You must set up your AWS networking so that ONTAP Cloud can operate properly.

Requirement | Description |
---|---|
Internet access to send AutoSupport messages and to access an S3 bucket for upgrades | ONTAP Cloud needs outbound Internet access to do the following: Because ONTAP Cloud is most likely running in a private subnet, you can use a NAT device, VPN, or proxy server (in your network or in AWS) to enable Internet access. If you have a proxy, you must configure Cloud Manager to use it. You can do so when using the Cloud Manager Setup wizard. Note the following about providing Internet access for AutoSupport: |
A security group with the required rules | When you launch ONTAP Cloud instances from Cloud Manager, you can select a predefined security group that includes the required rules. It is best to use that predefined security group, but if you need to use your own, it must include the required inbound and outbound rules. |
Connection to key managers | If you want to use the ONTAP Cloud data encryption feature, ONTAP Cloud instances must have a connection to one or more key managers that are either in AWS or in your network. If the key managers are in AWS, make sure that there is a route to the subnet in which you deploy ONTAP Cloud instances. If the key managers are in your network, a VPN connection provides a route to the subnets in a VPC. |
DNS and Active Directory for CIFS | If you want to provision CIFS storage, you must set up DNS and Active Directory in AWS or extend your on-premises setup to AWS. The DNS server must provide name resolution services for the Active Directory environment. You can configure DHCP option sets to use the default EC2 DNS server, which must not be the DNS server used by the Active Directory environment. For more information, see AWS: Active Directory Domain Services on the AWS Cloud Quick Start Reference Deployment. |

Inbound rules

Type | Port range | Used for |
---|---|---|
All ICMP | All | Pinging the instance |
Custom TCP Rule | 111 | Portmapper |
Custom TCP Rule | 139 | NetBIOS |
Custom TCP Rule | 161-162 | SNMP |
Custom TCP Rule | 445 | Microsoft SMB |
Custom TCP Rule | 635 | NFS mount |
Custom TCP Rule | 749 | Kerberos |
Custom TCP Rule | 2049 | NFS |
Custom TCP Rule | 3260 | iSCSI |
Custom TCP Rule | 4045-4046 | NFS mountd |
Custom TCP Rule | 10000 | NDMP |
Custom TCP Rule | 11104-11105 | Intercluster management and data |
Custom UDP Rule | 111 | Portmapper |
Custom UDP Rule | 161-162 | SNMP |
Custom UDP Rule | 635 | NFS mount |
Custom UDP Rule | 2049 | NFS |
Custom UDP Rule | 4045-4046 | NFS mountd |
HTTP | 80 | System Manager access |
HTTPS | 443 | System Manager access |
SSH | 22 | SSH to the CLI |

Outbound rules

Type | Port range | Used for |
---|---|---|
All ICMP | All | All outbound traffic (SnapMirror and SnapVault) |
All TCP | All | All outbound traffic |
All UDP | All | All outbound traffic |
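
If you use your own security group instead of the predefined one, you can check it against the inbound table above before deploying. The following is an added example, not part of the original documentation or of Cloud Manager: it takes inbound rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups` and lists the required rules that are not covered. The function names and the sample group are constructed for illustration.

```python
# Required inbound rules, transcribed from the "Inbound rules" table on this page.
REQUIRED = {
    "tcp": [(22, 22), (80, 80), (111, 111), (139, 139), (161, 162), (443, 443),
            (445, 445), (635, 635), (749, 749), (2049, 2049), (3260, 3260),
            (4045, 4046), (10000, 10000), (11104, 11105)],
    "udp": [(111, 111), (161, 162), (635, 635), (2049, 2049), (4045, 4046)],
}

def open_ranges(ip_permissions, proto):
    """Port ranges the rule list opens for one protocol ("-1" means all traffic)."""
    ranges = []
    for perm in ip_permissions:
        if perm["IpProtocol"] == "-1":
            ranges.append((0, 65535))
        elif perm["IpProtocol"] == proto:
            ranges.append((perm["FromPort"], perm["ToPort"]))
    return ranges

def covered(lo, hi, ranges):
    """True if every port in lo..hi falls inside the union of ranges."""
    nxt = lo
    for a, b in sorted(ranges):
        if a > nxt:
            break
        nxt = max(nxt, b + 1)
    return nxt > hi

def missing_inbound(ip_permissions):
    """Return the required rules (as "proto/ports") that the group does not allow."""
    missing = []
    for proto, needs in REQUIRED.items():
        ranges = open_ranges(ip_permissions, proto)
        for lo, hi in needs:
            if not covered(lo, hi, ranges):
                missing.append(f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}")
    # "All ICMP": AWS encodes all ICMP types and codes as FromPort = ToPort = -1.
    if not any(p["IpProtocol"] == "-1" or
               (p["IpProtocol"] == "icmp" and p.get("FromPort") == -1) for p in ip_permissions):
        missing.append("icmp/all")
    return missing

# Constructed sample: a custom group that omits iSCSI, UDP port 4046, and ICMP.
SAMPLE = [{"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi}
          for lo, hi in REQUIRED["tcp"] if lo != 3260]
SAMPLE += [{"IpProtocol": "udp", "FromPort": lo, "ToPort": min(hi, 4045)}
           for lo, hi in REQUIRED["udp"]]

if __name__ == "__main__":
    print(missing_inbound(SAMPLE))
```

The check only looks at protocol and port coverage; it does not evaluate which source addresses each rule admits.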