
Deploy the Connector in restricted mode

Contributors netapp-bcammett

Deploy the Connector in restricted mode so that you can use BlueXP with limited outbound connectivity to the BlueXP SaaS layer. To get started, install the Connector, set up BlueXP by accessing the user interface that's running on the Connector, and then provide the cloud permissions that you previously set up.

Step 1: Install the Connector

Install the Connector from your cloud provider's marketplace or by manually installing the software on your own Linux host.

AWS Commercial Marketplace
Before you begin

You should have the following:

Steps
  1. Go to the BlueXP page on the AWS Marketplace

  2. On the Marketplace page, select Continue to Subscribe and then select Continue to Configuration.

    A screenshot that shows the Continue to Subscribe and Continue to Configuration buttons on the AWS Marketplace.

  3. Change any of the default options and select Continue to Launch.

  4. Under Choose Action, select Launch through EC2 and then select Launch.

    These steps describe how to launch the instance from the EC2 Console because the console enables you to attach an IAM role to the Connector instance. This isn't possible using the Launch from Website action.

  5. Follow the prompts to configure and deploy the instance:

    • Name and tags: Enter a name and tags for the instance.

    • Application and OS Image: Skip this section. The Connector AMI is already selected.

    • Instance type: Depending on region availability, choose an instance type that meets RAM and CPU requirements (t3.xlarge is recommended).

    • Key pair (login): Select the key pair that you want to use to securely connect to the instance.

    • Network settings: Edit the network settings as needed:

      • Choose the desired VPC and subnet.

      • Specify whether the instance should have a public IP address.

      • Specify firewall settings that enable the required connection methods for the Connector instance: SSH, HTTP, and HTTPS.

        A few more rules are required for specific configurations.

    • Configure storage: Keep the default size and disk type for the root volume.

      If you want to enable Amazon EBS encryption on the root volume, select Advanced, expand Volume 1, select Encrypted, and then choose a KMS key.

    • Advanced details: Under IAM instance profile, choose the IAM role that includes the required permissions for the Connector.

    • Summary: Review the summary and select Launch instance.

Result

AWS launches the software with the specified settings. The Connector instance and software should be running in approximately five minutes.

What's next?

Set up BlueXP.

AWS Gov Marketplace
Before you begin

You should have the following:

Steps
  1. Go to the BlueXP offering in the AWS Marketplace.

    1. Open the EC2 service and select Launch instance.

    2. Select AWS Marketplace.

    3. Search for BlueXP and select the offering.

      A screenshot that shows the BlueXP offering after searching for it in the AWS Marketplace

    4. Select Continue.

  2. Follow the prompts to configure and deploy the instance:

    • Choose an Instance Type: Depending on region availability, choose one of the supported instance types (t3.xlarge is recommended).

    • Configure Instance Details: Select a VPC and subnet, choose the IAM role that you created in step 1, enable termination protection (recommended), and choose any other configuration options that meet your requirements.

      A screenshot that shows fields on the Configure Instance page in AWS. The IAM role that you should have created in step 1 is selected.

    • Add Storage: Keep the default storage options.

    • Add Tags: Enter tags for the instance, if desired.

    • Configure Security Group: Specify the required connection methods for the Connector instance: SSH, HTTP, and HTTPS.

    • Review: Review your selections and select Launch.

Result

AWS launches the software with the specified settings. The Connector instance and software should be running in approximately five minutes.

What's next?

Set up BlueXP.

Azure Marketplace
Before you begin

You should have the following:

Steps
  1. Go to the NetApp Connector VM page in the Azure Marketplace.

  2. Select Get it now and then select Continue.

  3. From the Azure portal, select Create and follow the steps to configure the virtual machine.

    Note the following as you configure the VM:

    • VM size: Choose a VM size that meets CPU and RAM requirements. We recommend DS3 v2.

    • Disks: The Connector can perform optimally with either HDD or SSD disks.

    • Public IP: If you want to use a public IP address with the Connector VM, the IP address must use a Basic SKU to ensure that BlueXP uses this public IP address.

      A screenshot of the create new IP address page in Azure that enables you to choose Basic in the SKU field.

      If you use a Standard SKU IP address instead, then BlueXP uses the private IP address of the Connector, instead of the public IP. If the machine that you're using to access the BlueXP Console doesn't have access to that private IP address, then actions from the BlueXP Console will fail.

    • Network security group: The Connector requires inbound connections using SSH, HTTP, and HTTPS.

    • Identity: Under Management, select Enable system assigned managed identity.

      This setting is important because a managed identity allows the Connector virtual machine to identify itself to Microsoft Entra ID without providing any credentials. Learn more about managed identities for Azure resources.

  4. On the Review + create page, review your selections and select Create to start the deployment.

Result

Azure deploys the virtual machine with the specified settings. The virtual machine and Connector software should be running in approximately five minutes.

What's next?

Set up BlueXP.

Manual install
Before you begin

You should have the following:

  • Root privileges to install the Connector.

  • Details about a proxy server, if a proxy is required for internet access from the Connector.

    You have the option to configure a proxy server after installation but doing so requires restarting the Connector.

    Note that BlueXP does not support transparent proxy servers.

  • A CA-signed certificate, if the proxy server uses HTTPS or if the proxy is an intercepting proxy.

About this task

The installer that is available on the NetApp Support Site might be an earlier version. After installation, the Connector automatically updates itself if a new version is available.

Steps
  1. Verify that Docker is enabled and running.

    sudo systemctl enable docker && sudo systemctl start docker
  2. If the http_proxy or https_proxy system variables are set on the host, remove them:

    unset http_proxy
    unset https_proxy

    If you don't remove these system variables, the installation will fail.

  3. Download the Connector software from the NetApp Support Site, and then copy it to the Linux host.

    You should download the "online" Connector installer that's meant for use in your network or in the cloud. A separate "offline" installer is available for the Connector, but it's only supported with private mode deployments.

  4. Assign permissions to run the script.

    chmod +x BlueXP-Connector-Cloud-<version>

    Where <version> is the version of the Connector that you downloaded.

  5. Run the installation script.

     ./BlueXP-Connector-Cloud-<version> --proxy <HTTP or HTTPS proxy server> --cacert <path and file name of a CA-signed certificate>

    The --proxy and --cacert parameters are optional. If you have a proxy server, you will need to enter the parameters as shown. The installer doesn't prompt you to provide information about a proxy.

    Here's an example of the command using both optional parameters:

     ./BlueXP-Connector-Cloud-v3.9.38 --proxy https://user:password@10.0.0.30:8080/ --cacert /tmp/cacert/certificate.cer

    --proxy configures the Connector to use an HTTP or HTTPS proxy server using one of the following formats:

    • http://address:port

    • http://user-name:password@address:port

    • http://domain-name%92user-name:password@address:port

    • https://address:port

    • https://user-name:password@address:port

    • https://domain-name%92user-name:password@address:port

      Note the following:

      • The user can be a local user or domain user.

      • For a domain user, you must use the ASCII code for the \ character (%92), as shown above.

      • BlueXP doesn't support passwords that include the @ character.

    --cacert specifies a CA-signed certificate to use for HTTPS access between the Connector and the proxy server. This parameter is required only if you specify an HTTPS proxy server or if the proxy is an intercepting proxy.
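
The following pre-flight checks cover steps 2 and 5 above. They are an added example, not part of the Connector installer or NetApp tooling; the function names are hypothetical and the checks encode only the proxy formats and restrictions listed on this page.

```sh
# Added example: pre-flight checks for the manual install steps above.
# Function names are hypothetical, not part of the installer.

# Step 2: the installation fails if either proxy variable is set on the host.
proxy_env_clean() {
    [ -z "${http_proxy+x}" ] && [ -z "${https_proxy+x}" ]
}

# Step 5: check a --proxy value against the formats the page lists.
# Prints the reason and returns 1 on the first problem found.
check_proxy_url() {
    url=$1
    case $url in
        http://*)  rest=${url#http://} ;;
        https://*) rest=${url#https://} ;;
        *) echo "scheme must be http:// or https://"; return 1 ;;
    esac
    rest=${rest%/}                  # the page's example ends with "/"
    case $rest in
        *'\'*) echo "use %92 instead of a literal backslash"; return 1 ;;
    esac
    hostport=$rest
    case $rest in
        *@*)
            creds=${rest%%@*}       # text before the first "@"
            hostport=${rest#*@}     # text after the first "@"
            case $hostport in
                *@*) echo "password must not contain @"; return 1 ;;
            esac
            case $creds in
                ?*:?*) ;;
                *) echo "credentials must be user-name:password"; return 1 ;;
            esac ;;
    esac
    case $hostport in
        ?*:?*) ;;
        *) echo "address:port is required"; return 1 ;;
    esac
    case ${hostport##*:} in
        *[!0-9]*) echo "port must be numeric"; return 1 ;;
    esac
    return 0
}

# --cacert is required for an HTTPS proxy. An intercepting proxy also needs
# it, but that cannot be determined from the URL.
needs_cacert() {
    case $1 in https://*) return 0 ;; *) return 1 ;; esac
}
```

Run the checks before invoking the installer. Because the --proxy value places the proxy password on the command line, it is also recorded in shell history and visible in the process list while the installer runs.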

Result

The Connector is now installed. At the end of the installation, the Connector service (occm) restarts twice if you specified a proxy server.

What's next?

Set up BlueXP.

Step 2: Set up BlueXP

When you access the BlueXP console for the first time, you'll be prompted to choose an account to associate the Connector with and you'll need to enable restricted mode.

Note: If you already have an account and you want to create another one, then you need to use the Tenancy API. Learn how to create an additional BlueXP account.

Steps
  1. Open a web browser from a host that has a connection to the Connector instance and enter the following URL:

    https://ipaddress

  2. Sign up or log in to BlueXP.

  3. After you're logged in, set up BlueXP:

    1. Enter a name for the Connector.

    2. Enter a name for a new BlueXP account or select an existing account.

      You can select an existing account if your login is already associated with a BlueXP account.

    3. Select Are you running in a secured environment?

    4. Select Enable restricted mode on this account.

      Note that you can't change this setting after BlueXP creates the account. You can't enable restricted mode later and you can't disable it later.

      If you deployed the Connector in a Government region, the checkbox is already enabled and can't be changed. This is because restricted mode is the only mode supported in Government regions.

      A screenshot that shows the welcome page where you need to enter a Connector name, account name, and can enable restricted mode on this account.

    5. Select Let's start.

Result

The Connector is now installed and set up with your BlueXP account. All users need to access BlueXP using the IP address of the Connector instance.

What's next?

Provide BlueXP with the permissions that you previously set up.

Step 3: Provide permissions to BlueXP

If you deployed the Connector from the Azure Marketplace or if you manually installed the Connector software, you need to provide the permissions that you previously set up so that you can use BlueXP services.

These steps don't apply if you deployed the Connector from the AWS Marketplace because you chose the required IAM role during deployment.

AWS IAM role

Attach the IAM role that you previously created to the EC2 instance where you installed the Connector.

These steps apply only if you manually installed the Connector in AWS. For AWS Marketplace deployments, you already associated the Connector instance with an IAM role that includes the required permissions.

Steps
  1. Go to the Amazon EC2 console.

  2. Select Instances.

  3. Select the Connector instance.

  4. Select Actions > Security > Modify IAM role.

  5. Select the IAM role and select Update IAM role.

Result

BlueXP now has the permissions that it needs to perform actions in AWS on your behalf.

AWS access key

Provide BlueXP with the AWS access key for an IAM user that has the required permissions.

Steps
  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Amazon Web Services > Connector.

    2. Define Credentials: Enter an AWS access key and secret key.

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

BlueXP now has the permissions that it needs to perform actions in AWS on your behalf.

Azure role

Go to the Azure portal and assign the Azure custom role to the Connector virtual machine for one or more subscriptions.

Steps
  1. From the Azure portal, open the Subscriptions service and select your subscription.

  2. Select Access control (IAM) > Add > Add role assignment.

  3. In the Role tab, select the BlueXP Operator role and select Next.

    Note: BlueXP Operator is the default name provided in the BlueXP policy. If you chose a different name for the role, then select that name instead.

  4. In the Members tab, complete the following steps:

    1. Assign access to a Managed identity.

    2. Select Select members, select the subscription in which the Connector virtual machine was created, choose Virtual machine, and then select the Connector virtual machine.

    3. Select Select.

    4. Select Next.

    5. Select Review + assign.

    6. If you want to manage resources in additional Azure subscriptions, switch to that subscription and then repeat these steps.

Result

BlueXP now has the permissions that it needs to perform actions in Azure on your behalf.

Azure service principal

Provide BlueXP with the credentials for the Azure service principal that you previously set up.

Steps
  1. In the upper right of the BlueXP console, select the Settings icon, and select Credentials.

    A screenshot that shows the Settings icon in the upper right of the BlueXP console.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Microsoft Azure > Connector.

    2. Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:

      • Application (client) ID

      • Directory (tenant) ID

      • Client Secret

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

BlueXP now has the permissions that it needs to perform actions in Azure on your behalf.

Google Cloud service account

Associate the service account with the Connector VM.

Steps
  1. Go to the Google Cloud portal and assign the service account to the Connector VM instance.

  2. If you want to manage resources in other projects, grant access by adding the service account with the BlueXP role to that project. You'll need to repeat this step for each project.

Result

BlueXP now has the permissions that it needs to perform actions in Google Cloud on your behalf.