Amazon Web Services

This article describes how to import an Airlock Gateway cloud image and deploy it as a VM on Amazon Web Services (AWS).

Cloud image import

Before starting, make sure the following prerequisites are met:

You have downloaded the Airlock Gateway cloud image in VMDK format from the Airlock Gateway download page on Techzone. This image file will be uploaded to Amazon S3 and then imported as an Amazon Machine Image (AMI).
An S3 bucket exists for storing the Airlock Gateway cloud image.
The IAM role vmimport exists with the correct trust and permission policies (for details, see the Required service role section of the VM Import/Export User Guide).

Creating an AMI

To deploy Airlock Gateway on AWS, the Airlock Gateway cloud image must first be converted into an Amazon Machine Image (AMI). This requires uploading the Airlock Gateway cloud image to Amazon S3 and then importing it into Amazon EC2.

Upload the disk image to Amazon S3:

Terminal box

aws s3 cp airlock_IMG_x64_<version>.vmdk s3://<your-s3-bucket>/

Create a containers.json descriptor:

Terminal box

[
  {
    "Description": "Airlock Gateway <version> disk image",
    "Format": "VMDK",
    "UserBucket": {
      "S3Bucket": "<your-s3-bucket>",
      "S3Key": "airlock_IMG_x64_<version>.vmdk"
    }
  }
]

Import the image into EC2 as an AMI:

Terminal box

aws ec2 import-image \
  --description "Airlock Gateway <version>" \
  --disk-containers file://containers.json

Note: If the import fails, verify that the vmimport role was created and granted access to the S3 bucket.

After the import task completes, the new AMI is available in your account and can be used to launch Airlock Gateway instances on Amazon EC2.

For further details, refer to the AWS EC2 documentation article about AMI image creation.

Instance creation

Example of a full aws ec2 run-instances command

Terminal box

aws ec2 run-instances \
  --image-id ami-<airlock-gateway-ami-id> \
  --count 1 \
  --instance-type <instance-type> \
  --key-name <ssh-keypair-name> \
  --security-group-ids <sg-1234567890abcdef0> \
  --subnet-id <subnet-1234567890abcdef0> \
  --block-device-mappings '[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":20,"VolumeType":"gp3"}}]' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=Airlock-Gateway}]' \
  --user-data file://cloud-init-user-data.txt

Opening the required ports

In AWS, inbound and outbound traffic is controlled through security groups. By default, a new EC2 instance is only accessible via SSH on port 22. To make Airlock Gateway fully usable, additional inbound security rules covering the following ports must be added to the security group associated with the instance:

8443 for the Airlock Gateway Configuration Center
80 and/or 443 for virtual hosts (HTTP/HTTPS)
Those required inbound ports correspond to the port assignment recommended for the Airlock network setup.

For step-by-step instructions on managing security group rules, refer to the security groups section of the EC2 User Guide.