LoadMaster for AWS

1 Introduction

Amazon Web Services (AWS) is a collection of remote computing services (also called web services) that together make up Amazon’s cloud computing platform.

1.1 Document Purpose

This document is intended to brief you on the LoadMaster for AWS product and assist the reader to set up a basic LoadMaster for AWS instance and create a service.

It is also possible to use High Availability (HA) when using the LoadMaster for AWS. For further information on this, refer to the .

080.png

1.2 Intended Audience

This document is intended for anyone who is interested in finding out about the LoadMaster for AWS product.

2 LoadMaster for AWS

2.1 Prerequisites

Some requirements to be aware of when deploying a LoadMaster in AWS are below:

  • Internet access in the Virtual Private Cloud (VPC) is required to license free and hourly-usage LoadMasters.
  • Using Bring Your Own License (BYOL) licensing in an AWS VPC does work without internet access when using the private IP address but only if Offline Licensing is used during the deployment.

2.2 Differences from the Virtual LoadMaster (VLM)

First, the initial IP address that is obtained is assigned by AWS rather than obtained using Dynamic Host Configuration Protocol (DHCP). The LoadMaster obtains this address at instantiation and uses it as its interface address. This address is permanent for this instance and this private address is associated with a public IP address as well. Additional private addressing can be assigned according to your needs if you have additional private networks in AWS.

In addition, a public address that maps to the private address is issued by AWS. Unlike the private address, the public IP address can be changed by purchasing an Elastic IP.

For more information on Elastic IPs, refer to the Amazon EC2 Elastic IP Addresses Feature Guide. Elastic IPs can be requested by opening a Support case with AWS. Elastic IPs can be allocated in the AWS EC2 Console in NETWORK & SECURITY > Elastic IPs.

Interface IP addresses can be changed administratively as usual from the LoadMaster, but this requires an additional AWS configuration to prevent disconnection.

To preserve public ports, the Web User Interface (WUI) is available on port 8443 rather than 443. This allows port 443 to be used for a Virtual Service.

Due to AWS limitations, it is not possible to bond interfaces on AWS LoadMasters.

2.3 Licensing Options

There are three main licensing options when deploying a LoadMaster for AWS:

Hourly consumption (PAYG)

The hourly consumption option includes Enterprise Plus Support. You can find details on KEMP subscriptions at the following link: LoadMaster Support Subscriptions.

BYOL

You must purchase a Standard, Enterprise, or Enterprise Plus subscription as part of the BYOL option.

Metered Enterprise Licensing Agreement (MELA)

KEMP MELA is a monthly subscription that allows for unlimited LoadMaster deployments and is billed based on aggregate consumption.

2.4 Security Best Practices

AWS has many security features to protect customers' cloud assets. This section outlines some security best practices pertaining to AWS. See the AWS Security Best Practices Whitepaper for further details.

If you already have an Identity and Access Management (IAM) role for administration of the Elastic Compute Cloud (EC2) and SSH key pair, you can skip to the Start a New Instance section.

2.4.1 IAM Service

IAM is a centralized service that manages users, credentials, policies, and keys for the resources deployed in AWS. You should create individual accounts for each user that creates or accesses AWS resources. When possible, you should enable AWS Multi-Factor Authentication (MFA) for the IAM user account to further secure unauthorized access to assets running in the public cloud.

You should always leverage IAM Policies to assign permissions to IAM user accounts. You should scope these permissions with the least privilege security model by only permitting access based on users’ job requirements.

2.4.1.1 Create an IAM Policy

This section provides step-by-step instructions on creating an IAM Policy allowing an IAM user to create and manage EC2 Services:

1. Log in to the AWS console.

120.png

2. Click Services.

121.png

3. Under Security, Identity, & Compliance, select IAM.

122.png

4. In the navigation on the left, click Policies.

123.png

5. Click Create policy.

124.png

6. Select JSON.

125.png

7. Enter the IAM Policy in the provided area. The text shown above is only an example. Policies created in AWS should be reviewed with your organization's security team.

