Getting started with Cloud Compliance for Cloud Volumes ONTAP
Complete a few steps to get started with Cloud Compliance for Cloud Volumes ONTAP in AWS or Azure.
Quick start
Get started quickly by following these steps or scroll down to the remaining sections for full details.
Verify that your configuration can meet the requirements
-
Ensure that the Cloud Compliance instance will have outbound internet access.
Cloud Manager deploys the instance in the same VPC or VNet as the first Cloud Volumes ONTAP system in the request.
-
Ensure that users can access the Cloud Manager interface from a host that has a direct connection to AWS or Azure, or from a host that's inside the same network as the Cloud Compliance instance (the instance will have a private IP address).
-
Ensure that you can keep the Cloud Compliance instance running.
Enable Cloud Compliance on Cloud Volumes ONTAP
-
New working environments: Be sure to keep Cloud Compliance enabled when you create the working environment (it's enabled by default).
-
Existing working environments: Click Compliance, optionally edit the list of working environments, and click Show Compliance Dashboard.
Ensure access to volumes
Now that Cloud Compliance is enabled, ensure that it can access volumes.
-
The Cloud Compliance instance needs a network connection to each Cloud Volumes ONTAP subnet.
-
Security groups for Cloud Volumes ONTAP must allow inbound connections from the Cloud Compliance instance.
-
NFS Volume export policies must allow access from the Cloud Compliance instance.
-
Cloud Compliance needs Active Directory credentials to scan CIFS volumes.
Click Compliance > CIFS Scan Status > Edit CIFS Credentials and provide the credentials. The credentials can be read-only, but providing admin credentials ensures that Cloud Compliance can read data that requires elevated permissions.
Ensure connectivity between Cloud Manager and Cloud Compliance
-
The security group for Cloud Manager must allow inbound and outbound traffic over port 80 to and from the Cloud Compliance instance.
-
If your AWS network doesn’t use a NAT or proxy for internet access, then the security group for Cloud Manager must allow inbound traffic over TCP port 3128 from the Cloud Compliance instance.
Reviewing prerequisites
Review the following prerequisites to make sure that you have a supported configuration before you enable Cloud Compliance. You'll need to ensure connectivity between components after you enable Cloud Compliance. That's covered below.
- Enable outbound internet access
-
Cloud Compliance requires outbound internet access. If your virtual network uses a proxy server for internet access, ensure that the Cloud Compliance instance has outbound internet access to contact the following endpoints:
Endpoints Purpose https://cloudmanager.cloud.netapp.com
Communication with the Cloud Manager service, which includes Cloud Central accounts.
https://netapp-cloud-account.auth0.com
Communication with NetApp Cloud Central for centralized user authentication.
https://cloud-compliance-support-netapp.s3.us-west-1.amazonaws.com
https://hub.docker.comProvides access to software images, manifests, and templates.
https://kinesis.us-east-1.amazonaws.com
Enables NetApp to stream data from audit records.
https://cognito-idp.us-east-1.amazonaws.com
https://cognito-identity.us-east-1.amazonaws.comEnables Cloud Compliance to access and download manifests and templates, and to send logs and metrics.
- Verify web browser connectivity to Cloud Compliance
-
The Cloud Compliance instance uses a private IP address to ensure that the indexed data isn't accessible to the internet. As a result, the web browser that you use to access Cloud Manager must have a connection to that private IP address. That connection can come from a direct connection to AWS or Azure (for example, a VPN), or from a host that's inside the same network as the Cloud Compliance instance.
If you're accessing Cloud Manager from a public IP address, then your web browser probably isn't running on a host inside the network. - Keep Cloud Compliance running
-
The Cloud Compliance instance needs to stay on to continuously scan your data.
Enabling Cloud Compliance on a new working environment
Cloud Compliance is enabled by default in the working environment wizard. Be sure to keep the option enabled.
-
Click Create Cloud Volumes ONTAP.
-
Select Amazon Web Services or Microsoft Azure as the cloud provider and then choose a single node or HA system.
