Deploy the Connector in restricted mode
Deploy the Connector in restricted mode so that you can use BlueXP with limited outbound connectivity to the BlueXP software as a service (SaaS) layer. To get started, install the Connector, set up BlueXP by accessing the user interface that's running on the Connector, and then provide the cloud permissions that you previously set up.
Step 1: Install the Connector
Install the Connector from your cloud provider's marketplace or by manually installing the software on your own Linux host.
You should have the following:
-
A VPC and subnet that meets networking requirements.
-
An IAM role with an attached policy that includes the required permissions for the Connector.
-
Permissions to subscribe and unsubscribe from the AWS Marketplace for your IAM user.
-
An understanding of CPU and RAM requirements for the instance.
-
A key pair for the EC2 instance.
-
On the Marketplace page, select Continue to Subscribe.
-
To subscribe to the software, select Accept Terms.
The subscription process can take a few minutes.
-
After the subscription process is complete, select Continue to Configuration.
-
On the Configure this software page, ensure that you've selected the correct region and then select Continue to Launch.
-
On the Launch this software page, under Choose Action, select Launch through EC2 and then select Launch.
These steps describe how to launch the instance from the EC2 Console because the console enables you to attach an IAM role to the Connector instance. This isn't possible using the Launch from Website action.
-
Follow the prompts to configure and deploy the instance:
-
Name and tags: Enter a name and tags for the instance.
-
Application and OS Images: Skip this section. The Connector AMI is already selected.
-
Instance type: Depending on region availability, choose an instance type that meets RAM and CPU requirements (t3.2xlarge is preselected and recommended).
-
Key pair (login): Select the key pair that you want to use to securely connect to the instance.
-
Network settings: Edit the network settings as needed:
-
Choose the desired VPC and subnet.
-
Specify whether the instance should have a public IP address.
-
Specify security group settings that enable the required connection methods for the Connector instance: SSH, HTTP, and HTTPS.
-
-
Configure storage: Keep the default size and disk type for the root volume.
If you want to enable Amazon EBS encryption on the root volume, select Advanced, expand Volume 1, select Encrypted, and then choose a KMS key.
-
Advanced details: Under IAM instance profile, choose the IAM role that includes the required permissions for the Connector.
-
Summary: Review the summary and select Launch instance.
-
AWS launches the software with the specified settings. The Connector instance and software should be running in approximately five minutes.
Set up BlueXP.
You should have the following:
-
A VPC and subnet that meets networking requirements.
-
An IAM role with an attached policy that includes the required permissions for the Connector.
-
Permissions to subscribe and unsubscribe from the AWS Marketplace for your IAM user.
-
A key pair for the EC2 instance.
-
Go to the BlueXP offering in the AWS Marketplace.
-
Open the EC2 service and select Launch instance.
-
Select AWS Marketplace.
-
Search for BlueXP and select the offering.
-
Select Continue.
-
-
Follow the prompts to configure and deploy the instance:
-
Choose an Instance Type: Depending on region availability, choose one of the supported instance types (t3.2xlarge is recommended).
-
Configure Instance Details: Select a VPC and subnet, choose the IAM role that you created in step 1, enable termination protection (recommended), and choose any other configuration options that meet your requirements.
-
Add Storage: Keep the default storage options.
-
Add Tags: Enter tags for the instance, if desired.
-
Configure Security Group: Specify the required connection methods for the Connector instance: SSH, HTTP, and HTTPS.
-
Review: Review your selections and select Launch.
-
AWS launches the software with the specified settings. The Connector instance and software should be running in approximately five minutes.
Set up BlueXP.
You should have the following:
-
A VNet and subnet that meets networking requirements.
-
An Azure custom role that includes the required permissions for the Connector.
-
Go to the NetApp Connector VM page in the Azure Marketplace.
-
Select Get it now and then select Continue.
-
From the Azure portal, select Create and follow the steps to configure the virtual machine.
Note the following as you configure the VM:
-
VM size: Choose a VM size that meets CPU and RAM requirements. We recommend Standard_D8s_v3.
