1

a my
us
th
Mu

NetApp ONTAP S3
r
ma
l ku
hi
nt
Se

Digitally signed by Senthilkumar

Senthilkum Muthusamy
DN: cn=Senthilkumar
Muthusamy gn=Senthilkumar
ar Muthusamy c=IN India l=IN India
o=SAN MASTERS ou=Training
[email protected]
Muthusamy Reason: I am the author of this
document
Location:
Date: 2023-06-23 10:11+05:30

SENTHILKUMAR MUTHUSAMY | SANMASTERS 1

2

Overview
NetApp ONTAP 9.8 software supports the Amazon Simple Storage
Service (S3). ONTAP supports a subset of AWS S3 API actions and
allows data to be represented as objects in ONTAP-based systems,
including AFF, FAS, and ONTAP Select. NetApp StorageGRID® software
is, and will remain, the NetApp flagship solution for object storage.

my
ONTAP complements StorageGRID by providing an ingest and
preprocessing point on the edge, expanding the data fabric powered

a
by NetApp for object data, and increasing the value of the NetApp

us
product portfolio.
th
Mu
Primary use cases
r

The primary purpose of S3 in ONTAP is to provide support for objects

ma

on ONTAP-based systems. The ONTAP unified storage architecture

ku

now supports files (NFS and SMB), blocks (FC and iSCSI), and objects
(S3).
l
hi
nt

Native S3 applications
Se

An increasing number of customers need ONTAP to support objects

using S3. Although well suited for high-capacity archival workloads,
demand for native S3 applications is growing rapidly and includes:
• Analytics
• Artificial intelligence
• Edge-to-core ingest
• Machine learning

SENTHILKUMAR MUTHUSAMY | SANMASTERS 2

3

FabricPool endpoints
Beginning with in ONTAP 9.8, FabricPool supports tiering to buckets in
ONTAP, allowing for ONTAP-toONTAP tiering. This is an excellent
option for customers who wish to repurpose existing FAS
infrastructure as an object-store endpoint.
FabricPool supports tiering to ONTAP in two ways:
• Local cluster tiering. Inactive data is tiered to a bucket located
on the local cluster using cluster LIFs.

my
• Remote cluster tiering. Inactive data is tiered to a bucket

a
located on a remote cluster similarly to a traditional FabricPool cloud

us
tier using IC LIFs on the FabricPool client and data LIFs on the ONTAP
object store.
th
NetApp recommends using StorageGRID, the premier NetApp object
Mu
store solution, when tiering more than 300TB of inactive data. A
FabricPool license is not required when using ONTAP or StorageGRID
r
ma

as the cloud tier.

l ku

Architecture
hi

Object storage is an architecture that manages data as objects, as

nt

opposed to other storage architectures such as file or block storage.

Se

Objects are kept inside a single container (such as a bucket) and are
not nested as files inside a directory inside other directories. Although
object storage might be less performative than file or block storage, it
is significantly more scalable, and buckets containing petabytes of
data are not uncommon.

SENTHILKUMAR MUTHUSAMY | SANMASTERS 3

4

a my
us
th
Mu
r
ma
l ku
hi
nt

Object store server

Se

The SVM’s object store server manages data as objects, as opposed to

other storage architectures such as file or block storage. Management
of bucket and user permission levels also takes place at the object
store server level. ONTAP S3 supports one object store server per
SVM.

SENTHILKUMAR MUTHUSAMY | SANMASTERS 4

5

Bucket
In ONTAP, the underlying architecture for a bucket is a FlexGroup
volume—a single namespace that is made up of multiple constituent
member volumes but is managed as a single volume. Individual
objects in a bucket are allocated to individual member volumes and
are not striped across volumes or nodes. Individual buckets cannot be
provisioned smaller than 96GB.

a my
us
th
Mu
r
ma
l ku
hi

When used by buckets, FlexGroup volumes use elastic sizing, not

volume autogrow. FlexGroup volume maximums are only limited by
nt

the physical maximums of the underlying hardware and have been

Se

tested to 20PB and 400 billion files in a 10-node cluster.

