ArcGIS Enterprise on AWS (Configuring Enterprise with AWS Load Balancers & using WebGISDr Tool)

Discussion created by cdickerson@waukeshacounty.gov_WaukeshaCounty on Nov 5, 2019
Latest reply on Nov 7, 2019 by cdickerson@waukeshacounty.gov_WaukeshaCounty

Hi All,

I have a dilemma I am facing with our ArcGIS Enterprise configuration on AWS. First, I will describe our system to give context to the issue. Note our system is fully up and running and we are not experiencing any issues at the moment.  Most of what I will be discussing are issues or questions that came up when planning for system outages and recovery plan, and deploying a development environment for testing system upgrades.  Any questions for this thread will be listed at the end of the tread, I reference these questions with *Q# for context in the discussion.


System Config

We have a GIS Enterprise system (ArcGIS 10.6.1) fully in the AWS Cloud. In our system we have two servers that drive the use of our multi-machine deployment of ArcGIS Enterprise. First, a GIS Server with ArcGIS Server, Portal for ArcGIS, and Data store software along with both Web Adaptors and second, Image Server with ArcGIS Server software. The last time our SSL Certificate expired, in the attempt to save a little bit of money we stood up a Application Load Balancer (ALB) in front of our servers that handled secure routing of traffic to our servers.  Load Balancers in AWS can host the SSL certificates but these certificates cannot be installed on the instances (servers) themselves. Through the use of an ALB, our DNSs switched from being associated with an elastic IP to the ALB (*Q1). This changed the way that ArcGIS Server and Protal allowed us to configure the Web Adaptors. Instead of being able to configure the Web Adaptors with the DNS ( it changed how our systems communicate with each other and we had to configure the Web Adaptors to use the private IP (https://10.x.x.x:6443) and federate our servers in Portal the same way (*Q2). Through these nuances of configuration we have a relatively stable GIS enviornment.   


Development Environment Deployment

From the system detailed above, we took images of our two servers in AWS and deployed them in the separate Virtual Private Cloud (VPC) for testing. We replicated security groups, launched a load balancer for those servers, and ensured all the components of what is needed to operate our GIS system were present and account for. These servers had their own variants of the DNSs that we were looking to reconfigure for the dev system. We ran into some hurdles with ArcGIS Server and ended up uninstalling and reinstalling the software (preserving the config-store and directories folders). We were able to create a new GIS site for server manager but unable to recreate the site from an existing one using the preserved folders.  We were unsure if the issue was because of the DNS change or differences in the admin passwords I chose to use (*Q3). We ended up doing the same thing form Portal and Data store and we now have a replicated system with no content but it is successfully running ArcGIS Enterprise. Additionally, we were able to reconfigure our Image server without losing content (I do believe the same admin account password was preserved).


WebGISDr Tool

Both within our production and development environments we were able to use the WebGISDr Tool to export full backups of our Enterprise to AWS.  Within development we were able to import a backup successfully after exporting it. We however have been unable to migrate data/content from our production environment to dev with the tool.  I have been told that as long as my DNS's match I should be able to import a back up generated from our production environment and use it in development (*Q4). Other than some minor differences (admin account password being different) in our prod and dev systems the one attempt at doing this led to the tool failing once it got to the data store. Looking to understand if this failure is something others have seen or if it is a nuance of our particular configuration or of our system stemming back to the way we have our ALB configured. 


That said, here are my questions:


* Q1 - Most traditional deployment models have the SSL Certificate installed on the servers themselves. Has anyone experienced any issues managing their SSL Certificates through Load Balancers?

*Q2 - In AWS you have no control over the what the primary private IP will be for a server but you have the ability to assign a secondary private IP. Does any one know if ArcGIS Enterprise can be configured using secondary private IPs? Has anyone ever tried, and could there be unforeseen consequences to doing this?

*Q3 - Has anyone recovered the content that was published to ArcGIS Server through replacing the config-store and directories folders? Was it for the same system where the DNS and the admin accounts matched?

*Q4 - Has anyone ever successfully imported a backup with the WebGISDr tool, to a different server? Were there any nuances you encountered that you needed to do to get it to work?


Thank you in advance.