Skip to main content
NetApp Console setup and administration

Learn about NetApp Console deployment modes

Contributors netapp-tonias
PDFs

You can use NetApp Console through the SaaS application or install it yourself in your own environment (cloud or on-premises).

NetApp refers to these use cases as deployment modes. Each mode offers different connectivity, features, and services for your business and security needs.

Standard mode (SaaS)

The NetApp Console SaaS (software-as-a-service) application enables access to all NetApp data services, automated updates, and flexible authentication options such as identity federation and NetApp Support Site logins. This mode supports marketplace subscriptions and BYOL licensing. This mode is ideal for most users and organizations, especially those who want the most features and services available with NetApp Console.

Restricted mode (installed in your own public cloud)

Restricted mode is for organizations needing enhanced security and limited connectivity, such as governments and regulated companies. You install the NetApp Console in your own public cloud (in a government, sovereign, or commercial region), and it has limited outbound connectivity to the NetApp Console API endpoints (hosted in the SaaS application). Restricted mode provides access to key data services including Cloud Volumes ONTAP, Azure NetApp Files, NetApp Backup and Recovery (in government and commercial regions), and data classification, along with automated software upgrades and identity federation.

Private mode (installed on your premises or in the cloud)

Private mode is for organizations with strict security needs, such as those in AWS Secret Cloud, AWS Top Secret Cloud, Azure IL6, or air-gapped environments. It does not connect to the NetApp Console SaaS application or NetApp cloud-based APIs, giving you full control and blocking outside communication. Supported data services include NetApp Backup and Recovery, NetApp Data Classification, NetApp Replication, and Cloud Volumes ONTAP. All storage and authentication remain local, keeping data within your environment. Use this mode for defense contractors, financial institutions with strict data residency rules, and government agencies with classified systems.

When installed on your premises, only ONTAP storage systems are supported.

Note NetApp Console limits data flow in restricted and private modes, but you must ensure your environment complies with your regulations.

Each deployment mode differs in outbound connectivity, location, installation, authentication, data services, and charging methods.

The following table compares these modes.

Standard mode Restricted mode Private mode

Connection required to NetApp Console SaaS application?

Yes

Outbound only

No

Connection required to your cloud provider?

Yes

Yes, within the region

Yes, within the region (if using Cloud Volumes ONTAP)

Console agent installation

From the Console, cloud marketplace, or manual install

Cloud marketplace or manual install

Manual install

Console agent upgrades

Automatic upgrades of Console agent software

Automatic upgrades of Console agent software

Manual upgrade required

UI access

From the Console SaaS application

Locally from an agent VM

Locally from the agent VM

API endpoint

The Console SaaS application

an agent

an agent

Authentication

Through SaaS using auth0, NSS login, or identity federation

Through SaaS using auth0 or identity federation

Local user authentication

Multi-factor authentication

Available for local users

Not available

Not available

Storage and data services

All are supported

Many are supported

Several are supported

Data service licensing options

Marketplace subscriptions and BYOL

Marketplace subscriptions and BYOL

Bring-your-own-license (BYOL)

See the following sections for details about supported features and services in each mode.

NetApp Console in standard mode (Saas application)

The following image shows a standard mode deployment.

A conceptual image that shows the public internet where the web-based console, SaaS application and auth0 authentication are available, a virtual network in the cloud where an agent is running and managing Cloud Volumes ONTAP and an AFF cluster in an on-premises data center.

Supported features and services for NetApp Console in standard mode

The following table lists the storage management features, data services, and administrative features available in the NetApp Console SaaS application (standard mode).

Product area NetApp service or feature Console agent required

Storage systems management

This table shows which storage systems you can manage from the NetApp Console. It does not list backup destinations for NetApp Backup and Recovery.

Alerts

Yes

Amazon FSx for ONTAP

Yes for discovery and management. You can use direct discovery without a Console agent, but you need an agent to use management features.

Amazon S3

Yes

Azure Blob

No

Azure NetApp Files

No

Cloud Volumes ONTAP

Yes

E-Series

Yes

Google Cloud NetApp Volumes

No

Google Cloud Storage

Yes

On-premises ONTAP clusters

Required for discovery and management. You can use direct discovery without a Console agent, but you need an agent to use management features.

