All Products
Search
Document Center

File Storage NAS:Use PrivateLink to mount a NAS file system across VPCs in the same region

Last Updated:Oct 31, 2024

By default, File Storage NAS (NAS) allows you to mount a NAS file system only to an Elastic Compute Service (ECS) instance that resides in the same virtual private cloud (VPC) in the same region and within the same Alibaba Cloud account. If you want to mount a NAS file system across VPCs, you can use PrivateLink to establish a private connection between the VPCs. You do not need to use an Internet egress such as a network address translation (NAT) gateway or an elastic IP address (EIP). Data is not transmitted over the Internet, providing higher security and network quality. This topic describes how to use PrivateLink to mount and access a NAS file system across VPCs in the same region.

Feature description

PrivateLink allows you to use VPCs of Alibaba Cloud for service interaction. PrivateLink provides one-way access to services deployed in other VPCs over private connections. You do not need to create an Internet egress such as an NAT gateway or an EIP. PrivateLink provides higher data security and network quality because data is not transmitted over the Internet.

Network Load Balancer (NLB) instances can be used as service resources by the endpoint services of PrivateLink. NLB instances receive requests from clients and forward the requests to backend servers based on the forwarding rules configured for listeners. After you specify an NLB instance as a service resource of an endpoint service, the NLB instance can provide services across multiple zones. You do not need to configure an NLB instance for each zone.

Scenarios

This topic describes how to use ECS instances in VPC 1 to access a General-purpose Network File System (NFS) file system in VPC 2. VPC 1 and VPC 2 reside in the same region and belong to the same Alibaba Cloud account. You must create an NLB instance in VPC 2. The NLB instance is deployed across two zones. Create backend server groups S1 and S2 for the NLB instance, and add the two access ports 111 and 2049 of the NFS file system to S1 and S2. Create an endpoint service and add the NLB instance as a service resource of the endpoint service. Create an endpoint in VPC 1 and connect the endpoint to the endpoint service. If the status of the connection is normal, the ECS instances in VPC 1 can access the NFS file system in VPC 2.

Note

For a Server Message Block (SMB) file system, you need to create only one backend server group and add port 445 to the backend server group for the NLB instance.

The following table describes the planning of the two VPCs. The CIDR blocks of the two VPCs can overlap with each other without affecting each other.

Item

VPC 1

VPC 2

Region

China (Chengdu)

China (Chengdu)

CIDR block

  • VPC: 10.0.0.0/8

  • vSwitch 1: 10.0.23.0/24

  • vSwitch 2: 10.0.24.0/24

  • VPC: 192.168.0.0/16

  • vSwitch 3: 192.168.2.0/24

  • vSwitch 4: 192.168.4.0/24

vSwitch zone

  • vSwitch 1 is deployed in Zone A.

  • vSwitch 2 is deployed in Zone B.

  • vSwitch 3 is deployed in Zone A.

  • vSwitch 4 is deployed in Zone B.

image

Limits

  • When you create an endpoint service, select a region that supports both PrivateLink and NLB instances. For more information about the regions that support PrivateLink and NLB instances, see Regions and zones that support PrivateLink and Regions and zones in which NLB is available.

  • A connection can be established between an endpoint and an endpoint service only if they are deployed in the same zone. The zones where endpoints are deployed must be a subset of the zones where the service resources of endpoint services are deployed. Therefore, we recommend that you select all zones or as many zones as possible in a region when you deploy the service resources of endpoint services. This way, different endpoints can access the service resources.

  • By default, PrivateLink cannot be accessed over IPv6. If you need to access PrivateLink over IPv6, contact your account manager.

  • You can use PrivateLink to mount only General-purpose NAS file systems across VPCs in the same region.

Prerequisites

Step 1: Create an internal-facing NLB instance

  1. Log on to the NLB console.

  2. In the top navigation bar, select the region in which the NLB instance is deployed.

  3. On the Instances page, click Create NLB.

  4. On the NLB (Pay-As-You-Go) International Site page, configure the parameters and then click Buy Now. The following table describes the parameters.

    Parameter

    Description

    Region

    Select the region where you want to create an NLB instance. In this example, select China (Chengdu).

    Network Type

    Select a network type for the NLB instance. In this example, select Intranet.

    IP Version

    Select an IP version for the NLB instance.

    • IPv4: If you select this option, the NLB instance can be accessed only by IPv4 clients.

    • Dual-stack Networking: If you select this option, the NLB instance can be accessed by IPv4 and IPv6 clients.

    VPC

    Select a VPC where you want to deploy the NLB instance. In this example, select VPC 2.

    Zone

    Select the zones where you want to deploy the NLB instance. You must select at least two zones. In this example, select Chengdu Zone A and Chengdu Zone B and the vSwitches in both zones.

    Instance Name

    Enter a name for the NLB instance.

