Deploy VAs in Alibaba Cloud
Deploy Cisco Secure Access Virtual Appliances in the Alibaba Cloud environment.
Note: You must deploy at least two Virtual Appliances (VAs) in a Secure Access Site. It is critical that these VAs are not cloned or copied in any way. Configure and set up each VA manually.
Table of Contents
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- For information about the network requirements for deploying VAs, see Prerequisites for Virtual Appliances.
- An Alibaba account. Create your account at https://www.alibaba.com/.
- A qemu-utils package installed, such as Homebrew, to run the qemu-img and tar commands.
- Only VAs running version 3.6.1 or above can be deployed in Alibaba.
- An SSH client (for example, PuTTY on Windows or Terminal on Macintosh) to access the VA console.
(Optional) Configure Authentication for the Virtual Appliances
Before you can download the Virtual Appliance image in Secure Access, you must configure your Secure Access API keys for the Virtual Appliances in your organization. For more information, see Configure Authentication for Virtual Appliances.
Procedure
- Download and Extract the Hyper-V Installer. This is a one time task.
- Alibaba Cloud Setup
- Create a Custom Image. Perform this task for each VA after performing the one-time task of preparing the VA images.
- Deploy the Secure Access VAs from the Imported Custom Image
- First-time Login to Secure Access VA
- Related Topics
Download and Extract the Hyper-V Installer
-
Navigate to Connectors > DNS Forwarders and click Download Components.
-
Click Download for VA for Hyper-V.
Secure Access generates and downloads a tar file unique to your deployment.
This tar file includes:
- a zip file containing the virtual hard disks that need to be deployed on Hyper-V
- a signature file
- a Cisco public certificate to validate the signature
- a readme file
- Extract the contents of the tar file using the command
tar –xvf <
.
To verify the integrity of the downloaded file, validate the signature by following the instructions provided in the readme file. When successful, there will be a message saying “Verified OK." - Extract the .zip file. You'll find two folders—Virtual Hard Disks and Virtual Machines—and a config file.
-
In Windows Explorer, navigate to the \Virtual Hard Disks** subfolder within the extracted download folder created in Step 1**.
-
Note the two VA files, dynamic and forwarder-va. Convert the forwarder-va.vhd file to .raw format:
qemu-img convert -f vpc -O raw forwarder-va.vhd forwarder-va.raw
-
Zip the forwarder-va.raw file.
Note: Alibaba only allows for 5Gb uploads.
Alibaba Cloud Setup
This section describes the configuration requirements within Alibaba Cloud to support deploying the Secure Access VA instances to your virtual private cloud (VPC). For more details on setting up a VPC and other components, please refer to Alibaba's Cloud Documentation here.
Procedural Overview
- Create an Alibaba Virtual Private Cloud (VPC)
- Create a Bucket for the Umbrella VAs
- Configure a ZIP Package Decompression Rule
- Upload the Secure Access VHD Images to the OSS Bucket
Create an Alibaba Virtual Private Cloud (VPC)
A virtual private cloud (VPC) is required to deploy your Alibaba Cloud resources, such as Secure Access VAs.
- Log in to your Alibaba Cloud Account and log on to the VPC console.
- In the top navigation bar, select the region where you want to deploy the VPC.
Note: The VPC and the cloud resources that you want to deploy in the VPC must belong to the same region. - On the VPCs page, click Create VPC.
- On the Create VPC page, set the required parameters and click OK.
To find more information about this, please click here.
Create a Bucket for the Secure Access VAs
An Object Storage Service (OSS) bucket is needed. Alibaba OSS is a secure, cost-effective, and highly reliable cloud storage service that allows for the storage of large amounts of data.
- On the Alibaba Cloud Console home page, select Object Storage Service (OSS).
- In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.
- In the Create Bucket panel, enter the Bucket Name and Region .
The bucket must be in the same region as the VPC in which the Secure Access VAs are to be deployed. Keep the default settings for other parameters or configure the parameters after the bucket is created. - Click OK.
After the bucket is created, the Created message is displayed.
Configure a ZIP Package Decompression Rule
Alibaba Cloud accepts uploads of objects up to 5 GB in size using the OSS console. Because the Secure Access Forwarder VA is larger than 5 GB, the forwarder-va.vhd file needs to be converted to .raw format and then compressed to a zip file, as described in Download and Extract the Hyper-V Installer.
- In the left navigation pane of the OSS console, click Buckets. On the Buckets page, find and click the desired bucket.
- In the left navigation tree, choose Data Processing > Decompress ZIP Package.
- Click Start Activation and follow the prompts.
- Once activation is complete, go to the bucket and click Decompress ZIP Package. In the Decompress ZIP Package panel, configure the following parameters:
- Service Authorization - Authorize Function Compute to read data from and write data to OSS and to execute functions. Click Authorize. Complete authorization on the page that appears.
