Networking requirements for the Connector

Contributors netapp-bcammett netapp-tonacki

Set up your networking so the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.

The information on this page is for a typical deployment where the Connector has outbound internet access.

Tip If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server.

Connection to target networks

A Connector requires a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.

Possible conflict with IP addresses in the 172 range

If your network has a subnet configured in the 172 range, then you might experience connectivity failures from Cloud Manager. Learn more about this known issue.

Outbound internet access

Outbound internet access is required from the Connector.

Endpoints to manage resources in your public cloud environment

The Connector requires outbound internet access to manage resources and processes within your public cloud environment.

Endpoints Purpose

https://support.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://*.cloudmanager.cloud.netapp.com

To provide SaaS features and services within Cloud Manager.

https://cloudmanagerinfraprod.azurecr.io

To upgrade the Connector and its Docker components.

Endpoints to install the Connector on a Linux host

You have the option to manually install the Connector software on your own Linux host. If you do, the installer for the Connector must access the following URLs during the installation process:

  • https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

  • https://s3.amazonaws.com/aws-cli/awscli-bundle.zip

  • *.blob.core.windows.net or https://hub.docker.com

The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.

Ports and security groups

There’s no incoming traffic to the Connector, unless you initiate it. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.

Rules for the Connector in AWS

The security group for the Connector requires both inbound and outbound rules.

Inbound rules

Protocol Port Purpose

SSH

22

Provides SSH access to the Connector host

HTTP

80

Provides HTTP access from client web browsers to the local user interface and connections from Cloud Data Sense

HTTPS

443

Provides HTTPS access from client web browsers to the local user interface

TCP

3128

Provides the Cloud Data Sense instance with internet access, if your AWS network doesn’t use a NAT or proxy

TCP

9060

Provides the ability to enable and use Cloud Data Sense (required only for GovCloud deployments)

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Protocol Port Purpose

All TCP

All

All outbound traffic

All UDP

All

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

Note The source IP address is the Connector host.
Service Protocol Port Destination Purpose

Active Directory

TCP

88

Active Directory forest

Kerberos V authentication

TCP

139

Active Directory forest

NetBIOS service session

TCP

389

Active Directory forest

LDAP

TCP

445

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

TCP

464

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

TCP

749

Active Directory forest

Active Directory Kerberos V change & set password (RPCSEC_GSS)

UDP

137

Active Directory forest

NetBIOS name service

UDP

138

Active Directory forest

NetBIOS datagram service

UDP

464

Active Directory forest

Kerberos key administration

API calls and AutoSupport

HTTPS

443

Outbound internet and ONTAP cluster management LIF

API calls to AWS and ONTAP, and sending AutoSupport messages to NetApp

API calls

TCP

3000

ONTAP HA mediator

Communication with the ONTAP HA mediator

TCP

8088

Backup to S3

API calls to Backup to S3

DNS

UDP

53

DNS

Used for DNS resolve by Cloud Manager

Cloud Data Sense

HTTP

80

Cloud Data Sense instance

Cloud Data Sense for Cloud Volumes ONTAP

Rules for the Connector in Azure

The security group for the Connector requires both inbound and outbound rules.

Inbound rules

Port Protocol Purpose

22

SSH

Provides SSH access to the Connector host

80

HTTP

Provides HTTP access from client web browsers to the local user interface

443

HTTPS

Provides HTTPS access from client web browsers to the local user interface

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Port Protocol Purpose

All

All TCP

All outbound traffic

All

All UDP

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

Note The source IP address is the Connector host.
Service Port Protocol Destination Purpose

Active Directory

88

TCP

Active Directory forest

Kerberos V authentication

139

TCP

Active Directory forest

NetBIOS service session

389

TCP

Active Directory forest

LDAP

445

TCP

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

464

TCP

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

749

TCP

Active Directory forest

Active Directory Kerberos V change & set password (RPCSEC_GSS)

137

UDP

Active Directory forest

NetBIOS name service

138

UDP

Active Directory forest

NetBIOS datagram service

464

UDP

Active Directory forest

Kerberos key administration

API calls and AutoSupport

443

HTTPS

Outbound internet and ONTAP cluster management LIF

API calls to AWS and ONTAP, and sending AutoSupport messages to NetApp

DNS

53

UDP

DNS

Used for DNS resolve by Cloud Manager

Rules for the Connector in GCP

The firewall rules for the Connector requires both inbound and outbound rules.

Inbound rules

Protocol Port Purpose

SSH

22

Provides SSH access to the Connector host

HTTP

80

Provides HTTP access from client web browsers to the local user interface

HTTPS

443

Provides HTTPS access from client web browsers to the local user interface

Outbound rules

The predefined firewall rules for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined firewall rules for the Connector includes the following outbound rules.

Protocol Port Purpose

All TCP

All

All outbound traffic

All UDP

All

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

Note The source IP address is the Connector host.
Service Protocol Port Destination Purpose

Active Directory

TCP

88

Active Directory forest

Kerberos V authentication

TCP

139

Active Directory forest

NetBIOS service session

TCP

389

Active Directory forest

LDAP

TCP

445

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

TCP

464

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

TCP

749

Active Directory forest

Active Directory Kerberos V change & set password (RPCSEC_GSS)

UDP

137

Active Directory forest

NetBIOS name service

UDP

138

Active Directory forest

NetBIOS datagram service

UDP

464

Active Directory forest

Kerberos key administration

API calls and AutoSupport

HTTPS

443

Outbound internet and ONTAP cluster management LIF

API calls to GCP and ONTAP, and sending AutoSupport messages to NetApp

DNS

UDP

53

DNS

Used for DNS resolve by Cloud Manager

Ports for the on-prem Connector

The Connector uses the following ports when installed manually on an on-premises Linux host:

  • 80 for HTTP access

  • 443 for HTTPS access

  • 3306 for the Cloud Manager database

  • 8080 for the Cloud Manager API proxy

  • 8666 for the Service Manager API

  • 8777 for the Health-Checker Container Service API