By default, File Storage NAS (NAS) allows you to mount a NAS file system only on an Elastic Compute Service (ECS) instance that resides in the same virtual private cloud (VPC) in the same region and within the same Alibaba Cloud account. If your ECS instance and NAS file system belong to different accounts and reside in different VPCs in different regions, you can use Cloud Enterprise Network (CEN) to establish a private connection between the ECS instance and the NAS file system. Then, you can mount the NAS file system across accounts, regions, and VPCs. This topic describes how to use CEN to mount a NAS file system across accounts, regions, and VPCs.
Feature description
CEN is a highly available network built on the global private network of Alibaba Cloud. CEN uses transit routers to establish cross-region connections between VPCs. This enables VPCs to communicate with data centers and establish flexible, reliable, and enterprise-class networks in the cloud.
Transit routers are available in two editions: Basic Edition and Enterprise Edition. Enterprise Edition is an upgraded version of Basic Edition and supports all features of Basic Edition. In addition, Enterprise Edition supports custom routing policies. For more information, see How transit routers work. For more information about the regions supported by each edition of transit routers, see Transit router editions.
Sample scenario
A company uses Account A to deploy a VPC named VPC1 in the China (Guangzhou) region and a VPC named VPC3 in the China (Ulanqab) region. The company uses Account B to deploy a VPC named VPC2 and create a NAS file system in the China (Guangzhou) region. ECS instances are deployed in the VPCs. The VPCs cannot communicate with each other. Due to business growth, the company needs to enable the ECS instances within Account A to access the NAS file system within Account B.
The company can use CEN to connect VPC1 and VPC2 in the China (Guangzhou) region to the Basic Edition transit router in the China (Guangzhou) region within Account A, and connect VPC3 in the China (Ulanqab) region to the Basic Edition transit router in the China (Ulanqab) region within Account A. Then, the networks in the China (Guangzhou) region and the China (Ulanqab) region within Account A can communicate with each other by using a bandwidth plan and cross-region connection. This way, the three VPCs can communicate with each other, and the NAS file system can be mounted on the ECS instances.
The following table describes the CIDR blocks allocated to the VPCs. Make sure that the CIDR blocks do not overlap.
Item | VPC1 | VPC2 | VPC3 |
Network instance CIDR blocks | | | |
Network instance regions | China (Guangzhou) | China (Guangzhou) | China (Ulanqab) |
Network instance owner account | Account A | Account B | Account A |
ECS instance IP address | 192.168.0.239 | 10.0.0.121 | 172.16.0.201 |
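The following pre-flight check is an added example, not part of the original topic or of any Alibaba Cloud tool. It verifies the non-overlap requirement before the VPCs are attached to the transit router. The ECS addresses come from the table above; the CIDR blocks and the `check_plan` function are assumptions constructed for the example, because the table does not list the blocks.

```python
import ipaddress
from itertools import combinations

# ECS addresses are taken from the table above. The CIDR blocks are
# constructed for this example (the table does not list them).
PLAN = {
    "VPC1": {"cidrs": ["192.168.0.0/24"], "ecs": "192.168.0.239"},
    "VPC2": {"cidrs": ["10.0.0.0/24"], "ecs": "10.0.0.121"},
    "VPC3": {"cidrs": ["172.16.0.0/24"], "ecs": "172.16.0.201"},
}


def check_plan(plan):
    """Return a list of problems that would break routing between attached VPCs."""
    # strict=True rejects blocks with host bits set, such as 10.0.0.1/24.
    nets = {
        name: [ipaddress.ip_network(c, strict=True) for c in vpc["cidrs"]]
        for name, vpc in plan.items()
    }
    problems = []

    # 1. No CIDR block of one VPC may overlap a block of another VPC.
    for (a, a_nets), (b, b_nets) in combinations(nets.items(), 2):
        for na in a_nets:
            for nb in b_nets:
                if na.overlaps(nb):
                    problems.append(f"{a} {na} overlaps {b} {nb}")

    # 2. Each ECS address must fall inside its own VPC and no other VPC.
    for name, vpc in plan.items():
        ip = ipaddress.ip_address(vpc["ecs"])
        owners = [n for n, ns in nets.items() if any(ip in net for net in ns)]
        if owners != [name]:
            problems.append(f"{name} ECS {ip} is covered by {owners or 'no VPC'}")

    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

An empty result means that the routes learned through the transit router are unambiguous. The overlap check also covers any secondary CIDR blocks that are listed for a VPC.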
Prerequisites
A VPC is deployed in each of the China (Guangzhou) and China (Ulanqab) regions by using Account A. A VPC is deployed in the China (Guangzhou) region by using Account B. ECS instances are deployed in the VPCs. For more information, see Create a VPC with an IPv4 CIDR block.
You are familiar with the security group rules that apply to the ECS instances in the VPCs. Make sure that the security group rules allow the VPCs to communicate with each other. For more information, see View security group rules and Add a security group rule.
A CEN instance is created by using Account A. Basic Edition transit routers exist in the China (Guangzhou) and China (Ulanqab) regions. If you do not have a Basic Edition transit router, you can use an Enterprise Edition transit router. For more information, see Use Enterprise Edition transit routers to connect VPCs in different regions and accounts.
A file system is created in the China (Guangzhou) region by using Account B. For more information, see Create a file system.
Step 1: Grant permissions to the accounts
Before you can connect VPC2 that belongs to Account B to the transit router that belongs to Account A, you must grant the required permissions to Account A. Otherwise, the transit router that belongs to Account A cannot connect to VPC2.
Log on to the VPC console with Account B.
In the top navigation bar, select the region where VPC2 is deployed. In this example, China (Guangzhou) is selected.
On the VPCs page, find and click the ID of VPC2.
Click the Cross-account authorization tab. On the tab, click Authorize Cross Account Attach CEN.
In the Attach to CEN dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
Peer Account UID | Enter the ID of the Alibaba Cloud account that owns the transit router. In this example, enter the UID of Account A. |
Peer CEN Instance ID | Enter the ID of the CEN instance to which the transit router belongs. In this example, enter the ID of the CEN instance that belongs to Account A. |
Payer | Select the account that pays the fees. CEN Instance Owner Pays Bills: The owner of the transit router pays the connection fee and data transfer fee. This is the default value. VPC Owner: The owner of the VPC pays the connection fee and data transfer fee. In this example, use the default value. Note: If you use Basic Edition transit routers to connect VPCs, connections and data transfer are free of charge. |
Step 2: Connect the VPCs to the transit router
After Account A is granted the required permissions, you must connect VPC1, VPC2, and VPC3 to the transit router that belongs to Account A. This enables network communication between the VPCs.
Log on to the CEN console with Account A.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the Basic Settings tab, click in the VPC section.
On the Connection with Peer Network Instance page, configure the following parameters and click OK:
Network Type: Select the type of network instance that you want to attach.
Region: Select the region where the network instance is deployed.
Transit Router: The transit router in the selected region is automatically displayed.
Resource Owner ID: Select the Alibaba Cloud account to which the network instance belongs.
Network Instance: Select the ID of the network instance that you want to attach.
The system connects VPC1, VPC2, and VPC3 to the transit router that belongs to Account A based on the preceding settings. The following table lists the settings of each VPC.
Parameter | VPC1 | VPC2 | VPC3 |
Network Type | VPC | VPC | VPC |
Region | China (Guangzhou) | China (Guangzhou) | China (Ulanqab) |
Resource Owner ID | Current Account | Different Account. If you select Different Account, you must specify the ID of Account B. | Current Account |
Network Instance | VPC1 | VPC2 | VPC3 |
After you complete the preceding steps, VPC1, VPC2, and VPC3 automatically learn routes from each other. VPC1 and VPC2 can communicate with each other. Inter-region connections are established between VPC1 and VPC3, and between VPC2 and VPC3. By default, CEN provides 1 Kbit/s of bandwidth for connectivity testing (IPv4 addresses). The bandwidth is used only for testing and does not support service-level inter-region connections. For example, you can create an ECS instance in each VPC and run the ping command on the ECS instances to test connectivity.
Step 3: Purchase a bandwidth plan
To establish connections between VPC1 and VPC3, and between VPC2 and VPC3, you must purchase a bandwidth plan that provides bandwidth for inter-region connections.
Log on to the CEN console with Account A.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the details page of the CEN instance, choose , and click Purchase Bandwidth Plan (Subscription).
On the buy page, configure the parameters, click Buy Now, and then complete the payment. The following table describes the parameters.
Parameter | Description |
CEN ID | Select the CEN instance for which you want to purchase a bandwidth plan. After you complete the payment, the bandwidth plan is automatically associated with the CEN instance. In this example, select the CEN instance that belongs to Account A. |
Area A | Select one of the areas where you want to enable inter-region communication. In this example, select Mainland China. Note: You cannot change the areas after the bandwidth plan is purchased. For more information about the regions and areas that support bandwidth plans, see Work with a bandwidth plan. |
Area B | Select one of the areas where you want to enable inter-region communication. In this example, select Mainland China. |
Billing Method | The billing method of the bandwidth plan. Default value: Pay-By-Bandwidth. For more information, see Billing rules. |
Bandwidth | Select a bandwidth value based on your business requirements. Unit: Mbit/s. |
Bandwidth Package Name | Enter a name for the bandwidth plan. |
Order time | Select a subscription duration for the bandwidth plan. You can select Auto-renewal to enable auto-renewal for the bandwidth plan. |
Resource Group | Select the resource group to which the bandwidth plan belongs. |
Step 4: Create an inter-region connection
Log on to the CEN console with Account A.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab and click Assign Bandwidth.
On the Connection with Peer Network Instance page, configure the parameters and click OK. The following table describes the parameters.
Parameter | Description |
Instance Type | In this example, select Inter-region Connection. |
Region | Select one of the regions to be connected. In this example, select China (Guangzhou). |
Transit Router | The ID of the transit router in the selected region is automatically displayed. |
Peer Region | Select the other region to be connected. In this example, select China (Ulanqab). |
Transit Router | The ID of the transit router in the selected region is automatically displayed. |
Bandwidth Plan | Select a bandwidth plan that is associated with the CEN instance. |
Bandwidth | Specify a bandwidth value for inter-region connections. Unit: Mbit/s. |
Step 5: Test network connectivity
After you complete the preceding steps, VPC1, VPC2, and VPC3 are connected to each other. This section describes how to test the network connectivity between the VPCs.
In this example, ECS instances in VPC1, VPC2, and VPC3 run the Alibaba Cloud Linux operating system. For more information about how to use the ping command on other operating systems, see the manual of the operating system that you use.
Test the network connectivity between VPC1 and VPC2.
Log on to an ECS instance in VPC1. For more information, see Connection method overview.
On the ECS instance, run the ping command to test whether you can access the ECS instance in VPC2.
ping <The IP address of the ECS instance in VPC2>
The following echo reply packet indicates that VPC1 can communicate with VPC2.
Test the network connectivity between VPC1 and VPC3.
Log on to an ECS instance in VPC3.
On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC1.
# Send a ping packet that is 2,000 bytes in length to test whether VPC1 and VPC3 can communicate with each other across regions.
ping <The IP address of the ECS instance in VPC1> -s 2000
The following echo reply packet indicates that VPC1 can communicate with VPC3.
Test the network connectivity between VPC2 and VPC3.
Log on to an ECS instance in VPC3.
On the ECS instance, run the ping command to test whether you can access an ECS instance in VPC2.
# Send a ping packet that is 2,000 bytes in length to test whether VPC2 and VPC3 can communicate with each other across regions.
ping <The IP address of the ECS instance in VPC2> -s 2000
The following echo reply packet indicates that VPC2 can communicate with VPC3.
Step 6: Mount the file system
After you complete the preceding configurations, mount the file system on an ECS instance across accounts and regions.
For information about how to mount a Network File System (NFS) file system on a Linux ECS instance, see Mount an NFS file system on a Linux ECS instance.
For information about how to mount a Server Message Block (SMB) file system on a Windows ECS instance, see Mount an SMB file system on a Windows ECS instance.
References
You can mount a NAS file system across VPCs by using PrivateLink or CEN. For more information, see Use PrivateLink to mount a NAS file system across VPCs in the same region or Use CEN to mount a NAS file system across VPCs in the same region.
You can mount a NAS file system in an on-premises data center. For more information, see Access file systems in on-premises data centers.
You can migrate data from an on-premises storage system or Object Storage Service (OSS) bucket to a NAS file system. For more information, see Data migration.