Accessing data from on-premises - FSx for ONTAP

Accessing data from on-premises

You can access your FSx for ONTAP file systems from on-premises using AWS VPN and AWS Direct Connect; more specific use case guidelines are available in the following sections. In addition to any requirements listed below for accessing different FSx for ONTAP resources from on-premises, you also need to ensure that your file system's VPC security group allows data to flow between your file system and clients; for a list of required ports, see Amazon VPC security groups.

Accessing NFS, SMB, or the ONTAP CLI or REST API endpoints from on-premises

FSx for ONTAP uses a floating IP address for the interface used for NFS, SMB, and management traffic (ONTAP CLI and REST API). The IP addresses these interfaces use are within the EndpointIpAddressRange you specify when creating your file system. By default, Amazon FSx chooses an IP address range for you within the range. The floating IP address is used for Multi-AZ failover of that interface to enable seamless transition for your clients to the standby file system in the event a failover is required. More information is available in the Failover process for FSx for ONTAP section.

Because the NFS, SMB, and management endpoints use a floating IP, you must use AWS Transit Gateway in conjunction with AWS Direct Connect or AWS VPN to access those interfaces from on-premises. AWS Direct Connect and AWS VPN do not support routing to floating IP addresses without the use of AWS Transit Gateway.

To configure AWS Transit Gateway for access from outside of your VPC

  1. Open the Amazon FSx console at

  2. Choose the FSx for ONTAP file system for which you are configuring access from a peered network.

  3. In Network & security> copy the Endpoint IP address range.

  4. Add a route to the Transit Gateway that routes traffic destined for this IP address range to your file system's VPC. For more information, see Working with transit gateways in the Amazon VPC Transit Gateways.

  5. Confirm that you can access your FSx for ONTAP file system from the peered network.

Accessing inter-cluster endpoints from on-premises

FSx for ONTAP’s inter-cluster endpoints are dedicated to replication traffic between NetApp ONTAP file systems, including between on-premises NetApp deployments and FSx for ONTAP. Replication traffic includes SnapMirror, FlexCache, and FlexClone relationships between storage virtual machines (SVMs) and volumes across different file systems, and NetApp Global File Cache. The inter-cluster endpoints are also used for Active Directory traffic.

The inter-cluster endpoints of your file system are IP addresses within the CIDR range of the VPC you provide when you thecreate your FSx for ONTAP file system, so Transit Gateway is not required for routing inter-cluster traffic between on-premises and the AWS cloud. However, on-premises clients still must use AWS VPN or AWS Direct Connect to establish a secure connection to your VPC.