Skip to main content
BlueXP setup and administration

Learn about BlueXP deployment modes

Contributors netapp-bcammett

BlueXP offers multiple deployment modes that enable you to use BlueXP in a way that meets your business and security requirements. Standard mode leverages the BlueXP software as a service (SaaS) layer to provide full functionality, while restricted mode and private mode are available for organizations that have connectivity restrictions.

While BlueXP inhibits the flow of traffic, communication, and data when using restricted mode or private mode, it's your responsibility to ensure that your environment (on-premises and in the cloud) is in compliance with the required regulations.

Overview

BlueXP offers three deployment modes. Each mode differs in terms of outbound connectivity requirements, deployment location, installation process, authentication method, available data and storage services, and charging methods.

Standard mode

BlueXP is accessible to users as a cloud service from the web-based console. Depending on the BlueXP services that you're planning to use, a BlueXP admin creates one or more Connectors to manage data within your hybrid cloud environment.

This mode uses encrypted data transmission over the public internet.

Restricted mode

A BlueXP Connector is installed in the cloud (in a government region, sovereign cloud region, or commercial region) and has limited outbound connectivity to the BlueXP SaaS layer. Users access BlueXP locally from the web-based console that's available from the Connector, not from the SaaS layer.

This mode is typically used by state and local governments and regulated companies.

Private mode

A BlueXP Connector is installed on-premises or in the cloud (in a secure region, sovereign cloud region, or commercial region) and has no connectivity to the BlueXP SaaS layer. Users access BlueXP locally from the web-based console that's available from the Connector, not from the SaaS layer.

A secure region includes AWS Secret Cloud, AWS Top Secret Cloud, and Azure IL6

The following table provides a comparison of these modes.

Standard mode Restricted mode Private mode

Connection required to BlueXP SaaS layer?

Yes

Outbound only

No

Connection required to your cloud provider?

Yes

Yes, within the region

Yes, within the region (if using Cloud Volumes ONTAP)

Connector installation

From BlueXP, cloud marketplace, or manual install

Cloud marketplace or manual install

Manual install

Connector upgrades

Automatic upgrades of NetApp Connector software

Automatic upgrades of NetApp Connector software

Manual upgrade required

UI access

From the BlueXP SaaS layer

Locally from the Connector VM

Locally from the Connector VM

API endpoint

The BlueXP SaaS layer

The Connector

The Connector

Authentication

Through SaaS using auth0, NSS login, or identity federation

Through SaaS using auth0 or identity federation

Local user authentication

Storage and data services

All are supported

Many are supported

Several are supported

Licensing options

Marketplace subscriptions and BYOL

Marketplace subscriptions and BYOL

BYOL

Read through the following sections to learn more about these modes, including which BlueXP features and services are supported.

Standard mode

The following image is an example of a standard mode deployment.

A conceptual image that shows the public internet where the web-based console, SaaS layer, and auth0 authentication are available, a virtual network in the cloud where a Connector is running and managing Cloud Volumes ONTAP and an AFF cluster in an on-premises data center.

BlueXP works as follows in standard mode:

Outbound communication

Connectivity is required from the Connector to the BlueXP SaaS layer, to your cloud provider's publicly available resources, and to other essential components for day-to-day operations.

Supported location for the Connector

In standard mode, the Connector is supported in the cloud or on your premises.

Connector installation

Connector installation is possible from a setup wizard in BlueXP, from the AWS or Azure Marketplace, or using an installer to manually install the Connector on your own Linux host in your data center or in the cloud.

Connector upgrades

Automated upgrades of the Connector software are available from BlueXP with monthly updates.

User interface access

The user interface is accessible from the web-based console that's provided through the SaaS layer.

API endpoint

API calls are made to the following endpoint:
https://cloudmanager.cloud.netapp.com

Authentication

Authentication is provided through BlueXP's cloud service using auth0 or through NetApp Support Site (NSS) logins. Identity federation is available.

Supported BlueXP services

All BlueXP services are available to users.

Supported licensing options

Marketplace subscriptions and BYOL are supported with standard mode; however, the supported licensing options depends on which BlueXP service you are using. Review the documentation for each service to learn more about the available licensing options.

How to get started with standard mode

Go to the BlueXP web-based console and sign up.

Restricted mode

The following image is an example of a restricted mode deployment.

