Getting started with Cloud Compliance for Cloud Volumes ONTAP, on-premises ONTAP, or Azure NetApp Files

Contributors: netapp-tonacki, netapp-bcammett

Complete a few steps to get started with Cloud Compliance for Cloud Volumes ONTAP, on-premises ONTAP systems, or Azure NetApp Files.

Quick start

Get started quickly by following these steps or scroll down to the remaining sections for full details.

1. Discover the data sources that contain the data you want to scan

Before you can scan volumes, you must add the systems to working environments in Cloud Manager.

2. Deploy the Cloud Compliance instance

Deploy Cloud Compliance in Cloud Manager if there isn’t already an instance deployed.

3. Enable Cloud Compliance in your working environments and select the volumes to scan

Click Compliance, select the Configuration tab, and activate compliance scans for volumes in specific working environments.

4. Ensure access to volumes

Now that Cloud Compliance is enabled, ensure that it can access volumes.

  • The Cloud Compliance instance needs a network connection to each Cloud Volumes ONTAP subnet, Azure NetApp Files subnet, or on-prem ONTAP system.

  • Security groups for Cloud Volumes ONTAP must allow inbound connections from the Cloud Compliance instance.

  • NFS volume export policies must allow access from the Cloud Compliance instance.

  • Cloud Compliance needs Active Directory credentials to scan CIFS volumes.

    Click Compliance > Scan Configuration > Edit CIFS Credentials and provide the credentials.

5. Manage the volumes you want to scan

Select or deselect the volumes that you want to scan and Cloud Compliance will start or stop scanning them.

Discovering the data sources that you want to scan

If the data sources you want to scan are not already in your Cloud Manager environment, you can add them to working environments at this time.

Your Cloud Volumes ONTAP systems should already be available in working environments in Cloud Manager. For on-premises ONTAP systems you need to have Cloud Manager discover these clusters. And for Azure NetApp Files, Cloud Manager must be set up to discover the configuration.

Deploying the Cloud Compliance instance

Deploy Cloud Compliance if there isn’t already an instance deployed.

Cloud Compliance can be deployed in the cloud or in an on-premises location when scanning Cloud Volumes ONTAP or on-premises ONTAP systems.

Cloud Compliance must be deployed in the cloud when scanning Azure NetApp Files volumes, and it must be deployed in the same region as the volumes you wish to scan.

Enabling Cloud Compliance in your working environments

  1. At the top of Cloud Manager, click Compliance and then select the Configuration tab.

    A screenshot of the Scan Configuration tab immediately after deploying the Cloud Compliance instance.

  2. To scan all volumes in a working environment, click Activate Compliance for All Volumes.

    To scan only certain volumes in a working environment, click or select Volumes and then choose the volumes you want to scan.

Result

Cloud Compliance starts scanning the volumes you selected in the working environment. Results will be available in the Compliance dashboard as soon as Cloud Compliance finishes the initial scans. The time that it takes depends on the amount of data; it could be a few minutes or hours.

Verifying that Cloud Compliance has access to volumes

Make sure that Cloud Compliance can access volumes by checking your networking, security groups, and export policies. You’ll need to provide Cloud Compliance with CIFS credentials so it can access CIFS volumes.

Steps

  1. Make sure that there’s a network connection between the Cloud Compliance instance and each network that includes volumes for Cloud Volumes ONTAP, Azure NetApp Files, or on-prem ONTAP clusters.

    For Azure NetApp Files, Cloud Compliance can only scan volumes that are in the same region as Cloud Manager.

  2. Ensure that the security group for Cloud Volumes ONTAP allows inbound traffic from the Cloud Compliance instance.

    You can either open the security group for traffic from the IP address of the Cloud Compliance instance, or you can open the security group for all traffic from inside the virtual network.

  3. Ensure that NFS volume export policies include the IP address of the Cloud Compliance instance so it can access the data on each volume.

  4. If you use CIFS, provide Cloud Compliance with Active Directory credentials so it can scan CIFS volumes.

    1. At the top of Cloud Manager, click Compliance.

    2. Click the Configuration tab.

      A screenshot of the Compliance tab that shows the Scan Status button that’s available in the top right of the content pane.

    3. For each working environment, click Edit CIFS Credentials and enter the user name and password that Cloud Compliance needs to access CIFS volumes on the system.

      The credentials can be read-only, but providing admin credentials ensures that Cloud Compliance can read any data that requires elevated permissions. The credentials are stored on the Cloud Compliance instance.

      After you enter the credentials, you should see a message that all CIFS volumes were authenticated successfully.

      A screenshot that shows the Scan Configuration page and one Cloud Volumes ONTAP system for which CIFS credentials were successfully provided.

  5. On the Scan Configuration page, click View Details to review the status for each CIFS and NFS volume and correct any errors.

    For example, the following image shows three volumes, one of which Cloud Compliance can’t scan due to network connectivity issues between the Cloud Compliance instance and the volume.

    A screenshot of the View Details page in the scan configuration that shows three volumes, one of which isn’t being scanned because of network connectivity between Cloud Compliance and the volume.
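Steps 3 and 5 above come down to one question per NFS volume: does the export policy's first matching rule let the Cloud Compliance instance read the volume? The following Python is an added example, not part of the NetApp documentation, that answers that question offline for a set of export-policy rules. The rule data and the instance IP are constructed samples; in practice you would pull the rules from ONTAP (for example via its REST API) and feed them in the same shape. It assumes ONTAP's documented first-match rule evaluation and that a read-only rule of "never" denies access.

```python
import ipaddress

# Constructed sample data: the Cloud Compliance instance IP and the rules of
# three export policies. Field names (clientmatch, rorule, rwrule) follow the
# ONTAP export-rule fields; the values are invented for this example.
COMPLIANCE_INSTANCE_IP = "10.0.2.15"

SAMPLE_RULES = {
    "default": [
        {"clientmatch": "0.0.0.0/0", "rorule": ["never"], "rwrule": ["never"]},
    ],
    "finance_nfs": [
        {"clientmatch": "10.0.1.0/24", "rorule": ["sys"], "rwrule": ["sys"]},
        {"clientmatch": "10.0.2.15", "rorule": ["sys"], "rwrule": ["never"]},
    ],
    "hr_nfs": [
        {"clientmatch": "10.0.1.0/24,10.0.3.0/24", "rorule": ["sys"], "rwrule": ["sys"]},
    ],
}


def clientmatch_covers(clientmatch: str, client_ip: str) -> bool:
    """True if any entry of the comma-separated clientmatch matches client_ip.
    Single IPs and CIDR blocks are evaluated; hostname, netgroup and domain
    entries need DNS/NIS to resolve, so they are skipped in this offline check."""
    ip = ipaddress.ip_address(client_ip)
    for entry in clientmatch.split(","):
        try:
            if ip in ipaddress.ip_network(entry.strip(), strict=False):
                return True
        except ValueError:
            continue  # not an IP or CIDR: cannot be resolved offline
    return False


def policies_blocking_scanner(policies: dict, client_ip: str) -> list:
    """Names of export policies that would not let client_ip read a volume.
    ONTAP applies the first rule whose clientmatch hits, so an earlier
    matching rule with rorule 'never' blocks access even if a later rule
    would allow it."""
    blocked = []
    for name, rules in policies.items():
        first = next((r for r in rules if clientmatch_covers(r["clientmatch"], client_ip)), None)
        if first is None or all(r == "never" for r in first["rorule"]):
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    for name in policies_blocking_scanner(SAMPLE_RULES, COMPLIANCE_INSTANCE_IP):
        print(f"export policy {name!r} does not allow reads from {COMPLIANCE_INSTANCE_IP}")
```

With the sample data the "default" policy (deny-all) and "hr_nfs" (no matching client entry) are reported, while "finance_nfs" passes because its second rule names the instance IP with a read-only rule of "sys".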

Enabling and disabling compliance scans on volumes

You can stop or start scanning volumes in a working environment at any time from the Scan Configuration page. We recommend that you scan all volumes.

A screenshot of the scan configuration page where you can enable or disable scanning of individual volumes.

To:                                   Do this:

Disable scanning for a volume         Move the volume slider to the left

Disable scanning for all volumes      Move the Activate Compliance for all Volumes slider to the left

Enable scanning for a volume          Move the volume slider to the right

Enable scanning for all volumes       Move the Activate Compliance for all Volumes slider to the right

New volumes added to the working environment are automatically scanned only when the Activate Compliance for all Volumes setting is enabled. When this setting is disabled, you’ll need to activate scanning on each new volume you create in the working environment.

Scanning data protection volumes

By default, data protection (DP) volumes are not scanned because they are not exposed externally and Cloud Compliance cannot access them. These are the destination volumes for SnapMirror operations from an on-premises ONTAP system or from a Cloud Volumes ONTAP system.

Initially, the volume list identifies these volumes as Type DP with the Status Not Scanning and the Required Action Enable Access to DP volumes.

A screenshot showing the Enable Access to DP Volumes button that you can select to scan data protection volumes.

Steps

If you want to scan these data protection volumes:

  1. Click the Enable Access to DP volumes button at the top of the page.

  2. Review the confirmation message and click Enable Access to DP volumes again.

    • Volumes that were initially created as NFS volumes in the source ONTAP system are enabled.

    • Volumes that were initially created as CIFS volumes in the source ONTAP system require that you enter CIFS credentials to scan those DP volumes. If you already entered Active Directory credentials so that Cloud Compliance can scan CIFS volumes, you can use those credentials, or you can specify a different set of Admin credentials.

      A screenshot of the two options for enabling CIFS data protection volumes.

  3. Activate each DP volume that you want to scan the same way you enabled other volumes, or use the Activate Compliance for all Volumes control to enable all volumes, including all DP volumes.

Result

Once enabled, Cloud Compliance creates an NFS share from each DP volume that was activated for Compliance so that it can be scanned. The share export policies only allow access from the Cloud Compliance instance.

Note: If you had no CIFS data protection volumes when you initially enabled access to DP volumes, and later add some, the button Enable Access to CIFS DP appears at the top of the Scan Configuration page. Click this button and add CIFS credentials to enable access to these CIFS DP volumes.