Appendix C: Ivanti Connect Secure CloudFormation Template for an Existing Virtual Private Cloud

Ivanti Secure provides sample CloudFormation template files to deploy the Ivanti Connect Secure Virtual Appliance on AWS. Users can modify these to suit their needs. Visit the Amazon Marketplace, download the aws_template-3-nics.zip file, and unzip it to get aws-template-3nic-existing-vpc.json.

This template creates a new ICS with 3 NICs, VPC, four subnets, security group policies attached to the ICS internal, external and management subnets, and user-defined routes on the ICS internal subnet to ensure ICS is used as the default gateway for the L3 tunnel. All 3 NICs of ICS are configured with dynamic IP configuration and have IP forwarding enabled. Public IPs are attached to the ICS external and management NICs.

The template has the following sections:

Parameters: This section defines the parameters used for deploying ICS on AWS. It contains the parameter name, its default value and the mouse-over help text that is displayed when the mouse is placed over the parameter in the AWS web portal. The parameters defined here are displayed in the Custom Deployment page of the AWS portal.

Resources: This section defines the resource types that are deployed or updated in a resource group.

Outputs: This section defines the public IP address and FQDN returned after successful deployment of ICS on AWS.

Parameters

Key Name: This is the name of an existing EC2 key pair. The ICS instance is launched with this key pair.

    "Parameters": {
        "KeyName": {
            "Type": "AWS::EC2::KeyPair::KeyName",
            "Default": "",
            "AllowedPattern": "[-_ a-zA-Z0-9]*",
            "Description": "Name of an existing EC2 KeyPair. Your ICS will launch with this KeyPair.",
            "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
        },

ICS Image AMI ID: This is the ID of the uploaded AMI file.

        "ICSImageAMIId": {
            "Type": "String",
            "Description": "AMI ID of your existing ICS image"
        },

Instance Type: This specifies the size of the instance, either t2.medium or t2.large.

        "InstanceType": {
            "Description": "Select ICS instance type",
            "Type": "String",
            "Default": "t2.medium",
            "AllowedValues": [
                "t2.medium",
                "t2.large"
            ],
            "ConstraintDescription": "Must be the name of an existing EC2 Instance type."
        },

ICS Config Data: This parameter contains the provisioning parameters that are required during deployment of a Virtual Appliance. An XML-based configuration file can be present on another virtual machine in the AWS cloud or in the corporate network, which is accessible to Ivanti Connect Secure through a site-to-site VPN between AWS and the corporate data center.

Ivanti Connect Secure accepts the following parameters as provisioning parameters:

primary-dns

secondary-dns

wins-server

dns-domain

admin-username

admin-password

cert-common-name

cert-random-text

cert-organization

config-download-url

config-data

auth-code-license

enable-license-server

accept-license-agreement

enable-rest

For details about these parameters, see Ivanti Connect Secure Provisioning Parameters.

VPCID: This is the ID of the existing VPC.

        "VpcId": {
            "Type": "AWS::EC2::VPC::Id",
            "Description": "Existing VPC to deploy the Ivanti Connect Secure into."
        },

SubnetIntID: This is the ID of the subnet to which the ICS Internal interface connects.

        "SubnetIntId": {
            "Type": "AWS::EC2::Subnet::Id",
            "Description": "Ivanti Connect Secure VM internal interface connects to this subnet"
        },

SubnetExtId: This is the ID of the subnet to which the ICS External interface connects.

        "SubnetExtId": {
            "Type": "AWS::EC2::Subnet::Id",
            "Description": "Ivanti Connect Secure VM external interface connects to this subnet"
        },

SubnetMgmtId: This is the ID of the subnet to which the ICS Management interface connects.

        "SubnetMgmtId": {
            "Type": "AWS::EC2::Subnet::Id",
            "Description": "Ivanti Connect Secure VM management interface connects to this subnet"
        }
    },
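CloudFormation enforces the constraints above (AllowedPattern, AllowedValues, a required value when no Default exists) only when the stack is created, which is late to discover a bad key-pair name or an unsupported instance type. The following script is an added example, not part of the Ivanti template or its documentation: it applies the same constraints offline to a proposed set of parameter values. The Parameters excerpt it embeds reproduces the fragments shown in this appendix; the resource-ID shape checks for the AWS::EC2::VPC::Id and AWS::EC2::Subnet::Id types are an assumption (CloudFormation itself checks that the resource exists in the account, which cannot be done offline), and the sample values are constructed placeholders.

```python
import json
import re

# Constructed excerpt of the template's Parameters section, reproducing the
# fragments shown in this appendix (the full template has more parameters).
TEMPLATE_PARAMETERS = json.loads("""
{
  "KeyName": {
    "Type": "AWS::EC2::KeyPair::KeyName",
    "Default": "",
    "AllowedPattern": "[-_ a-zA-Z0-9]*",
    "Description": "Name of an existing EC2 KeyPair. Your ICS will launch with this KeyPair.",
    "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
  },
  "ICSImageAMIId": {"Type": "String", "Description": "AMI ID of your existing ICS image"},
  "InstanceType": {
    "Description": "Select ICS instance type",
    "Type": "String",
    "Default": "t2.medium",
    "AllowedValues": ["t2.medium", "t2.large"],
    "ConstraintDescription": "Must be the name of an existing EC2 Instance type."
  },
  "VpcId": {"Type": "AWS::EC2::VPC::Id", "Description": "Existing VPC to deploy the Ivanti Connect Secure into."},
  "SubnetIntId": {"Type": "AWS::EC2::Subnet::Id", "Description": "Ivanti Connect Secure VM internal interface connects to this subnet"}
}
""")

# Assumption: syntactic shape of AWS resource IDs. This is only a pre-check;
# CloudFormation verifies that the referenced VPC or subnet really exists.
AWS_TYPE_PATTERNS = {
    "AWS::EC2::VPC::Id": r"vpc-[0-9a-f]{8,17}",
    "AWS::EC2::Subnet::Id": r"subnet-[0-9a-f]{8,17}",
}


def validate_parameters(definitions, supplied):
    """Return a list of human-readable errors; an empty list means the
    supplied values satisfy every declared constraint.

    Mirrors what CloudFormation checks at stack creation: a value must be
    supplied unless a Default exists, AllowedPattern must match the whole
    value, and AllowedValues is a closed list."""
    errors = []
    for name, spec in definitions.items():
        if name in supplied:
            value = supplied[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            errors.append(f"{name}: no value supplied and no Default defined")
            continue
        if not isinstance(value, str):
            errors.append(f"{name}: value must be a string")
            continue
        pattern = spec.get("AllowedPattern")
        if pattern is not None and re.fullmatch(pattern, value) is None:
            errors.append(f"{name}: {spec.get('ConstraintDescription', 'does not match AllowedPattern')}")
        allowed = spec.get("AllowedValues")
        if allowed is not None and value not in allowed:
            errors.append(f"{name}: {value!r} is not one of {allowed}")
        type_pattern = AWS_TYPE_PATTERNS.get(spec.get("Type"))
        if type_pattern is not None and re.fullmatch(type_pattern, value) is None:
            errors.append(f"{name}: {value!r} does not look like a {spec['Type']}")
    # Values for parameters the template never declares are rejected outright.
    for name in supplied:
        if name not in definitions:
            errors.append(f"{name}: not declared in the template's Parameters section")
    return errors


# Constructed sample inputs: placeholder IDs, not a real account.
GOOD_INPUT = {
    "KeyName": "ics-admin-key",
    "ICSImageAMIId": "ami-PLACEHOLDER",
    "VpcId": "vpc-0123456789abcdef0",
    "SubnetIntId": "subnet-0123456789abcdef0",
}
BAD_INPUT = {
    "KeyName": "key#1",          # '#' is outside the AllowedPattern
    "InstanceType": "t2.micro",  # not in AllowedValues
    "VpcId": "vpc-zzz",          # wrong ID shape
    "SubnetIntId": "subnet-0123456789abcdef0",
    "Extra": "x",                # undeclared parameter
}                                # ICSImageAMIId is missing and has no Default

if __name__ == "__main__":
    for line in validate_parameters(TEMPLATE_PARAMETERS, BAD_INPUT):
        print(line)
```

Run the script before `aws cloudformation create-stack` to catch constraint violations locally; each error line names the parameter and repeats the template's own ConstraintDescription where one exists.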

Resources

EIP1:
    "EIP1": {
        "Type": "AWS::EC2::EIP",

EIPAssoc1:
    "EIPAssoc1": {
        "Type": "AWS::EC2::EIPAssociation",

EIP2:
    "EIP2": {
        "Type": "AWS::EC2::EIP",

EIPAssoc2:
    "EIPAssoc2": {
        "Type": "AWS::EC2::EIPAssociation",

ICSvExternalSecurityGroup:
    "ICSvExternalSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",

ICSvInternalSecurityGroup:
    "ICSvInternalSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",

ICSvManagementSecurityGroup:
    "ICSvManagementSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",

EC2Instance:
    "EC2Instance": {
        "Type": "AWS::EC2::Instance",

Eth0:
    "Eth0": {
        "Type": "AWS::EC2::NetworkInterface",

Eth1:
    "Eth1": {
        "Type": "AWS::EC2::NetworkInterface",

Eth2:
    "Eth2": {
        "Type": "AWS::EC2::NetworkInterface",
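Two properties of these resources deserve a check before the template is customised and deployed: the ingress rules of the three security groups (the external group is expected to accept VPN clients from anywhere, the management group should not), and the SourceDestCheck setting on the network interfaces, which must be disabled for the NIC to forward L3-tunnel traffic as described above. A third, easily missed problem is a duplicated logical ID, which json.loads silently collapses into one resource. The linter below is an added example, not Ivanti's code: the Resources excerpt it embeds is constructed around the logical IDs listed in this appendix, its property values are illustrative (the management rule deliberately admits HTTPS from any address, and Eth2 omits SourceDestCheck), and treating any security group whose logical ID contains "Management" as the management group is an assumption.

```python
import json

# Constructed Resources excerpt using this appendix's logical IDs. The values
# are illustrative and chosen so that the linter has findings to report.
WEAK_RESOURCES = """
{
  "ICSvManagementSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "ICS management",
      "VpcId": {"Ref": "VpcId"},
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
      ]
    }
  },
  "ICSvExternalSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "ICS external",
      "VpcId": {"Ref": "VpcId"},
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
      ]
    }
  },
  "Eth0": {
    "Type": "AWS::EC2::NetworkInterface",
    "Properties": {"SubnetId": {"Ref": "SubnetIntId"},
                   "GroupSet": [{"Ref": "ICSvInternalSecurityGroup"}],
                   "SourceDestCheck": false}
  },
  "Eth2": {
    "Type": "AWS::EC2::NetworkInterface",
    "Properties": {"SubnetId": {"Ref": "SubnetMgmtId"},
                   "GroupSet": [{"Ref": "ICSvManagementSecurityGroup"}]}
  }
}
"""

# Constructed fragment with the same logical ID declared twice.
DUPLICATE_TEXT = """
{
  "Eth1": {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": {"Ref": "SubnetExtId"}}},
  "Eth1": {"Type": "AWS::EC2::NetworkInterface", "Properties": {"SubnetId": {"Ref": "SubnetMgmtId"}}}
}
"""

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def load_with_duplicate_check(text):
    """json.loads keeps only the last of two identical keys; CloudFormation
    logical IDs must be unique, so refuse the document instead of silently
    dropping a resource."""
    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError(f"duplicate key {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=hook)


def has_duplicate_logical_ids(text):
    try:
        load_with_duplicate_check(text)
    except ValueError:
        return True
    return False


def lint_resources(resources):
    """Return findings for the security-relevant properties of the template's
    security groups and network interfaces."""
    findings = []
    for logical_id, res in resources.items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ANY_ADDRESS:
                    continue
                if rule.get("IpProtocol") == "-1":
                    findings.append(f"{logical_id}: all protocols open to {cidr}")
                elif "Management" in logical_id:  # assumption: naming convention
                    findings.append(f"{logical_id}: management port "
                                    f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}")
        elif rtype == "AWS::EC2::NetworkInterface":
            if not props.get("GroupSet"):
                findings.append(f"{logical_id}: no security group attached (GroupSet is empty)")
            if props.get("SourceDestCheck") is not False:
                findings.append(f"{logical_id}: SourceDestCheck not disabled; "
                                "forwarded L3-tunnel traffic would be dropped")
    return findings


if __name__ == "__main__":
    for finding in lint_resources(load_with_duplicate_check(WEAK_RESOURCES)):
        print(finding)
```

The external group's world-open HTTPS rule is not reported, since that is the VPN listener; only the management group's exposure and the missing SourceDestCheck on Eth2 come back as findings. Load the real aws-template-3nic-existing-vpc.json with load_with_duplicate_check and pass its "Resources" object to lint_resources to run the same checks against the actual template.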

Outputs

The Outputs section defines the public IP address, private IP address and primary private IP address that are displayed on successful deployment of ICS on AWS.

    "Outputs": {
        "ExternalAddress": {
            "Value": {
                "Fn::Join": [
                    " ",
                    [
                        "Public IP address:",
                        {
                            "Ref": "EIP1"
                        },
                        "Private IP address:",
                        {
                            "Fn::GetAtt": [
                                "Eth1",
                                "PrimaryPrivateIpAddress"
                            ]
                        }
                    ]
                ]
            }
        }
    }
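The output above is built from three intrinsic functions: Ref on an AWS::EC2::EIP resolves to its public address, Fn::GetAtt reads the PrimaryPrivateIpAddress attribute of the Eth1 network interface, and Fn::Join concatenates the pieces with a space. The evaluator below is an added example, not part of the Ivanti template, that resolves those three functions so the output string can be previewed offline; the stack values it uses are constructed from documentation address ranges, not a real deployment.

```python
import json

# Constructed copy of the ExternalAddress output shown in this appendix.
EXTERNAL_ADDRESS_OUTPUT = json.loads("""
{
  "Value": {
    "Fn::Join": [" ", [
      "Public IP address:", {"Ref": "EIP1"},
      "Private IP address:", {"Fn::GetAtt": ["Eth1", "PrimaryPrivateIpAddress"]}
    ]]
  }
}
""")


def resolve(node, refs, attrs):
    """Evaluate the intrinsic functions used in the Outputs section.

    refs maps logical IDs to what Ref returns (for an EIP, its public address);
    attrs maps (logical ID, attribute name) to what Fn::GetAtt returns."""
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return [resolve(item, refs, attrs) for item in node]
    if isinstance(node, dict) and len(node) == 1:
        (name, arg), = node.items()
        if name == "Ref":
            return refs[arg]
        if name == "Fn::GetAtt":
            logical_id, attribute = arg
            return attrs[(logical_id, attribute)]
        if name == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(resolve(parts, refs, attrs))
    raise ValueError(f"unsupported node: {node!r}")


def render_output(output, refs, attrs):
    """Return the string CloudFormation would display for one Outputs entry."""
    return resolve(output["Value"], refs, attrs)


# Constructed stack values (TEST-NET and private ranges, not a real deployment).
SAMPLE_REFS = {"EIP1": "203.0.113.10"}
SAMPLE_ATTRS = {("Eth1", "PrimaryPrivateIpAddress"): "10.0.1.10"}

if __name__ == "__main__":
    print(render_output(EXTERNAL_ADDRESS_OUTPUT, SAMPLE_REFS, SAMPLE_ATTRS))
```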