# Edge Extend Agent for AWS This guide covers the network configuration of the [[:edgeextend/agent]] running on the AWS Cloud in your AWS Account. Once network configuration is complete return to [[:edgeextend/server]] to continue setup. For general documentation see [[:edgeextend]] ## Architecture ### Virtual Machine Each Edge Extend agent is deployed to the AWS as a single virtual machine or instance. Agents connect to a single Edge Extend server, deployed on another region or cloud, through a public endpoint. They will connect using a UDP protocol through port 8445. {{ /smbstream:agent:aws_cloud:aws_smbstream_agent_arch.png |AWS architecture diagram showing an Edge Extend server and Edge Extend agents}}. ## Deployment This guide walks through deploying an Edge Extend agent to your environment. An instance will be launched directly from the AWS Marketplace. Once the instance is running you'll set up the network, and then, after registering the agent with a server, you will complete set up. ### Skills Required This guide is for IT infrastructure architects and DevOps professionals who are deploying an Edge Extend agent on AWS. To follow this guide a user should have some familiarity with the AWS Console and with a Linux shell. ### Time Required Following this guide, an Edge Extend agent can be deployed in under an hour. ### Prerequisites You will need the following information before you can complete the setup: * An AWS Account. If you don’t already have an AWS account, create one at https://aws.amazon.com/getting-started/ by following the on-screen instructions. ## Security As with all systems you deploy to the AWS Cloud security responsibilities are shared between you and AWS. AWS is responsible for the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. You assume responsibility for the security of the appliance through configuration and management of specific AWS Cloud services and of the appliance itself. Through the appliance, you can delegate specific application and data security responsibilities to designated users and roles. For more information: * [[:edgeextend/security]] * [[http://aws.amazon.com/security/|AWS Security Center]] ### AWS Identity and Access Management The agent needs access to any network storage server for which remote access is required. It does not access AWS services. ### Operating System Security The appliance does not use root or other administrative uses to run internal components. An end-user cannot log in as root – they can use sudo from the user smbstream. A user can log into the smbstream account only by using the SSH key specified during the deployment process. AWS doesn't store these SSH keys, so if you lose your SSH key, you can lose access to these instances. We will announce high-severity security patches when they are available through a security alert (email). This includes security patches to third-party components we may be using and other remediations. ### Customer Sensitive Data Edge Extend provides a number of preventative and detective mechanisms to protect customer data. For more information see [[:edgeextend/security]]. ### Data Encryption The Access Anywhere encrypts data in motion and provides a number of options for encrypting data at rest in addition to that provided by the storage service. * Amazon S3 server-side encryption can be enabled * Folder encryption, where data is sent encrypted to the storage * Personal encryption where data is encrypted by the client before Access Anywhere. For more information see [[:edgeextend/security]]. ### Security Groups A security group acts as a firewall that controls the traffic for one or more instances. When you launch an instance, you associate a security group with it. You add rules to the security group that allow traffic to or from the instance. You can modify the rules for a security group at any time. ## Launch ### AWS Marketplace To launch directly from the marketplace select [[https://aws.amazon.com/marketplace/pp/prodview-z3dcqr3ui2li4| Edge Extend Agent]]. Select "Continue to Subscribe". {{ :aws-gettingstarted:continue-to-subscribe.png?nolink&200 |}} Review terms and select "Continue to Configuration". {{ :aws-gettingstarted:continue-to-configuration.png?nolink&200 |}} Select your preferred **Region** and then select "Continue to Launch" {{ /edgeextend/agent/aws_cloud/configure-this-software.png?nolink&600 |}} This page allows you to launch the instance directly from this webpage, or through the EC2 launch instance wizard. {{ /edgeextend/agent/aws_cloud/review-config-details.png?nolink&600 |}} Leave the setting as **Launch from Website** (Recommended). Instructions for launching from EC2 instead are provided in the section [[#launch_through_ec2|Launch Through EC2]]. {{ :aws-gettingstarted:choose-action-launch-from-website.png?nolink&600 |}} #### Launch from Website (Recommended) Review Configuration details: * **EC2 Instance Type**: t3.small * **Memory**: 2 GiB * **CPU**: 2 virtual cores * **Storage**: EBS Only * **Network Performance**: Up to 5 Gigabit Ethernet * **VPC Settings**: (default) * **Subnet Settings**: (default) ##### Security Group Settings Select "Create New Based on Seller Settings". {{ :aws-gettingstarted:security-group.png?nolink&600 |}} #### Create New Security Group Add a name and description. Do NOT change the Source (IP or Group) to "My IP" as this setting incorrectly assigns an internal AWS IP address. Select "Save". {{ /edgeextend/agent/aws_cloud/new-security-group-settings.png?nolink&600 |}} #### Key Pair Amazon EC2 uses SSH-2 RSA keys for SSH which is required to complete the configuration. A public/private key pair can be assigned or created. Choose an existing Key Pair or create a new one. {{ :aws-gettingstarted:key-pair.png?nolink&600 |}} #### Launch Select the "Launch" button to deploy. {{ :aws-gettingstarted:website-launch-congratulations.png?nolink&600 |}} Select EC2 Console to see the instance running in the region you selected. Add a Name by clicking in the empty Name box and entering "Edge Extend Agent". Jump to the next step [[#Configuration]]. ### Launch through EC2 If you did not "Launch from the website", follow these steps to launch the instance. #### Step 1. Choose an Amazon Machine Image (AMI) 1. From the AWS Marketplace click [[https://aws.amazon.com/marketplace/pp/prodview-z3dcqr3ui2li4|Edge Extend Agent]]. 2. Then click **Launch**. #### Step 2: Choose an Instance Type Minimum recommended settings are: * vCPUs - 2 * Memory - 2 GB * Disk - 40 GB (SSD) This corresponds to a t3.small. For example, ^ Family ^ Type ^ vCPUs ^ Memory (GiB) ^ Instance Storage (GB) ^ Network ^ Notes ^ | t3 | t3.small | 2 | 2 | EBS Only | Up to 5 Gigabit Ethernet | Recommended | #### Step 3: Configure Instance Details Check the following setting: * **Auto-assign Public IP** - set to **Enable** #### Step 4: Add Storage Accept the defaults, for example: ^ Volume Type ^ Device ^ Snapshot ^ Size (GbB) ^ Volume Type ^ Delete on Termination ^ | Root | /dev/xvda | snap-xxx | 40 | [General Purpose SSD (gp2] | Yes | You might wish to change "Delete on Termination" to False to prevent your instance from being accidentally terminated through Amazon EC2. #### Step 5: Add Tags No changes, select Next: Configure Security Group #### Step 6: Configure Security Group Choose the default, a new security group with one rule. ^ Type ^ Protocol ^ Port Range ^ Source ^ Description ^ | SSH | TCP | 22 | Anywhere 0.0.0.0/0, ::/0 | SSH for initial configuration | #### Step 7: Review Instance Launch Select [Launch] to bring up the dialog to choose or create a public/private key pair that will allow you to SSH into the instance. {{ ::aws-gettingstarted:aws-keypair.png?nolink&600 |}} Select **Launch Instances**. #### View Instances Select **View Instances** and wait a few minutes until the **Status Checks** are complete. ## Configuration ### SSH Access The instance can now be accessed at this IP address using a standalone SSH client and the Key Pair you assigned. The username is **smbstream**. For example: ssh -i "AccessAnywhere.pem" smbstream@34.194.216.200 (If the command freezes check your Security Group allows SSH access (port 22) for your IP address.) Check that you can become root. sudo bash This will be required to complete the configuration. More information on connecting via SSH can be found in the AWS Console. Select the instance in the Instances view and click **Connect**. ### Next Steps Once network configuration is complete return to [[:edgeextend/server]] to continue agent setup.