Create a Connector in Azure from BlueXP

Contributors netapp-bcammett netapp-tonacki

A BlueXP Account Admin needs to deploy a Connector before you can use most BlueXP features. The Connector enables BlueXP to manage resources and processes within your public cloud environment.

These steps describe how to create a Connector in an Azure commercial region directly from the BlueXP SaaS website.

Overview

To deploy a Connector, you need to provide BlueXP with a login that has the required permissions to create the Connector VM in Azure.

You have two options:

  1. Sign in with your Microsoft account when prompted. This account must have specific Azure permissions. This is the default option.

  2. Provide details about an Azure AD service principal. This service principal also requires specific permissions.

A note about Azure regions

The Connector should be deployed in the same Azure region as the Cloud Volumes ONTAP systems that it manages, or in the Azure region pair for the Cloud Volumes ONTAP systems. This requirement ensures that an Azure Private Link connection is used between Cloud Volumes ONTAP and its associated storage accounts.

Set up networking

Set up your networking so the Connector can manage resources and processes within your public cloud environment. Other than having a virtual network and subnet for the Connector, you’ll need to ensure that the following requirements are met.

Connection to target networks

A Connector requires a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the virtual network in which you launch Cloud Volumes ONTAP.

Outbound internet access

The Connector requires outbound internet access to manage resources and processes within your public cloud environment.

Endpoints Purpose

https://support.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://*.api.bluexp.netapp.com

https://api.bluexp.netapp.com

https://*.cloudmanager.cloud.netapp.com

https://cloudmanager.cloud.netapp.com

To provide SaaS features and services within BlueXP.

Note The Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.

https://cloudmanagerinfraprod.azurecr.io

https://*.blob.core.windows.net

To upgrade the Connector and its Docker components.

Proxy server

If your organization requires deployment of an HTTP proxy for all outgoing internet traffic, obtain the following information about your HTTP proxy:

  • IP address

  • Credentials

  • HTTPS certificate

Security group

There’s no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy for AutoSupport messages. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.

IP address limitation

There’s a possible conflict with IP addresses in the 172 range. Learn more about this limitation.

Create a Connector using your Azure account

The default way to create a Connector in Azure is by logging in with your Azure account when prompted. The login form is owned and hosted by Microsoft. Your credentials are not provided to NetApp.

Set up permissions for your Azure account

Before you can deploy a Connector from BlueXP, you need to ensure that your Azure account has the correct permissions.

Steps
  1. Copy the required permissions for a new custom role in Azure and save them in a JSON file.

