Preparing to tier inactive data to AWS S3
Contributors Download PDF of this page
Before you use Cloud Tiering, verify support for your ONTAP cluster, prepare your object storage, and set up a location for the Service Connector.
The following image shows each component and the connections that you need to prepare between them:
|Communication between the Service Connector and S3 is for object storage setup only. The Service Connector can reside on your premises, instead of in the cloud.|
Preparing your ONTAP clusters
Your ONTAP clusters must meet the following requirements when tiering data to AWS S3.
- Supported ONTAP platforms
Cloud Tiering supports AFF systems and all-SSD aggregates on FAS systems.
- Supported ONTAP version
ONTAP 9.2 or later
- Cluster networking requirements
The ONTAP cluster initiates an HTTPS connection over port 443 to AWS S3.
ONTAP reads and writes data to and from object storage. The object storage never initiates, it just responds.
Although AWS Direct Connect provides better performance and lower data transfer charges, it is not required between the ONTAP cluster and AWS S3. Because performance is significantly better when using AWS Direct Connect, doing so is the recommended best practice.
An inbound connection is required from the NetApp Service Connector, which can reside in an AWS VPC or on your premises.
A connection between the cluster and the Cloud Tiering service is not required.
An intercluster LIF is required on each ONTAP node that hosts tiered volumes. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage.
IPspaces enable network traffic segregation, allowing for separation of client traffic for privacy and security. Learn more about IPspaces.
When you set up data tiering, Cloud Tiering prompts you for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.
- Supported volumes and aggregates
The total number of volumes that Cloud Tiering can tier might be less than the number of volumes on your ONTAP system. That’s because volumes can’t be tiered from some aggregates. For example, you can’t tier data from SnapLock volumes or from MetroCluster configurations. Refer to ONTAP documentation for functionality or features not supported by FabricPool.
|Cloud Tiering supports FlexGroup volumes, starting with ONTAP 9.5. Setup works the same as any other volume.|
Choosing a location for the Service Connector
The Service Connector is NetApp software that communicates with your ONTAP clusters. You can deploy the Service Connector on your premises or in an AWS VPC.
Be sure to set up the Service Connector in the same AWS account to which you want to tier data.
Preparing to deploy the Service Connector in an AWS VPC
Cloud Tiering guides you through the process of deploying the Service Connector on an EC2 instance. Make sure that your AWS account and networking are set up.
Setting up an AWS account for the Service Connector
The AWS account where you deploy the EC2 instance must have permissions and an access key. Cloud Tiering tiers data to an S3 bucket that resides in the same AWS account as the Service Connector.
Provide the permissions in this policy to the IAM user.
Create or locate an access key that you can provide to Cloud Tiering.
These credentials are used by the Cloud Tiering service to launch the EC2 instance in AWS. Providing your keys is secure and private. NetApp does not save them.
Setting up AWS networking for the Service Connector
The Service Connector needs a connection to your ONTAP clusters, to AWS S3, and to the Cloud Tiering service.
Identify a VPC for the Service Connector that enables the following connections:
An outbound internet connection to the Cloud Tiering service over port 443 (HTTPS)
An HTTPS connection over port 443 to S3
An HTTPS connection over port 443 to your ONTAP clusters
Cloud Tiering enables you to deploy the EC2 instance with a public IP address and you can configure it to use your own proxy server.
You don’t need to create your own security group because Cloud Tiering can do that for you. The security group that Cloud Tiering creates has no inbound connectivity and open outbound connectivity.
If needed, enable a VPC Endpoint to S3.
A VPC Endpoint to S3 is recommended if you have a Direct Connect or VPN connection from your ONTAP cluster to the VPC and you want communication between the Service Connector and S3 to stay in your AWS internal network.
Preparing AWS S3 for data tiering
When you set up data tiering to a new cluster, Cloud Tiering prompts you to create an S3 bucket or select an existing S3 bucket in the AWS account where you set up the Service Connector.
The AWS account must have permissions and an access key that you can enter in Cloud Tiering. The ONTAP cluster uses the access key to tier data in and out of S3.
Provide the following permissions to the IAM user:
"s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"
Create or locate an access key.
Cloud Tiering passes the access key on to the ONTAP cluster. The credentials are not stored in the Cloud Tiering service.