Creating an AWS Infrastructure
This document outlines the creation of the AWS stack for the PxStat application. The steps are outlined on the assumption that the AWS web console will be used, however it can also form the basis of Cloud Formation scripts or PowerShell scripts.
- On the VPCs page, select the Create VPC button
- Enter a name for the VPC, e.g.
vpc-awspoc - Create an IPv4 CIDR block, suggested value
10.0.0.0/16
- Open the VPC page
- Select "Subnets" from the left hand Navigation pane
- Select the "Create Subnet" button
- Select the VPC you have just created
- Enter a name for the subnet (e.g.
awspoc-public-a) - Select the availability zone as eu-west-1a
- Enter an IPv4 CIDR block e.g.
10.0.0.0/24 - Press Save
Repeat for the other public subnet with the following differences:
- Name: awspoc-public-a
- Availability zone: eu-west-1b
- IPv4: e.g.
10.0.134.0/24
-
Open the VPC page
-
Select Internet Gateways from the left hand Navigation pane
-
Give the Internet Gateway a name, e.g.
ig-vpc-awspoc
- Click "Actions" on the Internet Gateway page
- Click "Attach to VPC"
- Select the VPC you just created and click Attach
- Open the VPC page
- Select "Subnets" from the left hand Navigation pane
- Select the "Create Subnet" button
- Select the VPC you have just created
- Enter a name for the subnet (e.g.
awspoc-private-a) - Select the availability zone as
eu-west-1a - Enter an IPv4 CIDR block e.g.
10.0.2.0/23 - Press Save
- Click on Route Tables in the left hand Navigation pane
- Select the Route table shown against the VPC you have just created
- Click on the Tags tab and Manage Tags
- Rename the Route table by adding a Tag called "Name" and giving a value like "route- awspoc-private"
- Click on the Subnet Associations tab and click "Edit Subnet Associations"
- Select the private subnet
- You now need to create Route Tables for the public subnets
- Click on "Create Route Table" and select the VPC
- Give the Route table a name and select "Subnet Associations"
- Associate the Route table with the first public subnet
- On the Routes Tab select Edit Routes
- Click "Add Route" with Destination
0.0.0.0/0(public internet) and for Target, select "Internet Gateway" and the Internet Gateway you created recently. Give the Route a suitable name by creating a Name tag and value in the Tags tab. - Repeat the above steps for the other public subnet
The EC2 instances are the Windows virtual servers. You will create 2 API servers and 2 Web servers. You will also need to configure Security Groups for these servers.
For reliability, there will be one API server and one Web Server in each of two availability zones.
- Select EC2 in the AWS panel
- Click on Instances and "Launch Instances"
- Select Microsoft
Windows Server 2019 Base - The exact specification depends on requirements, but I suggest selecting
t2.2xlarge - Press Next
- For "Network" select the VPC you just created
- For "Subnet" select the "A" public subnet you created previously
- For "Auto-assign Public IP" select Enable
- Press Next
- Select the type of storage you need and press Next
- Select "Add Tag", create a tag called Name and give the server a name, e.g. awspoc-api-a
- For "Assign a Security Group" select "Create a new Security Group"
- Give the Security Group a name, e.g. awspoc-api-sg. You will do some further configuration on this Security Group later on in the process.
- Press Next.
- Review the instance and if you are happy with it, press Launch. The instance will take a few minutes to set itself up.
- Select EC2 in the AWS panel
- Click on Instances and "Launch Instances"
- Select Microsoft Windows Server 2019 Base
- The exact specification depends on requirements, but I suggest selecting
t2.2xlarge - Press Next
- For "Network" select the VPC you just created
- For "Subnet" select the "B" public subnet you created previously
- For "Auto-assign Public IP" select Enable
- Press Next
- Select the type of storage you need and press Next
- Select "Add Tag", create a tag called Name and give the server a name, e.g.
awspoc-api-b - For "Assign a Security Group" select the security group you created when creating the API A server
- Press Next.
- Review the instance and if you are happy with it, press Launch. The instance will take a few minutes to set itself up.
- Select EC2 in the AWS panel
- Click on Instances and "Launch Instances"
- Select
Microsoft Windows Server 2019 Base - The exact specification depends on requirements, but I suggest selecting t2.2xlarge
- Press Next
- For "Network" select the VPC you just created
- For "Subnet" select the "A" public subnet you created previously
- For "Auto-assign Public IP" select Enable
- Press Next
- Select the type of storage you need and press Next
- Select "Add Tag", create a tag called Name and give the server a name, e.g. awspoc-web-a
- For "Assign a Security Group" select "Create a new Security Group"
- Give the Security Group a name, e.g.
awspoc-web-sg. You will do some further configuration on this Security Group later on in the process. - Press Next.
- Review the instance and if you are happy with it, press Launch. The instance will take a few minutes to set itself up.
