Restrictions and best practices for a deployment

There are several restrictions, requirements, and suggested best practices that apply when deploying NAS Bridge. You should be aware of these guidelines when planning a deployment.

Virtual machine resources

The NAS Bridge virtual machine should have 64 GB of RAM and 16 vCPUs.

Client access protocols
For storage clients to access NAS Bridge, they must use one of the supported protocols. NAS Bridge 2.1 supports the following client access protocols:
  • Network File System (NFS) version 3
  • Server Message Block (SMB) versions 2.1 and 3.0
Note: An "Unsupported operation" error occurs if you attempt to connect to NAS Bridge using an unsupported client access protocol.

Selecting and configuring network services
You must define at least one DNS (Domain Name System) server and one Network Time Protocol (NTP) server.

The following best practices and restrictions apply when configuring these network services:

  • Option 1: Use the Active Directory server to provide DNS and NTP services.

    An Active Directory server is required for SMB file systems. If you anticipate creating one or more SMB file systems, you can use the Active Directory server to provide the DNS and NTP services. The Active Directory server can also be used to authenticate users for NFS access.

    • Using the same server for Active Directory and NTP ensures that the NAS Bridge node is using the same time as the Active Directory service.

    • Using the same server for Active Directory and DNS ensures that the NAS Bridge node can resolve the fully qualified domain name of the Active Directory server.

    • If you are using a single server, you must specify the same IP address for all three services. You will complete the Active Directory definition after you add the DNS and NTP entries.

    • If you define an Active Directory server, it must have the highest DNS priority. If another DNS server is defined with a priority higher than the Active Directory server, unpredictable results can occur.
  • Option 2: Use separate servers for DNS and NTP.

    You can specify two separate servers for DNS and NTP. If you anticipate creating one or more SMB file systems, you can use a third server for Active Directory.

    • If you use separate servers for Active Directory and NTP, you must synchronize the time on the two servers to ensure that the NAS Bridge node uses the same time as the Active Directory service.

    • If you use separate servers for Active Directory and DNS, you must ensure that the DNS server can resolve the fully qualified domain name of the Active Directory server.

    • If you are using separate servers, you must know the IP address of the actual, dedicated DNS and NTP servers.

  • Because of the tight integration of NAS Bridge and StorageGRID Webscale, you should use the same DNS and NTP servers (whether a single Active Directory server or two standalone servers) for both systems.

Separation of the management and data networks

Most storage networks are segregated according to management and data traffic. NAS Bridge supports this separation by allowing multiple LIFs to be defined. You should configure NAS Bridge to maintain the network traffic separation as appropriate for your environment. If you do not need to maintain this separation, you can optionally use a single LIF to handle both the management and data traffic. Note that these LIF types are available for convenience only; there is no functional difference between them.

Cache devices and network storage
You must associate a cache device with each NFS and SMB file system. The cache devices hold the data maintained in the writeback cache for each file system. Defining multiple cache devices allows the cache data traffic to be separated and performance to be improved. Further, when you use network storage drives to back the cache, recovery and re-creation of NAS Bridge virtual machines can be performed more quickly.

The best practice is to associate each file system with its own dedicated cache device.

Accessibility of StorageGRID Webscale and network storage
Initially, you might deploy a single NAS Bridge node. However, over time you can add nodes or relocate the nodes within your organization. To enable the most adaptable network configuration, you should make sure that the StorageGRID Webscale system, network services, and network storage can all be accessed from anywhere that a NAS Bridge node is deployed or might be deployed in the future.

Firewall ports
Depending on your network environment, you may need to make changes to the network configuration. Your firewall and other security devices should allow traffic on the following ports as indicated by the direction relative to the NAS Bridge node (inbound to, outbound from):
  • Management and configuration
    • SSH (22) - Inbound
    • HTTP/HTTPS (80, 443) - Inbound
    • SMTP (25) - Outbound
    • NTP (123) - Outbound
    • DNS (53) - Outbound
  • Active Directory
    • DCE endpoint resolution (135) - Outbound
    • LDAP (389) - Outbound
    • msft-gc/msft-gc-ssl (3268, 3269) - Outbound
  • NFS
    • statd (32766) - Inbound
    • mount (32767) - Inbound
    • lockd (32768) - Inbound
    • NFS (2049) - Inbound
    • Portmapper (111) - Inbound
  • SMB
    • 445 - Inbound
  • StorageGRID Webscale
    • 8082 - Outbound
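
The port list above can be used as an allow-list baseline when reviewing firewall rules for a NAS Bridge node. The following is an added example, not NetApp code: it audits a constructed rule set against the documented ports and reports both documented ports that are blocked and rules that open more than the list requires. The group names, the rule-line syntax, and the idea of selecting only the groups a deployment uses are assumptions of this example; the page does not state TCP or UDP for each port, so transport is not modelled.

```python
# Added example, not vendor code. Port matrix transcribed from the
# "Firewall ports" list; direction is relative to the NAS Bridge node.
# The page gives no TCP/UDP split, so transport is not modelled here.
PORT_MATRIX = {
    "management":       {"in": {22, 80, 443}, "out": {25, 123, 53}},
    "active_directory": {"in": set(), "out": {135, 389, 3268, 3269}},
    "nfs":              {"in": {111, 2049, 32766, 32767, 32768}, "out": set()},
    "smb":              {"in": {445}, "out": set()},
    "storagegrid":      {"in": set(), "out": {8082}},
}

def expected_ports(groups):
    """Documented (direction, port) pairs for the selected service groups."""
    return {(d, p) for g in groups
            for d, ports in PORT_MATRIX[g].items() for p in ports}

def parse_rule(line):
    """Parse 'in 22' or 'in 32766-32768' into (direction, low, high)."""
    direction, spec = line.split()
    low, _, high = spec.partition("-")
    return direction, int(low), int(high or low)

def audit(rule_lines, groups):
    """Return (missing, excess): documented ports no rule allows, and rules
    that allow ports outside the matrix mapped to how many such ports."""
    want = expected_ports(groups)
    rules = [parse_rule(line) for line in rule_lines]
    covered = {(d, p) for d, p in want
               for rd, low, high in rules if rd == d and low <= p <= high}
    excess = {}
    for line, (d, low, high) in zip(rule_lines, rules):
        documented = sum(1 for wd, p in want if wd == d and low <= p <= high)
        if high - low + 1 > documented:
            excess[line] = high - low + 1 - documented
    return sorted(want - covered), excess

# Constructed allow-list for an NFS-only node (hypothetical rule syntax).
SAMPLE_RULES = ["in 22", "in 80", "in 443", "in 111", "in 2049",
                "in 32766-32768", "in 445", "out 53", "out 123",
                "out 8080-8090"]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES, ["management", "nfs", "storagegrid"])
    print("documented but blocked:", missing)
    print("allowed but undocumented:", excess)
```

For the constructed NFS-only rule set, the audit flags outbound SMTP (25) as blocked, the stray inbound 445 rule, and the outbound range that opens ten ports beyond 8082.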