- Authorize Trigger - Authorize OSS to access Function Compute. Click Authorize. Complete authorization on the page that appears. If OSS is authorized to access Function Compute, the Trigger Role parameter is displayed instead of the Authorize Trigger parameter.
- Destination Directory - To store the objects extracted from a ZIP package in a subdirectory that has the same name as the package in the destination directory, select Add the compressed object name to the destination directory.
- Click OK.
Now that the bucket is created, click Go to Bucket. Alternatively, click Buckets in the left-side navigation pane and click the name of the created bucket.
Upload the Secure Access VHD Images to the OSS Bucket
Upload the Secure Access VHD images that were downloaded in Download and Extract the Hyper-V Installer to your bucket.
-
Select your bucket, choose Files > Upload, and click here to upload.
-
Select the compressed forwarder-va zip file on your local drive. Wait for the automatic decompression to be triggered before continuing. The forwarder-va.raw file should be seen in the table on the Upload page if it is uploaded successfully.
-
Select the dynamic.vhd on your local drive. Given the small size of this file, no conversion or compression is required.
-
The file will be displayed in the table on the Upload page if it is uploaded successfully.
-
Click View Details, the click Copy File URL. This URL is needed in later steps when creating a custom image.
Create a Custom Image
- Select the Alibaba Elastic Compute Service (ECS).
- Select Instances & Images > Images > Custom Images.
- Click the Import Image button.
- Paste the forwarder-va.raw URL in the Import Image window. See Upload the Secure Access VHD Images to the OSS Bucket for where to find the URL.
Note: If the following error is seen, ECS does not have access to the OSS resources. Enable access by clicking the here hyperlink shown.
- If necessary, click the Confirm Authorization Policy button.
- Repeat the Import Image action and fill the necessary fields as below.
- Check the Configure Disk Attributes box and adjust the Disk SizeGiB setting.
Note: Make sure that the forwarder-va.raw disk size is 6.5 GB. - Repeat for the dynamic.vhd file.
Note: Make sure that the dynamic.vhd disk size is 20 MB.
- If the image is successfully created, the following window is shown.
- Note that if the forwarder-va.vhd is uploaded instead of .raw image, or if the size is not supported, the following error is shown.
Deploy the Secure Access VAs from the Imported Custom Image
An Elastic Compute Service (ECS) image provides the information that is required to create an ECS instance. An image must be specified when creating an ECS instance. An image is a copy of data from one or more disks. An instance image can contain data from only the system disk or from both the system disk and data disks.
- Navigate to Elastic Compute Service > Instances. Click Create Instance.
- Complete the following Basic Configuration settings:
- Select the Region and zone. Select a region that is close to your geographical location to reduce latency. After an instance is created, the region and the zone of the instance cannot be changed.
- Select the Instance type. Different instance types have different CPU, RAM and throughput capacity.
Note: It is recommended to have an instance type having a minimum capability of ecs.c6.xlarge for optimal DNS performance, with enhanced clock speed as the VA is a DNS proxy.
- Select the Custom image, Duration and click Next.
Note: The System Disk size increase will not help scale the VA as dynamic disk size change is not supported. The VA only supports a 7 GB system and 1 GB data disk.
- Select the VPC and VSwitch as per the topology. In this example, default values are selected.
The Virtual Appliance will have a private IP with which it will be registered with the dashboard. Specify the private IP so that it does not change on power cycle.
- If a Security Group has already been created, the same can be reused. This example proceeds with basic configuration and enable the ports later as per VA pre-requisites
- Alibaba cloud does not support password setting for users other than "root", so the vmadmin password cannot be set through the Cloud and it has to be Set Later through SSH or console access.
- Select the Resource Group in the next window. In this example, the Default Resource Group is used.
- Click Create Order and proceed.
- Once the subscription is created, the instance will show up on the ECS console.
What's Next
- Go to the newly created instance and edit Security Group rules; see the virtual appliances (VA) network requirements.
- The vmadmin password can be reset by doing remote SSH via the public IP as port 3389 is allowed by default.
- If the instance does not have a public IP, a Bastion host has to be created in the same region to access it via Private IP as per Alibaba documentation.
- Please note that connecting to the VA through the Alibaba Cloud workbench will fail due to the change password prompt, so the first time password reset has to happen via SSH.
- Once the password is reset, the Alibaba workbench can be used to login to the console.
- After the password is set, you can SSH to the VA via the ECS Workbench as well.
First-time Login to Secure Access VA
There are three ways to do the first-time login to the Secure Access VA:
- If the VA has a public IP associated, use the default vmadmin/ credentials and reset the password.
- If the VA is inside private network, create another OAM VM (not the Alibaba bastion) inside the same network and SSH through the private IP using the vmadmin/ credentials and reset the password.
- ECS instances can also be added to a Bastion host enterprise edition available on the Alibaba cloud; refer to the following guidelines. When doing so, please note that the password should be reset from the ECS instance UI also before trying to login through the Bastion. Please note that even though the instance password is reset through UI, it won't apply to the instance as we do not have a root account.
Related Topics
- Dual-NIC Support on the VA
- IP Addressing
- Anycast Configuration Support
- DNS Performance on Alibaba ECS Instances
- Extensions on Alibaba ECS Instances
Dual-NIC Support on the VA
In the Alibaba Cloud elastic network interfaces (ENIs) are logical networking components that represent virtual NICs, providing network connectivity and IP addresses for Elastic Compute Service (ECS) instances deployed in virtual private clouds (VPCs).
The Secure Access VA supports a dual-NIC configuration. This dual-NIC configuration is intended to enable DMZ deployment of a VA for traffic segregation with one network interface being used for outbound communication and the other network interface used for internal communication.
There is no change to existing behavior if the VA is deployed with a single NIC. Configuring more than two NICs on the VA is not supported.
For more information about Secure Access Dual-NIC support and how to configure Alibaba ENIs, see the following:
Note: Do not connect more than one ENI the same VSwitch. Network issues will result.
IP Addressing
General Guidelines
The Secure Access VA supports both IPv4 and IPv6 addressing (dual stack). However there are some observations on the Alibaba cloud regarding IP addressing:
- While the Alibaba ECS ENI supports multiple private IP address, please note that the Secure Access VA only supports a single IPv4 or Single IPv4 + IPv6 pair per ENI.
- One private IPv4 and one private IPv6 address can be added to the Secure Access VA.
- The Alibaba Cloud is not supporting public IPv6 address to ECS instances.
- An IPv6 gateway can be set up at the VPC level and establish connectivity to Secure Access global IPv6 resolvers. However, it has been observed during testing that IPv6 packets are not getting a response even after setting up the gateway. This has been observed in the Germany Frankfurt Region.
Support for IPv6 Addressing
The following are observations regarding IPv6 addressing on the Alibaba Cloud:
- The IPv6 address range should be enabled on the VSwitch.
- By default, when creating an Elastic Compute Service (ECS) instance, an IPv4 address instead of an IPv6 address is assigned to the instance. To have the instance communicate over IPv6, configure an IPv6 address for the instance.
- IPv6 addressing is not supported on every ECS instance types. It depends on system resources selected during deployment. Refer to ECS instance type family.
- See Configure IPv6 addresses for information on how to configure an IPv6 address for the instance.
Anycast Configuration Support
The Umbrella VA enables the use of Anycast DNS addressing within an enterprise.
The VA currently supports enabling Anycast using the BGP protocol. This requires support for BGP on the VA’s neighboring router, or any router that is reachable from the VA within 255 hops. See the Configure Anycast topic for information about how to configure Anycast on the VA.
In addition, keep the following in mind when configuring Anycast on the Alibaba cloud:
- Configure an additional route on the VSwitch for the Anycast IP address for packets with the destination IP as Anycast.
- The Anycast IP/network can be routed only per single ECS or ENI per VSwitch, where the next hop is the VA instance on which Anycast is enabled and 10.0.0.5 is the Anycast IP.
Note: VAs participating in anycast DNS should belong to different VSwitches or different networks; the following image shows the route table of a VSwitch configured with an Anycast route.
DNS Performance on Alibaba ECS Instances
Different instance types have different CPU, RAM and throughput capacity. Latency and throughput testing was performed on the following instances using dnsperf. The results captured after running the test for 1 minute are collected in the following table.
From these statistics, it is recommended to have an instance type having a minimum capability of ecs.c6.xlarge for optimal DNS performance. Refer to the Alibaba Cloud Instance family documentation for information on instance configurations.
Instance Type | Maximum DNS Throughput |
---|---|
ecs.mn4.small | 1300 qps |
ecs.c5.large | 1800 qps |
ecs.hfc5.large | 2000 qps |
ecs.g6e.large | 2700 qps |
ecs.c6.xlarge | 4600 qps |
ecs.g6e.xlarge | > 10000 qps |
Extensions on Alibaba ECS Instances
Alibaba ECS instance supports installing agents/plugins for monitoring purpose, example CloudMonitor argusagent. It is not recommended to do so as it puts the VA under risk for root partition exhaustion. On a newly deployed VA instance, the memory usage is 66 % due to the aliyun default packages installation.
Deploy VAs in Nutanix < Deploy VAs in Alibaba > Configure Virtual Appliances
Updated 18 days ago