How to create and configure an EBS Endpoint for CPM Workers

This article provides step-by-step instructions for creating and configuring an EBS Endpoint for CPM workers (v3.1 and up).

Step 1:
Let's say that you have created this VPC for your workers:

In this example, we allocated IPv4 addresses 10.0.0.0-10.0.0.255 to this VPC.
"DNS resolution" and "DNS Hostnames" should be enabled.

We also have this subnet created in the VPC for the workers:


In this example, we allocated IPv4 addresses 10.0.0.128-10.0.0.255 to this subnet.

Step 2:
Now let's create a Security Group that will be associated with the EBS Endpoint.
It needs to allow incoming port 443 (HTTPS) from the workers. You can reference the workers' subnet, their Security Group, or both, as in the example below, which locks it down based on both parameters.



Step 3:
Now let's create an EBS Endpoint in the right region and associate it with the previously created VPC and subnet:


It also needs to be associated with the previously created Security Group:


The created Endpoint should look like this:






Step 4:
After creating the EBS Endpoint, you need to open outgoing communication from the worker's Security Group to the EBS Endpoint's IP.
The worker's Security Group should look like this:


Step 5:
To test connectivity, please do the following:
a) Launch an Amazon Linux 2 or Ubuntu 20.04 AMI into the worker's VPC/Subnet/Security Group, and assign it the CPM Server's IAM Role.
b) SSH into the instance (you will have to open SSH from your IP in the Security Group and the Routing Table).
c) Run the following command (replace "us-east-2" with your region):
You should see that curl has successfully connected to the EBS Endpoint's IP:


You should see that curl has successfully connected to the regional S3 endpoint:


wget --no-check-certificate https://cpmip/
This command should result in status 302 (redirecting to "/signin/") followed by 200.

ssh cpmuser@CPMIP
This command should result in "Permission denied (publickey)". This is only needed for File Level Restore workers, not S3.

Important: Having the right connectivity is not enough; you also need to apply the latest permissions template to your IAM role's permission policy: https://support.n2ws.com/portal/en/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation
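
An added example (not part of the original article or of N2WS tooling): a Python check for the Step 5 test instance that resolves the regional EBS API name, reports whether each address falls inside the VPC and worker subnet ranges used in Step 1, and then tries TCP 443. The hostname ebs.us-east-2.amazonaws.com and all function names are assumptions of this example; substitute your own region and ranges.

```python
import ipaddress
import socket

# Ranges from Step 1 of this article; change them to match your VPC.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/24")         # 10.0.0.0-10.0.0.255
WORKER_SUBNET = ipaddress.ip_network("10.0.0.128/25")  # 10.0.0.128-10.0.0.255

def classify(ip):
    """Say where a resolved address sits relative to the worker network."""
    addr = ipaddress.ip_address(ip)
    if addr in WORKER_SUBNET:
        return "endpoint-in-worker-subnet"
    if addr in VPC_CIDR:
        return "endpoint-in-vpc"
    if addr.is_private:
        return "private-outside-vpc"
    return "public"

def verdict(ips):
    """PASS only when every resolved address is inside the VPC range."""
    kinds = {classify(ip) for ip in ips}
    if not kinds:
        return "FAIL: name did not resolve"
    if kinds <= {"endpoint-in-worker-subnet", "endpoint-in-vpc"}:
        return "PASS"
    return "FAIL: " + ", ".join(sorted(kinds))

def resolve(host):
    """Return the sorted IPv4 addresses the instance's resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def can_connect(ip, timeout=3.0):
    """True if a TCP connection to ip:443 succeeds (Security Groups allow it)."""
    try:
        with socket.create_connection((ip, 443), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    host = "ebs.us-east-2.amazonaws.com"  # assumed name; replace us-east-2
    ips = resolve(host)
    print(host, "->", ips, verdict(ips))
    for ip in ips:
        state = "open" if can_connect(ip) else "blocked"
        print(ip, classify(ip), "tcp/443", state)
```

A "public" result means the name is not resolving to the Endpoint from inside the VPC; a PASS with "blocked" points at the Security Group rules from Steps 2 and 4.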