SC Cloud Migration - AWS User Manual PDF

Summary

This document is a guide to AWS cloud computing services implemented during the Supreme Court Cloud Migration Project. It includes information about topics such as AWS Infrastructure Diagram, AWS Management, AWS Services - VPC, and AWS Services - EC2.

Full Transcript


Supreme Court of the Philippines AWS Quick Reference Guide

Table of Contents

- Purpose
- Document Control
- Reviewer
- AWS Infrastructure Diagram
- AWS Management
  - AWS Organizational Structure - For Update - On SC Shared Drive.
  - AWS Control Tower Centralised Account Management
  - Access Management via Control Tower
  - Audit and Logging
- AWS Services - VPC c/o Jhay and Mia
  - VPC Networking Diagram
  - Deployment of New VPC *Subnets, Route Tables
  - Configuring VPC Peering
  - Configuring Site-to-Site VPN
- AWS Services - EC2
  - Provisioning of EC2 Instances
    - Launch
    - Start
    - Stop
    - Terminate
    - Creation of AMI (Amazon Machine Image)
    - Creation of Snapshot
    - Creating, Attaching, Resizing and Detaching Volume
    - Change Instance Type
    - Configuring Security Groups
  - Other EC2 Service Configuration
    - Creation of System Session Manager
    - Managing of AWS Keypair
    - Connect via SSH
    - Creating Target Group
    - Creation of Elastic IP Addresses
    - Elastic IP Addresses
      ○ Attach
      ○ Detach
      ○ Add Secondary Network Interface
- Application Migration Service
  - Initial Configuration of Application Migration Service
  - Installation of Agentless On-Prem
    ○ Download of VM VDDK
    ○ VM Discovery
    ○ Configuring Default Replication Template
    ○ Configuring Custom-Launch Template
    ○ Start VM Replication using Agentless
    ○ Migration Cut-Over
      - Pre-Cut-over
      - Final Cut-over
- Disaster Recovery Service
  - Installation of DR Agent on VM
  - Configuring of Default Replication Template
  - Start Replication
  - Configuring of Custom Launch Template
  - Initiate Recovery Drill
  - Initiate Recovery
  - Start Reverse Replication
  - Complete Failback
- WAF
  - AWS Managed WAF Rules
  - Custom WAF Rules
- CloudFront
  - Content Security Policy
  - Caching
  - HTTP Headers
- CloudWatch
  - Defacement
- Route53
  - Creating Hosted Zone
  - Adding, Modifying and Deleting Records
- AWS Application Load Balancer
- CloudWatch
  - Enablement of Real-Time Logging
- S3 Bucket
- AWS Certificate Manager
  - Importing Certificate
  - Requesting New Certificate
- Filing of Support Ticket

Purpose

The purpose of this document is to help users effectively navigate and utilize AWS cloud computing services implemented during the Supreme Court Cloud Migration Project.

Document Control

Each update to this document needs to be listed in the table below. In order to maintain consistency, the first version is identified as version 1.0. A minor change or revision will constitute an increment of 0.01 and so on. A major change or revision that significantly changes the content of this document will increment this document to the nearest higher whole number (i.e. version 2.0 and so on).

| Revision | Date | Owner | Remarks |
|---|---|---|---|
| 1.0 | January 14, 2025 | Kevin Kier Amandy | Initial version of the AWS Quick Reference Guide released to Supreme Court |

Reviewer

The names listed below define the complete list of stakeholders that will review this document.

| Name | Role | Action/Signature | Date Signed |
|---|---|---|---|
| Marlon Concepcion | Project Manager | | |
| Richard Venus | Technical Manager | | |
| Marc Reman Bessat | Judicial Staff Officer VI | | |

AWS Infrastructure Diagram

AWS Management

AWS Organizational Structure - For Update - On SC Shared Drive.

AWS Control Tower Centralised Account Management

Access Management via Control Tower

Audit and Logging

AWS Services - VPC c/o Jhay and Mia

VPC Networking Diagram

Deployment of New VPC *Subnets, Route Tables

Creation of VPC

To Create VPC
1. Search for VPC Dashboard then click Your VPCs.
2. Then click Create VPC.
3. On the VPC Settings option, select VPC only.
4. For the IPv4 CIDR Block, select IPv4 CIDR manual input then input the desired IPv4 CIDR Block.
5. For the IPv6 CIDR Block, select No IPv6 CIDR Block.
6. Set Tenancy to Default.
7. (Optional) Add tag.
8. Then click Create VPC.
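The IPv4 CIDR entered in step 4 also bounds every subnet carved from the VPC (Creation of Subnet, below) and must not overlap any VPC it is later peered with (Configuring VPC Peering, below), so it pays to check the address plan before anything is created in the console. The script below is an added example, not code from this guide or from AWS; the CIDRs and the pcx- identifier are constructed placeholders.

```python
"""Pre-flight check of a VPC address plan before it is typed into the console.

Added example (not from the guide or AWS). It checks that the VPC CIDR is a
block of a size AWS accepts (/16 to /28) inside an RFC 1918 range, that each
subnet lies inside the VPC and subnets do not overlap, that a planned peering
partner does not overlap the VPC, and it derives the route each side of the
peering needs. All CIDRs and the pcx- id used below are constructed.
"""
import ipaddress
from typing import Dict, List

AWS_MIN_PREFIX = 16   # largest VPC block AWS allows
AWS_MAX_PREFIX = 28   # smallest VPC or subnet block AWS allows
RFC1918 = [ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=True rejects a block with host bits set, e.g. 10.0.0.1/24
    return ipaddress.IPv4Network(cidr, strict=True)


def validate_vpc_plan(vpc_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    try:
        vpc = _net(vpc_cidr)
    except ValueError as exc:
        return [f"VPC CIDR {vpc_cidr!r} is not a valid network: {exc}"]
    if not (AWS_MIN_PREFIX <= vpc.prefixlen <= AWS_MAX_PREFIX):
        problems.append(f"VPC {vpc} must be between /{AWS_MIN_PREFIX} and /{AWS_MAX_PREFIX}")
    if not any(vpc.subnet_of(r) for r in RFC1918):
        problems.append(f"VPC {vpc} is not inside an RFC 1918 range; AWS recommends a private range")
    seen: List[ipaddress.IPv4Network] = []
    for cidr in subnet_cidrs:
        try:
            sn = _net(cidr)
        except ValueError as exc:
            problems.append(f"subnet CIDR {cidr!r} is not a valid network: {exc}")
            continue
        if not sn.subnet_of(vpc):
            problems.append(f"subnet {sn} is outside VPC {vpc}")
        if sn.prefixlen > AWS_MAX_PREFIX:
            problems.append(f"subnet {sn} is smaller than /{AWS_MAX_PREFIX}")
        for other in seen:
            if sn.overlaps(other):
                problems.append(f"subnet {sn} overlaps subnet {other}")
        seen.append(sn)
    return problems


def peering_possible(local_vpc: str, remote_vpc: str) -> bool:
    """AWS will not activate a peering between VPCs whose CIDRs overlap."""
    return not _net(local_vpc).overlaps(_net(remote_vpc))


def peering_routes(local_vpc: str, remote_vpc: str, pcx_id: str) -> Dict[str, Dict[str, str]]:
    """Route each side must add in its route table: Destination = the other
    VPC's CIDR, Target = the peering connection. pcx_id is whatever the
    console assigned (a placeholder here)."""
    if not peering_possible(local_vpc, remote_vpc):
        raise ValueError(f"{local_vpc} and {remote_vpc} overlap; peering is not possible")
    return {
        "requester": {"destination": str(_net(remote_vpc)), "target": pcx_id},
        "accepter": {"destination": str(_net(local_vpc)), "target": pcx_id},
    }


if __name__ == "__main__":
    # Constructed sample: a local VPC with three subnets (the last overlaps the
    # first) and a remote VPC in another region that it will be peered with.
    local = "10.10.0.0/16"
    print(validate_vpc_plan(local, ["10.10.1.0/24", "10.10.2.0/24", "10.10.1.128/25"]))
    print(peering_routes(local, "10.20.0.0/16", "pcx-PLACEHOLDER"))
```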
Creation of Subnet

To Create Subnet
1. Search VPC Dashboard then click on Subnets.
2. Click on Create Subnet.
3. Select the VPC in which you want to create the subnet.
4. Specify the subnet name.
5. Select your preferred Availability Zone.
6. Input your desired IPv4 VPC CIDR Block.
7. Input your desired IPv4 subnet CIDR Block.
8. (Optional) Add Tag.
9. (Optional) If you want to add another subnet, click on the Add subnet button at the bottom.
10. Click Create Subnet.

Creation and attaching of Internet Gateway

To Create Internet Gateway
1. Search VPC Dashboard then click Internet Gateway.
2. Click the Create internet gateway button.
3. On the Create internet gateway screen, fill up the name tag.
4. (Optional) Add Tag.
5. Click the Create internet gateway button.

Creation of NAT Gateway

To Create NAT Gateway
1. Search VPC Dashboard then click NAT Gateway.
2. Click the Create NAT Gateway button.
3. On the NAT Gateway window, provide a Name.
4. On the Subnet section, select the Subnet that you want to use.
5. On the connectivity type, select either Public or Private depending on your use case (if Public is selected, select the Elastic IP you want to use; if Private, select either auto assign, or custom if you want to have a custom private IP).
6. Click Create NAT Gateway.

Route Table

○ Creation of Route Table

To Create Route Table
1. Search VPC Dashboard then click Route Tables.
2. Click Create Route Table.
3. On the Create Route Table window, fill up the Route Table Settings Name.
4. Select the VPC you want to use.
5. (Optional) Add Tag.
6. Click on Create Route Table.

○ Edit Route Table

To Edit Route Table
1. Search VPC Dashboard then click Route Tables.
2. Click the Route Table that you want to edit.
3. Click on the Routes tab.
4. Click the Edit Route Table button.
5. Click on Add Route.
6. Fill up the appropriate Destination and Target settings.
7. For the Target, add entries for the following:
   a. Virtual Private Gateway
   b. Network Interface
   c. NAT Gateway
8. Select the VPC you want to use.
9. (Optional) Add Tag.
10. Click on Create Route Table.

○ Association of Subnet

To Associate Subnet
1. Search VPC Dashboard then click Route Tables.
2. Select the Route Table entry you want to associate a subnet with.
3. Click the Subnet Associations tab.
4. On the Explicit Subnet Associations section, click on Edit Subnet Associations, select the subnet that you want to associate, then click on Save Associations.

Configuring VPC Peering

Note: This assumes that there are VPCs in two different regions.

Create Peering

To Create Peering
1. Search VPC Dashboard then click Peering Connections.
2. In the Create peering connection window, fill up the Name in the Peering connection settings.
3. Fill up the VPC Details.
4. On the Select another VPC to peer with section, in the Account field, select My Account.
5. In the Region settings, select the desired region.
6. On the VPC ID section, input the VPC ID for the connection (from the Seoul Region).
7. Click on Create Peering Connection.

Confirmation to the other VPC

To Confirm the peering on the other VPC
1. After clicking the Create Peering Connection button, on the upper right section of the window, select the region matching the Region of the VPC ID previously entered (Seoul).
2. Once you are in the selected VPC region, a prompt will be displayed to accept the recently created VPC connection. Click on the Accept Request button. Alternatively, you may select the newly created VPC connection on the Peering connections window, then click Actions on the upper right side of the list and select the Accept request action.

Route Table Configuration (All Endpoints)

To Create the Route Table Configuration (All Endpoints)
1. Go to the region of the endpoint you want to configure.
2. Search VPC Dashboard then click Route Tables.
3. Click the Route Table that you want to edit.
4. Click on the Routes tab.
5. Click the Edit Route Table button.
6. Click on Add Route.
7. Fill up the appropriate Destination and Target settings.
8. For the Target, add entries for the following:
   a. Peering
9. Select the VPC you want to use.
10. (Optional) Add Tag.
11. Click on Create Route Table.
12. Do the same on the origin region.

Configuring Site-to-Site VPN

To Create a Site-to-Site VPN
1. Go to the region of the endpoint you want to configure.
2. Search VPC Dashboard; under Virtual Private Network (VPN), click Customer Gateways.
3. On the Customer Gateways screen, click on the Create Customer Gateway button.
4. On the Create customer gateway section, fill up the Name section and the BGP ASN (use default); for the IP Address, input the desired IP Address.
5. (Optional) Fill up Certificate ARN and Device.
6. (Optional) Add Tags.
7. Click the Create Customer Gateway button.
8. Go back to the VPC Dashboard then click on Virtual Private Gateways.
9. On the Virtual Private Gateways section, click on the Create virtual private gateway button.
10. On the Create virtual private gateway window, fill up the Name field.
11. In the Autonomous System Number (ASN), select Amazon default ASN.
12. (Optional) Add Tags.
13. Click Create Virtual Private Gateway.
14. Go back to the VPC Dashboard then select Site-to-Site VPN Connections.
15. On the VPN Connections window, click on Create VPN Connection.
16. On the Create VPN Connection section, fill up the Name tag.
17. Choose Virtual Private Gateway; on the drop-down, select your VPG.
18. Choose Customer Gateway; on the drop-down, select your customer gateway.
19. Select your desired Routing option, static or dynamic.
20. Fill up the static IP prefixes if you chose Static.
21. Fill up local and remote IPv4 (optional).
22. (Optional) Add Tags.
23. Click Create VPN Connection.
24. On the VPN Connections window, select your VPN then select Download Configuration.
25. Send the downloaded configuration to the client.

AWS Services - EC2

Provisioning of EC2 Instances

Launch

To quickly launch an instance using the launch instance wizard
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation bar at the top of the screen, the current AWS Region is displayed (for example, US East (Ohio)). If needed, select a different Region in which to launch the instance.
3. From the Amazon EC2 console dashboard, choose Launch instance.
4. (Optional) Under Name and tags, for Name, enter a descriptive name for your instance.
5. Under Application and OS Images (Amazon Machine Image), choose Quick Start, and then choose the operating system (OS) for your instance.
6. Select Instance Type (e.g. m5.large, t2.micro).
7. Under Key pair (login), for Key pair name, choose an existing key pair or create a new one.
8. Set up Network Settings (VPC and Subnet).
9. Set up Security Group (note: create a new security group if there are no existing security groups).
10. Configure Storage.
11. (Optional) Advanced Details (e.g. Termination Protection, Instance Auto Recovery).
12. In the Summary panel, choose Launch instance.

Start

To start an Amazon EBS-backed instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the left navigation pane, choose Instances, and then select the instance.
3. To start a stopped instance, select the instance, and choose Instance state, Start instance.
4. It can take a few minutes for the instance to enter the running state.
5. If you stopped an Amazon EBS-backed instance and it appears "stuck" in the stopping state, you can forcibly stop it. For more information, see Troubleshoot Amazon EC2 instance stop issues.

Stop

To stop an Amazon EBS-backed instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the left navigation pane, choose Instances, and then select the instance.
3. On the Storage tab, verify that Root device type is EBS. Otherwise, you can't stop the instance.
4. Choose Instance state, Stop instance. If this option is disabled, either the instance is already stopped or its root device is an instance store volume.
5. When prompted for confirmation, choose Stop. It can take a few minutes for the instance to stop.

Terminate

To terminate an instance using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Instances.
3. Select the instance, and choose Instance state, Terminate (delete) instance.
4. Choose Terminate (delete) when prompted for confirmation.
5. After you terminate an instance, it remains visible for a short while, with a state of terminated. If termination fails or if a terminated instance is visible for more than a few hours, see Terminated instance still displayed.

Creation of AMI (Amazon Machine Image)

Creating an AMI from an existing Amazon EC2 instance
1. From the AWS Toolkit Explorer, expand Amazon EC2 and choose Instances to view a list of your existing instances.
2. Right-click the instance that you want to use as the basis for your AMI and choose Create Image (AMI) to open the Create Image dialog window.
3. From the Create Image dialog window, add a name and a description for your image into the provided fields, then choose the OK button to continue.
4. Click Create Image.

Creation of Snapshot

To Create a snapshot:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Snapshots, Create snapshot.
3. Select volume or instance as the resource type.
4. Select Volume ID or Instance ID depending on the item selected in the previous step.
5. Add description and tags.
6. Click Create Snapshot.
Creating, Attaching, Resizing and Detaching Volume

To create a volume
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Volumes and then choose Create volume.
3. For Volume type, choose the type of volume to create.
4. For Size, enter the size of the volume, in GiB.
5. (For io1, io2, and gp3 only) For IOPS, enter the maximum number of input/output operations per second (IOPS) that the volume should provide.
6. (For gp3 only) For Throughput, enter the throughput that the volume should provide, in MiB/s.
7. For Availability Zone, choose the Availability Zone in which to create the volume.
8. (Optional) To assign custom tags to the volume, in the Tags section, choose Add tag, and then enter a tag key and value pair.
9. Choose Create volume.
10. To use the volume, wait for it to reach the available state and then attach it to an Amazon EC2 instance in the same Availability Zone.

To attach an EBS volume to an instance using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Volumes.
3. Select the volume to attach and choose Actions, Attach volume.
   Note: You can attach only volumes that are in the Available state.
4. For Instance, enter the ID of the instance or select the instance from the list of options.
   Note:
   - The volume must be attached to an instance in the same Availability Zone.
   - If the volume is encrypted, it can only be attached to instance types that support Amazon EBS encryption.
5. For Device name, do one of the following:
   - For a root volume, select the required device name from the Reserved for root volume section of the list. Typically /dev/sda1 or /dev/xvda for Linux instances depending on the AMI, or /dev/sda1 for Windows instances.
   - For data volumes, select an available device name from the Recommended for data volumes section of the list.
   - To use a custom device name, select Specify a custom device name and then enter the device name to use.
6. This device name is used by Amazon EC2. The block device driver for the instance might assign a different device name when mounting the volume. For more information, see Device names on Linux instances or Device names for volumes on EC2 instances.
7. Choose Attach volume.
8. Connect to the instance and mount the volume. For more information, see Make an Amazon EBS volume available for use.

To Resize a Volume
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Volumes.
3. Select the volume to resize and choose Actions, Modify Volume.
4. Adjust the desired size of the volume.
5. Save changes.

To detach a volume

Step 1: Unmount the volume

Linux instances: from your Linux instance, use the following command to unmount the /dev/sdh device.

    [ec2-user ~]$ sudo umount -d /dev/sdh

To detach an EBS volume using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Volumes.
3. Select the volume to detach and choose Actions, Detach volume.
4. When prompted for confirmation, choose Detach.

Change Instance Type

To Change Instance Type:
1. Stop the instance to be changed.
2. Select the instance, then click Actions, then select Instance Settings, then Change instance type.
3. Select the desired Instance Type.
4. Save changes.
5. Start the Instance.

Configuring Security Groups

To create a security group during instance setup
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Navigate to Instances: in the left-hand menu, click on "Instances" under the "Instances" section.
3. Select Your Instance: locate the instance whose specifications you want to view and click on its "Instance ID" to open its details.
4. In the navigation pane, choose Security Group.
5. In the "Security" tab, configure the ports listed for:
   a. Inbound rules
   b. Outbound rules
6. Save Changes.

Other EC2 Service Configuration

Creation of System Session Manager

To Create SSM:
1. Go to IAM (Identity and Access Management).
2. Under Access management, click on Roles.
3. Click Create Role on the upper right side of the window.
4. On Select trusted entity, under Trusted entity type, select AWS service.
5. Under Use Case, select EC2.
6. On Choose a use case for the specified service, select EC2 Role for AWS Systems Manager then click Next.
7. On Add Permissions, click on Next.
8. On the Name, review and create section, fill up the Role Details (e.g. Role Name, Description, tag (optional)).
9. Click Create Role.

Attaching SSM role to an instance
1. Go to EC2 then select the instance.
2. Click on Actions, then under Security, click on Modify IAM Role.
3. Select the IAM Role previously created.
4. Click Update IAM Role.

Managing of AWS Keypair

To create a key pair using Amazon EC2
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, under Network & Security, choose Key Pairs.
3. Choose Create key pair.
4. For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters. It can't include leading or trailing spaces.
5. Select a key pair type appropriate for your operating system:
   - (Linux instances) For Key pair type, choose either RSA or ED25519.
   - (Windows instances) For Key pair type, choose RSA. ED25519 keys are not supported for Windows instances.
6. For Private key file format, choose the format in which to save the private key. To save the private key in a format that can be used with OpenSSH, choose pem. To save the private key in a format that can be used with PuTTY, choose ppk.
7. To add a tag to the public key, choose Add tag, and enter the key and value for the tag. Repeat for each tag.
8. Choose Create key pair.
9. The private key file is automatically downloaded by your browser. The base file name is the name that you specified as the name of your key pair, and the file name extension is determined by the file format that you chose. Save the private key file in a safe place.

Important: This is the only chance for you to save the private key file.

If you plan to use an SSH client on a macOS or Linux computer to connect to your Linux instance, use the following command to set the permissions of your private key file so that only you can read it.

    chmod 400 key-pair-name.pem

If you do not set these permissions, then you cannot connect to your instance using this key pair. For more information, see Error: Unprotected private key file.

Connect via SSH

To connect to your instance using an SSH client
1. Open a terminal window on your computer.
2. Use the ssh command to connect to the instance. You need the details about your instance that you gathered as part of the prerequisites. For example, you need the location of the private key (.pem file), the username, and the public DNS name or IPv6 address. The following are example commands.

   (Public DNS) To use the public DNS name, enter the following command.

       ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name

   (IPv6) Alternatively, if your instance has an IPv6 address, enter the following command to use the IPv6 address.

       ssh -i /path/key-pair-name.pem instance-user-name@instance-IPv6-address

   The following is an example response.

       The authenticity of host 'ec2-198-51-100-1.compute-1.amazonaws.com (198-51-100-1)' can't be established.
       ECDSA key fingerprint is l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY.
       Are you sure you want to continue connecting (yes/no)?

3. (Optional) Verify that the fingerprint in the security alert matches the expected fingerprint. If these fingerprints don't match, someone might be attempting a man-in-the-middle attack. If they match, continue to the next step. For more information, see Get the instance fingerprint.
4. Enter yes. You see a response like the following:

       Warning: Permanently added 'ec2-198-51-100-1.compute-1.amazonaws.com' (ECDSA) to the list of known hosts.

Creating Target Group

To create a target group using the console
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the navigation pane, under Load Balancing, choose Target Groups.
3. Choose Create target group.
4. For Choose a target type, select Instances to register targets by instance ID.
5. For Target group name, type a name for the target group. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen.
6. (Optional) For Protocol and Port, modify the default values as needed.
7. For VPC, select a virtual private cloud (VPC). Note that for IP address target types, the VPCs available for selection are those that support the IP address type that you chose in the previous step.
8. (Optional) For Protocol version, modify the default value as needed.
9. (Optional) In the Health checks section, modify the default settings as needed.
10. (Optional) Add one or more tags as follows:
    - Expand the Tags section.
    - Choose Add tag.
    - Enter the tag key and the tag value.
11. Choose Next.
12. (Optional) Add one or more targets as follows:
    - If the target type is Instances, select one or more instances, enter one or more ports, and then choose Include as pending below.
    Note: The instances must have an assigned primary IPv6 address to be registered with an IPv6 target group.
13. Choose Create target group.
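The inbound and outbound rules set in the Configuring Security Groups section above are the instance's main exposure control, and with the Session Manager role attached an instance no longer needs an inbound SSH rule at all. The audit below flags rules that open administrative ports to the whole internet; it is an added example, not code from this guide or from AWS. It takes one group in the shape of `aws ec2 describe-security-groups` output, and the sample group is constructed.

```python
"""Audit an EC2 security group for rules reachable from the whole internet.

Added example (not from the guide or AWS). The input dict has the shape of one
group in `aws ec2 describe-security-groups` output; SAMPLE_SG is constructed.
"""
import ipaddress
from typing import Any, Dict, List, Tuple

# Administrative ports that should never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}


def _sources(perm: Dict[str, Any]) -> List[str]:
    """All CIDR sources (IPv4 and IPv6) of one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0: a prefix length of zero covers everything."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm: Dict[str, Any]) -> Tuple[int, int]:
    """Port range of the entry; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_group(sg: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return findings, in rule order, for world-reachable inbound rules and
    for unrestricted egress. Rules scoped to a specific range are not flagged."""
    findings: List[Dict[str, str]] = []
    gid = sg.get("GroupId", "?")
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "?")
        lo, hi = _port_range(perm)
        for cidr in _sources(perm):
            if not is_world_open(cidr):
                continue
            if proto == "-1":
                severity, exposed = "HIGH", "all protocols and ports"
            elif proto in ("icmp", "icmpv6"):
                severity, exposed = "LOW", proto   # FromPort/ToPort are ICMP type/code here
            else:
                admin = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
                if admin:
                    severity, exposed = "HIGH", ", ".join(admin)
                else:
                    severity, exposed = "MEDIUM", f"{proto}/{lo}-{hi}"
            findings.append({"group": gid, "direction": "inbound", "source": cidr,
                             "severity": severity, "exposed": exposed})
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") != "-1":
            continue
        for cidr in _sources(perm):
            if is_world_open(cidr):
                findings.append({"group": gid, "direction": "outbound", "source": cidr,
                                 "severity": "LOW", "exposed": "unrestricted egress (console default)"})
    return findings


def worst_severity(findings: List[Dict[str, str]]) -> str:
    order = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max((f["severity"] for f in findings), key=order.get, default="NONE")


# Constructed sample group: HTTPS from anywhere (expected for a web tier), SSH
# from anywhere over IPv4 and IPv6 (should be removed), RDP only from the VPC.
SAMPLE_SG = {
    "GroupId": "sg-0123456789example",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ],
}

if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_SG):
        print(f"{f['severity']:6} {f['direction']:8} {f['source']:12} {f['exposed']}")
```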
Creation of Elastic IP Addresses

To allocate an Elastic IP address
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Network & Security, Elastic IPs.
3. Choose Allocate Elastic IP address.

Elastic IP Addresses

○ Attach

To attach an Elastic IP Address:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Network & Security, Elastic IPs.
3. Select the Elastic IP that you want to associate.
4. Click on Actions, then click Associate Elastic IP address.
5. On the Associate Elastic IP address screen, select the instance or the network interface with which you want to associate the Elastic IP Address.
6. Click Associate.

○ Detach

To detach an Elastic IP Address:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Network & Security, Elastic IPs.
3. Select the Elastic IP Address you want to detach.
4. Click on Actions, Disassociate Elastic IP address.

○ Add Secondary Network Interface

To Add a Secondary Network Interface:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Network & Security, Network Interfaces.
3. Click Create network interface.
4. In the Create network interface section, fill up the details (e.g. Description, Subnet, Private IP Address, etc.).
5. Click Create network interface.

Application Migration Service

Initial Configuration of Application Migration Service

Installation of Agentless On-Prem
○ Download of VM VDDK
○ VM Discovery
○ Configuring Default Replication Template
○ Configuring Custom-Launch Template
○ Start VM Replication using Agentless
○ Migration Cut-Over
  - Pre-Cut-over
  - Final Cut-over

Disaster Recovery Service

Installation of DR Agent on VM

Notes: Before installing, you need root privileges to run the Agent installer file on a Linux server. Alternatively, you can run the Agent Installer file with sudo permissions.

1. Download the agent installer aws-replication-installer-init onto your Linux source server. The Agent installer download location follows this format:

       sudo wget https://aws-elastic-disaster-recovery-ap-northeast-2.s3.ap-northeast-2.amazonaws.com/latest/linux/aws-replication-installer-init

   or

       sudo curl -O https://aws-elastic-disaster-recovery-ap-northeast-2.s3.ap-northeast-2.amazonaws.com/latest/linux/aws-replication-installer-init

2. Use the following command on your source server in order to run the installation script.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init

   The installer will confirm that the installation of the AWS Replication Agent has started.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init
       The installation of the AWS Replication Agent has started.

3. The installer will prompt you to enter your AWS Region Name, the AWS Access Key ID and AWS Secret Access Key that you previously generated. Enter the complete AWS Region name (for example, ap-northeast-2), the full AWS Access Key ID and the full AWS Secret Access Key.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init
       The installation of the AWS Replication Agent has started.
       AWS Region name: ap-northeast-2
       AWS Access Key ID: [Insert provided AWS Access Key ID]
       AWS Secret Access Key: [Insert provided AWS Secret Access Key]

   Note: The AWS Region name, AWS Access Key ID and AWS Secret Access Key values shown above should be replaced with the credentials provided/generated for you by the Novare Team.

4. Once you have entered your credentials, the installer will identify volumes for replication. The installer will display the identified disks and prompt you to choose the disks you want to replicate.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init
       ...
       AWS Secret Access Key: [Insert provided AWS Secret Access Key]
       Identifying volumes for replication.
       Choose the disks you want to replicate.
       Your disks are: /dev/sda,/dev/xvda
       To replicate some of the disks, type the path of the disks, separated with a comma (for example, /dev/sda,/dev/sdb). To replicate all disks, press Enter:

   To replicate some of the disks, type the path of the disks, separated by a comma, as illustrated in the installer (such as /dev/sda,/dev/sdb, etc.). To replicate all of the disks, press Enter. The installer will identify the selected disks and print their size.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init
       ...
       To replicate some of the disks, type the path of the disks, separated with a comma (for example, /dev/sda,/dev/sdb). To replicate all disks, press Enter:
       Identified volume for replication: /dev/xvda of size 8 GiB

   The installer will confirm that all disks were successfully identified.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init
       ...
       Identified volume for replication: /dev/xvda of size 8 GiB
       All volumes for replication were successfully identified.

5. After all of the disks that will be replicated have been successfully identified, the installer will download and install the AWS Replication Agent on the source server.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init
       ...
       Identified volume for replication: /dev/xvda of size 8 GiB
       All volumes for replication were successfully identified.
       Downloading the AWS Replication Agent onto the source server... Finished
       Installing the AWS Replication Agent onto the source server... Finished

6. Once the AWS Replication Agent is installed, the server will be added to the AWS Elastic Disaster Recovery console and will undergo the initial sync process. The installer will provide you with the source server's ID.

       sudo chmod +x aws-replication-installer-init; sudo ./aws-replication-installer-init
       ...
       Installing the AWS Replication Agent onto the source server... Finished
       Syncing the source server with the AWS Elastic Disaster Recovery console... Finished
       The following is the source server ID: s-3146f90b19example
       The AWS Replication Agent was successfully installed.

7. You can review this process in real time on the Source servers page.

Configuring of Default Replication Template

Start Replication

Configuring of Custom Launch Template

Initiate Recovery Drill

Steps:
1. Navigate to the AWS Elastic Disaster Recovery Console. In the left navigation pane, select Source Servers.
2. Select one or more source servers, then select Initiate Recovery Job.
3. Select Initiate recovery drill.
4. Select a Point in Time to recover to:
5. Select "Use most recent data" to attempt to create a sub-second RPO snapshot from the source server(s).
6. Select a specific time to use snapshots created at that timestamp, or slightly before if a snapshot was unavailable for a particular source server(s).
7. Select Initiate drill.
8. (Optional) Monitor Recovery Drill progress from the AWS Elastic Disaster Recovery Console Recovery Job History.

Initiate Recovery

Start Reverse Replication

Complete Failback

Steps:
1. Navigate to the AWS Elastic Disaster Recovery Console. In the left navigation pane, select Recovery instances.
2. Select one or more source servers, then select Actions.
3. Select Terminate recovery instances.
4. Select Terminate on any dialog boxes.

To add or remove conditions in a rule
1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/. If you see Switch to AWS WAF Classic in the navigation pane, select it.
2. In the navigation pane, choose Rules.
3. Choose the name of the rule in which you want to add or remove conditions.
4. Choose Add rule.
5.​ To add a condition, choose Add condition and specify the following values:​ When a request does/does not​ If you want AWS WAF Classic to allow or block requests based on the filters in a condition, for example, web requests that originate from the range of IP addresses 192.0.2.0/24, choose does.​ 23 | Page If you want AWS WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose does not. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that do not come from those IP addresses, choose does not.​ match/originate from​ Choose the type of condition that you want to add to the rule: ​ Cross-site scripting match conditions – choose match at least one of the filters in the cross-site scripting match condition ​ IP match conditions – choose originate from an IP address in ​ Geo match conditions – choose originate from a geographic location in ​ Size constraint conditions – choose match at least one of the filters in the size constraint condition ​ SQL injection match conditions – choose match at least one of the filters in the SQL injection match condition ​ String match conditions – choose match at least one of the filters in the string match condition ​ Regular expression match conditions – choose match at least one of the filters in the regex match condition 6.​ condition name​ Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step. 7.​ To remove a condition, select the X to the right of the condition name 8.​ Choose Update. WAF ​ AWS Managed WAF Rules ​ Custom WAF Rules To create a rule and add conditions 1.​ Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.​ If you see Switch to AWS WAF Classic in the navigation pane, select it. 2.​ In the navigation pane, choose Rules. 3.​ Choose Create rule. 
4. Enter the following values:
   Name: enter a name.
   CloudWatch metric name: enter a name for the CloudWatch metric that AWS WAF Classic will create and associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with a maximum length of 128 and a minimum length of one. It can't contain white space or metric names reserved for AWS WAF Classic, including "All" and "Default_Action".
   Rule type: choose either Regular rule or Rate-based rule. Rate-based rules are identical to regular rules but also take into account how many requests arrive from an IP address in a five-minute period. For more information about these rule types, see How AWS WAF Classic works.
   Rate limit: for a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.
   You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, AWS WAF places the limit on all IP addresses. If you specify a rate limit and conditions, AWS WAF places the limit on IP addresses that match the conditions.
   When an IP address reaches the rate limit threshold, AWS WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, AWS WAF resets the counter to zero.
   Two checks before enabling a rate-based rule: first, measure the peak five-minute request count per client IP in the access logs and set the limit above what legitimate users generate, remembering that many users in one office share a single NAT address; start the rule with the Count action and review the sampled requests before switching it to Block. Second, if the load balancer sits behind CloudFront, associate the web ACL with the CloudFront distribution rather than the load balancer: a rule on the load balancer sees CloudFront's edge addresses as the client IP, so one limit would apply to all CloudFront traffic together.
5. To add a condition to the rule, specify the following values:
   When a request does/does not
   If you want AWS WAF Classic to allow or block requests based on the filters in a condition, choose does. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that come from those IP addresses, choose does.
   If you want AWS WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose does not.
   For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that do not come from those IP addresses, choose does not.
   match/originate from
   Choose the type of condition that you want to add to the rule:
   - Cross-site scripting match conditions: choose match at least one of the filters in the cross-site scripting match condition
   - IP match conditions: choose originate from an IP address in
   - Geo match conditions: choose originate from a geographic location in
   - Size constraint conditions: choose match at least one of the filters in the size constraint condition
   - SQL injection match conditions: choose match at least one of the filters in the SQL injection match condition
   - String match conditions: choose match at least one of the filters in the string match condition
   - Regular expression match conditions: choose match at least one of the filters in the regex match condition
6. condition name: choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.
7. To add another condition to the rule, choose Add another condition and repeat steps 5 and 6. Note the following:
   - If you add more than one condition, a web request must match at least one filter in every condition for AWS WAF Classic to allow or block requests based on that rule (filters within a condition are ORed, conditions within a rule are ANDed).
   - If you add two IP match conditions to the same rule, AWS WAF Classic will only allow or block requests that originate from IP addresses that appear in both IP match conditions.
8. When you're finished adding conditions, choose Create.

CloudFront

Content Security Policy

Caching

HTTP Headers

CloudWatch

Defacement

Route53

Creating Hosted Zone

To create a public hosted zone using the Route 53 console
1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
2. If you're new to Route 53, choose Get started under DNS management. If you're already using Route 53, choose Hosted zones in the navigation pane.
3. Choose Create hosted zone.
4. In the Create Hosted Zone pane, enter the name of the domain that you want to route traffic for. You can also optionally enter a comment. For information about how to specify characters other than a-z, 0-9 and - (hyphen), and how to specify internationalized domain names, see DNS domain name format.
5. For Type, accept the default value of Public Hosted Zone.
6. Choose Create.
7. Create records that specify how you want to route traffic for the domain and subdomains. For more information, see Working with records.
8. To use records in the new hosted zone to route traffic for your domain, see the applicable topic:
   - If you're making Route 53 the DNS service for a domain that is registered with another domain registrar, see Making Amazon Route 53 the DNS service for an existing domain.
   - If the domain is registered with Route 53, see Adding or changing name servers and glue records for a domain.
After creating the zone, note the four name servers in its NS record; these are the values to give the registrar or the parent zone. A hosted zone that is deleted and re-created is assigned a different set of name servers, so the delegation must be updated again, and a registrar or parent zone left pointing at the name servers of a deleted zone is a dangling delegation that a third party could claim. Remove or update the delegation before deleting a zone.

Adding, Modifying and Deleting Records

AWS Application Load Balancer

Setting Up Application Load Balancer For EC2 Workload

Introduction
In this set-up and configuration guide, we assume that you already have a web server running on one or more EC2 instances on AWS Cloud.

Requirement Checklist
- List of ports to be used (for example, web server ports 80 and 443)
- List of domain(s) to be used
- SSL certificate installation and configuration guide

Part I: Setting up Target Groups
1. Log in to the AWS Console.
2. Go to EC2 Services (change the region to where your workload is hosted if needed).
3. On the left panel of the EC2 console, scroll down and click Target Groups under Load Balancing.
4. Click Create target group in the upper right corner.
   Note: (screenshot of the target groups currently in place; not reproduced here)
5. Configure the target group (Step 1):
   a. Since we are targeting EC2 instances, Target type should be Instances.
   b. Enter a Target group name.
   c. For Protocol you can choose HTTP or HTTPS; in our case select HTTPS, port 443, since we want all traffic to be encrypted, including the hop from the load balancer to the instance, and to correspond with the listener we will create later in this guide.
   d. For IP address type leave the default, IPv4, unless your EC2 instance also uses IPv6, in which case you can set the target group IP address type to IPv6.
   e. For VPC select the VPC where your EC2 instance workload runs.
   f. For Health check protocol select HTTP or HTTPS depending on your web server configuration.
   g. For Health check path you can leave the default unless your web server has a dedicated health-check path.
   h. Click Next.
   i. Register targets: select the EC2 instance(s) you want to register with the target group, then click Include as pending below. You may also do this later and just click Create target group if the server you want to add doesn't exist yet.
   Important note: the load balancer health-checks each target by its private IP address, not by hostname, so three things must hold. The target's security group must allow inbound traffic from the load balancer's security group on both the traffic port and the health check port (by default they are the same); the web server's default (catch-all) virtual host must serve the health check path with a success code (200 by default), because the request carries the IP address rather than the site name in its Host header; and for an HTTPS target group the certificate on the instance need not match the name, since the load balancer does not validate target certificates. A target that fails its health check is marked unhealthy and receives no traffic even if the application is reachable from elsewhere.

Part II: Launching and Initial Configuration of the Application Load Balancer
1. Assuming you are still in the EC2 console:
2. On the left panel, scroll down and click Load Balancers under Load Balancing.
3. Click Create load balancer in the upper right corner.
4. Under Load balancer type, click Create under Application Load Balancer.
5. Configure the load balancer:
   a. Enter a Load balancer name.
   b. For Scheme choose Internet-facing, since traffic will come from the internet. Optionally you can choose Internal if you want to keep the load balancer off the internet and reach it only through CloudFront; both schemes are supported as CloudFront origins (an internal load balancer requires a CloudFront VPC origin).
   c. For Load balancer IP address type leave the default, IPv4, or choose Dualstack if you also want to include IPv6. The third option, Dualstack without public IPv4, is supported only by internet-facing load balancers.
   d. Under Network mapping, select the VPC that you use for your workload.
   e. Under Security groups, select the security group you will use for the load balancer. In the most common case it allows inbound ports 80 and 443 only. If CloudFront sits in front of the load balancer, restrict the source of those rules to the CloudFront managed prefix list (com.amazonaws.global.cloudfront.origin-facing) rather than 0.0.0.0/0, so that clients cannot bypass CloudFront and the WAF by connecting to the load balancer directly.
   f. For Listeners and routing, initially select the target group created in Part I; we will reconfigure this later in this documentation.
   g. For Optimize with service integrations you can optionally select AWS CloudFront + WAF, WAF or AWS Global Accelerator, but you can also configure these services later.
   h. Finally, click Create load balancer at the bottom.

Part III: Modifying the Load Balancer for Host-Based Routing
1. In the Load balancers console, select the load balancer you created in Part II.
2. Under the Listeners and rules tab, click Add listener.
3. Configure the listener based on your needs; for this documentation we assume we are adding port 443 as an additional listener.
   a. For Listener configuration select HTTPS as the protocol and 443 as the port. An HTTPS listener also needs a default certificate from AWS Certificate Manager (see Importing Certificate and Requesting New Certificate below) and a TLS security policy; pick a current policy that does not allow TLS 1.0 or 1.1.
   b. For Routing action select Return fixed response, since we are configuring host-based routing: any other domain that is pointed at this load balancer but has no listener rule will receive the fixed 503 response instead of reaching a target group.
   (Configuration screenshot not reproduced here.)
   c. Then click Add.
4. On the same page, under Listeners and rules, click the HTTPS:443 listener you just added.
5. Under the Rules tab, click Add rule.
6. Configure the host-based rules you want to add:
   a. Under Add rule, enter a name for the rule; you may also add tags if needed. After entering the name, click Next.
   b. Under Define rule conditions, click Add condition.
   c. Configure the condition:
      i. For Rule condition type select Host header from the dropdown and add the hostname that you will use for your application.
      ii. Click Confirm, then click Next.
   d. Under Define rule actions, make sure Forward to target groups is selected under Routing actions, then select the target group you will use for this application, then click Next.
      If you have multiple target groups for this host, click Add target group and add the other target groups you need; with multiple target groups you can also set the traffic weight per group.
   e. Set the rule priority. The default rule we modified earlier is evaluated last, after every numbered rule (lowest priority number first), which ensures that a request whose Host header matches none of the rules gets the 503 fixed response.
   f. Review and create. You will see that the host-based rule has been added to the HTTPS:443 listener rules.
   A Host header condition matches the whole hostname (the wildcards * and ? are allowed), so add a value for every name users will use, for example both the bare domain and its www form; a name that is not listed will get the 503 default even though DNS points it at the load balancer.
7. If you need to redirect traffic from HTTP to HTTPS, follow these steps:
   a. Go back to the Load balancers page and click the load balancer you want to modify.
   b. Under Listeners and rules, select HTTP:80.
   c. On HTTP:80, tick the checkbox of the default listener rule, then click the Actions dropdown and select Edit.
   d. In the default listener details, change the routing action to Redirect to URL, select URI parts, set the protocol to HTTPS and the port to 443 to redirect HTTP port 80 traffic to port 443. Keep the status code at 301 (permanent) so browsers remember the redirect; the host, path and query string are carried over unchanged.
   e. Save changes.
   With the redirect in place, also have the web server return a Strict-Transport-Security header on HTTPS responses, so returning browsers never issue the plaintext request in the first place.

CloudWatch

Enablement of Real-Time Logging S3 Bucket

AWS Certificate Manager

Importing Certificate
The following example shows how to import a certificate using the AWS Management Console.
1. Open the ACM console at https://console.aws.amazon.com/acm/home. If this is your first time using ACM, look for the AWS Certificate Manager heading and choose the Get started button under it.
2. Choose Import a certificate.
3. Do the following:
   a. For Certificate body, paste the PEM-encoded certificate to import. It should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
   b. For Certificate private key, paste the certificate's PEM-encoded, unencrypted private key. It should begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.
   c. (Optional) For Certificate chain, paste the PEM-encoded certificate chain, that is, the intermediate CA certificates between your certificate and the trusted root. Without it the load balancer presents an incomplete chain, which some clients reject.
4. (Optional) To add tags to your imported certificate, choose Tags. A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define. You can use tags to organize your resources or track your AWS costs.
5. Choose Import.
Handling notes: the private key is pasted unencrypted, so keep it out of shared drives, tickets and shell history, and delete the local copy once the import succeeds. Imported certificates are not renewed by ACM; track the expiry date and re-import before it lapses. Where the domain allows it, prefer Requesting New Certificate below: for an ACM-issued certificate the private key is generated inside ACM and never has to be handled, and ACM renews it automatically while it is in use.

Requesting New Certificate

Filing of Support Ticket

To create a support case
1. Sign in to the AWS Support Center Console.
   Tip: in the AWS Management Console you can also choose the question mark icon and then choose Support Center.
2. Choose Create case.
3. Choose one of the following options:
   - Account and billing
   - Technical
   - For service quota increases, choose Looking for service limit increases? and then follow the instructions for Creating a service quota increase.
4. Choose the Service, Category and Severity.
   Tip: you can use the recommended solutions that appear for commonly asked questions.
5. Choose Next step: Additional information.
6. On the Additional information page, for Subject, enter a title for your issue.
7. For Description, follow the prompts to describe your case, such as:
   - Error messages that you received
   - Troubleshooting steps that you followed
   - How you're accessing the service: AWS Management Console, AWS Command Line Interface (AWS CLI) or API operations
8. (Optional) Choose Attach files to add any relevant files to your case, such as error logs or screenshots. You can attach up to three files; each file can be up to 5 MB. Redact credentials, session tokens and personal data from logs and screenshots before attaching them.
9. Choose Next step: Solve now or contact us.
10. On the Contact us page, choose your preferred language.
11. Choose your preferred contact method:
   - Web: receive a reply in Support Center.
   - Chat: start a live chat with a support agent. If you can't connect to a chat, see Troubleshooting.
   - Phone: receive a phone call from a support agent. If you choose this option, enter the country or region, the phone number and, optionally, an extension.
12. (Optional) If you have a Business, Enterprise On-Ramp or Enterprise Support plan, the Additional contacts option appears. You can enter the email addresses of people to notify when the status of the case changes. If you're signed in as an IAM user, include your email address; if you're signed in with the root account email address and password, you don't need to include it. Day-to-day cases should be opened from an IAM identity, consistent with the access model under AWS Management above, and not from the root user.
13. Review your case details and then choose Submit. Your case ID number and summary appear.
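Added example for the rate-based rule step under Custom WAF Rules above (not part of this guide or of AWS): the "measure the peak five-minute request count per client IP before choosing a limit" check, written against the Application Load Balancer access-log record format (space-separated fields with the request and user agent in double quotes; the client IP is the fourth field). The log lines it analyses are constructed sample data with placeholder ARNs and IDs, not a real capture; the load balancer name, region and hostnames are assumptions. The sliding window mirrors what the rule measures: the highest number of requests one address sent within any five-minute span.

```python
"""Measure per-IP request peaks in ALB access logs to size a WAF rate-based rule.

Added example, not from the SC guide or AWS. Input is the ALB access-log
record format; the lines used here are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import shlex

WINDOW_SECONDS = 300   # a WAF rate-based rule counts requests per five-minute period
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_alb_record(line):
    """Return (timestamp, client_ip) for one ALB access-log line.

    shlex keeps quoted fields such as "GET https://... HTTP/1.1" together,
    which a plain str.split would break apart.
    """
    fields = shlex.split(line)
    ts = datetime.strptime(fields[1], TIME_FMT)
    client = fields[3].rsplit(":", 1)[0].strip("[]")   # drop the ephemeral port
    return ts, client


def peak_counts(lines, window=WINDOW_SECONDS):
    """Map client IP -> highest request count in any sliding window of `window` seconds."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip = parse_alb_record(line)
            stamps_by_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # advance the window start until it spans at most `window` seconds
            while (ts - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def would_be_rate_limited(peaks, limit):
    """IPs whose five-minute peak exceeds `limit`, i.e. the ones the rule would act on."""
    return sorted(ip for ip, count in peaks.items() if count > limit)


def _record(ts, ip):
    """Constructed ALB access-log line (sample data; ARNs and IDs are placeholders)."""
    t = ts.strftime(TIME_FMT)
    return (
        f'https {t} app/sc-alb/50dc6c495c0c9188 {ip}:54321 10.0.1.25:443 '
        f'0.000 0.002 0.000 200 200 120 540 "GET https://www.example.gov.ph:443/ HTTP/1.1" '
        f'"Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
        f'arn:aws:elasticloadbalancing:ap-southeast-1:123456789012:targetgroup/web/0123456789abcdef '
        f'"Root=1-663200a0-0123456789abcdef01234567" "www.example.gov.ph" '
        f'"arn:aws:acm:ap-southeast-1:123456789012:certificate/00000000-0000-0000-0000-000000000000" '
        f'1 {t} "forward" "-" "-" "10.0.1.25:443" "200" "-" "-"'
    )


BASE = datetime(2024, 5, 1, 10, 0, 0)


def sample_log():
    """Three clients: a normal browser, a scraper burst and a steady poller (constructed)."""
    lines = [_record(BASE + timedelta(seconds=s), "203.0.113.10") for s in range(0, 300, 60)]
    lines += [_record(BASE + timedelta(seconds=600 + s), "198.51.100.7") for s in range(120)]
    lines += [_record(BASE + timedelta(seconds=12 * i), "192.0.2.44") for i in range(100)]
    return lines


if __name__ == "__main__":
    peaks = peak_counts(sample_log())
    for ip, count in sorted(peaks.items()):
        print(f"{ip:15} peak {count:4d} requests in 5 min")
    print("over a limit of 100:", would_be_rate_limited(peaks, 100))
```

Run it over real logs by replacing sample_log() with the decompressed lines from the load balancer's access-log bucket; the steady poller shows why the peak, not the total, is the number to compare with the limit, since 100 requests spread over twenty minutes never exceed 26 in any five-minute window.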

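Added example for the target-group health-check note and the load-balancer security-group step in the Application Load Balancer section above (not part of this guide or of AWS): a least-privilege check on the target instance's security group. The rule dictionaries follow the IpPermissions shape returned by aws ec2 describe-security-groups; the group IDs, account number and rules below are constructed sample data, not real resources. It answers the two questions a reviewer asks before trusting the load balancer, WAF and CloudFront as the only path to the web server: does the target group admit the load balancer's security group on the traffic port and on the health-check port, and is either port also open to 0.0.0.0/0 or ::/0, which would let clients bypass the whole front end.

```python
"""Audit a target security group behind an Application Load Balancer.

Added example, not from the SC guide or AWS. Rules use the IpPermissions
shape of `aws ec2 describe-security-groups`; the data below is constructed.
"""

INTERNET = {"0.0.0.0/0", "::/0"}


def _covers_port(perm, port):
    """True if an inbound permission applies to TCP `port` (or to all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_to_internet(perms, port):
    """True if any inbound rule admits 0.0.0.0/0 or ::/0 on `port`."""
    for perm in perms:
        if not _covers_port(perm, port):
            continue
        cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
        cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
        if cidrs & INTERNET:
            return True
    return False


def allowed_from_group(perms, port, source_sg):
    """True if any inbound rule on `port` names `source_sg` as its source."""
    return any(
        _covers_port(perm, port)
        and any(pair.get("GroupId") == source_sg for pair in perm.get("UserIdGroupPairs", []))
        for perm in perms
    )


def audit_target_sg(perms, alb_sg, traffic_port, health_port=None):
    """Findings for a target SG: can the ALB reach it, and can the internet bypass the ALB?

    The ALB connects from its own network interfaces, so a rule that references the
    ALB's security group is the precise allow. A 0.0.0.0/0 rule also lets the ALB in,
    but lets every other host in as well, which defeats the WAF and CloudFront.
    """
    health_port = traffic_port if health_port is None else health_port
    return {
        "alb_can_send_traffic": allowed_from_group(perms, traffic_port, alb_sg)
        or open_to_internet(perms, traffic_port),
        "alb_can_health_check": allowed_from_group(perms, health_port, alb_sg)
        or open_to_internet(perms, health_port),
        "bypasses_alb": open_to_internet(perms, traffic_port)
        or open_to_internet(perms, health_port),
    }


def is_least_privilege(findings):
    """The target is reachable, and only through the load balancer."""
    return (findings["alb_can_send_traffic"]
            and findings["alb_can_health_check"]
            and not findings["bypasses_alb"])


# Constructed sample: placeholder security-group IDs and account number.
ALB_SG = "sg-0a1b2c3d4e5f60001"
OPEN_TARGET_RULES = [  # the common mistake: web port open to the whole internet
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]
LOCKED_TARGET_RULES = [  # only the load balancer's security group may connect
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": ALB_SG, "UserId": "123456789012"}]},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,   # dedicated health-check port
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": ALB_SG, "UserId": "123456789012"}]},
]

if __name__ == "__main__":
    for name, rules, hc in (("open", OPEN_TARGET_RULES, None), ("locked", LOCKED_TARGET_RULES, 8080)):
        findings = audit_target_sg(rules, ALB_SG, 443, health_port=hc)
        print(name, findings, "OK" if is_least_privilege(findings) else "FIX")
```

To check a real target, feed the output of aws ec2 describe-security-groups --group-ids <target-sg> --query 'SecurityGroups[0].IpPermissions' to audit_target_sg together with the load balancer's security-group ID and the target group's port and health-check port. A result with alb_can_health_check false is the case the guide's Important note warns about: the instance will be marked unhealthy even though the application itself is up.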