Skip to main content
NetApp Knowledgebase

Can the configuration of AWS External Security Groups for CVO be changed?

  1. Last updated
  2. Save as PDF
Views:
52
Visibility:
Public
Votes:
0
Category:
cloud-manager
Specialty:
cloud
Last Updated:

Applies to

  • Cloud Volumes ONTAP (CVO)
  • Amazon Web Services (AWS)
  • Cloud Manager
  • Internal and External Security Group configuration
 

Answer

Cloud Manager creates AWS security groups that include the inbound and outbound rules that Cloud Manager and Cloud Volumes ONTAP need to operate successfully.

You can create your own rules or edit the predefined ones if required. 
 
For example, the predefined external security group for the Cloud Volumes ONTAP HA mediator includes 2 Inbound Rules allowing SSH access (port 22) as as well as TCP port 3000 for RESTful API access from Cloud Manager. By default those two rules allow all IPs to connect (source is 0.0.0.0/0)
 
You can restrict the source IPs for those rules if needed, for example:
SSH port 22 - allow only trusted Public IPs or disable SSH access from outside of the network
TCP port 3000 - allow only Cloud Manager IP
 
Please refer to the Cloud Manager - Security group rules for AWS documentation for more information regarding necessary ports and protocols for each instance. 

Additional Information

See also: https://kb.netapp.com/@api/deki/files/82755/1080795_-_Troubleshooting%3A_Cloud_Volumes_ONTAP_HA%3A_Mediator_Security_Group.pdf (needs to be migrated first)