Networking requirements for Cloud Volumes ONTAP in Azure
Set up your Azure networking so Cloud Volumes ONTAP systems can operate properly. This includes networking for the Connector and Cloud Volumes ONTAP.
Requirements for Cloud Volumes ONTAP
The following networking requirements must be met in Azure.
Outbound internet access
Cloud Volumes ONTAP requires outbound internet access to send messages to NetApp AutoSupport, which proactively monitors the health of your storage.
Routing and firewall policies must allow HTTP/HTTPS traffic to the following endpoints so Cloud Volumes ONTAP can send AutoSupport messages:
-
https://support.netapp.com/aods/asupmessage
-
https://support.netapp.com/asupprod/post/1.0/postAsup
IP addresses
Cloud Manager allocates the following number of IP addresses to Cloud Volumes ONTAP in Azure:
-
Single node: 5 IP addresses
-
HA pair: 16 IP addresses
Note that Cloud Manager creates an SVM management LIF on HA pairs, but not on single node systems in Azure.
|
A LIF is an IP address associated with a physical port. An SVM management LIF is required for management tools like SnapCenter. |
Secure connections to Azure services
Cloud Manager sets up a VNet service endpoint and an Azure Private Link endpoint so that Cloud Volumes ONTAP can privately connect to Azure services.
Service endpoint
Cloud Manager enables a VNet service endpoint to create a secure connection from Cloud Volumes ONTAP to Azure Blob storage for data tiering. No additional service endpoints are supported from Cloud Volumes ONTAP to Azure services.
Cloud Manager enables a VNet service endpoint for you if the Cloud Manager policy has these permissions:
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/routeTables/join/action",
These permissions are included in the latest Cloud Manager policy.
For details about setting up data tiering, see Tiering cold data to low-cost object storage.
Private endpoint
By default, Cloud Manager enables an Azure Private Link connection between Cloud Volumes ONTAP and its associated storage accounts. A Private Link secures connections between endpoints in Azure and provides performance benefits. In most cases, there’s nothing that you need to do—Cloud Manager manages the Azure Private Link for you. But if you use Azure Private DNS, then you’ll need to edit a configuration file. You can also disable the Private Link connection, if desired.
Connections to other ONTAP systems
To replicate data between a Cloud Volumes ONTAP system in Azure and ONTAP systems in other networks, you must have a VPN connection between the Azure VNet and the other network—for example, your corporate network.
For instructions, refer to Microsoft Azure Documentation: Create a Site-to-Site connection in the Azure portal.
Port for the HA interconnect
A Cloud Volumes ONTAP HA pair includes an HA interconnect, which allows each node to continually check whether its partner is functioning and to mirror log data for the other’s nonvolatile memory. The HA interconnect uses TCP port 10006 for communication.
By default, communication between the HA interconnect LIFs is open and there are no security group rules for this port. But if you create a firewall between the HA interconnect LIFs, then you need to ensure that TCP traffic is open for port 10006 so that the HA pair can operate properly.
Only one HA pair in an Azure resource group
You must use a dedicated resource group for each Cloud Volumes ONTAP HA pair that you deploy in Azure. Only one HA pair is supported in a resource group.
Cloud Manager experiences connection issues if you try to deploy a second Cloud Volumes ONTAP HA pair in an Azure resource group.
Security groups
You don’t need to create security groups because Cloud Manager does that for you. If you need to use your own, refer to the security group rules listed below.
Security group rules
Cloud Manager creates Azure security groups that include the inbound and outbound rules that Cloud Volumes ONTAP needs to operate successfully. You might want to refer to the ports for testing purposes or if you prefer your to use own security groups.
The security group for Cloud Volumes ONTAP requires both inbound and outbound rules.
Inbound rules for single node systems
The rules listed below allow traffic, unless the description notes that it blocks specific inbound traffic.
