NetApp Console setup and administration

Deploy the Console agent in restricted mode

Contributors netapp-tonias

Deploy the Console agent in restricted mode so that you can use the NetApp Console with limited outbound connectivity. To get started, install the Console agent, set up the Console by accessing the user interface that's running on the Console agent, and then provide the cloud permissions that you previously set up.

Step 1: Install the Console agent

Install the Console agent from your cloud provider's marketplace or manually on a Linux host.

AWS Commercial Marketplace
Before you begin

You should have the following:

Steps
  1. Go to the NetApp Console agent listing on the AWS Marketplace.

  2. On the Marketplace page, select Continue to Subscribe.

  3. To subscribe to the software, select Accept Terms.

    The subscription process can take a few minutes.

  4. After the subscription process is complete, select Continue to Configuration.

  5. On the Configure this software page, ensure that you've selected the correct region and then select Continue to Launch.

  6. On the Launch this software page, under Choose Action, select Launch through EC2 and then select Launch.

    Use the EC2 Console to launch the instance and attach an IAM role. This is not possible with the Launch from Website action.

  7. Follow the prompts to configure and deploy the instance:

    • Name and tags: Enter a name and tags for the instance.

    • Application and OS Images: Skip this section. The Console agent AMI is already selected.

    • Instance type: Depending on region availability, choose an instance type that meets RAM and CPU requirements (t3.2xlarge is preselected and recommended).

    • Key pair (login): Select the key pair that you want to use to securely connect to the instance.

    • Network settings: Edit the network settings as needed:

      • Choose the desired VPC and subnet.

      • Specify whether the instance should have a public IP address.

      • Specify security group settings that enable the required connection methods for the Console agent instance: SSH, HTTP, and HTTPS.

    • Configure storage: Keep the default size and disk type for the root volume.

      If you want to enable Amazon EBS encryption on the root volume, select Advanced, expand Volume 1, select Encrypted, and then choose a KMS key.

    • Advanced details: Under IAM instance profile, choose the IAM role that includes the required permissions for the Console agent.

    • Summary: Review the summary and select Launch instance.

Result

AWS launches the software with the specified settings. The Console agent instance and software run in approximately five minutes.

What's next?

Set up the NetApp Console.

AWS Gov Marketplace
Before you begin

You should have the following:

Steps
  1. Go to the NetApp Console agent offering in the AWS Marketplace.

    1. Open the EC2 service and select Launch instance.

    2. Select AWS Marketplace.

    3. Search for NetApp Console and select the offering.

    4. Select Continue.

  2. Follow the prompts to configure and deploy the instance:

    • Choose an Instance Type: Depending on region availability, choose one of the supported instance types (t3.2xlarge is recommended).

    • Configure Instance Details: Select a VPC and subnet, choose the IAM role that you created in step 1, enable termination protection (recommended), and choose any other configuration options that meet your requirements.

    • Add Storage: Keep the default storage options.

    • Add Tags: Enter tags for the instance, if desired.

    • Configure Security Group: Specify the required connection methods for the Console agent instance: SSH, HTTP, and HTTPS.

    • Review: Review your selections and select Launch.

Result

AWS launches the software with the specified settings. The Console agent instance and software run in approximately five minutes.

What's next?

Set up the Console.

Azure Gov Marketplace
Before you begin

You should have the following:

Steps
  1. Go to the NetApp Console agent VM page in the Azure Marketplace.

  2. Select Get it now and then select Continue.

  3. From the Azure portal, select Create and follow the steps to configure the virtual machine.

    Note the following as you configure the VM:

    • VM size: Choose a VM size that meets CPU and RAM requirements. We recommend Standard_D8s_v3.

    • Disks: The Console agent can perform optimally with either HDD or SSD disks.

    • Public IP: If you want to use a public IP address with the Console agent VM, the IP address must use a Basic SKU to ensure that the Console uses this public IP address.

      If you use a Standard SKU IP address instead, then the Console uses the private IP address of the Console agent, instead of the public IP. If the machine that you're using to access the Console doesn't have access to that private IP address, then actions from the Console will fail.

    • Network security group: The Console agent requires inbound connections using SSH, HTTP, and HTTPS.

    • Identity: Under Management, select Enable system assigned managed identity.

      This setting is important because a managed identity allows the Console agent virtual machine to identify itself to Microsoft Entra ID without providing any credentials. Learn more about managed identities for Azure resources.

  4. On the Review + create page, review your selections and select Create to start the deployment.

Result

Azure deploys the virtual machine with the specified settings. The virtual machine and Console agent software should be running in approximately five minutes.

What's next?

Set up the NetApp Console.

Manual install
Before you begin

You should have the following:

  • Root privileges to install the Console agent.

  • Details about a proxy server, if a proxy is required for internet access from the Console agent.

    You have the option to configure a proxy server after installation but doing so requires restarting the Console agent.

  • A CA-signed certificate, if the proxy server uses HTTPS or if the proxy is an intercepting proxy.

    Note: You cannot set a certificate for a transparent proxy server when manually installing the Console agent. If you need to set a certificate for a transparent proxy server, you must use the Maintenance Console after installation. Learn more about the Agent Maintenance Console.

  • You need to disable the configuration check that verifies outbound connectivity during installation. The manual install fails if this check is not disabled. Learn how to disable configuration checks for manual installations.

  • Depending on your operating system, either Podman or Docker Engine is required before you install the Console agent.

About this task

The installer that is available on the NetApp Support Site might be an earlier version. After installation, the Console agent automatically updates itself if a new version is available.

Steps
  1. If the http_proxy or https_proxy system variables are set on the host, remove them:

    unset http_proxy
    unset https_proxy

    If you don't remove these system variables, the installation fails.

  2. Download the Console agent software from the NetApp Support Site, and then copy it to the Linux host.

    You should download the "online" agent installer that's meant for use in your network or in the cloud.

  3. Assign permissions to run the script.

    chmod +x NetApp_Console_Agent_Cloud_<version>

    Where <version> is the version of the Console agent that you downloaded.

  4. If installing in a Government Cloud environment, disable the configuration checks. Learn how to disable configuration checks for manual installations.

  5. Run the installation script.

     ./NetApp_Console_Agent_Cloud_<version> --proxy <HTTP or HTTPS proxy server> --cacert <path and file name of a CA-signed certificate>

    You'll need to add proxy information if your network requires a proxy for internet access. You can add either a transparent or explicit proxy. The --proxy and --cacert parameters are optional and you won't be prompted to add them. If you have a proxy server, you will need to enter the parameters as shown.

    Here is an example configuring an explicit proxy server with a CA-signed certificate:

     ./NetApp_Console_Agent_Cloud_v4.0.0 --proxy https://user:password@10.0.0.30:8080/ --cacert /tmp/cacert/certificate.cer

    --proxy configures the Console agent to use an HTTP or HTTPS proxy server using one of the following formats:

    • http://address:port

    • http://user-name:password@address:port

    • http://domain-name%92user-name:password@address:port

    • https://address:port

    • https://user-name:password@address:port

    • https://domain-name%92user-name:password@address:port

      Note the following:

      • The user can be a local user or domain user.

      • For a domain user, you must use the ASCII code for a \ as shown above.

      • The Console agent doesn't support user names or passwords that include the @ character.

      • If the password includes any of the following special characters, you must escape that special character by prepending it with a backslash: & or !

        For example:

        http://bxpproxyuser:netapp1\!@address:3128

    --cacert specifies a CA-signed certificate to use for HTTPS access between the Console agent and the proxy server. This parameter is required for HTTPS proxy servers, intercepting proxy servers, and transparent proxy servers.

    Here is an example configuring a transparent proxy server. When you configure a transparent proxy, you don't need to define the proxy server. You only add a CA-signed certificate to your Console agent host:

     ./NetApp_Console_Agent_Cloud_v4.0.0 --cacert /tmp/cacert/certificate.cer

  6. If you used Podman, you'll need to adjust the aardvark-dns port.

    1. SSH to the Console agent virtual machine.

    2. Open the Podman /usr/share/containers/containers.conf file and modify the port chosen for the Aardvark DNS service. For example, change it to 54.

      vi /usr/share/containers/containers.conf
      ...
      # Port to use for dns forwarding daemon with netavark in rootful bridge
      # mode and dns enabled.
      # Using an alternate port might be useful if other DNS services should
      # run on the machine.
      #
      dns_bind_port = 54
      ...
      Esc:wq
    3. Reboot the Console agent virtual machine.
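
A pre-flight check for steps 1 and 5 above, as an added example that is not part of the NetApp installer or its documentation: it confirms that the proxy environment variables are unset and that the values planned for --proxy and --cacert follow the format rules listed in step 5. The function names are hypothetical, and the proxy value is checked exactly as it would be typed on the command line.

```shell
#!/bin/sh
# Added example: pre-flight checks for the manual install. Function names are
# hypothetical; nothing here is part of the NetApp installer.

# Step 1: the installation fails if http_proxy or https_proxy is set.
check_proxy_env() (
  rc=0
  [ -z "${http_proxy+x}" ]  || { echo "http_proxy is set: unset http_proxy"; rc=1; }
  [ -z "${https_proxy+x}" ] || { echo "https_proxy is set: unset https_proxy"; rc=1; }
  exit "$rc"
)

# Step 5: check_proxy_arg PROXY [CACERT]
# PROXY is the text exactly as typed after --proxy. Prints one line per
# problem and returns non-zero if any was found.
check_proxy_arg() (
  proxy=$1 cacert=${2-} rc=0
  case $proxy in
    http://*)  rest=${proxy#http://} ;;
    https://*) rest=${proxy#https://}
               # --cacert is required for HTTPS proxy servers.
               [ -n "$cacert" ] || { echo "https proxy needs --cacert"; rc=1; } ;;
    *) echo "proxy must start with http:// or https://"; exit 1 ;;
  esac
  rest=${rest%/}
  hostport=${rest##*@}
  case $rest in
    *@*)
      creds=${rest%@*}
      # @ is not supported inside the user name or password.
      case $creds in *@*) echo "user name or password contains @"; rc=1 ;; esac
      case $creds in
        *:*) pass=${creds#*:} ;;
        *)   echo "credentials must be user-name:password"; rc=1; pass= ;;
      esac
      # Drop correctly escaped \& and \!; any & or ! left over is unescaped.
      bare=$(printf '%s' "$pass" | sed 's/\\[&!]//g')
      case $bare in
        *'&'*|*'!'*) echo "escape & and ! in the password with a backslash"; rc=1 ;;
      esac ;;
  esac
  case $hostport in ?*:*) port=${hostport##*:} ;; *) port= ;; esac
  case $port in ''|*[!0-9]*) echo "expected address:port after the scheme"; rc=1 ;; esac
  if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
    echo "cannot read certificate file: $cacert"; rc=1
  fi
  exit "$rc"
)
```

Pass the proxy value in single quotes so the function sees the backslashes as typed, for example `check_proxy_arg 'http://bxpproxyuser:netapp1\!@address:3128'`.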

Result

The Console agent is now installed. At the end of the installation, the Console agent service (occm) restarts twice if you specified a proxy server.

What's next?

Set up the NetApp Console.

Step 2: Set up NetApp Console

When you access the Console for the first time, you are prompted to choose an organization for the Console agent and need to enable restricted mode.

Before you begin

The person who sets up the Console agent must log in to the Console using a login that doesn't already belong to a Console organization.

If your login is associated with another organization, you'll need to sign up with a new login. Otherwise, you won't see the option to enable restricted mode on the setup screen.

Steps
  1. Open a web browser from a host that has a connection to the Console agent instance and enter the following URL of the Console agent you installed.

  2. Sign up or log in to the NetApp Console.

  3. After you're logged in, set up the Console:

    1. Enter a name for the Console agent.

    2. Enter a name for a new Console organization.

    3. Select Are you running in a secured environment?

    4. Select Enable restricted mode on this account.

      Note that you can't change this setting after the account is created. You can't enable restricted mode later and you can't disable it later.

      If you deployed the Console agent in a Government region, the checkbox is already enabled and can't be changed. This is because restricted mode is the only mode supported in Government regions.

    5. Select Let's start.

Result

The Console agent is now installed and set up with your Console organization. All users need to access the Console using the IP address of the Console agent instance.

What's next?

Provide the Console with the permissions that you previously set up.

Step 3: Provide permissions to NetApp Console

If you deployed the Console agent from the Azure Marketplace or if you manually installed the Console agent software, you need to provide the permissions that you previously set up.

These steps don't apply if you deployed the Console agent from the AWS Marketplace because you chose the required IAM role during deployment.

AWS IAM role

Attach the IAM role that you previously created to the EC2 instance where you installed the Console agent.

These steps apply only if you manually installed the Console agent in AWS. For AWS Marketplace deployments, you already associated the Console agent instance with an IAM role that includes the required permissions.

Steps
  1. Go to the Amazon EC2 console.

  2. Select Instances.

  3. Select the Console agent instance.

  4. Select Actions > Security > Modify IAM role.

  5. Select the IAM role and select Update IAM role.

AWS access key

Provide the NetApp Console with the AWS access key for an IAM user that has the required permissions.

Steps
  1. Select Administration > Credentials.

  2. Select Organization credentials.

  3. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Amazon Web Services > Agent.

    2. Define Credentials: Enter an AWS access key and secret key.

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Azure role

Go to the Azure portal and assign the Azure custom role to the Console agent virtual machine for one or more subscriptions.

Steps
  1. From the Azure Portal, open the Subscriptions service and select your subscription.

    It's important to assign the role from the Subscriptions service because this specifies the scope of the role assignment at the subscription level. The scope defines the set of resources that the access applies to. If you specify a scope at a different level (for example, at the virtual machine level), your ability to complete actions from within the NetApp Console will be affected.

  2. Select Access control (IAM) > Add > Add role assignment.

  3. In the Role tab, select the Console Operator role and select Next.

    Note: Console Operator is the default name provided in the policy. If you chose a different name for the role, then select that name instead.

  4. In the Members tab, complete the following steps:

    1. Assign access to a Managed identity.

    2. Select Select members, select the subscription in which the Console agent virtual machine was created, under Managed identity, choose Virtual machine, and then select the Console agent virtual machine.

    3. Select Select.

    4. Select Next.

    5. Select Review + assign.

    6. If you want to manage resources in additional Azure subscriptions, switch to that subscription and then repeat these steps.

Azure service principal

Provide the NetApp Console with the credentials for the Azure service principal that you previously set up.

Steps
  1. Select Administration > Credentials.

  2. Select Add Credentials and follow the steps in the wizard.

    1. Credentials Location: Select Microsoft Azure > Agent.

    2. Define Credentials: Enter information about the Microsoft Entra service principal that grants the required permissions:

      • Application (client) ID

      • Directory (tenant) ID

      • Client Secret

    3. Marketplace Subscription: Associate a Marketplace subscription with these credentials by subscribing now or by selecting an existing subscription.

    4. Review: Confirm the details about the new credentials and select Add.

Result

The NetApp Console now has the permissions that it needs to perform actions in Azure on your behalf.

Google Cloud service account

Associate the service account with the Console agent VM.

Steps
  1. Go to the Google Cloud portal and assign the service account to the Console agent VM instance.

  2. If you want to manage resources in other projects, grant access by adding the service account with the Console agent role to that project. You'll need to repeat this step for each project.