Enterprise Recon Cloud 2.12.0

Download ER Cloud 2.12.0 User Guide (PDF)

All Documentation > ER Cloud 2.12.0 User Guide > How-to Guides > Master Server Deployment > How To Deploy Enterprise Recon Cloud

How To Deploy Enterprise Recon Cloud

This section covers the following topics:

Overview
Start Enterprise Recon Cloud Deployment
- Subscribe to the ER Cloud Product in AWS Marketplace
- Create the CloudFormation Stack
  - Create with a New VPC
  - Create with an Existing VPC
View the ER Cloud Instance
Add Required Inbound Rules to the Security Group
Migrate to Enterprise Recon Cloud
Increase Disk Size

Overview

To know more about important considerations before deploying the Enterprise Recon Cloud 2.12.0, refer to the Plan the ER Cloud Deployment section.

To deploy ER Cloud, refer to Start Enterprise Recon Cloud Deployment below.

After deployment, update the Amazon Linux operating system to the latest version (refer to Update the Amazon Operating System in the Update ER Cloud section) and/or increase the disk size, if needed.

To migrate Enterprise Recon on-premises (ER2) to Enterprise Recon Cloud 2.12.0, refer to Migrate to Enterprise Recon Cloud below.

Start Enterprise Recon Cloud Deployment

Subscribe to the ER Cloud Product in AWS Marketplace.
Create the CloudFormation Stack either with a new VPC or an existing one.
Add Required Inbound Rules to the Security Group.
Update the Amazon Linux operating system to the latest version. Refer to Update the Amazon Operating System in the Update ER Cloud section.
View the ER Cloud Instance to obtain the details needed to access the web console and the ER Cloud Master Server.

Minimum AWS permission required
To be able to subscribe to the Enterprise Recon Cloud products on AWS and deploy using the CloudFormation template, please use an AWS account that has the necessary IAM identity permissions. For more information, refer to Amazon AWS - Adding and removing IAM identity permissions.

To subscribe to the Enterprise Recon Cloud on AWS Marketplace, perform the following steps:

Log in to the AWS IAM console.
In the search bar, enter AWS Marketplace and select AWS Marketplace from the list of services search results.
In the left side of the page, click the hamburger icon > Discover products.
In the search bar (under Search AWS Marketplace products), enter Enterprise Recon Cloud.
From the list of search results, select the appropriate edition of Enterprise Recon Cloud (Enterprise Recon Cloud PCI, Enterprise Recon Cloud PII, or Enterprise Recon Cloud PRO) to subscribe to.
Click Continue to Subscribe.
Click Accept Terms to agree to the Terms and Conditions.
Processing the subcription request may take a few seconds to complete.
After the request has been processed, click the Continue to Configuration button.

In the Configure this software section, complete the following fields:

Field	Description
Fulfillment option	Select either Enterprise Recon Cloud - New VPC or Enterprise Recon Cloud- Existing VPC. For more information, refer to the Plan the ER Cloud Deployment section.
Software version	Select the latest version from the list.
Region	Select the region to deploy the ER Cloud instance.

Click Continue to Launch.
On the Launch this software page, review your configuration and click Launch.
The page redirects to the CloudFormation console.

Create the CloudFormation Stack

Before creating the CloudFormation Stack, ensure that you have subscribed to the ER Cloud product. Refer to Subscribe to the ER Cloud Product in AWS Marketplace.

When creating the CloudFormation stack, you can choose to create in a new Virtual Private Cloud (VPC) or use an existing VPC for the Enterprise Recon Cloud deployment.

For more information, refer to the Plan the ER Cloud Deployment section.

Create with a New VPC

On the Create stack page in the CloudFormation console, complete the following fields:

Field	Description
Prepare template	Select Choose an existing template.
Template source	Select Amazon S3 URL.
Amazon S3 URL	This field is auto-populated with the URL of the template source.

Click Next.

