English

Networking requirements for the Connector

Contributors netapp-bcammett Download PDF of this page

Set up your networking so the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.

If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server.

Connection to target networks

A Connector requires a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.

Outbound internet access

The Connector requires outbound internet access to manage resources and processes within your public cloud environment. Outbound internet access is also required if you want to manually install the Connector on a Linux host or access the local UI running on the Connector.

The following sections identify the specific endpoints.

Endpoints to manage resources in AWS

A Connector contacts the following endpoints when managing resources in AWS:

Endpoints Purpose

AWS services (amazonaws.com):

  • CloudFormation

  • Elastic Compute Cloud (EC2)

  • Key Management Service (KMS)

  • Security Token Service (STS)

  • Simple Storage Service (S3)

The exact endpoint depends on the region in which you deploy Cloud Volumes ONTAP. Refer to AWS documentation for details.

Enables the Connector to deploy and manage Cloud Volumes ONTAP in AWS.

https://api.services.cloud.netapp.com:443

API requests to NetApp Cloud Central.

https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com

Provides access to software images, manifests, and templates.

https://repo.cloud.support.netapp.com

Used to download Cloud Manager dependencies.

http://repo.mysql.com/

Used to download MySQL.

https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://sts.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.amazonaws.com

Enables the Connector to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.

https://cloudmanagerinfraprod.azurecr.io

Access to software images of container components for an infrastructure that’s running Docker and provides a solution for service integrations with Cloud Manager.

https://kinesis.us-east-1.amazonaws.com

Enables NetApp to stream data from audit records.

https://cloudmanager.cloud.netapp.com

Communication with the Cloud Manager service, which includes Cloud Central accounts.

https://netapp-cloud-account.auth0.com

Communication with NetApp Cloud Central for centralized user authentication.

https://w86yt021u5.execute-api.us-east-1.amazonaws.com/production/whitelist

Used to add your AWS account ID to the list of allowed users for Backup to S3.

https://support.netapp.com/aods/asupmessage
https://support.netapp.com/asupprod/post/1.0/postAsup

Communication with NetApp AutoSupport.

https://support.netapp.com/svcgw
https://support.netapp.com/ServiceGW/entitlement
https://eval.lic.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com.s3.us-west-1.amazonaws.com

Communication with NetApp for system licensing and support registration.

https://client.infra.support.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.us-west-1.amazonaws.com
https://trigger.asup.netapp.com.s3.us-west-1.amazonaws.com

Enables NetApp to collect information needed to troubleshoot support issues.

https://ipa-signer.cloudmanager.netapp.com

Enables Cloud Manager to generate licenses (for example, a FlexCache license for Cloud Volumes ONTAP)

https://packages.cloud.google.com/yum
https://github.com/NetApp/trident/releases/download/

Required to connect Cloud Volumes ONTAP systems with a Kubernetes cluster. The endpoints enable installation of NetApp Trident.

Various third-party locations, for example:

  • https://repo1.maven.org/maven2

  • https://oss.sonatype.org/content/repositories

  • https://repo.typesafe.org

Third-party locations are subject to change.

During upgrades, Cloud Manager downloads the latest packages for third-party dependencies.

Endpoints to manage resources in Azure

A Connector contacts the following endpoints when managing resources in Azure:

Endpoints Purpose

https://management.azure.com
https://login.microsoftonline.com

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in most Azure regions.

https://management.microsoftazure.de
https://login.microsoftonline.de

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure Germany regions.

https://management.usgovcloudapi.net
https://login.microsoftonline.com

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure US Gov regions.

https://api.services.cloud.netapp.com:443

API requests to NetApp Cloud Central.

https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com

Provides access to software images, manifests, and templates.

https://repo.cloud.support.netapp.com

Used to download Cloud Manager dependencies.

http://repo.mysql.com/

Used to download MySQL.

https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://sts.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.amazonaws.com

Enables the Connector to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.

https://cloudmanagerinfraprod.azurecr.io

Access to software images of container components for an infrastructure that’s running Docker and provides a solution for service integrations with Cloud Manager.

https://kinesis.us-east-1.amazonaws.com

Enables NetApp to stream data from audit records.

https://cloudmanager.cloud.netapp.com

Communication with the Cloud Manager service, which includes Cloud Central accounts.

https://netapp-cloud-account.auth0.com

Communication with NetApp Cloud Central for centralized user authentication.

https://mysupport.netapp.com

Communication with NetApp AutoSupport.

https://support.netapp.com/svcgw
https://support.netapp.com/ServiceGW/entitlement
https://eval.lic.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com.s3.us-west-1.amazonaws.com

Communication with NetApp for system licensing and support registration.

https://client.infra.support.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.us-west-1.amazonaws.com
https://trigger.asup.netapp.com.s3.us-west-1.amazonaws.com

Enables NetApp to collect information needed to troubleshoot support issues.

https://ipa-signer.cloudmanager.netapp.com

Enables Cloud Manager to generate licenses (for example, a FlexCache license for Cloud Volumes ONTAP)

https://packages.cloud.google.com/yum
https://github.com/NetApp/trident/releases/download/

Required to connect Cloud Volumes ONTAP systems with a Kubernetes cluster. The endpoints enable installation of NetApp Trident.

