Prerequisites for CloudFormation Deployments
This topic describes the AnzoGraph prerequisites and provides instructions for meeting the requirements before you deploy the AnzoGraph infrastructure.
EC2 Key Pair
All users who deploy AnzoGraph must have an existing EC2 key pair in AWS. For instructions on creating one, see Creating an EC2 Key Pair.
Creating an EC2 Key Pair
If you do not have an existing key pair for EC2 usage, follow the instructions in this section to create one. Each user must create a key pair for their own account.
- Log in to the AWS EC2 Management Console.
- In the console navigation, click Key Pairs to open the key pairs page and view the list of existing key pairs.
- Click Create Key Pair to create a new key. AWS opens the Create Key Pair dialog box.
- In the Key pair name field, type the name to use to identify this key pair, and then click Create.
Amazon adds the key to the list of key pairs on the key pair screen and automatically downloads the key to your computer as a PEM file. The new key pair becomes available as a choice when you deploy AnzoGraph, and you can use the PEM file for SSH access to the cluster.
AWS Centos 7 Community AMI Subscription
Your organization's AWS account must have an active subscription for the free CentOS 7 (x86_64) community AMI published in the AWS Marketplace. See Checking Your Account for a CentOS 7 Community AMI Subscription.
Checking Your Account for a CentOS 7 Community AMI Subscription
Before deploying AnzoGraph, make sure that your AWS account has an active subscription for the free CentOS 7 (x86_64) community AMI published in the AWS Marketplace. AnzoGraph uses a custom-built AMI that is based on the CentOS 7 community AMI. To see if your account has an active subscription, see Your Software Subscriptions in the AWS Marketplace.
To subscribe for the free CentOS community AMI, go to the CentOS 7 (x86_64) page in the Marketplace and click Subscribe.
Amazon VPC
You must have an Amazon Virtual Private Cloud (VPC) to deploy AnzoGraph into. If you do not have a VPC or do not want to deploy AnzoGraph into an existing one, see Creating a VPC for instructions on creating a new VPC.
Creating a VPC
Follow the instructions below to create a public VPC that you can deploy AnzoGraph into. Cambridge Semantics does not recommend using this type of VPC with a public subnet for a development or production environment.
- Log in to the AWS VPC Management Console. On the VPC Dashboard, if you are presented with the option, select the region in which you want to create the VPC. Then click Start VPC Wizard. AWS displays the Select a VPC Configuration screen.
- On the Select a VPC Configuration screen, accept the default option, VPC with a Single Public Subnet, and click the Select button.
- On the VPC with a Single Public Subnet configuration screen, accept all of the default values except for the VPC name. Type a name for the VPC in the VPC name field.
- Click Create VPC. AWS creates the VPC and displays a "VPC Successfully Created" message. Click OK.
- Get the ID of the new subnet that AWS created in the VPC. You will need the subnet ID when you deploy AnzoGraph:
- In the VPC Management Console navigation, click Subnets. The console displays the list of subnets.
- In the search field above the list, search for the VPC that you created in the previous steps. The console displays the subnet details for the subnet in your VPC.
- Copy the value in the Subnet ID column so that you can enter that value during the deployment process.
The new VPC becomes available as a choice when you deploy AnzoGraph.
NFS Server Requirements
If you store data on NFS servers and want to give AnzoGraph access to the data, make sure that the AnzoGraph instances have network connectivity to the NFS servers. NFS servers should allow inbound access from the AnzoGraph nodes on TCP ports 2049 and 111.
Browser Requirements
The AnzoGraph Query and Administration Console supports the latest Safari, Google Chrome, and Mozilla Firefox browsers. Microsoft Edge and Internet Explorer are not supported at this time.
IAM Requirements
In addition to having an existing EC2 key pair in AWS, there are also Identity and Access Management (IAM) requirements for deploying AnzoGraph. Permissions must include an AnzoGraphCFN policy that grants access to run the AnzoGraph CloudFormation service as well as create the infrastructure that the service deploys.
There are two methods to choose from when assigning the required policy:
- Basic: Attach the AnzoGraphCFN policy to a user or create a group that includes the policy and add users to the group. This method grants users permission to run the CloudFormation service as well as privileges to deploy the same components that the service does, such as subnets, IAM resources, security groups, route tables, and NAT gateways. For instructions, see Applying the IAM Policy to a User.
- Advanced: Attach the AnzoGraphCFN policy to a CloudFormation service, which delegates permission to create the AnzoGraph infrastructure to the CloudFormation service but does not grant the same privileges to the users who deploy AnzoGraph. This method requires adding a minimal policy to IAM user permissions to allow users to run the CloudFormation service. For instructions, see Applying the IAM Policy to a CloudFormation Service.
Applying the IAM Policy to a User
This section provides instructions for defining the AnzoGraphCFN policy in AWS and applying the policy to a user or group.
This procedure grants users permission to run the AnzoGraph CloudFormation service as well as privileges to deploy the same components that the service does, such as subnets, IAM resources, security groups, route tables, NAT gateways, etc. For instructions on delegating permissions to the AnzoGraph CloudFormation service instead of users, see Applying the IAM Policy to a CloudFormation Service.
- Log in to the AWS IAM Management Console.
- In the console navigation, click Policies to open the policies page.
- On the policies page, click Create Policy. Then click the JSON tab on the Create policy screen.
- On the JSON tab, overwrite the existing text with the following AnzoGraphCFN policy JSON:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteSubnet", "ec2:DescribeInstances", "iam:RemoveRoleFromInstanceProfile", "iam:CreateRole", "lambda:GetFunctionConfiguration", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "ec2:DeleteRouteTable", "ec2:AssociateRouteTable", "ec2:DescribeInternetGateways", "elasticloadbalancing:DescribeLoadBalancers", "ec2:CreatePlacementGroup", "autoscaling:DescribeAutoScalingGroups", "ec2:CreateRoute", "ec2:RevokeSecurityGroupEgress", "autoscaling:UpdateAutoScalingGroup", "ec2:DescribeAccountAttributes", "lambda:DeleteFunction", "autoscaling:DeleteTags", "iam:GetRole", "lambda:InvokeFunction", "ec2:CreateTags", "autoscaling:DescribeTags", "ec2:CreateRouteTable", "cloudformation:*", "iam:DeleteRole", "ec2:DisassociateRouteTable", "ec2:RevokeSecurityGroupIngress", "autoscaling:CreateOrUpdateTags", "ec2:DeleteNatGateway", "autoscaling:DeleteAutoScalingGroup", "ec2:CreateSubnet", "ec2:AssociateAddress", "ec2:DescribeSubnets", "autoscaling:CreateAutoScalingGroup", "iam:CreateInstanceProfile", "ec2:DisassociateAddress", "autoscaling:DescribeAutoScalingInstances", "ec2:DescribeAddresses", "ec2:DeleteTags", "ec2:CreateNatGateway", "autoscaling:DescribeLaunchConfigurations", "sns:ListTopics", "iam:DeletePolicy", "pricing:GetProducts", "iam:PassRole", "elasticloadbalancing:DescribeListeners", "autoscaling:DescribeScalingActivities", "iam:DeleteRolePolicy", "ec2:CreateSecurityGroup", "iam:DeleteInstanceProfile", "ec2:ReleaseAddress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DeletePlacementGroup", "lambda:GetFunction", "ec2:DeleteRoute", "ec2:AllocateAddress", "ec2:DescribeSecurityGroups", "autoscaling:CreateLaunchConfiguration", "ec2:Describe*", "autoscaling:DeleteLaunchConfiguration", "ec2:DescribeVpcs", "ec2:DeleteSecurityGroup", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetGroups" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteLoadBalancer", "s3:GetObject", "iam:CreateServiceLinkedRole", "elasticloadbalancing:CreateLoadBalancer" ], "Resource": [ "arn:aws:s3:::csi-solo-cfn/*", "arn:aws:iam::*:role/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:CreateLoadBalancer" ], "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:DeleteListener" ], "Resource": [ "arn:aws:elasticloadbalancing:*:*:listener/*/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": [ "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" }, { "Sid": "VisualEditor5", "Effect": "Allow", "Action": "elasticloadbalancing:AddTags", "Resource": [ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor6", "Effect": "Allow", "Action": "elasticloadbalancing:AddTags", "Resource": [ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor7", "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:DeleteListener" ], "Resource": [ "arn:aws:elasticloadbalancing:*:*:listener/*/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor8", "Effect": "Allow", "Action": [ "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" } ] } - Click Review policy.
