Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configure AWS Resources

Prepare AMIs and configure security settings required for the deployment.

This topic describes how to prepare the required AWS resources for deployment. It includes importing Routing Director images into Amazon Machine Images (AMIs) and configuring security groups to control access to cluster nodes and services. Importing a known VM image into an AMI provides consistent instance provisioning.

Completing these steps ensures that the necessary images and network security settings are in place.

Import Routing Director Image Files to AMI

Download the Routing Director software OVA bundle from the software download site. Extract the VMDK files from the OVA bundle.
To import the Routing Director VMDK files to Amazon Machine Image (AMI), perform the following steps:
  1. Upload the VMDK files to the S3 bucket.
  2. Create a disk specification containers.json file to convert the VMDK to AMI. For example:

    In this example, there are two VMDK files inside the 320310554640-bucket-west2 S3 bucket as the source images.

  3. Convert the VMDK files to AMI.

    Note down the ImportTaskId from the output.

  4. Check the status of the conversion job using the ImportTaskId until the status is Completed.
    Note: Note down the ImageId and ImportTaskId. You need this information when you create EC2 instances.

For more information on importing VMDK files to AMI, see https://docs.aws.amazon.com/vm-import/latest/userguide/import-vm-image.html.

To create the security groups for EC2 instances and load balancers, go to Create the Security Groups.

Create the Security Groups

After importing the Routing Director image to Amazon Machine Image (AMI), you must create the security groups to allow traffic to and from the VMs and the load balancer.

Create EC2 Instance Security Group

The following table details the security group that is attached to the EC2 instance and allows traffic flow to and from the VM.
Table 1: EC2 instance security group
Rule Direction Protocol/Port Source/Destination Description

Rule 1

Inbound

TCP/22

0.0.0.0/0

For all SSh management

Rule 2

Inbound

TCP/30011-30023

0.0.0.0/0

NodePort; to allow connection from the routers and the source-IP addresses to connect to the GUI

Rule 3

Inbound

any

VPC subnet IP range

Allow all intra-VPC communication

Rule 4

Outbound

any

any

Allow all outbound traffic from the VMs

To determine the VPC subnet IP range:

  1. Navigate to the VPC Dashboard.

  2. Click VPCs. The VPC that you plan to use is listed.

  3. Scroll to the IPv4 CIDR column of the VPC you plan to use. Note down the IPv4 subnet displayed. You will need to enter this when creating Rule 3 of the security group.

To create a security group to allow the traffic detailed in Table 1, perform the following steps:

  1. Navigate to the EC2 > Security Groups page. Click Create new security group at the top right corner of the page.

  2. Enter basic details such as a name in Security group name and description for the security group in Description. For example, enter the security group name as EC2-sg.

  3. Select the VPC on which you want to deploy the cluster node VMs.

  4. Expand Inbound rules.

  5. Enter information for the inbound rules by referring to the following table. After entering the values for a rule, click Add rule to enter the values for the next rule.

    Table 2:
    Field Description
    Rule 1

    Type

    Select Custom TCP.

    Port range

    Enter 22.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    All SSH management

    Rule 2

    Type

    Select Custom TCP.

    Port range

    Enter 30011-30023.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    To allow connection from the routers and the source-IP addresses to connect to the GUI

    Rule 3

    Type

    Select All traffic.

    Source

    Enter the VPC subnet IP range in CIDR notation that you determined earlier.

    Description (Optional)

    Allow all intra-VPC communication

  6. Expand Outbound rules.

  7. Enter information for the outbound rule by referring to the following table.

    Table 3:
    Field Description
    Rule 4

    Type

    Select All traffic.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    Allow all outbound traffic from the VMs

  8. Click Create security group to create the group. The group EC2-sg is listed under EC2 > Security Groups.

Create Load Balancer Security Group

The following table details the security group that is applied to the AWS load balancer to allow intracluster communication between the nodes.
Table 4: Load balancer security group
Rule Direction Protocol/Port Source/Destination Description

Rule 1

Inbound

TCP/443

0.0.0.0/0

For access to the GUI

Allow from everywhere

Rule 2

Inbound

TCP/2200

0.0.0.0/0

For NETCONF access

Rule 3

Inbound

TCP/4189

0.0.0.0/0

For PCEP

Rule 4

Inbound

UDP/4739

0.0.0.0/0

For routing observability CRPD

Rule 5

Inbound

TCP/5432

0.0.0.0/0

For routing observability IPFIX health-check

Rule 6

Inbound

TCP/6800

0.0.0.0/0

For active assurance TAGW

Rule 7

Inbound

TCP/17002

0.0.0.0/0

For routing observability IPFIX

Rule 8

Inbound

TCP/32767

0.0.0.0/0

For gNMI term access

Rule 9

Outbound

any

any

Allow all outbound traffic from the VMs

To create a load balancer security group to allow the traffic detailed in Table 4, perform the following steps:

  1. Navigate to the EC2 > Security Groups page. Click Create new security group at the top right corner of the page.

  2. Enter basic details such as a name in Security group name and description for the security group in Description. For example, enter the security group name as Loadbalancer-sg.

  3. Select the VPC on which you want to deploy the cluster node VMs.

  4. Expand Inbound rules.

  5. Enter information for the inbound rules by referring to the following table. After entering the values for a rule, click Add rule to enter the values for the next rule.

    Table 5:
    Field Description
    Rule 1

    Type

    Select Custom TCP.

    Port range

    Enter 443.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For access to the GUI

    Rule 2

    Type

    Select Custom TCP.

    Port range

    Enter 2200.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For NETCONF access

    Rule 3

    Type

    Select Custom TCP.

    Port

    Enter 4189.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For PCEP

    Rule 4  

    Type

    Select Custom UDP.

    Port

    Enter 4739.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For routing observability IPFIX

    Rule 5  

    Type

    Select Custom TCP.

    Port

    Enter 5432.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For routing observability IPFIX health-check

    Rule 6

    Type

    Select Custom TCP.

    Port range

    Enter 6800.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For active assurance TAGW

    Rule 7

     

    Type

    Select Custom TCP.

    Port range

    Enter 17002.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For routing observability CRPD

    Rule 8

    Type

    Select Custom TCP.

    Port range

    Enter 32767.

    Source

    Select Anywhere-IPv4.

    Description (Optional)

    For gNMI term access

  6. Expand Outbound rules.

  7. Enter information for the outbound rule by referring to the following table.

    Table 6:
    Field Description
    Rule 6

    Type

    Select All traffic.

    Source

    Select Anywhere-IPv4.

    Alternatively, you can also enter the VPC subnet IP range in CIDR notation.

    Description (Optional)

    Allow all outbound traffic from the VMs

  8. Click Create security group to create the group. The group Loadbalancer-sg is listed under EC2 > Security Groups.

Create and launch the cluster nodes. Go to Launch the EC2 VMs.