VAST on Cloud (VoC) clusters on AWS are provisioned using a cloud service called the Multi-Cluster Manager, which you deploy using a VAST Data template in the AWS CloudFormation service. Each VoC cluster is installed and configured with a management access IP, and with VIP pools pre-configured for replication and protocol access, enabling you to start running your workloads quickly.
Limitations
VoC clusters on AWS are supported only if the instance type (which is set during the creation procedure) is On-demand and Resiliency (another setting in the cluster creation procedure) is enabled.
Note
Spot instances with resiliency disabled may be preferred for the purpose of a PoC or a demo, provided the risk of data loss is acceptable.
In the event of downtime, data is rebuilt while the cluster comes back online. Recovery from any subsequent failure that may occur during the rebuild is not guaranteed.
Prerequisites
For deploying an instance of the Multi-Cluster Manager:
An AWS account with a Virtual Private Cloud (VPC) that has at least two availability zones for private networks and is connected to the internet through a NAT gateway.
If you want your Multi-Cluster Manager to manage VoC instances in different AWS regions, a peering connection between the VPCs must be established prior to the deployment of the VoC instance.
For deploying VoC instances:
A VPC with at least one availability zone for private networks, connected to the internet through a NAT gateway.
To support replication between an on-premises cluster and a VoC cluster, a direct-connect or VPN connection established from the VPC to the on-premises network.
An AWS account with the following security policies:
For deploying Multi-Cluster Manager, both of the following:
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "CloudFromationCreator", "Effect": "Allow", "Action": [ "cloudformation:UpdateStack", "cloudformation:CreateStack" ], "Resource": "*" },
    { "Sid": "CloudFromationEditor", "Effect": "Allow", "Action": [ "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents" ], "Resource": "arn:aws:cloudformation:*:*:stack/*/*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "AWSLambdaCreator", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:TagResource", "lambda:GetFunction" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "RollPass", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*" },
    { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } },
    { "Sid": "AWSLambdaEditor", "Effect": "Allow", "Action": [ "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:DeleteFunction", "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:*:*:function:*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "EC2InstanceCreatorWithTag", "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:CreateVolume" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "EC2InstanceEditor", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:TerminateInstances", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "DescribeComponants", "Effect": "Allow", "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "autoscaling:DescribeLaunchConfigurations", "elasticloadbalancing:DescribeLoadBalancers", "rds:DescribeDBSecurityGroups", "cloudformation:DescribeStacks", "iam:GetRole", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners", "ec2:CreateSecurityGroup", "rds:CreateDBSubnetGroup", "elasticloadbalancing:CreateTargetGroup", "rds:DescribeDBSubnetGroups", "kms:DescribeKey", "kms:CreateGrant", "secretsmanager:CreateSecret", "rds:DescribeDBInstances", "elasticloadbalancing:CreateListener", "iam:GetInstanceProfile", "ec2:RunInstances", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplateVersion", "iam:DeleteInstanceProfile", "iam:AttachRolePolicy", "iam:ListRolePolicies", "ec2:ModifyLaunchTemplate", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeAutoScalingInstances", "iam:CreateInstanceProfile", "ec2:DescribeInstances", "ec2:CreateTags", "rds:ListTagsForResource" ], "Resource": "*" },
    { "Sid": "SecurityGroupTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } },
    { "Sid": "SecurityGroupTagCreator2", "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "arn:aws:ec2:*:*:security-group/*" },
    { "Sid": "InstanceProfileEditor", "Effect": "Allow", "Action": [ "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/*VocInstanceProfile*" },
    { "Sid": "LaunchTemplateTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } },
    { "Sid": "LaunchTemplateTagCreatorForASG", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*McVmsASG*" },
    { "Sid": "SecurityGroupEditor", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "RolePolicyCreator", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } },
    { "Sid": "ASGRoleAttacher", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*-McVmsASG-*" },
    { "Sid": "RolePolicyEditor", "Effect": "Allow", "Action": [ "iam:DetachRolePolicy", "iam:DeletePolicy", "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "DBSecurityGroupCreator", "Effect": "Allow", "Action": [ "rds:CreateDBSecurityGroup", "rds:AddTagsToResource", "secretsmanager:TagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } },
    { "Sid": "DBInstanceCreator", "Effect": "Allow", "Action": [ "rds:CreateDBInstance" ], "Resource": "*" },
    { "Sid": "DBSecurityGroupEditor", "Effect": "Allow", "Action": [ "rds:AuthorizeDBSecurityGroupIngress", "rds:RevokeDBSecurityGroupIngress", "rds:DeleteDBSecurityGroup", "rds:DeleteDBInstance", "rds:ModifyDBInstance", "rds:AddTagsToResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "DBInstanceDeleter", "Effect": "Allow", "Action": [ "rds:DeleteDBInstance" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "DBSubNetGroupDeleter", "Effect": "Allow", "Action": [ "rds:DeleteDBSubnetGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AutoScalingGroupCreator", "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:CreateListener", "autoscaling:UpdateAutoScalingGroup", "ec2:CreateLaunchTemplate", "elasticloadbalancing:AddTags" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "mcvms" } } },
    { "Sid": "AutoScalingGroupEditor", "Effect": "Allow", "Action": [ "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "ec2:DeleteLaunchTemplate", "autoscaling:DeleteLaunchConfiguration", "elasticloadbalancing:CreateTargetGroup", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "elasticloadbalancing:DeleteLoadBalancer", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "mcvms" } } },
    { "Sid": "LoadBalancerListenerDeleter", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteListener" ], "Resource": "arn:aws:elasticloadbalancing:*:*:listener/net/LB-*/*/*" },
    { "Sid": "LoadBalancerTargetGroupDeleter", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/TG-*/*" }
  ]
}

For deploying VoC:
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "CloudFromationCreator", "Effect": "Allow", "Action": [ "cloudformation:CreateStack" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "CloudFromationEditor", "Effect": "Allow", "Action": [ "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents" ], "Resource": "arn:aws:cloudformation:*:*:stack/*/*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "AWSLambdaCreator", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:TagResource", "lambda:GetFunction", "logs:TagResource", "logs:PutRetentionPolicy", "logs:CreateLogGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "RollPass", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*" },
    { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
    { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*" },
    { "Sid": "AWSLambdaEditor", "Effect": "Allow", "Action": [ "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:DeleteFunction", "lambda:InvokeFunction" ], "Resource": "arn:aws:lambda:*:*:function:*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "EC2InstanceCreatorWithTag", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "EC2InstanceEditor", "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "DescribeComponants", "Effect": "Allow", "Action": [ "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "autoscaling:DescribeLaunchConfigurations", "cloudformation:DescribeStacks", "iam:GetRole", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "ec2:CreateSecurityGroup", "secretsmanager:CreateSecret", "iam:GetInstanceProfile", "ec2:RunInstances", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplateVersion", "iam:DeleteInstanceProfile", "iam:AttachRolePolicy", "iam:ListRolePolicies", "ec2:ModifyLaunchTemplate", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeAutoScalingInstances", "iam:CreateInstanceProfile", "ec2:DescribeInstances", "ec2:DescribeManagedPrefixLists", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:CreateVolume", "ec2:DescribeVolumes" ], "Resource": "*" },
    { "Sid": "SecurityGroupTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
    { "Sid": "SecurityGroupTagCreator2", "Effect": "Allow", "Action": [ "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "logs:PutRetentionPolicy" ], "Resource": "*" },
    { "Sid": "InstanceProfileEditor", "Effect": "Allow", "Action": [ "iam:DeleteInstanceProfile", "iam:RemoveRoleFromInstanceProfile" ], "Resource": "arn:aws:iam::*:instance-profile/*VocInstanceProfile*" },
    { "Sid": "LaunchTemplateTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
    { "Sid": "VolumeTagCreator", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
    { "Sid": "TagInstanceComponants", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:spot-instances-request/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
    { "Sid": "LaunchTemplateTagCreatorForASG", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*ASG*", "arn:aws:ec2:*:*:prefix-list/*", "arn:aws:ec2:*:*:network-interface/*" ] },
    { "Sid": "CreateManagedPrefixList", "Effect": "Allow", "Action": [ "ec2:CreateManagedPrefixList" ], "Resource": "arn:aws:ec2:*:*:prefix-list/*" },
    { "Sid": "SecurityGroupEditor", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:DeleteManagedPrefixList", "ec2:DeleteNetworkInterface" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "RolePolicyCreator", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy", "iam:TagRole" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
    { "Sid": "ASGRoleAttacher", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ], "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*-McVmsASG-*" },
    { "Sid": "RolePolicyEditor", "Effect": "Allow", "Action": [ "iam:DetachRolePolicy", "iam:DeletePolicy", "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:GetRolePolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "AutoScalingGroupCreator", "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:UpdateAutoScalingGroup", "ec2:CreateLaunchTemplate" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
    { "Sid": "AutoScalingGroupEditor", "Effect": "Allow", "Action": [ "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "ec2:DeleteLaunchTemplate", "autoscaling:DeleteLaunchConfiguration", "ec2:CreateLaunchTemplateVersion", "ec2:ModifyLaunchTemplate", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } },
    { "Sid": "DeleteStacks", "Effect": "Allow", "Action": [ "cloudformation:DeleteStack", "cloudformation:DeleteStackInstances" ], "Resource": "*" }
  ]
}
An EC2 KeyPair to use for SSH access to the cluster stack
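A review aid for the deployment policies listed above, added here as an example and not part of the VAST documentation: it reports Allow statements that grant IAM write actions on Resource "*" with no condition, and statements whose resource ARN names a different service than the action prefix. The set of actions treated as sensitive and the function names are assumptions of this example, the service comparison is a heuristic that marks statements for review, and the sample is an abridged excerpt of the VoC policy.

```python
import json

# Abridged excerpt of the "For deploying VoC" policy on this page. Statements are
# copied from the page; the DescribeComponants and RolePolicyEditor action lists
# are shortened for the example.
POLICY_EXCERPT = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "RollPass", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "*" },
  { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*",
    "Condition": { "StringEquals": { "aws:RequestTag/VoC:component": "voc" } } },
  { "Effect": "Allow", "Action": "iam:TagRole", "Resource": "*" },
  { "Sid": "DescribeComponants", "Effect": "Allow",
    "Action": [ "ec2:DescribeVpcs", "iam:GetRole", "iam:PutRolePolicy",
                "iam:AttachRolePolicy", "ec2:DescribeInstances" ],
    "Resource": "*" },
  { "Sid": "ASGRoleAttacher", "Effect": "Allow",
    "Action": [ "iam:AttachRolePolicy", "iam:PutRolePolicy" ],
    "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*-McVmsASG-*" },
  { "Sid": "RolePolicyEditor", "Effect": "Allow",
    "Action": [ "iam:DetachRolePolicy", "iam:DeleteRole", "iam:AttachRolePolicy" ],
    "Resource": "*",
    "Condition": { "StringEquals": { "aws:ResourceTag/VoC:component": "voc" } } }
] }
""")

# Assumption of this example: IAM write actions that deserve a second look when
# they are granted on every resource with no condition. Extend to suit the review.
SENSITIVE_ACTIONS = frozenset({
    "iam:PassRole", "iam:TagRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
    "iam:CreateRole", "iam:CreatePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
})


def _as_list(value):
    # IAM allows Action, Resource and Statement to be a single value or a list.
    return value if isinstance(value, list) else [value]


def _label(index, statement):
    # Statements without a Sid are identified by their position in the policy.
    return statement.get("Sid") or f"statement[{index}]"


def unscoped_sensitive_grants(policy):
    """Allow statements granting a sensitive action on Resource "*" with no Condition."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" not in _as_list(st.get("Resource", [])):
            continue
        hits = sorted(set(_as_list(st.get("Action", []))) & SENSITIVE_ACTIONS)
        if hits:
            findings.append((_label(i, st), hits))
    return findings


def service_mismatches(policy):
    """Statements whose resource ARN service differs from an action's service prefix."""
    findings = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        for resource in _as_list(st.get("Resource", [])):
            parts = resource.split(":")
            if len(parts) < 6 or parts[0] != "arn" or parts[2] == "*":
                continue  # "*" or a wildcard service: nothing to compare
            arn_service = parts[2]
            odd = sorted({a for a in _as_list(st.get("Action", []))
                          if a.split(":")[0] not in (arn_service, "*")})
            if odd:
                findings.append((_label(i, st), arn_service, odd))
    return findings


if __name__ == "__main__":
    for sid, actions in unscoped_sensitive_grants(POLICY_EXCERPT):
        print(f"unscoped: {sid}: {', '.join(actions)}")
    for sid, service, actions in service_mismatches(POLICY_EXCERPT):
        print(f"review:   {sid}: {', '.join(actions)} on an {service} ARN")
```

Run it over each complete policy before attaching it, so that every unconditioned grant is a reviewed part of the deployment role.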
Provisioning VAST on Cloud Clusters
Create a Multi-Cluster Manager Instance
Browse to the AWS Marketplace.
Search for VAST Data.
From the search results, select the product called VAST Data Platform.
Click Continue to Subscribe.
Click Continue to Configuration.
On the Configure this Software page, from the Fulfillment option dropdown, select VAST Data Platform.
Select the latest version from the Select a version dropdown.
From the Region dropdown, select the region where you want to deploy the Multi-Cluster Manager instance.
Click Continue to Launch.
On the Launch this software page, from the Choose Action dropdown, select Launch CloudFormation.
Click Launch.
On the Create stack page, click Next.
On the Specify stack details page, in the Stack name field, enter a unique name for the stack. This will be the name of the Multi-Cluster Manager instance.
Under RequiredParameters, complete the template parameters:
EnableCallHome
False by default. Set to true to enable the periodic sending of logs from the MCM to VAST's support bucket.
KeyName
Select an existing EC2 KeyPair to enable SSH access to the cluster.
SecurityGroupIds
Specify one or more security groups. The following ports must be open in the security group(s):
22 (SSH)
443 (HTTPS)
DBSubnetsGroup
Provide a list of subnets from which to create the database subnet.
BucketName
Specify the name of a bucket to be used by the Multi-Cluster Manager and by VAST on Cloud instances.
Note
The bucket must be assigned the following permissions (replace <region> and <bucket-name> with the region and bucket name respectively):
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "Service": "logs.<region>.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::<bucket-name>" },
    { "Effect": "Allow", "Principal": { "Service": "logs.<region>.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<bucket-name>/*", "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }
  ]
}
Click Next.
Review the details and click Submit.
The process of creating the stack begins and the status of the stack is shown as CREATE_IN_PROGRESS at first. When the process is complete, the status changes to CREATE_COMPLETE.
The CloudFormation stack output provides a link to the web user interface for the multi-cluster manager.
Register Your Multi-Cluster Manager Instance
Contact your VAST Sales Engineer and request a registration token for registering your Multi-Cluster Manager instance. You will be asked to supply your AWS account ID. This step can be performed in advance.
Browse to the web user interface of the Multi-Cluster Manager instance. You can find the link in the output of the CloudFormation stack for the multi-cluster manager.
Next to the prompt to Please provide a registration token, click Click to Update.
The Insert token to proceed dialog appears.
Enter the token provided by your Sales Engineer in the Token field.
Click Continue.
Creating a VAST on Cloud Cluster
Browse to the web user interface of the Multi-Cluster Manager instance and click Create New Cloud Cluster.
Complete these fields:
Cluster name
Enter a name for the cluster you are creating.
Regions
Select the AWS region where you want to deploy the cluster.
Capacity types
Select a capacity size for the cluster (25TB or 50TB)
Instance market type
Select an instance type:
On-demand. Choose this type in most cases. The alternate option is not supported by VAST and is subject to a risk of data loss.
Spot. This option is available but not supported. It is sometimes preferred for PoCs, demos and the like. Choose this option only if the risk of data loss is not an issue for the use case.
Note
VAST supports VoC clusters on condition that On-demand is selected for instance type and resiliency is enabled.
Note
If resiliency is disabled and the cluster is brought down, the data on the cluster is lost and the cluster needs to be re-installed.
Resiliency
Enable this setting to ensure that the VoC cluster VM is resilient. This means that the VM will come back up automatically if it goes down and rebuild its local data from persistent cloud storage resources. This feature incurs the cost of AWS storage resources to provide persistent cloud storage.
If this setting is disabled, data on the VoC cluster is lost if the cluster is brought down by AWS, such as if you build the stack using a spot instance and that spot is brought down during operation. Clusters provisioned with resiliency disabled are not supported by VAST. The option is available for cases where it is preferred despite the risk of data loss, such as for PoCs and demos.
Note
VAST supports VoC clusters on condition that On-demand is selected for instance type and resiliency is enabled.
Enable Similarity
This setting is disabled by default.
Enable this setting to enable similarity-based data reduction on the cluster.
Enable Callhome
This setting is disabled by default.
Enable this setting to enable the sending of callhome logs on the cluster.
Tags
Optionally add AWS tags to the cluster.
To add a tag, enter the tag key in the Tags field and the tag value in the value field. To add another tag, click the Add button.
Click Create.
A card for the new cluster is added to the Cards tab.
On the cluster's card, click Click to finish setup in AWS.
The AWS CloudFormation service opens.
In the Stack Name field, optionally customize the name of the cluster. By default, the name is pre-filled and is formed as <cluster name>-stack, where <cluster name> is the cluster name you provided in step 2.
Complete the parameters for the cluster:
VPC
Select the Virtual Private Cloud where you want to host the cluster.
KeyName
Select an existing EC2 KeyPair to enable SSH access to the cluster.
IgnoreNFSPermissions
This setting is disabled by default. If enabled, the VoC cluster will ignore file permissions and allow NFS and S3 clients to access data without checking permissions.
This setting is provided for cases where you have no way to synchronize user attributes between VoC clusters and on-premises clusters. When you replicate data from an on-premises cluster to the VAST on Cloud cluster, the user and group permissions are replicated as well, but the provider configurations are not replicated automatically. You can either connect the relevant provider(s) to the VAST on Cloud cluster or, if you cannot or prefer not to connect the VAST on Cloud cluster to a provider that can authorize user and group permissions for the data that you want to replicate to the cloud, set this to true.
This setting cannot be changed through the VoC's VMS. Therefore, choose now whether to enable this setting.
SubnetId
Select the subnet in which the cluster should reside.
SecurityGroupId / CreateNewSecurityGroup
Either select an existing security group from the SecurityGroupId field or set CreateNewSecurityGroup to True to create a new security group.
The security group should have the following TCP ports open for ingress:
80 (HTTP)
5551 (VMS installation monitor)
443 (HTTPS)
111
445 (NETBIOS)
2049 (NFS)
6126
49002 (Replication peer initialization)
20106 (NSM)
49001 (Replication initialization)
20107 (NLM)
20048 (Mount)
All ports should be open for egress. ICMP should be open for ingress.
SecurityRulesCIDRs
Applicable if you selected CreateNewSecurityGroup. Specify up to ten CIDRs from which to allow inbound access.
Under Capabilities, select the checkboxes.
Click Create Stack.
The process of creating the stack begins and the status of the stack is shown as CREATE_IN_PROGRESS at first. In the DataSpace instance, the cluster's card also displays "In progress". When the process is complete, the status changes to CREATE_COMPLETE.
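A pre-flight check for an existing security group selected in SecurityGroupId, added here as an example and not part of the VAST documentation: it reads JSON in the shape returned by `aws ec2 describe-security-groups` and reports which of the TCP ports listed above have no ingress rule, whether ICMP ingress is allowed, and which of those ports accept traffic from any address. The group ID, CIDRs and function names are constructed for the example.

```python
import ipaddress
import json

# TCP ingress ports required by the SecurityGroupId parameter description on this page.
REQUIRED_TCP_INGRESS = (80, 5551, 443, 111, 445, 2049, 6126,
                        49002, 20106, 49001, 20107, 20048)

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{ "SecurityGroups": [ {
    "GroupId": "sg-0example",
    "IpPermissions": [
      { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [ { "CidrIp": "10.20.0.0/16" } ] },
      { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [ { "CidrIp": "10.20.0.0/16" } ] },
      { "IpProtocol": "tcp", "FromPort": 111, "ToPort": 111,
        "IpRanges": [ { "CidrIp": "10.20.0.0/16" } ] },
      { "IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
        "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] },
      { "IpProtocol": "tcp", "FromPort": 20048, "ToPort": 20107,
        "IpRanges": [ { "CidrIp": "10.20.0.0/16" } ] },
      { "IpProtocol": "tcp", "FromPort": 49001, "ToPort": 49002,
        "IpRanges": [ { "CidrIp": "192.0.2.0/24" } ] },
      { "IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
        "IpRanges": [ { "CidrIp": "10.20.0.0/16" } ] }
    ]
} ] }
""")


def _covers(rule, port):
    # "-1" means all protocols and ports; otherwise the rule must be a TCP range.
    if rule.get("IpProtocol") == "-1":
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1))


def _from_any_address(rule):
    # True when one of the rule's IPv4 or IPv6 sources is a /0 network.
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def missing_required_ports(group):
    """Required TCP ports that no ingress rule in the group covers."""
    rules = group.get("IpPermissions", [])
    return sorted(p for p in REQUIRED_TCP_INGRESS
                  if not any(_covers(r, p) for r in rules))


def world_open_required_ports(group):
    """Required TCP ports that an ingress rule opens to 0.0.0.0/0 or ::/0."""
    rules = group.get("IpPermissions", [])
    return sorted(p for p in REQUIRED_TCP_INGRESS
                  if any(_covers(r, p) and _from_any_address(r) for r in rules))


def icmp_ingress_allowed(group):
    """True when some ingress rule admits ICMP (explicitly or via all protocols)."""
    return any(r.get("IpProtocol") in ("icmp", "-1")
               for r in group.get("IpPermissions", []))


if __name__ == "__main__":
    for sg in SAMPLE_DESCRIBE_OUTPUT["SecurityGroups"]:
        print(sg["GroupId"])
        print("  missing required TCP ports:", missing_required_ports(sg))
        print("  required ports open to any address:", world_open_required_ports(sg))
        print("  ICMP ingress allowed:", icmp_ingress_allowed(sg))
```

Because the default cluster configuration exposes a view of the root path over NFSv3 with no IP restrictions, the source CIDRs on the NFS-related ports are what limits which clients can mount it.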
Cloud Cluster Initial Configuration
When the cluster is created, the cluster's network configuration details appear on the Outputs tab of the CloudFormation service.
The cluster is created with the following configuration:
| Configuration | Key in CloudFormation Outputs Page |
|---|---|
| VMS Management IP | ClusterMgmt |
| VIP pool for protocol access | ProtocolVips |
| VIP pool for replication | ReplicationVips |
| VMSMonitor | Links to the VMS monitor, which reports the cluster's installation progress. Use this to monitor the initial installation progress, until the VMS is up. Then use the VMS's Activities page to continue monitoring the cluster's installation. |
Managing VoC Clusters from the Multi-Cluster Manager Instance
The Multi-Cluster Manager enables you to:
Suspend and resume a cluster.
Remove a cluster.
Suspending and Resuming a VoC Cluster
To suspend a VoC cluster:
On the cluster's card, click the button.
Click Yes to confirm the action.
The cluster is suspended.
To resume a suspended VoC cluster:
On the cluster's card, click the button.
Click Yes to confirm the action.
The cluster is resumed. The cluster starts to service IOs after several minutes. It takes approximately another 45 minutes until it services IOs at the same performance level as before the suspension.
Deleting a VoC Cluster
On the cluster's card, click the button.
Read the warning and type DELETE in all caps in the field provided.
Click Yes, Delete.
The cluster is deleted.
Replicating Your Workload to VAST on Cloud
In order to replicate your workload to your VAST on Cloud cluster, we recommend using a global snapshot clone because it enables instant cloning of your data, providing you with instant access to the data from your VAST on Cloud cluster.
Browse to the cluster's VMS management IP, which is listed as ClusterMgmt IP in the Outputs tab of the AWS CloudFormation > Stacks page.
Alternately, from the Multi-Cluster Manager Web UI, click the button on the cluster's card to open the cluster.
The VMS VAST Web UI appears.
Log into VMS with a VMS manager user name and password.
For the default user name and password, see Managing VAST Cluster Passwords.
Verify on the Activities page that the cluster_deploy task is complete. If not, wait until it is complete before continuing.
Create a replication peer to establish a peer relationship between the on-premises cluster and the VAST on Cloud cluster.
Verify that there is a virtual IP pool for replication on the on-premises cluster (a virtual IP pool with role replication).
To create a new virtual IP pool for replication, see Managing Virtual IP Pools.
On either the on-premises cluster or the VAST on Cloud cluster, go to the Virtual IP Pools tab of the Network Access page and record at least one of the IPs that belong to a replication virtual IP pool.
On the other cluster, go to the Replication Peers tab of the Data Protection page.
Click Create Peer and fill the following fields:
Peer Name
Enter a name for the peer configuration. The peer configuration will be mirrored on the other cluster and have the same name on both clusters.
For example: OnPremtoCloudRep
Remote VIP
Enter any one of the VIPs in the replication virtual IP pool range of the other cluster.
The remote virtual IP is used to establish an initial connection between the peers. Once the connection is established, the peers share their external network topology and form multiple connections between the VIPs.
If the remote peer's replication virtual IP pool is changed after the initial peer configuration, the new VIPs are learned automatically if the new range of IPs in the modified virtual IP pool intersects with the previous IP range. However, if the new IP range does not intersect with the old range, the remote virtual IP must be modified on the local peer.
For example: 198.51.100.200
Local VIP Pool
From the drop-down, select the replication virtual IP pool configured on the local cluster.
On the VAST on Cloud cluster, this is called replicationPool.
Secure Mode
Select a secure mode for the peer:
Secure. Replication to this peer will be encrypted over the wire with mTLS.
Secure mode requires a certificate, key and root certificate to be uploaded to VMS for mTLS encryption.
None. Replication to this peer will not be encrypted over the wire.
Caution
This setting cannot be changed after creating the replication peer.
Click Create.
On the on-premises cluster, make sure you have a suitable snapshot to clone to the VAST on Cloud cluster for the workload. You can use a snapshot that was created by a protected path if the point in time meets your needs, or you can create a snapshot of the current data. To create a single current snapshot:
From the left navigation menu, select Data Protection and then Snapshots.
Click Create Snapshot.
Complete the fields:
Field
Description
Tenant
Select a tenant where the local path that you want to capture resides.
Name (required)
Enter a name for the snapshot.
Path (required)
Enter the path to a directory. The snapshot will include all files and folders under the specified directory at the time of taking the snapshot.
Expiration time
If you want to make sure the snapshot expires some time in the future, specify that time here.
Indestructible
Enable this setting if you want the snapshot to be indestructible. This setting protects the snapshot from accidental or malicious deletion. For more information about indestructibility, see Managing the Indestructibility Mechanism.
Caution
After saving the snapshot, you won't be able to delete the snapshot or disable its indestructibility without performing an authorized unlocking of the cluster's indestructibility mechanism.
Click Create.
The snapshot is created and is listed on the Snapshots page.
On the VAST on Cloud cluster, open the Global Snapshot Clones tab of the Data Protection page.
Click Create Global Snapshot Clone and complete the fields:
Name
Enter a name for the snapshot clone.
Background sync
This is an optional setting that causes all of the snapshot data to be copied from the source to the destination after the clone is created. During the copying stage, read requests are directed to the source if the requested data is not yet copied. When the copying is complete, the clone becomes a local directory.
Leave this setting disabled if you want to ensure that only the data required for use on the VAST on Cloud cluster is copied. By default, snapshot data will be copied only when there is a request to read data.
Target tenant
The tenant on the local cluster to which you want to clone the snapshot.
Target Path
The local path on the target tenant to create, where you want the clone to reside. An existing path is not valid.
Source cluster
Select the replication peer that you configured in Step 4.
Source tenant
Select the tenant on the on-premises cluster where the path that you want to clone resides.
Source path
After selecting Source cluster, select a path on the on-premises cluster that you want to clone. The dropdown offers you a selection of paths that are protected by protected paths or by manual snapshots.
Source snapshot
After selecting the source path, select the specific snapshot to clone. The dropdown shows you all available snapshots for the selected source path.
Click Create.
The path that you specified as the Source path is now cloned on the VAST on Cloud cluster. The directory structure of the data that was captured by the cloned snapshot is immediately accessible to clients. If you chose to disable background sync, data will be read from the source cluster and copied on request. If you enabled background sync, all of the data will be synced to the VAST on Cloud cluster and then accessible on the VAST on Cloud cluster.
Accessing the Cloned Data Path
To access the cloned data path from a client:
Client mounts should use the protocolsPool virtual IP pool on the VAST on Cloud cluster.
To find the IPs in the protocols virtual IP pool, open the Virtual IP Pools tab of the Network Access page. The IP ranges included in the pool are displayed in the IP Ranges column.
File permissions are replicated with the data. If you set IgnoreNFSPermissions to False in the template parameters, make sure to connect the provider(s) that store the relevant user and group entries to the VAST on Cloud cluster.
Configuration of view, view policy and provider may be needed to enable client access to the cloned path depending on the client's chosen access protocol.
Note
The default cluster configuration provides a view of the root path of the file system, exposed to NFSv3 with no IP restrictions. It is therefore possible to mount the root path '/' from an NFSv3 client with no further configuration and access the cloned directory under it.
Replicate the Workload Output to the On-Premises Cluster
Replication can be used to move data from the cloud cluster to an on-premises cluster.
There are at least two ways to do this:
Configuring Replication of the Workload Output Using DataSpace from the On-Premises Cluster's VMS
Connect the VoC cluster to the on-premises cluster's DataSpace page (see Connecting Clusters to DataSpace).
Use the on-premises cluster's DataSpace page to configure replication with the VoC cluster as the source cluster and the on-premises cluster as the destination cluster (see Configuring Asynchronous Replication from DataSpace).
Configuring Replication of the Workload Output from the VoC cluster's VMS
Create a protection policy on the VAST on Cloud cluster and then a protected path on the output folder:
On the VAST on Cloud cluster, open the left navigation menu, select Data Protection and then select Protection Policies.
Click Create Protection Policy.
In the Add Protection Policy dialog, complete the fields:
Field
Description
Policy name
Enter a name for the protection policy.
Peer
Select the replication peer that you created already.
Snapshot prefix
Enter a prefix for the snapshot names.
The name of each snapshot will be <prefix>_<timestamp>, where <prefix> is the prefix specified here and <timestamp> is the time the snapshot is created, in the format yyyy-mm-ddTHH:MM:SS.SSSSSSzzz (T denotes time and doesn't represent a value, zzz is the timezone, and the time is accurate to the microsecond). For example, if the prefix is dev, a snapshot taken at 8:15 pm UTC on 20th November 2024 would be named dev_2024-11-20T20:15:06.144783UTC.
If you want to make the protection policy indestructible, enable the Indestructible setting. This setting protects the policy and its snapshots from accidental or malicious deletion. For more information about indestructibility, see Managing the Indestructibility Mechanism.
Caution
After saving the protection policy, you won't be able to delete the policy or disable its indestructibility without performing a procedure for authorized unlocking of the cluster's indestructibility mechanism.
Note
If a replication peer is configured, the indestructibility setting will be replicated to the peer.
Set up one or more replication schedules:
Note
If you want to set up multiple schedules, click the Add Schedule button to display more scheduling fields in the dialog.
To set the start time, click in the Start at field. In the calendar that appears, click the start date you want and adjust the start time.
Note
When a protected path is active, it performs an initial data sync to the replication peer immediately after being created. The initial sync creates the first restore point. Therefore, the restore point created on the start date is in fact the second restore point.
To set a period, select a time unit from the Period dropdown and enter the number of time units in the Every field.
Note
The minimum interval is 15 seconds.
Leave the Keep local copy for field blank if you want to delete snapshots immediately after they are replicated to the on-premises cluster.
Alternatively, if you do want to retain backups on the VAST on Cloud cluster, you can set the Keep local copy for period. This is the amount of time for which local snapshots are retained on the local cluster. Select a time unit from the Period dropdown and enter the number of time units in the Keep local copy for field.
Set the Keep remote copy for period. This is the amount of time restore points are retained on the on-premises cluster.
Select a time unit from the Period dropdown and enter the number of time units in the Keep remote copy for field.
Click Create.
The protection policy is created and listed in the Protection Policies tab.
On the Protected Paths tab, click Create Protected Path.
In the Add Protected Path dialog, click Add Source and complete the fields:
Tenant
Select the tenant under which the output directory resides.
Name
Enter a name for the protected path.
Path
Enter the path to the output directory. A snapshot of this directory will be taken periodically according to the protection policy.
Click Save.
Click Add a Peer VIA Replication Or Global Access.
In the Create Destination dialog, select Replication from the Capability dropdown and complete these fields:
Protection policy
From the dropdown, select the protection policy you created in step 8.
Warning
After adding a destination to a protected path, it is not possible to change which policy is associated with the destination. All changes to a destination's snapshot schedule, replication schedule, and snapshot expiration must be done by modifying the protection policy. Those modifications affect all destinations that use the same protection policy. To work around this limitation, use one protection policy per destination.
Cluster
This field is filled automatically with the cluster specified as the peer in the protection policy, which should be the on-premises cluster.
Remote tenant
This field appears only if the remote peer has more than one tenant. If it appears, select a tenant on the remote peer from the dropdown. The remote path will be created on the selected tenant.
Path
Specify a path on the remote peer where the data should be replicated. This must be a directory that does not yet exist on the remote peer.
Click Create.
The protected path is created and listed in the Protected Paths tab. Replication will now run from the VAST on Cloud cluster to the on-premises cluster on the schedule defined in the protection policy.
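To confirm that restore points are arriving on the schedule defined in the protection policy, snapshot names can be parsed using the <prefix>_<timestamp> format described for the Snapshot prefix field. The following Python is an added example, not VAST code: the snapshot list is constructed, the function names are hypothetical, and only the UTC suffix from the documentation's example is handled.

```python
import re
from datetime import datetime, timedelta, timezone

# <prefix>_<yyyy-mm-ddTHH:MM:SS.SSSSSS><zzz>, as described for the Snapshot prefix field.
SNAPSHOT_NAME = re.compile(
    r"^(?P<prefix>.+)_(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6})(?P<tz>[A-Za-z]+)$"
)


def parse_snapshot_name(name):
    """Split a snapshot name into (prefix, timezone-aware datetime)."""
    m = SNAPSHOT_NAME.match(name)
    if m is None:
        raise ValueError(f"not a <prefix>_<timestamp> snapshot name: {name!r}")
    # Assumption: only the UTC suffix shown in the documentation example is
    # handled; other timezone abbreviations are ambiguous and are rejected.
    if m["tz"] != "UTC":
        raise ValueError(f"unsupported timezone suffix {m['tz']!r} in {name!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return m["prefix"], ts


def find_schedule_gaps(names, prefix, period, tolerance=timedelta(seconds=30)):
    """Return (previous, next, delta) for consecutive snapshots spaced wider than the schedule."""
    stamps = sorted(ts for p, ts in map(parse_snapshot_name, names) if p == prefix)
    gaps = []
    for prev, nxt in zip(stamps, stamps[1:]):
        if nxt - prev > period + tolerance:
            gaps.append((prev, nxt, nxt - prev))
    return gaps


# Constructed sample listing: hourly policy with prefix "dev"; the 22:15 snapshot is missing.
SAMPLE_NAMES = [
    "dev_2024-11-20T20:15:06.144783UTC",
    "dev_2024-11-20T21:15:06.201554UTC",
    "dev_2024-11-20T23:15:07.019332UTC",
    "nightly_backup_2024-11-20T00:00:01.000125UTC",
]

if __name__ == "__main__":
    for prev, nxt, delta in find_schedule_gaps(SAMPLE_NAMES, "dev", timedelta(hours=1)):
        print(f"gap of {delta} between {prev.isoformat()} and {nxt.isoformat()}")
```

A gap wider than the configured period plus tolerance indicates a missed or delayed snapshot and is worth checking against the replication status of the protected path.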
Upgrading VoC Clusters
Upgrading a VoC cluster requires that the Multi-Cluster Manager is first upgraded to the required version. Therefore, to upgrade a VoC cluster, first follow the steps here to upgrade the Multi-Cluster Manager instance and then perform the upgrade on the cluster.
To upgrade the Multi-Cluster Manager instance:
From the AWS console home, click CloudFormation. All the VM stacks are listed.
Select the Multi-Cluster Manager's stack from the list and click Update.
On the Update stack page, select Replace existing template.
Under Specify template, select Amazon S3 URL.
In the Amazon S3 URL field, insert the URL to the upgrade bundle (obtain this from VAST Support). For example:
https://vastdata-releases.s3.eu-west-1.amazonaws.com/release_bundles/#######/release/mcvms-cf-#######.json
Click Next.
In the Required Parameters page, click Next (no need to change any settings).
On the Configure stack options page, click Next (no need to change any settings).
Note
If you encounter an error, "Failed to retrieve SNS topics", no action is needed.
In the review page, scroll down to the Capabilities section and check the box I acknowledge that AWS CloudFormation might create IAM resources.
Click Submit.
You are directed to the Stacks page, where the Multi-Cluster Manager stack is listed and you can monitor its status until the upgrade is complete.
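Before checking the IAM acknowledgement box in the review step, the template JSON can be downloaded and its IAM resources read. The following Python is an added example, not part of the VAST procedure or bundle: the sample template is constructed, the function names are hypothetical, and the two review rules (wildcard actions, and iam: actions on any resource) are assumptions about what deserves a closer look.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _text(value):
    # Intrinsic functions (Ref, Fn::Sub, ...) appear as objects; keep them readable.
    return value if isinstance(value, str) else json.dumps(value, sort_keys=True)

def iam_statements(template):
    """Yield (logical_id, statement) for each policy statement in AWS::IAM::* resources."""
    for logical_id, res in template.get("Resources", {}).items():
        if not res.get("Type", "").startswith("AWS::IAM::"):
            continue
        props = res.get("Properties", {})
        docs = [props.get("PolicyDocument")]
        docs += [p.get("PolicyDocument") for p in props.get("Policies", [])]
        for doc in filter(None, docs):
            for stmt in _as_list(doc.get("Statement", [])):
                yield logical_id, stmt

def review_findings(template):
    """Return sorted (logical_id, action, resource) triples worth reading before acknowledging."""
    findings = set()
    for logical_id, stmt in iam_statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        for action in map(_text, _as_list(stmt.get("Action", []))):
            for resource in map(_text, _as_list(stmt.get("Resource", []))):
                broad_action = action == "*" or action.endswith(":*")
                iam_on_any = action.lower().startswith("iam:") and resource == "*"
                if broad_action or iam_on_any:
                    findings.add((logical_id, action, resource))
    return sorted(findings)

# Constructed sample template (not the VAST bundle): two IAM resources and one EC2 instance.
SAMPLE_TEMPLATE = {"Resources": {
    "ManagerRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "inline", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
            {"Effect": "Allow", "Action": ["ec2:DescribeVpcs"], "Resource": "*"}]}}]}},
    "FunctionPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
        "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": "lambda:*",
            "Resource": "arn:aws:lambda:*:*:function:example"}}}},
    "Instance": {"Type": "AWS::EC2::Instance", "Properties": {}},
}}

if __name__ == "__main__":
    for logical_id, action, resource in review_findings(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {action} on {resource}")
```

Running the same check on the currently deployed template and on the upgrade bundle, then comparing the two result lists, shows which IAM grants the upgrade adds.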