Nearly-instant Zerto deployments to AWS via CloudFormation

As one of Zerto’s public cloud solution architects, I serve in an advisory role to prospective customers, solutions engineers, channel partners, and everyone that is looking for guidance in making their “public cloud journey” a little easier and efficient. One of the things that I have been asked on a variety of occasions is to deploy brand new environments into the cloud and to assist with this process.

We actually have a “Zerto from scratch” AWS deployment guide that we are in the process of updating (written by my super-smart and talented colleague Gene Torres, who you should follow on Twitter at @EugeneJTorres), and while this is certainly a great start to a brand new environment, there are a lot of steps that are involved, and as anyone that has deployed environments in AWS knows, it’s a lot of effort to start from scratch! So, if you’re not actively deploying VPCs on a regular basis, or if you want a better way to do things, one may consider AWS CloudFormation.

Before I get to the good stuff: AWS CloudFormation is a free service provided by AWS that enables you to write and deploy infrastructure stacks using a JSON or YAML template. This enables a concept referred to as “Infrastructure as Code”. Meaning, you can write a reusable template which builds out an entire environment programmatically, significantly reducing time to deployment and human error.

The template that I wrote takes Gene’s deployment guide and makes it a turn-key script. All you need to do is run the stack and it will build out a ready-to-use Zerto environment in AWS (with caveats, which I’ll get to) that you can use for your own purposes, including production, POC, patch testing, or the like. It will create your VPC with DHCP options, three subnets, an internet gateway, a routing table with a route to the internet, a security group for Zerto Cloud Appliance / Zerto Virtual Manager / Virtual Replication Appliance interaction, a NACL for the “test” subnet, a VPC endpoint to S3 for the region you are deploying to, and an IAM user with the required permissions attached as a policy. In other words, this will save you at least an hour of manual work.

The caveats here are as follows (READ THEM CAREFULLY):

  • You will need to create your own access key and grab the secret access key for the Zerto IAM user manually in IAM. I could automate this, but I haven’t figured out a truly secure way of doing this and not logging it to CloudTrail, so I decided to forgo it.
  • You will need a VPN (or Direct Connect link) set up manually back on premise. I recommend IPSec.
  • You will need to create a key pair manually and name it “zertokey0001” (without quotes. There is no way to create a key pair in CloudFormation, and you will need it to log into the ZCA. Creating a keypair is very easy: follow this guide here.
  • The Security Group ingress rules should be tightened up after the VPN is set up. You don’t want 0.0.0.0 as a general rule of thumb for anything, so after the VPN is configured make sure that’s edited!
  • The template was designed to work in us-west-1 (North California region), but it can be easily transported to other regions as well. us-west-1 is small with only two AZs, which is why the ZertoZCASubnet and the ZertoProdSubnet exist on the same AZ. I recommend if you are deploying to a larger region that you separate out the three subnets to separate AZs.
  • The Zerto ZCA instance is being called using an ImageId, which is unique for that region. If you deploy outside of us-west-1/N. California, either update the ImageId with the correct Zerto Community AMI, or delete the reference to ZERTOZCAINSTANCE and deploy a Windows 2019 m5.xlarge instance for the ZCA manually.

So, how do you use this?

Copy the following JSON template located in my github repository hereSave it somewhere on your desktop and open CloudFormation.

todo2.PNG

Click on “Designer”. Here, you can upload a template from your computer or an S3 bucket. (By the way, if you are interesting in pursuing the AWS Solutions Architect certification, CloudFormation is critical, so start playing around with it!)

todo3

Click on the Create Stack button in the top left corner of the screen (the one that looks like a cloud with an arrow), and create the stack. Give your stack a name, assign it a Key/Value tag if desired/necessary, acknowledge the custom IAM changes, and finally “create stack”.

todo4

In about a minute or less you will have a fully deployed environment ready to go! Make sure you create that access key and secret access key so you can give Zerto programmatic access to AWS, log into your new instance with your previously-created keypair, and install Zerto.

Let me know what you think! I know that each environment is different, and if you run into things that you think should be automated, please let me know!

alex.schenck@zerto.com