
Create a Cloud Storage Pool

Contributors netapp-lhalbert netapp-perveilerk netapp-madkat ssantho3

A Cloud Storage Pool specifies a single external Amazon S3 bucket or other S3-compatible provider, or Azure Blob storage container.

When you create a Cloud Storage Pool, you specify the name and location of the external bucket or container that StorageGRID will use to store objects, the cloud provider type (Amazon S3/GCP or Azure Blob storage), and the information StorageGRID needs to access the external bucket or container.

StorageGRID validates the Cloud Storage Pool as soon as you save it, so you must ensure that the bucket or container specified in the Cloud Storage Pool exists and is reachable.

Before you begin
  • You are signed in to the Grid Manager using a supported web browser.

  • You have the required access permissions.

  • You have reviewed the considerations for Cloud Storage Pools.

  • The external bucket or container referenced by the Cloud Storage Pool already exists, and you know its name and location.

  • To access the bucket or container, you have the following information for the authentication type you will choose:

    S3 access key

    For the external S3 bucket

    • The access key ID for the account that owns the external bucket.

    • The associated secret access key.

    Alternatively, you can specify Anonymous for the authentication type.

    C2S access portal

    For Commercial Cloud Services (C2S) S3 service

    You have the following:

    • Complete URL that StorageGRID will use to obtain temporary credentials from the C2S access portal (CAP) server, including all the required and optional API parameters assigned to your C2S account.

    • Server CA certificate issued by an appropriate Government Certificate Authority (CA). StorageGRID uses this certificate to verify the identity of the CAP server. The server CA certificate must use PEM encoding.

    • Client certificate issued by an appropriate Government Certificate Authority (CA). StorageGRID uses this certificate to identify itself to the CAP server. The client certificate must use PEM encoding and must have been granted access to your C2S account.

    • PEM-encoded private key for the client certificate.

    • Passphrase for decrypting the private key for the client certificate, if it is encrypted.

    Note: If the client certificate will be encrypted, use the traditional format for the encryption. PKCS #8 encrypted format is not supported.

    Azure Blob storage

    For the external container

    • Uniform Resource Identifier (URI) used to access the Blob Storage container.

    • Name of the storage account and the account key. You can use the Azure portal to find these values.
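
The C2S note above rules out PKCS #8 encrypted keys, and the PEM armor itself shows which format a key file uses. The following Python check is an added example, not NetApp code: it classifies the client private key file and reports mismatches with the passphrase you plan to enter. The function names and sample blocks are constructed for illustration, and the page does not say whether unencrypted PKCS #8 keys are accepted, so the check raises no finding for them.

```python
import re

# One PEM block: -----BEGIN <label>----- body -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def key_format(label, body):
    """Classify a PEM private-key block by its label and its headers."""
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label == "PRIVATE KEY":
        return "pkcs8-unencrypted"
    # Traditional keys (RSA/EC/DSA PRIVATE KEY) mark encryption in headers.
    if "Proc-Type: 4,ENCRYPTED" in body:
        return "traditional-encrypted"
    return "traditional-unencrypted"

def preflight_client_key(pem_text, passphrase_supplied):
    """Return (format, problems) for the client private key file."""
    keys = [(l, b) for l, b in PEM_BLOCK.findall(pem_text)
            if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return None, [f"expected exactly one private key block, found {len(keys)}"]
    fmt = key_format(*keys[0])
    problems = []
    if fmt == "pkcs8-encrypted":
        problems.append("PKCS #8 encrypted key: not supported, "
                        "use the traditional encrypted format")
    elif fmt == "traditional-encrypted" and not passphrase_supplied:
        problems.append("key is encrypted: passphrase required")
    elif fmt.endswith("unencrypted") and passphrase_supplied:
        problems.append("key is not encrypted: leave passphrase blank")
    return fmt, problems

# Constructed samples: bodies are placeholder base64, not real key material.
BODY = "Q09OU1RSVUNURUQgU0FNUExF"
TRADITIONAL_ENC = ("-----BEGIN RSA PRIVATE KEY-----\n"
                   "Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   f"{BODY}\n-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC = (f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{BODY}\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
PLAIN = f"-----BEGIN EC PRIVATE KEY-----\n{BODY}\n-----END EC PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem, pw in [("traditional", TRADITIONAL_ENC, True),
                          ("pkcs8", PKCS8_ENC, True), ("plain", PLAIN, True)]:
        print(name, preflight_client_key(pem, pw))
```
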

Steps
  1. Select ILM > Storage pools > Cloud Storage Pools.

  2. Select Create, then enter the following information:

    Field Description

    Cloud Storage Pool name

    A name that briefly describes the Cloud Storage Pool and its purpose. Use a name that will be easy to identify when you configure ILM rules.

    Provider type

    Which cloud provider you will use for this Cloud Storage Pool:

    • Amazon S3/GCP: Select this option for an Amazon S3, Commercial Cloud Services (C2S) S3, Google Cloud Platform (GCP), or other S3-compatible provider.

    • Azure Blob Storage

    Bucket or container

    The name of the external S3 bucket or Azure container. You can't change this value after the Cloud Storage Pool is saved.

  3. Based on your Provider type selection, enter the Service endpoint information.

    Amazon S3/GCP
    1. For the protocol, select either HTTPS or HTTP.

      Note: Don't use HTTP connections for sensitive data.
    2. Enter the hostname. Example:

      s3-aws-region.amazonaws.com

    3. Select the URL style:

      Option Description

      Auto-detect

      Attempt to automatically detect which URL style to use, based on the information provided. For example, if you specify an IP address, StorageGRID will use a path-style URL. Select this option only if you don't know which specific style to use.

      Virtual-hosted-style

      Use a virtual-hosted-style URL to access the bucket. Virtual-hosted-style URLs include the bucket name as part of the domain name. Example: https://bucket-name.s3.company.com/key-name

      Path-style

      Use a path-style URL to access the bucket. Path-style URLs include the bucket name at the end. Example: https://s3.company.com/bucket-name/key-name

      Note: The path-style URL option is not recommended and will be deprecated in a future release of StorageGRID.

    4. Optionally, enter the port number, or use the default port: 443 for HTTPS or 80 for HTTP.

    Azure Blob Storage
    1. Using one of the following formats, enter the URI for the service endpoint.

      • https://host:port

      • http://host:port

    Example: https://myaccount.blob.core.windows.net:443

    If you don't specify a port, by default port 443 is used for HTTPS and port 80 is used for HTTP.

  4. Select Continue. Then select the authentication type and enter the required information for the Cloud Storage Pool endpoint:

    Access key

    For Amazon S3/GCP provider type only

    1. For Access key ID, enter the access key ID for the account that owns the external bucket.

    2. For Secret access key, enter the secret access key.

    CAP (C2S access portal)

    For Commercial Cloud Services (C2S) S3 service

    1. For Temporary credentials URL, enter the complete URL that StorageGRID will use to obtain temporary credentials from the CAP server, including all the required and optional API parameters assigned to your C2S account.

    2. For Server CA certificate, select Browse, and upload the PEM-encoded CA certificate that StorageGRID will use to verify the CAP server.

    3. For Client certificate, select Browse, and upload the PEM-encoded certificate that StorageGRID will use to identify itself to the CAP server.

    4. For Client private key, select Browse, and upload the PEM-encoded private key for the client certificate.

    5. If the client private key is encrypted, enter the passphrase for decrypting the client private key. Otherwise, leave the Client private key passphrase field blank.

    Azure Blob Storage
    1. For Account name, enter the name of the Blob storage account that owns the external service container.

    2. For Account key, enter the secret key for the Blob storage account.

    Anonymous

    No additional information is required.

  5. Select Continue. Then choose the type of server verification you want to use:

    Option Description

    Use root CA certificates in Storage Node OS

    Use the Grid CA certificates installed on the operating system to secure connections.

    Use custom CA certificate

    Use a custom CA certificate. Select Browse, and upload the PEM-encoded certificate.

    Do not verify certificate

    The certificate used for the TLS connection is not verified.

  6. Select Save.

    When you save a Cloud Storage Pool, StorageGRID does the following:

    • Validates that the bucket or container and the service endpoint exist and that they can be reached using the credentials that you specified.

    • Writes a marker file to the bucket or container to identify it as a Cloud Storage Pool. Never remove this file, which is named x-ntap-sgws-cloud-pool-uuid.

      If Cloud Storage Pool validation fails, you receive an error message that explains why validation failed. For example, an error might be reported if there is a certificate error or if the bucket or container you specified does not already exist.

  7. If an error occurs, see the instructions for troubleshooting Cloud Storage Pools, resolve any issues, and then try saving the Cloud Storage Pool again.
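
The protocol, URL style, port and server verification choices described in the steps above can be reviewed before you save the pool. The following Python sketch is an added example, not NetApp code: it derives the object URL for each URL style and flags the settings this page warns about. The dictionary keys are hypothetical names, not StorageGRID API fields, and the auto-detect result for a DNS name (virtual-hosted-style) is an assumption; the page only states the IP address case.

```python
import ipaddress

DEFAULT_PORT = {"https": 443, "http": 80}

def resolve_style(host, style):
    """Auto-detect: IP address -> path-style (per the page); DNS name ->
    virtual-hosted-style (assumption made for this sketch)."""
    if style != "auto":
        return style
    try:
        ipaddress.ip_address(host)
        return "path"
    except ValueError:
        return "virtual-hosted"

def object_url(protocol, host, bucket, key, style="auto", port=None):
    """Build the URL used to reach one object under the chosen URL style."""
    style = resolve_style(host, style)
    port = port or DEFAULT_PORT[protocol]
    netloc = f"[{host}]" if ":" in host else host  # bracket IPv6 literals
    if style == "virtual-hosted":
        netloc = f"{bucket}.{netloc}"  # bucket name becomes part of the domain
    if port != DEFAULT_PORT[protocol]:
        netloc += f":{port}"
    path = f"/{key}" if style == "virtual-hosted" else f"/{bucket}/{key}"
    return f"{protocol}://{netloc}{path}"

def audit(pool):
    """Return findings for a planned pool (dict keys are hypothetical)."""
    findings = []
    if pool["protocol"] == "http":
        findings.append("HTTP endpoint: don't use for sensitive data")
    if pool["verification"] == "none":
        findings.append("server certificate is not verified")
    if resolve_style(pool["host"], pool["style"]) == "path":
        findings.append("path-style URL: not recommended, to be deprecated")
    return findings

# Constructed sample: a pool addressed by IP over HTTP without verification.
WEAK_POOL = {"protocol": "http", "host": "10.0.0.5",
             "style": "auto", "verification": "none"}

if __name__ == "__main__":
    print(object_url("https", "s3.company.com", "bucket-name", "key-name"))
    print(audit(WEAK_POOL))
```
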