Networking requirements for Cloud Volumes ONTAP in Azure

Contributors netapp-bcammett Download PDF of this page

Set up your Azure networking so Cloud Volumes ONTAP systems can operate properly. This includes networking for the Connector and Cloud Volumes ONTAP.

Requirements for Cloud Volumes ONTAP

The following networking requirements must be met in Azure.

Outbound internet access for Cloud Volumes ONTAP

Cloud Volumes ONTAP requires outbound internet access to send messages to NetApp AutoSupport, which proactively monitors the health of your storage.

Routing and firewall policies must allow HTTP/HTTPS traffic to the following endpoints so Cloud Volumes ONTAP can send AutoSupport messages:

Security groups

You do not need to create security groups because Cloud Manager does that for you. If you need to use your own, refer to the security group rules listed below.

Number of IP addresses

Cloud Manager allocates the following number of IP addresses to Cloud Volumes ONTAP in Azure:

  • Single node: 5 IP addresses

  • HA pair: 16 IP addresses

    Note that Cloud Manager creates an SVM management LIF on HA pairs, but not on single node systems in Azure.

    A LIF is an IP address associated with a physical port. An SVM management LIF is required for management tools like SnapCenter.
Connection from Cloud Volumes ONTAP to Azure Blob storage for data tiering

If you want to tier cold data to Azure Blob storage, you don’t need to set up a connection between the performance tier and the capacity tier as long as Cloud Manager has the required permissions. Cloud Manager enables a VNet service endpoint for you if the Cloud Manager policy has these permissions:

"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/routeTables/join/action",

These permissions are included in the latest Cloud Manager policy.

For details about setting up data tiering, see Tiering cold data to low-cost object storage.

Connections to ONTAP systems in other networks

To replicate data between a Cloud Volumes ONTAP system in Azure and ONTAP systems in other networks, you must have a VPN connection between the Azure VNet and the other network—for example, an AWS VPC or your corporate network.

Requirements for the Connector

Set up your networking so that the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.

If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server.

Connections to target networks

A Connector requires a network connection to the VPCs and VNets in which you want to deploy Cloud Volumes ONTAP.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.

Outbound internet access

The Connector requires outbound internet access to manage resources and processes within your public cloud environment. A Connector contacts the following endpoints when managing resources in Azure:

Endpoints Purpose

https://management.azure.com
https://login.microsoftonline.com

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in most Azure regions.

https://management.microsoftazure.de
https://login.microsoftonline.de

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure Germany regions.

https://management.usgovcloudapi.net
https://login.microsoftonline.com

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure US Gov regions.

https://api.services.cloud.netapp.com:443

API requests to NetApp Cloud Central.

https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com

Provides access to software images, manifests, and templates.

https://repo.cloud.support.netapp.com

Used to download Cloud Manager dependencies.

http://repo.mysql.com/

Used to download MySQL.

https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://sts.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.amazonaws.com

Enables Cloud Manager to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.

https://cloudmanagerinfraprod.azurecr.io

Access to software images of container components for an infrastructure that’s running Docker and provides a solution for service integrations with Cloud Manager.

https://kinesis.us-east-1.amazonaws.com

Enables NetApp to stream data from audit records.

https://cloudmanager.cloud.netapp.com

Communication with the Cloud Manager service, which includes Cloud Central accounts.

https://netapp-cloud-account.auth0.com

Communication with NetApp Cloud Central for centralized user authentication.

https://mysupport.netapp.com

Communication with NetApp AutoSupport.

https://support.netapp.com/svcgw
https://support.netapp.com/ServiceGW/entitlement
https://eval.lic.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com.s3.us-west-1.amazonaws.com

Communication with NetApp for system licensing and support registration.

https://ipa-signer.cloudmanager.netapp.com

Enables Cloud Manager to generate licenses (for example, a FlexCache license for Cloud Volumes ONTAP)

https://packages.cloud.google.com/yum
https://github.com/NetApp/trident/releases/download/

Required to connect Cloud Volumes ONTAP systems with a Kubernetes cluster. The endpoints enable installation of NetApp Trident.

*.blob.core.windows.net

Required for HA pairs when using a proxy.

Various third-party locations, for example:

  • https://repo1.maven.org/maven2

  • https://oss.sonatype.org/content/repositories

  • https://repo.typesafe.com

Third-party locations are subject to change.

During upgrades, Cloud Manager downloads the latest packages for third-party dependencies.

While you should perform almost all tasks from the SaaS user interface, a local user interface is still available on the Connector. The machine running the web browser must have connections to the following endpoints:

Endpoints Purpose

The Connector host

You must enter the host’s IP address from a web browser to load the Cloud Manager console.

