Launch ArcGIS Enterprise in AWS

4778
6
08-11-2017 07:01 AM
Labels (1)
GeriMiller
Esri Regular Contributor
5 6 4,778

ArcGIS Enterprise can be deployed on many different platforms, both on internal infrastructure and in the cloud.  This blog will describe a series of items to keep in mind as one launches ArcGIS Enterprise in Amazon Web Services (AWS).  The steps outlined below can be considered for various implementations of the ArcGIS Platform, regardless of the infrastructure it is installed on.

The main purpose for launching ArcGIS Enterprise in this example was to provide access to a portal to be used by students in a MS in GIS program, along with access to Insights for ArcGIS.

There are a number of System Requirements that we need to keep in mind as we implement ArcGIS Enterprise. First, we would start with a base ArcGIS Enterprise deployment, which includes an ArcGIS Server, Portal for ArcGIS, ArcGIS Data Store and two ArcGIS Web Adaptors. Then add additional server sites, as needed, to support additional capabilities.  

NOTE: This is just an example of an implementation, there are many possible variations for the outlined steps.  

  1.      Launch an AWS ArcGIS Enterprise instance (one of the available Esri AMIs).
    •      Ensure it fulfills the system requirements for ArcGIS Server and Portal for ArcGIS – as a start m4.2xlarge, 32GB, 8 virtual cores system was used.
    •      A new security group was created in a VPC with all required ArcGIS ports (see ports used by ArcGIS Server, Portal for ArcGIS, ArcGIS Data Store). Using a launch-wizard or default security groups is generally not recommended, because they will allow all traffic in. 
    •      Once the instance was launched, the windows password was retrieved using a .pem file, and a remote desktop connection was made.
    •      A few logistical items were done, such as removing IE Enhanced security configuration, set default browser of preference, and install any programs of interest, such as ArcGIS Pro, Notepad ++, etc.
    •      The World Wide Web publishing service (Windows service) was started, then set to Automatic start.
    •      The ArcGIS Data Store and Portal for ArcGIS Windows services were started as well. The startup was changed to Automatic, versus manual. Why do this? Some of the components of ArcGIS Enterprise run under a dedicated Windows service (Arc GIS server, Portal for ArcGIS and ArcGIS Data Store). These services need to be running.

 

  1.      Work with IT to secure the following:
    •      Have a preferred domain in mind, i.e. gis.myuniversity.edu. IT department was contacted with the preferred domain name and the internal IP address of the instance. This is how eventually the DNS entry for the website was setup, that will map a domain name, such as gis.myuniversity.edu, to the IP address of the AWS instance. This would work for internal access, then IT setup a NAT for external access.
    •      Add the machine to Active Directory domain (IT staff with proper permissions performed this) and confirm that the proper DNS records updated.
    •      Add a desired account to the local Administrators group, that way that person could login to the AWS instance using their university credentials, versus the local Administrator account.
    •      The university’s IT practice recommended against using Elastic IPs – on premises DNS was used. They focus on setting up internal access only first and then using a NAT for external access (one of the next steps).

 

  1.      Request SSL certificates (CA certificate) issued to the domain.
    •      University IT departments use various services. Some of the common ones are GlobalSign, Comodo, DigiCert, others.  
    •      Certificate Signing Request (CSR) was created.
    •      Once certificate was received, it was installed and configured. An example is here.
    •      Certificate was bind to the website.

 

  1.      Request Public IP NAT.
    •      At this point, the IIS Welcome URL (https://gis.myuniversity.edu ) was able to be reached while on the university network, but not outside of the network.
    •      IT created a Public IP NAT, then updated the DNS entry with the Public IP address.
    •      After NAT records were updated with the Public IP, https://gis.myuniversity.edu was able to be accessed from anywhere (good indicator one could proceed).
    •      In a nutshell, all traffic was coming through an internal networked IP – the AWS machine was hidden from the outside world. Note that this is just one possible scenario of networking and implementation.
    •      RDP port was not open on the NAT. This means that one had to be on the university network to make a remote desktop connection to the instance.

 

  1.      Follow the Deploy Portal for ArcGIS on AWS
    •      Ensure that Portal for ArcGIS, ArcGIS Server and ArcGIS Data Store services are running and startup is Automatic.
    •      When creating the Portal Administrator Account, ensure there is proper storage on the drive where the components are installed. There have been issues with users trying to do the installation with small amount of space, for example 10GB, left. Also, proper permissions are needed for the windows account under which the Portal and Server windows services are running.
    •      NOTE: Make sure step 19 of the Deploy Portal for ArcGIS on AWS documentation is done to set the portal’s system properties in the Portal Administrator Directory.
    •      IMPORTANT: Follow this workflow to avoid redirect errors – the Web Adaptor URL has to be changed to https://gis.myuniversity.edu/portal in the Portal Administrator Directory.

  6.  Request enterprise logins, commonly referred to Single Sign On (SSO).  

  •      Worked with IT to configure a SAML-compliant identity provider with the portal.
  •      In this particular case, IT staff requested that a portal account with Administrator privileges be created for them, and they enabled SSO.  
  •      This step is very important to save time when it comes to user management – this means that no additional logins for students had to be created, and they could just login to the portal and the Insights for ArcGIS app using their student credentials.

Any comments or additions are welcome.

6 Comments
AzinSharaf
Frequent Contributor

Hi Geri Miller  I am deploying ArcGIS Enterprise very similar to the one you have describe here. Have you installed Web Adaptor? At the end we need to enable SSO with SAML and I am wondering if SAML configuration can eliminates the need of web adaptor or not?

GeriMiller
Esri Regular Contributor

Arin, SSO/SAML configuration will not eliminate the need for Web Adaptor, you will need the Web Adaptor as required component of ArcGIS Enterprise (two web adaptors, one for Portal for ArcGIS and one for ArcGIS Server).

JohnBrockwell
Frequent Contributor

Real Quick, Do I need the initial administrator account to deploy the web adaptor or will any administrator account in portal work for configuring the ArcGIS Web Adaptor with Portal for ArcGIS? Asking for a friend 

AurelieShapiro
Frequent Contributor

hi everyone,

we are running arcGIS Server on Amazon Web Services. But we want to upgrade our instance to a new one with more RAM.

Does anyone have experience with this? I plan to make a snapshot of my instance and then get a better one and implement it from the snapshot. However, I absolutely cannot lose the data connections to our AGOL and have to re-publish everything...Will my web apps work the same? is there any guidance or info to share? Warnings or lessons learned?

many thanks!

JohnBrockwell
Frequent Contributor

A proper snapshot will be fine. You need to make sure you don't change the instance. If you change the instance name that is where you will lose connections to data sources. Not sure how you AWS is structured but keep an eye on your usage and monthly statements from AWS. The AWS office was very  accommodating and willing to assist. They really helped with some of our questions.

Take Care,

JB

PeterKnoop
MVP Regular Contributor

If you haven't already, I would recommend taking a look through the generic AWS guide, Changing the Instance Type.

Sounds like you are interested in only adding more memory to your setup, and  do not need to change anything else about it. In other words, you plan to stick with the same instance family, but want to use a different instance type within the family, one with more memory (e.g., maybe you want to migrate from an m4.xlarge with 16GB to an m4.2xlarge with 32GB.)

I would strongly recommend that you do make a snapshot first, in case something goes wrong along the way, and you need to revert to your existing setup.

The basic process for "adding memory" to an instance -- assuming you are using a typical EBS-backed instance -- is to stop your instance, change its instance type to a compatible one that has more memory, and then start the instance again.  The steps are outlined in detail in the section of the AWS document titled, Resizing an Amazon EBS–backed Instance

Hope that helps,

-peter