The following requirements should be met when using this configuration. Below is a summary of requirements for the AWS environment and instances created on it.
Requirements for AWS environment
Create a base environment on AWS to provide services. The requirements for using this configuration are as follows.
Amazon Virtual Private Cloud (VPC)
- A VPC needs to be configured in AWS.
- The VPC where the client is located must be configured in a different region from the VPC where the cluster nodes are located.
- Create a subnet for the primary instance and a subnet for the standby instance in the VPC where the cluster nodes reside. The subnets must be created in different Availability Zones (AZ).
- The security groups for the subnets in the VPC containing the cluster nodes must be configured to allow incoming traffic from the subnet in the VPC containing the client, and vice versa.
Amazon Elastic Compute Cloud (EC2)
- At least 2 instances are required.
- A primary instance and a standby instance need to be configured in different AZs from each other.
- Cluster node instances are connected to an Elastic Network Interface (ENI).
- Cluster node instances must satisfy LifeKeeper installation requirements.
- The AWS Command Line Interface (AWS CLI) must be installed on all of the cluster node instances. Refer to Installing the AWS CLI for more details. The path to the AWS CLI executable files must be appended to the PATH parameter in the LifeKeeper defaults file /etc/default/LifeKeeper if it is not already present there.
- The cluster nodes need to be able to access the Amazon EC2 web service endpoint URL (see https://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region) using https and the Amazon EC2 metadata URL (http://169.254.169.254/) using http.
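As an added example (not part of the LifeKeeper documentation), the following POSIX shell script checks whether the directory holding the `aws` executable is already listed on the PATH line of the LifeKeeper defaults file and appends it only when it is missing, so the check can be re-run safely. The defaults file sample is constructed, and the AWS CLI location (`/usr/local/bin`) is an assumption; point the functions at the real `/etc/default/LifeKeeper` and the real install directory when using it.

```shell
#!/bin/sh
# Added example (not from the LifeKeeper documentation): check whether the
# directory holding the aws executable is listed in the PATH= line of the
# LifeKeeper defaults file, and append it only when it is missing.
# Assumptions: the defaults file has at most one PATH= line, and the aws
# executable lives in AWS_CLI_DIR. The sample file below is constructed.

# Print the value of the PATH= assignment in the given file (empty if none).
lk_defaults_path() {
    sed -n 's/^PATH=//p' "$1" | tail -n 1
}

# Succeed when DIR is one of the colon-separated entries of that PATH value.
lk_path_has_dir() {
    _file=$1; _dir=$2
    case ":$(lk_defaults_path "$_file"):" in
        *":$_dir:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append DIR to the PATH= line when absent; add the line if the file has none.
# Idempotent, so re-running the check does not keep growing the PATH.
# The rewrite goes through cat so the file keeps its owner and mode.
lk_path_append_dir() {
    _file=$1; _dir=$2
    if lk_path_has_dir "$_file" "$_dir"; then
        return 0
    fi
    if grep -q '^PATH=' "$_file"; then
        sed "s|^PATH=.*|&:$_dir|" "$_file" > "$_file.tmp" \
            && cat "$_file.tmp" > "$_file" && rm -f "$_file.tmp"
    else
        printf 'PATH=%s\n' "$_dir" >> "$_file"
    fi
}

# Constructed sample standing in for /etc/default/LifeKeeper.
LK_SAMPLE=$(mktemp)
cat > "$LK_SAMPLE" <<'EOF'
# constructed sample; only the PATH line matters for this check
PATH=/bin:/usr/bin:/sbin:/usr/sbin
EOF

AWS_CLI_DIR=/usr/local/bin   # assumption: directory where `aws` was installed

if lk_path_has_dir "$LK_SAMPLE" "$AWS_CLI_DIR"; then
    echo "$AWS_CLI_DIR already in PATH"
else
    lk_path_append_dir "$LK_SAMPLE" "$AWS_CLI_DIR"
    echo "appended $AWS_CLI_DIR; PATH is now $(lk_defaults_path "$LK_SAMPLE")"
fi
```

The entry-based match (`:dir:` against the colon-delimited value) avoids the false positive a plain substring search would give when, for example, `/usr/local/bin` is absent but `/usr/local/bin2` is present.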
AWS Identity and Access Management (IAM)
In order for LifeKeeper to operate in AWS, an IAM user or IAM role with the following access privileges is required. Either attach an IAM role to the EC2 instance or configure the AWS CLI so that these credentials are available to the root user of the EC2 instance.
- ec2:DisassociateAddress
- ec2:DescribeAddresses
- ec2:AssociateAddress
- ec2:DescribeRouteTables
- ec2:ReplaceRoute
AWS Transit Gateway
- The VPC with cluster nodes and VPCs with clients should not be directly connected to each other with AWS Inter-Region VPC Peering. Instead, create an AWS Transit Gateway in each region and connect the AWS Transit Gateways with AWS Transit Gateway inter-region peering.
- Enable the default route table association and the default route table propagation when creating each AWS Transit Gateway.
- Create a Transit Gateway Attachment in each region to connect each AWS Transit Gateway to its corresponding VPC.
- Enable the inter-region peering connection between the two AWS Transit Gateways by creating a Transit Gateway Attachment. Note that this step requires manual confirmation in the target region before the Transit Gateway Attachment will actually be created by AWS.
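As an added example (not part of the LifeKeeper documentation), the following POSIX shell script expresses the four Transit Gateway steps above as AWS CLI calls, with the default route table association and propagation options enabled at creation and the peering attachment accepted in the target region. The regions, account id, VPC, subnet and Transit Gateway ids are placeholders; commands are only printed unless `LK_APPLY=1` is set, so the sequence can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example (not from the LifeKeeper documentation): the four Transit
# Gateway steps above as AWS CLI calls. Regions, account id, VPC, subnet and
# TGW ids are placeholders to replace with real values. Commands are only
# printed unless LK_APPLY=1 is set, so the sequence can be reviewed first.

CLUSTER_REGION=${CLUSTER_REGION:-ap-northeast-1}   # placeholder: region of the cluster VPC
CLIENT_REGION=${CLIENT_REGION:-us-west-2}          # placeholder: region of the client VPC
ACCOUNT_ID=${ACCOUNT_ID:-111122223333}             # placeholder: AWS account owning both TGWs

# Print the command, or execute it when LK_APPLY=1.
run() {
    if [ "${LK_APPLY:-0}" = 1 ]; then "$@"; else printf 'would run: %s\n' "$*"; fi
}

# Step 1: one Transit Gateway per region with default route table association
# and propagation enabled, as the requirements state.
tgw_create() {
    run aws ec2 create-transit-gateway --region "$1" \
        --options DefaultRouteTableAssociation=enable,DefaultRouteTablePropagation=enable
}

# Step 2: attach the region's VPC to its Transit Gateway. The cluster VPC is
# attached via both the primary and the standby subnet (different AZs).
# Usage: tgw_attach_vpc REGION TGW_ID VPC_ID SUBNET_ID...
tgw_attach_vpc() {
    _region=$1; _tgw=$2; _vpc=$3; shift 3
    run aws ec2 create-transit-gateway-vpc-attachment --region "$_region" \
        --transit-gateway-id "$_tgw" --vpc-id "$_vpc" --subnet-ids "$@"
}

# Step 3: request inter-region peering from the cluster-side Transit Gateway.
# Usage: tgw_request_peering REGION TGW_ID PEER_TGW_ID PEER_REGION
tgw_request_peering() {
    run aws ec2 create-transit-gateway-peering-attachment --region "$1" \
        --transit-gateway-id "$2" --peer-transit-gateway-id "$3" \
        --peer-account-id "$ACCOUNT_ID" --peer-region "$4"
}

# Step 4: the peering attachment stays pending until it is accepted in the
# target (peer) region; this is the manual confirmation the requirements mention.
# Usage: tgw_accept_peering PEER_REGION PEERING_ATTACHMENT_ID
tgw_accept_peering() {
    run aws ec2 accept-transit-gateway-peering-attachment --region "$1" \
        --transit-gateway-attachment-id "$2"
}

# Placeholder ids; in a real run take them from the output of the create calls.
CLUSTER_TGW=tgw-PLACEHOLDERCLUSTER
CLIENT_TGW=tgw-PLACEHOLDERCLIENT
PEERING_ATTACHMENT=tgw-attach-PLACEHOLDERPEER

tgw_create "$CLUSTER_REGION"
tgw_create "$CLIENT_REGION"
tgw_attach_vpc "$CLUSTER_REGION" "$CLUSTER_TGW" vpc-PLACEHOLDERCLUSTER \
    subnet-PLACEHOLDERPRIMARY subnet-PLACEHOLDERSTANDBY
tgw_attach_vpc "$CLIENT_REGION" "$CLIENT_TGW" vpc-PLACEHOLDERCLIENT subnet-PLACEHOLDERCLIENT
tgw_request_peering "$CLUSTER_REGION" "$CLUSTER_TGW" "$CLIENT_TGW" "$CLIENT_REGION"
tgw_accept_peering "$CLIENT_REGION" "$PEERING_ATTACHMENT"
```

Note that the accept call is issued with `--region` set to the client (target) region, not the region where the peering was requested; running it in the wrong region is the usual reason the attachment stays in the pending state.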