Preparing to Deploy Ops Manager on AWS Manually

Page last updated:

This topic describes how to manually configure the Amazon Web Services (AWS) components that you need to deploy Pivotal Cloud Foundry (PCF) on AWS.

Note: To install PCF with the Enterprise Pivotal Container Service (Enterprise PKS) runtime on AWS, you must use Terraform. Manual installation is not currently supported. See Installing and Configuring Ops Manager on AWS in the Enterprise PKS documentation.

To deploy PCF on AWS, you must perform the procedures in this topic to create objects in the AWS Management Console that PCF requires.

To view the list of AWS objects created by the procedures in this topic, see Required AWS Objects.

After completing the procedures in this topic, proceed to Deploying Ops Manager on AWS Manually to continue deploying PCF.

Step 1: File a Ticket

Log in to the AWS Management Console, and file a ticket with Amazon to ensure that your account can launch more than the default 20 instances. In the ticket, ask for a limit of 50 t3.micro instances and 20 c5.large instances in the region you are using.

Note: To deploy PCF to AWS GovCloud (US), log in to the AWS GovCloud (US) Console instead of the standard AWS Management Console and select the us-gov-west-1 region.

Note: To deploy PCF to AWS China, set up an AWS China account and contact the Platform Architect assigned for your Pivotal account.

You can check the limits on your account by visiting the EC2 Dashboard on the AWS Management Console and clicking Limits on the left navigation.

Step 2: Create S3 Buckets

1. Navigate to the S3 Dashboard.

   Note:S3 bucket names must be globally unique. When naming buckets, Pivotal recommends that you prefix the generic names below with an unique and helpfully identifiable string (i.e. ID-STRING-pcf-ops-manager-bucket, MY-IDENTIFIER-pcf-buildpacks-bucket, and so on). Then you should use the same prefix when naming other associated resources, such as IAM policies.

2. Perform the following steps to create five S3 buckets:

   • Click Create Bucket.
   • For Bucket name, enter ID-STRING-pcf-ops-manager-bucket.
   • For Region, select your region.
   • Click Next three times.
   • Click Create bucket.
   • Repeat the above steps to create four more S3 buckets:
     1. ID-STRING-pcf-buildpacks-bucket
     2. ID-STRING-pcf-packages-bucket
     3. ID-STRING-pcf-resources-bucket
     4. ID-STRING-pcf-droplets-bucket

Step 3: Create an IAM User for PCF

Perform the following steps to create an Amazon Identity and Access Management (IAM) user with the minimal permissions necessary to run and install PCF:

1. Click IAM to access the IAM Dashboard.

2. Click Users and then click Add user.

   

3. Enter a user name, such as pcf-user.

4. For AWS access type, select Programmatic access.

   Note: If you prefer to create your keys locally and import them into AWS, see the Amazon documentation.

5. Click Next: Permissions.

6. Click Next: Review and review your choices.

   Note: On the Review page you may see a warning that the user has no permissions. You can disregard this message. You do not need to set user permissions.

7. Click Create user.

8. Click Download .csv to download the user security credentials.

   WARNING: The credentials.csv contains the IDs for your user security access key and secret access key. Keep the credentials.csv file for your currently active key pairs in a secure directory. You cannot recover a lost key pair.

9. Click Close.

10. On the Users page, click the user name to access the user details page.

    Note: On the Users page you may see a warning that the user has no permissions. You can disregard this message. You do not need to set user permissions.

11. Click Add inline policy. You can review your existing inline policies by clicking the down arrow.

    

12. On the Create policy page, define a policy:

    1. Copy the policy document included in the Pivotal Cloud Foundry for AWS Policy Document topic. You must edit the policy document so the names of the S3 buckets match the ones you created in Step 2: Create S3 Buckets.
    2. Paste the policy document into the JSON tab on the Create policy page.

