Networking requirements to deploy and manage Cloud Volumes ONTAP in GCP
Suggest changes
PDFs
Set up your Google Cloud Platform networking so Cloud Volumes ONTAP systems can operate properly. This includes networking for the Connector and Cloud Volumes ONTAP.
Requirements for Cloud Volumes ONTAP
The following requirements must be met in GCP.
- Virtual Private Cloud
-
Cloud Volumes ONTAP and the Connector are supported in a Google Cloud shared VPC and also in non-shared VPCs.
A shared VPC enables you to configure and centrally manage virtual networks across multiple projects. You can set up shared VPC networks in the host project and deploy the Connector and Cloud Volumes ONTAP virtual machine instances in a service project. Google Cloud documentation: Shared VPC overview.
The only requirement when using a shared VPC is to provide the Compute Network User role to the Connector service account. Cloud Manager needs these permissions to query the firewalls, VPC, and subnets in the host project.
- Outbound internet access for Cloud Volumes ONTAP
-
Cloud Volumes ONTAP requires outbound internet access to send messages to NetApp AutoSupport, which proactively monitors the health of your storage.
Routing and firewall policies must allow HTTP/HTTPS traffic to the following endpoints so Cloud Volumes ONTAP can send AutoSupport messages:
-
https://support.netapp.com/aods/asupmessage
-
https://support.netapp.com/asupprod/post/1.0/postAsup
-
- Number of IP addresses
-
Cloud Manager allocates 5 IP addresses to Cloud Volumes ONTAP in GCP.
Note that Cloud Manager doesn't create an SVM management LIF for Cloud Volumes ONTAP in GCP.
A LIF is an IP address associated with a physical port. An SVM management LIF is required for management tools like SnapCenter. - Firewall rules
-
You don't need to create firewall rules because Cloud Manager does that for you. If you need to use your own, refer to the firewall rules listed below.
- Connection from Cloud Volumes ONTAP to Google Cloud Storage for data tiering
-
If you want to tier cold data to a Google Cloud Storage bucket, the subnet in which Cloud Volumes ONTAP resides must be configured for Private Google Access. For instructions, refer to Google Cloud documentation: Configuring Private Google Access.
For additional steps required to set up data tiering in Cloud Manager, see Tiering cold data to low-cost object storage.
- Connections to ONTAP systems in other networks
-
To replicate data between a Cloud Volumes ONTAP system in GCP and ONTAP systems in other networks, you must have a VPN connection between the VPC and the other network—for example, your corporate network.
For instructions, refer to Google Cloud documentation: Cloud VPN overview.
Requirements for the Connector
Set up your networking so that the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.
|
|
If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server. |
Connection to target networks
A Connector requires a network connection to the VPCs and VNets in which you want to deploy Cloud Volumes ONTAP.
For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.
Outbound internet access
The Connector requires outbound internet access to manage resources and processes within your public cloud environment. A Connector contacts the following endpoints when managing resources in GCP:
| Endpoints | Purpose |
|---|---|
https://www.googleapis.com |
Enables the Connector to contact Google APIs for deploying and managing Cloud Volumes ONTAP in GCP. |
https://api.services.cloud.netapp.com:443 |
API requests to NetApp Cloud Central. |
https://cloud.support.netapp.com.s3.us-west-1.amazonaws.com |
Provides access to software images, manifests, and templates. |
https://repo.cloud.support.netapp.com |
Used to download Cloud Manager dependencies. |
http://repo.mysql.com/ |
Used to download MySQL. |
https://cognito-idp.us-east-1.amazonaws.com |
Enables the Connector to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images. |
https://cloudmanagerinfraprod.azurecr.io |
Access to software images of container components for an infrastructure that's running Docker and provides a solution for service integrations with Cloud Manager. |
https://kinesis.us-east-1.amazonaws.com |
Enables NetApp to stream data from audit records. |
https://cloudmanager.cloud.netapp.com |
Communication with the Cloud Manager service, which includes Cloud Central accounts. |
https://netapp-cloud-account.auth0.com |
Communication with NetApp Cloud Central for centralized user authentication. |
https://mysupport.netapp.com |
Communication with NetApp AutoSupport. |
https://support.netapp.com/svcgw |
Communication with NetApp for system licensing and support registration. |
https://ipa-signer.cloudmanager.netapp.com |
Enables Cloud Manager to generate licenses (for example, a FlexCache license for Cloud Volumes ONTAP) |
https://packages.cloud.google.com/yum |
Required to connect Cloud Volumes ONTAP systems with a Kubernetes cluster. The endpoints enable installation of NetApp Trident. |
Various third-party locations, for example:
Third-party locations are subject to change. |
During upgrades, Cloud Manager downloads the latest packages for third-party dependencies. |
While you should perform almost all tasks from the SaaS user interface, a local user interface is still available on the Connector. The machine running the web browser must have connections to the following endpoints:
| Endpoints | Purpose |
|---|---|
The Connector host |
You must enter the host's IP address from a web browser to load the Cloud Manager console. Depending on your connectivity to your cloud provider, you can use the private IP or a public IP assigned to the host:
In any case, you should secure network access by ensuring that security group rules allow access from only authorized IPs or subnets. |
https://auth0.com |
Your web browser connects to these endpoints for centralized user authentication through NetApp Cloud Central. |
https://widget.intercom.io |
For in-product chat that enables you to talk to NetApp cloud experts. |
Firewall rules for Cloud Volumes ONTAP
Cloud Manager creates GCP firewall rules that include the inbound and outbound rules that Cloud Manager and Cloud Volumes ONTAP need to operate successfully. You might want to refer to the ports for testing purposes or if you prefer your to use own security groups.
