Azure networking requirements Edit on GitHub Request doc changes

You must set up your Azure networking so that Cloud Manager can deploy Cloud Volumes ONTAP systems and so those systems can operate properly.

Outbound internet access for Cloud Manager

Cloud Manager requires outbound internet access to contact the following endpoints when deploying and managing Cloud Volumes ONTAP in Microsoft Azure:

Endpoints Purpose

https://management.azure.com
https://login.microsoftonline.com

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in most Azure regions.

https://management.microsoftazure.de
https://login.microsoftonline.de

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure Germany regions.

https://management.usgovcloudapi.net
https://login.microsoftonline.com

Enables Cloud Manager to deploy and manage Cloud Volumes ONTAP in the Azure US Gov regions.

api.services.cloud.netapp.com:443

API requests to NetApp Cloud Central.

cloud.support.netapp.com.s3.us-west-1.amazonaws.com

Provides access to software images, manifests, and templates.

cognito-idp.us-east-1.amazonaws.com
cognito-identity.us-east-1.amazonaws.com
sts.amazonaws.com

Enables Cloud Manager to access and download manifests, templates, and Cloud Volumes ONTAP upgrade images.

kinesis.us-east-1.amazonaws.com

Enables NetApp to stream data from audit records.

https://netapp-cloud-account.auth0.com

Communication with NetApp Cloud Central for centralized user authentication.

https://mysupport.netapp.com

Communication with NetApp AutoSupport.

https://support.netapp.com/svcgw
https://support.netapp.com/ServiceGW/entitlement

Communication with NetApp for licensing and support registration.

Various third-party locations, for example:

  • https://repo1.maven.org/maven2

  • https://oss.sonatype.org/content/repositories

  • https://repo.typesafe.org

Third-party locations are subject to change.

During upgrades, Cloud Manager downloads the latest packages for third-party dependencies.

If your network uses a proxy server for all communication to the internet, Cloud Manager prompts you to specify the proxy during setup. You can also specify the proxy server from the Settings page. Refer to Configuring Cloud Manager to use a proxy server.
Outbound internet access for Cloud Volumes ONTAP

Cloud Volumes ONTAP requires outbound internet access to send messages to NetApp AutoSupport, which proactively monitors the health of your storage.

Routing and firewall policies must allow Azure HTTP/HTTPS traffic to mysupport.netapp.com so Cloud Volumes ONTAP can send AutoSupport messages.

Outbound internet access from your web browser

Users must access Cloud Manager from a web browser. A web browser must have connections to the following endpoints:

Endpoints Purpose

The Cloud Manager host

You must enter the host’s IP address from a web browser to load the Cloud Manager console.

If you deploy Cloud Manager in Azure, the easiest way to provide access is by allocating a public IP address. However, if you want to use a private IP address instead, users can access the console through either of the following:

  • A jump host in the VNet that has a connection to Cloud Manager

  • A host in your network that has a VPN connection to the private IP address

https://auth0.com
https://netapp-cloud-account.auth0.com
https://services.cloud.netapp.com

Your web browser connects to these endpoints for centralized user authentication through NetApp Cloud Central.

Security groups

You do not need to create security groups because Cloud Manager does that for you. If you need to use your own, refer to Security group rules.

Connection between Cloud Manager and target subnets

Cloud Manager requires a connection to the subnets in which you deploy Cloud Volumes ONTAP.

If Cloud Manager is not installed in the target VNet, it must have network connectivity to that VNet. For example, if you install Cloud Manager in AWS or in your corporate network, you must set up a VPN connection to the VNet in which you deploy Cloud Volumes ONTAP.

Connection from Cloud Volumes ONTAP to Azure Blob storage for data tiering

If you want to tier cold data to Azure Blob storage, you do not need to set up a VNet service endpoint as long as Cloud Manager has the required permission:

"Microsoft.Network/virtualNetworks/subnets/write",

That permission is included in the latest Cloud Manager policy. For details about providing permissions, see Granting Azure permissions.

For details about setting up data tiering, see Tiering cold data to low-cost object storage.

If your network configuration uses route tables, then Cloud Manager also requires the following permission: Microsoft.Network/routeTables/join/action
Connections to ONTAP systems in other networks

To replicate data between a Cloud Volumes ONTAP system in Azure and ONTAP systems in other networks, you must have a VPN connection between the Azure VNet and the other network—for example, an AWS VPC or your corporate network.