13. Click Review policy.

14. In the Name field, enter pcf-iam-policy.

15. Click Create policy. The Summary page displays a list of available policies and actions.

Step 4: Create a VPC

1. Navigate to the VPC Dashboard.

2. Click Start VPC Wizard.

   

3. Select VPC with Public and Private Subnets and click Select.

   

4. Specify the following details for your VPC:

   • IPv4 CIDR block: Enter 10.0.0.0/16.
   • IPv6 CIDR block: Select No IPv6 CIDR Block.
   • VPC name: pcf-vpc.
   • Public subnet’s IPv4 CIDR: Enter 10.0.0.0/24.
   • Set the Availability Zone fields for both subnets to REGION-#a. For example, us-west-2a.
   • Public subnet name: Enter pcf-public-subnet-az0.
   • Private subnet’s IPv4 CIDR: Enter 10.0.16.0/28.
   • Private subnet name: Enter pcf-management-subnet-az0.
   • Click Use a NAT instance instead and do the following:
     • Under Specify the details of your NAT instance, set the Instance type to t3.medium
     • Create a key pair titled pcf-ops-manager-key. For more information about creating the key pair, see Amazon EC2 Key Pairs in the AWS documentation.
     • Select your newly-created pcf-ops-manager-key for the Key Pair name.
   • Enable DNS hostnames: Click Yes.
   • Hardware tenancy: Select Default.
   • Click Create VPC.

5. After the VPC is successfully created, click Subnets in the left navigation.

6. Click Create Subnet.

7. Add the following subnets to the pcf-vpc VPC:

   Note: You created the first two subnets in the previous step: pcf-public-subnet-az0 and pcf-management-subnet-az0.

   Name	AZ	IPv4 CIDR block
   pcf-public-subnet-az1	REGION-#b (for example, us-west-2b)	10.0.1.0/24
   pcf-public-subnet-az2	REGION-#c (for example, us-west-2c)	10.0.2.0/24
   pcf-management-subnet-az1	REGION-#b (for example, us-west-2b)	10.0.16.16/28
   pcf-management-subnet-az2	REGION-#c (for example, us-west-2c)	10.0.16.32/28
   pcf-pas-subnet-az0	REGION-#a (for example, us-west-2a)	10.0.4.0/24
   pcf-pas-subnet-az1	REGION-#b (for example, us-west-2b)	10.0.5.0/24
   pcf-pas-subnet-az2	REGION-#c (for example, us-west-2c)	10.0.6.0/24
   pcf-services-subnet-az0	REGION-#a (for example, us-west-2a)	10.0.8.0/24
   pcf-services-subnet-az1	REGION-#b (for example, us-west-2b)	10.0.9.0/24
   pcf-services-subnet-az2	REGION-#c (for example, us-west-2c)	10.0.10.0/24
   pcf-rds-subnet-az0	REGION-#a (for example, us-west-2a)	10.0.12.0/24
   pcf-rds-subnet-az1	REGION-#b (for example, us-west-2b)	10.0.13.0/24
   pcf-rds-subnet-az2	REGION-#c (for example, us-west-2c)	10.0.14.0/24

Step 5: Configure a Security Group for Ops Manager

1. Return to the EC2 Dashboard.

2. Select Security Groups>Create Security Group.

3. For Security group name, enter pcf-ops-manager-security-group.

4. For Description, enter a description to identify this security group.

5. For VPC, select the VPC where you want to deploy Ops Manager.

6. Click the Inbound tab and add rules according to the table below.

   Note: Pivotal recommends limiting access to Ops Manager to IP ranges within your organization, but you may relax the IP restrictions after configuring authentication for Ops Manager.

   Type	Protocol	Port Range	Source
   HTTP	TCP	80	My IP
   HTTPS	TCP	443	My IP
   SSH	TCP	22	My IP
   BOSH Agent	TCP	6868	10.0.0.0/16
   BOSH Director	TCP	25555	10.0.0.0/16

7. Click Create.

Step 6: Configure a Security Group for PCF VMs

1. From the Security Groups page, click Create Security Group to create another security group.

2. For Security group name, enter pcf-vms-security-group.

3. For Description, enter a description to identify this security group.

4. For VPC, select the VPC where you want to deploy the PCF VMs.

5. Click the Inbound tab and add rules for all traffic from your public and private subnets to your private subnet, as the table and image show. This rule configuration does the following:

   • Enables BOSH to deploy PAS and other services.
   • Enables application VMs to communicate through the router.
   • Allows the load balancer to send traffic to Pivotal Application Service (PAS).