126.png

8. Click Review policy.

127.png

9. Enter a unique Name.

128.png

10. Click Create policy.

You can find further information on IAM Policies at the following link: Policies and Permissions.

2.4.1.2 Assign an IAM Policy to an IAM User

This section provides step-by-step instructions on assigning an IAM Policy to an IAM user:

1. Log in to the AWS console.

129.png

2. Click Services.

130.png

3. Under Security, Identity, & Compliance, select IAM.

131.png

4. Select Users.

5. From the list of users, select the user to assign the policy to.

132.png

6. Click Add permissions.

133.png

7. Click Attach existing policies directly.

134.png

8. Search for and select the IAM Policy to apply.

135.png

9. Click Next: Review.

136.png

10. Click Add permissions.

2.4.2 Access Keys

Access Keys are credentials for an IAM user that allow programmatic requests to the AWS Command Line Interface (CLI) or AWS Application Programming Interface (API). These keys consist of two parts; an access key ID and a secret access key. You should leverage multiple keys and use them across the different applications requiring access to AWS resources. In addition, you should rotate these keys regularly.

2.4.2.1 Rotate Access Key and Secret Key

This section provides step-by-step instructions for creating and rotating Access Keys and Secret Keys:

1. Log in to the AWS console.

137.png

2. Click Services.

138.png

3. Under Security, Identity, & Compliance, select IAM.

139.png

4. Select Users.

5. From the list of users, select the user to manage.

141.png

6. Click Security credentials.

142.png

7. Click Create access key.

143.png

8. Copy the Access key ID and Secret access key.

144.png

You can now use these keys in the application or direct access to the CLI or API. When viewing the Access Key, there is a Last used column. You can leverage this to ensure the Access Key is no longer in use and can be deleted as part of the key rotation schedule.

 

2.4.3 Storing Secrets

The handling and storing of secrets is a critical component of the overall security of the assets. AWS provides AWS Secrets Manager, which makes it easy to store and retrieve secrets. You should use the AWS Secrets Manager whenever possible to improve the overall security in AWS. For more information on AWS Secrets Manager, visit the following website: AWS Secrets Manager: Store, Distribute, and Rotate Credentials Securely

2.5 Create a New Key Pair

When starting a new instance in EC2, you are prompted to select a key pair. A key pair is a certificate and key. It is used to SSH to the LoadMasterand you must keep the downloaded key in a safe place. Steps on how to add a key pair are below:

1. Log in to the AWS console.

080.png

2. Click EC2.

Create a New Key Pair_1.png

3. In the main menu, select Key Pairs.

Create a New Key Pair_2.png

4. Click Create Key Pair.

055.png

5. Enter a name for the key pair and click Create.

6. The .pem file will download.

This file is required to SSH into the LoadMaster so make a note of where this file is stored. This file needs to reside on the client that is used to SSH to the LoadMaster.

If you are using a client that does not accept PEM format, you must convert the file to another format, for example PPK for Putty.

7. The permissions of the key pair file must be changed for it to work. To do this in Linux, go to the directory where the file is stored and run the following command:

chmod 600 <FileName>

2.6 Start a New Instance

You can deploy new LoadMaster instances through the AWS Marketplace. For greater availability, KEMP recommends deploying a pair of KEMP LoadMasters in HA mode. For more information on deploying an HA pair, refer to the following feature guide: HA for AWS Feature Description.

To start an instance, follow the steps below:

Note that it is also possible to deploy a LoadMaster using a different flow using the AWS Marketplace. Configure the same settings as outlined below, in particular – ensure to select a VPC as the network.

