Oracle Cloud Infrastructure File Storage service provides a durable, scalable, distributed, enterprise-grade network file system. You can connect to a File Storage service file system from any bare metal, virtual machine, or container instance in your Virtual Cloud Network (VCN). You can also access a file system from outside the VCN using Oracle Cloud Infrastructure FastConnect and Internet Protocol security (IPSec) virtual private network (VPN).
Large Compute clusters of thousands of instances can use the File Storage service for high-performance shared storage. Storage provisioning is fully managed and automatic as your use scales from a single byte to exabytes without upfront provisioning. You have redundant storage for resilient data protection.
The File Storage service supports the Network File System version 3.0 (NFSv3) protocol. The service supports the Network Lock Manager (NLM) protocol for file locking functionality.
Use the File Storage service when your application or workload includes big data and analytics, media processing, or content management, and you require Portable Operating System Interface (POSIX)-compliant file system access semantics and concurrently-accessible storage. The File Storage service is designed to meet the needs of applications and users that need an enterprise file system across a wide range of use cases, including the following:
- General Purpose File Storage: Access to an unlimited pool of file systems to manage growth of structured and unstructured data.
- Big Data and Analytics: Run analytic workloads and use shared file systems to store persistent data.
- Lift and Shift of Enterprise Applications: Migrate existing Oracle applications that need NFS storage, such as Oracle E-Business Suite and PeopleSoft.
- Databases and Transactional Applications: Run test and development workloads with Oracle, MySQL, or other databases.
- Backups, Business Continuity, and Disaster Recovery: Host a secondary copy of relevant file systems from on premises to the cloud for backup and disaster recovery purposes.
- MicroServices and Docker: Deliver stateful persistence for containers. Easily scale as your container-based environments grow.
File Systems Concepts
Using the File Storage service requires an understanding of the following concepts, including some that pertain to Oracle Cloud Infrastructure Networking:
- Mount Target
- An NFS endpoint that lives in a subnet of your choice and is highly available. It provides the IP address or DNS name that is used in the mount command when connecting NFS clients to the File Storage service. By default, you can create two mount targets per account per availability domain, but you can request an increase. See Service Limits for a list of applicable limits and instructions for requesting a limit increase.
- Export Path
- A path that is specified when a file system is associated with a mount target. It uniquely identifies the file system within the mount target, letting you associate up to 100 file systems to a single mount target. It is appended to the mount target IP address, and used to mount the file system. This path is unrelated to any path within the file system itself, or the client mount point path.
- The File Storage service adds an export that pairs the file system's Oracle Cloud Identifier (OCID) and path.
- See Paths in File Systems for more information.
- Export Sets
- Collections of one or more exports that control which file systems the mount target exports using the NFSv3 protocol and how those file systems are found using the NFS mount protocol. Each export set is composed of exports. Each mount target has an export set.
- Exports control how file systems are accessed by NFS clients when they connect to a mount target. The information stored in an export includes the file system OCID, export path, and export options. For more information, see Working with NFS Export Options.
- Export Options
- A set of parameters that specify the level of access granted to NFS clients when they connect to a mount target. Options are applied to a specific client IP address or CIDR block range. For more information, see Working with NFS Export Options.
- Virtual Cloud Network (VCN)
- A private network that you set up in the Oracle data centers, with firewall rules and specific types of communication gateways that you can choose to use. A VCN covers a single, contiguous IPv4 CIDR block of your choice. For more information about VCNs, see VCNs and Subnets in the Oracle Cloud Infrastructure Networking documentation.
- Subnets
- Subdivisions you define in a VCN (for example, 10.0.0.0/24 and 10.0.1.0/24). Subnets contain virtual network interface cards (VNICs), which attach to instances. Each subnet exists in a single availability domain (one or more isolated, fault-tolerant Oracle data centers that host cloud resources such as instances, volumes, and subnets; a region contains several availability domains) and consists of a contiguous range of IP addresses that do not overlap with other subnets in the VCN. Each mount target has an address on a subnet of your choice. For more information about subnets, see VCNs and Subnets in the Oracle Cloud Infrastructure Networking documentation.
- Security lists
- Virtual firewall rules for your VCN. Your VCN comes with a default security list, and you can add more. These security lists provide ingress and egress rules that specify the types of traffic allowed in and out of the instances. You can choose whether a given rule is stateful or stateless. Security list rules must be set up so that clients can connect to file system mount targets. For more information about how security lists work in Oracle Cloud Infrastructure, see Security Lists in the Networking documentation. For information about setting up specific security list rules required for mount target traffic, see Configuring VCN Security List Rules for File Storage. About Security explains how security lists interact with other types of security in your file system.
- Snapshots
- Snapshots provide a consistent, point-in-time view of your file system, and you can take as many snapshots as you need. You pay only for the storage used by your data and metadata, including storage capacity used by snapshots. Each snapshot reflects only data that changed from the previous snapshot. For more information, see Managing Snapshots.
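The following is an added example, not Oracle's code, showing how export options scoped to a client IP address or CIDR block resolve for a given NFS client, and how to flag entries that grant broad sources more access than needed. The option list is constructed; the field names (`source`, `access`, `identitySquash`, `requirePrivilegedSourcePort`) and the rule that the first entry matching the client's address wins are assumptions modeled on the export options exposed through the API.

```python
import ipaddress

# Constructed export options for one export (illustrative values only).
# Field names are assumed to follow the API's export-option shape.
EXPORT_OPTIONS = [
    {"source": "10.0.0.15/32", "access": "READ_WRITE",
     "identitySquash": "NONE", "requirePrivilegedSourcePort": True},
    {"source": "10.0.0.0/24", "access": "READ_ONLY",
     "identitySquash": "ROOT", "requirePrivilegedSourcePort": True},
    {"source": "0.0.0.0/0", "access": "READ_WRITE",
     "identitySquash": "NONE", "requirePrivilegedSourcePort": False},
]

def effective_options(client_ip, options):
    """Return the first option whose source contains client_ip, else None."""
    addr = ipaddress.ip_address(client_ip)
    for opt in options:
        if addr in ipaddress.ip_network(opt["source"], strict=False):
            return opt
    return None  # no entry matches: nothing is granted to this client

def audit(options):
    """Return (index, finding) pairs for over-permissive entries."""
    findings = []
    for i, opt in enumerate(options):
        net = ipaddress.ip_network(opt["source"], strict=False)
        if net.prefixlen == 0:
            findings.append((i, "source matches every address"))
        # AUTH_UNIX trusts the UID/GID the client sends, so read-write
        # access without squashing should be limited to single hosts.
        if (opt["access"] == "READ_WRITE" and opt["identitySquash"] == "NONE"
                and net.num_addresses > 1):
            findings.append((i, "read-write without squash for a whole range"))
        if not opt["requirePrivilegedSourcePort"]:
            findings.append((i, "unprivileged source ports accepted"))
    return findings

if __name__ == "__main__":
    for ip in ("10.0.0.15", "10.0.0.20", "192.168.1.5"):
        print(ip, "->", effective_options(ip, EXPORT_OPTIONS))
    for finding in audit(EXPORT_OPTIONS):
        print("finding:", finding)
```

Because order decides the outcome, narrow sources belong before wider ones; the catch-all last entry here silently grants read-write access to every client the first two entries do not match.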
To simplify file system management, exports and export sets are managed through the Console by the File Storage service. More advanced configuration options for exports and export sets are available in the Command Line Interface (CLI) and API.
All files are encrypted at rest by default.
FastConnect offers you the ability to accelerate data transfers. You can leverage the integration between FastConnect and the File Storage service to perform initial data migration, workflow data transfers for large files, and disaster recovery scenarios between two regions, among other things.
How File Storage Permissions Work
File Storage service resources include file systems, mount targets, and export sets. The AUTH_UNIX style of authentication and permission checking is supported for remote NFS client requests. You use Oracle Cloud Infrastructure Identity and Access Management (IAM) policy language to define access to Oracle Cloud Infrastructure resources. You can consider exports and snapshots subsidiary resources of export sets and file systems, respectively. As such, they do not need their own permissions. Related resources include Oracle Cloud Infrastructure Compute instances and Oracle Cloud Infrastructure Networking virtual cloud networks (VCNs).
Oracle Cloud Infrastructure users require resource permissions to create, delete, and manage resources. Without the appropriate IAM permissions, you cannot export a file system through a mount target. Until a file system has been exported, Compute instances can't mount it. For more information about creating an IAM policy, see Let users create, manage, and delete file systems.
If you have successfully exported a file system on a subnet, then you use Networking security lists to control traffic to and from the subnet and, therefore, the mount target. Security lists act as a virtual firewall, allowing only the network traffic you specify to and from the IP addresses and port ranges configured in your ingress and egress rules. The security list you create for the subnet lets hosts send and receive packets and mount the file system. If you have firewalls on individual instances, use FastConnect, or use a virtual private network (VPN), the settings for those might also impact security at the networking layer. For more information about creating a security list for the File Storage service, see Creating File Systems. See About Security for more information on how different types of security work together in your file system.
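The following is an added example, not Oracle's code, that reviews the ingress rules of a mount target's subnet for two problems: required NFS ports that clients cannot reach, and required ports opened to sources wider than the client network. The rules are constructed, the field names are assumed to follow the security-list rule shape of the Networking API, and the port set (TCP 111 and 2048-2050, UDP 111 and 2048) comes from Oracle's security-list guidance for File Storage rather than from this page.

```python
import ipaddress

# Ports a mount target must accept, keyed by IP protocol number
# ("6" = TCP, "17" = UDP). Taken from Oracle's guidance, not this page.
REQUIRED = {"6": {111, 2048, 2049, 2050}, "17": {111, 2048}}

# Constructed ingress rules for the mount target's subnet.
INGRESS = [
    {"protocol": "6", "source": "10.0.0.0/24",
     "tcpOptions": {"destinationPortRange": {"min": 2048, "max": 2050}}},
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcpOptions": {"destinationPortRange": {"min": 111, "max": 111}}},
    {"protocol": "17", "source": "10.0.0.0/24",
     "udpOptions": {"destinationPortRange": {"min": 111, "max": 111}}},
]

def ports_of(rule):
    """Destination ports a rule opens; no port options means all ports."""
    opts = rule.get("tcpOptions") or rule.get("udpOptions") or {}
    rng = opts.get("destinationPortRange")
    if rng is None:
        return set(range(1, 65536))
    return set(range(rng["min"], rng["max"] + 1))

def review(rules, client_cidr):
    """Return (missing, exposed) for NFS clients in client_cidr.

    missing: (protocol, port) pairs the clients cannot reach.
    exposed: (protocol, port, source) where a required port is open to a
             source wider than client_cidr. Only TCP/UDP rules are examined.
    """
    clients = ipaddress.ip_network(client_cidr)
    missing, exposed = [], []
    for proto, needed in REQUIRED.items():
        reachable = set()
        for rule in rules:
            src = ipaddress.ip_network(rule["source"])
            if rule["protocol"] != proto or not clients.subnet_of(src):
                continue
            reachable |= ports_of(rule)
            if src != clients:
                exposed += [(proto, p, rule["source"])
                            for p in sorted(ports_of(rule) & needed)]
        missing += [(proto, p) for p in sorted(needed - reachable)]
    return missing, exposed
```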
Regions and Availability Domains
You can use the File Storage service in all regions. For a list of supported regions, see Regions and Availability Domains.
When you create a mount target for a file system, you can share it among local bare metal and virtual Compute resources within a region. The service runs locally within each availability domain. When you create a file system or mount target, you specify the availability domain it is created in. Within an availability domain, the File Storage service uses synchronous replication and high availability failover to keep your data safe and available.
Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.
Ways to Access Oracle Cloud Infrastructure
You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.
To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. You will be prompted to enter your cloud tenant, your user name, and your password.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups (collections of users who all need a particular type of access to a set of resources or compartment), compartments (collections of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization), and policies (IAM documents that specify who has what type of access to your resources) that control which users can access which services, which resources, and the type of access. The term "policy" is used in different ways: to mean an individual statement written in the policy language; to mean a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it); and to mean the overall body of policies your organization uses to control access to resources. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.
Limits on Your File Storage Components
See Service Limits for a list of applicable limits and instructions for requesting a limit increase.