Skip to main content
BlueXP classification

Deploy BlueXP classification in the cloud using BlueXP

Contributors netapp-tonacki netapp-bcammett

Complete a few steps to deploy BlueXP classification in the cloud. BlueXP will deploy the BlueXP classification instance in the same cloud provider network as the BlueXP Connector.

Note that you can also install BlueXP classification on a Linux host that has internet access. This type of installation may be a good option if you prefer to scan on-premises ONTAP systems using a BlueXP classification instance that's also located on premises — but this is not a requirement. The software functions exactly the same way regardless of which installation method you choose.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Create a Connector

If you don't already have a Connector, create a Connector now. See creating a Connector in AWS, creating a Connector in Azure, or creating a Connector in GCP.

You can also install the Connector on-premises on a Linux host in your network or on a Linux host in the cloud.

Two Review prerequisites

Ensure that your environment can meet the prerequisites. This includes outbound internet access for the instance, connectivity between the Connector and BlueXP classification over port 443, and more. See the complete list.

Three Deploy BlueXP classification

Launch the installation wizard to deploy the BlueXP classification instance in the cloud.

Four Subscribe to the BlueXP classification service

The first 1 TB of data that BlueXP classification scans in BlueXP is free for 30 days. A BlueXP subscription through your cloud provider Marketplace, or a BYOL license from NetApp, is required to continue scanning data after that point.

Create a Connector

If you don't already have a Connector, create a Connector in your cloud provider. See creating a Connector in AWS or creating a Connector in Azure, or creating a Connector in GCP. In most cases you will probably have a Connector set up before you attempt to activate BlueXP classification because most BlueXP features require a Connector, but there are cases where you'll you need to set one up now.

There are some scenarios where you have to use a Connector that's deployed in a specific cloud provider:

  • When scanning data in Cloud Volumes ONTAP in AWS, Amazon FSx for ONTAP, or in AWS S3 buckets, you use a Connector in AWS.

  • When scanning data in Cloud Volumes ONTAP in Azure or in Azure NetApp Files, you use a Connector in Azure.

    • For Azure NetApp Files, it must be deployed in the same region as the volumes you wish to scan.

  • When scanning data in Cloud Volumes ONTAP in GCP, you use a Connector in GCP.

On-prem ONTAP systems, non-NetApp file shares, generic S3 Object storage, databases, OneDrive folders, SharePoint accounts, and Google Drive accounts can be scanned when using any of these cloud Connectors.

Note that you can also install the Connector on-premises on a Linux host in your network or in the cloud. Some users planning to install BlueXP classification on-prem may also choose to install the Connector on-prem.

As you can see, there may be some situations where you need to use multiple Connectors.

Government region support

BlueXP classification is supported when the Connector is deployed in a Government region (AWS GovCloud, Azure Gov, or Azure DoD). When deployed in this manner, BlueXP classification has the following restrictions:

  • OneDrive accounts, SharePoint accounts, and Google Drive accounts can't be scanned.

  • Microsoft Azure Information Protection (AIP) label functionality can't be integrated.

Review prerequisites

Review the following prerequisites to make sure that you have a supported configuration before you deploy BlueXP classification in the cloud. When you deploy BlueXP classification in the cloud, it's located in the same subnet as the Connector.

Enable outbound internet access from BlueXP classification

BlueXP classification requires outbound internet access. If your virtual or physical network uses a proxy server for internet access, ensure that the BlueXP classification instance has outbound internet access to contact the following endpoints. The proxy must be non-transparent - we don't currently support transparent proxies.

Review the appropriate table below depending on whether you are deploying BlueXP classification in AWS, Azure, or GCP.

Required endpoints for AWS
Endpoints Purpose

https://api.bluexp.netapp.com

Communication with the BlueXP service, which includes NetApp accounts.

https://netapp-cloud-account.auth0.com
https://auth0.com

Communication with the BlueXP website for centralized user authentication.

https://cloud-compliance-support-netapp.s3.us-west-2.amazonaws.com
https://hub.docker.com
https://auth.docker.io
https://registry-1.docker.io
https://index.docker.io/
https://dseasb33srnrn.cloudfront.net/
https://production.cloudflare.docker.com/

Provides access to software images, manifests, and templates.

https://kinesis.us-east-1.amazonaws.com

Enables NetApp to stream data from audit records.

https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://user-feedback-store-prod.s3.us-west-2.amazonaws.com
https://customer-data-production.s3.us-west-2.amazonaws.com

Enables BlueXP classification to access and download manifests and templates, and to send logs and metrics.

Required endpoints for Azure
Endpoints Purpose

https://api.bluexp.netapp.com

Communication with the BlueXP service, which includes NetApp accounts.

https://netapp-cloud-account.auth0.com
https://auth0.com

Communication with the BlueXP website for centralized user authentication.

https://support.compliance.api.bluexp.netapp.com/
https://hub.docker.com
https://auth.docker.io
https://registry-1.docker.io
https://index.docker.io/
https://dseasb33srnrn.cloudfront.net/
https://production.cloudflare.docker.com/

Provides access to software images, manifests, templates, and to send logs and metrics.

https://support.compliance.api.bluexp.netapp.com/

Enables NetApp to stream data from audit records.

