VAST on Cloud enables you to spin up virtual VAST Clusters as ephemeral or persistent cloud resources on a permanent or on-demand basis. It is ideal for providing a wide range of data services in the cloud for both permanent and short-term jobs. With VAST on Cloud, you get access to enterprise-class, high-performance File, Object, and Database capabilities, benefitting from the powerful VAST data reduction capabilities. When needed, you can leverage the VAST DataSpace to transfer data between your cloud and on-prem clusters.
VAST on Cloud (VoC) clusters are provisioned using a cloud service called the Multi-Cluster Manager, which you deploy using VAST Data's template in the AWS CloudFormation service. Each VoC cluster is installed and configured with a management access IP, and with VIP pools pre-configured for replication and protocol access, enabling you to start running your workloads quickly.
We recommend using the global snapshot clone feature to instantly replicate data from your on-premises cluster to a VAST on Cloud cluster, and to use async replication to periodically replicate your output to your on-premises cluster. Follow the sections below to create a VAST on Cloud cluster and start working.
Once your cluster is installed in the cloud, you can use a global snapshot clone with background sync to fully copy the data to the cloud, or without background sync in which case only the metadata is copied and data is read from the source on demand. You can alternatively replicate the data using VAST async replication. The method described below uses a global snapshot clone with or without background sync.
Limitations
As described below, the most convenient method for making your data available to the VAST on Cloud cluster is through a global snapshot clone of a snapshot on your on-premises cluster. This makes the data instantly available for your workloads. Note that ongoing changes on a data path that you cloned using a global snapshot clone are not synced with the VAST on Cloud cluster. The data you work with is sourced from the specific snapshot that you clone.
VAST on Cloud clusters do not support expansion or OS upgrade.
Prerequisites
For deploying an instance of the Multi-Cluster Manager:
AWS account with a Virtual Private Cloud (VPC) with at least two availability zones for private networks, connected to the internet with NAT gateway.
If you would like your Multi-cluster Manager to manage VoC instances on different AWS regions, a peering connection between the VPCs must be established prior to the deployment of the VoC instance.
For deploying VoC instances:
A VPC with at least one availability zone for private networks, connected to the internet with NAT gateway
To support replication between an on-premises cluster and a VoC cluster, a direct-connect or VPN connection established from the VPC to the on-premises network.
An AWS account with the following security policies:
For deploying Multi-Cluster Manager, both of the following:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudFromationCreator", "Effect": "Allow", "Action": [ "cloudformation:UpdateStack", "cloudformation:CreateStack" ], "Resource": "*" }, { "Sid": "CloudFromationEditor", "Effect": "Allow", "Action": [ "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents" ], "Resource": "arn:aws:cloudformation:*:*:stack/*/*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "AWSLambdaCreator", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:TagResource", "lambda:GetFunction" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "RollPass", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } }, { "Sid": "AWSLambdaEditor", "Effect": "Allow", "Action": [ "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:DeleteFunction", "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:*:*:function:*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "EC2InstanceCreatorWithTag", "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:CreateVolume" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "EC2InstanceEditor", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "DescribeComponants", "Effect": "Allow", "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "autoscaling:DescribeLaunchConfigurations", "elasticloadbalancing:DescribeLoadBalancers", "rds:DescribeDBSecurityGroups", "cloudformation:DescribeStacks", "iam:GetRole", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners", "ec2:CreateSecurityGroup", "rds:CreateDBSubnetGroup", "elasticloadbalancing:CreateTargetGroup", "rds:DescribeDBSubnetGroups", "kms:DescribeKey", "kms:CreateGrant", "secretsmanager:CreateSecret", "rds:DescribeDBInstances", "elasticloadbalancing:CreateListener", "iam:GetInstanceProfile", "ec2:RunInstances", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplateVersion", "iam:DeleteInstanceProfile", "iam:AttachRolePolicy", "iam:ListRolePolicies", "ec2:ModifyLaunchTemplate", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeAutoScalingInstances", "iam:CreateInstanceProfile", "ec2:DescribeInstances", "ec2:CreateTags", "rds:ListTagsForResource" ], "Resource": "*" }, { "Sid": "SecurityGroupTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "StringEquals": { "ec2:ResourceTag/aws:cloudformation:logical-id": "SelfRefSecurityGroup" } } }, { "Sid": "InstanceProfileEditor", "Effect": "Allow", "Action": [ "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/*VocInstanceProfile*" }, { "Sid": "LaunchTemplateTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } }, { "Sid": "LaunchTemplateTagCreatorForASG", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*McVmsASG*" }, { "Sid": "SecurityGroupEditor", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "RolePolicyCreator", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } }, { "Sid": "ASGRoleAttacher", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*-McVmsASG-*" }, { "Sid": "RolePolicyEditor", "Effect": "Allow", "Action": [ "iam:DetachRolePolicy", "iam:DeletePolicy", "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "DBSecurityGroupCreator", "Effect": "Allow", "Action": [ "rds:CreateDBSecurityGroup", "rds:AddTagsToResource", "secretsmanager:TagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } }, { "Sid": "DBInstanceCreator", "Effect": "Allow", "Action": [ "rds:CreateDBInstance" ], "Resource": "*" }, { "Sid": "DBSecurityGroupEditor", "Effect": "Allow", "Action": [ "rds:AuthorizeDBSecurityGroupIngress", "rds:RevokeDBSecurityGroupIngress", "rds:DeleteDBSecurityGroup", "rds:DeleteDBInstance", "rds:ModifyDBInstance", "rds:AddTagsToResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "DBInstanceDeleter", "Effect": "Allow", "Action": [ "rds:DeleteDBInstance" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/aws:cloudformation:logical-id": "McVmsDB" } } }, { "Sid": "DBSubNetGroupDeleter", "Effect": "Allow", "Action": [ "rds:DeleteDBSubnetGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/aws:cloudformation:logical-id": "MCVMSDBSubnetGroup" } } } ] }{ "Version": "2012-10-17", "Statement": [ { "Sid": "AutoScalingGroupCreator", "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:CreateListener", "autoscaling:UpdateAutoScalingGroup", "ec2:CreateLaunchTemplate", "elasticloadbalancing:AddTags" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } }, { "Sid": "AutoScalingGroupEditor", "Effect": "Allow", "Action": [ "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "ec2:DeleteLaunchTemplate", "autoscaling:DeleteLaunchConfiguration", "elasticloadbalancing:CreateTargetGroup", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "elasticloadbalancing:DeleteLoadBalancer", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }, { "Sid": "LoadBalancerListenerDeleter", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteListener" ], "Resource": "arn:aws:elasticloadbalancing:*:*:listener/net/LB-*/*/*" }, { "Sid": "LoadBalancerTargetGroupDeleter", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/TG-*/*" } ] }For deploying VoC:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CloudFromationCreator", "Effect": "Allow", "Action": [ "cloudformation:CreateStack" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "CloudFromationEditor", "Effect": "Allow", "Action": [ "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents" ], "Resource": "arn:aws:cloudformation:*:*:stack/*/*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "AWSLambdaCreator", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:TagResource", "lambda:GetFunction" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "RollPass", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } }, { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*" }, { "Sid": "AWSLambdaEditor", "Effect": "Allow", "Action": [ "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:DeleteFunction", "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:*:*:function:*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "EC2InstanceCreatorWithTag", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "EC2InstanceEditor", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "DescribeComponants", "Effect": "Allow", "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "autoscaling:DescribeLaunchConfigurations", "cloudformation:DescribeStacks", "iam:GetRole", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "ec2:CreateSecurityGroup", "secretsmanager:CreateSecret", "iam:GetInstanceProfile", "ec2:RunInstances", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplateVersion", "iam:DeleteInstanceProfile", "iam:AttachRolePolicy", "iam:ListRolePolicies", "ec2:ModifyLaunchTemplate", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeAutoScalingInstances", "iam:CreateInstanceProfile", "ec2:DescribeInstances", "ec2:DescribeManagedPrefixLists", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:CreateVolume", "ec2:DescribeVolumes" ], "Resource": "*" }, { "Sid": "SecurityGroupTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupEgress" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "StringEquals": { "ec2:ResourceTag/aws:cloudformation:logical-id": "NewSecurityGroup" } } }, { "Sid": "InstanceProfileEditor", "Effect": "Allow", "Action": [ "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/*VocInstanceProfile*" }, { "Sid": "LaunchTemplateTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } }, { "Sid": "VolumeTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } }, { "Sid": "TagInstanceComponants", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:eu-west-1:110450271409:spot-instances-request/*", "arn:aws:ec2:eu-west-1:110450271409:volume/*" ], "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } }, { "Sid": "LaunchTemplateTagCreatorForASG", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*ASG*", "arn:aws:ec2:*:*:prefix-list/*", "arn:aws:ec2:*:*:network-interface/*" ] }, { "Sid": "CreateManagedPrefixList", "Effect": "Allow", "Action": [ "ec2:CreateManagedPrefixList" ], "Resource": "arn:aws:ec2:*:*:prefix-list/*" }, { "Sid": "SecurityGroupEditor", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:DeleteManagedPrefixList", "ec2:DeleteNetworkInterface" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "RolePolicyCreator", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy", "iam:TagRole" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } }, { "Sid": "ASGRoleAttacher", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*-McVmsASG-*" }, { "Sid": "RolePolicyEditor", "Effect": "Allow", "Action": [ "iam:DetachRolePolicy", "iam:DeletePolicy", "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "AutoScalingGroupCreator", "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:UpdateAutoScalingGroup", "ec2:CreateLaunchTemplate" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } }, { "Sid": "AutoScalingGroupEditor", "Effect": "Allow", "Action": [ "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "ec2:DeleteLaunchTemplate", "autoscaling:DeleteLaunchConfiguration", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }, { "Sid": "DeleteStacks", "Effect": "Allow", "Action": [ "cloudformation:DeleteStack", "cloudformation:DeleteStackInstances" ], "Resource": "*" } ] }
An EC2 KeyPair to use for SSH access to the cluster stack
Provisioning VAST on Cloud Clusters
Create a Multi-Cluster Manager Instance
Browse to the AWS Marketplace.
Search for VAST Data.
From the search results, select the product called VAST Data Platform .
Click Continue to Subscribe.
Click Continue to Configuration.
On the Configure this Software page, from the Fulfillment option dropdown, select VAST Data Platform.
Select the latest version from the Select a version dropdown.
From the Region dropdown, select the region where you want to deploy the Multi-Cluster Manager instance.
Click Continue to Launch.
On the Launch this software page, from the Choose Action dropdown, select Launch CloudFormation.
Click Launch.
On the Create stack page, click Next.
On the Specify stack details page In the Stack name field, enter a unique name for the stack. This will be the name of the Multi-Cluster Manager instance.
Under RequiredParameters, complete the template parameters:
EnableCallHome
False by default. Set to true to enable the periodic sending of logs from the MCM to VAST's support bucket.
KeyName
Select an existing EC2 KeyPair to enable SSH access to the cluster.
SecurityGroupIds
Specify one or more security groups. The following ports must be open in the security group(s):
22 (SSH)
443 (HTTPS)
DBSubnetsGroup
Provide a list of subnets from which to create the database subnet.
BucketName
Specify the name of a bucket to be used by the Multi-cluster Manager and by Vast-on-Cloud instances.
Note
The bucket must be assigned the following permissions (replace <region> and <bucket-name> with the region and bucket name respectively):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "logs.<region>.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::<bucket-name>" }, { "Effect": "Allow", "Principal": { "Service": "logs.<region>.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<bucket-name>/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } } ] }Click Next.
Review the details and click Submit.
The process of creating the stack begins and the status of the stack is shown as CREATE_IN_PROGRESS at first. When the process is complete, the status changes to CREATE_COMPLETE.
The CloudFormation stack output provides a link to the web user interface for the multi-cluster manager.
Register Your Multi-Cluster Manager Instance
Contact your VAST Sales Engineer and request a registration token for registering your Multi-Cluster Manager instance. You will be asked to supply your AWS account ID. This step can be performed in advance.
Browse to the web user interface of the Multi-Cluster Manager instance. You can find the link in the output of the CloudFormation stack for the multi-cluster manager.
Next to the prompt to Please provide a registration token, click Click to Update.
The Insert token to proceed dialog appears.