The firewall rules for Cloud Volumes ONTAP requires both inbound and outbound rules.
Inbound rules
The source for inbound rules in the predefined security group is 0.0.0.0/0.
| Protocol | Port | Purpose |
|---|---|---|
All ICMP |
All |
Pinging the instance |
HTTP |
80 |
HTTP access to the System Manager web console using the IP address of the cluster management LIF |
HTTPS |
443 |
HTTPS access to the System Manager web console using the IP address of the cluster management LIF |
SSH |
22 |
SSH access to the IP address of the cluster management LIF or a node management LIF |
TCP |
111 |
Remote procedure call for NFS |
TCP |
139 |
NetBIOS service session for CIFS |
TCP |
161-162 |
Simple network management protocol |
TCP |
445 |
Microsoft SMB/CIFS over TCP with NetBIOS framing |
TCP |
635 |
NFS mount |
TCP |
749 |
Kerberos |
TCP |
2049 |
NFS server daemon |
TCP |
3260 |
iSCSI access through the iSCSI data LIF |
TCP |
4045 |
NFS lock daemon |
TCP |
4046 |
Network status monitor for NFS |
TCP |
10000 |
Backup using NDMP |
TCP |
11104 |
Management of intercluster communication sessions for SnapMirror |
TCP |
11105 |
SnapMirror data transfer using intercluster LIFs |
UDP |
111 |
Remote procedure call for NFS |
UDP |
161-162 |
Simple network management protocol |
UDP |
635 |
NFS mount |
UDP |
2049 |
NFS server daemon |
UDP |
4045 |
NFS lock daemon |
UDP |
4046 |
Network status monitor for NFS |
UDP |
4049 |
NFS rquotad protocol |
Outbound rules
The predefined security group for Cloud Volumes ONTAP opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.
Basic outbound rules
The predefined security group for Cloud Volumes ONTAP includes the following outbound rules.
| Protocol | Port | Purpose |
|---|---|---|
All ICMP |
All |
All outbound traffic |
All TCP |
All |
All outbound traffic |
All UDP |
All |
All outbound traffic |
Advanced outbound rules
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by Cloud Volumes ONTAP.