- Select EC2 in the AWS panel
- Click on Instances and "Launch Instances"
- Select
Microsoft Windows Server 2019 Base - The exact specification depends on requirements, but I suggest selecting
t2.2xlarge - Press Next
- For "Network" select the VPC you just created
- For "Subnet" select the "B" public subnet you created previously
- For "Auto-assign Public IP" select Enable
- Press Next
- Select the type of storage you need and press Next
- Select "Add Tag", create a tag called Name and give the server a name, e.g.
awspoc-web-b - For "Assign a Security Group" select the security group you created when creating the WEB A server
- Press Next.
- Review the instance and if you are happy with it, press Launch. The instance will take a few minutes to set itself up.
- You will connect to your EC2 instances using RDP (Remote Desktop). The security groups you used when creating the instances are by default configured to accept RDP traffic from the public internet.
- An Administrator account and password are created automatically. The password is encrypted using a public/private key pair. To get your key pair, you will need to set it up in AWS.
- Go to the EC2 page and select "Key Pairs" under "Network and Security"
- Select "Create Key Pair"
- Select the ".pem" (OpenSSH) option
- Give the key pair a name
- Select "Create Key Pair"
- The key pair you created will be automatically downloaded by your browser. Save it to a safe place.
- You may use this key for all your EC2 instances, so you do not have to repeat this for each instance.
- To connect, select the EC2 instance and press the Connect button
- Select the RDP Client tab
- Select Download RDP file. This will download to your browser. Save the file to a safe place.
- Select "Get Password".
- Browse to where you have stored the key pair on your PC
- Select "Decrypt Password". Your Administrator password will be displayed on the screen.
Once you have access to the EC2 instance, login via RDP. You will need to change some settings and features as follows:
- Change the location and culture to your own
- Under "Server Manager" and "Local Server", switch off "IE enhanced security configuration"
- Import Chrome and set it as the default browser
- Under "Control Panel", "Programs" select "Turn Windows Features On and Off"
- Select "Next" until you see "Web Server" as an option on a list. Use this to enable IIS on the server.
You may wish to investigate scripting these changes in Powershell. A Powershell script may be included in a Cloud Formation Json Script.
We are creating a SQL Server database. This will not run directly on a server, rather it will exist as a stand-alone database. In AWS, this service is called RDS.
- Select RDS in the AWS control panel
- Select "Create Database"
- Select Microsoft SQL Server
- Select the required edition
- Give the database a name
- Select a username and password for the admin account
- If you have selected the Standard Edition or the Enterprise Edition, you may also select whether this is a DEV or Production environment
- Select your Multi-AZ, storage and auto-scaling requirements
- Under VPC, select the VPC you created earlier
- For Public Access, select "No"
- For Security Group, select to create a new Security Group. You will configure this further later. Give the security group a name.
- Open the "Additional Configuration" and select your preferred options. I would suggest that you check "Enable Deletion Protection".
- Select "Create Database". This will take a few minutes to complete.
There will be no direct http or https access to the EC2 instances from the internet. There will instead be https access to two Load Balancers (one for API, the other for WEB). Traffic will be routed as http from the Load Balancers to the servers on a round robin basis.
You will need a certificate to enable https on the load balancers.
- Select Certificate Manager in the AWS Services panel
- Select Request a Certificate
- Select "Request a Public Certificate"
- Press "Request a Certificate"
- Add the domain and press "Next"
- Select DNS validation and press "Next"
- Add a name tag and press "Next"
- Press "Confirm and Request"
- When the Certificate is ready, the status will change to "Issued" on the Certificates page
- Open the EC2 page
- Select "Load Balancers" in the Navigation page on the left
- Select "Application Load Balancer"
- Select a name for the load balancer, e.g.
lb-awspoc-api - Select "internet facing" for the Scheme
- Select address type IPv4
- Change the listener to HTTPS
- Select the VPC your created earlier
- Check the availability zones where you created the public subnets, i.e. eu-west-1a and eu-west-1b and select "Next"
- Select "Choose a certificate from ACM"
- Select the certificate from the drop down list
- Select Security Policy ELBSecurityPolicy-2016-08 and press "Next"
- Select to create a new Security Group for the load balancer
- Add an inbound rule to accept traffic from
0.0.0.0/0(pubic internet) using https - Give a name to the security group and press "Next"
- Select "New Target Group"
- Select Target Type "Instance", Protocol Type HTTP1 and press "Next"
- Select the two API instances and add them to the target group
- Press Review and Create
- Open the EC2 page
- Select "Load Balancers" in the Navigation page on the left
- Select "Application Load Balancer"
- Select a name for the load balancer, e.g.
lb-awspoc-web - Select "internet facing" for the Scheme
- Select address type IPv4
- Change the listener to HTTPS
- Select the VPC your created earlier
- Check the availability zones where you created the public subnets, i.e.
eu-west-1aandeu-west-1band select "Next" - Select "Choose a certificate from ACM"
- Select the certificate from the drop down list
- Select Security Policy
ELBSecurityPolicy-2016-08and press "Next" - Select to create a new Security Group for the load balancer
- Add an inbound rule to accept traffic from
0.0.0.0/0(pubic internet) using https - Give a name to the security group and press "Next"
- Select "New Target Group"
- Select Target Type "Instance", Protocol Type HTTP1 and press "Next"
- Select the two WEB instances and add them to the target group
- Press Review and Create
The Security Groups are the rules that allow traffic to pass between the various entities.
