You can obtain the Infoblox vNIOS for AWS AMI by going to the Community AMI page in Amazon Web Services. Use 'NIOS' or 'Infoblox' as the search term to locate the AMI. For information, see the Obtaining the Infoblox vNIOS for AWS AMI section.

This topic describes the procedure that you can use to launch and provision an Infoblox vNIOS for AWS instance for your AWS VPC in the AWS console. This procedure supports users who want to provision Infoblox vNIOS for AWS using the BYOL (Bring Your Own Licensing) model. It provides the complete sequence of procedures that you must perform to manually provision a new Infoblox vNIOS for AWS instance in AWS.

When you use the BYOL licensing model, you install licenses using the standard methods described in the Infoblox NIOS Documentation, including a set of temporary feature licenses. Ensure that you add the following licenses to the appliance: A vNIOS license for your Infoblox vNIOS for AWS instance, a DNS license to run DNS services, a DHCP license to run DHCP services in the Infoblox vNIOS instance deployed on AWS, the Enterprise (Grid) license to configure it as a Grid Master, a Grid member, or a Grid Master Candidate, and the CNA (Cloud Network Automation) license to manage cloud features on the Grid Master. All other NIOS features are available for use in Infoblox vNIOS for AWS instances and can be enabled by their respective licenses.

Note

  • DHCP services can run on NIOS instances deployed on AWS to serve clients that are outside AWS. Due to an AWS restriction, DHCP cannot be offered to instances running on AWS.

  • When installing licenses for IB-FLEX appliances, you must first set the hardware type by running the set hardware-type command, and then install the NIOS licenses. For more information about IB-FLEX, see the About IB-FLEX section in the Infoblox NIOS Documentation.

You may also use Elastic Scaling (dynamic licenses) to automatically provision and configure vNIOS instances in the AWS VPC. For more information about these licensing models, see Provisioning Infoblox vNIOS for AWS using Elastic Scaling.

Obtaining the Infoblox vNIOS for AWS AMI

You can obtain the Infoblox vNIOS for AWS AMI from the AWS wizard's Community AMIs page. Installation of the Infoblox vNIOS for AWS AMI involves a series of steps in the AWS console where you configure and launch a new Infoblox vNIOS for AWS instance. You may use BYOL to enable the Infoblox NIOS features you need for the instance you deploy.
To obtain and configure vNIOS for AWS using BYOL, complete the following steps:

  1. Log in to AWS using your chosen AWS account.

  2. On the main AWS Console page, click EC2.

  3. Click the Launch Instance button. The Choose AMI page of the Amazon Launch Instance wizard opens.

  4. Click the Community AMIs tab.

  5. Search for the Infoblox vNIOS for AWS AMI by entering the strings NIOS or Infoblox in the Search Community AMIs box. The Infoblox AMI listing appears in the search results.

  6. For the Infoblox vNIOS for AWS AMI, click Select.

  7. Select the EC2 Instance Type based on your requirements. See Infoblox vNIOS for AWS AMI Shapes and Regions for your available options.

  8. Click Next: Configure Instance Details to define the networking settings for your new Infoblox vNIOS for AWS instance. For more information, see the Defining Network Settings for your New Infoblox vNIOS for AWS Instance section.

Defining Network Settings for your New Infoblox vNIOS for AWS Instance

Infoblox vNIOS virtual appliances require two network interfaces (MGMT and LAN1) for proper Grid communications. These interfaces must be assigned to separate subnets within the same VPC.
Note that the NIOS GUI communicates through the MGMT port. If for any reason you must make changes to the MGMT port, such as swapping NICs or changing the MGMT IP address from static to dynamic, ensure that you use the same IP address for the MGMT port before and after the changes. Otherwise, you might not be able to access the NIOS GUI.

Note

Network settings made in your AWS cloud environment override changes made through the NIOS GUI or CLI. Therefore, when making changes such as adding, modifying, or deleting network interfaces through the NIOS GUI or CLI, ensure that the related changes are consistent with those in the cloud networks.

On the Configure Instance Details page of the AWS wizard, define the network settings for the new Infoblox vNIOS for AWS instance, including both of the required network interfaces. Note that networks with IPv6 addresses are supported only in NIOS 8.5.2.

  1. Choose your VPC from the Network drop-down list.

    1. If you have not yet created a VPC, click the Create new VPC link, and then specify the name and the IP address range (in standard CIDR format) for the new VPC.
      To also associate an IPv6 address with the instance, select Amazon provided IPv6 CIDR Block. (The address range you specify in this step appears as the top-level network view in the NIOS Data Management -> IPAM page.)

  2. Define the Subnet to which the new vNIOS for AWS instance is assigned. Each VPC must have a default subnet. You can then select this subnetwork value for your configuration:

    1. If you have not yet created a subnet for your VPC, click the Create new subnet link.

    2. On the VPC Dashboard page, which may open in a new browser window, click Subnets.

    3. Click Create Subnet. In the Create Subnet dialog box, complete the following:

      1. In the VPC list, select the VPC you created in Step 1.

      2. From the IPv4 CIDR Block drop-down list, choose the IPv4 IP address range for the subnet.

      3. If you need to assign an IPv6 address to the subnet, from the IPv6 CIDR Block drop-down list, choose the IPv6 address range.
        Note that the subnet's CIDR block must be a smaller range contained within the IP address range of the VPC.

    4. Click Yes, Create.
      You may create more than one subnet. The subnet prefix values appear in the Subnet field for each network interface in your AWS console.

  3. In the Auto-assign Public IP drop-down list, keep the default option, Use subnet setting (Disable).
    As you are creating an instance with two interfaces, AWS does not allow a Public IP assignment to the new vNIOS for AWS instance. AWS displays a warning to this effect when you create the second interface. (You may use an Elastic IP address or a private IP address.)

  4. In the Auto-assign IPv6 IP drop-down list, perform one of the following:

    1. Keep the default option, Use subnet setting (Disable) to assign only IPv4 addresses to the vNIOS instance.

    2. Choose Enable to also assign IPv6 addresses to the vNIOS instance. When the instance starts, it will be associated with both IPv4 and IPv6 addresses.

  5. Choose the IAM role for the vNIOS for AWS instance from the list. You may use the default settings for your initial testing. IAM roles are defined on the Identity and Access Management page in the AWS console. Your AWS administrator may not allow custom IAM roles for your deployment, so this may not be a selectable value.
    For more information about Amazon IAM, see the Amazon IAM documentation page at http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html. For information about how Amazon IAM roles and permissions work with your Infoblox vNIOS for AWS instances to ensure secure and accurate authorization of user privileges, see Credentials for vDiscovery and Assigning AWS User Credentials to the NIOS Cloud Admin Account.

  6. Keep the default Tenancy setting, Shared tenancy (multi-tenant hardware). For information about tenant settings, see About Tenants.

  7. Select Network Interfaces -> eth0 and then choose the default Subnet from the drop-down list. This subnet should be the same one as the subnet described in Step 2 above. (If a default subnet is in the selected VPC, it automatically appears in this field.)
    Note that you must use two interfaces for your new Infoblox vNIOS for AWS instance: eth0 and eth1. You create a new eth1 interface for your instance. You use the eth1 interface to join the new Infoblox vNIOS for AWS instance to a NIOS Grid.

  8. Click the Add Device button. A new eth1 interface listing appears.
    The eth1 interface, automatically designated as such during configuration of the new Infoblox vNIOS for AWS instance, is also labeled as LAN1 in NIOS. You cannot change this setting. By default, the eth1 interface is assigned an IPv4 address.
    For SSH access to the vNIOS for AWS instance, you must always use the IP address associated with the LAN1 port.

    1. Choose the default Subnet from the drop-down list. (For more information on usage of Elastic IP addresses for interfaces in your Infoblox vNIOS for AWS instances, see Using an Elastic IP Address.)

    2. To have AWS also assign an IPv6 address to the eth1 interface, in the IPv6 IPs column, click the Add IP link.

  9. Open Advanced Details to configure the User data settings for your new instance.

When you start the vNIOS for AWS instance, to access the NIOS GUI, you must install the vNIOS license by setting the value "temp_license:vnios" in the User data settings. You can also use the NIOS CLI to set temporary or permanent licenses. For more information, see the following section.

Initializing New Infoblox vNIOS for AWS Instances with the AWS User Data Field

You can provision the Infoblox vNIOS for AWS instance through the Advanced Details -> User data field without using Elastic Scaling. This section has instructions to define the administrator login settings and specify the feature licenses for the new Infoblox vNIOS for AWS instance. Complete the following steps:

  1. In the Advanced Details section, define the following plain-text values in the User data field:

    1. remote_console_enabled: Enables or disables the remote SSH CLI console for a new instance (syntax: y or n).

    2. default_admin_password: Sets the password for the NIOS admin user during the first boot. This value does not have to be a default; it can be the password of any administrator who initializes the new instance. The minimum password length is four characters. If an invalid password is passed by this method, it will be ignored, and the default "infoblox" password remains in effect for the instance. Note that if you want to include a symbol character at the beginning of the password, ensure that you put the password in quotes ('') to avoid login issues. Example: '!Infoblox'.

      • In NIOS 8.5.2 or later, for a Grid Master or a standalone vNIOS for AWS instance, the default NIOS password must be reset on the first login in the NIOS UI. Otherwise, you can configure the new password in the User data field and log in to the NIOS UI using that password. The minimum password length is four characters. It must consist of at least one uppercase character, one lowercase character, one numeric character, and one symbol character. Example: Infoblox1!

        • If the symbol character is at the beginning of the password, then include the password within quotes (''). Example: '@Infoblox123'.

        • If you enter an invalid password, you will be prompted to reset the password in the NIOS UI on the first login.

        • The password that you set for the Grid Master is propagated to all its members.

      • To access the NIOS CLI, you must either use the key pair or key pair + password authentication that is configured in NIOS, because access to the CLI using the NIOS UI password only is blocked.

    3. temp_license: Defines the NIOS feature licenses for the new instance. You can list a collection of temporary license names that apply to the instance during the initial boot. Using this directive allows you to quickly provision the new instance with temporary licenses without having to open a NIOS CLI session to do the same task. To access the NIOS GUI, you must provision the vNIOS license before you start the vNIOS instance. Infoblox recommends that you also provision the Grid and cloud licenses at the same time as follows: temp_license:grid cloud vnios. All text entries must be in all lower case.
      - When you use temp_license in the User data field to install a NIOS license, the Use AWS SSH authentication key option is enabled by default.
      - For an IB-V4025 appliance, if you use the User data field to install the IB-V4025 license, the Use AWS SSH authentication key option is not enabled by default. Therefore, Infoblox recommends that you first deploy the vNIOS instance without specifying the IB-V4025 license, and then install the license from the NIOS CLI.
      Valid license names include the following:

      • Infoblox vNIOS for AWS instances (IB-V825, IB-V1425 and IB-V2225):

        • grid

        • dns

        • enterprise

        • cloud

      • NIOS license for DDI (IB-V825, IB-V1425 and IB-V2225):

        • nios IB-Vxxxx
          where "xxxx" is the license number.

      • Cloud Platform Infoblox vNIOS for AWS instances (CP-V805, CP-V1405 and CP-V2205):

        • grid

        • dns

        • enterprise

        • cloud_api

Note

  • When you use temp_license in the User data field to install a NIOS license, the Use AWS SSH authentication key option, which is needed to enable CLI access to AWS instances, is enabled by default. For more information, see Creating Local Admins in the Infoblox NIOS Documentation. However, for the IB-V4025 appliances, the Use AWS SSH authentication key option is not enabled with this user data configuration. Therefore, Infoblox recommends that you install the IB-V4025 license after deploying the vNIOS instance.

  • Only the V1 and V2 (token optional) value is supported in the Metadata version field. The V2 (token required) value is not supported.

The following figure shows an example:
Figure: Defining User Data Settings for Provisioning an Instance without Elastic Scaling

All user data settings are optional directives that can be included or left out of a configuration. For example, you can add the remote_console_enabled and default_admin_password declarations to the Elastic Scaling configuration shown in the figure Adding the Grid Master, Token and Certificate information to the AWS vNIOS Instance in the topic Provisioning Infoblox vNIOS for AWS using Elastic Scaling. The temp_license setting does not interfere with or override any dynamic license assignments made through Elastic Scaling. For more information, see Provisioning Infoblox vNIOS for AWS using Elastic Scaling.

Example:

#infoblox-config
gridmaster:
  ip_addr: 172.16.1.2
remote_console_enabled: y
default_admin_password: '#$&$#!'
temp_license: cloud vnios dns grid

Example for adding temp licenses for IB-V825, IB-V1425 and IB-V2225 appliances using the AWS User data field:

#infoblox-config
remote_console_enabled: y
default_admin_password: password
temp_license: dns enterprise nios IB-V1425

  2. Click Next: Add Storage to continue with setting up the instance. For more information, see the Defining Storage Settings for your New Instance section.

Note

The SSH key will not be uploaded if the ssh_authorized_keys parameter is given in the User data. For information about uploading the SSH key, see the Completing Your Infoblox vNIOS for AWS Instance Launch section.
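As an added example (not Infoblox tooling, and not code from this page), the following Python assembles a #infoblox-config User data block like the two examples above and checks it against the rules this section states: lower-case license names drawn from the per-platform lists, the vnios license that the GUI depends on, quoting of a password that starts with a symbol, the NIOS 8.5.2 password policy, and the IB-V4025 caveat. The function names and warning texts are this example's own.

```python
"""Build and sanity-check an Infoblox vNIOS for AWS User data block.
Added example, not Infoblox tooling: function names and warning texts are this
example's own; the rules encoded are the ones stated in this section."""

# Simple temp_license names this page lists per appliance family. The page's
# examples also pass "vnios", which it says is required to reach the NIOS GUI.
VALID_LICENSES = {
    "vnios": {"grid", "dns", "enterprise", "cloud", "vnios"},               # IB-V825/1425/2225
    "cloud_platform": {"grid", "dns", "enterprise", "cloud_api", "vnios"},  # CP-V805/1405/2205
}


def password_is_valid(pw):
    """NIOS 8.5.2+ policy from this page: at least 4 characters with one
    uppercase, one lowercase, one digit and one symbol character."""
    return (len(pw) >= 4
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def quote_password(pw):
    """Wrap the password in single quotes when it starts with a symbol, as the
    page instructs. Assumption: a single quote inside the password is rejected,
    because the page gives no escaping rule for it."""
    if not pw or "'" in pw:
        raise ValueError("empty password or single quote in default_admin_password")
    return f"'{pw}'" if not pw[0].isalnum() else pw


def build_user_data(admin_password, licenses, platform="vnios",
                    nios_model=None, gridmaster_ip=None, remote_console=True):
    """Return (user_data_text, warnings). nios_model adds the two-token
    'nios IB-Vxxxx' entry; gridmaster_ip adds the gridmaster block from the
    page's first example."""
    warnings = []
    names = [n.lower() for n in licenses]  # page: entries must be all lower case
    unknown = sorted(set(names) - VALID_LICENSES[platform])
    if unknown:
        raise ValueError(f"unknown temp_license name(s) for {platform}: {unknown}")
    if "vnios" not in names:
        warnings.append("no vnios license: the NIOS GUI is not reachable after boot")
    if nios_model:
        if nios_model.upper() == "IB-V4025":
            # Page: with this license in User data the AWS SSH authentication
            # key option stays disabled; install it from the NIOS CLI instead.
            raise ValueError("install the IB-V4025 license from the NIOS CLI, not User data")
        names.append(f"nios {nios_model}")
    if not password_is_valid(admin_password):
        warnings.append("password fails the 8.5.2+ policy; NIOS forces a reset at first login")
    lines = ["#infoblox-config"]
    if gridmaster_ip:
        lines += ["gridmaster:", f"  ip_addr: {gridmaster_ip}"]
    lines.append(f"remote_console_enabled: {'y' if remote_console else 'n'}")
    lines.append(f"default_admin_password: {quote_password(admin_password)}")
    lines.append("temp_license: " + " ".join(names))
    return "\n".join(lines) + "\n", warnings
```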

Defining Storage Settings for your New Instance

You can use the Add Storage page to define the storage resources to be used by the new instance. Infoblox vNIOS for AWS instances provide a defined amount of instance data storage. The storage size varies according to the AMI you have chosen for your current instance. For more information, see Infoblox vNIOS for AWS AMI Shapes and Regions. You can adjust the amount of instance storage up to its maximum value, and attach external storage volumes for an additional cost.

  1. In the Add Storage page, clear the Delete on Termination checkbox. You can use this setting for your Infoblox vNIOS for AWS instances to de-couple the root partition deletion from the state of the new EC2 instance. This allows retention of the volume for debugging and event log inspection.
    Infoblox recommends keeping at least the minimum storage capacity defaults for the new Infoblox vNIOS for AWS instance.

  2. (For reporting appliances only) If you are deploying the vNIOS for AWS instance for reporting, you must create two virtual hard disks: the default disk, which stores regular NIOS data, and a second disk for storing the reporting data. To add a second disk:

    1. On the Add Storage page, click the Add New Volume button.
      A new row appears for the second disk.

    2. In the Size (GiB) field, specify a size for the disk. Infoblox recommends that you allocate a minimum of 250 GB of additional disk space for the reporting storage requirements.

  3. Click Next: Tag Instance to continue setting up the new Infoblox vNIOS for AWS instance. For information, see the Using AWS Tags with Infoblox Extensible Attributes to Identify Resources for IP Address Assignments section.

Note

Check the top of the AWS console page to see the wizard configuration step location. Click the Previous button at any time to navigate to previous configuration pages.

Using AWS Tags with Infoblox Extensible Attributes to Identify Resources for IP Address Assignments

Note

AWS Tags that have a matching tag defined in NIOS extensible attributes have the tag value replicated into NIOS.

You can use the Tag Instance page to define name-value pairs for categorizing, searching and identifying Amazon objects such as EC2 instances, subnets, VPCs, and IP addresses. If you already have extensible attributes defined for your Infoblox Grid, you can add those same extensible attributes to the new Infoblox vNIOS for AWS instance on this page. The tags that you define here apply only to the instance. You can choose to create the tags for the instance at a later time.

You can use extensible attributes to tag Infoblox network containers and networks, and to tag the corresponding Amazon VPCs and subnets for assigning IP addresses to new resources in the cloud. Without the NIOS extensible attribute definitions, the tags defined on AWS objects are meaningful only in AWS, and you cannot search for them or match them against managed AWS objects in Grid Manager.

Note

For information about Cloud Extensible Attributes, see Extensible Attributes for Cloud Objects in the Infoblox NIOS Documentation.

  1. On the Tag Instance page, enter the name for the first Key. This key name may match a Cloud EA defined in NIOS, or you can define that extensible attribute at a later time in Grid Manager.

  2. Enter the Value for the new tag.

  3. Click the Create Tag button to add a new tag entry to the list. For more information, see the Tagging Existing AWS Objects section.

  4. To add more tags to the list, click Add Another Tag.

  5. When you are finished defining the tags, click Next: Configure Security Group to continue setting up the new Infoblox vNIOS for AWS instance. For information, see the Defining an AWS Instance Security Group section.

Tagging Existing AWS Objects

Tagging existing objects in AWS is straightforward. Select a VPC, subnet within a VPC, an EC2 instance, or other object type residing in AWS, and then click the Tags tab.

Figure: Adding Tags to AWS Objects

In NIOS, define the extensible attributes for each network in the Cloud -> Networks page, or under IPAM within the network view, as shown in the following figure.

Figure: Defined Extensible Attributes for Cloud Objects in NIOS
When you consistently use AWS tags and extensible attributes in your networks, they become more useful and valuable. For example, you can use Infoblox API extensions with the extensible attributes that are appropriate for your applications. For information, see Infoblox Extensions to the AWS API.

Defining an AWS Instance Security Group

Note

Configure the AWS Security Group for your instance to only accept traffic for SSH (22) and HTTPS (443) from the specific computers or subnets that are used to manage the Infoblox appliance.

You can use the Configure Security Group page to define the firewall security settings for your new Infoblox vNIOS for AWS instance. Amazon Web Services enforces a default Deny All policy for all security groups. Your new security group consists of a set of simple firewall rules that specifically allow known IP addresses and network prefixes to access your Infoblox vNIOS for AWS instance and to use specific protocols. These are defined as Inbound rules. You may create a new security group or add new rules to an existing security group definition provided by your AWS administrator, depending on your AWS IAM privileges.

  1. On the Configure Security Group page, define new Inbound rules for your new instance using the following:

    • Permit SSH traffic (TCP/22) from the preferred prefix.

    • Open the port for DNS (UDP/53).

    • Permit secure web traffic (HTTPS/443) only from a Custom IP prefix representing the network of hosts that access the vNIOS instance for management and configuration.

    • Open two ports for NIOS Grid Joining traffic:

      • UDP/1194.

      • UDP/2114.

    • Open the port for the Infoblox API Proxy (TCP/8787).

    • Open the following ports if you want to deploy the reporting appliance IB-V5005 that is supported in NIOS 8.6.2 and later versions:

      • 7000 WebUI (Master,Indexer)

      • 7089 Management

      • 7887 Replication

      • 9997 Data Forwarding

      • 8000 WebUI

      • 8089 Management

      • 9185 Splunk REST API

Configure a minimum of six rules based on the list above.

Note

You can also add a rule, named 'myip' or similar, to allow access from your desktop computer to the VPC. Simply select My IP from the Source drop-down list.

Avoid using any prefixes other than those that must access the Infoblox vNIOS for AWS instances in the VPC.

  2. Select Assign a Security Group -> Create a New Security Group.

  3. Enter the Security group name (AWS uses a simple naming default with the prefix "launch-wizard-...").

  4. Enter a Description for the new security group.

  5. Click the Type drop-down list for the first rule, and then choose SSH.
    For Source, choose Custom IP and then enter the IPv4 prefix containing the computer hosts that use SSH connections to the new instance. (You may need more than one rule if you have users from multiple networks accessing your instance.)

  6. Click Add Rule to create a second rule in the list.

  7. Click the Type drop-down list for the second rule, and then choose HTTPS.
    For Source, select Custom IP and then enter the IPv4 prefix containing the computer hosts that connect to Grid Manager for the new Infoblox vNIOS for AWS instance. (You may need more than one rule if you have multiple networks accessing your instance.)

  8. When you complete the security group configuration, click Review and Launch. The Review Instance Launch page appears.
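An added example, not part of the original page and not an Infoblox tool: Python that produces the six baseline inbound rules listed above in the IpPermissions shape that boto3's ec2 authorize_security_group_ingress call accepts, and lints a proposed rule set for the mistakes the note warns about (SSH or HTTPS open to 0.0.0.0/0, malformed CIDRs, port ranges wider than the single ports listed, a missing baseline rule). The source-class names ("mgmt", "dns", "grid", "api") and all prefixes in the test are this example's own constructed placeholders.

```python
"""Produce and lint the inbound rule set this page prescribes for a vNIOS for AWS
security group. Added example, not an Infoblox tool; the caller supplies the
prefixes, and the source-class names below are this example's own."""
import ipaddress

# The six baseline rules the page lists, tagged with the class of source that
# should be allowed to reach each port.
BASELINE_RULES = [
    ("tcp", 22,   "mgmt"),   # SSH, management prefixes only
    ("tcp", 443,  "mgmt"),   # HTTPS / Grid Manager, management prefixes only
    ("udp", 53,   "dns"),    # DNS service
    ("udp", 1194, "grid"),   # Grid joining
    ("udp", 2114, "grid"),   # Grid joining
    ("tcp", 8787, "api"),    # Infoblox API Proxy
]
MANAGEMENT_PORTS = {22, 443}


def build_ip_permissions(sources):
    """sources maps a source class ("mgmt", "dns", "grid", "api") to the CIDR
    prefixes allowed for it. Returns the IpPermissions list that boto3's
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=...) takes."""
    perms = []
    for proto, port, role in BASELINE_RULES:
        perms.append({
            "IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": f"vNIOS {role} {proto}/{port}"}
                         for cidr in sources.get(role, [])],
        })
    return perms


def lint_ip_permissions(perms):
    """Return a list of findings for a proposed rule set: management ports open
    to the world, malformed CIDRs, port ranges wider than the single ports the
    page lists, and baseline rules that are missing entirely."""
    findings, seen = [], set()
    for p in perms:
        proto, port = p["IpProtocol"], p["FromPort"]
        seen.add((proto, port))
        if p["ToPort"] != port:
            findings.append(f"{proto}/{port}-{p['ToPort']}: range wider than the single port listed")
        for r in p["IpRanges"]:
            try:
                net = ipaddress.ip_network(r["CidrIp"])  # strict: host bits must be zero
            except ValueError:
                findings.append(f"{proto}/{port}: malformed CIDR {r['CidrIp']!r}")
                continue
            if port in MANAGEMENT_PORTS and net.prefixlen == 0:
                findings.append(f"{proto}/{port}: open to {r['CidrIp']}; restrict to management prefixes")
    for proto, port, _ in BASELINE_RULES:
        if (proto, port) not in seen:
            findings.append(f"{proto}/{port}: baseline rule missing")
    return findings
```

Run the lint before calling authorize_security_group_ingress; an empty findings list means the rule set matches the minimum this page describes.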

Completing Your Infoblox vNIOS for AWS Instance Launch

The Review Instance Launch page lists breakout sections with each category of settings, beginning with AMI Details at the top. The page provides an Edit link for each category (such as Edit instance type and Edit security groups) for any final changes.

  1. After reviewing the settings, click Launch. The Key Pair dialog box opens.

    • You can choose Choose an existing key pair, Create a new key pair, or Proceed without a key pair if you want to perform a simple deployment. Selecting an existing key or creating a new key pair file in AWS uploads the public key to NIOS. Then select the I acknowledge... checkbox.

    • The Infoblox standard configuration for Infoblox vNIOS for AWS deployment requires use of a VPN connection or a direct connection to the Amazon VPC(s) on which you are deploying and operating Infoblox vNIOS for AWS instances. This connection does not require an Internet-connected IP address or a secure key pair. All AWS Proxy API operations require use of an assigned and regularly rotated AWS-generated key pair assigned to the cloud-api-only account under Grid Manager. For information, see /wiki/spaces/NAIGdraft/pages/22544467.

  2. Click Launch Instances to launch your new instance. After a brief period of time, the Infoblox vNIOS for AWS instance is active in your VPC.

  3. Perform additional tasks for the vNIOS for AWS configuration to ensure that the virtual appliance is functioning properly. For more information, see Additional Configuration for vNIOS for AWS.
    Note:

    • Access to the CLI using the NIOS password is blocked, except for the root user. To gain CLI access, other users must have SSH keys enabled in NIOS Grid Manager.

    • For a Grid Master or a standalone vNIOS for AWS instance, the default NIOS password must be reset on the first login in the NIOS UI.
