Preparing to tier inactive data to Google Cloud Storage Edit on GitHub Request doc changes

Contributors netapp-bcammett

Before you start tiering data, verify support for your ONTAP cluster, provide the required permissions, and set up your networking.

The following image shows each component and the connections that you need to prepare between them:

An architecture image that shows the Cloud Tiering service with a connection to the Service Connector in your cloud provider

Communication between the Service Connector and Google Cloud Storage is for object storage setup only.

Preparing your ONTAP clusters

Your ONTAP clusters must meet the following requirements when tiering data to Google Cloud Storage.

Supported ONTAP platforms

Cloud Tiering supports AFF systems and all-SSD aggregates on FAS systems.

Supported ONTAP versions

ONTAP 9.6 or later

Cluster networking requirements
  • The ONTAP cluster initiates an HTTPS connection over port 443 to Google Cloud Storage.

    ONTAP reads and writes data to and from object storage. The object storage never initiates, it just responds.

    Although a Google Cloud Interconnect provides better performance and lower data transfer charges, it is not required between the ONTAP cluster and Google Cloud Storage. Because performance is significantly better when using Google Cloud Interconnect, doing so is the recommended best practice.

  • An inbound connection is required from the NetApp Service Connector, which resides in an Google Cloud Platform VPC.

    A connection between the cluster and the Cloud Tiering service is not required.

  • An intercluster LIF is required on each ONTAP node that hosts tiered volumes. The LIF must be associated with the IPspace that ONTAP should use to connect to object storage.

    IPspaces enable network traffic segregation, allowing for separation of client traffic for privacy and security. Learn more about IPspaces.

    When you set up data tiering, Cloud Tiering prompts you for the IPspace to use. You should choose the IPspace that each LIF is associated with. That might be the "Default" IPspace or a custom IPspace that you created.

Supported volumes and aggregates

The total number of volumes that Cloud Tiering can tier might be less than the number of volumes on your ONTAP system. That’s because volumes can’t be tiered from some aggregates. For example, you can’t tier data from SnapLock volumes or from MetroCluster configurations. Refer to ONTAP documentation for functionality or features not supported by FabricPool.

Preparing Google Cloud Storage for data tiering

When you set up tiering, you need to provide Cloud Tiering with storage access keys for a service account that has Storage Admin permissions. A service account enables Cloud Tiering to authenticate and access Cloud Storage buckets used for data tiering. The keys are required so that Google Cloud Storage knows who is making the request.

Steps
  1. Create a service account that has the predefined Storage Admin role.

  2. Go to GCP Storage Settings and create access keys for the service account:

    1. Select a project, and click Interoperability. If you haven’t already done so, click Enable interoperability access.

    2. Under Access keys for service accounts, click Create a key for a service account, select the service account that you just created, and click Create Key.

      You’ll need to enter the keys in Cloud Tiering later when you set up tiering.

Setting up GCP permissions to deploy the Service Connector

Ensure that your GCP user has the required permissions to deploy the NetApp Service Connector in a Google Cloud Platform VPC. You also need to enable a few APIs in the project.

Steps
  1. Ensure that the GCP user who deploys the Service Connector has the permissions in the Cloud Central policy for GCP.

    You can create a custom role using the YAML file and then attach it to the user. You’ll need to use the gcloud command line to create the role.

  2. Enable the following Google Cloud APIs in your project:

    • Cloud Deployment Manager V2 API

    • Cloud Resource Manager API

    • Compute Engine API

Result

The GCP user now has the permissions required to deploy the Service Connector in GCP from Cloud Tiering.

Setting up a service account for the Service Connector instance

When you deploy the Service Connector from Cloud Tiering, you need to select a service account to associate with the VM instance. This service account needs specific permissions to enable management of tiering.

Steps
  1. Create a role in GCP that includes the permissions defined in the Service Connector policy for GCP.

    You’ll need to use the gcloud command line to create the role.

  2. Create a GCP service account and apply the custom role that you just created.

Setting up GCP networking for the Service Connector

Cloud Tiering guides you through the process of deploying the Service Connector on a GCP virtual machine instance. Make sure that the VPC provides the required networking connections.

Steps
  1. Identify a VPC for the Service Connector that enables the following connections:

    • An outbound internet connection to the Cloud Tiering service over port 443 (HTTPS)

    • An HTTPS connection over port 443 to Google Cloud Storage

    • An HTTPS connection over port 443 to your ONTAP clusters

      Cloud Tiering enables you to deploy the virtual machine with a public IP address and you can configure it to use your own proxy server.

      You don’t need to create your own firewall rules for the instance because Cloud Tiering can do that for you. The firewall rules that Cloud Tiering creates allows inbound connectivity over HTTP, HTTPS, and SSH. Outbound connectivity is open.

  2. Optional: Enable Private Google Access on the subnet where you plan to deploy the Service Connector.

    Private Google Access is recommended if you have a direct connection from your ONTAP cluster to the VPC and you want communication between the Service Connector and Google Cloud Storage to stay in your virtual private network. Note that Private Google Access works with VM instances that have only internal (private) IP addresses (no external IP addresses).