Amazon Web Services (AWS) is a collection of remote computing services (also called web services) that together make up Amazonâ€™s cloud computing platform.
This document is intended to brief the reader on the LoadMaster for AWS product and assist the reader to set up a basic LoadMaster for AWS instance and create a service.
It is also possible to use High Availability (HA) when using the LoadMaster for AWS. For further information on this, please refer to the .
This document is intended to be read by anyone who is interested in finding out about the LoadMaster for AWS product.
Some requirements to be aware of when deploying a LoadMaster in AWS are below:
The Virtual Private Cloud (VPC) requires an internet gateway to be configured and bound to the subnet. When the gateway is bound to the subnet, it does not automatically create a default route in the subnet routing table - you must also add this. If either of these steps are missed during deployment, the LoadMaster cannot be configured correctly.
Internet access is required to license hourly-usage LoadMasters.
Using Bring Your Own License (BYOL) licensing in an AWS VPC does work without internet access when using the private IP address but only if you explicitly set Auto-Assign Public IP to Disabled. If it is set to Subnet Default (Disabled) there will be errors during initial configuration.
Firstly, the initial IP address that is obtained is assigned by AWS, rather than obtained using Dynamic Host Configuration Protocol (DHCP). The LoadMaster obtains this address at instantiation and will use this as its interface address. This address is permanent for this instance. This private address is associated with a public IP address as well. Additional private addressing can be assigned according to your needs if you have additional private networks in AWS.
In addition, a public address which maps to the private address is issued by AWS. Unlike the private address, the public IP address can be changed by purchasing an Elastic IP.
For more information on Elastic IPs, refer to the . Elastic IPs can be requested by opening a Support case with AWS. Elastic IPs can be allocated in the AWS EC2 Console in NETWORK & SECURITY > Elastic IPs.
From within LoadMaster, interface IP addresses can be changed administratively as usual, but this requires additional AWS configuration to prevent disconnection.
To preserve public ports, the Web User Interface (WUI) is available on port 8443 rather than 443. This allows port 443 to be used for a Virtual Service.
It is not possible to bond interfaces on AWS LoadMasters.
There are two main licensing options when deploying a LoadMaster for AWS:
Hourly consumption (PAYG)
Bring Your Own License (BYOL)
When starting a new instance, you are prompted to select a key pair. A key pair is a certificate and key. It is used to SSH to the LoadMaster. Keep the downloaded key in a safe place. Steps on how to add a key pair are below:
1. Log in to the AWS console.
2. Click EC2.
3. In the main menu, select Key Pairs.
4. Click Create Key Pair.
5. Enter a name for the key pair and click Create.
6. The .pem file will download.
This file is required to SSH into the LoadMaster so make a note of where this file is stored. This file needs to reside on the client that is used to SSH to the LoadMaster.
If you are using a client that does not accept PEM format, you will need to convert the file to another format, for example PPK for Putty.
7. The permissions of the key pair file need to be changed in order for it to work. To do this in Linux, go to the directory where the file is stored and run the following command:
chmod 600 <FileName>
To start an instance, follow the steps below:
Please note that it is also possible to deploy a LoadMaster using a different flow using the AWS Marketplace. Please configure the same settings as outlined below, in particular â€“ please ensure to select a Virtual Private Cloud (VPC) as the network.
2. Click EC2.
3. Click Instances.
4. Click Launch Instance.
5. Select AWS Marketplace.
6. Search for Virtual LoadMaster.
7. Click Select for the relevant version to be deployed.
8. If you chose an hourly licensing model, click Continue to proceed.
9. Select the desired Instance Type.
For further information on instance types, please refer to the following Amazon link: Amazon EC2 Instance Types.
10. Click Next: Configure Instance Details.
11. Ensure to select the correct item (a VPC) in the Network drop-down list.
If multiple LoadMasters on multiple networks are needed, choose the different networks as required. If more networks need to be created, please contact your AWS administrator to add them. The Create new VPC link can be used to add more networks if needed.
12. Ensure that the Auto-assign Public IP option is set to Enable.
13. Configure any other setting as needed.
14. Click Review and Launch.
15. Select the relevant option on the Boot from General Purpose (SSD) screen and click Next.
16. Before launching, click Edit security groups.
17. Select the security group of your choosing or create a new security group.
a) The following rules are needed in the security group:
Custom TCP Rule with the Port Range 8443 for the WUI
SSH for the SSH management interface
Do not block port 6973.
Any additional rules that are needed for other ports for services to be load balanced, for example Remote Desktop Protocol (RDP) if load balancing Windows RDP servers, or HTTPS for a secure website
Select the relevant source option from the drop-down list and enter custom IP addresses as needed.
18. It is recommended that management interfaces only be allowed using trusted IP addresses. You should also add rules for any services you intend on creating. You can always revisit this security group later if additional services become necessary.
19. Click Review and Launch.
20. Click Launch.
21. Select the appropriate key pair for your environment. This is the key pair that was created in the Create a New Key Pair section. This key pair is needed to connect using SSH.
22. Select the check box.
23. Click Launch Instances.
25. Once your instance state is Running, you may proceed to connect to your LoadMaster instance.
If you chose an hourly licensing method - after the instance has been launched, you first need to access the LoadMaster using SSH with the required key pair to enable WUI access. The example steps below use PuTTY as the SSH client.