    Resource Group

    Select the resource group to which the NLB instance belongs. In this example, select Default Resource Group.

    Service-linked Role

    When you create an NLB instance for the first time, you must click Create Service-linked Role to create a service-linked role.

Step 2: Create a backend server group for the NLB instance

  1. In the left-side navigation pane, choose NLB > Server Groups.

  2. In the top navigation bar, select a region.

  3. On the Server Groups page, click Create Server Group.

  4. In the Create Server Group dialog box, configure the parameters and then click Create. The following table describes the parameters.

    Parameter

    Description

    Server Group Type

    Select the type of the server group that you want to create. In this example, select IP.

    Server Group Name

    Enter a name for the server group. In this example, enter S1.

    VPC

    Select the VPC to which the backend server group belongs. In this example, select VPC 2.

    Backend Server Protocol

    Select a backend protocol. In this example, select TCP.

    Scheduling Algorithm

    Select a scheduling algorithm. Weighted Round-Robin is selected by default. In this example, retain the default setting.

    IPv6 Support

    Specify whether to enable IPv6.

    • If you enable IPv6, you can add IPv4 and IPv6 backend servers to the server group.

    • If you do not enable IPv6, you can add only IPv4 backend servers to the server group.

    Note

    If IPv6 is disabled for the VPC that you select for the server group, IPv6 is disabled for the server group by default.

    Enable Connection Draining

    After connection draining is enabled, connections to backend servers remain open during the specified timeout period even if the backend servers are removed or if they fail health checks.

    Connection Draining Timeout Period: If you enable connection draining, you must specify a timeout period.

    The feature is disabled by default. In this example, retain the default setting.

    Client IP Preservation

    Specify whether to enable client IP preservation. You cannot enable client IP preservation for a server group of the IP type. If you want the server group to retrieve client IP addresses, enable Proxy Protocol for the associated listener.

    Enable All-port Forwarding

    Specify whether to enable all-port forwarding. After all-port forwarding is enabled, you do not need to specify a port when you add a backend server. The NLB instance forwards requests to a backend server based on the frontend port.

    Note

    If you enable all-port forwarding for your listener, you must enable this feature for the backend server group.

    The feature is disabled by default. In this example, retain the default setting.

    Enable Health Check

    Specify whether to enable the health check feature. The feature is enabled by default. In this example, retain the default setting.

    After the health check feature is enabled, you can click Modify to modify the related configurations. In this example, retain the default settings.

  5. After you create the server group, find S1 on the Server Groups page and click its ID.

  6. Click the Backend Servers tab, and then click Add IP Address.

  7. In the Add Backend Server panel, enter the virtual IP address (VIP) of the mount target for the NAS file system and click Next.

    You can ping the mount target on the ECS instance to obtain the VIP of the mount target. Example:

    • Command:

      ping 19f04a4****-i****.cn-chengdu.nas.aliyuncs.com
    • Sample command output:

      image.png

  8. Set the port number and weight of the added NAS file system and click OK.

    Set the port number to 111 and retain the default value of the weight.

    After backend server group S1 is created, repeat the preceding steps to create backend server group S2. When you add backend servers, set the port number to 2049.

    Note

    For an SMB file system, you need to create only one backend server group and set the port number to 445.

Step 3: Configure a listener

  1. In the left-side navigation pane, choose NLB Instances.

  2. On the Instances page, click the ID of the NLB instance that you want to manage.

  3. Click the Listener tab. On the Listener tab, click Create Listener.

  4. On the Configure Listener wizard page, configure the parameters and then click Next. The following table describes the parameters.

    Parameter

    Description

    Listener Protocol

    Select a listener protocol. In this example, select TCP.

    Listen by Port Range

    Specify whether to enable listening by port range. If you enable this feature, the NLB instance listens on all ports in a specific port range, and redirects requests destined for the ports to the backend servers. The feature is disabled by default. In this example, retain the default setting.

    Listener Port Range

    Specify the listening port that is used to receive and process requests. In this example, select 111.

    Note

    For an SMB file system, select 445.

    Listener Name

    Enter a name for the listener.

    Advanced Settings

    You can click Modify to modify the advanced settings. In this example, use the default advanced settings.

  5. In the Server Group step, select backend server group S1 created in Step 2 and click Next.

    Important

    The selected backend server group must match the listening port. Otherwise, the NAS file system cannot be mounted.

  6. On the Configuration Review wizard page, confirm the configurations and click Submit.

  7. In the NLB Configuration Wizard message, click OK. Then, return to the Instances page.

    If the health check status of the listener is Healthy, the backend server (VIP of the NAS file system) can process the requests forwarded by the NLB instance.

  8. Repeat Step 4 to Step 7. Set the listening port to 2049 and set Server Group to S2.

    Note

    For an SMB file system, you only need to configure listening port 445.

