Setting up an Amazon Web Services account
Create and set up an Amazon Web Services (AWS) account to access AWS web services for IBM® Spectrum Symphony.
Procedure
Follow these steps to set up an AWS account, enabling Elastic Compute Cloud (EC2) compute hosts to dynamically join the IBM Spectrum Symphony cluster to run workload.
- Create an account on the AWS website.
- Create Identity and Access Management (IAM) users and roles for your AWS account. IAM allows secure access to AWS services and resources for users; it also allows shared access to an AWS account. For more information, see the Elastic Compute Cloud (EC2) console.
  It is recommended that the cluster administrator create an Amazon account and designate an IAM user within this account with appropriate authorization to access AWS resources (such as images and networks). This designated IAM user's AWS credentials will be used to provision EC2 hosts in your cluster. Ensure that this designated IAM user is assigned all permissions required for successful provisioning. For a list of minimal permissions that must be assigned, see Minimal permissions for AWS provisioning.
- Based on your cluster setup, you can use either long-term credentials or temporary instance-profile credentials for AWS authentication.
  - If the HostFactory service is running on a non-EC2 host, create and download the access key for the designated IAM user. The access key is required for authentication when hosts are provisioned from AWS. The access key, consisting of an access key ID and secret access key, is used to sign programmatic requests to AWS.
    - From the IAM console, create an access key for the designated IAM user. It is recommended that you use the IAM access key instead of the AWS root account access key. Root account credentials provide unlimited access to your AWS resources and are not recommended by AWS for security reasons.
    - After you create the access key, download the security credentials to a secure location on your cluster's primary host.
    - Create a credentials file that includes the downloaded key information in the following format. This credentials file is used by host factory for authentication:
      # cat credentials
      [default]
      aws_access_key_id=your_access_key_id
      aws_secret_access_key=your_secret_access_key
  - If the HostFactory service is running on an EC2 host within an IAM role that has permissions for provisioning and releasing EC2 On-Demand and Spot instances, you are not required to configure a credential file in the awsprov_config.json file. Host factory authenticates with temporary instance profile credentials on the EC2 host. Ensure, however, that the designated IAM user role is assigned permissions to provision and release EC2 On-Demand and Spot instances (see Minimal permissions for AWS provisioning).
- From the region selector on the AWS console page, select the Amazon EC2 region for provisioning. All EC2 instances will be provisioned from this selected region.
- Create an EC2 key pair to encrypt and decrypt login information for an instance. AWS uses public-key cryptography to secure login information.
  - Create an EC2 key pair in the region from the EC2 console. Ensure that you choose a key pair name that is easy to remember.
  - Download the private key file (keyfile.pem) to a secure location on your cluster's primary host. The key name is required to launch EC2 instances; the private key is required to log in using SSH when connecting to the instance.
  - Set permissions to ensure that the private key file is privately viewable, for example, on Linux:
    $ chmod 400 my-key-pair.pem
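The credentials file above and the private key file both hold secrets that must stay readable only by the owning user on the primary host. The following added example (not IBM code, and not part of HostFactory) writes the [default] credentials file in the format shown and checks any secret file for group/other permission bits and, for the credentials file, for the two required keys; the key values are constructed placeholders.

```python
import configparser
import os
import stat
import tempfile

# Constructed placeholder values (not real credentials); replace with the
# designated IAM user's access key.
EXAMPLE_KEY_ID = "AKIAEXAMPLEKEYID0000"
EXAMPLE_SECRET = "exampleSecretAccessKey/ReplaceMe0000000000"
HF_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def write_hf_credentials(path, access_key_id, secret_access_key):
    """Write the [default] credentials file in the format HostFactory reads.
    The file is created with mode 0600 at open time (O_EXCL also refuses to
    clobber an existing file), so the secret is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("[default]\n")
        fh.write(f"aws_access_key_id={access_key_id}\n")
        fh.write(f"aws_secret_access_key={secret_access_key}\n")
    return path


def check_private_file(path, required_keys=()):
    """Return problems with a secret file: any group/other permission bits (chmod 400
    or 600 expected, as for the .pem key) and missing entries in its [default] section."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:o} is readable by group/other")
    if required_keys:
        cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
        cfg.read(path)
        for key in required_keys:
            if not cfg.get("default", key, fallback=""):
                problems.append(f"{path}: [default] is missing {key}")
    return problems


def demo():
    """Write a correct credentials file and a deliberately loose one (mode 0644,
    secret key absent) in a temp directory; return the problems found for each."""
    d = tempfile.mkdtemp()
    good = write_hf_credentials(os.path.join(d, "credentials"), EXAMPLE_KEY_ID, EXAMPLE_SECRET)
    loose = os.path.join(d, "credentials.loose")
    with open(loose, "w") as fh:
        fh.write(f"[default]\naws_access_key_id={EXAMPLE_KEY_ID}\n")
    os.chmod(loose, 0o644)
    return check_private_file(good, HF_KEYS), check_private_file(loose, HF_KEYS)
```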
- Optional: Create an EC2 security group. A security group acts as a virtual firewall that controls the traffic for one or more instances. Every AWS account has a default security group for each Virtual Private Cloud (VPC). You can use the default security group or create your own security group with customized rules.
  Ensure that you configure security as appropriate for your cluster. For testing purposes, inbound and outbound traffic can be set to allow all traffic; you can use 0.0.0.0/0, which allows all IP addresses to access your instance. For a production deployment, however, the security group must be created and configured while creating a VPC as part of the secure network setup for cloud access. For more information about inbound and outbound rules for security groups, see Creating a security group and Using network security on Linux instances or on Windows instances.
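An allow-all rule that was convenient for testing is easy to leave in place. The following added example (not IBM code) audits security group data in the shape returned by the EC2 DescribeSecurityGroups API and reports every inbound rule open to 0.0.0.0/0 or ::/0; the sample groups are constructed, and in practice the list would come from boto3's `describe_security_groups()["SecurityGroups"]`.

```python
import ipaddress

# Constructed sample shaped like the EC2 DescribeSecurityGroups response
# (not data from any real account). "symphony-test" uses the allow-all rule
# that is acceptable only for testing; "symphony-prod" restricts SSH to the
# on-premises range reached over the VPN.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0test00000000000000", "GroupName": "symphony-test",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0prod00000000000000", "GroupName": "symphony-prod",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 or any prefix covering the whole address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def describe_rule(perm):
    """Human-readable protocol/port label for one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}"


def find_open_inbound_rules(security_groups):
    """Return (GroupId, GroupName, rule) for every inbound rule open to the
    world. Groups used by production Symphony compute hosts should yield none."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_open(cidr):
                    findings.append((sg["GroupId"], sg["GroupName"],
                                     f"{describe_rule(perm)} from {cidr}"))
    return findings


if __name__ == "__main__":
    for group_id, name, rule in find_open_inbound_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id} ({name}): inbound {rule}")
```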
- Create a VPC and subnets. For more information, see Getting Started With Amazon VPC.
  - From the Virtual Private Cloud console, create a VPC (a virtual network that is dedicated to an AWS account). With a VPC, you can use your own resources isolated within the AWS cloud and connect those resources directly to your on-premises cluster by using industry-standard encrypted IPsec VPN connections.
  - Create subnets (a range of IP addresses) within your VPC. You can deploy AWS resources to a selected subnet.
    If the Auto-Assign Public IP option is selected for a subnet, a public IP address and public DNS name are available for instances created in this subnet. If you want to use SSH to connect to the created instance, Auto-Assign Public IP is required. To enable Auto-Assign Public IP for a subnet, select the subnet and click the Subnet Actions menu, then select Modify auto-assign IP settings and select the check box.
- Set up secure networking through an IPsec VPN connection. A network administrator must establish a secure IPsec VPN connection between the on-premises network and the AWS network. The secure VPN connection consists of:
  - A virtual private gateway that is attached to your AWS VPC.
  - A customer gateway located on-premises.
  - Routing for VPN (static or dynamic).
  All compute hosts that connect to your IBM Spectrum Symphony cluster must use private subnets. Ensure that your cluster is configured to access these private subnets.
  For more information on setting up a secure IPsec VPN connection on your Amazon EC2 Virtual Private Cloud, see VPN Connections. For information on setting up a secure IPsec VPN connection for your IBM Spectrum Symphony cluster, see the Amazon Virtual Private Cloud Network Administrator Guide.
- Decide on the Amazon Machine Image (AMI) that contains the information to create a new instance. You can use an AMI with a base OS image, or you can create your own AMI, for example, a base OS image with IBM Spectrum Symphony installed and configured. For advantages and disadvantages of either approach, see Cloud host provisioning options.
  If you want to create a custom image, launch an EC2 instance with a base OS image. Then, customize the instance by installing IBM Spectrum Symphony. See Creating a custom image in AWS.
What to do next
After creating your image (base or custom), configure a post-provisioning script for greater flexibility in managing your configuration. See Configuring the post-provisioning script for AWS.