Supported access environments - FSx for ONTAP

Supported access environments

Following, you can find information about how to access your FSx for ONTAP file systems.

Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS. For more information, see What is Amazon VPC in the Amazon Virtual Private Cloud User Guide.

Accessing Amazon FSx for NetApp ONTAP file systems from within the same VPC and AWS account

When you create your Amazon FSx for NetApp ONTAP file system, you select the Amazon VPC in which it is located. All SVM's and volumes associated with the Amazon FSx for NetApp ONTAP file system are also located in the same VPC. When the file system and the client mounting the storage virtual machine (SVM) volume are located in the same VPC and AWS account, you can mount a volume using the SVM's DNS name and volume junction or SMB share, depending on the client. For more information, see Mounting FSx for ONTAP volumes.

You can achieve better performance and avoid data transfer charges between Availability Zones by accessing an SVM volume using a client that is located in the same Availability Zone as the file system's preferred subnet. To identify a file system's preferred subnet, in the Amazon FSx console, choose File systems, then choose the ONTAP file system whose volume you are mounting, and the preferred subnet is displayed in the Preferred subnet panel.

VPC peering

FSx for ONTAP supports the use of Transit Gateway, AWS Direct Connect or AWS VPN to access your file systems from peered networks over NFS and SMB.

A VPC peering connection is a networking connection between two VPCs. This type of connection enables you to route traffic between them using private Internet Protocol version 4 (IPv4) addresses. You can use VPC peering to connect VPCs within the same AWS Region or between different AWS Regions. For more information on VPC peering, see What is VPC peering? in the Amazon VPC Peering Guide.

Using AWS Direct Connect, you can access your file system over a dedicated network connection from your on premises environment. Using AWS VPN, you can access your file system from your on premises environment over a secure and private tunnel. For more information about AWS Direct Connect, see What is AWS Direct Connect? in the AWS Direct Connect User Guide. For more information on setting up AWS VPN connections, see VPN connections in the Amazon VPC User Guide.

Access from peered networks

This section describes how to access Amazon FSx for NetApp ONTAP file systems from peered networks.

Access NFS, SMB, or the ONTAP CLI and REST API from peered networks

The endpoints used for accesing Amazon FSx for NetApp ONTAP over NFS or SMB, or for administering file systems using the ONTAP CLI or REST API, are floating IP addresses that are created in the VPC route tables you associate with your file system. These IP addresses are within an EndpointIpAddressRange that you can specify when creating a file system. By default, Amazon FSx chooses an IP address range for you from within the IP address range.

To access these floating IP address endpoints from a peered network, you need to configure your peered network to route traffic destined to your file system's EndpointIpAddressRange to the VPC in which your file system is created. Alternatively, if you are using NetApp Global File Cache or NetApp FlexCache for remote office caching, both of these technologies communicate with your FSx for ONTAP file system using your file system's inter-cluster endpoint, which is not a floating IP address. As a result, you don't need to configure Transit Gateway if all of your clients are accessing Amazon FSx using one of these caching technologies.

For example, to configure routing using AWS Transit Gateway, use the following procedure.

To configure routing using AWS Transit Gateway

  1. Open the Amazon FSx console at

  2. Choose the FSx for ONTAP file system for which you are configuring access from a peered network.

  3. In Network & security> copy the Endpoint IP address range.

    The file system's Network & security tab in the Amazon FSx console, showing the Endpoint IP address range value to copy.
  4. Add a route to Transit Gateway that routes traffic destined for this IP address range to your file system's VPC. For more information, see Working with transit gateways in the Amazon VPC Transit Gateways.

  5. Confirm that you can access your FSx for ONTAP file system from the peered network.


DNS records for the management, NFS, and SMB endpoints are only resolvable from within the same VPC as the file system. In order to mount a volume or connect to a management port from another network, you need to use the endpoint's IP address. Theese IP addresses do not change over time.

Access over iSCSI from peered networks

AWS Transit Gateway isn't required when accessing data over iSCSI. You can use VPC peering, Transit Gateway, AWS Direct Connect, AWS VPN to access the iSCSI port using it's IP address. You do not need to configure any additional routing.