How do I access FSx for ONTAP using a transit gateway across different VPCs in the same Region?


I have Amazon FSx for NetApp ONTAP file systems in different Amazon Virtual Private Clouds (Amazon VPCs) in the same AWS Region. I want to use AWS Transit Gateway to access my file systems.

Short description

FSx for ONTAP file systems (Multi-AZ deployments) use floating IP addresses for their endpoints, and by default that endpoint IP address range lies outside the VPC's CIDR. Inside VPC-A, clients still reach the file system because Amazon FSx adds routes for the endpoint range to the route table that you select when you create the file system, so any subnet that uses that route table can connect. A VPC peering connection doesn't help: peering only forwards traffic destined for the peer VPC's CIDR, so packets addressed to an endpoint range outside that CIDR are dropped. To reach the file system from another VPC, in the same Region or a different one, use a transit gateway, which forwards any CIDR that you add as a static route.

Resolution

This resolution uses the following example values:

  • VPC-A: The VPC that has the FSx for ONTAP file system. The CIDR is 172.31.0.0/16.
  • VPC-B: The VPC that has the Amazon Elastic Compute Cloud (Amazon EC2) instance. The CIDR is 10.0.0.0/16.

It's a best practice to choose an endpoint IP address range that's within your VPC's IP address range. This simplifies your networking setup, especially when you access your data from other AWS services or other networks (on-premises networks or peered networks in AWS). By default, Amazon FSx chooses an IP address range at the end of your VPC's IP address range, but you can choose your own range.

Step 1: Create a transit gateway

  1. Open the VPC console, and then choose Transit gateways.
  2. Create a transit gateway.
    Note: Choose the default options. You don't need to select a CIDR range on the console.

Step 2: Create transit gateway attachments

Create one VPC attachment for each VPC, so that both VPC-A and VPC-B are attached to the same transit gateway:

  1. Open the VPC console.
  2. Choose Transit gateway attachments, Create transit gateway attachment.
  3. For Transit gateway ID, make sure that you select the transit gateway that you just created. For Attachment type, choose VPC, select VPC-A, and then select the subnets to attach (one per Availability Zone). Name this attachment tgw-attachment-VPC-A.
  4. Repeat steps 1-3 for VPC-B, selecting the subnets of the EC2 instance. Name this attachment tgw-attachment-VPC-B.

Note: Keep the default route table association and propagation settings. With propagation turned on, the transit gateway route table learns each VPC's CIDR from its attachment, but it doesn't learn the FSx endpoint IP address range, because that range isn't part of VPC-A's CIDR. You add that range as a static route in Step 3.

Step 3: Create routes

The packet path from the client to the file system must be:

EC2 instance -> VPC-B route table -> tgw-attachment-VPC-B -> transit gateway route table (198.19.0.0/16) -> tgw-attachment-VPC-A -> FSx for ONTAP file system

Note: 198.19.0.0/16 is an example CIDR for the file system's endpoint IP address range. Substitute your own file system's endpoint IP address range.

VPC-B Route Table to tgw-attachment-VPC-B

  1. Open the VPC console, and then choose Route tables.
  2. Open the route table of VPC-B.
  3. In the Routes section, choose Edit Routes, Add route.
  4. For Destination, enter the CIDR Range 198.19.0.0/16.
  5. For Target, choose Transit Gateway, and then select the tgw-xxx that you created.
  6. Choose Save changes.

To access the file system over iSCSI or through a SnapMirror relationship, add another route for 172.31.0.0/16 (the VPC-A CIDR) with the same target (tgw-xxx). iSCSI and SnapMirror traffic uses the file system's intercluster endpoints, and the intercluster endpoint IP addresses belong to the VPC-A CIDR rather than to the endpoint IP address range.

TGW route table (198.19.0.0/16) to tgw-attachment-VPC-A

This hop happens inside the transit gateway, so the route belongs in the transit gateway route table. Attachment propagation only adds each VPC's own CIDR, and the endpoint IP address range isn't part of VPC-A's CIDR, so you must create a static route for it.

  1. Open the VPC console, and then choose Transit gateways, Transit gateway route tables.
  2. Select the route table that corresponds to the transit gateway Id tgw-xxx. Then, choose the Routes tab.
  3. Choose Create static route, and then enter the CIDR 198.19.0.0/16.
  4. For the attachment, choose tgw-attachment-VPC-A.
  5. Choose Create static route.

tgw-attachment-VPC-A to the FSx for ONTAP file system

This route already exists. The 198.19.x.x/y destination matches a route in the VPC-A route table whose target is one of the file system's elastic network interfaces (eni-xxx). Amazon FSx creates these routes in the route table that you select when you provision the file system. Make sure that the subnets that you chose for tgw-attachment-VPC-A use that route table (or another route table that also contains the FSx routes), because traffic that arrives from the transit gateway is routed according to the attachment subnet's route table.

The flow in the previous example is only the forward direction. For the file system's replies to travel back to the EC2 instance, add a return route to the VPC-A route table:

  1. Open the VPC console, and then choose Route tables.
  2. Open the route table of VPC-A.
  3. In the Routes section, choose Edit routes, Add route.
  4. For Destination, enter the CIDR range 10.0.0.0/16.
  5. For Target, choose Transit gateway, and then select the tgw-xxx that you created.
  6. Choose Save changes.

Also check the security groups on the file system's elastic network interfaces and the network ACLs of the subnets involved. They must allow the client protocol (for example, NFS on TCP/UDP port 2049 or SMB on TCP port 445) from the VPC-B CIDR 10.0.0.0/16, not only from VPC-A.
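The three route-table lookups above, and the two traps this article calls out (the missing VPC-A return route and the missing VPC-B route for intercluster traffic), can be checked offline before you touch the console. The following Python script is an added example written for this article, not AWS code: it models the VPC-A, VPC-B and transit gateway route tables with the article's example CIDRs, resolves a destination by longest-prefix match in each table, and traces a flow in both directions, reporting the table that blackholes it. The client IP, endpoint IP and intercluster IP, and the table names rt-vpc-a, rt-vpc-b and tgw-rt, are assumptions chosen for the example; 198.19.0.0/16 is the article's example endpoint range.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addressing, modelled on the article's VPC-A / VPC-B layout.
# None of these are real resources; the host IPs are hypothetical.
VPC_A_CIDR = "172.31.0.0/16"          # VPC-A: holds the FSx for ONTAP file system
VPC_B_CIDR = "10.0.0.0/16"            # VPC-B: holds the EC2 client
FSX_ENDPOINT_RANGE = "198.19.0.0/16"  # example endpoint IP range used by the article
CLIENT_IP = "10.0.1.23"               # hypothetical EC2 instance in VPC-B
NFS_ENDPOINT_IP = "198.19.255.5"      # hypothetical NFS/SMB floating endpoint IP
INTERCLUSTER_IP = "172.31.200.10"     # hypothetical intercluster LIF, inside the VPC-A CIDR

# Which route table a packet consults next after matching a given target.
# Targets not listed here ("local", "eni-xxx") terminate the trace inside that VPC.
NEXT_TABLE = {
    "tgw-xxx": "tgw-rt",                 # VPC route to the TGW -> TGW route table
    "tgw-attachment-VPC-A": "rt-vpc-a",  # TGW route -> route table of the VPC-A attachment subnet
    "tgw-attachment-VPC-B": "rt-vpc-b",
}


@dataclass
class RouteTable:
    name: str
    routes: dict  # destination CIDR -> target

    def lookup(self, ip):
        """Longest-prefix match, which is how VPC and TGW route tables pick a route."""
        addr = ipaddress.ip_address(ip)
        best_net, best_target = None, None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target


def build_tables(return_route=True, intercluster_route=True):
    """Route tables as they look after the article's Step 3.

    The flags let you leave out one of the routes and see which direction breaks.
    """
    # VPC-A: the 198.19.0.0/16 -> eni-xxx route is created by FSx at provisioning.
    rt_a = {VPC_A_CIDR: "local", FSX_ENDPOINT_RANGE: "eni-xxx"}
    if return_route:
        rt_a[VPC_B_CIDR] = "tgw-xxx"  # the symmetric return route added in the last section
    # VPC-B: send the endpoint range to the transit gateway.
    rt_b = {VPC_B_CIDR: "local", FSX_ENDPOINT_RANGE: "tgw-xxx"}
    if intercluster_route:
        rt_b[VPC_A_CIDR] = "tgw-xxx"  # extra route needed for iSCSI / SnapMirror (intercluster LIFs)
    # TGW route table: the VPC CIDRs are propagated by the attachments; the endpoint
    # range is outside VPC-A's CIDR, so it only exists as the static route.
    tgw = {
        VPC_A_CIDR: "tgw-attachment-VPC-A",
        VPC_B_CIDR: "tgw-attachment-VPC-B",
        FSX_ENDPOINT_RANGE: "tgw-attachment-VPC-A",
    }
    return {
        "rt-vpc-a": RouteTable("rt-vpc-a", rt_a),
        "rt-vpc-b": RouteTable("rt-vpc-b", rt_b),
        "tgw-rt": RouteTable("tgw-rt", tgw),
    }


def trace(tables, start, dst_ip, max_hops=6):
    """Follow dst_ip from route table `start`; returns (hops, delivered)."""
    hops, table = [start], start
    for _ in range(max_hops):
        target = tables[table].lookup(dst_ip)
        if target is None:
            return hops + ["(no route)"], False  # blackholed in this table
        hops.append(target)
        if target not in NEXT_TABLE:
            return hops, True  # delivered inside the VPC (local subnet or FSx ENI)
        table = NEXT_TABLE[target]
    return hops + ["(loop)"], False


def check_flow(tables, client_ip, fsx_ip):
    """Trace client -> FSx and FSx -> client; the flow only works if both are delivered."""
    fwd, fwd_ok = trace(tables, "rt-vpc-b", fsx_ip)
    ret, ret_ok = trace(tables, "rt-vpc-a", client_ip)
    return {"forward": fwd, "forward_ok": fwd_ok,
            "return": ret, "return_ok": ret_ok,
            "usable": fwd_ok and ret_ok}


if __name__ == "__main__":
    for label, tables, dst in [
        ("NFS, full config", build_tables(), NFS_ENDPOINT_IP),
        ("NFS, VPC-A return route missing", build_tables(return_route=False), NFS_ENDPOINT_IP),
        ("SnapMirror, VPC-B intercluster route missing",
         build_tables(intercluster_route=False), INTERCLUSTER_IP),
    ]:
        r = check_flow(tables, CLIENT_IP, dst)
        print(f"{label}: usable={r['usable']}")
        print("  forward:", " -> ".join(r["forward"]))
        print("  return: ", " -> ".join(r["return"]))
```

Running the script shows the full configuration delivering both directions, the second case reaching the file system but blackholing the reply in rt-vpc-a, and the third case blackholing intercluster traffic in rt-vpc-b before it ever reaches the transit gateway. To check a real deployment, replace the dictionaries in build_tables() with the routes returned by aws ec2 describe-route-tables and aws ec2 search-transit-gateway-routes.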

AWS OFFICIAL. Updated 9 months ago
2 Comments

Noted that there's a need to clarify 'gateway attachment' instead of just 'gateway' in "Step 2: Create transit gateway attachments":

Create two attachments for the transit gateway by doing the following:

  1. Open the VPC console.
  2. Select Transit gateway attachments, Create transit gateway attachment.
  3. Create a transit gateway attachment. For Transit gateway ID, make sure that you select the transit gateway you just created.
  4. Repeat steps 1-3 to create a second transit gateway.

Step 4 should be as follows:

  4. Repeat steps 1-3 to create a second transit gateway attachment.

Also noted that step 4 is misleading in the section "Step 3: Create routes":

TGW route table (198.19.0.0/16) to tgw-attachment-VPC-A

This routing must be within the transit gateway. This means that you need to create a static route in the transit gateway route table.

  1. Open the VPC console, and then select Transit gateways, Transit gateway route tables.
  2. Select the route table corresponding to the transit gateway Id tgw-xxx and then select the Routes tab.
  3. Select Create static route, and enter the CIDR 198.19.0.0/16.
  4. Choose tgw-attachment-VPC-B as the attachment.
  5. Select Create static route.

Step 4 should be as follows:

  4. Choose tgw-attachment-VPC-A as the attachment.
replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR, replied 10 months ago