Skip to main content
Cloud Volumes ONTAP
All cloud providers
  • Amazon Web Services
  • Google Cloud
  • Microsoft Azure
  • All cloud providers

Deploy Cloud Volumes ONTAP in AWS Secret Cloud and Top Secret Cloud regions

Contributors netapp-manini netapp-rlithman netapp-dbagwell netapp-bcammett

Similar to a standard AWS region, you can use BlueXP in AWS Secret Cloud and in AWS Top Secret Cloud to deploy Cloud Volumes ONTAP, which provides enterprise-class features for your cloud storage. AWS Secret Cloud and Top Secret Cloud are closed regions specific to the U.S. Intelligence Community; the instructions on this page only apply to AWS Secret Cloud and Top Secret Cloud region users.

Before you begin

Before you get started, review the supported versions in AWS Secret Cloud and Top Secret Cloud, and learn about private mode in BlueXP.

  • Review the following supported versions in AWS Secret Cloud and Top Secret Cloud:

    • Cloud Volumes ONTAP 9.12.1 P2

    • Version 3.9.32 of the Connector

      The Connector is software that's required to deploy and manage Cloud Volumes ONTAP in AWS. You'll log in to BlueXP from the software that gets installed on the Connector instance. The SaaS website for BlueXP isn't supported in AWS Secret Cloud and Top Secret Cloud.

  • Learn about private mode

    In AWS Secret Cloud and Top Secret Cloud, BlueXP operates in private mode. In private mode, there is no connectivity to the BlueXP SaaS layer. Users access BlueXP locally from the web-based console that’s available from the Connector, not from the SaaS layer.

    To learn more about how private mode works, refer to BlueXP private deployment mode.

Step 1: Set up your networking

Set up your AWS networking so Cloud Volumes ONTAP can operate properly.

Steps
  1. Choose the VPC and subnets in which you want to launch the Connector instance and Cloud Volumes ONTAP instances.

  2. Ensure that your VPC and subnets will support connectivity between the Connector and Cloud Volumes ONTAP.

  3. Set up a VPC endpoint to the S3 service.

    A VPC endpoint is required if you want to tier cold data from Cloud Volumes ONTAP to low-cost object storage.

Step 2: Set up permissions

Set up IAM policies and roles that provide the Connector and Cloud Volumes ONTAP with the permissions that they need to perform actions in the AWS Secret Cloud or Top Secret Cloud.

You need an IAM policy and IAM role for each of the following:

  • The Connector instance

  • Cloud Volumes ONTAP instances

  • For HA pairs, the Cloud Volumes ONTAP HA mediator instance (if you want to deploy HA pairs)

Steps
  1. Go to the AWS IAM console and click Policies.

