Create a Connector in Google Cloud from BlueXP or gcloud
A Connector is NetApp software running in your cloud network or on-premises network that gives you the ability to use all BlueXP features and services. The available installation options include creating the Connector in Google Cloud directly from BlueXP or by using gcloud. To create a Connector in Google Cloud from BlueXP or by using gcloud, you need to set up your networking, prepare Google Cloud permissions, enable Google Cloud APIs, and then create the Connector.
- You should have an understanding of Connectors.
- You should review Connector limitations.
Step 1: Set up networking
Set up your networking so the Connector can manage resources and processes within your hybrid cloud environment. For example, you need to ensure that connections are available to target networks and that outbound internet access is available.
VPC and subnet
When you create the Connector, you need to specify the VPC and subnet where the Connector should reside.
Connections to target networks
A Connector requires a network connection to the location where you're planning to create and manage working environments. For example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.
Outbound internet access
The network location where you deploy the Connector must have an outbound internet connection to contact specific endpoints.
Endpoints contacted from the Connector
The Connector requires outbound internet access to contact the following endpoints in order to manage resources and processes within your public cloud environment for day-to-day operations.
Note that the endpoints listed below are all CNAME entries.
To manage resources in Google Cloud:
- https://www.googleapis.com/compute/v1/
- https://compute.googleapis.com/compute/v1
- https://cloudresourcemanager.googleapis.com/v1/projects
- https://www.googleapis.com/compute/beta
- https://storage.googleapis.com/storage/v1
- https://www.googleapis.com/storage/v1
- https://iam.googleapis.com/v1
- https://cloudkms.googleapis.com/v1
- https://www.googleapis.com/deploymentmanager/v2/projects
To obtain licensing information and to send AutoSupport messages to NetApp support:
- https://support.netapp.com
- https://mysupport.netapp.com
To provide SaaS features and services within BlueXP:
- https://*.api.bluexp.netapp.com
- https://api.bluexp.netapp.com
- https://*.cloudmanager.cloud.netapp.com
- https://cloudmanager.cloud.netapp.com
- https://netapp-cloud-account.auth0.com
Note that the Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.
To obtain images for Connector upgrades, choose between two sets of endpoints:
- Option 1 (recommended) [1]:
  - https://bluexpinfraprod.eastus2.data.azurecr.io
  - https://bluexpinfraprod.azurecr.io
- Option 2:
  - https://*.blob.core.windows.net
  - https://cloudmanagerinfraprod.azurecr.io
[1] The endpoints listed in option 1 are recommended because they are more secure. We recommend that you set up your firewall to allow the endpoints listed in option 1, while disallowing the endpoints listed in option 2. Note the following about these endpoints:
- The endpoints listed in option 1 are supported starting with the 3.9.47 release of the Connector. There is no backwards compatibility with previous releases of the Connector.
- The Connector contacts the endpoints listed in option 2 first. If those endpoints aren't accessible, the Connector automatically contacts the endpoints listed in option 1.
- The endpoints in option 1 are not supported if you use the Connector with BlueXP backup and recovery or BlueXP ransomware protection. In this case, you can disallow the endpoints listed in option 1, while allowing the endpoints listed in option 2.
Endpoints contacted from the BlueXP console
As you use the BlueXP web-based console that's provided through the SaaS layer, it contacts several endpoints to complete data management tasks. This includes endpoints that are contacted to deploy the Connector from the BlueXP console.
Proxy server
If your business requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation. Note that BlueXP does not support transparent proxy servers.
- IP address
- Credentials
- HTTPS certificate
Ports
There's no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.
- HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.
- SSH (22) is only needed if you need to connect to the host for troubleshooting.
- Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available. If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, BlueXP automatically configures those systems to use a proxy server that's included with the Connector. The only requirement is to ensure that the Connector's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Connector.
Enable NTP
If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification.
You'll need to implement this networking requirement after you create the Connector.
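As an added check that is not part of NetApp's documentation, the following script probes the endpoints above from the Connector's subnet (through the proxy when HTTPS_PROXY is set) and reports whether the firewall matches the recommended posture: option 1 open, option 2 blocked. It treats any HTTP status as proof that the TLS path is open, covers the wildcard entries through the literal hosts in the same list, and leaves out the blob.core.windows.net wildcard because it has no single host to probe.

```shell
#!/bin/sh
# Added example, not NetApp's own tooling: verifies the Connector's egress policy
# against the endpoint list on this page. Run it from a host in the Connector's
# subnet; curl honours HTTPS_PROXY, so set it if the Connector will use a proxy.
set -eu

# Endpoints the Connector must reach (option 1 image registry included).
REQUIRED='https://www.googleapis.com/compute/v1/
https://compute.googleapis.com/compute/v1
https://cloudresourcemanager.googleapis.com/v1/projects
https://www.googleapis.com/compute/beta
https://storage.googleapis.com/storage/v1
https://www.googleapis.com/storage/v1
https://iam.googleapis.com/v1
https://cloudkms.googleapis.com/v1
https://www.googleapis.com/deploymentmanager/v2/projects
https://support.netapp.com
https://mysupport.netapp.com
https://api.bluexp.netapp.com
https://cloudmanager.cloud.netapp.com
https://netapp-cloud-account.auth0.com
https://bluexpinfraprod.eastus2.data.azurecr.io
https://bluexpinfraprod.azurecr.io'

# Option 2 endpoint that should be blocked, unless BlueXP backup and recovery or
# ransomware protection is in use (those services need option 2, see the note above).
BLOCKED='https://cloudmanagerinfraprod.azurecr.io'

# HTTP status of a GET, or 000 when no connection (DNS, proxy, TCP or TLS) could be made.
probe() {
  code=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "$1" 2>/dev/null) || code=000
  printf '%s' "${code:-000}"
}

# Any status, 401/403/404 included, means the firewall let the TLS session through;
# only 000 means the path is closed.
reachable() { [ "$1" != "000" ]; }

# Probe every URL in a list against the expected state; non-zero status on any mismatch.
check() {   # $1 newline-separated URLs, $2 expected state: open or closed
  printf '%s\n' "$1" | while IFS= read -r url; do
    [ -n "$url" ] || continue
    code=$(probe "$url")
    if reachable "$code"; then state=open; else state=closed; fi
    printf '%-6s %s %s\n' "$state" "$code" "$url"
    [ "$state" = "$2" ] || exit 1   # leaves the loop subshell, which becomes check's status
  done
}

if [ "${RUN_PROBES:-0}" = "1" ]; then
  check "$REQUIRED" open
  check "$BLOCKED" closed && echo "Egress matches the recommendation: option 1 open, option 2 blocked."
fi
```

A proxy that answers denied requests with its own HTTP error page will make a blocked host look open; compare against a host you know is denied before trusting the result in that setup.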
Step 2: Set up permissions to create the Connector
Before you can deploy a Connector from BlueXP or by using gcloud, you need to set up permissions for the Google Cloud user who will deploy the Connector VM.
- Create a custom role in Google Cloud:
  - Create a YAML file that includes the following permissions:
    title: Connector deployment policy
    description: Permissions for the user who deploys the Connector from BlueXP
    stage: GA
    includedPermissions:
    - compute.disks.create
    - compute.disks.get
    - compute.disks.list
    - compute.disks.setLabels
    - compute.disks.use
    - compute.firewalls.create
    - compute.firewalls.delete
    - compute.firewalls.get
    - compute.firewalls.list
    - compute.globalOperations.get
    - compute.images.get
    - compute.images.getFromFamily
    - compute.images.list
    - compute.images.useReadOnly
    - compute.instances.attachDisk
    - compute.instances.create
    - compute.instances.get
    - compute.instances.list
    - compute.instances.setDeletionProtection
    - compute.instances.setLabels
    - compute.instances.setMachineType
    - compute.instances.setMetadata
    - compute.instances.setTags
    - compute.instances.start
    - compute.instances.updateDisplayDevice
    - compute.machineTypes.get
    - compute.networks.get
    - compute.networks.list
    - compute.networks.updatePolicy
    - compute.projects.get
    - compute.regions.get
    - compute.regions.list
    - compute.subnetworks.get
    - compute.subnetworks.list
    - compute.zoneOperations.get
    - compute.zones.get
    - compute.zones.list
    - deploymentmanager.compositeTypes.get
    - deploymentmanager.compositeTypes.list
    - deploymentmanager.deployments.create
    - deploymentmanager.deployments.delete
    - deploymentmanager.deployments.get
    - deploymentmanager.deployments.list
    - deploymentmanager.manifests.get
    - deploymentmanager.manifests.list
    - deploymentmanager.operations.get
    - deploymentmanager.operations.list
    - deploymentmanager.resources.get
    - deploymentmanager.resources.list
    - deploymentmanager.typeProviders.get
    - deploymentmanager.typeProviders.list
    - deploymentmanager.types.get
    - deploymentmanager.types.list
    - resourcemanager.projects.get
    - compute.instances.setServiceAccount
    - iam.serviceAccounts.list
  - From Google Cloud, activate Cloud Shell.
  - Upload the YAML file that includes the required permissions.
  - Create a custom role by using the gcloud iam roles create command. The following example creates a role named "connectorDeployment" at the project level:
    gcloud iam roles create connectorDeployment --project=myproject --file=connector-deployment.yaml
- Assign this custom role to the user who will deploy the Connector from BlueXP or by using gcloud.
The Google Cloud user now has the permissions required to create the Connector.
Step 3: Set up permissions for the Connector
A Google Cloud service account is required to provide the Connector with the permissions that BlueXP needs to manage resources in Google Cloud. When you create the Connector, you'll need to associate this service account with the Connector VM.
It's your responsibility to update the custom role as new permissions are added in subsequent releases. If new permissions are required, they will be listed in the release notes.
- Create a custom role in Google Cloud:
  - Create a YAML file that includes the contents of the service account permissions for the Connector.
  - From Google Cloud, activate Cloud Shell.
  - Upload the YAML file that includes the required permissions.
  - Create a custom role by using the gcloud iam roles create command. The following example creates a role named "connector" at the project level:
    gcloud iam roles create connector --project=myproject --file=connector.yaml
- Create a service account in Google Cloud and assign the role to the service account:
  - From the IAM & Admin service, select Service Accounts > Create Service Account.
  - Enter service account details and select Create and Continue.
  - Select the role that you just created.
  - Finish the remaining steps to create the service account.
- If you plan to deploy Cloud Volumes ONTAP systems in different projects than the project where the Connector resides, then you'll need to provide the Connector's service account with access to those projects.
  For example, let's say the Connector is in project 1 and you want to create Cloud Volumes ONTAP systems in project 2. You'll need to grant access to the service account in project 2.
  - From the IAM & Admin service, select the Google Cloud project where you want to create Cloud Volumes ONTAP systems.
  - On the IAM page, select Grant Access and provide the required details:
    - Enter the email of the Connector's service account.
    - Select the Connector's custom role.
    - Select Save.
  For more details, refer to Google Cloud documentation.
The service account for the Connector VM is set up.
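Steps 2 and 3 can be scripted end to end; the following is an added example, not NetApp's or Google's own tooling. It assumes the YAML role definitions are saved as connector-deployment.yaml (Step 2) and connector.yaml (Step 3), that gcloud is already authenticated, and uses placeholder project IDs, deployer identity and service account name. It also covers the project 1 / project 2 case above and ends with the IAM-policy query an auditor would run to confirm the binding.

```shell
#!/bin/sh
# Added example, not NetApp's or Google's tooling: runs Steps 2 and 3 with gcloud and
# then verifies the IAM bindings. Assumes the two YAML files from this page are saved as
# connector-deployment.yaml and connector.yaml and that gcloud is already authenticated.
# Project IDs, the deployer identity and the service account name are placeholders.
set -eu

CONNECTOR_PROJECT="${CONNECTOR_PROJECT:-myproject}"   # project that will host the Connector VM
CVO_PROJECT="${CVO_PROJECT:-}"                        # optional second project for Cloud Volumes ONTAP
DEPLOYER="${DEPLOYER:-user:deployer@example.com}"     # Google account that deploys the Connector
SA_NAME="${SA_NAME:-bluexp-connector}"                # hypothetical service account name
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print the gcloud commands instead of running them

# Print or execute a command; DRY_RUN lets the IAM changes be reviewed before they are applied.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$CONNECTOR_PROJECT"; }
role_path() { printf 'projects/%s/roles/%s\n' "$1" "$2"; }   # $1 project, $2 role id

# Step 2: the deployment role goes to the one account that deploys the Connector, nothing wider.
setup_deployer() {
  run gcloud iam roles create connectorDeployment --project="$CONNECTOR_PROJECT" --file=connector-deployment.yaml
  run gcloud projects add-iam-policy-binding "$CONNECTOR_PROJECT" --member="$DEPLOYER" \
    --role="$(role_path "$CONNECTOR_PROJECT" connectorDeployment)"
}

# Step 3: a dedicated service account carries the Connector's custom role and nothing else.
setup_connector_sa() {
  run gcloud iam roles create connector --project="$CONNECTOR_PROJECT" --file=connector.yaml
  run gcloud iam service-accounts create "$SA_NAME" --project="$CONNECTOR_PROJECT" --display-name="BlueXP Connector"
  run gcloud projects add-iam-policy-binding "$CONNECTOR_PROJECT" --member="serviceAccount:$(sa_email)" \
    --role="$(role_path "$CONNECTOR_PROJECT" connector)"
  # Cross-project case from the page (Connector in project 1, Cloud Volumes ONTAP in project 2).
  # A project-level custom role is only usable inside its own project, so it is created again
  # from the same file in project 2 before the Connector's service account is bound to it there.
  if [ -n "$CVO_PROJECT" ]; then
    run gcloud iam roles create connector --project="$CVO_PROJECT" --file=connector.yaml
    run gcloud projects add-iam-policy-binding "$CVO_PROJECT" --member="serviceAccount:$(sa_email)" \
      --role="$(role_path "$CVO_PROJECT" connector)"
  fi
}

# Audit check: flatten the project's IAM policy and confirm exactly this member/role pair exists.
has_binding() {   # $1 project, $2 member, $3 role path
  gcloud projects get-iam-policy "$1" --flatten="bindings[].members" \
    --filter="bindings.role=$3 AND bindings.members=$2" --format="value(bindings.role)" | grep -q .
}

if [ "${APPLY:-0}" = "1" ]; then
  setup_deployer
  setup_connector_sa
  has_binding "$CONNECTOR_PROJECT" "serviceAccount:$(sa_email)" "$(role_path "$CONNECTOR_PROJECT" connector)" \
    && echo "Connector service account binding verified in $CONNECTOR_PROJECT"
fi
```

Run with DRY_RUN=1 APPLY=1 first to review the exact commands, then with APPLY=1 to apply them.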
Step 4: Set up shared VPC permissions
If you are using a shared VPC to deploy resources into a service project, then you'll need to prepare your permissions.
This table is for reference; when IAM configuration is complete, your environment should reflect it.
Identity | Creator | Hosted in | Service project permissions | Host project permissions | Purpose |
---|---|---|---|---|---|
Google account to deploy the Connector | Custom | Service project | Custom role from Step 2 (connectorDeployment) | compute.networkUser | Deploying the Connector in the service project |
Connector service account | Custom | Service project | Custom role from Step 3 (connector) | compute.networkUser | Deploying and maintaining Cloud Volumes ONTAP and services in the service project |
Cloud Volumes ONTAP service account | Custom | Service project | storage.admin | N/A | (Optional) For data tiering and BlueXP backup and recovery |
Google APIs service agent | Google Cloud | Service project | (Default) Editor | compute.networkUser | Interacts with Google Cloud APIs on behalf of deployment. Allows BlueXP to use the shared network. |
Google Compute Engine default service account | Google Cloud | Service project | (Default) Editor | compute.networkUser | Deploys Google Cloud instances and compute infrastructure on behalf of deployment. Allows BlueXP to use the shared network. |
Notes:
- deploymentmanager.editor is only required at the host project if you are not passing firewall rules to the deployment and are choosing to let BlueXP create them for you. BlueXP will create a deployment in the host project which contains the VPC0 firewall rule if no rule is specified.
- firewall.create and firewall.delete are only required if you are not passing firewall rules to the deployment and are choosing to let BlueXP create them for you. These permissions reside in the BlueXP account .yaml file. If you are deploying an HA pair using a shared VPC, these permissions will be used to create the firewall rules for VPC1, 2 and 3. For all other deployments, these permissions will also be used to create rules for VPC0.
- For data tiering, the tiering service account must have the serviceAccount.user role on the service account, not just at the project level. Currently, if you assign serviceAccount.user at the project level, the permissions don't show when you query the service account with getIAMPolicy.
Step 5: Enable Google Cloud APIs
Several Google Cloud APIs must be enabled before you can deploy the Connector and Cloud Volumes ONTAP in Google Cloud.
- Enable the following Google Cloud APIs in your project:
  - Cloud Deployment Manager V2 API
  - Cloud Logging API
  - Cloud Resource Manager API
  - Compute Engine API
  - Identity and Access Management (IAM) API
  - Cloud Key Management Service (KMS) API (required only if you are planning to use BlueXP backup and recovery with customer-managed encryption keys (CMEK))
Step 6: Create the Connector
Create a Connector directly from the BlueXP web-based console or by using gcloud.
Creating the Connector deploys a virtual machine instance in Google Cloud using a default configuration. After you create the Connector, you should not change to a smaller VM instance that has less CPU or RAM. Learn about the default configuration for the Connector.
BlueXP
You should have the following:
- The required Google Cloud permissions to create the Connector and a service account for the Connector VM.
- A VPC and subnet that meets networking requirements.
- Details about a proxy server, if a proxy is required for internet access from the Connector.
Steps
- Select the Connector drop-down and select Add Connector.
- Choose Google Cloud Platform as your cloud provider.
- On the Deploying a Connector page, review the details about what you'll need. You have two options:
  - Select Continue to prepare for deployment by using the in-product guide. Each step in the in-product guide includes the information that's contained on this page of the documentation.
  - Select Skip to Deployment if you already prepared by following the steps on this page.
- Follow the steps in the wizard to create the Connector:
  - If you're prompted, log in to your Google account, which should have the required permissions to create the virtual machine instance. The form is owned and hosted by Google. Your credentials are not provided to NetApp.
  - Details: Enter a name for the virtual machine instance, specify tags, select a project, and then select the service account that has the required permissions (refer to the section above for details).
  - Location: Specify a region, zone, VPC, and subnet for the instance.
  - Network: Choose whether to enable a public IP address and optionally specify a proxy configuration.
  - Firewall Policy: Choose whether to create a new firewall policy or whether to select an existing firewall policy that allows the required inbound and outbound rules.
  - Review: Review your selections to verify that your setup is correct.
- Select Add.
  The instance should be ready in about 7 minutes. You should stay on the page until the process is complete.
After the process is complete, the Connector is available for use from BlueXP.
If you have Google Cloud Storage buckets in the same Google Cloud account where you created the Connector, you'll see a Google Cloud Storage working environment appear on the BlueXP canvas automatically. Learn how to manage Google Cloud Storage from BlueXP.
gcloud
You should have the following:
- The required Google Cloud permissions to create the Connector and a service account for the Connector VM.
- A VPC and subnet that meets networking requirements.
- An understanding of VM instance requirements:
  - CPU: 8 cores or 8 vCPUs
  - RAM: 32 GB
  - Machine type: We recommend n2-standard-8.
  The Connector is supported in Google Cloud on a VM instance with an OS that supports Shielded VM features.
Steps
- Log in to the gcloud SDK using your preferred methodology. In our examples, we'll use a local shell with the gcloud SDK installed, but you could use the native Google Cloud Shell in the Google Cloud console. For more information about the Google Cloud SDK, visit the Google Cloud SDK documentation page.
- Verify that you are logged in as a user who has the required permissions that are defined in the section above:
  gcloud auth list
  The output should look like the following, where the account marked with * is the user account you want to be logged in as:
  Credentialed Accounts
  ACTIVE  ACCOUNT
          some_user_account@domain.com
  *       desired_user_account@domain.com

  To set the active account, run:
    $ gcloud config set account `ACCOUNT`

  Updates are available for some Cloud SDK components. To install them, please run:
    $ gcloud components update
- Run the gcloud compute instances create command:
  gcloud compute instances create <instance-name> --machine-type=n2-standard-8 --image-project=netapp-cloudmanager --image-family=cloudmanager --scopes=cloud-platform --project=<project> --service-account=<service-account> --zone=<zone> --no-address --tags <network-tag> --network <network-path> --subnet <subnet-path> --boot-disk-kms-key <kms-key-path>
  - instance-name: The desired instance name for the VM instance.
  - project: (Optional) The project where you want to deploy the VM.
  - service-account: The service account specified in the output from step 2.
  - zone: The zone where you want to deploy the VM.
  - no-address: (Optional) No external IP address is used (you need a cloud NAT or proxy to route traffic to the public internet).
  - network-tag: (Optional) Add network tagging to link a firewall rule using tags to the Connector instance.
  - network-path: (Optional) Add the name of the network to deploy the Connector into (for a Shared VPC, you need the full path).
  - subnet-path: (Optional) Add the name of the subnet to deploy the Connector into (for a Shared VPC, you need the full path).
  - kms-key-path: (Optional) Add a KMS key to encrypt the Connector's disks (IAM permissions also need to be applied).
  For more information about these flags, visit the Google Cloud compute SDK documentation.
  Running the command deploys the Connector using the NetApp golden image. The Connector instance and software should be running in approximately five minutes.
- Open a web browser from a host that has a connection to the Connector instance and enter the following URL:
  https://ipaddress
- After you log in, set up the Connector:
  - Specify the BlueXP organization to associate with the Connector.
  - Enter a name for the system.
The Connector is now installed and set up with your BlueXP organization.
Open a web browser and go to the BlueXP console to start using the Connector with BlueXP.
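As an added example that is not part of NetApp's documentation, the script below ties the gcloud procedure above together with the earlier steps: it enables the APIs from Step 5, creates firewall rules limited to the inbound ports from Step 1 and keyed to the network tag, runs the instance create command shown above, and then checks the deployed VM for drift from the page's expectations. Project, zone, network, subnet, CIDR ranges, tag and KMS key are placeholders; the service account email is the one from Step 3.

```shell
#!/bin/sh
# Added example, not NetApp's own tooling: enables the APIs from Step 5, creates tag-scoped
# firewall rules for the inbound ports listed in Step 1, creates the Connector VM with the
# flags shown on this page, and checks the result. Project, zone, network, subnet, CIDRs,
# tag and KMS key are placeholders; SA_EMAIL is the service account created in Step 3.
set -eu

PROJECT="${PROJECT:-myproject}"
NET_PROJECT="${NET_PROJECT:-$PROJECT}"                   # host project when the network is a shared VPC
ZONE="${ZONE:-us-east1-b}"
INSTANCE="${INSTANCE:-bluexp-connector}"
SA_EMAIL="${SA_EMAIL:-bluexp-connector@myproject.iam.gserviceaccount.com}"
NETWORK="${NETWORK:-projects/myproject/global/networks/default}"           # full path also works for a shared VPC
SUBNET="${SUBNET:-projects/myproject/regions/us-east1/subnetworks/default}"
TAG="${TAG:-bluexp-connector}"                           # network tag that links the firewall rules to the VM
ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.0/24}"                  # where admins reach the local UI (80/443) and SSH (22) from
CVO_CIDR="${CVO_CIDR:-10.1.0.0/24}"                      # subnet of Cloud Volumes ONTAP nodes that use the 3128 proxy
KMS_KEY="${KMS_KEY:-}"                                   # optional CMEK path for the Connector's disks
DRY_RUN="${DRY_RUN:-0}"                                  # 1 = print the gcloud commands instead of running them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

enable_apis() {
  run gcloud services enable --project="$PROJECT" deploymentmanager.googleapis.com logging.googleapis.com \
    cloudresourcemanager.googleapis.com compute.googleapis.com iam.googleapis.com
}

# Only the ports the page lists, only from the ranges that need them, only to VMs carrying the tag.
create_firewall_rules() {
  run gcloud compute firewall-rules create "$TAG-admin" --project="$NET_PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=tcp:22,tcp:80,tcp:443 --source-ranges="$ADMIN_CIDR" --target-tags="$TAG"
  run gcloud compute firewall-rules create "$TAG-autosupport-proxy" --project="$NET_PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=tcp:3128 --source-ranges="$CVO_CIDR" --target-tags="$TAG"
}

# The page's command; --no-address keeps the VM off the public internet, so egress needs Cloud NAT or a proxy.
create_connector() {
  run gcloud compute instances create "$INSTANCE" --project="$PROJECT" --zone="$ZONE" --machine-type=n2-standard-8 \
    --image-project=netapp-cloudmanager --image-family=cloudmanager --scopes=cloud-platform \
    --service-account="$SA_EMAIL" --no-address --tags="$TAG" --network="$NETWORK" --subnet="$SUBNET" \
    ${KMS_KEY:+--boot-disk-kms-key="$KMS_KEY"}
}

describe() { gcloud compute instances describe "$INSTANCE" --project="$PROJECT" --zone="$ZONE" --format="value($1)"; }

# Post-deployment drift checks for the properties the page cares about.
verify_connector() {
  [ -z "$(describe 'networkInterfaces[0].accessConfigs[0].natIP')" ] || { echo "unexpected external IP"; return 1; }
  [ "$(describe 'serviceAccounts[0].email')" = "$SA_EMAIL" ] || { echo "wrong service account"; return 1; }
  [ "$(describe 'machineType.basename()')" = "n2-standard-8" ] || { echo "machine type was changed"; return 1; }
  describe 'tags.items' | grep -q "$TAG" || { echo "network tag missing"; return 1; }
}

if [ "${APPLY:-0}" = "1" ]; then
  enable_apis; create_firewall_rules; create_connector; verify_connector && echo "Connector verified"
fi
```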