Create a Console agent from the Azure Marketplace
You can create a Console agent in Azure directly from the Azure Marketplace. To create a Console agent from the Azure Marketplace, you need to set up your networking, prepare Azure permissions, review instance requirements, and then create the Console agent.
- You should have an understanding of Console agents.
- Review Console agent limitations.
Step 1: Set up networking
Ensure that the network location where you plan to install the Console agent supports the following requirements. These requirements enable the Console agent to manage resources in your hybrid cloud.
- Azure region
  If you use Cloud Volumes ONTAP, the Console agent should be deployed in the same Azure region as the Cloud Volumes ONTAP systems that it manages, or in the Azure region pair for the Cloud Volumes ONTAP systems. This requirement ensures that an Azure Private Link connection is used between Cloud Volumes ONTAP and its associated storage accounts.
- VNet and subnet
  When you create the Console agent, you need to specify the VNet and subnet where it should reside.
- Connections to target networks
  The Console agent requires a network connection to the location where you're planning to create and manage systems, for example the network where you plan to create Cloud Volumes ONTAP systems or a storage system in your on-premises environment.
- Outbound internet access
  The network location where you deploy the Console agent must have an outbound internet connection to contact specific endpoints.
- Endpoints contacted from the Console agent
  The Console agent requires outbound internet access to contact the following endpoints to manage resources and processes within your public cloud environment for day-to-day operations.
  The endpoints listed below are all CNAME entries.

  Endpoints                                         Purpose
  https://management.azure.com                      To manage resources in Azure public regions.
  https://login.microsoftonline.com
  https://blob.core.windows.net
  https://core.windows.net
  https://management.chinacloudapi.cn               To manage resources in Azure China regions.
  https://login.chinacloudapi.cn
  https://blob.core.chinacloudapi.cn
  https://core.chinacloudapi.cn
  https://mysupport.netapp.com                      To obtain licensing information and to send AutoSupport messages to NetApp support.
  https://signin.b2c.netapp.com                     To update NetApp Support Site (NSS) credentials or to add new NSS credentials to the NetApp Console.
  https://api.bluexp.netapp.com                     To provide features and services within the NetApp Console.
  https://netapp-cloud-account.auth0.com
  https://netapp-cloud-account.us.auth0.com
  https://console.netapp.com
  https://components.console.bluexp.netapp.com
  https://cdn.auth0.com
  https://bluexpinfraprod.eastus2.data.azurecr.io   To obtain images for Console agent upgrades.
  https://bluexpinfraprod.azurecr.io
  - When you deploy a new agent, the validation check tests connectivity to current endpoints. If you use previous endpoints, the validation check fails. To avoid this failure, skip the validation check.
    Although the previous endpoints are still supported, NetApp recommends updating your firewall rules to the current endpoints as soon as possible. Learn how to update your endpoint list.
  - When you update to the current endpoints in your firewall, your existing agents will continue to work.
- Proxy server
  NetApp supports both explicit and transparent proxy configurations. If you are using a transparent proxy, you only need to provide the certificate for the proxy server. If you are using an explicit proxy, you'll also need the IP address and credentials.
  - IP address
  - Credentials
  - HTTPS certificate
- Ports
  There's no incoming traffic to the Console agent, unless you initiate it or if it is used as a proxy to send AutoSupport messages from Cloud Volumes ONTAP to NetApp Support.
  - HTTP (80) and HTTPS (443) provide access to the local UI, which you'll use in rare circumstances.
  - SSH (22) is only needed if you need to connect to the host for troubleshooting.
  - Inbound connections over port 3128 are required if you deploy Cloud Volumes ONTAP systems in a subnet where an outbound internet connection isn't available.
    If Cloud Volumes ONTAP systems don't have an outbound internet connection to send AutoSupport messages, the Console automatically configures those systems to use a proxy server that's included with the Console agent. The only requirement is to ensure that the Console agent's security group allows inbound connections over port 3128. You'll need to open this port after you deploy the Console agent.
- Enable NTP
  If you're planning to use NetApp Data Classification to scan your corporate data sources, you should enable a Network Time Protocol (NTP) service on both the Console agent and the NetApp Data Classification system so that the time is synchronized between the systems. Learn more about NetApp Data Classification.
Implement the networking requirements after creating the Console agent.
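The following preflight script is an added example and not NetApp's code. It dials each HTTPS endpoint from the table above from the subnet where the Console agent will live, optionally through an explicit proxy (IP address and credentials) or with the certificate of a transparent proxy, so firewall or proxy gaps show up before the agent's own validation check runs. The endpoint list is copied from the table; the proxy argument format and the function names are this example's assumptions.

```python
"""Preflight check of the Console agent's outbound HTTPS endpoints.

Added example (not NetApp code): run it from the subnet where the Console
agent will be deployed to confirm that the firewall, and the proxy if you
use one, let the agent reach the endpoints listed in the table above.
"""
import base64
import http.client
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Endpoints copied from the table above (Azure public regions plus NetApp services).
PUBLIC_ENDPOINTS = [
    "https://management.azure.com",
    "https://login.microsoftonline.com",
    "https://blob.core.windows.net",
    "https://core.windows.net",
    "https://mysupport.netapp.com",
    "https://signin.b2c.netapp.com",
    "https://api.bluexp.netapp.com",
    "https://netapp-cloud-account.auth0.com",
    "https://netapp-cloud-account.us.auth0.com",
    "https://console.netapp.com",
    "https://components.console.bluexp.netapp.com",
    "https://cdn.auth0.com",
    "https://bluexpinfraprod.eastus2.data.azurecr.io",
    "https://bluexpinfraprod.azurecr.io",
]
# Use these instead of the first four public entries for Azure China regions.
CHINA_ENDPOINTS = [
    "https://management.chinacloudapi.cn",
    "https://login.chinacloudapi.cn",
    "https://blob.core.chinacloudapi.cn",
    "https://core.chinacloudapi.cn",
]

# Explicit proxy (assumed format for this example): host, port, username or None, password or None.
Proxy = Tuple[str, int, Optional[str], Optional[str]]


def endpoint_hosts(urls: List[str]) -> List[str]:
    """Strip the https:// scheme and any trailing slash so the names can be dialed."""
    hosts = []
    for url in urls:
        host = url[len("https://"):] if url.startswith("https://") else url
        hosts.append(host.rstrip("/"))
    return hosts


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0,
                   proxy: Optional[Proxy] = None,
                   ca_file: Optional[str] = None) -> Tuple[bool, str]:
    """Open a TLS session to host:port and send one HEAD request.

    Any HTTP status counts as reachable: the question is whether the path
    through the firewall/proxy works, not what the endpoint answers.
    ca_file is the proxy's certificate (PEM) when a transparent or explicit
    proxy re-signs TLS; when given, only that CA is trusted. Without it the
    certificate check fails, which is the correct outcome, not one to bypass.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        if proxy is not None:
            proxy_host, proxy_port, user, password = proxy
            headers = {}
            if user is not None:
                token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
                headers["Proxy-Authorization"] = f"Basic {token}"
            conn = http.client.HTTPSConnection(proxy_host, proxy_port,
                                               timeout=timeout, context=ctx)
            conn.set_tunnel(host, port, headers=headers)  # HTTP CONNECT via the explicit proxy
        else:
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        conn.request("HEAD", "/")
        status = conn.getresponse().status
        conn.close()
        return True, f"HTTP {status}"
    except (OSError, http.client.HTTPException) as exc:  # DNS, refused, timeout, TLS, proxy errors
        return False, f"{type(exc).__name__}: {exc}"


def run_preflight(hosts: List[str], **kwargs) -> Dict[str, Tuple[bool, str]]:
    """Check every host and return {host: (reachable, detail)}."""
    return {host: check_endpoint(host, **kwargs) for host in hosts}


if __name__ == "__main__":
    # Optional explicit proxy on the command line: host port [user password]
    args = sys.argv[1:]
    proxy = (args[0], int(args[1]), args[2] if len(args) > 2 else None,
             args[3] if len(args) > 3 else None) if len(args) >= 2 else None
    results = run_preflight(endpoint_hosts(PUBLIC_ENDPOINTS), proxy=proxy)
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host:50} {detail}")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it without arguments for a direct connection, or with the explicit proxy's address and credentials. A FAIL line names the exception (a DNS failure, a refused connection, a timeout, or a TLS verification error), which tells you whether to look at name resolution, the firewall allowlist, or the proxy certificate. The agent's own validation check covers the same endpoints at deployment time; this script only moves that discovery earlier.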
Step 2: Review VM requirements
When you create the Console agent, choose a virtual machine type that meets the following requirements.
- CPU
  8 cores or 8 vCPUs
- RAM
  32 GB
- Azure VM size
  An instance type that meets the CPU and RAM requirements above. We recommend Standard_D8s_v3.
Step 3: Set up permissions
You can provide permissions in the following ways:
- Option 1: Assign a custom role to the Azure VM using a system-assigned managed identity.
- Option 2: Provide the Console with the credentials for an Azure service principal that has the required permissions.
Follow these steps to set up permissions for the Console.
Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to the Azure documentation.
- If you're planning to manually install the software on your own host, enable a system-assigned managed identity on the VM so that you can provide the required Azure permissions through a custom role.
- Copy the contents of the custom role permissions for the Connector and save them in a JSON file.
- Modify the JSON file by adding Azure subscription IDs to the assignable scope.
  You should add the ID for each Azure subscription that you want to use with the NetApp Console.
  Example
    "AssignableScopes": [
        "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
        "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
        "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
    ]
- Use the JSON file to create a custom role in Azure.
  The following steps describe how to create the role by using Bash in Azure Cloud Shell.
  - Start Azure Cloud Shell and choose the Bash environment.
  - Upload the JSON file.
  - Use the Azure CLI to create the custom role:
      az role definition create --role-definition Connector_Policy.json
- Create and set up a service principal in Microsoft Entra ID and obtain the Azure credentials that the Console needs.
  - Ensure that you have permissions in Azure to create an Active Directory application and to assign the application to a role.
    For details, refer to Microsoft Azure Documentation: Required permissions.
  - From the Azure portal, open the Microsoft Entra ID service.
  - In the menu, select App registrations.
  - Select New registration.
  - Specify details about the application:
    - Name: Enter a name for the application.
    - Account type: Select an account type (any will work with the NetApp Console).
    - Redirect URI: You can leave this field blank.
  - Select Register.
    You've created the AD application and service principal.
- Create a custom role:
  Note that you can create an Azure custom role using the Azure portal, Azure PowerShell, Azure CLI, or REST API. The following steps show how to create the role using the Azure CLI. If you would prefer to use a different method, refer to the Azure documentation.
  - Copy the contents of the custom role permissions for the Console agent and save them in a JSON file.
  - Modify the JSON file by adding Azure subscription IDs to the assignable scope.
    You should add the ID for each Azure subscription from which users will create Cloud Volumes ONTAP systems.
    Example
      "AssignableScopes": [
          "/subscriptions/d333af45-0d07-4154-943d-c25fbzzzzzzz",
          "/subscriptions/54b91999-b3e6-4599-908e-416e0zzzzzzz",
          "/subscriptions/398e471c-3b42-4ae7-9b59-ce5bbzzzzzzz"
      ]
  - Use the JSON file to create a custom role in Azure.
    The following steps describe how to create the role by using Bash in Azure Cloud Shell.
    - Start Azure Cloud Shell and choose the Bash environment.
    - Upload the JSON file.
    - Use the Azure CLI to create the custom role:
        az role definition create --role-definition Connector_Policy.json
    You should now have a custom role called Console Operator that you can assign to the Console agent virtual machine.
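Both role-creation procedures on this page (the managed-identity option and the service-principal option) edit the same AssignableScopes list by hand before running az role definition create. The script below is an added example, not NetApp's code, that does that edit and checks it: each subscription ID must be a well-formed GUID, scopes are normalised to lowercase and de-duplicated, and any pre-existing scope that is not a subscription or management-group scope is rejected so the role cannot end up assignable more widely than intended. SAMPLE_ROLE is a constructed placeholder with one harmless action; for the real Connector_Policy.json use the permission list copied from the page's custom role policy.

```python
"""Add subscription scopes to the custom role JSON before az role definition create.

Added example (not NetApp code). SAMPLE_ROLE is a constructed placeholder
with one harmless action; use the permission list copied from the page's
custom role policy for the real Connector_Policy.json.
"""
import json
import sys
import uuid
from typing import Iterable, List

# Custom roles can be made assignable at management-group, subscription or
# resource-group scope (resource groups also start with /subscriptions/).
# Anything else already in the file is either a typo or wider than intended.
ALLOWED_SCOPE_PREFIXES = ("/subscriptions/", "/providers/Microsoft.Management/managementGroups/")

# Constructed placeholder role: NOT the Console agent's real permission list.
SAMPLE_ROLE = json.dumps({
    "Name": "Console Operator",
    "Actions": ["Microsoft.Compute/virtualMachines/read"],
    "NotActions": [],
    "AssignableScopes": [],
})


def subscription_scope(subscription_id: str) -> str:
    """Validate the ID as a GUID and return its canonical subscription scope."""
    try:
        parsed = uuid.UUID(subscription_id.strip())
    except ValueError as exc:
        raise ValueError(f"not a valid subscription ID: {subscription_id!r}") from exc
    return f"/subscriptions/{parsed}"  # str(UUID) is lowercase and hyphenated


def assignable_scopes(role_json: str) -> List[str]:
    """Return the AssignableScopes list of a role definition document."""
    return list(json.loads(role_json).get("AssignableScopes", []))


def add_assignable_scopes(role_json: str, subscription_ids: Iterable[str]) -> str:
    """Return the role JSON with one /subscriptions/<id> scope per ID, de-duplicated."""
    role = json.loads(role_json)
    for key in ("Name", "Actions"):
        if key not in role:
            raise ValueError(f"role definition is missing {key!r}")
    scopes = list(role.get("AssignableScopes", []))
    for scope in scopes:
        if not scope.startswith(ALLOWED_SCOPE_PREFIXES):
            raise ValueError(f"unexpected existing assignable scope: {scope!r}")
    for sid in subscription_ids:
        scope = subscription_scope(sid)
        if scope not in scopes:
            scopes.append(scope)
    if not scopes:
        raise ValueError("add at least one subscription ID to AssignableScopes")
    role["AssignableScopes"] = scopes
    return json.dumps(role, indent=4)


if __name__ == "__main__":
    # Usage: python add_scopes.py Connector_Policy.json <subscription-id> [<subscription-id> ...]
    if len(sys.argv) < 3:
        sys.exit("usage: add_scopes.py <role.json> <subscription-id>...")
    path, ids = sys.argv[1], sys.argv[2:]
    with open(path, encoding="utf-8") as fh:
        updated = add_assignable_scopes(fh.read(), ids)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated + "\n")
    print(f"{path}: AssignableScopes now has {len(assignable_scopes(updated))} entries")
```

Run it against the JSON file you saved, then upload the result to Azure Cloud Shell and run the az role definition create command from the steps above. Listing a subscription here only makes the role assignable there; the role assignment itself is still done per subscription in Step 5.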
- Assign the application to the role:
  - From the Azure portal, open the Subscriptions service.
  - Select the subscription.
  - Select Access control (IAM) > Add > Add role assignment.
  - In the Role tab, select the Console Operator role and select Next.
  - In the Members tab, complete the following steps:
    - Keep User, group, or service principal selected.
    - Select Select members.
    - Search for the name of the application.
    - Select the application and select Select.
    - Select Next.
  - Select Review + assign.
    The service principal now has the required Azure permissions to deploy the Console agent.
    If you want to deploy Cloud Volumes ONTAP from multiple Azure subscriptions, then you must bind the service principal to each of those subscriptions. In the NetApp Console, you can select the subscription that you want to use when deploying Cloud Volumes ONTAP.
- Add the Azure Service Management API permission to the application:
  - In the Microsoft Entra ID service, select App registrations and select the application.
  - Select API permissions > Add a permission.
  - Under Microsoft APIs, select Azure Service Management.
  - Select Access Azure Service Management as organization users and then select Add permissions.
- Copy the IDs for the application:
  - In the Microsoft Entra ID service, select App registrations and select the application.
  - Copy the Application (client) ID and the Directory (tenant) ID.
    When you add the Azure account to the Console, you need to provide the application (client) ID and the directory (tenant) ID for the application. The Console uses the IDs to programmatically sign in.
- Create a client secret:
  - Open the Microsoft Entra ID service.
  - Select App registrations and select your application.
  - Select Certificates & secrets > New client secret.
  - Provide a description of the secret and a duration.
  - Select Add.
  - Copy the value of the client secret.
Step 4: Create the Console agent
Launch the Console agent directly from the Azure Marketplace.
Creating the Console agent from the Azure Marketplace sets up a virtual machine with a default configuration. Learn about the default configuration for the Console agent.
You should have the following:
- An Azure subscription.
- A VNet and subnet in your Azure region of choice.
- Details about a proxy server, if your organization requires a proxy for all outgoing internet traffic:
  - IP address
  - Credentials
  - HTTPS certificate
- An SSH public key, if you want to use that authentication method for the Console agent virtual machine. The other option for the authentication method is to use a password.
- If you don't want the Console to automatically create an Azure role for the Console agent, then you'll need to create your own using the policy on this page.
  These permissions are for the Console agent instance itself. It's a different set of permissions than what you previously set up to deploy the Console agent VM.
- Go to the NetApp Console agent VM page in the Azure Marketplace.
- Select Get it now and then select Continue.
- From the Azure portal, select Create and follow the steps to configure the virtual machine.
  Note the following as you configure the VM:
  - VM size: Choose a VM size that meets CPU and RAM requirements. We recommend Standard_D8s_v3.
  - Disks: The Console agent can perform optimally with either HDD or SSD disks.
  - Network security group: The Console agent requires inbound connections using SSH, HTTP, and HTTPS.
  - Identity: Under Management, select Enable system assigned managed identity.
    This setting is important because a managed identity allows the Console agent virtual machine to identify itself to Microsoft Entra ID without providing any credentials. Learn more about managed identities for Azure resources.
- On the Review + create page, review your selections and select Create to start the deployment.
  Azure deploys the virtual machine with the specified settings. You should see the virtual machine and Console agent software running in about ten minutes.
  If the installation fails, you can view logs and a report to help you troubleshoot. Learn how to troubleshoot installation issues.
- Open a web browser from a host that has a connection to the Console agent virtual machine and enter the following URL, replacing ipaddress with the IP address of the Console agent virtual machine:
    https://ipaddress
- After you log in, set up the Console agent:
  - Specify the Console organization to associate with the Console agent.
  - Enter a name for the system.
  - Under Are you running in a secured environment? keep restricted mode disabled.
    Keep restricted mode disabled to use the Console in standard mode. You should enable restricted mode only if you have a secure environment and want to disconnect this account from the Console backend services. If that's the case, follow the steps to get started with the Console in restricted mode.
  - Select Let's start.
You have now installed the Console agent and set it up with your Console organization.
If you have Azure Blob storage in the same Azure subscription where you created the Console agent, you'll see an Azure Blob storage system appear on the Systems page automatically. Learn how to manage Azure Blob storage from the Console.
Step 5: Provide permissions to the Console agent
Now that you've created the Console agent, you need to provide it with the permissions that you previously set up. Providing the permissions enables the Console agent to manage your data and storage infrastructure in Azure.
Go to the Azure portal and assign the Azure custom role to the Console agent virtual machine for one or more subscriptions.
- From the Azure Portal, open the Subscriptions service and select your subscription.
  It's important to assign the role from the Subscriptions service because this specifies the scope of the role assignment at the subscription level. The scope defines the set of resources that the access applies to. If you specify a scope at a different level (for example, at the virtual machine level), your ability to complete actions from within the NetApp Console will be affected.
- Select Access control (IAM) > Add > Add role assignment.
- In the Role tab, select the Console Operator role and select Next.
  Console Operator is the default name provided in the policy. If you chose a different name for the role, then select that name instead.
- In the Members tab, complete the following steps:
  - Assign access to a Managed identity.
  - Select Select members, select the subscription in which the Console agent virtual machine was created, under Managed identity, choose Virtual machine, and then select the Console agent virtual machine.
  - Select Select.
- Select Next.
- Select Review + assign.
- If you want to manage resources in additional Azure subscriptions, switch to that subscription and then repeat these steps.
- Go to the NetApp Console to start using the Console agent.
- Select Administration > Credentials.
- Select Add Credentials and follow the steps in the wizard.
  - Credentials Location: Select Microsoft Azure > Agent.
  - Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:
    - Application (client) ID
    - Directory (tenant) ID
    - Client Secret
  - Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.
  - Review: Confirm the details about the new credentials and select Add.
The Console now has the permissions that it needs to perform actions in Azure on your behalf.