Manually Configuring AWS for PCF

This topic describes how to manually configure the Amazon Web Services (AWS) components that you need to run Pivotal Cloud Foundry (PCF) on AWS.

To deploy PCF on AWS, you must perform the procedures in this topic to create objects in the AWS Management Console that PCF requires.

To view the list of AWS objects created by the procedures in this topic, see the Required AWS Objects section.

After completing the procedures in this topic, proceed to Manually Configuring Ops Manager Director for AWS to continue deploying PCF.

Step 1: File a Ticket

Log in to the AWS Management Console, and file a ticket with Amazon to ensure that your account can launch more than the default 20 instances. In the ticket, ask for a limit of 50 t2.micro instances and 20 c4.large instances in the region you are using.

You can check the limits on your account by visiting the EC2 Dashboard on the AWS Management Console and clicking Limits on the left navigation.

Step 2: Create S3 Buckets

  1. Navigate to the S3 Dashboard.
  2. Perform the following steps to create five S3 buckets:
    • Click Create Bucket
    • For Bucket name, enter pcf-ops-manager-bucket.
    • For Region, select your region.
    • Click Next three times.
    • Click Create bucket.
    • Repeat the above steps to create four more S3 buckets: pcf-buildpacks-bucket, pcf-packages-bucket, pcf-resources-bucket, and pcf-droplets-bucket.

Step 3: Create an IAM User for PCF

Perform the following steps to create an Amazon Identity and Access Management (IAM) user with the minimal permissions necessary to run and install PCF:

  1. Select Identity & Access Management to access the IAM Dashboard.
  2. Select Users>Create New Users.
  3. Enter a user name, such as pcf-user.

  4. Ensure that the Generate an access key for each user checkbox is selected.

    Note: If you prefer to create your keys locally and import them into AWS, see the Amazon documentation.

  5. Click Create.

  6. Click Download Credentials to download the user security credentials.

    Note: The credentials.csv contains the IDs for your user security access key and secret access key. Keep the credentials.csv file for your currently active key pairs in a secure directory.

  7. Click Close.

  8. On the User dashboard, click the user name to access the user details page.

  9. In the Inline Policies region, click the down arrow to display the inline policies. Click the click here link to create a new policy.

  10. On the Set Permissions page, click Custom Policy and click Select.

  11. On the Review Policy page, enter pcf-iam-policy in Policy Name.

  12. Copy and paste the policy document included in the Pivotal Cloud Foundry for AWS Policy Document topic into the Policy Document field.

  13. Ensure that the Use autoformatting for policy editing checkbox is selected.

  14. Click Apply Policy and review. The Inline Policies region now displays a list of available policies and actions.

Step 4: Create a VPC

  1. Navigate to the VPC Dashboard.
  2. Click Start VPC Wizard.

  3. Select VPC with Public and Private Subnets and click Select.

  4. Specify the following details for your VPC:

    • IPv4 CIDR block: Enter 10.0.0.0/16.
    • IPv6 CIDR block: Select No IPv6 CIDR Block.
    • VPC name: pcf-vpc.
    • Public subnet’s IPv4 CIDR: Enter 10.0.0.0/24.
    • Set the Availability Zone fields for both subnets to REGION-#a. For example, us-west-2a.
    • Public subnet name: Enter pcf-public-subnet-az0.
    • Private subnet’s IPv4 CIDR: Enter 10.0.16.0/28.
    • Private subnet name: Enter pcf-management-subnet-az0.
    • Click Use a NAT instance instead and under Specify the details of your NAT instance, set the Instance type to t2.medium and select the pcf-ops-manager-key SSH key you created for Key Pair name.
    • Enable DNS hostnames: Click Yes.
    • Hardware tenancy: Select Default.
    • Enable ClassicLink: Select No.
    • Click Create VPC.
  5. After the VPC is successfully created, click Subnets in the left navigation.

  6. Click Create Subnet.

  7. Add the following subnets to the pcf-vpc VPC:

    Note: You created the first two subnets in the previous step: pcf-public-subnet-az0 and pcf-management-subnet-az0.

    Name                       AZ                                   IPv4 CIDR block
    pcf-public-subnet-az1      REGION-#b (for example, us-west-2b)  10.0.1.0/24
    pcf-public-subnet-az2      REGION-#c (for example, us-west-2c)  10.0.2.0/24
    pcf-management-subnet-az1  REGION-#b (for example, us-west-2b)  10.0.16.16/28
    pcf-management-subnet-az2  REGION-#c (for example, us-west-2c)  10.0.16.32/28
    pcf-ert-subnet-az0         REGION-#a (for example, us-west-2a)  10.0.4.0/24
    pcf-ert-subnet-az1         REGION-#b (for example, us-west-2b)  10.0.5.0/24
    pcf-ert-subnet-az2         REGION-#c (for example, us-west-2c)  10.0.6.0/24
    pcf-services-subnet-az0    REGION-#a (for example, us-west-2a)  10.0.8.0/24
    pcf-services-subnet-az1    REGION-#b (for example, us-west-2b)  10.0.9.0/24
    pcf-services-subnet-az2    REGION-#c (for example, us-west-2c)  10.0.10.0/24
    pcf-rds-subnet-az0         REGION-#a (for example, us-west-2a)  10.0.12.0/24
    pcf-rds-subnet-az1         REGION-#b (for example, us-west-2b)  10.0.13.0/24
    pcf-rds-subnet-az2         REGION-#c (for example, us-west-2c)  10.0.14.0/24
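
The subnet plan above is easy to mistype in the console, and the three /28 management subnets in particular are adjacent and simple to overlap. The following Python script is an added example, not part of the original Pivotal documentation: it uses only the standard library, fills in us-west-2 for the REGION-# placeholders as an assumption, and checks that every subnet is well formed and inside 10.0.0.0/16, that no two subnets overlap, and that each tier spans three availability zones. It also reports how many addresses each subnet leaves for instances once the five addresses AWS reserves per subnet are removed.

```python
"""Sanity-check the pcf-vpc subnet plan (10.0.0.0/16) with the standard library."""
import ipaddress
from collections import defaultdict

VPC_CIDR = "10.0.0.0/16"

# The subnet plan from Step 4, with REGION-# filled in for us-west-2 as an example.
SUBNET_PLAN = [
    ("pcf-public-subnet-az0", "us-west-2a", "10.0.0.0/24"),
    ("pcf-public-subnet-az1", "us-west-2b", "10.0.1.0/24"),
    ("pcf-public-subnet-az2", "us-west-2c", "10.0.2.0/24"),
    ("pcf-management-subnet-az0", "us-west-2a", "10.0.16.0/28"),
    ("pcf-management-subnet-az1", "us-west-2b", "10.0.16.16/28"),
    ("pcf-management-subnet-az2", "us-west-2c", "10.0.16.32/28"),
    ("pcf-ert-subnet-az0", "us-west-2a", "10.0.4.0/24"),
    ("pcf-ert-subnet-az1", "us-west-2b", "10.0.5.0/24"),
    ("pcf-ert-subnet-az2", "us-west-2c", "10.0.6.0/24"),
    ("pcf-services-subnet-az0", "us-west-2a", "10.0.8.0/24"),
    ("pcf-services-subnet-az1", "us-west-2b", "10.0.9.0/24"),
    ("pcf-services-subnet-az2", "us-west-2c", "10.0.10.0/24"),
    ("pcf-rds-subnet-az0", "us-west-2a", "10.0.12.0/24"),
    ("pcf-rds-subnet-az1", "us-west-2b", "10.0.13.0/24"),
    ("pcf-rds-subnet-az2", "us-west-2c", "10.0.14.0/24"),
]

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses left for instances once AWS's reserved addresses are removed."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_subnet_plan(plan, vpc_cidr=VPC_CIDR):
    """Return a list of problems with the plan (an empty list means it is consistent).

    Checks that every CIDR is well formed (no host bits set) and inside the VPC,
    that no two subnets overlap, and that each tier (public, management, ert,
    services, rds) is spread over three distinct availability zones.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, parsed = [], []
    for name, az, cidr in plan:
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects e.g. 10.0.16.8/28
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr} ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is outside the VPC {vpc}")
        parsed.append((name, az, net))

    # Pairwise overlap check; the /28 management subnets are the usual culprits.
    for i, (name_a, _, net_a) in enumerate(parsed):
        for name_b, _, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")

    # Each tier should be spread across three AZs ("pcf-<tier>-subnet-azN").
    zones_by_tier = defaultdict(set)
    for name, az, _ in parsed:
        zones_by_tier[name.split("-")[1]].add(az)
    for tier, zones in sorted(zones_by_tier.items()):
        if len(zones) != 3:
            problems.append(f"tier {tier} spans {len(zones)} AZ(s), expected 3")
    return problems


if __name__ == "__main__":
    for name, _, cidr in SUBNET_PLAN:
        print(f"{name:<27} {cidr:<14} {usable_hosts(cidr):>4} usable addresses")
    print("problems:", validate_subnet_plan(SUBNET_PLAN) or "none")
```

Run it once with the plan as documented (it reports no problems) and again after editing the list to match what you actually entered in the console; a /28 leaves only 11 usable addresses, which is why the management subnets are sized that way for a handful of BOSH and Ops Manager VMs.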

Step 5: Configure a Security Group for Ops Manager

  1. Return to the EC2 Dashboard.
  2. Select Security Groups>Create Security Group.
  3. For Security group name, enter pcf-ops-manager-security-group.
  4. For Description, enter a description to identify this security group.
  5. For VPC, select the VPC where you want to deploy Ops Manager.
  6. Click the Inbound tab and add rules according to the table below.

    Note: Pivotal recommends limiting access to Ops Manager to IP ranges within your organization, but you may relax the IP restrictions after configuring authentication for Ops Manager.

    Type             Protocol  Port Range   Source
    HTTP             TCP       80           My IP
    HTTPS            TCP       443          My IP
    SSH              TCP       22           My IP
    BOSH Agent       TCP       6868         10.0.0.0/16
    BOSH Director    TCP       25555        10.0.0.0/16
  7. Click Create.

Step 6: Configure a Security Group for PCF VMs

  1. From the Security Groups page, click Create Security Group to create another security group.
  2. For Security group name, enter pcf-vms-security-group.
  3. For Description, enter a description to identify this security group.
  4. For VPC, select the VPC where you want to deploy the PCF VMs.
  5. Click the Inbound tab and add rules for all traffic from your public and private subnets to your private subnet, as the table shows. This rule configuration does the following:

    • Enables BOSH to deploy ERT and other services.
    • Enables application VMs to communicate through the router.
    • Allows the load balancer to send traffic to Elastic Runtime.

    Type             Protocol  Port Range   Source
    All traffic      All       0 - 65535    Custom IP 10.0.0.0/16
  6. Click Create.

Step 7: Configure a Security Group for the Web ELB

  1. From the Security Groups page, click Create Security Group to create another security group.
  2. For Security group name, enter pcf-web-elb-security-group.
  3. For Description, enter a description to identify this security group.
  4. For VPC, select the VPC where you want to deploy this Elastic Load Balancer (ELB).
  5. Click the Inbound tab and add rules to allow traffic to ports 80, 443, and 4443 from 0.0.0.0/0, as the table shows.

    Note: You can change the 0.0.0.0/0 to be more restrictive if you want finer control over what can reach the Elastic Runtime. This security group governs external access to the Elastic Runtime from applications such as the cf CLI and application URLs.

    Type             Protocol  Port Range   Source
    Custom TCP rule  TCP       4443         Anywhere 0.0.0.0/0
    HTTP             TCP       80           Anywhere 0.0.0.0/0
    HTTPS            TCP       443          Anywhere 0.0.0.0/0
  6. Click Create.

Step 8: Configure a Security Group for the SSH ELB

  1. From the Security Groups page, click Create Security Group to create another security group.
  2. For Security group name, enter pcf-ssh-elb-security-group.
  3. For Description, enter a description to identify this security group.
  4. For VPC, select the VPC where you want to deploy this ELB.
  5. Click the Inbound tab and add the following rule:

    Type             Protocol  Port Range   Source
    Custom TCP rule  TCP       2222         Anywhere 0.0.0.0/0
  6. Click Create.

Step 9: Configure a Security Group for the TCP ELB

  1. From the Security Groups page, click Create Security Group to create another security group.
  2. For Security group name, enter pcf-tcp-elb-security-group.
  3. For Description, enter a description to identify this security group.
  4. For VPC, select the VPC where you want to deploy this ELB.
  5. Click the Inbound tab and add the following rule:

    Type             Protocol  Port Range   Source
    Custom TCP rule  TCP       1024 - 1123  Anywhere 0.0.0.0/0
  6. Click Create.

Step 10: Configure a Security Group for the Outbound NAT

  1. From the Security Groups page, click Create Security Group to create another security group.
  2. For Security group name, enter pcf-nat-security-group.
  3. For Description, enter a description to identify this security group.
  4. For VPC, select the VPC where you want to deploy the Outbound NAT.
  5. Click the Inbound tab and add a rule to allow all traffic from your VPC, as the table shows.

    Type             Protocol  Port Range   Source
    All traffic      All       All          Custom IP 10.0.0.0/16
  6. Click Create.

Step 11: Configure a Security Group for MySQL

Note: If you plan to use an internal database, skip this step. If you are using RDS, you must configure a security group that enables the Ops Manager VM and Ops Manager Director VM to access the database.

  1. From the Security Groups page, click Create Security Group to create another security group.
  2. For Security group name, enter pcf-mysql-security-group.
  3. For Description, enter a description to identify this security group.
  4. For VPC, select the VPC where you want to deploy MySQL.
  5. Click the Inbound tab. Add a rule of type MySQL and specify the subnet of your VPC in Source, as the table shows.

    Type             Protocol  Port Range   Source
    MySQL            TCP       3306         Custom IP 10.0.0.0/16

  6. Click the Outbound tab and remove the default All traffic entry with destination 0.0.0.0/0.
  7. Add a rule of type All traffic and specify the subnet of your VPC in Destination, as the table shows.

    Type             Protocol  Port Range   Destination
    All traffic      All       All          Custom IP 10.0.0.0/16
  8. Click Create.
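
The security groups built in Steps 5 through 11 are the boundary between the VPC and the internet, and the Step 5 note about restricting Ops Manager access is the setting most often loosened later and forgotten. The following Python audit is an added example, not part of the original Pivotal documentation: it takes JSON in the shape of `aws ec2 describe-security-groups` output (a constructed sample is embedded, including a deliberately misconfigured SSH rule, so nothing is fetched from AWS), compares each group against the rules documented in these steps, and flags any Ops Manager, BOSH or MySQL port reachable from 0.0.0.0/0. The range 203.0.113.0/24 is an assumed stand-in for the console's "My IP" source; pass your own organisation's range.

```python
"""Audit the PCF security groups from Steps 5 through 11 against the documented rules.

Input is in the shape of `aws ec2 describe-security-groups` output (constructed
sample below); no AWS credentials or network access are needed.
"""

# Expected inbound rules per group as (protocol, from_port, to_port, source).
# "MY_IP" stands for the console's "My IP" choice; the range passed to
# audit_group() is substituted in.
EXPECTED_INBOUND = {
    "pcf-ops-manager-security-group": [
        ("tcp", 80, 80, "MY_IP"), ("tcp", 443, 443, "MY_IP"), ("tcp", 22, 22, "MY_IP"),
        ("tcp", 6868, 6868, "10.0.0.0/16"), ("tcp", 25555, 25555, "10.0.0.0/16"),
    ],
    "pcf-vms-security-group": [("-1", 0, 65535, "10.0.0.0/16")],
    "pcf-web-elb-security-group": [
        ("tcp", 4443, 4443, "0.0.0.0/0"), ("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0"),
    ],
    "pcf-ssh-elb-security-group": [("tcp", 2222, 2222, "0.0.0.0/0")],
    "pcf-tcp-elb-security-group": [("tcp", 1024, 1123, "0.0.0.0/0")],
    "pcf-nat-security-group": [("-1", 0, 65535, "10.0.0.0/16")],
    "pcf-mysql-security-group": [("tcp", 3306, 3306, "10.0.0.0/16")],
}
# Only the MySQL group has a documented outbound restriction (Step 11, items 6 and 7).
EXPECTED_OUTBOUND = {"pcf-mysql-security-group": [("-1", 0, 65535, "10.0.0.0/16")]}
# Ops Manager, BOSH and database ports: never acceptable from 0.0.0.0/0.
INTERNAL_ONLY_PORTS = {22, 3306, 6868, 25555}


def normalize(permissions):
    """Flatten a list of IpPermissions entries into (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in permissions:
        proto = perm["IpProtocol"]
        if proto == "-1":  # "All traffic" in the console; no port fields present
            lo, hi = 0, 65535
        else:
            lo, hi = perm["FromPort"], perm["ToPort"]
        rules |= {(proto, lo, hi, r["CidrIp"]) for r in perm.get("IpRanges", [])}
    return rules


def _diff(name, direction, expected, actual):
    findings = [f"{name}: missing {direction} rule {r}" for r in sorted(expected - actual)]
    findings += [f"{name}: unexpected {direction} rule {r}" for r in sorted(actual - expected)]
    return findings


def audit_group(group, my_ip_cidr):
    """Return a list of findings for one security group (empty list means it matches)."""
    name = group["GroupName"]
    inbound = normalize(group.get("IpPermissions", []))
    expected_in = {(p, lo, hi, my_ip_cidr if src == "MY_IP" else src)
                   for p, lo, hi, src in EXPECTED_INBOUND.get(name, [])}
    findings = _diff(name, "inbound", expected_in, inbound)
    if name in EXPECTED_OUTBOUND:
        outbound = normalize(group.get("IpPermissionsEgress", []))
        findings += _diff(name, "outbound", set(EXPECTED_OUTBOUND[name]), outbound)
    # Independent of the expected list: internal ports must never face the internet.
    for _, lo, hi, cidr in inbound:
        if cidr == "0.0.0.0/0":
            exposed = sorted(p for p in INTERNAL_ONLY_PORTS if lo <= p <= hi)
            if exposed:
                findings.append(f"{name}: ports {exposed} reachable from the internet")
    return findings


def audit_all(groups, my_ip_cidr):
    return [f for g in groups for f in audit_group(g, my_ip_cidr)]


def rule(proto, lo, hi, cidr):
    """Build one IpPermissions entry (helper for the constructed sample)."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample: the Ops Manager group has SSH mistakenly opened to the
# world instead of "My IP"; the MySQL group matches Step 11 exactly.
SAMPLE_GROUPS = [
    {"GroupName": "pcf-ops-manager-security-group",
     "IpPermissions": [rule("tcp", 80, 80, "203.0.113.0/24"), rule("tcp", 443, 443, "203.0.113.0/24"),
                       rule("tcp", 22, 22, "0.0.0.0/0"), rule("tcp", 6868, 6868, "10.0.0.0/16"),
                       rule("tcp", 25555, 25555, "10.0.0.0/16")]},
    {"GroupName": "pcf-mysql-security-group",
     "IpPermissions": [rule("tcp", 3306, 3306, "10.0.0.0/16")],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_GROUPS, "203.0.113.0/24"):
        print(finding)
```

Against the sample the audit reports the missing "My IP" SSH rule, the unexpected world-open one, and port 22 reachable from the internet; the MySQL group passes both its inbound and its restricted outbound check. To audit a live account, replace SAMPLE_GROUPS with the "SecurityGroups" list from the describe-security-groups output.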

Step 12: Launch a Pivotal Ops Manager AMI

  1. Navigate to the Pivotal Cloud Foundry Operations Manager section of Pivotal Network.
  2. Select the version of PCF you want to install and click Pivotal Cloud Foundry Ops Manager for AWS to download the PDF.
  3. Open the PDF and identify the AMI ID for your region.
  4. Return to the EC2 Dashboard.
  5. Click AMIs.
  6. Click Owned by me and select Public image.
  7. Paste the AMI ID for your region into the search bar and press enter.

    Note: There is a different AMI for each region. If you cannot locate the AMI for your region, verify that you have set your AWS Management Console to your desired region. If you still cannot locate the AMI, log in to the Pivotal Network and file a support ticket.

  8. Select the Ops Manager AMI and click Launch.

  9. Choose m3.large for your instance type and click Next: Configure Instance Details.

  10. Configure the following for your instance:

    • Network: Select the VPC that you created.
    • Subnet: Select pcf-public-subnet-az0.
    • Auto-assign for Public IP: Select Enable.
    • For all other fields, accept the default values.

  11. Click Next: Add Storage and adjust the Size (GiB) value. The default persistent disk value is 50 GB. Pivotal recommends increasing this value to a minimum of 100 GB.

  12. Click Next: Tag Instance.

  13. On the Add Tags page, add a tag with the key Name and value pcf-ops-manager.

  14. Click Next: Configure Security Group.

  15. Select the pcf-ops-manager-security-group that you created in Step 5: Configure a Security Group for Ops Manager.

  16. Click Review and Launch and confirm the instance launch details.

  17. Click Launch.

  18. Select the pcf-ops-manager-key key pair, confirm that you have access to the private key file, and click Launch Instances. You use this key pair to access the Ops Manager VM.

  19. Click View Instances to access the Instances page on the EC2 Dashboard.

Step 13: Create Web Load Balancer

  1. On the EC2 Dashboard, click Load Balancers.
  2. Click Create Load Balancer.
  3. Select Classic Load Balancer.
  4. Configure the load balancer with the following information:

    • Load Balancer name: Enter pcf-web-elb.
    • Create LB Inside: Select the pcf-vpc VPC that you created in Step 4: Create a VPC.
    • Ensure that the Create an internal load balancer checkbox is not selected.

  5. Under Listener Configuration, add the following rules:

    Load Balancer Protocol  Load Balancer Port  Instance Protocol  Instance Port
    HTTP                    80                  HTTP               80
    HTTPS                   443                 HTTP               80
    SSL                     4443                TCP                80
  6. Under Select Subnets, select the public subnets you configured in Step 4: Create a VPC, and click Next: Assign Security Groups.

  7. On the Assign Security Groups page, select the security group pcf-web-elb-security-group you configured in Step 7: Configure a Security Group for the Web ELB, and click Next: Configure Security Settings.

  8. On the Configure Security Settings page, select Upload a new SSL certificate to AWS Identity and Access Management (IAM). For a production environment, use a certificate from a Certificate Authority. For a development environment, use a self-signed certificate.

    Note: In this configuration, SSL traffic will be decrypted at the load balancer and then sent to Gorouter instances in the VPC.

  9. On the Configure Health Check page, enter the following values:

    • Ping Protocol: Select HTTP.
    • Ping Port: Set to 8080.
    • Ping Path: Set to /health.
    • Interval: Set to 5 seconds.
    • Response Timeout: Set to 3 seconds.
    • Unhealthy threshold: Set to 3.
    • Healthy threshold: Set to 6.
  10. Click Next: Add EC2 Instances.

  11. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

  12. Accept the defaults on the Add Tags page and click Review and Create.

  13. Review and confirm the load balancer details, and click Create.

Step 14: Create SSH Load Balancer

  1. From the Load Balancers page, click Create Load Balancer.
  2. Select Classic Load Balancer.
  3. Configure the load balancer with the following information:

    • Load Balancer name: Enter pcf-ssh-elb.
    • Create LB Inside: Select the pcf-vpc VPC that you created in Step 4: Create a VPC.
    • Ensure that the Create an internal load balancer checkbox is not selected.
  4. Under Listener Configuration, add the following rules:

    Load Balancer Protocol  Load Balancer Port  Instance Protocol  Instance Port
    TCP                     2222                TCP                2222
  5. Under Select Subnets, select the public subnets you configured in Step 4: Create a VPC, and click Next: Assign Security Groups.

  6. On the Assign Security Groups page, select the security group pcf-ssh-elb-security-group you configured in Step 8: Configure a Security Group for the SSH ELB, and click Next: Configure Security Settings.

  7. On the Configure Security Settings page, ignore the Improve your load balancer’s security error message and click Next: Configure Health Check.

  8. On the Configure Health Check page, enter the following values:

    • Ping Protocol: Select TCP.
    • Ping Port: Set to 2222.
    • Interval: Set to 5 seconds.
    • Response Timeout: Set to 3 seconds.
    • Unhealthy threshold: Set to 3.
    • Healthy threshold: Set to 6.
  9. Click Next: Add EC2 Instances.

  10. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

  11. Accept the defaults on the Add Tags page and click Review and Create.

  12. Review and confirm the load balancer details, and click Create.

Step 15: Create TCP Load Balancer

  1. From the Load Balancers page, click Create Load Balancer.
  2. Select Classic Load Balancer.
  3. Configure the load balancer with the following information:

    • Load Balancer name: Enter pcf-tcp-elb.
    • Create LB Inside: Select the pcf-vpc VPC that you created in Step 4: Create a VPC.
    • Ensure that the Create an internal load balancer checkbox is not selected.

  4. Under Listener Configuration, add the following rules:

    Load Balancer Protocol  Load Balancer Port  Instance Protocol  Instance Port
    TCP                     1024                TCP                1024
    TCP                     1025                TCP                1025
    TCP                     1026                TCP                1026
    ...                     ...                 ...                ...
    TCP                     1123                TCP                1123

    The ... entry above indicates that you must add listening rules for each port between 1026 and 1123.

  5. Under Select Subnets, select the public subnets you configured in Step 4: Create a VPC, and click Next: Assign Security Groups.

  6. On the Assign Security Groups page, select the security group pcf-tcp-elb-security-group you configured in Step 9: Configure a Security Group for the TCP ELB, and click Next: Configure Security Settings.

  7. On the Configure Security Settings page, ignore the Improve your load balancer’s security error message and click Next: Configure Health Check.

  8. On the Configure Health Check page, enter the following values:

    • Ping Protocol: Select TCP.
    • Ping Port: Set to 80.
    • Interval: Set to 5 seconds.
    • Response Timeout: Set to 3 seconds.
    • Unhealthy threshold: Set to 3.
    • Healthy threshold: Set to 6.
  9. Click Next: Add EC2 Instances.

  10. Accept the defaults on the Add EC2 Instances page and click Next: Add Tags.

  11. Accept the defaults on the Add Tags page and click Review and Create.

  12. Review and confirm the load balancer details, and click Create.
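
Steps 13 to 15 define 104 listeners across three load balancers by hand, and Steps 7 to 9 define the security groups that must admit them; a listener whose port the group blocks silently fails its health check, and a group that admits ports nothing listens on is wider than it needs to be. The following Python script is an added example, not part of the original Pivotal documentation: it expands the "..." row of the TCP ELB table into one listener per port, checks every listener port against its security group's inbound ranges, reports admitted ports with no listener, and renders each listener in the shorthand that the `aws elb create-load-balancer-listeners --listeners` option accepts (taken from the AWS CLI reference; the CLI is not covered on this page, so treat the rendering as an assumption to verify against your CLI version).

```python
"""Listener plan for the three classic ELBs (Steps 13 to 15), checked against the
inbound rules of their security groups (Steps 7 to 9)."""


def listener(lb_protocol, lb_port, instance_protocol, instance_port):
    """One classic ELB listener, keyed the way the AWS API names the fields."""
    return {"Protocol": lb_protocol, "LoadBalancerPort": lb_port,
            "InstanceProtocol": instance_protocol, "InstancePort": instance_port}


def tcp_elb_listeners(first=1024, last=1123):
    """Expand the '...' row of Step 15: one TCP pass-through listener per port."""
    return [listener("TCP", port, "TCP", port) for port in range(first, last + 1)]


LISTENER_PLAN = {
    "pcf-web-elb": [listener("HTTP", 80, "HTTP", 80),
                    listener("HTTPS", 443, "HTTP", 80),
                    listener("SSL", 4443, "TCP", 80)],
    "pcf-ssh-elb": [listener("TCP", 2222, "TCP", 2222)],
    "pcf-tcp-elb": tcp_elb_listeners(),
}

# Inbound TCP port ranges each ELB's security group admits from 0.0.0.0/0.
SG_ALLOWED = {
    "pcf-web-elb": [(80, 80), (443, 443), (4443, 4443)],
    "pcf-ssh-elb": [(2222, 2222)],
    "pcf-tcp-elb": [(1024, 1123)],
}


def check_listener_plan(plan, allowed):
    """Return problems: listener ports the group blocks, and admitted ports nothing listens on."""
    problems = []
    for lb, listeners in plan.items():
        ranges = allowed.get(lb, [])
        lb_ports = {entry["LoadBalancerPort"] for entry in listeners}
        for port in sorted(lb_ports):
            if not any(lo <= port <= hi for lo, hi in ranges):
                problems.append(f"{lb}: listener port {port} is blocked by its security group")
        for lo, hi in ranges:
            idle = [p for p in range(lo, hi + 1) if p not in lb_ports]
            if idle:
                problems.append(f"{lb}: security group admits {len(idle)} port(s) with no listener, "
                                f"first is {idle[0]}")
    return problems


def to_cli_shorthand(entry):
    """Render a listener in the shorthand accepted by `aws elb create-load-balancer-listeners --listeners`."""
    return ("Protocol={Protocol},LoadBalancerPort={LoadBalancerPort},"
            "InstanceProtocol={InstanceProtocol},InstancePort={InstancePort}").format(**entry)


if __name__ == "__main__":
    print("problems:", check_listener_plan(LISTENER_PLAN, SG_ALLOWED) or "none")
    for lb, listeners in LISTENER_PLAN.items():
        print(f"{lb}: {len(listeners)} listener(s), e.g. {to_cli_shorthand(listeners[0])}")
```

With the documented plan and groups the check reports nothing; narrow the TCP ELB group to 1024-1100, or stop adding listeners partway through the 1024-1123 range, and it names exactly which ports are affected.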

Step 16: Configure DNS Records

  1. Perform the following steps for all three of the load balancers you created in previous steps, named pcf-web-elb, pcf-ssh-elb, and pcf-tcp-elb:
    1. From the Load Balancers page, select the load balancer.
    2. On the Description tab, locate the Basic Configuration section and record the DNS name of the load balancer.
  2. Click Instances on the left navigation to view your EC2 instances.
  3. Select the pcf-ops-manager instance you created in Step 12: Launch a Pivotal Ops Manager AMI.
  4. On the Description tab, record the value for IPv4 Public IP.
  5. Navigate to your DNS provider and create the following CNAME and A records:
    • CNAME: *.apps.YOUR-SYSTEM-DOMAIN.com and *.system.YOUR-SYSTEM-DOMAIN.com point to the DNS name of the pcf-web-elb load balancer.
    • CNAME: ssh.YOUR-SYSTEM-DOMAIN.com points to the DNS name of the pcf-ssh-elb load balancer.
    • CNAME: tcp.YOUR-SYSTEM-DOMAIN.com points to the DNS name of the pcf-tcp-elb load balancer.
    • A: pcf.YOUR-SYSTEM-DOMAIN.com points to the public IP address of the pcf-ops-manager EC2 instance.

Step 17: Secure the NAT Instance

  1. On the EC2 Dashboard, click Instances.
  2. Select the NAT instance, which has an instance type of t2.medium.
  3. From the Actions menu, select Networking>Change Security Groups.
  4. Change the NAT security group from the default group to the pcf-nat-security-group NAT security group that you created in Step 10: Configure a Security Group for the Outbound NAT.
  5. Click Assign Security Groups.

Step 18: Create RDS Subnet Group

  1. Navigate to the RDS Dashboard.

  2. Perform the following steps to create an RDS Subnet Group for the three RDS subnets:

    1. Click Subnet Groups>Create DB Subnet Group.
    2. Enter the following values:
      • Name: Enter pcf-rds-subnet-group.
      • Description: Enter a description to identify this subnet group.
      • VPC ID: Select pcf-vpc.
      • Availability Zone and Subnet ID: Choose the AZ and subnet for pcf-rds-subnet-az0 and click Add.
    3. Repeat the steps above to add pcf-rds-subnet-az1 and pcf-rds-subnet-az2 to the group.
    4. Click Create.

    The following screenshot shows a completed subnet group.

    Screenshot: completed RDS subnet group

    Note: On the Subnet Group page, you may need to refresh the page to view the new group.

Step 19: Create a MySQL Database Using AWS RDS

Note: You must have an empty MySQL database when you install or reinstall PCF on AWS.

  1. Navigate to the RDS Dashboard.
  2. Click Instances>Launch DB Instance to launch the wizard.
  3. Select MySQL.
  4. Select the MySQL radio button under Production to create a database for production environments.
  5. Click Next Step.
  6. Specify the following database details:

    • DB Instance Class: Select db.m3.large - 2 vCPU, 7.5 GiB RAM.
    • Multi-AZ Deployment: Select Yes.
    • Storage Type: Select Provisioned IOPS (SSD).
    • Allocated Storage: Enter 100 GB.
    • DB Instance Identifier: Enter pcf-ops-manager-director.
    • Enter a secure Master Username and Master Password.

      Note: Record the username and password. You need these credentials later when configuring the Director Config page in the Ops Manager Director tile.

  7. Click Next Step.

  8. On the Configure Advanced Settings page, enter the following values:

    Screenshot: Advanced DB settings

  9. Click Launch DB Instance. Launching the instance may take several minutes.

  10. When the instance has launched, proceed to Manually Configuring Ops Manager Director for AWS to continue deploying PCF.

Required AWS Objects

This section describes the AWS objects you create in the procedures above in order to deploy PCF.

Use this section to determine the resource requirements of PCF on AWS, or to verify that you created the correct resources after completing the procedures above.

S3 Buckets for Ops Manager and Elastic Runtime

You must create the following S3 buckets from the S3 Dashboard:

  • pcf-ops-manager-bucket
  • pcf-buildpacks-bucket
  • pcf-packages-bucket
  • pcf-resources-bucket
  • pcf-droplets-bucket

These buckets must be empty when you install or reinstall PCF.

See Step 2: Create S3 Buckets.

IAM User for PCF

You must create an IAM user for PCF named pcf-user from the Identity and Access Management Dashboard, using the policy document included in the Pivotal Cloud Foundry for AWS Policy Document topic.

See Step 3: Create an IAM User for PCF.

Key Pair

You must generate a key pair named pcf-ops-manager-key when creating an IAM user.

See Step 3: Create an IAM User for PCF.

VPC (Public and Private Subnets)

You must create a VPC with public and private subnets from the VPC Dashboard.

The following table lists the subnets in CIDR block 10.0.0.0/16.

Name                       AZ                                   IPv4 CIDR block
pcf-public-subnet-az0      REGION-#a (for example, us-west-2a)  10.0.0.0/24
pcf-public-subnet-az1      REGION-#b (for example, us-west-2b)  10.0.1.0/24
pcf-public-subnet-az2      REGION-#c (for example, us-west-2c)  10.0.2.0/24
pcf-management-subnet-az0  REGION-#a (for example, us-west-2a)  10.0.16.0/28
pcf-management-subnet-az1  REGION-#b (for example, us-west-2b)  10.0.16.16/28
pcf-management-subnet-az2  REGION-#c (for example, us-west-2c)  10.0.16.32/28
pcf-ert-subnet-az0         REGION-#a (for example, us-west-2a)  10.0.4.0/24
pcf-ert-subnet-az1         REGION-#b (for example, us-west-2b)  10.0.5.0/24
pcf-ert-subnet-az2         REGION-#c (for example, us-west-2c)  10.0.6.0/24
pcf-services-subnet-az0    REGION-#a (for example, us-west-2a)  10.0.8.0/24
pcf-services-subnet-az1    REGION-#b (for example, us-west-2b)  10.0.9.0/24
pcf-services-subnet-az2    REGION-#c (for example, us-west-2c)  10.0.10.0/24
pcf-rds-subnet-az0         REGION-#a (for example, us-west-2a)  10.0.12.0/24
pcf-rds-subnet-az1         REGION-#b (for example, us-west-2b)  10.0.13.0/24
pcf-rds-subnet-az2         REGION-#c (for example, us-west-2c)  10.0.14.0/24

See Step 4: Create a VPC.

NAT Instance

You must create a NAT instance when creating a VPC. The NAT instance must have the following configuration:

  • Instance type: t2.medium
  • Key pair name: pcf-ops-manager-key
  • Enable DNS hostnames: Yes
  • Hardware tenancy: Default

See Step 4: Create a VPC.

You must also assign the NAT instance to the pcf-nat-security-group. See Step 17: Secure the NAT Instance.

Security Groups

The following sections describe the security groups you must create from the EC2 Dashboard.

Ops Manager

The Ops Manager Security Group must be named pcf-ops-manager-security-group and have the following inbound rules:

Type             Protocol  Port Range   Source
HTTP             TCP       80           My IP
HTTPS            TCP       443          My IP
SSH              TCP       22           My IP
BOSH Agent       TCP       6868         10.0.0.0/16
BOSH Director    TCP       25555        10.0.0.0/16

See Step 5: Configure a Security Group for Ops Manager.

PCF VMs

The PCF VMs Security Group must be named pcf-vms-security-group and have the following inbound rule:

Type             Protocol  Port Range   Source
All traffic      All       0 - 65535    Custom IP 10.0.0.0/16

See Step 6: Configure a Security Group for PCF VMs.

Web ELB

The Web ELB Security Group must be named pcf-web-elb-security-group and have the following inbound rules:

Type             Protocol  Port Range   Source
Custom TCP rule  TCP       4443         Anywhere 0.0.0.0/0
HTTP             TCP       80           Anywhere 0.0.0.0/0
HTTPS            TCP       443          Anywhere 0.0.0.0/0

See Step 7: Configure a Security Group for the Web ELB.

SSH ELB

The SSH ELB Security Group must be named pcf-ssh-elb-security-group and have the following inbound rule:

Type             Protocol  Port Range   Source
Custom TCP rule  TCP       2222         Anywhere 0.0.0.0/0

The SSH ELB Security Group must have the following outbound rule:

Type             Protocol  Port Range   Destination
All traffic      All       All          Anywhere 0.0.0.0/0

See Step 8: Configure a Security Group for the SSH ELB.

TCP ELB

The TCP ELB Security Group must be named pcf-tcp-elb-security-group and have the following inbound rule:

Type             Protocol  Port Range   Source
Custom TCP rule  TCP       1024 - 1123  Anywhere 0.0.0.0/0

The TCP ELB Security Group must have the following outbound rule:

Type             Protocol  Port Range   Destination
All traffic      All       All          Anywhere 0.0.0.0/0

See Step 9: Configure a Security Group for the TCP ELB.

Outbound NAT

The Outbound NAT Security Group must be named pcf-nat-security-group and have the following inbound rule:

Type             Protocol  Port Range   Source
All traffic      All       All          Custom IP 10.0.0.0/16

See Step 10: Configure a Security Group for the Outbound NAT.

MySQL

The MySQL Security Group must be named pcf-mysql-security-group and have the following inbound rule:

Type             Protocol  Port Range   Source
MySQL            TCP       3306         Custom IP 10.0.0.0/16

The MySQL Security Group must have the following outbound rule:

Type             Protocol  Port Range   Destination
All traffic      All       All          Custom IP 10.0.0.0/16

See Step 11: Configure a Security Group for MySQL.

Ops Manager AMI

You must locate the public Ops Manager AMI using the AMI ID provided by the PDF downloaded when clicking Pivotal Cloud Foundry Ops Manager for AWS on Pivotal Network.

See Step 12: Launch a Pivotal Ops Manager AMI.

ELBs

The following sections describe the ELBs you must create from the EC2 Dashboard.

Web ELB

You must create a web ELB with the following configuration:

  • Name: pcf-web-elb
  • LB Inside: pcf-vpc
  • Selected Subnet: pcf-public-subnet-az0, pcf-public-subnet-az1, pcf-public-subnet-az2
  • Security Group: pcf-web-elb-security-group
  • Health Check: HTTP Port 8080, Path: /health

See Step 13: Create Web Load Balancer.

SSH ELB

  • Name: pcf-ssh-elb
  • LB Inside: pcf-vpc
  • Selected Subnet: pcf-public-subnet-az0, pcf-public-subnet-az1, pcf-public-subnet-az2
  • Security Group: pcf-ssh-elb-security-group
  • Health Check: TCP Port 2222

See Step 14: Create SSH Load Balancer.

TCP ELB

  • Name: pcf-tcp-elb
  • LB Inside: pcf-vpc
  • Selected Subnet: pcf-public-subnet-az0, pcf-public-subnet-az1, pcf-public-subnet-az2
  • Security Group: pcf-tcp-elb-security-group
  • Health Check: TCP Port 80

See Step 15: Create TCP Load Balancer.

DNS Configuration

You must navigate to your DNS provider and create CNAME and A records for all three of your load balancers.

See Step 16: Configure DNS Records.

RDS Subnet Group

You must create a subnet group for RDS named pcf-rds-subnet-group from the RDS Dashboard.

See Step 18: Create RDS Subnet Group.

MySQL Database

You must create a MySQL database from the RDS Dashboard.

See Step 19: Create a MySQL Database Using AWS RDS.
