Getting Started in a Private VPC Subnet
This article walks through the steps of setting up a Virtual Appliance inside a VPC subnet, where all outside connectivity is through a proxy. These steps assume that you do not have HTTPS (port 443) connectivity into the VPC and so you are unable to use the UI. If this is not the case, please see this article.
- You should have a VPC subnet with no Internet Gateway attached, and an HTTP proxy on this or another subnet.
- The subnet should route traffic correctly to the proxy. The proxy should route Internet traffic through an Internet Gateway.
- You should have SSH connectivity (possibly through an intermediary server) into the subnet.
- Ensure you have an AWS Access Key for your account. For our purposes, a read-only access key is sufficient.
- Make sure you have registered with IDPS and have your user name and password. Try logging in to: https://vkm.ps.idps.a.intuit.com/.
- Ensure you have the address and port number for the proxy.
- You will need the IDPS CLI script,
- Create a Security Group (any name is allowed; we will use IDPS1 in this article) on the Amazon Console with an inbound rule that allows all traffic from the same security group. This requires two steps: creating the group and then adding a rule. See screenshot.
- Start a Linux instance in the private subnet. The instance should belong to the IDPS1 group, and in addition should allow inbound SSH connectivity. To do that you will need to edit your security groups in the Amazon launch wizard. We will assume that you are using a Red Hat instance.
- The instance should provide Python 2.7 and cURL. Both are available on the default RHEL 7.1 AMI.
- Use SSH to connect to your auxiliary instance. Reminder: the default user on RHEL is
- From your instance, run
- Now configure the proxy, and test HTTPS connectivity through the proxy. Note that this configuration will not persist after a reboot.

```bash
export https_proxy="http://proxy-address:port"
curl https://www.google.com
```
We will use the "advanced mode" launch option, which allows you to use a low-privilege Amazon access key. Therefore you need to launch the VA yourself from the AWS Console.
- In the AWS Console, locate the AMI. It should have the name Intuit Data Protection Services v3.00 HVM. To ensure you are using the right AMI, make sure the source account is 071989450653.
- Now launch an instance from this AMI. Any instance type is acceptable for testing. The instance should belong to the IDPS1 security group. Note down the instance's private IP address.
- Prepare a configuration file (any file name will do) on the Auxiliary Instance:
```ini
[Launch]
# VKM, instance, project details
pvkm=vkm.ps.idps.a.intuit.com
instance_address=<your instance's private IP>
project_name=My Project
project_description=Project Description
# User name and password for your IDPS account
email@example.com
password=P@ssw0rd
verbose = False
verify_cert = True
# AWS access key
aws_key_id = <key ID>
aws_secret_key = <secret>
# Proxy details
proxy_host=<proxy address>
proxy_port=<proxy port>
# Typically proxy user and password can remain blank
proxy_user=
proxy_password=
```
- Run the launch script from the Auxiliary Instance:
```bash
idpscli --advanced-launch config-file
```
- Copy and save the master key. Losing the master key will render your data unusable!
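As an added pre-flight check, not part of the IDPS CLI or of this article: the script below parses a config file laid out like the one above, flags placeholder values that were never filled in, insists on verify_cert = True so the VKM's TLS certificate is still checked when the connection goes through the proxy, and warns when the file (which holds your IDPS password and AWS secret key) is readable by other users on the auxiliary instance. The key names come from the article; the file-path argument and the message wording are assumptions.

```python
import os, re, stat, sys

# Keys the article's config file shows; each needs a real value, not a placeholder.
REQUIRED = ("pvkm", "instance_address", "project_name", "password",
            "aws_key_id", "aws_secret_key", "proxy_host", "proxy_port")
PLACEHOLDER = re.compile(r"^<.*>$")   # the template's <key ID>, <proxy port>, ...

def parse_launch(text):
    """Return the [Launch] section as a dict (keys lowercased, values stripped)."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Launch" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values

def check_launch(values):
    """Return a list of problems; an empty list means the file is ready to use."""
    problems = []
    for key in REQUIRED:
        if not values.get(key):
            problems.append("missing value: " + key)
        elif PLACEHOLDER.match(values[key]):
            problems.append("placeholder not replaced: " + key)
    if values.get("verify_cert", "").lower() != "true":
        problems.append("verify_cert must be True so the VKM's TLS certificate is checked")
    if not values.get("proxy_port", "").isdigit():
        problems.append("proxy_port must be a number")
    return problems

def check_mode(path):
    """The file holds the IDPS password and AWS secret: require owner-only access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s is group/world readable (mode %o); chmod 600 it" % (path, mode)]
    return []

if __name__ == "__main__":          # usage: python check_launch.py config-file
    path = sys.argv[1]
    found = check_launch(parse_launch(open(path).read())) + check_mode(path)
    print("\n".join(found) or "config looks ready")
    sys.exit(1 if found else 0)
```

Run it against the config file before idpscli --advanced-launch; it exits non-zero if anything needs fixing. It works on the Python 2.7 that ships with the RHEL 7.1 AMI as well as on Python 3.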
- Before you install the Agent, make sure that the instance on which it will run belongs to the
- The instance should have port 443 connectivity into the Virtual Appliance. You can test that with: