Frequently asked questions about Cloud Manager SaaS

Contributors netapp-bcammett netapp-tonacki Download PDF of this page

This FAQ answers key questions associated with the new Cloud Manager SaaS release.

What capabilities were introduced with the Cloud Manager SaaS release on Aug 3, 2020?

  • A unified API and UI

    A unified and centralized API control plane for all NetApp ONTAP-based storage solutions, providing customers with management and control of the following:

    • Azure NetApp Files

    • Cloud Volumes Service for AWS

    • Cloud Volumes Service for Google Cloud

    • Cloud Volumes ONTAP

  • Seamless integration with NetApp data services

    For smooth integration, storage solutions come built-in with data services that can be easily integrated.

  • Centralized management of multiple environments

    Deployment and management of multiple environments is now simplified. With previous releases, a customer had to deploy Cloud Manager instances in every desirable location. With the new release, the Cloud Manager agent is now renamed to Connector.

    Users with multiple NetApp Cloud Central Accounts or Connectors can easily switch between different accounts and environments.

  • Public endpoint for API and UI

    With the new release you can access the API and GUI for your Cloud Manager securely via

What will happen to the Cloud Manager instance deployed in my VPC/VNet?

As mentioned, the Cloud Manager instance deployed in a customer’s network is now called a Connector.

The role of the Connector hasn’t changed. It has the same purpose as before—​to manage resources and processes within the customer’s public cloud network.

Can I remove the Connector now that I am using the SaaS platform?

No, you should not. The Connector is the same software that was used to manage resources and processes within your public cloud environments, such as deploying and managing Cloud Volumes ONTAP, enabling Cloud Backup, deploying Cloud Data Sense, and more.

When is a SaaS-based subscription required?

A SaaS-based subscription is available from your cloud provider’s marketplace to pay for the following as you go:

  • Cloud Volumes ONTAP (starting with version 9.6 in AWS and GCP, and version 9.7 in Azure)

  • Cloud Backup

  • Cloud Data Sense

  • Cloud Tiering

For Cloud Volumes ONTAP, Cloud Backup, and Cloud Tiering, you also have the option to purchase licenses directly from NetApp. In those cases, a SaaS-based subscription isn’t required.

A SaaS-based subscription is the only way to pay for Cloud Data Sense.

When you get started with these services, Cloud Manager prompts you to subscribe if a subscription isn’t in place. You’ll only need to subscribe once—​Cloud Manager uses the same subscription for each of these services.

The following links provide pricing and subscription details for these services.

Can I still use my Cloud Manager the same way that I did before (locally through the instance deployed in my VPC)?

Yes, you can do that by clicking the Connector menu and clicking Go to local UI or by entering the Connector’s IP address directly into your web browser.

Is a migration or any specific action required to move to Cloud Manager SaaS?

Nothing is needed. Just browse to and start working. Obviously, access to Cloud Manager is only granted to authorized users.

Did Cloud Volumes ONTAP or the data that it stores change or move anywhere?

No. It’s where it’s always been—​in your VPC or VNet, under your management.

Where is the endpoint for the Cloud Manager SaaS platform?

It’s operated securely by NetApp in the public cloud.

What kind of data or metadata is stored in the Cloud Manager SaaS service layer?

No data is stored in the Cloud Manager SaaS service layer.

The SaaS platform is used as a secure pipeline for API calls (HTTPS with a NetApp-signed certificate) between the user’s web browser and the local Connector or the different NetApp services integrated into Cloud Manager.

What data or metadata is stored by the Connector that’s deployed in the VPC/VNet?

The Connector/Cloud Manager has not changed. It’s storing the same data that it did in the previous release. It only holds metadata required to manage resources and processes within your public cloud environments, such as deploying and managing Cloud Volumes ONTAP, enabling Cloud Backup, deploying and using Cloud Data Sense, and more (see the Learn about Connectors page for the complete list of services).

What are the data and metadata paths?

Data from the Connector to the customer is transported via HTTPS, encrypted and signed by a NetApp certificate. The SaaS-based UI serves as a secure pipeline between the client web browser and the Connector. That means the data from the Connector can be accessed only by authorized users.

For customers utilizing the Cloud Data Sense service, it is now encrypted end-to-end. The key exchange takes place between the web browser and the Connector, so NetApp can’t read any of the data. Learn more about Cloud Data Sense.

Is there a GDPR impact when using the Cloud Data Sense service through the SaaS endpoint?

The data is encrypted end-to-end. The key exchange takes place between the web browser and the Connector, so NetApp can’t read any of the data.

What kind of network direction access is used for the SaaS-based UI and API to access the Connector?

  • Communication from the customer’s VPC/VNet to the SaaS-based UI is only outbound, which means it’s only initiated by the Connector.

  • The Connector polls for updates from the SaaS-based service tier on a secure channel.

  • All API calls use authentication and authorization to ensure that access is secure.

    This means that no additional ports/endpoints in your network need to be opened.

  • Communication between the user’s browser client and the SaaS-based UI uses HTTPS with a NetApp-signed certificate.

Has the login flow changed?

No, the login flow has stayed the same as the previous release. When a user logs in (SSO or credentials), they are authenticated against Auth0, just like before.

Note the following:

  • If SSO or Federation is in place, the same security procedures that were being used are still in place. Access is federation at your company’s facility. When utilizing federated access, you can add MFA (at your company’s discretion) for heightened security.

  • There are no changes to roles or permissions. Only users who are registered with the Cloud Central account can access the SaaS-based endpoints.

  • Usage of Incognito Mode or a configuration where 3rd party cookies are not allowed in your client browser is currently not supported.

Is the SaaS-based Cloud Manager compliant (SOC2, FedRAMP, etc.)?

Cloud Manager is in the process of obtaining SOC2 certification.

To comply with FedRAMP certification, the SaaS-based UI is not enabled for customers who deploy a Cloud Manager Connector in Gov Cloud regions.