    Note This policy contains only the permissions needed to launch the Connector VM in Azure from BlueXP. Don’t use this policy for other situations. When BlueXP creates the Connector, it applies a new set of permissions to the Connector VM that enables the Connector to manage the resources in your public cloud environment.
    {
        "Name": "Azure SetupAsService",
        "Actions": [
            "Microsoft.Compute/disks/delete",
            "Microsoft.Compute/disks/read",
            "Microsoft.Compute/disks/write",
            "Microsoft.Compute/locations/operations/read",
            "Microsoft.Compute/operations/read",
            "Microsoft.Compute/virtualMachines/instanceView/read",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.Compute/virtualMachines/delete",
            "Microsoft.Compute/virtualMachines/extensions/write",
            "Microsoft.Compute/virtualMachines/extensions/read",
            "Microsoft.Compute/availabilitySets/read",
            "Microsoft.Network/locations/operationResults/read",
            "Microsoft.Network/locations/operations/read",
            "Microsoft.Network/networkInterfaces/join/action",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Network/networkInterfaces/write",
            "Microsoft.Network/networkInterfaces/delete",
            "Microsoft.Network/networkSecurityGroups/join/action",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/networkSecurityGroups/write",
            "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/read",
            "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
            "Microsoft.Network/virtualNetworks/virtualMachines/read",
            "Microsoft.Network/publicIPAddresses/write",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/publicIPAddresses/delete",
            "Microsoft.Network/networkSecurityGroups/securityRules/read",
            "Microsoft.Network/networkSecurityGroups/securityRules/write",
            "Microsoft.Network/networkSecurityGroups/securityRules/delete",
            "Microsoft.Network/publicIPAddresses/join/action",
            "Microsoft.Network/locations/virtualNetworkAvailableEndpointServices/read",
            "Microsoft.Network/networkInterfaces/ipConfigurations/read",
            "Microsoft.Resources/deployments/operations/read",
            "Microsoft.Resources/deployments/read",
            "Microsoft.Resources/deployments/delete",
            "Microsoft.Resources/deployments/cancel/action",
            "Microsoft.Resources/deployments/validate/action",
            "Microsoft.Resources/resources/read",
            "Microsoft.Resources/subscriptions/operationresults/read",
            "Microsoft.Resources/subscriptions/resourceGroups/delete",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
            "Microsoft.Resources/subscriptions/resourceGroups/write",
            "Microsoft.Authorization/roleDefinitions/write",
            "Microsoft.Authorization/roleAssignments/write",
            "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
            "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",
            "Microsoft.Network/networkSecurityGroups/delete",
            "Microsoft.Storage/storageAccounts/delete",
            "Microsoft.Storage/storageAccounts/write",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/deployments/operationStatuses/read",
            "Microsoft.Authorization/roleAssignments/read"
        ],
        "NotActions": [],
        "AssignableScopes": [],
        "Description": "Azure SetupAsService",
        "IsCustom": "true"
    }
  2. Modify the JSON by adding your Azure subscription ID to the assignable scope.

    Example

    "AssignableScopes": [
    "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz"
    ],
  3. Use the JSON file to create a custom role in Azure.

    The following steps describe how to create the role by using Bash in Azure Cloud Shell.

    1. Start Azure Cloud Shell and choose the Bash environment.

    2. Upload the JSON file.

      A screenshot of the Azure Cloud Shell where you can choose the option to upload a file.

    3. Enter the following Azure CLI command:

      az role definition create --role-definition Policy_for_Setup_As_Service_Azure.json

    You should now have a custom role called Azure SetupAsService.

  4. Assign the role to the user who will deploy the Connector from BlueXP:

    1. Open the Subscriptions service and select the user’s subscription.

    2. Click Access control (IAM).

    3. Click Add > Add role assignment and then add the permissions:

      • Select the Azure SetupAsService role and click Next.

        Note Azure SetupAsService is the default name provided in the Connector deployment policy for Azure. If you chose a different name for the role, then select that name instead.
      • Keep User, group, or service principal selected.

      • Click Select members, choose your user account, and click Select.

      • Click Next.

      • Click Review + assign.

Result

The Azure user now has the permissions required to deploy the Connector from BlueXP.

Create the Connector by logging in with your Azure account

BlueXP enables you to create a Connector in Azure directly from its user interface.

What you’ll need
  • An Azure subscription.

  • A VNet and subnet in your Azure region of choice.

  • If you don’t want BlueXP to automatically create an Azure role for the Connector, then you’ll need to create your own using the policy on this page.

    These permissions are for the Connector instance itself. It’s a different set of permissions than what you previously set up to simply deploy the Connector.

Steps
  1. If you’re creating your first Working Environment, click Add Working Environment and follow the prompts. Otherwise, click the Connector drop-down and select Add Connector.

    A screenshot that shows the Connector icon in the header and the Add Connector action.

  2. Choose Microsoft Azure as your cloud provider.

  3. On the Deploying a Connector page, review the details about what you’ll need. You have two options:

    1. Click Continue to prepare for deployment by using the in-product guide. Each step include information contained on this page of the documentation.

    2. Click Skip to Deployment if you already prepared by following the steps on this page.

  4. Follow the steps in the wizard to create the Connector:

    • If you’re prompted, log in to your Microsoft account, which should have the required permissions to create the virtual machine.

