Preparing to tier inactive data to Azure Blob storage

Contributors netapp-bcammett

Before you use Cloud Tiering, verify support for your ONTAP cluster, provide the required permissions, and set up your networking.

The following image shows each component and the connections that you need to prepare between them:

[Architecture figure: the Cloud Tiering service with a connection to the Service Connector in your cloud provider]

Communication between the Service Connector and Blob storage is for object storage setup only.

Preparing your ONTAP clusters

Your ONTAP clusters must meet the following requirements when tiering data to Azure Blob storage.

Supported ONTAP platforms

Cloud Tiering supports AFF systems and all-SSD aggregates on FAS systems.

Supported ONTAP version

ONTAP 9.4 or later

Cluster networking requirements
  • An inbound and outbound connection to Azure Blob storage is required.

    ExpressRoute is not required between the ONTAP cluster and Azure Blob storage, but because it provides significantly better performance and lower data transfer charges, using it is the recommended best practice.

  • An inbound connection is required from the NetApp Service Connector, which resides in an Azure VNet.

    A connection between the cluster and the Cloud Tiering service is not required.

  • An intercluster LIF is required on each ONTAP node that hosts tiered volumes. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage.

    IPspaces enable network traffic segregation, allowing for separation of client traffic for privacy and security. Learn more about IPspaces.

    When you set up data tiering, Cloud Tiering prompts you for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

Supported volumes and aggregates

The total number of volumes that Cloud Tiering can tier might be less than the number of volumes on your ONTAP system. That’s because volumes can’t be tiered from some aggregates. For example, you can’t tier data from SnapLock volumes or from MetroCluster configurations. Refer to ONTAP documentation for functionality or features not supported by FabricPool.

Granting Azure permissions

Ensure that your Azure account has the required permissions to deploy the NetApp Service Connector in an Azure VNet. The Service Connector is NetApp software that communicates with your ONTAP clusters.

During deployment, Cloud Tiering creates and assigns a role to the Service Connector that provides the required permissions so ONTAP can tier inactive data to Azure Blob storage.

Steps
  1. Create a custom role using the NetApp Cloud Central policy:

    1. Download the Cloud Central policy for Azure.

    2. Modify the JSON file by adding your Azure subscription ID to the assignable scope.

      Example

      "AssignableScopes": [
          "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz"
      ],
    3. Use the JSON file to create a custom role in Azure.

      The following example shows how to create a custom role using the Azure CLI 2.0:

      az role definition create --role-definition C:\Policy_for_Setup_As_Service_Azure.json

      You should now have a custom role called Azure SetupAsService.

  2. Assign the role to the user who will deploy the Service Connector from Cloud Tiering:

    1. Open the Subscriptions service and select the user’s subscription.

    2. Click Access control (IAM).

    3. Click Add > Add role assignment and then add the permissions:

      • Select the Azure SetupAsService role.

        Azure SetupAsService is the default name provided in the Cloud Central policy. If you chose a different name for the role, then select that name instead.
      • Assign access to an Azure AD user, group, or application.

      • Select the user account.

      • Click Save.

Result

The Azure user now has the permissions required to deploy the Service Connector.
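As an added example (not part of the NetApp documentation), the following Python script does the edit from step 1.2 in a checked way: it parses the downloaded policy, sets AssignableScopes to exactly one subscription, and reports any scope broader than a subscription (such as the root scope "/") so the custom role cannot be granted more widely than intended. SAMPLE_POLICY, the subscription ID and the function names are constructed placeholders; the real input is the policy file downloaded from Cloud Central.

```python
import json
import re
import uuid

# Constructed, trimmed stand-in for the downloaded Cloud Central policy file.
# The real file carries the full action list; only the shape matters here.
SAMPLE_POLICY = """{
  "Name": "Azure SetupAsService",
  "Actions": ["Microsoft.Compute/virtualMachines/*"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/SUBSCRIPTION_ID"]
}"""

# A scope of exactly one subscription: "/subscriptions/<lowercase GUID>".
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def scope_policy_to_subscription(policy_text: str, subscription_id: str) -> dict:
    """Return the policy with AssignableScopes set to the given subscription only.

    Both a malformed GUID and invalid JSON (for example a trailing comma in
    the array) raise ValueError, so the mistake surfaces before
    `az role definition create` is run against the file.
    """
    uuid.UUID(subscription_id)  # ValueError if not a valid GUID
    policy = json.loads(policy_text)  # JSONDecodeError (a ValueError) if malformed
    policy["AssignableScopes"] = [f"/subscriptions/{subscription_id.lower()}"]
    return policy


def check_assignable_scopes(policy: dict) -> list:
    """List every assignable scope that is broader than a single subscription."""
    return [
        f"scope is not a single subscription: {scope}"
        for scope in policy.get("AssignableScopes", [])
        if not SUBSCRIPTION_SCOPE.match(scope)
    ]


def write_policy(policy: dict, path: str) -> None:
    """Write the file passed to `az role definition create --role-definition`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)


if __name__ == "__main__":
    sub = "d333af45-0d07-4154-943d-c25f00000000"  # constructed placeholder ID
    scoped = scope_policy_to_subscription(SAMPLE_POLICY, sub)
    print(json.dumps(scoped, indent=2))
    print("findings:", check_assignable_scopes(scoped))
```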

Setting up Azure networking for the Service Connector

Cloud Tiering guides you through the process of deploying the Service Connector on an Azure virtual machine. Make sure that the Azure VNet provides the required networking connections.

Steps
  1. Identify a VNet for the Service Connector that enables the following connections:

    • An outbound internet connection to the Cloud Tiering service

    • A connection to Azure Blob storage

    • A connection to your ONTAP clusters

      Cloud Tiering enables you to deploy the virtual machine with a public IP address, and you can configure it to use your own proxy server.

      You don’t need to create your own network security group because Cloud Tiering can do that for you. The security group that Cloud Tiering creates has no inbound connectivity and open outbound connectivity.

  2. If needed, enable a VNet service endpoint to Azure storage.

    A VNet service endpoint to Azure storage is recommended if you have an ExpressRoute or VPN connection from your ONTAP cluster to the VNet and you want communication between the Service Connector and Blob storage to stay in your virtual private network.
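Added example, not from the NetApp documentation: a Python check over the Service Connector's network security group rules and subnet that confirms the baseline described above (no inbound allow rules, open outbound connectivity) and whether the subnet carries a Microsoft.Storage service endpoint. The rule and subnet dictionaries are constructed samples shaped like the custom-rule fields in `az network nsg rule list` and `az network vnet subnet show` output; the function names are assumptions.

```python
# Constructed sample of the custom rules Cloud Tiering's security group is
# described as having: nothing allowed inbound, everything allowed outbound.
# Azure's built-in default rules are not part of this list.
SAMPLE_NSG_RULES = [
    {"name": "AllowAllOutbound", "direction": "Outbound", "access": "Allow",
     "priority": 100, "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"},
    {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny",
     "priority": 4096, "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"},
]

# Constructed subnet with the optional service endpoint from step 2 enabled.
SAMPLE_SUBNET = {
    "name": "connector-subnet",
    "serviceEndpoints": [{"service": "Microsoft.Storage"}],
}

NO_OUTBOUND_MSG = "no outbound allow rule; connector cannot reach Cloud Tiering, Blob storage, or ONTAP"


def check_connector_nsg(rules: list) -> list:
    """Return findings where the rule set deviates from the expected baseline."""
    findings = []
    for rule in rules:
        if rule["direction"] == "Inbound" and rule["access"] == "Allow":
            findings.append(
                f"inbound allow rule present: {rule['name']} from {rule['sourceAddressPrefix']}"
            )
    if not any(r["direction"] == "Outbound" and r["access"] == "Allow" for r in rules):
        findings.append(NO_OUTBOUND_MSG)
    return findings


def has_storage_service_endpoint(subnet: dict) -> bool:
    """True when Blob traffic from this subnet stays on a Microsoft.Storage endpoint."""
    return any(ep.get("service") == "Microsoft.Storage"
               for ep in subnet.get("serviceEndpoints", []))


if __name__ == "__main__":
    print("NSG findings:", check_connector_nsg(SAMPLE_NSG_RULES))
    print("storage endpoint:", has_storage_service_endpoint(SAMPLE_SUBNET))
```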