Prepare an AWS Instance

Overview

This procedure explains how to prepare an AWS instance for a TOS Deployment. To add a node to an existing cluster, see Adding a Node on AWS. For all other deployment options, see Deploying TOS.

High Availability (HA)

High availability is not supported in this release.

Remote Collectors (RCs)

Remote collectors can be deployed on AWS.

Procedure

Read and understand Prerequisites before you start.

Follow the steps below in sequence.

Prerequisites

General Requirements

  • This procedure must be performed by an experienced Linux administrator with knowledge of network configuration.

  • To ensure optimal performance and reliability, the required resources need to always be available for TOS. If resources become unavailable, this will affect TOS performance. Do not oversubscribe resources.

  • Verify that you have sufficient resources (CPUs, disk storage and main memory) to run TOS. The required resources are determined by the size of your system. See Sizing Calculation for a Clean Install.

  • iptables version 1.8.5 or later. iptables must be reserved exclusively for TOS Aurora and cannot be used for any other purpose: during installation any existing iptables rules are flushed and replaced, so do not rely on host-level rules for anything else on this machine.

Operating System Requirements

    • Disks:

      • Select a storage type of SSD. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

      • The disk for the operating system and TOS data requires three partitions: /opt, /var and /tmp.

      • Partition sizes:

        • /opt: Use the Sizing Calculator to determine the partition size

        • /var: 200 GB

        • /tmp: 25 GB

      • We recommend allocating the /opt partition all remaining disk space after you have partitioned the OS disk and moved etcd to a separate disk.

  • Network Requirements

    • Allocate a /24 subnet (24-bit prefix) for the Kubernetes service network and a /16 subnet (16-bit prefix) for the Kubernetes pods network (10.244.0.0/16 is used by default).

      The pods and services networks must be inside the following private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. In addition, ensure that the dedicated CIDR for the service network and pods network don't overlap with:

      • Each other

      • The physical addresses of your TOS servers (see below)

      • Your external load balancer IP(s)

      • Any other subnets communicating with TOS or with TOS nodes

    • You will need to allow access to required Ports and Services.
    • DNS hostnames must be enabled on your VPC - see Modify the DNS attributes for your VPC (Amazon official documentation)
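    The rules above are easy to get wrong when the VPC, the service network and the pod network are planned by different people. The POSIX shell script below is an added example, not part of the Tufin documentation: it checks that a planned service CIDR and pod CIDR lie inside RFC 1918 space, use the /24 and /16 sizes the page asks for, do not overlap each other, and do not contain any node IP, load balancer IP or peer subnet you pass as further arguments. IPv4 only; the addresses in the last line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Tufin documentation: validate the Kubernetes
# service and pod CIDRs against the rules above. IPv4 only. The addresses
# passed at the bottom are constructed placeholders.

# dotted quad -> unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# first and last address of a CIDR (or a bare host address) as two integers
cidr_range() {
    ip=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32          # no prefix length: treat as /32
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    net=$(( $(ip2int "$ip") & mask ))
    echo "$net $(( net | (~mask & 4294967295) ))"
}

# true when the two networks share at least one address
cidr_overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ $(( $1 <= $4 && $3 <= $2 )) -eq 1 ]
}

# true when $1 lies entirely inside $2
cidr_within() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ $(( $1 >= $3 && $2 <= $4 )) -eq 1 ]
}

# the three private ranges the page allows
is_rfc1918() {
    cidr_within "$1" 10.0.0.0/8 || cidr_within "$1" 172.16.0.0/12 \
        || cidr_within "$1" 192.168.0.0/16
}

# $1 service CIDR, $2 pod CIDR, $3... addresses or subnets that must stay
# outside both (node IPs, load balancer IPs, peer subnets). Prints one line
# per violation; exit status 0 means the plan satisfies every rule.
check_k8s_cidrs() {
    svc=$1; pod=$2; shift 2; rc=0
    [ "${svc#*/}" -eq 24 ] || { echo "service network $svc must be a /24"; rc=1; }
    [ "${pod#*/}" -eq 16 ] || { echo "pod network $pod must be a /16"; rc=1; }
    is_rfc1918 "$svc" || { echo "service network $svc is outside RFC 1918 space"; rc=1; }
    is_rfc1918 "$pod" || { echo "pod network $pod is outside RFC 1918 space"; rc=1; }
    if cidr_overlaps "$svc" "$pod"; then echo "service and pod networks overlap"; rc=1; fi
    for other in "$@"; do
        if cidr_overlaps "$other" "$svc"; then echo "$other overlaps service network $svc"; rc=1; fi
        if cidr_overlaps "$other" "$pod"; then echo "$other overlaps pod network $pod"; rc=1; fi
    done
    return $rc
}

# Constructed plan: node 10.0.1.25, internal NLB 10.0.1.200, a corporate /24.
check_k8s_cidrs 10.96.0.0/24 10.244.0.0/16 10.0.1.25 10.0.1.200 192.168.50.0/24 \
    && echo "CIDR plan OK"
```

    Run it once per node and once per load balancer address before launching anything; a pod network that swallows a node IP or a load balancer IP is the kind of mistake that only shows up as unreachable services after TOS is installed, when changing the networks means reinstalling.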

    Launch the Instance

    For additional help, refer to the official AWS documentation - Create your EC2 resources and launch your EC2 instance.

    1. In your AWS console, navigate to EC2 > Instances > Launch Instances.

    2. In the Name and tags pane, enter the name of the instance.

    3. In the Application and OS Images pane, choose an Amazon Machine image (AMI) from the AWS Marketplace. The AMI needs to be for:

      • Red Hat Enterprise Linux 8.10

      • Rocky Linux 8.10

      If you select Red Hat, it must be 'Red Hat Enterprise Linux Server Standard'. Other Linux distributions and versions are not supported. The AMI must include Logical Volume Management (LVM), which is required to enlarge the volumes.

    4. In the Instance type pane, select an instance type that meets your CPU and RAM resource requirements (see Prerequisites section).

    5. In the Key pair (login) pane, select or create a key pair to securely connect to your instance.

    6. In the Network Settings pane, click Edit, and enter/select the following details:

      • Network: The VPC you are using with this instance

      • Subnet: The subnet you are using with this instance

      • Auto-assign public IP: Select Disable. The instance is reached through the internal load balancer created later and over SSH from inside your network, so it does not need a public address.

      • Firewall (security groups): Create a new security group, or select an existing one, to control the traffic to your instance. Limit the inbound rules to the ports listed in Ports and Services and to the addresses that need SSH access; the host firewall is disabled later in this procedure, so the security group does most of the filtering.

    7. In the Configure Storage pane:

      1. Click Add new volume.

      2. For each volume, enter/select the following:

        • Size (GiB): 300

        • Volume type: General purpose SSD (gp3)

      3. Click the Advanced link, and set the IOPS, Throughput, and Encryption for each volume. Take into consideration that TOS requires 7,500 IOPS and the throughput expected will average 250MB/s with bursts of up to 700MB/s.

        The encryption should match your company's security policy.

    8. Click Launch Instance.

    9. (Optional) We recommend restricting the permissions of the .pem file downloaded to your PC so that other users cannot read the private key. OpenSSH refuses to use a key file that is readable by other users, so this step is also needed for the ssh command below to work. If your PC is running a Linux-like operating system, run:

      [<ADMIN> ~]# chmod 400 <pem_key_name>

    10. When required, log in to the instance as follows:

      [<ADMIN> ~]# ssh -i <pem_key_name> <awsuser>@<IP>

      where

      • <pem_key_name> is the name of the .pem file downloaded previously from the AWS console

      • <awsuser> is the default login user of the AMI, not your IAM user name (typically ec2-user on Red Hat Enterprise Linux AMIs and rocky on Rocky Linux AMIs)

      • <IP> is the private IP of the instance (no public IP was assigned in step 6), so connect from a host that can reach the VPC network

    Create Target Groups

    Target Ports

    After launching the instance, create a target group for each port you are going to need. These ports are listed in the Target column of the table below; they are the ports on which TOS listens on the instance (Kubernetes NodePorts). Each target group tells the load balancer where to send traffic that arrives on the corresponding Source port: to the private IP of the instance on the Target port. The Source ports are the ones that users, remote collectors and monitored devices connect to.

    Protocol   Source port   Target port   Purpose
    TCP        443           31443         Mandatory
    TCP        61617         31617         Remote collector connectivity
    TCP        9099          31099         OPM devices
    TCP        8443          31843         Remote collector connectivity
    TCP        9090          31090         Remote collector connectivity
    TCP        601           32514         Unencrypted TCP syslogs
    TCP        6514          31514         TLS encrypted TCP syslogs
    UDP        514           30514         UDP syslogs
    UDP        161           30161         SNMP monitoring
    UDP        10161         31161         SNMP monitoring

    Create a Target Group

    Repeat this procedure for each port you need.

    1. In your AWS console, navigate to EC2 > Target Groups.

    2. Click Create target group.

      The Step 1 - Specify group details tab appears.

    3. Enter/select the following:

      • Target type: IP addresses

      • Target group name: A name of your choice

      • Protocol/Port: The protocol and target port. For example: UDP / 30514

      • VPC: The VPC you have defined previously

      • IP Address Types: IPv4

      • Health checks: TCP

    4. Click Next.

      The Step 2 - Register Targets tab appears.

    5. Enter details:

      • IPv4 address: The IP address of the instance created previously

      • Ports: The target port you entered above.

    6. Click Include as pending below.

    7. Click Create target group.

    Create a Load Balancer

    The load balancer you create is going to have listeners - one for each of the target group ports from the previous section.

    1. In your AWS console, navigate to EC2 > Load Balancers.

    2. Click Create Load Balancer.

    3. Click Create for Network Load Balancer.

    4. Enter/select details:

      • Load balancer name: A name of your choice

      • Scheme: Internal

      • VPC: The VPC you are using with the instance.

    5. Select the relevant availability zones and subnets you are using.

    6. Add a listener for each target port.

      To add a listener,

      1. Enter/select:

        • Protocol: Protocol. For example: UDP

        • Port: Source port. For example: 514

        • Target group: Name of the appropriate group created in Create Target Groups.

      2. Click Add listener.

    7. Click Create load balancer.

      The load balancer will be added to the list of load balancers

    8. Select the newly created load balancer from the list of load balancers and note the DNS name. This will be the URL of TOS when it is installed.
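    The console steps in Create Target Groups and Create a Load Balancer amount to ten target groups and ten listeners, which is tedious to click through and easy to get subtly wrong (a TCP listener on a UDP group, a typo in a NodePort). The script below is an added example, not from the Tufin documentation: it performs the same steps with the AWS CLI (elbv2). The VPC, subnet, node IP and load balancer name are placeholders to replace, and the target group naming (tos-<proto>-<port>) is a convention of this example, not a requirement. By default it runs in dry-run mode and only prints the aws commands it would execute.

```shell
#!/bin/sh
# Added example, not from the Tufin documentation: create the target groups,
# the internal Network Load Balancer and one listener per table row with the
# AWS CLI. VPC, subnet, node IP and load balancer name are placeholders.
# DRY_RUN=1 (default) prints the aws commands instead of executing them.
set -e
DRY_RUN=${DRY_RUN:-1}
VPC_ID=${VPC_ID:-vpc-0123456789abcdef0}
SUBNET_IDS=${SUBNET_IDS:-subnet-0123456789abcdef0}
NODE_IP=${NODE_IP:-10.0.1.25}
LB_NAME=${LB_NAME:-tos-nlb}

# Protocol, source (listener) port and target (NodePort) per row of the table.
port_map() {
    cat <<'EOF'
TCP 443 31443
TCP 61617 31617
TCP 9099 31099
TCP 8443 31843
TCP 9090 31090
TCP 601 32514
TCP 6514 31514
UDP 514 30514
UDP 161 30161
UDP 10161 31161
EOF
}

# Target group name for a row, e.g. tos-udp-30514 (a convention of this example).
tg_name() {
    printf 'tos-%s-%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$2"
}

# Dry run: print the command on stderr and return a placeholder result so the
# script still flows; otherwise execute it and return what --query selected.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "aws $*" >&2
        echo "<$2-result>"
    else
        aws "$@"
    fi
}

# Create one target group (IP target type, TCP health check, as in the console
# steps) and register the node's NodePort in it. Prints the target group ARN.
create_target_group() {   # $1 protocol, $2 target port
    name=$(tg_name "$1" "$2")
    arn=$(run elbv2 create-target-group --name "$name" --protocol "$1" --port "$2" \
          --vpc-id "$VPC_ID" --target-type ip --ip-address-type ipv4 \
          --health-check-protocol TCP \
          --query 'TargetGroups[0].TargetGroupArn' --output text)
    run elbv2 register-targets --target-group-arn "$arn" \
        --targets "Id=$NODE_IP,Port=$2" >/dev/null
    echo "$arn"
}

# Internal NLB plus one listener per row, each forwarding to its target group.
main() {
    lb_arn=$(run elbv2 create-load-balancer --name "$LB_NAME" --type network \
             --scheme internal --subnets $SUBNET_IDS \
             --query 'LoadBalancers[0].LoadBalancerArn' --output text)
    port_map | while read -r proto src target; do
        tg_arn=$(create_target_group "$proto" "$target")
        run elbv2 create-listener --load-balancer-arn "$lb_arn" \
            --protocol "$proto" --port "$src" \
            --default-actions "Type=forward,TargetGroupArn=$tg_arn" >/dev/null
    done
    # The DNS name printed last is the URL TOS will be reached at.
    run elbv2 describe-load-balancers --load-balancer-arns "$lb_arn" \
        --query 'LoadBalancers[0].DNSName' --output text
}

main
```

    To execute for real: DRY_RUN=0 VPC_ID=vpc-... SUBNET_IDS='subnet-a subnet-b' NODE_IP=10.x.y.z sh create-tos-nlb.sh (the file name is your choice). The last line printed is the load balancer DNS name, the TOS URL once installed. Expect every target to show as unhealthy until TOS is installed and actually listens on the NodePorts; a TCP health check against a closed port cannot pass before then.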

    Configure Partitions

    If not done already, set up partitions according to the Prerequisites.

    Configure The Operating System

    1. If you are not currently logged in as user root, do so now.

      [<ADMIN> ~]$ su -
    2. If you want to change the host name or IP of the machine, do so now. Once TOS has been installed, changing the host name or IP address will require reinstalling - see Changing IP Address/Host Names. To change the host name, use the command below, replacing <mynode> with your preferred name.

      [<ADMIN> ~]# hostnamectl set-hostname <mynode>
    3. Modify the environment path to run TOS CLI commands without specifying the full path (/usr/local/bin/tos).

      [<ADMIN> ~]# echo 'export PATH="${PATH}:/usr/local/bin"' | sudo tee -a /root/.bashrc > /dev/null
    4. Synchronize your machine time with a trusted NTP server. Follow the steps in Configuring NTP Using Chrony.

    5. Configure the server timezone.

      [<ADMIN> ~]# timedatectl set-timezone <timezone>

      where <timezone> is in the format Area/Location. Examples: America/Jamaica, Hongkong, GMT, Europe/Prague. To list the values the command accepts:

      [<ADMIN> ~]# timedatectl list-timezones
    6. Update the installed packages, including the kernel (dnf upgrade updates every installed package, not only the kernel):

      [<ADMIN> ~]# dnf upgrade
    7. Disable SELinux:

      • If file /etc/selinux/config exists, edit and change the value of SELINUX to disabled:

        SELINUX=disabled
      • If the file doesn't exist or SELINUX is already set to disabled, do nothing.

      The change takes effect after the reboot in the next step; getenforce should then report Disabled. The node will run without SELinux confinement, which is one more reason to install nothing on it beyond what this procedure requires.
    8. Reboot the machine and log in.
    9. Install Wireguard. It is needed to encrypt communication between the nodes (machines) within the cluster. The repository packages below are for Enterprise Linux 8 (el8) and must match the major version of the operating system you are installing (RHEL or Rocky Linux 8.10).

    10. Add the EPEL and ELRepo repositories, then install the Wireguard kernel module and tools:

      [<ADMIN> ~]# sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
      [<ADMIN> ~]# sudo yum install kmod-wireguard wireguard-tools
    11. Reboot the machine and log in.
    12. Install tmux and rsync:

      [<ADMIN> ~]# dnf install -y rsync tmux
    13. Disable the firewall. TOS manages the host's iptables rules itself (see Prerequisites), so firewalld must not run alongside it. Until TOS installs its own rules, the security group attached to the instance (together with any VPC network ACLs) is the only thing filtering traffic to the node, so keep it restrictive.

      [<ADMIN> ~]# systemctl stop firewalld
      [<ADMIN> ~]# systemctl disable firewalld
    14. Create the TOS load module configuration file /etc/modules-load.d/tufin.conf. Example using vi:

      [<ADMIN> ~]# vi /etc/modules-load.d/tufin.conf
    15. Specify the modules to be loaded by adding the following lines to the configuration file created in the previous step. The modules will then be loaded automatically on boot.

      br_netfilter
      wireguard
      overlay
      ebtables
      ebtable_filter
    16. Load the above modules now:

      [<ADMIN> ~]# cat /etc/modules-load.d/tufin.conf | xargs modprobe -a

      Look carefully at the output to confirm all modules loaded correctly; an error message will be issued for any modules that failed to load.

    17. Check that Wireguard has loaded correctly.

      [<ADMIN> ~]# lsmod | grep wireguard

      The output will appear something like this:

      wireguard              201106  0
      ip6_udp_tunnel         12755  1 wireguard
      udp_tunnel             14423  1 wireguard
      

      If Wireguard is not listed in the output, contact support.

    18. Create the TOS kernel configuration file /etc/sysctl.d/tufin.conf. Example using vi:

      [<ADMIN> ~]# vi /etc/sysctl.d/tufin.conf
    19. Specify the kernel settings to be made by adding the following lines to the configuration file created in the previous step. The settings will then be applied on boot. Note that the net.bridge.bridge-nf-call-iptables key only exists while the br_netfilter module is loaded, which is why the modules are loaded in step 16 before this step; if the module is missing, sysctl fails with "cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables".

      net.bridge.bridge-nf-call-iptables = 1
      fs.inotify.max_user_watches = 1048576
      fs.inotify.max_user_instances = 10000
      net.ipv4.ip_forward = 1
    20. Apply the above kernel settings now:

      [<ADMIN> ~]# sysctl --system
    For maximum security, we recommend only installing official security updates and security patches for your Linux distribution, as well as the RPMs specifically mentioned in this section.
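    Steps 7 through 20 leave several things to verify by eye (module load output, lsmod, the sysctl values). The POSIX shell script below is an added example, not part of the Tufin documentation: it checks in one pass that the five required modules are loaded, the four sysctl values are applied, SELinux reports Disabled, firewalld is not running and the Wireguard tools are installed. Its check functions read text on stdin so they can be exercised against the constructed lsmod and sysctl samples embedded in the script; sh preflight.sh --live (the file name is your choice) runs them against the real host.

```shell
#!/bin/sh
# Added example, not from the Tufin documentation: preflight check for the OS
# configuration steps above. Check functions read stdin so they can be tested
# against the constructed samples below; "--live" runs them on the real host.

REQUIRED_MODULES="br_netfilter wireguard overlay ebtables ebtable_filter"
EXPECTED_SYSCTL="net.bridge.bridge-nf-call-iptables=1 fs.inotify.max_user_watches=1048576 fs.inotify.max_user_instances=10000 net.ipv4.ip_forward=1"

# Print each required module that does not appear in an lsmod listing on stdin.
missing_modules() {
    loaded=$(awk '$1 != "Module" { print $1 }')
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# Print each expected key=value absent from "key = value" lines on stdin.
sysctl_mismatches() {
    actual=$(sed 's/[[:space:]]//g')
    for kv in $EXPECTED_SYSCTL; do
        printf '%s\n' "$actual" | grep -qx "$kv" || echo "$kv"
    done
}

# Constructed samples shaped like the output of lsmod and "sysctl <keys>";
# the sysctl sample deliberately has max_user_watches left at a default value.
SAMPLE_LSMOD='Module                  Size  Used by
wireguard             201106  0
br_netfilter           22256  0
overlay                91659  0
ebtables               36008  1 ebtable_filter
ebtable_filter         12827  0'
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-iptables = 1
fs.inotify.max_user_watches = 8192
fs.inotify.max_user_instances = 10000
net.ipv4.ip_forward = 1'

# Run the checks on the samples; exit 0 if they flag exactly the planted gaps.
selfcheck() {
    [ -z "$(printf '%s\n' "$SAMPLE_LSMOD" | missing_modules)" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_LSMOD" | grep -v '^wireguard' | missing_modules)" = wireguard ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_mismatches)" = fs.inotify.max_user_watches=1048576 ]
}

# Run the checks on this host; prints each failure, exit 0 only when all pass.
live_check() {
    rc=0
    m=$(lsmod | missing_modules | tr '\n' ' ')
    [ -z "$m" ] || { echo "modules not loaded: $m"; rc=1; }
    s=$(sysctl net.bridge.bridge-nf-call-iptables fs.inotify.max_user_watches \
               fs.inotify.max_user_instances net.ipv4.ip_forward 2>/dev/null | sysctl_mismatches | tr '\n' ' ')
    [ -z "$s" ] || { echo "sysctl values not applied: $s"; rc=1; }
    [ "$(getenforce 2>/dev/null)" = Disabled ] || { echo "SELinux is not disabled"; rc=1; }
    if systemctl is-active --quiet firewalld 2>/dev/null; then echo "firewalld is still running"; rc=1; fi
    command -v wg >/dev/null 2>&1 || { echo "wireguard-tools (wg) not installed"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then live_check; else selfcheck && echo "selfcheck passed"; fi
```

    Run it after the final reboot, not just after editing the files: the module and sysctl files only prove that the settings will be applied on boot, while the live check proves they were. A non-zero exit with the printed reasons is what you want to see before starting the TOS installation, not after.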

    Mount The etcd Database on a Separate Volume

    The etcd database should be on a separate volume to improve the stability of TOS and reduce latency. Moving etcd to its own volume ensures that the Kubernetes database has the I/O capacity it needs and does not compete with the rest of TOS for the same disk.

    See Move etcd - New AWS Instance.