Install and set up a Connector on-premises
A Connector is NetApp software running in your cloud network or on-premises network that gives you the ability to use all BlueXP features and services. To run the Connector on-premises, you need to review host requirements, set up your networking, prepare cloud permissions, install the Connector, set up the Connector, and then provide the permissions that you prepared.
-
You should have an understanding of Connectors.
-
You should review Connector limitations.
Step 1: Review host requirements
The Connector software must run on a host that meets specific operating system requirements, RAM requirements, port requirements, and so on. Ensure that your host meets these requirements before you install the Connector.
- Dedicated host
-
The Connector is not supported on a host that is shared with other applications. The host must be a dedicated host.
Host can be of any architecture that meets the following size requirements:
-
CPU: 8 cores or 8 vCPUs
-
RAM: 32 GB
-
- Hypervisor
-
A bare metal or hosted hypervisor that is certified to run a supported operating system is required.
- Operating system and container requirements
-
BlueXP supports the Connector with the following operating systems when using BlueXP in standard mode or restricted mode. A container orchestration tool is required before you install the Connector.
Operating system Supported OS versions Supported Connector versions Required container tool SELinux Red Hat Enterprise Linux
9.1 to 9.4
8.6 to 8.10
3.9.40 or later with BlueXP in standard mode or restricted mode
Podman version 4.6.1 or 4.9.4
Supported in enforcing mode or permissive mode 1
Ubuntu
24.04 LTS
3.9.45 or later with BlueXP in standard mode or restricted mode
Docker Engine 26.0.0
Not supported
22.04 LTS
3.9.29 or later
Docker Engine 23.0.6 to 26.0.0
26.0.0 is supported with new Connector 3.9.44 or later installations
Not supported
Notes:
-
Management of Cloud Volumes ONTAP systems is not supported by Connectors that have SELinux enabled on the operating system.
-
The Connector is supported on English-language versions of these operating systems.
-
For RHEL, the host must be registered with Red Hat Subscription Management. If it's not registered, the host can't access repositories to update required 3rd-party software during Connector installation.
-
- Disk space in /opt
-
100 GiB of space must be available
BlueXP uses
/opt
to install the/opt/application/netapp
directory and its contents. - Disk space in /var
-
20 GiB of space must be available
BlueXP requires this space in
/var
because Docker or Podman are architected to create the containers within this directory. Specifically, they will create containers in the/var/lib/containers/storage
directory. External mounts or symlinks do not work for this space.
Step 2: Install Podman or Docker Engine
Depending on your operating system, either Podman or Docker Engine is required before you install the Connector.
-
Podman is required for Red Hat Enterprise Linux 8 and 9.
-
Docker Engine is required for Ubuntu.
Follow these steps to install Podman and configure it to meet the following requirements:
-
The podman.socket service must be enabled and started
-
python3 must be installed
-
The podman-compose package version 1.0.6 must be installed
-
podman-compose must be added to the PATH environment variable
-
Remove the podman-docker package if it's installed on the host.
-
Install Podman.
Podman is available from official Red Hat Enterprise Linux repositories.
For Red Hat Enterprise Linux 9:
Where <version> is the supported version of Podman that you're installing. View the Podman versions that BlueXP supports.
For Red Hat Enterprise Linux 8:
Where <version> is the supported version of Podman that you're installing. View the Podman versions that BlueXP supports.
-
Enable and start the podman.socket service.
-
Install python3.
-
Install the EPEL repository package if it's not already available on your system.
This step is required because podman-compose is available from the Extra Packages for Enterprise Linux (EPEL) repository.
For Red Hat Enterprise Linux 9:
For Red Hat Enterprise Linux 8:
-
Install podman-compose package 1.0.6.
Using the dnf install
command meets the requirement for adding podman-compose to the PATH environment variable. The installation command adds podman-compose to /usr/bin, which is already included in thesecure_path
option on the host.
Step 3: Set up networking
Set up your networking so the Connector can manage resources and processes within your hybrid cloud environment. For example, you need to ensure that connections are available to target networks and that outbound internet access is available.
- Connections to target networks
-
A Connector requires a network connection to the location where you're planning to create and manage working environments. For example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.
- Outbound internet access
-
The network location where you deploy the Connector must have an outbound internet connection to contact specific endpoints.
- Endpoints contacted from computers when using the BlueXP web-based console
-
Computers that access the BlueXP console from a web browser must have the ability to contact several endpoints. You'll need to use the BlueXP console to set up the Connector and for day-to-day use of BlueXP.
