
Apsara File Storage NAS: Access a NAS file system from a data center by using a NAT gateway

Last Updated: Dec 11, 2023

This topic describes how to access an Apsara File Storage NAS (NAS) file system from a data center by using a Network Address Translation (NAT) gateway.

Background information

You can mount a file system only on an ECS instance that resides in the same region as the file system. For example, a Network File System (NFS) or Server Message Block (SMB) file system that you create in the China (Hangzhou) region can be mounted only on an ECS instance that resides in the China (Hangzhou) region. You cannot mount the file system on an ECS instance that resides in a different region such as the China (Qingdao) region or on an on-premises server. To implement file system mounting across regions or in a data center, you must use Express Connect circuits to establish a connection between virtual private clouds (VPCs) or between a VPC and a data center. However, this connection significantly increases the cost of mounting the file system.

If a VPN gateway is deployed in your data center, we recommend that you use Alibaba Cloud VPN Gateway to connect your data center to NAS. For more information, see Access a NAS file system from a data center by using VPN gateways.

If you need to upload only a small amount of data from your data center to NAS, we recommend that you use NAT Gateway to establish a connection.

The following figure shows the network topology that is adopted when NAT Gateway is used to establish a connection between a data center and NAS.

[Figure: architecture diagram]

  • Advantage: easy to configure

  • Disadvantages:

    • Anyone who can reach the elastic IP address (EIP) can mount the file system through the mount target that the EIP maps to, because EIPs and VPCs can communicate with each other.

    • You can specify each combination of an EIP and port for only one mount target. If you want to access multiple mount targets at the same time, you must create multiple EIPs.

Create a file system and a mount target

  1. Log on to the NAS console.

  2. Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.

  3. Create a mount target in a VPC. For more information, see Create a mount target.

Configure a NAT gateway

You can perform the following steps to mount a NAS file system on a Windows or Linux host that is connected to the Internet. After the file system is mounted, you can upload files to or download files from the file system on the host.

  1. Log on to the VPC console.

  2. Create a NAT gateway. For more information, see Create and manage Internet NAT gateways.

    Note

    The VPC in which the NAT gateway resides must be the same as the VPC in which the NAS file system resides.

  3. Bind an EIP to the NAT gateway. For more information, see Apply for an EIP.

  4. Create a Destination Network Address Translation (DNAT) entry. For more information, see Create and manage DNAT entries.

    You must configure the following parameters:

    • Public IP Address: the public IP address that is generated when you create an EIP.

    • Private IP Address: the IP address of the mount target for the file system.

      To obtain the IP address, you can ping the mount target from the ECS instance on which the file system is mounted. Example:

      ping 0dc404****-****.cn-hangzhou.nas.aliyuncs.com

      For more information about mount targets, see View mount targets.

    • Port: We recommend that you select Any Port. You can also specify a port for your NFS or SMB file system.

  5. Mount the file system.

    • NFS file system

      1. Install an NFS client. For more information, see the "Step 1: Install an NFS client" section in Mount an NFS file system on a Linux ECS instance.

        If an NFS client is already installed, skip this step and mount the NFS file system.

      2. Mount the NFS file system.

        mount -t nfs4 10.10.xx.xx:/ /mnt

        • 10.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP address with the actual value.

        • /mnt is the directory on which you want to mount the file system. Replace the directory with the actual value.

    • SMB file system

      1. Start the Workstation and TCP/IP NetBIOS Helper services. For more information, see the "Step 1: Prepare the environment" section in Mount an SMB file system on a Windows ECS instance.

      2. Check whether port 445 is in use.

        • Run the following command:

          netstat -ano | findstr ":445"

        • If the output is similar to the following information, port 445 is in use:

            TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
            TCP    [::]:445               [::]:0                 LISTENING       4

          4 is the PID of the program that is using port 445.

        If port 445 is in use, run the following command in Command Prompt, or press Win+R and type services.msc to open the Services console. Then, check the status of the Server service.

        sc query LanmanServer

        • If the Server service is in the RUNNING state, run the following command in Command Prompt, or press Win+R and type services.msc to open the Services console. Then, stop and disable the Server service. Restart the server and verify that port 445 is no longer in use.

          net stop LanmanServer && sc config LanmanServer start= disabled

        • If the Server service is in the STOPPED state, or port 445 is still in use after the server is restarted, you can run the following command to check the program that is using port 445. After you confirm that the program can be stopped, stop the program and then restart the server.

          tasklist /FI "PID eq 4"

          4 is the PID in the returned information of the netstat -ano | findstr ":445" command. Replace "4" with the actual value.

      3. Configure port forwarding.

        The default port 445 of the SMB protocol is a high-risk port. By default, your Internet service provider (ISP) blocks the port. If you want to access NAS from a data center by using a NAT gateway over the Internet, you must configure port forwarding in the data center. Perform the following steps:

        1. Configure a DNAT entry that maps port 4456 of the NAT gateway's EIP to port 445 of the NAS mount target.

        2. Run the netsh tool on a local Windows client to forward network traffic from port 445 to port 4456.

          netsh interface portproxy add v4tov4 listenaddress=192.168.xx.xx listenport=445 connectaddress=10.10.xx.xx connectport=4456

          192.168.xx.xx is the IP address of the local server. 10.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP addresses with the actual values. You can also use 127.0.0.1 as the IP address of the local server.

      4. Mount the SMB file system.

        net use D: \\192.168.xx.xx\myshare

        • D: is the letter of the destination drive on which you want to mount the file system. Replace the drive letter with the actual value.

        • 192.168.xx.xx is the IP address of the local server. You can also use 127.0.0.1. Replace the IP address with the actual value.

        • myshare is the name of the shared SMB directory. You cannot change the name.

  6. Verify the mount result.

    • NFS file system

      If a result similar to the following information appears after you run the mount command, the mount is successful. You can read data from and write data to the files of the NFS file system.

      [Figure: mount result]

    • SMB file system

      If you can access the SMB file system from your local File Explorer, the mount is successful. You can read data from and write data to the files of the SMB file system.

      Note

      If no drive letter is found, you can enter \\192.168.xx.xx\myshare in the File Explorer to access the drive. 192.168.xx.xx is the IP address of the local server. Replace it with the actual value.

      [Figure: mount result]
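
The port 445 check in the SMB procedure above filters netstat output with findstr ":445", which is a substring match and therefore also prints rows for ports such as 4456 (the forwarded port) or 44501. The following Python sketch is an added example, not part of the original documentation: it parses netstat -ano output for TCP sockets that are LISTENING on exactly port 445 and reports whether the portproxy listen address is still free. The sample output, addresses, PIDs and function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano` rows on a Windows client; the addresses
# and PIDs are illustrative (documentation ranges), not taken from the page.
SAMPLE = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4456           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:50122     203.0.113.10:4456      ESTABLISHED     1180
  TCP    192.168.1.20:44501     198.51.100.7:443       ESTABLISHED     5120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:4455           *:*                                    900
"""

# One TCP row in LISTENING state: local address, local port, foreign address, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def listeners_on(netstat_output, port=445):
    """Return sorted (local_address, pid) pairs for TCP sockets LISTENING on exactly `port`."""
    found = set()
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port:
            found.add((m.group(1), int(m.group(3))))
    return sorted(found)

def substring_hits(netstat_output, needle=":445"):
    """Rows that a plain substring filter such as findstr ":445" would print."""
    return [line for line in netstat_output.splitlines() if needle in line]

def port_free_for(netstat_output, listen_address, port=445):
    """True when no listener already holds listen_address:port (IPv4 listen address)."""
    # A listener on the IPv4 wildcard 0.0.0.0 is treated as occupying every IPv4 address.
    return not any(addr in (listen_address, "0.0.0.0")
                   for addr, _pid in listeners_on(netstat_output, port))

if __name__ == "__main__":
    print("substring rows:", len(substring_hits(SAMPLE)))
    print("exact listeners on 445:", listeners_on(SAMPLE))
    print("192.168.1.20:445 free:", port_free_for(SAMPLE, "192.168.1.20"))
```

On the constructed sample, the substring filter prints all six rows while only the two rows owned by PID 4 are real listeners on port 445.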

Differences between the NAT Gateway solution and the VPN Gateway solution

The following table describes the differences between the NAT Gateway solution and the VPN Gateway solution.

| Item | NAT Gateway solution | VPN Gateway solution |
| --- | --- | --- |
| Configuration | Easy: You can configure all settings in the Alibaba Cloud Management Console. | Complex: You must configure a VPN gateway in the Alibaba Cloud Management Console and configure a client-side VPN gateway in a data center. |
| Data security | Low | High |
| Flexibility | Low: You can map each EIP to only one mount target. | High: You can access all NAS mount targets at the same time. EIPs are not required in this solution. |
| Scenario | Establish a temporary connection to transfer a small amount of data. | Establish a long-term connection between a data center and NAS. |