Set Up a Secure Client-Side VPC - AWS

Overview

To securely connect with MarkLogic Data Hub Service over a peered connection, you must set up a client-side VPC (virtual private cloud) and create a peer role to peer with your MarkLogic VPC. Then configure your network and routing to use the peer role.

Before you begin

You need:

About this task

To set up your client-side VPC, you can create a new network stack in AWS. In this task, you will create a client-side VPC network stack and launch a bastion host in it. The bastion host is the single, controlled entry point between the outside world and MarkLogic.
Note: To learn how to use a bastion host, see using PuTTY with Windows or using SSH with Mac / Linux.

Procedure

  1. Download the customer-example.template. If necessary, modify the template.
    Important: MarkLogic recommends using a bastion host to improve the security of your VPC.
  2. Navigate to the AWS CloudFormation Console page.

    AWS CloudFormation create network stack

    • Click Create Stack.
    Important: Before you continue, ensure you are creating your stack in a region supported by Data Hub Service (DHS). See Supported Regions - AWS.
  3. In the Create stack page, specify the template.

    Sample VPC configuration specify template

    • Click Next.
  4. In the Specify stack details page, supply the fields with the following information:
    Note: For more general information on creating a stack, see Creating a Stack on the AWS CloudFormation Console.

    Sample VPC configuration

    Stack name: The name for this collection of AWS network resources.
    Availability Zone: Select three of your preferred availability zones. DHS requires at least three availability zones to ensure high availability (HA). To view availability zones supported by DHS, see Supported Regions - AWS.
      Important: If you use more than three availability zones, download the template and modify the file to add more entries for Private/Public Subnet CIDRs, Route Associations, and so on. Use "Upload a template to Amazon S3" as the option when creating a CloudFormation stack.
      Note: For more general information on availability zones supported by AWS, see Regions and Availability Zones.
    VPC CIDR: Range of IPv4 addresses used to set up your client-side VPC; this is the primary CIDR (Classless Inter-Domain Routing) block for your VPC. Example: 10.0.0.0/21
      Important: The CIDR block 20.0.0.0/10 is used internally. If your VPC CIDR is within the 20.0.0.0/10 range of IP addresses, your CIDR block size must be between a /20 and a /28 subnet mask. The maximum number of IP addresses in a CIDR block is 4,096, including all subnets.
    Public and Private Subnet CIDRs: The CIDR block that allocates the IP address range of each subnet. Enter one CIDR in each field. Example: 10.0.0.0/23, 10.0.2.0/23, 10.0.4.0/23, 10.0.6.0/25, 10.0.6.128/25, 10.0.7.0/25
    EC2 Key Name: See Creating a Key Pair.
      Important: You will need the private key file (.pem file extension) to configure SSH tunneling.

    • Click Next.
  5. (Optional) In the Configure stack options page, specify tags, IAM roles, and advanced options.
    • Click Next.
    Note: This optional step enables you to set additional options for your stack. For more general information on configuring stack options, see Setting AWS CloudFormation Stack Options.
  6. Review the details.

    Sample VPC configuration review details

    • To make changes, click Previous.
    • To confirm, click Create Stack.
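The CIDR rules in step 4 (the 20.0.0.0/10 reservation, the /20 to /28 prefix bound, the 4,096-address ceiling, three availability zones, and subnets that must fit inside the VPC without overlapping) are easy to get wrong in the console. The following checker is an added example, not part of this page or the MarkLogic template; it applies the 4,096-address ceiling to every plan and treats one public plus one private subnet per availability zone as the minimum, both assumptions derived from the table above.

```python
import ipaddress
from typing import List, Optional

# Range the page says Data Hub Service uses internally.
DHS_INTERNAL = ipaddress.IPv4Network("20.0.0.0/10")
# Page: at most 4,096 addresses in a CIDR block, all subnets included (applied to every plan here).
MAX_VPC_ADDRESSES = 4096
# Page: DHS needs at least three availability zones; assumed one public and one private subnet per zone.
MIN_SUBNETS_PER_TIER = 3


def _parse(cidr: str, problems: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Parse a CIDR strictly (host bits must be zero) and record any failure."""
    try:
        return ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"{cidr}: not a valid IPv4 CIDR block ({exc})")
        return None


def check_vpc_plan(vpc_cidr: str, public: List[str], private: List[str]) -> List[str]:
    """Return the problems found in a proposed layout; an empty list means it passes."""
    problems: List[str] = []
    vpc = _parse(vpc_cidr, problems)
    if vpc is None:
        return problems
    if vpc.num_addresses > MAX_VPC_ADDRESSES:
        problems.append(f"{vpc}: {vpc.num_addresses} addresses exceeds the {MAX_VPC_ADDRESSES} maximum")
    # The page says 'within'; overlaps() also catches a block that contains the reserved range.
    if vpc.overlaps(DHS_INTERNAL) and not 20 <= vpc.prefixlen <= 28:
        problems.append(f"{vpc}: lies within {DHS_INTERNAL}, so the prefix must be between /20 and /28")
    for tier, cidrs in (("public", public), ("private", private)):
        if len(cidrs) < MIN_SUBNETS_PER_TIER:
            problems.append(f"{tier}: need at least {MIN_SUBNETS_PER_TIER} subnets (one per availability zone)")
    subnets = [s for s in (_parse(c, problems) for c in public + private) if s is not None]
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s}: not inside VPC CIDR {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":  # the page's own example values
    print(check_vpc_plan("10.0.0.0/21", ["10.0.0.0/23", "10.0.2.0/23", "10.0.4.0/23"],
                         ["10.0.6.0/25", "10.0.6.128/25", "10.0.7.0/25"]) or "plan is consistent")
```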

Results

The new AWS stack is displayed. In the AWS CloudFormation Console, the stack status should read CREATE_COMPLETE before you continue.
Result of create network stack in AWS

Important: You will need the Public and Private Subnet Route Tables, the Public and Private CIDRs (the values you used to create this stack), and the BastionHostIP.
  • To view these values, click the Outputs tab.

In addition, you will need the VPC ID.

  • To view this value, click the Resources tab.
  • In the search box, enter "MarkLogicVPC". The VPC ID is in the Physical ID column.

What to do next