-
Fill out the Details & Credentials page.
-
On the Services page, leave Cloud Compliance enabled and click Continue.
-
Complete the pages in the wizard to deploy the system.
For help, see Launching Cloud Volumes ONTAP in AWS and Launching Cloud Volumes ONTAP in Azure.
Cloud Compliance is enabled on the Cloud Volumes ONTAP system. If this the first time that you enabled Cloud Compliance, Cloud Manager deploys the Cloud Compliance instance in your cloud provider. As soon as the instance is available, it starts scanning data as its written to each volume that you create.
Enabling Cloud Compliance on existing working environments
Enable Cloud Compliance on your existing Cloud Volumes ONTAP systems from the Compliance tab in Cloud Manager.
Another option is to enable Cloud Compliance from the Working Environments tab by selecting each working environment individually. That'll take you longer to complete, unless you have just one system.
-
At the top of Cloud Manager, click Compliance.
-
If you want to enable Cloud Compliance on specific working environments, click the edit icon.
Otherwise, Cloud Manager is set to enable Cloud Compliance on all working environments to which you have access.
-
Click Show Compliance Dashboard.
-
At the top of Cloud Manager, click Working Environments.
-
Select a working environment.
-
In the pane on the right, click Enable Compliance.
If this the first time that you enabled Cloud Compliance, Cloud Manager deploys the Cloud Compliance instance in your cloud provider.
Cloud Compliance starts scanning the data on each working environment. Data will be available in the Compliance dashboard as soon as Cloud Compliance finishes the initial scans. The time that it takes depends on the amount of data—it could be a few minutes or hours.
Verifying that Cloud Compliance has access to volumes
Make sure that Cloud Compliance can access volumes on Cloud Volumes ONTAP by checking your networking, security groups, and export policies. You'll need to provide Cloud Compliance with CIFS credentials so it can access CIFS volumes.
-
Make sure that there's a network connection between the Cloud Compliance instance and each Cloud Volumes ONTAP subnet.
Cloud Manager deploys the Cloud Compliance instance in the same VPC or VNet as the first Cloud Volumes ONTAP system in the request. So this step is important if some Cloud Volumes ONTAP systems are in different subnets or virtual networks.
-
Ensure that the security group for Cloud Volumes ONTAP allows inbound traffic from the Cloud Compliance instance.
You can either open the security group for traffic from the IP address of the Cloud Compliance instance, or you can open the security group for all traffic from inside the virtual network.
-
Ensure that NFS volume export policies include the IP address of the Cloud Compliance instance so it can access the data on each volume.
-
If you use CIFS, provide Cloud Compliance with Active Directory credentials so it can scan CIFS volumes.
-
At the top of Cloud Manager, click Compliance.
-
In the top right, click CIFS Scan Status.
-
For each Cloud Volumes ONTAP system, click Edit CIFS Credentials and enter the user name and password that Cloud Compliance needs to access CIFS volumes on the system.
The credentials can be read-only, but providing admin credentials ensures that Cloud Compliance can read any data that requires elevated permissions. The credentials are stored on the Cloud Compliance instance.
After you enter the credentials, you should see a message that all CIFS volumes were authenticated successfully.
-
Verifying that Cloud Manager can access Cloud Compliance
Ensure connectivity between Cloud Manager and Cloud Compliance so you can view the compliance insights that Cloud Compliance found.
-
Make sure that the security group for Cloud Manager allows inbound and outbound traffic over port 80 to and from the Cloud Compliance instance.
This connection enables you to view information in the Compliance tab.
-
If your AWS network doesn’t use a NAT or proxy for internet access, modify the security group for Cloud Manager to allow inbound traffic over TCP port 3128 from the Cloud Compliance instance.
This is required because the Cloud Compliance instance uses Cloud Manager as a proxy to access the internet.
This port is open by default on all new Cloud Manager instances, starting with version 3.7.5. It's not open on Cloud Manager instances created prior to that version.