|
The source is the interface (IP address) on the Cloud Volumes ONTAP system. |
| Service | Protocol | Port | Source | Destination | Purpose |
|---|---|---|---|---|---|
Active Directory |
TCP |
88 |
Node management LIF |
Active Directory forest |
Kerberos V authentication |
UDP |
137 |
Node management LIF |
Active Directory forest |
NetBIOS name service |
|
UDP |
138 |
Node management LIF |
Active Directory forest |
NetBIOS datagram service |
|
TCP |
139 |
Node management LIF |
Active Directory forest |
NetBIOS service session |
|
TCP & UDP |
389 |
Node management LIF |
Active Directory forest |
LDAP |
|
TCP |
445 |
Node management LIF |
Active Directory forest |
Microsoft SMB/CIFS over TCP with NetBIOS framing |
|
TCP |
464 |
Node management LIF |
Active Directory forest |
Kerberos V change & set password (SET_CHANGE) |
|
UDP |
464 |
Node management LIF |
Active Directory forest |
Kerberos key administration |
|
TCP |
749 |
Node management LIF |
Active Directory forest |
Kerberos V change & set Password (RPCSEC_GSS) |
|
TCP |
88 |
Data LIF (NFS, CIFS, iSCSI) |
Active Directory forest |
Kerberos V authentication |
|
UDP |
137 |
Data LIF (NFS, CIFS) |
Active Directory forest |
NetBIOS name service |
|
UDP |
138 |
Data LIF (NFS, CIFS) |
Active Directory forest |
NetBIOS datagram service |
|
TCP |
139 |
Data LIF (NFS, CIFS) |
Active Directory forest |
NetBIOS service session |
|
TCP & UDP |
389 |
Data LIF (NFS, CIFS) |
Active Directory forest |
LDAP |
|
TCP |
445 |
Data LIF (NFS, CIFS) |
Active Directory forest |
Microsoft SMB/CIFS over TCP with NetBIOS framing |
|
TCP |
464 |
Data LIF (NFS, CIFS) |
Active Directory forest |
Kerberos V change & set password (SET_CHANGE) |
|
UDP |
464 |
Data LIF (NFS, CIFS) |
Active Directory forest |
Kerberos key administration |
|
TCP |
749 |
Data LIF (NFS, CIFS) |
Active Directory forest |
Kerberos V change & set password (RPCSEC_GSS) |
|
Cluster |
All traffic |
All traffic |
All LIFs on one node |
All LIFs on the other node |
Intercluster communications (Cloud Volumes ONTAP HA only) |
TCP |
3000 |
Node management LIF |
HA mediator |
ZAPI calls (Cloud Volumes ONTAP HA only) |
|
ICMP |
1 |
Node management LIF |
HA mediator |
Keep alive (Cloud Volumes ONTAP HA only) |
|
DHCP |
UDP |
68 |
Node management LIF |
DHCP |
DHCP client for first-time setup |
DHCPS |
UDP |
67 |
Node management LIF |
DHCP |
DHCP server |
DNS |
UDP |
53 |
Node management LIF and data LIF (NFS, CIFS) |
DNS |
DNS |
NDMP |
TCP |
18600–18699 |
Node management LIF |
Destination servers |
NDMP copy |
SMTP |
TCP |
25 |
Node management LIF |
Mail server |
SMTP alerts, can be used for AutoSupport |
SNMP |
TCP |
161 |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
UDP |
161 |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
|
TCP |
162 |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
|
UDP |
162 |
Node management LIF |
Monitor server |
Monitoring by SNMP traps |
|
SnapMirror |
TCP |
11104 |
Intercluster LIF |
ONTAP intercluster LIFs |
Management of intercluster communication sessions for SnapMirror |
TCP |
11105 |
Intercluster LIF |
ONTAP intercluster LIFs |
SnapMirror data transfer |
|
Syslog |
UDP |
514 |
Node management LIF |
Syslog server |
Syslog forward messages |
Firewall rules for the Connector
The firewall rules for the Connector requires both inbound and outbound rules.
Inbound rules
The source for inbound rules in the predefined firewall rules is 0.0.0.0/0.
| Protocol | Port | Purpose |
|---|---|---|
SSH |
22 |
Provides SSH access to the Connector host |
HTTP |
80 |
Provides HTTP access from client web browsers to the local user interface |
HTTPS |
443 |
Provides HTTPS access from client web browsers to the local user interface |
Outbound rules
The predefined firewall rules for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.
Basic outbound rules
The predefined firewall rules for the Connector includes the following outbound rules.
| Protocol | Port | Purpose |
|---|---|---|
All TCP |
All |
All outbound traffic |
All UDP |
All |
All outbound traffic |
Advanced outbound rules
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.
|
|
The source IP address is the Connector host. |
| Service | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
Active Directory |
TCP |
88 |
Active Directory forest |
Kerberos V authentication |
TCP |
139 |
Active Directory forest |
NetBIOS service session |
|
TCP |
389 |
Active Directory forest |
LDAP |
|
TCP |
445 |
Active Directory forest |
Microsoft SMB/CIFS over TCP with NetBIOS framing |
|
TCP |
464 |
Active Directory forest |
Kerberos V change & set password (SET_CHANGE) |
|
TCP |
749 |
Active Directory forest |
Active Directory Kerberos V change & set password (RPCSEC_GSS) |
|
UDP |
137 |
Active Directory forest |
NetBIOS name service |
|
UDP |
138 |
Active Directory forest |
NetBIOS datagram service |
|
UDP |
464 |
Active Directory forest |
Kerberos key administration |
|
API calls and AutoSupport |
HTTPS |
443 |
Outbound internet and ONTAP cluster management LIF |
API calls to GCP and ONTAP, and sending AutoSupport messages to NetApp |
API calls |
TCP |
3000 |
ONTAP cluster management LIF |
API calls to ONTAP |
DNS |
UDP |
53 |
DNS |
Used for DNS resolve by Cloud Manager |