Table of ContentsView in Frames

AWS networking requirements for ONTAP Cloud

You must set up your AWS networking so that ONTAP Cloud can operate properly.

Requirement Description
Internet access to send AutoSupport messages and to access an S3 bucket for upgrades ONTAP Cloud needs outbound Internet access to do the following:
  • Communicate with NetApp AutoSupport, which is a troubleshooting tool that proactively monitors the health of your system and automatically sends messages to NetApp technical support
  • Access a NetApp-managed S3 bucket to obtain the latest software image when users upgrade ONTAP Cloud software directly from Cloud Manager

Because ONTAP Cloud is most likely running in a private subnet, you can use a NAT device, VPN, or proxy server (in your network or in AWS) to enable Internet access. If you have a proxy, you must configure Cloud Manager to use it. You can do so when using the Cloud Manager Setup wizard.

Note the following about providing Internet access for AutoSupport:

  • For a NAT instance, you must define an inbound security group rule that allows HTTPS traffic from the private subnet to the Internet.

    AWS Documentation: NAT Instances

  • For VPN configurations, routing and firewall policies must allow AWS HTTP/HTTPS traffic to
A security group with the required rules When you launch ONTAP Cloud instances from Cloud Manager, you can select a predefined security group that includes the required rules. It is best to use that predefined security group, but if you need to use your own, it must include the required inbound and outbound rules.

AWS Documentation: Security Groups for Your VPC

Connection to key managers If you want to use the ONTAP Cloud data encryption feature, ONTAP Cloud instances must have a connection to one or more key managers that are either in AWS or in your network.

If the key managers are in AWS, make sure that there is a route to the subnet in which you deploy ONTAP Cloud instances.

If the key managers are in your network, a VPN connection provides a route to the subnets in a VPC.

Ways to encrypt ONTAP Cloud data

DNS and Active Directory for CIFS If you want to provision CIFS storage, you must set up DNS and Active Directory in AWS or extend your on-premises setup to AWS.

The DNS server must provide name resolution services for the Active Directory environment. You can configure DHCP option sets to use the default EC2 DNS server, which must not be the DNS server used by the Active Directory environment.

AWS: Active Directory Domain Services on the AWS Cloud Quick Start Reference Deployment

Security group rules for ONTAP Cloud

Inbound rules

Note: The source for inbound rules is
Type Port range Used for
All ICMP All Pinging the instance
Custom TCP Rule 111 Portmapper
Custom TCP Rule 139 NetBIOS
Custom TCP Rule 161-162 SNMP
Custom TCP Rule 445 Microsoft SMB
Custom TCP Rule 635 NFS mount
Custom TCP Rule 749 Kerberos
Custom TCP Rule 2049 NFS
Custom TCP Rule 3260 iSCSI
Custom TCP Rule 4045-4046 NFS mountd
Custom TCP Rule 10000 NDMP
Custom TCP Rule 11104-11105 Intercluster management and data
Custom UDP Rule 111 Portmapper
Custom UDP Rule 161-162 SNMP
Custom UDP Rule 635 NFS mount
Custom UDP Rule 2049 NFS
Custom UDP Rule 4045-4046 NFS mountd
HTTP 80 System Manager access
HTTPS 443 System Manager access
SSH 22 SSH to the CLI

Outbound rules

Type Port range Used for
All ICMP All All outbound traffic (SnapMirror and SnapVault)
All TCP All All outbound traffic
All UDP All All outbound traffic