1. Open the PuTTY client.
2. Enter the IP address of the LoadMaster instance. This is the IP address obtained in the Start a New Instance section.
3. In the main menu, navigate to Connection > SSH > Auth.
4. Click Browse.
5. Navigate to and select the key pair file that was exported in the Licensing Options section.
If you are using a client that does not accept PEM you will need to convert the key pair file to another format, for example PPK for Putty. For instructions on how to do this, refer to the following TechRepublic article: Connect to Amazon EC2 with a private key using PuTTY and Pageant.
6. If desired, you can save the settings so that you do not have to perform these steps each time you open a Putty session for this IP address. To do this, enter a name in the Saved Sessions text box and click Save.
7. Click Open.
8. Log in with the username bal. This is the default LoadMaster username.
9. Enter the passphrase if you specified one to be used for the private key.
10. A number of screens appear relating to configuring various network options. These can be left as the default values but can be changed if needed. Press OK on each screen to proceed:
a) A screen appears relating to the IP address.
b) The IP address for the default gateway should only be changed if you have an alternative gateway configured.
c) The default name server appears. You can optionally change this to an alternative name server if required.
d) Leave this option blank unless your environment requires a proxy server to access the internet.
11. If you selected an hourly licensing model, you are asked to enter the current LoadMaster password. By default, the password is set to the Instance ID which can be found in the AWS EC2 Dashboard by selecting Instances within the INSTANCES section of the main menu. Enter and confirm the new password.
The password must be reset to access the LoadMaster Web User Interface (WUI). If you enter an incorrect password, you must restart SSH and go through the setup again.
12. Log in with the new password.
13. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.
If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps in the Restart Web Server Access - Hourly Licensing section.
If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps below. The existing SSH session can be used, or a new SSH session can be opened using bal and the new password created in the Initial Setup â€“ Hourly Licensing section.
1. On the main menu, select Local Administration.
2. Select Web Address.
3. Select Immediately Stop Web Server Access.
4. Select Immediately Start Web Server Access.
5. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 console in the Description tab.
If you chose an hourly licensing model, follow the steps below to initially set up the LoadMaster:
1. Open the VLM in a web browser by entering https://InstanceAddress:8443 in the address bar. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.
2. Acknowledge the self-signed certificate to proceed.
The certificate used by the WUI will take the public name used by AWS.
3. Accept to End User License Agreement (EULA).
4. A screen will then appear asking if you are OK with the LoadMaster regularly contacting KEMP to check for updates and other information. Click the relevant button to proceed.
A prompt will appear asking for the username and password. Enter bal as the username and the password that was set previously. The LoadMaster is now licensed and is ready for administration and configuration.
When using the BYOL method, the normal LoadMaster licensing and activation process is used. Access the LoadMaster using the WUI by entering the Public Address, preceded with https:// and followed by :8443. Then, proceed through the steps and license the LoadMaster.
To use the BYOL option, follow the steps below:
1. Deploy the BYOL â€“ Trial and perpetual license version of the Virtual LoadMaster (follow the steps in the Start a New Instance section).
2. Contact a KEMP representative to get a license.
3. Update the license on your LoadMaster to apply the license change (System Configuration > System Administration > Update License).
To create a Virtual Service, follow the steps below in the LoadMaster WUI:
1. In the main menu, select Virtual Services and Add New.
2. Enter the private address of the LoadMaster instance in the Virtual Address text box.
3. Enter the relevant Port which was permitted in the Security Group.
4. Enter a recognizable Service Name.
5. Select the relevant Protocol.
6. Click Add this Virtual Service.
7. Configure the settings for the Virtual Service as needed, for example:
8. To enable SSL acceleration, select the Enabled check box in the SSL Properties section. For more information on SSL offloading, refer to the SSL Accelerated Services, Feature Description.
9. To enable ESP, select the Enable ESP check box in the ESP Options section. For more information on how to configure the ESP options, refer to the ESP, Feature Description.
10. To enable the Web Application Firewall (WAF), select the Enabled check box in the WAF Options section. For more information on how to configure the WAF options, refer to the KEMP Web Application Firewall, Feature Description.
11. Add real servers in the Real Servers section.
If you are using a Pay Per Use (Hourly Usage) LoadMaster, three days after initially setting up the LoadMaster, a prompt will appear asking you to activate your support subscription. Enter your KEMP ID and Password and click Update License to do this.
You can activate your support subscription before three days by expanding System Configuration > System Administration, clicking the Update License option and filling in your KEMP ID and password.
KEMP recommends rebooting the LoadMaster after updating the license.
Do not downgrade from firmware version 7.2.36 or higher to a version below 7.2.36. If you do this, the LoadMaster becomes inaccessible and you cannot recover it.
While the instructions above provide a basic overview of how to deploy and configure LoadMaster for AWS, it is not designed to be a comprehensive guide to configure every possible workload. This section identifies some of many guides published on our resources section of our website. Unless otherwise specified, the following documents can be found at .
Web User Interface (WUI), Configuration Guide
This document was last updated on 30 April 2018.