- On the Review policy screen, type AnzoGraphCFN in the Name field and add an optional Description. The Summary lists the following four services: CloudFormation, IAM, Lambda, and S3.
- Click Create policy to submit the new policy and return to the policies screen.
- If you want to apply the policy to an IAM user, follow these steps:
- On the IAM Management Console navigation, click Users.
- On the users screen, click the user name for which you want to add the policy.
- On the Summary screen for the user click the Add permissions button.
- On the Add permissions screen, click Attach existing policies directly. The console displays the list of policies to choose from.
- Click the check box next to the AnzoGraphCFN policy and then click Next: Review. The console displays the Permissions summary screen.
- On the Permissions summary screen, click Add permissions.
The user now has permission to run the AnzoGraph CloudFormation service as well as privileges to deploy the same components as the service.
- If you want to create an AnzoGraphCFN group to apply the policy, follow these steps:
- On the IAM Management Console navigation, click Groups.
- On the groups screen, click Create New Group.
- On the Set Group Name screen, type a name for the group. For example, "AnzoGraphCFN." Then click Next Step. The console displays the Attach Policy screen.
- On the Attach Policy screen, click the checkbox next to the AnzoGraphCFN policy that you created, and then click Next Step. The console displays the Review screen.
- Review the new group details, and then click Create Group.
Any users in the new group will have the ability to deploy AnzoGraph as well as privileges to deploy the same components as the CloudFormation service.
Applying the IAM Policy to a CloudFormation Service
This section provides instructions for applying the AnzoGraphCFN IAM policy to the CloudFormation service without granting the same privileges to users who deploy AnzoGraph. Cambridge Semantics recommends that you review AWS CloudFormation Service Role in the AWS documentation for important information and best practices.
Choosing to allow the CloudFormation service to create and manage AnzoGraph instances and resources instead of a user requires that you follow more advanced deployment instructions that include manual steps. See Deploy AnzoGraph with a CloudFormation Service Role for more information.
Follow the steps below to add the AnzoGraphCFN policy to AWS, create a CloudFormation service role that applies the policy, and add a minimal user role policy so that users can access the CloudFormation service.
- Log in to the AWS IAM Management Console.
- In the console navigation, click Policies to open the policies page.
- On the policies page, click Create Policy. Then click the JSON tab on the Create policy screen.
