AWS Requirements for HA Wireguard Cluster
Standing up a Trustgrid node in AWS is straightforward using an Amazon Machine Image (AMI). Trustgrid nodes in AWS use two network interfaces: a management interface and a data interface. The management interface communicates with the Trustgrid Cloud Management systems. The data interface terminates TLS tunnels from Edge Nodes.
Known Supported Instance Types | Architecture |
---|---|
t2, t3, t3a, c5, c5n, c6i, c6in, c6a | x86_64 only |
Additional x86_64 instance types may work but have not been tested. Contact Trustgrid support if a different type is believed necessary.
Note: ARM-based instances (such as Graviton) are not supported.
If using burstable performance instance types (T2, T3 and T3a), the following is advised:

- Set CPU Credits for all Gateway instances to unlimited to allow the CPU to burst in the event of a spike above the normal threshold. See: Unlimited mode for burstable performance instances - Amazon Elastic Compute Cloud
- Configure monitoring of your CPU Credit Balance to alert if your credits are being consumed or you are being charged for additional CPU usage, which might warrant resizing your instances. See: Monitor your CPU credits - Amazon Elastic Compute Cloud
- VPC with public and private subnets - the Management NIC goes in the public subnet, the Data NIC goes in the private subnet
- Security group for the management NIC that allows the following traffic:
- IAM role for the instance with policies allowing changes to the routing table of the data NIC - see attached doc
- All interfaces on the Trustgrid Gateway should have source/destination check disabled in AWS
- Security group for the data NIC - no configuration for now
- An IP in the private subnet that will be used by the data NIC
- An SSH key pair that can be used to SSH to the instance if necessary
- VPC must have an unallocated public IP that will be claimed during provisioning
1. Create a new Node. When complete, the Node license will be copied to the clipboard.
2. Select the appropriate CloudFormation Template based on the AWS region in which the Trustgrid node is being deployed.
3. Fill out the fields in the CloudFormation form.
Unique name to describe this deployment
Field Name | Description |
---|---|
Instance Type | Set the instance type of the EC2 instance to deploy (bigger instances cost more) |
SSH Keypair | SSH key pair used to SSH to the instance as the ubuntu user if necessary |
Host IAM Role | An IAM role needs to be created with the permissions listed in the IAM Role Requirements section below. |
Required for all nodes
By default, the CloudFormation template provided will configure an encrypted EBS volume on the Trustgrid Node. The following permissions need to be applied to the associated IAM role to provide access to the default EBS key. Note that you will need to substitute the AWS account ID and region in which this node is being deployed.

```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*"
  ],
  "Resource": "arn:aws:kms:us-east-1:$aws_accountid:alias/aws/ebs"
}
```
Required for clustered nodes
If the node will be clustered, the IAM role requires the following permissions (ec2:DescribeRouteTables on all resources, and ec2:CreateRoute and ec2:DeleteRoute on the route table):

Route Table Policy

```json
{
  "Effect": "Allow",
  "Action": "ec2:DescribeRouteTables",
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": [
    "ec2:CreateRoute",
    "ec2:DeleteRoute"
  ],
  "Resource": "arn:aws:ec2:us-east-1:$aws_accountid:route-table/rtb-f428d58b"
}
```
NOTE: Set the Resource field to the ARN of the route table associated with the data NIC's subnet. Keep ec2:CreateRoute and ec2:DeleteRoute scoped to that single route table; granting them on "*" would let a compromised gateway instance rewrite routes in every route table in the account.
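The following is an added example (not Trustgrid's template or code) that assembles the two policy fragments above into one complete IAM policy document and then runs the least-privilege check the note describes: it flags any Allow statement that grants a route-changing action on Resource "*". The account ID, region and route table ID are constructed placeholders; substitute your own values.

```python
"""Build and sanity-check the IAM policy for a Trustgrid gateway node.

Added example, not Trustgrid's code. It combines the EBS KMS statement
(all nodes) with the route-table statements (clustered nodes) and checks
that the route write actions stay scoped to a single route table.
"""
import json
import re

# Constructed placeholder values; replace with your own account, region
# and the route table attached to the data-NIC subnet.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
ROUTE_TABLE_ID = "rtb-0123456789abcdef0"

# Actions that let an instance change routes; never grant these on "*".
ROUTE_WRITE_ACTIONS = {"ec2:CreateRoute", "ec2:DeleteRoute"}


def build_policy(account_id, region, route_table_id=None):
    """Return the policy document as a dict.

    route_table_id=None yields the single-node policy (KMS only); passing a
    route table id adds the two statements required for clustered nodes.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    statements = [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:DescribeKey",
                   "kms:ReEncrypt*", "kms:GenerateDataKey*"],
        "Resource": f"arn:aws:kms:{region}:{account_id}:alias/aws/ebs",
    }]
    if route_table_id is not None:
        # Route table ids are rtb- followed by 8 (legacy) or 17 hex digits.
        if not re.fullmatch(r"rtb-(?:[0-9a-f]{8}|[0-9a-f]{17})", route_table_id):
            raise ValueError("route table id must look like rtb-<hex>")
        statements += [
            {"Effect": "Allow",
             "Action": "ec2:DescribeRouteTables",
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": sorted(ROUTE_WRITE_ACTIONS),
             "Resource": f"arn:aws:ec2:{region}:{account_id}:route-table/{route_table_id}"},
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return the Allow statements that grant a route write action (or a
    wildcard covering it) on Resource "*". An empty list means the policy
    passes the least-privilege check."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        wildcard_action = bool(actions & {"*", "ec2:*"})
        if (actions & ROUTE_WRITE_ACTIONS or wildcard_action) and "*" in resources:
            findings.append(stmt)
    return findings


if __name__ == "__main__":
    policy = build_policy(ACCOUNT_ID, REGION, ROUTE_TABLE_ID)
    print(json.dumps(policy, indent=2))
    print("overbroad statements:", len(overbroad_statements(policy)))
```

Run it once with your real values and paste the printed document into the role's inline policy; a non-zero count from overbroad_statements means a route write action has escaped the route-table scope and the policy should not be attached.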
This section covers the configuration of the outside, internet-facing interface of the EC2 instance.
Field Name | Description |
---|---|
Security Group | The security group for the management, internet-facing interface. |
Subnet | The VPC subnet for the public, internet-facing interface. The EIP that is created by the CloudFormation template will be associated with the interface on this subnet. |
This section covers the configuration of the inward, private-facing interface of the EC2 instance.
Field Name | Description |
---|---|
Security Group | The security group for the data path interface. |
Subnet | The VPC subnet for the data path interface. |
Data IP | The private IP for the data path - must belong to the subnet and not already be allocated. |
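The following is an added pre-flight check (not Trustgrid's code) for two of the form inputs above: it verifies that the instance type belongs to one of the tested x86_64 families listed at the top of this page, and that the Data IP lies inside the data subnet, is not one of the addresses AWS reserves in every subnet, and is not already allocated. The subnet CIDR and the set of allocated addresses are constructed sample values; in practice take them from the VPC console or the EC2 API.

```python
"""Pre-flight validation of Trustgrid CloudFormation inputs.

Added example, not Trustgrid's code. Checks the instance type against the
supported families on this page and the Data IP against the data subnet.
"""
import ipaddress

# Families listed as known supported on this page (x86_64 only).
SUPPORTED_FAMILIES = {"t2", "t3", "t3a", "c5", "c5n", "c6i", "c6in", "c6a"}

# Constructed sample data for the private subnet that holds the data NIC.
DATA_SUBNET_CIDR = "10.20.30.0/24"
ALLOCATED_IPS = {"10.20.30.10", "10.20.30.11"}


def check_instance_type(instance_type):
    """Return None if the instance family is supported, else a reason."""
    family, _, size = instance_type.partition(".")
    if not size:
        return f"'{instance_type}' is not of the form family.size"
    if family not in SUPPORTED_FAMILIES:
        return (f"'{instance_type}' is not in the tested list "
                f"({', '.join(sorted(SUPPORTED_FAMILIES))}); contact Trustgrid support")
    return None


def check_data_ip(data_ip, subnet_cidr, allocated):
    """Return None if data_ip can be used for the data NIC, else a reason."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    try:
        ip = ipaddress.ip_address(data_ip)
    except ValueError:
        return f"'{data_ip}' is not a valid IP address"
    if ip not in net:
        return f"{ip} is not inside {net}"
    # AWS reserves the first four addresses (network, VPC router, DNS,
    # future use) and the last (broadcast) of every subnet.
    reserved = {net.network_address + i for i in range(4)} | {net.broadcast_address}
    if ip in reserved:
        return f"{ip} is reserved by AWS in {net}"
    if str(ip) in allocated:
        return f"{ip} is already allocated in {net}"
    return None


def preflight(instance_type, data_ip,
              subnet_cidr=DATA_SUBNET_CIDR, allocated=ALLOCATED_IPS):
    """Return the list of problems found; an empty list means the inputs pass."""
    problems = [check_instance_type(instance_type),
                check_data_ip(data_ip, subnet_cidr, allocated)]
    return [p for p in problems if p]


if __name__ == "__main__":
    for itype, ip in [("t3.medium", "10.20.30.50"),
                      ("t4g.medium", "10.20.30.10"),
                      ("c5.large", "10.20.30.1")]:
        print(itype, ip, "->", preflight(itype, ip) or "ok")
```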
Field Name | Description |
---|---|
Trustgrid License | Copy/paste the license from the portal. Note: It is critical that you copy/paste the license correctly. |