1. Log in to the AWS home page.

Start a New Instance.png

2. Click EC2.

Start a New Instance_1.png068.png

3. Click Instances.

Start a New Instance_2.png

4. Click Launch Instance.

Start a New Instance_3.png

5. Select AWS Marketplace.

154.png

6. Search for Virtual LoadMaster.

7. Click Select for the relevant version to be deployed.

8. If you select an hourly licensing model, click Continue to proceed.

014.png

9. Select the desired Instance Type.

Use the following LoadMaster sizing table as a reference only because some workloads may require more vCPU or memory than others:

LoadMaster

Instance Type

VLM-200

m4.large

VLM-3000 m4x.large
VLM-5000 m4.2xlarge
VLM-10G m4.4xlarge

For further information on instance types, refer to the following Amazon link: Amazon EC2 Instance Types.

Start a New Instance_6.png

10. Click Next: Configure Instance Details.

Start a New Instance_7.png

11. Ensure to select the correct item (a VPC) in the Network drop-down list.

If multiple LoadMasters on multiple networks are needed, choose the different networks as required. If more networks need to be created, contact your AWS administrator to add them. The Create new VPC link can be used to add more networks if needed.

12. Ensure that the Auto-assign Public IP option is set to Enable.

13. Configure any other setting as needed.

Start a New Instance_8.png

14. Click Review and Launch.

Start a New Instance_9.png

15. Select the relevant option on the Boot from General Purpose (SSD) screen and click Next: Add Tags.

145.png

AWS tags allow you to categorize resources in different ways. You can categorize by application, owner, purpose, or any custom tag.

16. Enter tags.

17. Before launching, click Edit security groups.

18. Select the security group of your choosing or create a new security group.

155.png

a) The following rules are needed in the security group:

  • Custom TCP Rule with the Port Range 8443 for the WUI
  • SSH for the SSH management interface
  • Any additional rules that are needed for other ports for services to be load balanced, for example Remote Desktop Protocol (RDP) if load balancing Windows RDP servers, or HTTPS for a secure website

Do not block port 6973. This port is used for synchronization when using the LoadMaster in a HA configuration.

Select the relevant source option from the drop-down list and enter the custom IP addresses as needed.

19. It is recommended that management interfaces only be allowed using trusted IP addresses. You should also add rules for any services you intend on creating. You can always revisit this security group later if additional services become necessary.

20. Click Review and Launch.

21. Click Launch.

Start a New Instance_11.png

22. Select the appropriate key pair for your environment. This is the key pair that was created in the Create a New Key Pair section. This key pair is needed to connect using SSH.

23. Select the check box.

24. Click Launch Instances.

Start a New Instance_12.png

25. Click View Instances. The Public IP address or Public DNS address can be used to connect to the instance using HTTPS on port 8443.

26. After your instance state is Running, you can connect to your LoadMaster instance.

2.7 Initial Setup – Hourly Licensing

If you chose an hourly licensing method - after the instance is launched, you must first access the LoadMaster using SSH with the required key pair to enable WUI access. The example steps below use PuTTY as the SSH client.

1. Open the PuTTY client.

084.png

2. Enter the IP address of the LoadMaster instance. This is the IP address obtained in the Start a New Instance section.

3. In the main menu, navigate to Connection > SSH > Auth.

Initial Setup Hourly Licensing_1.png

4. Click Browse.

Initial Setup Hourly Licensing_2.png

5. Navigate to and select the key pair file that was exported in the Licensing Options section.

If you are using a client that does not accept PEM you must convert the key pair file to another format, for example PPK for Putty. For instructions on how to do this, refer to the following TechRepublic article: Connect to Amazon EC2 with a private key using PuTTY and Pageant.

83.png

6. If desired, you can save the settings so that you do not have to perform these steps each time you open a Putty session for this IP address. To do this, enter a name in the Saved Sessions text box and click Save.

