
CloudLink®

Amazon Web Services Deployment Guide

June 2014


Notice

THIS DOCUMENT CONTAINS CONFIDENTIAL AND TRADE SECRET INFORMATION OF AFORE SOLUTIONS INC AND ITS RECEIPT OR POSSESSION DOES NOT CONVEY ANY RIGHTS TO REPRODUCE OR DISCLOSE ITS CONTENTS, OR TO MANUFACTURE, USE, OR SELL ANYTHING THAT IT MAY DESCRIBE. REPRODUCTION, DISCLOSURE, OR USE IN WHOLE OR IN PART WITHOUT THE SPECIFIC WRITTEN AUTHORIZATION OF AFORE IS STRICTLY FORBIDDEN.

The information furnished herein is believed to be accurate and reliable to the best of our knowledge. However, AFORE Solutions, Inc. assumes no responsibility for its use, or for any infringements of patents or other rights of third parties resulting from its use.

AFORE Solutions, Inc. reserves the right to, without notice, modify all or part of this document and/or change product features or specifications and shall not be responsible for any loss, cost, or damage, including consequential damage, caused by reliance on these materials. If you are in any doubt as to whether this is the correct version of the manual for a particular release, contact AFORE Solutions, Inc.

Trademarks

AFORE Solutions and the AFORE Solutions logo are trademarks of AFORE Solutions Inc. All other brands or product names mentioned herein are for identification purposes only and may be trademarks and/or registered trademarks of their respective companies.

© Copyright 2014 All Rights Reserved

AFORE Solutions Inc.

2680 Queensview Drive, Suite 150 Ottawa, Ontario, K2B 8J9, Canada

Tel: (613) 224-5995 Fax: (613) 224-5410

Support Inquiries

(866) 356-4060 [email protected]

General Inquiries [email protected]

Sales Inquiries [email protected]


CloudLink® Amazon Web Services Deployment Guide

Software Version 2.2, Document Version 1.0

© Copyright 2014 AFORE Solutions Inc. All rights reserved.

Table of Contents

1 Introduction (p. 4)
1.1 Audience and Purpose (p. 4)
1.2 Typographical Conventions (p. 5)
1.3 Deployment Guide Organization (p. 5)
1.4 CloudLink (p. 6)
2 CloudLink Amazon Machine Images (p. 7)
2.1 Instance Types (p. 7)
2.2 Storage Modes (p. 7)
2.3 Storage Access in VPC Environments (p. 8)
2.4 Storage Access in EC2 Environments (p. 8)
2.5 Security (p. 9)
2.5.1 Security Groups in VPC Environments (p. 9)
2.5.2 Security Groups in EC2 Environments (p. 10)
3 Prerequisites (p. 11)
4 CloudLink Deployment (p. 12)
4.1 CloudLink Deployment in VPC (p. 13)
4.2 CloudLink Deployment in EC2 (p. 16)
5 Configuring the CloudLink Environment (p. 19)
5.1.1 Accessing CloudLink Center (p. 20)
5.1.2 Changing the secadmin Password (p. 20)
5.1.3 Assigning Licenses to the Storage Volumes (p. 21)
5.1.4 Splitting a Volume (p. 21)
5.1.5 Changing the Volume Type (p. 22)
5.1.6 Changing the Volume Write Mode to Async (p. 23)
5.1.7 Formatting the Volumes (p. 24)
5.1.8 Configuring NFS/SMB Access to Secure Storage (p. 25)
5.1.9 Configuring iSCSI Access to Secure Storage (p. 26)
6 Accessing the Secure Storage (p. 29)
6.1.1 Storage Access in an EC2 Environment (p. 29)
6.1.2 Storage Access in a VPC Environment (p. 30)
7 Terms and Acronyms (p. 31)
Appendix A: AWS Deployment Worksheet (p. 32)


1 Introduction

CloudLink® is a data-at-rest encryption solution that provides a software-defined storage encryption layer on top of existing storage infrastructures, whether deployed in the enterprise data center, in private clouds, or in public clouds. Its cloud security management software enables a single data encryption solution for on-premises enterprise virtualized data centers, hybrid cloud deployments, and public cloud environments such as Amazon AWS, Microsoft Azure, and VMware-based cloud environments.

AFORE's CloudLink solution on the AWS Marketplace is a simple-to-deploy, self-contained AMI that enables customers to get up and running quickly. You launch a CloudLink instance from the AWS Marketplace AMI, and Amazon adds the CloudLink costs to your AWS bill as a separately identified charge.

There are two CloudLink AMIs: CloudLink 10TB Edition and CloudLink 1TB Edition. CloudLink instances can be deployed in either Elastic Compute Cloud (EC2) or Virtual Private Cloud (VPC) environments.

1.1 Audience and Purpose

This guide is intended for system administrators managing CloudLink deployments in an Amazon Web Services environment.

This guide assumes the administrator is experienced with AWS AMI deployment, Amazon Elastic Compute Cloud (EC2) and Virtual Private Cloud (VPC) services, and IP networking. If you are new to AWS, visit the AWS documentation webpage for useful getting started guides at http://aws.amazon.com/documentation.

The purpose of this guide is to walk you through the deployment and configuration of CloudLink instances based on CloudLink AMIs available from the AWS Marketplace.


1.2 Typographical Conventions

This guide uses the following typographical conventions.

Convention    Used for
Black bold    User interface elements such as menus, menu items, tabs, boxes, lists, and buttons. For example: In the CloudLink window, select the Options tab.
Italics       Examples of formats and values. Also used for emphasis. For example: Use the default user name (secadmin)... For each CloudLink instance you must...

1.3 Deployment Guide Organization

This deployment guide consists of the following chapters:

Chapter 1, Introduction, introduces you to CloudLink, AWS, and this document.
Chapter 2, CloudLink Amazon Machine Images, provides information on the AWS deployment environment.
Chapter 3, Prerequisites, provides the necessary prerequisites for the deployment.
Chapter 4, CloudLink Deployment, provides a detailed description of CloudLink deployments in VPC and EC2 environments.
Chapter 5, Configuring the CloudLink Environment, provides information on how to configure the CloudLink environment.
Chapter 6, Accessing the Secure Storage, provides information on how to access the secure storage volumes.
Chapter 7, Terms and Acronyms


1.4 CloudLink

CloudLink is a software solution that is deployed into enterprise virtualization infrastructures and/or public clouds. CloudLink controls the encryption keys used to secure the storage while monitoring the network. The CloudLink operating environment is as follows:

CloudLink includes CloudLink Center, a Web-service application that provides a user interface to configure CloudLink instances and manage CloudLink. CloudLink Center provides secure storage encryption management and provides audit trails of actions, alarms, events, and security events.


2 CloudLink Amazon Machine Images

An Amazon Machine Image (AMI) is a virtual machine image preconfigured with a base Linux or Windows operating system (OS) and, optionally, application software such as CloudLink. After you launch a CloudLink instance, it looks like a virtualized server, and you can interact with it as you would any computer. Your CloudLink instance must then be configured for security and with Elastic Block Store (EBS) volumes.

AFORE Solutions provides a CloudLink 10TB Edition AMI and a CloudLink 1TB Edition AMI. Both CloudLink instances run in one of two supported platforms: EC2 or VPC. The operating environment varies depending on the selected platform.

2.1 Instance Types

The AWS instance type defines the number of cores, number of Elastic Compute Units (ECUs), and storage space for the instance. The supported instance types for each CloudLink edition are as follows:

CloudLink 1TB Edition: m1.small, m3.medium, m3.large, m3.xlarge
CloudLink 10TB Edition: m3.medium, m3.large, m3.xlarge

Use of at least the m3.medium instance type is recommended for CloudLink AMIs.

2.2 Storage Modes

By default, EBS volumes assigned to a CloudLink instance at deployment time are merged into a single CloudLink encrypted volume. From CloudLink Center you can split the encrypted volume into the original volumes and assign an encryption key to each volume, or keep the merged encrypted volume and assign a single encryption key to the entire volume.

A single merged encrypted volume supports up to 10 TB (or 1 TB) to handle a large amount of data. In a multi-volume environment, each volume is limited to 1 TB (EBS volume limitation) and the maximum aggregated volume size is limited to 10 TB or 1 TB depending upon the CloudLink Edition licensed. Separate volumes allow you to provide a separate key for each volume and manage the volumes independently.

CloudLink provides AWS instances with direct access to their encrypted storage over NFS/SMB or iSCSI. CloudLink supports three storage modes:

NFS/SMB network-attached storage (NAS): appropriate for standard deployments where instances will be attaching/mapping to an encrypted share.

iSCSI remote disk for a single Windows server: appropriate for servers requiring dedicated, block-level, high-performance access to a remote disk.

iSCSI remote disk for a Windows SMB server: appropriate for advanced SMB sharing configurations where Windows Kerberos authentication and access control is required.

Any data that is written to the EBS volume is secured with AES 256-bit encryption. Each EBS volume has a unique encryption key when configured in split volume mode. When EBS volumes are merged into a single encrypted volume, a single key is used to encrypt the merged volume.

Note: CloudLink does not support AWS encrypted EBS volumes in this release.

2.3 Storage Access in VPC Environments

In a VPC environment, instances within AWS access the CloudLink encrypted storage by its private IP address, because private IP addressing is persistent in VPC environments.

Assigning a public IP to a VPC CloudLink instance is recommended so that administrators can manage their CloudLink deployment from a browser. If a public IP address is not assigned to CloudLink, administrators need to RDP to an AWS instance that does have a public IP and then access CloudLink from that instance's web browser.

NOTE: In VPC environments, public IP addresses are not persistent after stopping and starting the CloudLink instance, but the private IP address is persistent (static).

2.4 Storage Access in EC2 Environments

CloudLink deployments in EC2 require additional configuration steps because in EC2 neither the private nor the public IP address is persistent after stopping and starting a CloudLink instance. This non-persistent IP addressing introduces ease-of-use challenges for seamless access to, and access control for, the CloudLink encrypted storage.

To support CloudLink EC2 deployments, it is recommended that an Elastic IP (EIP) address be assigned to CloudLink. An EIP is a static IP reservation that can be assigned to a CloudLink instance, providing a consistent IP for external Internet access to the instance. An additional benefit of EIPs is that, within the AWS environment, a query for the EIP's public DNS name returns the current private IP address of the CloudLink instance associated with the EIP. If AWS instances attach/map to CloudLink storage by the public DNS name, the AWS DNS service returns the current private IP address even after the CloudLink instance is stopped and started, and the pre-defined attach/map commands continue to succeed.

For a Windows instance attempting to access CloudLink encrypted storage, the attach or map command for a single volume would look similar to the following: \\public_domain_name\secure0. As mentioned, the AWS DNS service returns the current private IP address of the CloudLink instance to the Windows instance attempting to access the CloudLink encrypted storage.

If an EC2 CloudLink instance is stopped and started, the EIP remains allocated to your AWS account but is no longer associated with the instance; you must manually re-associate the EIP with the instance before its public DNS name resolves to the instance again.

NOTE: A reboot of the CloudLink instance does not require re-association.
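The following pre-flight check is an added example, not code from the CloudLink guide or from AFORE. It shows how a client instance can use the EIP's public DNS name as the guide intends: resolve the name at attach time (never cache the private IP, which changes on every EC2 stop/start), confirm the answer is an RFC 1918 address (what the AWS DNS service returns from inside AWS), and only then build the \\public_domain_name\secure0 map target. A public answer means the lookup was made from outside AWS or the EIP was not re-associated after a stop/start. The share name secure0 comes from the guide; the hostname and the addresses returned by the demo resolver are constructed placeholders.

```python
"""Pre-flight check for the EIP DNS-name based attach/map of section 2.4.

Added example, not part of the CloudLink guide. The hostnames and addresses
in demo_resolver are constructed; only the share name 'secure0' is from the
guide.
"""
import ipaddress
import socket
from typing import Callable

# RFC 1918 ranges: the VPC/EC2 private address of the CloudLink instance
# must fall inside one of these when resolved from inside AWS.
RFC1918 = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(address: str) -> bool:
    """True if the dotted-quad address is an RFC 1918 private IPv4 address."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def resolve_for_mapping(
    hostname: str, resolver: Callable[[str], str] = socket.gethostbyname
) -> str:
    """Resolve the EIP's public DNS name and return the private address.

    Resolve at attach time rather than caching: in EC2 the private IP changes
    on every stop/start. Raise if the name resolves to a public address, since
    the client is then outside AWS or the EIP is not associated with the
    CloudLink instance, and the map would not reach the private side.
    """
    address = resolver(hostname)
    if not is_rfc1918(address):
        raise RuntimeError(
            f"{hostname} resolved to {address}, which is not a private address; "
            "run this from inside AWS and check that the EIP is associated"
        )
    return address


def unc_path(hostname: str, share: str = "secure0") -> str:
    """Build the Windows map target (\\\\host\\share) from the DNS name, so
    that name resolution happens each time the map is re-established."""
    return f"\\\\{hostname}\\{share}"


def demo_resolver(name: str) -> str:
    """Constructed stand-in for DNS: the first name answers as the AWS DNS
    service would from inside AWS, the second as seen from the Internet."""
    table = {
        "ec2-203-0-113-10.compute-1.amazonaws.com": "10.0.1.25",     # inside AWS
        "ec2-203-0-113-11.compute-1.amazonaws.com": "203.0.113.11",  # from outside
    }
    return table[name]


if __name__ == "__main__":
    host = "ec2-203-0-113-10.compute-1.amazonaws.com"
    print(resolve_for_mapping(host, demo_resolver))  # 10.0.1.25
    print(unc_path(host))  # \\ec2-203-0-113-10.compute-1.amazonaws.com\secure0
```

With the default resolver the check runs against real DNS, so it only passes when executed on an instance inside AWS; the injectable resolver is there so the logic can be exercised offline.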

2.5 Security

By default, access to the CloudLink instance's encrypted storage is denied to all. You must configure AWS security groups to control traffic into the CloudLink instance; security groups act as a virtual firewall. You then configure the CloudLink Access Control List (ACL) to allow all members of the subnet to connect to the encrypted storage.

2.5.1 Security Groups in VPC Environments

One method to grant access to secure encrypted storage in a VPC environment is to create a second security group and associate it with the designated virtual servers. You then add that security group to an inbound rule of the CloudLink instance's security group. Alternatively, you can assign individual IPs or IP ranges to restrict access to specific instances or groups of instances.

After you launch a CloudLink instance in a VPC, you can change its security groups. You can also change the rules of a security group, and those changes are automatically applied to all virtual servers that are associated with the security group.

NOTE: The rules you create for use with a security group for a VPC cannot reference a security group from the EC2 environment.

For more information on VPC security groups, refer to the AWS VPC user guide.


2.5.2 Security Groups in EC2 Environments

Since private IP addresses are non-persistent in an EC2 environment, access rules must be based on security groups and not on IP addresses. You can create additional security groups and associate them with designated virtual servers. You then add the security groups to inbound rules of the CloudLink instance's security group.

For increased access control, you can configure the CloudLink instance encrypted storage as an iSCSI share, then use a Windows server as the SMB server and configure Windows ACL capabilities.

After you launch a CloudLink instance in an EC2 environment, you cannot change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.

NOTE: The rules you create for use with a security group for EC2 cannot reference a security group from the VPC environment.

For more information on EC2 security groups, refer to the AWS EC2 user guide.


3 Prerequisites

Before launching a CloudLink instance from the AWS Marketplace, ensure that you have the following:

An AWS account.
An EC2 key pair. You can use an existing key pair or create one during the deployment process.
Access to the AWS documentation at http://aws.amazon.com/documentation.
Access to the CloudLink documentation available on the CloudLink page in the AWS Marketplace:
o CloudLink Amazon Web Services Deployment Guide (this guide)
o CloudLink Amazon Web Services Administration Guide


4 CloudLink Deployment

The CloudLink instance is deployed with the Launch with EC2 Console method and is capable of supporting multiple EBS volumes totalling up to 10 TB or 1 TB, depending upon the edition licensed, that can be configured as standard or Provisioned Input/Output Operations per Second (IOPS) volumes. In this deployment model, as storage requirements grow, additional storage can be added to the CloudLink instance or additional CloudLink instances can be added to the AWS environment.

The CloudLink instance ACL is initially configured to deny access to all servers. Once security group configuration is complete and applied to the designated instances, you can change the CloudLink instance ACL setting to allow access to all instances. The security group settings act as a virtual firewall and filter access to the encrypted storage of the CloudLink instance.

The port requirements for CloudLink are as follows:

CloudLink ports:
o TCP 8443 (HTTPS): inbound, for administrative access to CloudLink Center.
o UDP 514: outbound, to send the CloudLink Center logs to a syslog server.
o TCP 443: outbound, if RSA DPM is implemented as the key store.
o TCP 389: outbound, if Active Directory is implemented as the key store.

iSCSI ports (inbound from storage clients):
o TCP 860 and 3260

NFS ports (inbound from storage clients):
o TCP 111, 2049, and 32666

SMB ports (inbound from storage clients):
o TCP and UDP 135, 137, 138, and 139
o TCP 445

For SSH access to the CloudLink instance, enable inbound TCP port 22. Restrict ports 22 and 8443 to the addresses your administrators connect from rather than opening them to the Internet.
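The script below is an added example, not code from the CloudLink guide or from AFORE. It turns the port list above into the inbound rule set that sections 2.5.1 and 2.5.2 describe: the storage ports (iSCSI, NFS, SMB) are opened only to the security group carried by the client instances, which works in both VPC and EC2-Classic where client private IPs are not stable, and the management ports (SSH 22, CloudLink Center 8443) only to an administrative CIDR. It also audits an arbitrary rule set for any of these ports exposed to 0.0.0.0/0 or ::/0, including "all traffic" rules and port ranges that happen to cover one. The dict layout is the IpPermissions structure accepted by aws ec2 authorize-security-group-ingress --ip-permissions; the group ID and CIDR used in the demo are constructed placeholders. The outbound-only ports in the list (UDP 514, TCP 443, TCP 389) are not inbound rules and are left out.

```python
"""Inbound security-group rules for a CloudLink instance, from the guide's port
list, with an audit for Internet-exposed storage or management ports.

Added example, not part of the CloudLink guide. 'sg-0123456789abcdef0' and
'203.0.113.0/24' are placeholders; the dict shape is the EC2 IpPermissions
structure used by 'aws ec2 authorize-security-group-ingress --ip-permissions'.
"""
import json

# Inbound ports from the guide's port list, by protocol.
STORAGE_PORTS = {
    "tcp": [860, 3260,                  # iSCSI
            111, 2049, 32666,           # NFS
            135, 137, 138, 139, 445],   # SMB
    "udp": [135, 137, 138, 139],        # SMB/NetBIOS
}
MANAGEMENT_PORTS = {"tcp": [22, 8443]}  # SSH, CloudLink Center HTTPS
ANYWHERE = ("0.0.0.0/0", "::/0")


def ingress_rule(proto, port, *, cidr=None, source_group=None):
    """One IpPermissions entry for a single port, sourced either from a CIDR
    or from another security group."""
    rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
    if cidr is not None:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    if source_group is not None:
        rule["UserIdGroupPairs"] = [{"GroupId": source_group}]
    return rule


def cloudlink_ingress(client_sg_id, admin_cidr):
    """Full inbound rule set: storage ports to the client security group,
    management ports to the administrative CIDR only."""
    rules = [
        ingress_rule(proto, port, source_group=client_sg_id)
        for proto, ports in STORAGE_PORTS.items()
        for port in ports
    ]
    rules += [
        ingress_rule(proto, port, cidr=admin_cidr)
        for proto, ports in MANAGEMENT_PORTS.items()
        for port in ports
    ]
    return rules


def audit_ingress(rules):
    """Return one finding per rule that exposes a CloudLink storage or
    management port to the whole Internet. Catches 'all traffic' (-1) rules
    and port ranges that cover a watched port, not just exact matches."""
    watched = {
        "tcp": set(STORAGE_PORTS["tcp"]) | set(MANAGEMENT_PORTS["tcp"]),
        "udp": set(STORAGE_PORTS["udp"]),
    }
    findings = []
    for rule in rules:
        open_cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])
                      if r.get("CidrIp") in ANYWHERE]
        open_cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])
                       if r.get("CidrIpv6") in ANYWHERE]
        if not open_cidrs:
            continue  # sourced from a CIDR subset or a security group: fine
        proto = rule["IpProtocol"]
        if proto == "-1":  # all protocols, all ports
            hit = sorted(watched["tcp"] | watched["udp"])
        elif proto in watched:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            hit = sorted(p for p in watched[proto] if lo <= p <= hi)
        else:
            continue
        if hit:
            findings.append(f"{proto} {hit} open to {', '.join(open_cidrs)}")
    return findings


def as_cli_json(rules):
    """JSON for: aws ec2 authorize-security-group-ingress --group-id <cloudlink-sg>
    --ip-permissions file://rules.json"""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    rules = cloudlink_ingress("sg-0123456789abcdef0", "203.0.113.0/24")
    print(as_cli_json(rules))
    print(audit_ingress(rules))  # []
    print(audit_ingress([ingress_rule("tcp", 445, cidr="0.0.0.0/0")]))  # ['tcp [445] open to 0.0.0.0/0']
```

The generated JSON is meant to be applied to the CloudLink instance's own security group; the client group referenced in UserIdGroupPairs is the one you attach to the instances that will map the share, so it needs no rules of its own for this purpose.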


4.1 CloudLink Deployment in VPC

The Launch with EC2 Console method allows you to configure a CloudLink instance to meet your requirements for the VPC environment.

To deploy a CloudLink AMI instance in a VPC environment:

1. Log on to the AWS Marketplace with your AWS account credentials.
2. Locate the AFORE Solutions CloudLink products on the AWS Marketplace website.
3. Select either of the following CloudLink products:
   AFORE CloudLink® NAS Encryption – 10 TB Edition
   AFORE CloudLink® NAS Encryption – 1 TB Edition
4. From the CloudLink product page, click Continue.
5. Select a version.
6. Click Accept Terms (only required if you have not previously accepted the terms).
7. Click the Launch with EC2 Console button for the desired region.
8. Step 2 of the AWS deployment procedure appears on your screen.
9. Select the m3.medium instance type or a larger instance type.
10. Click Next to proceed to Step 3.
11. For the Network parameter, select an existing VPC or click Create new VPC.
    If you selected Create new VPC, the VPC console is launched. Click Create VPC, configure the VPC parameters to suit your environment, and return to the EC2 console to resume deployment. You then select the new VPC as the Network parameter and create a subnet for the VPC.
12. Select the Automatically assign a public IP address to your instances checkbox to assign a public IP address to the CloudLink instance.
13. Click Next to proceed to Step 4.
14. Add the necessary EBS volumes up to a maximum of 10 TB or 1 TB, depending upon the CloudLink edition selected. Log the snapshot identifiers of all EBS volumes and store them in a safe place. You can use the worksheet in Appendix A: AWS Deployment Worksheet on page 32 to log your configuration.
    NOTES:
    You can also add EBS volumes after deployment; see the CloudLink Amazon Web Services Administration Guide.
    Newer Linux kernels may rename the devices from /dev/sd* to /dev/xvd*.
15. Ensure that the Delete on Termination checkbox is unchecked for all EBS volumes. Otherwise, all data on the EBS volumes will be lost on termination of the CloudLink instance.

16. Click Next to proceed to Step 5.
17. Enter a string for the Name tag in the Value field. This string will be used as the CloudLink hostname.
18. Click Next to proceed to Step 6.
19. Create a new security group or select an existing security group. Only security groups from the VPC environment are available.
    NOTE: At this point, you can only configure inbound rules. Once deployed, you can change the inbound rules and the default outbound rules.
20. Click Review and Launch.
21. Confirm your settings and click Launch.
22. From the Key Pair dialog, select an existing key pair or create a new key pair.
    A key pair consists of a public key that AWS stores and a private key file that you store. Together, they allow you to connect to your CloudLink instance securely. For the CloudLink AMIs, the private key file allows you to use SSH to log in to your CloudLink instance.
23. Click Launch Instances to launch the CloudLink instance and view the instance identifier in the Launch Status window.
24. Click View Instances to access the EC2 console and view the new VPC CloudLink instance.
25. Access the CloudLink instance's security group from the EC2 console and modify the inbound and outbound rules to suit your environment and security requirements.

You have deployed an instance of the CloudLink AMI in a VPC environment. The CloudLink instance has a static private IP address and a public IP address that allows you to access the CloudLink instance from the Internet. If the CloudLink instance is stopped and restarted, a new public IP address will be assigned to the CloudLink instance.

To configure the CloudLink environment, proceed to 5 Configuring the CloudLink Environment on page 19.


4.2 CloudLink Deployment in EC2

The Launch with EC2 Console method allows you to configure a CloudLink instance to meet your requirements for the EC2 environment.

To deploy a CloudLink AMI instance in an EC2 environment:

1. Log on to the AWS Marketplace with your AWS account credentials.
2. Locate the AFORE Solutions CloudLink products on the AWS Marketplace website.
3. Select either of the following CloudLink products:
   AFORE CloudLink® NAS Encryption – 10 TB Edition
   AFORE CloudLink® NAS Encryption – 1 TB Edition
4. From the CloudLink product page, click Continue.
5. Select a version.
6. Click Accept Terms (only required if you have not previously accepted the terms).
7. Click the Launch with EC2 Console button for the desired region.
8. Step 2 of the AWS deployment procedure appears on your screen.
9. Select the m3.medium instance type or a larger instance type.
10. Click Next to proceed to Step 3.
11. For the Network parameter, select Launch into EC2-Classic and configure the remaining parameters to suit your environment.
12. Click Next to proceed to Step 4.
13. Add the necessary EBS volumes up to a maximum of 10 TB or 1 TB, depending upon the CloudLink edition selected. Log the snapshot identifiers of all EBS volumes and store them in a safe place. You can use the worksheet in Appendix A: AWS Deployment Worksheet on page 32 to log your configuration.
    NOTES:
    You can also add EBS volumes after deployment; see the CloudLink Amazon Web Services Administration Guide.
    Newer Linux kernels may rename the devices from /dev/sd* to /dev/xvd*.
14. Ensure that the Delete on Termination checkbox is unchecked for all EBS volumes. Otherwise, all data on the EBS volumes will be lost on termination of the CloudLink instance.
15. Click Next to proceed to Step 5.
16. Enter a string for the Name tag in the Value field. This string will be used as the CloudLink hostname.
17. Click Next to proceed to Step 6.
18. Create a new security group or select an existing security group. Only security groups from the EC2 environment are available.
    NOTE: At this point, you can only configure inbound rules. Once deployed, you can change the inbound rules.

19. Click Review and Launch.

20. Confirm your settings and click Launch.

21. From the Key Pair dialog, select an existing key pair or create a new key pair.

A key pair consists of a public key that AWS stores, and a private key file that you store. Together, they

allow you to connect to your CloudLink instance securely. For the CloudLink AMIs, the private key file

allows you to use SSH to log in to your CloudLink instance.

22. Click Launch Instances to launch the CloudLink instance and view the instance identifier from the

Launch Status window.

23. Click View Instances to access the EC2 console and view the new EC2 CloudLink instance.

24. Access the CloudLink instance’s security group from the EC2 console and modify the inbound rules to

suit your environment and security requirements.

25. From the EC2 console, you can assign an EIP address to the CloudLink instance. The EIP is a public

static IP address that belongs to your AWS account. If the CloudLink instance is stopped and restarted,

you must re-associate the EIP with the CloudLink instance. A reboot of the CloudLink instance does not

require re-association.

a. Under Network and Security, click Elastic IPs and then click Allocate New Address.

b. From the Allocate New Address dialog, select EC2 and click Yes, Allocate.

c. Observe the new IP address in the EIP window.

d. Select the new IP address and click Associate Address.

e. From the Associate Address dialog, select the CloudLink instance and click Associate.


f. Observe the results in the Elastic IP window.

g. Click Instances and select the CloudLink instance. Observe the parameters from the Description tab.

h. To view the security group configuration, click the view rules link in the Description tab.

You have deployed an instance of the CloudLink AMI in an EC2 environment. The CloudLink instance has a non-static private IP address and a static public EIP address.

To configure the CloudLink environment, proceed to 5 Configuring the CloudLink Environment on page 19.
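The following script is an added example for this guide, not CloudLink or AWS code. It reads the JSON that `aws ec2 describe-instances` prints and re-checks the three deployment settings above that are easy to get wrong and costly later: Delete on Termination left set on an EBS volume (step 14), a missing Name tag (step 16), and a public address that is auto-assigned rather than an Elastic IP (step 25). The embedded instance description is constructed for the example, with placeholder ids; in describe-instances output an Elastic IP is distinguished from an auto-assigned public IP by the association's IpOwnerId being the account id rather than "amazon".

```python
"""Post-deployment audit of a CloudLink EC2 instance description.

Added example: checks Delete on Termination, the Name tag and the
Elastic IP association from `aws ec2 describe-instances` JSON. The
sample document below is constructed, with placeholder ids.
"""
import json

SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [{
        "InstanceId": "i-0123456789abcdef0",        # placeholder id
        "Tags": [{"Key": "Name", "Value": "cloudlink-01"}],
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/sda1",
             "Ebs": {"VolumeId": "vol-0aaa", "DeleteOnTermination": False}},
            {"DeviceName": "/dev/sdb",                  # data volume left with the box checked
             "Ebs": {"VolumeId": "vol-0bbb", "DeleteOnTermination": True}},
        ],
        "NetworkInterfaces": [{
            "PrivateIpAddress": "10.0.0.103",
            # An Elastic IP reports the account id as IpOwnerId; an
            # auto-assigned public IP reports "amazon" instead.
            "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"},
        }],
    }]}]
})


def instances(describe_json):
    """Flatten the Reservations/Instances nesting of describe-instances output."""
    doc = json.loads(describe_json)
    for reservation in doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            yield inst


def volumes_deleted_on_termination(inst):
    """(device, volume id) pairs that AWS would destroy when the instance terminates."""
    return [
        (m["DeviceName"], m["Ebs"]["VolumeId"])
        for m in inst.get("BlockDeviceMappings", [])
        if "Ebs" in m and m["Ebs"].get("DeleteOnTermination", False)
    ]


def name_tag(inst):
    """Value of the Name tag (used by CloudLink as its hostname), or None if unset."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value")
    return None


def has_elastic_ip(inst):
    """True if at least one interface carries an account-owned (Elastic) public IP."""
    for nic in inst.get("NetworkInterfaces", []):
        assoc = nic.get("Association") or {}
        if assoc.get("PublicIp") and assoc.get("IpOwnerId") not in (None, "amazon"):
            return True
    return False


def audit(describe_json):
    """Return a list of findings; an empty list means the instance passes."""
    findings = []
    for inst in instances(describe_json):
        iid = inst.get("InstanceId", "?")
        for device, vol in volumes_deleted_on_termination(inst):
            findings.append(f"{iid}: {device} ({vol}) has Delete on Termination set")
        if not name_tag(inst):
            findings.append(f"{iid}: no Name tag, so the CloudLink hostname is unset")
        if not has_elastic_ip(inst):
            findings.append(f"{iid}: no Elastic IP associated; the public address changes on stop/start")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DESCRIBE_INSTANCES) or ["OK: no findings"]:
        print(line)
```

Run it against live output by piping `aws ec2 describe-instances --instance-ids <id>` into `audit()`; the sample document produces two findings, one for /dev/sdb and one for the missing Elastic IP.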


5 Configuring the CloudLink Environment

After you deploy a CloudLink instance on AWS, you must access CloudLink Center on the CloudLink instance and configure the CloudLink environment before you can access the encrypted storage from the designated virtual servers. Proceed as follows:

1. Access CloudLink Center on the CloudLink instance, see 5.1.1 Accessing CloudLink Center on page 20.

2. Change the default secadmin user account password, see 5.1.2 Changing the secadmin Password on page 20.

3. Assign storage licenses to the storage volumes, see 5.1.3 Assigning Licenses to the Storage Volumes on page 21.

4. Split the volume if desired (CloudLink merges all storage volumes at deployment time), see 5.1.4 Splitting a Volume on page 21.

5. Specify the storage type (NFS/SMB or iSCSI), see 5.1.5 Changing the Volume Type on page 22.

6. Set the write mode for the storage volumes, see 5.1.6 Changing the Volume Write Mode to Async on page 23.

7. Format the storage volume(s), see 5.1.7 Formatting the Volumes on page 24.

8. Configure access rights to the storage volumes:

   For SMB/NFS, see 5.1.8 Configuring NFS/SMB Access to Secure Storage on page 25.

   For iSCSI, see 5.1.9 Configuring iSCSI Access to Secure Storage on page 26.

For information on how to access a storage volume, see 6 Accessing the Secure Storage on page 29.

For additional information on configuring and managing the CloudLink environment, refer to the CloudLink Amazon Web Services Administration Guide.


5.1.1 Accessing CloudLink Center

To connect to CloudLink Center on the CloudLink instance:

1. In your Web browser, type the URL of the CloudLink instance in the format https://IpAddress:8443 or https://fqdn:8443, where IpAddress is the public interface IP and fqdn is the fully qualified domain name (FQDN).

2. Observe the presence of the CloudLink Center home page in your browser.

3. Log in. The default Username is secadmin and the default Password is your AWS instance ID.

5.1.2 Changing the secadmin Password

To change the default secadmin password:

1. Log in as the secadmin user (see 5.1.1 Accessing CloudLink Center on page 20). The default password is your AWS instance ID.

2. From the Topology Tree, select the CloudLink instance.

3. Click the Administration tab.

4. From the Options panel, select User Accounts.

5. In the User name list, right-click the secadmin account and click Change password.

6. In the Change password window, enter the new password and confirm the new password.

7. Click OK.


5.1.3 Assigning Licenses to the Storage Volumes

Storage licenses form part of the CloudLink instance; depending on the edition selected, either a 10 TB or a 1 TB license is included.

To assign a storage license to a CloudLink instance:

1. Log in as a secadmin or admin user (see 5.1.1 Accessing CloudLink Center on page 20).

2. From the Topology Tree, select a CloudLink instance.

3. Select the Storage tab.

4. From the Options panel, select the License option.

5. From the License Assignment panel, select the storage license from the Available Licenses dropdown list.

6. Click Assign to assign the storage license.

7. Observe the graph in the License Usage panel.

5.1.4 Splitting a Volume

When you create more than one volume at instantiation, CloudLink automatically merges the volumes into a single volume. You can split the aggregated volume back into separate volumes, with each volume being encrypted with a unique encryption key.

NOTE: Splitting a volume results in the loss of all data on the EBS volume. Ensure any data associated with the CloudLink EBS volume is backed up before proceeding.

The storage volume names will be secure0-xx where xx starts at 01. The Device rows will show the original device names, for example, sdb, sdc, sdd, and sde. The displayed Size of the volumes will show the original disk sizes.

The results of a volume split are as follows:

All data previously stored on the combined volume is lost.

The storage key for the volume is lost and the ACL configuration is lost.

The storage write mode is set to Sync.


To split a volume:

1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).

2. From the Topology Tree, select a CloudLink instance.

3. Click the Storage tab then the Configuration tab.

4. Click Volumes in the Options panel.

5. From the Volumes panel, right-click the volume and select Split. Click Yes in the confirmation window.

6. Once the Storage tab reappears, select it to view the results.

5.1.5 Changing the Volume Type

You can change the volume type of a volume from NFS/SMB to iSCSI and from iSCSI to NFS/SMB.

Server Message Block (SMB) shares, also referred to as Common Internet File System (CIFS) shares, are primarily used in Windows operating systems.

Network File System (NFS) shares are primarily used in Unix and Linux based operating systems. When working with NFS you mount a remote folder to a local path.

The Internet Small Computer System Interface (iSCSI) provides better performance for raw I/O and is used for databases/clusters.

The results of a change in volume type are as follows:

All data on the disk is lost.

The storage keys are lost and the ACL configuration is lost.

The storage write mode is set to Sync.

To access a CloudLink instance’s secure storage over iSCSI, you must also configure CHAP credentials for use in performing incoming access to the instance’s iSCSI target. For more information, see the CloudLink Amazon Web Services Administration Guide.

To change the volume type for a storage volume:

1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).

2. From the Topology Tree, select a CloudLink instance.


3. Click the Storage tab then the Configuration tab.

4. Click Volumes in the Options panel.

5. Right-click an NFS/SMB volume and select Change volume type to iSCSI, or right-click an iSCSI volume and select Change volume type to NFS/SMB.

6. Observe that the volume type has changed in the Volumes panel.

NOTES: If the new volume type is iSCSI, you must mount the volume as an iSCSI target from the disk management facility on the client PC and configure CHAP credentials for use in performing access to the iSCSI target.

5.1.6 Changing the Volume Write Mode to Async

The default write mode for NFS/SMB and iSCSI EBS volumes is synchronous (sync). You can change the write mode to asynchronous to reduce data transfer times to EBS volumes. In the asynchronous write mode, loss of data can occur under network failure scenarios.

NOTE: After changing the write mode for an iSCSI volume, you must reactivate the disk from the disk management facility on the client PC.

To change the write mode of a volume to async:

1. Log in as a secadmin or admin user (see 5.1.1 Accessing CloudLink Center on page 20).

2. From the Topology Tree, select a CloudLink instance.

3. Click the Storage tab then the Configuration tab.

4. Click Volumes in the Options panel.

5. From the Volumes panel, right-click a volume and select Change Write Mode to async.

NOTE: You can change the mode back to sync at any time. See the CloudLink Amazon Web Services Administration Guide for details.


5.1.7 Formatting the Volumes

To format a storage volume:

1. Log in as a secadmin or admin user (see 5.1.1 Accessing CloudLink Center on page 20).

2. From the Topology Tree, select a CloudLink instance.

3. Click the Storage tab then the Configuration tab.

4. Click Key in the Options panel.

5. Select one or more volumes and right-click a selected volume.

6. Select Format from the menu.

The format operation formats the disk and makes old data unusable. The generated key has a name in the following format:

volumeName_yyyyMMdd_HHmmss.key

where:

volumeName - the name of the volume
yyyyMMdd - key generation date
HHmmss - key generation time

For example, secure0-01_20131008_033222.key

To retain access to the secure storage in the event of an unrecoverable failure of the CloudLink instance, you should export and securely save all keys before storing data on the volumes. All keys are exported as a set into a single file. The exported keys will allow you to access the storage volumes from another CloudLink instance.

NOTE: Active Directory (AD) or RSA DPM can be used as a key store. For more information, see the CloudLink Amazon Web Services Administration Guide.
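The script below is an added example, not part of CloudLink. It uses the key naming format above to reconcile the volumes listed on the Storage tab with the key names listed in the Key panel (or in an exported key set), and reports two conditions a key custodian should catch before data is written: a volume with no key at all, and a volume whose newest key was generated after the last export, which happens whenever a volume is formatted again and means the saved export no longer contains the key in use. Volume names, key names and the export time are constructed for the example.

```python
"""Reconcile CloudLink key names with the volumes they protect.

Added example, not CloudLink code. Key names follow
volumeName_yyyyMMdd_HHmmss.key. All names and times here are constructed.
"""
import re
from datetime import datetime

KEY_NAME = re.compile(r"^(?P<volume>.+)_(?P<date>\d{8})_(?P<time>\d{6})\.key$")


def parse_key_name(name):
    """Return (volume name, generation time) or None for a non-matching name."""
    m = KEY_NAME.match(name)
    if not m:
        return None
    try:
        when = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    except ValueError:          # e.g. a month of 13 is not a real key name
        return None
    return m["volume"], when


def latest_keys(key_names):
    """Map each volume name to the generation time of its newest key."""
    latest = {}
    for name in key_names:
        parsed = parse_key_name(name)
        if parsed is None:
            continue
        volume, when = parsed
        if volume not in latest or when > latest[volume]:
            latest[volume] = when
    return latest


def volumes_without_key(volumes, key_names):
    """Volumes from the Storage tab for which no key name is listed at all."""
    have = latest_keys(key_names)
    return sorted(v for v in volumes if v not in have)


def volumes_needing_export(key_names, last_export_iso):
    """Volumes whose newest key postdates the last export (ISO 8601 timestamp)."""
    last_export = datetime.fromisoformat(last_export_iso)
    return sorted(v for v, when in latest_keys(key_names).items() if when > last_export)


if __name__ == "__main__":
    # Constructed sample: three volumes, one never keyed, one re-formatted after export.
    volumes = ["secure0-01", "secure0-02", "secure0-03"]
    keys = ["secure0-01_20131008_033222.key", "secure0-02_20131009_101500.key",
            "secure0-01_20131010_120000.key"]
    print("no key:", volumes_without_key(volumes, keys))
    print("export again:", volumes_needing_export(keys, "2013-10-09T12:00:00"))
```

The timestamps in key names are the only record of when a key was generated, so comparing them with the time of the last export is a cheap way to confirm that the saved key set is current before the volumes go into service.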


5.1.8 Configuring NFS/SMB Access to Secure Storage

To access a CloudLink instance’s secure storage over NFS/SMB, you configure which instances are granted access to the secure storage. For CloudLink instances in an AWS environment, you simply allow all machines connected to the CloudLink instance’s private subnet. As part of deployment, AWS security groups are configured and therefore act as a virtual firewall to control traffic into the CloudLink instance’s secure storage.

To configure the ACL to provide access to the storage for all members:

1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).

2. From the Topology Tree, select a CloudLink instance.

3. Click the Storage tab then the Configuration tab.

4. In the Options panel, click Access.

5. Select a volume from the Volume Name dropdown list.

6. Click the IP Address dropdown list, and select Any.

7. Click Add.

NOTE: All IP entries in the Access Control List must be deleted before you can select Any.

The Access Control List will display the subnet(s) that will be granted access to the secure storage.

Once access to a secure storage has been granted, the storage is made available over NFS/SMB to those devices that form part of the proper AWS security groups. For more information, see 6 Accessing the Secure Storage on page 29.
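With the ACL set to Any, the security group is the only control deciding which hosts can reach the storage listeners, so it is worth checking its inbound rules against the private subnet rather than trusting the console view. The script below is an added example, not CloudLink or AWS code: it reads `aws ec2 describe-security-groups` JSON and reports every rule that admits a source outside the allowed network to a storage port. The port numbers are the standard ones for NFS (2049 and rpcbind on 111), SMB (445) and iSCSI (3260), which the guide itself does not list; the embedded group is constructed with placeholder ids. Rules that reference other security groups (UserIdGroupPairs) and IPv6 ranges are not evaluated.

```python
"""Audit a CloudLink security group for storage-port exposure.

Added example, not CloudLink or AWS code. Port numbers are the standard
ones for each protocol; the sample group below is constructed.
"""
import ipaddress
import json

STORAGE_PORTS = {
    ("tcp", 111): "rpcbind (NFS)",
    ("udp", 111): "rpcbind (NFS)",
    ("tcp", 2049): "NFS",
    ("udp", 2049): "NFS",
    ("tcp", 445): "SMB",
    ("tcp", 3260): "iSCSI",
}

SAMPLE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0abc",                  # placeholder id
    "GroupName": "cloudlink-storage",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
         "IpRanges": [{"CidrIp": "10.0.0.0/24"}]},         # NFS from the private subnet: fine
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # SMB from anywhere: finding
        {"IpProtocol": "-1",                                # all traffic from a foreign range
         "IpRanges": [{"CidrIp": "192.168.5.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # not a storage port: ignored here
    ],
}]})


def rule_covers(rule, proto, port):
    """True if an IpPermissions entry admits traffic to proto/port."""
    if rule.get("IpProtocol") == "-1":      # "-1" is AWS's all-protocols rule
        return True
    if rule.get("IpProtocol") != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def storage_exposures(sg_json, allowed_net):
    """Sorted (group id, service, cidr) triples for storage rules not inside allowed_net."""
    allowed = ipaddress.ip_network(allowed_net)
    findings = set()
    for sg in json.loads(sg_json).get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            services = {svc for (proto, port), svc in STORAGE_PORTS.items()
                        if rule_covers(rule, proto, port)}
            if not services:
                continue
            for ip_range in rule.get("IpRanges", []):       # IPv4 only; Ipv6Ranges not checked
                cidr = ipaddress.ip_network(ip_range["CidrIp"])
                if cidr.version != allowed.version or not cidr.subnet_of(allowed):
                    for svc in services:
                        findings.add((sg["GroupId"], svc, ip_range["CidrIp"]))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed VPC range for the example; use your own private subnet or VPC CIDR.
    for group, service, cidr in storage_exposures(SAMPLE_SECURITY_GROUPS, "10.0.0.0/16"):
        print(f"{group}: {service} reachable from {cidr}")
```

Pass the CIDR of the CloudLink instance's private subnet (or the whole VPC) as `allowed_net`; every triple printed is a source range that can reach a storage service without passing through the per-host ACL the guide has you set to Any.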


5.1.9 Configuring iSCSI Access to Secure Storage

To access a CloudLink instance’s secure storage over iSCSI, you must configure CHAP credentials for use in performing incoming access to the iSCSI target (that is, one-way CHAP authentication).

If you wish to configure mutual CHAP authentication, you can optionally configure CHAP credentials for performing outgoing access from the CloudLink instance to the iSCSI initiator.

This section shows you how to:

Configure one-way CHAP authentication.

Configure mutual CHAP authentication.

To configure one-way CHAP authentication:

1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).

2. From the Topology Tree, select a CloudLink instance.

3. Click the Storage tab then the Configuration tab.

4. From the Options panel, click Access.

5. Select the encrypted volume for which you are configuring access from the Volume Name dropdown list in the Volume panel.

6. If the Access Control List is empty, then there are no credentials configured for accessing the iSCSI storage and the storage is therefore inaccessible. Set the ACL configuration to Any.

7. Enter a CHAP user name in the User Name field and a corresponding secret in the Secret field. This user name and secret combination will be used to authenticate the iSCSI initiator.


8. Select Incoming User in the User Type dropdown list and click Add.

NOTES:

You must configure the iSCSI initiator(s) you wish to connect to with one of the Incoming User credentials specified in the Access Control List.

The iSCSI Qualified Name (IQN) field is not used for this release.

To configure mutual CHAP authentication:

1. Configure one-way CHAP authentication as described in this section.

2. Enter a CHAP user name in the User Name field and a corresponding secret in the Secret field. This user name and secret combination will be used to authenticate the CloudLink iSCSI target to the initiator.


3. Select Outgoing User in the User Type dropdown list and click Add.

NOTES:

You can configure only one Outgoing User credential for each volume.

You must configure the iSCSI initiator(s) you wish to connect to with the Outgoing User credential specified in the Access Control List for mutual authentication.

The iSCSI Qualified Name (IQN) field is not used for this release.
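To make the Incoming User and Outgoing User roles concrete, the model below is an added example, not CloudLink's implementation, of the two exchanges this section configures. The target plays the CloudLink side: it holds the Incoming User credentials from the Access Control List and at most one Outgoing User credential. One-way CHAP is the target challenging the initiator; mutual CHAP adds a second challenge in the other direction, answered with the Outgoing User secret. Responses follow RFC 1994 (MD5 over identifier, secret and challenge), which is what CHAP specifies; the user names and secrets are constructed.

```python
"""One-way and mutual CHAP for iSCSI target access, modelled in code.

Added example, not CloudLink code. The target holds the Incoming User ACL
and one optional Outgoing User credential; responses follow RFC 1994.
Credential values used here are constructed.
"""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class IscsiTarget:
    """CloudLink-side role: verifies initiators and answers mutual challenges."""

    def __init__(self, incoming_users, outgoing_user=None):
        self.incoming_users = dict(incoming_users)  # Incoming User: name -> secret
        self.outgoing_user = outgoing_user          # Outgoing User: (name, secret) or None

    def challenge(self):
        """Fresh one-byte identifier and 16-byte random challenge for the initiator."""
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, ident, challenge, user, response):
        """One-way CHAP: an empty ACL or an unknown user never authenticates."""
        secret = self.incoming_users.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, challenge))

    def answer(self, ident, challenge):
        """Mutual CHAP: answer with the Outgoing User credential, if one is configured."""
        if self.outgoing_user is None:
            return None
        user, secret = self.outgoing_user
        return user, chap_response(ident, secret, challenge)


class IscsiInitiator:
    """Client-side role: holds its own credential and, for mutual CHAP, the target's."""

    def __init__(self, user, secret, expected_target=None):
        self.user, self.secret = user, secret
        self.expected_target = expected_target      # (name, secret) the target must prove

    def respond(self, ident, challenge):
        return self.user, chap_response(ident, self.secret, challenge)

    def challenge(self):
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, ident, challenge, user, response):
        if self.expected_target is None or user != self.expected_target[0]:
            return False
        expected = chap_response(ident, self.expected_target[1], challenge)
        return hmac.compare_digest(response, expected)


def iscsi_login(target, initiator, mutual=False):
    """Run the exchange and report which side authenticated which."""
    ident, chal = target.challenge()                   # target -> initiator
    user, resp = initiator.respond(ident, chal)        # initiator -> target
    result = {"initiator_authenticated": target.verify(ident, chal, user, resp)}
    if mutual:
        ident2, chal2 = initiator.challenge()          # initiator -> target
        answer = target.answer(ident2, chal2)          # target -> initiator
        result["target_authenticated"] = (
            answer is not None and initiator.verify(ident2, chal2, *answer)
        )
    return result


if __name__ == "__main__":
    cloudlink = IscsiTarget({"app01": "incoming-secret-example"},
                            outgoing_user=("cloudlink", "outgoing-secret-example"))
    client = IscsiInitiator("app01", "incoming-secret-example",
                            expected_target=("cloudlink", "outgoing-secret-example"))
    print(iscsi_login(cloudlink, client, mutual=True))
```

The two failure modes the notes above describe fall out of the model: with an empty Access Control List no initiator can authenticate, and a mutual login against a target with no Outgoing User credential leaves the target unauthenticated even though the initiator's own login succeeds.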


6 Accessing the Secure Storage

Once access to a CloudLink instance’s secure storage has been granted to virtual servers, the storage is made available to those devices over NFS/SMB or iSCSI.

If you opted to have the encrypted storage presented as a single volume, the storage volume name is secure0. If you opted to split the encrypted storage into multiple volumes, the volume name format is secure0-x where x represents the numerical identifier of the encrypted storage volume. For example, secure0-01 to secure0-12.

6.1.1 Storage Access in an EC2 Environment

To access encrypted secure storage from a Windows machine in an EC2 environment, launch a file browser from a qualified instance and enter the domain name of the CloudLink instance followed by the secure storage name. For example, a CloudLink instance with an EIP address of 54.232.178.105 may be accessed as follows:

\\ec2-54-232-178-105.sa-east-1.compute.amazonaws.com\secure0

To test the storage, you can create a folder on the encrypted storage volume.

To access the same encrypted secure storage from a Linux machine, mount the exported volume on a local path as follows:

mount ec2-54-232-178-105.sa-east-1.compute.amazonaws.com:/secure0 /mnt/folderName


6.1.2 Storage Access in a VPC Environment

To access an encrypted secure storage from a Windows machine in an EC2 environment, launch a file browser from a qualified instance and enter the private IP address of the CloudLink instance followed by the secure storage name. For example, a CloudLink instance with a private IP address of 10.0.0.103 may be accessed as follows:

\\10.0.0.103\secure0

For external access, you can use the public IP address.

To access the same encrypted secure storage from a Linux machine, mount the exported volume on a local path as follows:

mount 10.0.0.103:/secure0 /mnt/folderName


7 Terms and Acronyms

ACL Access Control List

AES Advanced Encryption Standard

AMI Amazon Machine Image

AWS Amazon Web Services

AWS Marketplace An online store of software and services to build products and run businesses. AWS Marketplace includes databases, application servers, testing tools, monitoring tools, content management, and business intelligence software.

CHAP Challenge-Handshake Authentication Protocol

CIFS Common Internet File System

DNS Domain Name Server

EBS Elastic Block Store

EC2 Elastic Compute Cloud

EIP Elastic Internet Protocol

FQDN Fully Qualified Domain Name

GB Gigabyte

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol Secure

I/O Input/Output

IOPS Input/Output Operations per Second

IP Internet Protocol

iSCSI Internet Small Computer System Interface

NFS Network File System

PIN Personal Identification Number

RDP Remote Desktop Protocol

SG Security Group

SMB Server Message Block

SSH Secure Shell

TB Terabyte

TCP Transmission Control Protocol

UDP User Datagram Protocol

vDC Virtual Data Center

VM Virtual Machine

VPC Virtual Private Cloud


Appendix A: AWS Deployment Worksheet

After deployment and before using the encrypted storage, you should log the AWS AMI instance configuration to help you correlate the CloudLink instances to their components.

CloudLink Instance Name:

Region / Availability Zone:

VPC Id. (vpc-):

AMI Id:

Instance Id. (i-):

Public DNS (ec2-):

Private DNS (ip-):

EIP Address:

Security groups (sg-):

Volumes (vol-) / Snapshots (snap-):

Other:
