Preparing to tier inactive data to Azure Blob storage
Before you use Cloud Tiering, verify support for your ONTAP cluster, provide the required permissions, and set up your networking.
The following image shows each component and the connections that you need to prepare between them:
Communication between the Service Connector and Blob storage is for object storage setup only.
Preparing your ONTAP clusters
Your ONTAP clusters must meet the following requirements when tiering data to Azure Blob storage.
- Supported ONTAP platforms: Cloud Tiering supports AFF systems and all-SSD aggregates on FAS systems.
- Supported ONTAP version: ONTAP 9.4 or later.
- Cluster networking requirements:
  - The ONTAP cluster initiates an HTTPS connection over port 443 to Azure Blob storage. ONTAP reads and writes data to and from object storage; the object storage never initiates a connection, it only responds.
    ExpressRoute is not required between the ONTAP cluster and Azure Blob storage, but because it provides significantly better performance and lower data transfer charges, using it is the recommended best practice.
  - An inbound HTTPS connection over port 443 is required from the NetApp Service Connector, which resides in an Azure VNet. A connection between the cluster and the Cloud Tiering service itself is not required.
  - An intercluster LIF is required on each ONTAP node that hosts tiered volumes. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage.
    IPspaces enable network traffic segregation, allowing client traffic to be separated for privacy and security. Learn more about IPspaces in the ONTAP documentation.
    When you set up data tiering, Cloud Tiering prompts you for the IPspace to use. Choose the IPspace that each intercluster LIF is associated with; that might be the "Default" IPspace or a custom IPspace that you created.
- Supported volumes and aggregates:
  The total number of volumes that Cloud Tiering can tier might be less than the number of volumes on your ONTAP system, because data can't be tiered from some volume types and aggregate configurations. For example, you can't tier data from SnapLock volumes or from MetroCluster configurations. Refer to the ONTAP documentation for functionality and features that FabricPool does not support.
  Cloud Tiering supports FlexGroup volumes starting with ONTAP 9.5. Setup works the same as for any other volume.
Preparing to deploy the Service Connector in Azure
The Service Connector is NetApp software that communicates with your ONTAP clusters. Cloud Tiering guides you through the process of deploying the Service Connector on an Azure virtual machine.
A few steps are required before you can deploy the Service Connector in Azure: you need to provide the required permissions and set up your networking.
Note that Cloud Tiering tiers data to a Blob container that resides in the same Azure subscription as the Service Connector, so complete these steps in the Azure subscription where both the Service Connector and the Blob container should reside.
Granting Azure permissions
Ensure that your Azure account has the required permissions to deploy the NetApp Service Connector in an Azure VNet.
During deployment, Cloud Tiering creates and assigns a role to the Service Connector that provides the required permissions so ONTAP can tier inactive data to Azure Blob storage.
1. Create a custom role using the NetApp Cloud Central policy:
   a. Download the Cloud Central policy for Azure. Right-click the link and click Save link as… to download the file.
   b. Modify the JSON file by adding your Azure subscription ID to the assignable scope.
      Example:
      "AssignableScopes": [
          "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz"
      ],
   c. Use the JSON file to create a custom role in Azure. The following example shows how to create a custom role using the Azure CLI 2.0:
      az role definition create --role-definition C:\Policy_for_Setup_As_Service_Azure.json
      You should now have a custom role called Azure SetupAsService.
2. Assign the role to the user who will deploy the Service Connector from Cloud Tiering:
   a. Open the Subscriptions service and select the user's subscription.
   b. Click Access control (IAM).
   c. Click Add > Add role assignment and then add the permissions:
      - Select the Azure SetupAsService role.
        Azure SetupAsService is the default name provided in the Cloud Central policy. If you chose a different name for the role, select that name instead.
      - Assign access to an Azure AD user, group, or application.
      - Select the user account.
      - Click Save.
The Azure user now has the permissions required to deploy the Service Connector.
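The two steps above (pin the role definition to one subscription, then create and assign the role) are easy to get wrong by hand: a mistyped subscription ID or a leftover scope from another subscription makes the role assignable in the wrong place. The following script is an added example, not NetApp's code. It assumes the downloaded policy uses the standard Azure custom-role JSON layout (Name, IsCustom, Description, Actions, NotActions, AssignableScopes), uses the page's default role name "Azure SetupAsService", and only builds the Azure CLI commands; running them is left to the operator. The sample policy embedded below is a constructed skeleton whose Actions list is a placeholder, because the real action list belongs to NetApp's policy file.

```python
"""Pin a Cloud Central role definition to one Azure subscription and emit
the az CLI commands that create the custom role and assign it to a user."""
import json
import re
import shlex
from pathlib import Path

# Azure subscription IDs are GUIDs; anything else is rejected up front.
SUBSCRIPTION_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DEFAULT_ROLE_NAME = "Azure SetupAsService"   # default name in the Cloud Central policy

# Constructed skeleton standing in for the downloaded policy file; the real
# Actions list is NetApp's and is not reproduced here (assumption).
SAMPLE_POLICY = {
    "Name": DEFAULT_ROLE_NAME,
    "IsCustom": True,
    "Description": "Role used to deploy the NetApp Service Connector",
    "Actions": ["<actions from the downloaded Cloud Central policy>"],
    "NotActions": [],
    # Placeholder scope as shipped; note it is not a valid GUID.
    "AssignableScopes": ["/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz"],
}


def scope_for(subscription_id: str) -> str:
    """Subscription-level scope for AssignableScopes and role assignments.
    Raises ValueError for a non-GUID so a typo never reaches Azure."""
    if not SUBSCRIPTION_ID_RE.match(subscription_id):
        raise ValueError(f"not an Azure subscription ID: {subscription_id!r}")
    return f"/subscriptions/{subscription_id.lower()}"


def set_assignable_scope(policy: dict, subscription_id: str) -> dict:
    """Return a copy of the role definition whose AssignableScopes contains
    exactly the target subscription. Any other scope is dropped on purpose:
    the role should only be assignable where the Service Connector and the
    Blob container will live. The input dict is left untouched."""
    for key in ("Name", "Actions"):
        if key not in policy:
            raise ValueError(f"role definition is missing {key!r}")
    updated = dict(policy)
    updated["AssignableScopes"] = [scope_for(subscription_id)]
    return updated


def prepare_policy_file(src: Path, dst: Path, subscription_id: str) -> dict:
    """Read the downloaded policy, pin its scope, write the result to dst."""
    policy = json.loads(src.read_text(encoding="utf-8"))
    updated = set_assignable_scope(policy, subscription_id)
    dst.write_text(json.dumps(updated, indent=2) + "\n", encoding="utf-8")
    return updated


def az_commands(policy_file: str, subscription_id: str, assignee: str,
                role_name: str = DEFAULT_ROLE_NAME) -> list:
    """Azure CLI commands for the two steps: create the custom role from the
    JSON file, then assign it to `assignee` (a UPN or object ID) at
    subscription scope. Arguments are shell-quoted so a role name with a
    space survives copy-and-paste into a shell."""
    return [
        "az role definition create --role-definition "
        + shlex.quote(policy_file),
        "az role assignment create --role " + shlex.quote(role_name)
        + " --assignee " + shlex.quote(assignee)
        + " --scope " + shlex.quote(scope_for(subscription_id)),
    ]


if __name__ == "__main__":
    # Hypothetical values for illustration only.
    sub = "d333af45-0d07-4154-943d-c25fb0000000"
    Path("policy_in.json").write_text(json.dumps(SAMPLE_POLICY, indent=2))
    prepare_policy_file(Path("policy_in.json"), Path("policy_out.json"), sub)
    for cmd in az_commands("policy_out.json", sub, "user@example.com"):
        print(cmd)
```

The placeholder ID shown on this page ends in "zzzzzzz" and is deliberately rejected by scope_for; replace it with your own subscription ID, then review policy_out.json before running the printed commands.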
Setting up Azure networking
Cloud Tiering prompts you for the Azure VNet where the Service Connector should be deployed. Make sure that the VNet provides the required networking connections.
1. Identify a VNet for the Service Connector that enables the following connections:
   - An outbound internet connection to the Cloud Tiering service over port 443 (HTTPS)
   - An HTTPS connection over port 443 to Azure Blob storage
   - An HTTPS connection over port 443 to your ONTAP clusters
   Cloud Tiering enables you to deploy the virtual machine with a public IP address, and you can configure it to use your own proxy server.
   You don't need to create your own network security group because Cloud Tiering can do that for you. The security group that Cloud Tiering creates allows no inbound connectivity and open outbound connectivity.
2. If needed, enable a VNet service endpoint to Azure storage.
   A VNet service endpoint to Azure storage is recommended if you have an ExpressRoute or VPN connection from your ONTAP cluster to the VNet and you want communication between the Service Connector and Blob storage to stay in your virtual private network.
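Before deploying, it is worth confirming from a VM in the chosen VNet (or the Service Connector VM itself) that the three outbound HTTPS connections listed above are actually allowed, including through your own proxy if you plan to use one. The following is an added example, not NetApp's code. The Cloud Tiering service hostname is not given on this page, so it is a parameter; the Blob endpoint follows the public Azure naming scheme `<account>.blob.core.windows.net`; the ONTAP targets are whichever cluster addresses the Service Connector will reach over port 443. The checks test only that a TCP handshake (or a proxy CONNECT tunnel) succeeds; TLS and authentication are out of scope.

```python
"""Reachability checks for the Service Connector's required outbound
connections: direct TCP on port 443, and HTTP CONNECT through a proxy."""
import socket
from dataclasses import dataclass

HTTPS_PORT = 443


@dataclass(frozen=True)
class Endpoint:
    purpose: str
    host: str
    port: int = HTTPS_PORT


def required_endpoints(tiering_service_host: str, storage_account: str,
                       ontap_hosts: list) -> list:
    """The outbound connections the Service Connector VNet must allow.
    tiering_service_host is an assumption (not given on the page)."""
    eps = [
        Endpoint("Cloud Tiering service", tiering_service_host),
        Endpoint("Azure Blob storage", f"{storage_account}.blob.core.windows.net"),
    ]
    eps += [Endpoint("ONTAP cluster", h) for h in ontap_hosts]
    return eps


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, no route, DNS failure
        return False


def proxy_connect_ok(status_line: bytes) -> bool:
    """True when an HTTP proxy answered CONNECT with a 2xx status line,
    e.g. b'HTTP/1.1 200 Connection established'. A 403 or 407 means the
    proxy exists but will not tunnel to that destination."""
    parts = status_line.split(None, 2)
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and parts[1][:1] == b"2")


def check_via_proxy(proxy_host: str, proxy_port: int, host: str, port: int,
                    timeout: float = 3.0) -> bool:
    """Ask the proxy to tunnel to host:port with HTTP CONNECT, exactly as an
    HTTPS client behind a proxy does; succeeds only on a 2xx reply."""
    request = (f"CONNECT {host}:{port} HTTP/1.1\r\n"
               f"Host: {host}:{port}\r\n\r\n").encode()
    try:
        with socket.create_connection((proxy_host, proxy_port),
                                      timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            first_line = s.recv(1024).split(b"\r\n", 1)[0]
            return proxy_connect_ok(first_line)
    except OSError:
        return False


def run_checks(endpoints: list, timeout: float = 3.0, probe=check_tcp) -> dict:
    """Map 'purpose host:port' -> reachable. `probe` is injectable: pass
    check_tcp for direct egress, or a lambda wrapping check_via_proxy when
    the VM is configured to use your own proxy server."""
    return {f"{e.purpose} {e.host}:{e.port}": probe(e.host, e.port, timeout)
            for e in endpoints}


def unreachable(results: dict) -> list:
    """Names of the endpoints that failed, in the order they were checked."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    # Hypothetical values for illustration only.
    eps = required_endpoints("tiering.example.invalid", "tierstore",
                             ["10.0.1.10", "10.0.1.11"])
    direct = run_checks(eps)
    via_proxy = run_checks(
        eps, probe=lambda h, p, t: check_via_proxy("10.0.0.5", 3128, h, p, t))
    for name in unreachable(direct):
        print("direct egress blocked:", name)
    for name in unreachable(via_proxy):
        print("proxy tunnel refused:", name)
```

Run it on the VM after the VNet and any proxy are in place; an empty list from `unreachable` for whichever path the Service Connector will actually use means the networking step is done. If the ONTAP entries fail but the Azure ones succeed, the gap is usually the ExpressRoute or VPN path into the cluster's IPspace rather than the network security group.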