Challenge: No Internet Bound Traffic from the Public Cloud Allowed!
During the discussion the customer stated that their security team would not allow external traffic directly from their AWS Virtual Private Cloud (VPC). All traffic is required to be routed through the company’s corporate security network appliances located in their corporate data centers.
The SUSE team needed to solve how the on-demand SUSE Amazon EC2 instances would receive their updates. When SUSE publishes the on-demand images, the engineering team developed client automation packages that points them to the SUSE Public Cloud Update Infrastructure. In most common scenarios, this solution works great. The update servers are in the same AWS region as the customer’s Amazon EC2 instances so that updates are not pulling from different regions and are highly available. The challenge is that SUSE’s Public Cloud Update Infrastructure only accepts connections from known AWS IP addresses. If the update request traffic is being routed from a non-AWS data center the connections to the SUSE Public Cloud Update Infrastructure will be dropped.
Before we address the challenge, “No Internet Bound Traffic from the Public Cloud” requirement I want to quickly highlight that Amazon EC2 instances on private subnets are not able to connect directly to the Internet. This can easily be solved using a NAT Gateway for your Amazon VPC to connect to the SUSE Public Cloud Update Infrastructure. Click on the link for more information. This still doesn’t solve the no Internet bound traffic from the Amazon VPC requirement for the customer.
Solution: Deploy a Private Repository Server
SUSE provides several options for a customer to deploy a private repository server.
- SUSE Manager: available as a public cloud image and is much more than a private repository server. SUSE Manager Product and link to blog
- SUSE Maintenance Tool: SUSE Linux Enterprise Server 12 tool Link to documentation
- SUSE Repository Mirror Tool: SUSE Linux Enterprise Server 15 tool Link to documentation
It is worth restating two knowns.
- SUSE Public Cloud Update Server Infrastructure requires the connecting server IP address to be owned by the public cloud provider.
- All on-demand / pay-as-you-go images are configured to connect and register to the SUSE Public Cloud Update Server Infrastructure.
With that in mind, the customer chose SMT as the private repository. The customer purchased an additional SUSE subscription and launched a Bring Your Own Subscription image on the public cloud. During the setup of the SMT server, it connected to SUSE Customer Center and based off of the subscription mirrored the proper repositories. Once the SMT server setup was completed and the repositories were mirrored, the customer followed the steps below to connect the Amazon EC2 instances to the new private repository server.
Connect Amazon EC2 Instances to SMT Server
The customer needed to remove a few packages and entries in order to prepare their instances to connect to a private repository.
Remove packages that automate the configuration of the Amazon EC2 instance to connect to the SUSE Public Cloud Update Server.
- zypper rm cloud-regionsrv-client
- zypper rm regionServiceClientConfigEC2