Skip to main content

Use cases

Contributors netapp-lenida
PDFs

There are three primary use cases for client access to ONTAP S3 services:

  • For ONTAP systems using ONTAP S3 as a remote FabricPool capacity (cloud) tier

    The S3 server and bucket containing the capacity tier (for cold data) is on a different cluster than the performance tier (for hot data).

  • For ONTAP systems using ONTAP S3 as a local FabricPool tier

    The S3 server and bucket containing the capacity tier is on the same cluster, but on a different HA pair, as the performance tier.

  • For external S3 client apps

    ONTAP S3 serves S3 client apps run on non-NetApp systems.

It is a best practice to provide access to ONTAP S3 buckets using HTTPS. When HTTPS is enabled, security certificates are required for proper integration with SSL/TLS. Client users' access and secret keys are then required to authenticate the user with ONTAP S3 as well as authorizing the users' access permissions for operations within ONTAP S3. The client application should also have access to the root CA certificate (the ONTAP S3 server's signed certificate) to be able to authenticate the server and create a secure connection between client and server.

Users are created within the S3-enabled SVM, and their access permissions can be controlled at the bucket or SVM level; that is, they can be granted access to one or more buckets within the SVM.

HTTPS is enabled by default on ONTAP S3 servers. It is possible to disable HTTPS and enable HTTP for client access, in which case authentication using CA certificates is not required. However, when HTTP is enabled and HTTPS is disabled, all communication with the ONTAP S3 server are sent over the network in clear text.

For additional information, see Technical Report: S3 in ONTAP Best Practices

Related information

FlexGroup volumes management