Create a Connector in Google Cloud from BlueXP

Contributors netapp-bcammett netapp-tonacki

A BlueXP Account Admin needs to deploy a Connector before you can use most BlueXP features. Learn when a Connector is required. The Connector enables BlueXP to manage resources and processes within your public cloud environment.

This page describes how to create a Connector in Google Cloud directly from BlueXP. Learn about other ways to deploy a Connector.

These steps must be completed by a user who has the Account Admin role. A Workspace Admin can’t create a Connector.

Tip When you create your first Cloud Volumes ONTAP working environment, BlueXP will prompt you to create a Connector if you don’t have one yet.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Set up permissions
Two Set up networking

You’ll need a VPC and subnet with outbound internet access to specific endpoints. If an HTTP proxy is required for outbound internet, then you’ll need the IP address, credentials, and HTTPS certificate.

Three Enable Google Cloud APIs
  • Cloud Deployment Manager V2 API

  • Cloud Logging API

  • Cloud Resource Manager API

  • Compute Engine API

  • Identity and Access Management (IAM) API

Four Create the Connector

Click the Connector drop-down, select Add Connector and follow the prompts.

Set up permissions

Permissions are required for the following:

  • The user who will deploy the Connector VM

  • A service account that you need to attach to the Connector VM during deployment

Depending on your configuration, you might need to complete the following steps as well:

  • Set up permissions across projects

  • Set up permissions for a shared VPC

Set up permissions to deploy the Connector

Before you can deploy a Connector, you need to ensure that your Google Cloud account has the correct permissions.

Steps
  1. Create a custom role that includes the following permissions:

    title: Connector deployment policy
    description: Permissions for the user who deploys the Connector from BlueXP
    stage: GA
    includedPermissions:
    - compute.disks.create
    - compute.disks.get
    - compute.disks.list
    - compute.disks.setLabels
    - compute.disks.use
    - compute.firewalls.create
    - compute.firewalls.delete
    - compute.firewalls.get
    - compute.firewalls.list
    - compute.globalOperations.get
    - compute.images.get
    - compute.images.getFromFamily
    - compute.images.list
    - compute.images.useReadOnly
    - compute.instances.attachDisk
    - compute.instances.create
    - compute.instances.get
    - compute.instances.list
    - compute.instances.setDeletionProtection
    - compute.instances.setLabels
    - compute.instances.setMachineType
    - compute.instances.setMetadata
    - compute.instances.setTags
    - compute.instances.start
    - compute.instances.updateDisplayDevice
    - compute.machineTypes.get
    - compute.networks.get
    - compute.networks.list
    - compute.networks.updatePolicy
    - compute.projects.get
    - compute.regions.get
    - compute.regions.list
    - compute.subnetworks.get
    - compute.subnetworks.list
    - compute.zoneOperations.get
    - compute.zones.get
    - compute.zones.list
    - deploymentmanager.compositeTypes.get
    - deploymentmanager.compositeTypes.list
    - deploymentmanager.deployments.create
    - deploymentmanager.deployments.delete
    - deploymentmanager.deployments.get
    - deploymentmanager.deployments.list
    - deploymentmanager.manifests.get
    - deploymentmanager.manifests.list
    - deploymentmanager.operations.get
    - deploymentmanager.operations.list
    - deploymentmanager.resources.get
    - deploymentmanager.resources.list
    - deploymentmanager.typeProviders.get
    - deploymentmanager.typeProviders.list
    - deploymentmanager.types.get
    - deploymentmanager.types.list
    - resourcemanager.projects.get
    - compute.instances.setServiceAccount
    - iam.serviceAccounts.list
  2. Attach the custom role to the user who will deploy the Connector from BlueXP.

Result

The Google Cloud user now has the permissions required to create the Connector.

Set up a service account for the Connector

A service account is required to provide the Connector with the permission that it needs to manage resources in Google Cloud. You’ll associate this service account with the Connector VM when you create it.

The permissions for the service account are different than the permissions that you set up in the previous section.

