Configuring SyncIQ source and target clusters with NAT

Source and target clusters can use NAT (network address translation) for SyncIQ failover and failback purposes, but must be configured appropriately.

In this scenario, source and target clusters are typically at different physical locations, use private, non-routable address space, and do not have direct connections to the Internet. Each cluster typically is assigned a range of private IP addresses. For example, a cluster with 12 nodes might be assigned IP addresses 192.168.10.11 to 192.168.10.22.

To communicate over the public Internet, source and target clusters must have all incoming and outgoing data packets appropriately translated and redirected by a NAT-enabled firewall or router.

Caution: SyncIQ data is not encrypted. Running SyncIQ jobs over the public Internet provides no protection against data theft.

SyncIQ enables you to limit replication jobs to particular nodes within your cluster. For example, if your cluster were made up of 12 nodes, you could limit replication jobs to just three of those nodes. For NAT support, you would need to establish a one-for-one association between the nodes of the source and target clusters. So, if you are limiting replication jobs to three nodes on your source cluster, you must associate them with three nodes on your target cluster.

In this instance, you would need to configure static NAT, sometimes referred to as inbound mapping. On both the source and target clusters, for the private address assigned to each node, you would associate a static NAT address. For example:

Source cluster                                Target cluster
Node name   Private address   NAT address     Node name   Private address   NAT address
source-1    192.168.10.11     10.8.8.201      target-1    192.168.55.101    10.1.2.11
source-2    192.168.10.12     10.8.8.202      target-2    192.168.55.102    10.1.2.12
source-3    192.168.10.13     10.8.8.203      target-3    192.168.55.103    10.1.2.13

To configure static NAT, you would need to edit the /etc/local/hosts file on all six nodes, and associate them with their counterparts by adding the appropriate NAT address and node name. For example, in the /etc/local/hosts file on the three nodes of the source cluster, the entries would look like:

10.1.2.11 target-1
10.1.2.12 target-2
10.1.2.13 target-3

Similarly, on the three nodes of the target cluster, you would edit the /etc/local/hosts file, and insert the NAT address and name of the associated node on the source cluster. For example, on the three nodes of the target cluster, the entries would look like:

10.8.8.201 source-1
10.8.8.202 source-2
10.8.8.203 source-3
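
The following is an added example, not part of the original documentation or of OneFS: a Python check that the peer entries in a node's hosts file match the static NAT plan from the table above, flagging missing or duplicate entries and the use of a peer's private address in place of its NAT address. The function names and sample hosts text are assumptions constructed for illustration.

```python
# Added example: audit hosts-file text against the static NAT plan from the table.
# NAT plan: node name -> (private address, NAT address)
SOURCE = {
    "source-1": ("192.168.10.11", "10.8.8.201"),
    "source-2": ("192.168.10.12", "10.8.8.202"),
    "source-3": ("192.168.10.13", "10.8.8.203"),
}
TARGET = {
    "target-1": ("192.168.55.101", "10.1.2.11"),
    "target-2": ("192.168.55.102", "10.1.2.12"),
    "target-3": ("192.168.55.103", "10.1.2.13"),
}

def parse_hosts(text):
    """Return (address, name) pairs, skipping comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        pairs.extend((fields[0], name) for name in fields[1:])
    return pairs

def audit_hosts(text, local, peer):
    """List problems in hosts text from a `local` node about `peer` nodes."""
    problems = []
    if len(local) != len(peer):
        problems.append("plan is not one-for-one: node counts differ")
    found = {}
    for addr, name in parse_hosts(text):
        if name in peer:
            found.setdefault(name, []).append(addr)
    for name, (private, nat) in sorted(peer.items()):
        addrs = found.get(name, [])
        if not addrs:
            problems.append(f"{name}: no entry")
        elif len(addrs) > 1:
            problems.append(f"{name}: {len(addrs)} entries, expected 1")
        elif addrs[0] == private:
            problems.append(f"{name}: private address used, expected {nat}")
        elif addrs[0] != nat:
            problems.append(f"{name}: {addrs[0]} is not the planned {nat}")
    return problems

# Constructed sample inputs (not taken from a real cluster).
GOOD = "10.1.2.11 target-1\n10.1.2.12 target-2\n10.1.2.13 target-3\n"
BAD = "192.168.55.101 target-1  # peer's private address\n10.1.2.12 target-2\n"

if __name__ == "__main__":
    print(audit_hosts(GOOD, SOURCE, TARGET))
    for problem in audit_hosts(BAD, SOURCE, TARGET):
        print(problem)
```

To audit a target node instead, pass the hosts text with TARGET as the local plan and SOURCE as the peer plan.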

When the NAT server receives packets of SyncIQ data from a node on the source cluster, the NAT server replaces the packet headers and the node's port number and internal IP address with the NAT server's own port number and external IP address. The NAT server on the source network then sends the packets through the Internet to the target network, where another NAT server performs a similar process to transmit the data to the target node. The process is reversed when the data fails back.

With this type of configuration, SyncIQ can determine the correct addresses to connect with, so that SyncIQ can send and receive data. In this scenario, no SmartConnect zone configuration is required.

For information about the ports used by SyncIQ, see the OneFS Security Configuration Guide for your OneFS version.