ONTAP S3 supports up to 12,000 buckets, although no more than
1,000 buckets should be created on a single FlexGroup volume. The
Amazon S3 maximum object size is 5TB. ONTAP S3 supports objects
up to 16TB. Objects greater than 5TB might result in interoperability
issues for clients that cannot exceed Amazon-defined maximum
object sizes.

SENTHILKUMAR MUTHUSAMY | SANMASTERS 5

6

S3 configuration overview

Beginning with ONTAP 9.8, you can enable an ONTAP Simple Storage
Service (S3) object storage server in an ONTAP cluster.

ONTAP supports two on-premises use case scenarios for serving S3

object storage:

 FabricPool tier to a bucket on local cluster (tier to a local bucket)

my
or remote cluster (cloud tier).

a
 S3 client app access to a bucket on the local cluster or a remote

us
cluster.
th
Mu
S3 configuration with System Manager and the ONTAP CLI
r
ma

You can configure and manage ONTAP S3 with System Manager and
the ONTAP CLI. When you enable S3 and create buckets using System
ku

Manager, ONTAP selects best-practice defaults for simplified

l

configuration. If you need to specify configuration parameters, you

hi

might want to use the ONTAP CLI.

nt

S3 Configuration Workflow
Se

Configuring S3 involves assessing physical storage and networking

requirements, and then choosing a workflow that is specific to your
goal—configuring S3 access to a new or existing SVM, or adding a
bucket and users to an existing SVM that is already fully configured for
S3 access.

SENTHILKUMAR MUTHUSAMY | SANMASTERS 6

7

Service policy
Data service policies are assigned to SVMs and provide a collection of
network services required by data LIFs to support client application
protocols. For example, data-nfs is used to support NFS traffic,
dataiscsi is used to support iSCSI traffic, and so on. New in ONTAP 9.8,
the data-s3-server service allows data LIFs to support client
application traffic using S3.

a my
Create the service policy

us
th
A service policy is required to enable S3 data traffic on the SVM LIFs.
Mu
r

 Create a SVM service policy to allow S3 Protocol service.

ma
l ku
hi
nt
Se

SENTHILKUMAR MUTHUSAMY | SANMASTERS 7

8

Create a data LIF to use with S3

SVMs hosting object store servers require data LIFs to communicate
with client applications using S3. NetApp recommends creating an S3
data LIF on all nodes as a best practice.
When configured for remote cluster tiering, FabricPool is the client
and the object store is the server. Because FabricPool requires the
object store to use an FQDN, all S3 DATA LIFs must be associated with
the FQDN used by the object store server.

a my
us
th
Mu

Install a CA certificate
r
ma

Using CA certificates creates a trusted relationship between client

applications and the ONTAP object store server. A CA certificate
ku

should be installed on ONTAP before using it as an object store that is

l

accessible to remote clients.

hi

Although ONTAP can generate self-signed certificates, using signed

nt

certificates from a third-party certificate authority is the

recommended best practice.
Se

 Create a ca certificate.

SENTHILKUMAR MUTHUSAMY | SANMASTERS 8

9

my
a
us
 Sign the ca certificate.
th
Mu
r
ma
l ku
hi
nt
Se

SENTHILKUMAR MUTHUSAMY | SANMASTERS 9

10

 Install the certificate.

a my
us
th
Mu
r

Configuration for local cluster tiering

ma

Beginning with ONTAP 9.8, FabricPool supports tiering to buckets in

ku

ONTAP, allowing for ONTAP-to-ONTAP tiering. This is an excellent

l

option for customers who wish to repurpose existing FAS

hi

infrastructure as an object store endpoint.

nt

When configured for local cluster tiering, inactive data is tiered from
local aggregates (typically SSD) to a local bucket (typically HDD) using
Se

cluster LIFs.
NetApp recommends using StorageGRID, the premier NetApp object
store solution, when tiering more than 300TB of inactive data. A
FabricPool license is not required when using ONTAP or StorageGRID
as the cloud tier.