StorageGRID

Yes

Workloads

No

Data Services

NetApp Backup and Recovery

Yes

NetApp Classification

Yes

NetApp Copy and sync

Yes

NetApp Disaster Recovery

Yes

NetApp Ransomware Protection

Yes

NetApp Replication

No

NetApp Cloud Tiering

Yes

NetApp Volume Caching

Yes

NetApp support contract features

Digital advisor

Yes

Economic efficiency

Yes

Lifecycle Planning

Yes

Software updates

No

Sustainability

Yes

Administrative features

Audit

No

Automation hub

No

Federation

No

Identity and access management

No

Licenses and subscriptions management

  • Marketplace subscriptions and BYOL are supported with standard mode; however, the supported licensing options depends on which NetApp data service you are using. Review the documentation for each service to learn more about the available licensing options.

No

Manage cloud provider credentials

No

Multi-factor authentication (local users)

No

Notifications

No

NSS accounts

No

Organization Partnerships

No

Read-only mode

No

Notifications

No

How NetApp Console works in standard mode

The Console works as follows in standard mode:

Outbound communication

Connectivity is required from an agent to the Console SaaS application, to your cloud provider's publicly available resources, and to other essential components for day-to-day operations.

Supported location for a Console agent

In standard mode, you can install a Console agent in the cloud or on your premises.

Note Installing an agent in the cloud incurs cloud usage charges.
Console agent upgrades

NetApp automatically upgrades agent software monthly.

User interface access

You access the user interface from the Console SaaS application, which is available over the public internet.

API endpoint

API calls are made to the following endpoint:
https://api.bluexp.netapp.com

Authentication

NetApp Console provides authentication with auth0 or NetApp Support Site (NSS) logins. Identity federation is available.

How to get started with standard mode

Go to the NetApp Console and sign up.

+
Learn how to get started with standard mode.

NetApp Console in restricted mode (installed in your own public cloud)

You install a Console agent in the cloud (in a government, sovereign, or commercial region), and it has limited outbound connectivity to the NetApp Console API endpoints (hosted in the SaaS application).

Users access the local UI provided by the Console agent, not the SaaS application.

Depending on the data services and features that you plan to use, a Console organization admin creates additional Console agents to manage data within your hybrid cloud environment.

Learn more about outbound connectivity to the NetApp Console APIs.

The following image is an example of a restricted mode deployment.

A conceptual image that shows the public internet where the SaaS application and auth0 authentication are available, a virtual network in the cloud where an agent is running and providing access to the web-based console, and is managing Cloud Volumes ONTAP and an AFF cluster in an on-premises data center.

Supported features and services for NetApp Console in restricted mode

The following table lists the storage management features, data services, and administrative features available in NetApp Console when you install it in restricted mode.

Product area NetApp service or feature Console agent required

Storage systems management

This table shows which storage systems you can manage from the NetApp Console. It does not list backup destinations for NetApp Backup and Recovery.

Azure NetApp Files

No

Cloud Volumes ONTAP

Yes

On-premises ONTAP clusters

Required for discovery and management. You can use direct discovery without a Console agent, but you need an agent to use management features.

Data Services (restricted mode supports fewer data services than standard mode)

Backup and Recovery

Supported in Government regions and commercial regions with restricted mode. Not supported in sovereign regions with restricted mode.

In restricted mode, NetApp Backup and Recovery supports back up and restore of ONTAP volume data only. View the list of supported backup destinations for ONTAP data

NetApp Data Classification

  • Supported in Government regions with restricted mode. Not supported in commercial regions or in sovereign regions with restricted mode.

Yes

NetApp Replication

  • Supported in Government regions with restricted mode. Not supported in commercial regions or in sovereign regions with restricted mode.