-
Disks: The Connector can perform optimally with either HDD or SSD disks.
-
Public IP: If you want to use a public IP address with the Connector VM, the IP address must use a Basic SKU to ensure that BlueXP uses this public IP address.
If you use a Standard SKU IP address instead, then BlueXP uses the private IP address of the Connector, instead of the public IP. If the machine that you're using to access the BlueXP Console doesn't have access to that private IP address, then actions from the BlueXP Console will fail.
-
Network security group: The Connector requires inbound connections using SSH, HTTP, and HTTPS.
-
Identity: Under Management, select Enable system assigned managed identity.
This setting is important because a managed identity allows the Connector virtual machine to identify itself to Microsoft Entra ID without providing any credentials. Learn more about managed identities for Azure resources.
-
-
On the Review + create page, review your selections and select Create to start the deployment.
Azure deploys the virtual machine with the specified settings. The virtual machine and Connector software should be running in approximately five minutes.
Set up BlueXP.
You should have the following:
-
Root privileges to install the Connector.
-
Details about a proxy server, if a proxy is required for internet access from the Connector.
You have the option to configure a proxy server after installation but doing so requires restarting the Connector.
Note that BlueXP does not support transparent proxy servers.
-
A CA-signed certificate, if the proxy server uses HTTPS or if the proxy is an intercepting proxy.
-
Depending on your operating system, either Podman or Docker Engine is required before you install the Connector.
The installer that is available on the NetApp Support Site might be an earlier version. After installation, the Connector automatically updates itself if a new version is available.
-
If the http_proxy or https_proxy system variables are set on the host, remove them:
unset http_proxy unset https_proxy
If you don't remove these system variables, the installation will fail.
-
Download the Connector software from the NetApp Support Site, and then copy it to the Linux host.
You should download the "online" Connector installer that's meant for use in your network or in the cloud. A separate "offline" installer is available for the Connector, but it's only supported with private mode deployments.
-
Assign permissions to run the script.
chmod +x BlueXP-Connector-Cloud-<version>
Where <version> is the version of the Connector that you downloaded.
-
Run the installation script.
./BlueXP-Connector-Cloud-<version> --proxy <HTTP or HTTPS proxy server> --cacert <path and file name of a CA-signed certificate>
The --proxy and --cacert parameters are optional. If you have a proxy server, you will need to enter the parameters as shown. The installer doesn't prompt you to provide information about a proxy.
Here's an example of the command using both optional parameters:
./BlueXP-Connector-Cloud-v3.9.40--proxy https://user:password@10.0.0.30:8080/ --cacert /tmp/cacert/certificate.cer
--proxy configures the Connector to use an HTTP or HTTPS proxy server using one of the following formats:
-
http://address:port
-
http://user-name:password@address:port
-
http://domain-name%92user-name:password@address:port
-
https://address:port
-
https://user-name:password@address:port
-
https://domain-name%92user-name:password@address:port
Note the following:
-
The user can be a local user or domain user.
-
For a domain user, you must use the ASCII code for a \ as shown above.
-
BlueXP doesn't support user names or passwords that include the @ character.
-
If the password includes any of the following special characters, you must escape that special character by prepending it with a backslash: & or !
For example:
http://bxpproxyuser:netapp1\!@address:3128
-
--cacert specifies a CA-signed certificate to use for HTTPS access between the Connector and the proxy server. This parameter is required only if you specify an HTTPS proxy server or if the proxy is an intercepting proxy.
-
The Connector is now installed. At the end of the installation, the Connector service (occm) restarts twice if you specified a proxy server.
Set up BlueXP.
Step 2: Set up BlueXP
When you access the BlueXP console for the first time, you'll be prompted to choose an account to associate the Connector with and you'll need to enable restricted mode.
The person who sets up the BlueXP Connector must log in to BlueXP using a login that doesn't belong to a BlueXP account or organization.
If your BlueXP login is associated with another account or organization, you'll need to sign up with a new BlueXP login. Otherwise, you won't see the option to enable restricted mode on the setup screen.
