
This topic describes the procedure that you can use to launch and provision an Infoblox vNIOS for AWS instance for your AWS VPC in the AWS console. This procedure supports users who want to provision Infoblox vNIOS for AWS using the BYOL (Bring Your Own Licensing) model. It provides the complete sequence of procedures that you must perform to manually provision a new Infoblox vNIOS for AWS instance in AWS.

When you use the BYOL licensing model, you can install licenses using the standard methods described in the Infoblox NIOS Documentation, which includes a set of temporary feature licenses. Ensure that you add the following licenses to the appliance: A vNIOS license for your Infoblox vNIOS for AWS instance, a DNS license to run DNS services, a DHCP license to run DHCP services in the vNIOS instance deployed on AWS, the Enterprise (Grid) license to configure it as a Grid Master, a Grid member, or a Grid Master Candidate, and the CNA (Cloud Network Automation) license to manage cloud features on the Grid Master. All other NIOS features are available for use in vNIOS for AWS instances and can be enabled by their respective licenses.

Note

  • DHCP services can run on NIOS instances deployed on AWS to serve clients that are outside AWS. Due to an AWS restriction, DHCP cannot be offered to instances running on AWS.

  • When installing licenses for IB-FLEX appliances, you must first set the hardware type by running the set hardware-type command and then install the NIOS licenses. For more information about IB-FLEX, see the About IB-FLEX section in the Infoblox NIOS Documentation.

  • IB-FLEX appliances deployed on AWS do not support Advanced DNS Protection and DNS Cache Acceleration.

You may also use Elastic Scaling (dynamic licenses) to automatically provision and configure vNIOS instances in the AWS VPC. For more information about these licensing models, see Provisioning Infoblox vNIOS for AWS using Elastic Scaling.

vNIOS for AWS instances can be deployed with HA from NIOS 9.0.4 onwards. To configure HA, complete the Prerequisites, perform the sequence of procedures defined in this topic, and additionally, configure the advanced network configuration defined in Configuring HA with vNIOS for AWS Instances.

Defining Name and Tags for the vNIOS for AWS Instance

An AWS tag is a name-value pair. You can define tags for categorizing, searching, and identifying Amazon objects such as EC2 instances, subnets, VPCs, and IP addresses.

Use AWS tags with Infoblox extensible attributes to identify resources for IP address assignments. If you already have extensible attributes defined for your Infoblox Grid, you can add the same extensible attributes to the new vNIOS for AWS instance. The tags that you define here apply only to the instance. You can choose to create tags when provisioning an instance or at a later time.

You can use extensible attributes to tag Infoblox network containers and networks, and to tag corresponding Amazon VPCs and subnets for assigning IP addresses to the new resources in the cloud. Without the NIOS extensible attributes definitions, the tags defined on the AWS objects will only be meaningful in AWS, and you cannot search and match against managed AWS objects in Grid Manager. For information about cloud extensible attributes, see Extensible Attributes for Cloud Objects in the Infoblox NIOS Documentation.

Note
AWS Tags that have a matching tag defined in NIOS extensible attributes have the tag value replicated into NIOS.

  1. Log in to the Amazon EC2 console using your AWS account credentials.

  2. On the Console Home page, in the Services box, search for and click EC2 in the search results.

  3. On the EC2 Dashboard tab > Launch instance section, expand Launch instance, and then choose Launch instance.
    The Launch an instance page is displayed.

  4. On the Launch an instance page, in the Name and tags section, type a name for your instance in the Name field.
    The name is a tag defined by a key-value pair in which Name is the key and the value that you specify is the value.

  5. To define an additional tag, click Add additional tags and specify values in the Key and Value fields.

Tagging Existing AWS Objects

To tag existing objects in AWS, select a VPC > subnet within a VPC > an EC2 instance or other object types residing in AWS, and then use the Manage tags button on the Tags tab.

Adding Tags to AWS Objects

In NIOS, define the extensible attributes for each network in the Cloud -> Networks page, or under IPAM within the network view.

When you consistently use AWS tags and extensible attributes in your networks, they become more useful and valuable. For example, you can use Infoblox API extensions with the extensible attributes that are appropriate for your applications. For more information, see Infoblox Extensions to the AWS API.

Obtaining the vNIOS for AWS AMI

You can obtain the Infoblox vNIOS for AWS AMI from the AWS Marketplace AMIs tab. Installation of the vNIOS for AWS AMI involves a series of steps in the AWS console where you configure and launch a new Infoblox vNIOS for AWS instance. You can also obtain the vNIOS for AWS AMIs from the Amazon Marketplace website.
You may use BYOL to license the Infoblox NIOS features for your deployment of an instance.

To obtain and configure vNIOS for AWS using BYOL, complete the following steps:

  1. Based on whether you use the Amazon EC2 console or AWS Marketplace to get the AMI, perform one of the following:

    1. If you are using the Amazon EC2 console to launch an instance, complete the following steps:

      1. Navigate to the Launch an instance page of the Amazon EC2 console.

      2. Expand Application and OS Images (Amazon Machine Image) and click Browse more AMIs.

      3. On the Choose an Amazon Machine Image (AMI) page, click the AWS Marketplace AMIs tab.

      4. Search for the AMI by entering the strings NIOS or Infoblox in the search box. The Infoblox AMI listing appears in the search results.

      5. In the appropriate vNIOS for AWS AMI row, click Select.

    2. If you are using AWS Marketplace to launch an instance, complete the following steps from the AWS Marketplace website:

      1. On the landing page, enter infoblox to search for Infoblox AMIs.

      2. In the displayed list, select the AMI based on the version of NIOS on which you intend to deploy the instance:

        • Infoblox vNIOS for DNS, DHCP and IPAM for NIOS 8.6.x

        • Infoblox NIOS for AWS (AMI) for 9.0.x for NIOS 9.0.x

      3. Click Continue to Launch.

      4. Select the required version from the Software version drop-down list and launch the instance.
        Note that you may select prior versions of NIOS from the Software version drop-down list.

  2. Expand Instance type, and select an appropriate shape from the Instance type drop-down list. See Infoblox vNIOS for AWS AMI Shapes and Regions for the available options.

  3. Expand Key pair (login) and configure a key pair to securely connect to your instance. When you configure a key pair in AWS, the public key will be uploaded to NIOS.
    Do one of the following:

    • In the Key pair name drop-down list, choose an existing key pair.

    • Click Create new key pair and complete the following in the Create key pair window:

      1. Key pair name: Enter a name for the key pair.

      2. Key pair type: Select the required type.

      3. Private key file format: Select the format to use for the private key.

      4. Click Create key pair.

    • (Not recommended) If you want to perform a simple deployment, proceed without configuring a key pair.

  4. Proceed to configure the network settings as defined in the Defining Network Settings for the vNIOS for AWS Instance section.

Note

If the vNIOS for AWS instance is a Grid Master, according to the authentication method configured for AWS SSH access for the admin account, you must use the key pair or key pair and password as the SSH login for all members in that Grid. For more information, see the Creating Local Admins topic in the Infoblox NIOS Documentation.

Defining Network Settings for the vNIOS for AWS Instance

Infoblox vNIOS virtual appliances require two network interfaces (MGMT and LAN1) for proper Grid communications. These interfaces must be assigned to separate subnets within the same VPC. Configuring the AWS member's Management (MGMT) network and the Grid Master's LAN1 network in the same subnet is not supported and can cause connectivity issues.

Note that the NIOS GUI communicates through the MGMT port. If for any reason you must make changes to the MGMT port, such as swapping NICs or changing the MGMT IP address from static to dynamic, ensure that you use the same IP address for the MGMT port before and after the changes. Otherwise, you might not be able to access the NIOS GUI.

If you are deploying the appliance in an HA setup, you must add three network interfaces (MGMT, LAN1, and HA).

Note

Network settings configured in your AWS cloud environment override changes made through the NIOS GUI or CLI. Therefore, when making changes such as adding, modifying, or deleting network interfaces through the NIOS GUI or CLI, ensure that the changes made to settings in NIOS are consistent with the corresponding settings in cloud networks.

On the Launch an instance page of the AWS wizard, define the network settings for the new vNIOS for AWS instance, including the required network interfaces. Note that networks with IPv6 addresses are supported from NIOS 8.5.2 onwards. HA is not supported with IPv6 networks.

  1. Expand Network settings and click Edit.

  2. In the VPC drop-down list, choose your VPC.

  3. In the Subnet drop-down list, choose the subnet to which the new instance must be assigned. Ensure that each VPC has a default subnet. You can select this subnet value for your configuration.
    If you have not yet created a subnet for your VPC, use the Create new subnet link to create a subnet.
    You may create more than one subnet. The subnet prefix values appear in the Subnet field for each network interface in your AWS console.

  4. In the Auto-assign Public IP drop-down list, keep the default option, Disable.
    As you are creating an instance with two interfaces, AWS does not allow a Public IP assignment to the new vNIOS for AWS instance. AWS displays a warning to this effect when you create the second interface. (You may use an Elastic IP address or a private IP address.)

  5. In the Auto-assign IPv6 IP drop-down list, perform one of the following:

    1. Keep the default option, Disable, to assign only IPv4 addresses to the vNIOS instance.

    2. Choose Enable to also assign IPv6 addresses to the vNIOS instance. When the instance starts, it will be associated with both IPv4 and IPv6 addresses.
      For information on Infoblox NIOS appliances that support IPv6, see Infoblox vNIOS for AWS AMI Shapes and Regions.

  6. Proceed to configure the security group as defined in the Defining an AWS Instance Security Group section.

Defining an AWS Instance Security Group

Note
Configure the AWS Security Group for your instance to only accept traffic for SSH (22) and HTTPS (443) from the specific computers or subnets that are used to manage the Infoblox appliance.

In the Network settings > Firewall (security groups) section, define the firewall security settings for your new vNIOS for AWS instance. Amazon Web Services enforces a default Deny All policy for all security groups. Your new security group consists of a set of simple firewall rules that specifically allow known IP addresses and network prefixes to access your vNIOS for AWS instance and to use specific protocols. These are defined as Inbound rules. You may create a new security group or add new rules to an existing security group definition provided by your AWS administrator, depending on your AWS IAM privileges.

Use the following guidelines when creating new inbound rules:

  • Permit SSH traffic (TCP/22) from the preferred prefix.

  • Open the port for DNS (UDP/53).

  • Permit secure web traffic (HTTPS/443) only from a Custom IP prefix representing the network of hosts that access the vNIOS instance for management and configuration.

  • Open two ports for NIOS Grid Joining traffic:

    • UDP/1194

    • UDP/2114

  • Open the port for the Infoblox API Proxy (TCP/8787).

  • Open the following ports if you want to deploy the reporting appliance IB-V5005 that is supported in NIOS 8.6.2 and later versions:

    • 7000 WebUI (Master, Indexer)

    • 7089 Management

    • 7887 Replication

    • 9997 Data Forwarding

    • 8000 WebUI

    • 8089 Management

    • 9185 Splunk REST API

Configure a minimum of six rules based on the list above.

Note
You can also add a rule, named 'myip' or similar, to allow access from your desktop computer to the VPC. Simply select My IP from the Source drop-down list.

Avoid using any prefixes other than those that must access the Infoblox vNIOS for AWS instances in the VPC.

  1. In the Firewall (security groups) section, select Select existing security group, and then select an existing group from the Common security groups drop-down list, or create a new security group as follows:

    1. Select Create security group.

    2. In the Security group name field, enter a name for the security group.

    3. In the Description field, write a description for the security group.

    4. To add the first rule to the group, complete the following:

      1. Click Add security group rule.

      2. In the Type drop-down list, choose Custom SSH.

      3. In the Source type drop-down list, choose Custom.

      4. In the Source field, enter the IPv4 prefix containing the computer hosts that use SSH connections to the new vNIOS for AWS instance.
        Note that you may need more than one rule if you have users from multiple networks accessing your instance.

    5. To add another rule to the group:

      1. Click Add security group rule.

      2. In the Type drop-down, choose Custom HTTPS.

      3. In the Source type drop-down list, choose Custom.

      4. In the Source field, enter the IPv4 prefix containing the computer hosts that connect to Grid Manager for the new vNIOS for AWS instance.
        Note that you may need more than one rule if you have multiple networks accessing your instance.

  2. Proceed to add network interfaces as defined in the Defining Advanced Network Configuration section.
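As an added example (not Infoblox or AWS code), the following Python builds the inbound rule set that the guidelines and steps above describe, in the shape of the EC2 API's IpPermissions list, and then audits it for the two management ports (SSH and HTTPS) that the note at the top of this section says must be reachable only from management hosts. The sample prefixes, the rule descriptions and the TCP protocol assumed for the reporting ports are constructed assumptions; the rules are only data and nothing is sent to AWS.

```python
"""Build and audit inbound rules for a vNIOS for AWS security group.

Added example, not Infoblox or AWS code.  Rules are emitted in the shape of
the EC2 API's IpPermissions list so they could be passed to a security-group
ingress call; here they are only built and checked offline.
"""
from ipaddress import ip_network

# Ports the page says must come only from management hosts (SSH, HTTPS).
MANAGEMENT_PORTS = {22, 443}

# Reporting appliance ports listed on the page (IB-V5005, NIOS 8.6.2+).
# Assumption: TCP for all of them; the page does not state the protocol.
REPORTING_PORTS = [
    (7000, "Reporting WebUI (Master, Indexer)"),
    (7089, "Reporting management"),
    (7887, "Reporting replication"),
    (9997, "Reporting data forwarding"),
    (8000, "Reporting WebUI"),
    (8089, "Reporting management"),
    (9185, "Splunk REST API"),
]


def rule(protocol, port, prefixes, description):
    """One IpPermissions entry allowing `port` from each CIDR in `prefixes`."""
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": p, "Description": description} for p in prefixes],
    }


def build_inbound_rules(mgmt_prefixes, grid_prefixes, dns_prefixes, reporting=False):
    """The six rules the page calls the minimum, plus the reporting ports on request.

    mgmt_prefixes: networks of the hosts that manage the appliance (SSH, HTTPS, API proxy)
    grid_prefixes: networks of the other Grid members (Grid joining traffic)
    dns_prefixes:  networks of the DNS clients this member serves
    """
    rules = [
        rule("tcp", 22, mgmt_prefixes, "SSH from management hosts"),
        rule("tcp", 443, mgmt_prefixes, "Grid Manager HTTPS from management hosts"),
        rule("udp", 53, dns_prefixes, "DNS"),
        rule("udp", 1194, grid_prefixes, "NIOS Grid joining"),
        rule("udp", 2114, grid_prefixes, "NIOS Grid joining"),
        rule("tcp", 8787, mgmt_prefixes, "Infoblox API proxy"),
    ]
    if reporting:
        rules += [rule("tcp", port, grid_prefixes, desc) for port, desc in REPORTING_PORTS]
    return rules


def audit_inbound_rules(rules):
    """Return findings: malformed CIDRs, and management ports open to any source."""
    findings = []
    for r in rules:
        for rng in r["IpRanges"]:
            cidr = rng["CidrIp"]
            try:
                net = ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"port {r['FromPort']}: {cidr!r} is not a valid CIDR")
                continue
            # A /0 source on a management port means the whole Internet (or any
            # peered network) can reach SSH or Grid Manager.
            if r["FromPort"] in MANAGEMENT_PORTS and net.prefixlen == 0:
                findings.append(f"port {r['FromPort']}: open to every address ({cidr})")
    return findings


if __name__ == "__main__":
    # Constructed sample prefixes: a management jump network and the VPC CIDR.
    good = build_inbound_rules(["10.20.30.0/24"], ["10.0.0.0/16"], ["10.0.0.0/16"])
    print(len(good), "rules; findings:", audit_inbound_rules(good))
    sloppy = build_inbound_rules(["0.0.0.0/0"], ["10.0.0.0/16"], ["10.0.0.0/16"])
    print("findings:", audit_inbound_rules(sloppy))
```

The audit deliberately does not flag UDP/53 from 0.0.0.0/0, since a DNS member may legitimately serve clients outside the VPC; it flags only the two ports the page restricts to management hosts, which is the check to run before the Launch instance button is pressed.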

Defining Advanced Network Configuration

For a non-HA deployment, you must use two interfaces for the new vNIOS for AWS instance, network interface 1 and network interface 2, which are labeled MGMT and LAN1 respectively in NIOS. Use network interface 1 to join the Infoblox vNIOS for AWS instance to a NIOS Grid. By default, network interface 1 is assigned an IPv4 address.

For an HA deployment, complete the steps defined in Configuring HA with vNIOS for AWS Instances.

Note

When you need to add or delete a network interface on an existing vNIOS for AWS instance, you must power off the instance, add or delete the interface, and then start the instance. Adding or deleting an interface while the instance is powered on can result in unexpected behavior.

  1. Under Network interface 1, which is for the MGMT port, retain the settings as is.
    You will notice that the subnet selected in the Subnet field is displayed here.
    Note:
    If you need to set a static IP address on the MGMT interface when configuring a vNIOS instance with multiple interfaces (LAN1 and MGMT), set it from the Grid Manager UI; for steps, refer to the Infoblox NIOS documentation. If you try to set the IP address by using the set interface mgmt command, the command will fail to enable the MGMT interface, because NIOS assumes that the LAN1 IP address of a vNIOS instance deployed on any cloud platform is always dynamic.

  2. To add the LAN1 port, click Add network interface.

  3. Under Network interface 2, in the Subnet drop-down list, choose a subnet.
    The selected subnet and security groups must be in the same VPC.

  4. For SSH access to the vNIOS for AWS instance, you must always use the IP address associated with the LAN1 port.

    1. Choose the default Subnet from the drop-down list. (For more information on usage of Elastic IP addresses for interfaces in your Infoblox vNIOS for AWS instances, see Using an Elastic IP Address.)

    2. To have AWS also assign an IPv6 address to the interface, in the IPv6 IPs drop-down list, select Add IP.

  5. Proceed to configure storage settings as described in the Defining Storage Settings for the vNIOS for AWS Instance section.

Defining Storage Settings for the vNIOS for AWS Instance

You can use the settings under Configure storage to define the storage resources to be used by the new instance. Infoblox vNIOS for AWS instances provide a defined amount of instance data storage. The storage size varies according to the AMI you have chosen for the instance. For more information, see Infoblox vNIOS for AWS AMI Shapes and Regions. You can adjust the amount of instance storage to its maximum value and attach external storage volumes for an additional cost.

  1. For a root volume, retain the default values for size and volume type.
    The default values differ based on the AMI that you select.

  2. To define settings for Elastic Block Storage volumes, click Advanced.
    The default configuration of volume 1 is displayed.

  3. In the Storage (volumes) > EBS Volumes > Volume 1 (AMI Root) section, complete the following steps for Elastic Block Storage (EBS) volumes:

    1. Size (GiB): Retain the default value.

    2. Volume type: Choose gp2 from the drop-down list.

    3. Delete on termination: Choose Yes if you want to delete the volume when the instance is terminated, or choose No to keep the volume.
      You can use this setting for your vNIOS for AWS instances to de-couple the root partition deletion from the state of the new EC2 instance. This allows retention of the volume for debugging and event log inspection.
      Infoblox recommends keeping at least the minimum storage capacity defaults for the new Infoblox vNIOS for AWS instance.

    4. Encrypted: To enable encryption on the EBS volume, choose Encrypted.
      Encryption of EBS volumes is supported only in NIOS 8.6.3 and later versions of 8.6.x.

    5. KMS key: Select a key that must be used to encrypt the volume.
      This field is accessible only when encryption is enabled.

  4. (For reporting appliances only) If you are deploying the vNIOS for AWS instance for reporting, you must create two virtual hard disks: one as the default disk for storing regular NIOS data and a second disk for storing the reporting data. To add a second disk:

    1. In the Configure storage/Storage (volumes) section, click the Add New Volume button.

    2. In the Size (GiB) field, specify a size for the disk. Infoblox recommends that you allocate a minimum of 250 GB of additional disk space for the reporting storage requirements.

Defining Advanced Details

Use the settings under Advanced Details to define settings such as user data, IAM role, and Tenancy.

Initializing vNIOS for AWS Instances with the AWS User Data Field

You can provision the vNIOS for AWS instance through the Advanced Details -> User data field without using Elastic Scaling. This section has instructions to define the administrator login settings and specify the feature licenses for the new instance. Complete the following steps:

  1. Expand Advanced Details and scroll down to the User data field.

    To access the NIOS GUI when you start the vNIOS for AWS instance, you must install the vNIOS license by setting the value "temp_license:vnios" in the User data settings. You can also use the NIOS CLI to set temporary or permanent licenses.

  2. Define the following plain-text values in the User data field:

    1. remote_console_enabled: Enables or disables the remote SSH CLI console for a new instance (syntax: y or n).

    2. default_admin_password: Sets the password for the NIOS admin user during the first boot. This value does not have to be a default; it can be the password of any administrator who initializes the new instance. The minimum password length is four characters. If an invalid password is passed by this method, it will be ignored, and the default "infoblox" password remains in effect for the instance. Note that if you want to include a symbol character at the beginning of the password, ensure that you put the password in quotes ('') to avoid login issues. Example: '!Infoblox'.

      • In NIOS 8.5.2 or later, for a Grid Master or a standalone vNIOS for AWS instance, the default NIOS password must be reset on the first login in the NIOS UI. Alternatively, you can configure the new password in the User data field and log in to the NIOS UI using that password. The minimum password length is four characters, and it must contain at least one uppercase character, one lowercase character, one numeric character, and one symbol character. Example: Infoblox1!
        Consider the following points for defining a password:

        • If the symbol character is at the beginning of the password, then include the password within quotes (''). Example: '@Infoblox123'.

        • If you enter an invalid password, you will be prompted to reset the password in the NIOS UI on the first login.

        • The password that you set for the Grid Master is propagated to all its members.

      • To access the NIOS CLI, you must either use the key pair or key pair + password authentication that is configured in NIOS, because access to the CLI by using only the NIOS UI password is blocked.

    3. temp_license: Defines the NIOS feature licenses for the new instance. You can list a collection of temporary license names that apply to the instance during the initial boot. Using this directive allows you to quickly provision the new instance with temporary licenses without having to open a NIOS CLI session to do the same task. To access the NIOS GUI, you must provision the vNIOS license before you start the vNIOS instance. Infoblox recommends that you also provision the Grid and cloud licenses at the same time as follows: temp_license:grid cloud vnios. All text entries must be in all lower case.
      - When you use temp_license in the User data field to install a NIOS license, the Use AWS SSH authentication key option is enabled by default.
      - For an IB-V4025 appliance, if you use the User data field to install the IB-V4025 license, the Use AWS SSH authentication key option will not be enabled by default. Therefore, Infoblox recommends that you first deploy the vNIOS instance without specifying the IB-V4025 license, and then install the license from the NIOS CLI.
      Valid license names include the following:

      • Infoblox vNIOS for AWS instances (IB-V825, IB-V1425 and IB-V2225):

        • grid

        • dns

        • enterprise

        • cloud

      • NIOS license for DDI (IB-V825, IB-V1425 and IB-V2225):

        • nios IB-Vxxxx
          where "xxxx" is the license number.

      • Cloud Platform Infoblox vNIOS for AWS instances (CP-V805, CP-V1405 and CP-V2205):

        • grid

        • dns

        • enterprise

        • cloud_api

Note

  • When you use temp_license in the User data field to install a NIOS license, the Use AWS SSH authentication key option, which is needed to enable CLI access to AWS instances, is enabled by default. For more information, see Creating Local Admins in the Infoblox NIOS Documentation. However, for IB-V4025 appliances, the Use AWS SSH authentication key option is not enabled with this user data configuration. Therefore, Infoblox recommends that you install the IB-V4025 license after deploying the vNIOS instance.

  • In NIOS versions prior to 9.0.1, only the V1 and V2 (token optional) value is supported in the Metadata version field. Starting from NIOS 9.0.1, the values of both V1 and V2 (token optional) and V2 (token required) are supported.

  • For more information about licensing in NIOS 9.0.1, refer to the topic Managing Licenses in NIOS 9.0.1 in the Infoblox NIOS Documentation.

The following figure shows an example:
Defining User Data Settings for Provisioning an Instance without Elastic Scaling

All user data settings are optional directives that can be included in or left out of a configuration. For example, you can include the remote_console_enabled and default_admin_password declarations in the Elastic Scaling configuration shown in Figure Adding the Grid Master, Token and Certificate information to the AWS vNIOS Instance in the topic Provisioning Infoblox vNIOS for AWS using Elastic Scaling. The temp_license setting does not interfere with or override any dynamic license assignments through Elastic Scaling. For more information, see Provisioning Infoblox vNIOS for AWS using Elastic Scaling.

Example:

#infoblox-config
gridmaster:
  ip_addr: 172.16.1.2
remote_console_enabled: y
default_admin_password: '#$&$#!'
temp_license: cloud vnios dns grid

Example for adding temp licenses for IB-V825, IB-V1425 and IB-V2225 appliances using the AWS User data field:

#infoblox-config
remote_console_enabled: y
default_admin_password: password
temp_license: dns enterprise nios IB-V1425

Note
The SSH key will not be uploaded if the ssh_authorized_keys parameter is given in the User data. For information to upload the SSH key, see the Completing Your Infoblox vNIOS for AWS Instance Launch section.
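As an added example (not Infoblox's code), the Python below composes an #infoblox-config user-data document from the directives described in this section and audits one: it applies the password rules (minimum four characters; upper, lower, digit and symbol for an 8.5.2+ Grid Master; quoting when the first character is a symbol), the lower-case license-name rule with the nios <model> form, the requirement that a vnios or nios license be present for the GUI to be reachable, the IB-V4025 caveat, and the note above about ssh_authorized_keys. The two user-data examples from this section are reproduced as test input. The model-name pattern after nios and the flat parse of the gridmaster block are assumptions.

```python
"""Compose and audit an #infoblox-config User data document.

Added example, not Infoblox code.  Encodes the page's rules for the
remote_console_enabled, default_admin_password and temp_license directives
and the warning that ssh_authorized_keys blocks the key-pair upload.
"""
import re
import string

# Temporary license names listed on the page (both appliance families).
LICENSE_NAMES = {"grid", "dns", "enterprise", "cloud", "cloud_api", "vnios"}
# Model token that follows 'nios', e.g. IB-V1425.  The pattern is an assumption.
MODEL_RE = re.compile(r"^(?:IB|CP)-V\d{3,4}$")

# The two examples from the page, reproduced here as constructed test input.
PAGE_EXAMPLE_1 = (
    "#infoblox-config\n"
    "gridmaster:\n"
    "  ip_addr: 172.16.1.2\n"
    "remote_console_enabled: y\n"
    "default_admin_password: '#$&$#!'\n"
    "temp_license: cloud vnios dns grid\n"
)
PAGE_EXAMPLE_2 = (
    "#infoblox-config\n"
    "remote_console_enabled: y\n"
    "default_admin_password: password\n"
    "temp_license: dns enterprise nios IB-V1425\n"
)


def parse_user_data(text):
    """Flatten 'key: value' lines into a dict (gridmaster sub-keys become top-level)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a directive: {raw!r}")
        directives[key.strip()] = value.strip()
    return directives


def password_problems(value, grid_master=True):
    """Problems with a default_admin_password value as written in user data."""
    problems = []
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1]                       # quoted form: '!Infoblox'
    elif value and value[0] in string.punctuation:
        problems.append("password starts with a symbol but is not quoted")
    if len(value) < 4:
        problems.append("password shorter than four characters")
    if grid_master:                               # NIOS 8.5.2+ Grid Master / standalone rule
        classes = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
                   "symbol": lambda c: c in string.punctuation}
        missing = [name for name, test in classes.items() if not any(test(c) for c in value)]
        if missing:
            problems.append("password lacks " + ", ".join(missing) + "; reset required at first login")
    return problems


def license_problems(value):
    """Problems with a temp_license value such as 'dns enterprise nios IB-V1425'."""
    tokens, models, problems, i = value.split(), [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "nios":                         # 'nios <model>' consumes the next token
            if i + 1 < len(tokens) and MODEL_RE.match(tokens[i + 1]):
                models.append(tokens[i + 1])
                i += 2
                continue
            problems.append("nios must be followed by a model, e.g. nios IB-V1425")
        elif tok != tok.lower():
            problems.append(f"license name {tok!r} is not lower case")
        elif tok not in LICENSE_NAMES:
            problems.append(f"unknown license name {tok!r}")
        i += 1
    if "vnios" not in tokens and not models:
        problems.append("no vnios (or nios <model>) license: the GUI will not be reachable")
    if "IB-V4025" in models:
        problems.append("IB-V4025 in user data leaves AWS SSH key auth off; install it from the CLI")
    return problems


def audit_user_data(text, grid_master=True):
    """All problems found in a user-data document; an empty list means clean."""
    d = parse_user_data(text)
    problems = []
    if "ssh_authorized_keys" in d:
        problems.append("ssh_authorized_keys present: the AWS key pair will not be uploaded")
    if d.get("remote_console_enabled", "y") not in ("y", "n"):
        problems.append("remote_console_enabled must be y or n")
    if "default_admin_password" in d:
        problems += password_problems(d["default_admin_password"], grid_master)
    if "temp_license" in d:
        problems += license_problems(d["temp_license"])
    return problems


def build_user_data(*, gridmaster_ip=None, remote_console=True, admin_password=None,
                    temp_license=("grid", "cloud", "vnios")):
    """Emit a user-data document, quoting a password that starts with a symbol."""
    lines = ["#infoblox-config"]
    if gridmaster_ip:
        lines += ["gridmaster:", f"  ip_addr: {gridmaster_ip}"]
    lines.append(f"remote_console_enabled: {'y' if remote_console else 'n'}")
    if admin_password is not None:
        quoted = admin_password[:1] in string.punctuation
        lines.append("default_admin_password: " + (f"'{admin_password}'" if quoted else admin_password))
    lines.append("temp_license: " + " ".join(temp_license))
    return "\n".join(lines) + "\n"
```

Run over the page's two examples, the audit reports that neither password satisfies the 8.5.2+ Grid Master rule, which is exactly the case in which NIOS prompts for a reset at first login; pass grid_master=False to check a member-only deployment.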

Defining IAM Role

In the Advanced details section, you can configure the IAM role for the vNIOS for AWS instance.

To define the role, choose a profile from the IAM instance profile drop-down list.

You may use the default settings for your initial testing. The role can also be defined on the Identity and Access Management page in the AWS console. Your AWS administrator may not allow custom IAM accounts for your deployment, so this may not be a selectable value.

If you are setting up the instance for HA, see Configuring HA with vNIOS for AWS Instances for the permissions required.

For more information about Amazon IAM, see the Amazon IAM documentation page at http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html. For information about how Amazon IAM roles and permissions work with your Infoblox vNIOS for AWS instances to ensure secure and accurate authorization of user privileges, see Credentials for vDiscovery and Assigning AWS User Credentials to the NIOS Cloud Admin Account.

Defining Tenancy Setting

In the Advanced details section, you can configure the tenancy settings for the vNIOS for AWS instance from the Tenancy drop-down list. Keep the tenancy setting as is. For information about tenant settings, see About Tenants.

Completing Your Infoblox vNIOS for AWS Instance Launch

The Summary panel on the Launch an Instance page lists settings that you have configured. Each setting is a link. You may click on a setting to navigate to that section directly and make appropriate changes.

Click the Launch instance button to launch the vNIOS for AWS instance. After a brief period of time, the vNIOS for AWS instance will be active in your VPC.
You can perform additional tasks for the vNIOS for AWS configuration to ensure that the virtual appliance is functioning properly. For more information, see Additional Configuration for vNIOS for AWS.

Note

  • Access to the CLI using the NIOS password is blocked, except for the root user. To gain CLI access, other users must have SSH keys enabled for them in NIOS Grid Manager.

  • For a Grid Master or a standalone vNIOS for AWS instance, the default NIOS password must be reset on the first login in the NIOS UI.

  • The Infoblox standard configuration for vNIOS for AWS deployment requires use of a VPN connection or a direct connection to the Amazon VPC(s) on which you are deploying and operating vNIOS for AWS instances. This connection does not require an Internet-connected IP address or a secure key pair.

  • All AWS Proxy API operations require use of an assigned and regularly rotated AWS-generated key pair assigned to the cloud-api-only account in Grid Manager. For information, see Assigning AWS User Credentials to the NIOS Cloud Admin Account.

Connecting to the EC2 Serial Console of the Instance

vNIOS for AWS instances running on NIOS 8.6.3 or later versions of 8.6.x and deployed with r6i EC2 shapes support connecting to the EC2 serial console. You can connect to the serial console to perform activities such as installing licenses, or for troubleshooting.
To connect to the EC2 serial console, complete the following steps:

  1. In the Amazon EC2 console, navigate to the Instances page.

  2. Select the instance for which you want to access the serial console and click Connect.

  3. On the Connect to instance page > EC2 serial console tab, click Connect.