Depending on your connectivity to your cloud provider, you can use the private IP or a public IP assigned to the host:

  • A private IP works if you have a VPN and direct connect access to your virtual network

  • A public IP works in any networking scenario

In any case, you should secure network access by ensuring that security group rules allow access from only authorized IPs or subnets.

https://auth0.com
https://cdn.auth0.com
https://netapp-cloud-account.auth0.com
https://services.cloud.netapp.com

Your web browser connects to these endpoints for centralized user authentication through NetApp Cloud Central.

https://widget.intercom.io

For in-product chat that enables you to talk to NetApp cloud experts.

Security group rules for Cloud Volumes ONTAP

Cloud Manager creates Azure security groups that include the inbound and outbound rules that Cloud Volumes ONTAP needs to operate successfully. You might want to refer to the ports for testing purposes or if you prefer your to use own security groups.

The security group for Cloud Volumes ONTAP requires both inbound and outbound rules.

Inbound rules for single node systems

The rules listed below allow traffic, unless the description notes that it blocks specific inbound traffic.

Priority and name Port and protocol Source and destination Description

1000
inbound_ssh

22
TCP

Any to Any

SSH access to the IP address of the cluster management LIF or a node management LIF

1001
inbound_http

80
TCP

Any to Any

HTTP access to the System Manager web console using the IP address of the cluster management LIF

1002
inbound_111_tcp

111
TCP

Any to Any

Remote procedure call for NFS

1003
inbound_111_udp

111
UDP

Any to Any

Remote procedure call for NFS

1004
inbound_139

139
TCP

Any to Any

NetBIOS service session for CIFS

1005
inbound_161-162 _tcp

161-162
TCP

Any to Any

Simple network management protocol

1006
inbound_161-162 _udp

161-162
UDP

Any to Any

Simple network management protocol

1007
inbound_443

443
TCP

Any to Any

HTTPS access to the System Manager web console using the IP address of the cluster management LIF

1008
inbound_445

445
TCP

Any to Any

Microsoft SMB/CIFS over TCP with NetBIOS framing

1009
inbound_635_tcp

635
TCP

Any to Any

NFS mount

1010
inbound_635_udp

635
UDP

Any to Any

NFS mount

1011
inbound_749

749
TCP

Any to Any

Kerberos

1012
inbound_2049_tcp

2049
TCP

Any to Any

NFS server daemon

1013
inbound_2049_udp

2049
UDP

Any to Any

NFS server daemon

1014
inbound_3260

3260
TCP

Any to Any

iSCSI access through the iSCSI data LIF

1015
inbound_4045-4046_tcp

4045-4046
TCP

Any to Any

NFS lock daemon and network status monitor

1016
inbound_4045-4046_udp

4045-4046
UDP

Any to Any

NFS lock daemon and network status monitor

1017
inbound_10000

10000
TCP

Any to Any

Backup using NDMP

1018
inbound_11104-11105

11104-11105
TCP

Any to Any

SnapMirror data transfer

3000
inbound_deny _all_tcp

Any port
TCP

Any to Any

Block all other TCP inbound traffic

3001
inbound_deny _all_udp

Any port
UDP

Any to Any

Block all other UDP inbound traffic

65000
AllowVnetInBound

Any port
Any protocol

VirtualNetwork to VirtualNetwork

Inbound traffic from within the VNet

65001
AllowAzureLoad BalancerInBound

Any port
Any protocol

AzureLoadBalancer to Any

Data traffic from the Azure Standard Load Balancer

65500
DenyAllInBound

Any port
Any protocol

Any to Any

Block all other inbound traffic

Inbound rules for HA systems

The rules listed below allow traffic, unless the description notes that it blocks specific inbound traffic.

HA systems have less inbound rules than single node systems because inbound data traffic goes through the Azure Standard Load Balancer. Because of this, traffic from the Load Balancer should be open, as shown in the "AllowAzureLoadBalancerInBound" rule.
Priority and name Port and protocol Source and destination Description

100
inbound_443

443
Any protocol

Any to Any

HTTPS access to the System Manager web console using the IP address of the cluster management LIF

101
inbound_111_tcp

111
Any protocol

Any to Any

Remote procedure call for NFS

102
inbound_2049_tcp

2049
Any protocol

Any to Any

NFS server daemon

111
inbound_ssh

22
Any protocol

Any to Any

SSH access to the IP address of the cluster management LIF or a node management LIF

121
inbound_53

53
Any protocol

Any to Any

DNS and CIFS

65000
AllowVnetInBound

Any port
Any protocol

VirtualNetwork to VirtualNetwork

Inbound traffic from within the VNet

65001
AllowAzureLoad BalancerInBound

Any port
Any protocol

AzureLoadBalancer to Any

Data traffic from the Azure Standard Load Balancer

65500
DenyAllInBound

Any port
Any protocol

Any to Any

Block all other inbound traffic

Outbound rules

The predefined security group for Cloud Volumes ONTAP opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for Cloud Volumes ONTAP includes the following outbound rules.

