Preparing to Deploy Ops Manager on AWS Manually

This topic describes how to manually configure the Amazon Web Services (AWS) components that you need to deploy Pivotal Cloud Foundry (PCF) on AWS.

Note: To install PCF with the Pivotal Container Service (PKS) runtime on AWS, you must use Terraform. Manual installation is not currently supported. See Installing and Configuring Ops Manager on AWS in the PKS documentation.

To deploy PCF on AWS, you must perform the procedures in this topic to create objects in the AWS Management Console that PCF requires.

To view the list of AWS objects created by the procedures in this topic, see Required AWS Objects.

After completing the procedures in this topic, proceed to Deploying Ops Manager on AWS Manually to continue deploying PCF.

Step 1: File a Ticket

Log in to the AWS Management Console, and file a ticket with Amazon to ensure that your account can launch more than the default 20 instances. In the ticket, ask for a limit of 50 t2.micro instances and 20 c4.large instances in the region you are using.

Note: To deploy PCF to AWS GovCloud (US), log in to the AWS GovCloud (US) Console instead of the standard AWS Management Console and select the us-gov-west-1 region.

Note: To deploy PCF to AWS China, set up an AWS China account and contact the Platform Architect assigned for your Pivotal account.

You can check the limits on your account by visiting the EC2 Dashboard on the AWS Management Console and clicking Limits on the left navigation.

Step 2: Create S3 Buckets

  1. Navigate to the S3 Dashboard.

    Note: S3 bucket names must be globally unique. When naming buckets, Pivotal recommends that you prefix the generic names below with a unique and helpfully identifiable string (for example, ID-STRING-pcf-ops-manager-bucket, MY-IDENTIFIER-pcf-buildpacks-bucket, and so on). Then use the same prefix when naming other associated resources, such as IAM policies.

  2. Perform the following steps to create five S3 buckets:

    • Click Create Bucket.
    • For Bucket name, enter ID-STRING-pcf-ops-manager-bucket.
    • For Region, select your region.
    • Click Next three times.
    • Click Create bucket.
    • Repeat the above steps to create four more S3 buckets:
      1. ID-STRING-pcf-buildpacks-bucket
      2. ID-STRING-pcf-packages-bucket
      3. ID-STRING-pcf-resources-bucket
      4. ID-STRING-pcf-droplets-bucket

Step 3: Create an IAM User for PCF

Perform the following steps to create an Amazon Identity and Access Management (IAM) user with the minimal permissions necessary to run and install PCF:

  1. Click IAM to access the IAM Dashboard.

  2. Click Users and then click Add user.

  3. Enter a user name, such as pcf-user.

  4. For AWS access type, select Programmatic access.

    Note: If you prefer to create your keys locally and import them into AWS, see the Amazon documentation.

  5. Click Next: Permissions.

  6. Click Next: Review and review your choices.

    Note: On the Review page you may see a warning that the user has no permissions. You can disregard this message. You do not need to set user permissions.

  7. Click Create user.

  8. Click Download .csv to download the user security credentials.

    WARNING: The credentials.csv file contains your access key ID and secret access key. Keep the credentials.csv file for your currently active key pairs in a secure directory. You cannot recover a lost key pair.

  9. Click Close.

  10. On the Users page, click the user name to access the user details page.

    Note: On the Users page you may see a warning that the user has no permissions. You can disregard this message. You do not need to set user permissions.

  11. Click Add inline policy. You can review your existing inline policies by clicking the down arrow.

  12. On the Create policy page, define a policy:

    1. Copy the policy document included in the Pivotal Cloud Foundry for AWS Policy Document topic. You must edit the policy document so the names of the S3 buckets match the ones you created in Step 2: Create S3 Buckets.
    2. Paste the policy document into the JSON tab on the Create policy page.
  13. Click Review policy.

  14. In the Name field, enter pcf-iam-policy.

  15. Click Create policy. The Summary page displays a list of available policies and actions.

Step 4: Create a VPC

  1. Navigate to the VPC Dashboard.

  2. Click Start VPC Wizard.

  3. Select VPC with Public and Private Subnets and click Select.

  4. Specify the following details for your VPC:

    • IPv4 CIDR block: Enter 10.0.0.0/16.
    • IPv6 CIDR block: Select No IPv6 CIDR Block.
    • VPC name: pcf-vpc.
    • Public subnet’s IPv4 CIDR: Enter 10.0.0.0/24.
    • Set the Availability Zone fields for both subnets to REGION-#a. For example, us-west-2a.
    • Public subnet name: Enter pcf-public-subnet-az0.
    • Private subnet’s IPv4 CIDR: Enter 10.0.16.0/28.
    • Private subnet name: Enter pcf-management-subnet-az0.
    • Click Use a NAT instance instead and do the following:
      • Under Specify the details of your NAT instance, set the Instance type to t2.medium.
      • Create a key pair titled pcf-ops-manager-key. For more information about creating the key pair, see Amazon EC2 Key Pairs in the AWS documentation.
      • Select your newly-created pcf-ops-manager-key for the Key Pair name.
    • Enable DNS hostnames: Click Yes.
    • Hardware tenancy: Select Default.
    • Click Create VPC.
  5. After the VPC is successfully created, click Subnets in the left navigation.

  6. Click Create Subnet.

  7. Add the following subnets to the pcf-vpc VPC:

    Note: You created the first two subnets in the previous step: pcf-public-subnet-az0 and pcf-management-subnet-az0.

    Name                       AZ                                   IPv4 CIDR block
    pcf-public-subnet-az1      REGION-#b (for example, us-west-2b)  10.0.1.0/24
    pcf-public-subnet-az2      REGION-#c (for example, us-west-2c)  10.0.2.0/24
    pcf-management-subnet-az1  REGION-#b (for example, us-west-2b)  10.0.16.16/28
    pcf-management-subnet-az2  REGION-#c (for example, us-west-2c)  10.0.16.32/28
    pcf-pas-subnet-az0         REGION-#a (for example, us-west-2a)  10.0.4.0/24
    pcf-pas-subnet-az1         REGION-#b (for example, us-west-2b)  10.0.5.0/24
    pcf-pas-subnet-az2         REGION-#c (for example, us-west-2c)  10.0.6.0/24
    pcf-services-subnet-az0    REGION-#a (for example, us-west-2a)  10.0.8.0/24
    pcf-services-subnet-az1    REGION-#b (for example, us-west-2b)  10.0.9.0/24
    pcf-services-subnet-az2    REGION-#c (for example, us-west-2c)  10.0.10.0/24
    pcf-rds-subnet-az0         REGION-#a (for example, us-west-2a)  10.0.12.0/24
    pcf-rds-subnet-az1         REGION-#b (for example, us-west-2b)  10.0.13.0/24
    pcf-rds-subnet-az2         REGION-#c (for example, us-west-2c)  10.0.14.0/24
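Before typing the fifteen subnets above into the console, it is worth checking the plan for overlaps and for CIDRs that fall outside 10.0.0.0/16; a mistyped block is hard to fix once BOSH has VMs in it. The following checker is an added example, not part of the original topic; it encodes the subnet table from this step, with us-west-2 assumed in place of REGION, and generalizes to any plan that follows the pcf-TIER-subnet-azN naming (it also confirms every tier has a subnet in every AZ).

```python
import ipaddress
from collections import defaultdict

# Subnet plan from the Step 4 table, constructed here; us-west-2 stands in for REGION (assumption).
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "pcf-public-subnet-az0":     ("us-west-2a", "10.0.0.0/24"),
    "pcf-public-subnet-az1":     ("us-west-2b", "10.0.1.0/24"),
    "pcf-public-subnet-az2":     ("us-west-2c", "10.0.2.0/24"),
    "pcf-management-subnet-az0": ("us-west-2a", "10.0.16.0/28"),
    "pcf-management-subnet-az1": ("us-west-2b", "10.0.16.16/28"),
    "pcf-management-subnet-az2": ("us-west-2c", "10.0.16.32/28"),
    "pcf-pas-subnet-az0":        ("us-west-2a", "10.0.4.0/24"),
    "pcf-pas-subnet-az1":        ("us-west-2b", "10.0.5.0/24"),
    "pcf-pas-subnet-az2":        ("us-west-2c", "10.0.6.0/24"),
    "pcf-services-subnet-az0":   ("us-west-2a", "10.0.8.0/24"),
    "pcf-services-subnet-az1":   ("us-west-2b", "10.0.9.0/24"),
    "pcf-services-subnet-az2":   ("us-west-2c", "10.0.10.0/24"),
    "pcf-rds-subnet-az0":        ("us-west-2a", "10.0.12.0/24"),
    "pcf-rds-subnet-az1":        ("us-west-2b", "10.0.13.0/24"),
    "pcf-rds-subnet-az2":        ("us-west-2c", "10.0.14.0/24"),
}

def check_subnet_plan(vpc_cidr, plan):
    """Return a list of problems with the plan; an empty list means it is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, nets = [], {}
    for name, (az, cidr) in plan.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits set is an error
        except ValueError:
            problems.append(f"{name}: {cidr} is not on a network boundary")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} lies outside the VPC block {vpc_cidr}")
        nets[name] = (az, net)
    names = sorted(nets)
    for i, a in enumerate(names):  # pairwise overlap check
        for b in names[i + 1:]:
            if nets[a][1].overlaps(nets[b][1]):
                problems.append(f"{a} ({nets[a][1]}) overlaps {b} ({nets[b][1]})")
    tiers = defaultdict(set)  # tier name (public, management, pas, ...) -> AZs covered
    for name, (az, _) in nets.items():
        tiers[name.split("-")[1]].add(az)
    all_azs = {az for az, _ in nets.values()}
    for tier, azs in sorted(tiers.items()):
        for az in sorted(all_azs - azs):
            problems.append(f"tier {tier} has no subnet in {az}")
    return problems
```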

Step 5: Configure a Security Group for Ops Manager

  1. Return to the EC2 Dashboard.

  2. Select Security Groups > Create Security Group.

  3. For Security group name, enter pcf-ops-manager-security-group.

  4. For Description, enter a description to identify this security group.

  5. For VPC, select the VPC where you want to deploy Ops Manager.

  6. Click the Inbound tab and add rules according to the table below.

    Note: Pivotal recommends limiting access to Ops Manager to IP ranges within your organization, but you may relax the IP restrictions after configuring authentication for Ops Manager.

    Type           Protocol  Port Range  Source
    HTTP           TCP       80          My IP
    HTTPS          TCP       443         My IP
    SSH            TCP       22          My IP
    BOSH Agent     TCP       6868        10.0.0.0/16
    BOSH Director  TCP       25555       10.0.0.0/16

  7. Click Create.
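The note above is the important one: the Ops Manager group is the only path to the BOSH Director and its console, so it pays to re-check it against the table after the deployment, when people tend to "temporarily" widen a source to 0.0.0.0/0. The audit below is an added example, not part of the original topic or of Ops Manager: it takes one security group in the shape that `aws ec2 describe-security-groups` returns (the sample here is constructed, and 203.0.113.0/24 is an assumed placeholder for "My IP") and reports rules that are missing, unexpected, or open to the world.

```python
# Expected inbound rules for pcf-ops-manager-security-group, from the Step 5 table.
# ORG_CIDR stands in for "My IP" (203.0.113.0/24 is a constructed placeholder).
ORG_CIDR = "203.0.113.0/24"
VPC_CIDR = "10.0.0.0/16"
EXPECTED_OPS_MANAGER_RULES = {
    ("tcp", 80, 80, ORG_CIDR),
    ("tcp", 443, 443, ORG_CIDR),
    ("tcp", 22, 22, ORG_CIDR),
    ("tcp", 6868, 6868, VPC_CIDR),
    ("tcp", 25555, 25555, VPC_CIDR),
}

# Constructed sample in the shape `aws ec2 describe-security-groups` returns:
# SSH has drifted to 0.0.0.0/0 and an undocumented rule on 8080 has appeared.
SAMPLE_GROUP = {
    "GroupName": "pcf-ops-manager-security-group",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ORG_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ORG_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 6868, "ToPort": 6868, "IpRanges": [{"CidrIp": VPC_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 25555, "ToPort": 25555, "IpRanges": [{"CidrIp": VPC_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": ORG_CIDR}]},
    ],
}

def flatten_rules(group):
    """One (protocol, from_port, to_port, cidr) tuple per IPv4 range in the group."""
    rules = set()
    for perm in group["IpPermissions"]:
        # Protocol "-1" (all traffic) carries no port fields; treat it as the full range.
        frm, to = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            rules.add((perm["IpProtocol"], frm, to, rng["CidrIp"]))
    return rules

def audit_security_group(group, expected):
    """Return (missing, unexpected, world_open) sets describing drift from the table."""
    actual = flatten_rules(group)
    missing = expected - actual
    unexpected = actual - expected
    world_open = {r for r in actual if r[3] == "0.0.0.0/0"}
    return missing, unexpected, world_open
```

The same function applies to the other groups in Steps 6 to 11 once you write their tables as expected-rule sets; for the ELB groups the 0.0.0.0/0 entries are expected, so only the missing and unexpected sets matter there.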

Step 6: Configure a Security Group for PCF VMs

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-vms-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy the PCF VMs.

  5. Click the Inbound tab and add rules for all traffic from your public and private subnets to your private subnet, as the table below shows. This rule configuration does the following:

    • Enables BOSH to deploy PAS and other services.
    • Enables application VMs to communicate through the router.
    • Allows the load balancer to send traffic to Pivotal Application Service (PAS).

    Type         Protocol  Port Range  Source
    All traffic  All       0 - 65535   Custom IP 10.0.0.0/16

  6. Click Create.

Step 7: Configure a Security Group for the Web ELB

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-web-elb-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy this Elastic Load Balancer (ELB).

  5. Click the Inbound tab and add rules to allow traffic to ports 80, 443, and 4443 from 0.0.0.0/0, as the table below shows.

    Note: Allow traffic to port 4443 only if you are in an AWS cloud region that does not support AWS ALBs, such as the GovCloud region. For more information about AWS regions and availability zones, see AWS Global Infrastructure.

    Note: For finer control over what can reach PAS, change 0.0.0.0/0 to be more restrictive. This security group governs external access to PAS from apps such as the cf CLI and app URLs.

    Type             Protocol  Port Range  Source
    Custom TCP rule  TCP       4443        Anywhere 0.0.0.0/0
    HTTP             TCP       80          Anywhere 0.0.0.0/0
    HTTPS            TCP       443         Anywhere 0.0.0.0/0

  6. Click Create.

Step 8: Configure a Security Group for the SSH ELB

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-ssh-elb-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy this ELB.

  5. Click the Inbound tab and add the following rule:

    Type             Protocol  Port Range  Source
    Custom TCP rule  TCP       2222        Anywhere 0.0.0.0/0

  6. Click Create.

Step 9: Configure a Security Group for the TCP ELB

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-tcp-elb-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy this ELB.

  5. Click the Inbound tab and add the following rule:

    Type             Protocol  Port Range   Source
    Custom TCP rule  TCP       1024 - 1123  Anywhere 0.0.0.0/0

  6. Click Create.

Step 10: Configure a Security Group for the Outbound NAT

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-nat-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy the Outbound NAT.

  5. Click the Inbound tab and add a rule to allow all traffic from your VPC, as the table below shows.

    Type         Protocol  Port Range  Source
    All traffic  All       All         Custom IP 10.0.0.0/16

  6. Click Create.

Step 11: Configure a Security Group for MySQL

Note: If you plan to use an internal database, skip this step. If you are using RDS, you must configure a security group that enables the Ops Manager VM and BOSH Director VM to access the database.

  1. From the Security Groups page, click Create Security Group to create another security group.

  2. For Security group name, enter pcf-mysql-security-group.

  3. For Description, enter a description to identify this security group.

  4. For VPC, select the VPC where you want to deploy MySQL.

  5. Click the Inbound tab. Add a rule of type MySQL and specify the subnet of your VPC in Source, as the table below shows.

    Type   Protocol  Port Range  Source
    MySQL  TCP       3306        Custom IP 10.0.0.0/16

  6. Click the Outbound tab. Add a rule of type All traffic and specify the subnet of your VPC in Destination, as the table below shows.

    Type         Protocol  Port Range  Destination
    All traffic  All       All         Custom IP 10.0.0.0/16

  7. Click Create.

Next Step

Proceed to the next step, Deploying Ops Manager on AWS Manually.