  2. Create a policy for the Connector instance.

    Note You create these policies to support the S3 buckets in your AWS environment. While creating the buckets later, ensure that the bucket names are prefixed with fabric-pool-. This requirement applies to both the AWS Secret Cloud and Top Secret Cloud regions.
    Secret regions
    {
        "Version": "2012-10-17",
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus",
                    "ec2:RunInstances",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeImages",
                    "ec2:CreateTags",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:ModifyVolumeAttribute",
                    "ec2:DeleteVolume",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeSecurityGroups",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeDhcpOptions",
                    "ec2:CreateSnapshot",
                    "ec2:DeleteSnapshot",
                    "ec2:DescribeSnapshots",
                    "ec2:GetConsoleOutput",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeRegions",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:ValidateTemplate",
                    "iam:PassRole",
                    "iam:CreateRole",
                    "iam:DeleteRole",
                    "iam:PutRolePolicy",
                    "iam:ListInstanceProfiles",
                    "iam:CreateInstanceProfile",
                    "iam:DeleteRolePolicy",
                    "iam:AddRoleToInstanceProfile",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:DeleteInstanceProfile",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:GetBucketTagging",
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets",
                    "kms:List*",
                    "kms:Describe*",
                    "ec2:AssociateIamInstanceProfile",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:DisassociateIamInstanceProfile",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:CreatePlacementGroup",
                    "ec2:DeletePlacementGroup"
                ],
                "Resource": "*"
            },
            {
                "Sid": "fabricPoolPolicy",
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteBucket",
                    "s3:GetLifecycleConfiguration",
                    "s3:PutLifecycleConfiguration",
                    "s3:PutBucketTagging",
                    "s3:ListBucketVersions"
                ],
                "Resource": [
                    "arn:aws-iso-b:s3:::fabric-pool*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances",
                    "ec2:AttachVolume",
                    "ec2:DetachVolume"
                ],
                "Condition": {
                    "StringLike": {
                        "ec2:ResourceTag/WorkingEnvironment": "*"
                    }
                },
                "Resource": [
                    "arn:aws-iso-b:ec2:*:*:instance/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachVolume",
                    "ec2:DetachVolume"
                ],
                "Resource": [
                    "arn:aws-iso-b:ec2:*:*:volume/*"
                ]
            }
        ]
    }
    Top Secret regions
    {
        "Version": "2012-10-17",
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus",
                    "ec2:RunInstances",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeImages",
                    "ec2:CreateTags",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:ModifyVolumeAttribute",
                    "ec2:DeleteVolume",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeSecurityGroups",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeDhcpOptions",
                    "ec2:CreateSnapshot",
                    "ec2:DeleteSnapshot",
                    "ec2:DescribeSnapshots",
                    "ec2:GetConsoleOutput",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeRegions",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:ValidateTemplate",
                    "iam:PassRole",
                    "iam:CreateRole",
                    "iam:DeleteRole",
                    "iam:PutRolePolicy",
                    "iam:ListInstanceProfiles",
                    "iam:CreateInstanceProfile",
                    "iam:DeleteRolePolicy",
                    "iam:AddRoleToInstanceProfile",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:DeleteInstanceProfile",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:GetBucketTagging",
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets",
                    "kms:List*",
                    "kms:Describe*",
                    "ec2:AssociateIamInstanceProfile",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:DisassociateIamInstanceProfile",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:CreatePlacementGroup",
                    "ec2:DeletePlacementGroup"
                ],
                "Resource": "*"
            },
            {
                "Sid": "fabricPoolPolicy",
                "Effect": "Allow",
                "Action": [
                    "s3:DeleteBucket",
                    "s3:GetLifecycleConfiguration",
                    "s3:PutLifecycleConfiguration",
                    "s3:PutBucketTagging",
                    "s3:ListBucketVersions"
                ],
                "Resource": [
                    "arn:aws-iso:s3:::fabric-pool*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances",
                    "ec2:AttachVolume",
                    "ec2:DetachVolume"
                ],
                "Condition": {
                    "StringLike": {
                        "ec2:ResourceTag/WorkingEnvironment": "*"
                    }
                },
                "Resource": [
                    "arn:aws-iso:ec2:*:*:instance/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachVolume",
                    "ec2:DetachVolume"
                ],
                "Resource": [
                    "arn:aws-iso:ec2:*:*:volume/*"
                ]
            }
        ]
    }
  3. Create a policy for Cloud Volumes ONTAP.

    Secret regions
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws-iso-b:s3:::*",
            "Effect": "Allow"
        }, {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
            "Effect": "Allow"
        }, {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
            "Effect": "Allow"
        }]
    }
    Top Secret regions
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws-iso:s3:::*",
            "Effect": "Allow"
        }, {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws-iso:s3:::fabric-pool-*",
            "Effect": "Allow"
        }, {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws-iso:s3:::fabric-pool-*",
            "Effect": "Allow"
        }]
    }

    For HA pairs, if you plan to deploy a Cloud Volumes ONTAP HA pair, create a policy for the HA mediator.

    {
    	"Version": "2012-10-17",
    	"Statement": [{
    			"Effect": "Allow",
    			"Action": [
    				"ec2:AssignPrivateIpAddresses",
    				"ec2:CreateRoute",
    				"ec2:DeleteRoute",
    				"ec2:DescribeNetworkInterfaces",
    				"ec2:DescribeRouteTables",
    				"ec2:DescribeVpcs",
    				"ec2:ReplaceRoute",
    				"ec2:UnassignPrivateIpAddresses"
    			],
    			"Resource": "*"
    		}
    	]
    }
  4. Create IAM roles with the role type Amazon EC2 and attach the policies that you created in the previous steps.

    Create the role:

    Similar to the policies, you should have one IAM role for the Connector and one for the Cloud Volumes ONTAP nodes.
    For HA pairs: Similar to the policies, you should have one IAM role for the Connector, one for the Cloud Volumes ONTAP nodes, and one for the HA mediator (if you want to deploy HA pairs).

    Select the role:

    You must select the Connector IAM role when you launch the Connector instance. You can select the IAM roles for Cloud Volumes ONTAP when you create a Cloud Volumes ONTAP working environment from BlueXP.
    For HA pairs, you can select the IAM roles for Cloud Volumes ONTAP and the HA mediator when you create a Cloud Volumes ONTAP working environment from BlueXP.

Step 3: Set up the AWS KMS

If you want to use Amazon encryption with Cloud Volumes ONTAP, ensure that requirements are met for the AWS Key Management Service (KMS).

Steps
  1. Ensure that an active Customer Master Key (CMK) exists in your account or in another AWS account.

    The CMK can be an AWS-managed CMK or a customer-managed CMK.

