1 Introduction

Amazon Web Services (AWS) GovCloud is a cloud service from Amazon aimed specifically at the United States government. It is designed to enable US government agencies and customers to move sensitive workloads into the cloud by addressing specific regulatory and compliance requirements - for example, the International Traffic in Arms Regulations (ITAR) which governs how defense-related data is managed and stored. Specifically, GovCloud segregates the data both logically and physically to ensure that it is only accessible by designated individuals within the United States.

The Kemp Application Delivery Controller (ADC), Virtual LoadMaster, is available in AWS GovCloud Marketplace. Providing resilient pervasive secure delivery of applications within the AWS GovCloud, the Virtual LoadMaster guarantees high availability, ensures security of the application servers, and simplifies integration with on-premises infrastructure.

The AWS GovCloud platform enables existing on-premises applications to be easily provisioned in the cloud, providing customers the benefit of scalability, elasticity, and shift of capital expenses to operational ones.

Kemp's Virtual LoadMaster (VLM) is a full-featured, advanced Layer 4-7 load balancer that supports a variety of workloads. Available in two versions, Bring Your Own License (BYOL) and the perpetual free license, the VLM provides the required throughput at the right price.

Along with advanced scheduling methods, intelligent traffic steering and support for multiple protocols, the VLM also provides Global Site Load Balancing (GSLB), RESTful, Python and PowerShell Application Program Interfaces (APIs).

In addition, the LoadMaster includes integration of the FIPS 140-2 certified encryption module, and supports security features such as access control lists, Web Application Firewall (WAF), Distributed Denial of Service (DDoS) protection, and multiple authentication methods, including: Kerberos Constrained Delegation (KCD), Department of Defense (DoD) Common Access Card (CAC) and Federal Personal Identity Verification (PIV) smart card, and Single Sign-On (SSO).

Some of the features and associated benefits of the VLM are listed in the table below.

Feature	Benefit
Application ubiquity	Regardless of where the applications are deployed (cloud, on premises, or in hybrid environments) the VLM can load balance them.
Hybrid enhancement	The VLM manages applications deployed in hybrid infrastructures on premises and in the AWS GovCloud.
Scalable	Highly available ADCs, deployed on-demand to meet load requirements.
Resilient	VLM GEO load balancing supports application instances across multiple sites to accommodate growth and deliver additional resilience.

1.1 Document Purpose

This document is intended to brief you on the LoadMaster for AWS GovCloud product and assist the reader to set up a basic LoadMaster for AWS GovCloud instance through the Marketplace.

It is also possible to configure the LoadMaster using Application Program Interface (API) commands. For further details, please refer to the Interface Description documents on the Kemp documentation page: https://kemptechnologies.com/documentation.

1.2 Intended Audience

This document is intended for anyone who is interested in finding out about the LoadMaster for AWS GovCloud product.

1.3 Prerequisites

There are some perquisites to be aware of before following the steps in this document:

Users should be familiar with the operation of AWS.

If not already done, create a Kemp ID at the registration page: https://kemptechnologies.com/kemp-id-registration/

Users should have access and be logged-in to the AWS GovCloud Management Console.

2 LoadMaster for AWS GovCloud

2.1 Prerequisites

Some requirements to be aware of when deploying a LoadMaster in AWS GovCloud are below:

• Internet access in the Virtual Private Cloud (VPC) is required to license free and hourly-usage LoadMasters.
• Using Bring Your Own License (BYOL) licensing in an AWS VPC does work without internet access when using the private IP address but only if Offline Licensing is used during the deployment.
• Alternate default gateway support is not permitted in a cloud environment.
• If you want to enable 10 Gb throughput for a LoadMaster in AWS, you must select an AWS virtual machine (VM) instance type that supports the 10 Gb ENA driver. You can do this on initial install, or by moving to a new instance type after installation. The following AWS VM instance types support the 10 Gb ENA driver: A1, C5, C5d, C5n, F1, G3, H1, I3, I3en, m4.16xlarge, M5, M5a, M5ad, M5d, P2, P3, R4, R5, R5a, R5ad, R5d, T3, T3a, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, X1, X1e, and z1d. Refer to the Supported Instance Types AWS page for further details.

