Challenge: No Internet Bound Traffic from the Public Cloud Allowed!

The Private Repository scenario below applies to on-demand images that SUSE publishes for Amazon Web Services, Microsoft Azure and Google Compute Engine.
Recently, the SUSE and Amazon Web Services (AWS) team jointly worked with a customer to run workloads on AWS with SUSE as the operating system. The customer chose to use on-demand/pay-as-you-go Amazon EC2 instances (virtual machines) to allow the customer to leverage hourly subscriptions, consolidated billing and AWS support for all issues including support for SUSE.

During the discussion the customer stated that their security team would not allow external traffic directly from their AWS Virtual Private Cloud (VPC). All traffic is required to be routed through the company’s corporate security network appliances located in their corporate data centers.

The SUSE team needed to solve how the on-demand SUSE Amazon EC2 instances would receive their updates. When SUSE publishes the on-demand images, the engineering team includes client automation packages that point the instances to the SUSE Public Cloud Update Infrastructure. In most common scenarios this solution works great: the update servers are in the same AWS region as the customer’s Amazon EC2 instances, so updates are not pulled from other regions, and the servers are highly available. The challenge is that SUSE’s Public Cloud Update Infrastructure only accepts connections from known AWS IP addresses. If the update request traffic is routed out through a non-AWS data center, the connections to the SUSE Public Cloud Update Infrastructure will be dropped.

Before we address the “No Internet Bound Traffic from the Public Cloud” requirement, I want to quickly highlight that Amazon EC2 instances on private subnets are not able to connect directly to the Internet. This can easily be solved by using a NAT Gateway in your Amazon VPC to reach the SUSE Public Cloud Update Infrastructure; see the AWS NAT Gateway documentation for more information. This still does not satisfy the customer’s requirement of no Internet-bound traffic from the Amazon VPC.

Solution: Deploy a Private Repository Server

SUSE provides several options for a customer to deploy a private repository server.

  1. SUSE Manager: available as a public cloud image, and much more than a private repository server (SUSE Manager product page and blog link)
  2. SUSE Maintenance Tool (SMT): SUSE Linux Enterprise Server 12 tool (link to documentation)
  3. SUSE Repository Mirror Tool: SUSE Linux Enterprise Server 15 tool (link to documentation)

It is worth restating two known constraints.

  1. SUSE Public Cloud Update Server Infrastructure requires the connecting server IP address to be owned by the public cloud provider.
  2. All on-demand / pay-as-you-go images are configured to connect and register to the SUSE Public Cloud Update Server Infrastructure.

With that in mind, the customer chose SMT as the private repository server. The customer purchased an additional SUSE subscription and launched a Bring Your Own Subscription image in the public cloud. During the setup of the SMT server, it connected to SUSE Customer Center and, based on the subscription, mirrored the proper repositories. Once the SMT server setup was completed and the repositories were mirrored, the customer followed the steps below to connect the Amazon EC2 instances to the new private repository server.

Connect Amazon EC2 Instances to SMT Server

The customer needed to remove a few packages and entries in order to prepare their instances to connect to a private repository.

  1. Remove the packages that automate the configuration of the Amazon EC2 instance to connect to the SUSE Public Cloud Update Server:
     zypper rm cloud-regionsrv-client
     zypper rm regionServiceClientConfigEC2
  2. Remove the /etc/hosts entry for smt-ec2.susecloud.net. The client automation software adds the hosts file entry for smt-ec2.susecloud.net, which is the SUSE Public Cloud Update Server. Since a private repository server is being used instead, the entry is no longer needed.
  3. Remove the following files and directory contents before you register your Amazon EC2 instance with your private repository server:
     rm /etc/SUSEConnect
     rm /etc/zypp/credentials.d/*
     rm /etc/zypp/services.d/*
     rm /var/lib/cloudregister/*

The documentation linked for each of the private repository options describes how to register the SUSE instance to the private repository of your choice.
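The three preparation steps above, collected into one idempotent POSIX shell script as an added example (this is not code from the SUSE post or from SUSE’s client packages). The package names, the smt-ec2.susecloud.net hosts entry and the file paths are exactly the ones the post names; the function names, the optional root-directory parameter (so the script can be exercised against a scratch directory) and the --apply flag are this example’s own conventions. The final check lets you confirm that nothing from the public update setup is left before you register against the SMT server.

```shell
#!/bin/sh
# Added example (not from the SUSE post): detach an on-demand SLES EC2 instance
# from the SUSE Public Cloud Update Infrastructure so it can be registered
# against a private SMT server. Paths and package names are the ones the post
# lists; function names, the ROOT parameter and --apply are this example's own.
# Run as root with "--apply" to change the live system.
set -eu

# Packages that point the instance at the public cloud update servers.
CLIENT_PACKAGES="cloud-regionsrv-client regionServiceClientConfigEC2"
SMT_HOST="smt-ec2.susecloud.net"

# Step 1: remove the region-service client packages (only if zypper exists).
remove_client_packages() {
    if ! command -v zypper >/dev/null 2>&1; then
        echo "zypper not found; skipping package removal" >&2
        return 0
    fi
    for pkg in $CLIENT_PACKAGES; do
        # rpm -q exits non-zero when the package is absent; nothing to do then.
        if rpm -q "$pkg" >/dev/null 2>&1; then
            zypper --non-interactive rm "$pkg"
        fi
    done
}

# Step 2: drop the hosts entry the client automation added for the public
# update server. The file is rewritten in place so its inode and mode survive.
remove_smt_hosts_entry() {
    hosts="$1"
    [ -f "$hosts" ] || return 0
    tmp="$(mktemp)"
    # grep exits 1 when no line survives the filter; that is not an error here.
    grep -v "$SMT_HOST" "$hosts" > "$tmp" || true
    cat "$tmp" > "$hosts"
    rm -f "$tmp"
}

# Step 3: remove stale registration state and credentials so the instance
# stops presenting the public infrastructure's credentials.
remove_registration_state() {
    root="${1:-}"
    rm -f "$root/etc/SUSEConnect"
    rm -f "$root"/etc/zypp/credentials.d/* \
          "$root"/etc/zypp/services.d/* \
          "$root"/var/lib/cloudregister/* 2>/dev/null || true
}

# Check: returns 0 only when nothing from the public setup remains.
verify_detached() {
    root="${1:-}"
    [ ! -e "$root/etc/SUSEConnect" ] || return 1
    for d in etc/zypp/credentials.d etc/zypp/services.d var/lib/cloudregister; do
        # Any file left in these directories means the cleanup is incomplete.
        [ -z "$(ls -A "$root/$d" 2>/dev/null)" ] || return 1
    done
    ! grep -q "$SMT_HOST" "$root/etc/hosts" 2>/dev/null
}

main() {
    root="${1:-}"
    remove_client_packages
    remove_smt_hosts_entry "$root/etc/hosts"
    remove_registration_state "$root"
    verify_detached "$root" \
        && echo "instance detached; register it against the SMT server next"
}

# Only touch the system when explicitly asked: ./detach-smt.sh --apply [ROOT]
case "${1:-}" in
    --apply) main "${2:-}" ;;
esac
```

After the script reports the instance as detached, continue with the registration step from the documentation of the private repository tool you chose; the script deliberately stops short of that, because the registration command depends on the tool and on your SMT server’s address.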

Summary

The described scenario applies to on-demand images that SUSE publishes for Amazon Web Services, Microsoft Azure and Google Compute Engine.
If you have any questions please reach out to your account team or send an email to aws@suse.com.
