Appendix B: Ivanti Connect Secure CloudFormation Template
Ivanti provides sample CloudFormation template files for deploying the Ivanti Connect Secure (ICS) virtual appliance on AWS; you can modify them to suit your environment. Visit the Amazon marketplace and download the ICS-3-nics.zip file, then unzip it to get ics-3-nics-new-network.json.
This template creates a new ICS instance with three NICs, a VPC, four subnets, security groups attached to the ICS internal, external and management subnets, and user-defined routes on the ICS internal subnet so that ICS is used as the default gateway for L3 tunnel traffic. All three ICS NICs use dynamic IP configuration and have IP forwarding enabled. Public IPs are attached to the ICS external and management NICs. Because the management NIC is therefore reachable from the internet, restrict the inbound rules of the management security group to trusted administrative source addresses before you deploy.
The template has the following sections:
Parameters: Defines the parameters used to deploy ICS on AWS. Each parameter has a name, a default value and help text that is shown when you hover over the parameter in the AWS CloudFormation console, where the parameters are presented when you create the stack.
Resources: Defines the resources that are created or updated as part of the stack.
Outputs: Defines the public IP address, private IP address and primary private IP address returned after ICS is successfully deployed on AWS.
Parameters
Key Name: The name of an existing EC2 key pair. The ICS instance is launched with this key pair.
"KeyName": {
  "Type": "AWS::EC2::KeyPair::KeyName",
  "Default": "",
  "AllowedPattern": "[-_ a-zA-Z0-9]*",
  "Description": "Name of an existing EC2 KeyPair. Your ICS will launch with this KeyPair.",
  "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
},
ICS Image AMI ID: The ID of the ICS AMI registered in your AWS account and region.
"ICSImageAMIID": {
  "Type": "String",
  "Description": "AMI ID of your existing ICS image"
},
Instance Type: The instance type (size) used for ICS: t2.medium or t2.large.
"InstanceType": {
  "Description": "Select ICS instance type",
  "Type": "String",
  "Default": "t2.medium",
  "AllowedValues": [
    "t2.medium",
    "t2.large"
  ],
  "ConstraintDescription": "Must be the name of an existing EC2 Instance type."
},
ICS Config Data: This parameter carries the provisioning parameters that the virtual appliance needs during deployment. Alternatively, an XML-based configuration file can be hosted on another virtual machine in the AWS cloud, or in the corporate network, provided it is reachable from Ivanti Connect Secure through a site-to-site VPN between AWS and the corporate data center; its location is supplied through config-download-url. If you pass admin-password as a stack parameter, declare that parameter with "NoEcho": true so that CloudFormation masks its value in the console, CLI output and API responses.
Ivanti Connect Secure accepts the following provisioning parameters:
•primary-dns
•secondary-dns
•wins-server
•dns-domain
•admin-username
•admin-password
•cert-common-name
•cert-random-text
•cert-organization
•config-download-url
•config-data
•auth-code-license
•enable-license-server
•accept-license-agreement
•enable-rest
For details about these parameters, see Ivanti Connect Secure Provisioning Parameters.
VPC CIDR: A valid CIDR range of the form x.x.x.x/x for the entire VPC. The AllowedPattern below checks only the form of the value; it does not check that the subnet CIDRs that follow fall inside this range or that they do not overlap, and CloudFormation reports such errors only when subnet creation fails during deployment.
"VPCCIDR": {
  "Description": "CIDR block for entire VPC.",
  "Type": "String",
  "Default": "10.20.0.0/16",
  "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
  "ConstraintDescription": "Must be a valid CIDR range of the form x.x.x.x/x."
},
Internal Subnet CIDR: Subnet from which the Ivanti Connect Secure internal interface obtains its IP address.
"InternalSubnetCIDR": {
  "Description": "Ivanti Connect Secure VM internal interface connects to this subnet",
  "Type": "String",
  "Default": "10.20.1.0/24",
  "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
  "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x"
},
External Subnet CIDR: Subnet from which the Ivanti Connect Secure external interface obtains its IP address.
"ExternalSubnetCIDR": {
  "Description": "Ivanti Connect Secure VM external interface connects to this subnet",
  "Type": "String",
  "Default": "10.20.2.0/24",
  "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
  "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x"
},
Management Subnet CIDR: Subnet from which the Ivanti Connect Secure management interface obtains its IP address.
"ManagementSubnetCIDR": {
  "Description": "Ivanti Connect Secure VM management interface connects to this subnet",
  "Type": "String",
  "Default": "10.20.3.0/24",
  "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
  "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x"
},
Tunnel Subnet CIDR: Subnet whose range is configured as the tunnel IP pool in the Ivanti Connect Secure VPN profile; L3 VPN clients are assigned addresses from this range.
"TunnelSubnetCIDR": {
  "Description": "For L3 VPN connections PCS hands over IP to the clients from this subnet",
  "Type": "String",
  "Default": "10.20.4.0/24",
  "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$",
  "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/x"
}
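The following Python script, added here as an example and not part of Ivanti's template or tooling, runs the checks a practitioner would want before creating the stack. It applies the KeyName, InstanceType and CIDR constraints exactly as the Parameters section above declares them, then adds what those constraints cannot express: each subnet must fall inside VPCCIDR, the four subnets must not overlap, and a CIDR must be a network address with no host bits set. It also rejects provisioning parameter names that are not in the list under ICS Config Data. The sample parameter values are constructed, and the key pair name ics-admin is assumed.

```python
"""Pre-flight validation of the ICS-3-nics stack parameters.

Added example; this is not Ivanti's code and is not part of the template.
The template's AllowedPattern only checks that a CIDR looks like x.x.x.x/x;
it cannot check that the four subnets fit inside the VPC CIDR or that they
do not overlap, and CloudFormation only discovers that when subnet creation
fails part-way through the deployment. These checks run before create-stack.
"""
import ipaddress
import re

# Patterns and allowed values copied from the template's Parameters section.
CIDR_PATTERN = re.compile(
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
    r"(/([0-9]|[1-2][0-9]|3[0-2]))$"
)
KEYNAME_PATTERN = re.compile(r"^[-_ a-zA-Z0-9]*$")
ALLOWED_INSTANCE_TYPES = ("t2.medium", "t2.large")
SUBNET_PARAMS = ("InternalSubnetCIDR", "ExternalSubnetCIDR",
                 "ManagementSubnetCIDR", "TunnelSubnetCIDR")

# Provisioning parameter names accepted by ICS, as listed in this appendix.
PROVISIONING_KEYS = frozenset({
    "primary-dns", "secondary-dns", "wins-server", "dns-domain",
    "admin-username", "admin-password", "cert-common-name",
    "cert-random-text", "cert-organization", "config-download-url",
    "config-data", "auth-code-license", "enable-license-server",
    "accept-license-agreement", "enable-rest",
})


def validate_parameters(params):
    """Return a list of problems; an empty list means the parameters pass."""
    problems = []

    key_name = params.get("KeyName", "")
    if not key_name:
        problems.append("KeyName: an existing EC2 key pair name is required")
    elif not KEYNAME_PATTERN.match(key_name):
        problems.append(f"KeyName: {key_name!r} violates AllowedPattern")

    itype = params.get("InstanceType", "t2.medium")
    if itype not in ALLOWED_INSTANCE_TYPES:
        problems.append(f"InstanceType: {itype!r} is not one of {ALLOWED_INSTANCE_TYPES}")

    # Syntactic check: exactly what CloudFormation enforces through AllowedPattern.
    nets = {}
    for name in ("VPCCIDR",) + SUBNET_PARAMS:
        value = params.get(name, "")
        if not CIDR_PATTERN.match(value):
            problems.append(f"{name}: {value!r} is not of the form x.x.x.x/x")
            continue
        try:
            nets[name] = ipaddress.ip_network(value)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{name}: {value!r} has host bits set; use the network address")

    # Semantic checks that the Parameters section cannot express.
    vpc = nets.get("VPCCIDR")
    subnets = [(n, nets[n]) for n in SUBNET_PARAMS if n in nets]
    if vpc is not None:
        for name, net in subnets:
            if not net.subnet_of(vpc):
                problems.append(f"{name}: {net} is not inside VPCCIDR {vpc}")
    for i, (name_a, net_a) in enumerate(subnets):
        for name_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


def unknown_provisioning_keys(config_data):
    """Provisioning keys in config_data that ICS does not document (sorted)."""
    return sorted(set(config_data) - PROVISIONING_KEYS)


if __name__ == "__main__":
    # Constructed sample: the template defaults with one deliberately bad value.
    sample = {
        "KeyName": "ics-admin", "InstanceType": "t2.medium",
        "VPCCIDR": "10.20.0.0/16", "InternalSubnetCIDR": "10.20.1.0/24",
        "ExternalSubnetCIDR": "10.20.2.0/24", "ManagementSubnetCIDR": "10.20.3.0/24",
        "TunnelSubnetCIDR": "10.20.2.0/25",  # overlaps the external subnet
    }
    for problem in validate_parameters(sample):
        print("FAIL:", problem)
```

Run it against the parameter values you intend to pass to create-stack; with the template defaults it returns no problems, and each returned string names the parameter that would make the deployment fail.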
Resources
VPC: Creates the VPC, using VPCCIDR, that all of the following subnets belong to.
"VPC": {
  "Type": "AWS::EC2::VPC",
  ...
},
IntSubnet: Creates the subnet (InternalSubnetCIDR) used by the ICS internal interface.
"IntSubnet": {
  "Type": "AWS::EC2::Subnet",
  ...
},
ExtSubnet: Creates the subnet (ExternalSubnetCIDR) used by the ICS external interface.
"ExtSubnet": {
  "Type": "AWS::EC2::Subnet",
  ...
},
MgmtSubnet: Creates the subnet (ManagementSubnetCIDR) used by the ICS management interface.
"MgmtSubnet": {
  "Type": "AWS::EC2::Subnet",
  ...
},
TunnelSubnet: Creates the subnet whose range (TunnelSubnetCIDR) is used as the ICS tunnel IP pool.
"TunnelSubnet": {
  "Type": "AWS::EC2::Subnet",
  ...
},
InternetGateway: Creates the internet gateway for the VPC.
"InternetGateway": {
  "Type": "AWS::EC2::InternetGateway",
  ...
},
AttachGateway: Attaches the internet gateway to the VPC.
"AttachGateway": {
  "Type": "AWS::EC2::VPCGatewayAttachment",
  ...
},
PublicSubnetRouteTable: Route table for the internet-facing subnets (external and management).
"PublicSubnetRouteTable": {
  "Type": "AWS::EC2::RouteTable",
  ...
},
PublicSubnetRoute: Default route from the public route table to the internet gateway.
"PublicSubnetRoute": {
  "Type": "AWS::EC2::Route",
  ...
},
ExtSubnetRouteTableAssociation: Associates the external subnet with the public route table.
"ExtSubnetRouteTableAssociation": {
  "Type": "AWS::EC2::SubnetRouteTableAssociation",
  ...
},
MgmtSubnetRouteTableAssociation: Associates the management subnet with the public route table.
"MgmtSubnetRouteTableAssociation": {
  "Type": "AWS::EC2::SubnetRouteTableAssociation",
  ...
},
EIP1: Elastic IP for the ICS external interface.
"EIP1": {
  "Type": "AWS::EC2::EIP",
  ...
},
EIPAssoc1: Associates EIP1 with the external network interface (Eth1, as paired in the Outputs section).
"EIPAssoc1": {
  "Type": "AWS::EC2::EIPAssociation",
  ...
},
EIP2: Elastic IP for the ICS management interface.
"EIP2": {
  "Type": "AWS::EC2::EIP",
  ...
},
EIPAssoc2: Associates EIP2 with the management network interface (Eth2, as paired in the Outputs section).
"EIPAssoc2": {
  "Type": "AWS::EC2::EIPAssociation",
  ...
},
ICSvExternalSecurityGroup: Security group applied to the ICS external interface. This interface carries a public IP, so its inbound rules should admit only the VPN listener ports.
"ICSvExternalSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  ...
},
ICSvInternalSecurityGroup: Security group applied to the ICS internal interface.
"ICSvInternalSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  ...
},
ICSvManagementSecurityGroup: Security group applied to the ICS management interface. This interface also carries a public IP; limit its inbound rules to trusted administrative source addresses.
"ICSvManagementSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  ...
},
EC2Instance: The ICS instance, launched from ICSImageAMIID as InstanceType with KeyName and the three network interfaces below.
"EC2Instance": {
  "Type": "AWS::EC2::Instance",
  ...
},
Eth0: Network interface in the internal subnet (ICS internal interface).
"Eth0": {
  "Type": "AWS::EC2::NetworkInterface",
  ...
},
Eth1: Network interface in the external subnet (ICS external interface).
"Eth1": {
  "Type": "AWS::EC2::NetworkInterface",
  ...
},
Eth2: Network interface in the management subnet (ICS management interface).
"Eth2": {
  "Type": "AWS::EC2::NetworkInterface",
  ...
}
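The appendix shows only the logical names and types of the resources, not their properties. The following Python review, added here as an example and not Ivanti's code, inspects a template of this shape for the points a reviewer checks first: which network interfaces receive an Elastic IP (EIPAssoc1 and EIPAssoc2), whether the security groups on those interfaces admit traffic from 0.0.0.0/0, with the management interface (Eth2) held to the rule that nothing on it may be world-reachable, and whether every ENI has SourceDestCheck disabled, which EC2 requires before an instance can forward L3 tunnel traffic. SAMPLE_TEMPLATE is a constructed fragment: its property values, the VPN listener ports assumed to be legitimately public (443/tcp and 4500/udp) and the policy applied are assumptions of the example, not settings taken from the Ivanti template.

```python
"""Review the Resources section of an ICS-3-nics style template.

Added example; not Ivanti's code. This appendix lists the resource names but
not their property bodies, so SAMPLE_TEMPLATE below is CONSTRUCTED to show
the shape such a template takes (resource names follow the appendix, every
property value is assumed). Load the real ics-3-nics-new-network.json with
json.load() and pass it to review() instead.
"""
import json

SAMPLE_TEMPLATE = json.loads(r'''{
 "Resources": {
  "ICSvExternalSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "ICS external", "VpcId": {"Ref": "VPC"},
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "CidrIp": "0.0.0.0/0"}]}},
  "ICSvManagementSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "ICS management", "VpcId": {"Ref": "VPC"},
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
  "ICSvInternalSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "ICS internal", "VpcId": {"Ref": "VPC"},
    "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": "10.20.0.0/16"}]}},
  "Eth0": {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": {"Ref": "IntSubnet"},
    "SourceDestCheck": false, "GroupSet": [{"Ref": "ICSvInternalSecurityGroup"}]}},
  "Eth1": {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": {"Ref": "ExtSubnet"},
    "SourceDestCheck": false, "GroupSet": [{"Ref": "ICSvExternalSecurityGroup"}]}},
  "Eth2": {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": {"Ref": "MgmtSubnet"},
    "GroupSet": [{"Ref": "ICSvManagementSecurityGroup"}]}},
  "EIPAssoc1": {"Type": "AWS::EC2::EIPAssociation", "Properties": {
    "AllocationId": {"Fn::GetAtt": ["EIP1", "AllocationId"]}, "NetworkInterfaceId": {"Ref": "Eth1"}}},
  "EIPAssoc2": {"Type": "AWS::EC2::EIPAssociation", "Properties": {
    "AllocationId": {"Fn::GetAtt": ["EIP2", "AllocationId"]}, "NetworkInterfaceId": {"Ref": "Eth2"}}}
 }
}''')

WORLD = ("0.0.0.0/0", "::/0")


def _ref(value):
    """Logical name behind a {"Ref": ...} intrinsic, or None."""
    return value.get("Ref") if isinstance(value, dict) else None


def public_interfaces(template):
    """Logical names of ENIs that an EIPAssociation gives a public IP (sorted)."""
    names = []
    for res in template["Resources"].values():
        if res["Type"] == "AWS::EC2::EIPAssociation":
            eni = _ref(res["Properties"].get("NetworkInterfaceId"))
            if eni:
                names.append(eni)
    return sorted(names)


def world_open_rules(template, sg_name):
    """(protocol, from_port, to_port) for each ingress rule of sg_name open to the world."""
    props = template["Resources"][sg_name]["Properties"]
    return [(r.get("IpProtocol"), r.get("FromPort"), r.get("ToPort"))
            for r in props.get("SecurityGroupIngress", [])
            if r.get("CidrIp") in WORLD or r.get("CidrIpv6") in WORLD]


def review(template, management_eni="Eth2",
           vpn_listener_ports=(("tcp", 443, 443), ("udp", 4500, 4500))):
    """Return review findings; an empty list means the template passes.

    Policy applied here (an assumption of this example, not Ivanti guidance):
    an ENI with a public IP may expose only vpn_listener_ports to the world,
    and the management ENI may expose nothing to the world at all.
    """
    resources = template["Resources"]
    findings = []
    for eni in public_interfaces(template):
        for group in resources[eni]["Properties"].get("GroupSet", []):
            sg = _ref(group)
            if sg not in resources:  # literal sg-id, not defined in this template
                continue
            for rule in world_open_rules(template, sg):
                if eni == management_eni:
                    findings.append(f"{eni}/{sg}: {rule} open to the world on the management interface")
                elif rule not in vpn_listener_ports:
                    findings.append(f"{eni}/{sg}: {rule} open to the world is not a VPN listener port")
    # ICS forwards L3 tunnel traffic, so EC2 source/destination checking must be
    # off on its ENIs; otherwise EC2 drops packets not addressed to the ENI itself.
    for name, res in resources.items():
        if (res["Type"] == "AWS::EC2::NetworkInterface"
                and res["Properties"].get("SourceDestCheck", True) is not False):
            findings.append(f"{name}: SourceDestCheck is not disabled; forwarded tunnel traffic would be dropped")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

On the constructed fragment the review reports two findings: the management security group admits 443/tcp from 0.0.0.0/0 on the interface that carries EIP2, and Eth2 leaves SourceDestCheck at its default. Both are the kind of defect that deploys without error and only shows up later, as an exposed administrative interface or as tunnel traffic silently dropped.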
Outputs
The Outputs section defines the public IP address, private IP address and primary private IP address displayed after ICS is successfully deployed on AWS. ManagementAddress and ExternalAddress each pair an Elastic IP (EIP2 and EIP1) with the primary private address of the matching network interface (Eth2 and Eth1); InternalAddress carries only the private address of Eth0, because the internal interface receives no public IP.
"Outputs": {
  "ManagementAddress": {
    "Value": {
      "Fn::Join": [
        " ",
        [
          "Public IP address:",
          { "Ref": "EIP2" },
          "Private IP address:",
          { "Fn::GetAtt": [ "Eth2", "PrimaryPrivateIpAddress" ] }
        ]
      ]
    },
    "Description": "Ivanti Connect Secure Management Interface details"
  },
  "ExternalAddress": {
    "Value": {
      "Fn::Join": [
        " ",
        [
          "Public IP address:",
          { "Ref": "EIP1" },
          "Private IP address:",
          { "Fn::GetAtt": [ "Eth1", "PrimaryPrivateIpAddress" ] }
        ]
      ]
    },
    "Description": "Ivanti Connect Secure External Interface details"
  },
  "InternalAddress": {
    "Value": {
      "Fn::Join": [
        " ",
        [
          "Private IP address:",
          { "Fn::GetAtt": [ "Eth0", "PrimaryPrivateIpAddress" ] }
        ]
      ]
    },
    "Description": "Ivanti Connect Secure Internal Interface details"
  }
}