Yes*, (not needed if replicating from ONTAP on-premises to ONTAP on-premises)

NetApp support contract features

None

N/A

Administrative features

Audit

No

Automation hub

No

Federation

No

Identity and access management

No

Licenses and subscriptions management

Note the following:

  • Marketplace subscriptions (hourly and annual contracts)

    • For Cloud Volumes ONTAP, only capacity-based licensing is supported.

    • In Azure, annual contracts are not supported with government regions.

  • BYOL

    For Cloud Volumes ONTAP, both capacity-based licensing and node-based licensing are supported with BYOL.

No

Manage cloud provider credentials

No

Multi-factor authentication (local users)

No

Notifications

No

NSS accounts

No

Organization Partnerships

No

Read-only mode

No

Notifications

No

How NetApp Console works in restricted mode

The Console works as follows in restricted mode:

Outbound communication

An agent requires outbound connectivity to the NetApp cloud-based APIs for support of data services, software upgrades, authentication, and metadata transmission.

NetApp does not initiate communication to an agent. The agent initiates all communication and can pull or push data from or to the NetApp APIs and services as required.

A connection is also required to cloud provider resources from within the region.

Supported location for an agent

In restricted mode, you install agents in the cloud: in a government region, sovereign region, or commercial region.

Console agent upgrades

NetApp Console upgrades agent software automatically each month.

User interface access

Users access the Console from an agent virtual machine that's deployed in your cloud region.

API endpoint

API calls are made to an agent virtual machine.

Authentication

Authentication is provided through NetApp Console's cloud service using auth0. Identity federation is also available.

How to get started with restricted mode

You need to enable restricted mode when you create your NetApp Console account.
If you do not have an organization, you are prompted to create one and enable restricted mode when you first log in to your installed Console agent.

Note that the restricted mode setting is fixed after you create the organization. You cannot enable or disable restricted mode later.
Learn how to get started with restricted mode.

NetApp Console in private mode

In private mode, you install a Console agent either on-premises or in the cloud and then use NetApp Console to manage data across your hybrid cloud. There is no connectivity to the NetApp Console API endpoints or the NetApp Console SaaS application, so you access the Console from the local UI provided by the Console agent.

The following image shows an example of a private mode deployment where the Console agent is installed in the cloud and manages both Cloud Volumes ONTAP and an on-premises ONTAP cluster.

A conceptual image that shows a virtual network in the cloud where an agent is running and providing access to the web-based console, and is managing Cloud Volumes ONTAP and an AFF cluster in an on-premises data center.

The second image shows an example of a private mode deployment where the agent is installed on-premises, manages an on-premises ONTAP cluster, and provides access to supported NetApp Console data services.

A conceptual image that shows an on-premises data center where an agent is running and providing access to the web-based console, NetApp Console data services, and is managing an AFF cluster in an on-premises data center.

Supported features and services for NetApp Console in private mode

The following table lists the storage management features, data services, and administrative features available in NetApp Console when you install it in private mode. Features differ when you install the NetApp Console in the cloud versus your premises.

Private mode installed in the cloud
Product area NetApp service or feature Console agent required

Storage systems management

This portion of the table lists support for managing storage systems from the NetApp Console. It does not indicate the supported backup destinations for NetApp Backup and Recovery.

Cloud Volumes ONTAP

Yes, but because there's no internet access, the following features aren't available: automated software upgrades and AutoSupport.

On-premises ONTAP clusters

  • Requires connectivity from the cloud (where the Console agent is installed) to the on-premises environment.

    You must have an installed Console agent to discover on-premises ONTAP clusters.

You can use direct discovery without a Console agent, but you need an agent to use management features.

Data Services

Backup and Recovery

Yes

NetApp Classification

Yes

NetApp Replication

Yes* (not needed if replicating from ONTAP on-premises to ONTAP on-premises)

NetApp support contract features

None

 — 

Administrative features

Audit

No

Licenses and subscriptions management

  • Only BYOL is supported with private mode.

    For Cloud Volumes ONTAP BYOL, only node-based licensing is supported. Capacity-based licensing is not supported. Because an outbound internet connection isn't available, you need to manually upload your Cloud Volumes ONTAP licensing file in the Console.

