Provision and Launch Virtual iNodes and Virtual Edge iNodes with Amazon Web Services

This article describes how to provision and launch Virtual iNodes and Virtual Edge iNodes on Amazon Web Services (AWS).

Provisioning and Launching Virtual iNodes on AWS

In this section, learn how to provision and launch a Virtual iNode on AWS.

Provision a Virtual iNode on AWS

To provision a Virtual iNode, follow these steps:

1. To add a Virtual iNode, start in the Secure Edge Portal left menu by selecting the plus icon (+) to display Add iNode.
2. Enter the iNode Name.
3. Optionally, you can also specify custom attributes as Label.
4. Select the Virtual profile.
5. Download the iNode security credentials that you’ll need when you launch the Virtual iNode by selecting aws. Note that you can download this file only once. The file contains secure credentials used by the Virtual iNode. Save the downloaded file in a safe place. Don’t share it.
   
6. Then select Add iNode.

Launch a Virtual iNode

To launch a Virtual iNode, follow these steps:

1. Login to the AWS account using your AWS credentials.
2. To launch a Virtual iNode on AWS, you need access to the Secure Edge virtual iNode AMI for the region in which you want to launch. If you don’t already have the AMI, ask Secure Edge support to share it with your account.
3. When you have access to the AMI you need, select the region in which you’ll launch.
   
4. In the management console, under All services, select EC2 in the Compute section.
5. Under Create Instance, select Launch Instance to launch a new virtual instance.
6. When you’re prompted to choose the AMI, select the AMI Secure Edge gave you, under My AMIs.
7. On the Choose an Instance Type page, select t2.medium or higher. The minimum requirement is t2.medium. Then select Next Configure Instance Details.
   
8. On the Configure Instance Details page, select the Network (Virtual Private Cloud, VPC) and the Subnet in which you want to deploy the Virtual iNode.
9. Select Auto-assign Public IP to be Enable.
10. Near the bottom of the Configure Instance Details, select Advanced Details. For User data, select As file and attach the iNode security credentials file downloaded in Provisioning a Virtual iNode (AWS).
11. Select Next: Add Storage. Leave the default setting for Storage and select Next: Add Tags.
12. You can use tags for easy lookup in a pool. When you’re done, select Next: Configure Security Group.
13. Name the security group and configure the following policies:

    Type	Protocol	Source
    All traffic	All	Inter VPC/Subnet/YourIP
    HTTPS	TCP	0.0.0.0/0

14. Select Review and Launch, and check the configurations. Edit if needed, then select Launch.
15. Select Actions > Networking > Change Source/Dest. Check. Disable the Source/Dest Check.

When the instance is established and running, you’ll see its status as ALIVE in the Secure Edge Portal.

Configuring routing

To configure routing for the application servers to reach the local network through the Virtual iNode, follow these steps:

1. Copy the Instance ID of the Virtual iNode.
   
2. In VPC, select Route Tables.
3. Select your VPC and select Routes.
4. Select Edit Routes. Add the network CIDR of the local network protected by your Edge iNode in the Destination. Select Target as Instance and then the Virtual iNode. This will autopopulate the Instance ID.
5. Select Save Routes.

Provisioning and Launching Virtual Edge iNodes with AWS

A Virtual Edge iNode is an Secure Edge network element that is a AWS instance located at
the edge of your private network. This section describes how to provision and launch Virtual Edge iNodes on AWS

Provision Virtual Edge iNodes

Set up Virtual Edge iNodes using the Secure Edge Portal to add them as a network element, assign them to local networks, and add attributes.

Before you start, make sure you have an SSH public key to use for access authentication of the Edge iNode console. For more on SSH key management, see Managing SSH Key Authentication for an iNode

Add an AWS Virtual Edge iNode

To add a new Virtual Edge iNode, follow these steps:

1. To add an iNode, in the Secure Edge Portal left menu, select the plus icon (+) > Add iNode.
2. Enter the iNode name.
3. Optionally, specify any custom attribute as Label. (For more on labels, see Using Labels.)
4. Select the Virtual Edge profile.
5. For SSH Key, select the name of the SSH public key for use when logging into the console of this iNode. (If you don’t have an SSH public key to use, see Managing SSH Key Authentication for an iNode.)
6. To get the required security credentials to launch the Virtual Edge iNode, select AWS to download the iNode security credentials file. Save the downloaded file.
   
   
   

   The iNode security credentials file is downloadable only once and contains secure credentials to be used by the Virtual iNode. Save it in a safe place and don’t share it with anyone. After creation of the Virtual iNode, you should destroy the credential file.
   
   
7. Select Add iNode.

Add the Local Network to be Protected by this Virtual Edge iNode

1. Select the name of the newly added iNode to display the iNode details page.
   
2. To specify the local network that will be protected by this iNode, select the plus icon (+) to display the Add Network page. Enter the network name in the Name field, and optionally, specify any custom attribute as a Label. (For more on labels, see Using Labels.)
   