Enter the token provided by your Sales Engineer in the Token field.
Click Continue.
Creating a VAST on Cloud Cluster
Browse to the web user interface of the Multi-Cluster Manager instance and click Create New Cloud Cluster.
Complete these fields:
Cluster name
Enter a name for the cluster you are creating.
Regions
Select the AWS region where you want to deploy the cluster.
Capacity types
Select a capacity size for the cluster (25TB or 50TB)
Instance market type
Select an instance type:
On-demand
spot
Note
If resiliency is disabled and the cluster is brought down, the data on the cluster is lost and the cluster needs to be re-installed.
Resiliency
If you disable this setting, data on the VAST on Cloud is lost if the cluster is brought down by AWS, such as if you build the stack using a spot instance and that spot is brought down during operation.
If you enable this setting, the VoC cluster VM will be resilient. This means that the VM will come back up automatically if it goes down and rebuild its local data from persistent cloud storage resources. This feature incurs the cost of AWS storage resources to provide persistent cloud storage.
Enable Similarity
This setting is disabled by default.
Enable this setting to enable similarity-based data reduction on the cluster.
Enable Callhome
This setting is disabled by default.
Enable this setting to enable the sending of callhome logs on the cluster.
Tags
Optionally add AWS tags to the cluster.
To add a tag, enter the tag key value in the Tags field and the tag value in the value field. To add another tag, click the Add button.
Click Create.
A card for the new cluster is added to the Cards tab.
On the cluster's card, click Click to finish setup in AWS.
An AWS CloudFormation service opens.
In the Stack Name field, optionally customize the name of the cluster. By default, the name is pre-filled and is formed as <cluster name>-stack, where <cluster name> is the cluster name you provided in step 2.
Complete the parameters for the cluster:
VPC
Select the Virtual Private Cloud where you want to host the cluster.
KeyName
Select an existing EC2 KeyPair to enable SSH access to the cluster.
IgnoreNFSPermissions
This setting is disabled by default. If enabled, the VoC cluster will ignore file permissions and allow NFS and S3 clients to access data without checking permissions.
This setting is provided for the event that you do not have a way to synchronize user attributes between VoC clusters and on-premise clusters. That is, when you replicate data from an on-premises cluster to the VAST on Cloud cluster, the user and group permissions will be replicated as well. However, the provider configurations are not automatically replicated. You can either connect any relevant provider(s) to the VAST on Cloud cluster or, if you will not be able to or prefer not to connect the VAST on Cloud cluster to a provider that can authorize user and group permissions for the data that you want to replicate to the cloud, you can set this to true.
This setting cannot be changed through the VoC's VMS. Therefore, choose now whether to enable this setting.
SubnetId
Select the subnet in which the cluster should reside.
SecurityGroupId / CreateNewSecurityGroup
Either select a security group ID from the SecurityGroupId field to select an existing security group or set CreateNewSecurity to True to create a new security group.
The security group should have the following TCP ports open for ingress:
80 (HTTP)
5551 (VMS installation monitor)
443 (HTTPS)
111
445 (NETBIOS)
2049. (NFS)
6126
49002 (Replication peer initialization)
20106 (NSM)
49001 (Replication initialization)
20107 (NLM)
20048 (Mount)
All ports should be open for egress. ICMP should be open for ingress.
SecurityRulesCIDRs
Applicable if you selected CreateNewSecurityGroup. Specify up to ten CIDRs from which to allow inbound access.
Under Capabilities, select the checkboxes.
Click Create Stack.
The process of creating the stack begins and the status of the stack is shown as CREATE_IN_PROGRESS at first. In the DataSpace instance, the cluster's card also displays "In progress". When the process is complete, the status changes to CREATE_COMPLETE.
Cloud Cluster Initial Configuration
When the cluster is created, the cluster's network configuration details for the cluster appear on the Outputs tab of the CloudFormation service.
The cluster is created with the following configuration:
Configuration | Key in CloudFormat Outputs Page |
|---|---|
VMS Management IP | ClusterMgmt |
VIP pool for protocol access | ProtocolVips |
VIP pool for replication | ReplicationVips |
VMSMonitor | Links to the VMS monitor, which reports the cluster's installation progress. Use this to monitor the initial installation progress, until the VMS is up. Then use the VMS's Activities page to continue monitoring the cluster's installation. |
Managing VoC Clusters from the Multi-Cluster Manager Instance
The Multi-Cluster Manager enables you to:
Suspend and resume a cluster.
