How to Setup Aspera Transfer Cluster Manager (ATCM) in a Private Subnet within a VPC

Summary

This article walks you through setting up your Cluster Manager in a private subnet that reaches the Internet only through a NAT Gateway. The Cluster Manager can then initiate connections to your Cluster Nodes (and to AWS services), but nothing on the Internet can initiate a connection to the Cluster Manager: a NAT gateway only forwards traffic for connections that originate inside the private subnet, and the Cluster Manager has no public IP address. The architecture is the NAT gateway scenario described by Amazon Web Services; the original diagram and much of this information come from the AWS section on NAT Gateways: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html

VPC Setup

PREREQUISITES: A way to reach private IP addresses inside your VPC, such as a VPN connection (via OpenVPN, for example). Because the Cluster Manager will have no public IP address, all administrative access to it (SSH and the web UI) goes over this connection.

NOTE: Rather than following these steps, you may use the VPC Wizard, or use this CloudFormation template, which creates a VPC with two public subnets, two private subnets, a NAT Gateway, and an Internet Gateway: https://s3.amazonaws.com/aspera-helpers/20160810-VPC-Creation.template

Create NAT Gateway

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose NAT Gateways, Create NAT Gateway.
  3. In the dialog box, specify the PUBLIC subnet in which to create the NAT gateway, and select an Elastic IP address to associate with the NAT gateway. If you do not have any Elastic IPs, click Create New EIP. When you're done, choose Create a NAT Gateway.
  4. The NAT gateway appears in the console. After a few moments its status changes to Available, after which it is ready for use.
  5. Verify that your NAT Gateway was created in a public subnet. A public subnet is one whose route table has a route (normally 0.0.0.0/0) whose target is an internet gateway. A NAT gateway placed in a subnet without such a route has no path to the Internet, so neither will the instances behind it.

Update Route Table

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Route Tables.
  3. Select the route table associated with your private subnet and choose Routes, Edit.
  4. Choose Add another route. For Destination, enter 0.0.0.0/0. For Target, select the ID of your NAT gateway. Add this route only to the private subnet's route table; the public subnet's route table keeps its internet gateway route.
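The NAT gateway and route table steps above, expressed as a CloudFormation template. This is an added example, not the template linked in the note above and not Aspera's own. It assumes an existing VPC, a public subnet (PublicSubnetId) whose route table already sends 0.0.0.0/0 to an internet gateway, and the ID of the private subnet's route table (PrivateRouteTableId), all supplied as parameters; it allocates a new Elastic IP rather than reusing one.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  NAT gateway in a public subnet plus a default route for the private subnet.
  Added example for this article; not Aspera's template.

Parameters:
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: >-
      Public subnet for the NAT gateway. Its route table must already send
      0.0.0.0/0 to an internet gateway, or the NAT gateway has no Internet path.
  PrivateRouteTableId:
    Type: String
    Description: Route table associated with the private subnet (assumed to exist)

Resources:
  # A NAT gateway needs its own Elastic IP; Domain vpc allocates one for VPC use.
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId

  # Default route for the private subnet only. Instances there can initiate
  # connections outward; the NAT gateway accepts none initiated from the Internet.
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

Outputs:
  NatGatewayId:
    Value: !Ref NatGateway
  NatPublicIp:
    Description: Source address your private-subnet instances present to the Internet
    Value: !Ref NatEip
```

The NatPublicIp output is the address the Cluster Manager will appear to come from when it reaches out, which is useful when an upstream firewall needs an allow-list entry.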

Security Groups Setup

Create Security Groups

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Security Groups, Create Security Group.
  3. Specify atc-manager as the name of the security group, and provide a description. For VPC, select the ID of the VPC you created and choose Yes, Create.
  4. Choose Create Security Group again.
  5. Specify atp-node as the name of the security group, and provide a description. For VPC, select the ID of your VPC and choose Yes, Create.

Cluster Manager's Security Group

  1. On the Inbound Rules tab, choose Edit and add rules for inbound traffic as follows:
    1. Choose Type, SSH. For Source, enter the range of private IP addresses that will be able to SSH into your Cluster Manager.
    2. Choose Type, HTTP. For Source, enter the range of private IP addresses that will be able to browse your Cluster Manager in a web browser.
    3. Choose Type, HTTPS. For Source, enter the range of private IP addresses that will be able to browse your Cluster Manager in a web browser.
    4. Choose Type, Custom TCP Rule. For Port Range, enter 5001-5002. For Source, enter the atp-node security group ID.
    5. Your Inbound Rules should then be:

       Type             Protocol  Port Range  Source
       SSH              TCP       22          your private administrative range
       HTTP             TCP       80          your private administrative range
       HTTPS            TCP       443         your private administrative range
       Custom TCP Rule  TCP       5001-5002   atp-node security group

Cluster Nodes' Security Group

  1. On the Inbound Rules tab, choose Edit and add rules for inbound traffic as follows:
    1. Choose Type, SSH. For Source, enter the range of private IP addresses that will be able to SSH into your Cluster Nodes.
    2. Choose Type, HTTPS. For Source, enter 0.0.0.0/0. This exposes the nodes' HTTPS interface to any address on the Internet; if your clients come from known networks, enter those ranges instead.
    3. Choose Type, Custom TCP Rule. For Port Range, enter 5002. For Source, enter the atc-manager security group ID.
    4. Choose Type, Custom TCP Rule. For Port Range, enter 43001-43010. For Source, enter the atp-node security group ID, that is, the nodes' own group, so that this traffic is allowed only between cluster nodes.
    5. Choose Type, Custom TCP Rule. For Port Range, enter 33001. For Source, enter 0.0.0.0/0. This is the SSH port on which Aspera transfer clients start a session.
    6. Choose Type, Custom UDP Rule. For Port Range, enter 33001. For Source, enter 0.0.0.0/0. This is the FASP data port. TCP 443, TCP 33001 and UDP 33001 are the only ports open to the Internet; if your transfer clients come from known networks, replace 0.0.0.0/0 with those ranges.
    7. Your Inbound Rules should then be:

       Type             Protocol  Port Range   Source
       SSH              TCP       22           your private administrative range
       HTTPS            TCP       443          0.0.0.0/0
       Custom TCP Rule  TCP       5002         atc-manager security group
       Custom TCP Rule  TCP       43001-43010  atp-node security group
       Custom TCP Rule  TCP       33001        0.0.0.0/0
       Custom UDP Rule  UDP       33001        0.0.0.0/0
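Both security groups, with the rules from the Cluster Manager and Cluster Nodes lists above, as a CloudFormation template. This is an added example, not the page's or Aspera's own. The parameter names VpcId and AdminCidr and the default 10.0.0.0/16 for the administrative range are assumptions; substitute the private range that reaches your VPC over the VPN. The two cross-group rules and the nodes' reference to their own group are declared as separate AWS::EC2::SecurityGroupIngress resources, because declaring them inline would make each group depend on the other and the stack would fail with a circular dependency.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Security groups for an Aspera Transfer Cluster Manager in a private subnet
  and its cluster nodes. Added example for this article; not Aspera's template.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AdminCidr:
    Type: String
    Default: 10.0.0.0/16   # assumed value: the private range reached over your VPN
    Description: Private range allowed to SSH to the hosts and browse the Cluster Manager

Resources:
  ManagerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: atc-manager
      GroupDescription: Aspera Transfer Cluster Manager (private subnet)
      VpcId: !Ref VpcId
      # Administrative access only, and only from the private VPN range.
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 22,  ToPort: 22,  CidrIp: !Ref AdminCidr }
        - { IpProtocol: tcp, FromPort: 80,  ToPort: 80,  CidrIp: !Ref AdminCidr }
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref AdminCidr }

  NodeSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: atp-node
      GroupDescription: Aspera transfer cluster nodes
      VpcId: !Ref VpcId
      # Only the transfer-facing ports (HTTPS, SSH 33001, FASP UDP 33001) are
      # open to 0.0.0.0/0; narrow these if your clients come from known ranges.
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 22,    ToPort: 22,    CidrIp: !Ref AdminCidr }
        - { IpProtocol: tcp, FromPort: 443,   ToPort: 443,   CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 33001, ToPort: 33001, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: udp, FromPort: 33001, ToPort: 33001, CidrIp: 0.0.0.0/0 }

  # Group-to-group rules live in their own resources to avoid a circular
  # dependency between ManagerSG and NodeSG.
  ManagerFromNodes:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ManagerSG
      IpProtocol: tcp
      FromPort: 5001
      ToPort: 5002
      SourceSecurityGroupId: !Ref NodeSG

  NodesFromManager:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref NodeSG
      IpProtocol: tcp
      FromPort: 5002
      ToPort: 5002
      SourceSecurityGroupId: !Ref ManagerSG

  # Node-to-node traffic: the source is the nodes' own group.
  NodesFromNodes:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref NodeSG
      IpProtocol: tcp
      FromPort: 43001
      ToPort: 43010
      SourceSecurityGroupId: !Ref NodeSG

Outputs:
  ManagerSecurityGroupId:
    Value: !Ref ManagerSG
  NodeSecurityGroupId:
    Value: !Ref NodeSG
```

Referencing the security group rather than an IP range in the 5001-5002, 5002 and 43001-43010 rules means nodes added or replaced later are covered automatically, and a host outside either group gets no access to the cluster's internal ports even if it sits in the same subnet.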

ATCM

Launching ATCM

  1. Follow the instructions in the ATCM manual: http://downloads.asperasoft.com/en/downloads/53
  2. In Configure Instance Details, choose your private subnet.
  3. Finish the steps that are outlined in the ATCM manual.

Launching a Cluster

  1. Follow the instructions in the ATCM manual: http://downloads.asperasoft.com/en/downloads/53
  2. In Cluster Configuration, ensure that private network is selected.
  3. Finish the steps that are outlined in the ATCM manual and launch your cluster, ensuring that Available private IPs and All private IPs have entries in DNS Configuration.

Additional Resources

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

http://downloads.asperasoft.com/en/downloads/53
