Storage
Mobility
Protection
Analysis and control
TOPICShare
No matter how you use your data, BlueXP can help you take control of it, providing a unified way to manage your entire data estate, whether it’s entirely on-premises or spread across hybrid environments that use different clouds. But BlueXP also gives you a choice for the level of connectivity your deployment has with the internet, making it adaptable to different enterprise security requirements.
This blog will introduce the three BlueXP deployment options—Standard, Restricted, and Private—providing an in-depth analysis and comparison so you can choose the mode that best suits your organizational needs.
Read on or jump down using the links below:
- No Two Deployments Are the Same
- BlueXP Deployment Modes: Standard, Restricted, Private
- Deployment Mode Comparison Charts
- Which Is Right For You?
No Two Deployments Are the Same
Organizations aren’t all the same. Standard operating procedure in one business segment just isn’t possible in another. These differences come down to the nature of the business being conducted: your big box retail giant has a completely different set of objectives than a major military contractor.
Many of these objectives are reflected in differing levels of adherence to security, privacy, and regulations. That has a large impact on what level of cloud computing it’s possible for those industries to adopt.
For instance, Amazon developed the software that would grow into the cloud largely to support its own e-commerce business, so it’s no coincidence that many of the companies that have embraced the cloud-first and cloud-only approaches are similar online retailers. The security requirements for these companies are mostly focused on protecting customer data and private information, something that the cloud poses no major obstacles to achieving.
Contrast that ease of adoption with the case of governmental organizations. After long being hesitant about migration, government agencies are finally beginning to embrace the cloud. While there are many reasons behind the delay, the most significant reason for the reluctance is that such organizations are subject to the strictest data security and privacy requirements. What has changed recently is that the cloud hyperscalers are finally able to provide cloud services that are able to store and process sensitive data in controlled and secure environments.
Now, between different government agencies, the demands for restricted cloud use vary. Consider the difference between these three types of US governmental types:
- Civilian agencies
Most governmental agencies, such as local government agencies, state offices, and civilian federal agencies are considered non-secret: they can take advantage of the gov cloud options offered by the hyperscalers and the general-purpose commercial regions (ranging from FedRAMP certification and up to DoD IL5 certification). - DoD agencies
These are more secure governmental organizations that operate under the US Department of Defense. They require use of the DoD Secret Clouds (IL6) and Top-Secret Clouds (C2S and C2E). - Dark site
Some governmental bodies must act with the highest levels of secrecy. They can only allow on-premises deployment and/or cloud software stacks (e.g., AWS Outposts) with no outbound internet connection.
Different types of customers may have different types of requirements, based on the strictness of regulation and the level of security they need to provide for their environments. NetApp helps those varying deployment requirements by providing BlueXP in three different modes: SaaS, Restricted, and Private.
BlueXP Deployment Modes: Standard, Restricted, Private
To cater to different cloud security needs, BlueXP is equipped with three deployment options: Standard, Restricted, and Private.
While the standard BlueXP service mode (aka SaaS mode) is used by most customers, the two additional deployment modes are aimed at serving the special security requirements of regulated and governmental customers. This is accomplished by reducing or eliminating internet connectivity to minimize the attack surface.
The three deployment modes are tailored for different customer verticals and use cases, and allow different functionality in terms of installation process, deployment location, authentication methods, available data and storage services, and charging methods.
BlueXP Standard Mode
This is the basic BlueXP deployment option: you get access to all of the NetApp services that it supports, any of the subscription options, with SaaS-based updates. This BlueXP mode has the most flexibility, but it isn’t the right choice for restricted use cases as it depends on outbound internet access and public cloud connectivity.
BlueXP Restricted Mode
In the Restricted deployment mode, BlueXP will be installed locally in the sovereign cloud region and will have only outbound unidirectional connectivity to the BlueXP SaaS backend, which allows Cloud Volumes ONTAP, BlueXP backup and recovery (Cloud Backup), BlueXP classification (Cloud Data Sense), automatic upgrades, and Auth0-based authentication (including private Auth0 federation). Outgoing connection to the BlueXP backend service is limited only to charging data for PAYGO charging.
