To access a File Storage NAS (NAS) file system from an on-premises or personal client, you can connect the on-premises network to the NAS file system by using the NAT Gateway or VPN Gateway service.
Background information
By default, you must mount a NAS file system on a compute node in the same account, region, and virtual private cloud (VPC). You cannot directly mount a NAS file system from an on-premises data center or a personal client because the on-premises network is not connected to Alibaba Cloud. To mount a NAS file system across regions or from an on-premises data center, you can use Express Connect. However, this usually results in high costs. To resolve this issue, we recommend that you use the NAT Gateway or VPN Gateway service to connect your on-premises data center to Alibaba Cloud NAS.
Network architecture
NAT Gateway
The following figure shows the network topology for establishing a connection between a data center and NAS via a NAT gateway.
Advantage: easy to configure
Disadvantages:
Any user can use an elastic IP address (EIP) to mount a file system on the mount target of the EIP because EIPs and VPCs can communicate with each other.
You can specify each combination of an EIP and port for only one mount target.
If you set the port to any port when you create a Destination Network Address Translation (DNAT) entry to access multiple mount targets at the same time, you must create an EIP for each mount target.
VPN Gateway
The following figure shows the network topology for establishing a connection between a data center and NAS via VPN gateways.
This topology has the following advantages and disadvantages:
Advantages
Provides secure access by using IPsec to encrypt data in transit.
Compared with Express Connect circuits, VPN gateways help significantly reduce costs.
Disadvantages
The Internet bandwidth and latency between a data center and a VPC or between VPCs restrict the I/O performance of a file system over a VPN connection.
Differences between the NAT Gateway solution and the VPN Gateway solution
The following table describes the differences between the NAT Gateway solution and the VPN Gateway solution.
Item | NAT Gateway solution | VPN Gateway solution |
Configuration | Easy: You can configure all settings in the Alibaba Cloud Management Console. | Complex: You must configure a VPN gateway in the Alibaba Cloud Management Console and configure a client-side VPN gateway in a data center. |
Data security | Low: No encryption and advanced security measures. | High: Provides encrypted channels to protect data in transit. |
Flexibility | Low: You can map each EIP and port number to only one mount target. | High: You can access all NAS mount targets at the same time. EIPs are not required in this solution. |
Scenario | Suitable for temporarily transferring a small amount of data. | Suitable for frequently transferring a large amount of data with high security. |
What to do next
If your business scenario requires high data security, use the VPN Gateway solution. For more information, see Access a NAS file system from a data center by using VPN gateways and Mount an SMB file system on a macOS client over a VPN.
If your business scenario requires low data security, use the NAT Gateway solution. For more information, see Access a NAS file system from a data center by using a NAT gateway.