AWS networking requirements

A few networking requirements must be met so Cloud Manager can launch and manage ONTAP Cloud instances in AWS.

Outbound internet access

You can choose whether the subnets in your VPC are public or private, but they must allow outbound internet access. Outbound internet access is required to enable communication between Cloud Manager and AWS services, to access software images in Amazon S3, and to enable technical support from NetApp.

If the subnets are private, you can route outbound internet access through a NAT device, proxy server, or VPN connection. If you have a proxy, you must configure Cloud Manager to use it. You can do so when using the Cloud Manager Setup wizard.

AWS Documentation: NAT

Note the following about providing internet access for NetApp AutoSupport, which is a troubleshooting tool that proactively monitors the health of your storage:
  • For a NAT instance, you must define an inbound security group rule that allows HTTPS traffic from the private subnet to the internet.
  • For VPN configurations, routing and firewall policies must allow AWS HTTP/HTTPS traffic to support.netapp.com.
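The two checks above (the subnet has an outbound default route, and a NAT instance's security group admits HTTPS from the private subnet) can be verified against the data AWS returns. The following is an added example and not NetApp's own code; it works on constructed dictionaries in the shape of boto3's describe_route_tables and describe_security_groups output, with placeholder resource IDs.

```python
# Added example (not NetApp's code): classify a subnet's default route and check a
# NAT instance security group, using constructed data in the shape that
# boto3's describe_route_tables / describe_security_groups return.
import ipaddress

# Constructed sample route tables: a public subnet, a private subnet behind a
# NAT gateway, and a subnet with no default route. Resource IDs are placeholders.
ROUTE_TABLES = {
    "public":   {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    "private":  {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}]},
    "isolated": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
}

def outbound_path(route_table):
    """Return how 0.0.0.0/0 leaves the subnet: 'igw', 'nat', 'vpn', 'instance' or None."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") == "blackhole":
            continue
        gw = r.get("GatewayId", "")
        if gw.startswith("igw-"):
            return "igw"          # public subnet
        if gw.startswith("vgw-"):
            return "vpn"          # outbound access routed over a VPN connection
        if r.get("NatGatewayId"):
            return "nat"          # managed NAT gateway
        if r.get("InstanceId") or r.get("NetworkInterfaceId"):
            return "instance"     # NAT instance or proxy host
    return None                   # no outbound internet access: Cloud Manager will fail

# Constructed NAT-instance security group (describe_security_groups shape):
# one inbound rule allowing TCP/443 from the private subnet 10.0.1.0/24.
NAT_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}

def nat_sg_allows_https(sg, private_subnet_cidr):
    """True if some inbound rule permits TCP/443 from the whole private subnet."""
    subnet = ipaddress.ip_network(private_subnet_cidr)
    for p in sg["IpPermissions"]:
        if p["IpProtocol"] not in ("tcp", "-1"):      # "-1" means all protocols
            continue
        if p["IpProtocol"] == "tcp" and not (p["FromPort"] <= 443 <= p["ToPort"]):
            continue
        for rng in p.get("IpRanges", []):
            if subnet.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False
```

To run it against a real account, replace the constructed dictionaries with the corresponding boto3 responses for the subnet's route table and the NAT instance's security group.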

Security groups

You do not need to create security groups because Cloud Manager does that for you.

Security group rules

Connection between Cloud Manager and ONTAP Cloud subnets

Cloud Manager requires a connection to the subnets in which you launch ONTAP Cloud systems, including the HA mediator.

If Cloud Manager is not installed in the target VPC, it must have network connectivity to that VPC. For example, if you install Cloud Manager in Azure or in your corporate network, then you must set up a VPN connection to the VPC in which you launch ONTAP Cloud systems.

Connection to the Cloud Manager web console

Users must access Cloud Manager from a web browser. If you deploy Cloud Manager in AWS, the easiest way to provide access is by launching Cloud Manager in a public subnet with a public IP address. However, if you want to use a private IP address instead, users can access the console through either of the following:
  • A jump host in the VPC that has a connection to Cloud Manager
  • A host in your network that has a VPN connection to the private IP address

Connections to ONTAP systems in other networks (Storage System View only)

To replicate data between an ONTAP Cloud system in AWS and ONTAP systems in other networks, you must have a VPN connection between the AWS VPC and the other network—for example, an Azure VNet or your corporate network.

Connection to key managers (Storage System View only)

If you want to use the ONTAP Cloud data encryption feature, ONTAP Cloud instances must have a connection to one or more key managers that are either in AWS or in your network.

Key manager requirements for ONTAP Cloud encryption

DNS and Active Directory for CIFS (Storage System View only)

If you want to provision CIFS storage, you must set up DNS and Active Directory in AWS or extend your on-premises setup to AWS.

The DNS server must provide name resolution services for the Active Directory environment. You can configure DHCP option sets to use the default EC2 DNS server, which must not be the DNS server used by the Active Directory environment.

AWS: Active Directory Domain Services on the AWS Cloud Quick Start Reference Deployment