      The form is owned and hosted by Microsoft. Your credentials are not provided to NetApp.

      Tip If you’re already logged in to an Azure account, then BlueXP will automatically use that account. If you have multiple accounts, then you might need to log out first to ensure that you’re using the right account.
    • VM Authentication: Choose an Azure subscription, a location, a new resource group or an existing resource group, and then choose an authentication method.

    • Details: Enter a name for the instance, specify tags, and choose whether you want BlueXP to create a new role that has the required permissions, or if you want to select an existing role that you set up with the required permissions.

      Note that you can choose the subscriptions associated with this role. Each subscription that you choose provides the Connector with permissions to deploy Cloud Volumes ONTAP in those subscriptions.

    • Network: Choose a VNet and subnet, whether to enable a public IP address, and optionally specify a proxy configuration.

    • Security Group: Choose whether to create a new security group or whether to select an existing security group that allows inbound HTTP, HTTPS, and SSH access.

    • Review: Review your selections to verify that your set up is correct.

  5. Click Add.

    The virtual machine should be ready in about 7 minutes. You should stay on the page until the process is complete.

After you finish

You need to associate a Connector with workspaces so Workspace Admins can use those Connectors to create Cloud Volumes ONTAP systems. If you only have Account Admins, then associating the Connector with workspaces isn’t required. Account Admins have the ability to access all workspaces in BlueXP by default. Learn more.

If you have Azure Blob storage in the same Azure account where you created the Connector, you’ll see an Azure Blob working environment appear on the Canvas automatically. Learn more about what you can do with this working environment.

Create a Connector using a service principal

Rather than logging in with you Azure account, you also have the option to provide BlueXP with the credentials for an Azure service principal that has the required permissions.

Granting Azure permissions using a service principal

Grant the required permissions to deploy a Connector in Azure by creating and setting up a service principal in Azure Active Directory and by obtaining the Azure credentials that BlueXP needs.

Create an Azure Active Directory application

Create an Azure Active Directory (AD) application and service principal that BlueXP can use to deploy the Connector.

Before you begin

You must have the right permissions in Azure to create an Active Directory application and to assign the application to a role. For details, refer to Microsoft Azure Documentation: Required permissions.

Steps
  1. From the Azure portal, open the Azure Active Directory service.

    Shows the Active Directory service in Microsoft Azure.

  2. In the menu, click App registrations.

  3. Click New registration.

  4. Specify details about the application:

    • Name: Enter a name for the application.

    • Account type: Select an account type (any will work with BlueXP).

    • Redirect URI: You can leave this field blank.

  5. Click Register.

Result

You’ve created the AD application and service principal.

Assign the application to a role

You must bind the service principal to the Azure subscription in which you plan to deploy the Connector and assign it the custom "Azure SetupAsService" role.

Steps
  1. Copy the required permissions for a new custom role in Azure and save them in a JSON file.