2.2 Differences from the Virtual LoadMaster (VLM)

First, the initial IP address that is obtained is assigned by AWS using Dynamic Host Configuration Protocol (DHCP). The LoadMaster obtains this address at instantiation and uses it as its interface address. This address is permanent for this instance and this private address is associated with a public IP address as well. Additional private addressing can be assigned according to your needs if you have additional private networks in AWS GovCloud.

In addition, a public address that maps to the private address is issued by AWS GovCloud. Unlike the private address, the public IP address can be changed by purchasing an Elastic IP.

For more information on Elastic IPs, refer to the Amazon EC2 Elastic IP Addresses Feature Guide. Elastic IPs can be requested by opening a Support case with AWS. Elastic IPs can be allocated in the AWS EC2 Console in NETWORK & SECURITY > Elastic IPs.

Interface IP addresses can be changed administratively as usual from the LoadMaster, but this requires an additional AWS configuration to prevent disconnection.

To preserve public ports, the Web User Interface (WUI) is available on port 8443 rather than 443. This allows port 443 to be used for a Virtual Service.

Due to AWS limitations, it is not possible to bond interfaces on AWS LoadMasters.

2.3 Licensing Options

There are three main licensing options when deploying a LoadMaster for AWS:

Hourly consumption (PAYG)

The hourly consumption option includes Enterprise Plus Support. You can find details on Kemp subscriptions at the following link: LoadMaster Support Subscriptions.

BYOL

You must purchase a Standard, Enterprise, or Enterprise Plus subscription as part of the BYOL option.

Metered Enterprise Licensing Agreement (MELA)

Kemp MELA is a monthly subscription that allows for unlimited LoadMaster deployments and is billed based on aggregate consumption.

2.4 Security Best Practices

AWS has many security features to protect customers' cloud assets. This section outlines some security best practices pertaining to AWS. See the AWS Security Best Practices Whitepaper for further details.

If you already have an Identity and Access Management (IAM) role for administration of the Elastic Compute Cloud (EC2) and SSH key pair, you can skip to the Start a New Instance section.

2.4.1 IAM Service

IAM is a centralized service that manages users, credentials, policies, and keys for the resources deployed in AWS. You should create individual accounts for each user that creates or accesses AWS resources. When possible, you should enable AWS Multi-Factor Authentication (MFA) for the IAM user account to further secure unauthorized access to assets running in the public cloud.

You should always leverage IAM Policies to assign permissions to IAM user accounts. You should scope these permissions with the least privilege security model by only permitting access based on users' job requirements.

2.4.1.1 Create an IAM Policy

This section provides step-by-step instructions on creating an IAM Policy allowing an IAM user to create and manage EC2 Services:

1. Log in to the AWS console.

2. Click Services.

3. Under Security, Identity, & Compliance, select IAM.

4. In the navigation on the left, click Policies.

5. Click Create policy.

6. Select JSON.

7. Enter the IAM Policy in the provided area. The text shown above is only an example. Policies created in AWS should be reviewed with your organization's security team.

8. Click Review policy.

9. Enter a unique Name.

10. Click Create policy.

You can find further information on IAM Policies at the following link: Policies and Permissions.

2.4.1.2 Assign an IAM Policy to an IAM User

This section provides step-by-step instructions on assigning an IAM Policy to an IAM user:

1. Log in to the AWS console.

2. Click Services.

3. Under Security, Identity, & Compliance, select IAM.

4. Select Users.

5. From the list of users, select the user to assign the policy to.

6. Click Add permissions.

7. Click Attach existing policies directly.

8. Search for and select the IAM Policy to apply.

9. Click Next: Review.

10. Click Add permissions.

2.4.2 Access Keys

Access Keys are credentials for an IAM user that allow programmatic requests to the AWS Command Line Interface (CLI) or AWS Application Programming Interface (API). These keys consist of two parts; an access key ID and a secret access key. You should leverage multiple keys and use them across the different applications requiring access to AWS resources. In addition, you should rotate these keys regularly.

