Skip to main content

Create traffic classification policies

Contributors netapp-lhalbert

You can create traffic classification policies if you want to monitor, and optionally limit network traffic by bucket, bucket regex, CIDR, load balancer endpoint, or tenant. Optionally, you can set limits for a policy based on bandwidth, the number of concurrent requests, or the request rate.

Before you begin
  • You are signed in to the Grid Manager using a supported web browser.

  • You have the Root access permission.

  • You have created any load balancer endpoints you want to match.

  • You have created any tenants you want to match.

Steps
  1. Select CONFIGURATION > Network > Traffic classification.

  2. Select Create.

  3. Enter a name and a description (optional) for the policy and select Continue.

    For example, describe what this traffic classification policy applies to and what it will limit.

  4. Select Add rule and specify the following details to create one or more matching rules for the policy. Any policy that you create should have at least one matching rule. Select Continue.

    Field Description

    Type

    Select the types of traffic that the matching rule applies to. Traffic types are bucket, bucket regex, CIDR, load balancer endpoint, and tenant.

    Match value

    Enter the value that matches the selected Type.

    • Bucket: Enter one or more bucket names.

    • Bucket regex: Enter one or more regular expressions used to match a set of bucket names.

      The regular expression is unanchored. Use the ^ anchor to match at the beginning of the bucket name, and use the $ anchor to match at the end of the name. Regular expression matching supports a subset of PCRE (Perl compatible regular expression) syntax.

    • CIDR: Enter one or more IPv4 subnets, in CIDR notation, that matches the desired subnet.

    • Load balancer endpoint: Select an endpoint name. These are the load balancer endpoints you defined on the Configure load balancer endpoints.

    • Tenant: Tenant matching uses the access key ID. If the request does not contain an access key ID (for example, anonymous access), then the ownership of the bucket accessed is used to determine the tenant.

    Inverse match

    If you want to match all network traffic except traffic consistent with the Type and Match Value just defined, select the Inverse match checkbox. Otherwise, leave the checkbox cleared.

    For example, if you want this policy to apply to all but one of the load balancer endpoints, specify the load balancer endpoint to be excluded, and select Inverse match.

    For a policy containing multiple matchers where at least one is an inverse matcher, be careful not to create a policy that matches all requests.

  5. Optionally, select Add a limit and select the following details to add one or more limits to control the network traffic matched by a rule.

    Note StorageGRID collects metrics even if you don't add any limits, so you can understand traffic trends.
    Field Description

    Type

    The type of limit you want to apply to the network traffic matched by the rule. For example, you can limit bandwidth or request rate.

    Note: You can create policies to limit aggregate bandwidth or to limit per-request bandwidth. However, StorageGRID can't limit both types of bandwidth at the same time. When aggregate bandwidth is in use, per-request bandwidth is unavailable. Conversely, when per-request bandwidth is in use, aggregate bandwidth is unavailable. Aggregate bandwidth limits might impose an additional minor performance impact on non-limited traffic.

    For bandwidth limits, StorageGRID applies the policy that best matches the type of limit set. For example, if you have a policy that limits traffic in only one direction, then traffic in the opposite direction will be unlimited, even if there is traffic that matches additional policies that have bandwidth limits. StorageGRID implements "best" matches for bandwidth limits in the following order:

    • Exact IP address (/32 mask)

    • Exact bucket name

    • Bucket regex

    • Tenant

    • Endpoint

    • Non-exact CIDR matches (not /32)

    • Inverse matches

    Applies to

    Whether this limit applies to client read requests (GET or HEAD) or write requests (PUT, POST, or DELETE).

    Value

    The value that network traffic will be limited to, based on the Unit you select. For example, enter 10 and select MiB/s to prevent the network traffic matched by this rule from exceeding 10 MiB/s.

    Note: Depending on the units setting, the available units will be either binary (for example, GiB) or decimal (for example, GB). To change the units setting, select the user drop-down in the upper right of the Grid Manager, then select User Preferences.

    Unit

    The unit that describes the value you entered.

    For example, if you want to create a 40 GB/s bandwidth limit for an SLA tier, create two Aggregate bandwidth limits: GET/HEAD at 40 GB/s and PUT/POST/DELETE at 40 GB/s.

  6. Select Continue.

  7. Read and review the Traffic classification policy. Use the Previous button to go back and make changes as required. When you are satisfied with the policy, select Save and continue.

    S3 client traffic is now handled according to the traffic classification policy.

After you finish

View network traffic metrics to verify that the polices are enforcing the traffic limits you expect.