
To set up a vNIOS for AWS instance with HA (high availability), review the prerequisites below; then, on each node of the HA pair, perform the complete sequence of procedures defined in Provisioning vNIOS for AWS Using the BYOL Model and, in addition, configure the advanced network settings defined in this topic.

Prerequisites

  • In the Amazon EC2 console, create an IAM role profile with the permissions defined in the Defining IAM Role for HA section, and then associate it with the vNIOS instance.

  • Configure a DNS resolver in the Grid Properties Editor in NIOS. For more information, refer to the Enabling DNS Resolution topic in the Infoblox NIOS Documentation.

  • When defining the HA configuration, you must set up each node of the HA pair with three network interfaces for MGMT, LAN1, and HA. Additionally, assign a secondary IP address to the HA interface on one of the nodes, and ensure that the LAN1 and HA interfaces of both nodes and the secondary IP address are assigned to the same subnetwork. For more information, see the Defining Advanced Network Configuration for HA section below.

  • Ensure that the time on the HA nodes is synchronized with the actual time.
    You can configure NTP servers on the vNIOS appliance and enable the NTP service to synchronize time on the appliance. For information about how to set up the NTP server, refer to the Infoblox NIOS Documentation.

Defining IAM Role for HA

The IAM role permissions defined in this section are a set of minimum permissions required to form an HA pair and allow the vNIOS instance to manage resources in the AWS cloud.

You can define the IAM role for the vNIOS for AWS instance from the Launch an instance page > Advanced details section. A sample IAM policy document in JSON is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:UnassignPrivateIpAddresses",
        "ec2:AssignPrivateIpAddresses",
        "ec2:DescribeNetworkInterfaces",
        "iam:ListRoles",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "ec2:AssociateAddress",
        "ec2:DescribeAddresses"
      ],
      "Resource": [
        "arn:aws:ec2::337773173961:network-interface/",
        "*"
      ]
    }
  ]
}

  • To allow access to resources, you must set the Effect element to Allow.

  • NIOS uses the read permissions of the role to check and validate the configuration on the host every five minutes.

  • NIOS uses the write permissions of the role to unassign and assign private and public IP addresses during an HA failover. The following permissions provide write access:

    • ec2:UnassignPrivateIpAddresses: This permission is required to unassign private IP addresses from network interfaces during an HA failover.

    • ec2:AssignPrivateIpAddresses: This permission is required to assign private IP addresses to network interfaces during an HA failover.

    • ec2:AssociateAddress: This permission is required only if you have configured a public IP address to access the Grid from outside of your private virtual network. The permission associates the configured public IP address with the private IP address.

For more information about Amazon IAM, see the Amazon IAM documentation page at http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html. For information about how Amazon IAM roles and permissions work with your Infoblox vNIOS for AWS instances to ensure secure and accurate authorization of user privileges, see Credentials for vDiscovery and Assigning AWS User Credentials to the NIOS Cloud Admin Account.
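As an added example (not code from this page or from Infoblox), the following Python checks a candidate IAM policy document against the permission list above: it reports every required action the policy does not grant, and every failover write action that is granted on all resources ("*"), as the sample policy does, so that you can decide whether to scope those actions to the HA nodes' network interfaces. The action sets and PAGE_POLICY are taken from this page; matching action patterns such as ec2:* with fnmatch is an assumption that approximates IAM's wildcard matching.

```python
import fnmatch

# Minimum permissions listed on this page, grouped by how NIOS uses them.
READ_ACTIONS = {"ec2:DescribeNetworkInterfaces", "ec2:DescribeAddresses", "iam:ListRoles",
                "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion",
                "iam:GetRole"}
FAILOVER_WRITE_ACTIONS = {"ec2:UnassignPrivateIpAddresses", "ec2:AssignPrivateIpAddresses"}
ELASTIC_IP_ACTION = "ec2:AssociateAddress"  # needed only when a public/elastic IP is used

# The sample policy from this page; the account id and ENI ARN are the page's own values.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["ec2:UnassignPrivateIpAddresses", "ec2:AssignPrivateIpAddresses",
               "ec2:DescribeNetworkInterfaces", "iam:ListRoles", "iam:ListAttachedRolePolicies",
               "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole",
               "ec2:AssociateAddress", "ec2:DescribeAddresses"],
    "Resource": ["arn:aws:ec2::337773173961:network-interface/", "*"]}]}


def allowed_resources(policy):
    """Map each action pattern in the Allow statements to the resources it is granted on."""
    grants = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            grants.setdefault(action, set()).update(
                [resources] if isinstance(resources, str) else resources)
    return grants


def resources_for(grants, action):
    """Resources an action is allowed on; action patterns such as ec2:* are matched with fnmatch."""
    return set().union(*(res for pat, res in grants.items()
                         if fnmatch.fnmatchcase(action.lower(), pat.lower())))


def check_ha_policy(policy, uses_elastic_ip=False):
    """Return the required actions the policy lacks and the write actions it grants on '*'."""
    grants = allowed_resources(policy)
    required = READ_ACTIONS | FAILOVER_WRITE_ACTIONS
    if uses_elastic_ip:
        required = required | {ELASTIC_IP_ACTION}
    writes = FAILOVER_WRITE_ACTIONS | {ELASTIC_IP_ACTION}
    return {"missing": sorted(a for a in required if not resources_for(grants, a)),
            "wildcard_writes": sorted(a for a in writes if "*" in resources_for(grants, a))}
```

Run check_ha_policy(PAGE_POLICY) to see that the page's sample grants nothing short of the minimum but allows all three write actions on every resource.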

Defining Advanced Network Configuration for High Availability

To configure HA on a vNIOS instance, add three network interfaces: network interface 1, network interface 2, and network interface 3, which NIOS labels MGMT, LAN1, and HA respectively. Ensure that the LAN1 and HA interfaces of node1 and node2, as well as the virtual IP address (VIP), are on the same subnetwork.

Note

When you need to add or delete a network interface on an existing vNIOS for AWS instance, you must power off the instance, add or delete the interface, and then start the instance. Adding or deleting an interface while the instance is powered on can result in unexpected behavior.

On the Amazon EC2 console > Launch an instance page, under Network settings, complete the following steps:

  1. Under Network interface 1, which is for the MGMT port, retain the settings as is.
    You will notice that the subnet selected in the Subnet field is displayed here.

  2. Click Add network interface to add the LAN1 port.

  3. Under Network interface 2, in the Subnet drop-down list, choose a subnet that is different from the subnet assigned to network interface 1 (MGMT port).
    The selected subnet and security groups must be in the same VPC.

  4. To enable SSH access to the vNIOS instance, configure any one of the following:

    • The IP address of the LAN1 port.

    • The secondary IP address that you will assign to the HA interface.

    • If you configure an elastic IP address to access the HA Grid, you may use it for SSH access.

  5. Under Network interface 3 (the HA interface), in the Subnet drop-down list, choose the same subnet that you assigned to network interface 2 (LAN1 port).

    1. In the Secondary IP drop-down list, assign a secondary IP address to the HA interface. You may retain the setting as Automatically assign.

    2. In the box below the Secondary IP field, specify the count of secondary IP addresses to create.
      Note that you must configure the secondary IP address on one of the HA nodes. NIOS uses the secondary IP address of the active node as the virtual IP address (VIP) to communicate with the cloud platform.
      If you want to assign an elastic IP address to access the HA Grid from outside of your virtual network, associate the elastic IP address with the secondary IP address.

  6. Proceed to configure storage settings as described in the Defining Storage Settings for the vNIOS for AWS Instance section.

For settings that you must configure in NIOS for an HA setup, refer to the HA related topics under Deploying a Grid in the Infoblox NIOS Documentation.
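As an added example (not part of this page or of NIOS), the following Python validates the interface layout of an HA pair against the rules in the steps above: three interfaces per node, LAN1 on a different subnet from MGMT, the LAN1 and HA interfaces of both nodes on one subnet, every address inside its interface's subnet, exactly one secondary IP (the VIP) on an HA interface, and no address reused within the pair. The NODES dictionary, its subnets and its addresses are constructed sample values.

```python
import ipaddress

# Constructed sample layout for one HA pair (not from any real deployment). Interface names
# follow the page: network interface 1 = MGMT, 2 = LAN1, 3 = HA; "secondary" is the HA
# interface's secondary IP, which NIOS uses as the VIP.
NODES = {
    "node1": {"MGMT": {"subnet": "10.0.0.0/24", "ip": "10.0.0.11"},
              "LAN1": {"subnet": "10.0.1.0/24", "ip": "10.0.1.11"},
              "HA":   {"subnet": "10.0.1.0/24", "ip": "10.0.1.21", "secondary": "10.0.1.100"}},
    "node2": {"MGMT": {"subnet": "10.0.0.0/24", "ip": "10.0.0.12"},
              "LAN1": {"subnet": "10.0.1.0/24", "ip": "10.0.1.12"},
              "HA":   {"subnet": "10.0.1.0/24", "ip": "10.0.1.22"}},
}


def check_ha_layout(nodes):
    """Return a list of problems; an empty list means the layout meets the HA rules above."""
    problems = []
    for name, ifaces in nodes.items():
        missing = {"MGMT", "LAN1", "HA"} - set(ifaces)
        if missing:
            problems.append(f"{name}: missing interface(s) {sorted(missing)}")
            continue
        # Step 3: LAN1 must not share the MGMT subnet.
        if ifaces["MGMT"]["subnet"] == ifaces["LAN1"]["subnet"]:
            problems.append(f"{name}: MGMT and LAN1 share subnet {ifaces['LAN1']['subnet']}")
        # Every primary and secondary address must fall inside its interface's subnet.
        for label, iface in ifaces.items():
            net = ipaddress.ip_network(iface["subnet"])
            for key in ("ip", "secondary"):
                if key in iface and ipaddress.ip_address(iface[key]) not in net:
                    problems.append(f"{name}: {label} {key} {iface[key]} is outside {net}")
    # Step 5: LAN1 and HA of both nodes (and therefore the VIP) share one subnet.
    shared = {n[l]["subnet"] for n in nodes.values() for l in ("LAN1", "HA") if l in n}
    if len(shared) != 1:
        problems.append(f"LAN1/HA interfaces span {len(shared)} subnets: {sorted(shared)}")
    # Exactly one node carries the secondary IP that becomes the VIP.
    vips = [n for n, i in nodes.items() if "secondary" in i.get("HA", {})]
    if len(vips) != 1:
        problems.append(f"expected a secondary IP on exactly one HA interface, found {len(vips)}")
    # No address may be reused anywhere in the pair.
    addrs = [v for i in nodes.values() for f in i.values() for k, v in f.items() if k != "subnet"]
    dupes = sorted({a for a in addrs if addrs.count(a) > 1})
    if dupes:
        problems.append(f"duplicate addresses in the pair: {dupes}")
    return problems
```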
