This section lists the prerequisites for the Azure Native Qumulo Scalable File Service, describes the components of virtual networking for the service, explains how to configure them, and provides virtual networking best practices.
The underlying storage of the service resides in Qumulo’s Azure tenant. This storage system connects to your Azure subscription by using VNet injection, a process that establishes a direct connection between your resources and the service resources without using VNet peering. You can use VNet injection to apply routing and security policies to your service endpoints.
To create endpoints for accessing the Azure Native Qumulo Scalable File Service, Qumulo creates network interfaces (NICs) and inserts them into your subnet. To allow VNet injection to operate correctly, you must create and configure a new subnet within your virtual network.
Prerequisites for Configuring Virtual Networking
This section explains the prerequisites for configuring virtual networking for the Azure Native Qumulo Scalable File Service.
Owner and Contributor Roles
The service requires an Owner or Contributor role with access to your Azure subscription.
A custom role must have write permissions to the resource groups in which you create your delegated subnet and service.
A Dedicated Subnet
The service requires a dedicated subnet.
- Your subnet address range should be at least
/24(it should contain at least 256 IP addresses, including 251 free IP addresses and 5 IP addresses reserved for Azure.) - Your subnet must be in the same region as the service.
To Create a Dedicated Subnet
-
Identify the region in which you want to subscribe to the service.
-
In the region, create a new virtual network or select an existing virtual network.
-
In your virtual network, create a new subnet. Use the default configuration or update the subnet network configuration based on your network policy.
-
Delegate the newly created subnet to
Qumulo.Storage/fileSystems.
Load-Balanced Endpoints
Every endpoint created for the service appears as a NIC, with an IP address that you can use to access the service. To hold these endpoints, Qumulo creates a manage resource group under your Azure subscription. To view links to your managed resource group and NICs, see the Portal view of your Qumulo.Storage/fileSystems resource.
Qumulo provisions multiple endpoints to allow access to the service. To avoid the bandwidth limits of individual endpoints, use round-robin DNS to distribute your workload traffic across the endpoints available to you.
Configuring Virtual Networking
This section explains how to configure virtual networking for the Azure Native Qumulo Scalable File Service.
To enforce network policies for traffic to and from the service, you can apply network security groups and route tables to a delegated subnet.
Configuring Network Security Groups
Network security groups let administrators enforce networking traffic rules. You can assign network security groups to individual NICs or to entire subnets. Because it is possible to create or remove NICs from the, we recommend assigning security groups to a delegated subnet.
To ensure that your configuration doesn’t block a specific protocol, see Required Networking Ports for Qumulo Core.
Configuring Route Tables
To configure explicit traffic routing to and from the service, use an Azure route table. Before you can configure your route table, you must attach it to a delegated subnet.
Common configuration scenarios for a route table include routing service traffic:
- Through a firewall
- Through a gateway appliance
- Across multiple virtual network peering configurations
Configuring Back-End and Front-End Networking
The platform uses a split-networking configuration in which different NICs handle back-end and front-end traffic. Changes that impact one traffic type have no impact on the other traffic type. In this way, split networking lets you configure firewalls and security groups without having to consider back-end connectivity requirements.