AWS-Specific Configurations

AWS ID Format

The AWS ID is transparent to CloudCenter. If AWS returns a longer instance ID, the CloudCenter platform accepts this AWS ID as is. While the Java string does not have a length limit, the database schema is limited to 255 characters.

CloudCenter AMI Details

If you need to share CloudCenter AMIs, contact CloudCenter Support with the following information:

  • AWS account number

  • CloudCenter version

  • Contact email

  • Customer name

  • Customer ID (CID)

On-Demand Instance

When Multiple Volumes are configured for an application deployed on AWS, users have the option to select pricing by using the On-Demand Instance.

IAM Role

Identity and Access Management (IAM) Role and Security Token Service (STS) are supported by the CloudCenter platform.

Feature Dependency

These two features are dependent on the CCO being launched (and establishing a trust relationship in AWS) using an IAM role. See http://docs.aws.amazon.com for additional details.

To use IAM roles, you must launch the CCO VM using the admin role so you can use the IAM role at any point in the future. Launching a CCO VM with the admin role allows you to use either the IAM role or the classic key/secret key access at any time.

For IAM role-based accounts, the CloudCenter platform requires the EC2fullAccess role (minimum requirement). If you use the CloudCenter RDS out-of-box service, your account additionally requires RDSfullAccess.

The CloudCenter platform requires that you launch a PaaS service using a non-IAM cloud account.

You cannot launch an AWS PaaS service using an IAM cloud account!

Instead of specifying an access key and secret key, you can manage instance types by using an IAM role. By default, this feature is disabled; you must explicitly enable the IAM role by toggling this button to ON when you configure an AWS Cloud.

Tips to use IAM roles in the CloudCenter platform:

  • You can launch RDS instances using IAM role-based accounts if you meet the following requirements:

    • If a Docker container is not part of the CCO, then you must assign the Docker container VM to the same IAM role as the CCO server.

    • Be sure to attach the following sts:GetFederationToken custom policy to IAM roles (with RDSfullAccess):

      {
          "Version": "2012-10-17",
          "Statement": [{
              "Effect": "Allow",
              "Action": ["sts:GetFederationToken"],
              "Resource": "*"
          }]
      }
  • You can assign an AWS ARN in the Instance Profile field in the Deployment Environments form by adding the iam:PassRole permission to the role used to launch the CCO VM.

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": "*"
        }]
    }
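The two policies above grant sts:GetFederationToken and iam:PassRole on every resource. A defender reviewing them will usually want to know which statements are that broad and what a tighter PassRole grant looks like. The following script is an added example, not part of the CloudCenter documentation or product: it audits a policy document for wildcard-resource grants of those two actions (including grants hidden behind action wildcards such as iam:*) and builds a PassRole statement scoped to one role ARN and to the EC2 service via the iam:PassedToService condition key. The role ARN and account number in it are constructed placeholders.

```python
"""Least-privilege review of CloudCenter-style IAM policies (added example).

Flags Allow statements that grant iam:PassRole or sts:GetFederationToken
on Resource "*" without a Condition, and shows a scoped alternative.
"""
import fnmatch
import json

# The two policies exactly as shown on the documentation page.
STS_FEDERATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:GetFederationToken"],
        "Resource": "*",
    }],
}

PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": "*",
    }],
}

# Actions worth flagging on "*": PassRole hands a role's permissions to a
# resource, GetFederationToken mints new temporary credentials.
SENSITIVE_ACTIONS = {"iam:PassRole", "sts:GetFederationToken"}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _sensitive_hits(actions):
    """Return the sensitive actions covered by the given action patterns.

    Patterns may contain IAM wildcards (e.g. "iam:*"), so match with
    fnmatch; IAM action names are case-insensitive.
    """
    hits = set()
    for pattern in actions:
        for action in SENSITIVE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), str(pattern).lower()):
                hits.add(action)
    return hits


def audit_policy(policy):
    """Return one finding string per over-broad Allow statement."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        hits = _sensitive_hits(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        if hits and "*" in resources and "Condition" not in stmt:
            findings.append(
                "Statement %d: %s allowed on Resource '*' without a Condition"
                % (idx, ", ".join(sorted(hits)))
            )
    return findings


def scoped_passrole_policy(role_arn):
    """PassRole limited to one role and only when passed to EC2.

    role_arn is the ARN of the role behind the instance profile the
    CCO is allowed to hand to application VMs (caller supplies it).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": role_arn,
            "Condition": {
                "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
            },
        }],
    }


if __name__ == "__main__":
    # Constructed placeholder ARN; replace with the real instance-profile role.
    arn = "arn:aws:iam::123456789012:role/cloudcenter-app-vm-role"
    for name, pol in [("sts", STS_FEDERATION_POLICY),
                      ("passrole", PASSROLE_POLICY),
                      ("scoped", scoped_passrole_policy(arn))]:
        print(name, audit_policy(pol) or "no findings")
    print(json.dumps(scoped_passrole_policy(arn), indent=2))
```

The sts:GetFederationToken grant cannot be scoped by resource in the same way (its resource is the federated user), so the audit reports it and leaves the decision to the reviewer; the PassRole grant can and should be narrowed to the role the CCO actually passes.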



Configuring an AWS Instance

To set up the CloudCenter database as an RDS instance, see Configuring an AWS Database.

Ephemeral Disks

When you configure 100 GB of disk space, you may only get a 20 GB VM. This is because earlier CloudCenter releases only used the root disk size. You can attach one ephemeral disk if you configure a larger size in the instance type (see Map Images > Instance Types for additional context).

Root Volume Size

See Multiple Volumes and the Submit Job (v2) API for additional context.

Instance Profile

An optional Instance Profile field is available when you configure Environments or set the Deployment Environment Defaults. If you configure this field, provide the Amazon Resource Name (ARN) used for the Instance Profile configured in your AWS Cloud account.

If you specify the Instance Profile name, the CloudCenter platform launches VMs within the IAM role that is associated with the corresponding instance profile.

To successfully launch the AWS cloud account (either using an IAM role or the account secret key), you must have the required permission to pass the IAM role associated with the specified instance profile.

VPC

If the application VMs run in isolated networks (like Amazon's VPC), be sure to set up a proper NAT rule (only outgoing traffic is needed) to allow application VMs to connect to RabbitMQ. See Per CloudCenter Region Installation (Required) > AMQP for additional context.

The CCM instance that interacts with the CloudHSM server must reside inside the same VPC as the CCM. See CloudHSM for additional context.

Refer to https://aws.amazon.com/articles/0639686206802544 for additional context.

CloudCenter ELB Representation

AWS allows either internal or internet-facing ELBs, and they are associated with the subnets that the instances will be on. The CloudCenter platform uses this information by allowing you to select internal or external within each ELB tier of the CloudCenter application profile. From there, the subnet for the ELB is determined by where the application tier instances are instantiated.

Refer to the Amazon Documentation for additional context.

Availability Zones and Sets

  • API

    nics
    • Description: Details about the AWS Network Interface Cards (NICs) configuration. See IP Allocation Mode for additional details. The concept of Availability Sets and Zones in AWS is mapped to the subnet, because you can have multiple subnets for each zone, so you must input the list of subnets as the input for an availability set. During an API job deployment, the availability set input is provided as part of the NIC information. Specifically, the first NIC carries this information as a comma-separated subnet list, as shown in the example.

    • Type: Object

      networkId
      • Description: The network identifier for each required tier.
      • Type: String

      Required (if configured in your application profile)

      privateIPAllocationMode
      • Description: Identifies the allocation strategy used to configure the NIC for an AWS cloud
      • Type: Enumeration

        Enumeration: DHCP (default)
        Description: This strategy allows the IP to be allocated by the DHCP server to the instance on server boot up. This IP address is not known prior to server boot up.

        Enumeration: Pre-allocate IP
        Description: This strategy allows the cloud infrastructure IP allocation to be dynamically provided before the server boots up. This strategy is specific to the following OpenStack applications:

        • CISCO CSR1000: Configuration drive file IP populated with the pre-allocated IPs known before server boot up.
        • CISCO F5 Load Balancer: Multiple NIC support.

        Enumeration: Static IP (only CloudCenter 3.x)
        Description: This strategy allows the customer to provide the IP address. As this IP address may or may not be available to the server (based on the availability), you must perform adequate checks to ensure IP availability before using this strategy.

      order
      • Description: The number at which a resource is to be attached. When updating a phase, use this order to re-order the resource to a different position in the array of resources.
      • Type: Long

      Required (if configured in your application profile)

      nicNetworkType
      • Description: The type of network for this NIC. A corresponding list of domains are attached to each option.
      • Type: Enumeration

        Enumeration: NETWORK
        Description: A private network that supports IP ranges which overlap with another private network.

        Enumeration: BRIDGE_DOMAIN
        Description: A set of logical ports that share the same flooding or broadcast characteristics. Used for ACI environments.
    • Example 1: Using DHCP allocation mode

      "nics": [
                  {
                    "order": 1,
                    "allocationMode": "DHCP",
                    "allocatePublicIp": "true",
                    "id": "subnet-bf7c40cb,subnet-dc3c45f4"
                  }]
    • Example 2: Using Static IP allocation mode

      Attach the static private address to the NIC when you create the cloud instance (see Create Cloud Instance Type), then use that address instead of the DHCP allocationMode.

      "nics": [
          {
              "order": 1,
              "allocationMode": "STATIC_IP",
              "allocatePublicIp": "false",
              "id": "subnet-7dc30d25",
              "properties": [{
                  "key": "PRIVATE_IP_LIST",
                  "values": [
                      "12.3.6.1"
                  ]
              }]
          }]
    • Example 3: Using IPv6 Address

      When allocating firewall rules, CloudCenter supports IPv6, in addition to IPv4, addresses in the source for app profile, tenant, and security profiles. When you assign IPv6 addresses, the CloudCenter platform validates the security rule source before accepting the IPv6 address. This support is restricted to AWS and OpenStack clouds. If you provide an invalid IPv4/6 IP address, then the CloudCenter platform rejects the deployment as invalid. See IP Allocation Mode for additional details.

      "nics": [{
          "order": 1,
          "allocationMode": "DHCP",
          "allocatePublicIp": "false",
          "assignIpv6Address": "true",
          "id": "subnet-ab4afff0"
      }]
    • Example 4: Using Multiple NICs

      AWS supports multiple NICs across subnets in the same availability zone.

      [
          {
              "order": 1,
              "allocationMode": "DHCP",
              "allocatePublicIp": "true",
              "id": "subnet-74752b32"
          },
          {
              "order": 2,
              "allocationMode": "STATIC_IP",
              "allocatePublicIp": "false",
              "id": "subnet-7dc30d25",
              "properties": [{
                  "key": "PRIVATE_IP_LIST",
                  "values": [
                      "12.3.6.1"
                  ]
              }]
          }
      ]
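The nics examples above are accepted or rejected by the CloudCenter platform according to rules spread across the text: orders must be consecutive, the first NIC's id may be a comma-separated subnet list standing in for the availability set, STATIC_IP needs a PRIVATE_IP_LIST property, and an invalid IPv4 or IPv6 address causes the deployment to be rejected. The script below is an added example, not CloudCenter code: it applies those rules client-side so a malformed payload is caught before the Submit Job API call rather than after a failed deployment. It only recognises the allocationMode strings that appear in the page's JSON (DHCP and STATIC_IP); the sample payloads reuse the page's subnet IDs, and the address 12.3.6.999 is a constructed bad input.

```python
"""Pre-flight validation of a CloudCenter-style "nics" array (added example).

Returns a list of error strings so every problem in a payload is reported
at once; an empty list means the payload passes these checks.
"""
import ipaddress
import re

# AWS subnet IDs are "subnet-" followed by 8 (legacy) or 17 hex characters.
SUBNET_ID_RE = re.compile(r"^subnet-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
# Mode strings as they appear in this page's JSON examples.
ALLOCATION_MODES = {"DHCP", "STATIC_IP"}

# Sample payloads: the first three mirror the page's examples, the last
# is a constructed payload with an invalid address.
EXAMPLE_DHCP = [{
    "order": 1, "allocationMode": "DHCP", "allocatePublicIp": "true",
    "id": "subnet-bf7c40cb,subnet-dc3c45f4",
}]
EXAMPLE_IPV6 = [{
    "order": 1, "allocationMode": "DHCP", "allocatePublicIp": "false",
    "assignIpv6Address": "true", "id": "subnet-ab4afff0",
}]
EXAMPLE_MULTI_NIC = [
    {"order": 1, "allocationMode": "DHCP", "allocatePublicIp": "true",
     "id": "subnet-74752b32"},
    {"order": 2, "allocationMode": "STATIC_IP", "allocatePublicIp": "false",
     "id": "subnet-7dc30d25",
     "properties": [{"key": "PRIVATE_IP_LIST", "values": ["12.3.6.1"]}]},
]
BAD_STATIC = [{
    "order": 1, "allocationMode": "STATIC_IP", "allocatePublicIp": "false",
    "id": "subnet-7dc30d25",
    "properties": [{"key": "PRIVATE_IP_LIST", "values": ["12.3.6.999"]}],
}]


def is_valid_ip(text):
    """True for a syntactically valid IPv4 or IPv6 address, else False."""
    try:
        ipaddress.ip_address(str(text))
        return True
    except ValueError:
        return False


def validate_nics(nics):
    """Check a nics array against the rules stated on the page."""
    errors = []
    if not isinstance(nics, list) or not nics:
        return ["nics must be a non-empty list"]

    # order values must be 1..n with no gaps, so re-ordering is unambiguous
    orders = [n.get("order") for n in nics]
    if (any(not isinstance(o, int) for o in orders)
            or sorted(orders) != list(range(1, len(nics) + 1))):
        errors.append("order values must be 1..%d with no gaps, got %r"
                      % (len(nics), orders))

    for n in nics:
        tag = "nic order=%r" % n.get("order")
        mode = n.get("allocationMode")
        if mode not in ALLOCATION_MODES:
            errors.append("%s: unknown allocationMode %r" % (tag, mode))

        # id is one subnet, or a comma-separated list standing in for the
        # availability set (the page puts that list on the first NIC)
        subnets = [s.strip() for s in str(n.get("id", "")).split(",") if s.strip()]
        if not subnets:
            errors.append("%s: id must list at least one subnet" % tag)
        for s in subnets:
            if not SUBNET_ID_RE.match(s):
                errors.append("%s: malformed subnet id %r" % (tag, s))

        # the page encodes booleans as the strings "true"/"false"
        for flag in ("allocatePublicIp", "assignIpv6Address"):
            if flag in n and str(n[flag]).lower() not in ("true", "false"):
                errors.append('%s: %s must be "true" or "false"' % (tag, flag))

        props = {p.get("key"): p.get("values", []) for p in n.get("properties", [])}
        if mode == "STATIC_IP":
            ips = props.get("PRIVATE_IP_LIST", [])
            if not ips:
                errors.append("%s: STATIC_IP requires a PRIVATE_IP_LIST property" % tag)
            for ip in ips:
                if not is_valid_ip(ip):
                    errors.append("%s: invalid IP address %r in PRIVATE_IP_LIST" % (tag, ip))
    return errors


if __name__ == "__main__":
    for name, payload in [("dhcp", EXAMPLE_DHCP), ("ipv6", EXAMPLE_IPV6),
                          ("multi", EXAMPLE_MULTI_NIC), ("bad", BAD_STATIC)]:
        print(name, validate_nics(payload) or "ok")
```

Validation here is syntactic only; as the Static IP description notes, whether a pre-chosen address is actually free in the subnet still has to be confirmed against the cloud before the deployment is submitted.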



© 2017-2019 Cisco Systems, Inc. All rights reserved