Required endpoints for GCP
Endpoints Purpose

https://api.bluexp.netapp.com

Communication with the BlueXP service, which includes NetApp accounts.

https://netapp-cloud-account.auth0.com
https://auth0.com

Communication with the BlueXP website for centralized user authentication.

https://support.compliance.api.bluexp.netapp.com/
https://hub.docker.com
https://auth.docker.io
https://registry-1.docker.io
https://index.docker.io/
https://dseasb33srnrn.cloudfront.net/
https://production.cloudflare.docker.com/

Provides access to software images, manifests, templates, and to send logs and metrics.

https://support.compliance.api.bluexp.netapp.com/

Enables NetApp to stream data from audit records.

Ensure that BlueXP has the required permissions

Ensure that BlueXP has permissions to deploy resources and create security groups for the BlueXP classification instance. You can find the latest BlueXP permissions in the policies provided by NetApp.

Ensure that the BlueXP Connector can access BlueXP classification

Ensure connectivity between the Connector and the BlueXP classification instance. The security group for the Connector must allow inbound and outbound traffic over port 443 to and from the BlueXP classification instance. This connection enables deployment of the BlueXP classification instance and enables you to view information in the Compliance and Governance tabs. BlueXP classification is supported in Government regions in AWS and Azure.

Additional inbound and outbound security group rules are required for AWS and AWS GovCloud deployments. See Rules for the Connector in AWS for details.

Additional inbound and outbound security group rules are required for Azure and Azure Government deployments. See Rules for the Connector in Azure for details.

Ensure that you can keep BlueXP classification running

The BlueXP classification instance needs to stay on to continuously scan your data.

Ensure web browser connectivity to BlueXP classification

After BlueXP classification is enabled, ensure that users access the BlueXP interface from a host that has a connection to the BlueXP classification instance.

The BlueXP classification instance uses a private IP address to ensure that the indexed data isn't accessible to the internet. As a result, the web browser that you use to access BlueXP must have a connection to that private IP address. That connection can come from a direct connection to your cloud provider (for example, a VPN), or from a host that's inside the same network as the BlueXP classification instance.

Check your vCPU limits

Ensure that your cloud provider's vCPU limit allows for the deployment of an instance with the necessary number of cores. You'll need to verify the vCPU limit for the relevant instance family in the region where BlueXP is running. See the required instance types.

See the following links for more details on vCPU limits:

Note that you can deploy BlueXP classification on an instance in AWS cloud environments with fewer CPUs and less RAM, but there are limitations when using these systems. See Using a smaller instance type for details.

Deploy BlueXP classification in the cloud

Follow these steps to deploy an instance of BlueXP classification in the cloud. The Connector will deploy the instance in the cloud, and then install BlueXP classification software on that instance.

Note that when deploying BlueXP classification from a BlueXP Connector in an AWS environment, you can select the default instance size or you can select from two smaller instance types. See the available instance types and limitations. In regions where the default instance type isn't available, BlueXP classification runs on an alternate instance type.

Deploy in AWS
Steps
  1. From the BlueXP left navigation menu, click Governance > Classification.

    A screenshot of selecting the button to activate BlueXP classification.

  2. Click Activate Data Sense.

  3. From the Installation page, click Deploy > Deploy to use the "Large" instance size and start the cloud deployment wizard.

  4. The wizard displays progress as it goes through the deployment steps. It will stop and prompt for input if it runs into any issues.

    A screenshot of the BlueXP classification wizard to deploy a new instance.

  5. When the instance is deployed and BlueXP classification is installed, click Continue to configuration to go to the Configuration page.

Deploy in Azure
Steps
  1. From the BlueXP left navigation menu, click Governance > Classification.

  2. Click Activate Data Sense.

    A screenshot of selecting the button to activate BlueXP classification.

  3. Click Deploy to start the cloud deployment wizard.

    A screenshot of selecting the button to deploy BlueXP classification in the cloud.

  4. The wizard displays progress as it goes through the deployment steps. It will stop and prompt for input if it runs into any issues.

    A screenshot of the BlueXP classification wizard to deploy a new instance.

  5. When the instance is deployed and BlueXP classification is installed, click Continue to configuration to go to the Configuration page.

Deploy in Google Cloud
Steps
  1. From the BlueXP left navigation menu, click Governance > Classification.

  2. Click Activate Data Sense.

    A screenshot of selecting the button to activate BlueXP classification.

  3. Click Deploy to start the cloud deployment wizard.

    A screenshot of selecting the button to deploy BlueXP classification in the cloud.

  4. The wizard displays progress as it goes through the deployment steps. It will stop and prompt for input if it runs into any issues.

    A screenshot of the BlueXP classification wizard to deploy a new instance.

  5. When the instance is deployed and BlueXP classification is installed, click Continue to configuration to go to the Configuration page.

Result

BlueXP deploys the BlueXP classification instance in your cloud provider.

Upgrades to the BlueXP Connector and BlueXP classification software is automated as long as the instances have internet connectivity.

What's Next

From the Configuration page you can select the data sources that you want to scan.

You can also set up licensing for BlueXP classification at this time. You will not be charged until your 30-day free trial ends.