Deploy Cloud Volumes ONTAP in AWS Secret Cloud or AWS Top Secret Cloud
Similar to a standard AWS region, you can use the NetApp Console in AWS Secret Cloud and in AWS Top Secret Cloud to deploy Cloud Volumes ONTAP, which provides enterprise-class features for your cloud storage. AWS Secret Cloud and Top Secret Cloud are closed regions specific to the U.S. Intelligence Community; the instructions on this page only apply to AWS Secret Cloud and Top Secret Cloud region users.
Before you get started, review the supported versions in AWS Secret Cloud and Top Secret Cloud, and learn about private mode in the Console.
- Review the following supported versions in AWS Secret Cloud and Top Secret Cloud:
  - Cloud Volumes ONTAP 9.12.1 P2
  - Version 3.9.32 of the Console agent
    The Console agent is required to deploy and manage Cloud Volumes ONTAP in AWS. You log in to the Console from the software that is installed on the Console agent instance. The SaaS website for the Console isn't supported in AWS Secret Cloud and Top Secret Cloud.
- Learn about private mode
  In AWS Secret Cloud and Top Secret Cloud, the Console operates in private mode. In private mode, the Console has no connectivity to the SaaS layer. You access the Console through a local web-based application that can reach the Console agent.
  To learn more about how private mode works, refer to the private deployment mode in the Console.
Step 1: Set up your networking
Set up your AWS networking so Cloud Volumes ONTAP can operate properly.
- Choose the VPC and subnets in which you want to launch the Console agent instance and the Cloud Volumes ONTAP instances.
- Ensure that your VPC and subnets support connectivity between the Console agent and Cloud Volumes ONTAP.
- Set up a VPC endpoint to the S3 service.
  A VPC endpoint is required if you want to tier cold data from Cloud Volumes ONTAP to low-cost object storage.
Step 2: Set up permissions
Set up IAM policies and roles that provide the Console agent and Cloud Volumes ONTAP with the permissions that they need to perform actions in the AWS Secret Cloud or Top Secret Cloud.
You need an IAM policy and IAM role for each of the following:
- The Console agent instance
- Cloud Volumes ONTAP instances
- The Cloud Volumes ONTAP HA mediator instance (if you want to deploy HA pairs)

- Go to the AWS IAM console and click Policies.
- Create a policy for the Console agent instance.
  These policies support the S3 buckets in your AWS environment. When you create the buckets later, ensure that the bucket names are prefixed with fabric-pool-. This requirement applies to both the AWS Secret Cloud and Top Secret Cloud regions.
  Secret regions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:RunInstances",
          "ec2:ModifyInstanceAttribute", "ec2:DescribeRouteTables", "ec2:DescribeImages",
          "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeVolumes",
          "ec2:ModifyVolumeAttribute", "ec2:DeleteVolume", "ec2:CreateSecurityGroup",
          "ec2:DeleteSecurityGroup", "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
          "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
          "ec2:DescribeDhcpOptions", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
          "ec2:DescribeSnapshots", "ec2:GetConsoleOutput", "ec2:DescribeKeyPairs",
          "ec2:DescribeRegions", "ec2:DeleteTags", "ec2:DescribeTags",
          "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
          "cloudformation:DescribeStackEvents", "cloudformation:ValidateTemplate", "iam:PassRole",
          "iam:CreateRole", "iam:DeleteRole", "iam:PutRolePolicy",
          "iam:ListInstanceProfiles", "iam:CreateInstanceProfile", "iam:DeleteRolePolicy",
          "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile",
          "s3:GetObject", "s3:ListBucket", "s3:GetBucketTagging",
          "s3:GetBucketLocation", "s3:ListAllMyBuckets", "kms:List*",
          "kms:Describe*", "ec2:AssociateIamInstanceProfile", "ec2:DescribeIamInstanceProfileAssociations",
          "ec2:DisassociateIamInstanceProfile", "ec2:DescribeInstanceAttribute", "ec2:CreatePlacementGroup",
          "ec2:DeletePlacementGroup"
        ],
        "Resource": "*"
      },
      {
        "Sid": "fabricPoolPolicy",
        "Effect": "Allow",
        "Action": [
          "s3:DeleteBucket",
          "s3:GetLifecycleConfiguration",
          "s3:PutLifecycleConfiguration",
          "s3:PutBucketTagging",
          "s3:ListBucketVersions"
        ],
        "Resource": [
          "arn:aws-iso-b:s3:::fabric-pool*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "ec2:StartInstances",
          "ec2:StopInstances",
          "ec2:TerminateInstances",
          "ec2:AttachVolume",
          "ec2:DetachVolume"
        ],
        "Condition": {
          "StringLike": {
            "ec2:ResourceTag/WorkingEnvironment": "*"
          }
        },
        "Resource": [
          "arn:aws-iso-b:ec2:*:*:instance/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "ec2:AttachVolume",
          "ec2:DetachVolume"
        ],
        "Resource": [
          "arn:aws-iso-b:ec2:*:*:volume/*"
        ]
      }
    ]
  }
  Top Secret regions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:RunInstances",
          "ec2:ModifyInstanceAttribute", "ec2:DescribeRouteTables", "ec2:DescribeImages",
          "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeVolumes",
          "ec2:ModifyVolumeAttribute", "ec2:DeleteVolume", "ec2:CreateSecurityGroup",
          "ec2:DeleteSecurityGroup", "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
          "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
          "ec2:DescribeDhcpOptions", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
          "ec2:DescribeSnapshots", "ec2:GetConsoleOutput", "ec2:DescribeKeyPairs",
          "ec2:DescribeRegions", "ec2:DeleteTags", "ec2:DescribeTags",
          "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
          "cloudformation:DescribeStackEvents", "cloudformation:ValidateTemplate", "iam:PassRole",
          "iam:CreateRole", "iam:DeleteRole", "iam:PutRolePolicy",
          "iam:ListInstanceProfiles", "iam:CreateInstanceProfile", "iam:DeleteRolePolicy",
          "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile",
          "s3:GetObject", "s3:ListBucket", "s3:GetBucketTagging",
          "s3:GetBucketLocation", "s3:ListAllMyBuckets", "kms:List*",
          "kms:Describe*", "ec2:AssociateIamInstanceProfile", "ec2:DescribeIamInstanceProfileAssociations",
          "ec2:DisassociateIamInstanceProfile", "ec2:DescribeInstanceAttribute", "ec2:CreatePlacementGroup",
          "ec2:DeletePlacementGroup"
        ],
        "Resource": "*"
      },
      {
        "Sid": "fabricPoolPolicy",
        "Effect": "Allow",
        "Action": [
          "s3:DeleteBucket",
          "s3:GetLifecycleConfiguration",
          "s3:PutLifecycleConfiguration",
          "s3:PutBucketTagging",
          "s3:ListBucketVersions"
        ],
        "Resource": [
          "arn:aws-iso:s3:::fabric-pool*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "ec2:StartInstances",
          "ec2:StopInstances",
          "ec2:TerminateInstances",
          "ec2:AttachVolume",
          "ec2:DetachVolume"
        ],
        "Condition": {
          "StringLike": {
            "ec2:ResourceTag/WorkingEnvironment": "*"
          }
        },
        "Resource": [
          "arn:aws-iso:ec2:*:*:instance/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "ec2:AttachVolume",
          "ec2:DetachVolume"
        ],
        "Resource": [
          "arn:aws-iso:ec2:*:*:volume/*"
        ]
      }
    ]
  }
- Create a policy for Cloud Volumes ONTAP.
  Secret regions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "s3:ListAllMyBuckets",
        "Resource": "arn:aws-iso-b:s3:::*",
        "Effect": "Allow"
      },
      {
        "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
        "Effect": "Allow"
      },
      {
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
        "Effect": "Allow"
      }
    ]
  }
  Top Secret regions:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "s3:ListAllMyBuckets",
        "Resource": "arn:aws-iso:s3:::*",
        "Effect": "Allow"
      },
      {
        "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": "arn:aws-iso:s3:::fabric-pool-*",
        "Effect": "Allow"
      },
      {
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": "arn:aws-iso:s3:::fabric-pool-*",
        "Effect": "Allow"
      }
    ]
  }
  For HA pairs, if you plan to deploy a Cloud Volumes ONTAP HA pair, create a policy for the HA mediator:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ec2:AssignPrivateIpAddresses", "ec2:CreateRoute", "ec2:DeleteRoute",
          "ec2:DescribeNetworkInterfaces", "ec2:DescribeRouteTables", "ec2:DescribeVpcs",
          "ec2:ReplaceRoute", "ec2:UnassignPrivateIpAddresses"
        ],
        "Resource": "*"
      }
    ]
  }
- Create IAM roles with the role type Amazon EC2 and attach the policies that you created in the previous steps.
  Create the role: Similar to the policies, you should have one IAM role for the Console agent and one for the Cloud Volumes ONTAP nodes.
  For HA pairs: Similar to the policies, you should have one IAM role for the Console agent, one for the Cloud Volumes ONTAP nodes, and one for the HA mediator.
  Select the role: You must select the Console agent IAM role when you launch the Console agent instance. You can select the IAM roles for Cloud Volumes ONTAP when you create a Cloud Volumes ONTAP system from the Console.
  For HA pairs, you can select the IAM roles for Cloud Volumes ONTAP and the HA mediator when you create a Cloud Volumes ONTAP system.
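Because the same policy documents are maintained for two partitions, the easiest mistakes to make are a Resource ARN with the wrong partition, an S3 statement that drifts beyond the fabric-pool buckets, or a wildcard action pasted in during editing. The following Python script is an added example and is not NetApp's code: it lints a policy document for those three problems, using the partitions the policies above use (aws-iso-b for Secret, aws-iso for Top Secret), and bucket_name_ok() applies the fabric-pool- naming rule to bucket names you create later. The sample policies are constructed subsets of the page's policies; the region labels "secret" and "top-secret" and all function names are the example's own.

```python
"""Lint the Step 2 IAM policies before attaching them (added example, not NetApp code)."""
import json
import re

# Partition per region family, as used in the policies on this page.
PARTITIONS = {"secret": "aws-iso-b", "top-secret": "aws-iso"}
# Bucket-name prefix the page requires for tiering buckets.
BUCKET_PREFIX = "fabric-pool-"
ARN_RE = re.compile(r"^arn:([^:]+):([^:]*):")
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy, region_kind):
    """Return findings for one policy document; an empty list means it passes."""
    partition = PARTITIONS[region_kind]
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        label = stmt.get("Sid") or f"statement[{i}]"
        for action in _as_list(stmt.get("Action")):
            # "*" or "service:*" hands the role a whole service; the page never does that.
            if action == "*" or action.endswith(":*"):
                findings.append(f"{label}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                continue  # the page's first statements use "*" on purpose
            m = ARN_RE.match(resource)
            if not m:
                findings.append(f"{label}: malformed ARN {resource!r}")
                continue
            if m.group(1) != partition:
                findings.append(f"{label}: partition {m.group(1)!r} is not "
                                f"{partition!r} for {region_kind} regions")
            if m.group(2) == "s3":
                # arn:<partition>:s3:::<bucket>[/<key>]; "*" alone is ListAllMyBuckets
                bucket = resource.split(":::", 1)[1] if ":::" in resource else ""
                if bucket != "*" and not bucket.startswith("fabric-pool"):
                    findings.append(f"{label}: S3 resource {resource!r} is not "
                                    "scoped to fabric-pool buckets")
    return findings


def lint_policy_json(text, region_kind):
    """Convenience wrapper for a policy pasted as JSON text."""
    return lint_policy(json.loads(text), region_kind)


def bucket_name_ok(name):
    """True if a bucket name meets S3 naming rules and carries the fabric-pool- prefix."""
    return name.startswith(BUCKET_PREFIX) and BUCKET_NAME_RE.match(name) is not None


# Constructed subset of the page's Secret-region Console agent policy.
SAMPLE_SECRET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "fabricPoolPolicy", "Effect": "Allow",
         "Action": ["s3:PutBucketTagging", "s3:ListBucketVersions"],
         "Resource": ["arn:aws-iso-b:s3:::fabric-pool*"]},
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Condition": {"StringLike": {"ec2:ResourceTag/WorkingEnvironment": "*"}},
         "Resource": ["arn:aws-iso-b:ec2:*:*:instance/*"]},
    ],
}

# Constructed policy showing the two mistakes the linter is meant to catch.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws-iso-b:s3:::my-data-bucket"},
    ],
}

if __name__ == "__main__":
    for kind in PARTITIONS:
        print(kind, lint_policy(SAMPLE_SECRET_POLICY, kind) or "OK")
    print("bad", lint_policy(BAD_POLICY, "secret"))
    print(bucket_name_ok("fabric-pool-testbucket"), bucket_name_ok("testbucket"))
```

Run the script against each policy you are about to paste into the IAM console: the Secret-region sample passes for "secret" and reports two partition mismatches for "top-secret", which is exactly the error you get by reusing one document for both region families.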
Step 3: Set up the AWS KMS
If you want to use Amazon encryption with Cloud Volumes ONTAP, ensure that requirements are met for the AWS Key Management Service (KMS).
- Ensure that an active Customer Master Key (CMK) exists in your account or in another AWS account.
  The CMK can be an AWS-managed CMK or a customer-managed CMK.
- If the CMK is in an AWS account separate from the account where you plan to deploy Cloud Volumes ONTAP, obtain the ARN of that key.
  You need to provide the ARN to the Console when you create the Cloud Volumes ONTAP system.
- Add the IAM role for the instance to the list of key users for the CMK.
  This gives the Console permission to use the CMK with Cloud Volumes ONTAP.
Step 4: Install the Console agent and set up the Console
Before you can start using the Console to deploy Cloud Volumes ONTAP in AWS, you must install and set up the Console agent. It enables the Console to manage resources and processes within your public cloud environment (this includes Cloud Volumes ONTAP).
- Obtain a root certificate signed by a certificate authority (CA) in the Privacy Enhanced Mail (PEM) Base-64 encoded X.509 format. Consult your organization's policies and procedures for obtaining the certificate.
  For AWS Secret Cloud regions, upload the NSS Root CA 2 certificate; for Top Secret Cloud, upload the Amazon Root CA 4 certificate. Upload only these certificates, not the entire chain: the certificate chain file is large, and the upload can fail. If you have additional certificates, you can upload them later, as described in the next step.
  You need to upload the certificate during the setup process. The Console uses the trusted certificate when sending requests to AWS over HTTPS.
- Launch the Console agent instance:
  - Go to the AWS Intelligence Community Marketplace page for the Console.
  - On the Custom Launch tab, choose the option to launch the instance from the EC2 console.
  - Follow the prompts to configure the instance. Note the following as you configure it:
    - We recommend t3.xlarge.
    - You must choose the IAM role that you created when you set up permissions.
    - You should keep the default storage options.
    - The required connection methods for the Console agent are SSH, HTTP, and HTTPS.
- Set up the Console from a host that has a connection to the instance:
  - Open a web browser and enter https://ipaddress, where ipaddress is the IP address of the Linux host where you installed the Console agent.
  - Specify a proxy server for connectivity to AWS services.
  - Upload the certificate that you obtained in step 1.
  - Follow the prompts to set up a new system:
    - System Details: Enter a name for the Console agent and your company name.
    - Create Admin User: Create the admin user for the system.
      This user account runs locally on the system. There's no connection to the auth0 service available through the Console.
    - Review: Review the details, accept the license agreement, and then select Set Up.
  - To complete installation of the CA-signed certificate, restart the Console agent instance from the EC2 console.
- After the Console agent restarts, log in using the administrator user account that you created in the Setup wizard.
Step 5: (optional) Install a private mode certificate
This step is optional for AWS Secret Cloud and Top Secret Cloud regions, and is required only if you have additional certificates apart from the root certificate that you installed in the previous step.
- List the installed certificates.
  - Collect the Docker ID of the occm container (named "ds-occm-1"):
    docker ps
  - Get a shell inside the occm container:
    docker exec -it <docker-id> /bin/sh
  - Collect the password from the TRUST_STORE_PASSWORD environment variable:
    env
  - List all certificates installed in the truststore, using the password collected in the previous step:
    keytool -list -v -keystore occm.truststore
- Add a certificate.
  - Collect the Docker ID of the occm container (named "ds-occm-1"):
    docker ps
  - Get a shell inside the occm container:
    docker exec -it <docker-id> /bin/sh
    Save the new certificate file inside the container.
  - Collect the password from the TRUST_STORE_PASSWORD environment variable:
    env
  - Add the certificate to the truststore, using the password from the previous step:
    keytool -import -alias <alias-name> -file <certificate-file-name> -keystore occm.truststore
  - Check that the certificate was installed:
    keytool -list -v -keystore occm.truststore -alias <alias-name>
  - Exit the occm container:
    exit
  - Restart the occm container so that it picks up the new truststore contents:
    docker restart <docker-id>
Step 6: Add a license to the Console
If you purchased a license from NetApp, you need to add it to the Console, so that you can select the license when you create a new Cloud Volumes ONTAP system. These licenses remain unassigned until you associate them with a new Cloud Volumes ONTAP system.
- From the left navigation menu, select Licenses and subscriptions.
- On the Cloud Volumes ONTAP panel, select View.
- On the Cloud Volumes ONTAP tab, select Licenses > Node Based Licenses.
- Click Unassigned.
- Click Add Unassigned Licenses.
- Enter the serial number of the license or upload the license file.
  If you don't have the license file yet, you need to obtain it manually from netapp.com:
  - Go to the NetApp License File Generator and log in using your NetApp Support Site credentials.
  - Enter your password, choose your product, enter the serial number, confirm that you have read and accepted the privacy policy, and then click Submit.
  - Choose whether you want to receive the serialnumber.NLF JSON file through email or direct download.
- Click Add License.
The Console adds the license as unassigned until you associate it with a new Cloud Volumes ONTAP system. You can see the license on the left navigation menu under Licenses and subscriptions > Cloud Volumes ONTAP > View > Licenses.
Step 7: Launch Cloud Volumes ONTAP from the Console
You can launch Cloud Volumes ONTAP instances in AWS Secret Cloud and Top Secret Cloud by creating new systems in the Console.
For HA pairs, a key pair is required to enable key-based SSH authentication to the HA mediator.
- On the Systems page, click Add System.
- Under Create, select Cloud Volumes ONTAP.
  For HA: Under Create, select Cloud Volumes ONTAP or Cloud Volumes ONTAP HA.
- Complete the steps in the wizard to launch the Cloud Volumes ONTAP system.
  While making selections in the wizard, do not select Data Sense & Compliance or Backup to Cloud under Services. Under Preconfigured Packages, select Change Configuration only, and ensure that no other option is selected. Preconfigured packages aren't supported in AWS Secret Cloud and Top Secret Cloud regions; if one is selected, the deployment fails.
  Note the following as you complete the wizard for HA pairs:
  - You should configure a transit gateway when you deploy Cloud Volumes ONTAP HA in multiple Availability Zones (AZs). For instructions, refer to Set up an AWS transit gateway.
  - Because only two AZs were available in the AWS Top Secret Cloud at the time of publication, deploy the configuration as follows:
    - Node 1: Availability Zone A
    - Node 2: Availability Zone B
    - Mediator: Availability Zone A or B
  Note the following as you complete the wizard:
  - You should leave the default option to use a generated security group.
    The predefined security group includes the rules that Cloud Volumes ONTAP needs to operate successfully. If you have a requirement to use your own, refer to the security group section below.
  - You must choose the IAM role that you created when preparing your AWS environment.
  - The underlying AWS disk type is for the initial Cloud Volumes ONTAP volume.
    You can choose a different disk type for subsequent volumes.
  - The performance of AWS disks is tied to disk size.
    Choose the disk size that gives you the sustained performance that you need. Refer to the AWS documentation for more details about EBS performance.
  - The disk size is the default size for all disks on the system.
    If you need a different size later, you can use the Advanced allocation option to create an aggregate that uses disks of a specific size.
The Cloud Volumes ONTAP instance is launched. You can track the progress on the Audit page.
Step 8: Install security certificates for data tiering
You need to manually install security certificates for enabling data tiering in AWS Secret Cloud and Top Secret Cloud regions.
- Create S3 buckets.
  Ensure that the bucket names are prefixed with fabric-pool-, for example fabric-pool-testbucket.
- Keep the root certificates that you installed in step 4 handy.
- Copy the text from the root certificates that you installed in step 4.
- Securely connect to the Cloud Volumes ONTAP system by using the CLI.
- Install the root certificates. You might need to press the ENTER key multiple times:
  security certificate install -type server-ca -cert-name <certificate-name>
- When prompted, enter the entire copied text, from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive.
- Keep a copy of the CA-signed digital certificate for future reference.
- Retain the CA name and certificate serial number.
- Configure the object store for AWS Secret Cloud and Top Secret Cloud regions:
  set -privilege advanced -confirmations off
- Run this command to configure the object store.
  All Amazon Resource Names (ARNs) should be suffixed with -iso-b, such as arn:aws-iso-b. For example, if a resource requires an ARN with a region, use us-iso-b for the -server flag in Top Secret Cloud, and use us-iso-b-1 in AWS Secret Cloud.
  storage aggregate object-store config create -object-store-name <S3Bucket> -provider-type AWS_S3 -auth-type EC2-IAM -server <s3.us-iso-b-1.server_name> -container-name <fabric-pool-testbucket> -is-ssl-enabled true -port 443
- Verify that the object store was created successfully:
  storage aggregate object-store show -instance
- Attach the object store to the aggregate. Repeat this for every new aggregate:
  storage aggregate object-store attach -aggregate <aggr1> -object-store-name <S3Bucket>
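The same PEM handling comes up three times on this page: the root certificate uploaded during Console setup (step 4, where a whole chain file can make the upload fail), the certificate added to the truststore (step 5), and the text pasted into the ONTAP CLI here, whose serial number you are told to retain. The following Python script is an added example, not NetApp's code, for checking a PEM file before you use it: split_pem_certificates() reports how many certificate blocks the file really contains, certificate_serial() reads the serial number with a minimal DER walk (no third-party library needed), and check_upload_candidate() combines both into a list of findings. The SAMPLE_PEM value is constructed for the demonstration and holds only the DER fields the walk reads; it is not a real certificate, and the function names are the example's own.

```python
"""Check a PEM file before uploading it, importing it, or pasting it into the ONTAP CLI
(added example, not NetApp code)."""
import base64
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_certificates(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    ders = []
    for body in PEM_BLOCK_RE.findall(text):
        try:
            ders.append(base64.b64decode("".join(body.split()), validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("PEM body is not valid base64") from exc
    return ders


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der):
    """Return the serialNumber of an X.509 certificate as colon-separated hex.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }; only those fields are walked.
    """
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _tlv(tbs, 0)
    if tag == 0xA0:  # explicit [0] version is optional; skip it when present
        tag, value, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return ":".join(f"{b:02X}" for b in value)


def check_upload_candidate(text):
    """Findings for a file about to be used as 'the root certificate'; empty means OK."""
    findings = []
    ders = split_pem_certificates(text)
    if not ders:
        findings.append("no CERTIFICATE block found")
    elif len(ders) > 1:
        findings.append(f"file holds {len(ders)} certificates; upload only the root, not the chain")
    for der in ders:
        try:
            certificate_serial(der)
        except (ValueError, IndexError):
            findings.append("certificate body does not parse as DER")
    return findings


# Constructed, minimal DER: SEQUENCE { SEQUENCE { [0] INTEGER 2, INTEGER 01:02:03:04:05 } }.
# Only the fields certificate_serial() walks are present; this is not a usable certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MA4wDKADAgECAgUBAgMEBQ==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    for der in split_pem_certificates(text):
        print("serial:", certificate_serial(der))
    print(check_upload_candidate(text) or "OK: single certificate, parses as DER")
```

Pass the path of the file you intend to upload as the first argument; a chain file produces the "upload only the root" finding before you spend an upload attempt on it, and the printed serial is the value to retain alongside the CA name.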