Using an Azure Private Link with Cloud Volumes ONTAP

Contributors netapp-bcammett

By default, Cloud Manager enables an Azure Private Link connection between Cloud Volumes ONTAP and its associated storage accounts. A Private Link secures connections between endpoints in Azure and provides performance benefits. Learn more.

In most cases, there’s nothing that you need to do—​Cloud Manager manages the Azure Private Link for you. But if you use Azure Private DNS, then you’ll need to edit a configuration file. You can also disable the Private Link connection, if desired.

Connector location in Azure

The Connector should be deployed in the same Azure region as the Cloud Volumes ONTAP systems that it manages, or in the Azure region pair for the Cloud Volumes ONTAP systems. This requirement ensures that an Azure Private Link connection is used between Cloud Volumes ONTAP and its associated storage accounts. Learn how Cloud Volumes ONTAP uses an Azure Private Link.

When Cloud Manager deploys Cloud Volumes ONTAP in Azure, it creates a private endpoint in the resource group. The private endpoint is associated with the storage account for Cloud Volumes ONTAP. As a result, access to Cloud Volumes ONTAP storage travels through the Microsoft backbone network.

Client access goes through the private link when clients are within the same VNet as Cloud Volumes ONTAP, within peered VNets, or in your on-premises network when using a private VPN or ExpressRoute connection to the VNet.

Here’s an example that shows client access over a private link from within the same VNet and from an on-prem network that has either a private VPN or ExpressRoute connection.

A conceptual image that shows data access going to Cloud Volumes ONTAP and through a private endpoint and private link to the storage account.

Provide Cloud Manager with details about your Azure Private DNS

If you use Azure Private DNS, then you need to modify a configuration file on each Connector. Otherwise, Cloud Manager can’t enable the Azure Private Link connection between Cloud Volumes ONTAP and its associated storage accounts.

Note that the DNS name must match Azure DNS naming requirements as shown in Azure documentation.

Steps
  1. SSH to the Connector host and log in.

  2. Navigate to the following directory: /opt/application/netapp/cloudmanager/docker_occm/data

  3. Edit app.conf by modifying the following parameters as shown:

    "user-private-dns-zone-settings": {
       "use-existing": true,
       "resource-group": "<resource group name of the DNS zone>",
       "subscription": "<subscription ID>"
      }

    The subscription parameter is required only if the Private DNS Zone exists in a different subscription than the Connector.

  4. Save the file and log off the Connector.

    A reboot isn’t required.

Enable rollback on failures

If Cloud Manager fails to create an Azure Private Link as part of specific actions, it completes the action without the Azure Private Link connection. This can happen when creating a new working environment (single node or HA pair), or when the following actions occur on an HA pair: creating a new aggregate, adding disks to an existing aggregate, or creating a new storage account when going above 32 TiB.

You can change this default behavior by enabling rollback if Cloud Manager fails to create the Azure Private Link. This can help to ensure that you’re fully compliant with your company’s security regulations.

If you enable rollback, Cloud Manager stops the action and rolls back all resources that were created as part of the action.

Enabling rollback is supported through the API only.

Step
  1. Use the PUT /occm/config API call with the following request body:

    { "rollbackOnAzurePrivateLinkFailure": true }

If required for your Azure configuration, you can disable the Azure Private Link connection between Cloud Volumes ONTAP and storage accounts.

Steps
  1. In the upper right of the Cloud Manager console, click the Settings icon, and select Connector Settings.

  2. Under Azure, click Use Azure Private Link.

  3. Deselect Private Link connection between Cloud Volumes ONTAP and storage accounts.

  4. Click Save.