2.4.2.1 Rotate Access Key and Secret Key

This section provides step-by-step instructions for creating and rotating Access Keys and Secret Keys:

1. Log in to the AWS console.

2. Click Services.

3. Under Security, Identity, & Compliance, select IAM.

4. Select Users.

5. From the list of users, select the user to manage.

6. Click Security credentials.

7. Click Create access key.

8. Copy the Access key ID and Secret access key.

You can now use these keys in the application or direct access to the CLI or API. When viewing the Access Key, there is a Last used column. You can leverage this to ensure the Access Key is no longer in use and can be deleted as part of the key rotation schedule.

 

2.4.3 Storing Secrets

The handling and storing of secrets is a critical component of the overall security of the assets. AWS provides AWS Secrets Manager, which makes it easy to store and retrieve secrets. You should use the AWS Secrets Manager whenever possible to improve the overall security in AWS. For more information on AWS Secrets Manager, visit the following website: AWS Secrets Manager: Store, Distribute, and Rotate Credentials Securely

2.5 Create a New Key Pair

When starting a new instance in EC2, you are prompted to select a key pair. A key pair is a certificate and key. It is used to SSH to the LoadMasterand you must keep the downloaded key in a safe place. Steps on how to add a key pair are below:

1. Log in to the AWS console.

2. Click EC2.

3. In the main menu, select Key Pairs.

4. Click Create Key Pair.

5. Enter a name for the key pair and click Create.

6. The .pem file will download.

7. The permissions of the key pair file must be changed for it to work. To do this in Linux, go to the directory where the file is stored and run the following command:

chmod 600 <FileName>

2.6 Start a New Instance

You can deploy new LoadMaster instances through the AWS Marketplace. For greater availability, Kemp recommends deploying a pair of Kemp LoadMasters in HA mode. For more information on deploying an HA pair, refer to the following feature guide: HA for AWS Feature Description.

To start an instance, follow the steps below:

Note that it is also possible to deploy a LoadMaster using a different flow using the AWS Marketplace. Configure the same settings as outlined below, in particular - ensure to select a VPC as the network.

1. Log in to the AWS home page.

2. Click EC2.

3. Click Instances.

4. Click Launch Instance.

5. Select AWS Marketplace.

6. Search for Virtual LoadMaster.

7. Click Select for the relevant version to be deployed.

8. If you select an hourly licensing model, click Continue to proceed.

9. Select the desired Instance Type.

Use the following LoadMaster sizing table as a reference only because some workloads may require more vCPU or memory than others:

LoadMaster	Instance Type
VLM-200	m4.large
VLM-3000	m4x.large
VLM-5000	m4.2xlarge
VLM-10G	m4.4xlarge

For further information on instance types, refer to the following Amazon link: Amazon EC2 Instance Types.

If you want to enable 10 Gb throughput for a LoadMaster in AWS, you must select an AWS VM instance type that supports the 10 Gb ENA driver. You can do this on initial install, or by moving to a new instance type after installation. The following AWS VM instance types support the 10 Gb ENA driver: A1, C5, C5d, C5n, F1, G3, H1, I3, I3en, m4.16xlarge, M5, M5a, M5ad, M5d, P2, P3, R4, R5, R5a, R5ad, R5d, T3, T3a, u-6tb1.metal, u-9tb1.metal, u-12tb1.metal, X1, X1e, and z1d. For more information, refer to the Enable a 10 Gb Interface section.

10. Click Next: Configure Instance Details.

11. Ensure to select the correct item (a VPC) in the Network drop-down list.

If multiple LoadMasters on multiple networks are needed, choose the different networks as required. If more networks need to be created, contact your AWS administrator to add them. The Create new VPC link can be used to add more networks if needed.

12. Ensure that the Auto-assign Public IP option is set to Enable.

13. Configure any other setting as needed.

14. Click Review and Launch.

15. Select the relevant option on the Boot from General Purpose (SSD) screen and click Next: Add Tags.

AWS tags allow you to categorize resources in different ways. You can categorize by application, owner, purpose, or any custom tag.

