Prepare for deployment in restricted mode
Prepare your environment before you deploy BlueXP in restricted mode. For example, you need to review host requirements, prepare networking, set up permissions, and more.
Step 1: Understand how restricted mode works
Before you get started, you should have an understanding of how BlueXP works in restricted mode.
For example, you should understand that you must use the browser-based interface that is available locally from the BlueXP Connector that you install. You can't access BlueXP from the web-based console that's provided through the SaaS layer.
In addition, not all BlueXP services are available.
Step 2: Review installation options
In restricted mode, you can only install the Connector in the cloud. The following installation options are available:
- From the AWS Marketplace
- From the Azure Marketplace
- Manually installing the Connector on your own Linux host that's running in AWS, Azure, or Google Cloud
Step 3: Review host requirements
The Connector software must run on a host that meets specific operating system requirements, RAM requirements, port requirements, and so on.
When you deploy the Connector from the AWS or Azure Marketplace, the image includes the required OS and software components. You simply need to choose an instance type that meets CPU and RAM requirements.
Dedicated host
  The Connector is not supported on a host that is shared with other applications. The host must be a dedicated host.
Hypervisor
  A bare metal or hosted hypervisor that is certified to run a supported operating system is required.
Operating system and container requirements
  BlueXP supports the Connector with the following operating systems when using BlueXP in standard mode or restricted mode. A container orchestration tool is required before you install the Connector.

  Red Hat Enterprise Linux
    Supported OS versions: 9.1 to 9.4; 8.6 to 8.10
    Supported Connector versions: 3.9.40 or later with BlueXP in standard mode or restricted mode
    Required container tool: Podman version 4.6.1 or 4.9.4
    SELinux: Supported in enforcing mode or permissive mode (see note 1)
  Ubuntu 24.04 LTS
    Supported Connector versions: 3.9.45 or later with BlueXP in standard mode or restricted mode
    Required container tool: Docker Engine 26.0.0
    SELinux: Not supported
  Ubuntu 22.04 LTS
    Supported Connector versions: 3.9.29 or later
    Required container tool: Docker Engine 23.0.6 to 26.0.0 (26.0.0 is supported with new Connector 3.9.44 or later installations)
    SELinux: Not supported

  Notes:
  1. Management of Cloud Volumes ONTAP systems is not supported by Connectors that have SELinux enabled on the operating system.
  2. The Connector is supported on English-language versions of these operating systems.
  3. For RHEL, the host must be registered with Red Hat Subscription Management. If it's not registered, the host can't access repositories to update required third-party software during Connector installation.
CPU
  8 cores or 8 vCPUs
RAM
  32 GB
AWS EC2 instance type
  An instance type that meets the CPU and RAM requirements above. We recommend t3.2xlarge.
Azure VM size
  An instance type that meets the CPU and RAM requirements above. We recommend Standard_D8s_v3.
Google Cloud machine type
  An instance type that meets the CPU and RAM requirements above. We recommend n2-standard-8.
  The Connector is supported in Google Cloud on a VM instance with an OS that supports Shielded VM features.
Disk space in /opt
  100 GiB of space must be available.
  BlueXP uses /opt to install the /opt/application/netapp directory and its contents.
Disk space in /var
  20 GiB of space must be available.
  BlueXP requires this space in /var because Docker and Podman are architected to create the containers within this directory. Specifically, they create containers in the /var/lib/containers/storage directory. External mounts or symlinks do not work for this space.
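The host requirements above can be checked before the installer is run. The script below is an added example and not NetApp's own tooling; it encodes the OS table, the CPU, RAM and disk thresholds, and the "no symlinks or external mounts" rule for the container storage directory, and assumes a Linux host with coreutils and /etc/os-release.

```sh
#!/bin/sh
# Added example, not NetApp's own tooling: a preflight check of a Linux host against
# the Connector requirements in Step 3. "run" checks the local host; the checks take
# explicit values so each rule can also be exercised on its own.

MIN_CORES=8        # 8 cores or 8 vCPUs
MIN_RAM_GB=32      # 32 GB
MIN_OPT_GIB=100    # free space required under /opt
MIN_VAR_GIB=20     # free space required under /var

# supported_os ID VERSION_ID -> 0 when the /etc/os-release pair is in the support table.
supported_os() {
  case "$1:$2" in
    rhel:9.[1-4]|rhel:8.[6-9]|rhel:8.10|ubuntu:24.04|ubuntu:22.04) return 0 ;;
    *) return 1 ;;
  esac
}

# container_tool ID -> the container tool the table requires for that distribution.
container_tool() {
  case "$1" in rhel) echo podman ;; ubuntu) echo docker ;; *) echo unsupported ;; esac
}

# at_least VALUE MIN -> 0 when the integer VALUE is at least MIN.
at_least() { [ "$1" -ge "$2" ]; }

# free_gib PATH -> free space on the filesystem holding PATH, in whole GiB.
free_gib() { df -Pk "$1" | awk 'NR==2 {print int($4/1048576)}'; }

# storage_is_local DIR BASE -> 0 when DIR (or its nearest existing parent) is not a
# symlink and lives on the same filesystem as BASE. The page states that external
# mounts and symlinks do not work for /var/lib/containers/storage.
storage_is_local() {
  d=$1
  while [ ! -e "$d" ] && [ ! -L "$d" ]; do d=$(dirname "$d"); done
  [ -L "$d" ] && return 1
  [ "$(df -P "$d" | awk 'NR==2 {print $1}')" = "$(df -P "$2" | awk 'NR==2 {print $1}')" ]
}

# report LABEL CMD... -> prints ok/FAIL for one requirement and records failures.
report() {
  label=$1; shift
  if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fail=1; fi
}

main() {
  . /etc/os-release      # provides ID and VERSION_ID
  fail=0
  # MemTotal excludes memory the kernel reserves, so round to the nearest GB.
  ram_gb=$(awk '/^MemTotal:/ {print int($2/1000000 + 0.5)}' /proc/meminfo)
  report "OS $ID $VERSION_ID is supported"     supported_os "$ID" "$VERSION_ID"
  report "container tool: $(container_tool "$ID")" [ "$(container_tool "$ID")" != unsupported ]
  report "CPU cores >= $MIN_CORES"              at_least "$(nproc)" "$MIN_CORES"
  report "RAM >= $MIN_RAM_GB GB"                at_least "$ram_gb" "$MIN_RAM_GB"
  report "/opt free >= $MIN_OPT_GIB GiB"        at_least "$(free_gib /opt)" "$MIN_OPT_GIB"
  report "/var free >= $MIN_VAR_GIB GiB"        at_least "$(free_gib /var)" "$MIN_VAR_GIB"
  report "/var/lib/containers/storage is local" storage_is_local /var/lib/containers/storage /var
  # Enforcing and permissive SELinux are supported on RHEL, but Cloud Volumes ONTAP
  # management is not supported while SELinux is enabled (note 1 in the table).
  if command -v getenforce >/dev/null 2>&1; then echo "note SELinux: $(getenforce)"; fi
  return "$fail"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh preflight.sh run` on the candidate host; a non-zero exit means at least one requirement failed.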
Step 4: Install Podman or Docker Engine
If you're planning to manually install the Connector software, you need to prepare the host by installing Podman or Docker Engine.
Depending on your operating system, either Podman or Docker Engine is required before you install the Connector.
- Podman is required for Red Hat Enterprise Linux 8 and 9.
- Docker Engine is required for Ubuntu.

Podman
Follow these steps to install Podman and configure it to meet the following requirements:
- The podman.socket service must be enabled and started
- python3 must be installed
- The podman-compose package version 1.0.6 must be installed
- podman-compose must be added to the PATH environment variable

1. Remove the podman-docker package if it's installed on the host:
     dnf remove podman-docker
     rm /var/run/docker.sock
2. Install Podman.
   Podman is available from official Red Hat Enterprise Linux repositories.
   For Red Hat Enterprise Linux 9:
     sudo dnf install podman-2:<version>
   For Red Hat Enterprise Linux 8:
     sudo dnf install podman-3:<version>
   Where <version> is the supported version of Podman that you're installing. View the Podman versions that BlueXP supports.
3. Enable and start the podman.socket service.
     sudo systemctl enable --now podman.socket
4. Install python3.
     sudo dnf install python3
5. Install the EPEL repository package if it's not already available on your system.
   This step is required because podman-compose is available from the Extra Packages for Enterprise Linux (EPEL) repository.
   For Red Hat Enterprise Linux 9:
     sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
   For Red Hat Enterprise Linux 8:
     sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
6. Install podman-compose package 1.0.6.
     sudo dnf install podman-compose-1.0.6
   Using the dnf install command meets the requirement for adding podman-compose to the PATH environment variable. The installation command adds podman-compose to /usr/bin, which is already included in the secure_path option on the host.

Docker Engine
Follow the documentation from Docker to install Docker Engine.
1. View installation instructions from Docker.
   Be sure to follow the steps to install a specific version of Docker Engine. Installing the latest version will install a version of Docker that BlueXP doesn't support.
2. Verify that Docker is enabled and running.
     sudo systemctl enable docker && sudo systemctl start docker
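After working through the Podman steps, the resulting state can be verified against the four requirements listed at the top of this step. The script below is an added example and not NetApp's own tooling; it assumes a RHEL host with rpm and systemd, and the version strings it accepts come from the OS table in Step 3.

```sh
#!/bin/sh
# Added example, not NetApp's own tooling: verifies that a RHEL host satisfies the
# Podman requirements listed in Step 4 before the Connector installer is run. The
# version checks take explicit strings; "run" queries rpm and systemd on the host.

SUPPORTED_PODMAN="4.6.1 4.9.4"    # from the OS table in Step 3
REQUIRED_COMPOSE="1.0.6"

# podman_version_supported VERSION -> 0 when VERSION is a release BlueXP supports.
podman_version_supported() {
  for v in $SUPPORTED_PODMAN; do [ "$1" = "$v" ] && return 0; done
  return 1
}

# compose_version_ok VERSION -> 0 only for the exact podman-compose release required.
compose_version_ok() { [ "$1" = "$REQUIRED_COMPOSE" ]; }

# socket_state_ok ENABLED ACTIVE -> 0 when podman.socket is both enabled and started,
# given the strings that "systemctl is-enabled" and "systemctl is-active" print.
socket_state_ok() { [ "$1" = enabled ] && [ "$2" = active ]; }

# compose_on_path CMDPATH -> 0 when podman-compose resolves under /usr/bin, which is
# already part of the sudoers secure_path on the host (see the note above).
compose_on_path() { [ "$1" = /usr/bin/podman-compose ]; }

# rpm_version NAME -> the installed version of an rpm, or nothing when not installed.
rpm_version() { rpm -q "$1" >/dev/null 2>&1 && rpm -q --qf '%{VERSION}' "$1" || true; }

# report LABEL CMD... -> prints ok/FAIL for one requirement and records failures.
report() {
  label=$1; shift
  if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fail=1; fi
}

main() {
  fail=0
  # Step 1 above removes podman-docker and the docker.sock it leaves behind.
  report "podman-docker not installed"   [ "$(rpm_version podman-docker)" = "" ]
  report "/var/run/docker.sock absent"   [ ! -e /var/run/docker.sock ]
  report "podman version supported"      podman_version_supported "$(rpm_version podman)"
  report "podman.socket enabled+started" socket_state_ok \
      "$(systemctl is-enabled podman.socket 2>/dev/null)" "$(systemctl is-active podman.socket 2>/dev/null)"
  report "python3 installed"             [ "$(rpm_version python3)" != "" ]
  report "podman-compose is $REQUIRED_COMPOSE" compose_version_ok "$(rpm_version podman-compose)"
  report "podman-compose on PATH"        compose_on_path "$(command -v podman-compose)"
  return "$fail"
}

case "${1:-}" in run) main ;; esac
```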
Step 5: Prepare networking
Set up your networking so the Connector can manage resources and processes within your public cloud environment. Other than having a virtual network and subnet for the Connector, you'll need to ensure that the following requirements are met.
Connections to target networks
  The Connector must have a network connection to the location where you plan to manage storage. For example, the VPC or VNet where you plan to deploy Cloud Volumes ONTAP, or the data center where your on-premises ONTAP clusters reside.
Prepare networking for user access to BlueXP console
  In restricted mode, the BlueXP user interface is accessible from the Connector. As you use the BlueXP user interface, it contacts a few endpoints to complete data management tasks. These endpoints are contacted from a user's computer when completing specific actions from the BlueXP console.
  - https://api.bluexp.netapp.com
    Purpose: The BlueXP web-based console contacts this endpoint to interact with the BlueXP API for actions related to authorization, licensing, subscriptions, credentials, notifications, and more.
  - https://signin.b2c.netapp.com
    Purpose: Required to update NetApp Support Site (NSS) credentials or to add new NSS credentials to BlueXP.
  - https://netapp-cloud-account.auth0.com, https://cdn.auth0.com, https://services.cloud.netapp.com
    Purpose: Your web browser connects to these endpoints for centralized user authentication through BlueXP.
  - https://widget.intercom.io
    Purpose: For in-product chat that enables you to talk to NetApp cloud experts.
Endpoints contacted during manual installation
  When you manually install the Connector on your own Linux host, the installer for the Connector requires access to several URLs during the installation process.
  - The following endpoints are always contacted no matter where you install the Connector:
    - https://mysupport.netapp.com
    - https://signin.b2c.netapp.com (this endpoint is the CNAME URL for https://mysupport.netapp.com)
    - https://cloudmanager.cloud.netapp.com/tenancy
    - https://stream.cloudmanager.cloud.netapp.com
    - https://production-artifacts.cloudmanager.cloud.netapp.com
  - If you install the Connector in an AWS Government region, the installer also needs access to these endpoints:
    - https://*.blob.core.windows.net
    - https://cloudmanagerinfraprod.azurecr.io
  - If you install the Connector in an Azure Government region, the installer also needs access to these endpoints:
    - https://*.blob.core.windows.net
    - https://occmclientinfragov.azurecr.us
  - If you install the Connector in a commercial region or sovereign region, you can choose between two sets of endpoints:
    - Option 1 (recommended):
      - https://bluexpinfraprod.eastus2.data.azurecr.io
      - https://bluexpinfraprod.azurecr.io
    - Option 2:
      - https://*.blob.core.windows.net
      - https://cloudmanagerinfraprod.azurecr.io
    The endpoints listed in option 1 are recommended because they are more secure. We recommend that you set up your firewall to allow the endpoints listed in option 1, while disallowing the endpoints listed in option 2. Note the following about these endpoints:
    - The endpoints listed in option 1 are supported starting with the 3.9.47 release of the Connector. There is no backwards compatibility with previous releases of the Connector.
    - The Connector contacts the endpoints listed in option 2 first. If those endpoints aren't accessible, the Connector automatically contacts the endpoints listed in option 1.
    - The endpoints in option 1 are not supported if you use the Connector with BlueXP backup and recovery or BlueXP ransomware protection. In this case, you can disallow the endpoints listed in option 1, while allowing the endpoints listed in option 2.
  - The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.
Outbound internet access for day-to-day operations
  The network location where you deploy the Connector must have an outbound internet connection. The Connector requires outbound internet access to contact the following endpoints in order to manage resources and processes within your public cloud environment.
  - AWS services (amazonaws.com): CloudFormation, Elastic Compute Cloud (EC2), Identity and Access Management (IAM), Key Management Service (KMS), Security Token Service (STS), Simple Storage Service (S3)
    Purpose: To manage resources in AWS. The exact endpoint depends on the AWS region that you're using. Refer to AWS documentation for details.
  - https://management.azure.com, https://login.microsoftonline.com, https://blob.core.windows.net, https://core.windows.net
    Purpose: To manage resources in Azure public regions.
  - https://management.usgovcloudapi.net, https://login.microsoftonline.us, https://blob.core.usgovcloudapi.net, https://core.usgovcloudapi.net
    Purpose: To manage resources in Azure Government regions.
  - https://management.chinacloudapi.cn, https://login.chinacloudapi.cn, https://blob.core.chinacloudapi.cn, https://core.chinacloudapi.cn
    Purpose: To manage resources in Azure China regions.
  - Google Cloud endpoints:
    - https://www.googleapis.com/compute/v1/
    - https://compute.googleapis.com/compute/v1
    - https://cloudresourcemanager.googleapis.com/v1/projects
    - https://www.googleapis.com/compute/beta
    - https://storage.googleapis.com/storage/v1
    - https://www.googleapis.com/storage/v1
    - https://iam.googleapis.com/v1
    - https://cloudkms.googleapis.com/v1
    - https://www.googleapis.com/deploymentmanager/v2/projects
    Purpose: To manage resources in Google Cloud.
  - https://support.netapp.com, https://mysupport.netapp.com
    Purpose: To obtain licensing information and to send AutoSupport messages to NetApp support.
  - https://*.api.bluexp.netapp.com, https://api.bluexp.netapp.com, https://*.cloudmanager.cloud.netapp.com, https://cloudmanager.cloud.netapp.com, https://netapp-cloud-account.auth0.com
    Purpose: To provide SaaS features and services within BlueXP.
    Note that the Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.
  - If the Connector is in an AWS Government region: https://*.blob.core.windows.net, https://cloudmanagerinfraprod.azurecr.io
    Purpose: To obtain images for Connector upgrades when the Connector is installed in an AWS Government region.
  - If the Connector is in an Azure Government region: https://*.blob.core.windows.net, https://occmclientinfragov.azurecr.us
    Purpose: To obtain images for Connector upgrades when the Connector is installed in an Azure Government region.
  - If the Connector is in a commercial region or sovereign region, you can choose between two sets of endpoints:
    - Option 1 (recommended; see note 1): https://bluexpinfraprod.eastus2.data.azurecr.io, https://bluexpinfraprod.azurecr.io
    - Option 2: https://*.blob.core.windows.net, https://cloudmanagerinfraprod.azurecr.io
    Purpose: To obtain images for Connector upgrades when the Connector is installed in a commercial region or sovereign region.
  Note 1: The endpoints listed in option 1 are recommended because they are more secure. We recommend that you set up your firewall to allow the endpoints listed in option 1, while disallowing the endpoints listed in option 2. Note the following about these endpoints:
  - The endpoints listed in option 1 are supported starting with the 3.9.47 release of the Connector. There is no backwards compatibility with previous releases of the Connector.
  - The Connector contacts the endpoints listed in option 2 first. If those endpoints aren't accessible, the Connector automatically contacts the endpoints listed in option 1.
  - The endpoints in option 1 are not supported if you use the Connector with BlueXP backup and recovery or BlueXP ransomware protection. In this case, you can disallow the endpoints listed in option 1, while allowing the endpoints listed in option 2.
Public IP address in Azure
  If you want to use a public IP address with the Connector VM in Azure, the IP address must use a Basic SKU to ensure that BlueXP uses this public IP address.
  If you use a Standard SKU IP address instead, then BlueXP uses the private IP address of the Connector, instead of the public IP. If the machine that you're using to access the BlueXP Console doesn't have access to that private IP address, then actions from the BlueXP Console will fail.
Proxy server
  If your business requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation. Note that BlueXP does not support transparent proxy servers.
  - IP address
  - Credentials
  - HTTPS certificate
Ports
  There's no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.
  - HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.
  - SSH (22) is only needed if you need to connect to the host for troubleshooting.
  - Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.
    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, BlueXP automatically configures those systems to use a proxy server that's included with the Connector. The only requirement is to ensure that the Connector's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Connector.
Enable NTP
  If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification.
If you're planning to create the Connector from your cloud provider's marketplace, then you'll need to implement this networking requirement after you create the Connector.
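The image-endpoint rules in Step 5 (the installer list, the AWS and Azure Government lists, and the option 1 / option 2 choice with its Connector-version and backup-and-recovery caveats) are easy to get wrong in a firewall allowlist. The script below is an added example and not NetApp's own tooling; it derives the endpoint set for a region class from those rules and then probes each URL with curl, honouring HTTPS_PROXY when set.

```sh
#!/bin/sh
# Added example, not NetApp's own tooling: selects the container-image endpoints the
# Connector needs (installer and upgrades) for a given region class using the option 1
# / option 2 rules above, then probes the required URLs with curl. If HTTPS_PROXY is
# set, curl routes the probes through that proxy, so the result reflects the proxied path.

# Always contacted by the installer, regardless of where the Connector runs.
INSTALL_ENDPOINTS="https://mysupport.netapp.com https://signin.b2c.netapp.com \
https://cloudmanager.cloud.netapp.com/tenancy https://stream.cloudmanager.cloud.netapp.com \
https://production-artifacts.cloudmanager.cloud.netapp.com"

# version_ge A B -> 0 when dotted version A is at least B (numeric, component-wise).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) { if (x[i]+0 > y[i]+0) exit 0; if (x[i]+0 < y[i]+0) exit 1 }
    exit 0 }'
}

# registry_endpoints REGION_CLASS CONNECTOR_VERSION USES_BACKUP_OR_RANSOMWARE(yes|no)
#   REGION_CLASS is aws-gov, azure-gov or commercial (sovereign regions use commercial).
#   Prints the image endpoints to allow, one per line. Option 1 is chosen only when the
#   Connector is 3.9.47 or later and BlueXP backup and recovery / ransomware protection
#   are not in use, because option 1 is unsupported in those cases; otherwise option 2.
registry_endpoints() {
  case "$1" in
    aws-gov)   printf '%s\n' 'https://*.blob.core.windows.net' https://cloudmanagerinfraprod.azurecr.io ;;
    azure-gov) printf '%s\n' 'https://*.blob.core.windows.net' https://occmclientinfragov.azurecr.us ;;
    commercial)
      if version_ge "$2" 3.9.47 && [ "$3" = no ]; then
        printf '%s\n' https://bluexpinfraprod.eastus2.data.azurecr.io https://bluexpinfraprod.azurecr.io
      else
        printf '%s\n' 'https://*.blob.core.windows.net' https://cloudmanagerinfraprod.azurecr.io
      fi ;;
    *) echo "unknown region class: $1" >&2; return 1 ;;
  esac
}

# probe_url URL -> "open" when any HTTP status comes back (the egress path and TLS
# handshake worked; a 4xx from an unauthenticated GET is expected), "BLOCKED" when the
# connection never completed. Wildcard entries cannot be probed and are flagged.
probe_url() {
  case "$1" in
    *'*'*) echo "check    $1 (wildcard: verify the firewall rule manually)"; return 0 ;;
  esac
  code=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code}' "$1" 2>/dev/null || true)
  case "$code" in
    ""|000) echo "BLOCKED  $1"; return 1 ;;
    *)      echo "open     $1 (HTTP $code)" ;;
  esac
}

# main REGION_CLASS CONNECTOR_VERSION USES_BACKUP_OR_RANSOMWARE -> probes everything.
main() {
  set -f                       # keep the shell from globbing the '*' in wildcard URLs
  fail=0
  for u in $INSTALL_ENDPOINTS $(registry_endpoints "$@"); do probe_url "$u" || fail=1; done
  return "$fail"
}

case "${1:-}" in run) shift; main "$@" ;; esac
```

Example: `sh egress-check.sh run commercial 3.9.47 no` probes the installer endpoints plus the option 1 pair; `run commercial 3.9.47 yes` switches to option 2 because backup and recovery is in use.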
Step 6: Prepare cloud permissions
BlueXP requires permissions from your cloud provider to deploy Cloud Volumes ONTAP in a virtual network and to use BlueXP data services. You need to set up permissions in your cloud provider and then associate those permissions with the Connector.
To view the required steps, select the authentication option that you'd like to use for your cloud provider.
AWS: IAM role
Use an IAM role to provide the Connector with permissions.
If you're creating the Connector from the AWS Marketplace, you'll be prompted to select that IAM role when you launch the EC2 instance.
If you're manually installing the Connector on your own Linux host, you'll need to attach the role to the EC2 instance.
1. Log in to the AWS console and navigate to the IAM service.
2. Create a policy:
   a. Select Policies > Create policy.
   b. Select JSON and copy and paste the contents of the IAM policy for the Connector.
   c. Finish the remaining steps to create the policy.
3. Create an IAM role:
   a. Select Roles > Create role.
   b. Select AWS service > EC2.
   c. Add permissions by attaching the policy that you just created.
   d. Finish the remaining steps to create the role.
You now have an IAM role for the Connector EC2 instance.
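The same IAM role can be created from the AWS CLI, which is easier to review and repeat than console clicks. The script below is an added example and not NetApp's own tooling; it assumes the IAM policy for the Connector has been saved locally as connector-policy.json (a placeholder name), that the role and policy names are placeholders you may change through the environment, and that the caller may manage IAM and EC2.

```sh
#!/bin/sh
# Added example, not NetApp's own tooling: performs the IAM role steps above with the
# AWS CLI and attaches the role to a manually installed Connector instance. Assumes
# the IAM policy for the Connector from the documentation has been saved locally as
# connector-policy.json (placeholder name) and that the caller may manage IAM and EC2.

ROLE_NAME=${ROLE_NAME:-BlueXPConnectorRole}        # placeholder names; override via env
POLICY_NAME=${POLICY_NAME:-BlueXPConnectorPolicy}
POLICY_FILE=${POLICY_FILE:-connector-policy.json}

# ec2_trust_policy -> trust document equivalent to choosing "AWS service > EC2" in the
# console: only EC2 instances (via the instance profile) may assume the role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# policy_document_ok FILE -> 0 when FILE exists, is non-empty and carries a Statement
# block; a cheap guard against pasting the wrong file (the API validates the rest).
policy_document_ok() { [ -s "$1" ] && grep -q '"Statement"' "$1"; }

# create_role_and_profile -> creates the managed policy, the role, and an instance
# profile of the same name, then wires them together. Uses the ARN the API returns so
# it works in any partition (aws, aws-us-gov) without hard-coding the account ID.
create_role_and_profile() {
  policy_document_ok "$POLICY_FILE" || { echo "missing or invalid $POLICY_FILE" >&2; return 1; }
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "file://$POLICY_FILE" --query Policy.Arn --output text)
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  echo "$policy_arn"
}

# attach_to_instance INSTANCE_ID -> attaches the instance profile to an existing EC2
# instance (the manual-install case; Marketplace launches select the role at launch).
attach_to_instance() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" \
      --iam-instance-profile "Name=$ROLE_NAME"
}

case "${1:-}" in
  create) create_role_and_profile ;;
  attach) attach_to_instance "$2" ;;
esac
```

Run `sh connector-iam.sh create` once, then `sh connector-iam.sh attach <instance-id>` for a Connector host you installed yourself.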
AWS: IAM user
Set up permissions and an access key for an IAM user. You'll need to provide BlueXP with the AWS access key after you install the Connector and set up BlueXP.
1. Log in to the AWS console and navigate to the IAM service.
2. Create a policy:
   a. Select Policies > Create policy.
   b. Select JSON and copy and paste the contents of the IAM policy for the Connector.
   c. Finish the remaining steps to create the policy.
   Depending on the BlueXP services that you're planning to use, you might need to create a second policy.
   For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS. Learn more about IAM policies for the Connector.
3. Attach the policies to an IAM user.
4. Ensure that the user has an access key that you can add to BlueXP after you install the Connector.
The account now has the required permissions.
Azure: custom role for the Connector VM
Create an Azure custom role with the required permissions. You'll assign this role to the Connector VM.
Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation.
1. If you're planning to manually install the software on your own host, enable a system-assigned managed identity on the VM so that you can provide the required Azure permissions through a custom role.
2. Copy the contents of the custom role permissions for the Connector and save them in a JSON file.
3. Modify the JSON file by adding Azure subscription IDs to the assignable scope.
   You should add the ID for each Azure subscription that you want to use with BlueXP.
   Example
     "AssignableScopes": [
       "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
       "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
       "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
     ]
4. Use the JSON file to create a custom role in Azure.
   The following steps describe how to create the role by using Bash in Azure Cloud Shell.
   a. Start Azure Cloud Shell and choose the Bash environment.
   b. Upload the JSON file.
   c. Use the Azure CLI to create the custom role:
        az role definition create --role-definition Connector_Policy.json
You should now have a custom role called BlueXP Operator that you can assign to the Connector virtual machine.
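The steps above stop at creating the role definition; the VM identity and the role assignment are still needed before the Connector can act. The script below is an added example and not NetApp's own tooling; it assumes the custom role permissions are saved as Connector_Policy.json (the file name used above), that jq is installed for editing the AssignableScopes array, and that the caller may create role definitions and assignments on the target subscriptions.

```sh
#!/bin/sh
# Added example, not NetApp's own tooling: the managed-identity route above done with
# the Azure CLI. Assumes the custom role permissions from the documentation are saved
# as Connector_Policy.json (the file name used above), that jq is installed, and that
# the caller can create role definitions and assignments on the target subscriptions.

ROLE_FILE=${ROLE_FILE:-Connector_Policy.json}
ROLE_NAME="BlueXP Operator"        # the name the role definition in the docs carries

# scopes_json SUBSCRIPTION_ID... -> JSON array of /subscriptions/<id> scopes, one entry
# for every subscription you want to use with BlueXP.
scopes_json() {
  out=""
  for s in "$@"; do out="${out:+$out, }\"/subscriptions/$s\""; done
  printf '[%s]\n' "$out"
}

# set_assignable_scopes FILE SUBSCRIPTION_ID... -> rewrites AssignableScopes in FILE
# (step 3 above), replacing any scopes already present.
set_assignable_scopes() {
  f=$1; shift
  tmp=$(mktemp)
  jq --argjson scopes "$(scopes_json "$@")" '.AssignableScopes = $scopes' "$f" > "$tmp" \
      && mv "$tmp" "$f"
}

# create_role -> creates the BlueXP Operator definition from the JSON file (step 4).
create_role() { az role definition create --role-definition "$ROLE_FILE"; }

# assign_to_vm RESOURCE_GROUP VM_NAME SUBSCRIPTION_ID -> turns on the VM's
# system-assigned identity (step 1) and grants that identity the role on one
# subscription; repeat per subscription listed in AssignableScopes.
assign_to_vm() {
  az vm identity assign --resource-group "$1" --name "$2" >/dev/null
  principal=$(az vm show --resource-group "$1" --name "$2" \
      --query identity.principalId --output tsv)
  az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal \
      --role "$ROLE_NAME" --scope "/subscriptions/$3"
}

case "${1:-}" in
  scopes) shift; set_assignable_scopes "$ROLE_FILE" "$@" ;;
  role)   create_role ;;
  assign) assign_to_vm "$2" "$3" "$4" ;;
esac
```

Typical order: `scopes <sub-id> [<sub-id> ...]`, then `role`, then `assign <resource-group> <vm-name> <sub-id>` once per subscription.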
Azure: service principal
Create and set up a service principal in Microsoft Entra ID and obtain the Azure credentials that BlueXP needs. You'll need to provide BlueXP with these credentials after you install the Connector and set up BlueXP.

Create the application:
1. Ensure that you have permissions in Azure to create an Active Directory application and to assign the application to a role.
   For details, refer to Microsoft Azure Documentation: Required permissions.
2. From the Azure portal, open the Microsoft Entra ID service.
3. In the menu, select App registrations.
4. Select New registration.
5. Specify details about the application:
   - Name: Enter a name for the application.
   - Account type: Select an account type (any will work with BlueXP).
   - Redirect URI: You can leave this field blank.
6. Select Register.
You've created the AD application and service principal.

Assign the application to a role:
1. Create a custom role:
   Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation.
   a. Copy the contents of the custom role permissions for the Connector and save them in a JSON file.
   b. Modify the JSON file by adding Azure subscription IDs to the assignable scope.
      You should add the ID for each Azure subscription from which users will create Cloud Volumes ONTAP systems.
      Example
        "AssignableScopes": [
          "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
          "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
          "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
        ]
   c. Use the JSON file to create a custom role in Azure.
      The following steps describe how to create the role by using Bash in Azure Cloud Shell.
      i. Start Azure Cloud Shell and choose the Bash environment.
      ii. Upload the JSON file.
      iii. Use the Azure CLI to create the custom role:
             az role definition create --role-definition Connector_Policy.json
      You should now have a custom role called BlueXP Operator that you can assign to the Connector virtual machine.
2. Assign the application to the role:
   a. From the Azure portal, open the Subscriptions service.
   b. Select the subscription.
   c. Select Access control (IAM) > Add > Add role assignment.
   d. In the Role tab, select the BlueXP Operator role and select Next.
   e. In the Members tab, complete the following steps:
      - Keep User, group, or service principal selected.
      - Select Select members.
      - Search for the name of the application.
      - Select the application and select Select.
      - Select Next.
   f. Select Review + assign.
   The service principal now has the required Azure permissions to deploy the Connector.
   If you want to deploy Cloud Volumes ONTAP from multiple Azure subscriptions, then you must bind the service principal to each of those subscriptions. BlueXP enables you to select the subscription that you want to use when deploying Cloud Volumes ONTAP.

Add API permissions:
1. In the Microsoft Entra ID service, select App registrations and select the application.
2. Select API permissions > Add a permission.
3. Under Microsoft APIs, select Azure Service Management.
4. Select Access Azure Service Management as organization users and then select Add permissions.

Get the application ID and directory ID:
1. In the Microsoft Entra ID service, select App registrations and select the application.
2. Copy the Application (client) ID and the Directory (tenant) ID.
   When you add the Azure account to BlueXP, you need to provide the application (client) ID and the directory (tenant) ID for the application. BlueXP uses the IDs to programmatically sign in.

Create a client secret:
1. Open the Microsoft Entra ID service.
2. Select App registrations and select your application.
3. Select Certificates & secrets > New client secret.
4. Provide a description of the secret and a duration.
5. Select Add.
6. Copy the value of the client secret.
You now have a client secret that BlueXP can use to authenticate with Microsoft Entra ID.
Your service principal is now set up and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in BlueXP when you add an Azure account.
Google Cloud: service account
Create a role and apply it to a service account that you'll use for the Connector VM instance.
1. Create a custom role in Google Cloud:
   a. Create a YAML file that includes the permissions defined in the Connector policy for Google Cloud.
   b. From Google Cloud, activate Cloud Shell.
   c. Upload the YAML file that includes the required permissions for the Connector.
   d. Create a custom role by using the gcloud iam roles create command. The following example creates a role named "connector" at the project level:
        gcloud iam roles create connector --project=myproject --file=connector.yaml
2. Create a service account in Google Cloud:
   a. From the IAM & Admin service, select Service Accounts > Create Service Account.
   b. Enter service account details and select Create and Continue.
   c. Select the role that you just created.
   d. Finish the remaining steps to create the service account.
You now have a service account that you can assign to the Connector VM instance.
Step 7: Enable Google Cloud APIs
Several APIs are required to deploy Cloud Volumes ONTAP in Google Cloud.
Enable the following Google Cloud APIs in your project:
- Cloud Deployment Manager V2 API
- Cloud Logging API
- Cloud Resource Manager API
- Compute Engine API
- Identity and Access Management (IAM) API
- Cloud Key Management Service (KMS) API (required only if you are planning to use BlueXP backup and recovery with customer-managed encryption keys (CMEK))
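The Google Cloud role, service account and API steps from Step 6 and Step 7 can be scripted together with gcloud. The script below is an added example and not NetApp's own tooling; it assumes the Connector permissions are saved as connector.yaml (the file name used above), and PROJECT and SA_NAME are placeholders you override through the environment.

```sh
#!/bin/sh
# Added example, not NetApp's own tooling: the Google Cloud role, service account and
# API steps from Step 6 and Step 7 done with gcloud. Assumes the Connector permissions
# are saved as connector.yaml (the file name used above); PROJECT and SA_NAME are
# placeholders to override through the environment.

PROJECT=${PROJECT:-myproject}
ROLE_ID=${ROLE_ID:-connector}
SA_NAME=${SA_NAME:-bluexp-connector}

# The APIs listed in Step 7; Cloud KMS is needed only for BlueXP backup and recovery
# with customer-managed encryption keys.
BASE_APIS="deploymentmanager.googleapis.com logging.googleapis.com \
cloudresourcemanager.googleapis.com compute.googleapis.com iam.googleapis.com"
CMEK_API="cloudkms.googleapis.com"

# sa_member PROJECT SA_NAME -> the IAM member string for the service account.
sa_member() { echo "serviceAccount:$2@$1.iam.gserviceaccount.com"; }

# role_path PROJECT ROLE_ID -> the full name of a project-level custom role, the form
# that --role expects for a role created with "gcloud iam roles create ... --project".
role_path() { echo "projects/$1/roles/$2"; }

# apis_to_enable USE_CMEK(yes|no) -> the API list to pass to "gcloud services enable".
apis_to_enable() {
  if [ "$1" = yes ]; then echo "$BASE_APIS $CMEK_API"; else echo "$BASE_APIS"; fi
}

# setup USE_CMEK -> creates the role and service account, binds them at project level
# (the console's "Select the role that you just created"), then enables the APIs.
setup() {
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT" --file=connector.yaml
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
      --display-name="BlueXP Connector"
  gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="$(sa_member "$PROJECT" "$SA_NAME")" \
      --role="$(role_path "$PROJECT" "$ROLE_ID")"
  # The API list is intentionally unquoted so each name becomes its own argument.
  gcloud services enable $(apis_to_enable "$1") --project="$PROJECT"
}

case "${1:-}" in run) setup "${2:-no}" ;; esac
```

Run `PROJECT=<your-project> sh connector-gcp.sh run yes` when backup and recovery with CMEK is planned, or `run no` otherwise.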