Confirming prerequisites for setup

Virtual Storage Platform One SDS Block Cloud Setup and Configuration Guide

Version
1.15.x
Part Number
MK-24VSP1SDS008-02

This section describes the prerequisites for setting up VSP One SDS Block from AWS Marketplace.

  • An AWS account must be created beforehand.

  • Setup must be performed by an IAM user with the AWS managed policy "AWSMarketplaceFullAccess" and the following permissions, or by an IAM user with administrative privileges.

    Note:

    After the deployment of VSP One SDS Block is completed, you can reduce security risks by removing the above permissions from the IAM user used for setup. Additionally, if it is unnecessary for the operation of VSP One SDS Block, you can delete the IAM user used for setup.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudformation:CreateStack",
                    "cloudformation:DeleteStack",
                    "cloudformation:DescribeStacks",
                    "cloudformation:ListStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:UpdateStack",
                    "cloudformation:ContinueUpdateRollback",
                    "cloudformation:ValidateTemplate",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:ListStackResources",
                    "cloudformation:CreateChangeSet",
                    "cloudformation:ExecuteChangeSet",
                    "cloudformation:DeleteChangeSet",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:ListChangeSets",
                    "cloudformation:CreateUploadBucket",
                    "cloudformation:GetTemplate",
                    "cloudformation:GetTemplateSummary",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeInternetGateways",
                    "ec2:CreateVpc",
                    "ec2:ModifyVpcAttribute",
                    "ec2:DeleteVpc",
                    "ec2:DescribeVpcs",
                    "ec2:CreateVpcEndpoint",
                    "ec2:CreateVpcEndpointServiceConfiguration",
                    "ec2:ModifyVpcEndpointServiceConfiguration",
                    "ec2:DeleteVpcEndpoints",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:CreateSubnet",
                    "ec2:DeleteSubnet",
                    "ec2:DescribeSubnets",
                    "ec2:ModifySubnetAttribute",
                    "ec2:DescribeRouteTables",
                    "ec2:CreateNetworkAcl",
                    "ec2:DeleteNetworkAcl",
                    "ec2:DescribeNetworkAcls",
                    "ec2:ReplaceNetworkAclAssociation",
                    "ec2:CreateNetworkAclEntry",
                    "ec2:DeleteNetworkAclEntry",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DescribeSecurityGroups",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:RunInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeImages",
                    "ec2:CreateKeyPair",
                    "ec2:DeleteKeyPair",
                    "ec2:DescribeKeyPairs",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:CreateLaunchTemplateVersion",
                    "ec2:DescribeLaunchTemplateVersions",
                    "ec2:CreateVolume",
                    "ec2:DeleteVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:DetachVolume",
                    "ec2:ModifyVolumeAttribute",
                    "ec2:DescribeVolumesModifications",
                    "ec2:CreateTags",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:CreatePlacementGroup",
                    "ec2:DeletePlacementGroup",
                    "ec2:DescribePlacementGroups",
                    "ec2:AssociateIamInstanceProfile",
                    "ec2:ReplaceIamInstanceProfileAssociation",
                    "ec2:DisassociateIamInstanceProfile",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:GetSerialConsoleAccessStatus",
                    "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                    "autoscaling:DescribeAutoScalingInstances",
                    "elasticloadbalancing:CreateTargetGroup",
                    "elasticloadbalancing:DeleteTargetGroup",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetGroupAttributes",
                    "elasticloadbalancing:ModifyTargetGroupAttributes",
                    "elasticloadbalancing:RegisterTargets",
                    "elasticloadbalancing:DeregisterTargets",
                    "elasticloadbalancing:ModifyTargetGroup",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:DeleteLoadBalancer",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:ModifyLoadBalancerAttributes",
                    "elasticloadbalancing:SetIpAddressType",
                    "elasticloadbalancing:SetSubnets",
                    "elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:ModifyListener",
                    "elasticloadbalancing:CreateRule",
                    "elasticloadbalancing:DeleteRule",
                    "elasticloadbalancing:DescribeRules",
                    "elasticloadbalancing:ModifyRule",
                    "elasticloadbalancing:SetRulePriorities",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "elasticloadbalancing:AddTags",
                    "elasticloadbalancing:RemoveTags",
                    "elasticloadbalancing:DescribeTags",
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:GetBucketLocation",
                    "s3:ListAllMyBuckets",
                    "aws-portal:ViewBilling",
                    "iam:AttachRolePolicy",
                    "iam:CreatePolicy",
                    "iam:CreatePolicyVersion",
                    "iam:CreateRole",
                    "iam:DeletePolicy",
                    "iam:DeletePolicyVersion",
                    "iam:DeleteRole",
                    "iam:DetachRolePolicy",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:ListPolicies",
                    "iam:ListPolicyVersions",
                    "iam:SetDefaultPolicyVersion",
                    "iam:PassRole",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:GetRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:AddRoleToInstanceProfile",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:CreateInstanceProfile",
                    "iam:DeleteInstanceProfile",
                    "iam:GetInstanceProfile",
                    "iam:ListInstanceProfiles",
                    "iam:ListInstanceProfilesForRole",
                    "iam:TagInstanceProfile",
                    "iam:UntagInstanceProfile",
                    "iam:ListInstanceProfileTags",
                    "iam:CreateServiceLinkedRole",
                    "iam:GetServiceLinkedRoleDeletionStatus",
                    "iam:DeleteServiceLinkedRole",
                    "sts:AssumeRole",
                    "ssm:GetParameter",
                    "ssm:PutParameter",
                    "ssm:DeleteParameter"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • An IAM role that has the following privileges must be created.

    Also, EC2 must be set as the trusted entity of the created IAM role (that is, the role's trust policy must allow the EC2 service to assume it).

    Note:

    The IAM role to be created includes the necessary permissions for the operation of VSP One SDS Block. The IAM role is assigned to each storage node. However, for security risk reduction, users cannot directly log in to each storage node. The role is used only by internal processes.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudformation:DescribeStacks",
                    "cloudformation:ListStacks",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:UpdateStack",
                    "cloudformation:ContinueUpdateRollback",
                    "cloudformation:ValidateTemplate",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:ListStackResources",
                    "cloudformation:CreateChangeSet",
                    "cloudformation:ExecuteChangeSet",
                    "cloudformation:DeleteChangeSet",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:ListChangeSets",
                    "cloudformation:CreateUploadBucket",
                    "cloudformation:GetTemplate",
                    "cloudformation:GetTemplateSummary",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeNetworkAcls",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:CreateLaunchTemplateVersion",
                    "ec2:DescribeLaunchTemplateVersions",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumesModifications",
                    "ec2:DescribeTags",
                    "ec2:DescribePlacementGroups",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "autoscaling:DescribeAutoScalingInstances",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetGroupAttributes",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeRules",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "elasticloadbalancing:DescribeTags",
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "iam:GetRole",
                    "iam:ListRoles",
                    "iam:GetRolePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:GetInstanceProfile",
                    "iam:ListInstanceProfiles",
                    "iam:ListInstanceProfilesForRole",
                    "iam:ListInstanceProfileTags",
                    "sts:AssumeRole",
                    "ssm:GetParameter"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    
  • An Amazon S3 bucket or folder where error message files or dump log files are to be stored must have been created in the AWS region where a storage cluster is configured.
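Before running setup it is worth checking offline that the policy actually attached to the setup IAM user covers every action listed above, and that the storage-node role's trust policy names EC2 as the trusted entity. The script below is an added example, not Hitachi's code or part of the guide: it reads policy JSON you paste in, expands IAM wildcards such as "ec2:*", honours explicit Deny statements (which always win in IAM), and reports the required actions that are not effectively granted. The required-action list and both sample policies are constructed here; paste the full "Action" array from the setup-user policy into REQUIRED_SETUP_ACTIONS to check against the complete list. Resource and Condition elements are ignored, so this is a coverage check rather than a full policy simulation.

```python
import fnmatch
import json

# Constructed subset of the actions the setup-user policy in this guide lists;
# paste the full "Action" array here to check against the complete list.
REQUIRED_SETUP_ACTIONS = [
    "cloudformation:CreateStack",
    "cloudformation:DeleteStack",
    "ec2:CreateVpc",
    "ec2:RunInstances",
    "iam:PassRole",
    "iam:CreateRole",
    "s3:PutObject",
    "ssm:PutParameter",
]

# Constructed example of what an operator's existing policy might look like:
# broad wildcards, one explicit Deny, and two required actions not granted.
SAMPLE_SETUP_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cloudformation:*", "ec2:*", "s3:*", "iam:PassRole"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudformation:DeleteStack", "Resource": "*"}
  ]
}"""

# Constructed trust policy of the form the storage-node role needs: EC2 is the
# trusted entity and may call sts:AssumeRole.
SAMPLE_TRUST_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}"""


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required):
    """Required actions that no Allow statement grants or that a Deny revokes."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action")))
        elif stmt.get("Effect") == "Deny":
            denied.extend(_as_list(stmt.get("Action")))
    return [
        action for action in required
        if not any(_matches(p, action) for p in allowed)
        or any(_matches(p, action) for p in denied)
    ]


def trusts_ec2(trust_policy):
    """True if an Allow statement lets the EC2 service assume the role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if "ec2.amazonaws.com" in services and any(_matches(a, "sts:AssumeRole") for a in actions):
            return True
    return False


def analyze(policy_json, trust_json, required):
    """Parse both documents and return the findings as one dict."""
    return {
        "missing": missing_actions(json.loads(policy_json), required),
        "ec2_trusted": trusts_ec2(json.loads(trust_json)),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_SETUP_POLICY_JSON, SAMPLE_TRUST_POLICY_JSON, REQUIRED_SETUP_ACTIONS))
```

On the constructed sample the report lists cloudformation:DeleteStack (denied explicitly), iam:CreateRole and ssm:PutParameter as missing, and confirms the trust policy admits EC2. Running the same check after deployment, once the setup permissions have been removed as the note above recommends, is a quick way to confirm the reduction took effect.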

Make sure that the VPC that meets the following conditions has been created.

  • The VPC has a sufficient IP address range to create the following resources.
    • Storage node: uses 3 IP addresses per node (one for the control network, one for the internode network, and one for the compute network)

      In a Multi-AZ configuration, a tiebreaker node uses 2 IP addresses (one for the control network and one for the internode network).

    • Compute node: uses 2 IP addresses per node (one for the control network and one for the compute network)

    • Controller node: uses 1 IP address per node (for the control network)
    • Load balancer:

      (Single-AZ configuration) Uses 1 IP address per storage cluster

      (Multi-AZ configuration) Uses 1 IP address in each Availability Zone per storage cluster.

      Note that additional considerations apply to the IP addresses used by the load balancer. For details, see the following website.

      https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html

    • VPC endpoint: uses 5 IP addresses (for EC2, EC2Message, SSM, SSMAgent, and CloudFormation)
    • VPC endpoint for AWS License Manager (only for products to which contract-based charge applies)

      • (Single-AZ configuration) Uses 1 IP address
      • (Multi-AZ configuration) Uses 3 IP addresses (one for each Availability Zone)
  • The DNS resolution setting and DNS host name setting are enabled.
  • When the VPC in which a compute node is to be placed differs from the VPC in which VSP One SDS Block is to be configured, communication between the two VPCs is possible.
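The per-resource counts above, combined with the subnet-by-subnet mapping given under the subnet prerequisites (control: storage/tiebreaker nodes, controller nodes, load balancer; internode: storage/tiebreaker nodes; compute: storage nodes and compute nodes), are enough to size each subnet before creating it. The script below is an added example, not part of the guide: it turns node counts into the number of addresses each subnet needs, then checks candidate CIDRs for capacity, VPC membership and overlap. It assumes, because the guide does not say, that the VPC endpoint addresses are taken from the control subnet, and it accounts for the five addresses AWS reserves in every subnet. For a Multi-AZ layout call subnet_requirements() once per Availability Zone, with tiebreaker=True and zero storage nodes for the tiebreaker zone.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def subnet_requirements(storage_nodes, compute_nodes, controller_nodes,
                        tiebreaker=False, load_balancer_ips=1,
                        endpoint_ips=5, license_manager_endpoint_ips=0):
    """Addresses needed in each subnet, using the guide's per-node counts.

    storage node:    1 in each of control, internode and compute
    tiebreaker node: 1 in control and 1 in internode (Multi-AZ only)
    compute node:    1 in control and 1 in compute (if the compute node lives in
                     another VPC, its addresses come from that VPC instead)
    controller node: 1 in control
    load balancer:   load_balancer_ips in control (1 per AZ; see the AWS NLB docs)
    VPC endpoints:   assumed to be placed in the control subnet
    """
    tb = 1 if tiebreaker else 0
    return {
        "control": (storage_nodes + tb + compute_nodes + controller_nodes
                    + load_balancer_ips + endpoint_ips + license_manager_endpoint_ips),
        "internode": storage_nodes + tb,
        "compute": storage_nodes + compute_nodes,
    }


def usable_addresses(cidr):
    """Addresses a subnet of this size can actually hand out."""
    return max(ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def check_plan(vpc_cidr, subnet_cidrs, needed):
    """Validate candidate subnets (name -> CIDR) against the requirement.

    Returns a list of problem strings; an empty list means every subnet lies in
    the VPC, has enough usable addresses, and no two subnets overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnet_cidrs.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
        have, want = usable_addresses(str(net)), needed[name]
        if have < want:
            problems.append(f"{name} {net} has {have} usable addresses, needs {want}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


# Constructed Single-AZ plan: 3 storage nodes, 2 compute nodes, 1 controller
# node, the 5 standard endpoints and 1 License Manager endpoint.
EXAMPLE_NEEDED = subnet_requirements(3, 2, 1, license_manager_endpoint_ips=1)
EXAMPLE_VPC = "10.0.0.0/16"
EXAMPLE_SUBNETS = {
    "control": "10.0.0.0/27",    # 27 usable addresses
    "internode": "10.0.1.0/29",  # 3 usable addresses
    "compute": "10.0.2.0/29",    # 3 usable addresses: too small for 5
}

if __name__ == "__main__":
    print("needed:", EXAMPLE_NEEDED)
    for problem in check_plan(EXAMPLE_VPC, EXAMPLE_SUBNETS, EXAMPLE_NEEDED):
        print("problem:", problem)
```

The constructed plan needs 13 control, 3 internode and 5 compute addresses; the /29 compute subnet offers only 3 usable addresses and is reported, while the other two fit. Widening the compute subnet to a /28 clears the report.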

Make sure that the VPC endpoints that meet the following conditions have been created.

  • The following have been created to operate CloudFormation.

    • A VPC endpoint for CloudFormation

    • A VPC endpoint for EC2

    • A VPC endpoint for Amazon S3

    • A VPC endpoint for EC2Message

    • A VPC endpoint for SSM

    • A VPC endpoint for SSMMessage

    Also, make sure that a VPC endpoint for Amazon S3 has already been created as a Gateway endpoint.

  • The following have been created for AWS License Manager operation (only for products to which contract-based charge applies)

    • VPC endpoint for AWS License Manager

      (Single-AZ configuration) 1 VPC endpoint

      (Multi-AZ configuration) 3 VPC endpoints (one VPC endpoint for each Availability Zone, for redundancy)

    However, if you use subnets that allow connection from the control network to the internet, you do not need to create VPC endpoints for AWS License Manager.

Make sure that the subnets that meet the following conditions (for control network, internode network, and compute network) have been created.

  • Each subnet for control network, internode network, and compute network is set with the required IP address range.
    • For the IP address range for the control network subnet, set a range of IPv4 addresses sufficient to create storage nodes (or tiebreaker node), controller nodes, and load balancers.
    • For the IP address range for the internode network subnet, set a range of IPv4 addresses sufficient to create storage nodes (or tiebreaker node).
    • For the IP address range for the compute network subnet, set a range of IPv4 addresses sufficient to create storage nodes and a compute node.

  • Communication between the control network subnet and networks outside it is allowed.
  • Communication between the internode network subnet and networks outside it is not allowed.
  • When a compute node is placed in a VPC or subnet other than the compute network VPC or subnet, communication must be allowed between the compute network subnet and the VPC and subnet in which the compute node is placed.
  • To perform remote copy (using the Universal Replicator function) with a storage system located in a network other than the VSP One SDS Block compute network subnet, communication must be allowed between the compute network subnet and the network in which the storage system is installed.

  • To have EBS volumes encrypted by default, the EBS encryption by default setting must be enabled before setup.
  • For products that apply usage-based pricing, access from the control network to the internet must be possible to connect to the AWS Metering Service.
  • For products that apply contract-based charge, access from the control network to the internet must be possible to connect to AWS License Manager.

    However, if you use VPC endpoints for AWS License Manager, connection to the internet is unnecessary.

  • In the case of Multi-AZ configuration, the following subnets are created in each Availability Zone.
    • For Availability Zone in which storage nodes are to be installed: Control network subnet, internode network subnet, compute network subnet
    • For Availability Zone in which tiebreaker node is to be installed: Control network subnet, internode network subnet
  • In the case of Multi-AZ configuration, communication between subnets of the same type in each Availability Zone is allowed.
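The internode network subnet must not be reachable from outside it, while in a Multi-AZ configuration the internode subnets of the different Availability Zones must still reach each other. One way to verify that the network ACL on an internode subnet honours both rules is to look at every allow entry and confirm its CIDR lies within one of the internode subnets. The script below is an added example, not part of the guide: it takes entries in the shape of the "Entries" array that the EC2 DescribeNetworkAcls API returns (the sample entries and subnet CIDRs are constructed here) and reports each allow rule that reaches beyond the internode subnets. It is deliberately conservative: an allow rule is reported even if a lower-numbered deny rule would shadow it, and IPv6 entries, which carry no CidrBlock, are reported because the check cannot scope them.

```python
import ipaddress

# Constructed entries in the shape of DescribeNetworkAcls "Entries"; only the
# fields this check reads are included.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "10.0.1.0/24"},
    {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "10.0.101.0/24"},
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "10.0.1.0/24"},
    {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "10.0.101.0/24"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

# Constructed internode subnets, one per Availability Zone in a Multi-AZ layout.
INTERNODE_SUBNETS = ["10.0.1.0/24", "10.0.101.0/24"]


def foreign_allow_rules(entries, internode_cidrs):
    """Allow entries whose CIDR is not contained in any internode subnet.

    Each result is (direction, rule number, cidr). An empty list means every
    allow rule is scoped to an internode subnet, so the ACL admits nothing from,
    or to, the outside. Entries are visited in AWS evaluation order (ingress
    then egress, ascending rule number) so the report reads like the console.
    """
    internode = [ipaddress.ip_network(c) for c in internode_cidrs]
    foreign = []
    for entry in sorted(entries, key=lambda e: (e["Egress"], e["RuleNumber"])):
        if entry.get("RuleAction") != "allow":
            continue
        direction = "egress" if entry["Egress"] else "ingress"
        cidr = entry.get("CidrBlock")
        if cidr is None:
            foreign.append((direction, entry["RuleNumber"], None))
            continue
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(n) for n in internode):
            foreign.append((direction, entry["RuleNumber"], cidr))
    return foreign


if __name__ == "__main__":
    for direction, number, cidr in foreign_allow_rules(SAMPLE_ENTRIES, INTERNODE_SUBNETS):
        print(f"{direction} rule {number} allows {cidr}, which is outside the internode subnets")
```

On the constructed sample only ingress rule 120, the TCP allow from 0.0.0.0/0, is reported; the cross-zone allows for the second Availability Zone's internode subnet pass because that subnet is part of the internode set. The same function applied to the control subnet's ACL is expected to report entries, since that subnet is allowed to communicate outside.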

CAUTION:

After storage cluster configuration completes, the EBS encryption setting that was applied through encryption by default cannot be changed.

For details about how to set EBS encryption, see Amazon EBS encryption function.

Note:
  • If the IAM user is not granted sufficient permissions, see the AWS user guide to add necessary permissions.

  • To use products that apply contract-based charge, you must add an access right to AWS License Manager to the IAM user permissions. For details, see the AWS user guide.

  • For details about the license, see License management overview in the VSP One SDS Block System Administrator Operation Guide.