The database should allow access only to the API servers. This is done by adding MSSQL access from the API server security group as an inbound rule
- Open the EC2 page
- Select Security Groups from the Navigation page on the left
- Select the Database security group
- Add an inbound rule: port 443, MSSQL, source [api security group]
The API security group should only allow access on RDS from the public internet and http from the API load balancer.
- Open the EC2 page
- Select Security Groups from the Navigation page on the left
- Select the API load balancer security group
- Add an inbound rule: port 80, TCP, source [api load balancer security group]
- Add an inbound rule (if it doesn't exist already) : port 3389, RDP, source public internet (0.0.0.0/0)
The WEB security group should only allow access on RDS from the public internet and http from the WEB load balancer.
- Open the EC2 page
- Select Security Groups from the Navigation page on the left
- Select the API load balancer security group
- Add an inbound rule: port 80, TCP, source [web load balancer security group]
- Add an inbound rule (if it doesn't exist already) : port 3389, RDP, source public internet (0.0.0.0/0)
An Active Directory Service can be used to:
- Control access to EC2 instances
- Enable file shares
- Connect the AWS Active Directory to a corporate AD on a federated basis
- On the Services panel choose "Directory Service"
- Select "Set up Directory"
- Select "AWS Managed Microsoft AD" and press Next
- Select whether you need the Standard or Enterprise Edition
- Enter a domain name for the Directory, see note – it doesn't have to be publicly resolvable
- Enter matching passwords and press Next
- Select the VPC that you create earlier
- Select the two public subnets that you created earlier
- Press "Next" and "Create Directory"
- AWS can take some time to fully set up a Directory – up to 40 minutes
A shared drive can be useful in a load-balanced network, ensuring that applications need only be deployed in one place. For an FSx you also need:
- A Directory Service
- A Security group to allow access from the EC2 instances to the share
- Open the EC2 panel
- On the left hand navigation page, select Security Groups
- Select Create Security Group and press Next
- Select the VPC you added earlier
- Give a name and a description to the Security Group
- AWS recommend giving access according to the following rules:
| Protocol | Ports | Role |
|---|---|---|
| TCP/UDP | 53 | Domain Name System (DNS) |
| --- | --- | --- |
| TCP/UDP | 88 | Kerberos authentication |
| TCP/UDP | 464 | Change/Set password |
| TCP/UDP | 389 | Lightweight Directory Access Protocol (LDAP) |
| UDP | 123 | Network Time Protocol (NTP) |
| TCP | 135 | Distributed Computing Environment / End Point Mapper (DCE / EPMAP) |
| TCP | 445 | Directory Services SMB file sharing |
| TCP | 636 | Lightweight Directory Access Protocol over TLS/SSL (LDAPS) |
| TCP | 3268 | Microsoft Global Catalog |
| TCP | 3269 | Microsoft Global Catalog over SSL |
| TCP | 5985 | WinRM 2.0 (Microsoft Windows Remote Management) |
| TCP | 9389 | Microsoft AD DS Web Services, PowerShell |
| TCP | 49152 - 65535 | Ephemeral ports for RPC |
- Also, ensure that you give inbound access to the API and WEB security groups that you created earlier
- Select "Create Security Group"
- Select FSx from the AWS panel
- Select "Create File System"
- Select "Amazon FSx for Windows File Server" and press Next
- Select the VPC you created earlier
- Select the Security Group for FSx that you just created
- Select "AWS Managed Microsoft Active Directory"
- Select the AD that you just created
- Enter the required storage capacity
- Select "Create File System". This might take some time – up to 40 minutes.
- On the FSx page, select the drive
- Press the Attach button
- AWS will list a set of instructions to be followed using the command window of each instance.
You may wish to investigate scripting the details of attachment in Windows via Powershell. A Powershell script may be included in a Cloud Formation Json Script.
Deployment of the PxStat client, APIs and database will be mostly similar to where a conventional stack is used but with the following differences:
- Different PowerShell scripts are required for creating and updating the database. These don't work directly on the database, rather they create SQL scripts that achieve the same objective. Please see the installation wiki for details
- A different version of the database.sql file is needed. Again, see the installation wiki for details.
