Installation – Amazon Web Services

Deployment from AWS Marketplace – [Coming Soon]

  1. Launch your Device42 instance via the AWS Marketplace 1-Click feature. Follow the on-screen instructions, supplying your own existing SSH key file for access or generating a new one.
  2. SSH to the public endpoint of your new Device42 MA (main appliance): use the IP address found in the AWS UI, and point your client at port 404. For credentials, use admin as the username and authenticate with the SSH key file you provided or generated in step 1 (instead of a password). If you are having trouble connecting, be sure you've configured your new instance's security group settings to allow SSH access from your PC's IP address.
  3. At this point, you should be able to browse to https://DEVICE42_ENDPOINT_IP [where DEVICE42_ENDPOINT_IP is the IP address from the MA console or from the AWS UI] and see the login screen. Log in to the Device42 web UI using the default username admin, providing your AWS instance ID as the password.
    It's a good idea to change these credentials to something more secure as soon as you log on!
  4. You're all set! Now is a good time to check out the "Getting started with Device42" documentation! If you have any questions or issues that the documentation doesn't address, head to https://support.device42.com or send an email to support@device42.com to open a ticket.

Appliance Manager access for Marketplace 1-click installs

All maintenance operations are performed through the Device42 appliance manager. The appliance manager listens on port 4343 (https://YOUR_DEVICE42_INSTANCE:4343). Software updates, Device42 backups and restores, and certificate management are all performed through the appliance manager.
For 1-click installations from the AWS Marketplace, users may log on to the appliance manager using the default Device42 username [d42admin], with your AWS instance ID as the password. Note: if you performed a manual AWS installation (using a downloaded image), refer to the Appliance Manager section below.


Deploying a downloaded image to an AWS Instance

Pre-requisites

  1. Please submit a ticket requesting access to the Device42 AMI (Amazon Machine Image). Be certain to include the following information:
    • AWS Region for Device42 Deployment
    • AWS Account Number
  2. After Device42 Support has granted access to the Device42 AMI, navigate to your EC2 Dashboard and launch a new instance.
  3. Select “My AMIs” (be sure to select “Shared with Me”), and deploy your appliance. Device42 recommends a t2.xlarge as the minimum instance size.

Administration for AWS Manual Install [non-marketplace]

Configuring Instance Access

Given the nature of discovery and the inherent access it requires, Device42 does not recommend direct access from unrestricted internet sources. Instead, Device42 recommends access to the Device42 instance be protected through VPN connections and security groups. While these requirements will vary from environment to environment, Device42 recommends strict adherence to the principle of least privilege.
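
One way to check a security group against this recommendation, as an added example (not Device42 code): it reads one group in the shape returned by `aws ec2 describe-security-groups` and reports any Device42 port open to every address. The function name and sample group are constructed for illustration; 443 is assumed as the web UI port because the page gives a plain https:// URL.

```python
import ipaddress

# Ports named on this page: 404 (appliance SSH), 4343 (appliance manager).
# 443 is an assumption: the default port for the https:// web UI URL.
D42_PORTS = {404: "SSH", 443: "web UI", 4343: "appliance manager"}


def open_d42_ports(security_group):
    """Return sorted (port, service, cidr) tuples for Device42 ports
    that an ingress rule exposes to the whole IPv4 or IPv6 internet."""
    findings = set()
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # IpProtocol "-1" means every protocol and port; it carries no port range.
        lo = 0 if proto == "-1" else perm.get("FromPort", 0)
        hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A prefix length of 0 (0.0.0.0/0 or ::/0) matches any source address.
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue
            for port, service in D42_PORTS.items():
                if lo <= port <= hi:
                    findings.add((port, service, cidr))
    return sorted(findings)


# Constructed sample: SSH limited to one admin address, the web UI open to
# everyone, and a wide IPv6 port range that happens to cover 4343.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 404, "ToPort": 404,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 4000, "ToPort": 5000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for port, service, cidr in open_d42_ports(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {service} port {port} open to {cidr}")
```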

For additional visibility, Device42 recommends enabling AWS CloudTrail as a security and operational best practice: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html

Appliance Manager

All maintenance operations are performed through the Device42 appliance manager. The appliance manager listens on port 4343 (https://YOUR_DEVICE42_INSTANCE:4343). Software updates, Device42 backups and restores, and certificate management are all performed through the appliance manager.
For manual AWS (image-based) installations, you can log on to the appliance manager using the default Device42 username/password [d42admin/default].

Software and Security Updates

Security patches are bundled with Device42 software updates. There is no need to manually apply patches to your Device42 instances outside of software updates. Software updates can be downloaded from https://www.device42.com/update/.

The following video demonstrates updating your Device42 instance: https://docs.device42.com/how-to-videos/update-d42-how-to/

Backup and Restore of D42 data

Device42’s backup facilities are accessible through the appliance manager. Backups can be executed immediately, and users can download a backup file immediately or on a schedule, leveraging automatic saving to an SFTP, NFS, or AWS S3 destination.

For more information on backups / restores, see our documentation: https://docs.device42.com/device42-appliance-manager/setting-up-backup-device42-appliance-manager/

Discovery across your instance – Sample IAM Policy

A sample IAM policy (with minimum appropriate permissions) for AWS discovery is listed below. The discovery requires the following:

  • AmazonEc2ReadOnly
  • AmazonElastiCacheReadOnlyAccess
  • AmazonRDSReadOnlyAccess
  • AmazonS3ReadOnlyAccess

JSON example of an IAM policy containing the minimum permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "elasticloadbalancing:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:ListMetrics",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:Describe*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "autoscaling:Describe*",
                "Resource": "*"
            },
            {
                "Action": [
                    "elasticache:Describe*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:List*"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "rds:Describe*",
                    "rds:ListTagsForResource",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeVpcs"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "cloudwatch:GetMetricStatistics",
                    "logs:DescribeLogStreams",
                    "logs:GetLogEvents"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
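
A pre-deployment check for a discovery policy like the one above, as an added example (not Device42 code): it confirms the policy language version is one IAM accepts and that every allowed action is a read-style call. The function name, the prefix list (taken from the verbs the sample policy uses) and the sample policy are constructed for illustration.

```python
# The only policy language versions IAM accepts.
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}
# Verb prefixes treated as read-only here; an assumption of this example,
# based on the verbs used in the sample policy (Describe*, Get*, List*).
READ_PREFIXES = ("Describe", "Get", "List")


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    version = policy.get("Version")
    if version not in VALID_VERSIONS:
        findings.append(f"invalid Version {version!r}")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements cannot grant access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # Action may be a string or a list
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            # "*" and "svc:*" have no read prefix, so they are flagged too.
            if not verb.startswith(READ_PREFIXES):
                findings.append(f"statement {i}: {action} is not read-only")
    return findings


# Constructed sample: a bad version string, one write action, one wildcard.
SAMPLE_POLICY = {
    "Version": "2020-01-01",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

A read-style prefix only shows that a call does not modify resources; `s3:Get*` on `"Resource": "*"` still permits reading object contents in every bucket the account can reach.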