Setting configuration options

You can set various options from the Grid Manager to configure and fine tune the operation of your StorageGRID system.

Endpoint domain names

If you plan to support S3 virtual hosted-style requests, you must configure the list of endpoint domain names that S3 clients connect to. Examples include,, and

Note: The configured server certificates must match the endpoint domain names.

Link costs

You can adjust link costs to reflect the latency between sites. When two or more data center sites exist, link costs prioritize which data center site should provide a requested service.

Grid options

Grid options apply to the compression, encryption, and hashing of stored objects and to S3 and Swift client operations.

Storage options

Storage options allow you to control object segmentation and to define storage watermarks to manage a Storage Node’s usable storage space.

Display options

Display options allow you to specify the timeout period for user sessions and to manage email notifications for alarms and AutoSupport.

Server certificates

You can upload two types of server certificates:

Note: Load balancer certificates are managed separately and are configured on the Load Balancer Endpoints page.


You can enable compliance for your StorageGRID system if S3 tenant accounts need to comply with regulatory requirements when saving object data. When compliance is enabled globally and the active ILM policy includes one or more compliant ILM rules, S3 tenant users with the appropriate permissions can perform these tasks:
  • Create compliant buckets.
  • Set and increase the retention period for bucket objects.
  • Specify how objects can be deleted at the end of their retention period, either automatically by StorageGRID or by user request.
  • Optionally place all objects in the bucket under a legal hold or lift a legal hold. (When the bucket is under a legal hold, objects cannot be deleted, even if their retention period has expired.)
For example, this tenant user is creating a compliant bucket named bank-records in the default us-east-1 region. Objects in this bucket will be retained for 6 years and then deleted automatically. This bucket is not currently under a legal hold.
screenshot showing example Create Bucket UI when compliance is enabled

Proxy settings

If you are using S3 platform services or Cloud Storage Pools, you can configure a non-transparent proxy server between Storage Nodes and the external S3 endpoints. If you send AutoSupport messages using HTTPS or HTTP, you can configure a non-transparent proxy server between Admin Nodes and technical support.

Proxy Settings Menu - Storage

Load balancer endpoints

Load balancer endpoints define Gateway Node and Admin Node ports that accept and load balance S3 and Swift requests to Storage Nodes. HTTPS endpoint certificates are configured per endpoint.

High availability groups

High availability groups use virtual IP addresses (VIPs) to provide active-backup access to Gateway Node or Admin Node services. An HA group consists of one or more network interfaces on Admin Nodes and Gateway Nodes. When creating an HA group, you select network interfaces belonging to the Grid Network (eth0) or the Client Network (eth2).
Note: The Admin Network does not support HA VIPs.

An HA group maintains one or more virtual IP addresses that are added to the active interface in the group. If the active interface becomes unavailable, the virtual IP addresses are moved to another interface. This failover process generally takes only a few seconds and is fast enough that client applications should experience little impact and can rely on normal retry behaviors to continue operation.

You might want to use high availability (HA) groups for several reasons.

Traffic classification policies

Traffic classification policies allow you to create rules for identifying and handling different types of network traffic, including traffic related to specific buckets, tenants, client subnets, or load balancer endpoints. These policies can assist with traffic limiting and monitoring.

Untrusted Client Networks

If you are using a Client Network, you can help secure StorageGRID from hostile attacks by specifying that the Client Network on each node be untrusted. If a node's Client Network is untrusted, the node only accepts inbound connections on ports explicitly configured as load balancer endpoints.

For example, you might want a Gateway Node to refuse all inbound traffic on the Client Network except for HTTPS S3 requests. Or, you might want to enable outbound S3 platform service traffic from a Storage Node, while preventing any inbound connections to that Storage Node on the Client Network.