BlueXP Blog

BlueXP Restricted and Private Deployment Modes

Written by Danny Tzidony, Technical Marketing Engineer, NetApp | Jun 13, 2023 8:27:38 AM

No matter how you use your data, BlueXP can help you take control of it, providing a unified way to manage your entire data estate, whether it’s entirely on-premises or spread across hybrid environments that use different clouds. But BlueXP also gives you a choice for the level of connectivity your deployment has with the internet, making it adaptable to different enterprise security requirements.

This blog will introduce the three BlueXP deployment options—Standard, Restricted, and Private—providing an in-depth analysis and comparison so you can choose the mode that best suits your organizational needs.


No Two Deployments Are the Same

Organizations aren’t all the same. Standard operating procedure in one business segment just isn’t possible in another. These differences come down to the nature of the business being conducted: your big box retail giant has a completely different set of objectives than a major military contractor.

Many of these objectives are reflected in differing levels of adherence to security, privacy, and regulations. That has a large impact on what level of cloud computing it’s possible for those industries to adopt.

For instance, Amazon developed the software that would grow into the cloud largely to support its own e-commerce business, so it’s no coincidence that many of the companies that have embraced the cloud-first and cloud-only approaches are similar online retailers. The security requirements for these companies are mostly focused on protecting customer data and private information, something that the cloud poses no major obstacles to achieving.

Contrast that ease of adoption with the case of governmental organizations. After long being hesitant about migration, government agencies are finally beginning to embrace the cloud. While there are many reasons behind the delay, the most significant reason for the reluctance is that such organizations are subject to the strictest data security and privacy requirements. What has changed recently is that the cloud hyperscalers are finally able to provide cloud services that are able to store and process sensitive data in controlled and secure environments.

Now, between different government agencies, the demands for restricted cloud use vary. Consider the difference between these three types of US governmental organizations:

  • Civilian agencies
    Most governmental agencies, such as local government agencies, state offices, and civilian federal agencies, are considered non-secret: they can take advantage of the gov cloud options offered by the hyperscalers and the general-purpose commercial regions (ranging from FedRAMP certification up to DoD IL5 certification).
  • DoD agencies
    These are more secure governmental organizations that operate under the US Department of Defense. They require use of the DoD Secret Clouds (IL6) and Top-Secret Clouds (C2S and C2E).
  • Dark site
    Some governmental bodies must act with the highest levels of secrecy. They can only allow on-premises deployment and/or cloud software stacks (e.g., AWS Outposts) with no outbound internet connection.


Different types of customers may have different types of requirements, based on the strictness of regulation and the level of security they need to provide for their environments. NetApp addresses those varying deployment requirements by providing BlueXP in three different modes: Standard (SaaS), Restricted, and Private.

BlueXP Deployment Modes: Standard, Restricted, Private

To cater to different cloud security needs, BlueXP is equipped with three deployment options: Standard, Restricted, and Private.

While the standard BlueXP service mode (aka SaaS mode) is used by most customers, the two additional deployment modes are aimed at serving the special security requirements of regulated and governmental customers. This is accomplished by reducing or eliminating internet connectivity to minimize the attack surface.

The three deployment modes are tailored for different customer verticals and use cases, and allow different functionality in terms of installation process, deployment location, authentication methods, available data and storage services, and charging methods.

BlueXP Standard Mode

This is the basic BlueXP deployment option: you get access to all of the NetApp services that it supports, any of the subscription options, with SaaS-based updates. This BlueXP mode has the most flexibility, but it isn’t the right choice for restricted use cases as it depends on outbound internet access and public cloud connectivity.

BlueXP Restricted Mode

In the Restricted deployment mode, BlueXP will be installed locally in the sovereign cloud region and will have only outbound unidirectional connectivity to the BlueXP SaaS backend, which allows Cloud Volumes ONTAP, BlueXP backup and recovery (Cloud Backup), BlueXP classification (Cloud Data Sense), automatic upgrades, and Auth0-based authentication (including private Auth0 federation). Outgoing connection to the BlueXP backend service is limited only to charging data for PAYGO charging.

