Networking Deployment Overview, Cloud Provider IP Ranges, Proxy Configuration

• Overview
• PowerScale Networking Options
• S3 Target IP ranges that must be reachable to the Golden Copy Virtual Nodes
• Networking Options on Golden Copy
• Firewall Requirements
• Deployment Networking Diagram
• Proxy Configuration to Reach Internet Cloud Providers
• Variable Definitions
• Example of AWS Proxy configuration
• Disk Space Management
• Phone Home Proxy Configuration

Overview

This section provides information on how the Golden Copy VM must be configured for access to PowerScale, how files are copied to Internet S3 targets, and options that exist to configure.

PowerScale Networking Options

S3 Target IP ranges that must be reachable to the Golden Copy Virtual Nodes

If you control outbound connections, each Golden copy node will require a firewall rule providing access to the Storage services for Cloud providers.

1. AWS:
   1. If you need to secure outbound access to a range of ip addresses, you can follow AWS documents here:
      1. Range of IP's by service type https://ip-ranges.amazonaws.com/ip-ranges.json  follow guide here to firewall ports needed for your region https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html 
2. Azure:
   1.  Download the IP range json file from here .
   2. Search the file for the word "AzureStorage". Locate your region to get a specific list of IP addresses that must be accessible to whitelist to the PowerScale nodes that will copy files.

Networking Options on Golden Copy

Rate limiting feature on each folder or global default can be configured within Golden Copy.  See the Configuration section for details on adding a folder with a rate limit applied.

1. Default networking:
   1. Golden Copy VM's require access to ip addresses of PowerScale nodes within the System Zone over NFS and REST API port 8080.
   2. File copy traffic will use the default route table on Golden Copy virtual nodes to reach the Internet S3 targets.

Firewall Requirements

Deployment Networking Diagram

Proxy Configuration to Reach Internet Cloud Providers

1. If transparent source IP NAT is not available to reach Internet storage providers, Golden Copy supports proxy access through standard proxy devices.  Follow the steps below to enable proxy copy configuration.
   1. NOTE:  if using AWS or any S3 compliant target devices use the AWS proxy configuration steps.
2. login to Golden Copy VM as ecaadmin over ssh
3. nano /opt/superna/eca/eca-env-common.conf
4. Add the variables defined below to configure a proxy target.  Then restart the Golden copy software.
   1. example variable to add and then save the file with control+x key and answer yes
   2. export AWS_PROXY_HOST=x.x.x.x
   3. export AWS_PROXY_PORT=xxxx   
   4. export AWS_PROXY_PROTOCOL=https 
5. ecactl cluster down
6. ecactl cluster up

Variable Definitions

Example of AWS Proxy configuration

Disk Space Management

1. The appliance comes with a 400G disk to store queued data to copy and reporting data on jobs.  This space may need to be increased under the following conditions:
   1. The reporting records are unique per folder, folder counts over 25 may need to add disk space on all nodes.  Suggested increments of 100GB per 25 folders.
   2. If rate limiting is applied to the WAN copy,  the space consumed by queued file records can also increase age beyond the 400GB default.
   3. If exports of job summaries are run and stored on the appliance additional space may need to be added.
   4. If the error the rate is high, this will consume space until the issue is resolved.
   5. Multiple full archive jobs 

Phone Home Proxy Configuration

1. To allow the phone home service to use a proxy, the operating system proxy needs to be used.  Follow these steps here that also applies to  Golden Copy VM.
2. Open Suse OS proxy configuration guide