- On the JSON tab, overwrite the existing text with the following AnzoGraphCFN policy JSON:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteSubnet", "ec2:DescribeInstances", "iam:RemoveRoleFromInstanceProfile", "iam:CreateRole", "lambda:GetFunctionConfiguration", "iam:PutRolePolicy", "iam:AddRoleToInstanceProfile", "ec2:DeleteRouteTable", "ec2:AssociateRouteTable", "ec2:DescribeInternetGateways", "elasticloadbalancing:DescribeLoadBalancers", "ec2:CreatePlacementGroup", "autoscaling:DescribeAutoScalingGroups", "ec2:CreateRoute", "ec2:RevokeSecurityGroupEgress", "autoscaling:UpdateAutoScalingGroup", "ec2:DescribeAccountAttributes", "lambda:DeleteFunction", "autoscaling:DeleteTags", "iam:GetRole", "lambda:InvokeFunction", "ec2:CreateTags", "autoscaling:DescribeTags", "ec2:CreateRouteTable", "cloudformation:*", "iam:DeleteRole", "ec2:DisassociateRouteTable", "ec2:RevokeSecurityGroupIngress", "autoscaling:CreateOrUpdateTags", "ec2:DeleteNatGateway", "autoscaling:DeleteAutoScalingGroup", "ec2:CreateSubnet", "ec2:AssociateAddress", "ec2:DescribeSubnets", "autoscaling:CreateAutoScalingGroup", "iam:CreateInstanceProfile", "ec2:DisassociateAddress", "autoscaling:DescribeAutoScalingInstances", "ec2:DescribeAddresses", "ec2:DeleteTags", "ec2:CreateNatGateway", "autoscaling:DescribeLaunchConfigurations", "sns:ListTopics", "iam:DeletePolicy", "pricing:GetProducts", "iam:PassRole", "elasticloadbalancing:DescribeListeners", "autoscaling:DescribeScalingActivities", "iam:DeleteRolePolicy", "ec2:CreateSecurityGroup", "iam:DeleteInstanceProfile", "ec2:ReleaseAddress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DeletePlacementGroup", "lambda:GetFunction", "ec2:DeleteRoute", "ec2:AllocateAddress", "ec2:DescribeSecurityGroups", "autoscaling:CreateLaunchConfiguration", "ec2:Describe*", "autoscaling:DeleteLaunchConfiguration", "ec2:DescribeVpcs", "ec2:DeleteSecurityGroup", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTargetGroups" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteLoadBalancer", "s3:GetObject", "iam:CreateServiceLinkedRole", "elasticloadbalancing:CreateLoadBalancer" ], "Resource": [ "arn:aws:s3:::csi-solo-cfn/*", "arn:aws:iam::*:role/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:CreateLoadBalancer" ], "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:DeleteListener" ], "Resource": [ "arn:aws:elasticloadbalancing:*:*:listener/*/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor4", "Effect": "Allow", "Action": [ "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" }, { "Sid": "VisualEditor5", "Effect": "Allow", "Action": "elasticloadbalancing:AddTags", "Resource": [ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor6", "Effect": "Allow", "Action": "elasticloadbalancing:AddTags", "Resource": [ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor7", "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:DeleteListener" ], "Resource": [ "arn:aws:elasticloadbalancing:*:*:listener/*/*/*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*" ] }, { "Sid": "VisualEditor8", "Effect": "Allow", "Action": [ "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" } ] } - Click Review policy.
- On the Review policy screen, type AnzoGraphCFN in the Name field and add an optional Description. The Summary lists the following four services: CloudFormation, IAM, Lambda, and S3.
- Click Create policy to submit the new policy and return to the policies screen.
- In the AWS IAM Management console navigation, click Roles.
- On the Roles screen, click Create role.
- On the Create role screen under Select type of trusted entity, select AWS service.
- At the bottom if the screen under Choose the service that will use this role, click CloudFormation. Then click Next: Permissions. The console displays a list of the available permissions policies.
- In the list of policies, select the check box next to the AnzoGraphCFN policy you created. Then click Next: Review.
- On the Review screen, type a name for the role in the Role name field. Then click Create role to submit the role and return to the roles screen.
The AnzoGraph CloudFormation service can now create and manage the AnzoGraph instances and resources.
- Create the minimal user role policy to apply to users who need permission to access the AnzoGraph CloudFormation service:
- In the IAM Management console navigation, click Policies.
- On the policies page, click Create Policy. Then click the JSON tab on the Create policy screen.
- On the JSON tab, overwrite the existing text with the following AnzoGraphCFN policy JSON:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:Passrole" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::csi-solo-cfn*" } ] } - Click Review policy.
- On the Review policy screen, type a name for the policy in the Name field and add an optional Description. The Summary lists the following three services: CloudFormation, IAM, and S3.
- Click Create policy to submit the new policy and return to the policies screen.
- Apply the new policy to any user or group that should have permission to access the AnzoGraph CloudFormation service.