Connector security group rules in AWS

04/08/2024 Contributors

The AWS security group for the Connector requires both inbound and outbound rules. BlueXP automatically creates this security group when you create a Connector from BlueXP. You need to set up this security group for all other installation options.

Inbound rules

Protocol	Port	Purpose
SSH	22	Provides SSH access to the Connector host
HTTP	80	Provides HTTP access from client web browsers to the local user interface Used during the Cloud Volumes ONTAP upgrade process
HTTPS	443	Provides HTTPS access from client web browsers to the local user interface, and connections from the BlueXP classification instance
TCP	3128	Provides Cloud Volumes ONTAP with internet access to send AutoSupport messages to NetApp Support. You must manually open this port after deployment. Learn how the Connector is used as a proxy for AutoSupport messages
TCP	9060, 9061	Provides the ability to enable and use BlueXP classification and BlueXP backup and recovery in Government regions.

Protocol

Port

Purpose

SSH

Provides SSH access to the Connector host

HTTP

Provides HTTP access from client web browsers to the local user interface
Used during the Cloud Volumes ONTAP upgrade process

HTTPS

443

Provides HTTPS access from client web browsers to the local user interface, and connections from the BlueXP classification instance

TCP

3128

Provides Cloud Volumes ONTAP with internet access to send AutoSupport messages to NetApp Support. You must manually open this port after deployment. Learn how the Connector is used as a proxy for AutoSupport messages

TCP

9060, 9061

Provides the ability to enable and use BlueXP classification and BlueXP backup and recovery in Government regions.

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Protocol	Port	Purpose
All TCP	All	All outbound traffic
All UDP	All	All outbound traffic

Protocol

Port

Purpose

All TCP

All

All outbound traffic

All UDP

All

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

The source IP address is the Connector host.

Service	Protocol	Port	Destination	Purpose
API calls and AutoSupport	HTTPS	443	Outbound internet and ONTAP cluster management LIF	API calls to AWS, to ONTAP, to BlueXP classification, and sending AutoSupport messages to NetApp
API calls	TCP	3000	ONTAP HA mediator	Communication with the ONTAP HA mediator
TCP	8080	BlueXP classification	Probe to BlueXP classification instance during deployment
DNS	UDP	53	DNS	Used for DNS resolve by BlueXP

Service

Protocol

Port

Destination

Purpose

API calls and AutoSupport

HTTPS

443

Outbound internet and ONTAP cluster management LIF

API calls to AWS, to ONTAP, to BlueXP classification, and sending AutoSupport messages to NetApp

API calls

TCP

3000

ONTAP HA mediator

Communication with the ONTAP HA mediator

TCP

8080

BlueXP classification

Probe to BlueXP classification instance during deployment

DNS

UDP

DNS

Used for DNS resolve by BlueXP

Connector security group rules in AWS

Creating your file...

Inbound rules

Outbound rules

Basic outbound rules

Advanced outbound rules