BlueXP setup and administration

Create a Connector from the Azure Marketplace

Contributors netapp-bcammett

A Connector is NetApp software running in your cloud network or on-premises network that gives you the ability to use all BlueXP features and services. One of the available installation options is to create a Connector in Azure directly from the Azure Marketplace. To create a Connector from the Azure Marketplace, you need to set up your networking, prepare Azure permissions, review instance requirements, and then create the Connector.

Before you begin

Step 1: Set up networking

Ensure that the network location where you plan to install the Connector supports the following requirements. Meeting these requirements enables the Connector to manage resources and processes within your hybrid cloud environment.

Azure region

If you use Cloud Volumes ONTAP, the Connector should be deployed in the same Azure region as the Cloud Volumes ONTAP systems that it manages, or in the Azure region pair for the Cloud Volumes ONTAP systems. This requirement ensures that an Azure Private Link connection is used between Cloud Volumes ONTAP and its associated storage accounts.

VNet and subnet

When you create the Connector, you need to specify the VNet and subnet where the Connector should reside.

Connections to target networks

A Connector requires a network connection to the location where you're planning to create and manage working environments: for example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.

Outbound internet access

The network location where you deploy the Connector must have an outbound internet connection to contact specific endpoints.

Endpoints contacted from the Connector

The Connector requires outbound internet access to contact the following endpoints in order to manage resources and processes within your public cloud environment for day-to-day operations.

Note that the endpoints listed below are all CNAME entries.

Endpoints Purpose

https://management.azure.com
https://login.microsoftonline.com
https://blob.core.windows.net
https://core.windows.net

To manage resources in Azure public regions.

https://management.chinacloudapi.cn
https://login.chinacloudapi.cn
https://blob.core.chinacloudapi.cn
https://core.chinacloudapi.cn

To manage resources in Azure China regions.

https://support.netapp.com
https://mysupport.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://*.api.bluexp.netapp.com
https://api.bluexp.netapp.com
https://*.cloudmanager.cloud.netapp.com
https://cloudmanager.cloud.netapp.com
https://netapp-cloud-account.auth0.com

To provide SaaS features and services within BlueXP.

Note that the Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.

Choose between two sets of endpoints:

  • Option 1 (recommended) ¹

    https://bluexpinfraprod.eastus2.data.azurecr.io
    https://bluexpinfraprod.azurecr.io

  • Option 2

    https://*.blob.core.windows.net
    https://cloudmanagerinfraprod.azurecr.io

To obtain images for Connector upgrades.

¹ The endpoints listed in option 1 are recommended because they are more secure. We recommend that you set up your firewall to allow the endpoints listed in option 1, while disallowing the endpoints listed in option 2. Note the following about these endpoints:

  • The endpoints listed in option 1 are supported starting with the 3.9.47 release of the Connector. There is no backwards compatibility with previous releases of the Connector.

  • The Connector contacts the endpoints listed in option 2 first. If those endpoints aren't accessible, the Connector automatically contacts the endpoints listed in option 1.

  • The endpoints in option 1 are not supported if you use the Connector with BlueXP backup and recovery or BlueXP ransomware protection. In this case, you can disallow the endpoints listed in option 1, while allowing the endpoints listed in option 2.
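
The option 1 and option 2 rules above can be checked against a firewall allow-list. The following Python is an added example, not NetApp code: it picks the image-endpoint set to allow for a given Connector release and reports which entries of a proposed egress allow-list are missing or can be blocked. The function names, the `uses_backup_or_ransomware` flag and the sample allow-list are assumptions made for illustration.

```python
# Added example (not NetApp code): apply the option 1 / option 2 guidance
# for Connector upgrade-image endpoints to a proposed egress allow-list.
OPTION_1 = {"bluexpinfraprod.eastus2.data.azurecr.io", "bluexpinfraprod.azurecr.io"}
OPTION_2 = {"*.blob.core.windows.net", "cloudmanagerinfraprod.azurecr.io"}
OPTION_1_MIN_RELEASE = (3, 9, 47)  # first Connector release that supports option 1


def parse_release(text):
    """Turn '3.9.47' into (3, 9, 47) so releases compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def image_endpoints(release, uses_backup_or_ransomware=False):
    """Return (allow, can_block) host sets for upgrade images.

    Option 1 is preferred, but it is ruled out for releases before 3.9.47
    and when BlueXP backup and recovery or BlueXP ransomware protection is
    in use; in those cases option 2 is allowed and option 1 is not needed.
    """
    option_1_ok = (parse_release(release) >= OPTION_1_MIN_RELEASE
                   and not uses_backup_or_ransomware)
    return (OPTION_1, OPTION_2) if option_1_ok else (OPTION_2, OPTION_1)


def audit_allowlist(allowlist, release, uses_backup_or_ransomware=False):
    """Report image endpoints missing from, or removable from, a list."""
    allow, can_block = image_endpoints(release, uses_backup_or_ransomware)
    # Compare bare host patterns: drop the scheme and normalise case.
    entries = {entry.lower().split("://", 1)[-1] for entry in allowlist}
    return {"missing": sorted(allow - entries),
            "can_block": sorted(can_block & entries)}


# Constructed sample allow-list (hypothetical firewall export).
SAMPLE_ALLOWLIST = [
    "https://management.azure.com",
    "https://blob.core.windows.net",      # Azure management endpoint, exact host
    "https://*.blob.core.windows.net",    # option 2 wildcard
    "https://bluexpinfraprod.azurecr.io",
]

if __name__ == "__main__":
    print(audit_allowlist(SAMPLE_ALLOWLIST, "3.9.47"))
```

Entries are compared exactly as the page writes them, so the wildcard `*.blob.core.windows.net` from option 2 is reported separately from the `blob.core.windows.net` endpoint that Azure management still requires.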

Proxy server

If your business requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation. Note that BlueXP does not support transparent proxy servers.

  • IP address

  • Credentials

  • HTTPS certificate

Ports

There's no incoming traffic to the Connector unless you initiate it or the Connector is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.

  • HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.

  • SSH (22) is only needed if you need to connect to the host for troubleshooting.

  • Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.

    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, BlueXP automatically configures those systems to use a proxy server that's included with the Connector. The only requirement is to ensure that the Connector's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Connector.
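
To check the port requirements above against a deployed network security group, the following added Python example (not NetApp code) reads rules in the JSON shape that `az network nsg rule list` prints and reports inbound Allow rules that open ports 22, 80, 443 or 3128 to any source. The sample rules and the function names are constructed for illustration.

```python
# Added example (not NetApp code): flag NSG rules that open the Connector's
# inbound ports to any source instead of to the hosts that need them.
CONNECTOR_PORTS = {22: "SSH", 80: "HTTP (local UI)", 443: "HTTPS (local UI)",
                   3128: "proxy for Cloud Volumes ONTAP AutoSupport"}
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}  # NSG spellings of "anywhere"


def port_in_spec(port, spec):
    """True if `port` is covered by an NSG port spec: '22', '80-443' or '*'."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def exposed_ports(rules):
    """Return {rule name: [ports]} for inbound Allow rules open to any source.

    `rules` is parsed JSON in the shape printed by
    `az network nsg rule list --nsg-name <nsg> --resource-group <rg> -o json`.
    """
    findings = {}
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        sources = [rule.get("sourceAddressPrefix")] + (rule.get("sourceAddressPrefixes") or [])
        if not any(src and src.lower() in ANY_SOURCE for src in sources):
            continue
        specs = [rule.get("destinationPortRange")] + (rule.get("destinationPortRanges") or [])
        hits = sorted(port for port in CONNECTOR_PORTS
                      if any(spec and port_in_spec(port, spec) for spec in specs))
        if hits:
            findings[rule["name"]] = hits
    return findings


# Constructed sample rules (hypothetical names and address ranges).
SAMPLE_RULES = [
    {"name": "allow-ssh-any", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-ui-admin-subnet", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-wide-range", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "3000-3200"},
    {"name": "deny-rest", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    print(exposed_ports(SAMPLE_RULES))
```

The check ignores rule priority, so treat a hit as a prompt to review the rule rather than as proof that the port is reachable.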

Enable NTP

If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification.

You'll need to implement this networking requirement after you create the Connector.

Step 2: Review VM requirements

When you create the Connector, you need to choose a virtual machine type that meets the following requirements.

CPU

8 cores or 8 vCPUs

RAM

32 GB

Azure VM size

An instance type that meets the CPU and RAM requirements above. We recommend Standard_D8s_v3.

Step 3: Set up permissions

You can provide permissions in the following ways:

  • Option 1: Assign a custom role to the Azure VM using a system-assigned managed identity.

  • Option 2: Provide BlueXP with the credentials for an Azure service principal that has the required permissions.

Follow these steps to set up permissions for BlueXP.

Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation.

Steps
  1. If you're planning to manually install the software on your own host, enable a system-assigned managed identity on the VM so that you can provide the required Azure permissions through a custom role.

  2. Copy the contents of the custom role permissions for the Connector and save them in a JSON file.

  3. Modify the JSON file by adding Azure subscription IDs to the assignable scope.

    You should add the ID for each Azure subscription that you want to use with BlueXP.

    Example

    "AssignableScopes": [
        "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
        "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
        "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
    ]
  4. Use the JSON file to create a custom role in Azure.

    The following steps describe how to create the role by using Bash in Azure Cloud Shell.

    1. Start Azure Cloud Shell and choose the Bash environment.

    2. Upload the JSON file.

    3. Use the Azure CLI to create the custom role:

      az role definition create --role-definition Connector_Policy.json
Result

You should now have a custom role called BlueXP Operator that you can assign to the Connector virtual machine.

Step 4: Create the Connector

Launch the Connector directly from the Azure Marketplace.

About this task

Creating the Connector from the Azure Marketplace deploys a virtual machine in Azure using a default configuration. Learn about the default configuration for the Connector.

Before you begin

You should have the following:

  • An Azure subscription.

  • A VNet and subnet in your Azure region of choice.

  • Details about a proxy server, if your organization requires a proxy for all outgoing internet traffic:

    • IP address

    • Credentials

    • HTTPS certificate

  • An SSH public key, if you want to use that authentication method for the Connector virtual machine. The other option for the authentication method is to use a password.

  • If you don't want BlueXP to automatically create an Azure role for the Connector, then you'll need to create your own using the policy on this page.

    These permissions are for the Connector instance itself. It's a different set of permissions than what you previously set up to deploy the Connector VM.

Steps
  1. Go to the NetApp Connector VM page in the Azure Marketplace.

  2. Select Get it now and then select Continue.

  3. From the Azure portal, select Create and follow the steps to configure the virtual machine.

    Note the following as you configure the VM:

    • VM size: Choose a VM size that meets CPU and RAM requirements. We recommend Standard_D8s_v3.

    • Disks: The Connector can perform optimally with either HDD or SSD disks.

    • Network security group: The Connector requires inbound connections using SSH, HTTP, and HTTPS.

    • Identity: Under Management, select Enable system assigned managed identity.

      This setting is important because a managed identity allows the Connector virtual machine to identify itself to Microsoft Entra ID without providing any credentials. Learn more about managed identities for Azure resources.

  4. On the Review + create page, review your selections and select Create to start the deployment.

    Azure deploys the virtual machine with the specified settings. The virtual machine and Connector software should be running in approximately five minutes.

  5. Open a web browser from a host that has a connection to the Connector virtual machine and enter the following URL:

    https://ipaddress

  6. After you log in, set up the Connector:

    1. Specify the BlueXP organization to associate with the Connector.

    2. Enter a name for the system.

    3. Under "Are you running in a secured environment?", keep restricted mode disabled.

      You should keep restricted mode disabled because these steps describe how to use BlueXP in standard mode. You should enable restricted mode only if you have a secure environment and want to disconnect this account from BlueXP backend services. If that's the case, follow steps to get started with BlueXP in restricted mode.

    4. Select Let's start.

Result

The Connector is now installed and is set up with your BlueXP organization.

If you have Azure Blob storage in the same Azure subscription where you created the Connector, you'll see an Azure Blob storage working environment appear on the BlueXP canvas automatically. Learn how to manage Azure Blob storage from BlueXP.

Step 5: Provide permissions to BlueXP

Now that you've created the Connector, you need to provide BlueXP with the permissions that you previously set up. Providing the permissions enables BlueXP to manage your data and storage infrastructure in Azure.

Go to the Azure portal and assign the Azure custom role to the Connector virtual machine for one or more subscriptions.

Steps
  1. From the Azure portal, open the Subscriptions service and select your subscription.

    It's important to assign the role from the Subscriptions service because this specifies the scope of the role assignment at the subscription level. The scope defines the set of resources that the access applies to. If you specify a scope at a different level (for example, at the virtual machine level), your ability to complete actions from within BlueXP will be affected.

  2. Select Access control (IAM) > Add > Add role assignment.

  3. In the Role tab, select the BlueXP Operator role and select Next.

    Note: BlueXP Operator is the default name provided in the BlueXP policy. If you chose a different name for the role, then select that name instead.
  4. In the Members tab, complete the following steps:

    1. Assign access to a Managed identity.

    2. Choose Select members, select the subscription in which the Connector virtual machine was created, choose Virtual machine under Managed identity, and then select the Connector virtual machine.

    3. Select Select.

    4. Select Next.

    5. Select Review + assign.

    6. If you want to manage resources in additional Azure subscriptions, switch to that subscription and then repeat these steps.

Result

BlueXP now has the permissions that it needs to perform actions in Azure on your behalf.
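
Step 5 stresses that the role must be assigned at subscription scope. The following Python is an added example, not NetApp code: it takes role assignments in the JSON shape that `az role assignment list` prints and separates the Connector identity's assignments of the custom role into subscription-level ones and ones made at any other level. The IDs, resource names and function name are constructed placeholders.

```python
# Added example (not NetApp code): confirm the Connector VM's managed
# identity holds the custom role at subscription scope, as Step 5 requires.
import re

# A subscription-level scope is exactly "/subscriptions/<GUID>".
SUBSCRIPTION_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_assignments(assignments, principal_id, role_name="BlueXP Operator"):
    """Group the identity's assignments of `role_name` by scope level.

    `assignments` is parsed JSON in the shape printed by
    `az role assignment list --all --assignee <principalId> -o json`.
    """
    result = {"subscription_scope": [], "other_scope": []}
    for item in assignments:
        if item.get("principalId") != principal_id:
            continue  # assignment belongs to another identity
        if item.get("roleDefinitionName") != role_name:
            continue  # a different role
        scope = item.get("scope", "").rstrip("/")
        level = "subscription_scope" if SUBSCRIPTION_SCOPE.match(scope) else "other_scope"
        result[level].append(scope)
    return result


# Constructed sample data: IDs and resource names are placeholders.
VM_IDENTITY = "11111111-1111-1111-1111-111111111111"
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
SAMPLE = [
    {"principalId": VM_IDENTITY, "roleDefinitionName": "BlueXP Operator", "scope": SUB_A},
    {"principalId": VM_IDENTITY, "roleDefinitionName": "BlueXP Operator",
     "scope": SUB_B + "/resourceGroups/rg-connector/providers"
                      "/Microsoft.Compute/virtualMachines/connector-vm"},
    {"principalId": VM_IDENTITY, "roleDefinitionName": "Reader", "scope": SUB_B},
]

if __name__ == "__main__":
    print(check_assignments(SAMPLE, VM_IDENTITY))
```

An entry under `other_scope` for a subscription you expect BlueXP to manage means the assignment was made at a different level, which is the case the scope note in step 1 says will affect your ability to complete actions from within BlueXP.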

What's next?

Go to the BlueXP console to start using the Connector with BlueXP.