Deploy a Trustgrid Node AMI in AWS

Standing up a Trustgrid node in AWS is straightforward using an Amazon AMI. Trustgrid nodes in AWS use two network interfaces: a management interface and a data interface. The management interface communicates with the Trustgrid Cloud Management systems. The data interface is used to terminate TLS tunnels from Edge Nodes.

Notes

  • The CloudFormation template below works with an AMI currently published in us-east-1. Deploying in other regions requires working with Trustgrid Support.
  • Requires VPC and public subnet
  • Does not create security groups or roles - those have to be managed separately (more below)

Prerequisites

  • VPC with public and private subnets - the management NIC goes in the public subnet, the data NIC goes in the private subnet

    • Note: If doing a multi-AZ cluster deployment, the private subnets need to use the same route table for automated route management to work.
  • Security group for management NIC that allows the following traffic:

    • Inbound traffic on the designated Trustgrid gateway port (typically TCP 8443) for remote nodes. Access to this port can be restricted to the remote nodes' addresses if desired. This is only required if deploying a Trustgrid gateway; if the node is acting as an edge, no inbound access is required.
    • Outbound traffic to Trustgrid's control plane IP ranges (TCP 80/443 & 8443 to 35.171.100.16/28 & 34.223.12.192/28)
    • Outbound traffic to the AWS API (TCP 443) https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
    • Inbound & outbound traffic to/from the management NIC security group on the cluster port (typically TCP port 9000)
    • For the initial deployment, outbound access on TCP 80/443 should be allowed. Upon successful registration with the Trustgrid Portal this can be removed.
  • IAM role for the instance with policies allowing changes to the routing table of the data NIC - See attached doc

  • All Interfaces on the Trustgrid Gateway should have source / destination check disabled in AWS

  • Security group for data NIC - No configuration for now

  • An IP in the private subnet that will be used by the data NIC

  • An SSH keypair that can be used to SSH to the instance if necessary

  • VPC must have unallocated public IP that will be claimed during provisioning

Process

  1. Create a new Node. When complete, the node license is copied to the clipboard.

    • Note: The node will not be visible in the portal until the registration process is complete.
    • Download the license to local storage in case the clipboard is cleared. You cannot reissue a license without recreating the node.
  2. Select the appropriate CloudFormation template based on the AWS region being deployed in.

  3. Fill out the fields in the CloudFormation form

Instance Configuration

Stack Name

Unique name to describe this deployment.

Instance Type

Set the instance type of the EC2 instance to deploy (bigger instances cost more).

Host IAM Role

An IAM role that can either be empty or, if the node will be clustered (Layer 3), requires the following permissions (ec2:DescribeRouteTables for all resources and ec2:CreateRoute and ec2:DeleteRoute on the route table):

Route Table Policy

{
  "Effect": "Allow",
  "Action": "ec2:DescribeRouteTables",
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "ec2:CreateRoute",
    "ec2:DeleteRoute"
  ],
  "Resource": "arn:aws:ec2:us-east-1:079972220921:route-table/rtb-f428d58b"
}

NOTE: Set the Resource field to the ARN of the Routing Table associated with the data NICs of the instance.

SSH Keypair

SSH keypair used to SSH to the instance as the ubuntu user if necessary.

NOTE: SSH access requires a security group change allowing access. We strongly recommend that SSH is not allowed from anywhere (0.0.0.0/0).
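The management-NIC security group rules listed under Prerequisites, together with the SSH recommendation above, can be checked offline before the stack is created. The following is an added example written for this page, not part of the Trustgrid template; it audits a security group in the shape returned by the AWS API, with constructed sample groups and no AWS calls.

```python
"""Offline audit of a management-NIC security group against the prerequisites
above. Rule dicts mirror the shape of `aws ec2 describe-security-groups`
output but are constructed here; nothing talks to AWS."""
import ipaddress

# Control-plane ranges and ports quoted in the prerequisites
CONTROL_PLANE_CIDRS = ("35.171.100.16/28", "34.223.12.192/28")
CONTROL_PLANE_PORTS = (80, 443, 8443)

def rule_covers(rule, port, cidr=None):
    """True if one IpPermissions entry allows TCP `port`; when `cidr` is
    given, the entry must also allow every address in that range."""
    proto = rule["IpProtocol"]
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    if cidr is None:
        return True
    want = ipaddress.ip_network(cidr)
    return any(want.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))

def audit_mgmt_sg(sg, is_gateway=True, gateway_port=8443):
    """Return findings (empty list = pass): SSH must not be world-open, a gateway
    needs an inbound rule on its port, and egress to both control-plane ranges
    on 80/443/8443 must exist."""
    findings = []
    inbound, outbound = sg["IpPermissions"], sg["IpPermissionsEgress"]
    if any(rule_covers(r, 22, "0.0.0.0/0") for r in inbound):
        findings.append("SSH (TCP 22) is open to 0.0.0.0/0")
    if is_gateway and not any(rule_covers(r, gateway_port) for r in inbound):
        findings.append(f"no inbound rule for gateway port TCP {gateway_port}")
    for cidr in CONTROL_PLANE_CIDRS:
        for port in CONTROL_PLANE_PORTS:
            if not any(rule_covers(r, port, cidr) for r in outbound):
                findings.append(f"no egress to {cidr} on TCP {port}")
    return findings

def _tcp(port, *cidrs):  # builds one single-port rule for the samples below
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs]}

# Constructed samples: one group that violates the guidance, one that follows it
WEAK_SG = {"IpPermissions": [_tcp(22, "0.0.0.0/0"), _tcp(8443, "0.0.0.0/0")],
           "IpPermissionsEgress": [_tcp(443, "0.0.0.0/0")]}
GOOD_SG = {"IpPermissions": [_tcp(8443, "0.0.0.0/0")],
           "IpPermissionsEgress": [_tcp(p, *CONTROL_PLANE_CIDRS)
                                   for p in CONTROL_PLANE_PORTS]}
```

Running audit_mgmt_sg(WEAK_SG) reports the world-open SSH rule and the missing 80/8443 egress to each control-plane range; the same function on GOOD_SG returns no findings.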

Encrypted EBS Volume

By default the CloudFormation template provided will configure an encrypted EBS volume on the Trustgrid Node. The following permissions need to be applied to the associated IAM role to provide access to the default EBS KMS key. Note that you will need to input the applicable AWS account ID and region where this node is being deployed.

{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*"
  ],
  "Resource": "arn:aws:kms:us-east-1:$aws_accountid:alias/aws/ebs"
}
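Both statements above are only as safe as their Resource fields: the route-table statement must name the data NICs' route table (not "*"), and the KMS statement must have its account placeholder filled in. The following is an added check written for this page, not Trustgrid code; the policy document is constructed from the two fragments above and the ARN patterns are assumptions about the standard AWS ARN formats.

```python
"""Offline check that the node's IAM statements are scoped as the notes above
require. Added illustration for this page; the policy document is constructed
from the two fragments shown and still carries the unfilled KMS placeholder."""
import re

ROUTE_ACTIONS = {"ec2:CreateRoute", "ec2:DeleteRoute"}
# Assumed ARN shapes: a single route table, or the default EBS key/alias
ROUTE_TABLE_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:route-table/rtb-[0-9a-f]+$")
EBS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:(alias/aws/ebs|key/[0-9a-f-]+)$")

def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_node_policy(policy):
    """Return findings (empty list = pass): route mutations must name one route
    table, KMS grants must name the EBS key, and no placeholder may remain."""
    findings = []
    for st in policy["Statement"]:
        actions = set(_as_list(st["Action"]))
        for res in _as_list(st["Resource"]):
            if "$" in res:  # e.g. $aws_accountid left unfilled
                findings.append(f"placeholder left in Resource: {res}")
            elif actions & ROUTE_ACTIONS and not ROUTE_TABLE_ARN.match(res):
                findings.append(f"route mutation not scoped to a route table: {res}")
            elif any(a.startswith("kms:") for a in actions) and not EBS_KEY_ARN.match(res):
                findings.append(f"KMS grant not scoped to the EBS key: {res}")
    return findings

# Constructed from the page's fragments; DescribeRouteTables on "*" is intended
NODE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeRouteTables", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateRoute", "ec2:DeleteRoute"],
         "Resource": "arn:aws:ec2:us-east-1:079972220921:route-table/rtb-f428d58b"},
        {"Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:ReEncrypt*", "kms:GenerateDataKey*"],
         "Resource": "arn:aws:kms:us-east-1:$aws_accountid:alias/aws/ebs"},
    ],
}
```

On NODE_POLICY as written the only finding is the unfilled $aws_accountid placeholder; the read-only DescribeRouteTables statement is allowed to use "*".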

Management Configuration

Security Group

Needs to allow outbound traffic to other gateways and to our public IP range, at a minimum. If it is a gateway node, it also needs to allow inbound access on the desired gateway port.

Subnet

The VPC subnet to put the EC2 instance in. This needs to be a subnet with public IP enabled (the instance will automatically claim one; Auto-Assign Public IP does not need to be enabled).

Data Path Configuration

Security Group

The security group for the data path. Needs to allow outbound communication to other gateways, and inbound communication on its gateway port.

Subnet

The VPC subnet to put the data interface in. If it is a cloud-accessible gateway, this should be a public subnet; if it is only for internal AWS traffic, it can be a private subnet. It will need outbound access either through an IGW or a NAT GW.

Data IP

The private IP for the data path. Must belong to the subnet.

Trustgrid Configuration

Security Group

Copy/paste the license from the portal.

Note: It is critical that you copy/paste the license correctly.

Creating the Stack

  1. Create the stack. Check the box acknowledging that AWS CloudFormation might create IAM resources. This is required because the template creates an instance profile for the EC2 instance it launches.
  2. When the node appears in the Portal, activate it.
  3. In the EC2 console, reboot the node (it will be named trustgrid-node)
  4. You can now manage the node as you would any other in the Portal UI.