This article will provide step-by-step instructions on how to create and configure an EBS Endpoint for CPM workers (v3.1 and up)
Let's say that you have created this VPC for your workers:
In this example, we allocated IPv4 addresses 10.0.0.0-10.0.0.255 to this VPC.
"DNS resolution" and "DNS Hostnames" should be enabled.
We also have this subnet created in the VPC for the workers:
In this example, we allocated IPv4 addresses 10.0.0.128-10.0.0.255 to this subnet.
Now let's create a Security Group that will be associated with the EBS Endpoint.
It needs to allow incoming port 443 (HTTPS) from the workers. You can either reference workers' subnet, Security Group, or both - like in the example below, to lock it down based on both parameters.
Now let's create an EBS Endpoint in the right region and associate it with the previously created VPC and subnet:
It also needs to be associated with the previously created Security Group:
The created Endpoint should look like this:
After creating the EBS Endpoint, you need open outgoing communication from the worker's Security Group to the EBS Endpoint's IP.
The worker's Security Group should look like this:
To test connectivity, please do the following:
a) Launch an Amazon Linux 2 or Ubuntu 20.04 AMI into the worker's VPC/Subnet/Security Group, and assign it CPM Server's iAM Role
b) SSH into the instance (you will have to open SSH from your IP in the Security Group and the Routing Table).
c) Run the following command (replace "us-east-2" with your region):
You should see that curl has successfully connected to the EBS Endpoint's IP:
You should see that curl has successfully connected to the regional S3 endpoint:
wget --no-check-certificate https://cpmip/
This command should result in status 302 (redirecting to "/signin/") followed by 200
This command should result in "Permission denied (publickey)". This is only needed for File Level Restore workers, not S3.