ArcGIS Enterprise
Esri

VPC for ArcGIS Enterprise

Create an AWS VPC for DMZ deployments

This template is part of an advanced workflow for configuring your highly available ArcGIS Enterprise in private subnets (subnets that are not directly accessible from the Internet). This is referred to as a DMZ network architecture and can provide greater security. It requires a good grasp of networking concepts and design and is only intended for highly available ArcGIS Enterprise deployments.

The workflow for deploying a highly available ArcGIS Enterprise in a DMZ network architecture in AWS has three steps.

  • Create the VPC (virtual private cloud).
  • Create the ELB.
  • Deploy ArcGIS Enterprise.

There are CloudFormation templates for each of these steps. The template described in this topic is the first step, creating the VPC. This template does the following:

  • Creates two public subnets across two availability zones
  • Creates two private subnets across two availability zones
  • Creates an Internet gateway that allows traffic into the public subnets
  • Creates a NAT gateway that enables outbound Internet traffic from instances in the private subnets

The output of this template will be the four IDs of the public and private subnets. You will use the public subnet IDs when creating your ELB using Esri's ELB CloudFormation templates. You will use the private subnet IDs when deploying your highly available ArcGIS Enterprise. The diagram below gives you an idea of what the network architecture looks like.

[Diagram: VPC for ArcGIS Enterprise]

To deploy this template, follow these steps:

Before running this template, you must create an Elastic IP address in the AWS Management Console for use by the NAT gateway in this architecture. Take note of the allocation ID shown when the Elastic IP address is created. You will need that allocation ID as one of the inputs.

Most organizations running this template will only need to select the availability zones and provide the allocation ID. The default values of the CIDR block parameters will always work and only need to be changed if there is an organizational requirement to use certain IP address ranges. The template parameters are:

  • AZs: Select two availability zones that you want the VPC subnets to be in. The VPC subnets will be created in these zones.
  • CIDR: This is the range of IP addresses that will be available for the entire VPC. CIDR is a common shorthand for specifying IP address ranges. The default value of 10.0.0.0/16 will be fine for most organizations.
  • PublicSubnet1CIDR: This is the range of IP addresses for the first public subnet. It must not overlap the ranges of the other subnets and must be contained in the range for the VPC. The default of 10.0.0.0/24 will be fine for most organizations.
  • PublicSubnet2CIDR: This is the range of IP addresses for the second public subnet. It must not overlap the ranges of the other subnets and must be contained in the range for the VPC. The default of 10.0.1.0/24 will be fine for most organizations.
  • PrivateSubnet1CIDR: CIDR block of VPC private subnet 1. The default is 10.0.2.0/24.
  • PrivateSubnet2CIDR: CIDR block of VPC private subnet 2. The default is 10.0.3.0/24.
  • NATEIPAllocationID: Provide the allocation ID for the Elastic IP address you created prior to running this template. Elastic IP allocation IDs have the format eipalloc-XXXXXXXX.
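
A pre-flight check for the parameters above, written as an added example (it is not part of Esri's template or tooling). It verifies that every subnet range lies inside the VPC range and that no two subnets overlap. The function name, the sample availability zone names, the sample allocation ID and the hex-suffix pattern for the allocation ID are assumptions made for illustration.

```python
import ipaddress
import re

# Defaults quoted from the parameter list above.
DEFAULTS = {
    "CIDR": "10.0.0.0/16",
    "PublicSubnet1CIDR": "10.0.0.0/24",
    "PublicSubnet2CIDR": "10.0.1.0/24",
    "PrivateSubnet1CIDR": "10.0.2.0/24",
    "PrivateSubnet2CIDR": "10.0.3.0/24",
}

# Assumption: "eipalloc-" followed by at least 8 hex digits
# (the page shows the format as eipalloc-XXXXXXXX).
EIP_ALLOC_RE = re.compile(r"^eipalloc-[0-9a-f]{8,}$")


def validate_vpc_params(params, azs, eip_allocation_id):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if len(set(azs)) != 2:
        problems.append("AZs: select exactly two distinct availability zones")
    if not EIP_ALLOC_RE.match(eip_allocation_id):
        problems.append("NATEIPAllocationID: expected eipalloc-<hex>")

    nets = {}
    for name, value in params.items():
        try:
            # strict=True rejects values with host bits set, e.g. 10.0.1.5/24
            nets[name] = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    vpc = nets.pop("CIDR", None)
    subnets = sorted(nets.items())
    for i, (name, net) in enumerate(subnets):
        if vpc is not None and (net.version != vpc.version or not net.subnet_of(vpc)):
            problems.append(f"{name}: {net} is outside VPC range {vpc}")
        for other_name, other in subnets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{name} overlaps {other_name}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the AZ names and allocation ID are placeholders.
    print(validate_vpc_params(DEFAULTS, ["us-east-1a", "us-east-1b"], "eipalloc-0123abcd"))
```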

Outputs

The outputs of this template are named VPCId, PrivateSubnet1, PrivateSubnet2, PublicSubnet1, and PublicSubnet2. For each of these, the value is an ID that you will use in other CloudFormation templates. The subnet IDs typically have the format subnet-XXXXXX and the VPC ID has the format vpc-XXXXXXX.


Troubleshooting

See Troubleshoot AWS CloudFormation stack creation in the ArcGIS Server on Amazon Web Services help if you run into problems.

© Copyright 2019 Environmental Systems Research Institute, Inc. | Privacy | Legal