BlueXP Private Mode
BlueXP Private mode is designed for highly secure environments, which do not allow outgoing traffic to anything outside the data center or the cloud region. BlueXP Private mode allows deployments to be completely isolated from any internet connection or cloud service. Any updates that have to take place are taken care of manually, allowing for additional security scanning. This mode is typically useful for defense organizations operating in dark sites that are strictly on-premises.
Private mode deployment does not have connectivity to BlueXP SaaS nor connectivity outside the cloud region or data center. This mode can be deployed in a restricted cloud region (such as AWS C2S/SC2S or Azure IL6) or in an on-prem environment. It allows local authentication only and will support BYOL licensing only, with support for LDAP on the roadmap. The UI and API are served locally and won’t allow the use of BlueXP’s SaaS-based UI. Any BlueXP updates are carried out manually.
Deployment Mode Comparison Charts
Let’s take a look at how each of the three BlueXP deployment modes compare to each other. Finding the right one for your organization means evaluating which one applies to your business model and restrictions.
|
Standard |
Restricted |
Private |
|
|
Connectivity to NetApp SaaS |
Yes |
Unidirectional: Outbound to BlueXP SaaS only, Azure (for image pulling), Auth0 |
No |
|
Cloud Provider Connectivity |
Yes: public cloud |
Yes: within the region |
No: Optional connectivity within the private region |
|
Installation |
SaaS/ Marketplace/ Manual |
Marketplace/Manual |
Manual |
|
Authentication Methods |
Auth0/Private Auth0 |
Auth0/Private Auth0 |
Local/LDAP* |
|
Charging Modes |
PAYGO BYOL by capacity BYOL by node |
PAYGO BYOL by capacity BYOL by node |
BYOL by node BYOL by capacity* |
|
API/UI |
SaaS/Local |
Local |
Local |
|
Available Services |
All |
See chart below |
See chart below |
|
Update Process |
SaaS |
SaaS |
Manual |
*Roadmap Item
What NetApp Services Do Private and Restricted Mode Support?
Because of the limits on connectivity that are inherent to using BlueXP in Restricted and Private mode, not all NetApp services are available using these options. Review the list below to see which services can be used with each mode.
|
|
Private |
Restricted |
|
Cloud Volumes ONTAP |
Yes |
Yes |
|
BlueXP backup and recovery (Cloud Backup) |
Yes |
Yes |
|
Replication |
Yes |
Yes |
|
BlueXP classification (Data Sense) |
Yes |
Yes |
|
StorageGRID |
Roadmap |
Roadmap |
|
ONTAP |
Yes |
Yes |
|
ONTAP direct |
Roadmap |
No |
|
E-Series |
Roadmap |
Roadmap |
|
Cloud Volumes Service |
No |
No |
|
FSx for ONTAP |
No |
Yes |
|
Azure NetApp Files |
No |
Yes |
|
Timeline |
Yes |
Yes |
|
Credentials |
Yes |
Yes |
|
UI Notifications |
No |
Yes |
|
Email Notifications |
No |
Yes |
|
NSS accounts |
No |
Yes |
|
ActiveIQ |
No |
No |
|
App templates |
No |
No |
|
Digital Wallet |
Partial |
Yes |
|
Ransomware protection |
No |
No |
|
Cloud Insights |
No |
No |
|
Cloud Sync |
No |
No |
|
Cloud Tiering |
Roadmap |
Roadmap |
|
Cloud Volumes Edge Cache |
No |
No |
|
System Manager (indirect) |
Yes |
No |
|
Amazon S3 |
No |
No |
|
Azure Blob |
No |
No |
|
Google Cloud Storage |
No |
No |
|
Kubernetes clusters |
No |
No |
Which Is Right For You?
Is your organization the type that supports a public clientele that requires a high level of availability for your commercial operations? Are you running IT for a government organization that deals with particularly sensitive data that needs an extra level of protection? Or are you running an organization that simply cannot risk any breach via the internet due to the nature of your mission?
Whatever the answer is, you’ll find a deployment mode on BlueXP that can suit your operational needs with the choice between Standard, Restricted, and Private mode.
To find out more, check out the official documentation on BlueXP deployment modes here.