16. Enter tags.

17. Before launching, click Edit security groups.

18. Select the security group of your choosing or create a new security group.

a) The following rules are needed in the security group:

• Custom TCP Rule with the Port Range 8443 for the WUI
• SSH for the SSH management interface
• Any additional rules that are needed for other ports for services to be load balanced, for example Remote Desktop Protocol (RDP) if load balancing Windows RDP servers, or HTTPS for a secure website

Do not block port 6973. This port is used for synchronization when using the LoadMaster in a HA configuration.

Select the relevant source option from the drop-down list and enter the custom IP addresses as needed.

19. It is recommended that management services only be allowed using trusted IP addresses. You should also add rules for any services you intend on creating. You can always revisit this security group later if additional services become necessary.

20. Click Review and Launch.

21. Click Launch.

22. Select the appropriate key pair for your environment. This is the key pair that was created in the Create a New Key Pair section. This key pair is needed to connect using SSH.

23. Select the check box.

24. Click Launch Instances.

25. Click View Instances. The Public IP address or Public DNS address can be used to connect to the instance using HTTPS on port 8443.

26. After your instance state is Running, you can connect to your LoadMaster instance.

2.7 Enable a 10 Gb Interface

Virtual LoadMasters deployed within the AWS Cloud now support 10 Gb interfaces. This support comes with the following limitations:

• No speed is displayed when it cannot be read from the interface.

• The speed displayed behaves similar to bonded interfaces in that the speed of the aggregate of the number of separate logical interfaces that have been defined on that interface is displayed.

• Interface graphs for 10 Gb interfaces on the Statistics page may be displayed incorrectly. This will be addressed in a future release.

If you upgrade from a release prior to 7.2.48 to 7.2.48 or a later release and your AWS VM is running a VM instance type that does not support 10 Gb interfaces (for example, m4.10xlarge), you must convert the VM to a machine type that supports 10 Gb interfaces (for example, m4.16xlarge).

To enable 10 Gb interfaces on the LoadMaster, perform the following steps:

1. Shut down the LoadMaster using the LMOS WUI or API.

2. Enable ENA driver support on the AWS VM using the following command:

aws ec2 modify-instance-attribute --instance-id instanceID --ena-support

The Instance ID can be found in the AWS EC2 Dashboard by selecting Instances within the INSTANCES section of the main menu.

3. Change the AWS VM instance type to one that supports the ENA 10 Gb driver (for example, m4.16xlarge) using the AWS UI.

4. Start the LoadMaster VM.

For further details on this, refer to the AWS document on Enabling Enhanced Networking with the Elastic Network Adapter (ENA) on Linux Instances.

For details on how to get started with AWS command line, refer to the following AWS documentation:

• What is the AWS Command Line Interface?
• Installing the AWS CLI

2.8 Initial Setup - Hourly Licensing

If you chose an hourly licensing method - after the instance is launched, you must first access the LoadMaster using SSH with the required key pair to enable WUI access. The example steps below use PuTTY as the SSH client.

1. Open the PuTTY client.

2. Enter the IP address of the LoadMaster instance. This is the IP address obtained in the Start a New Instance section.

3. In the main menu, navigate to Connection > SSH > Auth.

4. Click Browse.

5. Navigate to and select the key pair file that was exported in the Licensing Options section.

If you are using a client that does not accept PEM you must convert the key pair file to another format, for example PPK for Putty. For instructions on how to do this, refer to the following TechRepublic article: Connect to Amazon EC2 with a private key using PuTTY and Pageant.

6. If desired, you can save the settings so that you do not have to perform these steps each time you open a Putty session for this IP address. To do this, enter a name in the Saved Sessions text box and click Save.

7. Click Open.

8. Log in with the username bal. This is the default LoadMaster username.

9. Enter the passphrase if you specified one to be used for the private key.

10. A number of screens appear relating to configuring various network options. These can be left as the default values but can be changed if needed. Press OK on each screen to proceed:

a) A screen appears relating to the IP address.

b) The IP address for the default gateway should only be changed if you have an alternative gateway configured.

c) The default name server appears. You can optionally change this to an alternative name server if required.

d) Leave this option blank unless your environment requires a proxy server to access the internet.

