Skip to main content
Cloud Tiering

Preparing to tier inactive data to Azure Blob storage

Contributors netapp-bcammett

Before you use Cloud Tiering, verify support for your ONTAP cluster, provide the required permissions, and set up your networking.

The following image shows each component and the connections that you need to prepare between them:

An architecture image that shows the Cloud Tiering service with a connection to the Service Connector in your cloud provider, the Service Connector with a connection to your ONTAP cluster, and a connection between the ONTAP cluster and object storage in your cloud provider. Active data resides on the ONTAP cluster, while inactive data resides in object storage.

Note Communication between the Service Connector and Blob storage is for object storage setup only.

Preparing your ONTAP clusters

Your ONTAP clusters must meet the following requirements when tiering data to Azure Blob storage.

Supported ONTAP platforms

Cloud Tiering supports AFF systems and all-SSD aggregates on FAS systems.

Supported ONTAP version

ONTAP 9.4 or later

Cluster networking requirements
  • The ONTAP cluster initiates an HTTPS connection over port 443 to Azure Blob storage.

    ONTAP reads and writes data to and from object storage. The object storage never initiates, it just responds.

    Although ExpressRoute provides better performance and lower data transfer charges, it is not required between the ONTAP cluster and Azure Blob storage. Because performance is significantly better when using ExpressRoute, doing so is the recommended best practice.

  • An inbound connection is required from the NetApp Service Connector, which resides in an Azure VNet.

    A connection between the cluster and the Cloud Tiering service is not required.

  • An intercluster LIF is required on each ONTAP node that hosts tiered volumes. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage.

    IPspaces enable network traffic segregation, allowing for separation of client traffic for privacy and security. Learn more about IPspaces.

    When you set up data tiering, Cloud Tiering prompts you for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

Supported volumes and aggregates

The total number of volumes that Cloud Tiering can tier might be less than the number of volumes on your ONTAP system. That's because volumes can't be tiered from some aggregates. For example, you can't tier data from SnapLock volumes or from MetroCluster configurations. Refer to ONTAP documentation for functionality or features not supported by FabricPool.

Note Cloud Tiering supports FlexGroup volumes, starting with ONTAP 9.5. Setup works the same as any other volume.

Preparing to deploy the Service Connector in Azure

The Service Connector is NetApp software that communicates with your ONTAP clusters. Cloud Tiering guides you through the process of deploying the Service Connector on an Azure virtual machine.

A few steps are required before you can deploy the Service Connector in Azure. You'll need to provide the required permissions and set up your networking.

It's important to note that Cloud Tiering tiers data to a Blob container that resides in the same Azure subscription as the Service Connector. So be sure to complete these steps in the Azure subscription where both the Service Connector and Blob container should reside.

Granting Azure permissions

Ensure that your Azure account has the required permissions to deploy the NetApp Service Connector in an Azure VNet.

Tip During deployment, Cloud Tiering creates and assigns a role to the Service Connector that provides the required permissions so ONTAP can tier inactive data to Azure Blob storage.
  1. Create a custom role using the NetApp Cloud Central policy:

    1. Download the Cloud Central policy for Azure.

      Tip Right-click the link and click Save link as…​ to download the file.
    2. Modify the JSON file by adding your Azure subscription ID to the assignable scope.


      "AssignableScopes": [
    3. Use the JSON file to create a custom role in Azure.

      The following example shows how to create a custom role using the Azure CLI 2.0:

      az role definition create --role-definition C:\Policy_for_Setup_As_Service_Azure.json

      You should now have a custom role called Azure SetupAsService.

  2. Assign the role to the user who will deploy the Service Connector from Cloud Tiering:

    1. Open the Subscriptions service and select the user's subscription.

    2. Click Access control (IAM).

    3. Click Add > Add role assignment and then add the permissions:

      • Select the Azure SetupAsService role.

        Note Azure SetupAsService is the default name provided in the Cloud Central policy. If you chose a different name for the role, then select that name instead.
      • Assign access to an Azure AD user, group, or application.

      • Select the user account.

      • Click Save.


The Azure user now has the permissions required to deploy the Service Connector.

Setting up Azure networking

Cloud Tiering prompts you for the Azure VNet where the Service Connector should be deployed. Make sure that the VNet provides the required networking connections.

  1. Identify a VNet for the Service Connector that enables the following connections:

    • An outbound internet connection to the Cloud Tiering service over port 443 (HTTPS)

    • An HTTPS connection over port 443 to Azure Blob storage

    • An HTTPS connection over port 443 to your ONTAP clusters

      Cloud Tiering enables you to deploy the virtual machine with a public IP address and you can configure it to use your own proxy server.

      You don't need to create your own network security group because Cloud Tiering can do that for you. The security group that Cloud Tiering creates has no inbound connectivity and open outbound connectivity.

  2. If needed, enable a VNet service endpoint to Azure storage.

    A VNet service endpoint to Azure storage is recommended if you have an ExpressRoute or VPN connection from your ONTAP cluster to the VNet and you want communication between the Service Connector and Blob storage to stay in your virtual private network.