This section lists the prerequisites for Azure Native Qumulo (ANQ), describes the components of virtual networking for the service, explains how to configure them, and provides virtual networking best practices.
How Qumulo Manages Virtual Networking for Azure Native Qumulo
When you create an ANQ instance, Qumulo manages the underlying storage and compute resources for the service. These resources reside within Qumulo’s Azure tenant.
The ANQ instance connects to your Azure subscription by using VNet injection, an Azure-specific networking technology that establishes an automatic, direct connection between your resources and service resources without complicated manual configuration or VNet peering.
VNet injection lets you:
-
Apply routing and security policies to your ANQ service endpoints by using the Azure Portal, CLI, and API.
-
Create endpoints that allow access to ANQ by inserting special network interfaces into your subnet. This process binds these network interfaces directly to the compute resources of your ANQ instance.
When you create your ANQ instance, the Azure Portal guides you to create an appropriate subnet configuration in your virtual network. Then, VNet injection delegates privileges to Qumulo by communicating with the subnet.
Prerequisites for Configuring Virtual Networking
This section explains the prerequisites for configuring virtual networking for ANQ, such as creating roles, configuring dedicated subnets, and load-balancing endpoints.
Creating Owner and Contributor Roles
The service requires an owner or contributor role with access to your Azure subscription.
A custom role must have write permissions to the resource groups in which you create your delegated subnet and service.
Creating A Dedicated Subnet
The service requires a dedicated subnet.
- Your subnet address range should be at least
/24(it should contain at least 256 IP addresses, including 251 free IP addresses and 5 IP addresses reserved for Azure.) - Your subnet must be in the same region as the ANQ file system.
To Create a Dedicated Subnet Automatically
We recommend using the Azure Portal’s automatic subnet creation and configuration functionality.
-
Create your ANQ instance. For detailed instructions, see Deploying and Viewing Information about Your Azure Native Qumulo Instance.
-
In the Azure Portal, click Manage Subnet Configuration.
-
When prompted, enter an IP address range for your subnet.
The Azure Portal configures your subnet and the required delegation for VNet injection automatically.
To Create a Dedicated Subnet Manually
To apply a specific subnet configuration, you can first create a subnet and then select it when you create your ANQ instance.
-
Identify the region in which you want to subscribe to ANQ.
-
In the region, create a new virtual network or select an existing virtual network.
-
In your virtual network, create a new subnet.
Use the default configuration or update the subnet network configuration based on your network policy.
-
Delegate the newly created subnet to
Qumulo.Storage/fileSystems.
Load-Balancing ANQ Endpoints
Qumulo provisions multiple endpoints to allow access to ANQ. Every endpoint appears in the Azure Portal as a network interface with an IP address. Qumulo creates a managed resource group under your subscription for these endpoints.
To view links to your managed resource groups and network interfaces, use the Portal view of your
Qumulo.Storage/fileSystems resource.To avoid the bandwidth limits of individual endpoints, use round-robin DNS to distribute your workload traffic across your endpoints.
Configuring Virtual Networking
This section provides an overview of configuring virtual networking for ANQ, including configuration of network security groups, route tables, and back- and front-end networking.
To enforce network policies for traffic to and from the service, you can apply network security groups and route tables to a delegated subnet.
Configuring Network Security Groups
Network security groups let administrators enforce networking traffic rules. You can assign network security groups to individual network interfaces or to entire subnets.
Because it is possible to create or remove network interfaces from an ANQ instance, we recommend assigning security groups to a delegated subnet.
To ensure that your configuration doesn’t block a specific protocol, follow the guidance in Required Networking Ports for Qumulo Core.
Configuring Route Tables
To configure explicit traffic routing to and from the service, you must attach an Azure route table to a delegated subnet, and then configure your route table.
Common configuration scenarios include routing service traffic:
- Through a firewall
- Through a gateway appliance
- Across multiple virtual network peering configurations
Configuring Back-End and Front-End Networking
The ANQ service uses a split-networking configuration in which different network interfaces handle back-end and front-end traffic.
Because it isn’t possible to access the back-end network configuration or affect back-end traffic within your ANQ instance, you can configure firewalls and security groups within your virtual network without having to consider back-end connectivity requirements.