7. Click Open.

C001.png

8. Log in with the username bal. This is the default LoadMaster username.

C002.png

9. Enter the passphrase if you specified one to be used for the private key.

10. A number of screens appear relating to configuring various network options. These can be left as the default values but can be changed if needed. Press OK on each screen to proceed:

239.png

a) A screen appears relating to the IP address.

240.png

b) The IP address for the default gateway should only be changed if you have an alternative gateway configured.

241.png

c) The default name server appears. You can optionally change this to an alternative name server if required.

242.png

d) Leave this option blank unless your environment requires a proxy server to access the internet.

Initial Setup Hourly Licensing_5.png

11. If you selected an hourly licensing model, you are asked to enter the current LoadMaster password. By default, the password is set to the Instance ID which can be found in the AWS EC2 Dashboard by selecting Instances within the INSTANCES section of the main menu. Enter and confirm the new password.

The password must be reset to access the LoadMaster WUI. If you enter an incorrect password, you must restart SSH and go through the setup again.

12. Log in with the new password.

13. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.

If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps in the Restart Web Server Access - Hourly Licensing section.

2.7.1 Restart Web Server Access - Hourly Licensing

If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps below. The existing SSH session can be used, or a new SSH session can be opened using bal and the new password created in the Initial Setup – Hourly Licensing section.

153.png

1. On the main menu, select Local Administration.

154.png

2. Select Web Address.

243.png

3. Select Immediately Stop Web Server Access.

244.png

4. Select Immediately Start Web Server Access.

5. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 console in the Description tab.

2.7.2 Initial Configuration – Hourly Licensing

If you chose an hourly licensing model, follow the steps below to initially set up the LoadMaster:

1. Open the VLM in a web browser by entering https://InstanceAddress:8443 in the address bar. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.

2. Acknowledge the self-signed certificate to proceed.

The certificate used by the WUI takes the public name used by AWS.

3. Accept the End User License Agreement (EULA).

4. A screen appears asking if you are OK with the LoadMaster regularly contacting KEMP to check for updates and other information. Click the relevant button to proceed.

A prompt appears asking for the username and password. Enter bal as the username and the password that was set previously. The LoadMaster is now licensed and is ready for administration and configuration.

2.8 Initial Setup – BYOL

When using the BYOL method, the normal LoadMaster licensing and activation process is used. Access the LoadMaster using the WUI by entering the Public Address, preceded with https:// and followed by :8443. Then, proceed through the steps and license the LoadMaster.

To use the BYOL option, follow the steps below:

1. Deploy the BYOL – Trial and perpetual license version of the VLM (follow the steps in the Start a New Instance section).

2. When the LoadMaster deploys successfully, connect to the LoadMaster WUI, for example, https://52.45.31.111:8443.

3. Acknowledge the self-signed certificate to proceed.

4. Accept the EULA.

5. Enter your KEMP ID and password to obtain a trial license. If you have an Order ID#, enter it now to apply the purchased license. If you do not have an Order ID#, you can license the LoadMaster in the following step: Contact a KEMP representative to get a license.

6. Select your license and click Continue.

7. A screen appears asking if you are OK with the LoadMaster regularly contacting KEMP to check for updates and other information. Click the relevant button to proceed.

8. Enter a new password for the default bal account and click Set password.

If you did not enter the Order ID# during the initial configuration, follow the steps below to license the LoadMaster:

1. Contact a KEMP representative to get a license.

2. Log in to the LoadMaster WUI and navigate to System Configuration > System Administration > Update License.

3. Enter your KEMP ID and Password to update the license.

2.9 Create a Virtual Service

To create a Virtual Service, follow the steps below in the LoadMaster WUI:

1. In the main menu, select Virtual Services and Add New.

Create a Virtual Service.png

2. Enter the private address of the LoadMaster instance in the Virtual Address text box.

3. Enter the relevant Port, which was permitted in the Security Group.

4. Enter a recognizable Service Name.

5. Select the relevant Protocol.

6. Click Add this Virtual Service.

7. Configure the settings for the Virtual Service as needed, for example:

a) To enable SSL acceleration, select the Enabled check box in the SSL Properties section. For more information on SSL offloading, refer to the SSL Accelerated Services, Feature Description.

b) To enable ESP, select the Enable ESP check box in the ESP Options section. For more information on how to configure the ESP options, refer to the ESP, Feature Description.

c) To enable the Web Application Firewall (WAF), select the Enabled check box in the WAF Options section. For more information on how to configure the WAF options, refer to the KEMP Web Application Firewall, Feature Description.