Steps
  1. Create a custom role that includes the following permissions:

    title: NetApp BlueXP
    description: Permissions for the service account associated with the Connector instance.
    stage: GA
    includedPermissions:
    - iam.serviceAccounts.actAs
    - compute.regionBackendServices.create
    - compute.regionBackendServices.get
    - compute.regionBackendServices.list
    - compute.networks.updatePolicy
    - compute.backendServices.create
    - compute.addresses.list
    - compute.disks.create
    - compute.disks.createSnapshot
    - compute.disks.delete
    - compute.disks.get
    - compute.disks.list
    - compute.disks.setLabels
    - compute.disks.use
    - compute.firewalls.create
    - compute.firewalls.delete
    - compute.firewalls.get
    - compute.firewalls.list
    - compute.globalOperations.get
    - compute.images.get
    - compute.images.getFromFamily
    - compute.images.list
    - compute.images.useReadOnly
    - compute.instances.addAccessConfig
    - compute.instances.attachDisk
    - compute.instances.create
    - compute.instances.delete
    - compute.instances.detachDisk
    - compute.instances.get
    - compute.instances.getSerialPortOutput
    - compute.instances.list
    - compute.instances.setDeletionProtection
    - compute.instances.setLabels
    - compute.instances.setMachineType
    - compute.instances.setMetadata
    - compute.instances.setTags
    - compute.instances.start
    - compute.instances.stop
    - compute.instances.updateDisplayDevice
    - compute.machineTypes.get
    - compute.networks.get
    - compute.networks.list
    - compute.projects.get
    - compute.regions.get
    - compute.regions.list
    - compute.snapshots.create
    - compute.snapshots.delete
    - compute.snapshots.get
    - compute.snapshots.list
    - compute.snapshots.setLabels
    - compute.subnetworks.get
    - compute.subnetworks.list
    - compute.subnetworks.use
    - compute.subnetworks.useExternalIp
    - compute.zoneOperations.get
    - compute.zones.get
    - compute.zones.list
    - compute.instances.setServiceAccount
    - deploymentmanager.compositeTypes.get
    - deploymentmanager.compositeTypes.list
    - deploymentmanager.deployments.create
    - deploymentmanager.deployments.delete
    - deploymentmanager.deployments.get
    - deploymentmanager.deployments.list
    - deploymentmanager.manifests.get
    - deploymentmanager.manifests.list
    - deploymentmanager.operations.get
    - deploymentmanager.operations.list
    - deploymentmanager.resources.get
    - deploymentmanager.resources.list
    - deploymentmanager.typeProviders.get
    - deploymentmanager.typeProviders.list
    - deploymentmanager.types.get
    - deploymentmanager.types.list
    - logging.logEntries.list
    - logging.privateLogEntries.list
    - resourcemanager.projects.get
    - storage.buckets.create
    - storage.buckets.delete
    - storage.buckets.get
    - storage.buckets.list
    - cloudkms.cryptoKeyVersions.useToEncrypt
    - cloudkms.cryptoKeys.get
    - cloudkms.cryptoKeys.list
    - cloudkms.keyRings.list
    - storage.buckets.update
    - iam.serviceAccounts.getIamPolicy
    - iam.serviceAccounts.list
    - storage.objects.get
    - storage.objects.list
    - monitoring.timeSeries.list
    - storage.buckets.getIamPolicy
  2. Create a Google Cloud service account and apply the custom role that you just created.

  3. If you want to deploy Cloud Volumes ONTAP in other projects, grant access by adding the service account with the BlueXP role to that project. You’ll need to repeat this step for each project.

Result

The service account for the Connector VM is set up.

Set up permissions across projects

If you plan to deploy Cloud Volumes ONTAP systems in different projects than the project where the Connector resides, then you’ll need to provide the Connector’s service account with access to those projects.

For example, let’s say the Connector is in project 1 and you want to create Cloud Volumes ONTAP systems in project 2. You’ll need to grant access to the service account in project 2.

Steps
  1. In the Google Cloud console, go to the IAM service and select the project where you want to create Cloud Volumes ONTAP systems.

  2. On the IAM page, select Grant Access and provide the required details.

    • Enter the email of the Connector’s service account.

    • Select the Connector’s custom role.

    • Click Save.

For more details, refer to Google Cloud documentation

Set up shared VPC permissions

If you are using a shared VPC to deploy resources into a service project, then the following permissions are required. This table is for reference and your environment should reflect the permissions table when IAM configuration is complete.

Identity Creator Hosted in Service project permissions Host project permissions Purpose

Google account used to deploy the Connector

Custom

Service Project

  • compute.networkUser

Deploying the Connector in the service project

Connector service account

Custom

Service project

  • compute.networkUser

  • deploymentmanager.editor

Deploying and maintaining Cloud Volumes ONTAP and services in the service project

Cloud Volumes ONTAP service account

Custom

Service project

  • storage.admin

  • member: BlueXP service account as serviceAccount.user

N/A

(Optional) For data tiering and Cloud Backup

Google APIs service agent

Google Cloud

Service project

  • (Default) Editor

  • compute.networkUser

Interacts with Google Cloud APIs on behalf of deployment. Allows BlueXP to use the shared network.

Google Compute Engine default service account

Google Cloud

Service project

  • (Default) Editor

  • compute.networkUser

Deploys Google Cloud instances and compute infrastructure on behalf of deployment. Allows BlueXP to use the shared network.

Notes:

  1. deploymentmanager.editor is only required at the host project if you are not passing firewall rules to the deployment and are choosing to let BlueXP create them for you. BlueXP will create a deployment in the host project which contains the VPC0 firewall rule if no rule is specified.

  2. firewall.create and firewall.delete are only required if you are not passing firewall rules to the deployment and are choosing to let BlueXP create them for you. These permissions reside in the BlueXP account .yaml file. If you are deploying an HA pair using a shared VPC, these permissions will be used to create the firewall rules for VPC1, 2 and 3. For all other deployments, these permissions will also be used to create rules for VPC0.

  3. For data tiering, the tiering service account must have the serviceAccount.user role on the service account, not just at the project level. Currently if you assign serviceAccount.user at the project level, the permissions don’t show when you query the service account with getIAMPolicy.

Set up networking

Set up your networking so the Connector can manage resources and processes within your public cloud environment. Other than having a virtual network and subnet for the Connector, you’ll need to ensure that the following requirements are met.

Connection to target networks

A Connector requires a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the virtual network in which you launch Cloud Volumes ONTAP.

Outbound internet access

The Connector requires outbound internet access to manage resources and processes within your public cloud environment.

Endpoints Purpose

https://support.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://*.api.bluexp.netapp.com

https://api.bluexp.netapp.com

https://*.cloudmanager.cloud.netapp.com

https://cloudmanager.cloud.netapp.com

To provide SaaS features and services within BlueXP.

Note The Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.

https://cloudmanagerinfraprod.azurecr.io

https://*.blob.core.windows.net

To upgrade the Connector and its Docker components.

Proxy server

If your organization requires deployment of an HTTP proxy for all outgoing internet traffic, obtain the following information about your HTTP proxy:

  • IP address

  • Credentials

  • HTTPS certificate

Security group

There’s no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy for AutoSupport messages. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.

IP address limitation

There’s a possible conflict with IP addresses in the 172 range. Learn more about this limitation.

Enable Google Cloud APIs

Several APIs are required to deploy the Connector and Cloud Volumes ONTAP.

Step
  1. Enable the following Google Cloud APIs in your project.

    • Cloud Deployment Manager V2 API

    • Cloud Logging API

    • Cloud Resource Manager API

    • Compute Engine API

    • Identity and Access Management (IAM) API

Create a Connector

Create a Connector in Google Cloud directly from the BlueXP user interface or by using gcloud.

BlueXP
  1. If you’re creating your first Working Environment, click Add Working Environment and follow the prompts. Otherwise, click the Connector drop-down and select Add Connector.

    A screenshot that shows the Connector icon in the header and the Add Connector action.

  2. Choose Google Cloud Platform as your cloud provider.

  3. On the Deploying a Connector page, review the details about what you’ll need. You have two options:

    1. Click Continue to prepare for deployment by using the in-product guide. Each step in the in-product guide includes the information that’s contained on this page of the documentation.

