This page highlights important changes in Cloud Manager that can help you use the service as we introduce new enhancements. You should continue to read the What’s new page to learn about all new features and enhancements.
Starting with the 9.8 release, the Cloud Volumes ONTAP PAYGO AMI is no longer available in the AWS Marketplace. If you use the Cloud Manager API to deploy Cloud Volumes ONTAP PAYGO, you’ll need to subscribe to the Cloud Manager subscription in the AWS Marketplace before deploying a 9.8 system.
We have introduced a software-as-a-service experience for Cloud Manager. This new experience makes it easier for you to use Cloud Manager and enables us to provide additional features to manage your hybrid cloud infrastructure.
To ensure that adequate resources are available for new and upcoming features in Cloud Manager, we’ve changed the minimum required instance, VM, and machine type as follows:
- AWS: t3.xlarge
- Azure: DS3 v2
- GCP: n1-standard-4
When you upgrade the machine type, you’ll get access to features like a new Kubernetes experience, Global File Cache, Monitoring, and more.
These default sizes are the minimum supported based on CPU and RAM requirements.
Cloud Manager will prompt you with instructions to change the machine type of the Connector.
We introduced Cloud Central accounts to provide multi-tenancy, to help you organize users and resources in isolated workspaces, and to manage access to Connectors and subscriptions.
Cloud Manager occasionally requires additional cloud provider permissions as we introduce new features and enhancements. This section identifies new permissions that are now required.
You can find the latest list of permissions on the Cloud Manager policies page.
Starting with the 3.8.1 release, the following permissions are required to use Cloud Backup with Cloud Volumes ONTAP. Learn more.
{
    "Sid": "backupPolicy",
    "Effect": "Allow",
    "Action": [
        "s3:DeleteBucket",
        "s3:GetLifecycleConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketTagging",
        "s3:ListBucketVersions",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy",
        "s3:PutBucketPublicAccessBlock"
    ],
    "Resource": [
        "arn:aws:s3:::netapp-backup-*"
    ]
},
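One way to confirm that an existing IAM policy already grants everything in the `backupPolicy` statement above, as an added example that is not NetApp code. The function names and the sample policy are constructed for illustration; only the action list and the resource ARN come from this page.

```python
import json
import re

# Resource and actions copied from the backupPolicy statement on this page.
REQUIRED_RESOURCE = "arn:aws:s3:::netapp-backup-*"
REQUIRED_ACTIONS = [
    "s3:DeleteBucket", "s3:GetLifecycleConfiguration",
    "s3:PutLifecycleConfiguration", "s3:PutBucketTagging",
    "s3:ListBucketVersions", "s3:GetObject", "s3:ListBucket",
    "s3:ListAllMyBuckets", "s3:GetBucketTagging", "s3:GetBucketLocation",
    "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:PutBucketPublicAccessBlock",
]
# Constructed sample policy (not a NetApp policy) with deliberate gaps.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": "arn:aws:s3:::netapp-backup-*"},
    {"Effect": "Allow", "Action": "s3:PutBucketTagging", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::netapp-backup-prod*"},
]})

def _as_list(value):
    """IAM accepts a single string where a list is expected."""
    return [value] if isinstance(value, str) else list(value or [])

def covers(pattern, required, ignore_case=False):
    """True if the IAM wildcard `pattern` covers `required`.
    `?` is compiled to `[^*]` so it cannot absorb the trailing `*` of the
    required resource; a narrower resource pattern is reported as a gap."""
    regex = "".join(".*" if c == "*" else "[^*]" if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, required, re.I if ignore_case else 0) is not None

def missing_backup_actions(policy_json):
    """Required actions that no Allow statement grants on the backup buckets.
    Deny, NotAction/NotResource and Condition are not evaluated here."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may omit the list
        statements = [statements]
    granted = set()
    for stmt in statements:
        resources = _as_list(stmt.get("Resource"))
        if stmt.get("Effect") != "Allow" or not any(
                covers(r, REQUIRED_RESOURCE) for r in resources):
            continue
        for action in REQUIRED_ACTIONS:
            if any(covers(a, action, True) for a in _as_list(stmt.get("Action"))):
                granted.add(action)
    return [a for a in REQUIRED_ACTIONS if a not in granted]
```

Pass `missing_backup_actions()` the JSON text of the policy attached to the Connector's role; an empty list means every listed action is allowed on the `netapp-backup-*` buckets.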
- To avoid Azure deployment failures, make sure that your Cloud Manager policy in Azure includes the following permission:
  "Microsoft.Resources/deployments/operationStatuses/read"
- Starting with the 3.8.7 release, the following permission is required to encrypt Azure managed disks on single node Cloud Volumes ONTAP systems using external keys from another account. Learn more.
  "Microsoft.Compute/diskEncryptionSets/read"
- The following permissions are required to enable Global File Cache on Cloud Volumes ONTAP. Learn more.
  "Microsoft.Resources/deployments/operationStatuses/read",
  "Microsoft.Insights/Metrics/Read",
  "Microsoft.Compute/virtualMachines/extensions/write",
  "Microsoft.Compute/virtualMachines/extensions/read",
  "Microsoft.Compute/virtualMachines/extensions/delete",
  "Microsoft.Compute/virtualMachines/delete",
  "Microsoft.Network/networkInterfaces/delete",
  "Microsoft.Network/networkSecurityGroups/delete",
  "Microsoft.Resources/deployments/delete",
Starting with the 3.9 release, the service account for a Connector requires additional permissions to deploy a Cloud Volumes ONTAP HA pair in GCP:
- compute.addresses.list
- compute.backendServices.create
- compute.networks.updatePolicy
- compute.regionBackendServices.create
- compute.regionBackendServices.get
- compute.regionBackendServices.list
Starting with the 3.9 release, additional permissions are required to set a service account on the Cloud Volumes ONTAP instance. This service account provides permissions for data tiering to a Google Cloud Storage bucket.
- iam.serviceAccounts.actAs
- storage.objects.get
- storage.objects.list
Starting with the 3.8.8 release, the service account for a Connector requires additional permissions to discover and manage Kubernetes clusters running in Google Kubernetes Engine (GKE):
- container.*
Starting with the 3.8 release, the following permissions are now required to use a service account for data tiering. Learn more about this change.
- storage.buckets.update
- compute.instances.setServiceAccount
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.list
The Connector requires outbound internet access to manage resources and processes within your public cloud environment. This section identifies new endpoints that are now required.
You can find the full list of endpoints accessed from your web browser here and the full list of endpoints accessed by the Connector here.
- Users need to access Cloud Manager from a web browser by contacting the following endpoint:
- Connectors require access to the following endpoint to obtain software images of container components for a Docker infrastructure:
Ensure that your firewall enables access to this endpoint from the Connector.