-
Open a web browser from a host that has a connection to the Connector instance and enter the following URL:
https://ipaddress
-
Sign up or log in to BlueXP.
-
After you're logged in, set up BlueXP:
-
Enter a name for the Connector.
-
Enter a name for a new BlueXP account.
-
Select Are you running in a secured environment?
-
Select Enable restricted mode on this account.
Note that you can't change this setting after BlueXP creates the account. You can't enable restricted mode later and you can't disable it later.
If you deployed the Connector in a Government region, the checkbox is already enabled and can't be changed. This is because restricted mode is the only mode supported in Government regions.
-
Select Let's start.
-
The Connector is now installed and set up with your BlueXP account. All users need to access BlueXP using the IP address of the Connector instance.
Provide BlueXP with the permissions that you previously set up.
Step 3: Provide permissions to BlueXP
If you deployed the Connector from the Azure Marketplace or if you manually installed the Connector software, you need to provide the permissions that you previously set up so that you can use BlueXP services.
These steps don't apply if you deployed the Connector from the AWS Marketplace because you chose the required IAM role during deployment.
Attach the IAM role that you previously created to the EC2 instance where you installed the Connector.
These steps apply only if you manually installed the Connector in AWS. For AWS Marketplace deployments, you already associated the Connector instance with an IAM role that includes the required permissions.
-
Go to the Amazon EC2 console.
-
Select Instances.
-
Select the Connector instance.
-
Select Actions > Security > Modify IAM role.
-
Select the IAM role and select Update IAM role.
BlueXP now has the permissions that it needs to perform actions in AWS on your behalf.
Provide BlueXP with the AWS access key for an IAM user that has the required permissions.
-
In the upper right of the BlueXP console, select the Settings icon, and select Credentials.
-
Select Add Credentials and follow the steps in the wizard.
-
Credentials Location: Select Amazon Web Services > Connector.
-
Define Credentials: Enter an AWS access key and secret key.
-
Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.
-
Review: Confirm the details about the new credentials and select Add.
-
BlueXP now has the permissions that it needs to perform actions in AWS on your behalf.
Go to the Azure portal and assign the Azure custom role to the Connector virtual machine for one or more subscriptions.
-
From the Azure Portal, open the Subscriptions service and select your subscription.
It's important to assign the role from the Subscriptions service because this specifies the scope of the role assignment at the subscription level. The scope defines the set of resources that the access applies to. If you specify a scope at a different level (for example, at the virtual machine level), your ability to complete actions from within BlueXP will be affected.
-
Select Access control (IAM) > Add > Add role assignment.
-
In the Role tab, select the BlueXP Operator role and select Next.
BlueXP Operator is the default name provided in the BlueXP policy. If you chose a different name for the role, then select that name instead. -
In the Members tab, complete the following steps:
-
Assign access to a Managed identity.
-
Select Select members, select the subscription in which the Connector virtual machine was created, under Managed identity, choose Virtual machine, and then select the Connector virtual machine.
-
Select Select.
-
Select Next.
-
Select Review + assign.
-
If you want to manage resources in additional Azure subscriptions, switch to that subscription and then repeat these steps.
-
BlueXP now has the permissions that it needs to perform actions in Azure on your behalf.
Provide BlueXP with the credentials for the Azure service principal that you previously setup.
-
In the upper right of the BlueXP console, select the Settings icon, and select Credentials.
-
Select Add Credentials and follow the steps in the wizard.
-
Credentials Location: Select Microsoft Azure > Connector.
-
Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:
-
Application (client) ID
-
Directory (tenant) ID
-
Client Secret
-
-
Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.
-
Review: Confirm the details about the new credentials and select Add.
-
BlueXP now has the permissions that it needs to perform actions in Azure on your behalf.
Associate the service account with the Connector VM.
-
Go to the Google Cloud portal and assign the service account to the Connector VM instance.
-
If you want to manage resources in other projects, grant access by adding the service account with the BlueXP role to that project. You'll need to repeat this step for each project.
BlueXP now has the permissions that it needs to perform actions in Google Cloud on your behalf.