  2. If the CMK is in an AWS account separate from the account where you plan to deploy Cloud Volumes ONTAP, then you need to obtain the ARN of that key.

    You'll need to provide the ARN to BlueXP when you create the Cloud Volumes ONTAP system.

  3. Add the IAM role for the Connector instance to the list of key users for a CMK.

    This gives BlueXP permissions to use the CMK with Cloud Volumes ONTAP.

Step 4: Install the Connector and set up BlueXP

Before you can start using BlueXP to deploy Cloud Volumes ONTAP in AWS, you must install and set up the BlueXP Connector. The Connector enables BlueXP to manage resources and processes within your public cloud environment (this includes Cloud Volumes ONTAP).

Steps
  1. Obtain a root certificate signed by a certificate authority (CA) in the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format. Consult your organization's policies and procedures for obtaining the certificate.

    Note For AWS Secret Cloud regions, you should upload the NSS Root CA 2 certificate, and for Top Secret Cloud, the Amazon Root CA 4 certificate. Ensure that you upload only these certificates and not the entire chain. The file for the certificate chain is large, and the upload can fail. If you have additional certificates, you can upload them later, as described in the next step.

    You'll need to upload the certificate during the setup process. BlueXP uses the trusted certificate when sending requests to AWS over HTTPS.

  2. Launch the Connector instance:

    1. Go to the AWS Intelligence Community Marketplace page for BlueXP.

    2. On the Custom Launch tab, choose the option to launch the instance from the EC2 console.

    3. Follow the prompts to configure the instance.

      Note the following as you configure the instance:

      • We recommend t3.xlarge.

      • You must choose the IAM role that you created when you set up permissions.

      • You should keep the default storage options.

      • The required connection methods for the Connector are as follows: SSH, HTTP, and HTTPS.

  3. Set up BlueXP from a host that has a connection to the Connector instance:

    1. Open a web browser and enter https://ipaddress where ipaddress is the IP address of the Linux host where you installed the Connector.

    2. Specify a proxy server for connectivity to AWS services.

    3. Upload the certificate that you obtained in step 1.

    4. Select Set Up New BlueXP and follow the prompts to set up the system.

      • System Details: Enter a name for the Connector and your company name.

      • Create Admin User: Create the admin user for the system.

        This user account runs locally on the system. There's no connection to the auth0 service available through BlueXP.

      • Review: Review the details, accept the license agreement, and then select Set Up.

    5. To complete installation of the CA-signed certificate, restart the Connector instance from the EC2 console.

  4. After the Connector restarts, log in using the administrator user account that you created in the Setup wizard.

Step 5: (optional) Install a private mode certificate

This step is optional for AWS Secret Cloud and Top Secret Cloud regions, and is required only if you have additional certificates apart from the root certificates that you installed in the previous step.

Steps
  1. List existing installed certificates.

    1. To collect the occm container docker id (identified name “ds-occm-1”), run the following command:

      docker ps
    2. To get inside occm container, run the following command:

      docker exec -it <docker-id> /bin/sh
    3. To collect the password from “TRUST_STORE_PASSWORD” environment variable, run the following command:

      env
    4. To list all installed certificates in truststore, run the following command and use the password collected in the previous step:

      keytool -list -v -keystore occm.truststore
  2. Add a certificate.

    1. To collect occm container docker id (identified name “ds-occm-1”), run the following command:

      docker ps
    2. To get inside occm container, run the following command:

      docker exec -it <docker-id> /bin/sh

      Save the new certificate file inside.

    3. To collect the password from “TRUST_STORE_PASSWORD” environment variable, run the following command:

      env
    4. To add the certificate to the truststore, run the following command and use the password from the previous step:

      keytool -import -alias <alias-name> -file <certificate-file-name> -keystore occm.truststore
    5. To check that the certificate installed, run the following command:

      keytool -list -v -keystore occm.truststore -alias <alias-name>
    6. To exit occm container, run the following command:

      exit
    7. To reset occm container, run the following command:

      docker restart <docker-id>

Step 6: Add a license to the BlueXP digital wallet

If you purchased a license from NetApp, you need to add it to the BlueXP digital wallet so that you can select the license when you create a new Cloud Volumes ONTAP system. The digital wallet identifies these licenses as unassigned.

Steps
  1. From the BlueXP navigation menu, select Governance > Digital wallet.

  2. On the Cloud Volumes ONTAP tab, select Node Based Licenses from the drop-down.

  3. Click Unassigned.

  4. Click Add Unassigned Licenses.

  5. Enter the serial number of the license or upload the license file.

  6. If you don't have the license file yet, you'll need to manually upload the license file from netapp.com.

    1. Go to the NetApp License File Generator and log in using your NetApp Support Site credentials.

    2. Enter your password, choose your product, enter the serial number, confirm that you have read and accepted the privacy policy, and then click Submit.