   Type	Protocol	Port Range	Source
   All traffic	All	0 - 65535	Custom IP	10.0.0.0/16

6. Click Create.

   

Step 7: Configure a Security Group for the Web ELB

1. From the Security Groups page, click Create Security Group to create another security group.

2. For Security group name, enter pcf-web-elb-security-group.

3. For Description, enter a description to identify this security group.

4. For VPC, select the VPC where you want to deploy this Elastic Load Balancer (ELB).

5. Click the Inbound tab and add rules to allow traffic to ports 80, 443, and 4443 from 0.0.0.0/0, as the table and image show.

   Note: Allow traffic to port 4443 only if you are in an AWS cloud region that does not support AWS ALBs. For example, the GovCloud region. For more information about AWS regoins and availability zones, see AWS Global Infrastructure.

   Note: For finer control over what can reach PAS, change 0.0.0.0/0 to be more restrictive. This security group governs external access to PAS from apps such as the cf CLI and app URLs.

   Type	Protocol	Port Range	Source
   Custom TCP rule	TCP	4443	Anywhere	0.0.0.0/0
   HTTP	TCP	80	Anywhere	0.0.0.0/0
   HTTPS	TCP	443	Anywhere	0.0.0.0/0

6. Click Create.

   

Step 8: Configure a Security Group for the SSH ELB

1. From the Security Groups page, click Create Security Group to create another security group.

2. For Security group name, enter pcf-ssh-elb-security-group.

3. For Description, enter a description to identify this security group.

4. For VPC, select the VPC where you want to deploy this ELB.

5. Click the Inbound tab and add the following rule:

   Type	Protocol	Port Range	Source
   Custom TCP rule	TCP	2222	Anywhere	0.0.0.0/0

6. Click Create.

Step 9: Configure a Security Group for the TCP ELB

1. From the Security Groups page, click Create Security Group to create another security group.

2. For Security group name, enter pcf-tcp-elb-security-group.

3. For Description, enter a description to identify this security group.

4. For VPC, select the VPC where you want to deploy this ELB.

5. Click the Inbound tab and add the following rule:

   Type	Protocol	Port Range	Source
   Custom TCP rule	TCP	1024 - 1123	Anywhere	0.0.0.0/0

6. Click Create.

Step 10: Configure a Security Group for the Outbound NAT

1. From the Security Groups page, click Create Security Group to create another security group.

2. For Security group name, enter pcf-nat-security-group.

3. For Description, enter a description to identify this security group.

4. For VPC, select the VPC where you want to deploy the Outbound NAT.

5. Click the Inbound tab and add a rule to allow all traffic from your VPCs, as the table and image show.

   Type	Protocol	Port Range	Source
   All traffic	All	All	Custom IP	10.0.0.0/16

6. Click Create.

   

Step 11: Configure a Security Group for MySQL

Note: If you plan to use an internal database, skip this step. If you are using RDS, you must configure a security group that enables the Ops Manager VM and BOSH Director VM to access the database.

1. From the Security Groups page, click Create Security Group to create another security group.

2. For Security group name, enter pcf-mysql-security-group.

3. For Description, enter a description to identify this security group.

4. For VPC, select the VPC where you want to deploy MySQL.

5. Click the Inbound tab. Add a rule of type MySQL and specify the subnet of your VPC in Source, as the table and image show.

   Type	Protocol	Port Range	Source
   MySQL	TCP	3306	Custom IP	10.0.0.0/16

6. Click the Outbound tab. Add a rule of type All traffic and specify the subnet of your VPC in Destination, as the table and image show.

   Type	Protocol	Port Range	Destination
   All traffic	All	All	Custom IP	10.0.0.0/16

7. Click Create.

   

Next Step

Proceed to the next step, Deploying Ops Manager on AWS Manually.