3. Manually configure static IP addresses for the hosts in this network. (The Network Addressing field is set to Static.)
4. Specify the network's CIDR in the Network CIDR field.
5. Specify a range of IP addresses (at least one) to reserve for iNode internal use. These IP addresses must be part of the same IP subnet as the local network's CIDR.
   • In Defauly Gateway, you can specify the IP address of the default gateway in your local network. If you don't specify a default gateway, the Start IP Address in the Internal IP Reserved Address Range is assumed to be the default gateway.
   • You may have the option of configuring Virtual LANs (VLANs). (For more on VLANs, see Using VLANs on Edge iNodes.)
   • Any traffic from the local network with a destination outside the local network (for example, traffic going to the internet or LAN) is sent to the default destination. You can set the Default Destinationto one of the following:
     • None (default), which results in dropping the traffic
     • Specify IP Address, which sends the traffic to the IP address of a gateway in the local network that you specify
     • WAN Network, which sends the traffic through the iNode uplink
6. Click Save.

Set Up Addressing for Services

If you aren’t planning to run services on this network, skip this step.

By default, the Virtual Edge iNode assigns IP addresses to services on the network dynamically from the Internal Reserved IP Address Range you specified. If you’re using the default, make sure you’ve reserved enough IP addresses. You need at least one more than the number of services you plan to run.

If you plan to configure the services manually with static IP addresses, follow these steps:

1. Select the Services expansion panel and set Service Addressing to Static.
   
2. Select Save.

Create Static Routes for a Virtual Edge iNode

Create static routes if you want:

• Services running on the Virtual Edge iNode to reach specific routed network segments behind the iNode
• Hosts in the local network to reach specific networks in your LAN or the internet

1. Select the Static Routes expansion panel and select Add to add a new static route. You can add up to 64 static routes per network. Note that if you set Default Destination to a value other than None, it uses up a static route.
   
2. Specify the CIDR of the destination network in the Destination Network CIDR field.
3. Select where to send the traffic going to the destination network in the Via field. Select one of the following:
   • Specify IP Address, which sends the traffic to the IP address of a gateway in the local network that you specify
   • WAN Network, which sends the traffic through the iNode uplink
4. Select Save.

Launch Virtual Edge iNodes

To launch a Virtual Edge iNode, follow these steps:

1. Sign in to the AWS account using your AWS credentials.
2. To launch a Virtual Edge iNode on AWS, you need access to the Secure virtual Edge iNode AMI for the region in which you want to launch. If you don’t already have the AMI, ask Secure Edge support to share it with your account.
3. When you have access to the AMI you need, select the region.
   
4. In the mangement console under All services, in the Compute section select EC2.
   
5. Under Create Instance, select Launch Instance to launch a new virtual instance.
   
6. When you’re prompted to choose the AMI, select the AMI Secure Edge gave you under My AMIs.
7. On the Choose an Instance Type page, select t2.medium or higher. The minimum requirement is t2.medium. Then select Next > Configure Instance Details. 
8. On the Configure Instance Details page, edit network setting and select the Network (Virtual Private Cloud, VPC) and the Subnet in which you want to deploy the Virtual iNode.
9. Set Auto-assign Public IP to Disable.
10. From Advanced network settings, add two interface to the instance from the same availability zone but different networks. Network subnet 1 will be public network and network subnet 2 can be public or private.
    
11. Leave the default settings for Configure Storage.
12. Select Advanced Details. For User data, select As file and attach the iNode security credentials file downloaded during provisioning.
13. Once instance is created, attach an elastic IP to the 1st interface (eth0).
14. Select Actions > Networking > Change Source/Dest. Check. Disable the Source/Dest Check.
15. In the AWS console, attach a security group with following rules to the instance :

    Type	Protocol	Outbound
    All traffic	All	0.0.0.0/0

    or

    Type	Protocol	Source
    DNS	TCP/UDP port 53	0.0.0.0
    HTTPS	TCP	34.217.170.7 54.185.195.11

16. When the instance is established and running, you’ll see its status as ALIVE in the Secure Edge Portal.
    
17. When creating a TAN in a Virtual Edge iNode, specify the gateway IP as the private IP that is associated to the interface #2. Also, ensure that the TAN CIDR is same the subnet of network #2. If you specify a reserved IP range for the TAN, ensure that the same range is excluded in the subnet autoassignment.

Configuring routing

To configure routing for devices behind the Virtual Edge to reach the virtual network through the Virtual Edge iNode, follow these steps:

1. Copy the TAN Interface ID of the Virtual Edge iNode.
   
2. In VPC, select Route Tables.
3. Select your VPC and select Routes.
4. Select Edit Routes. Add the network CIDR of the destination network protected by your Edge iNode in the Destination. Select Target as Instance and then paste the copied Interface ID. This will autopopulate the Instance ID.
5. Select Save Routes.