Preparing to tier inactive data to AWS S3

Contributors netapp-bcammett

Before you use Cloud Tiering, verify support for your ONTAP cluster, prepare your object storage, and set up a location for the Service Connector.

The following image shows each component and the connections that you need to prepare between them:

[Figure: architecture diagram showing the Cloud Tiering service with a connection to the Service Connector in your cloud provider]

Communication between the Service Connector and S3 is for object storage setup only.

Preparing your ONTAP clusters

Your ONTAP clusters must meet the following requirements when tiering data to AWS S3.

Supported ONTAP platforms

Cloud Tiering supports AFF systems and all-SSD aggregates on FAS systems.

Supported ONTAP version

ONTAP 9.2 or later

Cluster networking requirements
  • An inbound and outbound connection to AWS S3 is required.

    AWS Direct Connect is not required between the ONTAP cluster and AWS S3, but it is the recommended best practice because it provides significantly better performance and lower data transfer charges.

  • An inbound connection is required from the NetApp Service Connector, which resides in an AWS VPC.

    A connection between the cluster and the Cloud Tiering service is not required.

  • An intercluster LIF is required on each ONTAP node that hosts tiered volumes. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage.

    IPspaces enable network traffic segregation, allowing for separation of client traffic for privacy and security. Learn more about IPspaces.

    When you set up data tiering, Cloud Tiering prompts you for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

Supported volumes and aggregates

The total number of volumes that Cloud Tiering can tier might be less than the number of volumes on your ONTAP system. That’s because volumes can’t be tiered from some aggregates. For example, you can’t tier data from SnapLock volumes or from MetroCluster configurations. Refer to ONTAP documentation for functionality or features not supported by FabricPool.

Cloud Tiering supports FlexGroup volumes, starting with ONTAP 9.5. Setup works the same as any other volume.

Preparing AWS S3 for data tiering

The AWS account to which you tier inactive data must have permissions and an access key that the ONTAP cluster can use to tier data in and out of S3.

Most AWS regions are supported. Click here to see the list of supported regions.

You don’t need to create the S3 bucket. Cloud Tiering does that for you.
Steps
  1. Provide the following permissions to the IAM user:

    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:GetBucketLocation",
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject"
  2. Create or locate an access key.

    Cloud Tiering passes the access key on to the ONTAP cluster. The credentials are not stored in the Cloud Tiering service.
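Because the access key created here is handed to the ONTAP cluster, it is worth confirming that the policy behind it grants exactly the six S3 actions listed above and nothing broader. The following review script is an added example, not NetApp code: REQUIRED_ACTIONS mirrors the list in step 1, and SAMPLE_POLICY is a constructed policy document used only as input.

```python
"""Least-privilege review of the S3 tiering IAM policy (added example, not NetApp code).
Reports required actions that are missing, extra actions, and wildcard grants.
IAM matches action names case-insensitively; this check compares them as written."""
import fnmatch
import json

# The six actions the page says the tiering IAM user needs.
REQUIRED_ACTIONS = {
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation",
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
}

# Constructed sample policy: covers the required set but uses a wildcard
# (s3:Delete*) that grants more than the tiering key needs.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:Delete*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "s3:PutBucketPolicy"},
    ],
})

def allowed_actions(policy_json):
    """Collect Action strings from Allow statements (Action may be a string or a list)."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.update([action] if isinstance(action, str) else action)
    return actions

def review_policy(policy_json):
    """Return (missing, excess, wildcards) as sorted lists relative to REQUIRED_ACTIONS."""
    granted = allowed_actions(policy_json)
    wildcards = {a for a in granted if "*" in a}
    # A wildcard such as s3:Delete* covers any required action it matches,
    # but is still reported because it grants more than the page calls for.
    covered = {r for r in REQUIRED_ACTIONS
               if any(fnmatch.fnmatchcase(r, g) for g in granted)}
    missing = REQUIRED_ACTIONS - covered
    excess = (granted - wildcards) - REQUIRED_ACTIONS
    return sorted(missing), sorted(excess), sorted(wildcards)
```

Run `review_policy` on the policy document attached to the IAM user; an empty result in all three lists means the key carries exactly the documented permissions.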

Preparing a location for the Service Connector

The Service Connector is NetApp software that communicates with your ONTAP clusters. Cloud Tiering guides you through the process of deploying the Service Connector on an EC2 instance. Make sure that your AWS account and networking are set up.

Most AWS regions are supported. Click here to see the list of supported regions.

Setting up an AWS account for the Service Connector

The AWS account where you deploy the EC2 instance must have permissions and an access key.

This account can be the same account that you use for the S3 bucket, or a different account. If it’s the same account, just use one set of credentials that contains the full set of permissions required for the S3 bucket and the EC2 instance.
Steps
  1. Provide the permissions in this policy to the IAM user.

  2. Create or locate an access key that you can provide to Cloud Tiering.

    These credentials are used by the Cloud Tiering service to launch the EC2 instance in AWS. Providing your keys is secure and private. NetApp does not save them.

Setting up AWS networking for the Service Connector

The Service Connector needs a connection to your ONTAP clusters, to AWS S3, and to the Cloud Tiering service.

Steps
  1. Identify a VPC for the Service Connector that enables the following connections:

    • An outbound internet connection to the Cloud Tiering service

    • A connection to S3

    • A connection to your ONTAP clusters

      Cloud Tiering can deploy the EC2 instance with a public IP address, and you can configure the instance to use your own proxy server.

      You don’t need to create your own security group because Cloud Tiering can do that for you. The security group that Cloud Tiering creates has no inbound connectivity and open outbound connectivity.

  2. If needed, enable a VPC Endpoint to S3.

    A VPC Endpoint to S3 is recommended if you have a Direct Connect or VPN connection from your ONTAP cluster to the VPC and you want communication between the Service Connector and S3 to stay in your AWS internal network.
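Step 1 describes the security group Cloud Tiering creates for the instance: no inbound rules and open outbound. The following check, an added example rather than NetApp code, compares a security group record (shaped like one entry of the EC2 describe-security-groups output) with that baseline so that later drift is easy to spot. CONNECTOR_SG and DRIFTED_SG are constructed samples, not real groups.

```python
"""Baseline check for the Service Connector security group (added example, not NetApp code).
The page states the group has no inbound connectivity and open outbound connectivity."""

# Constructed sample matching the documented shape: no ingress, all-protocol egress.
CONNECTOR_SG = {
    "GroupId": "sg-EXAMPLE-CONNECTOR",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}

# Constructed sample of a group that has drifted: an inbound rule was added.
DRIFTED_SG = {
    "GroupId": "sg-EXAMPLE-DRIFTED",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": CONNECTOR_SG["IpPermissionsEgress"],
}

def describe_rule(rule):
    """Render one IpPermissions entry as 'proto ports from sources' for a finding."""
    proto = rule.get("IpProtocol", "?")
    ports = "all ports" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
    sources = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
               + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
               + [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])])
    return f"{proto} {ports} from {', '.join(sources) or 'no source'}"

def check_connector_sg(sg):
    """Return findings where the group departs from the documented baseline; [] means it matches."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        findings.append(f"{sg.get('GroupId')}: unexpected inbound rule: {describe_rule(rule)}")
    # The connector needs egress to the Cloud Tiering service, S3 and the ONTAP clusters.
    open_egress = any(
        r.get("IpProtocol") == "-1"
        and any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", []))
        for r in sg.get("IpPermissionsEgress", []))
    if not open_egress:
        findings.append(f"{sg.get('GroupId')}: outbound is restricted; connector egress may fail")
    return findings
```

With boto3, pass `ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]` to `check_connector_sg`; the offline samples above show the expected shape.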