StorageGRID network types

The grid nodes in a StorageGRID system process grid traffic, admin traffic, and client traffic. You must configure the networking appropriately to manage these three types of traffic and to provide control and security.

Traffic types

Traffic type | Description | Network type
Grid traffic | The internal StorageGRID traffic that travels between all nodes in the grid. All grid nodes must be able to communicate with all other grid nodes over this network. | Grid Network (required)
Admin traffic | The traffic used for system administration and maintenance. | Admin Network (optional)
Client traffic | The traffic that travels between external client applications and the grid, including all object storage requests from S3 and Swift clients. | Client Network (optional)

You can configure networking in the following ways:

The Grid Network is mandatory and can carry all grid traffic. The Admin and Client Networks can be included at the time of installation or added later to adapt to changes in requirements. Although the Admin Network and Client Network are optional, using them to carry administrative and client traffic allows the Grid Network to be isolated and secured.

Network interfaces

StorageGRID nodes are connected to each network using the following specific interfaces:

Network | Interface name
Grid Network (required) | eth0
Admin Network (optional) | eth1
Client Network (optional) | eth2

For details about mapping virtual or physical ports to node network interfaces, see the installation instructions.

You must configure the following for each network you enable on a node:
  • IP address
  • Subnet mask
  • Gateway IP address

You can only configure one IP address/mask/gateway combination for each of the three networks on each grid node. If you do not want to configure a gateway for a network, you should use the IP address as the gateway address.

High availability (HA) groups provide the ability to add virtual IP addresses to the Grid or Client Network interface. For more information, see the instructions for administering StorageGRID.

Grid Network

The Grid Network is required. It is used for all internal StorageGRID traffic. The Grid Network provides connectivity among all nodes in the grid, across all sites and subnets. All nodes on the Grid Network must be able to communicate with all other nodes. The Grid Network can consist of multiple subnets. Networks containing critical grid services, such as NTP, can also be added as grid subnets.

Note: StorageGRID does not support network address translation (NAT) between nodes.

The Grid Network can be used for all admin traffic and all client traffic, even if the Admin Network and Client Network are configured. The Grid Network gateway is the node default gateway unless the node has the Client Network configured.

Attention: When configuring the Grid Network, you must ensure that the network is secured from untrusted clients, such as those on the open internet.

Note the following requirements and details for the Grid Network:

Admin Network

The Admin Network is optional. When configured, it can be used for system administration and maintenance traffic. The Admin Network is typically a private network and does not need to be routable between nodes.

You can choose which grid nodes should have the Admin Network enabled on them.

By using an Admin Network, administrative and maintenance traffic does not need to travel across the Grid Network. Typical uses of the Admin Network include access to the Grid Manager user interface; access to critical services such as NTP, DNS, external key management (KMS), and Lightweight Directory Access Protocol (LDAP); access to audit logs on Admin Nodes; and Secure Shell Protocol (SSH) access for maintenance and support.

The Admin Network is never used for internal grid traffic. An Admin Network gateway is provided and allows the Admin Network to communicate with multiple external subnets. However, the Admin Network gateway is never used as the node default gateway.

Note the following requirements and details for the Admin Network:

Client Network

The Client Network is optional. When configured, it is used to provide access to grid services for client applications such as S3 and Swift. If you plan to make StorageGRID data accessible to an external resource (for example, a Cloud Storage Pool or the StorageGRID CloudMirror replication service), the external resource can also use the Client Network. Grid nodes can communicate with any subnet reachable through the Client Network gateway.

You can choose which grid nodes should have the Client Network enabled on them. Not all nodes have to be on the same Client Network, and nodes never communicate with each other over the Client Network. The Client Network does not become operational until grid installation is complete.

For added security, you can specify that a node's Client Network interface be untrusted so that the Client Network will be more restrictive of which connections are allowed. If a node's Client Network interface is untrusted, the interface accepts outbound connections such as those used by CloudMirror replication, but only accepts inbound connections on ports that have been explicitly configured as load balancer endpoints. For more information about the Untrusted Client Network feature and the Load Balancer service, see the instructions for administering StorageGRID.
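The configuration rules stated in this section (one IP/mask/gateway combination per network, the node's own IP address standing in for a gateway that is not wanted, the Client Network gateway replacing the Grid Network gateway as the node default gateway while the Admin Network gateway is never the default, and an untrusted Client Network interface accepting inbound connections only on load balancer endpoint ports) can be checked with a small model of a node. The following is an added example written for this page; it is not NetApp or StorageGRID code. The class names, the sample addresses and the endpoint port 10443 are constructed, and the two sanity checks in validate() (gateway inside its subnet, no overlapping subnets) are general networking checks that the page itself does not state.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Interface, ip_address

# Fixed interface assignment from the page: Grid eth0, Admin eth1, Client eth2.
INTERFACE_FOR = {"grid": "eth0", "admin": "eth1", "client": "eth2"}


@dataclass
class NetworkConfig:
    """The single IP/mask/gateway combination allowed for one network on a node."""
    address: str                # node IP with prefix length, e.g. "10.96.0.10/24"
    gateway: str | None = None  # None: no gateway wanted for this network

    def interface(self) -> IPv4Interface:
        return IPv4Interface(self.address)

    def effective_gateway(self) -> str:
        # With no gateway wanted, the node's own IP address is used as the gateway address.
        return self.gateway if self.gateway is not None else str(self.interface().ip)


@dataclass
class NodeNetworks:
    """Grid Network is required; Admin and Client Networks are optional."""
    grid: NetworkConfig
    admin: NetworkConfig | None = None
    client: NetworkConfig | None = None
    client_untrusted: bool = False
    # TCP ports explicitly configured as load balancer endpoints (constructed values).
    lb_endpoint_ports: set[int] = field(default_factory=set)

    def configured(self) -> dict[str, NetworkConfig]:
        nets = {"grid": self.grid}
        if self.admin is not None:
            nets["admin"] = self.admin
        if self.client is not None:
            nets["client"] = self.client
        return nets

    def validate(self) -> list[str]:
        """Return a list of problems; an empty list means the configuration is consistent.
        Both checks are general sanity checks assumed here, not rules stated on the page."""
        problems = []
        nets = list(self.configured().items())
        for name, cfg in nets:
            iface = cfg.interface()
            gw = ip_address(cfg.effective_gateway())
            if gw not in iface.network:
                problems.append(f"{name} ({INTERFACE_FOR[name]}): gateway {gw} is not in {iface.network}")
        for i, (a_name, a) in enumerate(nets):
            for b_name, b in nets[i + 1:]:
                if a.interface().network.overlaps(b.interface().network):
                    problems.append(f"{a_name} and {b_name} subnets overlap")
        return problems

    def default_route(self) -> str:
        """Page rule: the Client Network gateway is the default gateway when the Client
        Network is configured, otherwise the Grid Network gateway. Never the Admin gateway."""
        name = "client" if self.client is not None else "grid"
        return f"default via {self.configured()[name].effective_gateway()} dev {INTERFACE_FOR[name]}"

    def allows_inbound(self, network: str, dst_port: int) -> bool:
        """Untrusted Client Network rule: inbound connections are accepted only on ports
        configured as load balancer endpoints. Other interfaces are not restricted by it."""
        if network == "client" and self.client_untrusted:
            return dst_port in self.lb_endpoint_ports
        return True

    def allows_outbound(self, network: str) -> bool:
        """Outbound connections (for example CloudMirror replication) are accepted even
        on an untrusted Client Network interface."""
        return network in self.configured()


def inbound_decisions(node: NodeNetworks, network: str, attempts: list[tuple[str, int]]) -> list[tuple[str, int, str]]:
    """Apply the inbound rule to a list of (source, destination port) attempts."""
    return [(src, port, "accept" if node.allows_inbound(network, port) else "drop") for src, port in attempts]


# Constructed sample node: Admin Network without a gateway, untrusted Client Network.
EXAMPLE_NODE = NodeNetworks(
    grid=NetworkConfig("10.96.0.10/24", "10.96.0.1"),
    admin=NetworkConfig("10.97.0.10/24"),
    client=NetworkConfig("192.0.2.10/24", "192.0.2.1"),
    client_untrusted=True,
    lb_endpoint_ports={10443},
)

# Constructed sample inbound attempts on the Client Network: (source, destination port).
SAMPLE_INBOUND = [("198.51.100.7", 10443), ("198.51.100.7", 22), ("203.0.113.9", 9091)]

if __name__ == "__main__":
    print("problems:", EXAMPLE_NODE.validate() or "none")
    print(EXAMPLE_NODE.default_route())
    print("admin gateway:", EXAMPLE_NODE.admin.effective_gateway())
    for src, port, decision in inbound_decisions(EXAMPLE_NODE, "client", SAMPLE_INBOUND):
        print(f"{src} -> eth2:{port} {decision}")
```

Running the block shows the Admin Network gateway falling back to the node's own address (10.97.0.10), the default route moving to eth2 because a Client Network is present, and the SSH and non-endpoint attempts on the untrusted interface being dropped while the endpoint port is accepted.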

When you use a Client Network, client traffic does not need to travel across the Grid Network. Grid Network traffic can be separated onto a secure, non-routable network. The following node types are often configured with a Client Network:
  • Gateway Nodes, because these nodes provide access to the StorageGRID Load Balancer service and S3 and Swift client access to the grid.
  • Storage Nodes, because these nodes provide access to the S3 and Swift protocols and to Cloud Storage Pools and the CloudMirror replication service.
  • Admin Nodes, to ensure that tenant users can connect to the Tenant Manager without needing to use the Admin Network.

Note the following for the Client Network: