Accessing data from on-premises
You can access your FSx for ONTAP file systems from on-premises using AWS VPN
Accessing NFS, SMB, or the ONTAP CLI or REST API endpoints from on-premises
This section describes how to access the NFS, SMB, and ONTAP management ports on FSx for ONTAP file systems from on-premises networks.
Accessing Multi-AZ file systems
Amazon FSx requires that you use AWS Transit Gateway or that you configure remote NetApp
Global File Cache or NetApp FlexCache to access Multi-AZ file systems from an
on-premises network. In order to support failover across AZs for Multi-AZ file
systems, Amazon FSx uses floating IP addresses for the interfaces used for NFS, SMB,
and ONTAP management endpoints. Because the NFS, SMB, and
management endpoints use floating IPs, you must use AWS Transit Gateway to route
traffic to them from your on-premises network. The floating IP addresses
are within the EndpointIpAddressRange you specify
when creating your Multi-AZ file system. If you create your file system from the
Amazon FSx console, by default Amazon FSx chooses the
last 64 IP addresses from the VPC's primary CIDR range to be used as the endpoint
IP address range for the file system. If you create your file system from
the AWS CLI or the Amazon FSx API, by default Amazon FSx chooses an IP address range from within
the 198.19.0.0/16
IP address range.
The floating IP addresses are used to enable a seamless transition of your clients to the
standby file system in the event a failover is required. For more information,
see Failover process for FSx for ONTAP.
Important
To access a Multi-AZ file system using a Transit Gateway, each of the Transit Gateway's attachments must be created in a subnet whose route table is associated with your file system.
To configure AWS Transit Gateway for access from outside of your VPC
If you have a Multi-AZ file system with an EndpointIpAddressRange
that's outside your VPC's CIDR range, you need to set up additional routing
in your AWS Transit Gateway to access your file system from peered or on-premises networks.
Note
No additional Transit Gateway configuration is required for Single-AZ file systems
or Multi-AZ file systems with an EndpointIpAddressRange that's within
your VPC's IP address range.
1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.
2. Choose the FSx for ONTAP file system for which you are configuring access from a peered network.
3. In Network & security, copy the Endpoint IP address range.
4. Add a route to the Transit Gateway that routes traffic destined for this IP address range to your file system's VPC. For more information, see Work with transit gateways in the Amazon VPC Transit Gateway User Guide.
5. Confirm that you can access your FSx for ONTAP file system from the peered network.
Important
To access a Multi-AZ file system using a Transit Gateway, each of the Transit Gateway's attachments must be created in a subnet whose route table is associated with your file system.
To add a route table to your file system, see Updating a file system.
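The following Python check is an added example, not part of the AWS documentation. It applies the rule above (a Multi-AZ file system whose endpoint IP address range lies outside the VPC CIDR needs a Transit Gateway route to the file system's VPC) and also flags a covering route that is blackholed or points at another VPC. It assumes input dictionaries shaped like the output of `aws fsx describe-file-systems` and `aws ec2 search-transit-gateway-routes`; the function name, IDs, and CIDRs are constructed for illustration.

```python
import ipaddress

def _covers(cidr, rng):
    """True if cidr fully contains rng (same IP version only)."""
    net = ipaddress.ip_network(cidr)
    return net.version == rng.version and rng.subnet_of(net)

def endpoint_route_status(fs, vpc_cidrs, tgw_routes):
    """Classify Transit Gateway routing for a file system's endpoint IP range."""
    cfg = fs["OntapConfiguration"]
    if not cfg["DeploymentType"].startswith("MULTI_AZ"):
        return "not-required"   # Single-AZ: endpoints are secondary IPs in the VPC CIDR
    rng = ipaddress.ip_network(cfg["EndpointIpAddressRange"])
    if any(_covers(c, rng) for c in vpc_cidrs):
        return "not-required"   # range is inside the VPC's address space
    # Routes whose destination covers the whole endpoint range.
    covering = [r for r in tgw_routes if _covers(r["DestinationCidrBlock"], rng)]
    if not covering:
        return "missing"
    # Longest-prefix match decides where the traffic actually goes.
    best = max(covering,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)
    targets = {a["ResourceId"] for a in best.get("TransitGatewayAttachments", [])}
    if best["State"] != "active" or fs["VpcId"] not in targets:
        return "misrouted"      # blackholed, or sent to a different VPC
    return "ok"

# Constructed sample data (IDs and CIDRs are placeholders).
FS = {"VpcId": "vpc-0example",
      "OntapConfiguration": {"DeploymentType": "MULTI_AZ_1",
                             "EndpointIpAddressRange": "198.19.255.0/24"}}
VPC_CIDRS = ["10.0.0.0/16"]
ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "State": "active",
     "TransitGatewayAttachments": [{"ResourceId": "vpc-0example"}]},
    {"DestinationCidrBlock": "198.19.0.0/16", "State": "active",
     "TransitGatewayAttachments": [{"ResourceId": "vpc-0other"}]},
]
FIXED = ROUTES + [
    {"DestinationCidrBlock": "198.19.255.0/24", "State": "active",
     "TransitGatewayAttachments": [{"ResourceId": "vpc-0example"}]},
]

if __name__ == "__main__":
    print(endpoint_route_status(FS, VPC_CIDRS, ROUTES))
    print(endpoint_route_status(FS, VPC_CIDRS, FIXED))
```

An endpoint range that is only covered piecewise by several narrower routes is reported as "missing", because no single route contains the whole range.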
Accessing Single-AZ file systems
The requirement to use AWS Transit Gateway to access data from an on-premises network doesn’t exist for Single-AZ file systems. Single-AZ file systems are deployed in a single subnet, and a floating IP address is not required to provide failover between nodes. Instead, the IP addresses you access on Single-AZ file systems are implemented as secondary IP addresses within the file system’s VPC CIDR range, enabling you to access your data from another network without requiring AWS Transit Gateway.
Accessing inter-cluster endpoints from on-premises
FSx for ONTAP’s inter-cluster endpoints are dedicated to replication traffic between NetApp ONTAP file systems, including between on-premises NetApp deployments and FSx for ONTAP. Replication traffic includes SnapMirror, FlexCache, and FlexClone relationships between storage virtual machines (SVMs) and volumes across different file systems, and NetApp Global File Cache. The inter-cluster endpoints are also used for Active Directory traffic.
Because a file system's inter-cluster endpoints use IP addresses that are within the CIDR range of the VPC you provide when you create your FSx for ONTAP file system, you are not required to use a Transit Gateway for routing inter-cluster traffic between on-premises and the AWS Cloud. However, on-premises clients still must use AWS VPN or AWS Direct Connect to establish a secure connection to your VPC.