Skip to main content

BluBracket VPC Deployment using AWS CloudFormation

Maurice Evans
  • Updated

The following document outlines the requirements for a self-hosted AWS install of the BluBracket Enterprise Server.

The deployment will be done via Amazon Web Services CloudFormation template. BluBracket Support team will provide:

  • The template URL

  • Docker token

List of resources required:

BluBracket customer will need to ensure that following requirements are met during and post deployment phase:

  • A user account with role that has permissions to:

    • Assign tags to subnets

    • Create roles. Note that BluBracket supports attaching permission boundaries. The ARN for desired permission boundary can be supplied via CloudFormation wizard.

    • Register CloudFormation resource types 

  • Certificate for the desired subject name must be imported beforehand in Amazon Certificate Manager. Info link #1 Info link #2

  • Minimum subnets

    • 1 VPC with 2 private and 2 public subnets split between 2 AZs

    • Available IPs per subnet - 64

  • Recommended subnets

    • 1 VPC with 3 private and 3 public subnets split between 3 AZs

    • Available IPs per subnet - 128

  • Selected subnets must have outbound internet access to reach  index.docker.io on TCP 443.

  • Selected subnet must have outbound access to AWS S3

Once the CloudFormation template is deployed, following primary resources will be created:

  • 1 Load balancer (type = application)

  • 1 EKS Cluster with 3 t3.2xlarge EC2 instances

  • 1 m5.large RDS instance

  • 1 t2.micro EC2 instance

Refer to BluBracket CloudFormation Resources BOM for the detailed list of all resources and related attributes.

Network Requirements


BluBracket Architecture Diagram

  • The BluBracket Enterprise Server should have the following ports and URL’s whitelisted

    • Inbound

      • TCP 443 from <github enterprise server URL> ingress via load balancer

      • TCP 22 (SSH) from <desired subnets> ingress via VPC routes

      • TCP 80/443 (BluBracket) from <desired subnets> via VPC routes

    • Outbound

      • TCP 443 to  index.docker.io from private subnets chosen during deployment

      • TCP 443 to <github enterprise server URL> from private and public subnets chosen during deployment

  • The GitHub Enterprise Server should have the following ports open

    • Inbound

      • TCP 443 from <blubracket enterprise server URL>

    • Outbound

      • TCP 443 to <blubracket enterprise server URL>

IAM Requirements

BluBracket CloudFormation template uses few lambda functions that rely on Security Token Service (aka STS). For this, lambda function will use regional endpoints to ensure reduced latency.

Please make sure to verify that region in which BluBracket deployment is desired have STS endpoints activated. This can be verified/configured by navigating to IAM settings in the desired AWS account.

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk