Cohesity Cloud Scale Technology Deployment Guide Using Terraform for AWS
- Introduction
- Getting started with deployment
- Prerequisites for setting up the AWS environment
- Prerequisites for Terraform
- Deploying Cloud Scale Technology using Terraform script
- Accessing the Cloud Scale Technology environment
- Troubleshooting and cleanup environment steps
Networking requirement
Ensure that the following networking requirements are met.
VPC and subnets must be created in AWS account before the Terraform scripts are executed.
Required address spaces for EKS: two subnets in different availability zones (Subnet 1 and Subnet 2):
For the EKS cluster subnets in Availability Zone A, there is one subnet and one load balancer subnet:
Subnet 1 with /22 or /24 (used for the node group).
Load balancer subnet with /26. (This subnet must be empty, with no virtual machines or devices deployed in it.)
For Subnet 2 in Availability Zone B, there is only one subnet:
Subnet 2 with /28 (for address space).
Create DNS entries in the Route53 hosted zone (Primary (1), MSDP (1), Snapshot Manager (1)) before executing the Terraform scripts.
Define a forward-lookup private DNS zone to be used by EKS as part of the load balancing subnet.
Populate the forward DNS zone with the appropriate records.
Define a second, reverse-lookup private DNS zone to be used by EKS as part of the load balancing subnet.
Populate the reverse DNS zone with the appropriate records.
Sufficient quota for inbound and outbound rules per security group is required. By default, the quota for inbound and outbound rules per security group is 60; increase it to 100. For more details, refer to Amazon VPC quotas.
Outbound internet access is required from Terraform Management Server to communicate with resources, services, and the servers.
While configuring the components or resources, avoid using prefixes such as netbackup, primary or media in their names. The installation may fail if these keywords are used in the configuration.
The Terraform server used to deploy Cloud Scale must be able to communicate with the cluster API server of your EKS cluster.
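The requirements above are easy to get wrong in a tfvars file and expensive to discover only when `terraform apply` fails. The following offline pre-flight check is an added example, not code from the Cohesity guide or its Terraform scripts: it encodes the subnet sizes, availability-zone split, DNS record pairing, security-group rule quota and forbidden name prefixes as checks over a plan dictionary. The `PLAN` values are constructed sample data (documentation address ranges), the function names are our own, and the rule that service addresses come from the load balancer subnet is an assumption, marked in the code.

```python
"""Offline pre-flight check for the Cloud Scale networking requirements.

Added example, not part of the Cohesity guide or its Terraform scripts. PLAN is a
constructed stand-in for values you would normally read from tfvars and the account.
"""
import ipaddress

NODE_GROUP_PREFIXES = {22, 24}     # Subnet 1, AZ A: /22 or /24 (node group)
LOAD_BALANCER_PREFIX = 26          # load balancer subnet, AZ A: /26, must be empty
SUBNET2_PREFIX = 28                # Subnet 2, AZ B: /28
REQUIRED_SG_RULE_QUOTA = 100       # default per-security-group rule quota is 60; needs 100
FORBIDDEN_PREFIXES = ("netbackup", "primary", "media")   # names that make the install fail
REQUIRED_DNS_ROLES = ("primary", "msdp", "snapshot_manager")  # one Route53 entry each

# Constructed sample plan; the addresses are private ranges, not real infrastructure.
PLAN = {
    "vpc_cidr": "10.0.0.0/16",
    "az_a": "us-east-1a",
    "az_b": "us-east-1b",
    "node_group_cidr": "10.0.0.0/22",
    "load_balancer_cidr": "10.0.4.0/26",
    "load_balancer_instances": 0,          # instances/devices already in that subnet
    "subnet2_cidr": "10.0.4.64/28",
    "sg_rule_quota": 100,                  # current quota value from Service Quotas
    "resource_names": ["cs-eks-cluster", "cs-node-group", "cs-lb-sg"],
    "dns_roles": {"primary": "cs-primary.cs.internal.",
                  "msdp": "cs-msdp.cs.internal.",
                  "snapshot_manager": "cs-snapmgr.cs.internal."},
    "forward_zone": {"cs-primary.cs.internal.": "10.0.4.10",
                     "cs-msdp.cs.internal.": "10.0.4.11",
                     "cs-snapmgr.cs.internal.": "10.0.4.12"},
    "reverse_zone": {"10.0.4.10": "cs-primary.cs.internal.",
                     "10.0.4.11": "cs-msdp.cs.internal.",
                     "10.0.4.12": "cs-snapmgr.cs.internal."},
}


def check_subnets(plan):
    """Return problems with the subnet layout; an empty list means it passes."""
    problems = []
    vpc = ipaddress.ip_network(plan["vpc_cidr"])
    node = ipaddress.ip_network(plan["node_group_cidr"])
    lb = ipaddress.ip_network(plan["load_balancer_cidr"])
    sub2 = ipaddress.ip_network(plan["subnet2_cidr"])
    if node.prefixlen not in NODE_GROUP_PREFIXES:
        problems.append(f"node group subnet {node} must be /22 or /24")
    if lb.prefixlen != LOAD_BALANCER_PREFIX:
        problems.append(f"load balancer subnet {lb} must be /26")
    if sub2.prefixlen != SUBNET2_PREFIX:
        problems.append(f"subnet 2 {sub2} must be /28")
    if plan["az_a"] == plan["az_b"]:
        problems.append("subnet 1 and subnet 2 must be in different availability zones")
    if plan["load_balancer_instances"]:
        problems.append("load balancer subnet must contain no instances or devices")
    nets = [node, lb, sub2]
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} lies outside the VPC range {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def check_dns(plan):
    """Each role needs an A record and a PTR record that agree with each other."""
    problems = []
    lb = ipaddress.ip_network(plan["load_balancer_cidr"])
    for role in REQUIRED_DNS_ROLES:
        fqdn = plan["dns_roles"].get(role)
        addr = plan["forward_zone"].get(fqdn)
        if not fqdn or addr is None:
            problems.append(f"no forward record for {role}")
            continue
        if plan["reverse_zone"].get(addr) != fqdn:
            problems.append(f"reverse record for {addr} does not point back to {fqdn}")
        # Assumption (not stated by the guide): service addresses are allocated
        # from the load balancer subnet the DNS zones are attached to.
        if ipaddress.ip_address(addr) not in lb:
            problems.append(f"{fqdn} -> {addr} is not in load balancer subnet {lb}")
    return problems


def check_quota_and_names(plan):
    """Security group rule quota must be raised; resource names must avoid the prefixes."""
    problems = []
    if plan["sg_rule_quota"] < REQUIRED_SG_RULE_QUOTA:
        problems.append(f"security group rule quota {plan['sg_rule_quota']} "
                        f"is below {REQUIRED_SG_RULE_QUOTA}")
    for name in plan["resource_names"]:
        if name.lower().startswith(FORBIDDEN_PREFIXES):
            problems.append(f"resource name {name!r} uses a forbidden prefix")
    return problems


def preflight(plan):
    """Collect every problem; run the Terraform scripts only when this is empty."""
    return check_subnets(plan) + check_dns(plan) + check_quota_and_names(plan)


if __name__ == "__main__":
    issues = preflight(PLAN)
    print("OK" if not issues else "\n".join(issues))
```

Run it against your own values before `terraform apply`; every finding maps to one of the bullet points above, so the list it prints is the list of things to fix in the AWS account or tfvars first.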
Note:
If the EKS VPC endpoint is enabled for the VPC and the Terraform Management Server is in the same VPC, the deployment may fail, because the EKS OIDC service endpoint cannot be accessed from inside that VPC. Consequently, operations such as creating an OIDC provider in the VPC will not work and result in a timeout when attempting to request https://oidc.eks.region.amazonaws.com. This is a limitation of the AWS cloud provider. For more details, refer to the EKS VPC endpoint documentation.