Preparing to Deploy Ops Manager on AWS Manually
- Step 1: File a Ticket
- Step 2: Create S3 Buckets
- Step 3: Create an IAM User for PCF
- Step 4: Create a VPC
- Step 5: Configure a Security Group for Ops Manager
- Step 6: Configure a Security Group for PCF VMs
- Step 7: Configure a Security Group for the Web ELB
- Step 8: Configure a Security Group for the SSH ELB
- Step 9: Configure a Security Group for the TCP ELB
- Step 10: Configure a Security Group for the Outbound NAT
- Step 11: Configure a Security Group for MySQL
- Next Step
This topic describes how to manually configure the Amazon Web Services (AWS) components that you need to deploy Pivotal Cloud Foundry (PCF) on AWS.
Note: To install PCF with the Enterprise Pivotal Container Service (Enterprise PKS) runtime on AWS, you must use Terraform. Manual installation is not currently supported. See Installing and Configuring Ops Manager on AWS in the Enterprise PKS documentation.
To deploy PCF on AWS, you must perform the procedures in this topic to create objects in the AWS Management Console that PCF requires.
To view the list of AWS objects created by the procedures in this topic, see Required AWS Objects.
After completing the procedures in this topic, proceed to Deploying Ops Manager on AWS Manually to continue deploying PCF.
Step 1: File a Ticket
Log in to the AWS Management Console, and file a ticket with Amazon to ensure that your account can launch more than the default 20 instances. In the ticket, ask for a limit of 50 t3.micro instances and 20 c5.large instances in the region you are using.
Note: To deploy PCF to AWS GovCloud (US), log in to the AWS GovCloud (US) Console instead of the standard AWS Management Console and select the us-gov-west-1 region.
Note: To deploy PCF to AWS China, set up an AWS China account and contact the Platform Architect assigned for your Pivotal account.
You can check the limits on your account by visiting the EC2 Dashboard on the AWS Management Console and clicking Limits on the left navigation.
Step 2: Create S3 Buckets
Navigate to the S3 Dashboard.
Note: S3 bucket names must be globally unique. When naming buckets, Pivotal recommends that you prefix the generic names below with a unique, identifiable string (for example, ID-STRING-pcf-ops-manager-bucket, MY-IDENTIFIER-pcf-buildpacks-bucket, and so on). Use the same prefix when naming other associated resources, such as IAM policies. Bucket names must be lowercase, so choose a lowercase prefix.
Perform the following steps to create five S3 buckets:
- Click Create Bucket.
- For Bucket name, enter ID-STRING-pcf-ops-manager-bucket.
- For Region, select your region.
- Click Next three times.
- Click Create bucket.
- Repeat the above steps to create four more S3 buckets:
  - ID-STRING-pcf-buildpacks-bucket
  - ID-STRING-pcf-packages-bucket
  - ID-STRING-pcf-resources-bucket
  - ID-STRING-pcf-droplets-bucket
Step 3: Create an IAM User for PCF
Perform the following steps to create an Amazon Identity and Access Management (IAM) user with the minimal permissions necessary to install and run PCF:
- Click IAM to access the IAM Dashboard.
- Click Users and then click Add user.
- Enter a user name, such as pcf-user.
- For AWS access type, select Programmatic access. The user needs API keys only; do not grant it AWS Management Console access.
  Note: If you prefer to create your keys locally and import them into AWS, see the Amazon documentation.
- Click Next: Permissions.
- Click Next: Review and review your choices.
  Note: On the Review page you may see a warning that the user has no permissions. You can disregard this message. You attach an inline policy to the user in a later step.
- Click Create user.
- Click Download .csv to download the user security credentials.
  WARNING: The credentials.csv file contains the access key ID and secret access key for the user. Keep the credentials.csv file for your currently active key pairs in a secure directory. You cannot retrieve the secret access key again after you leave this page; if it is lost, you must create a new access key and deactivate the old one.
- Click Close.
- On the Users page, click the user name to access the user details page.
  Note: On the Users page you may see a warning that the user has no permissions. You can disregard this message.
- Click Add inline policy. You can review your existing inline policies by clicking the down arrow.
- On the Create policy page, define a policy:
  - Copy the policy document included in the Pivotal Cloud Foundry for AWS Policy Document topic. You must edit the policy document so the names of the S3 buckets match the ones you created in Step 2: Create S3 Buckets. A policy that still names the generic buckets grants nothing useful; one that names buckets outside the five grants more than PCF needs.
  - Paste the policy document into the JSON tab on the Create policy page.
- Click Review policy.
- In the Name field, enter pcf-iam-policy.
- Click Create policy. The Summary page displays a list of available policies and actions.
Step 4: Create a VPC
Navigate to the VPC Dashboard.
Click Start VPC Wizard.
Select VPC with Public and Private Subnets and click Select.
Specify the following details for your VPC:
- IPv4 CIDR block: Enter 10.0.0.0/16.
- IPv6 CIDR block: Select No IPv6 CIDR Block.
- VPC name: Enter pcf-vpc.
- Public subnet's IPv4 CIDR: Enter 10.0.0.0/24.
- Availability Zone: Set this field for both subnets to REGION-#a, for example, us-west-2a.
- Public subnet name: Enter pcf-public-subnet-az0.
- Private subnet's IPv4 CIDR: Enter 10.0.16.0/28.
- Private subnet name: Enter pcf-management-subnet-az0.
- Click Use a NAT instance instead and do the following:
  - Under Specify the details of your NAT instance, set the Instance type to t3.medium.
  - Create a key pair titled pcf-ops-manager-key. For more information about creating the key pair, see Amazon EC2 Key Pairs in the AWS documentation.
  - Select your newly created pcf-ops-manager-key for the Key Pair name.
- Enable DNS hostnames: Click Yes.
- Hardware tenancy: Select Default.
- Click Create VPC.
After the VPC is successfully created, click Subnets in the left navigation.
Click Create Subnet.
Add the following subnets to the pcf-vpc VPC:
Note: You created the first two subnets, pcf-public-subnet-az0 and pcf-management-subnet-az0, in the previous step.

| Name | AZ | IPv4 CIDR block |
| --- | --- | --- |
| pcf-public-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.1.0/24 |
| pcf-public-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.2.0/24 |
| pcf-management-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.16.16/28 |
| pcf-management-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.16.32/28 |
| pcf-pas-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.4.0/24 |
| pcf-pas-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.5.0/24 |
| pcf-pas-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.6.0/24 |
| pcf-services-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.8.0/24 |
| pcf-services-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.9.0/24 |
| pcf-services-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.10.0/24 |
| pcf-rds-subnet-az0 | REGION-#a (for example, us-west-2a) | 10.0.12.0/24 |
| pcf-rds-subnet-az1 | REGION-#b (for example, us-west-2b) | 10.0.13.0/24 |
| pcf-rds-subnet-az2 | REGION-#c (for example, us-west-2c) | 10.0.14.0/24 |
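The subnet plan above, checked and then created with the AWS CLI, as an added example that is not part of the Pivotal documentation. A mistyped CIDR in this table is the kind of error the console accepts silently and BOSH only reports much later, so the script verifies that every subnet lies inside 10.0.0.0/16, starts on its network address, and overlaps no other subnet before it calls `create-subnet`. The plan table is reproduced from the page with an added fourth column marking the two subnets the VPC wizard already created; the `aws` CLI v2, a REGION and a VPC_ID are assumptions.

```shell
# Added example, not Pivotal's code. Assumes AWS CLI v2 with admin credentials.
# Usage: sh pcf-subnets.sh apply REGION VPC_ID

VPC_CIDR=10.0.0.0/16

# The plan from the table: name, AZ letter appended to REGION, CIDR, and
# whether the VPC wizard already created it ("wizard") or it is "new".
subnet_plan() {
  cat <<'EOF'
pcf-public-subnet-az0 a 10.0.0.0/24 wizard
pcf-public-subnet-az1 b 10.0.1.0/24 new
pcf-public-subnet-az2 c 10.0.2.0/24 new
pcf-management-subnet-az0 a 10.0.16.0/28 wizard
pcf-management-subnet-az1 b 10.0.16.16/28 new
pcf-management-subnet-az2 c 10.0.16.32/28 new
pcf-pas-subnet-az0 a 10.0.4.0/24 new
pcf-pas-subnet-az1 b 10.0.5.0/24 new
pcf-pas-subnet-az2 c 10.0.6.0/24 new
pcf-services-subnet-az0 a 10.0.8.0/24 new
pcf-services-subnet-az1 b 10.0.9.0/24 new
pcf-services-subnet-az2 c 10.0.10.0/24 new
pcf-rds-subnet-az0 a 10.0.12.0/24 new
pcf-rds-subnet-az1 b 10.0.13.0/24 new
pcf-rds-subnet-az2 c 10.0.14.0/24 new
EOF
}

# Dotted quad to a 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# First and last address of a CIDR block, as "first last".
cidr_bounds() {
  bits=${1#*/}
  ip=$(ip2int "${1%/*}")
  size=$(( 1 << (32 - bits) ))
  first=$(( ip / size * size ))
  echo "$first $(( first + size - 1 ))"
}

# True when the two blocks share at least one address.
cidrs_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# True when block $2 lies entirely inside block $1.
cidr_contains() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# True when the written address is the network address (catches 10.0.16.20/28).
cidr_aligned() {
  set -- "$(ip2int "${1%/*}")" $(cidr_bounds "$1")
  [ "$1" -eq "$2" ]
}

# Print one line per problem found in a plan read from stdin.
plan_problems() {
  plan=$(cat)
  n=0
  echo "$plan" | while read -r name az cidr state; do
    n=$((n + 1))
    [ -n "$cidr" ] || continue
    cidr_contains "$VPC_CIDR" "$cidr" || echo "$name: $cidr is outside $VPC_CIDR"
    cidr_aligned "$cidr" || echo "$name: $cidr is not a network address"
    echo "$plan" | tail -n +$((n + 1)) | while read -r oname oaz ocidr ostate; do
      [ -n "$ocidr" ] || continue
      if cidrs_overlap "$cidr" "$ocidr"; then echo "$name $cidr overlaps $oname $ocidr"; fi
    done
  done
}

# Succeed only when the plan on stdin has no problems.
validate_plan() {
  problems=$(plan_problems)
  [ -z "$problems" ] && return 0
  echo "$problems" >&2
  return 1
}

# Create the subnets the wizard did not, tagged with the Name from the plan.
create_subnets() {
  subnet_plan | validate_plan || return 1
  subnet_plan | while read -r name az cidr state; do
    [ "$state" = new ] || continue
    aws ec2 create-subnet --vpc-id "$2" --cidr-block "$cidr" --availability-zone "$1$az" \
      --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=$name}]"
  done
}

if [ "${1:-}" = "apply" ]; then
  create_subnets "$2" "$3"
fi
```

Subnets created this way are associated with the VPC's main route table, not with the public route table the wizard built for pcf-public-subnet-az0, so after creation confirm the route table association of each new public subnet in the VPC Dashboard.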
Step 5: Configure a Security Group for Ops Manager
Return to the EC2 Dashboard.
Select Security Groups > Create Security Group.
For Security group name, enter pcf-ops-manager-security-group.
For Description, enter a description to identify this security group.
For VPC, select the VPC where you want to deploy Ops Manager.
Click the Inbound tab and add rules according to the table below.
Note: Pivotal recommends limiting access to Ops Manager to IP ranges within your organization, but you may relax the IP restrictions after configuring authentication for Ops Manager. Selecting My IP as the source fills in only the public address you are using at that moment; replace it with your organization's CIDR if other operators need access.

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| HTTP | TCP | 80 | My IP |
| HTTPS | TCP | 443 | My IP |
| SSH | TCP | 22 | My IP |
| BOSH Agent | TCP | 6868 | 10.0.0.0/16 |
| BOSH Director | TCP | 25555 | 10.0.0.0/16 |

Click Create.
Step 6: Configure a Security Group for PCF VMs
From the Security Groups page, click Create Security Group to create another security group.
For Security group name, enter pcf-vms-security-group.
For Description, enter a description to identify this security group.
For VPC, select the VPC where you want to deploy the PCF VMs.
Click the Inbound tab and add a rule for all traffic from your public and private subnets to your private subnet, as the table shows. This rule configuration does the following:
- Enables BOSH to deploy PAS and other services.
- Enables application VMs to communicate through the router.
- Allows the load balancer to send traffic to Pivotal Application Service (PAS).

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| All traffic | All | 0 - 65535 | Custom IP 10.0.0.0/16 |

Click Create.
Step 7: Configure a Security Group for the Web ELB
From the Security Groups page, click Create Security Group to create another security group.
For Security group name, enter pcf-web-elb-security-group.
For Description, enter a description to identify this security group.
For VPC, select the VPC where you want to deploy this Elastic Load Balancer (ELB).
Click the Inbound tab and add rules to allow traffic to ports 80, 443, and 4443 from 0.0.0.0/0, as the table shows.
Note: Allow traffic to port 4443 only if you are in an AWS region that does not support AWS Application Load Balancers (ALBs), for example, the GovCloud region. For more information about AWS regions and availability zones, see AWS Global Infrastructure.
Note: For finer control over what can reach PAS, change 0.0.0.0/0 to something more restrictive. This security group governs external access to PAS from clients such as the cf CLI and app URLs.

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| Custom TCP rule | TCP | 4443 | Anywhere 0.0.0.0/0 |
| HTTP | TCP | 80 | Anywhere 0.0.0.0/0 |
| HTTPS | TCP | 443 | Anywhere 0.0.0.0/0 |

Click Create.
Step 8: Configure a Security Group for the SSH ELB
From the Security Groups page, click Create Security Group to create another security group.
For Security group name, enter pcf-ssh-elb-security-group.
For Description, enter a description to identify this security group.
For VPC, select the VPC where you want to deploy this ELB.
Click the Inbound tab and add the following rule:

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| Custom TCP rule | TCP | 2222 | Anywhere 0.0.0.0/0 |

Click Create.
Step 9: Configure a Security Group for the TCP ELB
From the Security Groups page, click Create Security Group to create another security group.
For Security group name, enter pcf-tcp-elb-security-group.
For Description, enter a description to identify this security group.
For VPC, select the VPC where you want to deploy this ELB.
Click the Inbound tab and add the following rule:

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| Custom TCP rule | TCP | 1024 - 1123 | Anywhere 0.0.0.0/0 |

Click Create.
Step 10: Configure a Security Group for the Outbound NAT
From the Security Groups page, click Create Security Group to create another security group.
For Security group name, enter pcf-nat-security-group.
For Description, enter a description to identify this security group.
For VPC, select the VPC where you want to deploy the Outbound NAT.
Click the Inbound tab and add a rule to allow all traffic from your VPC, as the table shows.

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| All traffic | All | All | Custom IP 10.0.0.0/16 |

Click Create.
Step 11: Configure a Security Group for MySQL
Note: If you plan to use an internal database, skip this step. If you are using RDS, you must configure a security group that enables the Ops Manager VM and BOSH Director VM to access the database.
From the Security Groups page, click Create Security Group to create another security group.
For Security group name, enter pcf-mysql-security-group.
For Description, enter a description to identify this security group.
For VPC, select the VPC where you want to deploy MySQL.
Click the Inbound tab. Add a rule of type MySQL and specify the CIDR of your VPC in Source, as the table shows.

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| MySQL | TCP | 3306 | Custom IP 10.0.0.0/16 |

Click the Outbound tab. Remove the default rule that allows all traffic to 0.0.0.0/0, then add a rule of type All traffic and specify the CIDR of your VPC in Destination, as the table shows.

| Type | Protocol | Port Range | Destination |
| --- | --- | --- | --- |
| All traffic | All | All | Custom IP 10.0.0.0/16 |

Click Create.
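The seven security groups from Steps 5 through 11 expressed as a single rule plan and created with the AWS CLI, as an added example that is not part of the Pivotal documentation. The plan is reproduced from the tables above with `MY_IP` standing in for the "My IP" source; before anything is created, a lint refuses a plan that still carries the placeholder or that opens any group other than the three load balancer groups to 0.0.0.0/0, which is the mistake the notes in Step 5 and Step 7 warn about. Drop the 4443 line unless you are in a region without ALB support. The `aws` CLI v2, a VPC_ID and your organization's CIDR are assumptions.

```shell
# Added example, not Pivotal's code. Assumes AWS CLI v2 with admin credentials.
# Usage: sh pcf-security-groups.sh apply VPC_ID ORG_CIDR

# Inbound rule plan from Steps 5-11: group, protocol (-1 = all), from, to,
# source. MY_IP is a placeholder for your organization's CIDR.
sg_rules() {
  cat <<'EOF'
pcf-ops-manager-security-group tcp 80 80 MY_IP
pcf-ops-manager-security-group tcp 443 443 MY_IP
pcf-ops-manager-security-group tcp 22 22 MY_IP
pcf-ops-manager-security-group tcp 6868 6868 10.0.0.0/16
pcf-ops-manager-security-group tcp 25555 25555 10.0.0.0/16
pcf-vms-security-group -1 0 65535 10.0.0.0/16
pcf-web-elb-security-group tcp 80 80 0.0.0.0/0
pcf-web-elb-security-group tcp 443 443 0.0.0.0/0
pcf-web-elb-security-group tcp 4443 4443 0.0.0.0/0
pcf-ssh-elb-security-group tcp 2222 2222 0.0.0.0/0
pcf-tcp-elb-security-group tcp 1024 1123 0.0.0.0/0
pcf-nat-security-group -1 0 65535 10.0.0.0/16
pcf-mysql-security-group tcp 3306 3306 10.0.0.0/16
EOF
}

# Replace the MY_IP placeholder with the given CIDR (plan on stdin).
resolve_my_ip() { sed "s#MY_IP\$#$1#"; }

# The --ip-permissions shorthand for one rule; "all traffic" carries no ports.
ingress_permission() {
  if [ "$1" = "-1" ]; then
    printf 'IpProtocol=-1,IpRanges=[{CidrIp=%s}]' "$4"
  else
    printf 'IpProtocol=%s,FromPort=%s,ToPort=%s,IpRanges=[{CidrIp=%s}]' "$1" "$2" "$3" "$4"
  fi
}

# Reject a plan (on stdin) that still carries MY_IP, or that exposes a group
# other than the ELB groups to the whole internet.
lint_rules() {
  problems=$(while read -r group proto from to src; do
    [ -n "$group" ] || continue
    [ "$src" != MY_IP ] || echo "$group: replace MY_IP with your organization's CIDR"
    case "$group" in
      *-elb-security-group) ;;
      *) [ "$src" != 0.0.0.0/0 ] || echo "$group: $proto $from-$to is open to 0.0.0.0/0" ;;
    esac
  done)
  [ -z "$problems" ] && return 0
  echo "$problems" >&2
  return 1
}

# Create every group in the plan and authorize its inbound rules.
create_security_groups() {
  rules=$(sg_rules | resolve_my_ip "$2")
  printf '%s\n' "$rules" | lint_rules || return 1
  for group in $(printf '%s\n' "$rules" | cut -d' ' -f1 | sort -u); do
    gid=$(aws ec2 create-security-group --group-name "$group" --description "$group" \
            --vpc-id "$1" --query GroupId --output text)
    printf '%s\n' "$rules" | grep "^$group " | while read -r _ proto from to src; do
      aws ec2 authorize-security-group-ingress --group-id "$gid" \
        --ip-permissions "$(ingress_permission "$proto" "$from" "$to" "$src")"
    done
    if [ "$group" = pcf-mysql-security-group ]; then
      # A new group allows all outbound traffic to 0.0.0.0/0 by default; Step 11
      # confines egress to the VPC, so revoke the default before adding ours.
      aws ec2 revoke-security-group-egress --group-id "$gid" \
        --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
      aws ec2 authorize-security-group-egress --group-id "$gid" \
        --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=10.0.0.0/16}]'
    fi
  done
}

if [ "${1:-}" = "apply" ]; then
  create_security_groups "$2" "$3"
fi
```

`sg_rules | resolve_my_ip 203.0.113.0/24 | lint_rules` is also a useful check to run against groups you created in the console: export their rules, put them in the same five-column form, and the lint reports any group that drifted to 0.0.0.0/0.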
Next Step
Proceed to the next step, Deploying Ops Manager on AWS Manually.