*.blob.core.windows.net

Required for HA pairs when using a proxy.

Various third-party locations, for example:

  • https://repo1.maven.org/maven2

  • https://oss.sonatype.org/content/repositories

  • https://repo.typesafe.org

Third-party locations are subject to change.

During upgrades, Cloud Manager downloads the latest packages for third-party dependencies.

Endpoints to manage resources in GCP

A Connector contacts the following endpoints when managing resources in GCP:

Endpoints Purpose

https://www.googleapis.com

Enables the Connector to contact Google APIs for deploying and managing Cloud Volumes ONTAP in GCP.

https://api.services.cloud.netapp.com:443

API requests to NetApp Cloud Central.

https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com

Provides access to software images, manifests, and templates.

https://repo.cloud.support.netapp.com

Used to download Cloud Manager dependencies.

http://repo.mysql.com/

Used to download MySQL.

https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://sts.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.amazonaws.com

Enables the Connector to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.

https://cloudmanagerinfraprod.azurecr.io

Access to software images of container components for an infrastructure that’s running Docker and provides a solution for service integrations with Cloud Manager.

https://kinesis.us-east-1.amazonaws.com

Enables NetApp to stream data from audit records.

https://cloudmanager.cloud.netapp.com

Communication with the Cloud Manager service, which includes Cloud Central accounts.

https://netapp-cloud-account.auth0.com

Communication with NetApp Cloud Central for centralized user authentication.

https://mysupport.netapp.com

Communication with NetApp AutoSupport.

https://support.netapp.com/svcgw
https://support.netapp.com/ServiceGW/entitlement
https://eval.lic.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com.s3.us-west-1.amazonaws.com

Communication with NetApp for system licensing and support registration.

https://client.infra.support.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.us-west-1.amazonaws.com
https://trigger.asup.netapp.com.s3.us-west-1.amazonaws.com

Enables NetApp to collect information needed to troubleshoot support issues.

https://ipa-signer.cloudmanager.netapp.com

Enables Cloud Manager to generate licenses (for example, a FlexCache license for Cloud Volumes ONTAP)

https://packages.cloud.google.com/yum
https://github.com/NetApp/trident/releases/download/

Required to connect Cloud Volumes ONTAP systems with a Kubernetes cluster. The endpoints enable installation of NetApp Trident.

Various third-party locations, for example:

  • https://repo1.maven.org/maven2

  • https://oss.sonatype.org/content/repositories

  • https://repo.typesafe.org

Third-party locations are subject to change.

During upgrades, Cloud Manager downloads the latest packages for third-party dependencies.

Endpoints to install the Connector on a Linux host

You have the option to manually install the Connector software on your own Linux host. If you do, the installer for the Connector must access the following URLs during the installation process:

  • http://dev.mysql.com/get/mysql-community-release-el7-5.noarch.rpm

  • https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

  • https://s3.amazonaws.com/aws-cli/awscli-bundle.zip

The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.

Endpoints accessed from your web browser when using the local UI

While you should perform almost all tasks from the SaaS user interface, a local user interface is still available on the Connector. The machine running the web browser must have connections to the following endpoints:

Endpoints Purpose

The Connector host

You must enter the host’s IP address from a web browser to load the Cloud Manager console.

Depending on your connectivity to your cloud provider, you can use the private IP or a public IP assigned to the host:

  • A private IP works if you have a VPN and direct connect access to your virtual network

  • A public IP works in any networking scenario

In any case, you should secure network access by ensuring that security group rules allow access from only authorized IPs or subnets.

https://auth0.com
https://cdn.auth0.com
https://netapp-cloud-account.auth0.com
https://services.cloud.netapp.com

Your web browser connects to these endpoints for centralized user authentication through NetApp Cloud Central.

https://widget.intercom.io

For in-product chat that enables you to talk to NetApp cloud experts.

Ports and security groups

There’s no incoming traffic to the Connector, unless you initiate it. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.

Rules for the Connector in AWS

The security group for the Connector requires both inbound and outbound rules.

Inbound rules

The source for inbound rules in the predefined security group is 0.0.0.0/0.

