You can connect your AWS VPC to Cato using an IPsec tunnel or a virtual Socket (vSocket). This article describes how to deploy a vSocket on an EC2 instance.
The vSocket provides these advantages:
- Bandwidth management control and QoS
- Maximizes connectivity to PoPs in the Cato Cloud
- Support for high availability configurations
For more information about vSocket and IPsec sites, see Selecting the Connection Type for a Site.
This article assumes that you already have a VPC in your AWS environment.
- You must have admin permissions to the AWS dashboard and the Cato Management Application. In addition, you must have the following permissions in AWS:
  - AWS Marketplace
  - CloudFormation
  - IAM role creation
  - Key pair creation
- Make sure the environment meets the requirements listed in Cato Socket Connection Prerequisites.
The following EC2 instance types are certified for vSockets:
- t3.large
- t3.xlarge
- c3.xlarge
- c4.xlarge
- c5.xlarge
- c5d.xlarge
- c5n.xlarge (Suggested for higher performance sites with bandwidth above 2Gbps)
- d2.xlarge
Note: If the c3.xlarge or c4.xlarge instances are not available in your region, contact AWS customer support.
- In the Cato Management Application, create a new site for the AWS vSocket
- Deploy the Cato Networks AWS offering
- Verify that the vSocket is connected to your account
Create the AWS vSocket site in the Cato Management Application, and the serial number for the vSocket is generated. This serial number is used when you launch the EC2 instance.
The Local IP for the vSocket must be the same as the IP address for the LAN interface on the EC2 instance. The first three IP addresses of the subnet are reserved by the VPC.
After you create the site, the Cato Management Application automatically generates a unique serial number for the new vSocket. You need to enter this serial number when you launch the EC2 instance (see Launching the Instance with the Cato AMI below).
To create the site for the AWS vSocket:
- In the Cato Management Application, from the navigation menu select Network > Sites.
- Click New. The Add Site panel opens.
- Configure the General settings for the site:
  - Enter the Site Name.
  - Select the Site Type. This option determines which icon is used for the site in the Topology window.
  - Select vSocket AWS for the Connection Type.
  - Configure the Country, State, and Time Zone. These settings set the time frame for the Maintenance Window.
- Configure the WAN Interface Settings, including the Downstream and Upstream bandwidth according to your ISP bandwidth.
- Configure the LAN Interface Settings, including the Native Range for the AWS site. This setting must be the same as the LAN subnet IP range in AWS.
- Click Apply. The site is added to the Sites list.
The Cato Management Application automatically generates a unique serial number (S/N) for the new vSocket. You need to enter this serial number when you launch the EC2 instance (see Launching the Instance with the Cato AMI below).
This procedure enables you to automatically deploy all aspects of the AWS environment using a predefined template. Before you begin, make sure you have:
- The necessary permissions to download and run the template from the AWS Marketplace
- Created a key pair for encrypted communication
- Copied the serial number from the vSocket you created in the Cato Management Application
To deploy AWS resources using the Cato offering:
- From the AWS Marketplace, search for Cato Networks Virtual Socket.
- Click Continue to Subscribe.
- Click Continue to Configuration.
- Under Fulfillment option, select CloudFormation Template.
- Under Region, make sure to select the region in which your vSocket is located.
- Click Continue to Launch.
- In the Choose Action dropdown, select Launch CloudFormation.
- After reviewing the configuration information, click Launch.
- In the Create stack page, click Next to use the template as is, or click View in Designer to make changes relevant to your environment.
- Enter the Network Configuration parameters for your virtual resources:
  - VPC - enter the network range of the VPC to which you are connecting. Make sure it does not conflict with your WAN.
  - MGMT, WAN, and LAN subnets - enter the range, within the VPC, to use as the respective subnets.
- Enter the Instance Configuration parameters for your virtual resources:
  - MGMTENI - an IP address within the MGMT subnet for the MGMT interface. The first three IP addresses of the subnet are reserved by the VPC.
  - WANENI - an IP address within the WAN subnet for the WAN interface. The first three IP addresses of the subnet are reserved by the VPC.
  - LANENI - an IP address within the LAN subnet for the LAN interface. The first three IP addresses of the subnet are reserved by the VPC.
  - KeyPair - select the key pair that you created to encrypt this connection.
  - Serial number - the S/N you copied when creating the vSocket in the Cato Management Application.
  - Security Group Ingress - enter the IP address or range that can initiate a connection to these virtual resources. We recommend limiting this to the smallest group possible to maintain a good security posture.
- Click Next.
The new configuration is deployed and within several minutes, the vSocket should display a Connected status.
If your application EC2 instances are associated to a non-Native Range subnet (a subnet which is not the vSocket LAN interface subnet), in the Cato Management Application add a routed range in the Networks section for the site.
To route traffic to the EC2 instance:
- From the navigation menu, select Network > Sites, and select the site.
- From the navigation menu, select Site Configuration > Networks.
- In the LAN section, click New. The New IP range panel opens.
- Enter the Name for the IP range.
- Set the Type of range to Routed.
- Enter the Subnet IP Range.
- Set the Gateway IP to the VPC router, which is the first host IP address of the Native Range subnet.
- (Optional) Configure the Static NAT for the range.
- Click Apply. The range is added to the Networks screen.
The screenshot above shows these sample settings for the Routed range:
- Native Range - 10.0.2.0/24
- Routed range - 10.0.26.0/24
- Gateway IP - 10.0.2.1
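The stack parameters above and the Routed range rules are easy to get subtly wrong (an ENI address on a reserved subnet address, a LAN subnet that does not match the site's Native Range, an ingress rule open to the world, or a wrong Gateway IP). The following is an added pre-deployment check, not Cato's code or the CloudFormation template itself. It encodes the rules stated in this article using only the Python standard library. The parameter dictionary keys (VPC, MGMTSubnet, MGMTENI, SecurityGroupIngress, and so on) are modelled on the labels in the article and are an assumption, not the template's actual parameter names; the sample values are constructed.

```python
"""Pre-deployment checks for Cato vSocket stack parameters and Routed ranges.

Added example (not Cato's tooling). Rules checked, all taken from the article:
  - the MGMT, WAN and LAN subnets must sit inside the VPC;
  - each ENI address must sit inside its subnet and avoid the reserved addresses;
  - the VPC range must not overlap the WAN;
  - the site's Native Range must equal the LAN subnet;
  - a Routed range must be a different subnet, and its Gateway IP is the
    VPC router, i.e. the first host address of the Native Range subnet.
"""
import ipaddress

# The article names the first three addresses of a subnet as reserved (network,
# VPC router, DNS). AWS additionally reserves the fourth address and the last
# (broadcast) address of every subnet, so this check covers all five.
RESERVED_HEAD = 4

# Constructed sample parameters; key names are an assumption for this example.
SAMPLE_PARAMS = {
    "VPC": "10.0.0.0/16",
    "MGMTSubnet": "10.0.0.0/24", "MGMTENI": "10.0.0.10",
    "WANSubnet": "10.0.1.0/24", "WANENI": "10.0.1.10",
    "LANSubnet": "10.0.2.0/24", "LANENI": "10.0.2.10",
    "SecurityGroupIngress": "198.51.100.0/24",  # the operators' range, not 0.0.0.0/0
}


def reserved_addresses(subnet):
    """Return the set of addresses AWS does not let you assign in a subnet."""
    head = {subnet.network_address + i for i in range(RESERVED_HEAD)}
    return head | {subnet.broadcast_address}


def check_address_in_subnet(name, ip_str, subnet):
    """Problems with placing one ENI address inside its subnet."""
    ip = ipaddress.ip_address(ip_str)
    if ip not in subnet:
        return [f"{name} {ip} is not inside subnet {subnet}"]
    if ip in reserved_addresses(subnet):
        return [f"{name} {ip} is one of the addresses AWS reserves in {subnet}"]
    return []


def validate_stack_parameters(params, wan_ranges, native_range):
    """Return a list of problems; an empty list means the parameters are consistent.

    wan_ranges: the on-premises/WAN prefixes the VPC must not collide with.
    native_range: the Native Range configured on the site's LAN interface.
    """
    problems = []
    vpc = ipaddress.ip_network(params["VPC"], strict=True)

    for wan in wan_ranges:
        if vpc.overlaps(ipaddress.ip_network(wan, strict=True)):
            problems.append(f"VPC {vpc} overlaps WAN range {wan}")

    for role in ("MGMT", "WAN", "LAN"):
        subnet = ipaddress.ip_network(params[f"{role}Subnet"], strict=True)
        if not subnet.subnet_of(vpc):
            problems.append(f"{role} subnet {subnet} is not inside VPC {vpc}")
        problems += check_address_in_subnet(f"{role}ENI", params[f"{role}ENI"], subnet)

    lan = ipaddress.ip_network(params["LANSubnet"], strict=True)
    if ipaddress.ip_network(native_range, strict=True) != lan:
        problems.append(f"site Native Range {native_range} does not match LAN subnet {lan}")

    ingress = ipaddress.ip_network(params["SecurityGroupIngress"], strict=True)
    if ingress.prefixlen == 0:
        problems.append("Security Group Ingress allows any source; narrow it to the operator range")
    return problems


def routed_range_gateway(native_range, routed_range, vpc_cidr):
    """Return the Gateway IP to enter for a Routed range, or raise ValueError.

    The gateway is the VPC router: the first host address of the Native Range.
    """
    native = ipaddress.ip_network(native_range, strict=True)
    routed = ipaddress.ip_network(routed_range, strict=True)
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not routed.subnet_of(vpc):
        raise ValueError(f"Routed range {routed} is not inside VPC {vpc}")
    if routed.overlaps(native):
        raise ValueError(f"Routed range {routed} overlaps the Native Range {native}")
    return str(native.network_address + 1)


if __name__ == "__main__":
    for problem in validate_stack_parameters(SAMPLE_PARAMS, ["203.0.113.0/24"], "10.0.2.0/24"):
        print("PROBLEM:", problem)
    # The article's sample: Native 10.0.2.0/24, Routed 10.0.26.0/24 -> Gateway 10.0.2.1
    print("Gateway IP:", routed_range_gateway("10.0.2.0/24", "10.0.26.0/24", "10.0.0.0/16"))
```

Run it against your own values before launching the stack; an empty problem list and the printed Gateway IP are what you transcribe into the CloudFormation parameters and the New IP range panel respectively.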
IMDS (Instance Metadata Service) provides secure access to retrieve an instance's metadata. Cato uses this service to get the following information:
- Serial number in user data
- Instance ID
- HA-related information
- Key and hostname settings for modifying the routing table
Starting with Socket v20 build 18221, Cato is adding support for IMDSv2.
To configure your instance to use IMDSv2:
- In AWS, select the instance you want to configure.
- Select Actions > Instance settings.
- In the Modify instance metadata options section, under IMDSv2 select Required.
- Click Save.
This change does not cause any downtime. However, if you have an HA deployment, you must configure both the primary and secondary instances to use the same IMDS version.
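Because an HA pair must use the same IMDS version, it helps to audit all vSocket instances after the change rather than trusting the console click. The following is an added example, not Cato's tooling: it walks a describe-instances response in the shape returned by `aws ec2 describe-instances`, reports instances that still allow IMDSv1 (HttpTokens not set to required) or have the IMDS endpoint disabled, and flags HA pairs whose members disagree. The sample response is constructed, and HA pair membership is taken from an assumed tag named `cato:ha-pair`, which is not something the article describes.

```python
"""Audit EC2 instances for IMDSv2 enforcement and HA-pair consistency.

Added example (not Cato's code). Input is the JSON printed by
`aws ec2 describe-instances`; only MetadataOptions, InstanceId and Tags are read.
"""
import json
from collections import defaultdict

# Assumed tag used to group the primary and secondary vSocket of one HA site.
HA_PAIR_TAG = "cato:ha-pair"

# Constructed sample: two HA members that disagree, plus a standalone instance.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0a1b2c3d4e5f60001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
         "Tags": [{"Key": "Name", "Value": "vsocket-primary"},
                  {"Key": HA_PAIR_TAG, "Value": "site-a"}]},
        {"InstanceId": "i-0a1b2c3d4e5f60002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
         "Tags": [{"Key": "Name", "Value": "vsocket-secondary"},
                  {"Key": HA_PAIR_TAG, "Value": "site-a"}]},
        {"InstanceId": "i-0a1b2c3d4e5f60003",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
         "Tags": [{"Key": "Name", "Value": "vsocket-site-b"}]},
    ]}]
})


def instance_tags(instance):
    """Flatten the Tags list into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def imds_state(instance):
    """'required' (IMDSv2 only), 'optional' (IMDSv1 still allowed) or 'disabled'."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return "disabled"
    return "required" if opts.get("HttpTokens") == "required" else "optional"


def remediation_command(instance_id):
    """The AWS CLI call that enforces IMDSv2 on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled")


def audit_imds(describe_output_json):
    """Return a list of findings; an empty list means every instance is consistent."""
    data = json.loads(describe_output_json)
    findings = []
    pairs = defaultdict(dict)  # pair name -> {instance id: imds state}
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            state = imds_state(inst)
            if state == "optional":
                findings.append(f"{iid}: IMDSv1 still allowed; run: {remediation_command(iid)}")
            elif state == "disabled":
                # With the endpoint off the vSocket cannot read its serial number or instance ID.
                findings.append(f"{iid}: IMDS endpoint disabled; re-enable it with: {remediation_command(iid)}")
            pair = instance_tags(inst).get(HA_PAIR_TAG)
            if pair:
                pairs[pair][iid] = state
    for pair, members in pairs.items():
        if len(set(members.values())) > 1:
            findings.append(f"HA pair {pair}: members disagree on IMDS version {members}")
    return findings


if __name__ == "__main__":
    for finding in audit_imds(SAMPLE_DESCRIBE_OUTPUT):
        print(finding)
```

Feed it real output with `aws ec2 describe-instances --filters Name=tag-key,Values=cato:ha-pair --output json` (adjusting the filter to whatever tag you actually use); the printed remediation commands are the CLI equivalent of the console steps above.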
2 comments
This is a broken link: Cato Socket Connection Prerequisites in the Overview section.
Thank you, Yoshihiro-san - it's fixed now.