
Upload: vuthuy

Post on 31-Mar-2018


Deploying the Control Plane Solution

This chapter describes how to deploy the cDVR control plane components.

• cDVR Orchestration Platform

• Control Plane Deployment

• Requirements

• Deploying the cDVR Control Plane Solution

• Required AWS Identity and Access Management Orchestration Policies

cDVR Orchestration Platform

The cDVR solution provides an orchestration platform to deploy the application control plane, health and monitoring infrastructure, and analytics platform for the solution. The orchestration platform provides a deployment engine on Amazon Web Services (AWS) and allows customers to deploy Cisco applications using a released ISO in a customer-operated AWS account.

This document is intended for operators who manage AWS accounts, and operators who have a basic understanding of AWS technologies. The diagram below displays the orchestration platform deployment paradigm.

Cisco Cloud DVR Deployer Release 9.6 User Guide

The following is a list of key AWS technologies used in the cDVR orchestration, and links to more information:

• Elastic Compute Cloud (EC2) - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

• Virtual Private Cloud (VPC) - http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

• Elastic IP (EIP) - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

• Elastic File System (EFS) - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEFS.html

• Simple Storage Service (S3) - http://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html

• Route 53 - http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html

• Elastic Load Balancing (ELB) - https://aws.amazon.com/documentation/elastic-load-balancing/

• AWS VPN - http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html

Control Plane Deployment

The following is a list of components and instances installed when you deploy the full control plane solution:

• Control Plane Deployer - PPS, UPM, AuthZ, RabbitMQ, Recorder Router (RR), HAProxy

• Foundation - Consul, Couchbase, Mongo, IPA, Operations Hub UI, HAProxy

• Health Monitoring - Sensu, Uchiwa, RabbitMQ, HAProxy

• Log Analytics - ELK, Kafka, HAProxy

• Operations Hub UI

The following diagram illustrates the cDVR control plane orchestration:

Requirements

The following is a list of components or settings required for the cDVR control plane orchestration:

• Amazon Web Services (AWS) account, with EC2 compute instances and storage resources to host cDVR applications.

• An AWS account instance limit of at least 100 (the ability to deploy a minimum of 100 EC2 instances of various types).

• AWS Identity and Access Management (IAM) role, with admin privileges, attached to the EC2 instance used for deployment. For more information on the required AWS policies, see Required AWS Identity and Access Management Orchestration Policies.

• AWS region for the deployment, with the following requirements:

◦ Elastic File System (EFS) support.

◦ A minimum of three availability zones for deployment.

• cDVR control plane release ISO file (cdvr_deployer_<snapshot version number>_<auto-generated number>). For example, cdvr_deployer_17.33.517.02_e3c1c09. Or, an S3 bucket link for the cDVR control plane ISO file (for example, https://s3-us-west-2.amazonaws.com/productionbuild-270224602766-us-west-2-isos/cdvr_deployer_17.33.517.02_e3c1c09.iso). For more information on obtaining the file, contact Cisco Services.

• If deploying to a specific Virtual Private Cloud (VPC) and specific subnets in the VPC, you must obtain the VPC ID and Subnet ID.

• SSH key that can be used for orchestration.

Deploying the cDVR Control Plane Solution

Procedure

Step 1 Sign in to your AWS account through the AWS Manager Console. Ensure that you have administrative privileges.

Step 2 From the top right corner of the AWS Manager Console, choose the region in which you want to deploy cDVR on the cloud.

Step 3 Create and launch an EC2 Instance:
a) From the AWS Manager Console, choose Services > EC2.
b) From the EC2 Dashboard, click Launch Instance.

c) Choose a Linux Amazon Machine Image (AMI) by clicking Select next to Amazon Linux.
d) Choose an EC2 instance type with a high network limit and memory capacity. We recommend the i3.large type.
e) Click Next: Configure Instance Details.
f) From the Network and Subnet drop-down lists, choose the location of the virtual machine.
g) From the Auto-assign Public IP drop-down list, choose Enable to ensure that you have public access to the current IP address.

h) From the IAM role drop-down list, choose cDVROrchestratiorRole. This was created prior to installation. For more information, see Required AWS Identity and Access Management Orchestration Policies.
i) Click Next: Add Storage.
j) In the Size field, enter the size of memory. We recommend that you enter a minimum of 16 GB.
k) Click Next: Add Tags.
l) Click Add Tag.
m) In the Value field, enter the name of the virtual machine (for example, cDVR-Solution-Launcher).
n) Click Next: Configure Security Group to configure who can access the virtual machine.
o) Verify the default rule to confirm that SSH access is applied. If a rule is not added, click Add Rule to specify the type of traffic allowed on a specific port.
p) From the Type menu, choose SSH, and in the Source field, type 0.0.0.0/0. You can limit the IP addresses that can access the virtual machine, but we recommend that you leave it open with 0.0.0.0.
q) Click Review and Launch, and then click Launch.
r) If this is your first time performing the deployment, you can create a new key. Or, you can use an existing key from a previous deployment. If you create a new key, enter the name of the key and click Download Key Pair. Ensure that you have a copy of the key because you will need it when you SSH into the virtual machine (as access encryption).
s) Click Launch Instances.

Step 4 From the EC2 Dashboard, click Running Instances for a list of all the instances you are currently running in your lab (running virtual machines in your account).

Step 5 Once the instance is in the running state, click the instance and copy the IPv4 Public IP address.

Step 6 Start SSH and log on to the instance that you created (the copied public IP address).

ssh -i <region key>.pem ec2-user@<public IP address>

Step 7 To change to a root user, type: $ sudo -i.

Step 8 Install Docker and start the service:
a) Type yum install docker to install Docker.
b) Type service docker start to start the Docker service.

Step 9 To create a release folder, type: # mkdir cdvr_release.

Step 10 Type the following command to copy the cDVR control plane ISO file from the S3 bucket to the virtual machine:

curl -# -O <link to the ISO file>

Step 11 Type cd cdvr_release/.

Step 12 Create or copy the key that must be used for the deployment (<key on specific region that you want to deploy on>.pem). For example, cdvr-us-west-2.pem. This is obtained in AWS > EC2 > Key Pairs.

Note: This is not required if you are deploying the cDVR complete package (Option 1 when you run the setup script in Step 14 below).

Step 13 To mount the ISO:
a) Type: mkdir -p /mnt/iso to create the directory.
b) Type: mount -o loop cdvr_deployer_<ISO file> /mnt/iso to mount the ISO to the new directory.

Step 14 The contents of the ISO are in the mount ISO directory (/mnt/iso).

Step 15 To export the region name to the environment that is needed for deployment, type: export AWS_DEFAULT_REGION="<region name>". For example, export AWS_DEFAULT_REGION="us-west-2".

Step 16 Type /mnt/iso/setup.sh $HOME/cdvr_release to run the setup script to initiate the Deployer docker container. The ISO is installed in the docker container. The following is an example:

[root@ip-172-31-39-202 cdvr_release]# /mnt/iso/setup.sh $HOME/cdvr_release
34e7b85d83e4: Loading layer 199.9MB/199.9MB
790b85e7fb70: Loading layer 448.2MB/448.2MB
c83da2b6b8d7: Loading layer 3.072kB/3.072kB
cdcbbf2dab11: Loading layer 22.53kB/22.53kB
Loaded image: cdvrdeployer:latest
############################################################
# Start wizard
############################################################
Choose a number:
1: NEW Orchestrates cDVR as a complete package and creates VPC and subnets, deploys all DB Services{Mongo & Couch}, DNS(DNS & Service Discovery) & stacks for control plane, Monitoring, Log Analytics
2: NEW_EXISTING_NETS Deploys 'NEW' but lets User Provide Region, VPC-ID, Subnets [ 3 Public Subnets Across AZ for Foundation, 3 Private Subnets Across AZ for CP, 2 Private Subnets for Health & Log Analytics
3: FOUNDATION_ONLY Only Deploys DB Services{Mongo & Couch}, CONSUL(DNS & Service Discovery)
4: CP_ONLY Deploys Control plane stacks only. Requires that Consul[DNS & Service Discovery] is available
5: HEALTH_ONLY Deploys the Infrastructure for Health
6: LOGAN_ONLY Deploys Log Analytics Stack on a provided subnet
7: POST_ORCHESTRATION Optional choices after orchestration

Step 17 From the Choice prompt, choose the type of orchestration you would like to deploy (1 to 7). Before you start, we recommend that you map your naming convention.

• 1: New - Creates VPC and subnets. Deploys the cDVR complete package, including all database services, DNS, control plane stack, monitoring stack, and log analytics stack.

• 2: New Existing Nets - Deploys the cDVR complete package (all database services, DNS, control plane stack, monitoring stack, and log analytics stack), but allows users to provide VPC and subnet information.

• 3: Foundation Only - Deploys Consul and databases (Couch and Mongo). This is for upgrade purposes only.

• 4: CP Only - Deploys the control plane stack only.

• 5: Health Only - Deploys the monitoring stack only.

• 6: Log Analytics Only (Logan_Only) - Deploys the log analytics stack only.

• 7: Post Orchestration - PPS External Configuration, Route53 Steer, or CP and Consul cleanup. This is optional.

Step 18 Provide answers to the questions prompted by the script. The questions differ, depending on the type of orchestration selected.

Tip: If you enter the wrong information and need to cancel the script, press CTRL Z or CTRL C. To restart the script, repeat Step 13.

Step 19 Perform the manual procedures required after deployment. For details, see Configuring Components After Orchestration.

Required AWS Identity and Access Management Orchestration Policies

This section lists the Identity and Access Management (IAM) policies required for the AWS orchestration. Each policy contains the required permissions. For information on how to create and manage AWS policies, see Amazon AWS documentation. You can import these policies by creating an IAM Role in the AWS IAM console. These policies grant the Launcher EC2 instances orchestration rights during the deployment of cDVR on AWS.

Temporary Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

DynamoDB Policy - Full Access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:*",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "datapipeline:ActivatePipeline",
                "datapipeline:CreatePipeline",
                "datapipeline:DeletePipeline",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:PutPipelineDefinition",
                "datapipeline:QueryObjects",
                "iam:ListRoles",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Subscribe",
                "sns:Unsubscribe",
                "sns:SetTopicAttributes",
                "lambda:CreateFunction",
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "lambda:CreateEventSourceMapping",
                "lambda:DeleteEventSourceMapping",
                "lambda:GetFunctionConfiguration",
                "lambda:DeleteFunction"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

EC2 Policy - Full Access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        }
    ]
}

Elastic File System (EFS) Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "elasticfilesystem:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Identity and Access Management (IAM) Policy - Full Access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:*",
            "Resource": "*"
        }
    ]
}

Route 53 Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1494966762000",
            "Effect": "Allow",
            "Action": [
                "route53:CreateHostedZone",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:GetChange",
                "route53:UpdateHostedZoneComment",
                "route53:ListResourceRecordSets",
                "route53:ChangeResourceRecordSets",
                "route53:ListTagsForResource",
                "route53:DeleteHostedZone"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
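The policies above attach several service-wide wildcards on Resource "*" to the launcher role. The following added example (not part of the Cisco guide) reports which policies grant a whole service and which of them let the role change its own permissions, so the role can be reviewed, or detached once orchestration is finished. The function names are hypothetical.

```python
# Statements copied from the policies on this page; the EFS and Route 53
# action lists are shortened to keep the sample compact.
POLICIES = {
    "Temporary": {"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "EC2": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"}]},
    "EFS": {"Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeSubnets", "ec2:DescribeVpcs",
                    "elasticfilesystem:*"]}]},
    "IAM": {"Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
    "Route 53": {"Statement": [
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["route53:CreateHostedZone", "route53:DeleteHostedZone"]}]},
}

# iam:* (or a bare *) lets the role attach any policy to itself or to other
# principals, which makes the limits in its other policies ineffective.
GRANTS_PERMISSIONS = {"*", "iam:*"}

def as_list(value):
    """IAM accepts Statement, Action and Resource as one value or a list."""
    return value if isinstance(value, list) else [value]

def wildcard_actions(policy):
    """Wildcard actions that an Allow statement grants on every resource."""
    hits = set()
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        hits.update(a for a in as_list(stmt.get("Action", []))
                    if a == "*" or a.endswith(":*"))
    return sorted(hits)

def audit(policies):
    """Map policy name -> (wildcard actions, True if it can grant permissions)."""
    report = {}
    for name, policy in policies.items():
        wild = wildcard_actions(policy)
        report[name] = (wild, any(a in GRANTS_PERMISSIONS for a in wild))
    return report

if __name__ == "__main__":
    for name, (wild, escalates) in audit(POLICIES).items():
        flag = "  <- can change its own permissions" if escalates else ""
        print(f"{name:10} {', '.join(wild) or 'no service-wide wildcard'}{flag}")
```

To audit a real role, load each attached policy document with `json.load()` and pass the resulting dictionaries to `audit()`.
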