11. If you selected an hourly licensing model, you are asked to enter the current LoadMaster password. By default, the password is set to the Instance ID which can be found in the AWS EC2 Dashboard by selecting Instances within the INSTANCES section of the main menu. Enter and confirm the new password.

The password must be reset to access the LoadMaster WUI. If you enter an incorrect password, you must restart SSH and go through the setup again.

12. Log in with the new password.

13. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.

If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps in the Restart Web Server Access - Hourly Licensing section.

2.8.1 Restart Web Server Access - Hourly Licensing

If the first attempt to reset the password fails or if the WUI is not accessible, follow the steps below. The existing SSH session can be used, or a new SSH session can be opened using bal and the new password created in the Initial Setup - Hourly Licensing section.

1. On the main menu, select Local Administration.

2. Select Web Address.

3. Select Immediately Stop Web Server Access.

4. Select Immediately Start Web Server Access.

5. Connect to the LoadMaster using a browser by entering https://InstanceAddress:8443 in the address bar to continue configuration. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 console in the Description tab.

2.8.2 Initial Configuration - Hourly Licensing

If you chose an hourly licensing model, follow the steps below to initially set up the LoadMaster:

1. Open the VLM in a web browser by entering https://InstanceAddress:8443 in the address bar. The instance address can be the public IP address or the public DNS, both of which can be found in the EC2 Console in the Description tab.

2. Acknowledge the self-signed certificate to proceed.

The certificate used by the WUI takes the public name used by AWS.

3. Accept the End User License Agreement (EULA).

4. A screen appears asking if you are OK with the LoadMaster regularly contacting Kemp to check for updates and other information. Click the relevant button to proceed.

A prompt appears asking for the username and password. Enter bal as the username and the password that was set previously. The LoadMaster is now licensed and is ready for administration and configuration.

2.9 Initial Setup - BYOL

When using the BYOL method, the normal LoadMaster licensing and activation process is used. Access the LoadMaster using the WUI by entering the Public Address, preceded with https:// and followed by :8443. Then, proceed through the steps and license the LoadMaster.

To use the BYOL option, follow the steps below:

1. Deploy the BYOL - Trial and perpetual license version of the VLM (follow the steps in the Start a New Instance section).

2. When the LoadMaster deploys successfully, connect to the LoadMaster WUI, for example, https://52.45.31.111:8443.

3. Acknowledge the self-signed certificate to proceed.

4. Accept the EULA.

5. Enter your Kemp ID and password to obtain a trial license. If you have an Order ID#, enter it now to apply the purchased license. If you do not have an Order ID#, you can proceed with these steps and then enter an Order ID# later after contacting a Kemp representative to purchase a license (see steps below).

6. Select your license and click Continue.

7. A screen appears asking if you are OK with the LoadMaster regularly contacting Kemp to check for updates and other information. Click the relevant button to proceed.

8. Enter a new password for the default bal account and click Set password.

If you did not enter the Order ID# during the initial configuration, follow the steps below to license the LoadMaster:

1. Contact a Kemp representative to get a license.

2. Log in to the LoadMaster WUI and navigate to System Configuration > System Administration > Update License.

3. Enter your Kemp ID and Password to update the license.

Kemp recommends rebooting after updating the license.

For AWS GovCloud, use offline licensing.

To upgrade the license using the offline method, you must enter the license text in the LoadMaster. You can either get this from Kemp or by using the Get License link.

