Skip to main content

Configuring network settings

Contributors netapp-lhalbert

You can configure various network settings from the Grid Manager to fine tune the operation of your StorageGRID system.

Domain names

If you plan to support S3 virtual hosted-style requests, you must configure the list of endpoint domain names that S3 clients connect to. Examples include s3.example.com, s3.example.co.uk, and s3-east.example.com.

Note The configured server certificates must match the endpoint domain names.

High availability groups

High availability groups use virtual IP addresses (VIPs) to provide active-backup access to Gateway Node or Admin Node services. An HA group consists of one or more network interfaces on Admin Nodes and Gateway Nodes. When creating an HA group, you select network interfaces belonging to the Grid Network (eth0) or the Client Network (eth2).

Note The Admin Network does not support HA VIPs.

An HA group maintains one or more virtual IP addresses that are added to the active interface in the group. If the active interface becomes unavailable, the virtual IP addresses are moved to another interface. This failover process generally takes only a few seconds and is fast enough that client applications should experience little impact and can rely on normal retry behaviors to continue operation.

You might want to use high availability (HA) groups for several reasons.

  • An HA group can provide highly available administrative connections to the Grid Manager or the Tenant Manager.

  • An HA group can provide highly available data connections for S3 and Swift clients.

  • An HA group that contains only one interface allows you to provide many VIP addresses and to explicitly set IPv6 addresses.

You can adjust link costs to reflect the latency between sites. When two or more data center sites exist, link costs prioritize which data center site should provide a requested service.

Load balancer endpoints

You can use a load balancer to handle ingest and retrieval workloads from S3 and Swift clients. Load balancing maximizes speed and connection capacity by distributing the workloads and connections across multiple Storage Nodes.

If you want to use the StorageGRID load balancer service, which is included on Admin Nodes and Gateway Nodes, you must configure one or more load balancer endpoints. Each endpoint defines a Gateway Node or Admin Node port for S3 and Swift requests to Storage Nodes.

Proxy settings

If you are using S3 platform services or Cloud Storage Pools, you can configure a non-transparent proxy server between Storage Nodes and the external S3 endpoints. If you send AutoSupport messages using HTTPS or HTTP, you can configure a non-transparent proxy server between Admin Nodes and technical support.

Proxy Settings Menu - Storage

Server certificates

You can upload two types of server certificates:

  • Management Interface Server Certificate, which is the certificate used for accessing the management interface.

  • Object Storage API Service Endpoints Server Certificate, which secures the S3 and Swift endpoints for connections directly to Storage Nodes or when using the CLB service on a Gateway Node.

    Note The CLB service is deprecated.

Load balancer certificates are configured on the Load Balancer Endpoints page. Key management server (KMS) certificates are configured on the Key Management Server page.

Traffic classification policies

Traffic classification policies allow you to create rules for identifying and handling different types of network traffic, including traffic related to specific buckets, tenants, client subnets, or load balancer endpoints. These policies can assist with traffic limiting and monitoring.

Untrusted Client Networks

If you are using a Client Network, you can help secure StorageGRID from hostile attacks by specifying that the Client Network on each node be untrusted. If a node's Client Network is untrusted, the node only accepts inbound connections on ports explicitly configured as load balancer endpoints.

For example, you might want a Gateway Node to refuse all inbound traffic on the Client Network except for HTTPS S3 requests. Or, you might want to enable outbound S3 platform service traffic from a Storage Node, while preventing any inbound connections to that Storage Node on the Client Network.

Related information

Administer StorageGRID