I have Amazon FSx for NetApp ONTAP file systems in different Amazon Virtual Private Clouds (Amazon VPCs) in the same AWS Region. I want to use AWS Transit Gateway to access my file systems.
Short description
FSx for ONTAP file systems have floating IP addresses that are outside of the VPC's CIDR. If the client and the file system use the same route table, then you can access your FSx for ONTAP file systems from the VPC. However, because the floating IP addresses are outside of the VPC's CIDR, you can't reach them over VPC peering. To share the file system across VPCs or Regions, you must use a transit gateway.
Resolution
This resolution uses the following example VPCs:
- VPC-A: The VPC that has the FSx for ONTAP file system. The CIDR is 172.31.0.0/16.
- VPC-B: The VPC that has the Amazon Elastic Compute Cloud (Amazon EC2) instance. The CIDR is 10.0.0.0/16.
It's a best practice to choose an endpoint IP address range that's within your VPC's IP address range. This simplifies your networking setup, especially when you access your data from other AWS services or other networks (on-premises networks or peered networks in AWS). By default, Amazon FSx chooses an IP address range at the end of your VPC's IP address range, but you can choose your own range.
Step 1: Create a transit gateway
- Open the VPC console, and then choose Transit gateways.
- Create a transit gateway.
Note: Choose the default options. You don't need to select a CIDR range on the console.
Step 2: Create transit gateway attachments
Create two attachments for the transit gateway:
- Open the VPC console.
- Choose Transit gateway attachments, Create transit gateway attachment.
- Create a transit gateway attachment. For Transit gateway ID, make sure that you select the transit gateway that you just created.
- Repeat steps 1-3 to create a second transit gateway attachment.
- Select the transit gateway you just created.
Step 3: Create routes
You must configure the routes as shown in the following example:
EC2 instance to VPC-B route table to tgw-attachment-VPC-B to TGW route table (198.19.0.0/16) to tgw-attachment-VPC-A to FSx for ONTAP file system
Note: 198.19.0.0/16 CIDR is an example CIDR range for the FSx for ONTAP file system.
VPC-B Route Table to tgw-attachment-VPC-B
- Open the VPC console, and then choose Route tables.
- Open the route table of VPC-B.
- In the Routes section, choose Edit routes, Add route.
- For Destination, enter the CIDR Range 198.19.0.0/16.
- For Target, choose Transit Gateway, and then select the tgw-xxx that you created.
- Choose Save changes.
To access the file system over iSCSI or a SnapMirror relationship, add another route to 172.31.0.0/16 over the same target (tgw-xxx). This is because iSCSI and SnapMirror relationships use intercluster endpoints. Intercluster endpoints have IP addresses that belong to the VPC-A CIDR range.
TGW route table (198.19.0.0/16) to tgw-attachment-VPC-A
This routing must be within the transit gateway. This means that you need to create a static route in the transit gateway route table.
- Open the VPC console, and then choose Transit gateways, Transit gateway route tables.
- Select the route table that corresponds to the transit gateway ID tgw-xxx. Then, choose the Routes tab.
- Choose Create static route, and then enter the CIDR 198.19.0.0/16.
- For the attachment, choose tgw-attachment-VPC-A.
- Choose Create static route.
tgw-attachment-VPC-A to FSx for ONTAP file system
This route already exists. The 198.19.x.x/y destination hits one of the target elastic network interfaces (eni-xxx) on the VPC-A route table. These are the routes that the Amazon FSx service creates on the selected route table when the ONTAP file system is provisioned. However, the flow in the previous example represents a unidirectional packet flow. To make the route symmetric so that packets can travel back to the EC2 instance, add another route on the VPC-A route table.
- Open the VPC console, and then choose Route tables.
- Open the route table of VPC-A.
- In the Routes section, choose Edit routes, Add route.
- For Destination, enter the CIDR Range 10.0.0.0/16.
- For Target, choose Transit gateway, and then select the tgw-xxx that you created.
- Choose Save changes.
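The following added example (not part of the original article) models the three route tables from Step 3 and traces a packet in both directions with longest-prefix matching, so that a missing return route or a missing intercluster route shows up as a dead end. The table names (rtb-VPC-B, tgw-rtb, rtb-VPC-A), the floating IP 198.19.255.10, and the propagated transit gateway routes are assumptions made for illustration.

```python
import ipaddress

# Constructed route tables mirroring the article's example. A target that names
# another table is followed as the next hop; "local" and "eni-xxx" are terminal.
# Assumptions: the floating IP 198.19.255.10 is made up, and the transit gateway
# table holds the propagated VPC CIDRs that the default settings create.
TABLES = {
    "rtb-VPC-B": {"10.0.0.0/16": "local",
                  "198.19.0.0/16": "tgw-rtb",     # Step 3: floating IPs
                  "172.31.0.0/16": "tgw-rtb"},    # iSCSI / SnapMirror endpoints
    "tgw-rtb":   {"198.19.0.0/16": "rtb-VPC-A",   # static route
                  "172.31.0.0/16": "rtb-VPC-A",   # propagated (assumed)
                  "10.0.0.0/16": "rtb-VPC-B"},    # propagated (assumed)
    "rtb-VPC-A": {"172.31.0.0/16": "local",
                  "198.19.255.10/32": "eni-xxx",  # created by Amazon FSx
                  "10.0.0.0/16": "tgw-rtb"},      # return route to the client
}

def lookup(table, dst):
    """Longest-prefix match; returns the target, or None when nothing matches."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=6):
    """Follow routes from table `start` until a terminal target or a dead end."""
    path, current = [start], start
    for _ in range(max_hops):
        target = lookup(tables[current], dst)
        path.append(target)
        if target not in tables:   # "local", an ENI, or None (no route)
            return path
        current = target
    return path                    # hop limit reached: routing loop

def round_trip_ok(tables, fs_ip, client_ip,
                  client_rtb="rtb-VPC-B", fs_rtb="rtb-VPC-A"):
    """True only when the forward and the return path are both delivered."""
    fwd = trace(tables, client_rtb, fs_ip)
    back = trace(tables, fs_rtb, client_ip)
    fwd_ok = fwd[-1] is not None and fwd[-1] not in tables and fwd[-2] == fs_rtb
    back_ok = back[-1] == "local" and back[-2] == client_rtb
    return fwd_ok and back_ok

if __name__ == "__main__":
    print(trace(TABLES, "rtb-VPC-B", "198.19.255.10"))  # client -> file system
    print(trace(TABLES, "rtb-VPC-A", "10.0.0.5"))       # file system -> client
```

Deleting the 10.0.0.0/16 entry from rtb-VPC-A reproduces the unidirectional flow described above: the forward trace still reaches eni-xxx, but the return trace ends in None.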