In most cases, you must mount a File Storage NAS (NAS) file system on a compute node that belongs to the same Alibaba Cloud account, the same region, and the same virtual private cloud (VPC). If you want to mount a NAS file system on a data center or on a personal client, you must connect your on-premises network to the VPC where the NAS file system resides. You can configure a network address translation (NAT) gateway to connect your network to the VPC. This topic describes how to access a NAS file system from a data center by using a NAT gateway.
Background information
You can mount a file system only on an Elastic Compute Service (ECS) instance that resides in the same region as the file system. For example, a Network File System (NFS) or Server Message Block (SMB) file system that you create in the China (Hangzhou) region can be mounted only on an ECS instance that resides in the China (Hangzhou) region. You cannot mount the file system on an ECS instance that resides in a different region such as the China (Qingdao) region or on an on-premises server. To implement file system mounting across regions or in a data center, you must use Express Connect circuits to establish a connection between VPCs or between a VPC and a data center. However, this connection significantly increases the cost of mounting the file system.
If a virtual private network (VPN) gateway is deployed in your data center, we recommend that you use Alibaba Cloud VPN Gateway to connect your data center to NAS. For more information, see Access a NAS file system from a data center by using VPN gateways.
If you need to upload only a small amount of data from your data center to NAS, we recommend that you use NAT Gateway to establish a connection.
The following figure shows the network topology that is adopted when NAT Gateway is used to establish a connection between a data center and NAS.
Advantage: easy to configure
Disadvantages:
Any user can use an elastic IP address (EIP) to mount a file system on the mount target of the EIP because EIPs and VPCs can communicate with each other.
You can specify each combination of an EIP and port for only one mount target.
If you set the port to any port when you create a Destination Network Address Translation (DNAT) entry to access multiple mount targets at the same time, you must create an EIP for each mount target.
Optional. Configure a whitelist
In NAS, each permission group represents a whitelist. To ensure data access security in different scenarios, you can create a custom permission group and add rules to grant different access permissions to specific IP addresses or CIDR blocks.
Log on to the NAS console.
Create a permission group.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Permission Group page, click the General-purpose NAS or Extreme NAS tab. Then, click Create Permission Group.
In the Create Permission Group dialog box, configure the required parameters.
For more information about the parameters, see Required parameters.
Add rules to the permission group.
Find the permission group that you created and click Manage Rules in the Actions column. On the page that appears, click Create Rule. In the Create Rule dialog box, configure the parameters described in the following table.
For more information about the parameters for management rules, see Parameter description.
Click OK.
Create a file system and a mount target
Log on to the NAS console.
Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.
Create a mount target in a VPC. For more information, see Create a mount target.
Configure a NAT gateway
You can perform the following steps to mount a NAS file system on a Windows or Linux host that is connected to the Internet. After the file system is mounted, you can upload files to or download files from the file system on the host.
Log on to the VPC console.
Create a NAT gateway. For more information, see Create and manage an Internet NAT gateway.
Note: The VPC in which the NAT gateway resides must be the same as the VPC in which the NAS file system resides.
Bind an EIP to the NAT gateway. For more information, see Apply for an EIP.
Create a DNAT entry. For more information, see Create and manage DNAT entries.
You must configure the parameters that are described in the following table.
Parameter | Description |
Public IP Address | The public IP address that is generated when you create an EIP. |
Private IP Address | The IP address of the mount target for the file system. To obtain the IP address, you can ping the mount target from the ECS instance on which the file system is mounted. Sample code: ping 0dc404****-****.cn-hangzhou.nas.aliyuncs.com. For more information about mount targets, see View mount targets. |
Port Settings | Custom Port: This option is recommended. NFS file system: Public Port: ports 111 and 2049; Private Port: ports 111 and 2049; Protocol: Select TCP. SMB file system: Public Port: port 4456; Private Port: port 445; Protocol: Select TCP. Any Port: This option is not recommended. All requests to access the EIP are forwarded to the destination NAS file system. We recommend that you specify the ports. |
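The limits and port settings above (one mount target per EIP and port combination, Any Port not recommended, NFS on TCP 111 and 2049, SMB on private port 445) can be checked against a planned DNAT table before the entries are created. The following Python sketch is an added example, not Alibaba Cloud code; the entry field names and the sample addresses are assumptions constructed for illustration.

```python
# Added example: audit a planned DNAT table against the rules on this page.
# Field names (eip, public_port, ...) are hypothetical, not Alibaba Cloud API fields.
NFS_PORTS = {111, 2049}   # NFS: public and private ports 111 and 2049, TCP
SMB_PRIVATE_PORT = 445    # SMB: public port 4456 maps to private port 445, TCP
ANY = "any"               # stands for the "Any Port" option


def audit_dnat(entries, mount_targets):
    """Return sorted findings; mount_targets maps private IP -> 'nfs' or 'smb'."""
    findings = set()
    owners = {}  # (eip, public_port) -> private IP that first claimed the pair
    for e in entries:
        eip, pub, ip = e["eip"], e["public_port"], e["private_ip"]
        if pub == ANY:
            findings.add(f"{eip}: Any Port forwards every request to {ip}")
        elif e["protocol"].lower() != "tcp":
            findings.add(f"{eip}:{pub}: protocol must be TCP")
        # An EIP/port pair serves one mount target; Any Port claims the whole EIP.
        for (o_eip, o_pub), owner in owners.items():
            clash = o_eip == eip and (o_pub == pub or ANY in (o_pub, pub))
            if clash and owner != ip:
                findings.add(f"{eip}:{pub}: already mapped to {owner}")
        owners.setdefault((eip, pub), ip)
    for ip, kind in mount_targets.items():
        mine = [e for e in entries if e["private_ip"] == ip]
        if any(e["public_port"] == ANY for e in mine):
            continue  # Any Port covers every port; already reported above
        private = {e["private_port"] for e in mine}
        if kind == "nfs" and not NFS_PORTS <= private:
            findings.add(f"{ip}: NFS needs ports {sorted(NFS_PORTS - private)} forwarded")
        if kind == "smb" and SMB_PRIVATE_PORT not in private:
            findings.add(f"{ip}: SMB needs private port 445 forwarded")
    return sorted(findings)


# Constructed sample plan: placeholder EIP and mount target addresses.
SAMPLE_TARGETS = {"10.0.0.10": "nfs", "10.0.0.20": "smb"}
SAMPLE_ENTRIES = [
    {"eip": "203.0.113.5", "public_port": 2049, "private_ip": "10.0.0.10",
     "private_port": 2049, "protocol": "TCP"},
    {"eip": "203.0.113.5", "public_port": 4456, "private_ip": "10.0.0.20",
     "private_port": 445, "protocol": "TCP"},
    {"eip": "203.0.113.5", "public_port": 2049, "private_ip": "10.0.0.20",
     "private_port": 2049, "protocol": "TCP"},
]

if __name__ == "__main__":
    for line in audit_dnat(SAMPLE_ENTRIES, SAMPLE_TARGETS):
        print(line)
```

On the sample plan the audit reports the missing port 111 entry for the NFS mount target and the second mount target that tries to reuse the same EIP and port 2049.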
Mount the file system
NFS file system
Install an NFS client. For more information, see Step 1: Install an NFS client.
If an NFS client is already installed, skip this step and mount the NFS file system.
Mount the NFS file system. For more information about the mount command parameters, see Parameters.
mount -t nfs4 100.10.xx.xx:/ /mnt
100.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP address with the actual value.
/mnt is the directory on which you want to mount the file system. Replace the directory with the actual value.
SMB file system
Start the Workstation and TCP/IP NetBIOS Helper services. For more information, see Mount an SMB file system.
Check whether port 445 is in use.
Run the following command:
netstat -ano | findstr ":445"
If the output is similar to the following information, port 445 is in use:
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP [::]:445 [::]:0 LISTENING 4
4 is the PID of the program that is using port 445.
If port 445 is in use, run the following command in Command Prompt, or press Win+R and type services.msc to open the local Services console. Then, check the status of the Server service.
sc query LanmanServer
If the Server service is in the RUNNING state, run the following command in Command Prompt, or press Win+R and type services.msc to open the local Services console. Then, stop and disable the Server service. Restart the server and verify that port 445 is no longer in use.
net stop LanmanServer && sc config LanmanServer start= disabled
If the Server service is in the STOPPED state, or port 445 is still in use after the server is restarted, you can run the following command to check the program that is using port 445. After you confirm that the program can be stopped, stop the program and then restart the server.
tasklist /FI "PID eq 4"
4 is the PID in the returned information of the netstat -ano | findstr ":445" command. Replace "4" with the actual value.
Configure local port forwarding.
The default port 445 of the SMB protocol is a high-risk port. By default, the port is blocked by your Internet service provider (ISP). If you want to access NAS from a data center by using a NAT gateway over the Internet, you must configure port forwarding in the data center.
Run the netsh tool on a local Windows client to forward network traffic from port 445 to port 4456.
netsh interface portproxy add v4tov4 listenaddress=192.168.xx.xx listenport=445 connectaddress=100.10.xx.xx connectport=4456
192.168.xx.xx is the IP address of the on-premises server, and 100.10.xx.xx is the public IP address that is generated when you create an EIP. Replace the IP addresses with the actual values. You can also use 127.0.0.1 as the IP address of the on-premises server.
Note: If the public port of the DNAT entry is port 445 or if the port is set to any port, you do not need to configure local port forwarding. You can directly use the EIP to mount the file system.
Mount the SMB file system. For more information, see Mount an SMB file system.
net use D: \\192.168.xx.xx\myshare
D is the letter of the destination drive on which you want to mount a file system. Replace the drive letter based on your business requirements.
192.168.xx.xx is the IP address of the on-premises server. You can also use 127.0.0.1. Replace the IP address with the actual value.
myshare is the name of the shared SMB directory. You cannot change the name.
Verify the mount result
NFS file system
If a result similar to the following information appears after you run the mount command, the mount is successful. You can read data from and write data to the files of the NFS file system.
SMB file system
If you can access the SMB file system from your local File Explorer, the mount is successful. You can read data from and write data to the files of the SMB file system.
If no drive letter is found, you can enter \\192.168.xx.xx\myshare in the File Explorer to access the drive. 192.168.xx.xx is the IP address of the on-premises server. Replace it with the actual value.
Differences between the NAT Gateway solution and the VPN Gateway solution
The following table describes the differences between the NAT Gateway solution and the VPN Gateway solution.
Item | NAT Gateway solution | VPN Gateway solution |
Configuration | Easy: You can configure all settings in the Alibaba Cloud Management Console. | Complex: You must configure a VPN gateway in the Alibaba Cloud Management Console and configure a client-side VPN gateway in a data center. |
Data security | Low | High |
Flexibility | Low: You can map each EIP to only one mount target. | High: You can access all NAS mount targets at the same time. EIPs are not required in this solution. |
Scenario | Establish a temporary connection to transfer a small amount of data. | Establish a long-term connection between a data center and NAS. |