Amazon Web Services (AWS) GovCloud is a cloud service from Amazon aimed specifically at the United States government. It is designed to enable US government agencies and customers to move sensitive workloads into the cloud by addressing specific regulatory and compliance requirements - for example, the International Traffic in Arms Regulations (ITAR) which governs how defense-related data is managed and stored. Specifically, GovCloud segregates the data both logically and physically to ensure that it is only accessible by designated individuals within the United States.
The KEMP Technologies Application Delivery Controller (ADC), Virtual LoadMaster, is available in AWS GovCloud Marketplace. Providing resilient pervasive secure delivery of applications within the AWS GovCloud, the Virtual LoadMaster guarantees high availability, ensures security of the application servers, and simplifies integration with on-premises infrastructure.
The AWS GovCloud platform enables existing on-premises applications to be easily provisioned in the cloud, providing customers the benefit of scalability, elasticity, and shift of capital expenses to operational ones.
KEMP's Virtual LoadMaster (VLM) is a full-featured, advanced Layer 4-7 load balancer that supports a variety of workloads. Available in two versions, Bring Your Own License (BYOL) and the perpetual free license, the VLM provides the required throughput at the right price.
Along with advanced scheduling methods, intelligent traffic steering and support for multiple protocols, the VLM also provides Global Site Load Balancing (GSLB), RESTful, Python and PowerShell Application Program Interfaces (APIs).
In addition, the LoadMaster includes integration of the FIPS 140-2 certified encryption module, and supports security features such as access control lists, Web Application Firewall (WAF), Distributed Denial of Service (DDoS) protection, and multiple authentication methods, including: Kerberos Constrained Delegation (KCD), Department of Defense (DoD) Common Access Card (CAC) and Federal Personal Identity Verification (PIV) smart card, and Single Sign-On (SSO).
Some of the features and associated benefits of the VLM are listed in the table below.
Regardless of where the applications are deployed (cloud, on premises, or in hybrid environments) the VLM can load balance them.
|Feature|Benefit|
|---|---|
|Hybrid enhancement|The VLM manages applications deployed in hybrid infrastructures on premises and in the AWS GovCloud.|
|Scalable|Highly available ADCs, deployed on-demand to meet load requirements.|
|Resilient|VLM GEO load balancing supports application instances across multiple sites to accommodate growth and deliver additional resilience.|
This document is intended to brief the reader on the LoadMaster for AWS GovCloud product and assist the reader to set up a basic LoadMaster for AWS GovCloud instance through the Marketplace.
It is also possible to configure the LoadMaster using Application Program Interface (API) commands. For further details, please refer to the Interface Description documents on the KEMP documentation page: https://kemptechnologies.com/documentation.
This document is intended to be read by anyone who is interested in finding out about the LoadMaster for AWS GovCloud product.
There are some prerequisites to be aware of before following the steps in this document:
Users should be familiar with the operation of AWS.
If not already done, create a KEMP ID at the registration page: https://kemptechnologies.com/kemp-id-registration/
Users should have access and be logged-in to the AWS GovCloud Management Console.
Some requirements to be aware of when deploying a LoadMaster in AWS GovCloud are below:
The Virtual Private Cloud (VPC) requires an internet gateway to be configured and bound to the subnet. When the gateway is bound to the subnet, it does not automatically create a default route in the subnet routing table - you must also add this. If either of these steps is missed during deployment, the LoadMaster cannot be configured correctly.
Internet access is required to license hourly-usage LoadMasters.
Using Bring Your Own License (BYOL) licensing in an AWS VPC does work without internet access when using the private IP address but only if you explicitly set Auto-Assign Public IP to Disabled. If it is set to Subnet Default (Disabled) there will be errors during initial configuration.
Firstly, the initial IP address that is obtained is assigned by AWS, rather than obtained using Dynamic Host Configuration Protocol (DHCP). The LoadMaster obtains this address at instantiation and will use this as its interface address. This address is permanent for this instance. This private address is associated with a public IP address as well. Additional private addressing can be assigned according to your needs if you have additional private networks in AWS GovCloud.
In addition, a public address which maps to the private address is issued by AWS GovCloud. Unlike the private address, the public IP address can be changed by purchasing an Elastic IP.
For more information on Elastic IPs, refer to the . Elastic IPs can be requested by opening a Support case with AWS. Elastic IPs can be allocated in the AWS EC2 Console in NETWORK & SECURITY > Elastic IPs.
From within LoadMaster, interface IP addresses can be changed administratively as usual, but this requires additional AWS configuration to prevent disconnection.
To preserve public ports, the Web User Interface (WUI) is available on port 8443 rather than 443. This allows port 443 to be used for a Virtual Service.
It is not possible to bond interfaces on AWS LoadMasters.
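The internet gateway and default route requirement above is easy to get half right, because attaching the gateway does not add the route. The following added example (not code from the KEMP guide) checks both conditions over data shaped like the EC2 describe-internet-gateways and describe-route-tables responses; the VPC, subnet and gateway ids are constructed sample values.

```python
# Added example (not from the KEMP guide): verifies the two VPC prerequisites
# the guide lists before a LoadMaster launch, (1) an internet gateway attached
# to the VPC and (2) a 0.0.0.0/0 route to that gateway in the subnet's route
# table. Inputs mirror the EC2 describe-internet-gateways and
# describe-route-tables response shapes; the sample values are constructed.

def find_igw_for_vpc(igws, vpc_id):
    """Return the id of an internet gateway attached to vpc_id, else None."""
    for igw in igws:
        for att in igw.get("Attachments", []):
            if att.get("VpcId") == vpc_id and att.get("State") in ("available", "attached"):
                return igw["InternetGatewayId"]
    return None

def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """Explicitly associated route table, else the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_default_route_to_igw(route_table, igw_id):
    """True if an active 0.0.0.0/0 route targets igw_id."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId") == igw_id
               and r.get("State", "active") == "active"
               for r in route_table.get("Routes", []))

def check_subnet_internet_path(igws, route_tables, vpc_id, subnet_id):
    """Return a list of problems; an empty list means both prerequisites hold."""
    problems = []
    igw_id = find_igw_for_vpc(igws, vpc_id)
    if igw_id is None:
        problems.append("no internet gateway attached to " + vpc_id)
    rt = route_table_for_subnet(route_tables, vpc_id, subnet_id)
    if rt is None:
        problems.append("no route table found for " + subnet_id)
    elif igw_id and not has_default_route_to_igw(rt, igw_id):
        problems.append(rt["RouteTableId"] + " has no 0.0.0.0/0 route via " + igw_id)
    return problems

# Constructed sample: gateway attached, but the default route was never added,
# which is the exact omission the guide warns about.
SAMPLE_IGWS = [{"InternetGatewayId": "igw-0example",
                "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}]
SAMPLE_ROUTE_TABLES = [{"RouteTableId": "rtb-0example", "VpcId": "vpc-0example",
                        "Associations": [{"SubnetId": "subnet-0example", "Main": False}],
                        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16",
                                    "GatewayId": "local", "State": "active"}]}]
```

Running `check_subnet_internet_path(SAMPLE_IGWS, SAMPLE_ROUTE_TABLES, "vpc-0example", "subnet-0example")` on the sample reports the missing default route; feeding it the real API responses for your VPC gives the same pre-launch check.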
There are two main licensing options when deploying a LoadMaster for AWS:
Hourly consumption (PAYG)
Bring Your Own License (BYOL)
When starting a new instance, you are prompted to select a key pair. A key pair is a certificate and key. It is used to SSH to the LoadMaster. Keep the downloaded key in a safe place. Steps on how to add a key pair are below:
1. Log in to the AWS console.
2. Click EC2.
3. In the main menu, select Key Pairs.
4. Click Create Key Pair.
5. Enter a name for the key pair and click Create.
6. The .pem file will download.
This file is required to SSH into the LoadMaster so make a note of where this file is stored. This file needs to reside on the client that is used to SSH to the LoadMaster.
If you are using a client that does not accept PEM format, you will need to convert the file to another format, for example PPK for PuTTY.
7. The permissions of the key pair file need to be changed in order for it to work. To do this in Linux, go to the directory where the file is stored and run the following command:
chmod 600 <FileName>
To start an instance, follow the steps below:
Please note that it is also possible to deploy a LoadMaster through a different flow in the AWS Marketplace. Configure the same settings as outlined below; in particular, ensure that you select a Virtual Private Cloud (VPC) as the network.
2. Click EC2.
3. Click Instances.
4. Click Launch Instance.
5. Select AWS Marketplace.
6. Search for Virtual LoadMaster.
7. Click Select for the relevant version to be deployed.
8. If you chose an hourly licensing model, click Continue to proceed.
9. Select the desired Instance Type.
For further information on instance types, please refer to the following Amazon link: Amazon EC2 Instance Types.
10. Click Next: Configure Instance Details.
11. Ensure to select the correct item (a VPC) in the Network drop-down list.
If multiple LoadMasters on multiple networks are needed, choose the different networks as required. If more networks need to be created, please contact your AWS administrator to add them. The Create new VPC link can be used to add more networks if needed.
12. Ensure that the Auto-assign Public IP option is set to Enable.
13. Configure any other setting as needed.
14. Click Review and Launch.
15. Select the relevant option on the Boot from General Purpose (SSD) screen and click Next.
16. Before launching, click Edit security groups.
17. Select the security group of your choosing or create a new security group.
a) The following rules are needed in the security group:
Custom TCP Rule with the Port Range 8443 for the WUI
SSH for the SSH management interface
Do not block port 6973.
Any additional rules that are needed for other ports for services to be load balanced, for example Remote Desktop Protocol (RDP) if load balancing Windows RDP servers, or HTTPS for a secure website
Select the relevant source option from the drop-down list and enter custom IP addresses as needed.
18. It is recommended that management interfaces only be allowed using trusted IP addresses. You should also add rules for any services you intend on creating. You can always revisit this security group later if additional services become necessary.
19. Click Review and Launch.
20. Click Launch.
21. Select the appropriate key pair for your environment. This is the key pair that was created in the Create a New Key Pair section. This key pair is needed to connect using SSH.
22. Select the check box.
23. Click Launch Instances.
25. Once your instance state is Running, you may proceed to connect to your LoadMaster instance.
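Step 18 above recommends allowing the management ports (8443 for the WUI, SSH) only from trusted addresses. The following added example (not code from the KEMP guide) audits a security group's ingress rules for that condition, over data shaped like the IpPermissions list returned by describe-security-groups; the trusted range and sample rules are constructed values.

```python
# Added example (not from the KEMP guide): audits a security group against the
# guide's rules for a LoadMaster instance: WUI on TCP 8443 and SSH on TCP 22
# should only be reachable from trusted management addresses, never from
# 0.0.0.0/0 or ::/0, while the service ports you load balance may be public.
# Input mirrors the IpPermissions shape of describe-security-groups; the
# trusted CIDR and the sample rules are constructed values.
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 8443: "WUI"}

def _rule_cidrs(perm):
    """Yield every IPv4/IPv6 source network granted by one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])

def _covers_port(perm, port):
    """True if the entry's protocol/port range includes the given TCP port."""
    if perm.get("IpProtocol") not in ("tcp", "-1"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= port <= hi

def audit_management_exposure(ip_permissions, trusted):
    """Return findings as (port, label, cidr) tuples for every management
    port reachable from a source that is not inside a trusted network."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for perm in ip_permissions:
        for port, label in MANAGEMENT_PORTS.items():
            if not _covers_port(perm, port):
                continue
            for src in _rule_cidrs(perm):
                ok = any(src.version == t.version and src.subnet_of(t) for t in trusted_nets)
                if not ok:
                    findings.append((port, label, str(src)))
    return findings

# Constructed sample: HTTPS service port left public (fine), SSH restricted to
# the management range (fine), but the WUI port opened to the world (finding).
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
TRUSTED_MANAGEMENT = ["203.0.113.0/24"]
```

An "all traffic" rule (IpProtocol "-1") has no port range in the API output, so the audit treats it as covering every port and flags it for both management ports.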
If you chose an hourly licensing method - after the instance has been launched, you first need to access the LoadMaster using SSH with the required key pair to enable WUI access. The example steps below use PuTTY as the SSH client.
1. Open the PuTTY client.
2. Enter the IP address of the LoadMaster instance. This is the IP address obtained in the Start a New Instance section.
3. In the main menu, navigate to Connection > SSH > Auth.
4. Click Browse.
5. Navigate to and select the key pair file that was exported in the Licensing Options section.
If you are using a client that does not accept PEM you will need to convert the key pair file to another format, for example PPK for PuTTY. For instructions on how to do this, refer to the following TechRepublic article: Connect to Amazon EC2 with a private key using PuTTY and Pageant.
6. If desired, you can save the settings so that you do not have to perform these steps each time you open a PuTTY session for this IP address. To do this, enter a name in the Saved Sessions text box and click Save.
7. Click Open.
8. Log in with the username bal. This is the default LoadMaster username.
9. Enter the passphrase if you specified one to be used for the private key.
10. A number of screens appear relating to configuring various network options. These can be left as the default values but can be changed if needed. Press OK on each screen to proceed:
a) A screen appears relating to the IP address.
b) The IP address for the default gateway should only be changed if you have an alternative gateway configured.
c) The default name server appears. You can optionally change this to an alternative name server if required.
d) Leave this option blank unless your environment requires a proxy server to access the internet.
11. If you selected an hourly licensing model, you are asked to enter the current LoadMaster password. By default, the password is set to the Instance ID which can be found in the AWS EC2 Dashboard by selecting Instances within the INSTANCES section of the main menu. Enter and confirm the new password.
The password must be reset to access the LoadMaster Web User Interface (WUI). If you enter an incorrect password, you must restart SSH and go through the setup again.
12. Log in with the new password.
13. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.
If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps in the Restart Web Server Access - Hourly Licensing section.
If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps below. The existing SSH session can be used, or a new SSH session can be opened using bal and the new password created in the Initial Setup - Hourly Licensing section.
1. On the main menu, select Local Administration.
2. Select Web Address.
3. Select Immediately Stop Web Server Access.
4. Select Immediately Start Web Server Access.
5. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 console in the Description tab.
If you chose an hourly licensing model, follow the steps below to initially set up the LoadMaster:
1. Open the VLM in a web browser by entering https://InstanceAddress:8443 in the address bar. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.
2. Acknowledge the self-signed certificate to proceed.
The certificate used by the WUI will take the public name used by AWS.
3. Accept the End User License Agreement (EULA).
4. A screen will then appear asking if you are OK with the LoadMaster regularly contacting KEMP to check for updates and other information. Click the relevant button to proceed.
A prompt will appear asking for the username and password. Enter bal as the username and the password that was set previously. The LoadMaster is now licensed and is ready for administration and configuration.
When using the BYOL method, the normal LoadMaster licensing and activation process is used. Access the LoadMaster using the WUI by entering the Public Address, preceded with https:// and followed by :8443. Then, proceed through the steps and license the LoadMaster.
To use the BYOL option, follow the steps below:
1. Deploy the BYOL - Trial and perpetual license version of the Virtual LoadMaster (follow the steps in the Start a New Instance section).
2. Contact a KEMP representative to get a license.
3. Update the license on your LoadMaster to apply the license change (System Configuration > System Administration > Update License).
KEMP recommends rebooting after updating the license.
For AWS GovCloud, use offline licensing.
To upgrade the license using the offline method, you must enter the license text in the LoadMaster. You can either get this from KEMP or by using the Get License link.
To get the license text using the Get License link:
4. Click the Get License link.
5. If you have a purchase order number, select Yes from the Do you have a purchase order? drop-down list. Enter the Order ID. Your Order ID is in an email sent to you from KEMP operations.
6. If you have a serial number, select Yes from the Do you have a serial number? drop-down list. Enter the Serial number.
7. Enter the LoadMaster access code. This is displayed on the LoadMaster Offline Licensing screen.
8. Select the Firmware version.
9. Enter the KEMP ID (email address used when registering the KEMP account).
10. Enter the Password of the KEMP account.
11. Click GENERATE LICENSE. An email is sent to the KEMP ID containing the license. You can also copy the text to your clipboard by clicking the link in the dialog box.
12. Open the email and copy the text, from the start of the word begin to the end of the word end.
13. Open the LoadMaster.
14. Paste the license into the box provided.
15. Click Update License. KEMP recommends rebooting after updating the license.
To create a Virtual Service, follow the steps below in the LoadMaster WUI:
1. In the main menu, select Virtual Services and Add New.
2. Enter the private address of the LoadMaster instance in the Virtual Address text box.
3. Enter the relevant Port which was permitted in the Security Group.
4. Enter a recognizable Service Name.
5. Select the relevant Protocol.
6. Click Add this Virtual Service.
7. Configure the settings for the Virtual Service as needed, for example:
8. To enable SSL acceleration, select the Enabled check box in the SSL Properties section. For more information on SSL offloading, refer to the SSL Accelerated Services, Feature Description.
9. To enable ESP, select the Enable ESP check box in the ESP Options section. For more information on how to configure the ESP options, refer to the ESP, Feature Description.
10. To enable the Web Application Firewall (WAF), select the Enabled check box in the WAF Options section. For more information on how to configure the WAF options, refer to the KEMP Web Application Firewall, Feature Description.
11. Add real servers in the Real Servers section.
If you are using a Pay Per Use (Hourly Usage) LoadMaster, three days after initially setting up the LoadMaster, a prompt will appear asking you to activate your support subscription. Enter your KEMP ID and Password and click Update License to do this.
You can activate your support subscription before three days by expanding System Configuration > System Administration, clicking the Update License option and filling in your KEMP ID and password.
KEMP recommends rebooting the LoadMaster after updating the license.
Do not downgrade from firmware version 7.2.36 or higher to a version below 7.2.36. If you do this, the LoadMaster becomes inaccessible and you cannot recover it.
While the instructions above provide a basic overview of how to deploy and configure LoadMaster for AWS GovCloud, this document is not designed to be a comprehensive guide to configuring every possible workload. This section identifies some of the many guides published in the resources section of our website. Unless otherwise specified, the following documents can be found at .
Web User Interface (WUI), Configuration Guide
This document was last updated on 05 October 2018.