
Important changes in Cloud Manager

Contributors: netapp-bcammett

This page highlights important changes in Cloud Manager that can help you use the service as we introduce new enhancements. You should continue to read the What’s new page to learn about all new features and enhancements.

SaaS changes

We have introduced a software-as-a-service experience for Cloud Manager. This new experience makes it easier for you to use Cloud Manager and enables us to provide additional features to manage your hybrid cloud infrastructure.

Machine type changes

To ensure that adequate resources are available for new and upcoming features in Cloud Manager, we’ve changed the minimum required instance, VM, and machine type as follows:

  • AWS: t3.xlarge

  • Azure: DS3 v2

  • GCP: n1-standard-4

When you upgrade the machine type, you’ll get access to features like a new Kubernetes experience, Global File Cache, Monitoring, and more.

These default sizes are the minimum supported based on CPU and RAM requirements.

Cloud Manager will prompt you with instructions to change the machine type of the Connector.

Account settings

We introduced Cloud Central accounts to provide multi-tenancy, to help you organize users and resources in isolated workspaces, and to manage access to Connectors and subscriptions.

New permissions

Cloud Manager occasionally requires additional cloud provider permissions as we introduce new features and enhancements. This section identifies new permissions that are now required.

You can find the latest list of permissions on the Cloud Manager policies page.

AWS

Starting with the 3.8.1 release, the following permissions are required to use Backup to Cloud with Cloud Volumes ONTAP:

{
    "Sid": "backupPolicy",
    "Effect": "Allow",
    "Action": [
        "s3:DeleteBucket",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketTagging",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:PutBucketPublicAccessBlock"
    ],
    "Resource": [
        "arn:aws:s3:::netapp-backup-*"
    ]
}
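One way to audit an existing Connector policy against the statement above is sketched below. This is an added example, not NetApp code: the function name, the sample bucket ARN, and the sample policy are constructed for illustration, and only Allow statements are evaluated.

```python
import json
import re

# Actions from the "backupPolicy" statement on this page, in page order.
REQUIRED_ACTIONS = [
    "s3:DeleteBucket", "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration",
    "s3:PutBucketTagging", "s3:ListBucketVersions", "s3:GetObject", "s3:ListBucket",
    "s3:ListAllMyBuckets", "s3:GetBucketTagging", "s3:GetBucketLocation",
    "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetBucketAcl",
    "s3:GetBucketPolicy", "s3:PutBucketPublicAccessBlock",
]
# Constructed bucket ARN that falls under the page's netapp-backup-* pattern.
SAMPLE_BUCKET_ARN = "arn:aws:s3:::netapp-backup-example"

def _as_list(value):
    # IAM allows a single string or object where a list is also legal.
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def missing_backup_actions(policy, resource_arn=SAMPLE_BUCKET_ARN):
    """Return required actions that no Allow statement grants on resource_arn.

    Simplification: Deny statements, NotAction/NotResource and Condition
    blocks are not evaluated, so an empty result is necessary, not sufficient.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue  # statement is scoped to other buckets
        for action in REQUIRED_ACTIONS:
            if any(_wildcard_match(p, action, ignore_case=True)
                   for p in _as_list(stmt["Action"])):
                granted.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in granted]

# Constructed sample: read access on the backup buckets, write access elsewhere.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket", "s3:ListAllMyBuckets"],
   "Resource": ["arn:aws:s3:::netapp-backup-*"]},
  {"Effect": "Allow", "Action": ["s3:DeleteBucket", "s3:PutBucketTagging"],
   "Resource": "arn:aws:s3:::other-bucket-*"}]}""")

if __name__ == "__main__":
    print("Missing for Backup to Cloud:", missing_backup_actions(SAMPLE_POLICY))
```

The second sample statement grants `s3:DeleteBucket` and `s3:PutBucketTagging` only on a different bucket prefix, so both are still reported as missing for the backup buckets.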

Azure

  • To avoid Azure deployment failures, make sure that your Cloud Manager policy in Azure includes the following permission:

    "Microsoft.Resources/deployments/operationStatuses/read"

  • Starting with the 3.8.7 release, the following permission is required to encrypt Azure managed disks on single-node Cloud Volumes ONTAP systems using external keys from another account:

    "Microsoft.Compute/diskEncryptionSets/read"

  • The following permissions are required to enable Global File Cache on Cloud Volumes ONTAP:

    "Microsoft.Resources/deployments/operationStatuses/read",
    "Microsoft.Insights/Metrics/Read",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/extensions/read",
    "Microsoft.Compute/virtualMachines/extensions/delete",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Resources/deployments/delete"

GCP

New permissions for HA pairs

Starting with the 3.9 release, the service account for a Connector requires additional permissions to deploy a Cloud Volumes ONTAP HA pair in GCP:

- compute.addresses.list
- compute.backendServices.create
- compute.networks.updatePolicy
- compute.regionBackendServices.create
- compute.regionBackendServices.get
- compute.regionBackendServices.list
- iam.serviceAccounts.actAs
- storage.objects.get
- storage.objects.list

New permissions for Kubernetes management

Starting with the 3.8.8 release, the service account for a Connector requires additional permissions to discover and manage Kubernetes clusters running in Google Kubernetes Engine (GKE):

- container.*

New permissions for data tiering

Starting with the 3.8 release, the following permissions are now required to use a service account for data tiering:

- storage.buckets.update
- compute.instances.setServiceAccount
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.list

New endpoints

The Connector requires outbound internet access to manage resources and processes within your public cloud environment. This section identifies new endpoints that are now required.

  • Users need to access Cloud Manager from a web browser by contacting the following endpoint:

    https://cloudmanager.netapp.com

  • Connectors require access to the following endpoint to obtain software images of container components for a Docker infrastructure:

    https://cloudmanagerinfraprod.azurecr.io

    Ensure that your firewall enables access to this endpoint from the Connector.