Set up networking for the Connector

Contributors netapp-bcammett netapp-tonacki

Set up your networking so the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.

The information on this page is for a typical deployment where the Connector has outbound internet access.

Tip: If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server.

Connection to target networks

A Connector requires a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.

Possible conflict with IP addresses in the 172 range

Cloud Manager deploys the Connector with two interfaces that have IP addresses in the 172.17.0.0/16 and 172.18.0.0/16 ranges.

If your network has a subnet configured with either of these ranges, then you might experience connectivity failures from Cloud Manager. For example, discovering on-prem ONTAP clusters in Cloud Manager might fail.

The workaround is to change the IP addresses of the Connector’s interfaces. Contact NetApp Support for help.
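To find out before deployment whether any of your subnets collide with the Connector's two interface ranges, the following check (an added example, not NetApp code) tests every CIDR you give it for overlap with 172.17.0.0/16 and 172.18.0.0/16. The sample subnet list is constructed for illustration.

```python
import ipaddress

# The two interface ranges Cloud Manager assigns to the Connector (from this page).
CONNECTOR_INTERFACE_RANGES = [
    ipaddress.ip_network("172.17.0.0/16"),
    ipaddress.ip_network("172.18.0.0/16"),
]


def find_conflicts(subnets):
    """Return (subnet, connector_range) pairs for every IPv4 subnet that
    overlaps either Connector interface range.

    Input is a list of CIDR strings; strict=False tolerates host bits set in
    the address part (e.g. "172.17.5.1/24"). A supernet such as
    172.16.0.0/12 overlaps both ranges and is reported twice."""
    conflicts = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            continue  # the Connector ranges are IPv4 only
        for rng in CONNECTOR_INTERFACE_RANGES:
            if net.overlaps(rng):
                conflicts.append((str(net), str(rng)))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: one subnet inside 172.17/16, one RFC 1918 supernet
    # covering both ranges, and two subnets that are clear.
    sample = ["10.0.1.0/24", "172.17.5.0/24", "172.16.0.0/12", "192.168.10.0/24"]
    for subnet, rng in find_conflicts(sample):
        print(f"{subnet} overlaps Connector interface range {rng}")
```

Feed it the subnet CIDRs of every network the Connector must reach (VPC/VNet subnets, on-prem ranges routed over the VPN), not only the subnet the Connector itself lives in.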

Outbound internet access

Outbound internet access is required from the Connector.

Endpoints to manage resources in your public cloud environment

The Connector requires outbound internet access to manage resources and processes within your public cloud environment.

Endpoints | Purpose
--- | ---
https://support.netapp.com | To obtain licensing information and to send AutoSupport messages to NetApp support.
https://*.cloudmanager.cloud.netapp.com | To provide SaaS features and services within Cloud Manager.
https://cloudmanagerinfraprod.azurecr.io and https://*.blob.core.windows.net | To upgrade the Connector and its Docker components.

Endpoints to install the Connector on a Linux host

You have the option to manually install the Connector software on your own Linux host. If you do, the installer for the Connector must access the following URLs during the installation process:

  • https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

  • https://s3.amazonaws.com/aws-cli/awscli-bundle.zip

  • https://*.blob.core.windows.net or https://hub.docker.com

The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.

Ports and security groups

There’s no incoming traffic to the Connector, unless you initiate it. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.

Rules for the Connector in AWS

The security group for the Connector requires both inbound and outbound rules.

Inbound rules

Protocol | Port | Purpose
--- | --- | ---
SSH | 22 | Provides SSH access to the Connector host
HTTP | 80 | Provides HTTP access from client web browsers to the local user interface
HTTPS | 443 | Provides HTTPS access from client web browsers to the local user interface, and connections from the Cloud Data Sense instance
TCP | 3128 | Provides the Cloud Data Sense instance with internet access, if your AWS network doesn't use a NAT or proxy
TCP | 9060 | Provides the ability to enable and use Cloud Data Sense (required only for GovCloud deployments)

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Protocol | Port | Purpose
--- | --- | ---
All TCP | All | All outbound traffic
All UDP | All | All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

Note: The source IP address is the Connector host.

Service | Protocol | Port | Destination | Purpose
--- | --- | --- | --- | ---
API calls and AutoSupport | HTTPS | 443 | Outbound internet and ONTAP cluster management LIF | API calls to AWS and ONTAP, to Cloud Data Sense, to the Ransomware service, and sending AutoSupport messages to NetApp
API calls | TCP | 3000 | ONTAP HA mediator | Communication with the ONTAP HA mediator
API calls | TCP | 8088 | Backup to S3 | API calls to Backup to S3
DNS | UDP | 53 | DNS | Used for DNS resolution by Cloud Manager
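A practical way to confirm that a Connector security group matches the AWS inbound table and the advanced outbound table above is to audit the group as returned by `aws ec2 describe-security-groups`. The script below is an added example, not NetApp tooling; its port tables are transcribed from this page, the `expand`/`audit` function names are its own, and the sample group is constructed.

```python
"""Audit an AWS security group for the Connector against the rules on this page."""

# Inbound rules from the AWS table: port -> purpose (all are TCP).
INBOUND = {22: "SSH", 80: "HTTP local UI", 443: "HTTPS local UI / Cloud Data Sense",
           3128: "Cloud Data Sense internet access (only without NAT/proxy)",
           9060: "Cloud Data Sense (GovCloud only)"}
# Advanced outbound rules: the only (protocol, port) pairs the Connector needs.
OUTBOUND = {("tcp", 443), ("tcp", 3000), ("tcp", 8088), ("udp", 53)}


def expand(perm):
    """Turn one IpPermissions entry into a set of (protocol, port) pairs.
    IpProtocol '-1' (all traffic) or a range wider than 1024 ports is reported
    as ('<proto>', 'all') rather than enumerated."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return {("all", "all")}
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if lo == -1 or hi - lo > 1024:
        return {(proto, "all")}
    return {(proto, p) for p in range(lo, hi + 1)}


def audit(sg, govcloud=False):
    """Return (missing_inbound_ports, excess_outbound_rules) for one group from
    describe-security-groups. Port 9060 is only expected for GovCloud; 3128 is
    reported so the reader can decide whether a NAT/proxy makes it unnecessary."""
    ingress = set().union(*[expand(p) for p in sg.get("IpPermissions", [])])
    egress = set().union(*[expand(p) for p in sg.get("IpPermissionsEgress", [])])
    if ("all", "all") in ingress or ("tcp", "all") in ingress:
        missing = []  # wide open: nothing is missing, but this is broader than the table
    else:
        missing = [port for port in INBOUND
                   if ("tcp", port) not in ingress and (govcloud or port != 9060)]
    excess = sorted(egress - OUTBOUND, key=str)
    return missing, excess


if __name__ == "__main__":
    # Constructed sample: the predefined group, all egress open, 3128 not opened.
    sample = {"GroupId": "sg-EXAMPLE",
              "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22},
                                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443}],
              "IpPermissionsEgress": [{"IpProtocol": "-1"}]}
    missing, excess = audit(sample)
    print("missing inbound:", [f"{p} ({INBOUND[p]})" for p in missing])
    print("egress broader than the advanced rules:", excess)
```

Any entry in the excess list means the group still relies on the basic "all outbound traffic" rules; an empty list means egress is already limited to the advanced table.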

Rules for the Connector in Azure

The security group for the Connector requires both inbound and outbound rules.

Inbound rules

Protocol | Port | Purpose
--- | --- | ---
SSH | 22 | Provides SSH access to the Connector host
HTTP | 80 | Provides HTTP access from client web browsers to the local user interface
HTTPS | 443 | Provides HTTPS access from client web browsers to the local user interface, and connections from the Cloud Data Sense instance
TCP | 9060 | Provides the ability to enable and use Cloud Data Sense (required only for Government Cloud deployments)

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Protocol | Port | Purpose
--- | --- | ---
All TCP | All | All outbound traffic
All UDP | All | All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

Note: The source IP address is the Connector host.

Service | Protocol | Port | Destination | Purpose
--- | --- | --- | --- | ---
API calls and AutoSupport | HTTPS | 443 | Outbound internet and ONTAP cluster management LIF | API calls to AWS and ONTAP, to Cloud Data Sense, to the Ransomware service, and sending AutoSupport messages to NetApp
DNS | UDP | 53 | DNS | Used for DNS resolution by Cloud Manager

Rules for the Connector in GCP

The firewall rules for the Connector require both inbound and outbound rules.

Inbound rules

Protocol | Port | Purpose
--- | --- | ---
SSH | 22 | Provides SSH access to the Connector host
HTTP | 80 | Provides HTTP access from client web browsers to the local user interface
HTTPS | 443 | Provides HTTPS access from client web browsers to the local user interface

Outbound rules

The predefined firewall rules for the Connector open all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined firewall rules for the Connector include the following outbound rules.

Protocol | Port | Purpose
--- | --- | ---
All TCP | All | All outbound traffic
All UDP | All | All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

Note: The source IP address is the Connector host.

Service | Protocol | Port | Destination | Purpose
--- | --- | --- | --- | ---
API calls and AutoSupport | HTTPS | 443 | Outbound internet and ONTAP cluster management LIF | API calls to GCP and ONTAP, to Cloud Data Sense, to the Ransomware service, and sending AutoSupport messages to NetApp
DNS | UDP | 53 | DNS | Used for DNS resolution by Cloud Manager

Ports for the on-prem Connector

The Connector uses the following inbound ports when installed manually on an on-premises Linux host.

These inbound rules apply to both deployment models for the on-prem Connector: installed with internet access or without internet access.

Protocol | Port | Purpose
--- | --- | ---
HTTP | 80 | Provides HTTP access from client web browsers to the local user interface
HTTPS | 443 | Provides HTTPS access from client web browsers to the local user interface