ONTAP S3 architecture and use cases
In ONTAP, the underlying architecture for a bucket is a FlexGroup volume—a single namespace that is made up of multiple constituent member volumes but is managed as a single volume.
Buckets are only limited by the physical maximums of the underlying hardware, architectural maximums could be higher. Buckets can take advantage of FlexGroup elastic sizing to automatically grow a constituent of a FlexGroup volume if it is running out of space. There is a limit of 1000 buckets per FlexGroup volume, or 1/3 of the FlexGroup volume’s capacity (to account for data growth in buckets).
No NAS or SAN protocol access is permitted to the FlexGroup volume that contain S3 buckets.
Access to the bucket is provided through authorized users and client applications.
There are three primary use cases for client access to ONTAP S3 services:
For ONTAP systems using ONTAP S3 as a remote FabricPool capacity (cloud) tier
The S3 server and bucket containing the capacity tier (for cold data) is on a different cluster than the performance tier (for hot data).
For ONTAP systems using ONTAP S3 as a local FabricPool tier
The S3 server and bucket containing the capacity tier is on the same cluster, but on a different HA pair, as the performance tier.
For external S3 client apps
ONTAP S3 serves S3 client apps run on non-NetApp systems.
It is a best practice to provide access to ONTAP S3 buckets using HTTPS. When HTTPS is enabled, security certificates are required for proper integration with SSL/TLS. Client users’ access and secret keys are then required to authenticate the user with ONTAP S3 as well as authorizing the users’ access permissions for operations within ONTAP S3. The client application should also have access to the root CA certificate (the ONTAP S3 server’s signed certificate) to be able to authenticate the server and create a secure connection between client and server.
Users are created within the S3-enabled SVM, and their access permissions can be controlled at the bucket or SVM level; that is, they can be granted access to one or more buckets within the SVM.
HTTPS is enabled by default on ONTAP S3 servers. It is possible to disable HTTPS and enable HTTP for client access, in which case authentication using CA certificates is not required. However, when HTTP is enabled and HTTPS is disabled, all communication with the ONTAP S3 server are sent over the network in clear text.
For additional information, see Technical Report: S3 in ONTAP Best Practices