Preparing NetApp Data Availability Services infrastructure

Contributors netapp-forry netapp-aherbin

Deployment overview

Before using NetApp Data Availability Services to create and manage data protection workflows, a number of tasks must be completed in the ONTAP and AWS environments to deploy the NetApp Data Availability Services app.

The following table provides an overview of NetApp Data Availability Services prerequisite tasks and the privileges needed to complete them.

Prerequisite                                                          Expertise and privileges required
ONTAP cluster and SnapMirror requirements                             Storage administrator
Networking requirements                                               Network administrator
AWS account requirements                                              Cloud administrator
Enabling NetApp Data Availability Services app in AWS                 Cloud administrator
Registering NetApp Data Availability Services with ONTAP secondary    NetApp Data Availability Services administrator and storage administrator

ONTAP cluster and SnapMirror requirements

These requirements apply to the ONTAP cluster that contains the volumes you are backing up and to the secondary cluster that holds their SnapMirror destinations.

You must have ONTAP administrator privileges to configure these prerequisites.

ONTAP requirements for NetApp Data Availability Services:

  • The ONTAP clusters containing the source and secondary SnapMirror storage must be in a cluster peer relationship.
    ONTAP 9 documentation: Cluster and SVM Peering Express Guide

  • SnapMirror must be licensed on the source and secondary clusters.
    It is not necessary for SnapMirror relationships to be in effect before deploying NetApp Data Availability Services. NetApp Data Availability Services can configure a primary-secondary-cloud relationship. However, NetApp Data Availability Services also recognizes existing SnapMirror relationships.
    ONTAP 9 documentation: Data Protection Power Guide

  • ONTAP version 9.5P1 or later must be running on the secondary cluster.

  • ONTAP version 9.3 or later must be running on the primary cluster.

  • The ONTAP secondary cluster requires network access to AWS S3 and SQS.

Creating a NetApp Data Availability Services administrator custom role

You can optionally create a role that grants NetApp Data Availability Services administrators only those privileges needed for cloud backup and recovery. You can do so if it is not necessary or desirable for the NetApp Data Availability Services administrator to have full cluster privileges.

Before you begin

You must have cluster admin privileges to create custom roles.

About this task

When NetApp Data Availability Services is registered with an ONTAP secondary cluster, the NetApp Data Availability Services user must enter authentication information to allow the app to perform required operations on the cluster. The app user can authenticate as the cluster administrator with full cluster privileges. Alternatively, a custom role can be created for the app user, granting only those privileges required for cloud backup and recovery.

Permission to perform the following operations on the peered clusters is required. The left column lists the ONTAP command directories the role must cover; the right column lists the applications the login must be created for:

Command directories        Applications
cluster identity           http
cluster peer               ontapi
job                        service processor
job schedule               ssh
snapmirror
volume
volume snapshot
vserver
vserver peer

Custom roles must be created on the ONTAP secondary cluster and on any primary cluster peered to it. The roles must also be created on peered clusters whenever a new target is added.

The commands for role creation are cluster-wide and should only be entered once per cluster.

Steps
  1. Log in to the secondary cluster containing the target SnapMirror destination.

  2. Find the name of the admin SVM:
    vserver show -fields type

    The admin SVM is shown in the display as Type admin. This is the value you use for <admin_vserver> in subsequent commands.
    Example
    Vserver Type
    vs1 data
    vs2 data
    cl2 admin

  3. Create roles for the secondary cluster:
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "cluster identity" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "cluster peer" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "job" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "job schedule" -access all
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "snapmirror" -access all
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "volume" -access all
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "vserver" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_secondary -cmddirname "vserver peer" -access readonly

  4. Verify the role has the proper settings:
    security login role show -role ndas_secondary

  5. Create a login for the corresponding role:
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application console -authentication-method password -role ndas_secondary
    Enter and confirm your password when prompted.

  6. Create logins for other required applications:
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application http -authentication-method password -role ndas_secondary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ontapi -authentication-method password -role ndas_secondary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application service-processor -authentication-method password -role ndas_secondary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ssh -authentication-method password -role ndas_secondary

  7. Verify the login using ssh from a different system.
    After receiving the message "This is your first recorded login", the login can be used for the NetApp Data Availability Services app.

  8. Log in to the primary cluster containing the SnapMirror source volumes.

  9. Find the name of the admin SVM:
    vserver show -fields type

  10. Create roles for the primary cluster:
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "cluster identity" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "job" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "job schedule" -access all
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "snapmirror" -access all
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "volume" -access readonly
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "volume snapshot" -access all
    security login role create -vserver <admin_vserver> -role ndas_primary -cmddirname "vserver" -access readonly

  11. Verify that the new role has the proper settings:
    security login role show -role ndas_primary

  12. Create a login for the corresponding role:
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application console -authentication-method password -role ndas_primary
    Enter and confirm your password when prompted.

  13. Create logins for other required applications:
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application http -authentication-method password -role ndas_primary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ontapi -authentication-method password -role ndas_primary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application service-processor -authentication-method password -role ndas_primary
    security login create -vserver <admin_vserver> -user-or-group-name <login_name> -application ssh -authentication-method password -role ndas_primary

  14. Verify the login using ssh from a different system.

    After receiving the message "This is your first recorded login", the login can be used for the NetApp Data Availability Services app.

A NetApp Data Availability Services administrator can now use the new logins to authenticate with ONTAP clusters when registering new targets.

For more information, see “Defining custom roles.”
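As an added example (not NetApp code and not part of the procedure above), the following Python script checks a role created with the commands in steps 3 and 10 against the baseline those commands define. It parses the text printed by `security login role show -role <name> -fields cmddirname,access`; the sample output and its column layout are constructed, so compare them with what your cluster actually prints before relying on the parser. The point is the least-privilege check: a command directory granted all where readonly was specified, a directory added after the fact, a forgotten directory, or a DEFAULT entry set to anything other than none all change what the app credential can do on the cluster, and each case is reported separately.

```python
"""Audit ONTAP custom roles against the least-privilege baseline on this page.

Added example, not NetApp code. It parses the text that
`security login role show -role <name> -fields cmddirname,access` prints
(the sample below is constructed; the column layout is assumed from the
-fields output style) and reports where a role deviates from the documented
baseline: missing entries, extra command directories, and access levels that
were widened, for example "cluster peer" created with all instead of readonly.
"""

# Baseline copied from the role-creation steps above.
BASELINE = {
    "ndas_secondary": {
        "cluster identity": "readonly", "cluster peer": "readonly",
        "job": "readonly", "job schedule": "all", "snapmirror": "all",
        "volume": "all", "vserver": "readonly", "vserver peer": "readonly",
    },
    "ndas_primary": {
        "cluster identity": "readonly", "job": "readonly",
        "job schedule": "all", "snapmirror": "all", "volume": "readonly",
        "volume snapshot": "all", "vserver": "readonly",
    },
}
ACCESS_RANK = {"none": 0, "readonly": 1, "all": 2}  # ONTAP access levels, weakest first


def parse_role_show(text):
    """Return {(role, cmddirname): access} from -fields style output.

    Columns are whitespace aligned and cmddirname may itself contain spaces,
    so: first token is the vserver, second the role, last the access level,
    and everything in between is the command directory.
    """
    entries = {}
    for raw in text.splitlines():
        parts = raw.split()
        # Header, separator and the "N entries were displayed." trailer all end
        # in something that is not an access level, so they are skipped here.
        if len(parts) < 4 or parts[-1].lower() not in ACCESS_RANK:
            continue
        role, access = parts[1], parts[-1].lower()
        entries[(role, " ".join(parts[2:-1]))] = access
    return entries


def audit_role(role, entries):
    """Compare the parsed entries for one role against BASELINE[role]."""
    expected = BASELINE[role]
    actual = {cmd: acc for (r, cmd), acc in entries.items() if r == role}
    f = {"missing": [], "extra": [], "escalated": [], "reduced": []}
    for cmd, want in expected.items():
        have = actual.get(cmd)
        if have is None:
            f["missing"].append(cmd)                      # NDAS will fail on this
        elif ACCESS_RANK[have] > ACCESS_RANK[want]:
            f["escalated"].append((cmd, want, have))      # wider than documented
        elif ACCESS_RANK[have] < ACCESS_RANK[want]:
            f["reduced"].append((cmd, want, have))
    for cmd, have in actual.items():
        if cmd == "DEFAULT":
            # ONTAP carries an implicit DEFAULT entry for a custom role; anything
            # other than none there grants every command directory not listed.
            if have != "none":
                f["escalated"].append((cmd, "none", have))
        elif cmd not in expected:
            f["extra"].append((cmd, have))
    return f


def is_least_privilege(findings):
    """True when nothing is missing, widened, or added beyond the baseline."""
    return not (findings["missing"] or findings["extra"] or findings["escalated"])


# Constructed sample: "cluster peer" was created with -access all by mistake,
# "vserver peer" was forgotten, and someone later added "security login".
SAMPLE_SECONDARY = """\
vserver role           cmddirname       access
------- -------------- ---------------- --------
cl2     ndas_secondary DEFAULT          none
cl2     ndas_secondary cluster identity readonly
cl2     ndas_secondary cluster peer     all
cl2     ndas_secondary job              readonly
cl2     ndas_secondary job schedule     all
cl2     ndas_secondary security login   all
cl2     ndas_secondary snapmirror       all
cl2     ndas_secondary volume           all
cl2     ndas_secondary vserver          readonly
9 entries were displayed.
"""

if __name__ == "__main__":
    findings = audit_role("ndas_secondary", parse_role_show(SAMPLE_SECONDARY))
    for kind, items in findings.items():
        for item in items:
            print(f"{kind:10} {item}")
    print("least privilege:", is_least_privilege(findings))
```

Run it against the real output captured from each peered cluster after step 4 and step 11, and again whenever a new target is added, since that is when roles get recreated on another cluster. "reduced" findings break the app rather than weaken security, but they are worth listing so the fix is a targeted `security login role modify` rather than a jump back to the cluster admin account.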

Concurrent transfer limits for Copy to Cloud relationships

Copy to Cloud relationships include two kinds of transfers: data transfers and metadata transfers, the latter being used for cataloging the files in a backup.

In ONTAP 9.5, the maximum concurrent SnapMirror transfers per node are limited to 100. Out of these 100, a maximum of 32 can be Copy to Cloud data transfers. On nodes with DP_Optimized (DPO) licenses, the concurrent transfer limit increases to 200; however, Copy to Cloud data transfers are still limited to 32 out of 200.

In addition to data transfers, a node running ONTAP 9.5 (DPO or non-DPO) can have up to 32 Copy to Cloud Metadata transfers running in parallel.

Networking and security requirements

Before launching the NetApp Data Availability Services app in the AWS Marketplace and establishing hybrid cloud connectivity between NetApp Data Availability Services and an on-premises IT environment, the NetApp Data Availability Services administrator must ensure the IT environment is configured to support secure communication between ONTAP and AWS.

It is recommended that the NetApp Data Availability Services administrator work with their network, security and cloud administrator counterparts to agree upon NetApp Data Availability Services and on-premises network and security configuration parameters compatible with their corporate IT guidelines. Reaching these agreements before attempting to launch the NetApp Data Availability Services app will expedite the process.

Networking requirements include:

  • Region – NetApp Data Availability Services can be deployed only in Northern Virginia and some other regions. Refer to the AWS documentation on Regions.

  • Virtual private cloud (VPC) – NetApp Data Availability Services requires a VPC. The VPC must have either an internet gateway attached or VPC endpoints for the SQS and S3 services. Refer to the AWS documentation on VPCs.
    Note: Non-transparent (explicit) proxy servers between ONTAP clusters and VPCs are not supported for NetApp Data Availability Services traffic.

  • Subnets – One subnet must be configured in each of the two Availability Zones required for a NetApp Data Availability Services deployment. Refer to the AWS documentation on VPCs and subnets.

    • For subnet 1, as shown in Figure 1:

      • At least 10 assignable private IP addresses must be available to NetApp Data Availability Services.

      • Outbound connections to S3 and SQS in the same region must be allowed.

      • You must add routing rules to allow inbound connections on the portal private IP address and port 8082 from ELB. This inbound connection is needed only during the time access to the portal is required.

      • No public IP address is required for the EC2 instance in subnet 1.

      • Bi-directional communication to subnet 2 must be allowed.

    • For subnet 2, as shown in Figure 2 [figure numbering TBA]:

      • At least 10 assignable private IP addresses must be available to NetApp Data Availability Services.

      • Bi-directional communication to subnet 1 must be allowed.

  • Elastic Load Balancer (ELB) – The account must permit NetApp Data Availability Services to create an ELB. The launch process creates a public IP for an ELB that maps internally to the private IP of the NetApp Data Availability Services app EC2 instance. The app is always accessed through the public ELB address; the instance itself is not exposed. Refer to the AWS documentation on ELB.

  • AWS Certificate Manager (ACM) – The account user must have access to ACM. For HTTPS with a trusted certificate, the user must have already imported a certificate into ACM; otherwise, a self-signed certificate is used for the HTTPS connection, and browsers will warn until it is replaced.

Verify with your IT team that you have the requisite capacity and permissions described in the following table:

AWS resource                 Permission check      Description
EC2 Instance                 Create EC2            Checks whether permissions and capacity exist to create Elasticsearch EC2 servers.
Elastic Block Storage        Create EBS            Checks whether Elastic Block Storage create and attach permissions exist for the user.
EC2 Subnet Access            Check-subnet
Create SQS                   Check-Create SQS      Checks permissions to create SQS for the user.
Create, List Load Balancer

Security requirements include:

  • The security group used to launch the NetApp Data Availability Services instance should allow ports 22 (SSH), 443 (HTTPS), and 8082 (portal).

  • It is recommended to allow access to NetApp Data Availability Services private IPs only within a NetApp Data Availability Services subnet.

  • A Key Pair must be created to access a NetApp Data Availability Services portal instance using the CLI (ssh).
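The security group and subnet requirements above can be checked before launch. The following Python is an added example, not NetApp's Connectivity Checker and not AWS tooling: it reads the JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-subnets` return (field names as in the AWS CLI; both documents below are constructed samples with made-up IDs) and reports inbound rules outside ports 22, 443 and 8082, rules open to 0.0.0.0/0, required ports with no rule at all, and subnets that are not spread over two Availability Zones with at least 10 free addresses each. Treating any port other than 22/443/8082 as an error is a stricter reading than the page's wording and is marked as an assumption in the code; the warning on world-open rules follows the recommendation to reach NetApp Data Availability Services private IPs only from within its subnet and port 8082 only from the ELB.

```python
"""Pre-flight check of the AWS network pieces required for an NDAS deployment.

Added example, not NetApp's Connectivity Checker and not AWS tooling. It reads
the JSON documents returned by `aws ec2 describe-security-groups` and
`aws ec2 describe-subnets` (real field names; the two documents below are
constructed samples) and reports where they miss the requirements listed
above. Policy choices beyond the page's wording are marked as assumptions.
"""
import json

REQUIRED_PORTS = {22, 443, 8082}   # the security group must allow these (page)
MIN_FREE_IPS = 10                  # assignable private IPs per NDAS subnet (page)
REQUIRED_AZS = 2                   # one subnet in each of two AZs (page)


def check_security_group(sg):
    """Return [(severity, code, detail)] for one describe-security-groups entry."""
    findings = []
    granted = set()
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                                  # all protocols, all ports
            findings.append(("ERROR", "ALL_TRAFFIC", "ingress rule allows all traffic"))
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None:
            findings.append(("ERROR", "NO_PORT_RANGE", f"protocol {proto} rule without ports"))
            continue
        ports = set(range(lo, hi + 1))
        granted |= ports
        # Assumption (editor's stricter reading): nothing beyond 22/443/8082 belongs here.
        stray = sorted(ports - REQUIRED_PORTS)
        if stray:
            findings.append(("ERROR", "PORT_NOT_ALLOWED",
                             f"ports {stray[:8]} not in {sorted(REQUIRED_PORTS)}"))
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") == "0.0.0.0/0":
                # The page recommends reaching NDAS private IPs only from the NDAS
                # subnet and 8082 only from the ELB, so world-open rules are flagged.
                findings.append(("WARN", "WORLD_OPEN", f"ports {lo}-{hi} open to 0.0.0.0/0"))
    missing = sorted(REQUIRED_PORTS - granted)
    if missing:
        findings.append(("ERROR", "REQUIRED_PORT_MISSING", f"no ingress rule for ports {missing}"))
    return findings


def check_subnets(subnets, vpc_id):
    """Subnets of the VPC must span REQUIRED_AZS zones, each with MIN_FREE_IPS free."""
    findings = []
    in_vpc = [s for s in subnets if s.get("VpcId") == vpc_id]
    azs = {s["AvailabilityZone"] for s in in_vpc}
    if len(azs) < REQUIRED_AZS:
        findings.append(("ERROR", "AZ_COUNT", f"need {REQUIRED_AZS} AZs, found {sorted(azs)}"))
    for s in in_vpc:
        free = s.get("AvailableIpAddressCount", 0)
        if free < MIN_FREE_IPS:
            findings.append(("ERROR", "LOW_FREE_IPS",
                             f"{s['SubnetId']} has {free} free IPs, need {MIN_FREE_IPS}"))
    return findings


def preflight(sg_doc, subnet_doc, vpc_id):
    """Run both checks over raw CLI JSON; returns (ok, findings)."""
    findings = []
    for sg in sg_doc["SecurityGroups"]:
        findings += [(sev, code, f"{sg['GroupId']}: {d}")
                     for sev, code, d in check_security_group(sg)]
    findings += check_subnets(subnet_doc["Subnets"], vpc_id)
    ok = not any(sev == "ERROR" for sev, _, _ in findings)
    return ok, findings


# Constructed sample output (shape follows the AWS CLI; IDs and values are made up).
SAMPLE_SGS = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0example", "VpcId": "vpc-0example",
 "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
  {"IpProtocol": "tcp", "FromPort": 8082, "ToPort": 8082, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
 ]}]}""")
SAMPLE_SUBNETS = json.loads("""{"Subnets": [
 {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0example", "AvailabilityZone": "us-east-1a", "AvailableIpAddressCount": 200},
 {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0example", "AvailabilityZone": "us-east-1b", "AvailableIpAddressCount": 6}
]}""")

if __name__ == "__main__":
    ok, findings = preflight(SAMPLE_SGS, SAMPLE_SUBNETS, "vpc-0example")
    for sev, code, detail in findings:
        print(f"{sev:5} {code:22} {detail}")
    print("PASS" if ok else "FAIL")
```

Feed it the real documents (`aws ec2 describe-security-groups --group-ids <sg> > sg.json`, `aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc> > subnets.json`) and fix every ERROR before launching from the Marketplace; the WARN on 0.0.0.0/0 for port 8082 is acceptable only for the window in which portal access is actually needed, as the subnet 1 requirements above state.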

Using the NetApp Data Availability Services Connectivity Checker

After you have configured your network environment for the NetApp Data Availability Services app, you should run the Connectivity Checker to verify that all requirements are met and that system components are connected.

The Connectivity Checker is a free tool available from the Tool Chest [https://mysupport.netapp.com/tools/index.html] on the NetApp Support Site.