Learn how to add licenses

No

Identity and access management

No

Manage cloud provider credentials

No

Read-only mode

No

Notifications

No
Private mode installed on-premises
Product area NetApp service or feature Console agent required

Storage systems management

This portion of the table lists support for managing storage systems from the NetApp Console. It does not indicate the supported backup destinations for NetApp Backup and Recovery.

On-premises ONTAP clusters

  • Requires connectivity from the cloud (where the Console agent is installed) to the on-premises environment.

    You must have an installed Console agent to discover on-premises ONTAP clusters.

You can use direct discovery without a Console agent, but you need an agent to use management features.

Data Services

Backup and Recovery

Yes

NetApp Classification

Yes

NetApp Replication

Yes* (not needed if replicating from ONTAP on-premises to ONTAP on-premises)

NetApp support contract features

None

N/A

Administrative features

Audit

No

Licenses and subscriptions management

  • Only BYOL is supported with private mode.

No

Identity and access management

No

Manage cloud provider credentials

No

Read-only mode

No

Notifications

No

How NetApp Console works in private mode

NetApp Console works as follows in private mode:

Outbound communication

No outbound connectivity is required to the Console SaaS application (where additional API endpoints reside). All packages, dependencies, and essential components are packaged with the Console agent and served from the local machine. Connectivity to your cloud provider's publicly available resources is required only if you are deploying Cloud Volumes ONTAP.

Supported location for the Console agent

In private mode, the Console agent is supported in the cloud or on-premises.

Console agent upgrades

You must manually upgrade the Console agent software. NetApp publishes the Console agent software to the NetApp Support Site at undefined intervals.

User interface access

Users access the Console from the Console agent that's deployed in your cloud region or on-premises.

API endpoint

API calls are made to the Console agent virtual machine.

Authentication

Authentication is provided through local user management and access. Authentication is not provided through NetApp Console's cloud service.

How to get started with private mode

Private mode is available by downloading the "offline" installer from the NetApp Support Site.

+
Learn how to get started with private mode.

+
NOTE: If you want to use NetApp Console in the AWS Secret Cloud or the AWS Top Secret Cloud, then you should follow separate instructions to get started in those environments. Learn how to get started with Cloud Volumes ONTAP in the AWS Secret Cloud or Top Secret Cloud

NetApp Console service and feature comparison

This table shows which services and features are supported in restricted and private modes.

Note Standard mode (NetApp Console SaaS application) supports all features.

Note that some services might be supported with limitations. For more details about how these services are supported with restricted mode and private mode, refer to the sections above.

Product area NetApp service or feature Restricted mode Private mode

Storage systems management

This table shows which storage systems you can manage from the NetApp Console. It does not list backup destinations for NetApp Backup and Recovery.

Alerts

No

No

Amazon FSx for ONTAP

No

No

Amazon S3

No

No

Azure Blob

No

No

Azure NetApp Files

Yes

No

Cloud Volumes ONTAP

Yes

Yes

Google Cloud NetApp Volumes

No

No

Google Cloud Storage

No

No

On-premisesONTAP clusters

Yes

Yes

E-Series

No

No

StorageGRID

No

No

Workload factory

No

No

Data Services

Backup and Recovery

Yes

View the list of supported backup destinations for ONTAP volume data

Yes

View the list of supported backup destinations for ONTAP volume data

NetApp Classification

Yes

Yes

Copy and sync

No

No

NetApp Disaster Recovery

No

No

NetApp Ransomware Protection

No

No

NetApp Replication

Yes

Yes

NetApp Cloud Tiering

No

No

NetApp Volume Caching

No

No

NetApp support contract features

Digital advisor

No

No

Lifecycle Planning

No

No

Software updates

No

No

Sustainability

No

No

Administrative features

Dashboard metrics for storage and data services

No

No

Identity and access management

Yes

Yes

Manage cloud provider credentials

Yes

Yes

Federation

Yes

No

Licenses and subscriptions

Yes

Yes

Multi-factor authentication

Yes

No

NSS accounts

Yes

No

Organization Partnerships

Yes

No

Read-only mode

No

No

Notifications

Yes

No

Audit

Yes

Yes