Install on AWS using CloudFormation
This tutorial uses CloudFormation to perform a clustered installation of the Curity Identity Server on AWS EC2 virtual machines. A CloudFormation template is provided in the GitHub repository, which also enables integration with various other AWS services. The following video shows how to get up and running quickly.
AWS Resources
The CloudFormation template creates several AWS resources, namely:
- An EC2 instance for the admin node
- A launch configuration for the runtime node(s)
- An Application Load Balancer (ALB)
- IAM roles and profiles which will be attached to the nodes
- Security groups for both node types and the ALB
- An S3 bucket where the cluster configuration will be stored
- Log groups, if logging to CloudWatch is enabled
- Scaling policies and alarms, used for autoscaling
Parameters the template expects, related to these resources, are explained later in this tutorial.
Preparation
The CloudFormation template has three parameters that require some preparation:
- KeyName (required)
- CertificateArn (optional)
- EFSDNS (optional)
The KeyName is a reference to the SSH key pair that will be installed on both node types, so that you have SSH access to the instances. To create one, navigate to EC2 -> Key Pairs in the AWS Console and create a key pair.
CertificateArn is the ARN of a certificate that is verified by AWS. You can import or generate one in the Certificate Manager in the AWS Console.
EFSDNS is the DNS name of the EFS storage that can be used to store template and message overrides, as well as plugins that you want installed in your cluster.
Import the Template
In the AWS console, navigate to CloudFormation and create a new stack. Then upload the template file and click Next. In the Specify Stack Details step, you are required to enter a stack name and select or fill in the parameters available for the template configuration.
Understand Parameters
The parameters are divided into five sections:
1. Node Configuration
In this section you can select which EC2 instance type the nodes will use, as well as how many runtime nodes will be created in your cluster. Also select the SSH key that will be installed on the instances.
You can select a different instance type for admin and runtime nodes with the parameters AdminInstanceType and RuntimeInstanceType respectively. Since the clustering mode used here is Standalone Admin Setup, the AdminInstanceType can be a less powerful instance than the RuntimeInstanceType.
The parameters RuntimeMinNodeCount and RuntimeMaxNodeCount are relevant to the runtime nodes (auto-scaling group) and define the minimum and maximum size of the AutoScalingGroup respectively.
Finally, the KeyName is a reference to the SSH key that you should have already created during preparation (it should appear in the dropdown).
2. Networking
Here you can select which Virtual Private Cloud will be used (VpcId), as well as the Subnets that the instances will live on. You must select at least two subnets.
There are two configurable IP ranges, the TrustedIpRange and the LoadBalancerIpRange. The former is the range of IPs that are allowed to access the admin node of the Curity Identity Server and to have SSH access to the instances. The latter is the IP range that will be allowed to access the runtime nodes of the Curity Identity Server through the ALB.
3. AWS Services
In the AWS Services section you can (optionally) configure a CertificateArn. If it is set, the ALB will listen for HTTPS traffic (port 443). Otherwise the ALB will listen on HTTP (port 80). Also, if the certificate is configured, the admin node will be reachable through the ALB as well on port 6749, but only from the TrustedIpRange configured previously.
EFSDNS is also an optional parameter: the DNS name of the EFS storage that can be used to store files, such as login customizations or plugins. This enables these resources to be shared across all runtime nodes. You can find further instructions on EFS configuration in the README of the GitHub repository.
When CloudWatchNamespace is configured, the metrics of the Curity Identity Server will be pushed to CloudWatch. The setting MetricsScrapeInterval is only relevant when CloudWatchNamespace is configured and is the interval at which metrics are scraped. Finally, when EnableCloudWatchLogs is enabled, all the relevant log files of the Curity Identity Server will be monitored and pushed to CloudWatch Logs.
4. Auto Scaling
The Auto Scaling in this setup is done by utilizing metrics of the ALB. In this section you set the thresholds which, when exceeded, instruct the Auto Scaling group to scale up or down.
MaxRequestsPerRuntimeNode is the maximum threshold of concurrent requests (connections) per runtime node. MinRequestsPerRuntimeNode is the minimum threshold of concurrent requests (connections) per runtime node. When the load per node rises above the maximum threshold the cluster scales up, and when it falls below the minimum threshold the cluster scales down.
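To make the interplay of the four scaling parameters concrete, here is an added Python simulation written for this page; it is not part of the CloudFormation template or the Curity repository. The one-node-per-decision step, the band between the two thresholds in which nothing happens, and the sample connection counts are assumptions for illustration; the real stack reacts through CloudWatch alarms on ALB metrics whose exact settings are defined in the template.

```python
# Simulation of the Auto Scaling thresholds described above (example code,
# not the template's logic). The ALB connection samples are constructed.


def per_node_load(active_connections, node_count):
    """Concurrent connections each runtime node is handling (0.0 if no nodes)."""
    if node_count <= 0:
        return 0.0
    return active_connections / node_count


def next_node_count(active_connections, node_count, *, min_nodes, max_nodes,
                    min_requests, max_requests):
    """One scaling decision.

    Above MaxRequestsPerRuntimeNode: grow by one node.
    Below MinRequestsPerRuntimeNode: shrink by one node.
    In between: stay put (this gap is what prevents flapping).
    The result never leaves [RuntimeMinNodeCount, RuntimeMaxNodeCount].
    """
    if min_nodes > max_nodes or min_requests >= max_requests:
        raise ValueError("inconsistent scaling parameters")
    # Clamp the starting point into the ASG bounds first.
    node_count = min(max(node_count, min_nodes), max_nodes)
    load = per_node_load(active_connections, node_count)
    if load > max_requests:
        return min(node_count + 1, max_nodes)
    if load < min_requests:
        return max(node_count - 1, min_nodes)
    return node_count


def simulate(samples, start_nodes, **limits):
    """Feed a series of total ALB connection counts through the decision and
    return the runtime node count after each sample."""
    history = []
    nodes = start_nodes
    for total in samples:
        nodes = next_node_count(total, nodes, **limits)
        history.append(nodes)
    return history


if __name__ == "__main__":
    # Constructed scenario: traffic ramps up, stays high, then drops away.
    limits = dict(min_nodes=2, max_nodes=4, min_requests=50, max_requests=200)
    samples = [300, 500, 900, 900, 900, 100, 100, 100, 10]
    for total, nodes in zip(samples, simulate(samples, 2, **limits)):
        print(f"{total:4d} connections -> {nodes} runtime node(s)")
```

Note that once the group sits at RuntimeMaxNodeCount, further overload does nothing: the cap is a cost and blast-radius limit, so set it to what the VPC and the downstream systems can actually absorb.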
5. Curity Configuration
In the final section of the parameters you can find some configuration options that are directly related to the Curity Identity Server. First, there is the AdminUserPassword, used as the default login to the admin UI. You can also optionally configure a ConfigEncryptionKey, whose usage is described in the configuration guide. Lastly, you can configure other runtime properties, including the RuntimePort.
Create a CloudFormation Stack
Now that the parameters have been explained, you can start by configuring only the required ones:
- Select the KeyName that appears in the dropdown, which you created during the preparation
- Select one VpcId (if there are many options in your region)
- Select at least two of the available Subnets
- Configure a CloudWatchNamespace, e.g. curity-demo
- Enable CloudWatchLogs
- Set an AdminUserPassword
Click Next and go through the Stack Options step, which is a standard step when creating a CloudFormation stack. No changes are necessary, so click Next again, after which there is a Review step. Before clicking on Create Stack, you will have to acknowledge that AWS CloudFormation creates IAM resources. When this is done, you will be able to create your stack. After a couple of minutes, you should see that all the resources have been created and the stack status is CREATE_COMPLETE. On the stack page, you can navigate to the Outputs tab, where you will find the URL for the Curity admin UI.
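The same parameters can be supplied from a JSON file when the stack is created with the AWS CLI instead of the console (`aws cloudformation create-stack --parameters file://params.json`). The Python script below is an added example for this page, not part of the tutorial or the Curity repository: it checks a parameter set against the constraints stated on this page (at least two subnets, ordered node counts and request thresholds, a TrustedIpRange that is not open to the whole internet since that range grants admin UI and SSH access, and a warning when no CertificateArn is set because the ALB then listens on plain HTTP) before shaping it into the ParameterKey/ParameterValue list the CLI expects. Every value in SAMPLE_PARAMS is a constructed placeholder; the parameter names are the template's own, while the value format assumed for EnableCloudWatchLogs ("true") is an assumption.

```python
import ipaddress
import json

# Constructed sample input. Parameter names are the template's own; every value is a
# placeholder for this example, not a real AWS identifier. 203.0.113.0/24 is a
# documentation-only range (TEST-NET-3). "true" for EnableCloudWatchLogs is assumed.
SAMPLE_PARAMS = {
    "KeyName": "curity-demo-key",
    "VpcId": "vpc-PLACEHOLDER",
    "Subnets": "subnet-PLACEHOLDER-a,subnet-PLACEHOLDER-b",
    "TrustedIpRange": "203.0.113.0/24",
    "LoadBalancerIpRange": "0.0.0.0/0",
    "CertificateArn": "",
    "CloudWatchNamespace": "curity-demo",
    "EnableCloudWatchLogs": "true",
    "RuntimeMinNodeCount": "2",
    "RuntimeMaxNodeCount": "4",
    "MinRequestsPerRuntimeNode": "50",
    "MaxRequestsPerRuntimeNode": "200",
    "AdminUserPassword": "REPLACE-ME-before-use",
}

REQUIRED = ("KeyName", "VpcId", "Subnets", "AdminUserPassword")


def _parse_cidr(key, value, errors):
    """Parse a CIDR parameter; record an error and return None if it is malformed."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        errors.append(f"{key}: '{value}' is not a valid CIDR range")
        return None


def validate_params(params):
    """Check a parameter set before it is handed to CloudFormation.

    Returns (errors, warnings): errors would produce a broken or exposed stack,
    warnings flag settings that are allowed but worth a second look.
    """
    errors, warnings = [], []

    for key in REQUIRED:
        if not params.get(key):
            errors.append(f"{key} is required")

    # The tutorial requires at least two subnets for the instances and the ALB.
    subnets = [s.strip() for s in params.get("Subnets", "").split(",") if s.strip()]
    if len(subnets) < 2:
        errors.append("Subnets: select at least two subnets")

    # TrustedIpRange gates the admin node and SSH to every instance; a prefix
    # length of 0 (0.0.0.0/0 or ::/0) would open both to the whole internet.
    if "TrustedIpRange" in params:
        trusted = _parse_cidr("TrustedIpRange", params["TrustedIpRange"], errors)
        if trusted is not None and trusted.prefixlen == 0:
            errors.append("TrustedIpRange: must not be open to everyone; it grants admin UI and SSH access")

    # LoadBalancerIpRange is the public entry point, so a wide range is normal here.
    if "LoadBalancerIpRange" in params:
        _parse_cidr("LoadBalancerIpRange", params["LoadBalancerIpRange"], errors)

    # Without a certificate the ALB serves plain HTTP on port 80.
    if not params.get("CertificateArn"):
        warnings.append("CertificateArn not set: the ALB will listen on HTTP (port 80), not HTTPS")

    # ASG bounds and scaling thresholds must be integers and correctly ordered.
    try:
        min_nodes = int(params.get("RuntimeMinNodeCount", 1))
        max_nodes = int(params.get("RuntimeMaxNodeCount", 1))
        min_req = int(params.get("MinRequestsPerRuntimeNode", 0))
        max_req = int(params.get("MaxRequestsPerRuntimeNode", 1))
    except ValueError:
        errors.append("node counts and request thresholds must be integers")
    else:
        if min_nodes > max_nodes:
            errors.append("RuntimeMinNodeCount must not exceed RuntimeMaxNodeCount")
        if min_req >= max_req:
            errors.append("MinRequestsPerRuntimeNode must be below MaxRequestsPerRuntimeNode")

    return errors, warnings


def to_cli_parameters(params):
    """Shape the dict into the list that `--parameters file://params.json` expects.
    Empty values are dropped so the template's own defaults apply."""
    return [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items() if v != ""]


def write_parameter_file(params, path):
    """Validate, then write the JSON parameter file; refuse to write if there are errors."""
    errors, warnings = validate_params(params)
    if errors:
        raise ValueError("; ".join(errors))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_cli_parameters(params), fh, indent=2)
    return warnings


if __name__ == "__main__":
    errs, warns = validate_params(SAMPLE_PARAMS)
    print("errors:", errs)
    print("warnings:", warns)
    print(json.dumps(to_cli_parameters(SAMPLE_PARAMS), indent=2))
```

The check on TrustedIpRange is the one worth keeping even if you drop the rest: the console will happily accept 0.0.0.0/0 there, and that single value publishes the admin UI and SSH on every instance to the internet.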
Summary
This tutorial showed how to quickly create a clustered installation of the Curity Identity Server, using the CloudFormation template. The stack created included one admin node and two runtime nodes. The CloudFormation template took care of the cluster configuration and created a cluster encryption key used for securing the communication between the admin and runtime nodes.
Next Steps
Now the Curity Identity Server is up and running but without any configuration. The next step is to set up the basic profiles and services. Move on to the First Configuration Tutorial.