Page 1 of 25

SUSE Cloud Application Platform on the AWS Cloud

Quick Start Reference Deployment

April 2019

(last update: March 2020)

David Rocha, Louis Paul, Kevin Ayres, and Andrew Gracey, SUSE

Jay McConnell, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback,

report bugs, or submit feature ideas for this Quick Start.

Contents

Overview .................................................................................................................................... 2

Cost and licenses .................................................................................................................... 3

Architecture ............................................................................................................................... 4

Planning the deployment .......................................................................................................... 5

Specialized knowledge ........................................................................................................... 5

AWS account .......................................................................................................................... 6

Technical requirements ......................................................................................................... 6

Deployment options ............................................................................................................... 7

Deployment steps ...................................................................................................................... 7

Step 1. Sign in to your AWS account ...................................................................................... 7

Step 2. Subscribe to SUSE Cloud Application Platform ........................................................ 7

Step 3. Launch the Quick Start ..............................................................................................8

Option 1: Parameters for deploying SUSE CAP into a new VPC ..................................... 10

Option 2: Parameters for deploying SUSE CAP into an existing VPC ............................ 13

Step 4. Test the deployment ................................................................................................ 18

Amazon Web Services – SUSE Cloud Application Platform on the AWS Cloud March 2020

Best practices for using SUSE Cloud Application Platform on AWS ..................................... 19

Security .................................................................................................................................... 19

TLS certificates ..................................................................................................................... 19

Stratos web UI ........................................................................................................................ 20

Metrics: Optional installation using an endpoint for Prometheus .................................... 20

Eirini application runtime scheduler ..................................................................................... 20

Cloud Foundry roles and Kubernetes pod placement ........................................................... 20

Scaling application workloads and Availability Zone placement........................................ 21

Minimal-cost deployment without HA ................................................................................ 21

Backup and recovery ............................................................................................................... 22

FAQ .......................................................................................................................................... 22

Send us feedback ..................................................................................................................... 23

Additional resources ............................................................................................................... 23

Document revisions ................................................................................................................. 24

This Quick Start was created by SUSE in collaboration with Amazon Web Services (AWS).

Quick Starts are automated reference deployments that use AWS CloudFormation

templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start reference deployment guide provides step-by-step instructions for

deploying SUSE Cloud Application Platform (CAP) on AWS.

SUSE CAP is a fully containerized implementation of Cloud Foundry. It provides a modern

application delivery platform that software development and operations teams can use to

streamline lifecycle management of traditional and cloud-native applications. The platform

provides the following features:

• One-step, containerized application deployment through a command-line interface (CLI) or web-based UI

• The Stratos web-based UI for managing deployments across platforms

• Automation for application lifecycle management by assigning appropriate resources, managing routing, load balancing, and scaling

• Support for multiple languages and frameworks through open-source build packs for Java, Go, .NET, Node.js, Ruby, PHP, Python, static websites, binary executables, and more

• Configurable service brokers for exposing third-party services to users and applications through the Open Service Broker API

• Amazon Elastic Kubernetes Service (Amazon EKS) support and integration with AWS Service Broker

Note: This reference deployment uses the Amazon EKS Quick Start as a foundation

to provide a fully managed, highly available, and certified Kubernetes-conformant

control plane for SUSE Cloud Application Platform.

Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start

reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters

that you can customize. Some of these settings, such as instance type, will affect the cost of

deployment. For cost estimates, see the pricing pages for each AWS service you will be

using. Prices are subject to change.

Tip: After you deploy the Quick Start, we recommend that you enable the AWS Cost

and Usage Report to track costs associated with the Quick Start. This report delivers

billing metrics to an S3 bucket in your account. It provides cost estimates based on

usage throughout each month, and finalizes the data at the end of the month. For

more information about the report, see the AWS documentation.

This Quick Start requires a subscription to SUSE Cloud Application Platform. To use SUSE

Cloud Application Platform for your production environments, you must have a support

subscription. To get started, contact your account executive or fill out the Request a Sales

Call form on the SUSE website.

If you don’t have a subscription, the Quick Start runs in trial mode, which allows free usage

in a non-production environment with no technical support. For more information about

proof-of-concept environments, contact [email protected].

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) builds the following SUSE

Cloud Application Platform environment in the AWS Cloud.

Figure 1: Quick Start architecture for SUSE Cloud Application Platform on AWS

The Quick Start sets up the following:

• A highly available VPC architecture that spans three Availability Zones. The VPC is configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*

• In the public subnets:

– Managed NAT gateways to allow outbound internet access for resources in the private subnets.*

– A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access to administer the SUSE Cloud Application Platform and Amazon EKS environment.*

• In the private subnets:

– Three Amazon Elastic Compute Cloud (Amazon EC2) instances that function as Kubernetes nodes that run customer applications, in an Auto Scaling group. You can configure the number of instances.

– Three EC2 instances that function as Kubernetes nodes that run SUSE Cloud Application Platform infrastructure components, in an Auto Scaling group. You can configure the number of instances.

– Security groups to allow internode communication.

• Amazon Route 53 hosted zone and records to provide secure access to SUSE Cloud Application Platform APIs and user applications hosted on the platform.

• A Classic Load Balancer that routes traffic to SUSE Cloud Application Platform APIs and user applications hosted on the platform.

* The template that deploys the Quick Start into an existing VPC skips the components

marked by asterisks and prompts you for your existing VPC configuration.

For a component-level architecture diagram, see SUSE Cloud Application Platform

Architecture in the SUSE documentation.

Planning the deployment

Specialized knowledge

This Quick Start assumes familiarity with Cloud Foundry and Kubernetes.

It also requires a moderate level of familiarity with AWS services. If you’re new to AWS,

visit the Getting Started Resource Center and the AWS Training and Certification website

for materials and programs that can help you develop the skills to design, deploy, and

operate your infrastructure and applications on the AWS Cloud.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by

following the on-screen instructions. Part of the sign-up process involves receiving a phone

call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for

the services you use.

Technical requirements

Before you launch the Quick Start, your account must be configured as specified in the

following table. Otherwise, deployment might fail.

Resources: If necessary, request service quota increases for the following resources. You may need this if an existing deployment uses these resources and you exceed the default quotas with this deployment. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see the AWS documentation. AWS Trusted Advisor offers a service quotas check that displays your usage and limits for some aspects of some services.

Resource | This deployment uses
VPC | 1
Availability Zone | 3
S3 bucket | 2
Elastic network interface | 3
Elastic IP address | 3
IAM security group | 5
IAM role | 14
AWS Secrets Manager secret | 1
Auto Scaling group | 3
Load balancer | 4
NAT gateway | 3
SLES 15 instance | 7

Regions: This deployment includes Amazon EKS, which may not currently be supported in all AWS Regions. For a current list of supported Regions, see AWS Regions and Endpoints in the AWS documentation.

Key pair: Ensure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you are planning to deploy the Quick Start. Make note of the key pair name. You are prompted for this information during deployment. To create a key pair, follow the instructions in the AWS documentation.

If you’re deploying the Quick Start for testing or proof-of-concept purposes, we recommend that you create a new key pair instead of specifying a key pair that’s already being used by a production instance.

IAM permissions: To deploy the Quick Start, you must log in to the AWS Management Console with IAM permissions for the resources and actions the templates deploy. The AdministratorAccess managed policy within IAM provides enough permissions, although your organization may choose to use a custom policy with more restrictions.

Deployment options

This Quick Start provides two deployment options:

• Deploy SUSE Cloud Application Platform into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components, and then deploys SUSE Cloud Application Platform into this new VPC.

• Deploy SUSE Cloud Application Platform into an existing VPC. This option provisions SUSE Cloud Application Platform in your existing AWS infrastructure.

The Quick Start provides separate templates for these options. It also lets you configure

classless inter-domain routing (CIDR) blocks, instance types and sizes, and other settings,

as discussed later in this guide.

Deployment steps

Step 1. Sign in to your AWS account

1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has

the necessary permissions. For details, see Planning the deployment earlier in this

guide.

2. Ensure that your AWS account is configured correctly, as discussed in the Technical

requirements section.

Step 2. Subscribe to SUSE Cloud Application Platform

This Quick Start requires a subscription for SUSE Cloud Application Platform to enable

SUSE support.

To use SUSE Cloud Application Platform for your production environments, you must have

a support subscription. To get started, contact your account executive or fill out the Request

a Sales Call form on the SUSE website. If you don’t have a subscription, the Quick Start

runs in trial mode, which allows free usage in a non-production environment with no

technical support. For more information about proof-of-concept environments, contact

[email protected].

Step 3. Launch the Quick Start

Notes: The instructions in this section reflect the older version of the AWS

CloudFormation console. If you’re using the redesigned console, some of the user

interface elements might be different.

You are responsible for the cost of the AWS services used while running this Quick

Start reference deployment. There is no additional cost for using this Quick Start.

For full details, see the pricing pages for each AWS service you will be using in this

Quick Start. Prices are subject to change.

1. Choose one of the following options to launch the Quick Start into your AWS account.

For help with choosing an option, see deployment options earlier in this guide.

• Deploy SUSE Cloud Application Platform into a new VPC on AWS

• Deploy SUSE Cloud Application Platform into an existing VPC on AWS

Important: You must have registered a root domain name and a DNS zone ID

within Route 53. If you are using an externally registered domain, you must

configure the appropriate delegation set from your registrar and the corresponding

subdomain and zone within Route 53.

You must also have created an SSH key in the Region in which you plan to launch the

Quick Start.

If you’re deploying SUSE Cloud Application Platform into an existing VPC, ensure

that your VPC has three private subnets in different Availability Zones for the

workload instances, and that the subnets aren’t shared. This Quick Start doesn’t

support shared subnets. These subnets require NAT gateways in their route tables, to

allow the instances to download packages and software without exposing them to the

internet. You must also configure the domain name in the DHCP options, as

explained in the Amazon VPC documentation. You are prompted for your VPC

settings when you launch the Quick Start.

Each deployment takes about 45 minutes to complete.

2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar,

and change it if necessary. This is where the network infrastructure for SUSE Cloud

Application Platform is built. The Quick Start is launched in the US East (Ohio) Region

by default.

Note: This deployment includes Amazon EKS, which isn’t currently supported in all

AWS Regions. For a current list of supported Regions, see the AWS Regions and

Endpoints webpage.

3. On the Select Template page, keep the default setting for the template URL, and then

choose Next.

4. On the Specify Details page, change the stack name if needed. Review the parameters

for the template. Provide values for the parameters that require input. For all other

parameters, review the default settings and customize them as necessary.

In the following tables, parameters are listed by category and described separately for

the two deployment options:

– Parameters for deploying SUSE Cloud Application Platform into a new VPC

– Parameters for deploying SUSE Cloud Application Platform into an existing VPC

When you finish reviewing and customizing the parameters, choose Next.

OPTION 1: PARAMETERS FOR DEPLOYING SUSE CAP INTO A NEW VPC

Route 53 DNS configuration:

Parameter label (name) | Default | Description
Hosted zone ID (HostedZoneID) | Requires input | The Route 53 hosted zone ID to use as a base domain (e.g., Z2HBG4MXXV2ZI1).
Domain name (DomainName) | Requires input | The domain name to use as a base domain. If there is an externally registered domain name, it will be in the format subdomain.rootdomain.extension (e.g., suse.com or cap.suse.com).
Subdomain prefix (SubDomainPrefix) | scf | The prefix to add to the base domain to create a new Route 53 hosted zone. Before you launch the Quick Start, ensure that a hosted zone with this name does not exist.

Amazon EC2 configuration:

Parameter label (name) | Default | Description
SSH key name (KeyPairName) | Requires input | The name of an existing public/private key pair, which allows you to securely connect to your instances after they launch.

VPC network configuration:

Parameter label (name) | Default | Description
Availability Zones (AvailabilityZones) | Requires input | The list of Availability Zones to use for the subnets in the VPC. The Quick Start uses three Availability Zones for this deployment and preserves the logical order of your selections. Choose three Availability Zones from the available list for your Region. Regions that support EKS but have fewer than three Availability Zones are not supported.
Allowed external access CIDR (RemoteAccessCIDR) | Requires input | The CIDR IP range that is permitted to access the instances. We recommend that you set this value to a trusted IP range and NOT to 0.0.0.0/0.
VPC CIDR (VPCCIDR) | 10.0.0.0/16 | The CIDR block for the VPC.
Private subnet 1 CIDR (PrivateSubnet1CIDR) | 10.0.0.0/19 | The CIDR block for private subnet 1 located in Availability Zone 1.
Private subnet 2 CIDR (PrivateSubnet2CIDR) | 10.0.32.0/19 | The CIDR block for private subnet 2 located in Availability Zone 2.

Private subnet 3 CIDR (PrivateSubnet3CIDR) | 10.0.64.0/19 | The CIDR block for private subnet 3 located in Availability Zone 3.
Public subnet 1 CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | The CIDR block for the public (DMZ) subnet 1 located in Availability Zone 1.
Public subnet 2 CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | The CIDR block for the public (DMZ) subnet 2 located in Availability Zone 2.
Public subnet 3 CIDR (PublicSubnet3CIDR) | 10.0.160.0/20 | The CIDR block for the public (DMZ) subnet 3 located in Availability Zone 3.

Amazon EKS configuration:

Parameter label (name) | Default | Description
Nodes instance type (NodeInstanceType) | m5.large | The EC2 instance type to use for the worker node instances.
Number of infrastructure nodes (NumberOfInfraNodes) | 3 | The number of Amazon EKS worker node instances to create in the infrastructure Auto Scaling group.
Number of application nodes (NumberOfAppNodes) | 3 | The number of Amazon EKS worker node instances to create in the customer Application Auto Scaling group.
Node group name (NodeGroupName) | Default | The name for the Amazon EKS node group.
Node volume size (NodeVolumeSize) | 80 | The size of the node volumes, in GiB.
Additional EKS admin ARNs (AdditionalEKSAdminArns) | Optional | A comma-separated list of IAM users/roles to be granted administrative access to the Amazon EKS cluster. This is necessary for other access methods, such as allowing another user to connect to the EKS cluster from a host other than the created bastion host. The format must be a complete ARN for the designated UserID.

SUSE Cloud Application Platform scaling:

Parameter label (name) | Default | Description
Number of UAA replicas (UaaReplicas) | 2 | The number of SUSE User Account and Authentication (UAA) replicas to deploy.

Number of UAA MySQL replicas (UaaMysqlReplicas) | 3 | The number of UAA MySQL replicas to deploy.
Number of TCP router replicas (TcpRouterReplicas) | 2 | The number of TCP router replicas to deploy.
Number of SCF MySQL replicas (ScfMysqlReplicas) | 3 | The number of SUSE Cloud Foundry (SCF) MySQL replicas to deploy.
Number of routing API replicas (RoutingApiReplicas) | 2 | The number of routing API replicas to deploy.
Number of router replicas (RouterReplicas) | 2 | The number of router replicas to deploy.
Number of NATS replicas (NatsReplicas) | 2 | The number of NATS replicas to deploy.
Number of Diego SSH replicas (DiegoSshReplicas) | 2 | The number of Diego SSH replicas to deploy.
Number of Diego brain replicas (DiegoBrainReplicas) | 2 | The number of Diego brain replicas to deploy.
Number of Diego API replicas (DiegoApiReplicas) | 2 | The number of Diego API replicas to deploy.
Number of CC uploader replicas (CcUploaderReplicas) | 2 | The number of Cloud Controller (CC) uploader replicas to deploy.
Number of adapter replicas (AdapterReplicas) | 2 | The number of adapter replicas to deploy.
Number of API group replicas (ApiGroupReplicas) | 2 | The number of API group replicas to deploy.
Number of CC clock replicas (CcClockReplicas) | 2 | The number of CC clock replicas to deploy.

Number of CC worker replicas (CcWorkerReplicas) | 2 | The number of CC worker replicas to deploy.
Number of CF USB replicas (CfUsbReplicas) | 2 | The number of Cloud Foundry USB replicas to deploy.

AWS Quick Start configuration:

Note: We recommend that you keep the default settings for the following parameters, unless you are customizing the Quick Start templates for your own deployment projects. Changing the settings of these parameters automatically updates code references to point to a new Quick Start location. For additional details, see the AWS Quick Start Contributor’s Guide.

Parameter label (name) | Default | Description
Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | The S3 bucket you created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.
Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-suse-cloud-application-platform/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.
Lambda zips bucket name (LambdaZipsBucketName) | Optional | The name of the S3 bucket where the AWS Lambda zip files should be placed. If you leave this setting blank, the Quick Start creates a bucket.
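As an added example (not part of the Quick Start or its templates), the following pre-flight check is written against the Option 1 parameter names above: it enforces the guide's stated constraints on RemoteAccessCIDR, the Availability Zone count, subnet placement inside the VPC CIDR, and the S3 bucket and key prefix naming rules, and adds a basic syntax check for AdditionalEKSAdminArns. The sample parameter values are constructed; the hosted zone ID, key pair name and account ID are placeholders, and the ARN pattern is an assumption that accepts IAM user and role ARNs only.

```python
"""Pre-flight validation of an Option 1 (new VPC) parameter set.

Added example, not part of the Quick Start. Catches the mistakes the
parameter table warns about before the stack is launched.
"""
import ipaddress
import re

# Constructed sample input: an Option 1 parameter set as it would be typed
# on the Specify Details page. Zone ID, key name and account ID are placeholders.
SAMPLE_PARAMS = {
    "HostedZoneID": "ZEXAMPLE12345",
    "DomainName": "cap.example.com",
    "SubDomainPrefix": "scf",
    "KeyPairName": "cap-poc-keypair",
    "AvailabilityZones": "us-east-2a,us-east-2b,us-east-2c",
    "RemoteAccessCIDR": "0.0.0.0/0",  # the table says NOT to use this value
    "VPCCIDR": "10.0.0.0/16",
    "PrivateSubnet1CIDR": "10.0.0.0/19",
    "PrivateSubnet2CIDR": "10.0.32.0/19",
    "PrivateSubnet3CIDR": "10.0.64.0/19",
    "PublicSubnet1CIDR": "10.0.128.0/20",
    "PublicSubnet2CIDR": "10.0.144.0/20",
    "PublicSubnet3CIDR": "10.0.160.0/20",
    # Second entry is a bare user name, not the complete ARN the table requires.
    "AdditionalEKSAdminArns": "arn:aws:iam::123456789012:role/PlatformAdmin, alice",
    "QSS3BucketName": "aws-quickstart",
    "QSS3KeyPrefix": "quickstart-suse-cloud-application-platform/",
}

SUBNET_KEYS = [f"{kind}Subnet{i}CIDR" for kind in ("Private", "Public") for i in (1, 2, 3)]
# Bucket: letters, digits, hyphens; no leading or trailing hyphen (from the table).
BUCKET_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Prefix: letters, digits, hyphens and forward slashes (from the table).
PREFIX_RE = re.compile(r"^[A-Za-z0-9/-]*$")
# Assumed shape of a complete IAM user/role ARN; the guide only says "complete ARN".
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(?:user|role)/.+$")


def validate_option1(params):
    """Return a list of problems found; an empty list means the set passes."""
    problems = []

    # Remote access must be a well-formed CIDR and must not be the whole internet.
    try:
        remote = ipaddress.ip_network(params["RemoteAccessCIDR"], strict=True)
        if remote.prefixlen == 0:
            problems.append("RemoteAccessCIDR is 0.0.0.0/0; restrict it to a trusted range")
    except ValueError as exc:
        problems.append(f"RemoteAccessCIDR is not a valid CIDR: {exc}")

    # Exactly three distinct Availability Zones; the template keeps their order.
    zones = [z.strip() for z in params["AvailabilityZones"].split(",") if z.strip()]
    if len(zones) != 3 or len(set(zones)) != 3:
        problems.append("AvailabilityZones must list exactly three distinct zones")

    # Every subnet must sit inside the VPC CIDR, and no two subnets may overlap.
    try:
        vpc = ipaddress.ip_network(params["VPCCIDR"], strict=True)
        subnets = []
        for key in SUBNET_KEYS:
            net = ipaddress.ip_network(params[key], strict=True)
            if not net.subnet_of(vpc):
                problems.append(f"{key} {net} is outside VPCCIDR {vpc}")
            subnets.append((key, net))
        for i, (k1, n1) in enumerate(subnets):
            for k2, n2 in subnets[i + 1:]:
                if n1.overlaps(n2):
                    problems.append(f"{k1} {n1} overlaps {k2} {n2}")
    except ValueError as exc:
        problems.append(f"invalid CIDR block: {exc}")

    # Each additional EKS admin must be given as a complete IAM ARN.
    admins = [e.strip() for e in params.get("AdditionalEKSAdminArns", "").split(",")]
    for entry in filter(None, admins):
        if not ARN_RE.match(entry):
            problems.append(f"AdditionalEKSAdminArns entry {entry!r} is not a complete IAM ARN")

    # Quick Start asset location naming rules.
    if not BUCKET_RE.match(params["QSS3BucketName"]):
        problems.append("QSS3BucketName: letters, digits and hyphens only, "
                        "and no leading or trailing hyphen")
    if not PREFIX_RE.match(params["QSS3KeyPrefix"]):
        problems.append("QSS3KeyPrefix: letters, digits, hyphens and slashes only")

    return problems


if __name__ == "__main__":
    for problem in validate_option1(SAMPLE_PARAMS):
        print("-", problem)
```

Run as a script, it lists the two problems in the constructed sample (the open RemoteAccessCIDR and the bare user name); an empty list means the parameter set is ready to enter.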

OPTION 2: PARAMETERS FOR DEPLOYING SUSE CAP INTO AN EXISTING VPC

Network configuration:

Parameter label (name) | Default | Description
VPC ID (VPCID) | Requires input | The ID of your existing VPC (e.g., vpc-0343606e).

Private subnet 1 ID (PrivateSubnet1ID) | Requires input | The ID of the private subnet in Availability Zone 1 in your existing VPC (e.g., subnet-fe9a8b32).
Private subnet 2 ID (PrivateSubnet2ID) | Requires input | The ID of the private subnet in Availability Zone 2 in your existing VPC (e.g., subnet-be8b01ea).
Private subnet 3 ID (PrivateSubnet3ID) | Requires input | The ID of the private subnet in Availability Zone 3 in your existing VPC (e.g., subnet-abd39039).
Public subnet 1 ID (PrivateSubnet1ID) | Requires input | The ID of the public subnet in Availability Zone 1 in your existing VPC (e.g., subnet-a0246dcd).
Public subnet 2 ID (PrivateSubnet2ID) | Requires input | The ID of the public subnet in Availability Zone 2 in your existing VPC (e.g., subnet-b58c3d67).
Public subnet 3 ID (PrivateSubnet3ID) | Requires input | The ID of the public subnet in Availability Zone 3 in your existing VPC (e.g., subnet-c3456aba).
Allowed external access CIDR (RemoteAccessCIDR) | Requires input | The CIDR IP range that is permitted to access the instances. We recommend that you set this value to a trusted IP range.

Amazon EC2 configuration:

Parameter label (name) | Default | Description
SSH key name (KeyPairName) | Requires input | The name of an existing public/private key pair, which allows you to securely connect to your instances after they launch.

Route 53 DNS configuration:

Parameter label (name) | Default | Description
Hosted zone ID (HostedZoneID) | Requires input | The Route 53 hosted zone ID to use as a base domain.
Domain name (DomainName) | Requires input | The domain name to use as a base domain.
Sub-domain prefix (SubDomainPrefix) | scf | The prefix to add to the base domain to create a new Route 53 hosted zone. Before you launch the Quick Start, ensure that a hosted zone with this name does not exist.

Amazon EKS configuration:

Parameter label (name) | Default | Description
Nodes instance type (NodeInstanceType) | m5.large | The EC2 instance type to use for the worker node instances.

Page 15: SUSE Cloud Application Platform on the AWS Cloud...Page 1 of 25 SUSE Cloud Application Platform on the AWS Cloud Quick Start Reference Deployment April 2019 (last update: March 2020)

Amazon Web Services – SUSE Cloud Application Platform on the AWS Cloud March 2020

Page 15 of 25

Parameter label

(name)

Default Description

Number of

infrastructure nodes

(NumberOfInfraNodes)

3 The number of Amazon EKS worker node instances to create

in the infrastructure Auto Scaling group.

Number of application

nodes

(NumberOfAppNodes)

3 The number of Amazon EKS worker node instances to create

in the customer Application Auto Scaling group.

Node group name

(NodeGroupName)

Default The name for the Amazon EKS node group.

Node volume size

(NodeVolumeSize)

80 The size of the node volumes, in GiB.

Additional EKS admin

ARNs

(AdditionalEKSAdmin

Arns)

Optional A comma-separated list of IAM users/roles to be granted

administrative access to the Amazon EKS cluster.

SUSE Cloud Application Platform scaling:

Parameter label (name) | Default | Description
Number of UAA replicas (UaaReplicas) | 2 | The number of SUSE User Account and Authentication (UAA) replicas to deploy.
Number of UAA MySQL replicas (UaaMysqlReplicas) | 3 | The number of UAA MySQL replicas to deploy.
Number of TCP router replicas (TcpRouterReplicas) | 2 | The number of TCP router replicas to deploy.
Number of SCF MySQL replicas (ScfMysqlReplicas) | 3 | The number of SUSE Cloud Foundry (SCF) MySQL replicas to deploy.
Number of routing API replicas (RoutingApiReplicas) | 2 | The number of routing API replicas to deploy.
Number of router replicas (RouterReplicas) | 2 | The number of router replicas to deploy.
Number of NATS replicas (NatsReplicas) | 2 | The number of NATS replicas to deploy.
Number of Diego SSH replicas (DiegoSshReplicas) | 2 | The number of Diego SSH replicas to deploy.
Number of Diego brain replicas (DiegoBrainReplicas) | 2 | The number of Diego brain replicas to deploy.
Number of Diego API replicas (DiegoApiReplicas) | 2 | The number of Diego API replicas to deploy.
Number of CC uploader replicas (CcUploaderReplicas) | 2 | The number of Cloud Controller (CC) uploader replicas to deploy.
Number of adapter replicas (AdapterReplicas) | 2 | The number of adapter replicas to deploy.
Number of API group replicas (ApiGroupReplicas) | 2 | The number of API group replicas to deploy.
Number of CC clock replicas (CcClockReplicas) | 2 | The number of CC clock replicas to deploy.
Number of CC worker replicas (CcWorkerReplicas) | 2 | The number of CC worker replicas to deploy.
Number of CF USB replicas (CfUsbReplicas) | 2 | The number of Cloud Foundry USB replicas to deploy.

AWS Quick Start configuration:

Note: We recommend that you keep the default settings for the following parameters, unless you are customizing the Quick Start templates for your own deployment projects. Changing the settings of these parameters automatically updates code references to point to a new Quick Start location. For additional details, see the AWS Quick Start Contributor’s Guide.

Parameter label (name) | Default | Description
Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | The S3 bucket you created for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. The bucket name can include numbers, lowercase letters, uppercase letters, and hyphens, but should not start or end with a hyphen.
Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-suse-cloud-application-platform/ | The S3 key name prefix used to simulate a folder for your copy of Quick Start assets, if you decide to customize or extend the Quick Start for your own use. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes.
Lambda zips bucket name (LambdaZipsBucketName) | Optional | The name of the S3 bucket where the AWS Lambda zip files should be placed. If you leave this setting blank, the Quick Start creates a bucket.
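A mistake in these parameters usually surfaces only as a CREATE_FAILED stack, so it is worth checking them offline first. The following Python script is an added example, not part of the Quick Start: it applies the constraints stated in the parameter tables above (subnet ID format, a trusted RemoteAccessCIDR, the bucket-name and key-prefix character rules, the three-node minimum from Best practices and a replica count of at least 2 for HA). The standard subnet ID format, the "/16 or narrower" threshold for a trusted range and the HA thresholds are assumptions.

```python
import ipaddress
import re

# Character rules stated in the table above for QSS3BucketName and QSS3KeyPrefix.
BUCKET_NAME_RE = re.compile(r"^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$")
KEY_PREFIX_RE = re.compile(r"^[0-9a-zA-Z-/]*$")
# Assumption: standard AWS subnet ID format (subnet- plus 8 or 17 hex digits).
SUBNET_ID_RE = re.compile(r"^subnet-([0-9a-f]{8}|[0-9a-f]{17})$")

SUBNET_PARAMS = ("PrivateSubnet1ID", "PrivateSubnet2ID", "PrivateSubnet3ID",
                 "PublicSubnet1ID", "PublicSubnet2ID", "PublicSubnet3ID")
# Scaling parameters from the tables; a value of 1 leaves that role without HA.
REPLICA_PARAMS = ("UaaReplicas", "UaaMysqlReplicas", "TcpRouterReplicas",
                  "ScfMysqlReplicas", "RoutingApiReplicas", "RouterReplicas",
                  "NatsReplicas", "DiegoSshReplicas", "DiegoBrainReplicas",
                  "DiegoApiReplicas", "CcUploaderReplicas", "AdapterReplicas",
                  "ApiGroupReplicas", "CcClockReplicas", "CcWorkerReplicas",
                  "CfUsbReplicas")
DEFAULTS = {"QSS3BucketName": "aws-quickstart",
            "QSS3KeyPrefix": "quickstart-suse-cloud-application-platform/",
            "NumberOfInfraNodes": 3, "NumberOfAppNodes": 3}


def check_remote_access_cidr(cidr):
    """Return a finding for RemoteAccessCIDR, or None if it looks like a trusted range."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return f"RemoteAccessCIDR: {cidr!r} is not a valid CIDR block"
    if net.prefixlen == 0:
        return "RemoteAccessCIDR: 0.0.0.0/0 exposes the instances to the whole Internet"
    if net.prefixlen < 16:  # assumption: a range wider than a /16 is not a trusted range
        return f"RemoteAccessCIDR: {cidr} is wider than a /16; narrow it to a trusted range"
    return None


def preflight(params):
    """Return a list of findings; an empty list means every offline check passed."""
    p = {**DEFAULTS, **params}
    findings = []
    for name in SUBNET_PARAMS:
        value = str(p.get(name, ""))
        if not SUBNET_ID_RE.match(value):
            findings.append(f"{name}: {value!r} is not a subnet ID from the existing VPC")
    if len({p.get(n) for n in SUBNET_PARAMS}) < len(SUBNET_PARAMS):
        findings.append("Subnet IDs must be distinct: one subnet per tier per Availability Zone")
    cidr_finding = check_remote_access_cidr(str(p.get("RemoteAccessCIDR", "")))
    if cidr_finding:
        findings.append(cidr_finding)
    if not str(p.get("KeyPairName", "")).strip():
        findings.append("KeyPairName: the name of an existing EC2 key pair is required")
    if not BUCKET_NAME_RE.match(str(p["QSS3BucketName"])):
        findings.append("QSS3BucketName: letters, digits and hyphens only; no leading or trailing hyphen")
    if not KEY_PREFIX_RE.match(str(p["QSS3KeyPrefix"])):
        findings.append("QSS3KeyPrefix: letters, digits, hyphens and forward slashes only")
    for name in ("NumberOfInfraNodes", "NumberOfAppNodes"):
        if int(p[name]) < 3:
            findings.append(f"{name}: below the three-node minimum from the Best practices section")
    single = [n for n in REPLICA_PARAMS if int(p.get(n, 2)) < 2]
    if single:
        findings.append("No HA (replica count below 2) for: " + ", ".join(single))
    return findings
```

Uniqueness of SubDomainPrefix cannot be checked offline; confirm it against your Route 53 hosted zones separately.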

5. On the Options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.

6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and that it might require the capability to auto-expand macros.

7. Choose Create to deploy the stack.

8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the SUSE Cloud Application Platform cluster is ready.

Figure 2: SUSE Cloud Application Platform outputs after successful deployment

9. Use the URLs displayed in the Outputs tab for the stack to view the resources that were created.

Step 4. Test the deployment

1. Log in to the bastion host with the configured key pair and the user name ec2-user. You can get the IP address of the bastion host from the Outputs tab of the AWS CloudFormation console.

ssh -i ~/.ssh/cap.pem ec2-user@<bastion-ip-address>

2. Verify that the client software was installed through the bastion host:

> kubectl version
Client Version: version.Info <version#>
> helm version
Client: <version#>
> aws --version
<version#>
> cf --version
cf version <version#>
> git version
git version <version#>

3. Verify the health of the Amazon EKS cluster through the bastion host. Use the installed kubectl and helm commands to verify access to the environment and the running state of the cluster and packages.

> kubectl cluster-info
> kubectl get nodes
> kubectl get pods -n uaa
> kubectl get pods -n scf
> helm list
> helm status scf | grep https

4. Retrieve the Cloud Foundry administrative password from AWS Secrets Manager. Sign in to the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/. Choose the secret that has an AdminPassword prefix, and then choose Retrieve secret value.

5. Retrieve the Cloud Foundry API endpoint from the CloudFormation stack outputs, and log in to the Cloud Foundry CLI:

> cf login -a <API_ENDPOINT>

6. (Optional) Deploy a sample application:

> cf create-org SUSE
> cf target -o SUSE
> cf create-space DEMO
> cf target -s DEMO
# Push your first application. Try Dizzy Lizard.
> git clone https://github.com/troytop/dizzylizard
> cd dizzylizard
# Push the application and return its URL
> cf push | grep http

To learn about how to deploy and manage your applications on SUSE Cloud Application Platform, see the Developer Guide on the Cloud Foundry website.
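The kubectl checks in step 3 are easier to repeat after every stack update if the output is parsed rather than eyeballed. The following Python script is an added example, not part of the Quick Start: it parses `kubectl get pods` output for one namespace and reports pods that are not Running or Completed, containers that are not ready, restart loops, and roles with fewer fully ready pods than their replica parameter. The sample output is constructed, and the mapping of pod-name prefixes to scaling parameters (router to RouterReplicas, nats to NatsReplicas) and the restart threshold are assumptions.

```python
import re

OK_STATUSES = {"Running", "Completed", "Succeeded"}
ORDINAL_RE = re.compile(r"^(?P<role>.+)-\d+$")  # StatefulSet pod name: <role>-<ordinal>

# Constructed sample in the format `kubectl get pods -n scf` prints; not real output.
SAMPLE_SCF = """\
NAME                        READY   STATUS             RESTARTS   AGE
diego-cell-0                1/2     CrashLoopBackOff   7          3h
nats-0                      1/1     Running            0          3h
nats-1                      1/1     Running            0          3h
router-0                    1/1     Running            0          3h
router-1                    0/1     Running            1          3h
secret-generation-1-f8k2z   0/1     Completed          0          3h
"""
# Assumption: pod-name prefix -> replica parameter (router -> RouterReplicas, nats -> NatsReplicas).
EXPECTED_SCF = {"router": 2, "nats": 2}


def parse_pods(text):
    """Parse `kubectl get pods` table output (header line skipped) into a list of dicts."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        name, ready, status, restarts, _age = line.split(maxsplit=4)
        ready_now, ready_total = (int(x) for x in ready.split("/"))
        rows.append({"name": name, "ready": ready_now, "total": ready_total,
                     "status": status, "restarts": int(restarts)})
    return rows


def health_findings(text, expected_replicas, max_restarts=3):
    """Return findings for one namespace; an empty list means it looks healthy."""
    findings, available = [], {}
    for pod in parse_pods(text):
        m = ORDINAL_RE.match(pod["name"])
        role = m.group("role") if m else pod["name"]
        if pod["status"] not in OK_STATUSES:
            findings.append(f"{pod['name']}: status {pod['status']}")
        elif pod["status"] == "Running" and pod["ready"] < pod["total"]:
            findings.append(f"{pod['name']}: only {pod['ready']}/{pod['total']} containers ready")
        elif pod["status"] == "Running":
            available[role] = available.get(role, 0) + 1  # fully ready replica of this role
        if pod["restarts"] > max_restarts:  # assumption: more than 3 restarts means a loop
            findings.append(f"{pod['name']}: {pod['restarts']} restarts")
    for role, want in expected_replicas.items():
        have = available.get(role, 0)
        if have < want:
            findings.append(f"{role}: {have} of {want} replicas available")
    return findings


if __name__ == "__main__":
    for finding in health_findings(SAMPLE_SCF, EXPECTED_SCF):
        print(finding)
```

Run it against the real output by piping `kubectl get pods -n scf` into the script and passing the replica values you chose in Step 3.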

Best practices for using SUSE Cloud Application Platform on AWS

The optimal configuration for running SUSE Cloud Application Platform on an Amazon EKS cluster requires a minimum of three worker nodes with at least 16 GiB RAM and 4 vCPUs each. This configuration provides minimal support for high availability and failover of the infrastructure components and allows 12–16 GiB for application workloads. If you need a leaner environment for a lighter workload or for testing, you can change the default number of worker nodes, their instance types, and volume size when you deploy the Quick Start.

SUSE Cloud Application Platform requires storage for the databases used by the pods that are related to Cloud Foundry and User Authentication and Authorization (UAA). This Quick Start uses the Amazon Elastic Block Store (Amazon EBS) backed gp2 storage class, which dynamically provisions and attaches EBS volumes as needed.

Security

TLS certificates

This Quick Start automatically sets up Elastic Load Balancing (ELB) to support the critical services of a Cloud Application Platform cluster. The subdomains and zone entries for these services are added to the Amazon Route 53 hosted zone during installation.

TLS is set up on the ELB entry point to the SUSE Cloud Application Platform API. This is accomplished with AWS Certificate Manager (ACM), which manages the certificate keys and attaches the certificate to the load balancer. Except for the Gorouter component, the backend connection from the load balancer is also encrypted, using self-signed certificates that are generated during installation; traffic between the load balancer and the Gorouter itself therefore travels unencrypted inside the VPC.

Stratos web UI

SUSE provides a web UI called Stratos for connecting to Cloud Foundry instances and viewing cross-referenced metrics to Kubernetes endpoints. Stratos is available within the Quick Start and can be deployed by setting the optional parameter Stratos web console to Enabled, either initially or by way of a stack update.

After the Stratos web application is deployed, you can access it from the browser via https://scf.<DomainName>.

Note: Stratos is a large client UI that is based on Node.js/Angular, with a Golang backend application. If the staging phase exceeds the default timeout of 180 seconds, you may need to pre-build the Node.js components; see the SUSE Stratos documentation for details.

Metrics: Optional installation using an endpoint for Prometheus

It is possible to optionally enable metrics for Stratos through Prometheus. For more information, see https://github.com/SUSE/stratos-metrics.

Eirini application runtime scheduler

SUSE Cloud Application Platform supports the option of scheduling application workloads with Eirini directly on Kubernetes, rather than with Diego. This Quick Start, however, currently deploys using the traditional Diego model. For more information, see Eirini and CF Containerization: a field guide.

Cloud Foundry roles and Kubernetes pod placement

SUSE Cloud Application Platform deployment differs from upstream Cloud Foundry deployment, where BOSH manages the placement of the Cloud Foundry roles onto virtual machines (VMs).

The installation uses Helm to specify affinity/anti-affinity and placement rules onto Kubernetes nodes to provide the best resiliency and scaling capabilities. This Quick Start enforces the following rules by default.

Anti-affinity rule:
- Go-router
- Diego-cells

Note: All other Cloud Foundry roles also have anti-affinity to themselves, which allows an even distribution of instances and roles across the worker nodes.

SUSE Cloud Application Platform deploys the Cloud Foundry User Authentication and Authorization Service (UAA) independently of the remaining Cloud Foundry roles. This allows UAA to be used by multiple services (such as the SUSE CAP Stratos web UI or other third-party or custom applications). To optimize UAA and its data store, the following rule is set.

Affinity rule:
- UAA
- MySQL

Scaling application workloads and Availability Zone placement

When applications are deployed to SUSE Cloud Application Platform by using the Cloud Foundry CLI or Stratos UI, the Cloud Foundry component called Diego (Droplet Execution Agent, DEA, written in Golang) determines the placement of the application workloads onto the available Kubernetes worker nodes.

This placement depends on the application’s resource requirements (memory, disk, CPU) and the number of customer application instances to start and scale up to. To facilitate scaling the cluster, this Quick Start implements appropriate Kubernetes node labeling to enable even distribution of the Diego cell pods on the initial number of nodes.

Minimal-cost deployment without HA

If you want a low-cost development environment without high availability, you can set all resource multipliers to 1. This would deploy two nodes in total.


Backup and recovery

To configure backups for Cloud Foundry data (users, organizations/spaces, application metadata), please contact SUSE for installation and configuration instructions.

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and the instance is left running so you can troubleshoot the issue.

Important: When you set Rollback on failure to No, you continue to incur AWS charges for this stack. Ensure that you delete the stack after you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. We recommend that you launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a non-S3 location, you might encounter template size limitations when you create the stack. For more information about AWS CloudFormation limits, see the AWS documentation.

Q. Custom::KubeManifest/Custom::Helm failed on stack create, update, or deletion.

A. These resources are backed by Lambda functions that are defined in the Functions stack. Their logs are stored in Amazon CloudWatch Logs. To access the logs, open the AWS Lambda console at https://console.aws.amazon.com/lambda/, select the relevant Lambda function, and then choose Open in CloudWatch Logs.

Q. The Route53::HostedZone resource fails to create with the error “Hosted zone already exists.”

A. When you deploy the Quick Start, the value you provide for the Sub-domain prefix (SubDomainPrefix) parameter must be unique. Ensure that it doesn’t point to an existing Route 53 hosted zone name.

Q. UAA for SCF resources failed with an error.

A. These resources represent the installation of the SUSE Cloud Application Platform Helm charts. To troubleshoot, use the Kubernetes CLI (kubectl command) to check the status of the running pods:

> kubectl get namespaces
> kubectl get pods -n uaa
> kubectl get pods -n scf
> kubectl describe pods -n uaa
> kubectl describe pods -n scf
> kubectl get pv,pvc --all-namespaces

Q. Can I enable Eirini?

A. It is advised that you wait for the Git fork that includes a “Technical Preview” of the Eirini Project.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. If you’d like to submit code, please review the Quick Start Contributor’s Guide.

Additional resources

SUSE Cloud Application Platform

SUSE Documentation - Deploying SUSE Cloud Application on Amazon EKS

Cloud Foundry Developer Guide

Deploying and Using the AWS Service Broker

Marketing materials and case studies

Client tools

Cloud Foundry CLI (cf)

Kubernetes CLI (kubectl)

Helm CLI (helm)

AWS resources

Getting Started Resource Center


AWS General Reference

AWS Glossary

Amazon EKS documentation

Amazon EKS

Other AWS services

AWS CloudFormation

Amazon CloudWatch Logs

Amazon EBS

Amazon EC2

Elastic Load Balancing

IAM

AWS Lambda

Amazon VPC

Other Quick Start reference deployments

AWS Quick Start home page

Document revisions

Date | Change | In sections
March 2020 | Update for CAP 1.5.2 | Eirini application runtime scheduler; FAQ
September 2019 | Domain information; parameter descriptions; health-verification code update; Stratos information; Eirini information | Step 3; Step 4; Stratos web UI; Eirini application runtime scheduler; FAQ
April 2019 | Initial publication | —


© 2020, Amazon Web Services, Inc. or its affiliates, and SUSE. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.