ArcGIS Enterprise can be deployed on many different platforms, both on internal infrastructure and in the cloud. This blog will describe a series of items to keep in mind as one launches ArcGIS Enterprise in Amazon Web Services (AWS). The steps outlined below can be considered for various implementations of the ArcGIS Platform, regardless of the infrastructure it is installed on.
The main purpose for launching ArcGIS Enterprise in this example was to provide access to a portal to be used by students in a MS in GIS program, along with access to Insights for ArcGIS.
There are a number of system requirements to keep in mind as we implement ArcGIS Enterprise. First, we start with a base ArcGIS Enterprise deployment, which includes ArcGIS Server, Portal for ArcGIS, ArcGIS Data Store and two ArcGIS Web Adaptors. Additional server sites can then be added, as needed, to support additional capabilities.
NOTE: This is just one example of an implementation; there are many possible variations of the outlined steps.
1. Launch an AWS ArcGIS Enterprise instance (one of the available Esri AMIs).
   - Ensure it fulfills the system requirements for ArcGIS Server and Portal for ArcGIS; as a start, an m4.2xlarge (32GB RAM, 8 virtual cores) was used.
   - A new security group was created in a VPC with only the required ArcGIS ports (see the ports used by ArcGIS Server, Portal for ArcGIS and ArcGIS Data Store). Using a launch-wizard or default security group is generally not recommended, because it allows all traffic in.
   - Once the instance was launched, the Windows password was retrieved using the .pem key file, and a remote desktop connection was made.
   - A few logistical items were done, such as removing IE Enhanced Security Configuration, setting the default browser of preference, and installing any programs of interest, such as ArcGIS Pro, Notepad++, etc.
   - The World Wide Web Publishing Service (Windows service) was started, then set to Automatic startup.
   - The ArcGIS Data Store and Portal for ArcGIS Windows services were started as well, and their startup type was changed from Manual to Automatic. Why do this? Several components of ArcGIS Enterprise (ArcGIS Server, Portal for ArcGIS and ArcGIS Data Store) run under a dedicated Windows service, and these services need to be running.
2. Work with IT to secure the following:
   - Have a preferred domain in mind, e.g. gis.myuniversity.edu. The IT department was contacted with the preferred domain name and the internal IP address of the instance. This is how the DNS entry for the website was eventually set up, mapping the domain name (gis.myuniversity.edu) to the IP address of the AWS instance. This works for internal access; IT then set up a NAT for external access.
   - Add the machine to the Active Directory domain (IT staff with the proper permissions performed this) and confirm that the proper DNS records were updated.
   - Add the desired account to the local Administrators group, so that person can log in to the AWS instance using their university credentials rather than the local Administrator account.
   - The university's IT practice recommended against using Elastic IPs; on-premises DNS was used instead. They focus on setting up internal access first and then using a NAT for external access (one of the next steps).
3. Request SSL certificates (a CA-issued certificate) for the domain.
   - University IT departments use various certificate services; some of the common ones are GlobalSign, Comodo and DigiCert.
   - A Certificate Signing Request (CSR) was created.
   - Once the certificate was received, it was installed and configured. An example is here.
   - The certificate was bound to the website.
4. Request a Public IP NAT.
   - At this point, the IIS welcome URL (https://gis.myuniversity.edu) could be reached while on the university network, but not from outside the network.
   - IT created a Public IP NAT, then updated the DNS entry with the public IP address.
   - After the NAT records were updated with the public IP, https://gis.myuniversity.edu could be accessed from anywhere (a good indicator that one could proceed).
   - In a nutshell, all traffic was coming through an internally networked IP; the AWS machine itself was hidden from the outside world. Note that this is just one possible networking and implementation scenario.
   - The RDP port was not opened on the NAT. This means that one had to be on the university network to make a remote desktop connection to the instance.
5. Follow the Deploy Portal for ArcGIS on AWS documentation.
   - Ensure that the Portal for ArcGIS, ArcGIS Server and ArcGIS Data Store services are running and their startup type is Automatic.
   - When creating the Portal Administrator Account, ensure there is enough storage on the drive where the components are installed. There have been issues when users attempted the installation with only a small amount of space left, for example 10GB. Also, proper permissions are needed for the Windows account under which the Portal and Server Windows services run.
   - NOTE: Make sure step 19 of the Deploy Portal for ArcGIS on AWS documentation is done to set the portal's system properties in the Portal Administrator Directory.
   - IMPORTANT: Follow this workflow to avoid redirect errors: the Web Adaptor URL has to be changed to https://gis.myuniversity.edu/portal in the Portal Administrator Directory.
6. Request enterprise logins, commonly referred to as Single Sign-On (SSO).
   - Worked with IT to configure a SAML-compliant identity provider with the portal.
   - In this particular case, IT staff requested that a portal account with Administrator privileges be created for them, and they enabled SSO.
   - This step is very important for saving time on user management: no additional logins for students had to be created, and they could just log in to the portal and the Insights for ArcGIS app using their student credentials.
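As an added example (not code from the original post), here is a small Python check for the security-group step in item 1: it reads the rule structure returned by `aws ec2 describe-security-groups` and flags a launch-wizard "all traffic" rule, or any ArcGIS component or RDP port exposed to 0.0.0.0/0, leaving only HTTPS public. The sample group and the 10.20.0.0/16 campus range are constructed, and the port list assumes the single-machine base deployment reached only through the IIS Web Adaptor.

```python
"""Audit an EC2 security group for an ArcGIS Enterprise host: flag rules that
let the whole internet in, and any non-HTTPS port reachable from 0.0.0.0/0.
Input is the dict shape returned by `aws ec2 describe-security-groups`."""

# ArcGIS component ports (Server 6080/6443, Portal 7080/7443, Data Store
# 2443/9876) plus RDP 3389 should stay limited to VPC or campus ranges.
# Assumption: single-machine base deployment reached only via the Web Adaptor.
INTERNAL_PORTS = {6080, 6443, 7080, 7443, 2443, 9876, 3389}
PUBLIC_PORTS = {443}                    # only HTTPS is meant to be public
ANYWHERE = {"0.0.0.0/0", "::/0"}

def audit_security_group(group: dict) -> list:
    """Return (severity, message) findings for one security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        open_to_world = any(s in ANYWHERE for s in sources)
        if proto == "-1":               # "All traffic" rule of default groups
            sev = "HIGH" if open_to_world else "MEDIUM"
            findings.append((sev, f"all traffic allowed from {sources}"))
            continue
        if not open_to_world:
            continue                    # scoped to a known range: acceptable
        low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        ports = set(range(low, high + 1))
        if ports & INTERNAL_PORTS:
            findings.append(("HIGH", f"{proto} {low}-{high} open to the internet;"
                             " ArcGIS component and RDP ports must stay internal"))
        elif not ports <= PUBLIC_PORTS:
            findings.append(("MEDIUM", f"{proto} {low}-{high} open to the internet;"
                             " only 443 is expected"))
    return findings

# Constructed sample: launch-wizard "all traffic" rule plus hardened rules
# (HTTPS public, RDP limited to the campus range, 6443 mistakenly public).
SAMPLE_GROUP = {"GroupName": "launch-wizard-1", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

if __name__ == "__main__":
    for sev, msg in audit_security_group(SAMPLE_GROUP):
        print(f"[{sev}] {msg}")
```

Running it against the real output is a matter of loading the JSON from the CLI and passing each entry of `SecurityGroups` to `audit_security_group`.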
Any comments or additions are welcome.