Prerequisites to create Connector and enable SnapCenter Service
Before you create a Connector in Azure and enable SnapCenter Service, you should ensure certain things.
-
Ensure that the subnet chosen for the Connector should not overlap with the following IP address ranges reserved for Azure Kubernetes Service (AKS): 169.254.0.0/16, 172.30.0.0/16, 172.31.0.0/16, and 192.0.2.0/24.
-
Ensure that there are no AKS running in the chosen subnet.
-
Ensure that the chosen subnet can access the SAP HANA systems on the respective ports.
-
If the VNet of the chosen subnet is different from the VNet of the SAP HANA systems, ensure that the VNets can communicate with each other through VPN gateway, peering, or other means.
-
If you want to enable SnapCenter Service behind firewall, you should perform the actions mentioned in Network requirements.
You should upfront decide whether you want to enable SnapCenter Service behind firewall. After enabling SnapCenter Service, you cannot configure it to run behind firewall. This is an AKS limitation.
Network requirements
Set up your network so that the Connector can manage resources and processes within your cloud environment.
Firewall configuration
If you want to enable SnapCenter Service behind firewall, you should perform the following actions.
|
If you are using Azure firewall, you can perform these steps using a script. For information, see Azure Firewall configuration. |
Steps
-
Add the below network rules to the firewall.
Destination endpoint Protocol Port Comments Service tags - AzureCloud.<Region>:1194
UDP
1194
Not required if you are planning to have a private Connector and private SnapCenter Service cluster.
Service tags - AzureCloud.<Region>:9000
TCP
9000
Not required if you are planning to have a private Connector and private SnapCenter Service cluster.
FQDN - ntp.ubuntu.com:123
UDP
123
Required for time synchronization in Azure virtual machines.
Service tags - AzureCloud.<Region>:443
TCP
443
Not required if you are planning to have a private Connector and private SnapCenter Service cluster.
-
Add an application rule in the firewall with the following FQDN tag and port details:
-
FQDN Tag - AzureKubernetesService
-
HTTPS: 443
-
-
Add an Application rule with the below endpoints as target FQDNs with protocol and port as HTTPS: 443.
Endpoints Purpose https://management.azure.com
https://login.microsoftonline.comEnables Cloud Manager to deploy and manage Cloud Volumes ONTAP in most Azure regions.
https://management.microsoftazure.de
https://login.microsoftonline.deEnables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure Germany regions.
https://management.usgovcloudapi.net
https://login.microsoftonline.comEnables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure US Gov regions.
https://api.services.cloud.netpp.com
Allows API requests to NetApp Cloud Central.
https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com
Provides access to software images, manifests, and templates.
https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://sts.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.amazonaws.comEnables the Connector to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.
https://cloudmanagerinfraprod.azurecr.io
Access to software images of container components for an infrastructure that’s running Docker and provides a solution for service integrations with Cloud Manager.
https://kinesis.us-east-1.amazonaws.com
Enables NetApp to stream data from audit records.
https://cloudmanager.cloud.netapp.com
Communication with the Cloud Manager service, which includes NetApp accounts.
https://netapp-cloud-account.auth0.com
Communication with NetApp Cloud Central for centralized user authentication.
https://support.netapp.com
Communication with NetApp AutoSupport.
https://cloud-support-netapp-com.s3.us-west-1.amazonaws.com
Communication with NetApp for system licensing and support registration.
https://client.infra.support.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.us-west-1.amazonaws.comEnables NetApp to collect information needed to troubleshoot support issues.
*.blob.core.windows.net
Required for HA pairs when using a proxy.
https://auth0.com
Required for Auth0 authentication.
https://registry-1.docker.io
https://auth.docker.io
https://production.cloudflare.docker.comRetrieves the dependencies of SnapCenter Service workflow engine.
https://exteranl-log.cloudmanager.netapp.com
Allows communication to transfer the logs to the Cloud Manager log repository.
-
Select the subnet where you are planning to install SnapCenter Service.
-
Create a route table with routes:
-
to forward the traffic from the subnet to the firewall internal IP address
-
to forward the traffic from firewall public IP address to the internet.
-
-
Attach the route table to the subnet.
For information on the networking requirements for Cloud Manager Connector, see Networking requirements for the Connector.
Azure Firewall configuration
If you want to enable SnapCenter Service behind Azure firewall, you should perform the following actions.
What you will need
-
You should have created the firewall (classic mode).
-
You should have created the VNet and subnet for SnapCenter Service.
-
If your firewall resource and VNet of the SnapCenter Service are in different tenants, you should log into both the tenants in the Azure shell.
-
If your Firewall VNet and SnapCenter VNet are different, you should establish peering between the VNets.
Steps
-
Download the scs_azure_firewall_config.sh script to your local system.
-
Log into Microsoft Azure portal.
-
Click
to open the cloud shell and select the Bash console.
-
Upload the script to Azure cloud shell.
-
Assign the permission to run the script.
chmod +x ./scs_azure_firewall_config.sh
-
Run the script.
./scs_azure_firewall_config.sh -fwsubid <Firewall_SubscriptionID> -fwname <Firewall_name> -fwrg <Firewall_Resource_group> -scssubid <SnapCenter_Service_SubscriptionID> -scsvnet <SnapCenter_Service_VNet_name> -scssubnet <SnapCenter_Service_Subnet_name> -scsvnetrg <SnapCenter_Service_VNet_Resource_Group> -scsrg <SnapCenter_Service_Resource_group>
If you have not created the resource group, the script creates the resource group. While creating the Connector, you can use the same resource group so that all the SnapCenter Service related resources are in the same resource group.
-
Results
-
Firewall rules are configured.
-
A resource group is created for SnapCenter Service.
-
A route table is created in the SnapCenter Service resource group.
-
The route table rules are configured.
-
The route table is attached to the subnet.
Connectivity to HANA Systems
SnapCenter Service cluster needs to communicate with HANA systems in the user’s network using HDBSQL command. The communication channel between SnapCenter cluster and HANA systems need to be allowed using various network architecture such as:
-
Connector and SnapCenter Service cluster are deployed in the same VNet as that of HANA systems
-
Connector and SnapCenter Service cluster are deployed in a different VNet as that of HANA systems and the communication is established using VNet peering between the 2 VNets.
-
Connector and SnapCenter Service cluster are deployed in a different VNet as that of HANA systems, and the communication is established using VPN gateway between the 2 VNets.
Security Group configuration
If network security group (NSG) is configured in the HANA Systems, it should allow inbound communication from the port of the SnapCenter Service to the port of HANA System as specified in User Store Key.
-
Protocol: All TCP
-
Subnet: SnapCenter AKS cluster subnet
-
Purpose: To execute HDBSQL command
The HANA services running in the SnapCenter AKS cluster supports SSL communication with HANA systems that have SSL enabled.