    Note This policy contains only the permissions needed to launch the Connector VM in Azure from BlueXP. Don’t use this policy for other situations. When BlueXP creates the Connector, it applies a new set of permissions to the Connector VM that enables the Connector to manage the resources in your public cloud environment.
    {
        "Name": "Azure SetupAsService",
        "Actions": [
            "Microsoft.Compute/disks/delete",
            "Microsoft.Compute/disks/read",
            "Microsoft.Compute/disks/write",
            "Microsoft.Compute/locations/operations/read",
            "Microsoft.Compute/operations/read",
            "Microsoft.Compute/virtualMachines/instanceView/read",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.Compute/virtualMachines/delete",
            "Microsoft.Compute/virtualMachines/extensions/write",
            "Microsoft.Compute/virtualMachines/extensions/read",
            "Microsoft.Compute/availabilitySets/read",
            "Microsoft.Network/locations/operationResults/read",
            "Microsoft.Network/locations/operations/read",
            "Microsoft.Network/networkInterfaces/join/action",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Network/networkInterfaces/write",
            "Microsoft.Network/networkInterfaces/delete",
            "Microsoft.Network/networkSecurityGroups/join/action",
            "Microsoft.Network/networkSecurityGroups/read",
            "Microsoft.Network/networkSecurityGroups/write",
            "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/virtualNetworks/subnets/join/action",
            "Microsoft.Network/virtualNetworks/subnets/read",
            "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
            "Microsoft.Network/virtualNetworks/virtualMachines/read",
            "Microsoft.Network/publicIPAddresses/write",
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/publicIPAddresses/delete",
            "Microsoft.Network/networkSecurityGroups/securityRules/read",
            "Microsoft.Network/networkSecurityGroups/securityRules/write",
            "Microsoft.Network/networkSecurityGroups/securityRules/delete",
            "Microsoft.Network/publicIPAddresses/join/action",
            "Microsoft.Network/locations/virtualNetworkAvailableEndpointServices/read",
            "Microsoft.Network/networkInterfaces/ipConfigurations/read",
            "Microsoft.Resources/deployments/operations/read",
            "Microsoft.Resources/deployments/read",
            "Microsoft.Resources/deployments/delete",
            "Microsoft.Resources/deployments/cancel/action",
            "Microsoft.Resources/deployments/validate/action",
            "Microsoft.Resources/resources/read",
            "Microsoft.Resources/subscriptions/operationresults/read",
            "Microsoft.Resources/subscriptions/resourceGroups/delete",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
            "Microsoft.Resources/subscriptions/resourceGroups/write",
            "Microsoft.Authorization/roleDefinitions/write",
            "Microsoft.Authorization/roleAssignments/write",
            "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
            "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",
            "Microsoft.Network/networkSecurityGroups/delete",
            "Microsoft.Storage/storageAccounts/delete",
            "Microsoft.Storage/storageAccounts/write",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/deployments/operationStatuses/read",
            "Microsoft.Authorization/roleAssignments/read"
        ],
        "NotActions": [],
        "AssignableScopes": [],
        "Description": "Azure SetupAsService",
        "IsCustom": "true"
    }
  2. Modify the JSON file by adding your Azure subscription ID to the assignable scope.

    Example

    "AssignableScopes": [
    "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
  3. Use the JSON file to create a custom role in Azure.

    The following steps describe how to create the role by using Bash in Azure Cloud Shell.

    1. Start Azure Cloud Shell and choose the Bash environment.

    2. Upload the JSON file.

      A screenshot of the Azure Cloud Shell where you can choose the option to upload a file.

    3. Enter the following Azure CLI command:

      az role definition create --role-definition Policy_for_Setup_As_Service_Azure.json

    You should now have a custom role called Azure SetupAsService.

  4. Assign the application to the role:

    1. From the Azure portal, open the Subscriptions service.

    2. Select the subscription.

    3. Click Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the Azure SetupAsService role and click Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Click Select members.

        A screenshot of the Azure portal that shows the Members tab when adding a role to an application.

      • Search for the name of the application.

        Here’s an example:

        A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

      • Select the application and click Select.

      • Click Next.

    6. Click Review + assign.

      The service principal now has the required Azure permissions to deploy the Connector.

Add Windows Azure Service Management API permissions

The service principal must have "Windows Azure Service Management API" permissions.

Steps
  1. In the Azure Active Directory service, click App registrations and select the application.

  2. Click API permissions > Add a permission.

  3. Under Microsoft APIs, select Azure Service Management.

    A screenshot of the Azure portal that shows the Azure Service Management API permissions.

  4. Click Access Azure Service Management as organization users and then click Add permissions.

    A screenshot of the Azure portal that shows adding the Azure Service Management APIs.

Get the application ID and directory ID

When you create the Connector from BlueXP, you need to provide the application (client) ID and the directory (tenant) ID for the application. BlueXP uses the IDs to programmatically sign in.

