Deploying Avantra for AWS

This section describes the deployment of Avantra for AWS using the AWS CloudFormation template.

Make sure the target VPC fulfills the requirements outlined in Prerequisites and Requirements, and the deployment user has the required permissions as described in Deployment User.

Launching the CloudFormation Stack

  1. After subscribing to Avantra for AWS in the AWS Marketplace, choose your Region in the Configure page and push the Continue to Launch button.

  2. Push the Launch button. The AWS Console opens. Push the Next button.

  3. Adjust the Stack name and proceed with the following fields:

    1. For Deployment VPC select one of your VPCs that fulfills the requirements (three public and three private subnets across three AZs, an Internet Gateway, and a NAT Gateway for egress traffic from the private subnets to the Internet).

    2. Select the three private subnets in Private Subnets for Avantra Server and Database.

    3. Fill in a Certificate ARN in ACM Certificate ARN. You will not be able to use HTTPS without a certificate (see also SSL Certificate). To retrieve the ARN of your certificate:

      1. Open the AWS Certificate Manager.

      2. Click on the desired certificate and proceed to the Details section.

      3. Copy the value next to ARN.

      4. Paste the copied value into ACM Certificate ARN.

    4. In Application Load Balancer scheme choose either internet-facing or internal. If your users connect to the Avantra UI over the Internet, you have to choose internet-facing. If they only connect through e.g. VPN or other AWS resources, you may choose internal.

    5. In Network Load Balancer scheme choose either internet-facing or internal. If your Avantra Agents connect to the Avantra Server over the Internet, you have to choose internet-facing. If they only connect through VPCs, VPC peering, Private Links, or VPN, you may choose internal. Please make sure you have selected Public Subnets … if you choose internet-facing.

    6. Fill in three public subnets in Public Subnets for the Load Balancers.

    7. In User Access to Avantra Server you can restrict the access to the Avantra UI to a CIDR range. You can define only one range here, but you may extend the Security Group ${NamePrefix}-alb-sg afterwards.

    8. In Agent Access to Avantra Server you can restrict the Avantra Agent’s access to the Avantra Master to a CIDR range. You can define only one range here, but you may extend the Security Group ${NamePrefix}-instance-sg afterwards.

      During the setup of the EC2 instance its Security Group is automatically modified to allow health check traffic from the Network Load Balancer.
    9. If you want to use an AWS PrivateLink to connect Avantra Agents outside of this VPC to the Avantra Server, choose yes.

    10. Select the EC2 Instance Type and the SSH Key Pair.

    11. Define a CIDR range for clients to access the EC2 instance by SSH in SSH Access to the Avantra Server. You can define only one range here, but you may extend the Security Group ${NamePrefix}-instance-sg afterwards.

    12. Leave IAM Instance Profile ARN blank to automatically create the Instance Profile with all required and reasonable permissions. If you want to create your own, please make sure it has all required permissions outlined in Instance Profile. To get the ARN of an existing instance profile:

      1. Open Identity and Access Management in a separate browser tab.

      2. Choose Roles and click on the Role corresponding to the instance profile in question.

      3. Click on the Copy to clipboard button next to Instance Profile ARNs.

      4. Paste the value into IAM Instance Profile ARN.

    13. Select the RDS instance type.

    14. In Database Backup Retention choose the number of days to keep automated backups. Values can be between 0 (to turn off automated backups) and 8. This also defines the period during which point-in-time recovery is possible.

    15. If you are using Amazon Route 53, fill in the hosted zone name to use with Avantra for AWS in Route 53 Hosted Zone Name. Otherwise leave the field empty. Fill in the host names to access the Avantra UI and the Avantra Master into the fields Hostname ….

    16. Fill in a value in Name Tag Prefix; it will be prepended to the names of all resources created by this AWS CloudFormation template.

    17. Leave the field Snapshot Name or Identifier empty.

    Push the Next button.

  4. Fill in any desired Tags for the AWS CloudFormation stack and the corresponding resources.

  5. Enable Rollback on failure and Termination protection, and push Next.

  6. If you left the field IAM Instance Profile ARN empty, you need to set the flag I acknowledge that AWS CloudFormation might create IAM resources with custom names.

  7. Push the Create Stack button.

Creating the stack can take up to 20 minutes. At the end the stack should be in status CREATE_COMPLETE. The Events tab will also show an event for the Logical ID Ec2AutoScalingGroup reading Received SUCCESS signal with UniqueId i-0????????????????. This is the instance ID of the Avantra Server and, more importantly, it serves as the initial password for Avantra for AWS.


The Outputs tab lists the values (such as UiUrl) that the following sections refer to.

Changing the Administrator Password

Although the initial application password is only known to you, it is good practice to change it immediately:

  1. Open your browser and go to the URL displayed in UiUrl in the Outputs tab of the AWS CloudFormation stack (or click on the link there).

  2. Fill in admin in the field User and the instance ID displayed in the Events tab as Password and push the Sign in button.

  3. Close the Tip of the Day and choose Change Password from the menu. Fill in the Old Password and set a New Password and push the Change button.

Subscribe to the SNS Topic

It is highly recommended to subscribe to the Amazon Simple Notification Service Topic created by the AWS CloudFormation stack. You can find the topic ARN in the Outputs tab of the stack:

  1. Open the AWS console and choose Amazon SNS Subscriptions. Push the Create subscription button.

  2. Click in the field Topic ARN and choose the ARN displayed in the Outputs tab of the stack.

  3. In Protocol choose the value Email, fill in your email address in the field Endpoint, and push the Create subscription button. Of course you can choose any other subscription method if you prefer.

You may use AWS PrivateLink technology to let Avantra Agents deployed in a different VPC, unconnected to the Avantra for AWS deployment VPC, access the Avantra Server. The private link consists of two components: the VPC Endpoint Service, which is installed with the AWS CloudFormation stack, and a VPC Endpoint you need to create in every VPC you deploy Avantra Agents to.

Optional Whitelisting of another AWS Account

If you want to create the Endpoint in a different AWS account, you need to whitelist this account first:

  1. Open the AWS Console and choose VPC Dashboard, Endpoint Services (https://console.aws.amazon.com/vpc/home?EndpointServices). Choose the Endpoint Service corresponding to EndpointServiceID in the Outputs tab of the AWS CloudFormation stack.

  2. Choose the Whitelisted principals tab and push the Add principals to whitelist button.

  3. If all the EC2 instances you plan to deploy Avantra Agents to share a common IAM Role (or a couple of roles), you can add each IAM Role's ARN as a Principal. The ARN format is arn:aws:iam::<aws-account-id>:role/<role-name>.

  4. If there is no such role, or you use too many different roles, you can whitelist the whole AWS account by using the Principal in the format arn:aws:iam::<aws-account-id>:root.

  5. Push Add to whitelisted principals.

Creating a Security Group

  1. In the AWS account you want to create the Endpoint in, open the AWS Console and choose VPC Dashboard, Security Groups, and push Create Security Group.

  2. Fill in a Security group name, a Description, and choose a VPC.

  3. Create an Inbound rule with Protocol TCP and Port Range 9050.

  4. For Source either fill in the CIDR range of the EC2 instances you want to install Avantra Agents on in this VPC, or choose an appropriate security group as the source.

  5. Push the Create button.

Creating the Endpoint

  1. In the AWS account you want to create the Endpoint in, open the AWS Console and choose VPC Dashboard, Endpoints, and push Create Endpoint.

  2. For Service Category select Find service by name, in Service Name fill in the value of EndpointServiceName from the Outputs tab of the AWS CloudFormation stack, and push Verify.

  3. In VPC choose the same VPC you created the Security Group in, and choose (up to) three subnets to create the Endpoint in.

  4. For Security Group choose the Security Group you created in the previous step.

  5. Push the Create endpoint button.

  6. Wait until the Status of the endpoint turns to available.

  7. Copy the first value from the field DNS names and paste it to a safe location.

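The three PrivateLink procedures above (whitelisting a principal, the Security Group on TCP 9050, and the Endpoint) as an added AWS CLI example; this is not Avantra's own code. The group name, description, argument layout and the preference for a role ARN over the account root are assumptions of this script.

```shell
#!/bin/sh
# Added example, not Avantra's own code: the PrivateLink steps of this page done with
# the AWS CLI. The group name, description and argument layout are assumptions.
set -eu

# Principal for the Endpoint Service allow list: a role ARN when the agent
# instances share an IAM role, otherwise the whole account (root).
principal_arn() {   # $1 = 12-digit AWS account id, $2 = role name (optional)
  printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$' || return 1
  if [ -n "${2:-}" ]; then printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
  else printf 'arn:aws:iam::%s:root\n' "$1"; fi
}

# Accept only a dotted-quad/prefix (octet range is not checked) and refuse
# 0.0.0.0/0: the port 9050 rule should cover the agent instances, not the Internet.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  [ "${1#*/}" -le 32 ] || return 1
  [ "$1" != "0.0.0.0/0" ]
}

# Provider side (section "Optional Whitelisting"): allow a consumer principal on
# the Endpoint Service whose id is the stack's EndpointServiceID output.
allow_consumer() {   # $1 = vpce-svc-... id, $2 = account id, $3 = role name (optional)
  aws ec2 modify-vpc-endpoint-service-permissions --service-id "$1" \
    --add-allowed-principals "$(principal_arn "$2" "${3:-}")"
}

# Consumer side: security group with TCP 9050 from the agents' CIDR only, then an
# interface endpoint against EndpointServiceName; prints the first endpoint DNS name.
create_agent_endpoint() {   # $1 = vpc id, $2 = service name, $3 = agent CIDR, $4 = "subnet ids"
  valid_cidr "$3" || { echo "refusing source CIDR '$3'" >&2; return 1; }
  sg=$(aws ec2 create-security-group --vpc-id "$1" --group-name avantra-agent-endpoint-sg \
       --description "Avantra Agents to Avantra Server over PrivateLink" \
       --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 9050 --cidr "$3"
  # $4 is deliberately unquoted so "subnet-a subnet-b subnet-c" splits into three ids
  ep=$(aws ec2 create-vpc-endpoint --vpc-id "$1" --vpc-endpoint-type Interface \
       --service-name "$2" --subnet-ids $4 --security-group-ids "$sg" \
       --query VpcEndpoint.VpcEndpointId --output text)
  until [ "$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$ep" \
              --query 'VpcEndpoints[0].State' --output text)" = available ]; do sleep 10; done
  aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$ep" \
    --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text
}

# Usage: sh privatelink.sh <vpc-id> <EndpointServiceName> <agent-cidr> "<subnet ids>"
if [ "$#" -eq 4 ]; then create_agent_endpoint "$@"; fi
```

The DNS name the script prints is the value step 7 above tells you to keep; run allow_consumer from the provider account before create_agent_endpoint in the consumer account.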