Configuring Global Access

  • Updated on Feb 6, 2026
  • Published on Jan 28, 2026
  • 5 minute(s) read
Prev Next

Prerequisites

  • All participating clusters must be running VAST Cluster 5.1 as a minimum version.

Workflow

If the Clusters are Connected through the Management Network

DataSpace provides a simplified flow for configuring global access. This option is available specifically where the source and destination cluster(s) have interconnectivity through their management networks. For details of this procedure, see Configuring Async Replication from DataSpace.

If the clusters are not connected over their management networks, proceed with If the Clusters are not Connected through the Management Network.

If the Clusters are not Connected through the Management Network

  1. Make sure there is a Virtual IP pool for replication on the source cluster and on each of the destination clusters. The Virtual IP pool role must be set to replication. You can use this Virtual IP pool to control which CNodes are used to service replication and global access, although this is not mandatory.Managing Virtual IP Pools

  2. Optional: If you want to configure secure mode on the connection between the clusters used for GA, with mTLS encryption, make sure that mTLS certificates are installed on every participating cluster.

  3. On the source cluster, create a replication peer for each of the destination clusters.  Creating a Replication Peer

  4. Create a global access protected path on the source cluster.

Procedures for Workflow Steps

Creating a Replication Peer

This step involves establishing a connection to a remote cluster that will be the destination peer. The replication peer configuration is mirrored on the remote cluster as well.

Creating a Replication Peer via the VAST Web UI

  1. From the left navigation menu, select Data Protection and then Replication Peers.

  2. Click Create Peer.

  3. Complete the fields:

    Field

    Description

    Peer Name

    Enter a name for the peer configuration. The peer configuration will be mirrored on the remote cluster and have the same name on both clusters.

    For example: VASTmain-VASTbackup

    Remote VIP

    Enter any one of the virtual IPs belonging to the replication virtual IP pool to use as the leading remote virtual IP.

    The remote virtual IP is used to establish an initial connection between the peers. Once the connection is established, the peers share their external network topology and form multiple connections between the VIPs.

    If the remote peer's replication virtual IP pool is changed after the initial peer configuration, the new virtual IPs are learned automatically if the new range of IPs in the modified virtual IP pool intersects with the previous IP range. However, if the new IP range does not intersect with the old range, the remote virtual IP must be modified on the local peer.

    Local VIP Pool

    From the drop-down, select the replication virtual IP pool configured on the local cluster.

    For example: vippool_rep

    Secure Mode

    Select a secure mode for the peer:

    • Secure. Replication to this peer will be encrypted over the wire with mTLS.

      Secure mode requires a certificate, key and root certificate to be uploaded to VMS for mTLS encryption.

    • None. Replication to this peer will not be encrypted over the wire.

    Caution

    This setting cannot be changed after creating the replication peer.

  4. Click Create.

    The replication peer is created and mirrored to the remote cluster. The details are displayed in the Replication Peers page on both the local cluster and the remote cluster.

Creating a Replication Peer via the VAST CLI

To create a replication peer via the VAST CLI, run replicationpeer create.

For example:

vcli: admin> replicationpeer create --name vastnativebackup --remote-leading-vip 198.51.100.200 --local-vip-pool-id 3

Creating a Global Access Protected Path

Creating a Protected Path for Global Access via the VAST Web UI

  1. In the left navigation menu, select Data Protection and then Protected Paths.

  2. On the Protected Paths tab, click Create Protected Path.

  3. In the Add Protected Path dialog, click Add Source and complete the fields:

    Tenant

    Select the tenant under which the source path resides.

    Name

    Enter a name for the protected path.

    Path

    The path you want to replicate. A snapshot of this directory will be taken periodically according to the protection policy.

    Note

    • If you specify '/' (the root directory), this includes data written via S3.

    • To specify a path to a specific S3 bucket with name bucket, enter /bucket.

  4. Click Save.

  5. Click Add a Peer VIA Replication Or Global Access.

  6. In the Create Destination dialog, select Global Access from the Capability dropdown and complete these fields:

    Protection policy

    Select a protection policy from the dropdown or select the option to create a new one, configure the new one in the dialog provided and save it.  

    Warning

    After adding a destination to a protected path, it is not possible to change which policy is associated with the destination. All changes to a streams's snapshot schedule, replication schedule, and snapshot expiration must be done by modifying the protection policy. Those modifications affect all destinations that use the same protection policy. To work around this limitation, use one protection policy per destination.

    Cluster

    Select the remote peer cluster on which you want to create a destination path at which to provide access to the source path's data.

    Remote tenant

    This field appears only if the remote peer has more than one tenant. If it appears, select a tenant on the remote peer from the dropdown. The remote path will be created on the selected tenant.

    Path

    Specify the directory on the remote peer where the data should be shared for access. This must be a directory that does not yet exist on the remote peer.

    Global Access - Lease expiration time

    Set the lease expiration time, which is the duration for which data that was already requested at the destination path can be read locally from cache without the destination peer requesting it from the source peer. When the lease expires, the cache is invalidated and the next read request for the data is requested again from the source peer.

    Enter a number in the field provided and select the time units from the  dropdown.

  7. Click Create.

    The protected path is added to the Protected Paths tab. Initially, the state Initializing is displayed in the State column for the protected path.

  8. When the protected path status changes to Active, you can add another destination:

    1. Right-click the protected path and select Edit.

Creating a Protected Path for Global Access from the VAST CLI

  1. Use the protectedpath create command to create the protected path with one destination.protectedpath create

    For example:

    vcli: admin> protectedpath create --name ga1 --source-dir /gasource --local-tenant-id 1 --remote-target-id 4 --target-exported-dir /ga_destination --remote-tenant-name default --lease-expiry-time 1200

  2. Use the protectedpath add-stream command to add each additional destination, one at a time.

Related articles
  • Configuring Global Access
    VAST Cluster > Version 5.2 > VAST Cluster 5.2 Administrator's Guide > Global Namespace > Global Access
  • Configuring Global Access
    VAST Cluster > Version 5.3 > VAST Cluster 5.3 Administrator's Guide > The VAST DataSpace > Global Access
  • Configuring Global Access
    VAST Cluster > Version 5.4 > VAST Cluster 5.4 Administrator's Guide > The VAST DataSpace > Global Access