A conceptual image that shows the public internet where the SaaS layer and auth0 authentication are available, a virtual network in the cloud where a Connector is running and providing access to the web-based console, and is managing Cloud Volumes ONTAP and an AFF cluster in an on-premises data center.

BlueXP works as follows in restricted mode:

Outbound communication

Outbound connectivity is required from the Connector to the BlueXP SaaS layer to use BlueXP data services, to enable automatic software upgrades of the Connector, to use auth0-based authentication, and to send metadata for charging purposes (storage VM name, allocated capacity, and volume UUID, type, and IOPS).

The BlueXP SaaS layer does not initiate communication to the Connector. All communication is initiated by the Connector, which can pull or push data from or to the SaaS layer as required.

A connection is also required to cloud provider resources from within the region.

Supported location for the Connector

In restricted mode, the Connector is supported in the cloud: in a government region, sovereign region, or commercial region.

Connector installation

Connector installation is possible from the AWS or Azure Marketplace or a manual installation on your own Linux host.

Connector upgrades

Automated upgrades of the Connector software are available from BlueXP with monthly updates.

User interface access

The user interface is accessible from the Connector virtual machine that's deployed in your cloud region.

API endpoint

API calls are made to the Connector virtual machine.

Authentication

Authentication is provided through BlueXP's cloud service using auth0. Identity federation is also available.

Supported BlueXP services

BlueXP supports the following storage and data services with restricted mode:

Supported services Notes

Azure NetApp Files

Full support

Backup and recovery

Supported in Government regions and commercial regions with restricted mode. Not supported in sovereign regions with restricted mode.

In restricted mode, BlueXP backup and recovery supports back up and restore of ONTAP volume data only. View the list of supported backup destinations for ONTAP data

Back up and restore of application data and virtual machine data is not supported.

Classification

Supported in Government regions with restricted mode. Not supported in commercial regions or in sovereign regions with restricted mode.

Cloud Volumes ONTAP

Full support

Digital wallet

You can use the digital wallet with the supported licensing options listed below for restricted mode.

On-premises ONTAP clusters

Discovery with a Connector and discovery without a Connector (direct discovery) are both supported.

When you discover an on-prem cluster with a Connector, the Advanced view (System Manager) is not supported.

Replication

Supported in Government regions with restricted mode. Not supported in commercial regions or in sovereign regions with restricted mode.

Supported licensing options

The following licensing options are supported with restricted mode:

  • Marketplace subscriptions (hourly and annual contracts)

    Note the following:

    • For Cloud Volumes ONTAP, only capacity-based licensing is supported.

    • In Azure, annual contracts are not supported with government regions.

  • BYOL

    For Cloud Volumes ONTAP, both capacity-based licensing and node-based licensing are supported with BYOL.

How to get started with restricted mode

You need to enable restricted mode when you create your BlueXP account.

If you don't have an account yet, you'll be prompted to create your account and enable restricted mode when you log in to BlueXP for the first time from a Connector that you manually installed or that you created from your cloud provider's marketplace.

If you already have an account and you want to create another one, then you need to use the Tenancy API.

Note that you can't change the restricted mode setting after BlueXP creates the account. You can't enable restricted mode later and you can't disable it later. It must be set at time of account creation.

Private mode

In private mode, you can install a Connector either on-premises or in the cloud and then use BlueXP to manage data across your hybrid cloud. There is no connectivity to the BlueXP SaaS layer.

The following image shows an example of a private mode deployment where the Connector is installed in the cloud and manages both Cloud Volumes ONTAP and an on-premises ONTAP cluster.

A conceptual image that shows a virtual network in the cloud where a Connector is running and providing access to the web-based console, and is managing Cloud Volumes ONTAP and an AFF cluster in an on-premises data center.

Meanwhile, the second image shows an example of a private mode deployment where the Connector is installed on-premises, manages an on-premises ONTAP cluster, and provides access to supported BlueXP data services.

A conceptual image that shows an on-premises data center where a Connector is running and providing access to the web-based console, BlueXP data services, and is managing an AFF cluster in an on-premises data center.

BlueXP works as follows in private mode:

Outbound communication

No outbound connectivity is required to the BlueXP SaaS layer. All packages, dependencies, and essential components are packaged with the Connector and served from the local machine. Connectivity to your cloud provider's publicly available resources is required only if you are deploying Cloud Volumes ONTAP.

