Set up your networking so the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.
Tip: If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server.
A Connector requires a network connection to the type of working environment that you’re creating and the services that you’re planning to enable.
For example, if you install a Connector in your corporate network, then you must set up a VPN connection to the VPC or VNet in which you launch Cloud Volumes ONTAP.
If your network has a subnet configured in the 172 range, then you might experience connectivity failures from Cloud Manager. Learn more about this known issue.
The Connector requires outbound internet access to manage resources and processes within your public cloud environment. Outbound internet access is also required if you want to manually install the Connector on a Linux host or access the local UI running on the Connector.
The following sections identify the specific endpoints.
A Connector contacts the following endpoints when managing resources in AWS:
A Connector contacts the following endpoints when managing resources in Azure:
A Connector contacts the following endpoints when managing resources in GCP:
You have the option to manually install the Connector software on your own Linux host. If you do, the installer for the Connector must access the following URLs during the installation process:
The host might try to update operating system packages during installation. The host can contact different mirroring sites for these OS packages.
While you should perform almost all tasks from the SaaS user interface, a local user interface is still available on the Connector. The machine running the web browser must have connections to the following endpoints:
Endpoints | Purpose |
---|---|
The Connector host | You must enter the host’s IP address from a web browser to load the Cloud Manager console. Depending on your connectivity to your cloud provider, you can use the private IP or a public IP assigned to the host. In any case, you should secure network access by ensuring that security group rules allow access from only authorized IPs or subnets. |
https://auth0.com | Your web browser connects to these endpoints for centralized user authentication through NetApp Cloud Central. |
 | For in-product chat that enables you to talk to NetApp cloud experts. |
There’s no incoming traffic to the Connector, unless you initiate it. HTTP and HTTPS provide access to the local UI, which you’ll use in rare circumstances. SSH is only needed if you need to connect to the host for troubleshooting.
The security group for the Connector requires both inbound and outbound rules.
Protocol | Port | Purpose |
---|---|---|
SSH | 22 | Provides SSH access to the Connector host |
HTTP | 80 | Provides HTTP access from client web browsers to the local user interface and connections from Cloud Compliance |
HTTPS | 443 | Provides HTTPS access from client web browsers to the local user interface |
TCP | 3128 | Provides the Cloud Compliance instance with internet access, if your AWS network doesn’t use a NAT or proxy |
The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.
The predefined security group for the Connector includes the following outbound rules.
Protocol | Port | Purpose |
---|---|---|
All TCP | All | All outbound traffic |
All UDP | All | All outbound traffic |
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.
Note: The source IP address is the Connector host.
Service | Protocol | Port | Destination | Purpose |
---|---|---|---|---|
Active Directory | TCP | 88 | Active Directory forest | Kerberos V authentication |
 | TCP | 139 | Active Directory forest | NetBIOS service session |
 | TCP | 389 | Active Directory forest | LDAP |
 | TCP | 445 | Active Directory forest | Microsoft SMB/CIFS over TCP with NetBIOS framing |
 | TCP | 464 | Active Directory forest | Kerberos V change & set password (SET_CHANGE) |
 | TCP | 749 | Active Directory forest | Active Directory Kerberos V change & set password (RPCSEC_GSS) |
 | UDP | 137 | Active Directory forest | NetBIOS name service |
 | UDP | 138 | Active Directory forest | NetBIOS datagram service |
 | UDP | 464 | Active Directory forest | Kerberos key administration |
API calls and AutoSupport | HTTPS | 443 | Outbound internet and ONTAP cluster management LIF | API calls to AWS and ONTAP, and sending AutoSupport messages to NetApp |
API calls | TCP | 3000 | ONTAP cluster management LIF | API calls to ONTAP |
 | TCP | 8088 | Backup to S3 | API calls to Backup to S3 |
DNS | UDP | 53 | DNS | Used for DNS resolution by Cloud Manager |
Cloud Compliance | HTTP | 80 | Cloud Compliance instance | Cloud Compliance for Cloud Volumes ONTAP |
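The inbound advice above (allow access only from authorized IPs or subnets) and the advanced outbound table can be turned into a check against a deployed security group. The following is an added example, not NetApp's code: it takes a security group in the shape returned by `aws ec2 describe-security-groups`, flags inbound sources outside the CIDRs you authorize, and reports any rule that opens ports beyond those in the AWS tables above. `SAMPLE_SG` and the `10.0.0.0/8` authorized range are constructed inputs.

```python
# Added example, not NetApp's code: audit an AWS security group against the Connector
# port tables above. SAMPLE_SG is a constructed input shaped like DescribeSecurityGroups.
from ipaddress import ip_network

REQUIRED_INBOUND = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 3128)}
REQUIRED_OUTBOUND = {  # advanced outbound table; source is the Connector host
    ("tcp", 88), ("tcp", 139), ("tcp", 389), ("tcp", 445), ("tcp", 464),
    ("tcp", 749), ("udp", 137), ("udp", 138), ("udp", 464),  # Active Directory
    ("tcp", 443), ("tcp", 3000), ("tcp", 8088),             # API calls, AutoSupport
    ("udp", 53), ("tcp", 80),                               # DNS, Cloud Compliance
}

def permitted_ports(rule):
    """(protocol, port) pairs a rule allows; None when IpProtocol is -1 (all traffic)."""
    if rule.get("IpProtocol", "-1") == "-1":
        return None
    return {(rule["IpProtocol"], p) for p in range(rule["FromPort"], rule["ToPort"] + 1)}

def audit(sg, authorized_cidrs):
    """Return findings: inbound sources outside authorized_cidrs, and any rule
    (either direction) that opens ports the Connector does not need."""
    findings, allowed = [], [ip_network(c) for c in authorized_cidrs]
    for direction, key, required in (("inbound", "IpPermissions", REQUIRED_INBOUND),
                                     ("outbound", "IpPermissionsEgress", REQUIRED_OUTBOUND)):
        for rule in sg.get(key, []):
            for r in (rule.get("IpRanges", []) if direction == "inbound" else []):
                net = ip_network(r["CidrIp"])
                if not any(net.subnet_of(a) for a in allowed):
                    findings.append(f"inbound: {net} is not an authorized source")
            ports = permitted_ports(rule)
            if ports is None:
                findings.append(f"{direction}: rule allows all protocols and ports")
            elif (extra := sorted(ports - required)):
                findings.append(f"{direction}: unneeded ports {extra[0][0]}/{extra[0][1]}..{extra[-1][1]}")
    return findings

# Constructed sample: SSH open to the world plus the predefined "all outbound" rule.
SAMPLE_SG = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3010, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SG, ["10.0.0.0/8"])))
```

Swap in the Azure or GCP port sets to run the same check against those tables; the predefined "all outbound" rule is always reported so you can decide whether to keep it or move to the advanced rules.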
The security group for the Connector requires both inbound and outbound rules.
Port | Protocol | Purpose |
---|---|---|
22 | SSH | Provides SSH access to the Connector host |
80 | HTTP | Provides HTTP access from client web browsers to the local user interface |
443 | HTTPS | Provides HTTPS access from client web browsers to the local user interface |
The predefined security group for the Connector opens all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.
The predefined security group for the Connector includes the following outbound rules.
Port | Protocol | Purpose |
---|---|---|
All | All TCP | All outbound traffic |
All | All UDP | All outbound traffic |
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.
Note: The source IP address is the Connector host.
Service | Port | Protocol | Destination | Purpose |
---|---|---|---|---|
Active Directory | 88 | TCP | Active Directory forest | Kerberos V authentication |
 | 139 | TCP | Active Directory forest | NetBIOS service session |
 | 389 | TCP | Active Directory forest | LDAP |
 | 445 | TCP | Active Directory forest | Microsoft SMB/CIFS over TCP with NetBIOS framing |
 | 464 | TCP | Active Directory forest | Kerberos V change & set password (SET_CHANGE) |
 | 749 | TCP | Active Directory forest | Active Directory Kerberos V change & set password (RPCSEC_GSS) |
 | 137 | UDP | Active Directory forest | NetBIOS name service |
 | 138 | UDP | Active Directory forest | NetBIOS datagram service |
 | 464 | UDP | Active Directory forest | Kerberos key administration |
API calls and AutoSupport | 443 | HTTPS | Outbound internet and ONTAP cluster management LIF | API calls to AWS and ONTAP, and sending AutoSupport messages to NetApp |
API calls | 3000 | TCP | ONTAP cluster management LIF | API calls to ONTAP |
DNS | 53 | UDP | DNS | Used for DNS resolution by Cloud Manager |
The firewall rules for the Connector require both inbound and outbound rules.
Protocol | Port | Purpose |
---|---|---|
SSH | 22 | Provides SSH access to the Connector host |
HTTP | 80 | Provides HTTP access from client web browsers to the local user interface |
HTTPS | 443 | Provides HTTPS access from client web browsers to the local user interface |
The predefined firewall rules for the Connector open all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.
The predefined firewall rules for the Connector include the following outbound rules.
Protocol | Port | Purpose |
---|---|---|
All TCP | All | All outbound traffic |
All UDP | All | All outbound traffic |
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.
Note: The source IP address is the Connector host.
Service | Protocol | Port | Destination | Purpose |
---|---|---|---|---|
Active Directory | TCP | 88 | Active Directory forest | Kerberos V authentication |
 | TCP | 139 | Active Directory forest | NetBIOS service session |
 | TCP | 389 | Active Directory forest | LDAP |
 | TCP | 445 | Active Directory forest | Microsoft SMB/CIFS over TCP with NetBIOS framing |
 | TCP | 464 | Active Directory forest | Kerberos V change & set password (SET_CHANGE) |
 | TCP | 749 | Active Directory forest | Active Directory Kerberos V change & set password (RPCSEC_GSS) |
 | UDP | 137 | Active Directory forest | NetBIOS name service |
 | UDP | 138 | Active Directory forest | NetBIOS datagram service |
 | UDP | 464 | Active Directory forest | Kerberos key administration |
API calls and AutoSupport | HTTPS | 443 | Outbound internet and ONTAP cluster management LIF | API calls to GCP and ONTAP, and sending AutoSupport messages to NetApp |
API calls | TCP | 3000 | ONTAP cluster management LIF | API calls to ONTAP |
DNS | UDP | 53 | DNS | Used for DNS resolution by Cloud Manager |