IP address (a public IP address reachable from the internet) is attached to a file system's elastic network interface, Amazon FSx automatically detaches it.
The following Amazon compute instances are supported for use with FSx for ONTAP:
- Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux with NFS or SMB support, Microsoft Windows, and macOS. For more information, see Mounting volumes.
- Amazon Elastic Container Service (Amazon ECS) Docker containers on Amazon EC2 Windows and Linux instances. For more information, see Using Amazon Elastic Container Service with FSx for ONTAP.
- Amazon Elastic Kubernetes Service – To learn more, see Amazon FSx for NetApp ONTAP CSI driver in the Amazon EKS User Guide.
- Red Hat OpenShift Service on Amazon (ROSA) – To learn more, see What is Red Hat OpenShift Service on Amazon? in the Red Hat OpenShift Service on Amazon User Guide.
- Amazon WorkSpaces instances. For more information, see Using Amazon WorkSpaces with FSx for ONTAP.
- Amazon AppStream 2.0 instances.
- Amazon Lambda – For more information, see the Amazon blog post Enabling SMB access for server-less workloads with Amazon FSx.
- Virtual machines (VMs) running in VMware Cloud on Amazon environments. For more information, see Configure Amazon FSx for NetApp ONTAP as External Storage and VMware Cloud on Amazon with Amazon FSx for NetApp ONTAP Deployment Guide.
Once mounted, FSx for ONTAP file systems appear as a local directory or drive letter over NFS and SMB, providing fully managed, shared network file storage that can be accessed simultaneously by up to thousands of clients. iSCSI LUNs are accessible as block devices when attached over iSCSI.
Accessing data from within Amazon
Each Amazon FSx file system is associated with a Virtual Private Cloud (VPC). You can access your FSx for ONTAP file system from anywhere in the file system's VPC, regardless of Availability Zone. You can also access your file system from other VPCs that can be in different Amazon accounts or Amazon Web Services Regions. In addition to the requirements described in the following sections for accessing FSx for ONTAP resources, you also need to ensure that your file system's VPC security group is configured so that data and management traffic can flow between your file system and clients. For more information about configuring security groups with the required ports, see Amazon VPC security groups.
Accessing data from within the same VPC
When you create your Amazon FSx for NetApp ONTAP file system, you select the Amazon VPC in which it is located. All SVMs and volumes associated with the Amazon FSx for NetApp ONTAP file system are also located in the same VPC. When mounting a volume, if the file system and the client mounting the volume are located in the same VPC and Amazon Web Services account, you can use the SVM's DNS name and volume junction or SMB share, depending on the client. For more information, see Mounting volumes.
You can achieve optimal performance if the client and the volume are located in the same Availability Zone as the file system's subnet, or as the preferred subnet for Multi-AZ file systems. To identify a file system's subnet or preferred subnet, in the Amazon FSx console, choose File systems, then choose the ONTAP file system whose volume you are mounting; the subnet or preferred subnet (Multi-AZ) is displayed in the Subnet or Preferred subnet panel.
Accessing data from outside the deployment VPC
This section describes how to access an FSx for ONTAP file system's endpoints from Amazon locations outside of the file system's deployment VPC.
Accessing NFS, SMB, and ONTAP management endpoints on Multi-AZ file systems
The NFS, SMB, and ONTAP management endpoints on Amazon FSx for NetApp ONTAP Multi-AZ file systems use floating internet protocol (IP) addresses so that connected clients seamlessly transition between the preferred and standby file servers during a failover event. For more information about failovers, see Failover process for FSx for ONTAP.
These floating IP addresses are created in the VPC route tables that you associate with your file system, and are within the file system's EndpointIpAddressRange, which you can specify during creation. The EndpointIpAddressRange uses the following address ranges by default, depending on how the file system is created:
- Multi-AZ file systems created using the Amazon FSx console use the last 64 IP addresses in the VPC's primary CIDR range for the file system's EndpointIpAddressRange by default.
- Multi-AZ file systems created using the Amazon CLI or Amazon FSx API use an IP address range within the 198.19.0.0/16 address block for the EndpointIpAddressRange by default.
Only Amazon Transit Gateway can be used to reach floating IP addresses that fall outside the VPC's CIDR range from a peered or on-premises network.
The following diagram illustrates using Transit Gateway for NFS, SMB, or management access to a Multi-AZ file system that is in a different VPC than the clients that are accessing it.
Note
Ensure that all of the route tables you're using are associated with your Multi-AZ file system. Doing so helps prevent unavailability during a failover. For information about associating your Amazon VPC route tables with your file system, see Updating a file system.
For information about when you need to use Transit Gateway to access your FSx for ONTAP file system, see When is Transit Gateway required?.
Accessing NFS, SMB, or the ONTAP CLI and API for Single-AZ file systems
The endpoints used to access FSx for ONTAP Single-AZ file systems over NFS or SMB, and for administering file systems using the ONTAP CLI or REST API, are secondary IP addresses on the ENI of the active file server. The secondary IP addresses are within the VPC’s CIDR range, so clients can access data and management ports using VPC Peering, Amazon Direct Connect, or Amazon VPN without requiring Amazon Transit Gateway.
The following diagram illustrates using Amazon VPN or Amazon Direct Connect for NFS, SMB, or management access to a Single-AZ file system that is in a different VPC than the clients accessing it.
When is Transit Gateway required?
Whether or not Transit Gateway is required for your Multi-AZ file systems depends on the method you use to access your file system data. Single-AZ file systems do not require Transit Gateway. The following table describes when you will need to use Amazon Transit Gateway to access Multi-AZ file systems.
Data access | Requires Transit Gateway? |
---|---|
Accessing FSx over NFS, SMB, or the NetApp ONTAP REST API, CLI or BlueXP | Only if the file system's EndpointIpAddressRange is outside the VPC's CIDR range and you are accessing it from a peered network or from on premises |
Accessing data over iSCSI | No |
Joining an SVM to an Active Directory | No |
SnapMirror | No |
FlexCache Caching | No |
Global File Cache | No |
Configuring routing using Amazon Transit Gateway
If you have a Multi-AZ file system with an EndpointIpAddressRange that's outside your VPC's CIDR range, you need to set up additional routing in your Amazon Transit Gateway to access your file system from peered or on-premises networks.
Important
To access a Multi-AZ file system using a Transit Gateway, each of the Transit Gateway's attachments must be created in a subnet whose route table is associated with your file system.
Note
No additional Transit Gateway configuration is required for Single-AZ file systems, or for Multi-AZ file systems with an EndpointIpAddressRange that's within your VPC's IP address range.
To configure routing using Amazon Transit Gateway
- Open the Amazon FSx console at https://console.amazonaws.cn/fsx/.
- Choose the FSx for ONTAP file system for which you are configuring access from a peered network.
- In Network & security, copy the Endpoint IP address range.
- Add a route to the Transit Gateway that routes traffic destined for this IP address range to your file system's VPC. For more information, see Work with transit gateways in the Amazon VPC Transit Gateways guide.
- Confirm that you can access your FSx for ONTAP file system from the peered network.
To add the route table to your file system, see Updating a file system.
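The following is an added example, not part of this documentation or of the FSx service itself, showing how to apply the rule in the table above (Transit Gateway is needed only for Multi-AZ file systems whose EndpointIpAddressRange is outside the VPC CIDR) and the Important note in this procedure (every Transit Gateway attachment subnet must use a route table associated with the file system) from a script instead of the console. The file system, VPC attachment and route table records are constructed to mirror the shape of `aws fsx describe-file-systems`, `aws ec2 describe-transit-gateway-vpc-attachments` and `aws ec2 describe-route-tables` output; all IDs and CIDR blocks are hypothetical. The `create-transit-gateway-route` parameters emitted at the end are those of the real Amazon CLI command; the function names are this example's own.

```python
"""Transit Gateway checks for an FSx for ONTAP Multi-AZ file system (added example).

The JSON-shaped dicts below are constructed to look like trimmed Amazon CLI output;
the resource IDs and CIDR blocks are hypothetical, not real resources.
"""
import ipaddress

# Constructed describe-file-systems entry, trimmed to the fields used here.
FILE_SYSTEM = {
    "FileSystemId": "fs-0123456789abcdef0",
    "VpcId": "vpc-0a1b2c3d4e5f67890",
    "OntapConfiguration": {
        "DeploymentType": "MULTI_AZ_1",
        # CLI/API default: a range inside 198.19.0.0/16, i.e. outside the VPC CIDR.
        "EndpointIpAddressRange": "198.19.255.0/24",
        "RouteTableIds": ["rtb-0aaa", "rtb-0bbb"],
    },
}
VPC_CIDRS = ["10.0.0.0/16"]  # constructed primary CIDR of the file system's VPC

# Constructed TGW VPC attachment and VPC route tables (hypothetical IDs).
TGW_ATTACHMENTS = [{
    "TransitGatewayAttachmentId": "tgw-attach-0f00",
    "VpcId": "vpc-0a1b2c3d4e5f67890",
    "SubnetIds": ["subnet-0aaa", "subnet-0ccc"],
}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-0aaa", "Associations": [{"SubnetId": "subnet-0aaa"}]},
    {"RouteTableId": "rtb-0bbb", "Associations": [{"SubnetId": "subnet-0bbb"}]},
]


def endpoint_range_in_vpc(endpoint_range, vpc_cidrs):
    """True if the EndpointIpAddressRange lies inside one of the VPC's CIDR blocks."""
    rng = ipaddress.ip_network(endpoint_range)
    return any(rng.subnet_of(ipaddress.ip_network(c)) for c in vpc_cidrs)


def console_default_endpoint_range(vpc_primary_cidr):
    """Console default for Multi-AZ: the last 64 addresses of the VPC's primary CIDR, as a /26."""
    net = ipaddress.ip_network(vpc_primary_cidr)
    if net.num_addresses < 64:
        raise ValueError("VPC CIDR has fewer than 64 addresses")
    first = int(net.broadcast_address) - 63
    return str(ipaddress.ip_network((first, 26)))


def transit_gateway_required(fs, vpc_cidrs):
    """Transit Gateway is needed for NFS/SMB/management access from peered or
    on-premises networks only for Multi-AZ file systems whose floating endpoint
    range is outside the VPC CIDR. Single-AZ endpoints are secondary IPs on the
    file server ENI inside the VPC CIDR, reachable over peering, Direct Connect or VPN."""
    cfg = fs["OntapConfiguration"]
    if not cfg["DeploymentType"].startswith("MULTI_AZ"):
        return False
    return not endpoint_range_in_vpc(cfg["EndpointIpAddressRange"], vpc_cidrs)


def attachment_subnets_missing_route_table(fs, attachments, route_tables):
    """Return (attachment, subnet, route table) triples for Transit Gateway attachment
    subnets whose route table is not associated with the file system. Those subnets
    never receive the floating-IP route and lose access during a failover."""
    associated = set(fs["OntapConfiguration"]["RouteTableIds"])
    main_rtb, subnet_to_rtb = None, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_rtb = rt["RouteTableId"]
            elif "SubnetId" in assoc:
                subnet_to_rtb[assoc["SubnetId"]] = rt["RouteTableId"]
    problems = []
    for att in attachments:
        if att["VpcId"] != fs["VpcId"]:
            continue
        for subnet in att["SubnetIds"]:
            # A subnet with no explicit association implicitly uses the main route table.
            rtb = subnet_to_rtb.get(subnet, main_rtb)
            if rtb not in associated:
                problems.append((att["TransitGatewayAttachmentId"], subnet, rtb))
    return problems


def tgw_route_command(fs, tgw_route_table_id, attachment_id):
    """The Transit Gateway route for step 4 of the procedure: send the endpoint
    range to the file system's VPC attachment (real create-transit-gateway-route flags)."""
    cidr = fs["OntapConfiguration"]["EndpointIpAddressRange"]
    return (f"aws ec2 create-transit-gateway-route "
            f"--destination-cidr-block {cidr} "
            f"--transit-gateway-route-table-id {tgw_route_table_id} "
            f"--transit-gateway-attachment-id {attachment_id}")


if __name__ == "__main__":
    print("TGW required:", transit_gateway_required(FILE_SYSTEM, VPC_CIDRS))
    print("console default range:", console_default_endpoint_range(VPC_CIDRS[0]))
    print("attachment subnets missing association:",
          attachment_subnets_missing_route_table(FILE_SYSTEM, TGW_ATTACHMENTS, ROUTE_TABLES))
    print(tgw_route_command(FILE_SYSTEM, "tgw-rtb-0f00", "tgw-attach-0f00"))
```

In the constructed data, subnet-0ccc has no explicit route table association, so it falls back to the VPC main route table, which is not in the file system's RouteTableIds; that is exactly the case the Important note warns about, and the check reports it before a failover would expose it. Feed the functions real CLI output (`--output json`) to run the same checks against a live account.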
Note
DNS records for the management, NFS, and SMB endpoints are only resolvable from within the same VPC as the file system. In order to mount a volume or connect to a management port from another network, you need to use the endpoint's IP address. These IP addresses do not change over time.
Accessing iSCSI or inter-cluster endpoints outside of the deployment VPC
You can use either VPC Peering or Amazon Transit Gateway to access your file system's iSCSI or inter-cluster endpoints from outside of the file system's deployment VPC. You can use VPC Peering to route iSCSI and inter-cluster traffic between VPCs. A VPC peering connection is a networking connection between two VPCs, and is used to route traffic between them using private IPv4 addresses. You can use VPC peering to connect VPCs within the same Amazon Web Services Region or between different Amazon Web Services Regions. For more information on VPC peering, see What is VPC peering? in the Amazon VPC Peering Guide.