Remove a cluster.
Suspending and Resuming a VoC Cluster
To suspend a VoC cluster:
On the cluster's card, click the
.png?sv=2022-11-02&spr=https&st=2026-02-09T14%3A38%3A32Z&se=2026-02-09T15%3A13%3A32Z&sr=c&sp=r&sig=QFO5EqXmUQOeLjv5fdy%2B2fJ8Lp4a%2BxnRSLKRhNsi2KU%3D)
button.Click Yes to confirm the action.
The cluster is suspended.
To resume a suspended VoC cluster:
On the cluster's card, click the
.png?sv=2022-11-02&spr=https&st=2026-02-09T14%3A38%3A32Z&se=2026-02-09T15%3A13%3A32Z&sr=c&sp=r&sig=QFO5EqXmUQOeLjv5fdy%2B2fJ8Lp4a%2BxnRSLKRhNsi2KU%3D)
button.Click Yes to confirm the action.
The cluster is resumed. The cluster starts to service IOs after several minutes. It takes another approximately 45 minutes until it services IOs with the same performance level as it did prior to suspension.
Deleting a VoC Cluster
On the cluster's card, click the
.png?sv=2022-11-02&spr=https&st=2026-02-09T14%3A38%3A32Z&se=2026-02-09T15%3A13%3A32Z&sr=c&sp=r&sig=QFO5EqXmUQOeLjv5fdy%2B2fJ8Lp4a%2BxnRSLKRhNsi2KU%3D)
button.Read the warning and type DELETE in all caps in the field provided.
Click Yes, Delete.
The cluster is deleted.
Replicating Your Workload to VAST on Cloud
In order to replicate your workload to your VAST on Cloud cluster, we recommend using a global snapshot clone because it enables instant cloning of your data, providing you with instant access to the data from your VAST on Cloud cluster.
Browse to the cluster's VMS management IP, which is listed as ClusterMgmt IP in the Outputs tab of the AWS CloudFormation > Stacks page).
Alternately, from the Multi-Cluster Manager Web UI, click the button on the cluster's card to open the cluster.
The VMS VAST Web UI appears.
Log into VMS with a VMS manager user name and password.
For the default user name and password, see Managing VAST Cluster Passwords.
Verify on the Activities page that the cluster_deploy task is complete. If not, wait until it is complete before continuing.
Create a replication peer to establish a peer relationship between the on-premises cluster and the VAST on Cloud cluster.
Verify that there is a VIP pool for replication on the on-premises cluster (a VIP pool with role replication).
To create a new VIP pool for replication, see Managing Virtual IP Pools.
On either the on premises cluster or the VAST on Cloud cluster, go to the Virtual IP Pools tab of the Network Access page and record at least one of the IPs that belong to a replication VIP pool.
On the other cluster, go to the Replication Peers tab of the Data Protection page.
Click Create Peer and fill the following fields:
Peer Name
Enter a name for the peer configuration. The peer configuration will be mirrored on the other cluster and have the same name on both clusters.
For example: OnPremtoCloudRep
Remote VIP
Enter any one of the VIPs in the replication VIP pool range of the other cluster.
The remote VIP is used to establish an initial connection between the peers. Once the connection is established, the peers share their external network topology and form multiple connections between the VIPs.
If the remote peer's replication VIP pool is changed after the initial peer configuration, the new VIPs are learned automatically if the new range of IPs in the modified VIP pool intersects with the previous IP range. However, if the new IP range does not intersect with the old range, the remote VIP must be modified on the local peer.
For example: 198.51.100.200
Local VIP Pool
From the drop-down, select the replication VIP Pool configured on the local cluster.
On the VAST on Cloud cluster, this is called replicationPool.
Secure Mode
Select a secure mode for the peer:
Secure. Replication to this peer will be encrypted over the wire with mTLS.
Secure mode requires a certificate, key and root certificate to be uploaded to VMS for mTLS encryption.