Steps
  1. In the Azure Active Directory service, click App registrations and select the application.

  2. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Azure Active Directory.

Create a client secret

You need to create a client secret and then provide BlueXP with the value of the secret so BlueXP can use it to authenticate with Azure AD.

Steps
  1. Open the Azure Active Directory service.

  2. Click App registrations and select your application.

  3. Click Certificates & secrets > New client secret.

  4. Provide a description of the secret and a duration.

  5. Click Add.

  6. Copy the value of the client secret.

    A screenshot of the Azure portal that shows a client secret for the Azure AD service principal.

Result

Your service principal is now setup and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in BlueXP when you create the Connector.

Create the Connector by logging in with the service principal

BlueXP enables you to create a Connector in Azure directly from its user interface.

What you’ll need
  • An Azure subscription.

  • A VNet and subnet in your Azure region of choice.

  • Details about an HTTP proxy, if your organization requires a proxy for all outgoing internet traffic:

    • IP address

    • Credentials

    • HTTPS certificate

  • If you don’t want BlueXP to automatically create an Azure role for the Connector, then you’ll need to create your own using the policy on this page.

    These permissions are for the Connector instance itself. It’s a different set of permissions than what you previously set up to simply deploy the Connector.

Steps
  1. If you’re creating your first Working Environment, click Add Working Environment and follow the prompts. Otherwise, click the Connector drop-down and select Add Connector.

    A screenshot that shows the Connector icon in the header and the Add Connector action.

  2. Choose Microsoft Azure as your cloud provider.

  3. On the Deploying a Connector page:

    1. Under Authentication, click Active Directory service principal and enter information about the Azure Active Directory service principal that grants the required permissions:

    2. Click Log in.

    3. You now have two options:

      • Click Continue to prepare for deployment by using the in-product guide. Each step in the in-product guide includes the information that’s contained on this page of the documentation.

      • Click Skip to Deployment if you already prepared by following the steps on this page.

  4. Follow the steps in the wizard to create the Connector:

    • VM Authentication: Choose an Azure subscription, a location, a new resource group or an existing resource group, and then choose an authentication method.

    • Details: Enter a name for the instance, specify tags, and choose whether you want BlueXP to create a new role that has the required permissions, or if you want to select an existing role that you set up with the required permissions.

      Note that you can choose the subscriptions associated with this role. Each subscription that you choose provides the Connector with permissions to deploy Cloud Volumes ONTAP in those subscriptions.

    • Network: Choose a VNet and subnet, whether to enable a public IP address, and optionally specify a proxy configuration.

    • Security Group: Choose whether to create a new security group or whether to select an existing security group that allows inbound HTTP, HTTPS, and SSH access.

    • Review: Review your selections to verify that your set up is correct.

  5. Click Add.

    The virtual machine should be ready in about 7 minutes. You should stay on the page until the process is complete.

After you finish

You need to associate a Connector with workspaces so Workspace Admins can use those Connectors to create Cloud Volumes ONTAP systems. If you only have Account Admins, then associating the Connector with workspaces isn’t required. Account Admins have the ability to access all workspaces in BlueXP by default. Learn more.

If you have Azure Blob storage in the same Azure account where you created the Connector, you’ll see an Azure Blob working environment appear on the Canvas automatically. Learn more about what you can do with this working environment.

Open port 3128 for AutoSupport messages

If you plan to deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection won’t be available, then BlueXP automatically configures Cloud Volumes ONTAP to use the Connector as a proxy server.

The only requirement is to ensure that the Connector’s security group allows inbound connections over port 3128. You’ll need to open this port after you deploy the Connector.

If you use the default security group for Cloud Volumes ONTAP, then no changes are needed to its security group. But if you plan to define strict outbound rules for Cloud Volumes ONTAP, then you’ll also need to ensure that the Cloud Volumes ONTAP security group allows outbound connections over port 3128.