Priority and name | Port and protocol | Source and destination | Description |
---|---|---|---|
1000 |
22 |
Any to Any |
SSH access to the IP address of the cluster management LIF or a node management LIF |
1001 |
80 |
Any to Any |
HTTP access to the System Manager web console using the IP address of the cluster management LIF |
1002 |
111 |
Any to Any |
Remote procedure call for NFS |
1003 |
111 |
Any to Any |
Remote procedure call for NFS |
1004 |
139 |
Any to Any |
NetBIOS service session for CIFS |
1005 |
161-162 |
Any to Any |
Simple network management protocol |
1006 |
161-162 |
Any to Any |
Simple network management protocol |
1007 |
443 |
Any to Any |
HTTPS access to the System Manager web console using the IP address of the cluster management LIF |
1008 |
445 |
Any to Any |
Microsoft SMB/CIFS over TCP with NetBIOS framing |
1009 |
635 |
Any to Any |
NFS mount |
1010 |
635 |
Any to Any |
NFS mount |
1011 |
749 |
Any to Any |
Kerberos |
1012 |
2049 |
Any to Any |
NFS server daemon |
1013 |
2049 |
Any to Any |
NFS server daemon |
1014 |
3260 |
Any to Any |
iSCSI access through the iSCSI data LIF |
1015 |
4045-4046 |
Any to Any |
NFS lock daemon and network status monitor |
1016 |
4045-4046 |
Any to Any |
NFS lock daemon and network status monitor |
1017 |
10000 |
Any to Any |
Backup using NDMP |
1018 |
11104-11105 |
Any to Any |
SnapMirror data transfer |
3000 |
Any port |
Any to Any |
Block all other TCP inbound traffic |
3001 |
Any port |
Any to Any |
Block all other UDP inbound traffic |
65000 |
Any port |
VirtualNetwork to VirtualNetwork |
Inbound traffic from within the VNet |
65001 |
Any port |
AzureLoadBalancer to Any |
Data traffic from the Azure Standard Load Balancer |
65500 |
Any port |
Any to Any |
Block all other inbound traffic |
Inbound rules for HA systems
The rules listed below allow traffic, unless the description notes that it blocks specific inbound traffic.
|
HA systems have less inbound rules than single node systems because inbound data traffic goes through the Azure Standard Load Balancer. Because of this, traffic from the Load Balancer should be open, as shown in the "AllowAzureLoadBalancerInBound" rule. |
Priority and name | Port and protocol | Source and destination | Description |
---|---|---|---|
100 |
443 |
Any to Any |
HTTPS access to the System Manager web console using the IP address of the cluster management LIF |
101 |
111 |
Any to Any |
Remote procedure call for NFS |
102 |
2049 |
Any to Any |
NFS server daemon |
111 |
22 |
Any to Any |
SSH access to the IP address of the cluster management LIF or a node management LIF |
121 |
53 |
Any to Any |
DNS and CIFS |
65000 |
Any port |
VirtualNetwork to VirtualNetwork |
Inbound traffic from within the VNet |
65001 |
Any port |
AzureLoadBalancer to Any |
Data traffic from the Azure Standard Load Balancer |
65500 |
Any port |
Any to Any |
Block all other inbound traffic |
Outbound rules
The predefined security group for Cloud Volumes ONTAP opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.
Basic outbound rules
The predefined security group for Cloud Volumes ONTAP includes the following outbound rules.
Port | Protocol | Purpose |
---|---|---|
All |
All TCP |
All outbound traffic |
All |
All UDP |
All outbound traffic |
Advanced outbound rules
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by Cloud Volumes ONTAP.
