Get started with Cloud Data Sense for Amazon FSx for ONTAP

Contributors netapp-tonacki

Complete a few steps to get started scanning Amazon FSx for ONTAP volume with Cloud Data Sense.

Before you begin

Quick start

Get started quickly by following these steps or scroll down for full details.

One Discover the FSx for ONTAP file systems you want to scan

Before you can scan FSx for ONTAP volumes, you must have an FSx working environment with volumes configured.

Two Deploy the Cloud Data Sense instance

Deploy Cloud Data Sense in Cloud Manager if there isn’t already an instance deployed.

Three Enable Cloud Data Sense and select the volumes to scan

Click Data Sense, select the Configuration tab, and activate compliance scans for volumes in specific working environments.

Four Ensure access to volumes

Now that Cloud Data Sense is enabled, ensure that it can access all volumes.

  • The Cloud Data Sense instance needs a network connection to each FSx for ONTAP subnet.

  • Make sure the following ports are open to the Data Sense instance:

    • For NFS – ports 111 and 2049.

    • For CIFS – ports 139 and 445.

  • NFS volume export policies must allow access from the Data Sense instance.

  • Data Sense needs Active Directory credentials to scan CIFS volumes.

    Click Compliance > Configuration > Edit CIFS Credentials and provide the credentials.

Five Manage the volumes you want to scan

Select or deselect the volumes you want to scan and Cloud Data Sense will start or stop scanning them.

Discovering the FSx for ONTAP file system that you want to scan

If the FSx for ONTAP file system you want to scan is not already in Cloud Manager as a working environment, you can add it to the canvas at this time.

Deploying the Cloud Data Sense instance

Deploy Cloud Data Sense if there isn’t already an instance deployed.

You should deploy Data Sense in the same AWS network as the Connector for AWS and the FSx volumes you wish to scan.

Note: Deploying Cloud Data Sense in an on-premises location is not currently supported when scanning FSx volumes.

Upgrades to Data Sense software is automated as long as the instance has internet connectivity.

Enabling Cloud Data Sense in your working environments

You can enable Cloud Data Sense for FSx for ONTAP volumes.

  1. At the top of Cloud Manager, click Data Sense and then select the Configuration tab.

    A screenshot of the Configuration tab immediately after deploying the Cloud Data Sense instance.

  2. Select how you want to scan the volumes in each working environment. Learn about mapping and classification scans:

    • To map all volumes, click Map all Volumes.

    • To map and classify all volumes, click Map & Classify all Volumes.

    • To customize scanning for each volume, click Or select scanning type for each volume, and then choose the volumes you want to map and/or classify.

  3. In the confirmation dialog box, click Approve to have Data Sense start scanning your volumes.

Result

Cloud Data Sense starts scanning the volumes you selected in the working environment. Results will be available in the Compliance dashboard as soon as Cloud Data Sense finishes the initial scans. The time that it takes depends on the amount of data—​it could be a few minutes or hours.

Verifying that Cloud Data Sense has access to volumes

Make sure Cloud Data Sense can access volumes by checking your networking, security groups, and export policies.

You’ll need to provide Data Sense with CIFS credentials so it can access CIFS volumes.

Steps
  1. On the Configuration page, click View Details to review the status and correct any errors.

    For example, the following image shows a volume Cloud Data Sense can’t scan due to network connectivity issues between the Data Sense instance and the volume.

    A screenshot of the View Details page in the scan configuration showing volume not being scanned because of network connectivity between Data Sense and the volume.

  2. Make sure there’s a network connection between the Cloud Data Sense instance and each network that includes volumes for FSx for ONTAP.

    Note For FSx for ONTAP, Cloud Data Sense can scan volumes only in the same region as Cloud Manager.
  3. Ensure the following ports are open to the Data Sense instance.

    • For NFS – ports 111 and 2049.

    • For CIFS – ports 139 and 445.

  4. Ensure NFS volume export policies include the IP address of the Data Sense instance so it can access the data on each volume.

  5. If you use CIFS, provide Data Sense with Active Directory credentials so it can scan CIFS volumes.

    1. At the top of Cloud Manager, click Data Sense.

    2. Click the Configuration tab.

    3. For each working environment, click Edit CIFS Credentials and enter the user name and password that Data Sense needs to access CIFS volumes on the system.

      The credentials can be read-only, but providing admin credentials ensures that Data Sense can read any data that requires elevated permissions. The credentials are stored on the Cloud Data Sense instance.

      After you enter the credentials, you should see a message that all CIFS volumes were authenticated successfully.

Enabling and disabling compliance scans on volumes

You can start or stop mapping-only scans, or mapping and classification scans, in a working environment at any time from the Configuration page. You can also change from mapping-only scans to mapping and classification scans, and vice-versa. We recommend that you scan all volumes.

A screenshot of the Configuration page where you can enable or disable scanning of individual volumes.

To: Do this:

Enable mapping-only scans on a volume

In the volume area, click Map

Enable full scanning on a volume

In the volume area, click Map & Classify

Disable scanning on a volume

In the volume area, click Off

Enable mapping-only scans on all volumes

In the heading area, click Map

Enable full scanning on all volumes

In the heading area, click Map & Classify

Disable scanning on all volumes

In the heading area, click Off

Note New volumes added to the working environment are automatically scanned only when you have set the Map or Map & Classify setting in the heading area. When set to Custom or Off in the heading area, you’ll need to activate mapping and/or full scanning on each new volume you add in the working environment.

Scanning data protection volumes

By default, data protection (DP) volumes are not scanned because they are not exposed externally and Cloud Data Sense cannot access them. These are the destination volumes for SnapMirror operations from an FSx for ONTAP file system.

Initially, the volume list identifies these volumes as Type DP with the Status Not Scanning and the Required Action Enable Access to DP volumes.

A screenshot showing the Enable Access to DP Volumes button that you can select to scan data protection volumes.

Steps

If you want to scan these data protection volumes:

  1. Click Enable Access to DP volumes at the top of the page.

  2. Review the confirmation message and click Enable Access to DP volumes again.

    • Volumes that were initially created as NFS volumes in the source FSx for ONTAP file system are enabled.

    • Volumes that were initially created as CIFS volumes in the source FSx for ONTAP file system require that you enter CIFS credentials to scan those DP volumes. If you already entered Active Directory credentials so that Cloud Data Sense can scan CIFS volumes you can use those credentials, or you can specify a different set of Admin credentials.

      A screenshot of the two options for enabling CIFS data protection volumes.

  3. Activate each DP volume that you want to scan the same way you enabled other volumes.

Result

Once enabled, Cloud Data Sense creates an NFS share from each DP volume that was activated for scanning. The share export policies only allow access from the Data Sense instance.

Note: If you had no CIFS data protection volumes when you initially enabled access to DP volumes, and later add some, the button Enable Access to CIFS DP appears at the top of the Configuration page. Click this button and add CIFS credentials to enable access to these CIFS DP volumes.

Note Active Directory credentials are only registered in the storage VM of the first CIFS DP volume, so all DP volumes on that SVM will be scanned. Any volumes that reside on other SVMs will not have the Active Directory credentials registered, so those DP volumes won’t be scanned.