Getting started with Cloud Data Sense for Cloud Volumes ONTAP and on-premises ONTAP

Contributors netapp-tonacki Download PDF of this page

Complete a few steps to get started with Cloud Data Sense for Cloud Volumes ONTAP and on-premises ONTAP systems.

Quick start

Get started quickly by following these steps, or scroll down to the remaining sections for full details.

Number 1 Discover the data sources that contain the data you want to scan

Before you can scan volumes, you must add the systems as working environments in Cloud Manager:

Number 2 Deploy the Cloud Data Sense instance

Deploy Cloud Data Sense in Cloud Manager if there isn’t already an instance deployed.

Number 3 Enable Cloud Data Sense and select the volumes to scan

Click Data Sense, select the Configuration tab, and activate compliance scans for volumes in specific working environments.

Number 4 Ensure access to volumes

Now that Cloud Data Sense is enabled, ensure that it can access all volumes.

  • The Cloud Data Sense instance needs a network connection to each Cloud Volumes ONTAP subnet or on-prem ONTAP system.

  • Security groups for Cloud Volumes ONTAP must allow inbound connections from the Data Sense instance.

  • Make sure these ports are open to the Data Sense instance:

    • For NFS – ports 111 and 2049.

    • For CIFS – ports 139 and 445.

  • NFS volume export policies must allow access from the Data Sense instance.

  • Data Sense needs Active Directory credentials to scan CIFS volumes.

    Click Compliance > Configuration > Edit CIFS Credentials and provide the credentials.

Number 5 Manage the volumes you want to scan

Select or deselect the volumes that you want to scan and Cloud Data Sense will start or stop scanning them.

Discovering the data sources that you want to scan

If the data sources you want to scan are not already in your Cloud Manager environment, you can add them to the canvas at this time.

Your Cloud Volumes ONTAP systems should already be available in the Canvas in Cloud Manager. For on-premises ONTAP systems you need to have Cloud Manager discover these clusters.

Deploying the Cloud Data Sense instance

Deploy Cloud Data Sense if there isn’t already an instance deployed.

Cloud Data Sense can be deployed in the cloud or in an on-premises location when scanning Cloud Volumes ONTAP or on-premises ONTAP systems.

Enabling Cloud Data Sense in your working environments

You can enable Cloud Data Sense on Cloud Volumes ONTAP systems (in AWS and Azure) and on on-premises ONTAP clusters.

Following these steps for on-prem ONTAP systems scans the volumes directly on the on-prem ONTAP system. If you are already creating backup files from those on-prem systems using Cloud Backup, you can run compliance scans on the backup files in the cloud instead. Go to Scanning backup files from on-premises ONTAP systems to scan the volumes by scanning the backup files.
  1. At the top of Cloud Manager, click Data Sense and then select the Configuration tab.

    A screenshot of the Configuration tab immediately after deploying the Cloud Data Sense instance.

  2. To scan all volumes in a working environment, click Activate Scanning for All Volumes.

    When enabled in this manner, full "mapping and classification" scanning is performed on all volumes.

    If you want to enable scanning only for certain volumes, or if you only want to perform "mapping-only" scanning, click or select Volumes and then choose the volumes you want to scan.

Result

Cloud Data Sense starts scanning the volumes you selected in the working environment. Results will be available in the Compliance dashboard as soon as Cloud Data Sense finishes the initial scans. The time that it takes depends on the amount of data—​it could be a few minutes or hours.

Verifying that Cloud Data Sense has access to volumes

Make sure that Cloud Data Sense can access volumes by checking your networking, security groups, and export policies. You’ll need to provide Data Sense with CIFS credentials so it can access CIFS volumes.

Steps
  1. Make sure that there’s a network connection between the Cloud Data Sense instance and each network that includes volumes for Cloud Volumes ONTAP or on-prem ONTAP clusters.

  2. Ensure that the security group for Cloud Volumes ONTAP allows inbound traffic from the Data Sense instance.

    You can either open the security group for traffic from the IP address of the Data Sense instance, or you can open the security group for all traffic from inside the virtual network.

  3. Ensure the following ports are open to the Data Sense instance:

    • For NFS – ports 111 and 2049.

    • For CIFS – ports 139 and 445.

  4. Ensure that NFS volume export policies include the IP address of the Data Sense instance so it can access the data on each volume.

  5. If you use CIFS, provide Data Sense with Active Directory credentials so it can scan CIFS volumes.

    1. At the top of Cloud Manager, click Data Sense.

    2. Click the Configuration tab.

      A screenshot of the Compliance tab that shows the Scan Status button that’s available in the top right of the content pane.

    3. For each working environment, click Edit CIFS Credentials and enter the user name and password that Data Sense needs to access CIFS volumes on the system.

      The credentials can be read-only, but providing admin credentials ensures that Data Sense can read any data that requires elevated permissions. The credentials are stored on the Cloud Data Sense instance.