- Endpoints contacted during manual installation
-
When you manually install the Connector on your own Linux host, the installer for the Connector requires access to the following URLs during the installation process:
-
https://mysupport.netapp.com
-
https://signin.b2c.netapp.com (this endpoint is the CNAME URL for https://mysupport.netapp.com)
-
https://cloudmanager.cloud.netapp.com/tenancy
-
https://stream.cloudmanager.cloud.netapp.com
-
https://production-artifacts.cloudmanager.cloud.netapp.com
-
To obtain images, the installer needs access to one of these two sets of endpoints:
-
Option 1 (recommended):
-
https://bluexpinfraprod.eastus2.data.azurecr.io
-
https://bluexpinfraprod.azurecr.io
-
-
Option 2:
-
https://*.blob.core.windows.net
-
https://cloudmanagerinfraprod.azurecr.io
-
The endpoints listed in option 1 are recommended because they are more secure. We recommend that you set up your firewall to allow the endpoints listed in option 1, while disallowing the endpoints listed in option 2. Note the following about these endpoints:
-
The endpoints listed in option 1 are supported starting with the 3.9.47 release of the Connector. There is no backwards compatibility with previous releases of the Connector.
-
The Connector contacts the endpoints listed in option 2 first. If those endpoints aren't accessible, the Connector automatically contacts the endpoints listed in option 1.
-
The endpoints in option 1 are not supported if you use the Connector with BlueXP backup and recovery or BlueXP ransomware protection. In this case, you can disallow the endpoints listed in option 1, while allowing the endpoints listed in option 2.
-
The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.
-
- Endpoints contacted from the Connector
-
The Connector requires outbound internet access to contact the following endpoints in order to manage resources and processes within your public cloud environment for day-to-day operations.
Note that the endpoints listed below are all CNAME entries.
Endpoints Purpose AWS services (amazonaws.com):
-
CloudFormation
-
Elastic Compute Cloud (EC2)
-
Identity and Access Management (IAM)
-
Key Management Service (KMS)
-
Security Token Service (STS)
-
Simple Storage Service (S3)
To manage resources in AWS. The exact endpoint depends on the AWS region that you're using. Refer to AWS documentation for details
https://management.azure.com
https://login.microsoftonline.com
https://blob.core.windows.net
https://core.windows.netTo manage resources in Azure public regions.
https://management.chinacloudapi.cn
https://login.chinacloudapi.cn
https://blob.core.chinacloudapi.cn
https://core.chinacloudapi.cnTo manage resources in Azure China regions.
https://www.googleapis.com/compute/v1/
https://compute.googleapis.com/compute/v1
https://cloudresourcemanager.googleapis.com/v1/projects
https://www.googleapis.com/compute/beta
https://storage.googleapis.com/storage/v1
https://www.googleapis.com/storage/v1
https://iam.googleapis.com/v1
https://cloudkms.googleapis.com/v1
https://www.googleapis.com/deploymentmanager/v2/projectsTo manage resources in Google Cloud.
https://support.netapp.com
https://mysupport.netapp.comTo obtain licensing information and to send AutoSupport messages to NetApp support.
https://*.api.bluexp.netapp.com
https://api.bluexp.netapp.com
https://*.cloudmanager.cloud.netapp.com
https://cloudmanager.cloud.netapp.com
https://netapp-cloud-account.auth0.comTo provide SaaS features and services within BlueXP.
Note that the Connector is currently contacting "cloudmanager.cloud.netapp.com" but it will start contacting "api.bluexp.netapp.com" in an upcoming release.
Choose between two sets of endpoints:
-
Option 1 (recommended) 1
https://bluexpinfraprod.eastus2.data.azurecr.io
https://bluexpinfraprod.azurecr.io -
Option 2
https://*.blob.core.windows.net
https://cloudmanagerinfraprod.azurecr.io
To obtain images for Connector upgrades.
1 The endpoints listed in option 1 are recommended because they are more secure. We recommend that you set up your firewall to allow the endpoints listed in option 1, while disallowing the endpoints listed in option 2. Note the following about these endpoints:
-
The endpoints listed in option 1 are supported starting with the 3.9.47 release of the Connector. There is no backwards compatibility with previous releases of the Connector.
-
The Connector contacts the endpoints listed in option 2 first. If those endpoints aren't accessible, the Connector automatically contacts the endpoints listed in option 1.
-
The endpoints in option 1 are not supported if you use the Connector with BlueXP backup and recovery or BlueXP ransomware protection. In this case, you can disallow the endpoints listed in option 1, while allowing the endpoints listed in option 2.
-
- Proxy server
-
If your business requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation. Note that BlueXP does not support transparent proxy servers.
-
IP address
-
Credentials
-
HTTPS certificate
-
- Ports
-
There's no incoming traffic to the Connector, unless you initiate it or if the Connector is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.
-
HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.
-
SSH (22) is only needed if you need to connect to the host for troubleshooting.
-
Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.
If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, BlueXP automatically configures those systems to use a proxy server that's included with the Connector. The only requirement is to ensure that the Connector's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Connector.