    3. Choose whether you want to receive the serialnumber.NLF JSON file through email or direct download.

  7. Click Add License.

Result

BlueXP adds the license to the digital wallet. The license will be identified as unassigned until you associate it with a new Cloud Volumes ONTAP system. After that happens, the license moves to the BYOL tab in the digital wallet.

Step 7: Launch Cloud Volumes ONTAP from BlueXP

You can launch Cloud Volumes ONTAP instances in AWS Secret Cloud and Top Secret Cloud by creating new working environments in BlueXP.

Before you begin

For HA pairs, a key pair is required to enable key-based SSH authentication to the HA mediator.

Steps
  1. On the Working Environments page, click Add Working Environment.

  2. Under Create, select Cloud Volumes ONTAP.

    For HA: Under Create, select Cloud Volumes ONTAP or Cloud Volumes ONTAP HA.

  3. Complete the steps in the wizard to launch the Cloud Volumes ONTAP system.

    Caution While making selections through the wizard, do not select Data Sense & Compliance and Backup to Cloud under Services. Under Preconfigured Packages, select Change Configuration only, and ensure that you haven't selected any other option. Preconfigured packages aren't supported in AWS Secret Cloud and Top Secret Cloud regions, and if selected, your deployment will fail.
Notes for deploying Cloud Volumes ONTAP HA in multiple Availability Zones

Note the following as you complete the wizard for HA pairs.

  • You should configure a transit gateway when you deploy Cloud Volumes ONTAP HA in multiple Availability Zones (AZs). For instructions, refer to Set up an AWS transit gateway.

  • Deploy the configuration as the following because only two AZs were available in the AWS Top Secret Cloud at the time of publication:

    • Node 1: Availability Zone A

    • Node 2: Availability Zone B

    • Mediator: Availability Zone A or B

Notes for deploying Cloud Volumes ONTAP in both single and HA nodes

Note the following as you complete the wizard:

  • You should leave the default option to use a generated security group.

    The predefined security group includes the rules that Cloud Volumes ONTAP needs to operate successfully. If you have a requirement to use your own, you can refer to the security group section below.

  • You must choose the IAM role that you created when preparing your AWS environment.

  • The underlying AWS disk type is for the initial Cloud Volumes ONTAP volume.

    You can choose a different disk type for subsequent volumes.

  • The performance of AWS disks is tied to disk size.

    You should choose the disk size that gives you the sustained performance that you need. Refer to AWS documentation for more details about EBS performance.

  • The disk size is the default size for all disks on the system.

    Note If you need a different size later, you can use the Advanced allocation option to create an aggregate that uses disks of a specific size.
Result

BlueXP launches the Cloud Volumes ONTAP instance. You can track the progress in the timeline.

Step 8: Install security certificates for data tiering

You need to manually install security certificates for enabling data tiering in AWS Secret Cloud and Top Secret Cloud regions.

Before you begin
  1. Create S3 buckets.

    Note Ensure that the bucket names are prefixed with fabric-pool-. For example fabric-pool-testbucket.
  2. Keep the root certificates that you installed in step 4 handy.

Steps
  1. Copy the text from the root certificates that you installed in step 4.

  2. Securely connect to the Cloud Volumes ONTAP system by using the CLI.

  3. Install the root certificates. You might need to press the ENTER key multiple times:

    security certificate install -type server-ca -cert-name <certificate-name>
  4. When prompted, enter the entire copied text, including and from ----- BEGIN CERTIFICATE ----- to ----- END CERTIFICATE -----.

  5. Keep a copy of the CA-signed digital certificate for future reference.

  6. Retain the CA name and certificate serial number.

  7. Configure the object store for AWS Secret Cloud and Top Secret Cloud regions: set -privilege advanced -confirmations off

  8. Run this command to configure the object store.

    Note All Amazon Resource Names (ARNs) should be suffixed with -iso-b, such as arn:aws-iso-b. For example, if a resource requires an ARN with a region, for Top Secret Cloud, use the naming convention as us-iso-b for the -server flag. For AWS Secret Cloud, use us-iso-b-1.
    storage aggregate object-store config create -object-store-name <S3Bucket> -provider-type AWS_S3 -auth-type EC2-IAM -server <s3.us-iso-b-1.server_name> -container-name <fabric-pool-testbucket> -is-ssl-enabled true -port 443
  9. Verify that the object store was created successfully: storage aggregate object-store show -instance

  10. Attach the object store to the aggregate. This should be repeated for every new aggregate: storage aggregate object-store attach -aggregate <aggr1> -object-store-name <S3Bucket>