Create a Connector in AWS from BlueXP

Contributors netapp-bcammett netapp-tonacki

A BlueXP Account Admin needs to deploy a Connector before you can use most BlueXP features. The Connector enables BlueXP to manage resources and processes within your public cloud environment. Learn when a Connector is required.

This page describes how to create a Connector in AWS directly from BlueXP. Learn about other ways to deploy a Connector.

These steps must be completed by a user who has the Account Admin role. A Workspace Admin can’t create a Connector.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Set up authentication

To launch the Connector in AWS, BlueXP needs to authenticate with AWS by either assuming an IAM role or by using AWS access keys. With either option, an IAM policy is required.

Two Set up networking

You’ll need a VPC and subnet with outbound internet access to specific endpoints. If an HTTP proxy is required for outbound internet, then you’ll need the IP address, credentials, and HTTPS certificate.

Three Create the Connector

Click the Connector drop-down, select Add Connector and follow the prompts.

Set up AWS authentication

BlueXP needs to authenticate with AWS before it can deploy the Connector instance in your VPC. You can choose one of these authentication methods:

  • Let BlueXP assume an IAM role that has the required permissions

  • Provide an AWS access key and secret key for an IAM user who has the required permissions

With either option, you first need to start by creating an IAM policy that includes the required permissions.

Create an IAM policy

This policy contains only the permissions needed to launch the Connector instance in AWS from BlueXP. Don’t use this policy for other situations.

When BlueXP creates the Connector, it applies a new set of permissions to the Connector instance that enables the Connector to manage the resources in your public cloud environment.

Steps
  1. Go to the AWS IAM console.

  2. Click Policies > Create policy.

  3. Click JSON.

  4. Copy and paste the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [{
                "Effect": "Allow",
                "Action": [
                    "iam:CreateRole",
                    "iam:DeleteRole",
                    "iam:PutRolePolicy",
                    "iam:CreateInstanceProfile",
                    "iam:DeleteRolePolicy",
                    "iam:AddRoleToInstanceProfile",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:DeleteInstanceProfile",
                    "iam:PassRole",
                    "ec2:DescribeInstanceStatus",
                    "ec2:RunInstances",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeSecurityGroups",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeDhcpOptions",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeRegions",
                    "ec2:DescribeInstances",
                    "ec2:CreateTags",
                    "ec2:DescribeImages",
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "cloudformation:DescribeStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:ValidateTemplate",
                    "ec2:AssociateIamInstanceProfile",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:DisassociateIamInstanceProfile",
                    "iam:GetRole",
                    "iam:TagRole",
                    "iam:ListRoles",
                    "kms:ListAliases"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:TerminateInstances"
                ],
                "Condition": {
                    "StringLike": {
                        "ec2:ResourceTag/OCCMInstance": "*"
                    }
                },
                "Resource": [
                    "arn:aws:ec2:*:*:instance/*"
                ]
            }
        ]
    }
  5. Click Next and add tags, if needed.

  6. Click Next and enter a name and description.

  7. Click Create policy.

What’s next?

Either attach the policy to an IAM role that BlueXP can assume or to an IAM user.

Set up an IAM role

Set up an IAM role that BlueXP can assume in order to deploy the Connector in AWS.

Steps
  1. Go to the AWS IAM console in the target account.

  2. Under Access Management, click Roles > Create Role and follow the steps to create the role.

    Be sure to do the following:

    • Under Trusted entity type, select AWS account.

    • Select Another AWS account and enter the ID of the BlueXP SaaS account: 952013314444

    • Select the policy that you created in the previous section.

  3. After you create the role, copy the Role ARN so that you can paste it in BlueXP when you create the Connector.

Result

The IAM role now has the required permissions.

Set up permissions for an IAM user

When you create a Connector, you can provide an AWS access key and secret key for an IAM user who has the required permissions to deploy the Connector instance.

Steps
  1. From the AWS IAM console, click Users and then select the user name.

