Create a Console agent from the AWS Marketplace
You create a Console agent in AWS directly from the AWS Marketplace. To create a Console agent from the AWS Marketplace, you need to set up your networking, prepare AWS permissions, review instance requirements, and then create the Console agent.
- You should have an understanding of Console agents.
- You should review Console agent limitations.
Step 1: Set up networking
Ensure the network location for the Console agent meets the following requirements to manage hybrid cloud resources.
- VPC and subnet

  When you create the Console agent, you need to specify the VPC and subnet where it should reside.
- Connections to target networks

  The Console agent requires a network connection to the location where you're planning to create and manage systems. For example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.
- Outbound internet access

  The network location where you deploy the Console agent must have an outbound internet connection to contact specific endpoints.
- Endpoints contacted from the Console agent

  The Console agent requires outbound internet access to contact the following endpoints to manage resources and processes within your public cloud environment for day-to-day operations.

  The endpoints listed below are all CNAME entries.

  | Endpoints | Purpose |
  | --- | --- |
  | AWS services (amazonaws.com): CloudFormation, Elastic Compute Cloud (EC2), Identity and Access Management (IAM), Key Management Service (KMS), Security Token Service (STS), Simple Storage Service (S3) | To manage AWS resources. The endpoint depends on your AWS region. Refer to AWS documentation for details. |
  | https://mysupport.netapp.com | To obtain licensing information and to send AutoSupport messages to NetApp support. |
  | https://signin.b2c.netapp.com | To update NetApp Support Site (NSS) credentials or to add new NSS credentials to the NetApp Console. |
  | https://api.bluexp.netapp.com, https://netapp-cloud-account.auth0.com, https://netapp-cloud-account.us.auth0.com, https://console.netapp.com, https://components.console.bluexp.netapp.com, https://cdn.auth0.com | To provide features and services within the NetApp Console. |
  | https://bluexpinfraprod.eastus2.data.azurecr.io, https://bluexpinfraprod.azurecr.io | To obtain images for Console agent upgrades. |
  - When you deploy a new agent, the validation check tests connectivity to current endpoints. If you use previous endpoints, the validation check fails. To avoid this failure, skip the validation check.

    Although the previous endpoints are still supported, NetApp recommends updating your firewall rules to the current endpoints as soon as possible. Learn how to update your endpoint list.
  - When you update to the current endpoints in your firewall, your existing agents will continue to work.
- Proxy server

  NetApp supports both explicit and transparent proxy configurations. If you are using a transparent proxy, you only need to provide the certificate for the proxy server. If you are using an explicit proxy, you'll also need the IP address and credentials.

  - IP address
  - Credentials
  - HTTPS certificate
- Ports

  There's no incoming traffic to the Console agent unless you initiate it or the Console agent is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.

  - HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.
  - SSH (22) is only needed if you need to connect to the host for troubleshooting.
  - Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.

    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, the Console automatically configures those systems to use a proxy server that's included with the Console agent. The only requirement is to ensure that the Console agent's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Console agent.
- Enable NTP

  If you're planning to use NetApp Data Classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the Console agent and the NetApp Data Classification system so that the time is synchronized between the systems. Learn more about NetApp Data Classification.

  Implement this network access after you create the Console agent.
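
The endpoint table above can be checked against an egress allowlist before deployment. The following is an added example, not NetApp code: it reports which listed hosts the allowlist does not cover and which wildcard rules open a whole multi-tenant domain (`auth0.com`, `azurecr.io`) instead of the named tenant. It assumes glob-style rules in which `*` may span several labels; `SAMPLE_RULES` is constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Current endpoints from the table above. AWS service endpoints are
# region-specific and are left out of this check.
REQUIRED_URLS = [
    "https://mysupport.netapp.com",
    "https://signin.b2c.netapp.com",
    "https://api.bluexp.netapp.com",
    "https://netapp-cloud-account.auth0.com",
    "https://netapp-cloud-account.us.auth0.com",
    "https://console.netapp.com",
    "https://components.console.bluexp.netapp.com",
    "https://cdn.auth0.com",
    "https://bluexpinfraprod.eastus2.data.azurecr.io",
    "https://bluexpinfraprod.azurecr.io",
]
REQUIRED_HOSTS = [urlsplit(url).hostname for url in REQUIRED_URLS]

# Parent domains shared by many unrelated tenants. A wildcard in the tenant
# (leftmost) label lets the agent subnet reach any tenant, not just NetApp's.
SHARED_PARENTS = (".auth0.com", ".azurecr.io")


def is_overbroad(rule):
    first_label = rule.split(".", 1)[0]
    return rule == "*" or ("*" in first_label and rule.endswith(SHARED_PARENTS))


def audit_allowlist(rules):
    """Return (missing_hosts, overbroad_rules) for a hostname allowlist.

    Assumption: rules are glob patterns in which '*' may span several labels.
    """
    rules = [r.strip().lower() for r in rules if r.strip()]
    missing = [h for h in REQUIRED_HOSTS
               if not any(fnmatchcase(h, r) for r in rules)]
    overbroad = [r for r in rules if is_overbroad(r)]
    return missing, overbroad


# Constructed sample allowlist, not taken from any real firewall.
SAMPLE_RULES = ["*.netapp.com", "*.auth0.com", "bluexpinfraprod.azurecr.io"]

if __name__ == "__main__":
    missing, overbroad = audit_allowlist(SAMPLE_RULES)
    print("not covered:", missing)
    print("too broad:  ", overbroad)
```
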
Step 2: Set up AWS permissions
To prepare for a marketplace deployment, create IAM policies in AWS and attach them to an IAM role. When you create the Console agent from the AWS Marketplace, you are prompted to select that IAM role.
- Log in to the AWS console and navigate to the IAM service.
- Create a policy:
  - Select Policies > Create policy.
  - Select JSON and copy and paste the contents of the IAM policy for the Console agent.
  - Finish the remaining steps to create the policy.

    You may need to create a second policy based on the NetApp data services you plan to use. For standard regions, the permissions are spread across two policies. Two policies are required due to a maximum character size limit for managed policies in AWS. Learn more about IAM policies for the Console agent.
- Create an IAM role:
  - Select Roles > Create role.
  - Select AWS service > EC2.
  - Add permissions by attaching the policy that you just created.
  - Finish the remaining steps to create the role.
You now have an IAM role that you can associate with the EC2 instance during deployment from the AWS Marketplace.
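
Selecting AWS service > EC2 gives the role a trust policy that lets only `ec2.amazonaws.com` assume it. The following added example (not NetApp code) checks a role document shaped like `aws iam get-role` output for any other trusted principal; the role name and account ID in `SAMPLE_ROLE` are constructed placeholders.

```python
EXPECTED = ("Service", "ec2.amazonaws.com")  # what "AWS service > EC2" produces


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(role):
    """Return findings for a role document shaped like `aws iam get-role` output."""
    doc = role["Role"]["AssumeRolePolicyDocument"]
    findings = []
    for i, stmt in enumerate(as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or "NotPrincipal" in stmt:
            findings.append(f"statement {i}: role is assumable by arbitrary principals")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if (kind, value) != EXPECTED:
                    findings.append(f"statement {i}: unexpected principal {kind}={value}")
        actions = as_list(stmt.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: unexpected actions {actions}")
    return findings


# Constructed sample: the EC2 trust statement plus an extra account principal.
# The role name and account ID are placeholders.
SAMPLE_ROLE = {"Role": {"RoleName": "console-agent-role", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"},
    ],
}}}

if __name__ == "__main__":
    for finding in audit_trust_policy(SAMPLE_ROLE):
        print(finding)
```
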
Step 3: Review instance requirements
When you create the Console agent, you need to choose an EC2 instance type that meets the following requirements.
- CPU

  8 cores or 8 vCPUs
- RAM

  32 GB
- AWS EC2 instance type

  An instance type that meets the CPU and RAM requirements above. We recommend t3.2xlarge.
Step 4: Create the Console agent
Create the Console agent directly from the AWS Marketplace.
Creating the Console agent from the AWS Marketplace deploys an EC2 instance in AWS using a default configuration. Learn about the default configuration for the Console agent.
You should have the following:
- A VPC and subnet that meet networking requirements.
- An IAM role with an attached policy that includes the required permissions for the Console agent.
- Permissions to subscribe and unsubscribe from the AWS Marketplace for your IAM user.
- An understanding of CPU and RAM requirements for the instance.
- A key pair for the EC2 instance.

- Go to the NetApp Console agent listing on the AWS Marketplace.
- On the Marketplace page, select Continue to Subscribe.
- To subscribe to the software, select Accept Terms.

  The subscription process can take a few minutes.
- After the subscription process is complete, select Continue to Configuration.
- On the Configure this software page, ensure that you've selected the correct region and then select Continue to Launch.
- On the Launch this software page, under Choose Action, select Launch through EC2 and then select Launch.

  Use the EC2 Console to launch the instance and attach an IAM role. This is not possible with the Launch from Website action.
- Follow the prompts to configure and deploy the instance:
  - Name and tags: Enter a name and tags for the instance.
  - Application and OS Images: Skip this section. The Console agent AMI is already selected.
  - Instance type: Depending on region availability, choose an instance type that meets RAM and CPU requirements (t3.2xlarge is preselected and recommended).
  - Key pair (login): Select the key pair that you want to use to securely connect to the instance.
  - Network settings: Edit the network settings as needed:
    - Choose the desired VPC and subnet.
    - Specify whether the instance should have a public IP address.
    - Specify security group settings that enable the required connection methods for the Console agent instance: SSH, HTTP, and HTTPS.
  - Configure storage: Keep the default size and disk type for the root volume.

    If you want to enable Amazon EBS encryption on the root volume, select Advanced, expand Volume 1, select Encrypted, and then choose a KMS key.
  - Advanced details: Under IAM instance profile, choose the IAM role that includes the required permissions for the Console agent.
  - Summary: Review the summary and select Launch instance.

  AWS launches the Console agent with the specified settings, and the Console agent runs in about ten minutes.

  If the installation fails, you can view logs and a report to help you troubleshoot. Learn how to troubleshoot installation issues.
- Open a web browser from a host that has a connection to the Console agent virtual machine and enter the URL of the Console agent.
- After you log in, set up the Console agent:
  - Specify the Console organization to associate with the Console agent.
  - Enter a name for the system.
  - Under Are you running in a secured environment? keep restricted mode disabled.

    Keep restricted mode disabled to use the Console in standard mode. You should enable restricted mode only if you have a secure environment and want to disconnect this account from the Console backend services. If that's the case, follow steps to get started with NetApp Console in restricted mode.
  - Select Let's start.

The Console agent is now installed and set up with your Console organization.
Open a web browser and go to the NetApp Console to start using the Console agent with the Console.
If you have Amazon S3 buckets in the same AWS account where you created the Console agent, you'll see an Amazon S3 working environment appear on the Systems page automatically. Learn how to manage S3 buckets from NetApp Console.
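
The inbound ports named in Step 1 (22, 80, 443 and 3128) and the security group chosen in Step 4 can be compared after launch. The following added example (not NetApp code) audits one group shaped like `aws ec2 describe-security-groups` output and flags rules for ports the page does not list and rules open to any address. Treating a /0 source as a finding is an assumption of this example, and `SAMPLE_GROUP` is constructed.

```python
import ipaddress

# Inbound ports the page names for the Console agent.
EXPECTED_PORTS = {22, 80, 443, 3128}


def audit_ingress(group):
    """Return (rule, issue) findings for one group from describe-security-groups."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        label = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
        listed = (proto == "tcp" and lo is not None and hi is not None
                  and set(range(lo, hi + 1)) <= EXPECTED_PORTS)
        if not listed:
            findings.append((label, "port not listed for the Console agent"))
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            # Assumption: a /0 source is wider than the page's use cases need.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((label, f"open to any address ({cidr})"))
    return findings


# Constructed sample group; the ID and CIDR blocks are placeholders.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3128, "ToPort": 3128,
         "IpRanges": [{"CidrIp": "10.0.8.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    for rule, issue in audit_ingress(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']} {rule}: {issue}")
```
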