Deploy Cloud Data Sense in the cloud

Contributors netapp-tonacki netapp-bcammett juliantap

Complete a few steps to deploy Cloud Data Sense in the cloud.

Note that you can also deploy Data Sense on a Linux host that has internet access. The type of installation may be a good option if you prefer to scan on-premises ONTAP systems using a Data Sense instance that’s also located on premises — but this is not a requirement. The software functions exactly the same way regardless of which installation method you choose.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

One Create a Connector

If you don’t already have a Connector, create a Connector now. See creating a Connector in AWS, creating a Connector in Azure, or creating a Connector in GCP.

You can also deploy the Connector on-premises on a Linux host in your network or in the cloud.

Two Review prerequisites

Ensure that your environment can meet the prerequisites. This includes outbound internet access for the instance, connectivity between the Connector and Cloud Data Sense over port 443, and more. See the complete list.

The default configuration requires 16 vCPUs for the Cloud Data Sense instance. See more details about the instance type.

Three Deploy Cloud Data Sense

Launch the installation wizard to deploy the Cloud Data Sense instance in the cloud.

Four Subscribe to the Cloud Data Sense service

The first 1 TB of data that Cloud Data Sense scans in Cloud Manager is free. A Cloud Manager subscription through your cloud provider Marketplace, or a BYOL license from NetApp, is required to continue scanning data after that point.

Create a Connector

If you don’t already have a Connector, create a Connector in your cloud provider. See creating a Connector in AWS or creating a Connector in Azure, or creating a Connector in GCP. In most cases you will probably have a Connector set up before you attempt to activate Cloud Data Sense because most Cloud Manager features require a Connector, but there are cases where you’ll you need to set one up now.

There are some scenarios where you have to use a Connector that’s deployed in a specific cloud provider:

  • When scanning data in Cloud Volumes ONTAP in AWS, Amazon FSx for ONTAP, or in AWS S3 buckets, you use a connector in AWS.

  • When scanning data in Cloud Volumes ONTAP in Azure or in Azure NetApp Files, you use a connector in Azure.

  • When scanning data in Cloud Volumes ONTAP in GCP, you use a Connector in GCP.

On-prem ONTAP systems, non-NetApp file shares, generic S3 Object storage, databases, and OneDrive folders can be scanned when using any of these cloud Connectors.

Note that you can also deploy the Connector on-premises on a Linux host in your network or in the cloud. Some users planning to install Data Sense on-prem may also choose to install the Connector on-prem.

As you can see, there may be some situations where you need to use multiple Connectors.

Note If you’re planning on scanning Azure NetApp Files volumes, you need to make sure you’re deploying in the same region as the volumes you wish to scan.

Review prerequisites

Review the following prerequisites to make sure that you have a supported configuration before you deploy Cloud Data Sense in the cloud.

Enable outbound internet access from Cloud Data Sense

Cloud Data Sense requires outbound internet access. If your virtual or physical network uses a proxy server for internet access, ensure that the Data Sense instance has outbound internet access to contact the following endpoints. When you deploy Data Sense in the cloud, it’s located in the same subnet as the Connector.

Review the appropriate table below depending on whether you are deploying Cloud Data Sense in AWS, Azure, or GCP.

Required endpoints for AWS deployments:

Endpoints Purpose

https://cloudmanager.cloud.netapp.com

Communication with the Cloud Manager service, which includes NetApp accounts.

https://netapp-cloud-account.auth0.com
https://auth0.com

Communication with NetApp Cloud Central for centralized user authentication.

https://cloud-compliance-support-netapp.s3.us-west-2.amazonaws.com
https://hub.docker.com
https://auth.docker.io
https://registry-1.docker.io
https://index.docker.io/
https://dseasb33srnrn.cloudfront.net/
https://production.cloudflare.docker.com/

Provides access to software images, manifests, and templates.

https://kinesis.us-east-1.amazonaws.com

Enables NetApp to stream data from audit records.

https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.com
https://user-feedback-store-prod.s3.us-west-2.amazonaws.com
https://customer-data-production.s3.us-west-2.amazonaws.com

Enables Cloud Data Sense to access and download manifests and templates, and to send logs and metrics.