    2. Click Skip to Deployment if you already prepared by following the steps on this page.

  4. Follow the steps in the wizard to create the Connector:

    • If you’re prompted, log in to your Google account, which should have the required permissions to create the virtual machine instance.

      The form is owned and hosted by Google. Your credentials are not provided to NetApp.

    • Details: Enter a name for the virtual machine instance, specify tags, select a project, and then select the service account that has the required permissions (refer to the section above for details).

    • Location: Specify a region, zone, VPC, and subnet for the instance.

    • Network: Choose whether to enable a public IP address and optionally specify a proxy configuration.

    • Firewall Policy: Choose whether to create a new firewall policy or whether to select an existing firewall policy that allows inbound HTTP, HTTPS, and SSH access.

    • Review: Review your selections to verify that your set up is correct.

  5. Click Add.

    The instance should be ready in about 7 minutes. You should stay on the page until the process is complete.

gcloud
  1. Log in to the gcloud SDK using your preferred methodology.

    In our examples, we’ll use a local shell with the gcloud SDK installed, but you could use the native Google Cloud Shell in the Google Cloud console.

    For more information about the Google Cloud SDK, visit the Google Cloud SDK documentation page.

  2. Verify that you are logged in as a user who has the required permissions that are defined in the section above:

    gcloud auth list

    The output should show the following where the * user account is the desired user account to be logged in as:

    Credentialed Accounts
    ACTIVE  ACCOUNT
         some_user_account@domain.com
    *    desired_user_account@domain.com
    To set the active account, run:
     $ gcloud config set account `ACCOUNT`
    Updates are available for some Cloud SDK components. To install them,
    please run:
    $ gcloud components update
  3. Run the gcloud compute instances create command:

    gcloud compute instances create <instance-name>
      --machine-type=n2-standard-4
      --image-project=netapp-cloudmanager
      --image-family=cloudmanager
      --scopes=cloud-platform
      --project=<project>
      --service-account=<service-account>
      --zone=<zone>
      --no-address
      --tags <network-tag>
      --network <network-path>
      --subnet <subnet-path>
      --boot-disk-kms-key <kms-key-path>
    instance-name

    The desired instance name for the VM instance.

    project

    (Optional) The project where you want to deploy the VM.

    service-account

    The service account specified in the output from step 2.

    zone

    The zone where you want to deploy the VM

    no-address

    (Optional) No external IP address is used (you need a cloud NAT or proxy to route traffic to the public internet)

    network-tag

    (Optional) Add network tagging to link a firewall rule using tags to the Connector instance

    network-path

    (Optional) Add the name of the network to deploy the Connector into (for a Shared VPC, you need the full path)

    subnet-path

    (Optional) Add the name of the subnet to deploy the Connector into (for a Shared VPC, you need the full path)

    kms-key-path

    (Optional) Add a KMS key to encrypt the Connector’s disks (IAM permissions also need to be applied)

    For more information about these flags, visit the Google Cloud compute SDK documentation.

    Running the command deploys the Connector using the NetApp golden image. The Connector instance and software should be running in approximately five minutes.

  4. Open a web browser from a host that has a connection to the Connector instance and enter the following URL:

    https://ipaddress

  5. After you log in, set up the Connector:

    1. Specify the NetApp account to associate with the Connector.

    2. Enter a name for the system.

Result

The Connector is now installed and set up with your NetApp account. BlueXP will automatically use this Connector when you create new working environments. But if you have more than one Connector, you’ll need to switch between them.

If you have Google Cloud Storage buckets in the same Google Cloud account where you created the Connector, you’ll see a Google Cloud Storage working environment appear on the Canvas automatically. Learn more about what you can do with this working environment.

Open port 3128 for AutoSupport messages

If you plan to deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection won’t be available, then BlueXP automatically configures Cloud Volumes ONTAP to use the Connector as a proxy server.

The only requirement is to ensure that the Connector’s security group allows inbound connections over port 3128. You’ll need to open this port after you deploy the Connector.

If you use the default security group for Cloud Volumes ONTAP, then no changes are needed to its security group. But if you plan to define strict outbound rules for Cloud Volumes ONTAP, then you’ll also need to ensure that the Cloud Volumes ONTAP security group allows outbound connections over port 3128.