BlueXP setup and administration

Prepare for deployment in private mode

Contributors netapp-bcammett

Prepare your environment before you deploy BlueXP in private mode. For example, you need to review host requirements, prepare networking, set up permissions, and more.

Note: If you want to use BlueXP in the AWS Secret Cloud or the AWS Top Secret Cloud, follow the separate instructions for those environments: Learn how to get started with Cloud Volumes ONTAP in the AWS Secret Cloud or Top Secret Cloud.

Step 1: Understand how private mode works

Before you get started, you should have an understanding of how BlueXP works in private mode.

For example, you should understand that you need to use the browser-based interface that is available locally from the BlueXP Connector that you need to install. You can't access BlueXP from the web-based console that's provided through the SaaS layer.

In addition, not all BlueXP services are available.

Step 2: Review installation options

In private mode, you can install the Connector on-premises or in the cloud by manually installing the Connector on your own Linux host.

Where you install the Connector determines which BlueXP services and features are available when using private mode. For example, the Connector must be installed in the cloud if you want to deploy and manage Cloud Volumes ONTAP. Learn more about private mode.

Step 3: Review host requirements

The Connector software must run on a host that meets specific operating system requirements, RAM requirements, port requirements, and so on.

Dedicated host

The Connector is not supported on a host that is shared with other applications. The host must be a dedicated host.

The host can be of any architecture that meets the following size requirements:

  • CPU: 8 cores or 8 vCPUs

  • RAM: 32 GB

Operating system and container requirements

BlueXP supports the Connector with the following operating systems when using BlueXP in private mode. A container orchestration tool is required before you install the Connector.

Operating system | Supported OS versions | Supported Connector versions | Required container tool | SELinux
--- | --- | --- | --- | ---
Red Hat Enterprise Linux | 9.1 to 9.4; 8.6 to 8.10 | 3.9.42 or later with BlueXP in private mode | Podman version 4.6.1 or 4.9.4 | Supported in enforcing mode or permissive mode (see note 1)
Ubuntu | 22.04 LTS | 3.9.29 or later | Docker Engine 23.0.6 to 26.0.0 (26.0.0 is supported with new Connector 3.9.44 or later installations) | Not supported

Notes:

  1. Management of Cloud Volumes ONTAP systems is not supported by Connectors that have SELinux enabled on the operating system.

  2. The Connector is supported on English-language versions of these operating systems.

  3. For RHEL, the host must be registered with Red Hat Subscription Management. If it's not registered, the host can't access repositories to update required 3rd-party software during Connector installation.

Hypervisor

A bare metal or hosted hypervisor that is certified to run a supported operating system is required.

CPU

8 cores or 8 vCPUs

RAM

32 GB

AWS EC2 instance type

An instance type that meets the CPU and RAM requirements above. We recommend t3.2xlarge.

Azure VM size

An instance type that meets the CPU and RAM requirements above. We recommend Standard_D8s_v3.

Google Cloud machine type

An instance type that meets the CPU and RAM requirements above. We recommend n2-standard-8.

The Connector is supported in Google Cloud on a VM instance with an OS that supports Shielded VM features.

Disk space in /opt

100 GiB of space must be available

BlueXP uses /opt to install the /opt/application/netapp directory and its contents.

Disk space in /var

20 GiB of space must be available

BlueXP requires this space in /var because Docker and Podman are architected to create containers within this directory; specifically, they create containers in the /var/lib/containers/storage directory. External mounts or symlinks do not work for this space.
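The requirements in this step are easy to check before the installer runs. The following pre-flight script is an added example written for this page, not part of NetApp's installer: the CPU, RAM, disk and OS thresholds are the figures above, while the one-GiB RAM tolerance (the kernel reports slightly less than the physical 32 GiB as MemTotal) and the check-mode invocation are my own assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight check for a Connector host against the Step 3 requirements.
# Added example, not NetApp's installer. Thresholds are the page's figures;
# RAM_TOLERANCE_GIB and the "check" invocation are assumptions.

REQ_CPU=8            # cores or vCPUs
REQ_RAM_GIB=32       # RAM
REQ_OPT_GIB=100      # free space in /opt
REQ_VAR_GIB=20       # free space in /var
RAM_TOLERANCE_GIB=1  # assumption: the kernel reserves memory, so MemTotal reads a little under 32 GiB

# Return 0 when an observed integer meets a required minimum.
meets_min() {  # usage: meets_min <actual> <required>
  [ "$1" -ge "$2" ]
}

# Convert a kB figure (as in /proc/meminfo MemTotal) to whole GiB.
kb_to_gib() {
  echo $(( $1 / 1048576 ))
}

# Return 0 when ID and VERSION_ID from /etc/os-release match a supported OS
# (RHEL 9.1-9.4, RHEL 8.6-8.10, Ubuntu 22.04 LTS).
os_supported() {  # usage: os_supported <ID> <VERSION_ID>
  case "$1:$2" in
    rhel:9.[1-4]|rhel:8.[6-9]|rhel:8.10|ubuntu:22.04) return 0 ;;
    *) return 1 ;;
  esac
}

# Note 1 above: Cloud Volumes ONTAP management is unsupported when SELinux is
# enabled. Any getenforce output other than "Disabled" means it is enabled.
selinux_blocks_cvo() {  # usage: selinux_blocks_cvo <getenforce output>
  [ "$1" != "Disabled" ]
}

# Free GiB on the filesystem holding a path (df -BG reports 1024^3 blocks).
free_gib() {
  df -BG --output=avail "$1" | tail -n 1 | tr -dc '0-9'
}

run_checks() {
  local rc=0 cpus ram_gib os_id os_ver se
  cpus=$(nproc)
  ram_gib=$(kb_to_gib "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)")
  . /etc/os-release; os_id=$ID; os_ver=$VERSION_ID
  se=$(getenforce 2>/dev/null || echo Disabled)   # no SELinux tooling (Ubuntu) counts as disabled

  meets_min "$cpus" "$REQ_CPU"                                || { echo "FAIL cpu: $cpus < $REQ_CPU"; rc=1; }
  meets_min "$ram_gib" "$((REQ_RAM_GIB - RAM_TOLERANCE_GIB))" || { echo "FAIL ram: ${ram_gib} GiB < $REQ_RAM_GIB GiB"; rc=1; }
  meets_min "$(free_gib /opt)" "$REQ_OPT_GIB"                 || { echo "FAIL /opt: need $REQ_OPT_GIB GiB free"; rc=1; }
  meets_min "$(free_gib /var)" "$REQ_VAR_GIB"                 || { echo "FAIL /var: need $REQ_VAR_GIB GiB free"; rc=1; }
  os_supported "$os_id" "$os_ver"                             || { echo "FAIL os: $os_id $os_ver is not in the supported list"; rc=1; }
  # The container storage directory must live on /var itself, not behind a symlink.
  [ ! -L /var/lib/containers/storage ]                        || { echo "FAIL /var/lib/containers/storage is a symlink"; rc=1; }
  selinux_blocks_cvo "$se" && echo "WARN selinux $se: Cloud Volumes ONTAP management is unsupported"
  [ "$rc" -eq 0 ] && echo "host meets the Connector requirements"
  return "$rc"
}

# Live checks run only as "preflight.sh check"; sourcing the file just defines the functions.
if [ "${1:-}" = "check" ]; then run_checks; fi
```

Run it as root on the candidate host; a non-zero exit means at least one requirement above is not met, and the SELinux line is a warning rather than a failure because the Connector itself is supported in enforcing and permissive mode.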

Step 4: Install Podman or Docker Engine

You need to prepare the host for the Connector by installing Podman or Docker Engine.

Depending on your operating system, either Podman or Docker Engine is required before you install the Connector.

Follow these steps to install Podman and configure it to meet the following requirements:

  • The podman.socket service must be enabled and started

  • python3 must be installed

  • The podman-compose package version 1.0.6 must be installed

  • podman-compose must be added to the PATH environment variable

Steps
  1. Remove the podman-docker package if it's installed on the host.

     dnf remove podman-docker
     rm /var/run/docker.sock

  2. Install Podman.

     Podman is available from official Red Hat Enterprise Linux repositories.

     For Red Hat Enterprise Linux 9:

     sudo dnf install podman-2:<version>

     Where <version> is the supported version of Podman that you're installing. View the Podman versions that BlueXP supports.

     For Red Hat Enterprise Linux 8:

     sudo dnf install podman-3:<version>

     Where <version> is the supported version of Podman that you're installing. View the Podman versions that BlueXP supports.

  3. Enable and start the podman.socket service.

     sudo systemctl enable --now podman.socket

  4. Install python3.

     sudo dnf install python3

  5. Install the EPEL repository package if it's not already available on your system.

     This step is required because podman-compose is available from the Extra Packages for Enterprise Linux (EPEL) repository.

     For Red Hat Enterprise Linux 9:

     sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

     For Red Hat Enterprise Linux 8:

     sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

  6. Install the podman-compose package, version 1.0.6.

     sudo dnf install podman-compose-1.0.6

     Note: Using the dnf install command meets the requirement for adding podman-compose to the PATH environment variable. The installation command adds podman-compose to /usr/bin, which is already included in the secure_path option on the host.
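After the six steps above, the four requirements at the top of this step can be confirmed in one pass. The script below is an added example for this page, not part of the Connector installer: the supported Podman versions and the podman-compose version are the page's, while the RPM queries, the sudoers parsing for secure_path and the check for the leftover docker.sock from step 1 are my own.

```shell
#!/usr/bin/env bash
# Verify the Step 4 Podman requirements on a RHEL Connector host.
# Added example, not part of the BlueXP installer. Run with sudo so that
# /etc/sudoers is readable.

SUPPORTED_PODMAN="4.6.1 4.9.4"   # Podman versions from the host-requirements table
REQUIRED_COMPOSE="1.0.6"

# Return 0 when <version> is one of the space-separated versions in <list>.
version_in_list() {  # usage: version_in_list <version> <list>
  local v
  for v in $2; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Return 0 when a colon-separated PATH string contains <dir> as an exact entry.
path_has_dir() {  # usage: path_has_dir <path-string> <dir>
  case ":$1:" in
    *":$2:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the value from a sudoers "Defaults secure_path = ..." line (quotes optional);
# prints nothing for any other line.
secure_path_value() {  # usage: secure_path_value <sudoers line>
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Defaults[[:space:]][[:space:]]*secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p'
}

# Version of an installed RPM, or empty when it is not installed.
rpm_version() {
  if rpm -q "$1" >/dev/null 2>&1; then rpm -q --qf '%{VERSION}' "$1"; else echo ""; fi
}

check_podman_prereqs() {
  local rc=0 pv cv compose_dir sp
  pv=$(rpm_version podman)
  cv=$(rpm_version podman-compose)
  compose_dir=$(dirname "$(command -v podman-compose || echo /nonexistent/podman-compose)")
  sp=$(secure_path_value "$(grep -h 'secure_path' /etc/sudoers /etc/sudoers.d/* 2>/dev/null | head -n 1)")

  version_in_list "$pv" "$SUPPORTED_PODMAN"  || { echo "FAIL podman '$pv' (need one of: $SUPPORTED_PODMAN)"; rc=1; }
  systemctl is-enabled --quiet podman.socket || { echo "FAIL podman.socket is not enabled"; rc=1; }
  systemctl is-active --quiet podman.socket  || { echo "FAIL podman.socket is not running"; rc=1; }
  command -v python3 >/dev/null              || { echo "FAIL python3 is not installed"; rc=1; }
  [ "$cv" = "$REQUIRED_COMPOSE" ]            || { echo "FAIL podman-compose '$cv' (need $REQUIRED_COMPOSE)"; rc=1; }
  path_has_dir "$PATH" "$compose_dir"        || { echo "FAIL $compose_dir is not on PATH"; rc=1; }
  path_has_dir "$sp" "$compose_dir"          || { echo "FAIL $compose_dir is not in sudo secure_path ($sp)"; rc=1; }
  # Step 1 above removes the docker.sock that podman-docker installs; confirm it is gone.
  [ ! -e /var/run/docker.sock ]              || { echo "FAIL /var/run/docker.sock still exists (podman-docker leftover)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "podman prerequisites satisfied"
  return "$rc"
}

if [ "${1:-}" = "check" ]; then check_podman_prereqs; fi
```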

Step 5: Prepare networking

Set up your networking so the Connector can manage resources and processes within your public cloud environment. Other than having a virtual network and subnet for the Connector, you'll need to ensure that the following requirements are met.

Connections to target networks

The Connector must have a network connection to the location where you plan to manage storage. For example, the VPC or VNet where you plan to deploy Cloud Volumes ONTAP, or the data center where your on-premises ONTAP clusters reside.

Endpoints for day-to-day operations

If you are planning to create Cloud Volumes ONTAP systems, the Connector needs connectivity to endpoints in your cloud provider's publicly available resources.

Endpoints | Purpose
--- | ---
AWS services (amazonaws.com): CloudFormation; Elastic Compute Cloud (EC2); Identity and Access Management (IAM); Key Management Service (KMS); Security Token Service (STS); Simple Storage Service (S3) | To manage resources in AWS. The exact endpoint depends on the AWS region that you're using. Refer to AWS documentation for details.
https://management.azure.com; https://login.microsoftonline.com; https://blob.core.windows.net; https://core.windows.net | To manage resources in Azure public regions.
https://management.azure.microsoft.scloud; https://login.microsoftonline.microsoft.scloud; https://blob.core.microsoft.scloud; https://core.microsoft.scloud | To manage resources in the Azure IL6 region.
https://management.chinacloudapi.cn; https://login.chinacloudapi.cn; https://blob.core.chinacloudapi.cn; https://core.chinacloudapi.cn | To manage resources in Azure China regions.
https://www.googleapis.com/compute/v1/; https://compute.googleapis.com/compute/v1; https://cloudresourcemanager.googleapis.com/v1/projects; https://www.googleapis.com/compute/beta; https://storage.googleapis.com/storage/v1; https://www.googleapis.com/storage/v1; https://iam.googleapis.com/v1; https://cloudkms.googleapis.com/v1; https://www.googleapis.com/deploymentmanager/v2/projects | To manage resources in Google Cloud.

Public IP address in Azure

If you want to use a public IP address with the Connector VM in Azure, the IP address must use a Basic SKU to ensure that BlueXP uses this public IP address.

[Screenshot: creating a new public IP address in Azure, with Basic selected in the SKU field.]

If you use a Standard SKU IP address instead, then BlueXP uses the private IP address of the Connector, instead of the public IP. If the machine that you're using to access the BlueXP Console doesn't have access to that private IP address, then actions from the BlueXP Console will fail.

Proxy server

If your business requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation. Note that BlueXP does not support transparent proxy servers.

  • IP address

  • Credentials

  • HTTPS certificate

    With private mode, the only time that BlueXP sends outbound traffic is to your cloud provider in order to create a Cloud Volumes ONTAP system.

Ports

There's no incoming traffic to the Connector, unless you initiate it.

HTTP (80) and HTTPS (443) provide access to the BlueXP console. SSH (22) is only needed if you need to connect to the host for troubleshooting.
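Because private mode only sends outbound traffic to the cloud provider, and only through the proxy you describe to the installer, it is worth confirming that path before installation. The script below is an added example for this page, not NetApp's code: the Azure and Google endpoint lists are the ones in the table above; the AWS hostnames follow the standard partition's regional naming (for example ec2.<region>.amazonaws.com), which is my assumption about where the Connector runs; the proxy address, credentials and certificate path are constructed placeholders.

```shell
#!/usr/bin/env bash
# Outbound reachability check for the Step 5 endpoints through an HTTP/HTTPS proxy.
# Added example, not NetApp's code. Azure and Google lists are the page's; the AWS
# regional hostnames are an assumption (standard partition); proxy values are placeholders.

# Build the proxy URL the installer will be given from its parts.
proxy_url() {  # usage: proxy_url <http|https> <ip> <port> [user] [password]
  if [ -n "${4:-}" ]; then
    printf '%s://%s:%s@%s:%s\n' "$1" "$4" "${5:-}" "$2" "$3"
  else
    printf '%s://%s:%s\n' "$1" "$2" "$3"
  fi
}

# Endpoints for one cloud, one per line, as listed in the endpoints table.
endpoints_for() {  # usage: endpoints_for <azure-public|azure-il6|azure-china|gcp>
  case "$1" in
    azure-public) printf '%s\n' https://management.azure.com https://login.microsoftonline.com https://blob.core.windows.net https://core.windows.net ;;
    azure-il6)    printf '%s\n' https://management.azure.microsoft.scloud https://login.microsoftonline.microsoft.scloud https://blob.core.microsoft.scloud https://core.microsoft.scloud ;;
    azure-china)  printf '%s\n' https://management.chinacloudapi.cn https://login.chinacloudapi.cn https://blob.core.chinacloudapi.cn https://core.chinacloudapi.cn ;;
    gcp)          printf '%s\n' https://www.googleapis.com/compute/v1/ https://compute.googleapis.com/compute/v1 https://cloudresourcemanager.googleapis.com/v1/projects https://www.googleapis.com/compute/beta https://storage.googleapis.com/storage/v1 https://www.googleapis.com/storage/v1 https://iam.googleapis.com/v1 https://cloudkms.googleapis.com/v1 https://www.googleapis.com/deploymentmanager/v2/projects ;;
    *) echo "unknown cloud: $1" >&2; return 1 ;;
  esac
}

# AWS endpoints for the six services the page names (assumption: standard-partition naming).
aws_endpoints() {  # usage: aws_endpoints <region>
  printf 'https://%s.%s.amazonaws.com\n' cloudformation "$1" ec2 "$1" kms "$1" sts "$1" s3 "$1"
  echo https://iam.amazonaws.com   # IAM uses a global endpoint
}

# Any HTTP status (even 401/403/404) proves the path through the proxy works;
# curl reports 000 when it could not connect at all (DNS, proxy, TLS interception).
reachable_code() {  # usage: reachable_code <status from curl -w %{http_code}>
  [ -n "$1" ] && [ "$1" != "000" ]
}

# Probe each endpoint read from stdin via the proxy. PROXY_CACERT, if set, is the
# proxy's HTTPS certificate from the list above, passed to curl as --proxy-cacert.
probe_all() {  # usage: <endpoint list> | probe_all <proxy-url>
  local url code rc=0 cacert_opt=""
  [ -n "${PROXY_CACERT:-}" ] && cacert_opt="--proxy-cacert $PROXY_CACERT"
  while read -r url; do
    [ -z "$url" ] && continue
    code=$(curl -sS -o /dev/null --max-time 10 --proxy "$1" $cacert_opt -w '%{http_code}' "$url" 2>/dev/null || true)
    if reachable_code "$code"; then echo "ok   $code $url"; else echo "FAIL     $url (no response via $1)"; rc=1; fi
  done
  return "$rc"
}

# usage: netcheck.sh probe <azure-public|azure-il6|azure-china|gcp|aws> <proxy-url> [aws-region]
# e.g.   netcheck.sh probe azure-public "$(proxy_url http 10.0.0.5 3128 svc-user 's3cret')"   (constructed values)
if [ "${1:-}" = "probe" ]; then
  if [ "$2" = "aws" ]; then aws_endpoints "${4:?aws region required}"; else endpoints_for "$2"; fi | probe_all "$3"
fi
```

A FAIL on every endpoint points at the proxy itself (address, credentials, or a certificate the host does not trust); a FAIL on a single endpoint usually means an allow-list on the proxy is missing that hostname.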

Enable NTP

If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification.

Step 6: Prepare cloud permissions

If the Connector is installed in the cloud and you are planning to create Cloud Volumes ONTAP systems, then BlueXP requires permissions from your cloud provider. You need to set up permissions in your cloud provider and then associate those permissions with the Connector instance after you install it.

To view the required steps, select the authentication option that you'd like to use for your cloud provider.

Use an IAM role to provide the Connector with permissions. You'll need to manually attach the role to the EC2 instance for the Connector.

Steps
  1. Log in to the AWS console and navigate to the IAM service.

  2. Create a policy:

    1. Select Policies > Create policy.

    2. Select JSON and copy and paste the contents of the IAM policy for the Connector.

    3. Finish the remaining steps to create the policy.

  3. Create an IAM role:

    1. Select Roles > Create role.

    2. Select AWS service > EC2.

    3. Add permissions by attaching the policy that you just created.

    4. Finish the remaining steps to create the role.

Result

You now have an IAM role for the Connector EC2 instance.
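The same policy and role can be created from the AWS CLI, which is easier to review and repeat than console clicks. The script below is an added example for this page, not NetApp's tooling. It assumes AWS CLI v2 configured with IAM write permissions, that the JSON from the "IAM policy for the Connector" link above has been saved to the file named in POLICY_FILE, and that the role and policy names are placeholders of my choosing rather than names the page mandates. The sanity check on the policy file and the explicit instance profile are my additions.

```shell
#!/usr/bin/env bash
# Create the Connector's IAM policy and role with the AWS CLI (the console
# steps above). Added example, not NetApp's tooling. Names are placeholders;
# POLICY_FILE must hold the page's "IAM policy for the Connector" JSON.

ROLE_NAME="${ROLE_NAME:-bluexp-connector-role}"
POLICY_NAME="${POLICY_NAME:-bluexp-connector-policy}"
POLICY_FILE="${POLICY_FILE:-./connector-policy.json}"

# Trust policy equivalent to choosing "AWS service > EC2" in the console:
# only the EC2 service may assume this role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Guard against pasting the wrong file: it must be non-empty, carry a Statement
# block, and must not grant "*" as an Action (the Connector policy is an explicit list).
policy_file_looks_sane() {  # usage: policy_file_looks_sane <file>
  [ -s "$1" ] \
    && grep -q '"Statement"' "$1" \
    && ! grep -Eq '"Action"[[:space:]]*:[[:space:]]*(\[[[:space:]]*)?"\*"' "$1"
}

create_connector_role() {  # usage: create_connector_role [instance-id]
  local policy_arn
  policy_file_looks_sane "$POLICY_FILE" || { echo "refusing: $POLICY_FILE is missing or over-broad" >&2; return 1; }

  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "file://$POLICY_FILE" --query 'Policy.Arn' --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"

  # EC2 attaches roles through an instance profile. The console creates one with
  # the same name implicitly; the CLI does not, so create it explicitly.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"

  # The page's "manually attach the role" step, once the Connector instance exists.
  # IAM is eventually consistent, so give the new profile a moment to propagate.
  if [ -n "${1:-}" ]; then
    sleep 10
    aws ec2 associate-iam-instance-profile --instance-id "$1" \
        --iam-instance-profile Name="$ROLE_NAME"
  fi
}

# usage: connector-role.sh create [i-0123456789abcdef0]   (instance id is a placeholder)
if [ "${1:-}" = "create" ]; then create_connector_role "${2:-}"; fi
```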

Step 7: Enable Google Cloud APIs

Several APIs are required to deploy Cloud Volumes ONTAP in Google Cloud.

Step
  1. Enable the following Google Cloud APIs in your project:

    • Cloud Deployment Manager V2 API

    • Cloud Logging API

    • Cloud Resource Manager API

    • Compute Engine API

    • Identity and Access Management (IAM) API

    • Cloud Key Management Service (KMS) API

      (Required only if you are planning to use BlueXP backup and recovery with customer-managed encryption keys (CMEK))
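The same six APIs can be enabled and verified from the gcloud CLI. The following is an added example for this page, not NetApp's tooling: it assumes gcloud is authenticated with a principal allowed to enable services in PROJECT_ID (a placeholder), and maps the console names above to their standard service identifiers, adding Cloud KMS only when CMEK is planned.

```shell
#!/usr/bin/env bash
# Enable the Step 7 Google Cloud APIs with gcloud and verify each one is on.
# Added example, not NetApp's tooling. PROJECT_ID is a placeholder.

PROJECT_ID="${PROJECT_ID:-your-project-id}"

# Always-required APIs, one service identifier per line
# (Deployment Manager V2, Logging, Resource Manager, Compute Engine, IAM).
required_apis() {
  cat <<'EOF'
deploymentmanager.googleapis.com
logging.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
iam.googleapis.com
EOF
}

# Full list; Cloud KMS is added only when BlueXP backup and recovery will use
# customer-managed encryption keys (CMEK).
apis_to_enable() {  # usage: apis_to_enable <cmek: yes|no>
  required_apis
  if [ "$1" = "yes" ]; then echo cloudkms.googleapis.com; fi
}

# Return 0 when gcloud reports the service as enabled in the project.
api_enabled() {  # usage: api_enabled <service>
  gcloud services list --enabled --project="$PROJECT_ID" \
      --filter="config.name=$1" --format='value(config.name)' | grep -qx "$1"
}

enable_apis() {  # usage: enable_apis <cmek: yes|no>
  local svc rc=0
  # The list is word-split on purpose: gcloud accepts several services in one call.
  gcloud services enable $(apis_to_enable "$1") --project="$PROJECT_ID"
  for svc in $(apis_to_enable "$1"); do
    if api_enabled "$svc"; then echo "ok   $svc"; else echo "FAIL $svc is not enabled"; rc=1; fi
  done
  return "$rc"
}

# usage: enable-apis.sh enable [yes|no]   (yes = CMEK planned, so Cloud KMS is included)
if [ "${1:-}" = "enable" ]; then enable_apis "${2:-no}"; fi
```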