Apsara File Storage NAS: Access a NAS file system from a data center by using VPN gateways

Last Updated: Jul 03, 2023

This topic describes how to access an Apsara File Storage NAS file system from a data center by using virtual private network (VPN) gateways.

Background information

You can mount a file system only on an ECS instance that resides in the same region as the file system. For example, a Network File System (NFS) or Server Message Block (SMB) file system that you create in the China (Hangzhou) region can be mounted only on an ECS instance that resides in the China (Hangzhou) region. You cannot mount the file system on an ECS instance that resides in a different region, such as the China (Qingdao) region, or on an on-premises server. To mount a file system across regions or from a data center, you can use Express Connect circuits to establish a connection between virtual private clouds (VPCs) or between a VPC and a data center. However, this connection significantly increases the cost of mounting the file system.

Instead, we recommend that you use VPN Gateway to enable communication between a data center and a VPC or between VPCs that reside in different regions. You can use VPN Gateway to mount a file system in the following scenarios:

The following figure shows the topology that is adopted when VPN gateways are used.

Topology diagram

This topology has the following advantages and disadvantages:

  • Advantages

    • Fixes all connectivity issues.

    • Provides secure access by using IPsec to encrypt data in transit.

    • Compared with Express Connect circuits, VPN gateways help significantly reduce costs.

  • Disadvantages

    The Internet bandwidth and latency between a data center and a VPC or between VPCs restrict the I/O performance of a file system over a VPN connection.

Mount a file system on a server that resides in a data center

  1. Create a file system and a mount target.

    1. Log on to the NAS console.

    2. Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.

    3. Create a mount target in a VPC. For more information, see Create a mount target.

  2. Create a connection between the VPC and your data center. For more information, see Connect a data center to a VPC.

  3. Verify the connection between a server that resides in the data center and an ECS instance or a mount target that resides in the VPC.

    Log on to an ECS instance that does not have a public IP address. On the ECS instance, use the ping command to ping the private IP address of a server that resides in the data center and verify the connection.

  4. After you confirm the connection by using the ping command, you can mount a file system that resides in the VPC on a server that resides in the data center. For more information, see Usage notes.

Mount a file system on an ECS instance across regions

Mount a file system across regions (one VPN gateway available)

The following example shows a practical scenario of two VPCs named VPC 1 and VPC 2 that reside in different regions.

  1. Create a file system and a mount target.

    1. Log on to the NAS console.

    2. Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.

    3. Create a mount target in a VPC. For more information, see Create a mount target.

      Create a mount target in VPC 1.

  2. In VPC 2, create a VPN gateway on an ECS instance as a customer gateway.

    Note
    • You must specify a public IP address for the ECS instance to connect to the VPN gateway that resides in VPC 1.

    • For more information about how to create a VPN gateway on an ECS instance, see tutorials such as Install a strongSwan IPSec VPN Server on CentOS 7.

  3. Establish a connection between VPN gateways that reside in VPC 1 and VPC 2, respectively.

    1. Log on to the VPC console.

    2. Create a VPN connection to enable communication between the VPN gateway that resides in VPC 1 and the VPN gateway in VPC 2 that you created in Step 2. For more information, see Step 3: Create an IPsec-VPN connection.

  4. Configure static routes on other ECS instances that reside in VPC 2. For more information, see Step 5: Configure routes for the VPN gateway.

    Set Destination CIDR Block to the private CIDR block of VPC 1 and set Next Hop to the customer gateway that resides in VPC 2.

  5. Verify the connection between VPC 1 and an ECS instance or mount target that resides in VPC 2.

    Log on to an ECS instance that resides in VPC 1, run the ping command to ping the IP address of an ECS instance that resides in VPC 2, and verify the connection.

  6. After you confirm the connection by using the ping command, you can mount a file system that resides in VPC 1 on an ECS instance that resides in VPC 2. For more information, see Usage notes.

Mount a file system across regions (no VPN gateway available)

The following example shows a practical scenario of two VPCs named VPC 1 and VPC 2 that reside in different regions.

  1. Create a file system and a mount target.

    1. Log on to the NAS console.

    2. Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.

    3. Create a mount target in a VPC. For more information, see Create a mount target.

      Create a mount target in VPC 1.

  2. Establish a connection between VPN gateways that reside in VPC 1 and VPC 2, respectively.

    1. Log on to the VPC console.

    2. Create VPN gateways in VPC 1 and VPC 2, respectively. For more information, see Step 1: Create a VPN gateway.

    3. Create customer gateways in VPC 1 and VPC 2, respectively. For more information, see Step 2: Create a customer gateway.

      When you create a customer gateway in VPC 1, set IP Address to the IP address of the VPN gateway that resides in VPC 1. When you create a customer gateway in VPC 2, set IP Address to the IP address of the VPN gateway that resides in VPC 2.

    4. Configure routes for VPN gateways that reside in VPC 1 and VPC 2, respectively. For more information, see Step 5: Configure routes for the VPN gateway.

      • When you configure routes for the VPN gateway that resides in VPC 1, set Destination CIDR Block to the private CIDR block for VPC 2 and set Next Hop to the name of the customer gateway that resides in VPC 1.

      • When you configure routes for the VPN gateway that resides in VPC 2, set Destination CIDR Block to the private CIDR block for VPC 1 and set Next Hop to the name of the customer gateway that resides in VPC 2.

  3. Verify the connection between VPC 1 and an ECS instance or mount target that resides in VPC 2.

    Log on to an ECS instance that resides in VPC 1, run the ping command to ping the IP address of an ECS instance that resides in VPC 2, and verify the connection.

  4. After you confirm the connection by using the ping command, you can mount a file system that resides in VPC 1 on an ECS instance that resides in VPC 2. For more information, see Usage notes.
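
The verification step in each procedure above pings an ECS instance or server, which does not show that the mount target's address is covered by the route's Destination CIDR Block or that the file-protocol port answers through the tunnel. The following is an added example, not part of the original documentation, that checks both from the client that will mount the file system. It assumes `nc` is installed and the standard ports 2049 (NFS) and 445 (SMB); the function names and the addresses in the usage comment are constructed.

```sh
#!/bin/sh
# Added example: client-side preflight before mounting NAS across the VPN.

# Dotted-quad IPv4 -> 32-bit integer; exit status 1 on malformed input.
# The body is a subshell, so IFS and "set --" changes stay local and
# "exit" leaves only the subshell.
ip_to_int() (
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case "$o" in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Status 0 if IP is inside CIDR, 1 if outside, 2 if an argument is malformed.
ip_in_cidr() (
  ip=$(ip_to_int "$1") || exit 2
  net=$(ip_to_int "${2%/*}") || exit 2
  bits=${2#*/}
  case "$bits" in ''|*[!0-9]*|0?*|???*) exit 2 ;; esac
  [ "$bits" -le 32 ] || exit 2
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
)

# TCP connect test; assumes nc (netcat) is installed on the client.
port_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# usage: preflight MOUNT_TARGET_IP ROUTED_CIDR nfs|smb
preflight() {
  case "$3" in
    nfs) port=2049 ;;
    smb) port=445 ;;
    *) echo "unknown protocol: $3" >&2; return 2 ;;
  esac
  ip_in_cidr "$1" "$2" || { echo "$1 is not covered by routed CIDR $2 (or an argument is malformed)" >&2; return 1; }
  port_open "$1" "$port" || { echo "tcp/$port on $1 unreachable" >&2; return 1; }
  echo "ok: $1 tcp/$port reachable through the tunnel"
}

# Constructed invocation: sh preflight.sh 192.168.1.20 192.168.0.0/16 nfs
if [ $# -eq 3 ]; then preflight "$@"; fi
```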