Scripts which build an OpsWorks Stack with HA-NAT Layer
Amazon VPC and OpsWorks are amazing solutions to publish applications.
Suppose we are constructing such a structure:
|
that has 4 subnets
- public subnet 1
- private subnet 1 (connectable to the Internet due to nat1)
- public subnet 2
- private subnet 2 (connectable to the Internet due to nat2)
To avoid to enclose Single Point Of Failure, it is preffered to have such a mechanism.
|
|
| checking heartbeat each other | automatic failovering and recovering |
|---|
But constructing as above is hard a little bit.
DupsWorks makes it easy to build a VPC sutructure as above, OpsWorks Stack, NAT Layer and instances, and install some scripts to NAT instances that provides High-Availability.
All processes are below:
- create VPC
- create 4 subnets
- create an OpsWorks stack
- create OpsWorks layers
- admin layer (for gateway instances)
- nat layer
- set permissions (optional)
- create OpsWorks instances
- 1 admin instance
- 2 NAT instances
- start NAT instances
- configure route
- public subnets -> internet gateway
- private subnets -> nat instances
- checking heartbeat route
- configure NAT instances
- disable Source/dest. check.
- set '1' to net.ipv4.ip_forward using sysctl
- configure iptables and enable IP Masquerading
- install scripts(check heartbeat and failover) to NAT instances.
Dupsworks depends on Python 3 and some packages. You can install them using pip:
pip install -r requirements.txt
- Copy
settings.cfg.exampletosettings.cfg. - Edit params in
[PersonalSettings]section.
[PersonalSettings]
vpc_name = MyVPC
vpc_cidr = 10.0.0.0/16
vpc_subnet_az1_public_cidr = 10.0.0.0/24
vpc_subnet_az1_private_cidr = 10.0.128.0/24
vpc_subnet_az2_public_cidr = 10.0.1.0/24
vpc_subnet_az2_private_cidr = 10.0.129.0/24
region = us-east-1
vpc_subnet_az1 = us-east-1a
vpc_subnet_az2 = us-east-1b
stack_name = MyStack
stack_service_role_arn = arn:aws:iam::111111111111:role/aws-opsworks-service-role
stack_default_instance_profile_arn = arn:aws:iam::111111111111:instance-profile/aws-opsworks-ec2-role
[[stack_permissions]]
[[[hoge]]]
iam_user_arn = arn:aws:iam::111111111111:user/hoge
allow_ssh = True
allow_sudo = True
An OpsWorks Stack requires 2 ARNs. "Default IAM Instance Profile" is one of them.
When Dupsworks creates an OpsWorks Stack, the value you specified as "stack_default_instance_profile_arn" in settings.cfg will be set to "Default IAM Instance Profile".
You must add following permissions to the IAM Role:
* allow to read EC2 information
* allow modifing EC2 instance attributes
* allow replacing route in VPC
in order to execute recipes of weseek/vpcnat.
See the Security and Permissions page for more information.
Dupsworks uses boto and awscli.
You need to set your AWS security credentials before the script is able to connect to AWS. The SDK will automatically pick up credentials in environment variables:
export AWS_ACCESS_KEY_ID="Your AWS Access Key ID"
export AWS_SECRET_ACCESS_KEY="Your AWS Secret Access Key"
See the AWS Security Credentials page for more information on getting your keys.
python build_stack.py
- Fork the repository on Github
- Write your change (and fix my poor English!)
- Submit a Pull Request using Github
- Author:: Yuki Takei (yuki@weseek.co.jp)
Copyright 2014 WESEEK, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.