Preparing to tier inactive data to AWS S3

Contributors: netapp-bcammett

Before you use Cloud Tiering, verify support for your ONTAP cluster, prepare your object storage, and set up a location for the Service Connector.

The following image shows each component and the connections that you need to prepare between them:

An architecture image that shows the Cloud Tiering service with a connection to the Service Connector in your cloud provider

Communication between the Service Connector and S3 is for object storage setup only. The Service Connector can reside on your premises, instead of in the cloud.

Preparing your ONTAP clusters

Your ONTAP clusters must meet the following requirements when tiering data to AWS S3.

Supported ONTAP platforms

Cloud Tiering supports AFF systems and all-SSD aggregates on FAS systems.

Supported ONTAP version

ONTAP 9.2 or later

Cluster networking requirements
  • The ONTAP cluster initiates an HTTPS connection over port 443 to AWS S3.

    ONTAP reads and writes data to and from object storage. The object storage never initiates a connection; it only responds.

    AWS Direct Connect is not required between the ONTAP cluster and AWS S3. However, because it provides significantly better performance and lower data transfer charges, using Direct Connect is the recommended best practice.

  • An inbound connection is required from the NetApp Service Connector, which can reside in an AWS VPC or on your premises.

    A connection between the cluster and the Cloud Tiering service is not required.

  • An intercluster LIF is required on each ONTAP node that hosts tiered volumes. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage.

    IPspaces enable network traffic segregation, allowing for separation of client traffic for privacy and security. Learn more about IPspaces.

    When you set up data tiering, Cloud Tiering prompts you for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

Supported volumes and aggregates

The total number of volumes that Cloud Tiering can tier might be less than the number of volumes on your ONTAP system. That’s because volumes can’t be tiered from some aggregates. For example, you can’t tier data from SnapLock volumes or from MetroCluster configurations. Refer to ONTAP documentation for functionality or features not supported by FabricPool.

Cloud Tiering supports FlexGroup volumes, starting with ONTAP 9.5. Setup works the same as any other volume.

Preparing AWS S3 for data tiering

The AWS account to which you tier inactive data must have permissions and an access key that the ONTAP cluster can use to tier data in and out of S3.

Most AWS regions are supported. Click here to see the list of supported regions.

You don’t need to create the S3 bucket. Cloud Tiering does that for you.
Steps
  1. Provide the following permissions to the IAM user:

    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:GetBucketLocation",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject"
  2. Create or locate an access key.

    Cloud Tiering passes the access key on to the ONTAP cluster. The credentials are not stored in the Cloud Tiering service.
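The two steps above expressed as Terraform, written here as an added example rather than NetApp's own policy: the six S3 permissions are split by the resource level each action actually applies to, and the access key is created for the same user. Assumed values are the bucket pattern (default "*", because Cloud Tiering creates the bucket for you) and the user name "ontap-cloud-tiering".

```hcl
# Added example, not NetApp's own policy. Assumptions: the bucket pattern
# below ("*" = any bucket, since Cloud Tiering creates the bucket) and the
# IAM user name "ontap-cloud-tiering". Once the bucket exists, set the
# variable to its name so the bucket- and object-level grants are narrowed.
variable "tiering_bucket" {
  type    = string
  default = "*"   # e.g. "my-tiering-bucket" after Cloud Tiering creates it
}

data "aws_iam_policy_document" "ontap_tiering" {
  statement {
    sid       = "ListAllBuckets"
    actions   = ["s3:ListAllMyBuckets"]   # account-wide; only valid on "*"
    resources = ["*"]
  }
  statement {
    sid       = "BucketLevel"             # bucket ARN, no trailing /*
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${var.tiering_bucket}"]
  }
  statement {
    sid       = "ObjectLevel"             # object ARN, with trailing /*
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.tiering_bucket}/*"]
  }
}

resource "aws_iam_user" "ontap_tiering" {
  name = "ontap-cloud-tiering"
}

resource "aws_iam_user_policy" "ontap_tiering" {
  name   = "ontap-cloud-tiering-s3"
  user   = aws_iam_user.ontap_tiering.name
  policy = data.aws_iam_policy_document.ontap_tiering.json
}

# Step 2: the access key that Cloud Tiering passes on to the ONTAP cluster.
# The secret is written to Terraform state, so protect that state file.
resource "aws_iam_access_key" "ontap_tiering" {
  user = aws_iam_user.ontap_tiering.name
}

output "ontap_tiering_access_key_id" {
  value = aws_iam_access_key.ontap_tiering.id
}
```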

Choosing a location for the Service Connector

The Service Connector is NetApp software that communicates with your ONTAP clusters. You can deploy the Service Connector on your premises or in an AWS VPC.

Preparing to deploy the Service Connector in an AWS VPC

Cloud Tiering guides you through the process of deploying the Service Connector on an EC2 instance. Make sure that your AWS account and networking are set up.

Most AWS regions are supported. Click here to see the list of supported regions.

Setting up an AWS account for the Service Connector

The AWS account where you deploy the EC2 instance must have permissions and an access key.

This account can be the same account that you use for the S3 bucket, or a different account. If it’s the same account, just use one set of credentials that contain the full set of permissions required for the S3 bucket and the EC2 instance.
Steps
  1. Provide the permissions in this policy to the IAM user.

  2. Create or locate an access key that you can provide to Cloud Tiering.

    These credentials are used by the Cloud Tiering service to launch the EC2 instance in AWS. Providing your keys is secure and private. NetApp does not save them.

Setting up AWS networking for the Service Connector

The Service Connector needs a connection to your ONTAP clusters, to AWS S3, and to the Cloud Tiering service.

Steps
  1. Identify a VPC for the Service Connector that enables the following connections:

    • An outbound internet connection to the Cloud Tiering service over port 443 (HTTPS)

    • An HTTPS connection over port 443 to S3

    • An HTTPS connection over port 443 to your ONTAP clusters

      Cloud Tiering lets you deploy the EC2 instance with a public IP address, and you can configure it to use your own proxy server.

      You don’t need to create your own security group because Cloud Tiering can do that for you. The security group that Cloud Tiering creates allows no inbound connections and unrestricted outbound connections.

  2. If needed, enable a VPC Endpoint to S3.

    A VPC Endpoint to S3 is recommended if you have a Direct Connect or VPN connection from your ONTAP cluster to the VPC and you want communication between the Service Connector and S3 to stay in your AWS internal network.