All Products
Search
Document Center

File Storage NAS:Access a NAS file system from a data center by using VPN gateways

Last Updated:Jul 02, 2024

In most cases, you must mount a NAS file system on a compute node that belongs to the same Alibaba Cloud account, the same region, and the same virtual private cloud (VPC). If you want to mount a NAS file system on an on-premises server or on a personal client, you must connect your on-premises network to the VPC where the NAS file system resides. You can configure virtual private network (VPN) gateways to connect your on-premises network to the VPC. This topic describes how to access a NAS file system from a data center by using VPN gateways.

Background information

You can mount a file system only on an ECS instance that resides in the same region as the file system. For example, a Network File System (NFS) or Server Message Block (SMB) file system that you create in the China (Hangzhou) region can be mounted only on an ECS instance that resides in the China (Hangzhou) region. You cannot mount the file system on an ECS instance that resides in a different region such as the China (Qingdao) region or on an on-premises server. To implement file system mounting across regions or in a data center, you must use Express Connect circuits to establish a connection between VPCs or between a VPC and a data center. However, this connection significantly increases the cost of mounting the file system.

Instead, we recommend that you use VPN Gateway to enable communication between a data center and a VPC or between VPCs that reside in different regions. You can use VPN Gateway to mount a file system in the following scenarios:

The following figure shows the topology that is adopted when VPN gateways are used.

拓扑图

This topology has the following advantages and disadvantages:

  • Advantages

    • Fixes all connectivity issues.

    • Provides secure access by using IPsec to encrypt data in transit.

    • Compared with Express Connect circuits, VPN gateways help significantly reduce costs.

  • Disadvantages

    The Internet bandwidth and latency between a data center and a VPC or between VPCs restrict the I/O performance of a file system over a VPN connection.

Mount a file system on an on-premises server

  1. Create a file system and a mount target.

    1. Log on to the NAS console.

    2. Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.

    3. Create a mount target in a VPC. For more information, see Create a mount target.

  2. Create a connection between the VPC and your data center. For more information, see Connect a data center to a VPC.

  3. Verify the connection between the on-premises server and an ECS instance or a mount target that resides in the VPC.

    Log on to an ECS instance that does not have a public IP address. On the ECS instance, use the ping command to ping the private IP address of the on-premises server and verify the connection.

  4. After you confirm the connection by using the ping command, you can mount a file system that resides in the VPC on the on-premises server. For more information, see Usage notes.

Mount a file system on an ECS instance across regions

Mount a file system across regions (one VPN gateway available)

The following example shows a practical scenario of two VPCs named VPC 1 and VPC 2 that reside in different regions.

  1. Create a file system and a mount target.

    1. Log on to the NAS console.

    2. Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.

    3. Create a mount target in a VPC. For more information, see Create a mount target.

      Create a mount target in VPC 1.

  2. In VPC 2, create a VPN gateway on an ECS instance as a customer gateway.

    Note
    • You must specify a public IP address for the ECS instance to connect to the VPN gateway that resides in VPC 1.

    • For more information about how to create a VPN gateway on an ECS instance, see tutorials such as Install a strongSwan IPSec VPN Server on CentOS 7.

  3. Establish a connection between VPN gateways that reside in VPC 1 and VPC 2, respectively.

    1. Log on to the VPC console.

    2. Create a VPN connection to enable communication between VPN gateways that resides in VPC 1 and VPC 2, which you created in Step 2. For more information, see Step 3: Create an IPsec-VPN connection.

  4. Configure static routes on other ECS instances that reside in VPC 2. For more information, see Step 5: Configure routes for the VPN gateway.

    Set Destination CIDR Block to the private CIDR block of VPC 1 and set Next Hop to the customer gateway that resides in VPC 2.

  5. Verify the connection between VPC 1 and an ECS instance or mount target that resides in VPC 2.

    Log on to an ECS instance that resides in VPC 1, and run the ping command to ping the IP address of an ECS instance that resides in VPC 2.

  6. After you confirm the connection by using the ping command, you can mount a file system that resides in VPC 1 on an ECS instance that resides in VPC 2. For more information, see Usage notes.

Mount a file system across regions (no VPN gateway available)

The following example shows a practical scenario of two VPCs named VPC 1 and VPC 2 that reside in different regions.

  1. Create a file system and a mount target.

    1. Log on to the NAS console.

    2. Create a file system. For more information, see Create a General-purpose NAS file system in the NAS console.

    3. Create a mount target in a VPC. For more information, see Create a mount target.

      Create a mount target in VPC 1.

  2. Establish a connection between VPN gateways that reside in VPC 1 and VPC 2, respectively.

    1. Log on to the VPC console.

    2. Create VPN gateways in VPC 1 and VPC 2, respectively. For more information, see Step 1: Create a VPN gateway.

    3. Create customer gateways in VPC 1 and VPC 2, respectively. For more information, see Step 2: Create a customer gateway.

      When you create a customer gateway in VPC 1, set IP Address to the IP address of the VPN gateway that resides in VPC 1. When you create a customer gateway in VPC 2, set IP Address to the IP address of the VPN gateway that resides in VPC 2.

    4. Configure routes for VPN gateways that reside in VPC 1 and VPC 2, respectively. For more information, see Step 5: Configure routes for the VPN gateway.

      • When you configure routes for the VPN gateway that resides in VPC 1, set Destination CIDR Block to the private CIDR block for VPC 2 and set Next Hop to the name of the customer gateway that resides in VPC 1.

      • When you configure routes for the VPN gateway that resides in VPC 2, set Destination CIDR Block to the private CIDR block for VPC 1 and set Next Hop to the name of the customer gateway that resides in VPC 2.

  3. Verify the connection between VPC 1 and an ECS instance or mount target that resides in VPC 2.

    Log on to an ECS instance that resides in VPC 1, and run the ping command to ping the IP address of an ECS instance that resides in VPC 2.

  4. After you confirm the connection by using the ping command, you can mount a file system that resides in VPC 1 on an ECS instance that resides in VPC 2. For more information, see Usage notes.