Skip to main content
Cloud Volumes ONTAP
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Deploy an HA pair in a shared subnet

Contributors netapp-bcammett netapp-rlithman

Starting with the 9.11.1 release, Cloud Volumes ONTAP HA pairs are supported in AWS with VPC sharing. VPC sharing enables your organization to share subnets with other AWS accounts. To use this configuration, you must set up your AWS environment and then deploy the HA pair using the API.

With VPC sharing, a Cloud Volumes ONTAP HA configuration is spread across two accounts:

  • The VPC owner account, which owns the networking (the VPC, subnets, route tables, and Cloud Volumes ONTAP security group)

  • The participant account, where the EC2 instances are deployed in shared subnets (this includes the two HA nodes and the mediator)

In the case of a Cloud Volumes ONTAP HA configuration that is deployed across multiple Availability Zones, the HA mediator needs specific permissions to write to the route tables in the VPC owner account. You need to provide those permissions by setting up an IAM role that the mediator can assume.

The following image shows the components involved this deployment:

A conceptual image of a Cloud Volumes ONTAP HA deployment in a shared VPC. It shows a shared VPC that is available to the VPC owner account and the participant account. The shared VPC includes the IAM role, route table, security group, and three shared subnets. The participant account includes the Cloud Volumes ONTAP HA configuration and an IAM role attached to the mediator.

As described in the steps below, you'll need to share the subnets with the participant account, and then create the IAM role and security group in the VPC owner account.

When you create the Cloud Volumes ONTAP working environment, BlueXP automatically creates and attaches an IAM role to the mediator. This role assumes the IAM role that you created in the VPC owner account in order to make changes to the route tables associated with the HA pair.

Steps
  1. Share the subnets in the VPC owner account with the participant account.

    This step is required to deploy the HA pair in shared subnets.

  2. In the VPC owner account, create a security group for Cloud Volumes ONTAP.

    Refer to the security group rules for Cloud Volumes ONTAP. Note that you don't need to create a security group for the HA mediator. BlueXP does that for you.

  3. In the VPC owner account, create an IAM role that includes the following permissions:

    Action": [
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:CreateRoute",
                    "ec2:DeleteRoute",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeVpcs",
                    "ec2:ReplaceRoute",
                    "ec2:UnassignPrivateIpAddresses"
  4. Use the BlueXP API to create a new Cloud Volumes ONTAP working environment.

    Note that you must specify the following fields:

    • "securityGroupId"

      The "securityGroupId" field should specify the security group that you created in the VPC owner account (see step 2 above).

    • "assumeRoleArn" in the "haParams" object

      The "assumeRoleArn" field should include the ARN of the IAM role that you created in the VPC owner account (see step 3 above).

      For example:

      "haParams": {
           "assumeRoleArn": "arn:aws:iam::642991768967:role/mediator_role_assume_fromdev"
      }