BlueXP setup and administration

Create a Connector from the AWS Marketplace

Contributors netapp-bcammett

A Connector is NetApp software running in your cloud network or on-premises network that gives you the ability to use all BlueXP features and services. One of the available installation options is to create a Connector in AWS directly from the AWS Marketplace. To create a Connector from the AWS Marketplace, you need to set up your networking, prepare AWS permissions, review instance requirements, and then create the Connector.

Before you begin

Step 1: Set up networking

Ensure that the network location where you plan to install the Connector supports the following requirements. Meeting these requirements enables the Connector to manage resources and processes within your hybrid cloud environment.

VPC and subnet

When you create the Connector, you need to specify the VPC and subnet where the Connector should reside.

Connections to target networks

A Connector requires a network connection to the location where you're planning to create and manage working environments, for example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.

Outbound internet access

The network location where you deploy the Connector must have an outbound internet connection to contact specific endpoints.

Endpoints contacted from the Connector

The Connector requires outbound internet access to contact the following endpoints in order to manage resources and processes within your public cloud environment for day-to-day operations.

Note that the endpoints listed below are all CNAME entries.

Endpoints Purpose

AWS services (amazonaws.com):

  • CloudFormation

  • Elastic Compute Cloud (EC2)

  • Identity and Access Management (IAM)

  • Key Management Service (KMS)

  • Security Token Service (STS)

  • Simple Storage Service (S3)

To manage resources in AWS. The exact endpoint depends on the AWS region that you're using. Refer to AWS documentation for details.

https://support.netapp.com
https://mysupport.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://*.api.bluexp.netapp.com
https://api.bluexp.netapp.com
https://*.cloudmanager.cloud.netapp.com
https://cloudmanager.cloud.netapp.com
https://netapp-cloud-account.auth0.com

To provide SaaS features and services within BlueXP.

Note that the Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.

Choose between two sets of endpoints:

  • Option 1 (recommended) [1]

    https://bluexpinfraprod.eastus2.data.azurecr.io
    https://bluexpinfraprod.azurecr.io

  • Option 2

    https://*.blob.core.windows.net
    https://cloudmanagerinfraprod.azurecr.io

To obtain images for Connector upgrades.

[1] The endpoints listed in option 1 are recommended because they are more secure. We recommend that you set up your firewall to allow the endpoints listed in option 1, while disallowing the endpoints listed in option 2. Note the following about these endpoints:

  • The endpoints listed in option 1 are supported starting with the 3.9.47 release of the Connector. There is no backwards compatibility with previous releases of the Connector.

  • The Connector contacts the endpoints listed in option 2 first. If those endpoints aren't accessible, the Connector automatically contacts the endpoints listed in option 1.

  • The endpoints in option 1 are not supported if you use the Connector with BlueXP backup and recovery or BlueXP ransomware protection. In this case, you can disallow the endpoints listed in option 1, while allowing the endpoints listed in option 2.
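The following added example (not NetApp code) turns the endpoint table and the notes on options 1 and 2 into an egress check for destination hosts taken from a proxy or firewall log. The function names and the observed hosts are constructed for illustration, and the region-specific AWS service endpoints are not covered.

```python
from fnmatch import fnmatchcase

# Hostnames copied from the endpoint table above (all HTTPS). AWS service
# endpoints are region-specific and are left out of this check.
SAAS = ["support.netapp.com", "mysupport.netapp.com",
        "*.api.bluexp.netapp.com", "api.bluexp.netapp.com",
        "*.cloudmanager.cloud.netapp.com", "cloudmanager.cloud.netapp.com",
        "netapp-cloud-account.auth0.com"]
OPTION_1 = ["bluexpinfraprod.eastus2.data.azurecr.io", "bluexpinfraprod.azurecr.io"]
OPTION_2 = ["*.blob.core.windows.net", "cloudmanagerinfraprod.azurecr.io"]

# Constructed destination hosts, as they might appear in an egress proxy log.
OBSERVED = ["api.bluexp.netapp.com", "bluexpinfraprod.azurecr.io",
            "acct123.blob.core.windows.net", "SUPPORT.netapp.com.", "example.org"]


def image_endpoints(version, uses_backup_or_ransomware):
    """Return (allow, block) upgrade-image endpoint sets for this Connector."""
    release = tuple(int(part) for part in version.split("."))
    # Option 1 needs release 3.9.47 or later and is not supported with BlueXP
    # backup and recovery or ransomware protection. Blocking option 1 for
    # older releases as well is this example's choice, not a page requirement.
    if uses_backup_or_ransomware or release < (3, 9, 47):
        return OPTION_2, OPTION_1
    return OPTION_1, OPTION_2


def classify(host, allow, block):
    """Label one destination host as 'allow', 'block' or 'unlisted'."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    if any(fnmatchcase(host, pattern) for pattern in block):
        return "block"
    if any(fnmatchcase(host, pattern) for pattern in SAAS + allow):
        return "allow"
    return "unlisted"


def review(hosts, version, uses_backup_or_ransomware=False):
    """Classify every observed host against the rule set for this Connector."""
    allow, block = image_endpoints(version, uses_backup_or_ransomware)
    return {host: classify(host, allow, block) for host in hosts}


if __name__ == "__main__":
    for host, verdict in review(OBSERVED, "3.9.47").items():
        print(f"{verdict:9} {host}")
```

Because the Connector contacts the option 2 endpoints first, "block" verdicts for those hosts are expected in firewall logs when only option 1 is allowed.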

Proxy server

If your business requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation. Note that BlueXP does not support transparent proxy servers.

  • IP address

  • Credentials

  • HTTPS certificate

Ports

There's no incoming traffic to the Connector unless you initiate it or the Connector is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.

  • HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.

  • SSH (22) is only needed if you need to connect to the host for troubleshooting.

  • Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.

    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, BlueXP automatically configures those systems to use a proxy server that's included with the Connector. The only requirement is to ensure that the Connector's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Connector.
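As an added example (not part of the NetApp documentation), this check reads the JSON that `aws ec2 describe-security-groups` returns for the Connector's security group and reports inbound CIDR rules that are open to any address or that use a port this section does not list. The sample data is constructed, treating any-address sources as findings is this example's policy, and rules that reference other security groups are not evaluated.

```python
import ipaddress
import json

# Inbound TCP ports this page names for the Connector: local UI (80, 443),
# SSH for troubleshooting (22), AutoSupport proxy for Cloud Volumes ONTAP (3128).
DOCUMENTED_PORTS = {22, 80, 443, 3128}

# Constructed sample in the shape `aws ec2 describe-security-groups` returns.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 3128, "ToPort": 3128,
   "IpRanges": [{"CidrIp": "10.20.4.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
   "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.1.0/24"}], "Ipv6Ranges": []}
]}]}
""")


def audit_inbound(doc):
    """Return sorted (group_id, ports, source, reason) findings for CIDR rules."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            if perm.get("IpProtocol") == "tcp":
                low, high = perm["FromPort"], perm["ToPort"]
                ports = str(low) if low == high else f"{low}-{high}"
                extra = any(p not in DOCUMENTED_PORTS for p in range(low, high + 1))
            else:  # "-1" (all traffic), udp, icmp: none are listed on this page
                ports, extra = f"protocol {perm.get('IpProtocol')}", True
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for source in sources:
                if ipaddress.ip_network(source, strict=False).prefixlen == 0:
                    reason = "open to any address"
                elif extra:
                    reason = "not a port listed for the Connector"
                else:
                    continue
                findings.append((group["GroupId"], ports, source, reason))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE):
        print(*finding, sep="  ")
```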

Enable NTP

If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification.

You'll need to implement this networking requirement after you create the Connector.

Step 2: Set up AWS permissions

To prepare for a marketplace deployment, create IAM policies in AWS and attach them to an IAM role. When you create the Connector from the AWS Marketplace, you'll be prompted to select that IAM role.

Steps
  1. Log in to the AWS console and navigate to the IAM service.

  2. Create a policy:

    1. Select Policies > Create policy.

    2. Select JSON and copy and paste the contents of the IAM policy for the Connector.

    3. Finish the remaining steps to create the policy.

      Depending on the BlueXP services that you're planning to use, you might need to create a second policy. For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS. Learn more about IAM policies for the Connector.

  3. Create an IAM role:

    1. Select Roles > Create role.

    2. Select AWS service > EC2.

    3. Add permissions by attaching the policy that you just created.

    4. Finish the remaining steps to create the role.

Result

You now have an IAM role that you can associate with the EC2 instance during deployment from the AWS Marketplace.
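Before selecting the role at launch, you can confirm that its trust policy matches what Roles > Create role > AWS service > EC2 produces. This added example (not NetApp code) inspects the `Role` object returned by `aws iam get-role`; the role name, account ID and the second statement are constructed, and treating every principal other than `ec2.amazonaws.com` as a finding is this example's assumption.

```python
import json

# Constructed sample: the "Role" object returned by `aws iam get-role`.
# The role name and account ID are placeholders.
SAMPLE_ROLE = json.loads("""
{"RoleName": "example-connector-role",
 "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
   {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"},
   {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}
 ]}}
""")


def as_list(value):
    """IAM accepts a single value or a list for statements and principals."""
    return value if isinstance(value, list) else [value]


def trust_findings(role):
    """List trusted principals other than EC2, and note if EC2 is missing."""
    findings, ec2_trusted = [], False
    for stmt in as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # the string "*" means anyone
            findings.append("any principal may assume the role")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "Service" and value == "ec2.amazonaws.com":
                    ec2_trusted = True
                else:
                    findings.append(f"unexpected {kind} principal: {value}")
    if not ec2_trusted:
        findings.append("ec2.amazonaws.com is not trusted; EC2 cannot use this role")
    return findings


if __name__ == "__main__":
    for line in trust_findings(SAMPLE_ROLE) or ["trust policy allows EC2 only"]:
        print(line)
```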

Step 3: Review instance requirements

When you create the Connector, you need to choose an EC2 instance type that meets the following requirements.

CPU

8 cores or 8 vCPUs

RAM

32 GB

AWS EC2 instance type

An instance type that meets the CPU and RAM requirements above. We recommend t3.2xlarge.

Step 4: Create the Connector

Create the Connector directly from the AWS Marketplace.

About this task

Creating the Connector from the AWS Marketplace deploys an EC2 instance in AWS using a default configuration. Learn about the default configuration for the Connector.

Before you begin

You should have the following:

  • A VPC and subnet that meet networking requirements.

  • An IAM role with an attached policy that includes the required permissions for the Connector.

  • Permissions for your IAM user to subscribe to and unsubscribe from the AWS Marketplace.

  • An understanding of CPU and RAM requirements for the instance.

  • A key pair for the EC2 instance.

Steps
  1. Go to the BlueXP Connector listing on the AWS Marketplace.

  2. On the Marketplace page, select Continue to Subscribe.


  3. To subscribe to the software, select Accept Terms.

    The subscription process can take a few minutes.

  4. After the subscription process is complete, select Continue to Configuration.


  5. On the Configure this software page, ensure that you've selected the correct region and then select Continue to Launch.

  6. On the Launch this software page, under Choose Action, select Launch through EC2 and then select Launch.

    These steps describe how to launch the instance from the EC2 Console because the console enables you to attach an IAM role to the Connector instance. This isn't possible using the Launch from Website action.

  7. Follow the prompts to configure and deploy the instance:

    • Name and tags: Enter a name and tags for the instance.

    • Application and OS Images: Skip this section. The Connector AMI is already selected.

    • Instance type: Depending on region availability, choose an instance type that meets RAM and CPU requirements (t3.2xlarge is preselected and recommended).

    • Key pair (login): Select the key pair that you want to use to securely connect to the instance.

    • Network settings: Edit the network settings as needed:

      • Choose the desired VPC and subnet.

      • Specify whether the instance should have a public IP address.

      • Specify security group settings that enable the required connection methods for the Connector instance: SSH, HTTP, and HTTPS.

    • Configure storage: Keep the default size and disk type for the root volume.

      If you want to enable Amazon EBS encryption on the root volume, select Advanced, expand Volume 1, select Encrypted, and then choose a KMS key.

    • Advanced details: Under IAM instance profile, choose the IAM role that includes the required permissions for the Connector.

    • Summary: Review the summary and select Launch instance.

    AWS launches the software with the specified settings. The Connector instance and software should be running in approximately five minutes.

  8. Open a web browser from a host that has a connection to the Connector virtual machine and enter the following URL:

    https://ipaddress

  9. After you log in, set up the Connector:

    1. Specify the BlueXP organization to associate with the Connector.

    2. Enter a name for the system.

    3. Under "Are you running in a secured environment?", keep restricted mode disabled.

      You should keep restricted mode disabled because these steps describe how to use BlueXP in standard mode. You should enable restricted mode only if you have a secure environment and want to disconnect this account from BlueXP backend services. If that's the case, follow steps to get started with BlueXP in restricted mode.

    4. Select Let's start.

Result

The Connector is now installed and set up with your BlueXP organization.

Open a web browser and go to the BlueXP console to start using the Connector with BlueXP.

If you have Amazon S3 buckets in the same AWS account where you created the Connector, you'll see an Amazon S3 working environment appear on the BlueXP canvas automatically. Learn how to manage S3 buckets from BlueXP.