Accessing your data within the Amazon Web Services Cloud - FSx for OpenZFS
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Accessing your data within the Amazon Web Services Cloud

Amazon VPC helps you to launch Amazon resources into a virtual network that you define. This virtual network closely resembles a traditional network that you operate in your own data center, with the benefits of using the scalable infrastructure of Amazon. For more information, see What is Amazon VPC in the Amazon Virtual Private Cloud User Guide.

Each Amazon FSx file system is associated with a Virtual Private Cloud (VPC). You can access your FSx for OpenZFS file system from anywhere in the same VPC within which it is deployed regardless of the Availability Zone (AZ). You can also access your file system from other VPCs. These VPCs can be in different accounts or regions. In addition to any requirements listed in the following sections for accessing FSx for OpenZFS resources, you also need to ensure that your file system's VPC security group has the correct settings. It needs to allow data to flow between your file system and any clients that connect to it. For more information, see Amazon VPC security groups.
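The security group requirement above is easy to get wrong in both directions: a client that is silently blocked, or an NFS port opened to 0.0.0.0/0 "to make it work". The following added Python check (not code from the page or from Amazon; the ingress rules are constructed in the shape of `IpPermissions` from `aws ec2 describe-security-groups`, and 2049 is assumed here as the NFS port, with the page's security-group section remaining the authority on any other ports) evaluates a file system's ingress rules for a given client address and flags rules that expose the NFS port to every address.

```python
import ipaddress

NFS_PORT = 2049  # well-known NFS port; the page's security-group section is authoritative for others

# Constructed sample ingress rules in the shape of the IpPermissions list returned by
# `aws ec2 describe-security-groups`; the CIDRs are made up for this example.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]


def _port_matches(rule, port):
    """True if the rule's protocol/port span includes TCP `port` (-1 means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _cidrs(rule):
    """All CIDR sources on a rule (IPv4 and IPv6); group-referenced sources are not CIDRs."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def nfs_reachable(ingress, client_ip, port=NFS_PORT):
    """Does any CIDR-based ingress rule admit `client_ip` on `port`?

    Sources expressed as security-group references (UserIdGroupPairs) are not
    evaluated here; a client admitted only through such a rule reports False."""
    addr = ipaddress.ip_address(client_ip)
    for rule in ingress:
        if not _port_matches(rule, port):
            continue
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr)
            if net.version == addr.version and addr in net:
                return True
    return False


def open_to_world(ingress, port=NFS_PORT):
    """CIDRs that grant `port` to every address (0.0.0.0/0 or ::/0), which is rarely
    appropriate for a file system that should only be reached from known networks."""
    return sorted(
        cidr
        for rule in ingress
        if _port_matches(rule, port)
        for cidr in _cidrs(rule)
        if ipaddress.ip_network(cidr).prefixlen == 0
    )


if __name__ == "__main__":
    print("10.1.2.3 -> NFS:", nfs_reachable(SAMPLE_INGRESS, "10.1.2.3"))
    print("world-open on 2049:", open_to_world(SAMPLE_INGRESS))
```

Feed the function the real `IpPermissions` list of the file system's security group and the private address of the mounting client; a `True` from `nfs_reachable` together with an empty `open_to_world` is the state you want. Rules whose source is another security group rather than a CIDR are deliberately left out, so a client admitted only that way needs a separate check.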

Access from within the same VPC

When you create your Amazon FSx for OpenZFS file system, you select the Amazon VPC in which it is located. All volumes associated with the FSx for OpenZFS file system are also located in the same VPC. When the file system and the client mounting the volume are located in the same VPC and Amazon Web Services account, you can mount a volume using the file system's DNS name over the NFS protocol. For more information, see Step 2: Mount your file system from an Amazon EC2 instance.

You can achieve better performance and avoid data transfer charges by accessing an FSx for OpenZFS volume using a client in the same Availability Zone as the file system's subnet. To identify a file system's subnet, choose File systems in the Amazon FSx console, then choose the FSx for OpenZFS file system whose volume you are mounting. The subnet or preferred subnet (Multi-AZ) is displayed in the Subnet or Preferred subnet panel.

Accessing a Single-AZ file system using a client located in a different Availability Zone results in data transfer charges. There are no data transfer charges for accessing a Multi-AZ file system from any Availability Zone in the same Region.

Access from a different VPC

The process of accessing your data from outside of the file system's VPC differs between Single-AZ and Multi-AZ file systems, because Multi-AZ file systems use a floating IP address. The following sections describe how to access your file systems from a different VPC depending on deployment type.

Accessing Single-AZ file systems

You can access your FSx for OpenZFS file system from compute instances in a different VPC, Amazon Web Services account, or Amazon Web Services Region from that associated with your file system by using VPC peering or transit gateways. When you use a VPC peering connection or transit gateway to connect VPCs, compute instances that are in one VPC can access Amazon FSx file systems in another VPC. This access is possible even if the VPCs belong to different Amazon Web Services accounts, and even if the VPCs reside in different Amazon Web Services Regions.

A VPC peering connection is a networking connection between two VPCs that you can use to route traffic between them using private IPv4 or IPv6 addresses. You can use VPC peering to connect VPCs within the same Amazon Web Services Region or between Amazon Web Services Regions. For more information on VPC peering, see What is VPC peering? in the Amazon Virtual Private Cloud VPC Peering Guide.

A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. For more information, see Work with transit gateways in the Amazon VPC Transit Gateways guide.

Accessing Multi-AZ file systems

The NFS endpoints on FSx for OpenZFS Multi-AZ file systems use floating IP addresses so that connected clients seamlessly transition between the preferred and standby file servers during a failover event. For more information about failovers, see Failover process for FSx for OpenZFS.

When you create a file system, you can optionally specify the endpoint IP address range in which these floating IP addresses are created. By default, the Amazon FSx API selects a CIDR block of 16 available addresses from within the VPC's CIDR ranges. Additionally, you can optionally specify the VPC route tables in which rules for routing traffic to the correct file server will be created. By default, the Amazon FSx API selects the VPC's default route table.

Only Amazon Transit Gateway supports routing to floating IP addresses, which is also known as transitive peering. VPC Peering, Amazon Direct Connect, and Amazon VPN don't support transitive peering. Therefore, you are required to use Transit Gateway in order to access these interfaces from networks that are outside of your file system's VPC.

When you access your Multi-AZ file system from outside of the file system's VPC, FSx for OpenZFS will manage routing configurations as long as the file system's EndpointIpAddressRange is within the CIDR range of the file system's VPC. However, if you access your Multi-AZ file system from outside of the file system's VPC, and the file system's EndpointIpAddressRange is outside of the CIDR range of the file system's VPC, you will need to set up additional routing in Transit Gateway. For information on how to configure Transit Gateway to access your FSx for OpenZFS file system, see Configuring routing using Amazon Transit Gateway.

The following diagram illustrates using Transit Gateway for NFS access to a Multi-AZ file system that is in a different VPC than the clients that are accessing it.

[Diagram: Using Transit Gateway to access NFS endpoints with clients in a different VPC.]
Note

Ensure that all of the route tables you're using are associated with your Multi-AZ file system. Doing so helps prevent loss of availability during a failover. For information about associating your Amazon VPC route tables with your file system, see Updating an Amazon FSx for OpenZFS file system.

Configuring routing using Amazon Transit Gateway

If you have a Multi-AZ file system with an EndpointIpAddressRange that's outside your VPC's CIDR range, you need to set up additional routing in your Amazon Transit Gateway to access your file system from peered or on-premises networks. No additional Transit Gateway configuration is required for Single-AZ file systems or for Multi-AZ file systems with an EndpointIpAddressRange that's within your VPC's IP address range.

Important

To access a Multi-AZ file system using a Transit Gateway, each of the Transit Gateway's attachments must be created in a subnet whose route table is associated with your file system.

To configure routing using Amazon Transit Gateway
  1. Open the Amazon FSx console at https://console.amazonaws.cn/fsx/.

  2. Choose the FSx for OpenZFS file system for which you are configuring access from a peered network.

  3. In Network & security, copy the Endpoint IP address range.

  4. Add a route to Transit Gateway that routes traffic destined for this IP address range to your file system's VPC. For more information, see Work with transit gateways in the Amazon VPC Transit Gateways guide.

  5. Confirm that you can access your FSx for OpenZFS file system from the peered network.

To add the route table to your file system, see Updating an Amazon FSx for OpenZFS file system.
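The decision in the preceding sections (extra Transit Gateway routing only for a Multi-AZ file system whose EndpointIpAddressRange lies outside the VPC's CIDR blocks) and step 4 of the procedure can be automated. The following Python is an added example, not code from the page or from Amazon. It assumes the `describe-file-systems` shape shown (`VpcId`, `OpenZFSConfiguration.DeploymentType` with values such as `MULTI_AZ_1` and `SINGLE_AZ_2`, and `EndpointIpAddressRange`), takes the VPC's CIDR blocks as a constructed list (in practice from `CidrBlockAssociationSet` of `aws ec2 describe-vpcs`), and builds the `aws ec2 create-transit-gateway-route` command with placeholder ids for the route table and VPC attachment.

```python
import ipaddress

# Constructed sample in the shape of `aws fsx describe-file-systems` output. Only the fields
# used below are present; the ids, CIDRs and DeploymentType strings are placeholders.
SAMPLE_FILE_SYSTEMS = [
    {"FileSystemId": "fs-EXAMPLE-inside", "VpcId": "vpc-EXAMPLE",
     "OpenZFSConfiguration": {"DeploymentType": "MULTI_AZ_1",
                              "EndpointIpAddressRange": "10.0.255.0/28"}},
    {"FileSystemId": "fs-EXAMPLE-outside", "VpcId": "vpc-EXAMPLE",
     "OpenZFSConfiguration": {"DeploymentType": "MULTI_AZ_1",
                              "EndpointIpAddressRange": "198.19.0.0/28"}},
    {"FileSystemId": "fs-EXAMPLE-singleaz", "VpcId": "vpc-EXAMPLE",
     "OpenZFSConfiguration": {"DeploymentType": "SINGLE_AZ_2"}},
]

# Constructed: the VPC's primary and secondary CIDR blocks, as `aws ec2 describe-vpcs`
# reports them under CidrBlockAssociationSet.
VPC_CIDRS = {"vpc-EXAMPLE": ["10.0.0.0/16", "172.16.0.0/20"]}


def range_within_vpc(endpoint_range, vpc_cidrs):
    """True if the endpoint range lies entirely inside one of the VPC's CIDR blocks."""
    rng = ipaddress.ip_network(endpoint_range)
    for cidr in vpc_cidrs:
        net = ipaddress.ip_network(cidr)
        if net.version == rng.version and rng.subnet_of(net):
            return True
    return False


def tgw_route_needed(fs, vpc_cidrs):
    """Return the CIDR that Transit Gateway must route to the file system's VPC, or None.

    Single-AZ file systems have no floating endpoint range and need nothing extra;
    Multi-AZ file systems need a route only when the range falls outside the VPC."""
    cfg = fs.get("OpenZFSConfiguration", {})
    if not cfg.get("DeploymentType", "").startswith("MULTI_AZ"):
        return None
    rng = cfg["EndpointIpAddressRange"]
    return None if range_within_vpc(rng, vpc_cidrs) else rng


def plan_routes(file_systems, vpc_cidrs_by_vpc):
    """Map each file system id to the destination CIDR it needs in Transit Gateway (or None)."""
    return {fs["FileSystemId"]: tgw_route_needed(fs, vpc_cidrs_by_vpc[fs["VpcId"]])
            for fs in file_systems}


def tgw_route_command(cidr, tgw_route_table_id, vpc_attachment_id):
    """Build the AWS CLI call for step 4: a static Transit Gateway route sending `cidr`
    to the attachment of the file system's VPC. The ids are caller-supplied placeholders."""
    return ("aws ec2 create-transit-gateway-route"
            f" --destination-cidr-block {cidr}"
            f" --transit-gateway-route-table-id {tgw_route_table_id}"
            f" --transit-gateway-attachment-id {vpc_attachment_id}")


if __name__ == "__main__":
    for fs_id, cidr in plan_routes(SAMPLE_FILE_SYSTEMS, VPC_CIDRS).items():
        if cidr:
            print(fs_id, "->", tgw_route_command(cidr, "tgw-rtb-PLACEHOLDER", "tgw-attach-PLACEHOLDER"))
        else:
            print(fs_id, "-> no additional Transit Gateway route required")
```

The containment test uses `subnet_of`, so a range that only overlaps a VPC CIDR without fitting inside it is treated as outside and gets a route, which is the safe reading of the condition. The attachment named in the generated command must be one created in a subnet whose route table is associated with the file system, as the Important note above requires; the script cannot verify that for you.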

Note

DNS records for the NFS endpoints are only resolvable from within the same VPC as the file system. In order to mount a volume or connect to a management port from another network, you need to use the endpoint's IP address. These IP addresses do not change over time.