A Everpure Cloud Dedicated instance has four Ethernet interfaces that are used for the following types of traffic: iSCSI/NVMe-TCP, management, replication, and system intercommunication. Each Ethernet interface requires different types of TCP access.
- As a security best practice, create three different security groups as shown in the table below with the appropriate TCP access for the replication, iSCSI/NVMe-TCP, and management interfaces. Each security group will be applied during the Everpure Cloud Dedicated deployment.
- The security group for the System interface is automatically created during the deployment.
- The three security groups must be in the same region and VPC.
|
Security Group |
Inbound |
Outbound |
|---|---|---|
|
System (eth0)* |
25, 587 (optional for outgoing SMTP communication) |
|
|
Replication (eth1) |
8117 |
8117 443 (if using CloudSnap) |
|
iSCSI/NVMe-TCP (eth2) |
3260 (used by iSCSI) 4420, 8009 (used by NVMe-TCP) |
|
|
Management (eth3) |
22, 80, 443, 8084 |
443 |
* Note: For the System interface, a fourth security group called "PureSystemSecurityGroup" is automatically created and applied as part of the Everpure Cloud Dedicated deployment.
Create Security Groups
To create new Security Groups, go to VPC menu within the AWS console, locate Security Groups in the left-hand side menu, and click Create Security Group button. It is recommended to use naming that will help with identification of the group (e.g.: EverpureCloud_Dedicated-replication-sg). Follow the information above to set-up three individual security groups for Replication, iSCSI/NVMe-TCP, and Management interfaces.
IAM Role and Permissions (Mandatory)
To automate an Everpure Cloud Dedicated deployment, upgrade, or termination, an IAM role with appropriate permissions is required. Even with Administrator permissions elevated, the IAM role is still required. You must create a new IAM policy with the appropriate IAM permissions. Then create the IAM role and attach the IAM policy to your IAM role.
This section provides steps on creating the IAM roles and permissions required to Deploy and Upgrade Everpure Cloud Dedicated. First, create the permissions policy. Then create the IAM role that is required to launch Everpure Cloud Dedicated, and attach the permissions policy to the role.
- Go to the main IAM console.
- Create a new policy by selecting Policies and click Create policy.
- Click the JSON tab. Replace the default content of the JSON
file with the following permissions. You can copy/paste the following content
directly into the JSON file.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ApplicationAutoscalingPermissions", "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource": "*" }, { "Sid": "AutoscalingPermissions", "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteTags", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeTags", "autoscaling:PutLifecycleHook", "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*" }, { "Sid": "DynamoDBPermissions", "Effect": "Allow", "Action": [ "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:ListTagsOfResource", "dynamodb:TagResource", "dynamodb:UntagResource", "dynamodb:UpdateTable" ], "Resource": "*" }, { "Sid": "EC2Permissions", "Effect": "Allow", "Action": [ "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:CreatePlacementGroup", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:DeletePlacementGroup", "ec2:DeleteSecurityGroup", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeNetworkInterfaces", "ec2:DescribePlacementGroups", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", "ec2:DetachNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyVolumeAttribute", "ec2:ModifyInstanceAttribute", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": "*" }, { "Sid": "IAMPermissions", "Effect": "Allow", "Action": [ "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", "iam:CreatePolicy", "iam:CreateRole", "iam:CreateServiceLinkedRole", "iam:DeleteInstanceProfile", "iam:DeletePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:GetInstanceProfile", "iam:GetPolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:ListRoleTags", "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "iam:SimulatePrincipalPolicy", "iam:TagRole", "iam:UntagRole" ], "Resource": "*" }, { "Sid": "KMSPermissions", "Effect": "Allow", "Action": [ "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias", "kms:DescribeKey", "kms:DisableKey", "kms:EnableKey", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListResourceTags", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:TagResource", "kms:UntagResource", "kms:UpdateAlias" ], "Resource": "*" }, { "Sid": "LambdaPermissions", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:InvokeFunction", "lambda:ListTags", "lambda:TagResource", "lambda:UntagResource", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration" ], "Resource": "*" }, { "Sid": "S3Permissions", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:GetBucketPolicy", "s3:GetBucketTagging", "s3:ListBucket", "s3:PutBucketPolicy", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutMetricsConfiguration", "s3:PutBucketPublicAccessBlock" ], "Resource": "*" }, { "Sid": "SecretsManagerPermissions", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:TagResource", "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy", "secretsmanager:DeleteSecret" ], "Resource": "*" }, { "Sid": "STSPermissions", "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": "*" } { "Sid": "SSMPermissions", "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": "*" } ] } - Click Next.
- Provide a name for the policy. For example, you can call it PurityServicePermission.
- Click Create policy .
- Go back in the main IAM console.
- Create a role by selecting Roles and click Create role.
- Select the trusted entity by selecting:
- AWS service
- CloudFormation
- Click Next.
- In the search box, type the policy name PurityServicePermission created in step 4, and check the box for this policy.
- Click Next: Tags.
- (Optional) Add Tag if desired and click Next.
- Enter the role name PurityServiceRole and click Create
role
.
This completes the process of creating the PurityServiceRole.
In addition to the PurityServiceRole, another role is needed in order to deploy Everpure Cloud Dedicated. This role is called AWSServiceRoleForApplicationAutoScaling_DynamoDBTable. Follow the steps below to check whether this role already exists, and to create the role if needed.
- Log into the AWS Management Console either as a user with full administrative access, or at least as a user with permissions that allow the action iam:CreateServiceLinkedRole on either all resources, or at least on the AWS Service Application Auto Scaling.
- After logging in, go to Identity and Access Management (IAM); and then to Roles; and search for the role AWSServiceRoleForApplicationAutoScaling_DynamoDBTable:
- If the role already exists, proceed to step #22 below. If
this role does not exist, click on Create role
to create this role. The following screen will appear:
- Under Type of trusted entity, select AWS service, and scroll down. In the Service or use case window, type Application Auto Scaling and then select Application Auto Scaling -DynamoDB.
-
Click Next. On the screen below, you should see the message T he service-linked role that you selected requires the following policy, and the following policy should be listed under Policy name: AWSApplicationAutoscalingDynamoDBTablePolicy
- Click on Next and the following Review screen will appear:
- policy is attached to it.
- Click on the policy; then click on Permissions and { } JSON; and make sure that the following permissions exist:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:UpdateTable",
"cloudwatch:PutMetricAlarm",
"cloudwatch:DescribeAlarms",
"cloudwatch:DeleteAlarms"
],
"Resource": "*"
}
]
}