This topic describes how to access an Apsara File Storage NAS (NAS) file system from a data center by using a Network Address Translation (NAT) gateway.
Background information
You can mount a file system only on an ECS instance that resides in the same region as the file system. For example, a Network File System (NFS) or Server Message Block (SMB) file system that you create in the China (Hangzhou) region can be mounted only on an ECS instance that resides in the China (Hangzhou) region. You cannot mount the file system on an ECS instance that resides in a different region such as the China (Qingdao) region or on an on-premises server. To implement file system mounting across regions or in a data center, you must use Express Connect circuits to establish a connection between virtual private clouds (VPCs) or between a VPC and a data center. However, this connection significantly increases the cost of mounting the file system.
If a VPN gateway is deployed in your data center, we recommend that you use Alibaba Cloud VPN Gateway to connect your data center to NAS. For more information, see Access a NAS file system from a data center by using VPN gateways.
If you need to upload only a small amount of data from your data center to NAS, we recommend that you use NAT Gateway to establish a connection.
The following figure shows the network topology that is adopted when NAT Gateway is used to establish a connection between a data center and NAS.
Advantage: easy to configure
Disadvantages:
Any user can use an elastic IP address (EIP) to mount a file system on the mount target of the EIP because EIPs and VPCs can communicate with each other.
You can specify each combination of an EIP and port for only one mount target. If you want to access multiple mount targets at the same time, you must create multiple EIPs.
Create a file system and a mount target
Log on to the NAS console.
Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.
Create a mount target in a VPC. For more information, see Create a mount target.
Configure a NAT gateway
You can perform the following steps to mount a NAS file system on a Windows or Linux host that is connected to the Internet. After the file system is mounted, you can upload files to or download files from the file system on the host.
Log on to the VPC console.
Create a NAT gateway. For more information, see Create and manage Internet NAT gateways.
Note: The VPC in which the NAT gateway resides must be the same as the VPC in which the NAS file system resides.
Bind an EIP to the NAT gateway. For more information, see Apply for an EIP.
Create a Destination Network Address Translation (DNAT) entry. For more information, see Create and manage DNAT entries.
You must configure the following parameters:
Public IP Address: the public IP address that is generated when you create an EIP.
Private IP Address: the IP address of the mount target for the file system.
To obtain the IP address, you can ping the mount target from the ECS instance on which the file system is mounted. Example:
ping 0dc404****-****.cn-hangzhou.nas.aliyuncs.com
For more information about mount targets, see View mount targets.
Port: We recommend that you select Any Port. You can also specify a port for your NFS or SMB file system.
Mount the file system.
NFS file system
Install an NFS client. For more information, see the "Step 1: Install an NFS client" section in Mount an NFS file system on a Linux ECS instance.
If an NFS client is already installed, skip this step and mount the NFS file system.
Mount the NFS file system.
mount -t nfs4 10.10.xx.xx:/ /mnt
10.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP address with the actual value.
/mnt is the directory on which you want to mount the file system. Replace the directory with the actual value.
SMB file system
Start the Workstation and TCP/IP NetBIOS Helper services. For more information, see the "Step 1: Prepare the environment" section in Mount an SMB file system on a Windows ECS instance.
Check whether port 445 is in use.
Run the following command:
netstat -ano | findstr ":445"
If the output is similar to the following information, port 445 is in use:
TCP    0.0.0.0:445    0.0.0.0:0    LISTENING    4
TCP    [::]:445       [::]:0       LISTENING    4
4 is the PID of the program that is using port 445.
If port 445 is in use, run the following command in Command Prompt, or press Win+R and type services.msc to open the local services console. Then, check the status of the Server service.
sc query LanmanServer
If the Server service is in the RUNNING state, run the following command in Command Prompt, or press Win+R and type services.msc to open the local services console. Then, stop and disable the Server service. Restart the server and verify that port 445 is no longer in use.
net stop LanmanServer && sc config LanmanServer start= disabled
If the Server service is in the STOPPED state, or port 445 is still in use after the server is restarted, you can run the following command to check the program that is using port 445. After you confirm that the program can be stopped, stop the program and then restart the server.
tasklist /FI "PID eq 4"
4 is the PID in the returned information of the netstat -ano | findstr ":445" command. Replace "4" with the actual value.
Configure port forwarding.
The default port 445 of the SMB protocol is a high-risk port. By default, the port is disabled by your Internet service provider (ISP). If you want to access NAS from a data center by using a NAT gateway over the Internet, you must configure port forwarding in the data center. Perform the following steps:
Configure a DNAT entry to map port 445 of NAS to port 4456 for the EIP of a NAT gateway.
Run the netsh tool on a local Windows client to forward network traffic from port 445 to port 4456.
netsh interface portproxy add v4tov4 listenaddress=192.168.xx.xx listenport=445 connectaddress=10.10.xx.xx connectport=4456
192.168.xx.xx is the IP address of the local server. 10.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP addresses with the actual values. You can also use 127.0.0.1 as the IP address of the local server.
Mount the SMB file system.
net use D: \\192.168.xx.xx\myshare
D: is the letter of the destination drive on which you want to mount the file system. Replace the drive letter with the actual value.
192.168.xx.xx is the IP address of the local server. You can also use 127.0.0.1. Replace the IP address with the actual value.
myshare is the name of the shared SMB directory. You cannot change the name.
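The port 445 check above relies on findstr ":445", which is a substring match and therefore also returns lines for port 4456 once the forwarding rule is in use. The following added example (not part of the original documentation) parses netstat -ano output and matches the port exactly; the sample output, addresses and PIDs are constructed.

```python
import re

# Constructed `netstat -ano` sample; addresses and PIDs are illustrative only.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:50123     203.0.113.7:4456       ESTABLISHED     1388
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Proto, local addr:port, foreign addr (ignored), state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")


def parse_tcp_rows(text):
    """Return (local_addr, local_port, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            addr, port, state, pid = m.groups()
            rows.append((addr.strip("[]"), int(port), state, int(pid)))
    return rows


def substring_hits(text, needle=":445"):
    """What `findstr ":445"` prints: every line containing the substring."""
    return [line.strip() for line in text.splitlines() if needle in line]


def listeners(text, port=445):
    """Exact match: only LISTENING sockets bound to the given local port."""
    return [(addr, pid) for addr, p, state, pid in parse_tcp_rows(text)
            if p == port and state == "LISTENING"]


def conflicting_pids(text, listen_addr, port=445):
    """PIDs whose IPv4 listener collides with a v4tov4 portproxy rule
    on listen_addr:port (a 0.0.0.0 listener covers every local IPv4 address)."""
    return sorted({pid for addr, pid in listeners(text, port)
                   if addr == "0.0.0.0" or addr == listen_addr})


if __name__ == "__main__":
    print(len(substring_hits(SAMPLE)), "findstr-style hits")
    print("exact listeners on 445:", listeners(SAMPLE))
    # On Windows, PID 4 is the System process.
    print("must be freed first:", conflicting_pids(SAMPLE, "192.168.0.10"))
```
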
Verify the mount result.
NFS file system
If a result similar to the following information appears after you run the mount command, the mount is successful. You can read data from and write data to the files of the NFS file system.
SMB file system
If you can access the SMB file system from your local File Explorer, the mount is successful. You can read data from and write data to the files of the NFS file system.
Note: If no drive letter is found, you can enter \\192.168.xx.xx\myshare in File Explorer to access the drive. 192.168.xx.xx is the IP address of the local server. Replace it with the actual value.
Differences between the NAT Gateway solution and the VPN Gateway solution
The following table describes the differences between the NAT Gateway solution and the VPN Gateway solution.
Item | NAT Gateway solution | VPN Gateway solution |
Configuration | Easy: You can configure all settings in the Alibaba Cloud Management Console. | Complex: You must configure a VPN gateway in the Alibaba Cloud Management Console and configure a client-side VPN gateway in a data center. |
Data security | Low | High |
Flexibility | Low: You can map each EIP to only one mount target. | High: You can access all NAS mount targets at the same time. EIPs are not required in this solution. |
Scenario | Establish a temporary connection to transfer a small amount of data. | Establish a long-term connection between a data center and NAS. |
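The constraints stated in this topic (Any Port exposes the whole mount target through the EIP, one EIP and port combination serves only one mount target, and port 445 is typically blocked by ISPs) can be checked against a list of DNAT entries. The following is an added example, not Alibaba Cloud code; the entry records, their field names and all addresses are constructed for illustration and do not follow an API schema.

```python
from collections import defaultdict

# Constructed DNAT entries; field names are hypothetical.
ENTRIES = [
    {"eip": "203.0.113.7", "ext_port": "any",  "private_ip": "192.168.1.20"},
    {"eip": "203.0.113.8", "ext_port": "4456", "private_ip": "192.168.1.21"},
    {"eip": "203.0.113.8", "ext_port": "4456", "private_ip": "192.168.1.22"},
    {"eip": "203.0.113.9", "ext_port": "445",  "private_ip": "192.168.1.23"},
]
# Private IP addresses of the NAS mount targets (constructed).
MOUNT_TARGETS = {"192.168.1.20", "192.168.1.21", "192.168.1.22", "192.168.1.23"}


def audit(entries, mount_targets):
    """Return (entry_index, finding) pairs for DNAT entries that publish a
    NAS mount target on an EIP."""
    findings = []
    seen = defaultdict(list)  # eip -> [(index, ext_port, private_ip)]
    for i, e in enumerate(entries):
        if e["private_ip"] not in mount_targets:
            continue  # not a NAS mount target, out of scope here
        if e["ext_port"] == "any":
            # Every port of the mount target is reachable through the EIP.
            findings.append((i, "ANY_PORT"))
        elif e["ext_port"] == "445":
            # The default SMB port is commonly blocked by ISPs; the topic
            # maps it to another external port such as 4456 instead.
            findings.append((i, "EXT_445_LIKELY_BLOCKED"))
        for j, port, ip in seen[e["eip"]]:
            overlap = "any" in (port, e["ext_port"]) or port == e["ext_port"]
            if overlap and ip != e["private_ip"]:
                # One EIP and port combination can serve one mount target only.
                findings.append((i, f"OVERLAPS_ENTRY_{j}"))
        seen[e["eip"]].append((i, e["ext_port"], e["private_ip"]))
    return findings


if __name__ == "__main__":
    for index, finding in audit(ENTRIES, MOUNT_TARGETS):
        print(index, finding, ENTRIES[index])
```
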