BlueXP Private Mode

BlueXP Private mode is designed for highly secure environments, which do not allow outgoing traffic to anything outside the data center or the cloud region. BlueXP Private mode allows deployments to be completely isolated from any internet connection or cloud service. Any updates that have to take place are taken care of manually, allowing for additional security scanning. This mode is typically useful for defense organizations operating in dark sites that are strictly on-premises.

A Private mode deployment has neither connectivity to BlueXP SaaS nor connectivity outside the cloud region or data center. This mode can be deployed in a restricted cloud region (such as AWS C2S/SC2S or Azure IL6) or in an on-prem environment. It allows local authentication only and will support BYOL licensing only, with support for LDAP on the roadmap. The UI and API are served locally and won’t allow the use of BlueXP’s SaaS-based UI. Any BlueXP updates are carried out manually.

Deployment Mode Comparison Charts

Let’s take a look at how the three BlueXP deployment modes compare to each other. Finding the right one for your organization means evaluating which one applies to your business model and restrictions.

 

| | Standard | Restricted | Private |
|---|---|---|---|
| Connectivity to NetApp SaaS | Yes | Unidirectional: Outbound to BlueXP SaaS only, Azure (for image pulling), Auth0 | No |
| Cloud Provider Connectivity | Yes: public cloud | Yes: within the region | No: Optional connectivity within the private region |
| Installation | SaaS/Marketplace/Manual | Marketplace/Manual | Manual |
| Authentication Methods | Auth0/Private Auth0 | Auth0/Private Auth0 | Local/LDAP* |
| Charging Modes | PAYGO, BYOL by capacity, BYOL by node | PAYGO, BYOL by capacity, BYOL by node | BYOL by node, BYOL by capacity* |
| API/UI | SaaS/Local | Local | Local |
| Available Services | All | See chart below | See chart below |
| Update Process | SaaS | SaaS | Manual |

*Roadmap Item

What NetApp Services Do Private and Restricted Mode Support?

Because of the limits on connectivity that are inherent to using BlueXP in Restricted and Private mode, not all NetApp services are available using these options. Review the list below to see which services can be used with each mode.

 

| | Private | Restricted |
|---|---|---|
| Cloud Volumes ONTAP | Yes | Yes |
| BlueXP backup and recovery (Cloud Backup) | Yes | Yes |
| Replication | Yes | Yes |
| BlueXP classification (Data Sense) | Yes | Yes |
| StorageGRID | Roadmap | Roadmap |
| ONTAP | Yes | Yes |
| ONTAP direct | Roadmap | No |
| E-Series | Roadmap | Roadmap |
| Cloud Volumes Service | No | No |
| FSx for ONTAP | No | Yes |
| Azure NetApp Files | No | Yes |
| Timeline | Yes | Yes |
| Credentials | Yes | Yes |
| UI Notifications | No | Yes |
| Email Notifications | No | Yes |
| NSS accounts | No | Yes |
| ActiveIQ | No | No |
| App templates | No | No |
| Digital Wallet | Partial | Yes |
| Ransomware protection | No | No |
| Cloud Insights | No | No |
| Cloud Sync | No | No |
| Cloud Tiering | Roadmap | Roadmap |
| Cloud Volumes Edge Cache | No | No |
| System Manager (indirect) | Yes | No |
| Amazon S3 | No | No |
| Azure Blob | No | No |
| Google Cloud Storage | No | No |
| Kubernetes clusters | No | No |

Which Is Right For You?

Is your organization the type that supports a public clientele that requires a high level of availability for your commercial operations? Are you running IT for a government organization that deals with particularly sensitive data that needs an extra level of protection? Or are you running an organization that simply cannot risk any breach via the internet due to the nature of your mission?

Whatever the answer is, you’ll find a deployment mode on BlueXP that can suit your operational needs with the choice between Standard, Restricted, and Private mode.

To find out more, check out the official documentation on BlueXP deployment modes here.