
Prepare for deployment in private mode

Contributors netapp-bcammett netapp-tonacki

Prepare your environment before you deploy BlueXP in private mode. For example, you need to review host requirements, prepare networking, set up permissions, and more.

Note If you want to use BlueXP in the AWS Secret Cloud or the AWS Top Secret Cloud, then you should follow separate instructions to get started in those environments. Learn how to get started with Cloud Volumes ONTAP in the AWS Secret Cloud or Top Secret Cloud

Step 1: Understand how private mode works

Before you get started, you should have an understanding of how BlueXP works in private mode.

For example, you need to use the browser-based interface that is served locally by the BlueXP Connector you install. You can't access BlueXP from the web-based console that's provided through the SaaS layer.

In addition, not all BlueXP services are available.

Step 2: Review installation options

In private mode, you can install the Connector on premises or in the cloud by manually installing the Connector on your own Linux host.

If you want to create a Cloud Volumes ONTAP system in Google Cloud, then the Connector must be running in Google Cloud; it can't be running on premises.

Step 3: Review host requirements

The Connector software must run on a host that meets specific operating system requirements, RAM requirements, port requirements, and so on.

Dedicated host

The Connector is not supported on a host that is shared with other applications. The host must be a dedicated host.

Supported operating systems
  • Ubuntu 22.04 LTS

  • CentOS 7.6, 7.7, 7.8, and 7.9

  • Red Hat Enterprise Linux 7.6, 7.7, 7.8, and 7.9

    The host must be registered with Red Hat Subscription Management. If it's not registered, the host can't access the repositories it needs to update required third-party software during Connector installation.

    The Connector is supported on English-language versions of these operating systems.

Hypervisor

A bare metal or hosted hypervisor that is certified to run Ubuntu, CentOS, or Red Hat Enterprise Linux is required.

CPU

4 cores or 4 vCPUs

RAM

14 GB

AWS EC2 instance type

An instance type that meets the CPU and RAM requirements above. We recommend t3.xlarge.

Azure VM size

A VM size that meets the CPU and RAM requirements above. We recommend DS3 v2.

Google Cloud machine type

A machine type that meets the CPU and RAM requirements above. We recommend n2-standard-4.

The Connector is supported in Google Cloud on a VM instance with an OS that supports Shielded VM features.

Disk space in /opt

100 GiB of space must be available

Disk space in /var

20 GiB of space must be available

Docker Engine

Docker Engine version 19.3.1 or later is required on the host before you install the Connector. View installation instructions
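The following preflight script turns the host requirements above into a check you can run on a candidate host before installing the Connector. It is an added example, not a NetApp tool: the thresholds (supported OS versions, 4 cores, 14 GB RAM, 100 GiB free in /opt, 20 GiB free in /var, Docker Engine 19.3.1 or later) are the ones on this page, while the function names and the CentOS version fallback are mine. RAM is compared in decimal GB read from /proc/meminfo, so a 16 GiB VM passes comfortably.

```python
"""Preflight check for a BlueXP Connector host (added example, not NetApp's tooling)."""
import os
import re
import shutil
import subprocess

GIB = 1024 ** 3
MIN_CORES, MIN_RAM_GB, MIN_OPT_GIB, MIN_VAR_GIB = 4, 14, 100, 20
MIN_DOCKER = (19, 3, 1)
SUPPORTED_OS = {
    "ubuntu": {"22.04"},
    "centos": {"7.6", "7.7", "7.8", "7.9"},
    "rhel": {"7.6", "7.7", "7.8", "7.9"},
}


def parse_version(text):
    """First dotted version in text: 'Docker version 20.10.24, build 297e128' -> (20, 10, 24)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(p or 0) for p in m.groups()) if m else None


def identify_os(os_release, centos_release=None):
    """(ID, major.minor) from /etc/os-release text. CentOS 7 reports only VERSION_ID="7",
    so the minor version is taken from /etc/centos-release text when it is supplied."""
    fields = {}
    for line in os_release.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    os_id, version = fields.get("ID", "").lower(), fields.get("VERSION_ID", "")
    if os_id == "centos" and centos_release:
        m = re.search(r"release (\d+\.\d+)", centos_release)
        if m:
            version = m.group(1)
    return os_id, version


def evaluate(facts):
    """Return the list of unmet requirements; an empty list means the host passes."""
    failures = []
    os_id, os_ver = identify_os(facts["os_release"], facts.get("centos_release"))
    if os_ver not in SUPPORTED_OS.get(os_id, set()):
        failures.append(f"unsupported OS: {os_id} {os_ver}")
    if facts["cores"] < MIN_CORES:
        failures.append(f"{facts['cores']} cores, need {MIN_CORES}")
    if facts["ram_gb"] < MIN_RAM_GB:
        failures.append(f"{facts['ram_gb']:.1f} GB RAM, need {MIN_RAM_GB}")
    if facts["opt_free_gib"] < MIN_OPT_GIB:
        failures.append(f"{facts['opt_free_gib']:.0f} GiB free in /opt, need {MIN_OPT_GIB}")
    if facts["var_free_gib"] < MIN_VAR_GIB:
        failures.append(f"{facts['var_free_gib']:.0f} GiB free in /var, need {MIN_VAR_GIB}")
    docker = parse_version(facts["docker_version"])
    if docker is None or docker < MIN_DOCKER:
        failures.append(f"Docker Engine missing or older than 19.3.1: {facts['docker_version']!r}")
    return failures


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def collect():
    """Gather the facts from the running Linux host."""
    mem_kib = 0
    for line in _read("/proc/meminfo").splitlines():
        if line.startswith("MemTotal:"):
            mem_kib = int(line.split()[1])
    try:
        docker = subprocess.run(["docker", "--version"], capture_output=True, text=True).stdout
    except OSError:  # docker binary not installed yet
        docker = ""
    return {
        "os_release": _read("/etc/os-release"),
        "centos_release": _read("/etc/centos-release") or None,
        "cores": os.cpu_count() or 0,
        "ram_gb": mem_kib * 1024 / 1e9,
        "opt_free_gib": shutil.disk_usage("/opt").free / GIB,
        "var_free_gib": shutil.disk_usage("/var").free / GIB,
        "docker_version": docker,
    }


if __name__ == "__main__":
    problems = evaluate(collect())
    for p in problems:
        print("FAIL:", p)
    print("host passes" if not problems else f"{len(problems)} requirement(s) not met")
    raise SystemExit(1 if problems else 0)
```

Run it as root on the dedicated host; a non-zero exit means at least one requirement is not met. The dedicated-host and hypervisor requirements above are not something a script can verify, so confirm those by hand.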

Step 4: Prepare networking for the Connector

Set up your networking so the Connector can manage resources and processes within your public cloud environment. In addition to a virtual network and subnet for the Connector, you'll need to ensure that the following requirements are met.

Connections to target networks

The Connector must have a network connection to the location where you plan to manage storage. For example, the VPC or VNet where you plan to deploy Cloud Volumes ONTAP, or the data center where your on-premises ONTAP clusters reside.

Endpoints for day-to-day operations

The Connector contacts the following endpoints to manage resources and processes within your public cloud environment.

Endpoints Purpose

AWS services (amazonaws.com):

  • CloudFormation

  • Elastic Compute Cloud (EC2)

  • Identity and Access Management (IAM)

  • Key Management Service (KMS)

  • Security Token Service (STS)

  • Simple Storage Service (S3)

To manage resources in AWS. The exact endpoint depends on the AWS region that you're using. Refer to AWS documentation for details.

https://management.azure.com
https://login.microsoftonline.com
https://blob.core.windows.net
https://core.windows.net

To manage resources in Azure public regions.

https://management.azure.microsoft.scloud
https://login.microsoftonline.microsoft.scloud
https://blob.core.microsoft.scloud
https://core.microsoft.scloud

To manage resources in the Azure IL6 region.

https://management.chinacloudapi.cn
https://login.chinacloudapi.cn
https://blob.core.chinacloudapi.cn
https://core.chinacloudapi.cn

To manage resources in Azure China regions.

https://www.googleapis.com/compute/v1/
https://compute.googleapis.com/compute/v1
https://cloudresourcemanager.googleapis.com/v1/projects
https://www.googleapis.com/compute/beta
https://storage.googleapis.com/storage/v1
https://www.googleapis.com/storage/v1
https://iam.googleapis.com/v1
https://cloudkms.googleapis.com/v1
https://www.googleapis.com/deploymentmanager/v2/projects

To manage resources in Google Cloud.

Public IP address in Azure

If you want to use a public IP address with the Connector VM in Azure, the IP address must use a Basic SKU to ensure that BlueXP uses this public IP address.

A screenshot of the create new IP address in Azure that enables you to choose Basic under in the SKU field.

If you use a Standard SKU IP address instead, then BlueXP uses the private IP address of the Connector, instead of the public IP. If the machine that you're using to access the BlueXP Console doesn't have access to that private IP address, then actions from the BlueXP Console will fail.

Proxy server

If your organization requires deployment of a proxy server for all outgoing internet traffic, obtain the following information about your HTTP or HTTPS proxy. You'll need to provide this information during installation.

  • IP address

  • Credentials

  • HTTPS certificate

Note that BlueXP does not support transparent proxy servers.

With private mode, the only time that BlueXP sends outbound traffic is to your cloud provider in order to create a Cloud Volumes ONTAP system.
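Because the Connector's outbound traffic in private mode is limited to the endpoints listed above, the practical check before installation is whether each of those hosts is reachable on 443 from the Connector subnet, through the explicit proxy if you use one. The script below does that; it is an added example and not NetApp's tooling. The URLs are the ones on this page; the AWS hostnames are generated from the `<service>.<region>.amazonaws.com` pattern of the standard commercial partition (an assumption to verify against AWS documentation for other partitions), and the function names, the per-cloud grouping and the proxy handling are mine.

```python
"""Egress check for the Connector's day-to-day endpoints (added example, not NetApp code)."""
import base64
import socket
import ssl
from urllib.parse import urlparse

ENDPOINTS = {
    "azure-public": [
        "https://management.azure.com",
        "https://login.microsoftonline.com",
        "https://blob.core.windows.net",
        "https://core.windows.net",
    ],
    "azure-il6": [
        "https://management.azure.microsoft.scloud",
        "https://login.microsoftonline.microsoft.scloud",
        "https://blob.core.microsoft.scloud",
        "https://core.microsoft.scloud",
    ],
    "azure-china": [
        "https://management.chinacloudapi.cn",
        "https://login.chinacloudapi.cn",
        "https://blob.core.chinacloudapi.cn",
        "https://core.chinacloudapi.cn",
    ],
    "google": [
        "https://www.googleapis.com/compute/v1/",
        "https://compute.googleapis.com/compute/v1",
        "https://cloudresourcemanager.googleapis.com/v1/projects",
        "https://www.googleapis.com/compute/beta",
        "https://storage.googleapis.com/storage/v1",
        "https://www.googleapis.com/storage/v1",
        "https://iam.googleapis.com/v1",
        "https://cloudkms.googleapis.com/v1",
        "https://www.googleapis.com/deploymentmanager/v2/projects",
    ],
}
AWS_REGIONAL = ["cloudformation", "ec2", "kms", "sts", "s3"]


def aws_endpoints(region):
    """Assumed pattern for the standard partition: regional services plus the global IAM endpoint."""
    return [f"https://{svc}.{region}.amazonaws.com" for svc in AWS_REGIONAL] + ["https://iam.amazonaws.com"]


def hosts_for(urls):
    """Unique hostnames, sorted: the allowlist to hand to the proxy or firewall team."""
    return sorted({urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname})


def _read_proxy_status(sock):
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\r\n", 1)[0]


def check_tls(host, proxy=None, timeout=5.0):
    """Open a verified TLS session to host:443, directly or through an explicit HTTP proxy
    (CONNECT, with Basic credentials if the proxy URL carries them). Returns (ok, detail).
    Certificate verification stays on: a TLS-intercepting proxy fails here until its CA is
    trusted, which is what the installer's 'HTTPS certificate' field is for."""
    ctx = ssl.create_default_context()
    try:
        if proxy:
            p = urlparse(proxy)
            raw = socket.create_connection((p.hostname, p.port or 3128), timeout=timeout)
            req = f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n"
            if p.username:
                cred = base64.b64encode(f"{p.username}:{p.password or ''}".encode()).decode()
                req += f"Proxy-Authorization: Basic {cred}\r\n"
            raw.sendall((req + "\r\n").encode())
            status = _read_proxy_status(raw)
            if b" 200" not in status:
                raw.close()
                return False, "proxy refused CONNECT: " + status.decode(errors="replace")
        else:
            raw = socket.create_connection((host, 443), timeout=timeout)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, tls.version()
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def run(cloud, proxy=None, region="us-east-1"):
    """Check every host for one cloud; returns {host: (ok, detail)}."""
    urls = aws_endpoints(region) if cloud == "aws" else ENDPOINTS[cloud]
    results = {h: check_tls(h, proxy) for h in hosts_for(urls)}
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {detail}")
    return results


if __name__ == "__main__":
    import sys  # usage: python egress_check.py azure-public [http://user:pass@proxy:3128]
    run(sys.argv[1] if len(sys.argv) > 1 else "azure-public",
        proxy=sys.argv[2] if len(sys.argv) > 2 else None)
```

Two caveats when reading the output. Storage traffic actually goes to per-account names such as `<account>.blob.core.windows.net`, so a failure on the bare `blob.core.windows.net` or `core.windows.net` apex is only meaningful if your proxy matches on exact hostnames rather than suffixes. And a proxy that returns anything other than `200` to `CONNECT`, or that presents its own certificate, is the transparent or intercepting setup that BlueXP does not support unless its CA is supplied at install time.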

Ports

There's no incoming traffic to the Connector, unless you initiate it.

HTTP (80) and HTTPS (443) provide access to the BlueXP console. SSH (22) is only needed if you need to connect to the host for troubleshooting.

Enable NTP

If you're planning to use BlueXP classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the BlueXP Connector system and the BlueXP classification system so that the time is synchronized between the systems. Learn more about BlueXP classification

Step 5: Prepare cloud permissions

If you are planning to create Cloud Volumes ONTAP systems, then BlueXP requires permissions from your cloud provider. You need to set up permissions in your cloud provider and then associate those permissions with the Connector instance after you install it.

To view the required steps, select the authentication option that you'd like to use for your cloud provider.

If you're going to install the Connector on premises, then you must provide permissions using AWS access keys or an Azure service principal. The other options are not supported.

AWS IAM role

Use an IAM role to provide the Connector with permissions. You'll need to manually attach the role to the EC2 instance for the Connector.

Steps
  1. Log in to the AWS console and navigate to the IAM service.

  2. Create a policy:

    1. Select Policies > Create policy.

    2. Select JSON and copy and paste the contents of the IAM policy for the Connector.

    3. Finish the remaining steps to create the policy.

  3. Create an IAM role:

    1. Select Roles > Create role.

    2. Select AWS service > EC2.

    3. Add permissions by attaching the policy that you just created.

    4. Finish the remaining steps to create the role.

Result

You now have an IAM role for the Connector EC2 instance.

AWS access key

Set up permissions and an access key for an IAM user. You'll need to provide BlueXP with the AWS access key after you install the Connector and set up BlueXP.

Steps
  1. Log in to the AWS console and navigate to the IAM service.

  2. Create a policy:

    1. Select Policies > Create policy.

    2. Select JSON and copy and paste the contents of the IAM policy for the Connector.

    3. Finish the remaining steps to create the policy.

      Depending on the BlueXP services that you're planning to use, you might need to create a second policy.

      For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS. Learn more about IAM policies for the Connector.

  3. Attach the policies to an IAM user.

  4. Ensure that the user has an access key that you can add to BlueXP after you install the Connector.

Result

The account now has the required permissions.
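The console steps above hide two details that matter when you script the same setup: choosing "AWS service > EC2" in the console both writes the EC2 trust policy and creates an instance profile for the role, and the reason the Connector permissions are split across two policies is AWS's managed-policy size limit, which is 6,144 characters not counting whitespace. The following added example (mine, not NetApp's tooling) reproduces the IAM-role path with boto3 and checks a policy document against that limit before submitting it. The policy documents themselves are the ones linked from this page and are read from files you supply; the role and policy names are placeholders.

```python
"""Create the Connector IAM policies, EC2 role and instance profile (added example, not NetApp's)."""
import json

# AWS rejects a managed policy whose document exceeds 6,144 characters excluding whitespace.
# This is why the Connector permissions for standard regions are split into two policies.
MANAGED_POLICY_LIMIT = 6144

# Trust policy the console writes for you when you pick "AWS service > EC2".
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def policy_size(document):
    """Size as AWS counts it: non-whitespace characters of the JSON text."""
    text = document if isinstance(document, str) else json.dumps(document)
    return sum(1 for c in text if not c.isspace())


def within_limit(document):
    return policy_size(document) <= MANAGED_POLICY_LIMIT


def validate_policy(document):
    """Cheap structural checks before calling IAM: Version, non-empty Statement, Effect/Action present."""
    doc = json.loads(document) if isinstance(document, str) else document
    if doc.get("Version") != "2012-10-17":
        raise ValueError("policy Version must be 2012-10-17")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("policy needs a non-empty Statement list")
    for s in statements:
        if s.get("Effect") not in ("Allow", "Deny") or "Action" not in s:
            raise ValueError("each statement needs Effect and Action")
    return doc


def create_connector_role(policy_files, role_name="BlueXPConnectorRole"):
    """Create one managed policy per file, a role EC2 can assume, attach the policies,
    and wrap the role in an instance profile so it can be attached to the Connector EC2 instance.
    Returns the role ARN."""
    import boto3  # imported here so the checks above run without boto3 installed

    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    for index, path in enumerate(policy_files, start=1):
        with open(path) as f:
            doc = validate_policy(f.read())
        if not within_limit(doc):
            raise ValueError(f"{path}: {policy_size(doc)} non-whitespace chars, limit is {MANAGED_POLICY_LIMIT}")
        created = iam.create_policy(PolicyName=f"{role_name}Policy{index}", PolicyDocument=json.dumps(doc))
        iam.attach_role_policy(RoleName=role_name, PolicyArn=created["Policy"]["Arn"])
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import sys  # usage: python connector_role.py policy1.json [policy2.json]
    print(create_connector_role(sys.argv[1:]))
```

The instance profile is the object you attach to the EC2 instance; if you create the role with the CLI or API and skip that step, the role will not appear in the instance's IAM-role picker.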

Azure role

Create an Azure custom role with the required permissions. You'll assign this role to the Connector VM.

Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation.

Steps
  1. Enable a system-assigned managed identity on the VM where you plan to install the Connector so that you can provide the required Azure permissions through a custom role.

  2. Copy the contents of the custom role permissions for the Connector and save them in a JSON file.

  3. Modify the JSON file by adding Azure subscription IDs to the assignable scope.

    You should add the ID for each Azure subscription that you want to use with BlueXP.

    Example

    "AssignableScopes": [
        "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
        "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
        "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
    ]
  4. Use the JSON file to create a custom role in Azure.

    The following steps describe how to create the role by using Bash in Azure Cloud Shell.

    1. Start Azure Cloud Shell and choose the Bash environment.

    2. Upload the JSON file.

      A screenshot of the Azure Cloud Shell where you can choose the option to upload a file.

    3. Use the Azure CLI to create the custom role:

      az role definition create --role-definition Connector_Policy.json
Result

You should now have a custom role called BlueXP Operator that you can assign to the Connector virtual machine.

Azure service principal

Create and set up a service principal in Microsoft Entra ID and obtain the Azure credentials that BlueXP needs. You'll need to provide BlueXP with these credentials after you install the Connector and set up BlueXP.

Create a Microsoft Entra application for role-based access control
  1. Ensure that you have permissions in Azure to create an Active Directory application and to assign the application to a role.

  2. From the Azure portal, open the Microsoft Entra ID service.

    Shows the Active Directory service in Microsoft Azure.

  3. In the menu, select App registrations.

  4. Select New registration.

  5. Specify details about the application:

    • Name: Enter a name for the application.

    • Account type: Select an account type (any will work with BlueXP).

    • Redirect URI: You can leave this field blank.

  6. Select Register.

    You've created the AD application and service principal.

Assign the application to a role
  1. Create a custom role:

    Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation.

    1. Copy the contents of the custom role permissions for the Connector and save them in a JSON file.

    2. Modify the JSON file by adding Azure subscription IDs to the assignable scope.

      You should add the ID for each Azure subscription from which users will create Cloud Volumes ONTAP systems.

      Example

      "AssignableScopes": [
          "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
          "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
          "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
      ]
    3. Use the JSON file to create a custom role in Azure.

      The following steps describe how to create the role by using Bash in Azure Cloud Shell.

      • Start Azure Cloud Shell and choose the Bash environment.

      • Upload the JSON file.

        A screenshot of the Azure Cloud Shell where you can choose the option to upload a file.

      • Use the Azure CLI to create the custom role:

        az role definition create --role-definition Connector_Policy.json

        You should now have a custom role called BlueXP Operator that you can assign to the Connector virtual machine.

  2. Assign the application to the role:

    1. From the Azure portal, open the Subscriptions service.

    2. Select the subscription.

    3. Select Access control (IAM) > Add > Add role assignment.

    4. In the Role tab, select the BlueXP Operator role and select Next.

    5. In the Members tab, complete the following steps:

      • Keep User, group, or service principal selected.

      • Select Select members.

        A screenshot of the Azure portal that shows the Members tab when adding a role to an application.

      • Search for the name of the application.

        Here's an example:

        A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

      • Select the application and select Select.

      • Select Next.

    6. Select Review + assign.

      The service principal now has the required Azure permissions to deploy the Connector.

      If you want to deploy Cloud Volumes ONTAP from multiple Azure subscriptions, then you must bind the service principal to each of those subscriptions. BlueXP enables you to select the subscription that you want to use when deploying Cloud Volumes ONTAP.
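Both the "Azure role" procedure and the "Azure service principal" procedure above share the step of adding subscription IDs to the AssignableScopes of the role definition before running `az role definition create`. The script below does that edit for you and is an added example, not NetApp's tooling. The permissions themselves come from the linked "custom role permissions for the Connector" file, so `ROLE_TEMPLATE` here is only a placeholder carrying the role name the page uses (BlueXP Operator) and an empty Actions list. The subscription IDs in the page's example end in `zzzzzzz` and are placeholders rather than real GUIDs, which the validation rejects on purpose. Refusing tenant-root and management-group scopes is my own least-privilege check, not something the page requires.

```python
"""Add subscription scopes to the Connector custom role definition (added example, not NetApp's)."""
import copy
import json
import re
import sys

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Placeholder definition: replace Actions with NetApp's published Connector permissions.
ROLE_TEMPLATE = {
    "Name": "BlueXP Operator",
    "IsCustom": True,
    "Description": "Placeholder: replace Actions with the Connector permissions from NetApp",
    "Actions": [],
    "NotActions": [],
    "AssignableScopes": [],
}


def subscription_scope(subscription_id):
    """Normalise one subscription ID to its '/subscriptions/<guid>' scope string."""
    sid = subscription_id.strip().lower()
    if not GUID.match(sid):
        raise ValueError(f"not a subscription ID: {subscription_id!r}")
    return f"/subscriptions/{sid}"


def add_assignable_scopes(role, subscription_ids):
    """Return a copy of the role definition with each subscription added exactly once."""
    updated = copy.deepcopy(role)
    scopes = list(updated.get("AssignableScopes", []))
    for sid in subscription_ids:
        scope = subscription_scope(sid)
        if scope not in scopes:
            scopes.append(scope)
    updated["AssignableScopes"] = scopes
    return updated


def check_scopes(role):
    """Refuse definitions assignable at tenant root or management-group level, so the
    role can only ever be assigned inside the subscriptions you listed. Azure also
    requires at least one assignable scope."""
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        raise ValueError("AssignableScopes is empty")
    for scope in scopes:
        if scope == "/" or scope.lower().startswith("/providers/microsoft.management/managementgroups"):
            raise ValueError(f"scope too broad for the Connector role: {scope}")
    return True


def write_role_file(role, subscription_ids, path="Connector_Policy.json"):
    """Write the file for: az role definition create --role-definition Connector_Policy.json"""
    updated = add_assignable_scopes(role, subscription_ids)
    check_scopes(updated)
    with open(path, "w") as f:
        json.dump(updated, f, indent=2)
    return updated


if __name__ == "__main__":
    # usage: python add_scopes.py <role.json> <subscription-id> [<subscription-id> ...]
    with open(sys.argv[1]) as f:
        role = json.load(f)
    result = write_role_file(role, sys.argv[2:])
    print(json.dumps(result["AssignableScopes"], indent=2))
```

Run it against the downloaded role file with one subscription ID per argument, then upload the resulting `Connector_Policy.json` to Cloud Shell as described above. Because the role can only be assigned within the listed subscriptions, a later attempt to bind the service principal in a subscription you forgot to add fails at assignment time rather than silently granting nothing.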

Add Windows Azure Service Management API permissions
  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Select API permissions > Add a permission.

  3. Under Microsoft APIs, select Azure Service Management.

    A screenshot of the Azure portal that shows the Azure Service Management API permissions.

  4. Select Access Azure Service Management as organization users and then select Add permissions.

    A screenshot of the Azure portal that shows adding the Azure Service Management APIs.

Get the application ID and directory ID for the application
  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Microsoft Entra ID.

    When you add the Azure account to BlueXP, you need to provide the application (client) ID and the directory (tenant) ID for the application. BlueXP uses the IDs to programmatically sign in.

Create a client secret
  1. Open the Microsoft Entra ID service.

  2. Select App registrations and select your application.

  3. Select Certificates & secrets > New client secret.

  4. Provide a description of the secret and a duration.

  5. Select Add.

  6. Copy the value of the client secret.

    A screenshot of the Azure portal that shows a client secret for the Microsoft Entra service principal.

    You now have a client secret that BlueXP can use to authenticate with Microsoft Entra ID.

Result

Your service principal is now set up, and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in BlueXP when you add an Azure account.

Google Cloud service account

Create a role and apply it to a service account that you'll use for the Connector VM instance.

Steps
  1. Create a custom role in Google Cloud:

    1. Create a YAML file that includes the permissions defined in the Connector policy for Google Cloud.

    2. From Google Cloud, activate cloud shell.

    3. Upload the YAML file that includes the required permissions for the Connector.

    4. Create a custom role by using the gcloud iam roles create command.

      The following example creates a role named "connector" at the project level:

      gcloud iam roles create connector --project=myproject --file=connector.yaml
  2. Create a service account in Google Cloud:

    1. From the IAM & Admin service, select Service Accounts > Create Service Account.

    2. Enter service account details and select Create and Continue.

    3. Select the role that you just created.

    4. Finish the remaining steps to create the service account.

Result

You now have a service account that you can assign to the Connector VM instance.

Step 6: Enable Google Cloud APIs

Several APIs are required to deploy Cloud Volumes ONTAP in Google Cloud.

Step
  1. Enable the following Google Cloud APIs in your project:

    • Cloud Deployment Manager V2 API

    • Cloud Logging API

    • Cloud Resource Manager API

    • Compute Engine API

    • Identity and Access Management (IAM) API

    • Cloud Key Management Service (KMS) API

      (Required only if you are planning to use BlueXP backup and recovery with customer-managed encryption keys (CMEK))