None. Replication to this peer will not be encrypted over the wire.
Caution
This setting cannot be changed after creating the replication peer.
Click Create.
On the on-premises cluster, make sure you have a suitable snapshot to clone to the VAST on Cloud cluster for the workload. You can use a snapshot that was created by a protected path if the point in time meets your needs, or you can create a snapshot of the current data. To create a single current snapshot:
From the left navigation menu, select Data Protection and then Snapshots.
Click Create Snapshot.
Complete the fields:
Field
Description
Tenant
Select a tenant where the local path that you want to capture resides.
Name (required)
Enter a name for the snapshot.
Path (required)
Enter the path to a directory. The snapshot will include all files and folders under the specified directory at the time of taking the snapshot.
Expiration time
If you want to make sure the snapshot expires some time in the future, specify that time here.
Indestructible
Enable this setting if you want the snapshot to be indestructible. This setting protects the snapshot from accidental or malicious deletion. For more information about indestructibility, see Indestructible Backups.
Caution
After saving the snapshot, you won't be able to delete the snapshot or disable its indestructibility without performing an authorized unlocking of the cluster's indestructibility mechanism.
Click Create.
The snapshot is created and is listed on the Snapshots page.
On the VAST on Cloud cluster, open the Global Snapshot Clones tab of the Data Protection page.
Click Create Global Snapshot Clone and complete the fields:
Name
Enter a name for the snapshot clone.
Background sync
This is an optional setting that causes all of the snapshot data to be copied from the source to the destination after the clone is created. During the copying stage, read requests are directed to the source if the requested data is not yet copied. When the copying is complete, the clone becomes a local directory.
Leave this setting disabled if you want to ensure that only the data required for use on the VAST on Cloud cluster is copied. By default, snapshot data will be copied only when there is a request to read data.
Target tenant
The tenant on the local cluster to which you want to clone the snapshot.
Target Path
The local path on the target tenant to create, where you want the clone to reside. An existing path is not valid.
Source cluster
Select the replication peer that you configured in step Step 4.
Source tenant
Select the tenant on the on premises cluster where the path that you want to clone resides.
Source path
After selecting Source cluster, select a path on the on premises cluster that you want to clone. The dropdown offers you a selection of paths that are protected by protected paths or by manual snapshots.
Source snapshot
After selecting the source path, select the specific snapshot to clone. The dropdown shows you all available snapshots for the selected source path.
Click Create.
The path that you specified as the Source path is now cloned on the VAST on Cloud cluster. The directory structure of the data that was captured by the cloned snapshot is immediately accessible to clients. If you chose to disable background sync, data will be read from the source cluster and copied on request. If you enabled background sync, all of the data will be synced to the VAST on Cloud cluster and then accessible on the VAST on Cloud cluster.
Accessing the Cloned Data Path
To access the cloned data path from a client:
Client mounts should use the protocolsPool VIP pool on the VAST on Cloud cluster.
To find the IPs in the protocols VIP pool, open the Virtual IP Pools tab of the Network Access page. The IP ranges included in the pool are displayed in the IP Ranges column.
File permissions are replicated with the data. If you set IgnoreNFSPermissions to False in the template parameters, make sure to connect the provider(s) that store the relevant user and group entries to the VAST on Cloud cluster.
Configuration of view, view policy and provider may be needed to enable client access to the cloned path depending on the client's chosen access protocol.
Note
The default cluster configuration provides a view of the root path of the file system, exposed to NFSv3 with no IP restrictions. So it is possible to mount the root path '/' from an NFSv3 client with no further configurations and access the cloned directory under that.
Replicate the Workload Output to the On-Premises Cluster
Replication can be used to move data from the cloud cluster to an on-premises cluster.
There are at least two ways to do this:
Configuring Replication of the Workload Output Using Multi-Cluster Management from the On-Premises Cluster's VMS
Connect the VoC cluster to the on-premises cluster's Multi Cluster Management page (see Connecting Clusters).
Use the on-premises cluster's Multi Cluster Management page to configure replication with the VoC cluster as the source cluster and the on premises cluster as the destination cluster (see Configuring Replication from Multi-Cluster Management).