  2. Click Add permissions > Attach existing policies directly.

  3. Select the policy that you created.

  4. Click Next and then click Add permissions.

  5. Ensure that you have access to an access key and secret key for the IAM user.

Result

The AWS user now has the permissions required to create the Connector from BlueXP. You’ll need to specify AWS access keys for this user when you’re prompted by BlueXP.

Set up networking

Set up your networking so the Connector can manage resources and processes within your public cloud environment. Other than having a VPC and subnet for the Connector, you’ll need to ensure that the following requirements are met.

Connection to target networks

A Connector requires a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC in which you launch Cloud Volumes ONTAP.

Outbound internet access

The Connector requires outbound internet access to manage resources and processes within your public cloud environment.

Endpoints Purpose

https://support.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://*.cloudmanager.cloud.netapp.com

https://cloudmanager.cloud.netapp.com

To provide SaaS features and services within BlueXP.

https://cloudmanagerinfraprod.azurecr.io

https://*.blob.core.windows.net

To upgrade the Connector and its Docker components.

Proxy server

If your organization requires deployment of an HTTP proxy for all outgoing internet traffic, obtain the following information about your HTTP proxy:

  • IP address

  • Credentials

  • HTTPS certificate

Security group

There’s no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy for AutoSupport messages. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.

IP address limitation

There’s a possible conflict with IP addresses in the 172 range. Learn more about this limitation.

Create a Connector

BlueXP enables you to create a Connector in AWS directly from its user interface.

Steps
  1. If you’re creating your first Working Environment, click Add Working Environment and follow the prompts. Otherwise, click the Connector drop-down and select Add Connector.

    A screenshot that shows the Connector icon in the header and the Add Connector action.

  2. Choose Amazon Web Services as your cloud provider and click Continue.

  3. On the Deploying a Connector page, review the details about what you’ll need. You have two options:

    1. Click Continue to prepare for deployment by using the in-product guide. Each step in the in-product guide includes the information that’s contained on this page of the documentation.

    2. Click Skip to Deployment if you already prepared by following the steps on this page.

  4. Follow the steps in the wizard to create the Connector:

    • Get Ready: Review what you’ll need.

    • AWS Credentials: Specify your AWS region and then choose an authentication method, which is either an IAM role that BlueXP can assume or an AWS access key and secret key.

      Tip If you choose Assume Role, you can create the first set of credentials from the Connector deployment wizard. Any additional set of credentials must be created from the Credentials page. They will then be available from the wizard in a drop-down list. Learn how to add additional credentials.
    • Details: Provide details about the Connector.

      • Enter a name for the instance.

      • Add custom tags (metadata) to the instance.

      • Choose whether you want BlueXP to create a new role that has the required permissions, or if you want to select an existing role that you set up with the required permissions.

      • Choose whether you want to encrypt the Connector’s EBS disks. You have the option to use the default encryption key or to use a custom key.

    • Network: Specify a VPC, subnet, and key pair for the instance, choose whether to enable a public IP address, and optionally specify a proxy configuration.

      Make sure that you have the correct key pair to use with the Connector. Without a key pair, you will not be able to access the Connector virtual machine.

    • Security Group: Choose whether to create a new security group or whether to select an existing security group that allows inbound HTTP, HTTPS, and SSH access.

    • Review: Review your selections to verify that your set up is correct.

  5. Click Add.

    The instance should be ready in about 7 minutes. You should stay on the page until the process is complete.

After you finish

If you have Amazon S3 buckets in the same AWS account where you created the Connector, you’ll see an Amazon S3 working environment appear on the Canvas automatically. Learn more about what you can do with this working environment.

Open port 3128 for AutoSupport messages

If you plan to deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection won’t be available, then BlueXP automatically configures Cloud Volumes ONTAP to use the Connector as a proxy server.

The only requirement is to ensure that the Connector’s security group allows inbound connections over port 3128. You’ll need to open this port after you deploy the Connector.

If you use the default security group for Cloud Volumes ONTAP, then no changes are needed to its security group. But if you plan to define strict outbound rules for Cloud Volumes ONTAP, then you’ll also need to ensure that the Cloud Volumes ONTAP security group allows outbound connections over port 3128.