On the Specify stack details page, complete the following fields:

Field	Description
Stack name	Enter a descriptive label for the CloudFormation stack.
Deployment Size	Select the size (small, medium, or large) of the deployment. For more information, refer to Plan the ER Cloud Deployment.
Enter the VPC CIDR block	Enter the network range of the VPC.
Enter the subnet CIDR block	Enter the network range of the ER Cloud instance. The network should be within the VPC network range.
Select the availability zone	Select the default availability zone of the subnet within your AWS region.
Enter allowed CIDR block	Enter the IP address range allowed to access the ER Cloud Master Server. Using the "0.0.0.0/0" IP address will allow access to all IP addresses and will expose the Enterprise Recon Cloud instance to all public connections. Avoid public connections whenever possible.
Enter the security group name	Enter the label for your security group (e.g. ERC Security Group). For more information, refer to Amazon VPC Security Groups.
Enter a name for the new SSH key	Enter a label for the new SSH key (e.g. erc-ssh-key).

Click Next.
On the Configure stack options page, click Next.
On the Review and create page, review your Cloud Formation template details.
Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox.
Click Submit.
On the left panel of the CloudFormation console, verify that the configured CloudFormation stack is listed under Stacks section with status "CREATE_IN_PROGRESS".
Creating the stack may take a few minutes to complete.

Create with an Existing VPC

On the Create stack page in the CloudFormation console, complete the following fields:

Field	Description
Prepare template	Select Choose an existing template.
Template source	Select Amazon S3 URL.
Amazon S3 URL	This field is auto-populated with the URL of the template source.

Click Next.

On the Specify stack details page, complete the following fields:

Field	Description
Stack name	Enter a descriptive label for the CloudFormation stack.
Deployment Size	Select the size (small, medium, or large) of the deployment. For more information, refer to Plan the ER Cloud Deployment.
Select VPC	Select the existing VPC where you want to deploy your ER Cloud instance.
Select Subnet	Select the existing public subnet where you want to deploy your ER Cloud instance. The subnet should be under the selected VPC.
Availability Zone	Select the availability zone of the subnet within your AWS region.
Enter allowed CIDR block	Enter the IP address range allowed to access the ER Cloud Master Server. Using the "0.0.0.0/0" IP address will allow access to all IP addresses and will expose the Enterprise Recon Cloud instance to all public connections. Avoid public connections whenever possible.
Enter the security group name	Enter the label for your security group (e.g. ERC Security Group). For more information, refer to Amazon VPC Security Groups.
Enter a name for the new SSH key	Enter a label for the new SSH key (e.g. erc-ssh-key).

Click Next.
On the Configure stack options page, click Next.
On the Review and create page, review your Cloud Formation template details.
Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox.
Click Submit.
In the left panel of the CloudFormation console, verify that the configured CloudFormation stack is listed under Stacks section with status "CREATE_IN_PROGRESS".
Creating the stack may take a few minutes to complete.

Add Required Inbound Rules to the Security Group

Instructions for configuring a cloud service account's security settings are provided here for the user's convenience only. For the most up-to-date instructions, refer to Amazon EC2 - Add Rules to a Security Group.

Add the required inbound rules on the AWS side to limit access and only allow required ports to access the ER Cloud Master Server and its functionalities.

Log in to the AWS EC2 console.
In the left navigation pane, under Network and Security, click Security groups.
From the list, select the security group for the CloudFormation stack.
In the section that appears, click the Inbound rules tab > Edit inbound rules.
In the current list of rules, under Source column, delete all rules with a 0.0.0.0/0 IP address.

Add rules for the following required ports:

Type	Source	Description
SSH	Custom	In the field next to the Source dropdown, enter the CIDR block (IP address). This allows the specified IP address to access the EC2 instance of the Enterprise Recon Cloud. Port number 22 is auto-populated.
HTTPS	Custom	In the field next to the Source dropdown, enter the CIDR block (IP address). This allows the specified IP address to access the Enterprise Recon Cloud Master Server UI. Port number 443 is auto-populated.
Customer TCP	Custom	In the Port range field, enter 11117, and in the field next to the Source dropdown, enter the CIDR block (IP address) of the node or proxy agent. This allows the specified IP address to connect to the Enterprise Recon Cloud Master Server.
Custom TCP	Custom	In the Port range field, enter 8339, and in the field next to the Source dropdown, enter the CIDR block (IP address). This grants API access to the specified IP address.

Using the "0.0.0.0/0" IP address will allow access to all IP addresses and will expose the Enterprise Recon Cloud instance to all public connections. Avoid public connections whenever possible.

If you want to use your IP address, select My IP as the source to let AWS automatically determine your CIDR block/IP address.

(Optional) If you need to allow connections to the required ports from different IP address ranges, add a rule for each port, select the appropriate source, and enter the IP address.

By default, AWS enforces a quota of 60 inbound rules and 60 outbound rules per security group. You may request a quota change, if needed. For more information, refer to Amazon VPC - Amazon VPC quotas.
Click Save rules.

View the ER Cloud Instance

The created CloudFormation stack contains the details of the ER Cloud instance needed to access and log in to the web console.

To view the details of the ER Cloud instance:

In the left panel of the CloudFormation console, click Stacks.
Select the CloudFormation stack for the ER Cloud Master Server.
Click the Outputs tab to obtain the details needed to access the ER Cloud Master Server.

The PublicDNS key value is the link to your Master Server web console.
Save the SSH Key.
Take down the initial Master Server password (MasterServerPassword key value) and username (MasterServerUsername key value) to the Master Server web console.
Access Web Console to complete the setup and activate ER Cloud.

Save the SSH Key

In the Outputs tab, click the link under the “Value” column for the SshKey.
Select the Value toggle button to show decrypted value.
Copy the text value and paste it into a new file on your local machine, ensuring the entire content is copied without extra whitespaces or lines.
Save the file in PEM (.pem) format (e.g. sshkey.pem). The location path of the PEM file will be used when you connect to the EC2 instance to access the Master Server console.
Change the permission of the SSH key (.pem) file.

chmod 600 <path-to-the-sshkey.pem-file>
Delete the SSH private key from the Parameter Store. Refer to Deleting Systems Manager parameters.

Migrate to Enterprise Recon Cloud

For seamless migration of your existing Enterprise Recon Master Server, ensure you have successfully deployed the Enterprise Recon Cloud. Refer to Start Enterprise Recon Cloud Deployment above.

To migrate your on-premise Enterprise Recon Master Server instance to Enterprise Recon Cloud, perform the following steps:

Create a backup of the ER2 Master Server using either the automated backup or the manual backup method. Refer to the ER2 - Create Backup page of the latest Enterprise Recon User Guide.
Copy the backup file from the ER2 Master Server host to a shared location that is accessible by the new Enterprise Recon Cloud Master Server. Refer to the Move the Backup File from the ER2 Master Server section below for general guidance.
Restore From Backup File.
If you want to connect existing on-premises agents to the ER Cloud Master Server, configure the agents to point to the updated ER Cloud Master Server IP address (required) and public key (optional). Refer to the Configure Agents section.

Contact Ground Labs Support Team if you need assistance in migrating your existing ER2 Master Server.

Move the Backup File from the ER2 Master Server

There are several other ways to move files. The instructions provided here are offered solely for general guidance and for the user’s convenience.

On Windows

Use a Windows SCP client such as WinSCP to connect to the Master Server via the SCP protocol.

Start WinSCP.

In the Login dialog box, enter the following:

Field	Value
File protocol	Select SCP.
Host name	Enter the hostname or IP address of the Master Server.
Port number	Default value is 22.
User name	Enter root.
Password	Enter the root password for the Master Server.

Click Save.
Click Login to connect to the Master Server.

Once connected, locate the backup file (.bak or .ebk) on the Master Server and copy it to your Windows machine.

On Linux

On the Linux host that you want to copy the backup file to, open the terminal and run:

# Where '<directory>' is the full path of the backup folder # and <backup-file> is the .bak or .ebk file scp root@er-master:<directory>/<backup-file> ./

This securely copies the backup file to your current directory.

If you cannot connect to the Master Server via the SCP protocol, check that the OpenSSH server is running on the Master Server console. Run service sshd start.

Increase Disk Size

If needed, you can increase your instance and/or disk size after deployment. Refer to the Manage Instance and Disk Size section.