Set Up a Client-Side VPC - AWS

Overview

To securely connect with MarkLogic Data Hub Service over a peered connection, you must set up a client-side VPC (virtual network) and create a peer role that accepts a peering connection from the MarkLogic VPC. Then configure your route tables to enable the client-side VPC and MarkLogic VPC to communicate with each other. For an overview of VPC peering in Amazon Web Services (AWS), see https://aws.amazon.com/blogs/aws/new-vpc-peering-for-the-amazon-virtual-private-cloud/.

Before you begin

You need:

An AWS account with permissions to create and configure AWS VPCs (virtual networks)
To subscribe to MarkLogic Data Hub Service (DHS) on AWS

About this task

To set up your client-side VPC, you can create a new network stack in AWS. In this task, you will create a client-side VPC network stack and have the option to launch a bastion host in it. The bastion host enables you to securely connect from your client-side VPC to the MarkLogic VPC.

Note: To learn how to use a bastion host, see using PuTTY with Windows or using SSH with Mac / Linux.

Procedure

Download the customer-example.template. If necessary, modify the template.

Important: The customer-example.template creates a VPC. When you configure the template, you have the option to launch a bastion host in your VPC. A bastion host improves the security of your VPC and is required for accessing private endpoints in your service.

Note: The customer-example.template is an optional template you can use to create your VPC. If you do not want to use our template to create your VPC, see https://docs.aws.amazon.com/vpc/.
Navigate to the AWS CloudFormation Console page.
1. Click Create stack.
2. Click With new resources (standard).
Important: Before you continue, ensure you are creating your stack in a region supported by Data Hub Service (DHS). See Supported Regions - AWS.
In the Create stack page, specify the template.
- Click Next.

In the Specify stack details page, supply the fields with the following information:

Note: For more general information on creating a stack, see Creating a Stack on the AWS CloudFormation Console.


Field	Description
Stack name	The name for this collection of AWS network resources.
Bation Host	Select whether you want to create a bastion host in your client-side VPC. Important: You must create a bastion host in your client-side VPC to access private endpoints in your service.
Zone Deploy	Select the number of availability zones in which you will host your client-side VPC. For highest availability, MarkLogic recommends you select three AWS availability zones per region. For details, see Supported Regions - AWS.
Availability Zone	Select your preferred availability zones. Select the same number of availability zones specified in the Zone Deploy field. Important: If you use more than three availability zones, download the template and modify the file to add more entries for Private/Public Subnet CIDRs, Route Associations, and so on. Use "Upload a template to Amazon S3" as the option when creating a CloudFormation stack. Note: For more general information on regions supported by AWS, see Regions and Availability Zones.
VPC CIDR	Range of IPv4 addresses used to set up your client-side VPC. Primary CIDR (Classless Inter-Domain Routing) block for your VPC. Example: `10.0.0.0/23` Important: The CIDR range `10.128.0.0/10` is used internally. If your VPC CIDR is in the `10.128.0.0/10` range, your block size must be between a `/20` netmask and `/28` netmask. The maximum number of IP addresses including all subnets in this CIDR range is 4,096.
Public and Private Subnet CIDRs	CIDR is used to allocate an IP address for each subnet. Enter one CIDR in each field. Example: `10.0.0.0/23, 10.0.2.0/23, 10.0.4.0/23, 10.0.6.0/25, 10.0.6.128/25, 10.0.7.0/25` Important: You must provide values for all three public and private subnet CIDRs. The order is the same as the Availability Zones selected. For example, if you select one Availability Zone, the second and third public and private subnet CIDRs will be ignored.
EC2 Key Name	See Creating a Key Pair. Important: You will need the certificate file (`.pem` file extension) to configure SSH tunneling.

Click the following link to view a full list of client-side network resources.

Click Next.

(Optional) In the Configure stack options page, specify tags, IAM roles, and advanced options.
- Click Next.
Note: This optional step enables you to set additional options for your stack. For more general information on configuring stack options, see Setting AWS CloudFormation Stack Options.
Review the details.
- To make changes, click Previous.
- To confirm, click Create Stack.

Results

The new AWS stack is displayed. In the AWS CloudFormation Console, the status of the stack must be CREATE_COMPLETE.

Important: Make note of values that each task produces. Depending on your organization's security model, values might need to be shared with others in your organization.


Value	How to find	Required to
Region	For details, see https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-region.html.	Set Up a Peered Network
VPC ID Note: If using `customer-example.template`, this value is also known as MarkLogicVPC.	In AWS CloudFormation Console, click the stack name and then the Resources tab. Note the value for MarkLogicVPC. Example: `vpc-0f23c32843d97f2fb` For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html.	Create the Peer Role Set Up a Peered Network
VPC CIDR	In AWS CloudFormation Console, click the stack name and then click the Parameters tab. Example: `10.0.0.0/23` For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html.	Set Up a Peered Network
Public and Private Subnet CIDRs Note: In your DHS portal, these values are also known as User Subnet CIDRs.	In AWS CloudFormation Console, click the stack name and then click the Parameters tab. Example: `10.0.0.0/23, 10.0.2.0/23, 10.0.4.0/23, 10.0.6.0/25, 10.0.6.128/25, 10.0.7.0/25` For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html.	Set Up a Peered Network
Public and Private Subnet Route Tables	In AWS CloudFormation Console, click the stack name and then click the Outputs tab. Example: `rtb-1234abcd5678efghi` For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html.	Configure Your Network Routing
BastionHostIP Note: If configuring SSH tunneling with the script in your DHS portal, this value is also known as BASTION_EC2.	In AWS CloudFormation Console, click the stack name and then click the Outputs tab. Note: If you do not use `customer-example.template`, locate the IP address of the bastion host you created.	Configure SSH Tunneling with Mac / Linux Configure SSH Tunneling with Windows

What to do next

Create the VPC peer role.