|
The source is the interface (IP address) on the Cloud Volumes ONTAP system. |
Service | Port | Protocol | Source | Destination | Purpose |
---|---|---|---|---|---|
Active Directory |
88 |
TCP |
Node management LIF |
Active Directory forest |
Kerberos V authentication |
137 |
UDP |
Node management LIF |
Active Directory forest |
NetBIOS name service |
|
138 |
UDP |
Node management LIF |
Active Directory forest |
NetBIOS datagram service |
|
139 |
TCP |
Node management LIF |
Active Directory forest |
NetBIOS service session |
|
389 |
TCP & UDP |
Node management LIF |
Active Directory forest |
LDAP |
|
445 |
TCP |
Node management LIF |
Active Directory forest |
Microsoft SMB/CIFS over TCP with NetBIOS framing |
|
464 |
TCP |
Node management LIF |
Active Directory forest |
Kerberos V change & set password (SET_CHANGE) |
|
464 |
UDP |
Node management LIF |
Active Directory forest |
Kerberos key administration |
|
749 |
TCP |
Node management LIF |
Active Directory forest |
Kerberos V change & set Password (RPCSEC_GSS) |
|
88 |
TCP |
Data LIF (NFS, CIFS, iSCSI) |
Active Directory forest |
Kerberos V authentication |
|
137 |
UDP |
Data LIF (NFS, CIFS) |
Active Directory forest |
NetBIOS name service |
|
138 |
UDP |
Data LIF (NFS, CIFS) |
Active Directory forest |
NetBIOS datagram service |
|
139 |
TCP |
Data LIF (NFS, CIFS) |
Active Directory forest |
NetBIOS service session |
|
389 |
TCP & UDP |
Data LIF (NFS, CIFS) |
Active Directory forest |
LDAP |
|
445 |
TCP |
Data LIF (NFS, CIFS) |
Active Directory forest |
Microsoft SMB/CIFS over TCP with NetBIOS framing |
|
464 |
TCP |
Data LIF (NFS, CIFS) |
Active Directory forest |
Kerberos V change & set password (SET_CHANGE) |
|
464 |
UDP |
Data LIF (NFS, CIFS) |
Active Directory forest |
Kerberos key administration |
|
749 |
TCP |
Data LIF (NFS, CIFS) |
Active Directory forest |
Kerberos V change & set password (RPCSEC_GSS) |
|
AutoSupport |
HTTPS |
443 |
Node management LIF |
support.netapp.com |
AutoSupport (HTTPS is the default) |
HTTP |
80 |
Node management LIF |
support.netapp.com |
AutoSupport (only if the transport protocol is changed from HTTPS to HTTP) |
|
DHCP |
68 |
UDP |
Node management LIF |
DHCP |
DHCP client for first-time setup |
DHCPS |
67 |
UDP |
Node management LIF |
DHCP |
DHCP server |
DNS |
53 |
UDP |
Node management LIF and data LIF (NFS, CIFS) |
DNS |
DNS |
NDMP |
18600–18699 |
TCP |
Node management LIF |
Destination servers |
NDMP copy |
SMTP |
25 |
TCP |
Node management LIF |
Mail server |
SMTP alerts, can be used for AutoSupport |
SNMP |
161 |
TCP |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
161 |
UDP |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
|
162 |
TCP |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
|
162 |
UDP |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
|
SnapMirror |
11104 |
TCP |
Intercluster LIF |
ONTAP intercluster LIFs |
Management of intercluster communication sessions for SnapMirror |
11105 |
TCP |
Intercluster LIF |
ONTAP intercluster LIFs |
SnapMirror data transfer |
|
Syslog |
514 |
UDP |
Node management LIF |
Syslog server |
Syslog forward messages |
Requirements for the Connector
Set up your networking so that the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.
|
If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server. |
Connections to target networks
A Connector requires a network connection to the VPCs and VNets in which you want to deploy Cloud Volumes ONTAP.
For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.
Outbound internet access
The Connector requires outbound internet access to manage resources and processes within your public cloud environment.
Endpoints | Purpose |
---|---|
https://support.netapp.com |
To obtain licensing information and to send AutoSupport messages to NetApp support. |
https://*.cloudmanager.cloud.netapp.com |
To provide SaaS features and services within Cloud Manager. |
https://cloudmanagerinfraprod.azurecr.io |
To upgrade the Connector and its Docker components. |
Security group rules
The security group for the Connector requires both inbound and outbound rules.
Inbound rules
Port | Protocol | Purpose |
---|---|---|
22 |
SSH |
Provides SSH access to the Connector host |
80 |
HTTP |
Provides HTTP access from client web browsers to the local user interface |
443 |
HTTPS |
Provides HTTPS access from client web browsers to the local user interface |
Outbound rules
The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.
Basic outbound rules
The predefined security group for the Connector includes the following outbound rules.
Port | Protocol | Purpose |
---|---|---|
All |
All TCP |
All outbound traffic |
All |
All UDP |
All outbound traffic |
Advanced outbound rules
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.
|
The source IP address is the Connector host. |
Service | Port | Protocol | Destination | Purpose |
---|---|---|---|---|
API calls and AutoSupport |
443 |
HTTPS |
Outbound internet and ONTAP cluster management LIF |
API calls to Azure and ONTAP, to Cloud Data Sense, to the Ransomware service, and sending AutoSupport messages to NetApp |
DNS |
53 |
UDP |
DNS |
Used for DNS resolve by Cloud Manager |