How to create and configure an EBS Endpoint for CPM Workers

This article provides step-by-step instructions for creating and configuring an EBS Endpoint for CPM workers (v3.1 and up).

Step 1:
Let's say that you have created this VPC for your workers:

In this example, we allocated IPv4 addresses 10.0.0.0-10.0.0.255 to this VPC.
"DNS resolution" and "DNS Hostnames" should be enabled.

We also have this subnet created in the VPC for the workers:


In this example, we allocated IPv4 addresses 10.0.0.128-10.0.0.255 to this subnet.

Step 2:
Now let's create a Security Group that will be associated with the EBS Endpoint.
It needs to allow incoming port 443 (HTTPS) from the workers. You can reference the workers' subnet, the workers' Security Group, or both, as in the example below, to lock it down based on both parameters.



Step 3:
Now let's create an EBS Endpoint in the right region and associate it with the previously created VPC and subnet:


It also needs to be associated with the previously created Security Group:


The created Endpoint should look like this:






Step 4:
After creating the EBS Endpoint, you need to open outgoing communication from the worker's Security Group to the EBS Endpoint's IP.
The worker's Security Group should look like this:
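
The rules from Steps 2 and 4 can also be checked in code. The following Python sketch is an added example, not part of the original article or of N2WS tooling: it audits rule lists shaped like the output of `aws ec2 describe-security-groups`. The Security Group ID, the endpoint IP 10.0.0.200 and the sample rules are constructed placeholders; only the 10.0.0.128/25 worker subnet and port 443 come from the steps above.

```python
import ipaddress

# Worker subnet from Step 1; the group ID and endpoint IP are constructed placeholders.
WORKER_SUBNET = ipaddress.ip_network("10.0.0.128/25")   # 10.0.0.128-10.0.0.255
WORKER_SG = "sg-0workerexample"
ENDPOINT_IP = ipaddress.ip_address("10.0.0.200")

def covers_443(perm):
    """True if a permission entry (IpPermissions shape) includes TCP 443."""
    if perm["IpProtocol"] == "-1":          # all protocols, all ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= 443 <= perm["ToPort"]

def audit_endpoint_ingress(perms):
    """Return (workers_can_reach, findings) for the endpoint SG's inbound rules."""
    reachable, findings = False, []
    for perm in filter(covers_443, perms):
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.subnet_of(WORKER_SUBNET):
                reachable = True
            else:
                findings.append(f"443 open to {net}, which is not inside the worker subnet")
                reachable = reachable or WORKER_SUBNET.subnet_of(net)
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == WORKER_SG:
                reachable = True
            else:
                findings.append(f"443 open to unexpected group {pair['GroupId']}")
    return reachable, findings

def worker_egress_ok(perms):
    """True if the worker SG's outbound rules allow TCP 443 to the endpoint IP."""
    return any(
        ENDPOINT_IP in ipaddress.ip_network(rng["CidrIp"])
        for perm in filter(covers_443, perms)
        for rng in perm.get("IpRanges", [])
    )

# Constructed sample rules, shaped like `aws ec2 describe-security-groups` output.
ENDPOINT_INGRESS = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "IpRanges": [{"CidrIp": "10.0.0.128/25"}],
                     "UserIdGroupPairs": [{"GroupId": WORKER_SG}]}]
TOO_WIDE_INGRESS = [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
WORKER_EGRESS = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                  "IpRanges": [{"CidrIp": "10.0.0.200/32"}]}]

if __name__ == "__main__":
    print(audit_endpoint_ingress(ENDPOINT_INGRESS))
    print(audit_endpoint_ingress(TOO_WIDE_INGRESS))
    print(worker_egress_ok(WORKER_EGRESS))
```

An empty findings list together with a reachable result means the endpoint accepts HTTPS only from the workers; any finding names a source that should be narrowed.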


Step 5:
To test connectivity, please do the following:
a) Launch an Amazon Linux 2 or Ubuntu 20.04 AMI into the worker's VPC/Subnet/Security Group, and assign it the CPM Server's IAM Role.
b) SSH into the instance (you will have to open SSH from your IP in the Security Group and the Routing Table).
c) Run the following command (replace "us-east-2" with your region):
You should see that curl has successfully connected to the EBS Endpoint's IP:


You should see that curl has successfully connected to the regional S3 endpoint:


wget --no-check-certificate https://cpmip/
This command should result in status 302 (redirecting to "/signin/") followed by 200.

ssh cpmuser@CPMIP
This command should result in "Permission denied (publickey)". This is only needed for File Level Restore workers, not S3.

Important: It's not enough to have the right connectivity; you also need to apply the latest permissions template to your IAM role's permission policy: https://support.n2ws.com/portal/en/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation
