AWS, networking and security requirements

Contributors netapp-forry netapp-aherbin

Before launching the NetApp Data Availability Services (NDAS) app and establishing hybrid cloud connectivity between NetApp Data Availability Services and an on-premises IT environment, the network administrator must ensure the IT environment is configured to support secure communication between ONTAP and AWS.

Note: NDAS PreChecker is a free stand-alone tool that assesses your environment for compliance with the requirements listed in this topic; the tool and its instructions are available for download on the NetApp Support Site.

The AWS cloud and StorageGRID solutions have the same AWS, networking and security requirements.

Requirements overview

You must have access to the following AWS account and configuration information in order to verify AWS requirements in your networking environment:

  • Your organization’s AWS account information and access privileges

  • The AWS Region in which NetApp Data Availability Services will be enabled

  • AWS VPC settings

  • AWS Subnet settings

  • AWS Security Group settings

  • AWS Key Pair settings

  • Any port security restriction in AWS EC2 settings

  • Any existing AWS billing or metering rules that could affect the NDAS instances

It is recommended that the cloud administrator work with their network and security administrator counterparts to agree upon cloud and on-premises network and security configuration parameters compatible with their corporate IT guidelines. Reaching these agreements and recording configuration values before attempting to launch the NDAS app will expedite the process.

Note:
* AWS resources created by NDAS configuration, such as EC2 instances, SQS queues, and the load balancer, are visible with standard AWS tools and carry tags of either “NDAS” or “CRO”. Backup objects in the S3 bucket can also be browsed. Nonetheless, you should manage these objects only through the NDAS app: do not delete any backup objects or NDAS-created resources outside the NDAS app itself.
* Applying an AWS tiering (lifecycle) policy, for example to Amazon S3 Glacier or S3 Glacier Deep Archive, to the NDAS S3 bucket is not currently supported. If such a policy is in place, NDAS backups continue to run, but NDAS cannot restore any data that has been moved out of its S3 bucket.
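As an added example (not part of the NetApp documentation or of the NDAS product), the following Python script checks a bucket's lifecycle configuration for the unsupported tiering described in the second note, and also for expiration rules, which would delete backup objects outside the app contrary to the first note. It assumes the JSON shape produced by `aws s3api get-bucket-lifecycle-configuration --bucket <name>`; the sample rules are constructed for illustration, not taken from a real bucket.

```python
import json
import sys

# Storage classes whose objects must be restored before they can be read
# again. Per the note above, NDAS cannot restore data that has moved there.
ARCHIVE_CLASSES = {"GLACIER", "DEEP_ARCHIVE"}


def lifecycle_findings(lifecycle):
    """Scan the output of `aws s3api get-bucket-lifecycle-configuration`
    and return (rule_id, problem) pairs for enabled rules that would move
    NDAS backup objects into an archive class or delete them.

    A bucket with no lifecycle configuration (the CLI reports
    NoSuchLifecycleConfiguration) is represented here as an empty dict.
    """
    findings = []
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue                      # disabled rules do nothing (yet)
        rule_id = rule.get("ID", "<unnamed>")
        for key in ("Transitions", "NoncurrentVersionTransitions"):
            for transition in rule.get(key, []):
                storage_class = transition.get("StorageClass")
                if storage_class in ARCHIVE_CLASSES:
                    findings.append((rule_id, f"{key} to {storage_class}"))
        # Expiration deletes objects, which the first note above forbids
        # outside the NDAS app itself.
        for key in ("Expiration", "NoncurrentVersionExpiration"):
            if key in rule:
                findings.append((rule_id, f"{key} deletes backup objects"))
    return findings


# Constructed sample in the shape the CLI returns; not from a real bucket.
SAMPLE_LIFECYCLE = {
    "Rules": [
        {   # enabled transition to Glacier: breaks NDAS restores
            "ID": "archive-old-backups",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
        },
        {   # disabled rule: harmless until someone enables it
            "ID": "deep-archive-disabled",
            "Status": "Disabled",
            "Filter": {"Prefix": ""},
            "Transitions": [{"Days": 90, "StorageClass": "DEEP_ARCHIVE"}],
        },
        {   # only cleans up failed multipart uploads: fine
            "ID": "abort-stale-uploads",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        },
    ]
}


if __name__ == "__main__":
    # Pass a file containing the CLI's JSON, or run without arguments to
    # check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_LIFECYCLE
    for rule_id, problem in lifecycle_findings(data):
        print(f"rule {rule_id!r}: {problem}")
```

Run it against a saved `get-bucket-lifecycle-configuration` output before registering the bucket as a cloud target, and again whenever storage teams change bucket policies; an empty result means no enabled rule will archive or expire NDAS objects.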

AWS and networking requirements

  • AWS S3 bucket – NDAS requires an existing, empty S3 bucket to be used as a cloud target (object store) for cloud backups. The app administrator must know the bucket’s name, location, access key, and secret key in order to register the cloud target.

  • Region – NDAS is currently available in the following regions:

    • Asia Pacific (Hong Kong) (beginning with release 1.1.2)

    • Asia Pacific (Singapore) (beginning with release 1.1)

    • Asia Pacific (Sydney)

    • Asia Pacific (Tokyo)

    • EU (Frankfurt) (beginning with release 1.1)

    • EU (Ireland)

    • EU (London)

    • US East (N. Virginia)

    • US East (Ohio)

    • US West (N. California)

    • US West (Oregon)

      It is recommended that you select the supported region closest to the location of your target cluster. The selected region must include a VPC with at least two subnets.
      Refer to the AWS regions listed in the pull-down menu in the Launch Portal; additional regions will be added in later releases.

  • Virtual private cloud (VPC) – NDAS requires a VPC with these characteristics:

    • Either an attached internet gateway, or VPC endpoints for Amazon S3 and Amazon SQS (NDAS uses FIFO, First-In First-Out, queues), so that the NDAS instances can reach both services.

    • At least two subnets in different Availability Zones, each with a minimum of 10 free IP addresses.
      See the AWS documentation on VPCs.
      Note: Non-transparent (explicit) proxy servers between ONTAP clusters and VPCs are not supported for NDAS traffic.

  • Subnets and Availability Zones – NDAS runs an Elasticsearch database in two Availability Zones to provide improved performance and recovery from failure. One subnet must be configured in each of the two required Availability Zones. See the AWS documentation on VPCs and subnets.

    • For subnet 1:

      • At least 10 assignable private IP addresses must be available to NDAS.

      • Outbound connections to S3 and SQS in the same region must be allowed.

      • No public IP address is required for the EC2 instance in subnet 1 if the VPC's private IP addresses are reachable from the network where you launch the NetApp Data Availability Services app.

      • Bi-directional communication to subnet 2 must be allowed.

    • For subnet 2:

      • At least 10 assignable private IP addresses must be available to NDAS.

      • Bi-directional communication to subnet 1 must be allowed.

  • Elastic Load Balancer (ELB) – Your AWS account must allow NDAS to create an ELB. The NDAS launch process creates a public IP address for an ELB that maps internally to the private IP address of the NDAS app EC2 instance; the app is always accessed through the public ELB address. See the AWS documentation on ELB.

  • AWS Certificate Manager (ACM) certificate ARN – Specifying a certificate ARN is optional. If you want HTTPS to use your own certificate, specify the Amazon Resource Name (ARN) of a certificate already uploaded to, or issued by, ACM. If no certificate is specified, a self-signed certificate is generated and used for the HTTPS connection; browsers and API clients will not trust it by default.
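The VPC, subnet and Availability Zone requirements above can be checked mechanically before you launch. The following Python is an added example, not NetApp's PreChecker or any NDAS code: it consumes the JSON output of `aws ec2 describe-subnets`, `aws ec2 describe-internet-gateways` and `aws ec2 describe-vpc-endpoints`, picks a subnet pair that meets the two-AZ and 10-free-address rules, and confirms the VPC has either an internet gateway or S3 and SQS endpoints. The VPC ID, region and all sample records are constructed for illustration. It goes slightly beyond the text by also discarding subnets that belong to a different VPC.

```python
MIN_FREE_IPS = 10                    # per subnet, from the requirements above
REQUIRED_ENDPOINTS = {"s3", "sqs"}   # needed when there is no internet gateway


def usable_subnets_by_az(describe_subnets, vpc_id, min_free=MIN_FREE_IPS):
    """Map Availability Zone -> subnet IDs in `vpc_id` that still have at
    least `min_free` assignable private addresses.

    `describe_subnets` is the JSON output of `aws ec2 describe-subnets`.
    """
    by_az = {}
    for subnet in describe_subnets.get("Subnets", []):
        if subnet.get("VpcId") != vpc_id:
            continue                                  # wrong VPC
        if subnet.get("AvailableIpAddressCount", 0) < min_free:
            continue                                  # too full for NDAS
        by_az.setdefault(subnet["AvailabilityZone"], []).append(subnet["SubnetId"])
    return by_az


def pick_subnet_pair(describe_subnets, vpc_id, min_free=MIN_FREE_IPS):
    """Return (subnet_1, subnet_2) in two different AZs that each satisfy the
    free-address requirement, or None if the VPC cannot host NDAS."""
    by_az = usable_subnets_by_az(describe_subnets, vpc_id, min_free)
    if len(by_az) < 2:
        return None
    first_az, second_az = sorted(by_az)[:2]           # deterministic choice
    return by_az[first_az][0], by_az[second_az][0]


def vpc_has_egress(describe_igws, describe_endpoints, vpc_id, region):
    """True if the VPC has an attached internet gateway, or VPC endpoints
    for both S3 and SQS in `region`. Inputs are the JSON outputs of
    `aws ec2 describe-internet-gateways` and `aws ec2 describe-vpc-endpoints`."""
    for igw in describe_igws.get("InternetGateways", []):
        for attachment in igw.get("Attachments", []):
            # The API reports an attached gateway with State "available".
            if attachment.get("VpcId") == vpc_id and \
                    attachment.get("State") in ("available", "attached"):
                return True
    prefix = f"com.amazonaws.{region}."   # service names: com.amazonaws.<region>.<service>
    services = set()
    for endpoint in describe_endpoints.get("VpcEndpoints", []):
        if endpoint.get("VpcId") != vpc_id or endpoint.get("State") != "available":
            continue
        name = endpoint.get("ServiceName", "")
        if name.startswith(prefix):
            services.add(name[len(prefix):])
    return REQUIRED_ENDPOINTS <= services


# Constructed sample data in the CLI's output shape; not from a real account.
VPC_ID, REGION = "vpc-0example", "us-east-1"

SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-a1", "VpcId": VPC_ID, "AvailabilityZone": "us-east-1a", "AvailableIpAddressCount": 250},
    {"SubnetId": "subnet-a2", "VpcId": VPC_ID, "AvailabilityZone": "us-east-1a", "AvailableIpAddressCount": 0},
    {"SubnetId": "subnet-b1", "VpcId": VPC_ID, "AvailabilityZone": "us-east-1b", "AvailableIpAddressCount": 3},
    {"SubnetId": "subnet-b2", "VpcId": VPC_ID, "AvailabilityZone": "us-east-1b", "AvailableIpAddressCount": 40},
    {"SubnetId": "subnet-other", "VpcId": "vpc-0other", "AvailabilityZone": "us-east-1c", "AvailableIpAddressCount": 200},
]}

SAMPLE_IGWS = {"InternetGateways": []}        # no internet gateway attached

SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0s3", "VpcId": VPC_ID, "State": "available", "ServiceName": f"com.amazonaws.{REGION}.s3"},
    {"VpcEndpointId": "vpce-0sqs", "VpcId": VPC_ID, "State": "available", "ServiceName": f"com.amazonaws.{REGION}.sqs"},
]}


if __name__ == "__main__":
    print("subnet pair:", pick_subnet_pair(SAMPLE_SUBNETS, VPC_ID))
    print("egress OK:", vpc_has_egress(SAMPLE_IGWS, SAMPLE_ENDPOINTS, VPC_ID, REGION))
```

With the sample data the checker selects `subnet-a1` and `subnet-b2`: `subnet-a2` and `subnet-b1` fall below the 10-address minimum, and `subnet-other` is in another VPC. Because the sample VPC has no internet gateway, egress is satisfied only by the S3 and SQS endpoints together; removing either one makes `vpc_has_egress` return False.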

AWS permissions requirements

When you deploy NetApp Data Availability Services from the Launch Portal, you must use an AWS account (IAM user) that has specific permissions.
* In the AWS IAM console, create a policy by copying and pasting the contents of the NDAS AWS policy.
* Attach the policy to the IAM user that will be used to launch NetApp Data Availability Services.

Security requirements

  • Security Group – A security group must be available to launch the NDAS instance, and it must allow the following inbound ports:

    • 443 – HTTPS

    • 8082 – HTTP
      You must add a security group rule that allows inbound connections to the portal's private IP address on port 8082 from the ELB. To do so, select Custom TCP Rule in the Security Groups menu of the AWS EC2 console and enter 8082 as the port number.
      Note: If you select the predefined HTTP rule type instead of Custom TCP Rule, the console fixes the port at 80 and does not let you change it to 8082.

    • 22 – SSH (optional)
      Required only for NDAS password reset or troubleshooting. You can add this rule to the security group later as needed; it is not required for initial configuration. When you do add it, limit the source to your administrative network rather than 0.0.0.0/0.
      See the AWS documentation on Security Groups.

  • Key Pair – A key pair must be available to access an NDAS portal instance over SSH.
    You can reuse an existing key pair created for another NDAS instance or other AWS software, or create a new one in the AWS console, then download the private key and store it securely.
    See the AWS documentation on Key Pairs.

  • Private IP addresses – It is recommended to allow access to NDAS private IP addresses only from within an NDAS subnet. However, if your AWS account can be reached only through public IP addresses from the network where you run the NDAS portal, then using public IP addresses is acceptable.
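As an added example (not NetApp's code) of checking a candidate security group against the port list in the Security requirements above, the following Python reads one entry from `aws ec2 describe-security-groups` output and reports what is missing or over-exposed. The ELB security group ID `sg-0elb` and both sample groups are constructed: the weak group shows the common mistake of opening 8082 and 22 to the whole internet, the hardened one restricts 8082 to the ELB's security group and SSH to an admin network.

```python
WORLD = {"0.0.0.0/0", "::/0"}        # "anywhere" sources in either address family


def inbound_sources(security_group, port):
    """Return (cidrs, group_ids) allowed to reach `port`/tcp on this group.

    `security_group` is one element of the SecurityGroups list returned by
    `aws ec2 describe-security-groups`.
    """
    cidrs, groups = set(), set()
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            pass                                      # all protocols and ports
        elif proto in ("tcp", "6"):
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue                              # tcp, but a different port range
        else:
            continue                                  # udp/icmp/...: irrelevant here
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        groups.update(g["GroupId"] for g in perm.get("UserIdGroupPairs", []))
    return cidrs, groups


def check_ndas_security_group(security_group, elb_sg_id):
    """Compare a candidate NDAS security group with the port list above.
    Returns 'ERROR ...' strings (requirement not met) and 'WARN ...' strings
    (met, but more exposed than necessary); an empty list means OK."""
    findings = []
    cidrs_443, groups_443 = inbound_sources(security_group, 443)
    if not cidrs_443 and not groups_443:
        findings.append("ERROR 443/tcp (HTTPS) has no inbound rule")
    cidrs_8082, groups_8082 = inbound_sources(security_group, 8082)
    if elb_sg_id not in groups_8082:
        findings.append(f"ERROR 8082/tcp is not allowed from the ELB security group {elb_sg_id}")
    if cidrs_8082 & WORLD:
        findings.append("WARN 8082/tcp is open to the internet; only the ELB needs to reach it")
    cidrs_22, _ = inbound_sources(security_group, 22)
    if cidrs_22 & WORLD:
        findings.append("WARN 22/tcp (SSH) is open to the internet; it is optional and should be limited to admin networks")
    return findings


def _tcp_rule(port, cidrs=(), group_ids=()):
    """Build one IpPermissions entry in the API's shape (constructed data)."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": g} for g in group_ids],
    }


ELB_SG = "sg-0elb"    # assumed ID of the security group attached to the ELB

# Constructed: what a hasty "just open everything" group looks like.
WEAK_SG = {"GroupId": "sg-0weak", "IpPermissions": [
    _tcp_rule(443, cidrs=["0.0.0.0/0"]),
    _tcp_rule(8082, cidrs=["0.0.0.0/0"]),
    _tcp_rule(22, cidrs=["0.0.0.0/0"]),
]}

# Constructed: 443 from a corporate range, 8082 only from the ELB's group,
# SSH only from an admin jump network.
HARDENED_SG = {"GroupId": "sg-0hardened", "IpPermissions": [
    _tcp_rule(443, cidrs=["203.0.113.0/24"]),
    _tcp_rule(8082, group_ids=[ELB_SG]),
    _tcp_rule(22, cidrs=["10.10.0.0/24"]),
]}


if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        print(sg["GroupId"], check_ndas_security_group(sg, ELB_SG) or ["OK"])
```

Referencing the ELB's security group ID as the source of the 8082 rule, rather than a CIDR, is what keeps that port off the internet while still letting the load balancer reach the instance; the checker treats a world-open 8082 as a warning because the portal still works, but every host on the internet can then bypass the ELB and talk to the app directly.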