Amazon Web Services – Installation

Device42 on AWS

Deploying D42 from the AWS Marketplace

Configure instance & communication settings

  1. Launch your Device42 instance via the AWS Marketplace 1-Click feature. Follow the on-screen instructions, and when you arrive at the Launch this software screen, select a key-pair to use for SSH console access to the Device42 appliance and be sure to allow incoming access from your external IP address:
    • a) You may generate a key via the “Create a key pair in EC2” link. See the “Generating a new AWS Keypair” section on this page for more help with this step.
      Select SSH key pair to use for console access to Device42 on AWS

    • b) [Note: this step explains how to allow traffic from your PC and/or local network to facilitate communication with the Device42 instance you are deploying directly over the internet. This IS NOT considered best practice and should only be used for testing. Set up a VPN or other secure means of communication for production AWS use!]
      Create an appropriate security group via ‘Security Group Settings’. Select ‘Create new based on seller settings’ and be sure to add your external IP as an allowed IP for the default Device42 ports [404 ssh, 4242 appmgr-http, 4343 appmgr-https, 443 https], all of which are part of the default D42 AMI security group settings for incoming SSH, appliance manager, and webUI access:
      security group settings for access to Device42 on AWS

  2. SSH to the public endpoint of your new Device42 main appliance [MA] using the public DNS name or the IP address found in the AWS UI, ensuring your SSH client is configured to connect on port 404. Use the username: device42 and the SSH keyfile you chose in Step 1 above for SSH authentication (instead of a password).

    If you have trouble connecting, be sure you’ve configured your instance’s security group settings to allow SSH access from your PC’s IP address.

    Instance ID, public ip, DNS address on EC2 dash

  3. Navigate to the Device42 login screen by visiting https://DEVICE42_AWS_ADDRESS [where DEVICE42_AWS_ADDRESS is the DNS name (preferred) or IP address found on the AWS UI]. Log in to the Device42 web UI using the default username admin, and provide your AWS instance ID as your temporary password.

    It’s a good idea to change these credentials to something more secure as soon as you log in!

    Device42 Web UI login

  4. Update the appliance license key – the included key is expired. Obtain an updated license by sending an email to sales@device42.com requesting a trial license for an AWS-Marketplace Device42 install. Once you receive the updated keyfile, save it to your local filesystem and install it via main menu, Tools -> Licensing, simply browsing to the new key file and then clicking “Upload & Apply License”:

    While you should receive your license shortly, we are working to automate this step.
    update license d42 aws

  5. Check to make sure your AMI is running the latest version of Device42 and update if necessary. From the web interface of your Device42 appliance, head to the main menu, TOOLS -> Update. Make note of the “Current Version” number displayed, then follow the “Check for latest version” link or visit https://device42.com/update/ to check for an update. Should the update page offer a newer release, enter your work email to download and install it by following the Device42 Upgrade Steps (since this is a brand new appliance with no data, you may skip the backup noted in step 1 this time only!):
    Check for Device42 Update

  6. You’re all set! Now is a good time to check out “Getting started with Device42” documentation! If you have any questions or issues that the documentation doesn’t address, head to https://support.device42.com or send an email to open a ticket with support@device42.com.

Generating a new AWS keypair for SSH access

To generate a new SSH keypair for use on AWS, either click the “Create a key pair in EC2” link during configuration of your appliance or alternatively, open up the EC2 console, scroll the menu on the left hand side to the Network & Security section, and choose Key Pairs:
Create a new SSH keypair on AWS EC2

  1. Click the “Create Key Pair” button, #1 in the image above.
  2. In the dialog that pops up, give your new key-pair a name that has meaning to you.
  3. Click the “Create” button. Your key file will be created, and the private key will begin downloading automatically; save it somewhere safe. FileName.pem contains your private key, which is what you will use to authenticate. If you are using Linux, copy it to your key directory.
  4. To use your new SSH key with PuTTY on Windows, reference this helpful AWS article on Connecting to Your Linux Instance from Windows Using PuTTY.

Accessing the D42 Appliance Manager – AWS Marketplace installs

All maintenance operations are performed through the Device42 appliance manager. The appliance manager listens on port 4343 (https://YOUR_DEVICE42_INSTANCE:4343). Software updates, Device42 backups and restores, and certificate management are all performed through the appliance manager:
Appliance manager login

For 1-click installations from the AWS Marketplace, users may log on to appliance manager using the default Device42 username [ d42admin ], the password being your AWS instance ID. Once logged in, you’ll see the appliance manager main menu:
D42 Appliance Manager menu

Note: if you installed on AWS manually (using a downloaded image), reference the Appliance Manager section below [different credentials].


Deploying a downloaded image to an AWS instance [manual installation]

Pre-requisites – before you begin

  1. Please submit a ticket requesting access to the Device42 AMI (Amazon Machine Image). Be certain to include the following information:
    • AWS Region for Device42 Deployment
    • AWS Account Number
  2. After Device42 Support has granted access to the Device42 AMI, navigate to your EC2 Dashboard and launch a new instance.
  3. Select “My AMIs” (be sure to select “Shared with Me”), and deploy your appliance. Device42 recommends a t2.xlarge as the minimum instance size.

Configuring instance access

Given the nature of discovery and the inherent access it requires, Device42 does not recommend direct access from unrestricted internet sources. Instead, Device42 recommends access to the Device42 instance be protected through VPN connections and security groups. While these requirements will vary from environment to environment, Device42 recommends strict adherence to the principle of least privilege.
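
One way to check the security-group guidance above (and the port list in step 1b of the Marketplace instructions) is to audit the group's ingress rules. This is an added example, not Device42 or AWS code: the sample data, the group ID and the `audit` and `covered_ports` helpers are constructed for illustration, and the input is assumed to have the shape of `aws ec2 describe-security-groups` JSON output.

```python
import ipaddress

# Device42 ports listed in step 1b of this page.
D42_PORTS = {404: "ssh", 4242: "appmgr-http", 4343: "appmgr-https", 443: "https"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [{
    "GroupId": "sg-0example",  # placeholder ID
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 404, "ToPort": 404,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 4242, "ToPort": 4343,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]}]}


def covered_ports(perm):
    """Device42 ports that one IpPermissions entry exposes."""
    if perm.get("IpProtocol") == "-1":  # "-1" means every protocol and port
        return sorted(D42_PORTS)
    if perm.get("IpProtocol") != "tcp":
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in D42_PORTS if lo <= p <= hi)


def audit(groups, allowed_cidrs):
    """List (group, source CIDR, ports) where the source is outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            ports = covered_ports(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources if ports else []:
                net = ipaddress.ip_network(cidr, strict=False)
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    findings.append((sg["GroupId"], cidr, ports))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, ["203.0.113.10/32"]):
        print(finding)
```

Rules that reference another security group or a prefix list instead of a CIDR are not evaluated here and need a separate review.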

For additional visibility, Device42 recommends users enable AWS CloudTrail as a security and operational best practice: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html

Appliance Manager Access – Manual AWS Installs

All maintenance operations are performed through the Device42 appliance manager. The appliance manager listens on port 4343 (https://YOUR_DEVICE42_INSTANCE:4343). Software updates, Device42 backups and restores, and certificate management are all performed through the appliance manager.
For manual AWS (image-based) installations, you can log on to appliance manager using the default Device42 username/password [d42admin/default].


Administration of Device42 on AWS

Software and security updates & patches

Security patches are bundled with Device42 software updates. There is no need to manually apply patches to your Device42 instances outside of software updates. Software updates can be downloaded from https://www.device42.com/update/.

The following video demonstrates updating your Device42 instance: https://docs.device42.com/how-to-videos/update-d42-how-to/

Backing up and restoring your D42 data on AWS

Device42’s backup facilities are accessible through the appliance manager. Backups can be executed immediately, and users have the ability to download a backup file immediately or on a schedule leveraging automatic saving to an SFTP, NFS, or AWS S3 destination.

For more information on backups / restores, see our documentation: https://docs.device42.com/device42-appliance-manager/setting-up-backup-device42-appliance-manager/.

Configuring High Availability (HA) of Device42 on AWS

If a High Availability (HA) deployment of Device42 is desired or required for a Device42 instance running on AWS, Device42 offers a supported “WarmHA” solution. To configure your deployment to run WarmHA, follow the instructions that can be found on the Device42 WarmHA Documentation page – https://docs.device42.com/device42-appliance-manager/warm-ha-setup-failover-and-automated-backups/. The linked page contains instructions on setting up WarmHA, failover, and if desired, configuring automatic backups.

An example configuration that leverages Nagios to automatically fail-over the instance in case of a failure is also described.

Discovery across your instance – Sample IAM Policy

A sample IAM policy (with minimum appropriate permissions) for AWS discovery is listed below. The discovery requires the following:

  • AmazonEc2ReadOnly
  • AmazonElastiCacheReadOnlyAccess
  • AmazonRDSReadOnlyAccess
  • AmazonS3ReadOnlyAccess

JSON example of an IAM policy containing the minimum permissions:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "elasticloadbalancing:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:ListMetrics",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:Describe*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "autoscaling:Describe*",
                "Resource": "*"
            },
            {
                "Action": [
                    "elasticache:Describe*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:List*"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "rds:Describe*",
                    "rds:ListTagsForResource",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeVpcs"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "cloudwatch:GetMetricStatistics",
                    "logs:DescribeLogStreams",
                    "logs:GetLogEvents"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
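
Before attaching a discovery policy like the one above, it can be linted for the two things that matter here: a valid policy language version and actions that stay read-only. The following is an added example, not Device42 or AWS code. The `lint_policy` helper, the verb-prefix heuristic (Describe/Get/List) and the short `DATA_READS` list are assumptions made for illustration, and the sample policy is constructed.

```python
import fnmatch

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}  # the only policy language versions
READ_VERBS = ("describe", "get", "list")
# Actions that return stored content, not metadata (short list chosen for this example).
DATA_READS = ("s3:GetObject", "logs:GetLogEvents")

# Constructed policy for the demonstration; not the policy from this page.
SAMPLE = {
    "Version": "2024-01-01",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*"},
    ],
}


def as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def lint_policy(policy):
    """Return (severity, message) findings for a discovery policy."""
    out = []
    if policy.get("Version") not in VALID_VERSIONS:
        out.append(("error", f"Version {policy.get('Version')!r} is not valid"))
    for i, st in enumerate(as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            out.append(("error", f"statement {i}: Allow with NotAction"))
        for action in as_list(st.get("Action")):
            verb = action.lower().partition(":")[2]
            if not verb.startswith(READ_VERBS):
                out.append(("error", f"statement {i}: {action} is not read-only"))
            for data in DATA_READS:
                # IAM action matching is case-insensitive; * and ? are wildcards.
                if fnmatch.fnmatchcase(data.lower(), action.lower()):
                    out.append(("warn", f"statement {i}: {action} grants {data}"))
    return out
```

A warning does not mean the policy is wrong for discovery; it marks where a read-only grant on `"Resource": "*"` also covers stored content, so the resource scope can be reviewed.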