Prepare an AWS Instance

Overview

This procedure explains how to prepare AWS instances for TOS deployments using the Tufin AMI. Some of the sections in this procedure only need to be done once. Others need to be repeated each time you add a worker node to the deployment.

High Availability (HA)

High availability is not supported in this release.

Remote Collectors (RCs)

Remote collectors can be deployed on AWS.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced AWS administrator with knowledge of deploying on that platform.

  • To ensure optimal performance and reliability, the required resources need to always be available for TOS. If resources become unavailable, this will affect TOS performance. Do not oversubscribe resources.

  • Verify that you have sufficient resources (CPUs, disk storage and main memory) to run TOS. The required resources are determined by the size of your system. See Sizing Calculation for a Clean Install.

  • We do not recommend installing third-party software that is not specified in this procedure on the server. It may affect TOS functionality and features, and it is your responsibility to verify that it is safe to use.

Network Requirements

  • You will need to allow access to required Ports and Services on the firewall.

  • Allocate a 24-bit CIDR subnet for the Kubernetes service network and a 16-bit CIDR subnet for the Kubernetes pods network (10.244.0.0/16 is used by default).

    The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDRs for the service network and the pods network do not overlap with:

    • Each other

    • The physical addresses of your TOS servers (see below)

    • Your external load balancer IP(s)

    • Any other subnets communicating with TOS or with TOS nodes

  • DNS hostnames must be enabled on your VPC. See Modify the DNS attributes for your VPC (Amazon official documentation).
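A quick way to check a planned address layout against the requirements above before touching the console, as an added example that is not part of the original procedure; the addresses passed in the sample call are constructed.

```python
"""Validate a Kubernetes service/pod CIDR plan against the network requirements
listed above: service /24, pod /16, both inside RFC 1918 space, no overlap with
each other, with the TOS node addresses, the load balancer IPs or other subnets."""
import ipaddress

# Private ranges the service and pod networks must fall inside (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_cidr_plan(service_cidr, pod_cidr, node_ips, lb_ips, other_subnets):
    """Return a list of problems; an empty list means the plan meets the requirements."""
    service = ipaddress.ip_network(service_cidr)
    pods = ipaddress.ip_network(pod_cidr)
    problems = []

    if service.prefixlen != 24:
        problems.append(f"service network {service} must be a /24")
    if pods.prefixlen != 16:
        problems.append(f"pod network {pods} must be a /16")

    for name, net in (("service", service), ("pod", pods)):
        if not any(net.subnet_of(private) for private in PRIVATE_RANGES):
            problems.append(f"{name} network {net} is not inside a private range")

    if service.overlaps(pods):
        problems.append(f"service network {service} overlaps pod network {pods}")

    # Node addresses, load balancer addresses and any other subnet that talks to
    # TOS must stay clear of both Kubernetes networks (single IPs become /32s).
    peers = [ipaddress.ip_network(p) for p in node_ips + lb_ips + other_subnets]
    for name, net in (("service", service), ("pod", pods)):
        for peer in peers:
            if net.overlaps(peer):
                problems.append(f"{name} network {net} overlaps {peer}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: default pod network, two data/worker nodes, one NLB address.
    result = check_cidr_plan("10.96.0.0/24", "10.244.0.0/16",
                             ["10.20.1.10", "10.20.1.11"], ["10.20.2.5"], ["10.30.0.0/16"])
    print(result or "CIDR plan OK")
```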

Create Security Groups

If not already done, create two security groups: one for the EC2 instance and one for the network load balancer.

Before you proceed, read and understand Prerequisites - this may prevent unexpected failures.

Load Balancer Security Group

  1. Navigate to EC2 > Security Groups.

  2. Click Create Security Group.

  3. In the Basic Details section, enter a name and description for the security group, and select the VPC being used for the EC2 instance.

  4. In the Inbound Rules section, create rules for the following ports:

    Central cluster

    | Type       | Protocol | Port range | Source | Source IP                     | Description                 |
    |------------|----------|------------|--------|-------------------------------|-----------------------------|
    | HTTPS      | TCP      | 443        | Custom | Client source IP address      | UI Access                   |
    | HTTPS      | TCP      | 443        | Custom | Remote cluster node addresses | Remote cluster connectivity |
    | Custom TCP | TCP      | 61617      | Custom | Remote cluster node addresses | Remote cluster connectivity |
    | Custom TCP | TCP      | 9099       | Custom | Client source IP address      | OPM devices                 |
    | Custom TCP | TCP      | 8443       | Custom | Remote cluster node addresses | Remote cluster connectivity |
    | Custom TCP | TCP      | 9090       | Custom | Remote cluster node addresses | Remote cluster connectivity |
    | Custom TCP | TCP      | 601        | Custom | Client source IP address      | Unencrypted TCP syslogs     |
    | Custom TCP | TCP      | 6514       | Custom | Client source IP address      | TLS encrypted TCP syslogs   |
    | Custom UDP | UDP      | 514        | Custom | Client source IP address      | UDP syslogs                 |
    | Custom UDP | UDP      | 161        | Custom | Client source IP address      | SNMP monitoring             |

    Remote cluster

    | Type       | Protocol | Port range | Source | Source IP                      | Description                  |
    |------------|----------|------------|--------|--------------------------------|------------------------------|
    | Custom TCP | TCP      | 9099       | Custom | Client source IP address       | OPM devices                  |
    | Custom TCP | TCP      | 8443       | Custom | Central cluster node addresses | Central cluster connectivity |
    | Custom TCP | TCP      | 601        | Custom | Client source IP address       | Unencrypted TCP syslogs      |
    | Custom TCP | TCP      | 6514       | Custom | Client source IP address       | TLS encrypted TCP syslogs    |
    | Custom UDP | UDP      | 514        | Custom | Client source IP address       | UDP syslogs                  |

  5. Do not change the default outbound rule for allowing all traffic.

  6. No additional outbound rules need to be created.

  7. Click Create Security Group.

EC2 Security Group

  1. Navigate to EC2 > Security Groups.

  2. Click Create Security Group.

  3. In the Basic Details section, enter a name and description for the security group, and select the VPC being used for the EC2 instance.

  4. In the Inbound Rules section, create rules for the following ports:

    Central cluster

    | Type       | Protocol | Port range | Source | Source IP                       | Description                 |
    |------------|----------|------------|--------|---------------------------------|-----------------------------|
    | HTTPS      | TCP      | 31443      | Custom | Client source IP address        | UI Access                   |
    | HTTPS      | TCP      | 31443      | Custom | Remote cluster node addresses   | Remote cluster connectivity |
    | HTTPS      | TCP      | 31443      | Custom | Load balancer security group ID | Health check                |
    | Custom TCP | TCP      | 31617      | Custom | Remote cluster node addresses   | Remote cluster connectivity |
    | HTTPS      | TCP      | 31617      | Custom | Load balancer security group ID | Health check                |
    | Custom TCP | TCP      | 31099      | Custom | Client source IP address        | OPM devices                 |
    | Custom TCP | TCP      | 31099      | Custom | Load balancer security group ID | Health check                |
    | Custom TCP | TCP      | 31843      | Custom | Remote cluster node addresses   | Remote cluster connectivity |
    | Custom TCP | TCP      | 31843      | Custom | Load balancer security group ID | Health check                |
    | Custom TCP | TCP      | 31090      | Custom | Remote cluster node addresses   | Remote cluster connectivity |
    | Custom TCP | TCP      | 31090      | Custom | Load balancer security group ID | Health check                |
    | Custom TCP | TCP      | 32514      | Custom | Client source IP address        | Unencrypted TCP syslogs     |
    | Custom TCP | TCP      | 32514      | Custom | Load balancer security group ID | Health check                |
    | Custom TCP | TCP      | 31514      | Custom | Client source IP address        | TLS encrypted TCP syslogs   |
    | Custom TCP | TCP      | 31514      | Custom | Load balancer security group ID | Health check                |
    | Custom UDP | UDP      | 30514      | Custom | Client source IP address        | UDP syslogs                 |
    | Custom UDP | UDP      | 30161      | Custom | Client source IP address        | SNMP monitoring             |

    Remote cluster

    | Type       | Protocol | Port range | Source | Source IP                       | Description                  |
    |------------|----------|------------|--------|---------------------------------|------------------------------|
    | Custom TCP | TCP      | 31099      | Custom | Client source IP address        | OPM devices                  |
    | Custom TCP | TCP      | 31099      | Custom | Load balancer security group ID | Health check                 |
    | Custom TCP | TCP      | 31843      | Custom | Central cluster node addresses  | Central cluster connectivity |
    | Custom TCP | TCP      | 31843      | Custom | Load balancer security group ID | Health check                 |
    | Custom TCP | TCP      | 32514      | Custom | Client source IP address        | Unencrypted TCP syslogs      |
    | Custom TCP | TCP      | 32514      | Custom | Load balancer security group ID | Health check                 |
    | Custom TCP | TCP      | 31514      | Custom | Client source IP address        | TLS encrypted TCP syslogs    |
    | Custom TCP | TCP      | 31514      | Custom | Load balancer security group ID | Health check                 |
    | Custom UDP | UDP      | 30514      | Custom | Client source IP address        | UDP syslogs                  |

  5. To enable SSH access to the EC2 instance, add the following rule:

    | Type | Protocol | Port range | Source | Source IP          | Description |
    |------|----------|------------|--------|--------------------|-------------|
    | SSH  | TCP      | 22         | Custom | Inbound IP address | SSH access  |

  6. Do not change the default outbound rule for allowing all traffic.

  7. No additional outbound rules need to be created.

  8. Click Create Security Group.

  9. In the Inbound Rules tab, click Edit Inbound Rules, and add the following rule:

    | Type        | Protocol | Port range | Source | Source IP             | Description                 |
    |-------------|----------|------------|--------|-----------------------|-----------------------------|
    | All traffic | All      | All        | Custom | EC2 security group ID | Communication between nodes |

Launch the Instance

Repeat this section for each node in the cluster (data and worker) before proceeding to the next section.

  1. Navigate to EC2 > Launch instance.

  2. In the Name and tags pane, enter the name of the instance.

  3. In Application and OS Images (Amazon Machine Image), search for Tufin.

  4. Select the AWS Marketplace AMIs tab to view the results.

  5. Do one of the following:

    • For the data node, select TufinOS.

    • For the worker node, select TufinOS Worker.

  6. Subscribe to the AMI.

  7. Edit the configuration details:

    1. EC2 instance type: Select the instance type based on the type of node and the sizing requirements.

    2. In the Network Settings pane, click Edit, and enter/select the following details:

      • VPC settings: Select the relevant VPC.

      • Subnet settings: Select the relevant subnet.

      • Auto-assign public IP: We recommend selecting Disable.

      • Security group settings: Select the EC2 Security Group you created.

    3. Key pair settings: Create a new key pair or use an existing one. Both .pem and .ppk file formats are supported.

  8. Click Launch Instance.

  9. In the Key pair (login) pane, select the key pair you created.

  10. Click Launch Instance.

  11. (Optional) We recommend changing the permissions of the .pem file downloaded to your PC so that unauthorized users cannot read it. If your PC is running on a Linux-like operating system, run the command:

    [<ADMIN> ~]# chmod 400 <pem_key_name>

  12. When required, log in to the instance as follows:

    [<ADMIN> ~]# ssh -i <pem_key_name> tufin-admin@<IP>

    where

    • <pem_key_name> is the name of the .pem file downloaded previously from the AWS console

    • <IP> is the private or public IP address of the instance; you log in as the tufin-admin user

Create/Update Target Groups

If you are preparing AWS instances for the first time, you need to create target groups for the required ports. These ports are listed in the Target column in the tables below. The target groups are the rules that route traffic arriving at the load balancer to the instances.

If you are adding a worker node to an existing deployment, you need to update the target groups with the new instance.

Central cluster

| Protocol | Listener | Target | Health Check Protocol | Purpose                                   |
|----------|----------|--------|-----------------------|-------------------------------------------|
| TCP      | 443      | 31443  | TCP                   | UI access and remote cluster connectivity |
| TCP      | 61617    | 31617  | TCP                   | Remote cluster connectivity               |
| TCP      | 9099     | 31099  | TCP                   | OPM devices                               |
| TCP      | 8443     | 31843  | TCP                   | Remote cluster connectivity               |
| TCP      | 9090     | 31090  | TCP                   | Remote cluster connectivity               |
| TCP      | 601      | 32514  | TCP                   | Unencrypted TCP syslogs                   |
| TCP      | 6514     | 31514  | TCP                   | TLS encrypted TCP syslogs                 |
| UDP      | 514      | 30514  | TCP (31443)           | UDP syslogs                               |
| UDP      | 161      | 30161  | TCP (31443)           | SNMP monitoring                           |

Remote cluster

| Protocol | Listener | Target | Health Check Protocol | Purpose                     |
|----------|----------|--------|-----------------------|-----------------------------|
| TCP      | 9099     | 31099  | TCP                   | OPM devices                 |
| TCP      | 8443     | 31843  | TCP                   | Remote cluster connectivity |
| TCP      | 601      | 32514  | TCP                   | Unencrypted TCP syslogs     |
| TCP      | 6514     | 31514  | TCP                   | TLS encrypted TCP syslogs   |
| UDP      | 514      | 30514  | TCP (31843)           | UDP syslogs                 |
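As an added check that is not part of the original procedure, the following script cross-references the central-cluster listener/target table above with the EC2 security group inbound rules from Create Security Groups and reports any target or health-check port the node's security group would not admit. The security group id is a placeholder, and the source labels stand in for the page's "Client source IP address" and "Remote cluster node addresses".

```python
"""Audit the central-cluster EC2 security group rules against the NLB target groups.
Tables are transcribed from this page; LB_SG is a placeholder, not a real id."""
from collections import namedtuple

Rule = namedtuple("Rule", "proto port source")                  # one inbound rule
TargetGroup = namedtuple("TargetGroup", "proto listener target health_port")

LB_SG = "sg-LOADBALANCER-PLACEHOLDER"     # load balancer security group id (placeholder)
CLIENT, REMOTE = "client-source-ip", "remote-cluster-nodes"

# Central-cluster target groups; the UDP groups health-check over TCP/31443.
CENTRAL_TARGET_GROUPS = [
    TargetGroup("tcp", 443, 31443, 31443), TargetGroup("tcp", 61617, 31617, 31617),
    TargetGroup("tcp", 9099, 31099, 31099), TargetGroup("tcp", 8443, 31843, 31843),
    TargetGroup("tcp", 9090, 31090, 31090), TargetGroup("tcp", 601, 32514, 32514),
    TargetGroup("tcp", 6514, 31514, 31514), TargetGroup("udp", 514, 30514, 31443),
    TargetGroup("udp", 161, 30161, 31443),
]

# Central-cluster EC2 security group inbound rules (protocol, port, source).
EC2_RULES = {
    Rule("tcp", 31443, CLIENT), Rule("tcp", 31443, REMOTE), Rule("tcp", 31443, LB_SG),
    Rule("tcp", 31617, REMOTE), Rule("tcp", 31617, LB_SG),
    Rule("tcp", 31099, CLIENT), Rule("tcp", 31099, LB_SG),
    Rule("tcp", 31843, REMOTE), Rule("tcp", 31843, LB_SG),
    Rule("tcp", 31090, REMOTE), Rule("tcp", 31090, LB_SG),
    Rule("tcp", 32514, CLIENT), Rule("tcp", 32514, LB_SG),
    Rule("tcp", 31514, CLIENT), Rule("tcp", 31514, LB_SG),
    Rule("udp", 30514, CLIENT), Rule("udp", 30161, CLIENT),
}


def audit(target_groups, rules):
    """Return findings for target groups that the EC2 inbound rules do not fully cover."""
    findings = []
    for tg in target_groups:
        # With "Preserve client IP addresses" on, the node sees the original client
        # address, so the target port must admit the real sources, not only the NLB.
        if not any(r.proto == tg.proto and r.port == tg.target and r.source != LB_SG
                   for r in rules):
            findings.append(f"{tg.proto}/{tg.target}: no inbound rule for client traffic")
        # Health checks arrive from the load balancer's security group on the health port.
        if Rule("tcp", tg.health_port, LB_SG) not in rules:
            findings.append(f"{tg.proto}/{tg.target}: health check tcp/{tg.health_port} "
                            "not allowed from the load balancer security group")
    return findings


if __name__ == "__main__":
    print(audit(CENTRAL_TARGET_GROUPS, EC2_RULES) or "EC2 rules cover every target group")
```

Dropping a rule from EC2_RULES (for example the TCP/31443 health-check rule, which the two UDP target groups also rely on) makes the affected target groups show up in the findings.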

Create a Target Group

Repeat this procedure for each port you need.

  1. In your AWS console, navigate to EC2 > Target Groups.

  2. Click Create target group.

    The Step 1 - Specify group details tab appears.

  3. Enter/select the following:

    • Target type: Instances

    • Target group name: A name of your choice

    • Protocol/Port: The protocol and listener (source) port. For example: TCP / 443

    • IP Address Types: IPv4

    • VPC: The VPC being used for the EC2 instance

    • Health checks: TCP

  4. If you are creating a target group for a UDP protocol:

    1. Expand the Advanced health check settings pane.

    2. Select Override.

    3. Enter port 31443.

  5. Click Next.

  6. The Step 2 - Register Targets tab appears.

  7. Select the instances you created in the previous section.

  8. Enter the target port. For example: 31443.

  9. Click Include as pending below.

  10. Click Create target group.

  11. In the target group, go to the Attributes tab and verify that Preserve client IP addresses is On. If not, click Edit and change this attribute to On.

Update Target Group

Repeat this procedure for each target group.

  1. In your AWS console, navigate to EC2 > Target Groups. All targets groups are listed.

  2. Select the target group.

  3. Click Register Target.

  4. Select the instance you created in the previous section.

  5. Enter the target port. For example: 31443.

  6. Click Include as pending below.

  7. Click Register pending targets.

Create a Load Balancer

If not already done, create the load balancer for the deployment. The load balancer is going to have listeners - one for each of the target group ports from the previous section.

  1. In your AWS console, navigate to EC2 > Load Balancers.

  2. Click Create Load Balancer.

  3. Click Create for Network Load Balancer.

  4. Enter/select details:

    • Load balancer name: A name of your choice

    • Scheme: Select the relevant scheme

    • VPC: The VPC you are using with the EC2 instance.

  5. Select the relevant availability zones and subnets you are using.

  6. In the Security Groups section, select the security group you created for the load balancer.

  7. Add a listener for each target port.

    To add a listener:

    1. Enter/select:

      • Protocol: Protocol. For example: UDP

      • Port: Listener port. For example: 514

      • Target group: Name of the appropriate group created in Create Target Groups.

    2. Click Add listener.

  8. Click Create load balancer.

    The load balancer is added to the list of load balancers.

  9. Select the newly created load balancer from the list of load balancers and note the DNS name. This will be the URL of TOS when it is installed.

Deploy TOS