Required AWS Objects
Warning: Pivotal Operations Manager v2.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes the objects you create in Amazon Web Services (AWS) in order to deploy PCF.
Overview
Use this topic to determine the resource requirements of PCF on AWS, or to verify that you created the correct resources after completing the procedures in Preparing to Deploy Ops Manager on AWS Manually and Deploying Ops Manager on AWS Manually.
S3 Buckets for Ops Manager and PAS
You must create the following S3 buckets from the S3 Dashboard:
pcf-ops-manager-bucket
pcf-buildpacks-bucket
pcf-packages-bucket
pcf-resources-bucket
pcf-droplets-bucket
These buckets must be empty when you install or reinstall PCF.
See Step 2: Create S3 Buckets in Preparing to Deploy Ops Manager on AWS Manually.
IAM User for PCF
You must create an IAM user for PCF named pcf-user from the Identity and Access Management Dashboard, using the policy document included in the PCF for AWS Policy Document topic.
See Step 3: Create an IAM User for PCF in Preparing to Deploy Ops Manager on AWS Manually.
Key Pair
You must generate a key pair named pcf-ops-manager-key. For more information about setting up a key pair, see Amazon EC2 Key Pairs in the AWS documentation.
VPC (Public and Private Subnets)
You must create a VPC with public and private subnets from the VPC Dashboard.
The following table lists the subnets in CIDR block 10.0.0.0/16.
Name | AZ | IPv4 CIDR block |
---|---|---|
pcf-public-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.0.0/24 |
pcf-public-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.1.0/24 |
pcf-public-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.2.0/24 |
pcf-management-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.16.0/28 |
pcf-management-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.16.16/28 |
pcf-management-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.16.32/28 |
pcf-ert-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.4.0/24 |
pcf-ert-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.5.0/24 |
pcf-ert-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.6.0/24 |
pcf-services-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.8.0/24 |
pcf-services-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.9.0/24 |
pcf-services-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.10.0/24 |
pcf-rds-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.12.0/24 |
pcf-rds-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.13.0/24 |
pcf-rds-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.14.0/24 |
See Step 4: Create a VPC in Preparing to Deploy Ops Manager on AWS Manually.
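The subnet table is easy to mistype in the VPC Dashboard, and an overlapping or misplaced CIDR only surfaces later as a failed BOSH deploy. The following script is an added example, not part of the Pivotal documentation: it encodes the table above and checks that every subnet lies inside 10.0.0.0/16, that no two subnets overlap, and that each tier (public, management, ert, services, rds) has exactly one subnet in each of the three availability zones. The region is a parameter; us-west-2 is only the example the table uses, and the per-tier address budget assumes the five addresses AWS reserves in every subnet.

```python
"""Sanity-check the PCF subnet plan against the VPC CIDR.

Added example, not part of the Pivotal documentation. It encodes the
subnet table above and automates what an operator would otherwise eyeball
in the VPC Dashboard: every subnet sits inside 10.0.0.0/16, no two subnets
overlap, and each tier has exactly one subnet per availability zone.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
AZ_SUFFIXES = ("a", "b", "c")  # az0, az1, az2 map to REGION-a, REGION-b, REGION-c

# (subnet name, AZ index, IPv4 CIDR block), copied from the table above.
DOCUMENTED_SUBNETS = [
    ("pcf-public-subnet-az0", 0, "10.0.0.0/24"),
    ("pcf-public-subnet-az1", 1, "10.0.1.0/24"),
    ("pcf-public-subnet-az2", 2, "10.0.2.0/24"),
    ("pcf-management-subnet-az0", 0, "10.0.16.0/28"),
    ("pcf-management-subnet-az1", 1, "10.0.16.16/28"),
    ("pcf-management-subnet-az2", 2, "10.0.16.32/28"),
    ("pcf-ert-subnet-az0", 0, "10.0.4.0/24"),
    ("pcf-ert-subnet-az1", 1, "10.0.5.0/24"),
    ("pcf-ert-subnet-az2", 2, "10.0.6.0/24"),
    ("pcf-services-subnet-az0", 0, "10.0.8.0/24"),
    ("pcf-services-subnet-az1", 1, "10.0.9.0/24"),
    ("pcf-services-subnet-az2", 2, "10.0.10.0/24"),
    ("pcf-rds-subnet-az0", 0, "10.0.12.0/24"),
    ("pcf-rds-subnet-az1", 1, "10.0.13.0/24"),
    ("pcf-rds-subnet-az2", 2, "10.0.14.0/24"),
]


def az_name(region, index):
    """Map an AZ index from the table to an AWS AZ name, e.g. ("us-west-2", 0) -> "us-west-2a"."""
    return f"{region}{AZ_SUFFIXES[index]}"


def check_subnet_plan(subnets, vpc_cidr=VPC_CIDR):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    placed = []                      # (name, network) pairs already checked
    azs_per_tier = defaultdict(set)  # tier -> AZ indexes that have a subnet
    for name, az, cidr in subnets:
        net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
        if not net.subnet_of(vpc_cidr):
            problems.append(f"{name} {net} is outside the VPC {vpc_cidr}")
        for other_name, other in placed:
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
        placed.append((name, net))
        tier = name.rsplit("-az", 1)[0]  # "pcf-ert-subnet-az1" -> "pcf-ert-subnet"
        if az in azs_per_tier[tier]:
            problems.append(f"{tier} has two subnets in AZ index {az}")
        azs_per_tier[tier].add(az)
    for tier, azs in azs_per_tier.items():
        missing = sorted(set(range(len(AZ_SUFFIXES))) - azs)
        if missing:
            problems.append(f"{tier} has no subnet in AZ index(es) {missing}")
    return problems


def address_budget(subnets):
    """Usable host addresses per tier (AWS reserves 5 addresses in every subnet)."""
    budget = defaultdict(int)
    for name, _, cidr in subnets:
        budget[name.rsplit("-az", 1)[0]] += ipaddress.ip_network(cidr).num_addresses - 5
    return dict(budget)


if __name__ == "__main__":
    for problem in check_subnet_plan(DOCUMENTED_SUBNETS) or ["subnet plan is consistent"]:
        print(problem)
    for tier, usable in sorted(address_budget(DOCUMENTED_SUBNETS).items()):
        print(f"{tier}: {usable} usable addresses across {az_name('us-west-2', 0)}..{az_name('us-west-2', 2)}")
```

To check a live VPC rather than the table, replace DOCUMENTED_SUBNETS with the (Tag Name, AZ index, CidrBlock) triples from `aws ec2 describe-subnets`; the checks are the same. The /28 management subnets leave only 11 usable addresses each, which is why the tier total is worth printing before Ops Manager is deployed.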
NAT Instance
You must create a NAT instance when creating a VPC. The NAT instance must have the following configuration:
- Instance type: t3.medium
- Key pair name: pcf-ops-manager-key
- Enable DNS hostnames: Yes
- Hardware tenancy: Default
See Step 4: Create a VPC in Preparing to Deploy Ops Manager on AWS Manually.
You must also assign the NAT instance to the pcf-nat-security-group. See Step 6: Secure the NAT Instance in Deploying Ops Manager on AWS Manually.
Security Groups
The following sections describe the security groups you must create from the EC2 Dashboard.
Ops Manager
The Ops Manager Security Group must be named pcf-ops-manager-security-group and have the following inbound rules:
Type | Protocol | Port Range | Source |
---|---|---|---|
HTTP | TCP | 80 | My IP |
HTTPS | TCP | 443 | My IP |
SSH | TCP | 22 | My IP |
BOSH Agent | TCP | 6868 | 10.0.0.0/16 |
BOSH Director | TCP | 25555 | 10.0.0.0/16 |
See Step 5: Configure a Security Group for Ops Manager in Preparing to Deploy Ops Manager on AWS Manually.
PCF VMs
The PCF VMs Security Group must be named pcf-vms-security-group and have the following inbound rule:
Type | Protocol | Port Range | Source |
---|---|---|---|
All traffic | All | 0 - 65535 | Custom IP 10.0.0.0/16 |
See Step 6: Configure a Security Group for PCF VMs in Preparing to Deploy Ops Manager on AWS Manually.
Web ELB
The Web ELB Security Group must be named pcf-web-elb-security-group and have the following inbound rules:
Type | Protocol | Port Range | Source |
---|---|---|---|
Custom TCP rule | TCP | 4443 | Anywhere 0.0.0.0/0 |
HTTP | TCP | 80 | Anywhere 0.0.0.0/0 |
HTTPS | TCP | 443 | Anywhere 0.0.0.0/0 |
See Step 7: Configure a Security Group for the Web ELB in Preparing to Deploy Ops Manager on AWS Manually.
SSH ELB
The SSH ELB Security Group must be named pcf-ssh-elb-security-group and have the following inbound rule:
Type | Protocol | Port Range | Source |
---|---|---|---|
Custom TCP rule | TCP | 2222 | Anywhere 0.0.0.0/0 |
The SSH ELB Security Group must have the following outbound rule:
Type | Protocol | Port Range | Destination |
---|---|---|---|
All traffic | All | All | Anywhere 0.0.0.0/0 |
See Step 8: Configure a Security Group for the SSH ELB in Preparing to Deploy Ops Manager on AWS Manually.
TCP ELB
The TCP ELB Security Group must be named pcf-tcp-elb-security-group and have the following inbound rule:
Type | Protocol | Port Range | Source |
---|---|---|---|
Custom TCP rule | TCP | 1024 - 1123 | Anywhere 0.0.0.0/0 |
The TCP ELB Security Group must have the following outbound rule:
Type | Protocol | Port Range | Destination |
---|---|---|---|
All traffic | All | All | Anywhere 0.0.0.0/0 |
See Step 9: Configure a Security Group for the TCP ELB in Preparing to Deploy Ops Manager on AWS Manually.
Outbound NAT
The Outbound NAT Security Group must be named pcf-nat-security-group and have the following inbound rule:
Type | Protocol | Port Range | Source |
---|---|---|---|
All traffic | All | All | Custom IP 10.0.0.0/16 |
See Step 10: Configure a Security Group for the Outbound NAT in Preparing to Deploy Ops Manager on AWS Manually.
MySQL
The MySQL Security Group must be named pcf-mysql-security-group and have the following inbound rule:
Type | Protocol | Port Range | Source |
---|---|---|---|
MySQL | TCP | 3306 | Custom IP 10.0.0.0/16 |
The MySQL Security Group must have the following outbound rule:
Type | Protocol | Port Range | Destination |
---|---|---|---|
All traffic | All | All | Custom IP 10.0.0.0/16 |
See Step 11: Configure a Security Group for MySQL in Preparing to Deploy Ops Manager on AWS Manually.
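The tables above are the intended inbound rules; what a running account actually has tends to drift as people add "temporary" rules during troubleshooting. The following script is an added example, not Pivotal's code: it reads the JSON that `aws ec2 describe-security-groups --filters Name=group-name,Values='pcf-*'` prints, flattens each documented group's inbound permissions into (protocol, from port, to port, source) tuples, and diffs them against the tables in this topic. Documented rules that are absent are reported as missing, undocumented rules as drift, with 0.0.0.0/0 sources called out. The describe output embedded below is constructed for the example, and 203.0.113.10/32 is a constructed stand-in for the operator's "My IP".

```python
"""Audit PCF security groups against the inbound rules documented above.

Added example; not Pivotal's code. The describe-security-groups output
below is constructed, and OPERATOR_IP stands in for the "My IP" source
that the Ops Manager rules use.
"""
import json

OPERATOR_IP = "203.0.113.10/32"  # constructed stand-in for "My IP"; set to your own address
VPC_CIDR = "10.0.0.0/16"
ANYWHERE = "0.0.0.0/0"
ALL = ("-1", None, None)  # how the API encodes "All traffic": protocol -1, no port range

# Inbound rules from the tables above: (protocol, from_port, to_port, source).
EXPECTED_INBOUND = {
    "pcf-ops-manager-security-group": {
        ("tcp", 80, 80, OPERATOR_IP), ("tcp", 443, 443, OPERATOR_IP),
        ("tcp", 22, 22, OPERATOR_IP), ("tcp", 6868, 6868, VPC_CIDR),
        ("tcp", 25555, 25555, VPC_CIDR),
    },
    "pcf-vms-security-group": {ALL + (VPC_CIDR,)},
    "pcf-web-elb-security-group": {
        ("tcp", 4443, 4443, ANYWHERE), ("tcp", 80, 80, ANYWHERE),
        ("tcp", 443, 443, ANYWHERE),
    },
    "pcf-ssh-elb-security-group": {("tcp", 2222, 2222, ANYWHERE)},
    "pcf-tcp-elb-security-group": {("tcp", 1024, 1123, ANYWHERE)},
    "pcf-nat-security-group": {ALL + (VPC_CIDR,)},
    "pcf-mysql-security-group": {("tcp", 3306, 3306, VPC_CIDR)},
}

# Constructed describe-security-groups output. The Ops Manager group is
# missing its BOSH Director rule and carries an undocumented SSH-from-anywhere
# rule; the web ELB group matches the documentation exactly.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupName": "pcf-ops-manager-security-group", "GroupId": "sg-0example0",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 6868, "ToPort": 6868, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
   ]},
  {"GroupName": "pcf-web-elb-security-group", "GroupId": "sg-0example1",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 4443, "ToPort": 4443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
   ]}
]}
""")


def flatten_rules(permissions):
    """Turn the API's IpPermissions list into a set of rule tuples."""
    rules = set()
    for perm in permissions:
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        for rng in perm.get("IpRanges", []):
            rules.add(key + (rng["CidrIp"],))
        for pair in perm.get("UserIdGroupPairs", []):  # source is another security group
            rules.add(key + ("sg:" + pair["GroupId"],))
    return rules


def audit_security_groups(describe_output, expected=EXPECTED_INBOUND):
    """Return human-readable findings; an empty list means the account matches the docs."""
    findings = []
    seen = set()
    for group in describe_output["SecurityGroups"]:
        name = group["GroupName"]
        if name not in expected:
            continue  # not one of the documented PCF groups
        seen.add(name)
        actual = flatten_rules(group["IpPermissions"])
        for rule in sorted(expected[name] - actual, key=repr):
            findings.append(f"{name}: missing documented rule {rule}")
        for rule in sorted(actual - expected[name], key=repr):
            tag = "WORLD-OPEN undocumented rule" if rule[3] == ANYWHERE else "undocumented rule"
            findings.append(f"{name}: {tag} {rule}")
    for name in sorted(set(expected) - seen):
        findings.append(f"{name}: security group not found")
    return findings


def audit_sample():
    """Run the audit against the constructed sample output."""
    return audit_security_groups(SAMPLE_DESCRIBE_OUTPUT)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Against a real account, pipe the CLI output into `json.load` in place of SAMPLE_DESCRIBE_OUTPUT; the outbound tables above can be checked the same way by flattening `IpPermissionsEgress` against a second expected map.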
Ops Manager AMI
You must locate the public Ops Manager AMI using the AMI ID listed in the PDF that downloads when you click Pivotal Ops Manager for AWS on Pivotal Network.
See Step 1: Launch a Pivotal Ops Manager AMI in Deploying Ops Manager on AWS Manually.
ELBs
The following sections describe the ELBs you must create from the EC2 Dashboard.
Web ELB
You must create a web ELB with the following configuration:
- Name: pcf-web-elb
- LB Inside: pcf-vpc
- Selected Subnets: pcf-public-subnet-az0, pcf-public-subnet-az1, pcf-public-subnet-az2
- Security Group: pcf-elb-security-group
- Health Check: TCP Port 8080, Path: /health
See Step 2: Create Web Load Balancer in Deploying Ops Manager on AWS Manually.
SSH ELB
You must create an SSH ELB with the following configuration:
- Name: pcf-ssh-elb
- LB Inside: pcf-vpc
- Selected Subnets: pcf-public-subnet-az0, pcf-public-subnet-az1, pcf-public-subnet-az2
- Security Group: pcf-ssh-security-group
- Health Check: TCP Port 2222
See Step 3: Create SSH Load Balancer in Deploying Ops Manager on AWS Manually.
TCP ELB
You must create a TCP ELB with the following configuration:
- Name: pcf-tcp-elb
- LB Inside: pcf-vpc
- Selected Subnets: pcf-public-subnet-az0, pcf-public-subnet-az1, pcf-public-subnet-az2
- Security Group: pcf-tcp-security-group
- Health Check: TCP Port 80
See Step 4: Create TCP Load Balancer in Deploying Ops Manager on AWS Manually.
DNS Configuration
You must navigate to your DNS provider and create CNAME and A records for all three of your load balancers.
See Step 5: Configure DNS Records in Deploying Ops Manager on AWS Manually.
RDS Subnet Group
You must create a subnet group for RDS named pcf-rds-subnet-group from the RDS Dashboard.
See Step 7: Create RDS Subnet Group in Deploying Ops Manager on AWS Manually.
MySQL Database
You must create a MySQL database from the RDS Dashboard.
See Step 8: Create a MySQL Database using AWS RDS in Deploying Ops Manager on AWS Manually.