Configuring Replication of the Workload Output from the VoC cluster's VMS
Create a protection policy on the VAST on Cloud cluster and then a protected path on the output folder:
On the VAST on Cloud cluster, open the left navigation menu, select Data Protection and then select Protection Policies.
Click + Create Protection Policy.
In the Add Protection Policy dialog, complete the fields:
Field
Description
Policy name
Enter a name for the protection policy.
Peer
Select the replication peer that you created already.
Snapshot prefix
Enter a prefix for the snapshot names.
The name of each snapshot will be <prefix>_<timestamp>, where <prefix> is the prefix specified here and <timestamp> is the time the snapshot is created, in the format
yyyy-mm-ddTHH:MM:SS.SSSSSSzzz(Tdenotes time and doesn't represent a value,zzzis the timezone, and the time is accurate to the microsecond). For example, if the prefix is dev, a snapshot taken at 8:15 pm UTC on 20th November 2024 would be named dev_2024-11-20T20:15:06.144783UTC.If you want to make the protection policy indestructible, enable the Indestructible setting. This setting protects the policy and its snapshots from accidental or malicious deletion. For more information about indestructibility, see Indestructible Backups.
Caution
After saving the protection policy, you won't be able to delete the policy or disable its indestructibility without performing a procedure for authorized unlocking of the cluster's indestructibility mechanism.
Note
If a replication peer is configured, the indestructibility setting will be replicated to the peer.
Set up one or more replication schedules:
Note
If you want to set up multiple schedules, click the Add Schedule button to display more scheduling fields in the dialog.
To set the start time, click in the Start at field. In the calendar that appears, click the start date you want and adjust the start time:
.png?sv=2022-11-02&spr=https&st=2026-02-09T14%3A38%3A32Z&se=2026-02-09T15%3A13%3A32Z&sr=c&sp=r&sig=QFO5EqXmUQOeLjv5fdy%2B2fJ8Lp4a%2BxnRSLKRhNsi2KU%3D)
Note
When a protected path is active, it performs an initial data sync to the replication peer immediately after being created. The initial sync creates the first restore point. Therefore, the restore point created on the start date is in fact the second restore point.
To set a period, select a time unit from the Period dropdown and enter the number of time units in the Every field.
Note
The minimum interval is 15 seconds.
Leave the Keep local copy for field blank if you want to delete snapshots immediately after they are replicated to the on premises cluster.
Alternatively, if you do want to retain backups on the VAST on Cloud cluster, you can set the Keep local copy for period. This is the amount of time for which local snapshots are retained on the local cluster. Select a time unit from the Period dropdown and enter the number of time units in the Keep local copy for field.
Set the Keep remote copy for period. This is the amount of time restore points are retained on the on premises cluster.
Select a time unit from the Period dropdown and enter the number of time units in the Keep remote copy for field.
Click Create.
The protection policy is created and listed in the Protection Policies tab.
On the Protected Paths tab, click + Create Protected Path.
In the Add Protected Path dialog, complete the fields:
Field
Description
Name
Enter a name for the protected path.
Local Path
Enter the path to the output directory. A snapshot of this directory will be taken periodically according to the protection policy.
Protection policy
From the dropdown, select the protection policy you created in step 8.
Warning
After creating a replication stream, it is not possible to change which policy is associated with the replication stream. All changes to a streams's snapshot schedule, replication schedule, and snapshot expiration must be done by modifying the protection policy. Those modifications affect all replication streams that use the same protection policy. To work around this limitation, create only one replication stream per protected path.
(Remote peer)
This field is filled automatically with the remote peer specified in the protection policy, which should be the on premises cluster.
Remote path
Specify a path on the remote peer where the data should be replicated. This must be a directory that does not yet exist on the remote peer.
Remote tenant
This field appears only if the remote peer has more than one tenant. If it appears, select a tenant on the remote peer from the dropdown. The remote path will be created on the selected tenant.
Click Create.
The protected path is created and listed in the Protected Paths tab. Replication will now run from the VAST on Cloud cluster to the on premises cluster on the schedule defined in the protection policy.
Note
If the remote peer is running an earlier version of VAST Cluster, no further replication streams may be added to the protected path. If the remote peer is running VAST Cluster 4.7, you can add additional replication streams to the protected path.