Supported location for the Connector

In private mode, the Connector is supported in the cloud or on-premises.

Connector installation

Manual installations of the Connector are supported on your own Linux host in the cloud or on-premises.

Connector upgrades

You need to upgrade the Connector software manually. The Connector software is published to the NetApp Support Site at undefined intervals.

User interface access

The user interface is accessible from the Connector that's deployed in your cloud region or on-premises.

API endpoint

API calls are made to the Connector virtual machine.

Authentication

Authentication is provided through local user management and access. Authentication is not provided through BlueXP's cloud service.

Supported BlueXP services in cloud deployments

BlueXP supports the following storage and data services with private mode when the Connector is installed in the cloud:

Supported services Notes

Backup and recovery

Supported in AWS and Azure commercial regions.

Not supported in Google Cloud or in AWS Secret Cloud, AWS Top Secret Cloud, or Azure IL6

In private mode, BlueXP backup and recovery supports back up and restore of ONTAP volume data only. View the list of supported backup destinations for ONTAP data

Back up and restore of application data and virtual machine data is not supported.

Cloud Volumes ONTAP

Because there's no internet access, the following features aren't available: automated software upgrades and AutoSupport.

Digital wallet

You can use the digital wallet with the supported licensing options listed below for private mode.

On-premises ONTAP clusters

Requires connectivity from the cloud (where the Connector is installed) to the on-premises environment.

Discovery without a Connector (direct discovery) is not supported.

Supported BlueXP services in on-prem deployments

BlueXP supports the following storage and data services with private mode when the Connector is installed on your premises:

Supported services Notes

Backup and recovery

In private mode, BlueXP backup and recovery supports back up and restore of ONTAP volume data only. View the list of supported backup destinations for ONTAP volume data

Back up and restore of application data and virtual machine data is not supported.

Classification

Digital wallet

You can use the digital wallet with the supported licensing options listed below for private mode.

On-premises ONTAP clusters

Discovery without a Connector (direct discovery) is not supported.

Replication

Full support

Supported licensing options

Only BYOL is supported with private mode.

For Cloud Volumes ONTAP BYOL, only node-based licensing is supported. Capacity-based licensing is not supported. Because an outbound internet connection isn't available, you will need to manually upload your Cloud Volumes ONTAP licensing file in the BlueXP digital wallet.

How to get started with private mode

Private mode is available by downloading the "offline" installer from the NetApp Support Site.

Note If you want to use BlueXP in the AWS Secret Cloud or the AWS Top Secret Cloud, then you should follow separate instructions to get started in those environments. Learn how to get started with Cloud Volumes ONTAP in the AWS Secret Cloud or Top Secret Cloud

Service and feature comparison

The following table can help you quickly identify which BlueXP services and features are supported with restricted mode and private mode.

Note that some services might be supported with limitations. For more details about how these services are supported with restricted mode and private mode, refer to the sections above.

Product area BlueXP service or feature Restricted mode Private mode

Working environments

This portion of the table lists support for working environment management from the BlueXP canvas. It does not indicate the supported backup destinations for BlueXP backup and recovery.

Amazon FSx for ONTAP

No

No

Amazon S3

No

No

Azure Blob

No

No

Azure NetApp Files

Yes

No

Cloud Volumes ONTAP

Yes

Yes

Cloud Volumes Service for Google Cloud

No

No

Google Cloud Storage

No

No

On-prem ONTAP clusters

Yes

Yes

E-Series

No

No

StorageGRID

No

No

Services

Alerts

No

No

Backup and recovery

Yes

View the list of supported backup destinations for ONTAP volume data

Yes

View the list of supported backup destinations for ONTAP volume data

Classification

Yes

Yes

Cloud ops

No

No

Copy and sync

No

No

Digital advisor

No

No

Digital wallet

Yes

Yes

Disaster recovery

No

No

Economic efficiency

No

No

Operational resiliency

No

No

Ransomware protection

No

No

Replication

Yes

Yes

Software updates

No

No

Sustainability

No

No

Tiering

No

No

Volume caching

No

No

Workload factory

No

No

Features

BlueXP identity and access management

No

No

BlueXP accounts

Yes

Yes

Credentials

Yes

Yes

NSS accounts

Yes

No

Notifications

Yes

No

Search

Yes

No

Timeline

Yes

Yes