The following document outlines the requirements for a self-hosted AWS install of the BluBracket Enterprise Server.
The deployment is performed with an Amazon Web Services CloudFormation template. The BluBracket Support team will provide:
The template URL
Docker token
The list of resources required
The BluBracket customer must ensure that the following requirements are met during and after the deployment phase:
A user account with a role that has permissions to:
Assign tags to subnets
Create roles. Note that BluBracket supports attaching permission boundaries; the ARN of the desired permission boundary can be supplied through the CloudFormation wizard.
Register CloudFormation resource types
The TLS certificate for the desired subject name must be imported into Amazon Certificate Manager (ACM) before deployment.
Minimum subnets
1 VPC with 2 private and 2 public subnets split between 2 AZs
At least 64 available IPs per subnet
Recommended subnets
1 VPC with 3 private and 3 public subnets split between 3 AZs
At least 128 available IPs per subnet
Selected subnets must have outbound internet access to reach index.docker.io on TCP 443.
Selected subnets must have outbound access to AWS S3.
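A pre-deployment check for the subnet requirements above, written here as an added example (it is not BluBracket's own tooling). The one caveat it encodes is that AWS reserves five addresses in every subnet (the first four and the last), so a /26 yields only 59 usable addresses and does not meet the 64-IP minimum; a /25 is the smallest subnet that does. The subnet records are constructed and mirror what the EC2 API reports, with `in_use` standing in for addresses already allocated.

```python
import ipaddress
from collections import defaultdict

# AWS reserves the first four and the last address of every VPC subnet.
AWS_RESERVED_PER_SUBNET = 5

# Profiles taken from the requirements above: one private and one public subnet per AZ.
MINIMUM = {"azs": 2, "private_per_az": 1, "public_per_az": 1, "available_ips": 64}
RECOMMENDED = {"azs": 3, "private_per_az": 1, "public_per_az": 1, "available_ips": 128}


def usable_ips(cidr):
    """Addresses a subnet can actually hand out after AWS's reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def check_subnets(subnets, profile):
    """Return a list of problems; an empty list means the layout satisfies the profile."""
    problems = []
    by_az = defaultdict(lambda: {"private": 0, "public": 0})
    for s in subnets:
        available = usable_ips(s["cidr"]) - s.get("in_use", 0)
        if available < profile["available_ips"]:
            problems.append(
                f"{s['id']} ({s['cidr']}) has {available} available IPs, "
                f"needs {profile['available_ips']}"
            )
        by_az[s["az"]][s["kind"]] += 1
    if len(by_az) < profile["azs"]:
        problems.append(f"subnets span {len(by_az)} AZs, need {profile['azs']}")
    for az, counts in sorted(by_az.items()):
        for kind in ("private", "public"):
            need = profile[f"{kind}_per_az"]
            if counts[kind] < need:
                problems.append(f"{az} has {counts[kind]} {kind} subnet(s), need {need}")
    return problems


# Constructed sample layout: two AZs, with one public subnet sized as a /26.
SAMPLE_SUBNETS = [
    {"id": "subnet-priv-a", "az": "us-east-1a", "kind": "private", "cidr": "10.0.0.0/24", "in_use": 10},
    {"id": "subnet-pub-a", "az": "us-east-1a", "kind": "public", "cidr": "10.0.1.0/26", "in_use": 0},
    {"id": "subnet-priv-b", "az": "us-east-1b", "kind": "private", "cidr": "10.0.2.0/24", "in_use": 0},
    {"id": "subnet-pub-b", "az": "us-east-1b", "kind": "public", "cidr": "10.0.3.0/25", "in_use": 0},
]

if __name__ == "__main__":
    for name, profile in (("minimum", MINIMUM), ("recommended", RECOMMENDED)):
        print(f"{name}:", check_subnets(SAMPLE_SUBNETS, profile) or "ok")
```

Run against the sample, the minimum profile reports only the undersized /26 public subnet, while the recommended profile additionally flags the /25 (123 usable addresses is below 128) and the missing third AZ.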
Once the CloudFormation template is deployed, the following primary resources will be created:
1 Load balancer (type = application)
1 EKS Cluster with 3 t3.2xlarge EC2 instances
1 m5.large RDS instance
1 t2.micro EC2 instance
Refer to BluBracket CloudFormation Resources BOM for the detailed list of all resources and related attributes.
Network Requirements
BluBracket Architecture Diagram
The BluBracket Enterprise Server should have the following ports and URLs whitelisted:
Inbound
TCP 443 from <github enterprise server URL> ingress via load balancer
TCP 22 (SSH) from <desired subnets> ingress via VPC routes
TCP 80/443 (BluBracket) from <desired subnets> via VPC routes
Outbound
TCP 443 to index.docker.io from private subnets chosen during deployment
TCP 443 to <github enterprise server URL> from private and public subnets chosen during deployment
The GitHub Enterprise Server should have the following ports open:
Inbound
TCP 443 from <blubracket enterprise server URL>
Outbound
TCP 443 to <blubracket enterprise server URL>
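An audit of a security group's rules against the BluBracket-side flows listed above, added here as an example rather than anything from BluBracket's template. It checks that every required flow is covered by some rule and flags inbound rules open to 0.0.0.0/0, which is broader than any source the page names. The `<github enterprise server URL>` and `<desired subnets>` placeholders are replaced by constructed CIDRs, and the rule records are constructed in the shape of security group rules. The outbound flow to index.docker.io is a hostname, which a security group cannot express as a CIDR, so it is outside this check.

```python
import ipaddress

# Constructed stand-ins for the page's placeholders.
GHES_CIDR = "203.0.113.10/32"                    # <github enterprise server URL>, TEST-NET-3 address
ADMIN_SUBNETS = ["10.0.0.0/24", "10.0.2.0/24"]   # <desired subnets>

# Flows the page requires on the BluBracket side, as (direction, port, remote CIDR).
REQUIRED_FLOWS = (
    [("in", 443, GHES_CIDR)]                                   # GHES -> load balancer
    + [("in", p, c) for c in ADMIN_SUBNETS for p in (22, 80, 443)]  # SSH and BluBracket UI
    + [("out", 443, GHES_CIDR)]                                # BluBracket -> GHES
)


def rule_covers(rule, direction, port, cidr):
    """True if a single TCP rule permits the given flow."""
    return (
        rule["direction"] == direction
        and rule["proto"] == "tcp"
        and rule["from_port"] <= port <= rule["to_port"]
        and ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(rule["cidr"]))
    )


def audit(rules):
    """Return (missing_flows, over_broad_rules) for a list of security group rules."""
    missing = [f for f in REQUIRED_FLOWS if not any(rule_covers(r, *f) for r in rules)]
    # Any inbound rule from 0.0.0.0/0 exceeds the sources the requirements name.
    over_broad = [
        r for r in rules
        if r["direction"] == "in" and ipaddress.ip_network(r["cidr"]).prefixlen == 0
    ]
    return missing, over_broad


# Constructed sample: SSH is reachable from anywhere, which the audit should flag.
SAMPLE_RULES = [
    {"direction": "in", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": GHES_CIDR},
    {"direction": "in", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"direction": "in", "proto": "tcp", "from_port": 80, "to_port": 443, "cidr": "10.0.0.0/16"},
    {"direction": "out", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    missing, over_broad = audit(SAMPLE_RULES)
    print("missing flows:", missing or "none")
    print("over-broad inbound rules:", over_broad or "none")
```

With the sample rule set nothing is missing, but the SSH rule is reported as over-broad; dropping that rule instead leaves the two required SSH flows from the admin subnets uncovered, which the audit then lists.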
IAM Requirements
The BluBracket CloudFormation template uses a few Lambda functions that rely on the AWS Security Token Service (STS). These functions call STS through regional endpoints to reduce latency.
Verify that the STS endpoint is activated for the region in which BluBracket will be deployed; otherwise the Lambda functions' STS calls in that region will fail. This can be checked and configured in the IAM account settings of the target AWS account.