ArcGIS Enterprise can be deployed on many different platforms, both on internal infrastructure and in the cloud. This blog describes a series of items to keep in mind when launching ArcGIS Enterprise in Amazon Web Services (AWS). The steps outlined below apply to various implementations of the ArcGIS Platform, regardless of the infrastructure it is installed on.
The main purpose for launching ArcGIS Enterprise in this example was to provide a portal for students in an MS in GIS program, along with access to Insights for ArcGIS.
A new security group was created in the VPC that opens only the ports ArcGIS needs (see the Esri documentation on the ports used by ArcGIS Server, Portal for ArcGIS and ArcGIS Data Store), and only to the networks that need them. Using a launch-wizard group or the VPC's default security group is not recommended: the launch-wizard groups created by the EC2 console typically open the remote-access port (RDP 3389 or SSH 22) to the whole internet (0.0.0.0/0), and the default group allows all traffic between every instance that shares it.
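The following script is an added example and is not part of the original post: it creates the security group described above with the AWS CLI, restricting HTTPS and RDP to the university's address range and the ArcGIS component ports to members of the group itself, then audits the result for world-open rules. The VPC id, the campus CIDR (10.10.0.0/16), the group name and the component port list are assumptions; take the authoritative port list from the Esri pages referenced above for your ArcGIS version.

```powershell
# Added example (not from the original post): least-privilege security group for ArcGIS Enterprise.
# Requires the AWS CLI on the path and a configured profile with EC2 permissions.
$VpcId          = 'vpc-0123456789abcdef0'   # assumption: the VPC the instance lives in
$UniversityCidr = '10.10.0.0/16'            # assumption: on-premises range that reaches the VPC (VPN/Direct Connect)
$GroupName      = 'arcgis-enterprise-sg'    # assumption

$GroupId = aws ec2 create-security-group `
    --group-name $GroupName `
    --description 'ArcGIS Enterprise: least-privilege ingress' `
    --vpc-id $VpcId --query GroupId --output text

# Ports the university network needs: HTTPS through IIS / the Web Adaptor, and RDP for administration.
$FromCampus = @(443, 3389) | ForEach-Object {
    @{ IpProtocol = 'tcp'; FromPort = $_; ToPort = $_
       IpRanges   = @(@{ CidrIp = $UniversityCidr; Description = "campus -> $_" }) }
}

# Component ports that only other members of this group (the ArcGIS machines themselves)
# should reach. Assumed values: Server 6080/6443, Portal 7080/7443, Data Store 2443 and 9876.
$Internal = @(6080, 6443, 7080, 7443, 2443, 9876) | ForEach-Object {
    @{ IpProtocol = 'tcp'; FromPort = $_; ToPort = $_
       UserIdGroupPairs = @(@{ GroupId = $GroupId; Description = "intra-group -> $_" }) }
}

# Writing the rules to a file avoids PowerShell/CLI JSON quoting problems.
$RulesFile = Join-Path $env:TEMP 'arcgis-sg-rules.json'
ConvertTo-Json -Depth 5 -InputObject @($FromCampus + $Internal) |
    Set-Content -Path $RulesFile -Encoding ascii
aws ec2 authorize-security-group-ingress --group-id $GroupId --ip-permissions "file://$RulesFile"

# Verification: any ingress rule whose source is 0.0.0.0/0 or ::/0 is a finding.
$Sg = aws ec2 describe-security-groups --group-ids $GroupId --output json | ConvertFrom-Json
$WorldOpen = $Sg.SecurityGroups[0].IpPermissions | Where-Object {
    ($_.IpRanges.CidrIp -contains '0.0.0.0/0') -or ($_.Ipv6Ranges.CidrIpv6 -contains '::/0')
}
if ($WorldOpen) {
    Write-Warning 'World-open ingress rules found:'
    $WorldOpen | Format-Table IpProtocol, FromPort, ToPort
} else {
    Write-Host "Ingress for $GroupName is restricted to $UniversityCidr and to the group itself."
}
```

The audit at the end is worth running against any existing group as well (replace `$GroupId` with the id of a launch-wizard group to see why the post warns against them). Egress is left at the AWS default (allow all); tighten it separately if the instance does not need unrestricted outbound access.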
Once the instance was launched, the Windows Administrator password was retrieved by decrypting it with the key pair's .pem file, and a remote desktop connection was made. Anyone holding that .pem file can recover the same password, so it should be protected as carefully as the password itself.
A few logistical items were done, such as removing IE Enhanced Security Configuration, setting the preferred default browser, and installing any programs of interest, such as ArcGIS Pro, Notepad++, etc.
The ArcGIS Data Store and Portal for ArcGIS Windows services were started as well, and their startup type was changed from Manual to Automatic. Why do this? Each component of ArcGIS Enterprise runs under a dedicated Windows service (ArcGIS Server, Portal for ArcGIS and ArcGIS Data Store), and these services need to be running, including after a reboot of the instance.
Work with IT to secure the following:
Have a preferred domain name in mind, e.g. gis.myuniversity.edu. The IT department was given the preferred name and the internal IP address of the instance, and created the DNS entry that maps gis.myuniversity.edu to that address. This provided internal access; IT later set up a NAT for external access.
Add the machine to the Active Directory domain (done by IT staff with the proper permissions) and confirm that the DNS records were updated accordingly.
Add the desired domain account to the local Administrators group, so that person can log in to the AWS instance with their university credentials rather than the local Administrator account.
The university's IT practice recommended against using Elastic IPs; on-premises DNS was used instead. Their approach is to set up internal access first and then add a NAT for external access (one of the next steps).
Request an SSL/TLS certificate issued by a certificate authority (CA) for the domain name.
At this point the IIS welcome page (https://gis.myuniversity.edu) could be reached from the university network, but not from outside it.
IT created a public IP NAT and updated the public DNS entry with the public IP address.
Once DNS pointed at the public IP, https://gis.myuniversity.edu could be accessed from anywhere (a good indicator that one could proceed).
In a nutshell, all traffic reached the instance through an internal network address; the AWS machine itself was not directly exposed to the outside world. Note that this is just one possible networking scenario and implementation.
The RDP port (3389) was not opened on the NAT, so one had to be on the university network to make a remote desktop connection to the instance.
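The checks made by hand in the steps above (name resolution, HTTPS reachable, RDP not reachable through the NAT, CA-issued certificate for the name) can be scripted. This is an added example, not code from the original post; run it once from the university network and once from outside. The host name is the post's example, and the expectations encoded below (443 answers, 3389 does not) are assumptions about this particular deployment.

```powershell
# Added example (not from the original post): verify DNS, reachability and the served certificate.
$HostName = 'gis.myuniversity.edu'   # the post's example name

# 1. DNS: which address does this vantage point resolve the name to?
#    From campus this should be the internal address; from outside, the NAT's public IP.
$Addresses = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
              Where-Object { $_.IPAddress }).IPAddress
Write-Host "$HostName resolves to: $($Addresses -join ', ')"

# 2. Reachability: 443 must answer; 3389 must not, because the NAT does not forward RDP.
$Https = Test-NetConnection -ComputerName $HostName -Port 443  -WarningAction SilentlyContinue
$Rdp   = Test-NetConnection -ComputerName $HostName -Port 3389 -WarningAction SilentlyContinue
if (-not $Https.TcpTestSucceeded) { Write-Warning '443 is not reachable from here' }
if ($Rdp.TcpTestSucceeded)        { Write-Warning '3389 IS reachable from here; RDP should stay campus-only' }

# 3. Certificate: fetch what the server presents and check it is the CA-issued
#    certificate for this name, not the self-signed one the components ship with.
$Tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    # Accept whatever is presented so it can be inspected; Verify() below does the real chain check.
    $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false,
             [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $Ssl.AuthenticateAsClient($HostName)
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
} finally {
    $Tcp.Close()
}

# GetNameInfo returns the first SAN DNS name, or the CN if there is no SAN.
$DnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
[pscustomobject]@{
    Subject     = $Cert.Subject
    Issuer      = $Cert.Issuer
    NotAfter    = $Cert.NotAfter
    NameMatches = ($DnsName -eq $HostName)      # wildcard or multi-SAN certs need a fuller match
    SelfSigned  = ($Cert.Subject -eq $Cert.Issuer)
    ChainValid  = $Cert.Verify()                # false for self-signed or an untrusted issuer
} | Format-List
```

If `ChainValid` is false while `SelfSigned` is true, IIS is still serving the default or ArcGIS self-signed certificate and the CA certificate requested from IT has not been bound to the site yet.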
Ensure that the Portal for ArcGIS, ArcGIS Server and ArcGIS Data Store services are running and that their startup type is Automatic.
Before creating the Portal Administrator Account, ensure there is enough free space on the drive where the components are installed; installations have run into problems when only a small amount of space, for example 10 GB, was left. The Windows account under which the Portal and Server services run also needs the proper permissions on the installation and content directories.
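A pre-flight script for the two items above, added here as an example rather than taken from the original post: it makes each ArcGIS service Automatic and running, reports the account each service runs as (so the permissions on the install and content directories can be checked for that account), and checks free space on each service's install drive. The service display names are those of a default ArcGIS Enterprise installation, and the 10 GB floor is an assumption taken from the figure quoted above.

```powershell
# Added example (not from the original post): service and disk-space pre-flight checks.
$ServiceNames = 'ArcGIS Server', 'Portal for ArcGIS', 'ArcGIS Data Store'   # default display names
$MinFreeGB    = 10                                                          # assumption

foreach ($Name in $ServiceNames) {
    $Svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $Svc) { Write-Warning "Service '$Name' is not installed on this machine"; continue }

    # Win32_Service exposes the start mode, the logon account and the binary path.
    $Wmi = Get-CimInstance Win32_Service -Filter "Name='$($Svc.Name)'"

    # Automatic start so the components come back after a reboot or a stop/start of the instance.
    if ($Wmi.StartMode -ne 'Auto')   { Set-Service -Name $Svc.Name -StartupType Automatic }
    if ($Svc.Status   -ne 'Running') { Start-Service -Name $Svc.Name }

    # Install drive: strip quotes/arguments from the service binary path and take its root.
    $Exe  = $Wmi.PathName -replace '^"([^"]+)".*$', '$1'
    $Root = [System.IO.Path]::GetPathRoot($Exe)
    $Free = (Get-PSDrive -Name $Root.TrimEnd(':\')).Free / 1GB

    [pscustomobject]@{
        Service   = $Name
        Status    = (Get-Service -Name $Svc.Name).Status
        StartMode = (Get-CimInstance Win32_Service -Filter "Name='$($Svc.Name)'").StartMode
        RunsAs    = $Wmi.StartName          # grant this account read/write on install and content dirs
        Drive     = $Root
        FreeGB    = [math]::Round($Free, 1)
        SpaceOK   = ($Free -ge $MinFreeGB)
    }
}
```

Run it in an elevated PowerShell session; `Set-Service` and `Start-Service` need administrator rights. Any row with `SpaceOK` false or a `RunsAs` account that lacks rights on the content directory should be fixed before the Portal Administrator Account is created.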
NOTE: Make sure step 19 of the Deploy Portal for ArcGIS on AWS documentation is done, which sets the portal's system properties in the Portal Administrator Directory.
In this particular case, IT staff requested that a portal account with Administrator privileges be created for them, and they enabled single sign-on (SSO).
This step saves a great deal of time in user management: no additional logins had to be created for students, who could simply log in to the portal and to the Insights for ArcGIS app with their student credentials.