Amazon Web Services Deployment Guide
This guide walks you through the steps needed to set up the necessary infrastructure in Amazon Web Services (AWS) for a proof of concept environment for API Connectivity Manager. The options presented in this guide for creating AWS Instances keep cost in mind and prefer the minimum requirements for running a fully functional API Connectivity Manager environment. Keep in mind that production environments may require larger instance sizes and incur greater costs.
- Make sure you have an AWS account.
Because the F5 NGINX Management Suite host requires at least 2 CPU and 4GB RAM (NOT a free tier size), completing this deployment guide will incur charges from AWS according to their price plan.
The AWS instance types and storage capacity used in this guide are based on the NGINX Management Suite Technical Specs.
| Hosts | AWS Instance Type | AWS Storage | 
|---|---|---|
| NGINX Management Suite Host | t3.medium | 100GB | 
| Data Plane Host | t2.micro | 10GB | 
| Developer Portal Host | t2.micro | 10GB | 
Complete the tasks in this section to set up the required resources in AWS. The instances you create by the end of this guide are:
- NGINX Management Suite Host
- Data Plane Host
- Developer Portal Host
This section creates and configures the AWS Virtual Private Cloud (VPC) as described below. If your existing VPC already allows the following types of traffic, skip this section.
- Be able to access the internet (for install)
- Be able to establish an SSH connection from your workstation to the EC2 Instances
- Have HTTPS traffic enabled
  - To allow NGINX Management Suite user interface and/or API access
  - Communication between Data Plane or Developer Portal host and NGINX Management Suite host
- Have HTTP traffic enabled
  - To allow access to the Developer Portal from a workstation
  - To allow traffic for gateway proxy from a workstation
Take the steps below to create a new VPC:
- Go to the VPC Service.
- Select Create VPC.
- In the VPC setting section, provide the Name (optional) and IPv4 CIDR.
- Select Create VPC.
Take the steps below to create a new subnet:
- On the left menu, select Virtual private cloud > Subnets.
- Select Create subnet.
- In the VPC section, select the newly created VPC from above.
- In the Subnet settings, provide the Subnet name (optional) and IPv4 CIDR block.
- Select Create subnet.
Take the steps below to create a new internet gateway:
- On the left menu, select Virtual private cloud > Internet Gateways.
- Select Create internet gateway.
- On the main window of the newly created internet gateway, select Actions > Attach to VPC.
- Select the VPC created from above.
- Select Attach internet gateway.
The internet gateway is what gives a public subnet access to the internet.
Take the steps below to create a route table, add a route entry that defaults to the internet gateway created above, and associate a subnet with this route table:
- On the left menu, select Virtual private cloud > Route tables.
- Select Create route table.
- Associate this route table to the VPC created from above.
- Select Create route table.
- Scroll down on the main window of the newly created route table, then select Edit routes.
  - Select Add route.
  - Provide 0.0.0.0/0 for the Destination.
  - Select the Internet Gateway created from above.
  - Select Save changes.
- Scroll down on the main window of the same route table, then select the Subnet associations tab.
  - Select Edit subnet associations.
  - Select the subnet created from above.
  - Select Save changes.
At this point, the VPC created above is available when creating EC2 Instances.
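A quick way to confirm that the VPC, subnet, internet gateway and route table created above fit together is to check the API view of them rather than the console. The script below is an added example written for this guide, not part of the NGINX documentation or product; it takes the JSON shape returned by `aws ec2 describe-vpcs`, `describe-subnets`, `describe-internet-gateways` and `describe-route-tables` and reports whether the subnet is actually public. Every id and CIDR in it is a constructed placeholder so that it runs offline.

```python
"""Verify that a VPC, subnet, internet gateway and route table fit together so
that the subnet is really public.

Added example, not part of the original guide. The inputs mirror the JSON
that `aws ec2 describe-vpcs`, `describe-subnets`, `describe-internet-gateways`
and `describe-route-tables` return; every id and CIDR below is a constructed
placeholder so the script runs offline.
"""
import ipaddress

VPC = {"VpcId": "vpc-0aaaaaaaaaaaaaaa1", "CidrBlock": "10.0.0.0/16"}
# MapPublicIpOnLaunch is not checked: the guide enables the public IP per
# instance at launch time instead of at the subnet level.
SUBNET = {"SubnetId": "subnet-0bbbbbbbbbbbbbbb1", "VpcId": "vpc-0aaaaaaaaaaaaaaa1",
          "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False}
IGWS = [{"InternetGatewayId": "igw-0ccccccccccccccc1",
         "Attachments": [{"VpcId": "vpc-0aaaaaaaaaaaaaaa1", "State": "available"}]}]
ROUTE_TABLES = [
    # The VPC's main table: only the local route. A subnet with no explicit
    # association falls back to this table and has no internet access.
    {"RouteTableId": "rtb-0ddddddddddddddd1", "VpcId": "vpc-0aaaaaaaaaaaaaaa1",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"}]},
    # The table built in the steps above: default route to the IGW, explicitly
    # associated with the subnet.
    {"RouteTableId": "rtb-0eeeeeeeeeeeeeee1", "VpcId": "vpc-0aaaaaaaaaaaaaaa1",
     "Associations": [{"Main": False, "SubnetId": "subnet-0bbbbbbbbbbbbbbb1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0",
                 "GatewayId": "igw-0ccccccccccccccc1", "State": "active"}]},
]


def attached_igw_ids(igws, vpc_id):
    """Ids of internet gateways attached (and available) on this VPC."""
    return {g["InternetGatewayId"] for g in igws
            if any(a.get("VpcId") == vpc_id and a.get("State") == "available"
                   for a in g.get("Attachments", []))}


def route_table_for_subnet(route_tables, subnet):
    """The table that actually routes the subnet: an explicit association
    wins, otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_default_route_to_igw(route_table, igw_ids):
    """True if 0.0.0.0/0 is routed to one of the given gateways and is active."""
    if route_table is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId") in igw_ids
               and r.get("State", "active") == "active"
               for r in route_table.get("Routes", []))


def check_public_subnet(vpc, subnet, igws, route_tables):
    """One boolean per step of the VPC section; every value must be True for
    EC2 instances in the subnet to reach the internet."""
    igw_ids = attached_igw_ids(igws, vpc["VpcId"])
    rt = route_table_for_subnet(route_tables, subnet)
    return {
        "subnet_in_vpc": subnet["VpcId"] == vpc["VpcId"],
        "subnet_cidr_inside_vpc_cidr": ipaddress.ip_network(
            subnet["CidrBlock"]).subnet_of(ipaddress.ip_network(vpc["CidrBlock"])),
        "igw_attached": bool(igw_ids),
        "subnet_has_explicit_route_table": rt is not None and any(
            a.get("SubnetId") == subnet["SubnetId"]
            for a in rt.get("Associations", [])),
        "default_route_to_igw": has_default_route_to_igw(rt, igw_ids),
    }


def is_public(vpc, subnet, igws, route_tables):
    """Convenience wrapper: True only if every check passes."""
    return all(check_public_subnet(vpc, subnet, igws, route_tables).values())


if __name__ == "__main__":
    for name, ok in check_public_subnet(VPC, SUBNET, IGWS, ROUTE_TABLES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it as-is to see the checks pass against the constructed data; to check a real VPC, replace the constants with the saved output of the corresponding describe calls. The main route table is included on purpose: skipping the subnet association step leaves the subnet on the main table, which has no default route, and that is the usual reason a freshly created subnet cannot reach the internet.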
Before creating the EC2 instances, create your Key Pair and Security Groups if they do not already exist. The reason why they are required is described below.
| AWS Object | Reason | 
|---|---|
| Key Pair | This is used to allow SSH connections in to EC2 Instances. | 
| Security Groups | The security group needs to enable HTTP/S traffic and allow SSH traffic from your IP. | 
Take the steps below to create a Key Pair.
- Go to the EC2 Service.
- On the left menu, select Network & Security > Key Pairs.
- You can either create a new Key Pair or import your own.
  - To create a new Key Pair:
    - Select Create key pair.
    - Provide the Name, Key pair type, and Private key file format.
  - To import your existing Key Pair:
    - Select Actions > Import key pair.
    - Provide the key pair Name and your public key content.
The table below summarizes the two security groups that you should create.
| Security Group Name | HTTP | HTTPS | SSH | 
|---|---|---|---|
| sg-controller | NA | Anywhere-IPv4 | My IP | 
| sg-data | Anywhere-IPv4 | Anywhere-IPv4 | My IP | 
Selecting Anywhere-IPv4 as the Source for HTTP and HTTPS will cause the instances placed inside your Security Group to be publicly accessible. If this is not suitable for you or your organization, please ensure that appropriate restrictions are in place.
Select My IP as the Source for SSH to prevent SSH connection attempts by anyone other than yourself.
If you are not allowed to do this, refer to the Terminal Access Using Session Manager section below.
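Because the Source selection decides who can reach the instances, it is worth auditing the resulting groups rather than trusting that the form was filled in correctly. The script below is an added example, not part of this guide or its product; it reads the `SecurityGroups` list from the JSON that `aws ec2 describe-security-groups` returns and flags any group where port 22 is open to 0.0.0.0/0 or ::/0, while recording the intentional HTTP/HTTPS exposure so it is explicit. The two groups in it are constructed stand-ins for sg-controller and sg-data, with the second one deliberately left open on SSH so a finding is produced.

```python
"""Audit the ingress rules of EC2 security groups for SSH and web exposure.

Added example, not part of the original guide. `audit_security_groups`
consumes the ``SecurityGroups`` list from `aws ec2 describe-security-groups`
output, so it can be pointed at real groups; the two groups below are
constructed stand-ins for sg-controller and sg-data (placeholder group ids,
documentation-range source address).
"""
import ipaddress
import json
import sys

SSH_PORT = 22
WEB_PORTS = (80, 443)

SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaaaaaaaaaaaaaa1",
        "GroupName": "sg-controller",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH restricted to "My IP", as the guide recommends.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbbbbbbbbbbbbbb2",
        "GroupName": "sg-data",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # The mistake to catch: SSH from Anywhere-IPv4 instead of My IP.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def rule_covers_port(rule, port):
    """True if an ingress rule admits TCP traffic to `port`.

    IpProtocol "-1" is the console's "All traffic" and carries no port range.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule):
    """Every CIDR source of a rule, IPv4 and IPv6, as strings."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups):
    """Map each group name to a sorted list of findings.

    ssh-open-to-world   port 22 reachable from 0.0.0.0/0 or ::/0
    ssh-source-<cidr>   port 22 admitted from a specific prefix (informational)
    web-public          80 or 443 reachable from the world (expected for this
                        setup; recorded so the exposure is explicit)
    """
    report = {}
    for group in groups:
        name = group.get("GroupName") or group["GroupId"]
        findings = set()
        for rule in group.get("IpPermissions", []):
            sources = rule_sources(rule)
            if rule_covers_port(rule, SSH_PORT):
                for src in sources:
                    findings.add("ssh-open-to-world" if is_world(src)
                                 else f"ssh-source-{src}")
            if any(rule_covers_port(rule, p) for p in WEB_PORTS) and any(
                    is_world(s) for s in sources):
                findings.add("web-public")
        report[name] = sorted(findings)
    return report


def groups_with_world_ssh(groups):
    """Names of groups that break the guide's SSH rule; empty means all good."""
    return sorted(n for n, f in audit_security_groups(groups).items()
                  if "ssh-open-to-world" in f)


if __name__ == "__main__":
    # Pass the saved output of `aws ec2 describe-security-groups` as argv[1]
    # to audit real groups; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            groups = json.load(fh)["SecurityGroups"]
    else:
        groups = SAMPLE_GROUPS
    print(json.dumps(audit_security_groups(groups), indent=2))
    sys.exit(1 if groups_with_world_ssh(groups) else 0)
```

The exit status makes the script usable as a gate after the groups are created: it returns non-zero whenever any group admits SSH from the whole internet, which is exactly the condition the My IP source is meant to prevent. "All traffic" rules (IpProtocol "-1") are treated as covering every port, since the console offers that type and it silently includes 22.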
Each host needs to be associated to a security group. The mapping of each host to the correct security group is shown below.
| Host | Security Group | 
|---|---|
| NGINX Management Suite Host | sg-controller | 
| Data Plane Host | sg-data | 
| Developer Portal Host | sg-data | 
Take the steps below to create a security group for access. Repeat these steps twice, once for sg-controller and once for sg-data.
- Go to the EC2 Service.
- On the left menu, select Network & Security > Security Groups.
- Select Create security group.
- In the Basic details section, provide the Security group name, Description, and select the VPC created from above.
- In the Inbound rules section, refer to each traffic Type that corresponds to the security group being created from Table 1.2 above.
- The Outbound rules should already allow all traffic by default. If it isn’t, modify the rules so that it allows all traffic.
- Select Create security group.
Take the steps below to create an EC2 Instance. Repeat these steps three times, once for each host shown in Table 1.1.
- Go to the EC2 Service.
- On the left menu, select Instances > Instances.
- Select Launch Instances.
- Provide the Name of your instance.
- In the Application and OS Images section, select your supported OS of choice.
- Select your instance size in the Instance Type section. Refer to Table 1.1 for the suggested size of your host. Refer to Technical Specifications for additional information.
- In the Key pair (login) section, select the key pair that was created above.
- In the Network settings section, select the Edit button.
  - Provide your VPC and Subnet information.
  - Select Enable for Auto-assign public IP.
  - Select Select existing security group.
  - Provide the security group created above shown in Table 1.4 that corresponds to your host for Common security groups.
- In the Configure Storage section, select the storage amount required by your host. Refer to Table 1.1 for guidance to determine the suggested size. GP2 storage is suitable. Refer to Technical Specifications for additional information.
Take the steps below to obtain the public IP so you can access the instance through an SSH connection.
- Select Instances > Instances on the left menu.
- Select your instance.
- Select the Details tab.
- The public IP address is shown in the Public IPv4 address section. This is the IP that allows external access (such as from your workstation) to the selected EC2 Instance.
It takes about a minute for the instance to become available for SSH connections.
Follow the NGINX Management Suite Installation Guide to install both the Instance Manager Module and the API Connectivity Manager Module. The Security Module is not required for this demo.
Follow the steps in the Set Up an API Gateway Environment guide to create an API Gateway and deploy it to your NGINX data plane host.
Follow the steps in the Set Up a Developer Portal Environment guide to create a Developer Portal and deploy it to your NGINX Dev Portal host.
AWS allows you to restrict SSH traffic to a specific source IP address, which is much safer than exposing it to everyone on the internet. Even though exposing it to one IP may be good enough, it might not be sufficient for your company policy. It is possible to completely disable SSH traffic and still have terminal access to your EC2 Instances. There are different ways of doing this; the one covered here is AWS Systems Manager Session Manager.
There are two methods of gaining terminal access via Session Manager:
- AWS Management Console
- AWS Command Line Interface Tool
Whichever method you decide, you need to take the following steps to properly configure your instances to allow connections from AWS Session Manager. Before continuing, ensure the Session Manager Prerequisites are met.
You must create a new IAM Role that grants Session Manager access to EC2 Instances. This role will be associated with the EC2 Instances needing terminal access. Follow the instructions below to create an IAM Role for Session Manager.
- Log in to your AWS Account on your web browser.
- Go to the IAM service.
- On the left menu, select Access management > Roles.
- Select Create role.
- In the Trusted entity type section, select AWS service.
- In the Use case section, select EC2.
- Select Next.
- In the Permissions policies section, select AmazonSSMManagedInstanceCore. You can filter for this name in the filter box.
- Select Next.
- Provide the Role name and Tag (optional) for this IAM Role specifically allowing Session Manager access to EC2 Instances.
- Select Create role.
Creating an IAM Role from the AWS Management Console and choosing EC2 as the AWS Service also creates an AWS Instance Profile associated with EC2 Instances. Additional details can be found in the AWS knowledge article.
When you associate an IAM Role created from the IAM service to an EC2 Instance, you are really associating an IAM Instance Profile. As noted above, creating the IAM Role from the AWS Management Console with EC2 as the AWS Service also creates that IAM Instance Profile. Take the steps in this section to associate an IAM Instance Profile to an EC2 Instance.
There are two situations that can happen here:
- Associating IAM Instance Profile to an existing instance
- Associating an IAM Instance Profile to a new instance
Take the steps below to associate an IAM Instance Profile to an existing EC2 Instance:
- Go to the EC2 Service.
- On the left menu, select Instances > Instances.
- Right-click on the instance of interest.
- Select Security > Modify IAM role.
- Select the IAM Instance Profile from the list.
Associating an IAM Instance Profile to a new instance happens before the instance is created. The steps below assume you know how to get to the page where you provide information for the new instance you are about to create. You see this page after selecting Launch instances from Instances > Instances on the EC2 Service.
- In the Advanced details section, expand the entire section.
- Select your IAM Instance Profile for IAM instance profile.
You can access the terminal of your instance by either:
- AWS Management Console
- AWS Command Line Interface Tool
Take the steps below to get terminal access using Session Manager.
- Go to the Systems Manager Service.
- On the left menu, select Node Management > Session Manager.
- Verify you are on the Sessions tab.
- Select Create session.
- In the Target Instances section, select the instance of interest.
- Select Start session. This takes you to the terminal where you are logged in as ssm-user.
- When you are done, select Terminate at the top.
If you do not see your instance in the Target Instances section:
- Verify the IAM Instance Profile is associated to your instance.
- Verify the IAM Role has SSM permissions properly configured.
- Verify the instance allows outbound HTTPS traffic to the endpoints shown in the Connectivity to endpoints row of the Session Manager Prerequisites page.
- Wait about 15 minutes if you attached the IAM Instance Profile to an existing instance.
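The troubleshooting list above can be turned into a script that checks the same conditions from saved CLI output instead of clicking through four consoles. The one below is an added example, not tooling from this guide or its product; it takes the JSON shapes returned by `aws ec2 describe-instances`, `aws iam get-instance-profile`, `aws iam list-attached-role-policies` and `aws ec2 describe-security-groups`, with every id and ARN a constructed placeholder so it runs offline. It assumes AmazonSSMManagedInstanceCore is attached to the role directly, which is what the IAM Role steps above produce; an equivalent inline or customer-managed policy would not be recognised. The "wait about 15 minutes" item cannot be judged from a snapshot and is left to the operator.

```python
"""Check the Session Manager prerequisites for one EC2 instance from saved
AWS CLI output.

Added example, not part of the original guide. Each constant mirrors the JSON
of the CLI call named in its comment; ids and ARNs are constructed
placeholders. Assumption: the SSM permission is granted by attaching the
AmazonSSMManagedInstanceCore managed policy to the role, as in the guide.
"""
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
HTTPS_PORT = 443

# aws ec2 describe-instances --instance-ids <instanceId>  (one instance, trimmed)
INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/ssm-session-profile",
        "Id": "AIPAEXAMPLEEXAMPLE000",
    },
    "SecurityGroups": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1",
                        "GroupName": "sg-controller"}],
}

# aws iam get-instance-profile --instance-profile-name ssm-session-profile
INSTANCE_PROFILE = {"InstanceProfile": {
    "InstanceProfileName": "ssm-session-profile",
    "Roles": [{
        "RoleName": "ssm-session-role",
        # The trust policy the console writes when EC2 is chosen as the use case.
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}}]}}

# aws iam list-attached-role-policies --role-name ssm-session-role
ATTACHED_POLICIES = {"AttachedPolicies": [
    {"PolicyName": "AmazonSSMManagedInstanceCore",
     "PolicyArn": SSM_CORE_POLICY_ARN}]}

# aws ec2 describe-security-groups --group-ids sg-0aaaaaaaaaaaaaaa1  (egress only)
SECURITY_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-0aaaaaaaaaaaaaaa1",
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": []}]}]}


def _as_list(value):
    """IAM policy JSON allows a bare string or object where a list is meant."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def role_trusts_ec2(role):
    """True if the role's trust policy lets the EC2 service assume it."""
    doc = role.get("AssumeRolePolicyDocument", {})
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        actions = _as_list(stmt.get("Action"))
        if "ec2.amazonaws.com" in services and "sts:AssumeRole" in actions:
            return True
    return False


def egress_allows_https(group):
    """True if some egress rule lets TCP/443 out to at least one destination.
    The destination is not resolved against the SSM endpoint names; the
    default outbound-all rule from the guide passes this check."""
    for rule in group.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp"
            and rule.get("FromPort", 0) <= HTTPS_PORT <= rule.get("ToPort", 65535))
        has_dest = bool(rule.get("IpRanges") or rule.get("Ipv6Ranges")
                        or rule.get("PrefixListIds"))
        if port_ok and has_dest:
            return True
    return False


def check_session_manager_prereqs(instance, profile, attached, groups):
    """One boolean per item of the troubleshooting list above."""
    prof_ref = instance.get("IamInstanceProfile")
    prof = profile["InstanceProfile"]
    roles = prof.get("Roles", []) if prof_ref else []
    attached_arns = {p.get("PolicyArn") for p in attached.get("AttachedPolicies", [])}
    my_sg_ids = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    return {
        "instance_profile_attached": prof_ref is not None,
        "profile_matches_instance": bool(prof_ref) and
            prof_ref["Arn"].rsplit("/", 1)[-1] == prof["InstanceProfileName"],
        "role_trusts_ec2": any(role_trusts_ec2(r) for r in roles),
        "ssm_core_policy_attached": SSM_CORE_POLICY_ARN in attached_arns,
        "egress_https_allowed": any(egress_allows_https(g)
                                    for g in groups["SecurityGroups"]
                                    if g["GroupId"] in my_sg_ids),
    }


def session_manager_ready(instance, profile, attached, groups):
    """True only if every prerequisite that can be checked offline holds."""
    return all(check_session_manager_prereqs(instance, profile, attached, groups).values())


if __name__ == "__main__":
    for name, ok in check_session_manager_prereqs(
            INSTANCE, INSTANCE_PROFILE, ATTACHED_POLICIES, SECURITY_GROUPS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

To use it against a real instance, save the output of the four CLI calls named in the comments and paste them over the constants (or load them with `json.load`). A FAIL on `instance_profile_attached` or `ssm_core_policy_attached` corresponds to the first two bullets above; a FAIL on `egress_https_allowed` to the third.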
Another way to get terminal access to instances is through AWS’s CLI Tool.
Take the steps below to fulfill prerequisites for using Session Manager on the command line interface:
- Install AWS CLI Tool.
- You must also install the Session Manager Plugin.
- You need AWS Access Key ID and AWS Secret Access Key, which you can set up by referring to the AWS CLI Prerequisite page.
Take the steps below to get terminal access on an instance:
- Run `aws configure` to set up access to your AWS account.

```shell
$ aws configure
AWS Access Key ID []: ****************DLVT
AWS Secret Access Key []: ****************666r
Default region name []: <yourRegionName>
Default output format []: json
```

If your AWS account is configured to use temporary credentials, you need to provide the `aws_session_token` by running the command below:

```shell
aws configure set aws_session_token <sessionToken>
```

- Run `aws ssm start-session --target "<instanceId>"` to start a session which provides terminal access.

```shell
$ aws ssm start-session --target "<instanceId>"
Starting session with SessionId: aaaaaaaa-0538f063ab275aeed
$
```

- To exit out of the session, type `exit` as if you were going to close a normal terminal screen.