8. Add Real Servers in the Real Servers section.

2.10 Activate your Support Subscription

If you are using a Pay Per Use (Hourly Usage) LoadMaster, three days after initially setting up the LoadMaster, a prompt appears asking you to activate your support subscription. Enter your KEMP ID and Password and click Update License to do this.

Activate Your Support Subscription.png

You can activate your support subscription before three days by expanding System Configuration > System Administration, clicking the Update License option and filling in your KEMP ID and password.

KEMP recommends rebooting the LoadMaster after updating the license.

3 LoadMaster Firmware Downgrades

It is best practice to keep the KEMP LoadMaster firmware at the latest version. In the event an issue occurs after an upgrade to the latest firmware version, the system can be rolled back to the previous version.

You can find steps for upgrading/downgrading the LoadMaster firmware at the following link:

Updating the LoadMaster Software

Do not downgrade from firmware version 7.2.36 or higher to a version below 7.2.36. If you do this, the LoadMaster becomes inaccessible and you cannot recover it.

4 LoadMaster Backup and Restore

KEMP provides several methods to backup and restore configuration and certificates on the LoadMaster. Depending on the Recovery Point Objective (RPO) and Recovery Time Objective (RTO), you can take these backups manually or automatically on a daily or weekly schedule. For information on the backup and restore features, refer to this Technical Note: Backup and Restore Technical Note

5 Monitoring LoadMaster Health in AWS

Refer to the sections below for details on monitoring LoadMaster health.

5.1 Monitoring with KEMP 360

KEMP provides network and application owners with the necessary tools to maintain and monitor the application delivery infrastructure:

Product

Description

Link

KEMP 360 Central

Management and control of application delivery controllers

https://kemptechnologies.com/kemp360/central/
KEMP 360 Vision Proactive monitoring of application delivery controllers and application health https://kemptechnologies.com/kemp360/vision/

5.2 Monitoring with AWS

AWS provides monitoring on the system and instances. These status checks can be leveraged to alert on certain outages such as in an availability zone or region. You can configure status check alerts to email an administrator in such an event. This section outlines the configuration of status check alerts:

1. Log in to the AWS console.

146.png

2. Click Services.

147.png

3. Under Compute, select EC2.

148.png

4. In the navigation on the left, click Instances.

149.png

5. Click the relevant instance to create an alarm for.

150.png

6. Click Status Checks.

151.png

7. Click Create Status Check Alarm.

152.png

8. Complete the following fields:

a) Type a name for the notification group.

b) Type an email address for alarms to be sent to.

c) Select Status Check Failed (Any) in the Whenever drop-down list.

d) Keep the default interval of 2 consecutive period(s) of 1 Minute.

e) Type a unique name for the alarm in the Name of alarm text box.

153.png

9. Click Create Alarm.

References

While the instructions above provide a basic overview of how to deploy and configure LoadMaster for AWS, it is not designed to be a comprehensive guide to configure every possible workload. This section identifies some of many guides published on our resources section of our website. Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

LoadMaster Licensing, Feature Description

ESP, Feature Description

SSL Accelerated Services, Feature Description

KEMP Web Application Firewall, Feature Description

Web User Interface (WUI), Configuration Guide

HA for AWS, Feature Description

Last Updated Date

This document was last updated on 09 January 2019.

Was this article helpful?

0 out of 0 found this helpful

Comments