Confirming prerequisites for setup

Virtual Storage Platform One SDS Block Cloud Setup and Configuration Guide

Version
1.14.x
Audience
anonymous
Part Number
MK-24VSP1SDS008-01

This section describes the prerequisites for setting up VSP One SDS Block from AWS Marketplace.

  • An AWS account must be created beforehand.

  • Setup must be performed by an IAM user with the AWS managed policy "AWSMarketplaceFullAccess" and the following permissions, or by an IAM user with administrative privileges.

    Note:

    After the deployment of VSP One SDS Block is completed, you can reduce security risks by removing the above permissions from the IAM user used for setup. Additionally, if it is unnecessary for the operation of VSP One SDS Block, you can delete the IAM user used for setup.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "cloudformation:DescribeStacks",
                    "cloudformation:ListStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:UpdateStack",
                    "cloudformation:ContinueUpdateRollback",
                    "cloudformation:ValidateTemplate",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:ListStackResources",
                    "cloudformation:CreateChangeSet",
                    "cloudformation:ExecuteChangeSet",
                    "cloudformation:DeleteChangeSet",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:ListChangeSets",
                    "cloudformation:CreateUploadBucket",
                    "cloudformation:GetTemplate",
                    "cloudformation:GetTemplateSummary",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeInternetGateways",
                    "ec2:CreateVpc",
                    "ec2:ModifyVpcAttribute",
                    "ec2:DeleteVpc",
                    "ec2:DescribeVpcs",
                    "ec2:CreateVpcEndpoint",
                    "ec2:CreateVpcEndpointServiceConfiguration",
                    "ec2:ModifyVpcEndpointServiceConfiguration",
                    "ec2:DeleteVpcEndpoints",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:CreateSubnet",
                    "ec2:DeleteSubnet",
                    "ec2:DescribeSubnets",
                    "ec2:ModifySubnetAttribute",
                    "ec2:DescribeRouteTables",
                    "ec2:CreateNetworkAcl",
                    "ec2:DeleteNetworkAcl",
                    "ec2:DescribeNetworkAcls",
                    "ec2:ReplaceNetworkAclAssociation",
                    "ec2:CreateNetworkAclEntry",
                    "ec2:DeleteNetworkAclEntry",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeSecurityGroups",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:RunInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeImages",
                    "ec2:CreateKeyPair",
                    "ec2:DeleteKeyPair",
                    "ec2:DescribeKeyPairs",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:CreateLaunchTemplateVersion",
                    "ec2:DescribeLaunchTemplateVersions",
                    "ec2:CreateVolume",
                    "ec2:DeleteVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:DetachVolume",
                    "ec2:ModifyVolumeAttribute",
                    "ec2:DescribeVolumesModifications",
                    "ec2:CreateTags",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:CreatePlacementGroup",
                    "ec2:DeletePlacementGroup",
                    "ec2:DescribePlacementGroups",
                    "ec2:AssociateIamInstanceProfile",
                    "ec2:ReplaceIamInstanceProfileAssociation",
                    "ec2:DisassociateIamInstanceProfile",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:GetSerialConsoleAccessStatus",
                    "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                    "autoscaling:DescribeAutoScalingInstances",
                    "elasticloadbalancing:CreateTargetGroup",
                    "elasticloadbalancing:DeleteTargetGroup",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetGroupAttributes",
                    "elasticloadbalancing:ModifyTargetGroupAttributes",
                    "elasticloadbalancing:RegisterTargets",
                    "elasticloadbalancing:DeregisterTargets",
                    "elasticloadbalancing:ModifyTargetGroup",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:DeleteLoadBalancer",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:ModifyLoadBalancerAttributes",
                    "elasticloadbalancing:SetIpAddressType",
                    "elasticloadbalancing:SetSubnets",
                    "elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:ModifyListener",
                    "elasticloadbalancing:CreateRule",
                    "elasticloadbalancing:DeleteRule",
                    "elasticloadbalancing:DescribeRules",
                    "elasticloadbalancing:ModifyRule",
                    "elasticloadbalancing:SetRulePriorities",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "elasticloadbalancing:AddTags",
                    "elasticloadbalancing:RemoveTags",
                    "elasticloadbalancing:DescribeTags",
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets",
                    "aws-portal:ViewBilling",
                    "iam:AttachRolePolicy",
                    "iam:CreatePolicy",
                    "iam:CreatePolicyVersion",
                    "iam:CreateRole",
                    "iam:DeletePolicy",
                    "iam:DeletePolicyVersion",
                    "iam:DeleteRole",
                    "iam:DetachRolePolicy",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicies",
                    "iam:ListPolicyVersions",
                    "iam:SetDefaultPolicyVersion",
                    "iam:PassRole",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:GetRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:AddRoleToInstanceProfile",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:CreateInstanceProfile",
                    "iam:DeleteInstanceProfile",
                    "iam:GetInstanceProfile",
                    "iam:ListInstanceProfiles",
                    "iam:ListInstanceProfilesForRole",
                    "iam:TagInstanceProfile",
                    "iam:UntagInstanceProfile",
                    "iam:ListInstanceProfileTags",
                    "iam:CreateServiceLinkedRole",
                    "iam:GetServiceLinkedRoleDeletionStatus",
                    "iam:DeleteServiceLinkedRole",
                    "sts:AssumeRole",
                    "ssm:GetParameter",
                    "ssm:PutParameter",
                    "ssm:DeleteParameter"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • An IAM role that has the following privileges must be created.

    Also, EC2 must be set as the trusted entity of the created IAM role.

    Note:

    The IAM role to be created includes the necessary permissions for the operation of VSP One SDS Block. The IAM role is assigned to each storage node. However, for security risk reduction, users cannot directly log in to each storage node. The role is used only by internal processes.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudformation:DescribeStacks",
                    "cloudformation:ListStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:UpdateStack",
                    "cloudformation:ContinueUpdateRollback",
                    "cloudformation:ValidateTemplate",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:ListStackResources",
                    "cloudformation:CreateChangeSet",
                    "cloudformation:ExecuteChangeSet",
                    "cloudformation:DeleteChangeSet",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:ListChangeSets",
                    "cloudformation:CreateUploadBucket",
                    "cloudformation:GetTemplate",
                    "cloudformation:GetTemplateSummary",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeNetworkAcls",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:CreateLaunchTemplateVersion",
                    "ec2:DescribeLaunchTemplateVersions",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumesModifications",
                    "ec2:DescribeTags",
                    "ec2:DescribePlacementGroups",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "autoscaling:DescribeAutoScalingInstances",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetGroupAttributes",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeRules",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "elasticloadbalancing:DescribeTags",
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:GetRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:GetInstanceProfile",
                    "iam:ListInstanceProfiles",
                    "iam:ListInstanceProfilesForRole",
                    "iam:ListInstanceProfileTags",
                    "sts:AssumeRole",
                    "ssm:GetParameter"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    
  • An Amazon S3 bucket or folder where error message files or dump log files are to be stored must have been created in the AWS region where a storage cluster is configured.
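
The two policies above are a good place to apply the note about reducing permissions after deployment. The following Python script is an added example, not Hitachi's code; it reads policy documents in the same JSON shape as the page and reports (1) any action the storage-node role needs that the setup user's policy does not grant, (2) which of the role's actions can change state (by the IAM Describe*/List*/Get* naming convention, with ValidateTemplate treated as read-only) and so deserve a narrower "Resource" than "*", and (3) which statements use a wildcard resource. The two policy excerpts embedded below are constructed from a subset of the page's action lists so the script runs offline; substitute the full documents when reviewing a real account.

```python
"""Least-privilege review of a setup-user policy and a storage-node role policy.

Added example, not Hitachi's code. SETUP_EXCERPT and ROLE_EXCERPT are
constructed from a subset of the page's action lists so the script runs
offline; replace them with the full policy documents for a real review.
"""
import re

# IAM read-only actions follow the Describe*/List*/Get* naming convention.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)\w+$")
# Actions that do not follow the convention but change no state.
READ_ONLY_EXCEPTIONS = {"cloudformation:ValidateTemplate"}


def actions_of(policy: dict) -> set:
    """Every Action string in Allow statements; Action may be a string or a list."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        found.update([action] if isinstance(action, str) else action)
    return found


def mutating_actions(policy: dict) -> list:
    """Allowed actions that can change state, sorted for stable reporting."""
    return sorted(a for a in actions_of(policy)
                  if not READ_ONLY.match(a) and a not in READ_ONLY_EXCEPTIONS)


def missing_from_setup(setup_policy: dict, role_policy: dict) -> list:
    """Actions the role needs that the setup user's policy does not include."""
    return sorted(actions_of(role_policy) - actions_of(setup_policy))


def wildcard_resource_statements(policy: dict) -> list:
    """Indexes of Allow statements whose Resource is '*' (candidates for scoping)."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resource = stmt.get("Resource", [])
        resources = [resource] if isinstance(resource, str) else resource
        if stmt.get("Effect") == "Allow" and "*" in resources:
            hits.append(i)
    return hits


def review(setup_policy: dict, role_policy: dict) -> dict:
    """One dict with the three findings a reviewer wants before attaching the policies."""
    return {
        "missing_from_setup": missing_from_setup(setup_policy, role_policy),
        "role_mutating": mutating_actions(role_policy),
        "role_wildcard_statements": wildcard_resource_statements(role_policy),
    }


def _policy(actions) -> dict:
    """Build a single-statement policy in the page's shape (constructed helper)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Action": actions, "Resource": "*", "Effect": "Allow"}]}


# Constructed excerpts of the page's two policies (not the full lists).
SETUP_EXCERPT = _policy([
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudformation:DescribeStacks", "cloudformation:UpdateStack",
    "cloudformation:ValidateTemplate", "ec2:CreateVpc", "ec2:DescribeVpcs",
    "ec2:RunInstances", "ec2:DescribeInstances", "ec2:CreateLaunchTemplateVersion",
    "s3:CreateBucket", "s3:PutObject", "s3:GetObject", "iam:PassRole", "iam:GetRole",
    "sts:AssumeRole", "ssm:GetParameter", "ssm:PutParameter",
])
ROLE_EXCERPT = _policy([
    "cloudformation:DescribeStacks", "cloudformation:UpdateStack",
    "cloudformation:ValidateTemplate", "ec2:DescribeVpcs", "ec2:DescribeInstances",
    "ec2:CreateLaunchTemplateVersion", "s3:CreateBucket", "s3:PutObject",
    "s3:GetObject", "iam:GetRole", "sts:AssumeRole", "ssm:GetParameter",
])

if __name__ == "__main__":
    for key, value in review(SETUP_EXCERPT, ROLE_EXCERPT).items():
        print(f"{key}: {value}")
```

On the excerpt the role's state-changing actions are cloudformation:UpdateStack, ec2:CreateLaunchTemplateVersion, s3:CreateBucket, s3:PutObject and sts:AssumeRole; on the full role policy from the page the same list is the one to review when deciding whether "Resource": "*" can be narrowed to the stack's own ARNs.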

Make sure that the VPC that meets the following conditions has been created.

  • The VPC has a sufficient IP address range to create the following resources.
    • Storage node: uses 3 IP addresses per node (one for the control network, one for the internode network, and one for the compute network)
    • Compute node: uses 2 IP addresses per node (one for the control network and one for the compute network)
    • Controller node: uses 1 IP address per node (for the control network)
    • Load balancer: uses 1 IP address per storage cluster

      Note that you need additional considerations for IP addresses used by the load balancer. For details, see the following website.

      https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html

    • VPC endpoint: uses 5 IP addresses (for EC2, EC2Message, SSM, SSMAgent, and CloudFormation)
  • The DNS resolution setting and DNS host name setting are enabled.
  • When the compute node is to be placed in a VPC other than the one in which VSP One SDS Block is to be configured, communication with that VPC is possible.

Make sure that the VPC endpoints that meet the following conditions have been created.

  • The following have been created to operate CloudFormation.

    • A VPC endpoint for CloudFormation

    • A VPC endpoint for EC2

    • A VPC endpoint for Amazon S3

    • A VPC endpoint for EC2Message

    • A VPC endpoint for SSM

    • A VPC endpoint for SSMMessage

    Also, make sure that a VPC endpoint for Amazon S3 has already been created as a Gateway endpoint.

Make sure that the subnets that meet the following conditions (for control network, internode network, and compute network) have been created.

  • Each subnet for control network, internode network, and compute network is set with the required IP address range.
    • For the IP address range for the control network subnet, set a range of IPv4 addresses sufficient to create storage nodes, controller nodes, and load balancers.
    • For the IP address range for the internode network subnet, set a range of IPv4 addresses sufficient to create storage nodes.
    • For the IP address range for the compute network subnet, set a range of IPv4 addresses sufficient to create storage nodes and a compute node.
  • Communication between the control network subnet and networks outside it is allowed.
  • Communication between the internode network subnet and networks outside it is not allowed.
  • When a compute node is placed in a VPC or subnet other than the compute network's VPC or subnet, communication between the compute network subnet and the VPC and subnet in which the compute node is placed must be allowed.
  • To apply EBS encryption by default, the EBS encryption-by-default setting must be enabled.
  • For products that apply usage-based pricing, access from the control network to the internet must be possible to connect to the AWS Metering Service.

CAUTION:

After a storage cluster configuration completes, the EBS encryption-by-default setting cannot be changed.

For details about how to set EBS encryption, see Amazon EBS encryption function.
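
The VPC, VPC endpoint, subnet and EBS conditions listed above can be checked before the CloudFormation stack is launched. The following Python script is an added example, not Hitachi's code. Its functions take the response shapes of the EC2 API calls DescribeVpcAttribute, DescribeVpcEndpoints and GetEbsEncryptionByDefault (the same dicts boto3 returns), so they can be tested on the constructed sample responses embedded below and later fed live responses from a read-only session. The subnet sizing uses the per-node address counts given above plus the five addresses AWS reserves in every subnet; the region, the sample data, and the choice to count the five interface-endpoint addresses against the control subnet (the page does not say which subnet hosts them) are assumptions. The AWS service names for the page's "EC2Message" and "SSMMessage" endpoints are ec2messages and ssmmessages.

```python
"""Offline pre-flight checks for the VPC, endpoint, subnet and EBS prerequisites.

Added example, not Hitachi's code. The SAMPLE_* values are constructed
responses (not from a real account) chosen so that each check has something
to report; the region and the subnet hosting the endpoint ENIs are assumptions.
"""
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

# Interface endpoints the page lists (AWS service-name suffixes for
# CloudFormation, EC2, EC2Message, SSM and SSMMessage); S3 must be a Gateway endpoint.
INTERFACE_SERVICES = ("cloudformation", "ec2", "ec2messages", "ssm", "ssmmessages")


def required_addresses(storage_nodes: int, compute_nodes: int, controller_nodes: int) -> dict:
    """Addresses each subnet must provide, from the per-node counts given on the page.
    Storage node: 3 (one per network); compute node: 2 (control, compute);
    controller node: 1 (control); load balancer: 1 per cluster (control).
    Assumption: the five interface-endpoint ENIs also live in the control subnet."""
    return {
        "control": storage_nodes + compute_nodes + controller_nodes + 1 + len(INTERFACE_SERVICES),
        "internode": storage_nodes,
        "compute": storage_nodes + compute_nodes,
    }


def usable_addresses(cidr: str) -> int:
    """Addresses a subnet can actually hand out once AWS's reserved ones are removed."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def check_subnets(subnet_cidrs: dict, needed: dict) -> list:
    findings = []
    for name, need in needed.items():
        have = usable_addresses(subnet_cidrs[name])
        if have < need:
            findings.append(f"{name} subnet {subnet_cidrs[name]} offers {have} usable addresses, needs {need}")
    return findings


def check_vpc_dns(dns_attributes: dict) -> list:
    """dns_attributes: the two DescribeVpcAttribute responses merged into one dict,
    e.g. {"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": True}}."""
    return [f"VPC attribute {attr} is not enabled"
            for attr in ("EnableDnsSupport", "EnableDnsHostnames")
            if not dns_attributes.get(attr, {}).get("Value", False)]


def check_endpoints(region: str, describe_vpc_endpoints: dict) -> list:
    """Interface endpoints for the five services must exist; S3 must be a Gateway endpoint."""
    by_service = {e["ServiceName"]: e for e in describe_vpc_endpoints.get("VpcEndpoints", [])}
    findings = []
    for svc in INTERFACE_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_service.get(name)
        if ep is None:
            findings.append(f"missing VPC endpoint for {name}")
        elif ep.get("State", "available") != "available":
            findings.append(f"VPC endpoint {name} is in state {ep['State']}")
    s3 = by_service.get(f"com.amazonaws.{region}.s3")
    if s3 is None:
        findings.append("missing VPC endpoint for Amazon S3")
    elif s3.get("VpcEndpointType") != "Gateway":
        findings.append(f"Amazon S3 endpoint is of type {s3.get('VpcEndpointType')}, must be Gateway")
    return findings


def check_ebs_default(get_ebs_encryption_by_default: dict) -> list:
    if not get_ebs_encryption_by_default.get("EbsEncryptionByDefault", False):
        return ["EBS encryption by default is disabled; it cannot be changed after cluster configuration"]
    return []


def preflight(region, dns_attributes, endpoints, ebs, subnet_cidrs,
              storage_nodes, compute_nodes, controller_nodes) -> list:
    """All findings in one list; an empty list means every listed prerequisite is met."""
    return (check_vpc_dns(dns_attributes)
            + check_endpoints(region, endpoints)
            + check_ebs_default(ebs)
            + check_subnets(subnet_cidrs, required_addresses(storage_nodes, compute_nodes, controller_nodes)))


# Constructed sample responses: DNS hostnames off, SSMMessage endpoint missing,
# S3 wrongly created as an Interface endpoint, internode subnet too small.
SAMPLE_REGION = "us-east-1"  # assumed
SAMPLE_DNS = {"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": False}}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"ServiceName": f"com.amazonaws.{SAMPLE_REGION}.{s}", "VpcEndpointType": "Interface", "State": "available"}
    for s in ("cloudformation", "ec2", "ec2messages", "ssm")
] + [{"ServiceName": f"com.amazonaws.{SAMPLE_REGION}.s3", "VpcEndpointType": "Interface", "State": "available"}]}
SAMPLE_EBS = {"EbsEncryptionByDefault": True}
SAMPLE_SUBNETS = {"control": "10.0.0.0/24", "internode": "10.0.1.0/29", "compute": "10.0.2.0/24"}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_REGION, SAMPLE_DNS, SAMPLE_ENDPOINTS, SAMPLE_EBS, SAMPLE_SUBNETS, 6, 2, 1):
        print("FINDING:", finding)
```

For a live check, replace the SAMPLE_* values with `ec2.describe_vpc_attribute(...)`, `ec2.describe_vpc_endpoints(...)` and `ec2.get_ebs_encryption_by_default()` output from a session that holds only the Describe*/Get* permissions in the lists above; the checks themselves need nothing that can change state.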

Note:

If the IAM user is not granted sufficient permissions, see the AWS user guide to add necessary permissions.