Set Up a Client-Side VPC - AWS

Overview

To securely connect with MarkLogic Data Hub Service over a peered connection, you must set up a client-side VPC (virtual network) and create a peer role that accepts a peering connection from the MarkLogic VPC. Then configure your route tables to enable the client-side VPC and MarkLogic VPC to communicate with each other. For an overview of VPC peering in Amazon Web Services (AWS), see https://aws.amazon.com/blogs/aws/new-vpc-peering-for-the-amazon-virtual-private-cloud/.

Before you begin

You need:

About this task

To set up your client-side VPC, you can create a new network stack in AWS. In this task, you will create a client-side VPC network stack and have the option to launch a bastion host in it. The bastion host enables you to securely connect from your client-side VPC to the MarkLogic VPC.
Note: To learn how to use a bastion host, see using PuTTY with Windows or using SSH with Mac / Linux.

Procedure

  1. Download the customer-example.template. If necessary, modify the template.
    Important: The customer-example.template creates a VPC. When you configure the template, you have the option to launch a bastion host in your VPC. The bastion host is the single SSH entry point into the VPC: the private endpoints in your service are reached by tunneling through it, so it is required for accessing them.
    Note: The customer-example.template is an optional template you can use to create your VPC. If you do not want to use our template to create your VPC, see https://docs.aws.amazon.com/vpc/.
  2. Navigate to the AWS CloudFormation Console page.

    AWS CloudFormation create network stack

    1. Click Create stack.
    2. Click With new resources (standard).
    Important: Before you continue, ensure you are creating your stack in a region supported by Data Hub Service (DHS). See Supported Regions - AWS.
  3. In the Create stack page, specify the template.

    Sample VPC configuration specify template

    • Click Next.
  4. In the Specify stack details page, supply the fields with the following information:
    Note: For more general information on creating a stack, see Creating a Stack on the AWS CloudFormation Console.

    Sample VPC configuration

    Field Description
    Stack name The name for this collection of AWS network resources.
    Bastion Host Select whether you want to create a bastion host in your client-side VPC.
    Important: You must create a bastion host in your client-side VPC to access private endpoints in your service.
    Zone Deploy Select the number of availability zones in which you will host your client-side VPC. For highest availability, MarkLogic recommends you select three AWS availability zones per region. For details, see Supported Regions - AWS.
    Availability Zone Select your preferred availability zones. Select the same number of availability zones specified in the Zone Deploy field.
    Important: If you use more than three availability zones, download the template and modify the file to add more entries for Private/Public Subnet CIDRs, Route Associations, and so on. Use "Upload a template to Amazon S3" as the option when creating a CloudFormation stack.
    Note: For more general information on regions supported by AWS, see Regions and Availability Zones.
    VPC CIDR Primary IPv4 CIDR (Classless Inter-Domain Routing) block for your client-side VPC. Every subnet CIDR you enter below must fall inside this block. Example: 10.0.0.0/21 (large enough to hold the six example subnets below)
    Important: The CIDR range 10.128.0.0/10 is used internally. If your VPC CIDR falls within 10.128.0.0/10, your block size must be between a /20 and a /28 netmask, so the VPC, including all of its subnets, has at most 4,096 IP addresses.
    Public and Private Subnet CIDRs One CIDR block per subnet: three public and three private. Enter one CIDR in each field. Example: 10.0.0.0/23, 10.0.2.0/23, 10.0.4.0/23, 10.0.6.0/25, 10.0.6.128/25, 10.0.7.0/25
    Important: You must provide values for all three public and all three private subnet CIDRs. The order matches the Availability Zones you selected; if you select one Availability Zone, the second and third public and private subnet CIDRs are ignored.
    EC2 Key Name The EC2 key pair whose private key you will use to SSH to the bastion host. See Creating a Key Pair.
    Important: Keep the private key file (.pem file extension) in a safe place. You need it to configure SSH tunneling, and AWS lets you download it only once, when the key pair is created.


    • Click Next.
  5. (Optional) In the Configure stack options page, specify tags, IAM roles, and advanced options.
    • Click Next.
    Note: This optional step enables you to set additional options for your stack. For more general information on configuring stack options, see Setting AWS CloudFormation Stack Options.
  6. Review the details.

    Sample VPC configuration review details

    • To make changes, click Previous.
    • To confirm, click Create Stack.
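A failed stack takes several minutes to roll back, so it is worth validating the CIDR fields from step 4 before clicking Create Stack. The following pre-flight check is an added example, not part of the MarkLogic template or documentation. It encodes the constraints stated above (six subnet CIDRs, only the first Zone Deploy entries of each group of three in use, the 10.128.0.0/10 rule) together with two AWS rules the page leaves implicit: every subnet must lie inside the VPC's CIDR block, and a peering connection cannot be created between VPCs whose CIDR blocks overlap. It assumes the subnet fields are ordered three public then three private, and the MarkLogic VPC CIDR passed as `peer_cidrs` is a placeholder you would obtain from your DHS portal.

```python
"""Pre-flight check for the CIDR parameters of the client-side VPC stack.

Added example; not MarkLogic's code.  Encodes the constraints from the
"Specify stack details" table plus the AWS rules that subnets must sit
inside the VPC CIDR and that peered VPCs must not overlap.
"""
import ipaddress

# Range the page says is used internally; VPC CIDRs inside it must be /20 .. /28.
INTERNAL_RANGE = ipaddress.ip_network("10.128.0.0/10")

# The six example subnet CIDRs from this page (three public, three private).
PAGE_SUBNETS = ["10.0.0.0/23", "10.0.2.0/23", "10.0.4.0/23",
                "10.0.6.0/25", "10.0.6.128/25", "10.0.7.0/25"]


def _parse(cidr):
    """Return an IPv4Network, or None if the string is not a valid IPv4 CIDR
    (strict=True also rejects host bits set, e.g. 10.0.1.0/23)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None
    return net if net.version == 4 else None


def check_vpc_plan(vpc_cidr, subnet_cidrs, zone_count, peer_cidrs=()):
    """Return a list of problems; an empty list means the plan is acceptable.

    vpc_cidr     - primary CIDR of the client-side VPC, e.g. "10.0.0.0/21"
    subnet_cidrs - the six Public and Private Subnet CIDR fields, in template
                   order (assumed: three public, then three private)
    zone_count   - the Zone Deploy value (1..3); entries for unused zones are
                   ignored, as the page states
    peer_cidrs   - CIDRs of VPCs this VPC will peer with, if known (placeholder
                   for the MarkLogic VPC CIDR, which this page does not give)
    """
    problems = []
    vpc = _parse(vpc_cidr)
    if vpc is None:
        return [f"VPC CIDR {vpc_cidr!r} is not a valid IPv4 network"]
    # AWS accepts VPC CIDR blocks from /16 to /28.
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC CIDR {vpc} must be between /16 and /28")
    if vpc.subnet_of(INTERNAL_RANGE) and not 20 <= vpc.prefixlen <= 28:
        problems.append(f"VPC CIDR {vpc} lies in {INTERNAL_RANGE}; size must be /20 to /28")
    if not 1 <= zone_count <= 3:
        problems.append(f"Zone Deploy must be 1, 2 or 3, not {zone_count}")
        return problems
    if len(subnet_cidrs) != 6:
        problems.append(f"expected six subnet CIDRs, got {len(subnet_cidrs)}")
        return problems
    # Only the first zone_count entries of each group of three are used.
    used = list(subnet_cidrs[:zone_count]) + list(subnet_cidrs[3:3 + zone_count])
    nets = []
    for cidr in used:
        net = _parse(cidr)
        if net is None:
            problems.append(f"subnet CIDR {cidr!r} is not a valid IPv4 network")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is outside VPC CIDR {vpc}")
        if net.prefixlen > 28:
            problems.append(f"subnet {net} is smaller than the AWS minimum of /28")
        nets.append(net)
    # Subnets within one VPC must not overlap each other.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    # AWS refuses a peering connection between VPCs with overlapping CIDRs.
    for cidr in peer_cidrs:
        peer = _parse(cidr)
        if peer is None:
            problems.append(f"peer CIDR {cidr!r} is not a valid IPv4 network")
        elif vpc.overlaps(peer):
            problems.append(f"VPC CIDR {vpc} overlaps peer VPC {peer}; peering will be refused")
    return problems


if __name__ == "__main__":
    # A /21 holds all six example subnets; a /23 does not.
    for vpc_cidr in ("10.0.0.0/21", "10.0.0.0/23", "10.128.0.0/16"):
        print(vpc_cidr, check_vpc_plan(vpc_cidr, PAGE_SUBNETS, 3) or "OK")
```

Run it with the values you intend to type into the console; an empty result means the VPC CIDR, the in-use subnets and any peer CIDR you supplied are consistent with one another. Passing the MarkLogic VPC's CIDR as `peer_cidrs` catches the overlap case early, which otherwise only surfaces when the peering request is rejected.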

Results

The new AWS stack is displayed. In the AWS CloudFormation Console, wait until the status of the stack is CREATE_COMPLETE. If the status is ROLLBACK_COMPLETE instead, open the Events tab to find the resource that failed, fix the template or parameters, delete the failed stack, and create it again.
Result of create network stack in AWS

Important: Make note of the values that each task produces. Depending on your organization's security model, you may need to share them with others in your organization.

Value: Region
How to find: For details, see https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-region.html.
Required to: Set Up a Peered Network

Value: VPC ID
Note: If using customer-example.template, this value is also known as MarkLogicVPC.
How to find: In the AWS CloudFormation Console, click the stack name and then the Resources tab. Note the value for MarkLogicVPC. Example: vpc-0f23c32843d97f2fb. For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html.
Required to: Set Up a Peered Network

Value: VPC CIDR
How to find: In the AWS CloudFormation Console, click the stack name and then the Parameters tab. Example: 10.0.0.0/21. For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html.
Required to: Set Up a Peered Network

Value: Public and Private Subnet CIDRs
Note: In your DHS portal, these values are also known as User Subnet CIDRs.
How to find: In the AWS CloudFormation Console, click the stack name and then the Parameters tab. Example: 10.0.0.0/23, 10.0.2.0/23, 10.0.4.0/23, 10.0.6.0/25, 10.0.6.128/25, 10.0.7.0/25. For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html.
Required to: Set Up a Peered Network

Value: Public and Private Subnet Route Tables
How to find: In the AWS CloudFormation Console, click the stack name and then the Outputs tab. Example: rtb-1234abcd5678efghi. For more general information, see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html.
Required to: Configure Your Network Routing

Value: BastionHostIP
Note: If configuring SSH tunneling with the script in your DHS portal, this value is also known as BASTION_EC2.
How to find: In the AWS CloudFormation Console, click the stack name and then the Outputs tab.
Note: If you do not use customer-example.template, locate the public IP address of the bastion host you created. Unless the bastion host has an Elastic IP address, its public address changes each time the instance is stopped and started, so re-check this value after a restart.

What to do next