Protocol Port Purpose

SSH

22

Provides SSH access to the Connector host

HTTP

80

Provides HTTP access from client web browsers to the local user interface and connections from Cloud Compliance

HTTPS

443

Provides HTTPS access from client web browsers to the local user interface

TCP

3128

Provides the Cloud Compliance instance with internet access, if your AWS network doesn’t use a NAT or proxy

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Protocol Port Purpose

All TCP

All

All outbound traffic

All UDP

All

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

The source IP address is the Connector host.
Service Protocol Port Destination Purpose

Active Directory

TCP

88

Active Directory forest

Kerberos V authentication

TCP

139

Active Directory forest

NetBIOS service session

TCP

389

Active Directory forest

LDAP

TCP

445

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

TCP

464

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

TCP

749

Active Directory forest

Active Directory Kerberos V change & set password (RPCSEC_GSS)

UDP

137

Active Directory forest

NetBIOS name service

UDP

138

Active Directory forest

NetBIOS datagram service

UDP

464

Active Directory forest

Kerberos key administration

API calls and AutoSupport

HTTPS

443

Outbound internet and ONTAP cluster management LIF

API calls to AWS and ONTAP, and sending AutoSupport messages to NetApp

API calls

TCP

3000

ONTAP cluster management LIF

API calls to ONTAP

TCP

8088

Backup to S3

API calls to Backup to S3

DNS

UDP

53

DNS

Used for DNS resolve by Cloud Manager

Cloud Compliance

HTTP

80

Cloud Compliance instance

Cloud Compliance for Cloud Volumes ONTAP

Rules for the Connector in Azure

The security group for the Connector requires both inbound and outbound rules.

Inbound rules

The source for inbound rules in the predefined security group is 0.0.0.0/0.

Port Protocol Purpose

22

SSH

Provides SSH access to the Connector host

80

HTTP

Provides HTTP access from client web browsers to the local user interface

443

HTTPS

Provides HTTPS access from client web browsers to the local user interface

Outbound rules

The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for the Connector includes the following outbound rules.

Port Protocol Purpose

All

All TCP

All outbound traffic

All

All UDP

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

The source IP address is the Connector host.
Service Port Protocol Destination Purpose

Active Directory

88

TCP

Active Directory forest

Kerberos V authentication

139

TCP

Active Directory forest

NetBIOS service session

389

TCP

Active Directory forest

LDAP

445

TCP

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

464

TCP

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

749

TCP

Active Directory forest

Active Directory Kerberos V change & set password (RPCSEC_GSS)

137

UDP

Active Directory forest

NetBIOS name service

138

UDP

Active Directory forest

NetBIOS datagram service

464

UDP

Active Directory forest

Kerberos key administration

API calls and AutoSupport

443

HTTPS

Outbound internet and ONTAP cluster management LIF

API calls to AWS and ONTAP, and sending AutoSupport messages to NetApp

API calls

3000

TCP

ONTAP cluster management LIF

API calls to ONTAP

DNS

53

UDP

DNS

Used for DNS resolve by Cloud Manager

Rules for the Connector in GCP

The firewall rules for the Connector requires both inbound and outbound rules.

Inbound rules

The source for inbound rules in the predefined firewall rules is 0.0.0.0/0.

Protocol Port Purpose

SSH

22

Provides SSH access to the Connector host

HTTP

80

Provides HTTP access from client web browsers to the local user interface

HTTPS

443

Provides HTTPS access from client web browsers to the local user interface

Outbound rules

The predefined firewall rules for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined firewall rules for the Connector includes the following outbound rules.

Protocol Port Purpose

All TCP

All

All outbound traffic

All UDP

All

All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

The source IP address is the Connector host.
Service Protocol Port Destination Purpose

Active Directory

TCP

88

Active Directory forest

Kerberos V authentication

TCP

139

Active Directory forest

NetBIOS service session

TCP

389

Active Directory forest

LDAP

TCP

445

Active Directory forest

Microsoft SMB/CIFS over TCP with NetBIOS framing

TCP

464

Active Directory forest

Kerberos V change & set password (SET_CHANGE)

TCP

749

Active Directory forest

Active Directory Kerberos V change & set password (RPCSEC_GSS)

UDP

137

Active Directory forest

NetBIOS name service

UDP

138

Active Directory forest

NetBIOS datagram service

UDP

464

Active Directory forest

Kerberos key administration

API calls and AutoSupport

HTTPS

443

Outbound internet and ONTAP cluster management LIF

API calls to GCP and ONTAP, and sending AutoSupport messages to NetApp

API calls

TCP

3000

ONTAP cluster management LIF

API calls to ONTAP

DNS

UDP

53

DNS

Used for DNS resolve by Cloud Manager