Zentral up and running on AWS
This is a short step-by-step guide to starting a Zentral-all-in-one deployment on Amazon AWS. To make it even easier to follow along, we’ve recorded a screencast (4:25) to complement this blog post.
For the full, in-depth version of the AWS / EC2 instructions, check out the Wiki here.
There are a few requirements for deploying Zentral-all-in-one (ZAIO) on AWS. You need:
- An active AWS account (note: a t2.micro instance in the AWS free tier will unfortunately not meet the system requirements of ElasticSearch)
- AWS permissions to create an EC2 instance and to configure AWS security group settings (the security group acts as the firewall for inbound traffic).
- DNS A records set up for a domain
Prepare and Launch the Instance
Now launch, set up and configure the Zentral instance:
- Find the latest AWS link on the Zentral GitHub release page
- Click the URL closest to your AWS region. This opens a pre-built Amazon Machine Image (AMI) with the latest Zentral code on AWS.
- Configure the EC2 instance. We recommend the following basic specifications:
a.) Choose the VM size t2.medium (ElasticSearch needs RAM)
b.) Increase the root volume size (20–100 GB for production data)
c.) Ensure all required ports are open for inbound traffic: 80 (HTTP, Let's Encrypt), 443 (HTTPS), 22 (SSH), 5044 (Logstash). Note: usually you’ll create a new AWS security group for this purpose.
d.) Create a new AWS key pair to access the VM via SSH later
e.) Start the EC2 instance and copy its public IP address to set up the DNS records
- You have to configure two DNS A records with the same IP. Both records need to point to the public IP address of the EC2 instance. The first A record is the main FQDN you’ll connect to; the second is used for client-certificate-based authentication and the built-in SCEP server in Zentral.
- Set the correct file permissions on the key file, then connect to the EC2 instance via SSH using the AWS key pair:
ssh -i <keyname>.pem ubuntu@<FQDN>
The default password you need to provide is the same as the username: ubuntu.
- Now prepare the command to run the setup tool. You must provide correct settings matching your FQDN, the username and email for the superuser, and ensure FQDN_FOR_CLI_CERT_AUTH is also set correctly. Run the command in a terminal session on the instance. This starts the initial setup process of your Zentral instance.
$ sudo /home/zentral/app/utils/setup.py FQDN USER EMAIL FQDN_FOR_CLI_CERT_AUTH
Note: when setup is done, copy the password reset URL from the terminal session.
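The steps above are easy to get slightly wrong (a key file ssh refuses, a security group missing one port, a second A record that does not yet point at the instance, or the two FQDNs accidentally set to the same name). The following pre-flight script is an added example and not part of Zentral or its setup tool; it assumes a POSIX shell with chmod, stat and dig available, and all hostnames and addresses in it are constructed placeholders. It checks each of those points before you run setup.py.

```shell
#!/bin/sh
# Pre-flight checks for a Zentral-all-in-one (ZAIO) deployment on EC2.
# Added example, not Zentral project code. Assumes POSIX sh, chmod, stat, dig.
# All hostnames and IP addresses used for illustration are constructed placeholders.

# Inbound ports the post asks for: SSH, HTTP (Let's Encrypt), HTTPS, Logstash.
REQUIRED_PORTS="22 80 443 5044"

# Print the required ports absent from the given space-separated list of
# inbound ports (e.g. what your security group currently allows).
missing_ports() {
  open="$1"
  out=""
  for p in $REQUIRED_PORTS; do
    case " $open " in
      *" $p "*) ;;            # port is present
      *) out="$out $p" ;;    # port is missing
    esac
  done
  printf '%s\n' "${out# }"
}

# ssh refuses a private key readable by other users; restrict it to the owner
# and print the resulting octal mode so the caller can confirm it is 600.
fix_key_perms() {
  chmod 600 "$1" && { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
}

# Succeed only when every resolved address equals the expected instance IP.
same_address() {
  want="$1"; shift
  [ -n "$want" ] || return 1
  for got in "$@"; do
    [ "$got" = "$want" ] || return 1
  done
  return 0
}

# Resolve each name's A records with dig and require them all to be the
# instance's public IP; an empty answer counts as a mismatch.
check_dns() {
  expected_ip="$1"; shift
  for name in "$@"; do
    got=$(dig +short A "$name")
    [ -n "$got" ] && same_address "$expected_ip" $got || {
      printf 'DNS mismatch for %s (expected %s)\n' "$name" "$expected_ip" >&2
      return 1
    }
  done
}

# Validate the four setup.py arguments: nothing empty, the two FQDNs must
# differ (the second is reserved for client-cert auth / SCEP), and the
# superuser email must at least contain '@'. Prints the command to run.
validate_setup_args() {
  fqdn="$1"; user="$2"; email="$3"; cli_fqdn="$4"
  [ -n "$fqdn" ] && [ -n "$user" ] && [ -n "$cli_fqdn" ] || return 1
  [ "$fqdn" != "$cli_fqdn" ] || return 1
  case "$email" in *@*) ;; *) return 1 ;; esac
  printf 'sudo /home/zentral/app/utils/setup.py %s %s %s %s\n' \
    "$fqdn" "$user" "$email" "$cli_fqdn"
}

# Full pre-flight: key perms, DNS for both names, and the final command.
# Usage: ./preflight.sh KEY.pem INSTANCE_IP FQDN USER EMAIL FQDN_FOR_CLI_CERT_AUTH OPEN_PORTS
if [ "$#" -eq 7 ]; then
  fix_key_perms "$1" >/dev/null || exit 1
  miss=$(missing_ports "$7")
  [ -z "$miss" ] || { printf 'security group is missing ports: %s\n' "$miss" >&2; exit 1; }
  check_dns "$2" "$3" "$6" || exit 1
  validate_setup_args "$3" "$4" "$5" "$6" || { echo 'bad setup.py arguments' >&2; exit 1; }
fi
```

Run it with the key file, the instance's public IP, the four setup.py arguments and the list of ports your security group opens; it stops at the first failed check and otherwise prints the exact setup.py command to paste into the SSH session.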
Post launch steps
With the next steps you will get access to the launched Zentral instance.
- Once the setup process has finished in the terminal, copy the password reset URL it printed. Open this URL in your browser and set a password for the superuser.
- Log in to Zentral with the username and password you’ve set.
Congrats, you should now have a full instance of Zentral-all-in-one set up on AWS. Next, see the other tutorials for additional setup, e.g. securing access with 2FA or enabling SSO with an identity provider on your Zentral instance.
- Check the validity of the Let’s Encrypt TLS certificate.
- Check the Zentral workers’ health status in Prometheus.
The AWS deployment shown here is the simplest way to run an instance of Zentral. Stay tuned for our follow-up post on getting up and running, and also see the other resources.