Enabling shell access using native Docker or ECS
DuploCloud allows shell access into the deployed containers. Shell access is enabled differently, depending on whether you use native Docker or ECS.
To enable shell access for the DuploCloud Docker Native container system:
In the DuploCloud Portal, navigate to Docker -> Services, displaying the Services page.
From the Docker list box, click Enable Docker Shell. The Start Shell Service pane displays.
From the Certificate list box, select a certificate name.
From the Visibility list box, select Public.
Click Update.
A provisioned service named dockerservices-shell is created, enabling you to access the Service containers using SSH.
Optionally, DuploCloud provides just-in-time (JIT) access to both the container shell and the kubectl shell directly from your browser.
In the DuploCloud Portal:
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Default Tenant.
Navigate to Docker -> Services, displaying the Services page.
Click Enable Docker Shell. The Start Shell Service pane displays.
From the Platform list box, select Kubernetes.
From the Certificate list box, select a certificate name.
From the Visibility list box, select Public.
Click Update.
Now you can begin using the Kubernetes (K8s) shell from the DuploCloud Portal for K8s services.
Navigate to Kubernetes -> Services. The Service page displays.
From the KubeCtl list box, click KubeCtl Shell.
In the DuploCloud Portal, navigate to Kubernetes -> Containers.
Select Container Shell or Host Shell from the Actions menu. The container or host shell launches in AWS Systems Manager.
You can also view the ECS task shell and select the container shell to which you want to connect.
In the DuploCloud Portal, navigate to Cloud Services -> ECS, displaying the ECS Task Definition page.
Select the name from the TASK DEFINITION FAMILY NAME column.
Select the Tasks tab.
To display the ECS task shell for any task, click on the (>_) icon in the Actions column of the appropriate row. Click on Console for AWS Console access, Logs for log data, or a container task shell of your choice. A browser launches to give you access to the resource you select.
Click the options menu icon in the appropriate row.
Tasks to perform before you use AWS with DuploCloud
Before using DuploCloud, ensure the following prerequisites are met.
Read the Access Control section to ensure at least one person has administrator access.
Create a Certificate for AWS Certificate Manager
The DuploCloud platform needs a wildcard AWS Certificate Manager (ACM) certificate that corresponds to the domain you created for the Route 53 Hosted Zone.
For example, if the Route 53 Hosted Zone created is apps.acme.com, then the ACM certificate specifies *.apps.acme.com. You can add additional domains to this certificate (for example, *.acme.com).
The ACM certificate is used with AWS Elastic Load Balancers (ELBs) that are created as part of DuploCloud application deployment. Follow this AWS guide to issue an ACM certificate.
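The wildcard rule above is easy to get wrong: a certificate for *.apps.acme.com covers exactly one extra label, so it protects web.apps.acme.com but not apps.acme.com itself or a deeper name. The following is an added example (not DuploCloud code) that checks whether a Plan's certificate names cover the hostnames you expect DuploCloud to create under the hosted zone; the zone and hostnames are constructed sample values.

```python
def acm_cert_covers(cert_names, hostname):
    """Return True if any name on the ACM certificate matches hostname.

    Applies the standard TLS wildcard rule: '*.apps.acme.com' matches one
    extra label only, so it covers 'api.apps.acme.com' but neither
    'apps.acme.com' nor 'a.b.apps.acme.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # ".apps.acme.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:
                    return True
    return False


def expected_wildcard(hosted_zone):
    """Wildcard name the Plan certificate should carry for a hosted zone."""
    return "*." + hosted_zone.lower().rstrip(".")


def check_plan_certificate(hosted_zone, cert_names, service_hosts):
    """Report the expected wildcard and any service hostnames left uncovered."""
    names = [n.lower().rstrip(".") for n in cert_names]
    wildcard = expected_wildcard(hosted_zone)
    return {
        "expected_wildcard": wildcard,
        "has_wildcard": wildcard in names,
        "uncovered": [h for h in service_hosts if not acm_cert_covers(names, h)],
    }


if __name__ == "__main__":
    # Constructed sample: the page's zone plus the optional extra domain.
    report = check_plan_certificate(
        "apps.acme.com",
        ["*.apps.acme.com", "*.acme.com"],
        ["web.apps.acme.com", "apps.acme.com", "a.b.apps.acme.com"],
    )
    print(report)   # only a.b.apps.acme.com is uncovered
```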
Once the certificate is issued, add the Amazon Resource Name (ARN) of the certificate in the DuploCloud Plan so that it is available to subsequent configurations, starting with the DuploCloud default plan.
In the DuploCloud Platform, navigate to Administrator -> Plans. The Plans page displays.
Select the DEFAULT Plan from the Name column.
Click the Certificates tab.
Click Add.
In the Name field, enter a certificate name.
In the Certificate ARN field, enter the ARN.
Click Create. The ACM Certificate with ARN is created.
Note that the ARN Certificate must be set for every new Plan created in a DuploCloud Infrastructure.
Configure DuploCloud to automatically generate Amazon Certificate Manager (ACM) Certificates for your Plan's DNS.
From the DuploCloud portal, navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add. The Add Config pane displays.
From the Config Type list box, select Flags.
From the Key list box, select Other.
In the Key field that displays, enter enabledefaultdomaincert.
In the Value list box, select True.
Click Submit.
DuploCloud integrates natively with OpenVPN by provisioning VPN users added in the Duplocloud portal. As a DuploCloud user, you can access resources in the private network by connecting to the VPN with the OpenVPN client.
The OpenVPN Access Server is set to forward only traffic destined for network resources in the DuploCloud-managed private networks. Traffic accessing other resources on the internet does not pass through the tunnel.
User VPN credentials are accessible on the user profile page, which can be opened through the menu on the upper right of the page or through the User menu option on the left.
Follow the VPN URL link in the VPN Details section of your user profile. Modern browsers will call the link unsafe since it is using a self-signed certificate. Proceed to it.
Integrate with OpenVPN by provisioning VPN users
DuploCloud integrates natively with OpenVPN by provisioning VPN users that you add to the Duplocloud Portal. OpenVPN setup is a two-step process.
Accept OpenVPN Free tier (Bring Your Own License) in the AWS marketplace:
Log into your AWS account. In the console, navigate to: https://aws.amazon.com/marketplace/pp?sku=f2ew2wrz425a1jagnifd02u5t.
Accept the agreement. Other than the regular EC2 instance cost, no additional license cost is added.
In the DuploCloud Portal, navigate to Administrator -> System Settings.
Click the VPN tab.
Click Provision VPN.
After OpenVPN is provisioned, it is ready to use. Behind the scenes, DuploCloud launches a CloudFormation script to provision the OpenVPN Access Server.
You can find the OpenVPN admin password in the CloudFormation stack in your AWS console.
Provision a VPN while creating a user:
In the DuploCloud Portal, navigate to Administrator -> Users.
Click Add. The Create User pane displays.
Enter a valid email address in the Username field.
In the Roles field, select the appropriate role for the User.
Select Provision VPN.
Click Submit.
For information about removing VPN access for a user, see Deleting a VPN user. To delete VPN access, you must have administrator privileges.
By default, users connected to a VPN can SSH or RDP into EC2 instances. Users can also connect to internal load balancers and endpoints of the applications. However, to connect to other services, such as databases and ElastiCache, you must open the port to the VPN:
In the DuploCloud Portal, navigate to Administrator -> Tenants.
Select the Tenant in the Name column.
Click the Security tab.
Click Add. The Add Tenant Security pane displays.
In the Source Type field, select Ip Address.
In the IP CIDR field, enter the name of your VPN.
Click Add.
Log in to the OpenVPN Access Server user portal using the credentials from the DuploCloud user profile section.
Install the OpenVPN Connect app for your local machine.
Download the OpenVPN user profile for your account from the link labeled Yourself (user-locked profile).
Open the .ovpn file and click OK at the Import profile dialog. Then click Connect.
Creating a Route 53 hosted zone to program DNS entries
The DuploCloud platform needs a unique Route 53 hosted zone to create DNS entries for services that you deploy. The domain must be created out-of-band and set in DuploCloud. The zone is a subdomain such as apps.[MY-COMPANY].com.
Never use this subdomain for anything else, as DuploCloud owns all CNAME entries in this domain and removes all entries it has no record of.
To create the Route53 hosted zone using the AWS Console:
Log in to the AWS console.
Navigate to Route 53 and Hosted Zones.
Create a new hosted zone with the desired domain name, for example, apps.acme.com.
Access the hosted zone and note the name server names.
Go to your root Domain Provider's site (for acme.com, for example) and create an NS record for the domain name of the hosted zone you created (apps.acme.com) whose values are the name servers you noted above.
Once this is complete, provision the Route53 domain in every DuploCloud Plan, starting with the default plan. Add the Route53 hosted zone ID and domain name, preceded with a dot (.).
Do not forget the dot (.) at the beginning of the DNS suffix, in the form as shown below.
Note that this domain must be set in each new Plan you create in your DuploCloud Infrastructure.
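A mismatched or partial NS delegation at the root domain is the usual reason DuploCloud-created records do not resolve, and the Plan's DNS suffix is easy to mis-type without the leading dot. The following added example (not DuploCloud code) checks the delegation from name-server lists you copy out of the two consoles and derives the suffix value for the Plan; all server names below are constructed sample data.

```python
def normalize_ns(names):
    """Lower-case name-server names and drop the trailing dot Route 53 shows."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def check_delegation(hosted_zone_ns, parent_ns_record):
    """Compare the hosted zone's NS set with the NS record at the root domain.

    Returns which servers the parent record is missing and which extra
    (stale or mistyped) servers it lists; 'ok' is True only if both are empty.
    """
    zone = normalize_ns(hosted_zone_ns)
    parent = normalize_ns(parent_ns_record)
    missing = sorted(zone - parent)
    extra = sorted(parent - zone)
    return {"ok": not missing and not extra, "missing": missing, "extra": extra}


def duplo_dns_suffix(zone_name):
    """DNS suffix as the DuploCloud Plan expects it: leading dot, no trailing dot."""
    zone = zone_name.strip().lower().rstrip(".")
    if not zone or zone.startswith("."):
        raise ValueError("zone name must be a bare domain such as apps.acme.com")
    return "." + zone


if __name__ == "__main__":
    # Constructed sample: Route 53 lists four servers; the root provider's
    # NS record was entered with one server mistyped.
    route53_ns = ["ns-101.awsdns-01.com.", "ns-202.awsdns-02.net.",
                  "ns-303.awsdns-03.org.", "ns-404.awsdns-04.co.uk."]
    provider_ns = ["ns-101.awsdns-01.com", "ns-202.awsdns-02.net",
                   "ns-303.awsdns-03.org", "ns-440.awsdns-04.co.uk"]
    print(check_delegation(route53_ns, provider_ns))
    print(duplo_dns_suffix("apps.acme.com."))   # .apps.acme.com
```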