Skip to main content
NetApp Console setup and administration

Create a Console agent in Azure from NetApp Console

Contributors netapp-tonias
PDFs

To create a Console agent in Azure from the NetApp Console, you need to set up your networking, prepare Azure permissions, and then create the Console agent.

Before you begin

Step 1: Set up networking

Ensure that the network location where you plan to install the Console agent supports the following requirements. These requirements allow the Console agent to manage hybrid cloud resources.

Azure region

If you use Cloud Volumes ONTAP, the Console agent should be deployed in the same Azure region as the Cloud Volumes ONTAP systems that it manages, or in the Azure region pair for the Cloud Volumes ONTAP systems. This requirement ensures that an Azure Private Link connection is used between Cloud Volumes ONTAP and its associated storage accounts.

Learn how Cloud Volumes ONTAP uses an Azure Private Link

VNet and subnet

When you create the Console agent, you need to specify the VNet and subnet where it should reside.

Connections to target networks

The Console agent requires a network connection to the location where you're planning to create and manage systems. For example, the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.

Outbound internet access

The network location where you deploy the Console agent must have an outbound internet connection to contact specific endpoints.

Endpoints contacted from the Console agent

The Console agent requires outbound internet access to contact the following endpoints to manage resources and processes within your public cloud environment for day-to-day operations.

The endpoints listed below are all CNAME entries.

Endpoints Purpose

https://management.azure.com
https://login.microsoftonline.com
https://blob.core.windows.net
https://core.windows.net

To manage resources in Azure public regions.

https://management.chinacloudapi.cn
https://login.chinacloudapi.cn
https://blob.core.chinacloudapi.cn
https://core.chinacloudapi.cn

To manage resources in Azure China regions.

https://mysupport.netapp.com

To obtain licensing information and to send AutoSupport messages to NetApp support.

https://signin.b2c.netapp.com

To update NetApp Support Site (NSS) credentials or to add new NSS credentials to the NetApp Console.

https://api.bluexp.netapp.com
https://netapp-cloud-account.auth0.com
https://netapp-cloud-account.us.auth0.com
https://console.netapp.com
https://components.console.bluexp.netapp.com
https://cdn.auth0.com

To provide features and services within the NetApp Console.

https://bluexpinfraprod.eastus2.data.azurecr.io
https://bluexpinfraprod.azurecr.io

To obtain images for Console agent upgrades.

  • When you deploy a new agent, the validation check tests connectivity to current endpoints. If you use previous endpoints, the validation check fails. To avoid this failure, skip the validation check.

    Although the previous endpoints are still supported, NetApp recommends updating your firewall rules to the current endpoints as soon as possible. Learn how to update your endpoint list.

  • When you update to the current endpoints in your firewall, your existing agents will continue to work.
Endpoints contacted from the NetApp console

As you use the web-based NetApp Console that's provided through the SaaS layer, it contacts several endpoints to complete data management tasks. This includes endpoints that are contacted to deploy the Console agent from the the Console.

View the list of endpoints contacted from the NetApp console.

Proxy server

NetApp supports both explicit and transparent proxy configurations. If you are using a transparent proxy, you only need to provide the certificate for the proxy server. If you are using an explicit proxy, you'll also need the IP address and credentials.

  • IP address

  • Credentials

  • HTTPS certificate

Ports

There's no incoming traffic to the Console agent, unless you initiate it or if it is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.

  • HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.

  • SSH (22) is only needed if you need to connect to the host for troubleshooting.

  • Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.

    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, the Console automatically configures those systems to use a proxy server that's included with the Console agent. The only requirement is to ensure that the Console agent's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Console agent.

Enable NTP

If you're planning to use NetApp Data Classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the Console agent and the NetApp Data Classification system so that the time is synchronized between the systems. Learn more about NetApp Data classification

You need to implement this networking requirement after you create the Console agent.

Step 2: Create a Console agent deployment policy (custom role)

You need to create a custom role that has permissions to deploy the Console agent in Azure.

Create an Azure custom role that you can assign to your Azure account or to a Microsoft Entra service principal. The Console authenticates with Azure and uses these permissions to create the Console agent instance on your behalf.

The Console deploys the Console agent VM in Azure, enables a system-assigned managed identity, creates the required role, and assigns it to the VM. Review how the Console uses the permissions.

Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to Azure documentation

Steps

  1. Copy the required permissions for a new custom role in Azure and save them in a JSON file.

    Note This custom role contains only the permissions needed to launch the Console agent VM in Azure from the Console. Don't use this policy for other situations. When the Console creates the Console agent, it applies a new set of permissions to the Console agent VM that enables the Console agent to manage Azure resources. 
    {
    "Name": "Azure SetupAsService",
    "Actions": [
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/locations/operations/read",
        "Microsoft.Compute/operations/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/extensions/write",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Network/locations/operationResults/read",
        "Microsoft.Network/locations/operations/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
        "Microsoft.Network/virtualNetworks/virtualMachines/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/locations/virtualNetworkAvailableEndpointServices/read",
        "Microsoft.Network/networkInterfaces/ipConfigurations/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
        "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/operationStatuses/read",
        "Microsoft.Authorization/roleAssignments/read"
    ],
    "NotActions": [],
    "AssignableScopes": [],
    "Description": "Azure SetupAsService",
    "IsCustom": "true"
}

  2. Modify the JSON by adding your Azure subscription ID to the assignable scope.

    Example

    "AssignableScopes": [
"/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz"
],

  3. Use the JSON file to create a custom role in Azure.

    The following steps describe how to create the role by using Bash in Azure Cloud Shell.

    1. Start Azure Cloud Shell and choose the Bash environment.

    2. Upload the JSON file.

      A screenshot of the Azure Cloud Shell where you can choose the option to upload a file.

    3. Enter the following Azure CLI command:

      az role definition create --role-definition Policy_for_Setup_As_Service_Azure.json

    You now have a custom role called Azure SetupAsService. You can apply this custom role to your user account or to a service principal.

Step 3: Set up authentication

When creating the Console agent from the Console, you need to provide a login that enables the Console to authenticate with Azure and deploy the VM. You have two options:

  1. Sign in with your Azure account when prompted. This account must have specific Azure permissions. This is the default option.

  2. Provide details about a Microsoft Entra service principal. This service principal also requires specific permissions.

Follow the steps to prepare one of these authentication methods for use with the Console.

Azure account

Assign the custom role to the user who will deploy the Console agent from the Console.

Steps

  1. In the Azure portal, open the Subscriptions service and select the user's subscription.

  2. Click Access control (IAM).

  3. Click Add > Add role assignment and then add the permissions:

    1. Select the Azure SetupAsService role and click Next.

      Note Azure SetupAsService is the default name provided in the Console agent deployment policy for Azure. If you chose a different name for the role, then select that name instead.

    2. Keep User, group, or service principal selected.

    3. Click Select members, choose your user account, and click Select.

    4. Click Next.

    5. Click Review + assign.

Service principal

Rather than logging in with your Azure account, you can provide the Console with the credentials for an Azure service principal that has the required permissions.

Create and set up a service principal in Microsoft Entra ID and obtain the Azure credentials that the Console needs.

Create a Microsoft Entra application for role-based access control

  1. Ensure that you have permissions in Azure to create an Active Directory application and to assign the application to a role.

    For details, refer to Microsoft Azure Documentation: Required permissions

  2. From the Azure portal, open the Microsoft Entra ID service.

    Shows the Active Directory service in Microsoft Azure.

  3. In the menu, select App registrations.

  4. Select New registration.

  5. Specify details about the application:

    • Name: Enter a name for the application.

    • Account type: Select an account type (any will work with the NetApp Console).

    • Redirect URI: You can leave this field blank.

  6. Select Register.

    You've created the AD application and service principal.

Assign the custom role to the application

  1. From the Azure portal, open the Subscriptions service.

  2. Select the subscription.

  3. Click Access control (IAM) > Add > Add role assignment.

  4. In the Role tab, select the Console Operator role and click Next.

  5. In the Members tab, complete the following steps:

    1. Keep User, group, or service principal selected.

    2. Click Select members.

      A screenshot of the Azure portal that shows the Members page when adding a role to an application.

    3. Search for the name of the application.

      Here's an example:

      A screenshot of the Azure portal that shows the Add role assignment form in the Azure portal.

    4. Select the application and click Select.

    5. Click Next.

  6. Click Review + assign.

    The service principal now has the required Azure permissions to deploy the Console agent.

    If you want to manage resources in multiple Azure subscriptions, then you must bind the service principal to each of those subscriptions. For example, the Console enables you to select the subscription that you want to use when deploying Cloud Volumes ONTAP.

Add Windows Azure Service Management API permissions

  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Select API permissions > Add a permission.

  3. Under Microsoft APIs, select Azure Service Management.

    A screenshot of the Azure portal that shows the Azure Service Management API permissions.

  4. Select Access Azure Service Management as organization users and then select Add permissions.

    A screenshot of the Azure portal that shows adding the Azure Service Management APIs.

Get the application ID and directory ID for the application

  1. In the Microsoft Entra ID service, select App registrations and select the application.

  2. Copy the Application (client) ID and the Directory (tenant) ID.

    A screenshot that shows the application (client) ID and directory (tenant) ID for an application in Microsoft Entra IDy.

    When you add the Azure account to the Console, you need to provide the application (client) ID and the directory (tenant) ID for the application. The Console uses the IDs to programmatically sign in.

Create a client secret

  1. Open the Microsoft Entra ID service.

  2. Select App registrations and select your application.

  3. Select Certificates & secrets > New client secret.

  4. Provide a description of the secret and a duration.

  5. Select Add.

  6. Copy the value of the client secret.

    A screenshot of the Azure portal that shows a client secret for the Microsoft Entra service principal.

Result

Your service principal is now setup and you should have copied the application (client) ID, the directory (tenant) ID, and the value of the client secret. You need to enter this information in the Console when you create the Console agent.

Step 4: Create the Console agent

Create the Console agent directly from the NetApp Console.

About this task

  • Creating the Console agent from the Console deploys a virtual machine in Azure using a default configuration. Do not switch to a smaller VM instance with fewer CPUs or less RAM after creating the Console agent. Learn about the default configuration for the Console agent.

  • When the Console deploys the Console agent, it creates a custom role and assigns it to the Console agent VM. This role includes permissions that enables the Console agent to manage Azure resources. You need to ensure that the role is kept up to date as new permissions are added in subsequent releases. Learn more about the custom role for the Console agent.

Before you begin

You should have the following:

  • An Azure subscription.

  • A VNet and subnet in your Azure region of choice.

  • Details about a proxy server, if your organization requires a proxy for all outgoing internet traffic:

    • IP address

    • Credentials

    • HTTPS certificate

  • An SSH public key, if you want to use that authentication method for the Console agent virtual machine. The other option for the authentication method is to use a password.

    Learn about connecting to a Linux VM in Azure

  • If you don't want the Console to automatically create an Azure role for the Console agent, then you'll need to create your own using the policy on this page.

    These permissions are for the Console agent instance itself. It's a different set of permissions than what you previously set up to deploy the Console agent VM.

Steps

  1. Select Administration > Agents.

  2. On the Overview page, select Deploy agent > Azure

  3. On the Review page, review the requirements for deploying an agent. Those requirements are also detailed above on this page.

  4. On the Virtual Machine Authentication page, select the authentication option that matches how you set up Azure permissions:

    • Select Log in to log in to your Microsoft account, which should have the required permissions.

      The form is owned and hosted by Microsoft. Your credentials are not provided to NetApp.

      Tip If you're already logged in to an Azure account, then the Console automatically uses that account. If you have multiple accounts, then you might need to log out first to ensure that you're using the right account.

    • Select Active Directory service principal to enter information about the Microsoft Entra service principal that grants the required permissions:

      • Application (client) ID

      • Directory (tenant) ID

      • Client Secret

    Learn how to obtain these values for a service principal.

  5. On the Virtual Machine Authentication page, choose an Azure subscription, a location, a new resource group or an existing resource group, and then choose an authentication method for the Console agent virtual machine that you're creating.

    The authentication method for the virtual machine can be a password or an SSH public key.

    Learn about connecting to a Linux VM in Azure

  6. On the Details page, enter a name for the instance, specify tags, and choose whether you want the Console to create a new role that has the required permissions, or if you want to select an existing role that you set up with the required permissions.

    Note that you can choose the Azure subscriptions associated with this role. Each subscription that you choose provides the Console agent permissions to manage resources in that subscription (for example, Cloud Volumes ONTAP).

  7. On the Network page, choose a VNet and subnet, whether to enable a public IP address, and optionally specify a proxy configuration.

    • On the Security Group page, choose whether to create a new security group or whether to select an existing security group that allows the required inbound and outbound rules.

      View security group rules for Azure.

  8. Review your selections to verify that your set up is correct.

    1. The Validate agent configuration check box is marked by default to have the Console validate the network connectivity requirements when you deploy. If the Console fails to deploy the agent, it provides a report to help you troubleshoot. If the deployment succeeds, no report is provided.

    If you are still using the previous endpoints used for agent upgrades, the validation fails with an error. To avoid this, unmark the check box to skip the validation check.

  9. Select Add.

    The Console prepares the instance in about 10 minutes. Stay on the page until the process completes.

Result

After the process is complete, the Console agent is available for use from the Console.

Note If the deployment fails, you can download a report and logs from the Console to help you fix the issues. Learn how to troubleshoot installation issues.

If you have Azure Blob storage in the same Azure subscription where you created the Console agent, you'll see an Azure Blob storage system appear on the Systems page automatically. Learn how to manage Azure Blob storage from NetApp Console