Install Banyan Access Tier using AWS CloudFormation

This article describes features that are only available in the Banyan Enterprise edition.

Pre-install Checklist

  1. Ensure you have an Amazon Web Services (AWS) account and permissions to launch EC2 instances, manage AutoScaling and set Security Groups.

  2. Download the CloudFormation banyan-elastic-access-tier.json file.

  3. Ensure you have an Organization set up in Banyan and that you have admin access via the Command Center.

  4. In the Banyan Command Center, navigate to Infrastructure > Clusters and ensure you have a Cluster with a running Shield that the Netagent or Access Tier can connect to. The Clusters section of the Web Console lists all cluster parameters such as Cluster Name, Shield Address, etc.

  5. In the Command Center, navigate to User Settings > My Profile and ensure you have generated a Refresh Token. You will need your Refresh Token if/when you use the automated bootstrap scripts to install Netagent or Access Tier.

Refresh Token - My Profile

Networking

You can deploy the Access Tier in an entirely new VPC or in an existing VPC.

New VPC

Use the steps below to deploy Access Tier on a new VPC and provision all the requisite AWS Networking.

1. Download the banyan-network-stack.json file.

2. In the AWS Console, navigate to Services > CloudFormation.

3. Create a stack With new resources (Standard) and upload the banyan-network-stack.json file to provision all the requisite AWS Networking.

4. Enter a stack name, and then ensure the Zones are valid for your region.

5. Configure stack options as needed, then click Create stack.

6. Since Access Tier will be deployed in this VPC, ensure the Access Tier has connectivity to the upstream application, server, or host via VPC peering.

Existing VPC - Network Reachability Checklist

  1. Ensure that your VPC has an Internet Gateway attached and a Public Subnet where you can deploy the Access Tier.

  2. The Access Tier resources should be located in your Public Subnet and have a Public IP Address so it can be reached from anywhere on the Internet.

  1. Ensure that Access Tier can make an outbound TCP connection to its Shield (Cluster Coordinator) to register with the Command Center, receive Policies, and send Event data. You can find the Shield Address for your Access Tier in the Cluster Settings page.

Shield Address - Infrastructure > Cluster

  1. Ensure that Access Tier can make an outbound HTTPS connection to the Command Center to download and install the components for your Server.

Additionally, Access Tier supports proxy settings, so the connection from Access Tier to Shield could traverse a proxy if required.

  • OS-specific Module: The Access Tier will make a request to https://www.banyanops.com/netting/… to download an OS-specific Module.
  • Automated Bootstrap: The install script will make an API call to https://net.banyanops.com/api/v1/… to obtain a one-time-key required for installation
  1. Ensure that Access Tier can make an outbound HTTPS connection to the Command Center to obtain rotating keys used for digital signing and verification.
    • JWKS Signing: In order to authenticate OIDC JWT tokens used for web access, the Access Tier will need to obtain JSON Web Key Set (JWKS) containing public keys from https://{your_orgname}.trust.banyanops.com/v2/.well-known/jwks.json
  2. Ensure your networking policies allow traffic to flow from the Access Tier server to backend machines running the applications and services you need to secure access to.

Setup

1. Create the Access Tier Stack using CloudFormation in the AWS Console

1. In the AWS Console, navigate to CloudFormation and then create a new stack.

2. Select the option With new resources (standard). On the Create stack page, leave Template is ready selected and then select Upload a template file.

3. Upload the banyan-elastic-access-tier.json file, and then click Next.

2. Configure and Deploy Access Tier

1. Provide a Stack name and then configure the applicable Parameters:

  • Select the VPC into which the Access Tier should be deployed
  • Select the applicable PublicSubnets and PrivateSubnets
  • Optionally, enter a KeyName to enable SSH on port 2222 for Access Tier instances
  • Enter the BanyanClusterName of the applicable Cluster (found in the Command Center by navigating to Directory & Infrastructure > Infrastructure > Clusters)
  • Enter your BanyanRefreshToken (found in the Command Center by navigating to My Profile > Refresh Token)
  • Enter the BanyanSiteDomainName(s) that Access Tier will protect

2. Click Next, and then Configure stack options according to your deployment needs.

3. Click Next, and then click Create stack to start Access Tier.

4. Configure a Public Wildcard DNS Record that follows your corporate domain name convention to map to the load balancer’s DNS name

  • A common pattern is to use *.corp.example.com
  • Then, corporate services can be exposed to your users as website1.corp.example.com, sshserver2.corp.example.com, etc

    If you’re deploying Access Tiers across multiple sites, you can further scope the subdomains into *.east.corp.example.com, *.west.corp.example.com, etc.

By default, Banyan Access Tier CloudFormation template utilizes an Amazon-Linux-2 image.

3. Verify Installation

Once the Access Tier is installed, you can check the Infrastructure > Sites section of the Banyan Command Center to see the list of all the registered Access Tiers.

Infrastructure - Sites



Last modified: Jun 18, 2021