Amazon Web Services Deployment Guide

Learn how to set up the base infrastructure required to deploy NGINX Management Suite API Connectivity Manager in Amazon Web Services (AWS).


This documentation applies to NGINX Management Suite API Connectivity Manager 1.1.0 and later.

Overview

This guide walks you through the steps needed to set up the necessary infrastructure in Amazon Web Services (AWS) for a proof of concept environment for NGINX Management Suite API Connectivity Manager (ACM). The options presented in this guide for creating AWS Instances keep cost in mind and prefer the minimum requirements for running a fully functional API Connectivity Manager environment. Keep in mind that production environments may require larger instance sizes and incur greater costs.

Before You Begin

  • Make sure you have an AWS account.
Important:
Because the NGINX Management Suite host requires a minimum of 2 CPU and 4GB RAM (NOT a free tier size), completing this deployment guide will incur charges from AWS according to their price plan.

Hosts Specs

The AWS instance types and storage capacity used in this guide are based on the NGINX Management Suite Technical Specs.

Hosts                          AWS Instance Type   AWS Storage
-----------------------------  ------------------  -----------
NGINX Management Suite Host    t3.medium           100GB
Data Plane Host                t2.micro            10GB
Developer Portal Host          t2.micro            10GB

Table 1.1 Host Sizing

Provision AWS Instances

Complete the tasks in this section to set up the following resources in AWS:

  1. Virtual Private Cloud
  2. EC2 Instances

The instances you create by the end of this guide are:

  1. NGINX Management Suite Host
  2. Data Plane Host
  3. Developer Portal Host

Configure VPC

This section creates and configures the AWS Virtual Private Cloud (VPC) as described below. If your existing VPC already allows the following types of traffic, skip this section.

  1. Be able to access the internet (for install)
  2. Be able to establish an SSH connection from your workstation to the EC2 Instances
  3. Have HTTPS traffic enabled
    • To allow NGINX Management Suite user interface and/or API access
    • Communication between Data Plane or Developer Portal host and NGINX Management Suite host
  4. Have HTTP traffic enabled
    • To allow access to the Developer Portal from a workstation
    • To allow traffic for gateway proxy from a workstation

Create a New VPC

Take the steps below to create a new VPC:

  1. Go to the VPC Service.
  2. Select Create VPC.
  3. In the VPC setting section, provide the Name (optional) and IPv4 CIDR.
  4. Select Create VPC.

Create a New Subnet

Take the steps below to create a new subnet:

  1. On the left menu, select Virtual private cloud > Subnets.
  2. Select Create subnet.
  3. In the VPC section, select the newly created VPC from above.
  4. In the Subnet settings, provide the Subnet name (optional) and IPv4 CIDR block.
  5. Select Create subnet.

Create a New Internet Gateway

Take the steps below to create a new internet gateway:

  1. On the left menu, select Virtual private cloud > Internet Gateways.
  2. Select Create internet gateway.
  3. On the main window of the newly created internet gateway, select Actions > Attach to VPC.
  4. Select the VPC created from above.
  5. Select Attach internet gateway.
Note:
The Internet Gateway is what provides a public subnet internet access.

Create a New Route Table

Take the steps below to create a route table, add a route entry that defaults to the internet gateway created above, and associate a subnet with this route table:

  1. On the left menu, select Virtual private cloud > Route tables.
  2. Select Create route table.
  3. Associate this route table to the VPC created from above.
  4. Select Create route table.
  5. Scroll down on the main window of the newly created route table then select Edit routes.
  6. Select Add route.
    1. Provide 0.0.0.0/0 for the Destination.
    2. Select the Internet Gateway created from above.
    3. Select Save changes.
  7. Scroll down on the main window on the same route table then select the Subnet associations tab.
  8. Select Edit subnet associations.
  9. Select the subnet created from above.
  10. Select Save associations.

Create EC2 Instances

At this point, the VPC created above is available when creating EC2 Instances.

Before creating the EC2 instances, create your Key Pair and Security Groups if they do not already exist. The reason why they are required is described below.

AWS Object       Reason
---------------  -------------------------------------------------------------------------------------
Key Pair         This is used to allow SSH connections in to EC2 Instances.
Security Groups  The security group needs to enable HTTP/S traffic and allow SSH traffic from your IP.

Table 1.2 Key Pair and Security Groups Reasoning

Create a Key Pair

Take the steps below to create a Key Pair.

  1. Go to the EC2 Service.
  2. On the left menu, select Network & Security > Key Pairs.
  3. You can either create a new Key Pair or import your own.
    • To create a new Key Pair:
      1. Select Create key pair.
      2. Provide the Name, Key pair type, and Private key file format.
    • To import your existing Key Pair:
      1. Select Actions > Import key pair.
      2. Provide the key pair Name and your public key content.

Create a Security Group

The table below summarizes the two security groups that you should create.

Security Group Name  HTTP Type      HTTPS Type     SSH Type
-------------------  -------------  -------------  --------
sg-controller        NA             Anywhere-IPv4  My IP
sg-data              Anywhere-IPv4  Anywhere-IPv4  My IP

Table 1.3 AWS Inbound Security Group Source

Note:

Select My IP as the Source for SSH Type to prevent SSH connection attempts by anyone other than yourself.

If you are not allowed to do this, refer to the Terminal Access Using Session Manager section below.


Each host needs to be associated to a security group. The mapping of each host to the correct security group is shown below.

Host                         Security Group
---------------------------  --------------
NGINX Management Suite Host  sg-controller
Data Plane Host              sg-data
Developer Portal Host        sg-data

Table 1.4 Host to Security Group Mapping


Take the steps below to create a security group for access. Repeat these steps twice, once for sg-controller and once for sg-data.

  1. Go to the EC2 Service.
  2. On the left menu, select Network & Security > Security Groups.
  3. Select Create security group.
  4. In the Basic details section, provide the Security group name, Description, and select the VPC created from above.
  5. In the Inbound rules section, refer to each traffic Type that corresponds to the security group being created from Table 1.2 above.
  6. The Outbound rules should already allow all traffic by default. If they do not, modify them so that all traffic is allowed.
  7. Select Create security group.
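As an added check (example code written for this guide, not an AWS or NGINX tool), the script below audits security groups in the JSON shape returned by aws ec2 describe-security-groups and reports, per group, whether SSH is open to the whole internet, restricted to specific CIDRs as the My IP choice produces, or not allowed at all. The sample groups and the 203.0.113.10/32 workstation address are constructed for the example.

```python
# Audit EC2 security groups for SSH reachable from the whole internet.
# Input shape is that of `aws ec2 describe-security-groups`; SAMPLE below
# is constructed for this example, not captured from a real account.
import ipaddress


def _covers_port(perm: dict, port: int) -> bool:
    """Does one IpPermissions entry admit `port`? ("-1" = all traffic)"""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_exposure(groups: list[dict], port: int = 22) -> dict[str, str]:
    """Per group: 'open' (SSH from 0.0.0.0/0 or ::/0), 'restricted'
    (SSH only from specific CIDRs, the guide's "My IP"), or 'none'."""
    verdicts = {}
    for sg in groups:
        verdict = "none"
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, port):
                continue
            srcs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                    + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if any(ipaddress.ip_network(s).prefixlen == 0 for s in srcs):
                verdict = "open"
                break            # one world-open rule is enough to fail
            if srcs:
                verdict = "restricted"
        verdicts[sg["GroupName"]] = verdict
    return verdicts


def _rule(port: int, *cidrs: str) -> dict:
    """TCP IpPermissions entry for the constructed sample (v4 and v6 sources)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c]}


MY_IP = "203.0.113.10/32"   # constructed stand-in for the console's "My IP"
SAMPLE = [  # the guide's two groups done right, plus one common mistake
    {"GroupName": "sg-controller",
     "IpPermissions": [_rule(443, "0.0.0.0/0"), _rule(22, MY_IP)]},
    {"GroupName": "sg-data",
     "IpPermissions": [_rule(80, "0.0.0.0/0"), _rule(443, "0.0.0.0/0"), _rule(22, MY_IP)]},
    {"GroupName": "sg-mistake", "IpPermissions": [_rule(22, "0.0.0.0/0", "::/0")]},
]
```

To audit a real account, pass the SecurityGroups list from the command output to ssh_exposure; rules whose source is another security group or a prefix list carry no CIDR and are not counted.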

Create EC2 Instance

Take the steps below to create an EC2 Instance. Repeat these steps three times, once for each host shown in Table 1.1.

  1. Go to the EC2 Service.
  2. On the left menu, select Instances > Instances.
  3. Select Launch Instances.
  4. Provide the Name of your instance.
  5. In the Application and OS Images section, select your supported OS of choice.
  6. Select your instance size in the Instance Type section. Refer to Table 1.1 for the suggested size of your host. Refer to Technical Specifications for additional information.
  7. In the Key pair (login) section, select the key pair that was created above.
  8. In the Network settings section, select the Edit button.
    • Provide your VPC and Subnet information.
    • Select Enable for Auto-assign public IP.
    • Select Select existing security group.
    • Provide the security group created above shown in Table 1.4 that corresponds to your host for Common security groups.
  9. In the Configure Storage section, select the storage amount required by your host. Refer to Table 1.1 for guidance to determine the suggested size. Refer to Technical Specifications for additional information.

Access EC2 Instance

Take the steps below to obtain the public IP so you can access the instance through an SSH connection.

  1. Select Instances > Instances on the left menu.
  2. Select your instance.
  3. Select the Details tab.
  4. The public IP address is shown in the Public IPv4 address section. This is the IP that allows external access (such as from your workstation) to the selected EC2 Instance.
    Note:
    It takes about a minute for the instance to become available for SSH connections.

Hosts Installation

Follow the steps in the appropriate NGINX Management Suite installation guides for each host.

Terminal Access Using Session Manager (Optional)

AWS allows you to restrict SSH traffic to a specific source IP address, which is much safer than exposing it to everyone on the internet. Even though exposing it to one IP may be good enough, it might not satisfy your company policy. It is possible to completely disable SSH traffic and still have terminal access to your EC2 Instances. There are different ways of doing this; the one covered here is AWS Systems Manager Session Manager.

There are two methods of gaining terminal access via Session Manager:

  1. AWS Management Console
  2. AWS Command Line Interface Tool

Whichever method you choose, you need to take the following steps to properly configure your instances to allow connections from AWS Session Manager. Before continuing, ensure the Session Manager Prerequisites are met.

IAM Role

You must create a new IAM Role that grants Session Manager access to EC2 Instances. This role will be associated with the EC2 Instances needing terminal access. Follow the instructions below to create an IAM Role for Session Manager.

  1. Log in to your AWS Account on your web browser.
  2. Go to the IAM service.
  3. On the left menu, select Access management > Roles.
  4. Select Create role.
  5. In the Trusted entity type section, select AWS service.
  6. In the Use case section, select EC2.
  7. Select Next.
  8. In the Permissions policies section, select AmazonSSMManagedInstanceCore. You can filter for this name in the filter box.
  9. Select Next.
  10. Provide the Role name and Tag (optional) for this IAM Role specifically allowing Session Manager access to EC2 Instances.
  11. Select Create role.
Note:
Creating an IAM Role from the AWS Management Console and choosing EC2 as the AWS Service also creates an AWS Instance Profile associated with EC2 Instances. Additional details can be found in the AWS knowledge article.

Associating IAM Instance Profile to EC2 Instance

When you associate an IAM Role created from the IAM service to an EC2 Instance, you are really associating an IAM Instance Profile. Again, when you create an IAM Role from AWS Management Console and choose EC2 as the AWS Service, it also creates an IAM Instance Profile. Take the steps in this section to associate an IAM Instance Profile to an EC2 Instance.

There are two situations that can happen here:

  1. Associating IAM Instance Profile to an existing instance
  2. Associating an IAM Instance Profile to a new instance

Associating IAM Instance Profile to Existing Instance

Take the steps below to associate an IAM Instance Profile to an existing EC2 Instance:

  1. Go to the EC2 Service.
  2. On the left menu, select Instances > Instances.
  3. Right-click on the instance of interest.
  4. Select Security > Modify IAM role.
  5. Select the IAM Instance Profile from the list.

Associating IAM Instance Profile on New Instance

Associating an IAM Instance Profile to a new instance happens before the instance is created. The steps below assume you know how to get to the page where you provide information for the new instance you are about to create. You see this page after selecting Launch instances from Instances > Instances on the EC2 Service.

  1. In the Advanced details section, expand the entire section.
  2. Select your IAM Instance Profile for IAM instance profile.

Accessing EC2 Instance Terminal

You can access the terminal of your instance by either:

  • AWS Management Console
  • AWS Command Line Interface Tool

AWS Management Console

Take the steps below to get terminal access using Session Manager.

  1. Go to the Systems Manager Service.
  2. On the left menu, select Node Management > Session Manager.
  3. Verify you are on the Sessions tab.
  4. Select Create session.
  5. In the Target Instances section, select the instance of interest.
  6. Select Start session. This takes you to the terminal where you are logged in as ssm-user.
  7. When you are done, select Terminate at the top.
Note:

If you do not see your instance in the Target Instances section:

  • Verify the IAM Instance Profile is associated to your instance.
  • Verify the IAM Role has SSM permissions properly configured.
  • Verify the instance allows outbound HTTPS traffic to the endpoints shown in the Connectivity to endpoints row on the Session Manager Prerequisites page.
  • Wait about 15 minutes if you attached the IAM Instance Profile to an existing instance.

AWS Command Line Interface Tool

Another way to get terminal access to instances is through AWS’s CLI Tool.

Take the steps below to fulfill prerequisites for using Session Manager on the command line interface:

  1. Install AWS CLI Tool.
  2. You must also install the Session Manager Plugin.
  3. You need AWS Access Key ID and AWS Secret Access Key, which you can set up by referring to the AWS CLI Prerequisite page.

Take the steps below to get terminal access on an instance:

  1. Run aws configure to set up access to your AWS account.

    $ aws configure
    AWS Access Key ID []: ****************DLVT
    AWS Secret Access Key []: ****************666r
    Default region name []: <yourRegionName>
    Default output format []: json
    
    Note:

    If your AWS account is configured to use temporary credentials, you need to provide the aws_session_token by running the command below:

    aws configure set aws_session_token <sessionToken>
  2. Run aws ssm start-session --target "<instanceId>" to start a session which provides terminal access.

    $ aws ssm start-session --target "<instanceId>"
    
    Starting session with SessionId: aaaaaaaa-0538f063ab275aeed
    $
    
  3. To exit out of the session, type exit as if you were going to close a normal terminal screen.