This topic describes how to access an Apsara File Storage NAS file system from a local data center by configuring a VPN gateway.

Background information

You can mount a file system only on an ECS instance that resides in the same region as the file system. For example, an NFS or SMB file system that you create in China (Hangzhou) can be mounted only on an ECS instance that resides in China (Hangzhou). You cannot mount a file system that resides in China (Hangzhou) on a server in a local data center or on an ECS instance that resides in a different region such as China (Qingdao). To resolve these issues, you can establish a connection over an Express Connect circuit. To mount a file system on a server in a local data center, establish the connection between the data center and the Virtual Private Cloud (VPC) where the file system resides. To enable a cross-region mount, establish the connection between the VPC where the ECS instance resides and the VPC where the file system resides. However, establishing such a connection incurs high costs.

Instead, we recommend that you use VPN Gateway to enable communication between a local data center and a VPC or between VPCs that reside in different regions. With VPN Gateway, you can mount a file system on the following target instances:
  • A server that resides in a local data center
  • An ECS instance that resides in a region different from the region of the file system

    If you have already created a VPN gateway on an ECS instance in one VPC, create another VPN gateway in the other VPC and then establish a connection between the two VPN gateways. For more information, see Enable a cross-region mount (one VPN gateway available). If no VPN gateway exists in your environment, we recommend that you create VPN gateways in the two VPCs and connect the gateways. For more information, see Enable a cross-region mount (no VPN gateway available).

The following figure shows the topology that is adopted when VPN gateways are used.

[Figure: Topology]

The advantages and disadvantages are listed as follows:
  • Advantages
    • Fixes all connectivity issues.
    • Provides secure access by using IPsec to encrypt data in transit.
    • Compared with Express Connect, VPN Gateway significantly reduces costs.
  • Disadvantages

    The Internet bandwidth and latency between a local data center and a VPC or between VPCs restrict the I/O performance of a file system that is accessed over a VPN connection.

Mount a file system on a server that resides in a local data center

  1. Create a file system and mount target.
    1. Log on to the Apsara File Storage NAS console.
    2. Create a file system. For more information, see Create file systems.
    3. Create a mount target of the VPC type. For more information, see Add a mount target.
  2. Create a connection between the VPC and your local data center. For more information, see Establish a connection between a VPC and an on-premises data center.
  3. Verify the connection between a server that resides in the local data center and an ECS instance or a mount target that resides in the VPC.

    Log on to an ECS instance that does not have an Internet IP address. On the ECS instance, use the ping command to ping the internal IP address of a server that resides in the local data center and verify the connection.

  4. After you confirm the connection by using the ping command, you can mount a file system that resides in the VPC on a server that resides in the local data center. For more information, see Mount a file system.

Enable a cross-region mount (one VPN gateway available)

The following example shows a practical scenario of two VPCs named VPC 1 and VPC 2 that reside in different regions.

  1. Create a file system and mount target.
    1. Log on to the Apsara File Storage NAS console.
    2. Create a file system. For more information, see Create file systems.
    3. Create a mount target of the VPC type. For more information, see Add a mount target.
      Create a mount target in VPC 1.
  2. In VPC 2, create a VPN gateway on an ECS instance as a customer gateway.
    Note
    • You must specify an Internet IP address for the ECS instance to connect to the VPN gateway that resides in VPC 1.
    • For more information about how to create a VPN gateway on an ECS instance, see tutorials such as Using StrongSwan for IPsec VPN on CentOS 7.
  3. Establish a connection between VPN gateways that reside in VPC 1 and VPC 2, respectively.
    1. Log on to the VPC console.
    2. Create a VPN connection to enable communication between the VPN gateways that reside in VPC 1 and VPC 2, which you created in Step 2. For more information, see Create an IPsec connection.
  4. Configure static routes on other ECS instances that reside in VPC 2. For more information, see Configure routes on a VPN gateway. The required settings are described as follows.
    • Destination CIDR Block specifies the private Classless Inter-Domain Routing (CIDR) block of VPC 1.
    • Next Hop specifies the customer gateway that resides in VPC 2.
  5. Verify the connection between VPC 1 and an ECS instance (or mount target) that resides in VPC 2.

    Log on to an ECS instance that resides in VPC 1, use the ping command to ping the IP address of an ECS instance that resides in VPC 2, and verify the connection.

  6. After you confirm the connection by using the ping command, you can mount a file system that resides in VPC 1 on an ECS instance that resides in VPC 2. For more information, see Mount a file system.

Enable a cross-region mount (no VPN gateway available)

The following example shows a practical scenario of two VPCs named VPC 1 and VPC 2 that reside in different regions.

  1. Create a file system and mount target.
    1. Log on to the Apsara File Storage NAS console.
    2. Create a file system. For more information, see Create file systems.
    3. Create a mount target of the VPC type. For more information, see Add a mount target.
      Create a mount target in VPC 1.
  2. Establish a connection between VPN gateways that reside in VPC 1 and VPC 2, respectively.
    1. Log on to the VPC console.
    2. Create VPN gateways in VPC 1 and VPC 2, respectively. For more information, see Create a VPN gateway.
    3. Create customer gateways in VPC 1 and VPC 2, respectively. For more information, see Create a customer gateway. The required settings are described as follows.
      IP Address specifies an IP address for the VPN gateway that resides in VPC 1 and a different IP address for the VPN gateway that resides in VPC 2.
    4. Configure routes for VPN gateways that reside in VPC 1 and VPC 2, respectively. For more information, see Configure routes for a VPN gateway.
      • The following information is important when you configure routes for the VPN gateway that resides in VPC 1. Destination CIDR Block specifies the private CIDR block for VPC 2. Next Hop specifies the name of the customer gateway that resides in VPC 1.
      • The following information is important when you configure routes for the VPN gateway that resides in VPC 2. Destination CIDR Block specifies the private CIDR block for VPC 1. Next Hop specifies the name of the customer gateway that resides in VPC 2.
  3. Verify the connection between VPC 1 and an ECS instance (or mount target) that resides in VPC 2.

    Log on to an ECS instance that resides in VPC 1, use the ping command to ping the IP address of an ECS instance that resides in VPC 2, and verify the connection.

  4. After you confirm the connection by using the ping command, you can mount a file system that resides in VPC 1 on an ECS instance that resides in VPC 2. For more information, see Mount a file system.
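
The route settings in both cross-region procedures (Destination CIDR Block and Next Hop) can be sanity-checked before the ping step. The following shell script is an added example, not part of the original documentation: it checks that the mount target's private address falls inside the Destination CIDR Block, so that NFS or SMB traffic is routed into the IPsec tunnel. The function names and all CIDR blocks and addresses are constructed for illustration, and the non-overlap check reflects the general requirement that two routed networks use distinct address ranges, which this page does not state.

```shell
#!/bin/sh
# Added example with constructed sample CIDR blocks and addresses.

# ip_to_int A.B.C.D -> prints the address as an integer
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1            # split the dotted quad into $1..$4
  IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_range NET/LEN -> prints "first last" of the block as integers
cidr_range() {
  base=$(ip_to_int "${1%/*}")
  size=$(( 1 << (32 - ${1#*/}) ))
  first=$(( $base / $size * $size ))   # clear host bits if NET is not aligned
  echo "$first $(( $first + $size - 1 ))"
}

# in_cidr IP CIDR -> succeeds if IP lies inside CIDR
in_cidr() {
  addr=$(ip_to_int "$1")
  set -- $(cidr_range "$2")
  [ "$addr" -ge "$1" ] && [ "$addr" -le "$2" ]
}

# cidrs_overlap CIDR_A CIDR_B -> succeeds if the blocks share an address
cidrs_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_mount_plan VPC1_CIDR VPC2_CIDR MOUNT_TARGET_IP ROUTE_DEST
# ROUTE_DEST: Destination CIDR Block of the route configured for VPC 2.
check_mount_plan() {
  if cidrs_overlap "$1" "$2"; then
    echo "FAIL: VPC CIDR blocks overlap"; return 1
  fi
  if ! in_cidr "$3" "$1"; then
    echo "FAIL: mount target is outside VPC 1"; return 2
  fi
  if ! in_cidr "$3" "$4"; then
    echo "FAIL: route does not cover the mount target"; return 3
  fi
  echo "OK"
}
# A consistent plan, then the same plan with a route that is too narrow.
check_mount_plan 192.168.0.0/16 172.16.0.0/12 192.168.1.25 192.168.0.0/16
check_mount_plan 192.168.0.0/16 172.16.0.0/12 192.168.1.25 192.168.0.0/24 || true
```

A passing plan only shows that the addressing is consistent; the ping step in the procedure still confirms that the tunnel itself is up.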