- A PureManagement security group must be created in the deployment VPC before the stack is created.
- This security group, which contains inbound and outbound rules, is attached to the management ENI (Elastic Network Interface) and allows Pure1 PhoneHome and RemoteAssist connectivity to and from the Cloud Block Store instance.
Security group to apply to the management interfaces. It must allow inbound TCP traffic on ports 22, 80, and 8084, and inbound/outbound traffic on port 443.
Management Security Group (applies to Eth3 / VIR3):
Ports: 22, 80, 443, 8084
Inbound: allow ports 80, 22, 443, and 8084. For the Source rule, enter the VPC CIDR block where CBS resides.
Outbound: allow port 443. For the Destination rule, enter a specific IP range or 0.0.0.0/0 for any.
- In general, we recommend launching the Purity instance in a private subnet with a route to a NAT gateway configured in an adjoining public subnet. This provides a route out to the internet via an Internet Gateway in the public subnet.
- If you are using Network ACLs, you will have to create rules allowing access to the Pure1 Phonehome CIDR block shown below. The rules should be the same as what the PureManagementSecurityGroup in the PAWS Service Catalog template allows.
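The following is an added example, not part of the Pure Storage documentation or template: a Python check that audits a security group, in the shape returned by EC2 DescribeSecurityGroups, against the management port rules listed above. The function names, the sample group and the 10.0.0.0/16 VPC CIDR are constructed for illustration, and only IPv4 CIDR rules are examined.

```python
import ipaddress

# Ports come from the page; the dict layout follows the EC2
# DescribeSecurityGroups response (IpPermissions / IpPermissionsEgress).
INBOUND_PORTS = (22, 80, 443, 8084)
OUTBOUND_PORTS = (443,)

def covers(perm, port):
    """True if one permission entry allows TCP traffic on `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def cidrs(perms, port):
    """IPv4 CIDRs of every permission entry that covers `port`."""
    return [ipaddress.ip_network(r["CidrIp"])
            for p in perms if covers(p, port) for r in p.get("IpRanges", [])]

def audit_management_sg(sg, vpc_cidr):
    """Return findings for a management security group (IPv4 CIDR rules only)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for port in INBOUND_PORTS:
        sources = cidrs(sg.get("IpPermissions", []), port)
        if not any(vpc.subnet_of(s) for s in sources):
            findings.append(f"inbound tcp/{port} not allowed from {vpc}")
        for s in sources:
            if not s.subnet_of(vpc):  # source reaches beyond the VPC CIDR
                findings.append(f"inbound tcp/{port} open to {s}, beyond {vpc}")
    for port in OUTBOUND_PORTS:
        if not cidrs(sg.get("IpPermissionsEgress", []), port):
            findings.append(f"outbound tcp/{port} has no destination rule")
    return findings

# Constructed sample: 22 is open to any source, 8084 is missing, no egress rule.
SAMPLE_SG = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
    "IpPermissionsEgress": [],
}

if __name__ == "__main__":
    for finding in audit_management_sg(SAMPLE_SG, "10.0.0.0/16"):
        print(finding)
```

Rules that reference another security group or an IPv6 range are not evaluated by this check and need a separate review.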
General Pure1 Cloud Network Requirements:
|Transport protocol (non-RA):|HTTPS with 2-way mutual TLS authentication|
|Application protocol (non-RA):|REST|
|RA protocol:|SSH over HTTPS with 2-way mutual TLS authentication|
|Client authentication:|Unique certificate|
|Server authentication:|Server certificate verified on the array|
See: FlashArray Port Assignments for more information.
6. Phonehome connectivity will be enabled by default. You will need to contact Pure Storage Support to activate the instance over RemoteAssist before using it.