      After you enter the credentials, you should see a message that all CIFS volumes were authenticated successfully.

      A screenshot that shows the Configuration page and one Cloud Volumes ONTAP system for which CIFS credentials were successfully provided.

  6. On the Configuration page, click View Details to review the status for each CIFS and NFS volume and correct any errors.

    For example, the following image shows three volumes; one of which Cloud Data Sense can’t scan due to network connectivity issues between the Data Sense instance and the volume.

    A screenshot of the View Details page in the scan configuration that shows three volumes; one of which isn’t being scanned because of network connectivity between Data Sense and the volume.

Enabling and disabling compliance scans on volumes

You can stop or start mapping-only scans, or mapping and classification scans, in a working environment at any time from the Configuration page. We recommend that you scan all volumes.

A screenshot of the Configuration page where you can enable or disable scanning of individual volumes.

To: Do this:

Enable mapping-only scans on a volume

Click Map

Enable full scanning on a volume

Click Map & Classify

Enable full scanning on all volumes

Move the Map & Classify All slider to the right

Disable scanning on a volume

Click Off

Disable scanning on all volumes

Move the Map & Classify All slider to the left

New volumes added to the working environment are automatically scanned only when the Map & Classify All setting is enabled. When this setting is disabled, you’ll need to activate mapping and/or full scanning on each new volume you create in the working environment.

Scanning backup files from on-premises ONTAP systems

If you don’t want Cloud Data Sense to scan volumes directly on your on-prem ONTAP systems, a new Beta feature released in January 2021 allows you to run compliance scans on backup files created from your on-prem ONTAP volumes. So if you’re already creating backup files using Cloud Backup, you can use this new feature to run compliance scans on those backup files.

The Compliance scans you run on backup files are free - no Cloud Data Sense subscription or license is needed.

Note: When Data Sense scans backup files it uses permissions granted through the Cloud Restore instance to access the backup files. Typically the Restore instance powers down when not actively restoring files, but it remains On when scanning backup files. See more information about the Restore instance.

Steps

If you want to scan the backup files from on-prem ONTAP systems:

  1. At the top of Cloud Manager, click Data Sense and then select the Configuration tab.

  2. From the list of working environments, click the BACKUP button from the list of filters.

    All the on-premises ONTAP working environments that have backup files are listed. If you don’t have any backup files from an on-prem system, then the working environment is not shown.

    A screenshot of the Data Sense page to select volumes you want to scan.

  3. To scan all backed up volumes in a working environment, click Activate Compliance for all backed up Volumes.

    To scan only certain backed up volumes in a working environment, click or select Volumes and then choose the backup files (volumes) that you want to scan.

Scanning on-prem volumes versus backups of those volumes

When you view the entire list of working environments you will see two listings for each on-prem cluster if they have backed up files.

A screenshot showing how on-prem clusters will appear twice in the list of working environments if they have backup files.

The first item is the on-prem cluster and the actual volumes.
The second item is the backup files of those volumes from that same on-prem cluster.

Choose the first option to scan the volumes on the on-prem system. Choose the second option to scan the backup files from those volumes. Do not scan both on-prem volumes and backup files of the same cluster.

Scanning data protection volumes

By default, data protection (DP) volumes are not scanned because they are not exposed externally and Cloud Data Sense cannot access them. These are the destination volumes for SnapMirror operations from an on-premises ONTAP system or from a Cloud Volumes ONTAP system.

Initially, the volume list identifies these volumes as Type DP with the Status Not Scanning and the Required Action Enable Access to DP volumes.

A screenshot showing the Enable Access to DP Volumes button that you can select to scan data protection volumes.

Steps

If you want to scan these data protection volumes:

  1. Click Enable Access to DP volumes at the top of the page.

  2. Review the confirmation message and click Enable Access to DP volumes again.

    • Volumes that were initially created as NFS volumes in the source ONTAP system are enabled.

    • Volumes that were initially created as CIFS volumes in the source ONTAP system require that you enter CIFS credentials to scan those DP volumes. If you already entered Active Directory credentials so that Cloud Data Sense can scan CIFS volumes you can use those credentials, or you can specify a different set of Admin credentials.

      A screenshot of the two options for enabling CIFS data protection volumes.

  3. Activate each DP volume that you want to scan the same way you enabled other volumes, or use the Activate Compliance for all Volumes control to enable all volumes, including all DP volumes.

Result

Once enabled, Cloud Data Sense creates an NFS share from each DP volume that was activated for scanning. The share export policies only allow access from the Data Sense instance.

Note: If you had no CIFS data protection volumes when you initially enabled access to DP volumes, and later add some, the button Enable Access to CIFS DP appears at the top of the Configuration page. Click this button and add CIFS credentials to enable access to these CIFS DP volumes.