Networking requirements to deploy and manage Cloud Volumes ONTAP in GCP

Contributors: netapp-bcammett

Set up your Google Cloud Platform networking so Cloud Volumes ONTAP systems can operate properly. This includes networking for the Connector and Cloud Volumes ONTAP.

Requirements for Cloud Volumes ONTAP

The following requirements must be met in GCP.

Shared VPC

The Connector and Cloud Volumes ONTAP are supported in a Google Cloud Platform shared VPC.

A shared VPC enables you to configure and centrally manage virtual networks across multiple projects. You can set up shared VPC networks in the host project and deploy the Connector and Cloud Volumes ONTAP virtual machine instances in a service project. Google Cloud documentation: Shared VPC overview.

The only requirement is to provide the Compute Network User role to the Connector service account.

Cloud Manager needs these permissions to query the firewalls, VPC, and subnets in the host project.

Outbound internet access for Cloud Volumes ONTAP

Cloud Volumes ONTAP requires outbound internet access to send messages to NetApp AutoSupport, which proactively monitors the health of your storage.

Routing and firewall policies must allow HTTP/HTTPS traffic to the following endpoints so Cloud Volumes ONTAP can send AutoSupport messages:

Number of IP addresses

Cloud Manager allocates 5 IP addresses to Cloud Volumes ONTAP in GCP.

Note that Cloud Manager doesn’t create an SVM management LIF for Cloud Volumes ONTAP in GCP.

A LIF is an IP address associated with a physical port. An SVM management LIF is required for management tools like SnapCenter.

Firewall rules

You don’t need to create firewall rules because Cloud Manager does that for you. If you need to use your own, refer to the firewall rules listed below.

Connection from Cloud Volumes ONTAP to Google Cloud Storage for data tiering

If you want to tier cold data to a Google Cloud Storage bucket, the subnet in which Cloud Volumes ONTAP resides must be configured for Private Google Access. For instructions, refer to Google Cloud documentation: Configuring Private Google Access.

For additional steps required to set up data tiering in Cloud Manager, see Tiering cold data to low-cost object storage.

Connections to ONTAP systems in other networks

To replicate data between a Cloud Volumes ONTAP system in GCP and ONTAP systems in other networks, you must have a VPN connection between the VPC and the other network—for example, your corporate network.

Requirements for the Connector

Set up your networking so that the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.

If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server.

Connection to target networks

A Connector requires a network connection to the VPCs and VNets in which you want to deploy Cloud Volumes ONTAP.

For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.

Outbound internet access

The Connector requires outbound internet access to manage resources and processes within your public cloud environment. A Connector contacts the following endpoints when managing resources in GCP:

Endpoints, each followed by its purpose:

https://www.googleapis.com
    Enables the Connector to contact Google APIs for deploying and managing Cloud Volumes ONTAP in GCP.

https://api.services.cloud.netapp.com:443
    API requests to NetApp Cloud Central.

https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com
    Provides access to software images, manifests, and templates.

https://repo.cloud.support.netapp.com
    Used to download Cloud Manager dependencies.

http://repo.mysql.com/
    Used to download MySQL.

https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://sts.amazonaws.com
https://cloud-support-netapp-com-accelerated.s3.amazonaws.com
    Enables the Connector to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.

https://cloudmanagerinfraprod.azurecr.io
    Provides access to software images of container components for the Docker-based infrastructure that supports service integrations with Cloud Manager.

https://kinesis.us-east-1.amazonaws.com
    Enables NetApp to stream data from audit records.

https://cloudmanager.cloud.netapp.com
    Communication with the Cloud Manager service, which includes Cloud Central accounts.

https://netapp-cloud-account.auth0.com
    Communication with NetApp Cloud Central for centralized user authentication.

https://mysupport.netapp.com
    Communication with NetApp AutoSupport.

https://support.netapp.com/svcgw
https://support.netapp.com/ServiceGW/entitlement
https://eval.lic.netapp.com.s3.us-west-1.amazonaws.com
https://cloud-support-netapp-com.s3.us-west-1.amazonaws.com
    Communication with NetApp for system licensing and support registration.

https://ipa-signer.cloudmanager.netapp.com
    Enables Cloud Manager to generate licenses (for example, a FlexCache license for Cloud Volumes ONTAP).

https://packages.cloud.google.com/yum
https://github.com/NetApp/trident/releases/download/
    Required to connect Cloud Volumes ONTAP systems with a Kubernetes cluster. The endpoints enable installation of NetApp Trident.

Various third-party locations, for example:
  • https://repo1.maven.org/maven2
  • https://oss.sonatype.org/content/repositories
  • https://repo.typesafe.org
Third-party locations are subject to change.
    During upgrades, Cloud Manager downloads the latest packages for third-party dependencies.
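Before deploying a Connector behind restrictive egress filtering or the proxy server mentioned earlier, it helps to verify that each endpoint in the table above is actually reachable. The following preflight script is an added example and not NetApp's code or part of this page: it derives host and port from each endpoint URL and tries to open a TCP session, either directly or through an HTTP proxy using the CONNECT method; the endpoint subset and the proxy address in the comment are constructed.

```python
import socket
from urllib.parse import urlsplit

# Subset of the Connector's outbound endpoints from the table above (constructed list).
CONNECTOR_ENDPOINTS = [
    "https://www.googleapis.com",
    "https://api.services.cloud.netapp.com:443",
    "http://repo.mysql.com/",
    "https://cloudmanager.cloud.netapp.com",
    "https://mysupport.netapp.com",
]

def endpoint_target(url):
    """(host, port) for an endpoint URL; the port defaults from the scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported endpoint: {url}")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def proxy_connect_ok(status_line):
    """True for a 2xx reply to CONNECT, e.g. b'HTTP/1.1 200 Connection established'."""
    fields = status_line.split()
    return len(fields) >= 2 and fields[1].startswith(b"2")

def check_endpoint(url, proxy=None, timeout=5.0):
    """True if a TCP session to the endpoint opens, directly or through an HTTP
    proxy given as (host, port) using the CONNECT method; False on any socket error."""
    host, port = endpoint_target(url)
    try:
        if proxy is None:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        with socket.create_connection(proxy, timeout=timeout) as sock:
            request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
            sock.sendall(request.encode())
            status_line = sock.recv(1024).split(b"\r\n", 1)[0]
            return proxy_connect_ok(status_line)
    except OSError:
        return False

def preflight(urls, proxy=None):
    """Map each endpoint URL to its reachability result."""
    return {url: check_endpoint(url, proxy) for url in urls}

if __name__ == "__main__":
    # Direct check; pass proxy=("proxy.example.internal", 3128) (hypothetical) for a proxied one.
    for url, ok in preflight(CONNECTOR_ENDPOINTS).items():
        print("OK  " if ok else "FAIL", url)
```

A failed entry points at the routing, firewall or proxy policy for that endpoint rather than at Cloud Manager itself.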

While you should perform almost all tasks from the SaaS user interface, a local user interface is still available on the Connector. The machine running the web browser must have connections to the following endpoints:

Endpoints, each followed by its purpose:

The Connector host
    You must enter the host’s IP address from a web browser to load the Cloud Manager console.
    Depending on your connectivity to your cloud provider, you can use the private IP or a public IP assigned to the host:
      • A private IP works if you have a VPN and direct connect access to your virtual network
      • A public IP works in any networking scenario
    In any case, you should secure network access by ensuring that security group rules allow access from only authorized IPs or subnets.

https://auth0.com
https://cdn.auth0.com
https://netapp-cloud-account.auth0.com
https://services.cloud.netapp.com
    Your web browser connects to these endpoints for centralized user authentication through NetApp Cloud Central.

https://widget.intercom.io
    For in-product chat that enables you to talk to NetApp cloud experts.

Firewall rules for Cloud Volumes ONTAP

Cloud Manager creates GCP firewall rules that include the inbound and outbound rules that Cloud Manager and Cloud Volumes ONTAP need to operate successfully. You might want to refer to the ports for testing purposes or if you prefer to use your own security groups.

The firewall rules for Cloud Volumes ONTAP require both inbound and outbound rules.

Inbound rules

The source for inbound rules in the predefined security group is 0.0.0.0/0.

Protocol  Port     Purpose
All ICMP  All      Pinging the instance
HTTP      80       HTTP access to the System Manager web console using the IP address of the cluster management LIF
HTTPS     443      HTTPS access to the System Manager web console using the IP address of the cluster management LIF
SSH       22       SSH access to the IP address of the cluster management LIF or a node management LIF
TCP       111      Remote procedure call for NFS
TCP       139      NetBIOS service session for CIFS
TCP       161-162  Simple network management protocol
TCP       445      Microsoft SMB/CIFS over TCP with NetBIOS framing
TCP       635      NFS mount
TCP       749      Kerberos
TCP       2049     NFS server daemon
TCP       3260     iSCSI access through the iSCSI data LIF
TCP       4045     NFS lock daemon
TCP       4046     Network status monitor for NFS
TCP       10000    Backup using NDMP
TCP       11104    Management of intercluster communication sessions for SnapMirror
TCP       11105    SnapMirror data transfer using intercluster LIFs
UDP       111      Remote procedure call for NFS
UDP       161-162  Simple network management protocol
UDP       635      NFS mount
UDP       2049     NFS server daemon
UDP       4045     NFS lock daemon
UDP       4046     Network status monitor for NFS
UDP       4049     NFS rquotad protocol

Outbound rules

The predefined security group for Cloud Volumes ONTAP opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined security group for Cloud Volumes ONTAP includes the following outbound rules.

Protocol  Port  Purpose
All ICMP  All   All outbound traffic
All TCP   All   All outbound traffic
All UDP   All   All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by Cloud Volumes ONTAP.

The source is the interface (IP address) on the Cloud Volumes ONTAP system.

Protocol     Port         Source                                        Destination                 Purpose

Active Directory
TCP          88           Node management LIF                           Active Directory forest     Kerberos V authentication
UDP          137          Node management LIF                           Active Directory forest     NetBIOS name service
UDP          138          Node management LIF                           Active Directory forest     NetBIOS datagram service
TCP          139          Node management LIF                           Active Directory forest     NetBIOS service session
TCP & UDP    389          Node management LIF                           Active Directory forest     LDAP
TCP          445          Node management LIF                           Active Directory forest     Microsoft SMB/CIFS over TCP with NetBIOS framing
TCP          464          Node management LIF                           Active Directory forest     Kerberos V change & set password (SET_CHANGE)
UDP          464          Node management LIF                           Active Directory forest     Kerberos key administration
TCP          749          Node management LIF                           Active Directory forest     Kerberos V change & set password (RPCSEC_GSS)
TCP          88           Data LIF (NFS, CIFS, iSCSI)                   Active Directory forest     Kerberos V authentication
UDP          137          Data LIF (NFS, CIFS)                          Active Directory forest     NetBIOS name service
UDP          138          Data LIF (NFS, CIFS)                          Active Directory forest     NetBIOS datagram service
TCP          139          Data LIF (NFS, CIFS)                          Active Directory forest     NetBIOS service session
TCP & UDP    389          Data LIF (NFS, CIFS)                          Active Directory forest     LDAP
TCP          445          Data LIF (NFS, CIFS)                          Active Directory forest     Microsoft SMB/CIFS over TCP with NetBIOS framing
TCP          464          Data LIF (NFS, CIFS)                          Active Directory forest     Kerberos V change & set password (SET_CHANGE)
UDP          464          Data LIF (NFS, CIFS)                          Active Directory forest     Kerberos key administration
TCP          749          Data LIF (NFS, CIFS)                          Active Directory forest     Kerberos V change & set password (RPCSEC_GSS)

Cluster
All traffic  All traffic  All LIFs on one node                          All LIFs on the other node  Intercluster communications (Cloud Volumes ONTAP HA only)
TCP          3000         Node management LIF                           HA mediator                 ZAPI calls (Cloud Volumes ONTAP HA only)
ICMP         1            Node management LIF                           HA mediator                 Keep alive (Cloud Volumes ONTAP HA only)

DHCP
UDP          68           Node management LIF                           DHCP                        DHCP client for first-time setup

DHCPS
UDP          67           Node management LIF                           DHCP                        DHCP server

DNS
UDP          53           Node management LIF and data LIF (NFS, CIFS)  DNS                         DNS

NDMP
TCP          18600–18699  Node management LIF                           Destination servers         NDMP copy

SMTP
TCP          25           Node management LIF                           Mail server                 SMTP alerts, can be used for AutoSupport

SNMP
TCP          161          Node management LIF                           Monitor server              Monitoring by SNMP traps
UDP          161          Node management LIF                           Monitor server              Monitoring by SNMP traps
TCP          162          Node management LIF                           Monitor server              Monitoring by SNMP traps
UDP          162          Node management LIF                           Monitor server              Monitoring by SNMP traps

SnapMirror
TCP          11104        Intercluster LIF                              ONTAP intercluster LIFs     Management of intercluster communication sessions for SnapMirror
TCP          11105        Intercluster LIF                              ONTAP intercluster LIFs     SnapMirror data transfer

Syslog
UDP          514          Node management LIF                           Syslog server               Syslog forward messages

Firewall rules for the Connector

The firewall rules for the Connector require both inbound and outbound rules.

Inbound rules

The source for inbound rules in the predefined firewall rules is 0.0.0.0/0.

Protocol  Port  Purpose
SSH       22    Provides SSH access to the Connector host
HTTP      80    Provides HTTP access from client web browsers to the local user interface
HTTPS     443   Provides HTTPS access from client web browsers to the local user interface
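Both inbound tables, the one for Cloud Volumes ONTAP above and this one for the Connector, are predefined with a source of 0.0.0.0/0, and the page advises restricting management access to authorized IPs or subnets. The following audit is an added example, not NetApp's or Google's code: it reads rules in the shape of `gcloud compute firewall-rules list --format=json` output (the sample rules and their names are constructed) and reports enabled ingress rules that expose SSH, HTTP or HTTPS over TCP from an unrestricted range.

```python
import ipaddress
import json

# Management ports from the inbound tables: SSH, HTTP and HTTPS to the cluster
# management LIF (Cloud Volumes ONTAP) or to the Connector host.
MGMT_PORTS = {22, 80, 443}

def _expand_ports(spec):
    """Ports of one "allowed" entry ("22", "161-162") as a set of ints;
    an entry without "ports" means every port and returns None."""
    if "ports" not in spec:
        return None
    ports = set()
    for item in spec["ports"]:
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _is_unrestricted(cidr):
    # 0.0.0.0/0 and ::/0 are the only ranges with a zero-length prefix.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_open_mgmt_rules(rules):
    """[(rule name, sorted exposed ports)] for enabled INGRESS rules that allow a
    management port over TCP (or all protocols) from an unrestricted source range."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(_is_unrestricted(r) for r in rule.get("sourceRanges", [])):
            continue
        exposed = set()
        for spec in rule.get("allowed", []):
            if spec["IPProtocol"].lower() not in ("tcp", "all"):
                continue
            ports = _expand_ports(spec)
            exposed |= MGMT_PORTS if ports is None else ports & MGMT_PORTS
        if exposed:
            findings.append((rule["name"], sorted(exposed)))
    return findings

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
 {"name": "cvo-mgmt-open", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "80", "443", "111"]}]},
 {"name": "cvo-nfs", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["2049", "4045-4046"]}]},
 {"name": "cvo-mgmt-admin", "direction": "INGRESS", "sourceRanges": ["10.20.0.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "443"]}]},
 {"name": "cvo-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "all"}]}
]""")
```

Running `find_open_mgmt_rules(SAMPLE_RULES)` flags only `cvo-mgmt-open`; the rule scoped to 10.20.0.0/24 is the shape the page recommends.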

Outbound rules

The predefined firewall rules for the Connector open all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

Basic outbound rules

The predefined firewall rules for the Connector include the following outbound rules.

Protocol  Port  Purpose
All TCP   All   All outbound traffic
All UDP   All   All outbound traffic

Advanced outbound rules

If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

The source IP address is the Connector host.

Protocol     Port         Destination                                         Purpose

Active Directory
TCP          88           Active Directory forest                             Kerberos V authentication
TCP          139          Active Directory forest                             NetBIOS service session
TCP          389          Active Directory forest                             LDAP
TCP          445          Active Directory forest                             Microsoft SMB/CIFS over TCP with NetBIOS framing
TCP          464          Active Directory forest                             Kerberos V change & set password (SET_CHANGE)
TCP          749          Active Directory forest                             Kerberos V change & set password (RPCSEC_GSS)
UDP          137          Active Directory forest                             NetBIOS name service
UDP          138          Active Directory forest                             NetBIOS datagram service
UDP          464          Active Directory forest                             Kerberos key administration

API calls and AutoSupport
HTTPS        443          Outbound internet and ONTAP cluster management LIF  API calls to GCP and ONTAP, and sending AutoSupport messages to NetApp

API calls
TCP          3000         ONTAP cluster management LIF                        API calls to ONTAP

DNS
UDP          53           DNS                                                 Used for DNS resolution by Cloud Manager