Step 4: Create an endpoint service

  1. Log on to the endpoint service console.

  2. In the top navigation bar, select the region where you want to create an endpoint service. In this example, select China (Chengdu).

  3. On the Endpoints Service page, click Create Endpoint Service.

  4. On the Create Endpoint Service page, configure the parameters and then click OK. The following table describes the parameters.

    Parameter

    Description

    Service Resource Type

    Select the type of the service resource that you want to add to the endpoint service. In this example, select NLB.

    Select Service Resource

    Select the zones where the service resource is deployed and then select the service resource.

    In this example, select Chengdu Zone A and click +Add Service Resource to select Chengdu Zone B. Select the NLB instance created in Step 1 as the service resource for Chengdu Zone A and Chengdu Zone B.

    Automatically Accept Endpoint Connections

    Specify whether the endpoint service automatically accepts connection requests from endpoints. In this example, select No.

    Enable Zone Affinity

    Specify whether to first resolve the domain name of the nearest endpoint that is associated with the endpoint service. In this example, select No.

    Resource Group

    Select the resource group to which the endpoint service belongs.

    Description

    Enter a description for the endpoint service.

Step 5: Create an endpoint

  1. Log on to the endpoint console.

  2. In the top navigation bar, select the region where you want to create an endpoint. In this example, select China (Chengdu).

  3. On the Endpoints page, click the Interface Endpoint tab and then click Create Endpoint.

  4. On the Create Endpoint page, configure the parameters for the endpoint and then click OK. The following table describes the parameters.

    Parameter

    Description

    Endpoint Name

    Enter a name for the endpoint.

    Endpoint Type

    Select a type for the endpoint. In this example, select Interface Endpoint.

    Endpoints Service

    Select the endpoint service.

    In this example, click Select Service and select the endpoint service created in Step 4: Create an endpoint service.

    VPC

    Select the VPC to which the endpoint belongs. In this example, select VPC 1.

    Security Groups

    Select the security group that you want to associate with the elastic network interface (ENI) of the endpoint. The security group is used to control data transfer from VPC 1 to the endpoint ENI.

    Note

    Make sure that the rules in the security group allow clients to access the endpoint ENI.

    Zone and vSwitch

    Select the zone where the endpoint service is deployed and select a vSwitch in the zone. The system automatically creates an endpoint ENI and attaches it to the vSwitch.

    In this example, select Chengdu Zone A and a vSwitch in Chengdu Zone A. Then, click +Add vSwitch, select Chengdu Zone B, and then select a vSwitch in Chengdu Zone B.

    Resource Group

    Select the resource group to which the endpoint belongs.

    Description

    Enter a description for the endpoint.

    After you create the endpoint, you can view the domain names and IP addresses of the zones.

    image.png

Step 6: Accept connection requests

To establish an endpoint connection, the endpoint service must accept the connection requests from the associated endpoint. Then, VPC 1 can use the endpoint to access the endpoint service.

Note

Skip this step if you set the Automatically Accept Endpoint Connections parameter to Yes in Step 4.

  1. Log on to the endpoint service console.

  2. In the top navigation bar, select the region where the endpoint service is created. In this example, select China (Chengdu).

  3. On the Endpoints Service page, find the endpoint service that you created in Step 4 and click its ID.

  4. On the details page of the endpoint service, click the Endpoint Connections tab, find the endpoint that you want to manage, and then click Allow in the Actions column.

    After the connection requests are accepted, the state of the endpoint connection changes from Disconnected to Connected. Then, the endpoint service can process requests from the endpoint. You can use the domain names and IP addresses of the zones that are generated in Step 5 to access the endpoint service.

Step 7: Mount the file system

  1. Connect to the ECS instance. For more information, see Connection method overview.

  2. Test the network connectivity between VPC 1 and VPC 2.

    In this example, Telnet is used to test the network connectivity. Make sure that Telnet is installed. Make sure that the IP addresses of the endpoint generated in Step 5 can be pinged. Run the following command. Replace the IP address and port number of the endpoint based on your business requirements.

    telnet 10.0.23.151 2049

    If no error message is returned after you run the command, the network between VPC 1 and VPC 2 is connected.

  3. Mount the file system.

    1. Install an NFS client. For more information, see Step 1: Install an NFS client.

      Note

      For more information about how to mount a file system on Windows, see Mount an SMB file system.

    2. Mount the file system.

      Use an IP address of the endpoint generated in Step 5 to mount the file system. Run the following command:

      sudo mount -t nfs -o vers=3,nolock,proto=tcp,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 10.0.23.117:/ /mnt
      Note

      To mount a file system on Windows, run the following command:

      net use Z: \\10.0.23.151\myshare

What to do next

If you no longer use the NAS file system on the ECS instance, unmount the file system before you delete resources such as the NLB instance and endpoint. If you delete resources such as the NLB instance and endpoint before you unmount the file system, the operating system may give a slow response or does not respond.

References