Prerequisites to create Connector and enable SnapCenter Service

Contributors netapp-soumikd netapp-bcammett

Before you create a Connector in Azure and enable SnapCenter Service, you should ensure certain things.

  • Ensure that the subnet chosen for the Connector should not overlap with the following IP address ranges reserved for Azure Kubernetes Service (AKS): 169.254.0.0/16, 172.30.0.0/16, 172.31.0.0/16, and 192.0.2.0/24.

  • Ensure that there are no AKS running in the chosen subnet.

  • Ensure that the chosen subnet can access the SAP HANA systems on the respective ports.

  • If the VNet of the chosen subnet is different from the VNet of the SAP HANA systems, ensure that the VNets can communicate with each other through VPN gateway, peering, or other means.

  • If you want to enable SnapCenter Service behind firewall, you should perform the actions mentioned in Network requirements.

    You should upfront decide whether you want to enable SnapCenter Service behind firewall. After enabling SnapCenter Service, you cannot configure it to run behind firewall. This is an AKS limitation.

Network requirements

Set up your network so that the Connector can manage resources and processes within your cloud environment.

Firewall configuration

If you want to enable SnapCenter Service behind firewall, you should perform the following actions.

Note If you are using Azure firewall, you can perform these steps using a script. For information, see Azure Firewall configuration.

Steps

  1. Add the below network rules to the firewall.

    Destination endpoint Protocol Port Comments

    Service tags - AzureCloud.<Region>:1194

    UDP

    1194

    Not required if you are planning to have a private Connector and private SnapCenter Service cluster.

    Service tags - AzureCloud.<Region>:9000

    TCP

    9000

    Not required if you are planning to have a private Connector and private SnapCenter Service cluster.

    FQDN - ntp.ubuntu.com:123

    UDP

    123

    Required for time synchronization in Azure virtual machines.

    Service tags - AzureCloud.<Region>:443

    TCP

    443

    Not required if you are planning to have a private Connector and private SnapCenter Service cluster.

  2. Add an application rule in the firewall with the following FQDN tag and port details:

    • FQDN Tag - AzureKubernetesService

    • HTTPS: 443

  3. Add an Application rule with the below endpoints as target FQDNs with protocol and port as HTTPS: 443.

    Endpoints Purpose

    https://management.azure.com
    https://login.microsoftonline.com

    Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in most Azure regions.

    https://management.microsoftazure.de
    https://login.microsoftonline.de

    Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure Germany regions.

    https://management.usgovcloudapi.net
    https://login.microsoftonline.com

    Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure US Gov regions.

    https://api.services.cloud.netpp.com

    Allows API requests to NetApp Cloud Central.

    https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com

    Provides access to software images, manifests, and templates.

    https://cognito-idp.us-east-1.amazonaws.com
    https://cognito-identity.us-east-1.amazonaws.com
    https://sts.amazonaws.com
    https://cloud-support-netapp-com-accelerated.s3.amazonaws.com

    Enables the Connector to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.

    https://cloudmanagerinfraprod.azurecr.io

    Access to software images of container components for an infrastructure that’s running Docker and provides a solution for service integrations with Cloud Manager.

    https://kinesis.us-east-1.amazonaws.com

    Enables NetApp to stream data from audit records.

    https://cloudmanager.cloud.netapp.com

    Communication with the Cloud Manager service, which includes NetApp accounts.

    https://netapp-cloud-account.auth0.com

    Communication with NetApp Cloud Central for centralized user authentication.

    https://support.netapp.com

    Communication with NetApp AutoSupport.

    https://cloud-support-netapp-com.s3.us-west-1.amazonaws.com

    Communication with NetApp for system licensing and support registration.

    https://client.infra.support.netapp.com.s3.us-west-1.amazonaws.com
    https://cloud-support-netapp-com-accelerated.s3.us-west-1.amazonaws.com

    Enables NetApp to collect information needed to troubleshoot support issues.

    *.blob.core.windows.net

    Required for HA pairs when using a proxy.

    https://auth0.com

    Required for Auth0 authentication.

    https://registry-1.docker.io
    https://auth.docker.io
    https://production.cloudflare.docker.com

    Retrieves the dependencies of SnapCenter Service workflow engine.

    https://exteranl-log.cloudmanager.netapp.com

    Allows communication to transfer the logs to the Cloud Manager log repository.

  4. Select the subnet where you are planning to install SnapCenter Service.

  5. Create a route table with routes:

    • to forward the traffic from the subnet to the firewall internal IP address

    • to forward the traffic from firewall public IP address to the internet.

  6. Attach the route table to the subnet.

For information on the networking requirements for Cloud Manager Connector, see Networking requirements for the Connector.

Azure Firewall configuration

If you want to enable SnapCenter Service behind Azure firewall, you should perform the following actions.

What you will need

  • You should have created the firewall (classic mode).

  • You should have created the VNet and subnet for SnapCenter Service.

  • If your firewall resource and VNet of the SnapCenter Service are in different tenants, you should log into both the tenants in the Azure shell.

  • If your Firewall VNet and SnapCenter VNet are different, you should establish peering between the VNets.

Steps

  1. Download the scs_azure_firewall_config.sh script to your local system.

  2. Log into Microsoft Azure portal.

  3. Click A screenshot of the Azure cloud shell to open the cloud shell and select the Bash console.

    1. Upload the script to Azure cloud shell.

    2. Assign the permission to run the script.

      chmod +x ./scs_azure_firewall_config.sh

    3. Run the script.

      ./scs_azure_firewall_config.sh -fwsubid <Firewall_SubscriptionID> -fwname <Firewall_name> -fwrg <Firewall_Resource_group> -scssubid <SnapCenter_Service_SubscriptionID> -scsvnet <SnapCenter_Service_VNet_name> -scssubnet <SnapCenter_Service_Subnet_name> -scsvnetrg <SnapCenter_Service_VNet_Resource_Group> -scsrg <SnapCenter_Service_Resource_group>

      Note If you have not created the resource group, the script creates the resource group. While creating the Connector, you can use the same resource group so that all the SnapCenter Service related resources are in the same resource group.

Results

  • Firewall rules are configured.

  • A resource group is created for SnapCenter Service.

  • A route table is created in the SnapCenter Service resource group.

  • The route table rules are configured.

  • The route table is attached to the subnet.

Connectivity to HANA Systems

SnapCenter Service cluster needs to communicate with HANA systems in the user’s network using HDBSQL command. The communication channel between SnapCenter cluster and HANA systems need to be allowed using various network architecture such as:

  • Connector and SnapCenter Service cluster are deployed in the same VNet as that of HANA systems

  • Connector and SnapCenter Service cluster are deployed in a different VNet as that of HANA systems and the communication is established using VNet peering between the 2 VNets.

  • Connector and SnapCenter Service cluster are deployed in a different VNet as that of HANA systems, and the communication is established using VPN gateway between the 2 VNets.

Security Group configuration

If network security group (NSG) is configured in the HANA Systems, it should allow inbound communication from the port of the SnapCenter Service to the port of HANA System as specified in User Store Key.

  • Protocol: All TCP

  • Subnet: SnapCenter AKS cluster subnet

  • Purpose: To execute HDBSQL command

The HANA services running in the SnapCenter AKS cluster supports SSL communication with HANA systems that have SSL enabled.