Port Protocol Purpose

All

All TCP

All outbound traffic

All

All UDP

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by Cloud Volumes ONTAP.

The source is the interface (IP address) on the Cloud Volumes ONTAP system.
Service Port Protocol Source Destination Purpose

Active Directory

88

TCP

Node management LIF

Active Directory forest

Kerberos V authentication

137

UDP

Node management LIF

Active Directory forest

NetBIOS name service

138

UDP

Node management LIF

Active Directory forest

NetBIOS datagram service

139

TCP

Node management LIF

Active Directory forest

NetBIOS service session

389

TCP & UDP

Node management LIF

Active Directory forest

LDAP

445

TCP

Node management LIF

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

464

TCP

Node management LIF

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

464

UDP

Node management LIF

Active Directory forest

Kerberos key administration

749

TCP

Node management LIF

Active Directory forest

Kerberos V change & set Password (RPCSEC_GSS)

88

TCP

Data LIF (NFS, CIFS, iSCSI)

Active Directory forest

Kerberos V authentication

137

UDP

Data LIF (NFS, CIFS)

Active Directory forest

NetBIOS name service

138

UDP

Data LIF (NFS, CIFS)

Active Directory forest

NetBIOS datagram service

139

TCP

Data LIF (NFS, CIFS)

Active Directory forest

NetBIOS service session

389

TCP & UDP

Data LIF (NFS, CIFS)

Active Directory forest

LDAP

445

TCP

Data LIF (NFS, CIFS)

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

464

TCP

Data LIF (NFS, CIFS)

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

464

UDP

Data LIF (NFS, CIFS)

Active Directory forest

Kerberos key administration

749

TCP

Data LIF (NFS, CIFS)

Active Directory forest

Kerberos V change & set password (RPCSEC_GSS)

DHCP

68

UDP

Node management LIF

DHCP

DHCP client for first-time setup

DHCPS

67

UDP

Node management LIF

DHCP

DHCP server

DNS

53

UDP

Node management LIF and data LIF (NFS, CIFS)

DNS

DNS

NDMP

18600–18699

TCP

Node management LIF

Destination servers

NDMP copy

SMTP

25

TCP

Node management LIF

Mail server

SMTP alerts, can be used for AutoSupport

SNMP

161

TCP

Node management LIF

Monitor server

Monitoring by SNMP traps

161

UDP

Node management LIF

Monitor server

Monitoring by SNMP traps

162

TCP

Node management LIF

Monitor server

Monitoring by SNMP traps

162

UDP

Node management LIF

Monitor server

Monitoring by SNMP traps

SnapMirror

11104

TCP

Intercluster LIF

ONTAP intercluster LIFs

Management of intercluster communication sessions for SnapMirror

11105

TCP

Intercluster LIF

ONTAP intercluster LIFs

SnapMirror data transfer

Syslog

514

UDP

Node management LIF

Syslog server

Syslog forward messages

Security group rules for the Connector

The security group for the Connector requires both inbound and outbound rules.

Inbound rules

The source for inbound rules in the predefined security group is 0.0.0.0/0.

Port Protocol Purpose

22

SSH

Provides SSH access to the Connector host

80

HTTP

Provides HTTP access from client web browsers to the local user interface

443

HTTPS

Provides HTTPS access from client web browsers to the local user interface

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Port Protocol Purpose

All

All TCP

All outbound traffic

All

All UDP

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

The source IP address is the Connector host.
Service Port Protocol Destination Purpose

Active Directory

88

TCP

Active Directory forest

Kerberos V authentication

139

TCP

Active Directory forest

NetBIOS service session

389

TCP

Active Directory forest

LDAP

445

TCP

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

464

TCP

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

749

TCP

Active Directory forest

Active Directory Kerberos V change & set password (RPCSEC_GSS)

137

UDP

Active Directory forest

NetBIOS name service

138

UDP

Active Directory forest

NetBIOS datagram service

464

UDP

Active Directory forest

Kerberos key administration

API calls and AutoSupport

443

HTTPS

Outbound internet and ONTAP cluster management LIF

API calls to AWS and ONTAP, and sending AutoSupport messages to NetApp

API calls

3000

TCP

ONTAP cluster management LIF

API calls to ONTAP

DNS

53

UDP

DNS

Used for DNS resolve by Cloud Manager