This section lists the prerequisites for Azure Native Qumulo (ANQ), describes the components of virtual networking for the service, explains how to configure them, and provides virtual networking best practices.

How Qumulo Manages Virtual Networking for Azure Native Qumulo

When you create an ANQ instance, Qumulo manages the underlying storage and compute resources for the service. These resources reside within Qumulo’s Azure tenant.

The ANQ instance connects to your Azure subscription by using VNet injection, an Azure-specific networking technology that establishes an automatic, direct connection between your resources and service resources without complicated manual configuration or VNet peering.

VNet injection lets you:

  • Apply routing and security policies to your ANQ service endpoints by using the Azure Portal, CLI, and API.

  • Create endpoints that allow access to ANQ by inserting special network interfaces into your subnet. This process binds these network interfaces directly to the compute resources of your ANQ instance.

When you create your ANQ instance, the Azure Portal guides you to create an appropriate subnet configuration in your virtual network. Then, VNet injection delegates privileges to Qumulo by communicating with the subnet.

Prerequisites for Configuring Virtual Networking

This section explains the prerequisites for configuring virtual networking for ANQ, such as creating roles, configuring dedicated subnets, and load-balancing endpoints.

Creating Owner and Contributor Roles

The service requires an owner or contributor role with access to your Azure subscription.

Creating A Dedicated Subnet

The service requires a dedicated subnet.

To Create a Dedicated Subnet Automatically

We recommend using the Azure Portal’s automatic subnet creation and configuration functionality.

  1. Create your ANQ instance. For detailed instructions, see Deploying and Viewing Information about Your Azure Native Qumulo Instance.

  2. In the Azure Portal, click Manage Subnet Configuration.

  3. When prompted, enter an IP address range for your subnet.

The Azure Portal configures your subnet and the required delegation for VNet injection automatically.

To Create a Dedicated Subnet Manually

To apply a specific subnet configuration, you can first create a subnet and then select it when you create your ANQ instance.

  1. Identify the region in which you want to subscribe to ANQ.

  2. In the region, create a new virtual network or select an existing virtual network.

  3. In your virtual network, create a new subnet.

    Use the default configuration or update the subnet network configuration based on your network policy.

  4. Delegate the newly created subnet to Qumulo.Storage/fileSystems.

Load-Balancing ANQ Endpoints

Qumulo provisions multiple endpoints to allow access to ANQ. Every endpoint appears in the Azure Portal as a network interface with an IP address. Qumulo creates a managed resource group under your subscription for these endpoints.

To avoid the bandwidth limits of individual endpoints, use round-robin DNS to distribute your workload traffic across your endpoints.

Configuring Virtual Networking

This section provides an overview of configuring virtual networking for ANQ, including configuration of network security groups, route tables, and back- and front-end networking.

Configuring Network Security Groups

Network security groups let administrators enforce networking traffic rules. You can assign network security groups to individual network interfaces or to entire subnets.

To ensure that your configuration doesn’t block a specific protocol, follow the guidance in Required Networking Ports for Qumulo Core.

Configuring Route Tables

To configure explicit traffic routing to and from the service, you must attach an Azure route table to a delegated subnet, and then configure your route table.

Common configuration scenarios include routing service traffic:

  • Through a firewall
  • Through a gateway appliance
  • Across multiple virtual network peering configurations

Configuring Back-End and Front-End Networking

The ANQ service uses a split-networking configuration in which different network interfaces handle back-end and front-end traffic.

Because it isn’t possible to access the back-end network configuration or affect back-end traffic within your ANQ instance, you can configure firewalls and security groups within your virtual network without having to consider back-end connectivity requirements.