SENTHILKUMAR MUTHUSAMY | SANMASTERS 10

11

a my
us
th
Mu
r
ma

Create a user
ku

User authorization is required on all ONTAP object stores to restrict

l

connectivity to authorized clients.

hi

All S3 users with valid access and a secret key-pair can access all
nt

buckets and objects in the SVM.

Se

To create a user by using the ONTAP CLI, run the following command:

SENTHILKUMAR MUTHUSAMY | SANMASTERS 11

12

 Login to Cluster1 ONTAP System Manager, select storage VM’s

and configure the S3 protocol service.
 Specify the Object store Name (Ex:s3-senthil)

my
a
us
th
Mu

 View the S3 server details.

r
ma
l ku
hi
nt
Se

SENTHILKUMAR MUTHUSAMY | SANMASTERS 12

13

 Download the certificate details with access key and Secret key.

amy
us
th
Mu
 ONTAP S3 is enabled now.
r
ma
l ku
hi
nt
Se

SENTHILKUMAR MUTHUSAMY | SANMASTERS 13

14

 Using ONTAP CLI run the following command to list object store
details. (Object Store – Cluster1)

a my
us
Create the bucket
th
Mu
Beginning with ONTAP 9.11.1, ONTAP S3 supports bucket versioning.
Enabling versioning allows for the creation of multiple versions of an
r

object. Much like Snapshot copies, these objects can be retrieved and
ma

restored, enabling client applications to restore deleted objects or

retrieve earlier versions of an object.
ku

 In Cluster1, create a bucket.

l
hi
nt
Se

SENTHILKUMAR MUTHUSAMY | SANMASTERS 14

15

 Login to Cluster2 System Manager, select the cloud tier and add
the ONTAP S3.

my
a
us
th
Mu
r
ma
l ku
hi

 To add a ONTAP S3 Cloud Tier, Specify the following:

 Cloud Tier Name (Ex: ontap_s3_new)
nt

 Object Store Name (Ex: s3-senthil)

Se

 Copy and paste the certificate details

 Access key and secret key which you downloaded
 Bucket Name (Ex: mybucket1)

SENTHILKUMAR MUTHUSAMY | SANMASTERS 15

16

my
a
us
th
Mu
r
ma
l ku
hi
nt

 ONTAP S3 Cloud Tier added successfully.

Se

SENTHILKUMAR MUTHUSAMY | SANMASTERS 16

17

 Login to Cluster2 ONTAP CLI, list the object store configuration

details.
 Provider Type – ONTAP_S3

a my
us
th
Mu
r
ma
l ku

S3 SnapMirror overview
hi
nt

Beginning with ONTAP 9.10.1, you can protect buckets in ONTAP S3

object stores using familiar SnapMirror mirroring and backup
Se

functionality. In addition, unlike standard SnapMirror, S3 SnapMirror

can have non-NetApp destinations.

S3 SnapMirror supports active mirrors and backup tiers from ONTAP

S3 buckets to the following destinations:

SENTHILKUMAR MUTHUSAMY | SANMASTERS 17

18

Target Supports active Supports backup

mirrors and and restore?
takeover?

ONTAP S3

 buckets in the same

SVM
 buckets in different
SVMs on the same cluster

my
 buckets in SVMs on
different clusters

a
us
StorageGRID

AWS S3 th
Mu
Cloud Volumes ONTAP for
Azure
r

(beginning with ONTAP 9.9.0)

ma
ku

Cloud Volumes ONTAP for

AWS
l

(beginning with ONTAP

hi

9.11.0)
nt

Cloud Volumes ONTAP for

Google Cloud
Se

(beginning with ONTAP

9.12.0)

You can protect existing buckets on ONTAP S3 servers or you can

create new buckets with data protection enabled immediately.

 While you are creating Bucket, select more options and select
Protection.

SENTHILKUMAR MUTHUSAMY | SANMASTERS 18

19

a my
us
 Enable the Snapmirror (ONTAP or Cloud)

th
 Select the destination DR as a ONTAP System or any
Mu
other Cloud Storage (Ex: AWS, StorageGRID and
Cloud Volumes ONTAP)
r
ma
l ku
hi
nt
Se

SENTHILKUMAR MUTHUSAMY | SANMASTERS 19