Install on AWS using CloudFormation

This tutorial uses CloudFormation to perform a clustered installation of the Curity Identity Server on AWS EC2 virtual machines. A CloudFormation template is provided in the GitHub repository, which also enables integration with various other AWS services. The following video shows how to get up and running quickly.

AWS Resources

The CloudFormation template creates several AWS resources, namely:

• An EC2 instance for the admin node
• A launch configuration for the runtime node(s)
• An Application Load Balancer (ALB)
• IAM roles and profiles which will be attached to the nodes
• Security groups for both node types and the ALB
• An S3 bucket where the cluster configuration will be stored
• Log groups, if logging into CloudWatch is enabled
• Scaling policies and alarms, used for autoscaling

Parameters the template expects, related to these resources, are explained later in this tutorial.

Preparation

The CloudFormation template has three parameters that require some preparation.

1. KeyName (required)
2. CertificateArn (optional)
3. EFSDNS (optional)

The KeyName is a reference to the SSH key that will be installed in both node types, so that you have SSH access. To create one, navigate under EC2 -> Key Pairs and create a key pair.

CertificateArn is the arn of a certificate that is verified by AWS. You can import or generate one in the Certificate Manager in the AWS Console.

EFSDNS is the DNS name of the EFS storage which can be used to store template and message overrides, as well as plugins that you want installed in your cluster.

Import the Template

In the AWS console, navigate under CloudFormation and create a new stack. Then upload the template file and click next. In the Specify Stack Details step, you are required to enter a stack name and select/fill the parameters available for the template configuration.

Understand Parameters

The parameters are divided into five sections:

1. Node Configuration

In this section you can select what EC2 instance type the nodes will use, as well as how many runtime nodes will be created in your cluster. Also select the SSH key which will be installed in the instances. You can select a different instance type for admin and runtime nodes with the parameters AdminInstanceType and RuntimeInstanceType respectively. Since the clustering mode used here is Standalone Admin Setup, the AdminInstanceType can be a less powerful instance than the RuntimeInstanceType. The parameters RuntimeMinNodeCount, RuntimeMaxNodeCount are relevant to the runtime nodes (auto-scaling group) and define the minimum and maximum size of the AutoScalingGroup respectively. Finally the KeyName is a reference of the SSH key that you should have already created during preparation (it should appear in the dropdown).

2. Networking

Here you can select which Virtual Private Cloud will be used (VpcId), as well as the Subnets that the instances will live on. You must select at least two subnets.

There are two configurable IP ranges, the TrustedIpRange and LoadBalancerIpRange. The former is the range of IPs that are allowed to access the admin node of the Curity Identity Server and have SSH access to the instances. The latter is the IP range that will be allowed to access the runtime nodes of the Curity Identity Server through the ALB.

3. AWS Services

In the AWS Services section you can (optionally) configure a CertificateArn. If that is set, the ALB will listen on HTTPS traffic (port 443). Otherwise the ALB will listen on HTTP (port 80). Also, if the certificate is configured, the admin node will be reachable through the ALB as well on port 6749, but only from the TrustedIpRange configured previously.

EFSDNS is also an optional parameter of the EFS Storage that can be used to store files, such as login customizations or plugins. This enables these resources to be shared across all runtime nodes. You can find further instructions on EFS configuration in the README of the GitHub repository.

When CloudWatchNamespace is configured, the metrics of the Curity Identity Server will be pushed to CloudWatch. The setting MetricsScrapeInterval is only relevant when CloudWatchNamespace is configured and it is the interval of the metrics scraping. Finally, when EnableCloudWatchLogs is enabled, all the relevant log files of the Curity Identity Server will be monitored and pushed to CloudWatch logs.

4. Auto Scaling

The Auto Scaling in this setup is done by utilizing metrics of the ALB. In this section you set the thresholds which, when exceeded, instruct the Auto Scaling group to scale up or down. MaxRequestsPerRuntimeNode is the maximum threshold of concurrent requests (connections) per runtime node. MinRequestsPerRuntimeNode is the minimum threshold of concurrent requests (connections) per runtime node. Exceeding these limits will scale up or down the cluster.

5. Curity Configuration

In the final section of the parameters you can find some configuration options that are directly related to the Curity Identity Server. First, there is the AdminUserPassword, used as the default login to the admin UI. You can also optionally configure a ConfigEncryptionKey, whose usage is described in the configuration guide. Lastly, you can configure other runtime properties, including the RuntimePort.

Create a CloudFormation Stack

Now that the parameters have been explained, you can start with configuring only the required ones:

1. Select the KeyName that appears in the dropdown, which you have created during the preparation
2. Select one (if there are many options in your region) VpcId
3. Select at least two of the available Subnets
4. Configure a CloudWatchNamespace, e.g. curity-demo
5. Enable the CloudWatchLogs
6. Set an AdminUserPassword

Click Next and go through the Stack Options step, which is a standard step when creating a CloudFormation stack. No changes are necessary, so click Next again, after which there is a Review step. Before clicking on Create Stack, you will have to acknowledge that AWS CloudFormation creates IAM resources. When this is done, you will be able to create your stack. After a couple of minutes, you should see that all the resources and the stack status is CREATE_COMPLETE. In the stack page, you can navigate to the Outputs tab where you will find the URL for the Curity admin UI.

Summary

This tutorial showed how to quickly create a clustered installation of the Curity Identity Server, using the CloudFormation template. The stack created included one admin node and two runtime nodes. The CloudFormation template took care of the cluster configuration and created a cluster encryption key used for securing the communication between the admin and runtime nodes.

Next Steps

Now the Curity Identity Server is up and running but without any configuration. The next step is to set up the basic profiles and services. Move on to the First Configuration Tutorial.