To get the license text using the Get License link:

4. Click the Get License link.

5. Click GENERATE LICENSE.

6. A page displays showing the license text. Click the here link to copy the license text.

7. Open the email and copy the text, from the start of the word begin to the end of the word end.

8. Open the LoadMaster.

9. Paste the license into the box provided.

10. Click Update License. Kemp recommends rebooting after updating the license.

2.10 Create a Virtual Service

To create a Virtual Service, follow the steps below in the LoadMaster WUI:

1. In the main menu, select Virtual Services and Add New.

2. Enter the private address of the LoadMaster instance in the Virtual Address text box.

3. Enter the relevant Port, which was permitted in the Security Group.

4. Enter a recognizable Service Name.

5. Select the relevant Protocol.

6. Click Add this Virtual Service.

7. Configure the settings for the Virtual Service as needed, for example:

a) To enable SSL acceleration, select the Enabled check box in the SSL Properties section. For more information on SSL offloading, refer to the SSL Accelerated Services, Feature Description.

b) To enable ESP, select the Enable ESP check box in the ESP Options section. For more information on how to configure the ESP options, refer to the ESP, Feature Description.

c) To enable the Web Application Firewall (WAF), select the Enabled check box in the WAF Options section. For more information on how to configure the WAF options, refer to the Kemp Web Application Firewall, Feature Description.

8. Add Real Servers in the Real Servers section.

2.11 Activate your Support Subscription

If you are using a Pay Per Use (Hourly Usage) LoadMaster, three days after initially setting up the LoadMaster, a prompt appears asking you to activate your support subscription. Enter your Kemp ID and Password and click Update License to do this.

You can activate your support subscription before three days by expanding System Configuration > System Administration, clicking the Update License option and filling in your Kemp ID and password.

Kemp recommends rebooting the LoadMaster after updating the license.

3 LoadMaster Firmware Downgrades

It is best practice to keep the Kemp LoadMaster firmware at the latest version. In the event an issue occurs after an upgrade to the latest firmware version, the system can be rolled back to the previous version.

You can find steps for upgrading/downgrading the LoadMaster firmware at the following link:

Updating the LoadMaster Software

Do not downgrade from firmware version 7.2.36 or higher to a version below 7.2.36. If you do this, the LoadMaster becomes inaccessible and you cannot recover it.

4 LoadMaster Backup and Restore

Kemp provides several methods to backup and restore configuration and certificates on the LoadMaster. Depending on the Recovery Point Objective (RPO) and Recovery Time Objective (RTO), you can take these backups manually or automatically on a daily or weekly schedule. For information on the backup and restore features, refer to this Technical Note: Backup and Restore Technical Note

5 Monitoring LoadMaster Health in AWS

Refer to the sections below for details on monitoring LoadMaster health.

5.1 Monitoring with Kemp 360

Kemp provides network and application owners with the necessary tools to maintain and monitor the application delivery infrastructure:

Product	Description	Link
Kemp 360 Central	Management and control of application delivery controllers	https://kemptechnologies.com/kemp360/central/
Kemp 360 Vision	Proactive monitoring of application delivery controllers and application health	https://kemptechnologies.com/kemp360/vision/

5.2 Monitoring with AWS

AWS provides monitoring on the system and instances. These status checks can be leveraged to alert on certain outages such as in an availability zone or region. You can configure status check alerts to email an administrator in such an event. This section outlines the configuration of status check alerts:

1. Log in to the AWS console.

2. Click Services.

3. Under Compute, select EC2.

4. In the navigation on the left, click Instances.

5. Click the relevant instance to create an alarm for.

6. Click Status Checks.

7. Click Create Status Check Alarm.

8. Complete the following fields:

a) Type a name for the notification group.

b) Type an email address for alarms to be sent to.

c) Select Status Check Failed (Any) in the Whenever drop-down list.

d) Keep the default interval of 2 consecutive period(s) of 1 Minute.

e) Type a unique name for the alarm in the Name of alarm text box.

9. Click Create Alarm.

References

While the instructions above provide a basic overview of how to deploy and configure LoadMaster for AWS GovCloud, it is not designed to be a comprehensive guide to configure every possible workload. This section identifies some of many guides published on our resources section of our website. Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

LoadMaster Licensing, Feature Description

ESP, Feature Description

SSL Accelerated Services, Feature Description

Kemp Web Application Firewall, Feature Description

Web User Interface (WUI), Configuration Guide

Last Updated Date

This document was last updated on 07 March 2022.