Required endpoints for Azure and GCP deployments:

Endpoints Purpose

https://cloudmanager.cloud.netapp.com

Communication with the Cloud Manager service, which includes NetApp accounts.

https://netapp-cloud-account.auth0.com
https://auth0.com

Communication with NetApp Cloud Central for centralized user authentication.

https://support.compliance.cloudmanager.cloud.netapp.com/
https://hub.docker.com
https://auth.docker.io
https://registry-1.docker.io
https://index.docker.io/
https://dseasb33srnrn.cloudfront.net/
https://production.cloudflare.docker.com/

Provides access to software images, manifests, templates, and to send logs and metrics.

https://support.compliance.cloudmanager.cloud.netapp.com/

Enables NetApp to stream data from audit records.

Ensure that Cloud Manager has the required permissions

Ensure that Cloud Manager has permissions to deploy resources and create security groups for the Cloud Data Sense instance. You can find the latest Cloud Manager permissions in the policies provided by NetApp.

Note: If you created the Connector in GCP using Cloud Manager 3.9.10 or greater, then you’re all set. If you created the Connector using an earlier version, then you’ll need to add the following permissions to the GCP service account associated with the Connector to deploy Cloud Data Sense to GCP.

compute.instances.addAccessConfig
compute.subnetworks.use
compute.subnetworks.useExternalIp
Check your vCPU limits

Ensure that your cloud provider’s vCPU limit allows for the deployment of an instance with 16 cores. You’ll need to verify the vCPU limit for the relevant instance family in the region where Cloud Manager is running. See the required instance types.

See the following links for more details on vCPU limits:

Ensure that the Cloud Manager Connector can access Cloud Data Sense

Ensure connectivity between the Connector and the Cloud Data Sense instance. The security group for the Connector must allow inbound and outbound traffic over port 443 to and from the Data Sense instance. This connection enables deployment of the Data Sense instance and enables you to view information in the Compliance and Governance tabs.

Additional inbound and outbound rules are required for AWS and AWS GovCloud deployments. See Rules for the Connector in AWS for details.

Ensure that you can keep Cloud Data Sense running

The Cloud Data Sense instance needs to stay on to continuously scan your data.

Ensure web browser connectivity to Cloud Data Sense

After Cloud Data Sense is enabled, ensure that users access the Cloud Manager interface from a host that has a connection to the Data Sense instance.

The Data Sense instance uses a private IP address to ensure that the indexed data isn’t accessible to the internet. As a result, the web browser that you use to access Cloud Manager must have a connection to that private IP address. That connection can come from a direct connection to your cloud provider (for example, a VPN), or from a host that’s inside the same network as the Data Sense instance.

Deploy Data Sense in the cloud

Follow these steps to deploy an instance of Cloud Data Sense in the cloud.

Steps
  1. In Cloud Manager, click Data Sense.

  2. Click Activate Data Sense.

    A screenshot of selecting the button to activate Cloud Data Sense.

  3. Click Activate Data Sense to start the cloud deployment wizard.

    A screenshot of selecting the button to deploy Cloud Data Sense in the cloud.

  4. The wizard displays progress as it goes through the deployment steps. It will stop and ask for input if it runs into any issues.

    A screenshot of the Cloud Data Sense wizard to deploy a new instance.

  5. When the instance is deployed, click Continue to configuration to go to the Configuration page.

Result

Cloud Manager deploys the Cloud Data Sense instance in your cloud provider.

What’s Next

From the Configuration page you can select the data sources that you want to scan.

You can also set up licensing for Cloud Data Sense at this time. You will not be charged until the amount of data exceeds 1 TB.