AWS mgn documentation change
Summary
Added network requirements section for FSx for ONTAP storage integration, including required ports, security group configurations, and package installation prerequisites.
Security assessment
The change documents security configurations (ports 3260/TCP and 443/TCP) and security group requirements for FSx for ONTAP integration but does not address a specific vulnerability or incident. It provides standard operational guidance for secure network setup.
Diff
diff --git a/mgn/latest/ug/preparing-environments.md b/mgn/latest/ug/preparing-environments.md index e7e7830e4..7acc0bf85 100644 --- a//mgn/latest/ug/preparing-environments.md +++ b//mgn/latest/ug/preparing-environments.md @@ -99,0 +100,2 @@ SSL interception should not be applied for communication between replication ser + * Network requirements for FSx for ONTAP + @@ -261,0 +264,15 @@ Without access to the AL2023 package repository, replication servers may fail to +### Network requirements for FSx for ONTAP + +When using FSx for ONTAP as the target storage type, the following additional network connectivity is required between the target instances and the FSx for ONTAP file system. + +Port | Protocol | Direction | Purpose +---|---|---|--- +3260 | TCP | Target instance → FSx for ONTAP | iSCSI data transfer for block storage replication +443 | TCP | Target instance → FSx for ONTAP | ONTAP REST API for storage management (certificate-based authentication) + +These ports must be allowed in the security groups attached to both the target instances and the FSx for ONTAP file system. For detailed security group configuration, see [Step 1: Configure security groups](./fsx-ontap.html#fsx-ontap-step1-security-groups) in the [FSx for ONTAP configuration guide](./fsx-ontap.html). + +###### Note + +The target instance also requires outbound internet access or access to OS package repositories to install iSCSI initiator and multipath tools. For details, see [Step 6: Configure launch template and launch settings](./fsx-ontap.html#fsx-ontap-step6-launch-settings). + @@ -286 +303 @@ These instructions are intended for the default OS firewall and allow outbound c - 4. If the Enabled status of the rule is **No** , right-click it and select **Enable Rule** from the pop-up menu. + 4. If the Enabled status of the rule is **No** , open the context menu for it and select **Enable Rule** from the pop-up menu.