Accessing data from on-premises - FSx for ONTAP

Accessing data from on-premises

You can access your FSx for ONTAP file systems from on-premises using AWS VPN and AWS Direct Connect; more specific use case guidelines are available in the following sections. In addition to any requirements listed below for accessing different FSx for ONTAP resources from on-premises, you also need to ensure that your file system's VPC security group allows data to flow between your file system and clients; for a list of required ports, see Amazon VPC security groups.

Accessing NFS, SMB, or the ONTAP CLI or REST API endpoints from on-premises

This section describes how to access the NFS, SMB, and ONTAP management ports on FSx for ONTAP file systems from on-premises networks.

Accessing Multi-AZ file systems

Amazon FSx requires that you use AWS Transit Gateway or that you configure remote NetApp Global File Cache or NetApp FlexCache to access Multi-AZ file systems from an on-premises network. In order to support failover across AZs for Multi-AZ file systems, Amazon FSx uses floating IP addresses for the interfaces used for NFS, SMB, and ONTAP management endpoints. Because the NFS, SMB, and management endpoints use floating IPs, you must use AWS Transit Gateway in conjunction with AWS Direct Connect or AWS VPN to access these interfaces from an on-premises network. The floating IP addresses used for these interfaces are within the EndpointIpAddressRange you specify when creating your Multi-AZ file system. If you create your file system from the Amazon FSx console, by default Amazon FSx chooses the last 64 IP addresses from the VPC's primary CIDR range to be used as the endpoint IP address range for the file system. If you create your file system from the AWS CLI or the Amazon FSx API, by default Amazon FSx chooses an IP address range from within the 198.19.0.0/16 IP address range. The floating IP addresses are used to enable a seamless transition of your clients to the standby file system in the event a failover is required. For more information, see Failover process for FSx for ONTAP.

Important

To access a Multi-AZ file system using a Transit Gateway, each of the Transit Gateway's attachments must be created in a subnet whose route table is associated with your file system.

To configure AWS Transit Gateway for access from outside of your VPC

If you have a Multi-AZ file system with an EndpointIpAddressRange that's outside your VPC's CIDR range, you need to set up additional routing in your AWS Transit Gateway to access your file system from peered or on-premises networks.

Note

No additional Transit Gateway configuration is required for Single-AZ file systems or for Multi-AZ file systems with an EndpointIpAddressRange that's within your VPC's IP address range.

  1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.

  2. Choose the FSx for ONTAP file system for which you are configuring access from a peered network.

  3. In Network & security, copy the Endpoint IP address range.

     (Figure: The Network & security panel in the Amazon FSx console.)
  4. Add a route to the Transit Gateway that routes traffic destined for this IP address range to your file system's VPC. For more information, see Work with transit gateways in the Amazon VPC Transit Gateway User Guide.

  5. Confirm that you can access your FSx for ONTAP file system from the peered network.
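The steps above come down to one decision per file system: is the endpoint IP address range inside the VPC CIDR (no extra routing) or outside it (a Transit Gateway route for that range pointing at the file system's VPC attachment)? The following Python script, an added example that is not part of the AWS documentation or any AWS SDK, makes that check over a constructed set of file system records. The record shape, the `VpcCidrs` field (which you would populate from the VPC's CIDR associations), and the `tgw-attach-PLACEHOLDER` attachment ID are assumptions; the `DestinationCidrBlock` and `TransitGatewayAttachmentId` keys in the output mirror the parameter names of the EC2 `create-transit-gateway-route` call you would feed them to. It also reproduces the console default described earlier (the last 64 addresses of the VPC primary CIDR) so you can predict the range before creating the file system.

```python
import ipaddress

# Constructed sample records (not real AWS identifiers). They carry the
# fields of interest from a DescribeFileSystems response plus the owning
# VPC's CIDR blocks, which you would fetch separately with DescribeVpcs.
SAMPLE_FILE_SYSTEMS = [
    {   # Multi-AZ created from the console: range is the last 64 VPC addresses
        "FileSystemId": "fs-0000000000000001",
        "DeploymentType": "MULTI_AZ_1",
        "VpcCidrs": ["10.0.0.0/16"],
        "EndpointIpAddressRange": "10.0.255.192/26",
    },
    {   # Multi-AZ created from the CLI/API: range drawn from 198.19.0.0/16
        "FileSystemId": "fs-0000000000000002",
        "DeploymentType": "MULTI_AZ_1",
        "VpcCidrs": ["10.1.0.0/16", "100.64.0.0/20"],   # primary + secondary CIDR
        "EndpointIpAddressRange": "198.19.4.0/24",
    },
    {   # Single-AZ: endpoints are secondary IPs inside the VPC CIDR
        "FileSystemId": "fs-0000000000000003",
        "DeploymentType": "SINGLE_AZ_1",
        "VpcCidrs": ["10.2.0.0/16"],
        "EndpointIpAddressRange": "10.2.3.0/24",
    },
]


def console_default_endpoint_range(vpc_primary_cidr: str) -> str:
    """Return the last 64 addresses of the VPC primary CIDR as a /26.

    This is the range the Amazon FSx console picks by default for a
    Multi-AZ file system. VPCs smaller than 64 addresses cannot hold it.
    """
    vpc = ipaddress.ip_network(vpc_primary_cidr, strict=True)
    if vpc.num_addresses < 64:
        raise ValueError(f"{vpc} is too small to hold a 64-address endpoint range")
    start = vpc[-1] - 63            # broadcast address minus 63 = first of the last 64
    return str(ipaddress.ip_network(f"{start}/26", strict=True))


def needs_transit_gateway_route(deployment_type: str, vpc_cidrs, endpoint_range: str) -> bool:
    """True only for a Multi-AZ file system whose endpoint range lies outside every VPC CIDR."""
    if not deployment_type.startswith("MULTI_AZ"):
        return False                 # Single-AZ endpoints are always inside the VPC CIDR
    endpoint_net = ipaddress.ip_network(endpoint_range, strict=True)
    inside_vpc = any(
        endpoint_net.subnet_of(ipaddress.ip_network(cidr, strict=True))
        for cidr in vpc_cidrs
    )
    return not inside_vpc


def plan_transit_gateway_routes(file_systems, vpc_attachment_id: str):
    """Build the static routes to add to the Transit Gateway route table.

    Each route sends the file system's endpoint range to the Transit Gateway
    attachment for the file system's VPC (step 4 of the procedure).
    """
    routes = []
    for fs in file_systems:
        if needs_transit_gateway_route(
            fs["DeploymentType"], fs["VpcCidrs"], fs["EndpointIpAddressRange"]
        ):
            routes.append({
                "FileSystemId": fs["FileSystemId"],
                "DestinationCidrBlock": fs["EndpointIpAddressRange"],
                "TransitGatewayAttachmentId": vpc_attachment_id,
            })
    return routes


if __name__ == "__main__":
    print("console default for 10.0.0.0/16:", console_default_endpoint_range("10.0.0.0/16"))
    # "tgw-attach-PLACEHOLDER" stands in for the real VPC attachment ID.
    for route in plan_transit_gateway_routes(SAMPLE_FILE_SYSTEMS, "tgw-attach-PLACEHOLDER"):
        print(f"{route['FileSystemId']}: route {route['DestinationCidrBlock']} "
              f"-> {route['TransitGatewayAttachmentId']}")
```

Only the second sample needs a route: its 198.19.4.0/24 range is outside both VPC CIDRs. The first and third need nothing, which matches the note that no extra Transit Gateway configuration is required when the range is inside the VPC or the file system is Single-AZ. Checking against every VPC CIDR, not just the primary one, matters because a console-created range is carved from the primary CIDR, whereas an API-created file system may have been given a range you chose from a secondary CIDR.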

To add a route table to your file system, see Updating a file system.

Accessing Single-AZ file systems

The requirement to use AWS Transit Gateway to access data from an on-premises network doesn’t exist for Single-AZ file systems. Single-AZ file systems are deployed in a single subnet, and a floating IP address is not required to provide failover between nodes. Instead, the IP addresses you access on Single-AZ file systems are implemented as secondary IP addresses within the file system’s VPC CIDR range, enabling you to access your data from another network without requiring AWS Transit Gateway.

Accessing inter-cluster endpoints from on-premises

FSx for ONTAP’s inter-cluster endpoints are dedicated to replication traffic between NetApp ONTAP file systems, including between on-premises NetApp deployments and FSx for ONTAP. Replication traffic includes SnapMirror, FlexCache, and FlexClone relationships between storage virtual machines (SVMs) and volumes across different file systems, and NetApp Global File Cache. The inter-cluster endpoints are also used for Active Directory traffic.

Because a file system's inter-cluster endpoints use IP addresses that are within the CIDR range of the VPC you provide when you create your FSx for ONTAP file system, you are not required to use a Transit Gateway for routing inter-cluster traffic between on-premises and the AWS Cloud. However, on-premises clients still must use AWS VPN or AWS Direct Connect to establish a secure connection to your VPC.