-
- Enable NTP
-
If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification
Step 4: Set up cloud permissions
If you want to use BlueXP services in AWS or Azure with an on-premises Connector, then you need to set up permissions in your cloud provider so that you can add the credentials to the Connector after you install it.
|
Why not Google Cloud? When the Connector is installed on your premises, it can't manage your resources in Google Cloud. The Connector must be installed in Google Cloud to manage any resources that reside there. |
When the Connector is installed on-premises, you need to provide BlueXP with AWS permissions by adding access keys for an IAM user who has the required permissions.
You must use this authentication method if the Connector is installed on-premises. You can't use an IAM role.
-
Log in to the AWS console and navigate to the IAM service.
-
Create a policy:
-
Select Policies > Create policy.
-
Select JSON and copy and paste the contents of the IAM policy for the Connector.
-
Finish the remaining steps to create the policy.
Depending on the BlueXP services that you're planning to use, you might need to create a second policy.
For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS. Learn more about IAM policies for the Connector.
-
-
Attach the policies to an IAM user.
-
Ensure that the user has an access key that you can add to BlueXP after you install the Connector.
You should now have access keys for an IAM user who has the required permissions. After you install the Connector, you'll need to associate these credentials with the Connector from BlueXP.
Step 5: Install the Connector
Download and install the Connector software on an existing Linux host on-premises.
You should have the following:
-
Root privileges to install the Connector.
-
Details about a proxy server, if a proxy is required for internet access from the Connector.
You have the option to configure a proxy server after installation but doing so requires restarting the Connector.
Note that BlueXP does not support transparent proxy servers.
-
A CA-signed certificate, if the proxy server uses HTTPS or if the proxy is an intercepting proxy.
The installer that is available on the NetApp Support Site might be an earlier version. After installation, the Connector automatically updates itself if a new version is available.
-
If the http_proxy or https_proxy system variables are set on the host, remove them:
If you don't remove these system variables, the installation will fail.
-
Download the Connector software from the NetApp Support Site, and then copy it to the Linux host.
You should download the "online" Connector installer that's meant for use in your network or in the cloud. A separate "offline" installer is available for the Connector, but it's only supported with private mode deployments.
-
Assign permissions to run the script.
Where <version> is the version of the Connector that you downloaded.
-
Run the installation script.
The --proxy and --cacert parameters are optional. If you have a proxy server, you will need to enter the parameters as shown. The installer doesn't prompt you to provide information about a proxy.
Here's an example of the command using both optional parameters:
--proxy configures the Connector to use an HTTP or HTTPS proxy server using one of the following formats:
-
http://address:port
-
http://user-name:password@address:port
-
http://domain-name%92user-name:password@address:port
-
https://address:port
-
https://user-name:password@address:port
-
https://domain-name%92user-name:password@address:port
Note the following:
-
The user can be a local user or domain user.
-
For a domain user, you must use the ASCII code for a \ as shown above.
-
BlueXP doesn't support user names or passwords that include the @ character.
-
If the password includes any of the following special characters, you must escape that special character by prepending it with a backslash: & or !
For example:
http://bxpproxyuser:netapp1\!@address:3128
-
--cacert specifies a CA-signed certificate to use for HTTPS access between the Connector and the proxy server. This parameter is required only if you specify an HTTPS proxy server or if the proxy is an intercepting proxy.
-
The Connector is now installed. At the end of the installation, the Connector service (occm) restarts twice if you specified a proxy server.
Step 6: Set up the Connector
Sign up or log in and then set up the Connector to work with your BlueXP organization.
-
Open a web browser and enter the following URL:
https://ipaddress
ipaddress can be localhost, a private IP address, or a public IP address, depending on the configuration of the host. For example, if the Connector is in the public cloud without a public IP address, you must enter a private IP address from a host that has a connection to the Connector host.
-
Sign up or log in.
-
After you log in, set up BlueXP:
-
Specify the BlueXP organization to associate with the Connector.
-
Enter a name for the system.
-
Under Are you running in a secured environment? keep restricted mode disabled.
You should keep restricted mode disabled because these steps describe how to use BlueXP in standard mode. (In addition, restricted mode isn't supported when the Connector is installed on-premises.)
-
Select Let's start.
-
BlueXP is now set up with the Connector that you just installed.
Step 7: Provide permissions to BlueXP
After you install and set up the Connector, add your cloud credentials so that BlueXP has the required permissions to perform actions in AWS or Azure.
If you just created these credentials in AWS, it might take a few minutes until they are available for use. Wait a few minutes before you add the credentials to BlueXP.
-
In the upper right of the BlueXP console, select the Settings icon, and select Credentials.
-
Select Add Credentials and follow the steps in the wizard.
-
Credentials Location: Select Amazon Web Services > Connector.
-
Define Credentials: Enter an AWS access key and secret key.
-
Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.
-
Review: Confirm the details about the new credentials and select Add.
-
BlueXP now has the permissions that it needs to perform actions in AWS on your behalf.
You can now go to the BlueXP console to start using the Connector with BlueXP.