sidebar | permalink | keywords | summary |
---|---|---|---|
sidebar | reference_networking_gcp.html | networking, network, requirements, connection, connections, subnet, vpn, internet, proxy, HTTP, private, proxy server, routing, firewall, autosupport, connection, jump host, outbound, ports, tiering, data tiering, bucket, private google access, set up data tiering, data tiering requirement, gcp networking, google networking, shared vpc, host project, service project | Set up your Google Cloud Platform networking so Cloud Volumes ONTAP systems can operate properly. This includes networking for the Connector and Cloud Volumes ONTAP. |
Set up your Google Cloud Platform networking so Cloud Volumes ONTAP systems can operate properly. This includes networking for the Connector and Cloud Volumes ONTAP.
If you want to deploy an HA pair, you should learn how HA pairs work in GCP.
The following requirements must be met in GCP.
- Virtual Private Cloud for single node systems

  One VPC is required for a single node system.

  Cloud Volumes ONTAP and the Connector are supported in a Google Cloud shared VPC and also in standalone VPCs.

  A shared VPC enables you to configure and centrally manage virtual networks across multiple projects. You can set up shared VPC networks in the host project and deploy the Connector and Cloud Volumes ONTAP virtual machine instances in a service project. Google Cloud documentation: Shared VPC overview.

  The only requirement when using a shared VPC is to provide the Compute Network User role to the Connector service account. Cloud Manager needs these permissions to query the firewalls, VPC, and subnets in the host project.

- Virtual Private Clouds for HA pairs

  Four Virtual Private Clouds (VPCs) are required for the HA configuration. Four VPCs are required because GCP requires that each network interface of a VM instance resides in a separate VPC network.

  Similar to a single node system, an HA pair is supported in a shared VPC and also in standalone VPCs. All VPCs can be either shared or non-shared VPCs.

  The only requirement when using a shared VPC is to provide the Compute Network User role to the Connector service account. Cloud Manager needs these permissions to query the firewalls, VPC, and subnets in the host project.

  Cloud Manager will prompt you to choose four VPCs when you create the HA pair:

  - VPC-0 for inbound connections to the data and nodes
  - VPC-1, VPC-2, and VPC-3 for internal communication between the nodes and the HA mediator

  Note that the subnets in these VPCs must have distinct CIDR ranges. They can't have overlapping CIDR ranges.
- Outbound internet access for Cloud Volumes ONTAP

  Cloud Volumes ONTAP requires outbound internet access to send messages to NetApp AutoSupport, which proactively monitors the health of your storage.

  Routing and firewall policies must allow HTTP/HTTPS traffic to the following endpoint so Cloud Volumes ONTAP can send AutoSupport messages:

  - https://support.netapp.com/asupprod/post/1.0/postAsup

  Tip: If you're using an HA pair, the HA mediator doesn't require outbound internet access.
- Number of IP addresses

  Cloud Manager allocates the following number of IP addresses to Cloud Volumes ONTAP in GCP:

  - Single node: 3 or 4 IP addresses

    You can skip creation of the storage VM (SVM) management LIF if you deploy Cloud Volumes ONTAP using the API and specify the following flag:

    skipSvmManagementLif: true

    A LIF is an IP address associated with a physical port. A storage VM (SVM) management LIF is required for management tools like SnapCenter.

  - HA pair: 15 or 16 IP addresses

    - 8 or 9 IP addresses for VPC-0

      You can skip creation of the storage VM (SVM) management LIF if you deploy Cloud Volumes ONTAP using the API and specify the following flag:

      skipSvmManagementLif: true

    - Two IP addresses for VPC-1
    - Two IP addresses for VPC-2
    - Three IP addresses for VPC-3
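The VPC and address requirements above are easy to get wrong when the four subnets are carved out by hand. The following Python is an added example, not code from the NetApp page or from Cloud Manager: it checks a four-VPC subnet plan for an HA pair for one subnet per VPC, no overlapping CIDRs, and enough free addresses for the LIFs Cloud Manager allocates (8 or 9 in VPC-0, 2 in VPC-1, 2 in VPC-2, 3 in VPC-3). Two facts it relies on are Google's, not this page's: GCP reserves four addresses in every primary subnet range, and the smallest primary range it accepts is /29. The sample subnets in the block are constructed.

```python
"""Added example (not NetApp or Cloud Manager code): check a four-VPC subnet
plan for a Cloud Volumes ONTAP HA pair against the requirements on this page.

Checks: one subnet per VPC (GCP puts each NIC in a separate VPC), no
overlapping CIDRs, and enough free addresses for the LIFs Cloud Manager
allocates. Assumptions not on the page: GCP reserves four addresses in every
primary subnet range and the smallest primary range is /29. The sample
subnets below are constructed.
"""
import ipaddress
from itertools import combinations

# Upper bound of addresses Cloud Manager allocates per VPC for an HA pair
# (VPC-0 includes the optional SVM management LIF).
HA_IPS_PER_VPC = {"VPC-0": 9, "VPC-1": 2, "VPC-2": 2, "VPC-3": 3}

GCP_RESERVED_PER_SUBNET = 4   # network, gateway, second-to-last, broadcast
GCP_MIN_PREFIXLEN = 29        # smallest primary IPv4 range GCP accepts


def check_ha_subnet_plan(plan, ips_per_vpc=HA_IPS_PER_VPC, in_use=None):
    """plan: {"VPC-0": "10.0.0.0/24", ...}; in_use: addresses already taken
    in each subnet by other VMs. Returns a list of problems; [] means OK."""
    in_use = in_use or {}
    problems = []

    missing = sorted(set(ips_per_vpc) - set(plan))
    if missing:
        problems.append(f"no subnet given for {missing}")

    nets = {}
    for vpc, cidr in plan.items():
        try:
            # strict=True rejects host bits, e.g. 10.0.1.1/24
            nets[vpc] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{vpc}: bad CIDR {cidr!r} ({exc})")

    # Distinct VPCs must not share or overlap address space.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")

    # Capacity after GCP's reserved addresses and anything already in use.
    for vpc, net in nets.items():
        if net.prefixlen > GCP_MIN_PREFIXLEN:
            problems.append(f"{vpc} {net}: smaller than /{GCP_MIN_PREFIXLEN}")
            continue
        free = net.num_addresses - GCP_RESERVED_PER_SUBNET - in_use.get(vpc, 0)
        need = ips_per_vpc.get(vpc, 0)
        if free < need:
            problems.append(f"{vpc} {net}: {free} free addresses, need {need}")
    return problems


if __name__ == "__main__":
    # Constructed sample: VPC-2 deliberately overlaps VPC-1.
    sample = {"VPC-0": "10.0.0.0/24", "VPC-1": "10.0.1.0/29",
              "VPC-2": "10.0.1.0/28", "VPC-3": "10.0.3.0/29"}
    for problem in check_ha_subnet_plan(sample) or ["plan OK"]:
        print(problem)
```

Run it against the CIDRs you intend to hand to Cloud Manager; a non-empty result means the HA creation would either fail or land short of addresses once the LIFs are allocated.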
- Firewall rules

  You don't need to create firewall rules because Cloud Manager does that for you. If you need to use your own, refer to the firewall rules listed below.

  Note that two sets of firewall rules are required for an HA configuration:

  - One set of rules for HA components in VPC-0. These rules enable data access to Cloud Volumes ONTAP.
  - Another set of rules for HA components in VPC-1, VPC-2, and VPC-3. These rules are open for inbound and outbound communication between the HA components.
- Connection from Cloud Volumes ONTAP to Google Cloud Storage for data tiering

  If you want to tier cold data to a Google Cloud Storage bucket, the subnet in which Cloud Volumes ONTAP resides must be configured for Private Google Access (if you're using an HA pair, this is the subnet in VPC-0). For instructions, refer to Google Cloud documentation: Configuring Private Google Access.

  For additional steps required to set up data tiering in Cloud Manager, see Tiering cold data to low-cost object storage.

- Connections to ONTAP systems in other networks

  To replicate data between a Cloud Volumes ONTAP system in GCP and ONTAP systems in other networks, you must have a VPN connection between the VPC and the other network, for example your corporate network.

  For instructions, refer to Google Cloud documentation: Cloud VPN overview.
Set up your networking so that the Connector can manage resources and processes within your public cloud environment. The most important step is ensuring outbound internet access to various endpoints.

Tip: If your network uses a proxy server for all communication to the internet, you can specify the proxy server from the Settings page. Refer to Configuring the Connector to use a proxy server.
A Connector requires a network connection to the VPCs in which you want to deploy Cloud Volumes ONTAP. If you’re deploying an HA pair, then the Connector needs a connection to all four VPCs.
The Connector requires outbound internet access to manage resources and processes within your public cloud environment. A Connector contacts the following endpoints when managing resources in GCP:
While you should perform almost all tasks from the SaaS user interface, a local user interface is still available on the Connector. The machine running the web browser must have connections to the following endpoints:
Endpoints | Purpose |
---|---|
The Connector host | You must enter the host's IP address from a web browser to load the Cloud Manager console. Depending on your connectivity to your cloud provider, you can use the private IP or a public IP assigned to the host. In either case, secure network access by ensuring that firewall rules allow access only from authorized IPs or subnets. |
https://auth0.com | Your web browser connects to this endpoint for centralized user authentication through NetApp Cloud Central. |
 | For in-product chat that enables you to talk to NetApp cloud experts. |
Cloud Manager creates GCP firewall rules that include the inbound and outbound rules that Cloud Volumes ONTAP needs to operate successfully. You might want to refer to the ports for testing purposes or if you prefer to use your own firewall rules.

The firewall rules for Cloud Volumes ONTAP require both inbound and outbound rules.

If you're deploying an HA configuration, these are the firewall rules for Cloud Volumes ONTAP in VPC-0.

The source range for inbound rules in the predefined firewall rules is 0.0.0.0/0. That exposes the management ports (SSH, HTTP, HTTPS) and the data protocols listed below to any address that can route to the instance, so if you use your own rules, narrow the source ranges to the subnets of your clients and administrators.
Protocol | Port | Purpose |
---|---|---|
All ICMP | All | Pinging the instance |
HTTP | 80 | HTTP access to the System Manager web console using the IP address of the cluster management LIF |
HTTPS | 443 | HTTPS access to the System Manager web console using the IP address of the cluster management LIF |
SSH | 22 | SSH access to the IP address of the cluster management LIF or a node management LIF |
TCP | 111 | Remote procedure call for NFS |
TCP | 139 | NetBIOS service session for CIFS |
TCP | 161-162 | Simple network management protocol |
TCP | 445 | Microsoft SMB/CIFS over TCP with NetBIOS framing |
TCP | 635 | NFS mount |
TCP | 749 | Kerberos |
TCP | 2049 | NFS server daemon |
TCP | 3260 | iSCSI access through the iSCSI data LIF |
TCP | 4045 | NFS lock daemon |
TCP | 4046 | Network status monitor for NFS |
TCP | 10000 | Backup using NDMP |
TCP | 11104 | Management of intercluster communication sessions for SnapMirror |
TCP | 11105 | SnapMirror data transfer using intercluster LIFs |
TCP | 63001-63050 | Load balance probe ports to determine which node is healthy (required for HA pairs only) |
UDP | 111 | Remote procedure call for NFS |
UDP | 161-162 | Simple network management protocol |
UDP | 635 | NFS mount |
UDP | 2049 | NFS server daemon |
UDP | 4045 | NFS lock daemon |
UDP | 4046 | Network status monitor for NFS |
UDP | 4049 | NFS rquotad protocol |
The predefined firewall rules for Cloud Volumes ONTAP open all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

The predefined firewall rules for Cloud Volumes ONTAP include the following outbound rules.

Protocol | Port | Purpose |
---|---|---|
All ICMP | All | All outbound traffic |
All TCP | All | All outbound traffic |
All UDP | All | All outbound traffic |
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by Cloud Volumes ONTAP.

Note: The source is the interface (IP address) on the Cloud Volumes ONTAP system.
Service | Protocol | Port | Source | Destination | Purpose |
---|---|---|---|---|---|
Active Directory | TCP | 88 | Node management LIF | Active Directory forest | Kerberos V authentication |
 | UDP | 137 | Node management LIF | Active Directory forest | NetBIOS name service |
 | UDP | 138 | Node management LIF | Active Directory forest | NetBIOS datagram service |
 | TCP | 139 | Node management LIF | Active Directory forest | NetBIOS service session |
 | TCP & UDP | 389 | Node management LIF | Active Directory forest | LDAP |
 | TCP | 445 | Node management LIF | Active Directory forest | Microsoft SMB/CIFS over TCP with NetBIOS framing |
 | TCP | 464 | Node management LIF | Active Directory forest | Kerberos V change & set password (SET_CHANGE) |
 | UDP | 464 | Node management LIF | Active Directory forest | Kerberos key administration |
 | TCP | 749 | Node management LIF | Active Directory forest | Kerberos V change & set password (RPCSEC_GSS) |
 | TCP | 88 | Data LIF (NFS, CIFS, iSCSI) | Active Directory forest | Kerberos V authentication |
 | UDP | 137 | Data LIF (NFS, CIFS) | Active Directory forest | NetBIOS name service |
 | UDP | 138 | Data LIF (NFS, CIFS) | Active Directory forest | NetBIOS datagram service |
 | TCP | 139 | Data LIF (NFS, CIFS) | Active Directory forest | NetBIOS service session |
 | TCP & UDP | 389 | Data LIF (NFS, CIFS) | Active Directory forest | LDAP |
 | TCP | 445 | Data LIF (NFS, CIFS) | Active Directory forest | Microsoft SMB/CIFS over TCP with NetBIOS framing |
 | TCP | 464 | Data LIF (NFS, CIFS) | Active Directory forest | Kerberos V change & set password (SET_CHANGE) |
 | UDP | 464 | Data LIF (NFS, CIFS) | Active Directory forest | Kerberos key administration |
 | TCP | 749 | Data LIF (NFS, CIFS) | Active Directory forest | Kerberos V change & set password (RPCSEC_GSS) |
Cluster | All traffic | All traffic | All LIFs on one node | All LIFs on the other node | Intercluster communications (Cloud Volumes ONTAP HA only) |
 | TCP | 3000 | Node management LIF | HA mediator | ZAPI calls (Cloud Volumes ONTAP HA only) |
 | ICMP | 1 | Node management LIF | HA mediator | Keep alive (Cloud Volumes ONTAP HA only) |
DHCP | UDP | 68 | Node management LIF | DHCP | DHCP client for first-time setup |
DHCPS | UDP | 67 | Node management LIF | DHCP | DHCP server |
DNS | UDP | 53 | Node management LIF and data LIF (NFS, CIFS) | DNS | DNS |
NDMP | TCP | 18600-18699 | Node management LIF | Destination servers | NDMP copy |
SMTP | TCP | 25 | Node management LIF | Mail server | SMTP alerts, can be used for AutoSupport |
SNMP | TCP | 161 | Node management LIF | Monitor server | Monitoring by SNMP traps |
 | UDP | 161 | Node management LIF | Monitor server | Monitoring by SNMP traps |
 | TCP | 162 | Node management LIF | Monitor server | Monitoring by SNMP traps |
 | UDP | 162 | Node management LIF | Monitor server | Monitoring by SNMP traps |
SnapMirror | TCP | 11104 | Intercluster LIF | ONTAP intercluster LIFs | Management of intercluster communication sessions for SnapMirror |
 | TCP | 11105 | Intercluster LIF | ONTAP intercluster LIFs | SnapMirror data transfer |
Syslog | UDP | 514 | Node management LIF | Syslog server | Syslog forward messages |
In GCP, an HA configuration is deployed across four VPCs. The firewall rules needed for the HA configuration in VPC-0 are listed above for Cloud Volumes ONTAP.

Meanwhile, the predefined firewall policy that Cloud Manager creates for instances in VPC-1, VPC-2, and VPC-3 enables ingress communication over all protocols and ports. These rules enable communication between the HA nodes and the HA mediator. Because those rules are that broad, keep the VPC-1, VPC-2, and VPC-3 subnets dedicated to the HA nodes and the mediator rather than sharing them with other workloads.
The firewall rules for the Connector require both inbound and outbound rules.

Protocol | Port | Purpose |
---|---|---|
SSH | 22 | Provides SSH access to the Connector host |
HTTP | 80 | Provides HTTP access from client web browsers to the local user interface |
HTTPS | 443 | Provides HTTPS access from client web browsers to the local user interface |
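Both inbound tables on this page (the Connector table here and the Cloud Volumes ONTAP table earlier) list ports that the predefined rules open from 0.0.0.0/0, which the page itself says should be limited to authorized IPs or subnets. The Python below is an added example, not NetApp or Cloud Manager code: it reads firewall rules in the shape of the Compute Engine firewall resource (what `gcloud compute firewall-rules list --format=json` prints) and reports every enabled ingress rule that allows one of those sensitive ports from a source range outside a trusted list. The trusted list is an assumption (RFC 1918 plus Google's IAP TCP-forwarding range 35.235.240.0/20); the embedded rule set is constructed sample data with invented rule names.

```python
"""Added example (not NetApp or Cloud Manager code): find GCP ingress firewall
rules that expose Connector / Cloud Volumes ONTAP ports to untrusted sources.

Input shape is the Compute Engine firewall resource, as printed by
`gcloud compute firewall-rules list --format=json`. SAMPLE_RULES_JSON is a
constructed rule set with invented names. Trusted sources are the RFC 1918
ranges plus Google's IAP TCP-forwarding range (35.235.240.0/20); adjust to
your environment.
"""
import ipaddress
import json

# Inbound ports from this page that should not be open to the whole internet.
SENSITIVE_PORTS = {
    22: "SSH", 80: "HTTP (System Manager / Connector UI)",
    443: "HTTPS (System Manager / Connector UI)", 445: "SMB/CIFS",
    2049: "NFS", 3260: "iSCSI", 10000: "NDMP",
}

TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "35.235.240.0/20")]

SAMPLE_RULES_JSON = r'''[
 {"name": "cvo-inbound-all", "direction": "INGRESS", "priority": 1000,
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "80", "443", "111", "2049", "3260"]},
              {"IPProtocol": "udp", "ports": ["111", "2049"]},
              {"IPProtocol": "icmp"}]},
 {"name": "connector-ui", "direction": "INGRESS", "priority": 900,
  "sourceRanges": ["10.20.0.0/16"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "80", "443"]}]},
 {"name": "ha-internal-all", "direction": "INGRESS", "priority": 1000,
  "sourceRanges": ["10.0.1.0/24"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "old-open-rule", "direction": "INGRESS", "priority": 1000,
  "disabled": true, "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]},
 {"name": "cvo-egress", "direction": "EGRESS", "priority": 1000,
  "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]'''


def port_spec_covers(spec, port):
    """GCP port specs are '22' or '63001-63050'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def is_trusted_source(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    try:
        return any(net.subnet_of(t) for t in TRUSTED_SOURCES)
    except TypeError:       # IPv6 source checked against an IPv4 trusted list
        return False


def audit_ingress(rules):
    """Return (rule name, protocol, port, reason) for each enabled INGRESS rule
    that allows a sensitive port from a source range outside TRUSTED_SOURCES."""
    findings = []
    for rule in rules:
        # The API default for direction is INGRESS; disabled rules do nothing.
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        untrusted = [s for s in rule.get("sourceRanges", []) if not is_trusted_source(s)]
        if not untrusted:
            continue
        for entry in rule.get("allowed", []):
            proto = entry["IPProtocol"].lower()
            if proto not in ("tcp", "udp", "all"):
                continue
            specs = entry.get("ports") or ["0-65535"]   # no ports listed = every port
            for port, label in SENSITIVE_PORTS.items():
                if any(port_spec_covers(s, port) for s in specs):
                    findings.append((rule["name"], proto, port,
                                     f"{label} reachable from {','.join(untrusted)}"))
    return findings


def audit_ingress_json(text=SAMPLE_RULES_JSON):
    return audit_ingress(json.loads(text))


if __name__ == "__main__":
    for name, proto, port, reason in audit_ingress_json():
        print(f"{name}: {proto}/{port}: {reason}")
```

Feed it the real output of `gcloud compute firewall-rules list --format=json` for the VPC that holds the Connector and VPC-0; the rules Cloud Manager creates will show up until you replace their source ranges with your own.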
The predefined firewall rules for the Connector open all outbound traffic. If that is acceptable, follow the basic outbound rules. If you need more rigid rules, use the advanced outbound rules.

The predefined firewall rules for the Connector include the following outbound rules.

Protocol | Port | Purpose |
---|---|---|
All TCP | All | All outbound traffic |
All UDP | All | All outbound traffic |
If you need rigid rules for outbound traffic, you can use the following information to open only those ports that are required for outbound communication by the Connector.

Note: The source IP address is the Connector host.
Service | Protocol | Port | Destination | Purpose |
---|---|---|---|---|
Active Directory | TCP | 88 | Active Directory forest | Kerberos V authentication |
 | TCP | 139 | Active Directory forest | NetBIOS service session |
 | TCP | 389 | Active Directory forest | LDAP |
 | TCP | 445 | Active Directory forest | Microsoft SMB/CIFS over TCP with NetBIOS framing |
 | TCP | 464 | Active Directory forest | Kerberos V change & set password (SET_CHANGE) |
 | TCP | 749 | Active Directory forest | Active Directory Kerberos V change & set password (RPCSEC_GSS) |
 | UDP | 137 | Active Directory forest | NetBIOS name service |
 | UDP | 138 | Active Directory forest | NetBIOS datagram service |
 | UDP | 464 | Active Directory forest | Kerberos key administration |
API calls and AutoSupport | HTTPS | 443 | Outbound internet and ONTAP cluster management LIF | API calls to GCP and ONTAP, and sending AutoSupport messages to NetApp |
API calls | TCP | 3000 | ONTAP cluster management LIF | API calls to ONTAP |
DNS | UDP | 53 | DNS | DNS resolution by Cloud Manager |
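GCP's implied rules allow all egress, so the "advanced outbound rules" on this page (the Connector table above and the Cloud Volumes ONTAP table earlier) only restrict anything if you also add an explicit deny-all egress rule at lower precedence than the allows. The Python below is an added example, not NetApp or Cloud Manager code: it encodes the Connector table as data and emits the `gcloud compute firewall-rules create` commands for that allow-plus-deny pattern, returned as strings rather than executed. The VPC network name, the Connector's service account, and the destination CIDRs standing in for the Active Directory forest, the DNS servers and the cluster management LIF are placeholders. The same function covers the Cloud Volumes ONTAP table if you substitute its rows and target the Cloud Volumes ONTAP instances instead.

```python
"""Added example (not NetApp or Cloud Manager code): render the Connector's
advanced outbound table as an explicit GCP egress allowlist plus a deny-all.

GCP's implied rules allow all egress, so without the final DENY rule the
allows below change nothing. Placeholders (assumptions, not from the page):
the VPC network name, the Connector's service account, and the destination
CIDRs that stand in for the AD forest, DNS servers and the cluster
management LIF. The commands are returned as strings, not executed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed destination ranges; replace with your own.
AD_FOREST = "10.50.0.0/24"      # domain controllers
DNS_SERVERS = "10.50.1.0/28"    # resolvers the Connector uses
CVO_MGMT = "10.0.0.0/24"        # subnet holding the cluster management LIF
INTERNET = "0.0.0.0/0"          # GCP APIs and NetApp AutoSupport


@dataclass(frozen=True)
class EgressRule:
    service: str            # label used in the rule name
    protocol: str           # "tcp" or "udp"
    ports: Tuple[str, ...]  # port numbers or ranges, e.g. ("18600-18699",)
    destination: str        # destination CIDR


# The Connector advanced outbound table, row for row.
CONNECTOR_EGRESS: List[EgressRule] = [
    EgressRule("ad", "tcp", ("88", "139", "389", "445", "464", "749"), AD_FOREST),
    EgressRule("ad", "udp", ("137", "138", "464"), AD_FOREST),
    EgressRule("api-asup", "tcp", ("443",), INTERNET),
    EgressRule("ontap-api", "tcp", ("443", "3000"), CVO_MGMT),
    EgressRule("dns", "udp", ("53",), DNS_SERVERS),
]


def gcloud_rules_arg(rule: EgressRule) -> str:
    """gcloud wants PROTOCOL:PORT per list element, e.g. tcp:88,tcp:139."""
    return ",".join(f"{rule.protocol}:{p}" for p in rule.ports)


def build_egress_policy(rules, network, target_sa,
                        allow_priority=1000, deny_priority=65000):
    """Return gcloud commands: one ALLOW per table row and one DENY-all.

    Lower priority numbers win in GCP, so the deny must carry a larger
    number than every allow or it would silently black-hole the Connector.
    """
    if not 0 <= allow_priority < deny_priority <= 65535:
        raise ValueError("need 0 <= allow_priority < deny_priority <= 65535")
    common = (f" --network={network} --direction=EGRESS"
              f" --target-service-accounts={target_sa}")
    cmds = []
    for i, r in enumerate(rules):
        cmds.append(
            f"gcloud compute firewall-rules create connector-egress-{r.service}-{r.protocol}-{i}"
            f"{common} --action=ALLOW --rules={gcloud_rules_arg(r)}"
            f" --destination-ranges={r.destination} --priority={allow_priority}")
    # Final catch-all: everything not allowed above is dropped.
    cmds.append(
        f"gcloud compute firewall-rules create connector-egress-deny-all"
        f"{common} --action=DENY --rules=all --destination-ranges=0.0.0.0/0"
        f" --priority={deny_priority}")
    return cmds


if __name__ == "__main__":
    for cmd in build_egress_policy(CONNECTOR_EGRESS, "cvo-vpc-0",
                                   "connector@my-project.iam.gserviceaccount.com"):
        print(cmd)
```

Two things to keep in mind when applying the output: traffic to the GCP metadata server is allowed regardless of egress rules, so the Connector keeps its instance credentials, and the `tcp:443` allow to `0.0.0.0/0` is what carries both the GCP API calls and AutoSupport; if you tighten that destination, the endpoints listed earlier on this page still have to remain reachable.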