You can obtain the Infoblox vNIOS for AWS AMI by going to the Community AMIs page in Amazon Web Services. Use 'NIOS' or 'Infoblox' as the search term to locate the AMI. For information, see Infoblox.
This section describes the procedure you use to launch and provision an Infoblox vNIOS for AWS instance for your AWS VPC in the AWS console. This procedure supports users who want to provision Infoblox vNIOS for AWS using the BYOL (Bring Your Own Licensing) licensing model. It provides the complete sequence of procedures you perform to manually provision a new Infoblox vNIOS for AWS instance in AWS.
When you use the BYOL licensing model, you install licenses using the standard methods described in the Infoblox NIOS Documentation, including a set of temporary feature licenses. Ensure that you add the following licenses to the appliance: a vNIOS license for your Infoblox vNIOS for AWS instance; a DNS license to run DNS services; a DHCP license to run DHCP services in the Infoblox vNIOS instance deployed on AWS; the Enterprise (Grid) license to configure it as a Grid Master, a Grid member, or a Grid Master Candidate; and the CNA (Cloud Network Automation) license to manage cloud features on the Grid Master. All other NIOS features are available for use in Infoblox vNIOS for AWS instances and can be enabled by their respective licenses.
You may also use the Paid NIOS model or Elastic Scaling (dynamic licenses) to automatically provision and configure vNIOS instances in the AWS VPC. For more information about these licensing models, see Provisioning vNIOS for AWS Using the Paid NIOS Model and Provisioning Infoblox vNIOS for AWS using Elastic Scaling.
- You cannot combine BYOL and Paid NIOS on the same vNIOS member, but you can have a mix of BYOL and Paid NIOS licenses in the same Grid.
- DHCP services can now run on NIOS instances deployed on AWS to serve clients that are outside AWS. Due to an AWS restriction, DHCP cannot be offered to instances running on AWS.
Obtaining the Infoblox vNIOS for AWS AMI
You obtain the Infoblox vNIOS for AWS AMI from the AWS wizard's Community AMIs page. Installation of the Infoblox vNIOS for AWS AMI involves a series of steps in the AWS console, during which you configure and launch a new Infoblox vNIOS for AWS instance. You may use either the BYOL or Paid NIOS model to establish your Infoblox NIOS features for your deployment of an instance.
To obtain and configure vNIOS for AWS using BYOL:
- Log in to AWS using your chosen AWS account.
- In the main AWS Console page, click EC2.
- Click the Launch Instance button. The Choose AMI page of the Amazon Launch Instance wizard opens.
- Click the Community AMIs tab.
- Search for the Infoblox vNIOS for AWS AMI by entering the strings NIOS or Infoblox in the Search Community AMIs box. The Infoblox AMI listing appears in the search results.
- For the Infoblox vNIOS for AWS AMI, click Select.
- Select the EC2 Instance Type based on your requirements. See Table 1.1 for your available options.
- Click Next: Configure Instance Details to define the networking settings for your new Infoblox vNIOS for AWS instance. For information, see the section Defining Network Settings for your New Infoblox vNIOS for AWS Instance.
Defining Network Settings for your New Infoblox vNIOS for AWS Instance
Infoblox vNIOS virtual appliances require two network interfaces (MGMT and LAN1) for proper Grid communications. These interfaces must be assigned to separate subnets within the same VPC.
Note that the NIOS GUI communicates through the MGMT port. If for any reason you must make changes to the MGMT port, such as swapping NICs or changing the MGMT IP address from static to dynamic, ensure that you use the same IP address for the MGMT port before and after the changes. Otherwise, you might not be able to access the NIOS GUI.
Network settings made in your AWS cloud environment override changes made through the NIOS GUI or CLI. Therefore, when making changes to your network settings through the NIOS GUI or CLI, such as adding, modifying, or deleting network interfaces, ensure that the related changes are consistent with those in the cloud networks.
In the AWS wizard's Configure Instance Details page, you define the network settings for the new Infoblox vNIOS for AWS instance, including both required network interfaces.
Networks with IPv6 addresses are supported only in NIOS 8.5.2.
1. Choose your VPC from the Network drop-down list.
   a. If you have not yet created a VPC, click the Create New VPC link, and specify the name and the IP address range (in standard CIDR format) for the new VPC. (The address range you specify in this step appears as the top-level network view in the NIOS Data Management -> IPAM page.)
   b. Define the Subnet to which the new Infoblox vNIOS for AWS instance is assigned. Each VPC must have a default subnet; you then select this subnet value for your configuration:
      - If you have not yet created a subnet for your VPC, click the Create new subnet link.
      - In the VPC Dashboard page, which may open in a new browser window, click Subnets.
      - Click Create Subnet. In the VPC list, select the VPC you created in Step 1a, and enter the CIDR Block for the subnet. The subnet CIDR block must lie within the VPC's address range and be a smaller block (a longer prefix length) than the VPC range.
      - Click Yes, Create.
      You may create more than one subnet. The subnet prefix values appear in the Subnet field for each network interface in your AWS console.
2. For the Auto-assign Public IP setting, keep the Disable default.
   Because you are creating an instance with two interfaces, AWS does not allow a Public IP assignment to the new Infoblox vNIOS for AWS instance. AWS displays a warning to this effect when you create the second interface. (You may use an Elastic IP address or a private IP address.)
   Click Yes, Create.
3. Choose the IAM role for the new Infoblox vNIOS for AWS instance. Select your IAM role from the list. You may use default settings for your initial testing. It also may be defined in the AWS console on the Identity and Access Management page. Your AWS administrator may not allow custom IAM accounts for your deployment, so this may not be a selectable value.
For more information about Amazon IAM, see the Amazon IAM documentation page at http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html. For information about how Amazon IAM roles and permissions work with your Infoblox vNIOS for AWS instances to ensure secure and accurate authorization of user privileges, see Credentials for vDiscovery, and Assigning AWS User Credentials to the NIOS Cloud Admin Account.
4. Keep the default Tenancy setting (Shared tenancy (multi-tenant hardware)). For information about Tenant settings, see About Tenants.
5. Select Network Interfaces -> eth0 and then select the default Subnet from the drop-down list. This subnet should be the same one as the subnet described in Step 1b above. (If a default subnet is in the selected VPC, it automatically appears in this field.)
You must use two interfaces for your new Infoblox vNIOS for AWS instance: eth0 and eth1. You create a new eth1 interface for your instance. You use the eth1 interface to join the new Infoblox vNIOS for AWS instance to a NIOS Grid.
6. Click the Add Device button. A new eth1 interface listing appears.
The eth1 interface, automatically designated as such during configuration of the new Infoblox vNIOS for AWS instance, is also labeled as LAN1 in NIOS. You cannot change this setting.
For SSH access to the new Infoblox vNIOS for AWS instance, you must always use the IP address associated with the LAN1 port.
- For eth1, choose the default Subnet from the drop-down list. (For more information on usage of Elastic IP addresses for interfaces in your Infoblox vNIOS for AWS instances, see Using an Elastic IP Address.)
7. Open Advanced Details to configure the User data settings for your new instance.
In order to access the NIOS GUI when you start the vNIOS for AWS instance, you must install the vNIOS license. You can do so by setting the value "temp_license:vnios" in the User data settings. You can also use the NIOS CLI to set the temporary or permanent licenses. For more information, see the section Initializing New Infoblox vNIOS for AWS Instances with the AWS User Data Field.
You can provision the Infoblox vNIOS for AWS instance through the Advanced Details -> User data field without using Elastic Scaling. In this section, you define the administrator login settings and specify the feature licenses for the new Infoblox vNIOS for AWS instance.
1. In the Advanced Details section, define the following plain-text values in the User data field:
remote_console_enabled: Enables or disables the remote SSH CLI console for a new instance (syntax: y or n).
default_admin_password: Sets the password for the NIOS admin user during the first boot. This value does not have to be a default; it can be the password of any administrator that initializes the new instance. With this method, the password is defined before SSH access to the instance CLI is allowed. The minimum password length is four characters. If an invalid password is passed by this method, it will be ignored and the default "infoblox" password remains in effect for the instance. Note that if you want to include special characters in your password, ensure that you put the password in quotes ('') to avoid login issues. Example: '!Infoblox'.
temp_license: Defines the NIOS feature licenses for the new instance. You can list a collection of temporary license names that apply to the instance during initial boot. Using this directive allows you to quickly provision the new instance with temporary licenses without having to open a NIOS CLI session to do the same task. In order to access the NIOS GUI, you must provision the vNIOS license before you start the vNIOS instance. Infoblox recommends that you also provision the Grid and Cloud licenses at the same time as follows:
temp_license:grid cloud vnios. All text entries must be in all lower case.
When you use temp_license in the User data field to install a NIOS license, the Use AWS SSH authentication key option is enabled by default. For more information, see Creating Local Admins in the Infoblox NIOS Documentation. Valid license names include the following:
For a TE-V4025 appliance, if you use the User data field to install the TE-V4025 license, the Use AWS SSH authentication key option will not be enabled by default. Therefore, Infoblox recommends that you first deploy the vNIOS instance without specifying the IB-V4025 license, and then install the license from the NIOS CLI.
- TE- Infoblox vNIOS for AWS instances (TE-V825, TE-V1425 and TE-V2225):
- NIOS license for DDI (TE-V825, TE-V1425 and TE-V2225):
where "xxxx" is the license number.
- TE- Infoblox vNIOS for AWS instances (TE-V825, TE-V1425 and TE-V2225):
- Cloud Platform Infoblox vNIOS for AWS instances (CP-V805, CP-V1405 and CP-V2205):
- Cloud Platform Infoblox vNIOS for AWS instances (CP-V805, CP-V1405 and CP-V2205):
- When you use temp_license in the User data field to install a NIOS license, the Use AWS SSH authentication key option, which is needed to enable CLI access to AWS instances, is enabled by default. For more information, see Creating Local Admins in the Infoblox NIOS Documentation. However, for the IB-V4025 appliances, the Use AWS SSH authentication key option is not enabled with this user data configuration. Therefore, Infoblox recommends that you install the IB-V4025 license after deploying the vNIOS instance.
- Only the V1 and V2 (token optional) value is supported in the Metadata version field. The V2 (token required) value is not supported.
Figure 1.5 shows an example.
Figure 1.5 Defining User Data Settings for Provisioning an Instance without Elastic Scaling
All User data settings are optional directives that can be included in or left out of a configuration. For example, you can include the remote_console_enabled and default_admin_password declarations in the Elastic Scaling configuration shown in Figure 1.8. The temp_license setting does not interfere with or override any dynamic license assignments made through Elastic Scaling (for information, see Provisioning Infoblox vNIOS for AWS using Elastic Scaling).
temp_license: cloud vnios dns grid
Example for adding temp licenses for TE-V825, TE-V1425 and TE-V2225 appliances using AWS User data field:
temp_license: dns enterprise nios IB-V1425
2. Click Next: Add Storage to continue with setting up the instance. For information, see the following section.
You use the Add Storage page to define the storage resources to be used by the new instance. Infoblox vNIOS for AWS instances provide a defined amount of instance data storage. The storage size varies according to the AMI you have chosen for your current instance (for information, see Table 1.1). You can adjust the amount of instance storage to its maximum value, and attach external storage volumes for an additional cost.
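As an added example (not part of the Infoblox documentation or product), the following Python builds the plain-text User data directives described above and checks them against the rules the page states: license names in lower case, a vnios license present so that the GUI is reachable, an admin password of at least four characters that is single-quoted when it contains special characters, and the caveat that a 4025-model license should be installed from the CLI after deployment rather than through User data. The function names and the validation logic are this example's own; NIOS only reads the resulting text.

```python
"""Build and sanity-check the User data text for the Advanced Details field.

Added example, not Infoblox tooling. The directive names
(remote_console_enabled, default_admin_password, temp_license) come from the
page; the checks below mirror the rules the page states.
"""
import re

# Anything that is not a letter or digit counts as a "special character"
# for the password-quoting rule (assumption of this example).
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def build_user_data(licenses, admin_password=None, remote_console=None):
    """Return the User data text.

    licenses:       iterable of temporary license names, e.g. ["grid", "cloud", "vnios"]
    admin_password: initial NIOS admin password, or None to keep the default
    remote_console: True/False to emit remote_console_enabled: y/n, None to omit it
    """
    lines = []
    if remote_console is not None:
        lines.append(f"remote_console_enabled: {'y' if remote_console else 'n'}")
    if admin_password is not None:
        # Passwords with special characters must be quoted, e.g. '!Infoblox'
        if SPECIAL.search(admin_password):
            admin_password = f"'{admin_password}'"
        lines.append(f"default_admin_password: {admin_password}")
    if licenses:
        lines.append("temp_license: " + " ".join(licenses))
    return "\n".join(lines) + "\n"


def parse_user_data(text):
    """Parse 'name: value' lines into a dict; values keep their raw text."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        directives[name.strip()] = value.strip()
    return directives


def validate_user_data(text):
    """Return a list of problems; an empty list means the text passes."""
    problems = []
    d = parse_user_data(text)

    rc = d.get("remote_console_enabled")
    if rc is not None and rc not in ("y", "n"):
        problems.append(f"remote_console_enabled must be y or n, got {rc!r}")

    pw = d.get("default_admin_password")
    if pw is not None:
        quoted = len(pw) >= 2 and pw[0] == pw[-1] == "'"
        bare = pw[1:-1] if quoted else pw
        if len(bare) < 4:
            # NIOS ignores an invalid password and keeps the default "infoblox"
            problems.append("default_admin_password is shorter than 4 characters; "
                            "the default password would stay in effect")
        if SPECIAL.search(bare) and not quoted:
            problems.append("default_admin_password contains special characters but is not quoted")

    lic = d.get("temp_license")
    tokens = lic.split() if lic else []
    if "vnios" not in tokens:
        problems.append("temp_license lacks vnios; the NIOS GUI is unreachable until it is installed")
    for t in tokens:
        if t != t.lower():
            problems.append(f"license name {t!r} is not lower case")
        if "4025" in t:
            problems.append(f"{t}: Use AWS SSH authentication key is not enabled for this model; "
                            "install the license from the CLI after deployment")
    return problems


if __name__ == "__main__":
    text = build_user_data(["grid", "cloud", "vnios"], admin_password="!Infoblox", remote_console=True)
    print(text)
    print(validate_user_data(text) or "no problems")
```

Paste the returned text into the User data field as-is; run validate_user_data on it first, since a rejected password silently leaves the default in place.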
1. In the Add Storage page, clear the Delete on Termination checkbox. You use this setting for your Infoblox vNIOS for AWS instances to de-couple the root partition deletion from the state of the new EC2 instance. This allows retention of the volume for debugging and event log inspection.
Infoblox recommends keeping at least the minimum storage capacity defaults for the new Infoblox vNIOS for AWS instance.
Check the top of the AWS console page to see the wizard configuration step location. Click the Previous button at any time to navigate to previous configuration pages.
2. Click Next: Tag Instance to continue setting up the new Infoblox vNIOS for AWS instance. For information, see the section Using AWS Tags with Infoblox Extensible Attributes to Identify Resources for IP Address Assignments.
Using AWS Tags with Infoblox Extensible Attributes to Identify Resources for IP Address Assignments
AWS Tags that have a matching tag defined in NIOS extensible attributes have the tag value replicated into NIOS.
You use the Tag Instance page to define name-value pairs for categorizing, searching and identifying Amazon objects such as EC2 instances, subnets, VPCs, and IP addresses. If you already have extensible attributes defined for your Infoblox Grid, you can add those same EAs to the new Infoblox vNIOS for AWS instance on this page. The tags that you define here apply only to the instance. You can choose to create the tags for the instance at a later time.
You use EAs to tag Infoblox network containers and networks, and to tag corresponding Amazon VPCs and subnets for assigning IP addresses to new resources in the cloud. Without the NIOS EA definitions, the tags defined on the AWS objects will only be meaningful in AWS and you cannot search and match against managed AWS objects in Grid Manager.
For information about Cloud Extensible Attributes, see Extensible Attributes for Cloud Objects in the Infoblox NIOS Documentation.
- In the Tag Instance page, enter the name for the first Key. This key name may match a Cloud EA defined in NIOS, or you can define that EA at a later time in Grid Manager.
- Enter the Value for the new tag.
- Click the Create Tag button to add a new tag entry to the list. For more information, see the section.
- To add more tags to the list, click Add Another Tag.
- When you are finished defining the tags, click Next: Configure Security Group to continue setting up the new Infoblox vNIOS for AWS instance. For information, see Defining an AWS Instance Security Group.
Tagging Existing AWS Objects
Tagging existing objects in AWS is straightforward; select a VPC, subnet within a VPC, an EC2 instance or other object type residing in AWS, and then click the Tags tab:
Figure 1.6 Adding Tags to AWS Objects
In NIOS, you define the extensible attributes for each network in the Cloud -> Networks page, or under IPAM within the network view, as shown in Figure 1.7.
Figure 1.7 Defined EAs for Cloud Objects in NIOS
When you consistently use AWS tags and extensible attributes in your networks, they become more useful and valuable. For example, you use Infoblox API extensions with the EAs that are appropriate for your applications. For information, see Infoblox Extensions to the AWS API.
Defining an AWS Instance Security Group
Configure the AWS Security Group for your instance to only accept traffic for SSH (22) and HTTPS (443) from the specific computers or subnets that are used to manage the Infoblox appliance.
You use the Configure Security Group page to define the firewall security settings for your new Infoblox vNIOS for AWS instance. Amazon Web Services enforces a default Deny All policy for all security groups. Your new security group consists of a set of simple firewall rules that specifically allow known IP addresses and network prefixes to access your Infoblox vNIOS for AWS instance and to use specific protocols. These are defined as Inbound rules. You may create a new security group, or add new rules to an existing security group definition provided by your AWS administrator, depending on your AWS IAM privileges.
1. In the Configure Security Group page, you define new Inbound rules for your new instance using the following:
- Permit SSH traffic (TCP/22) from the preferred prefix.
- Open the port for DNS (UDP/53).
- Permit secure Web traffic (HTTPS/443) only from a Custom IP prefix representing the network of hosts that access the vNIOS instance for management and configuration.
- Open two ports for NIOS Grid Joining traffic:
- Open the port for the Infoblox API Proxy (TCP/8787).
You configure a minimum of six rules based on the list above.
You can also add a rule, named 'myip' or similarly, to allow access from your desktop computer to the VPC. Simply select My IP from the Source drop-down list.
Avoid using any prefixes other than those that must access the Infoblox vNIOS for AWS instances in the VPC.
2. Select Assign a Security Group -> Create a New Security Group.
3. Enter the Security group name (AWS uses a simple naming default with the prefix "launch-wizard-...").
4. Enter a Description for the new security group.
5. Click the Type drop-down list for the first rule, and choose SSH.
- For Source, choose Custom IP and then enter the IPv4 prefix containing the computer hosts that use SSH connections to the new instance. (You may need more than one rule if you have users from multiple networks accessing your instance.)
6. Click Add Rule to create a second rule in the list.
7. Click the Type drop-down list for the second rule, and choose HTTPS.
- For Source, select Custom IP and then enter the IPv4 prefix containing the computer hosts that connect to Grid Manager for the new Infoblox vNIOS for AWS instance. (You may need more than one rule if you have multiple networks accessing your instance.)
8. When you complete the security group configuration, click Review and Launch. The Review Instance Launch page appears.
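As an added example, not code from Infoblox or AWS, the following Python assembles the six inbound rules listed above in the IpPermissions structure that boto3's authorize_security_group_ingress() accepts, and lints a rule set so that the management ports (SSH, HTTPS and the API proxy on TCP/8787) are never opened to 0.0.0.0/0. The page does not name the two Grid-joining ports, so they are passed in as parameters with placeholder values; the 203.0.113.0/24 and 10.0.0.0/16 prefixes are constructed stand-ins for your management network and VPC, and the choice to source DNS, Grid-joining and API-proxy traffic from the VPC range is this example's assumption.

```python
"""Assemble and lint the inbound rules for the vNIOS security group.

Added example; not Infoblox's or AWS's own code. Rules are built in the
IpPermissions shape used by boto3's authorize_security_group_ingress().
"""
import ipaddress

# Management ports from the rule list above: SSH, HTTPS (Grid Manager), Infoblox API Proxy
MGMT_PORTS = {22, 443, 8787}

# Placeholder values: the page does not name the two Grid-joining ports; take
# the real protocol/port pairs from the NIOS documentation for your release.
GRID_JOIN_PORTS_PLACEHOLDER = [("udp", 1000), ("udp", 1001)]


def rule(proto, port, cidr, description):
    """One single-port IpPermissions entry; rejects a malformed CIDR early."""
    ipaddress.ip_network(cidr)  # raises ValueError on a bad prefix
    return {
        "IpProtocol": proto,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": cidr, "Description": description}],
    }


def build_inbound_rules(mgmt_cidrs, vpc_cidr, grid_join_ports):
    """Build the rule set: SSH, HTTPS, DNS, two Grid-joining ports, API proxy.

    mgmt_cidrs:      prefixes of the hosts that manage the appliance (SSH, HTTPS)
    vpc_cidr:        range that DNS clients, Grid peers and API-proxy callers
                     live in (assumption of this example; narrow it if you can)
    grid_join_ports: the two (protocol, port) pairs used for Grid joining
    """
    rules = []
    for cidr in mgmt_cidrs:
        rules.append(rule("tcp", 22, cidr, "SSH from management network"))
        rules.append(rule("tcp", 443, cidr, "Grid Manager (HTTPS) from management network"))
    rules.append(rule("udp", 53, vpc_cidr, "DNS from VPC clients"))
    for proto, port in grid_join_ports:
        rules.append(rule(proto, port, vpc_cidr, "NIOS Grid joining"))
    rules.append(rule("tcp", 8787, vpc_cidr, "Infoblox API Proxy"))
    return rules


def lint_inbound_rules(rules):
    """Return findings for rules that accept traffic from any source.

    A management port reachable from 0.0.0.0/0 or ::/0 is reported as exposed;
    any other world-open rule is reported as overly broad, since the page says
    to avoid prefixes beyond those that must reach the instance.
    """
    findings = []
    for r in rules:
        lo = r.get("FromPort", 0)          # IpProtocol "-1" rules carry no ports
        hi = r.get("ToPort", 65535)
        exposed = MGMT_PORTS.intersection(range(lo, hi + 1))
        for rng in r.get("IpRanges", []) + r.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if ipaddress.ip_network(cidr).prefixlen != 0:
                continue
            label = f"{r['IpProtocol']}/{lo}" + (f"-{hi}" if hi != lo else "")
            if exposed:
                findings.append(f"{label} open to the world ({cidr}): "
                                f"exposes management port(s) {sorted(exposed)}")
            else:
                findings.append(f"{label} allows any source ({cidr}); "
                                "restrict it to the prefixes that need it")
    return findings


if __name__ == "__main__":
    rules = build_inbound_rules(["203.0.113.0/24"], "10.0.0.0/16", GRID_JOIN_PORTS_PLACEHOLDER)
    print(len(rules), "rules;", lint_inbound_rules(rules) or "no findings")
```

Run lint_inbound_rules against the IpPermissions returned by describe_security_groups() for an existing group before reusing it, since a rule inherited from your AWS administrator's default group may already open a management port to the world.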
Completing Your Infoblox vNIOS for AWS Instance Launch
The Review Instance Launch page lists breakout sections with each category of settings, beginning with AMI Details at the top. The page provides an Edit link for each category (Edit instance type, Edit security groups...) for any final changes.
1. When finished reviewing, click Launch. AWS starts the Key Pair installation. The Key Pair dialog box opens.
You can choose the Proceed without a Key Pair option if you want to perform a simple deployment and then click the I Acknowledge... checkbox.
The Infoblox standard configuration for Infoblox vNIOS for AWS deployment requires use of a VPN connection or a direct connection to the Amazon VPC(s) on which you are deploying and operating Infoblox vNIOS for AWS instances. This connection does not require an Internet-connected IP address or a secure key pair. All AWS Proxy API operations require use of an assigned and regularly rotated AWS-generated key pair assigned to the cloud-api-only account under Grid Manager. For information, see Assigning AWS User Credentials to the NIOS Cloud Admin Account.
2. Click Review and Launch to launch your new instance. After a brief period of time, the Infoblox vNIOS for AWS instance is active in your VPC.
3. Perform additional tasks for the vNIOS for AWS configuration to ensure that the virtual appliance is functioning properly. For information, see Additional Configuration for vNIOS for AWS.