Deploy on AWS

An AWS CloudFormation template is provided for quick deployment of the VMClarity environment.

Note: To avoid extra costs (cross-region snapshots), you may want to deploy the VMClarity AWS CloudFormation template in the same region where the majority of the VMs are that you want to scan with VMClarity.

The following figure shows the basic AWS resources that the VMClarity CloudFormation template creates:

  • a VPC with a public and private subnet, and

  • an AWS Internet Gateway (IGW) and NAT Gateway (NGW) into the VPC.

The public subnet (VmClarityServerSubnet) hosts the VMClarity Server (VmClarityServer) EC2 instance. The VMClarity server houses the scanning configuration, the UI, and other control components. The EC2 instance is assigned an external IPv4 address (EIP) for SSH and web UI access.

The private subnet (VmClarityScannerSubnet) hosts the VM snapshot instances (EC2) that are scanned for security vulnerabilities.

Prerequisites

Deployment steps

To deploy the VMClarity AWS CloudFormation Stack, you can:

  • click this quick-create link to navigate directly to the AWS CloudFormation console and jump to the wizard instructions, or
  • complete the following steps.

  1. Download the latest VMClarity release.

    wget https://github.com/openclarity/vmclarity/releases/download/v0.6.0/aws-cloudformation-v0.6.0.tar.gz

    Alternatively, copy the AWS CloudFormation template file from the project repository to deploy the latest development code and skip the next step.

  2. Create a new directory and extract the files.

    mkdir aws-cloudformation-v0.6.0
tar -xvzf aws-cloudformation-v0.6.0.tar.gz -C aws-cloudformation-v0.6.0

  3. Log in to the AWS CloudFormation console and go to the AWS CloudFormation Stacks section, then select Create Stack > With New Resources (standard).

  4. Check Template is ready and Upload a template file, then click Upload a template file/Choose file and upload the previously downloaded CFN template file.

  5. In the VMClarity CloudFormation Stack wizard, set the following:

    1. Enter a name for the stack.
    2. Select the InstanceType (defaults to t2.large for the VMClarity Server, and the scanner VMs).
    3. Specify the SSH key for the EC2 instance in the KeyName field. You will need this key to connect to VMClarity.
    4. Adjust SSHLocation according to your policies.
    5. Do not change AdvancedConfiguration, unless you are building from a custom registry.
    6. Click NEXT.
    7. (Optional) Add tags as needed for your environment. You can use the defaults unless you need to adjust for your own policies.
    8. Click NEXT, then scroll to the bottom of the screen, and check I acknowledge….
    9. Click SUBMIT.

  6. Once the stack is deployed successfully, copy the VMClarity SSH address from the Outputs tab.

  7. Open an SSH tunnel to VMClarity the server

    ssh -N -L 8080:localhost:80 -i  "<Path to the SSH key specified during install>" ubuntu@<VmClarity SSH Address copied during install>

  8. Access the VMClarity UI.

    1. Open the VMClarity UI in your browser at http://localhost:8080/. The dashboard opens.

      VMClarity UI Dashboard

    2. (Optional) If needed, you can access the API athttp://localhost:8080/api. For details on the API, see API reference.

Next steps

Complete the First tasks on the UI.

Last modified January 24, 2024: docs(aws): add quick-create link (#36) (4501ea0)