Setting Up an Amazon Web Services (AWS) EC2 Panzura Freedom Filer

This document provides instructions on how to deploy a Panzura Freedom Filer (filer) as an EC2 instance from an Amazon Machine Image (AMI).

Create an Amazon Web Services (AWS) Account

1. Open a browser and go to: https://aws.amazon.com/

2. Click “Sign In to the Console”.

3. Follow instructions to login or create a new account:

4. You will arrive at the AWS Management Console:

If you are also using Amazon Machine Image (AMI) to create a Panzura filer instance, you may want to create two users, one for Amazon S3 cloud storage and one for the AWS EC2 service. Doing this limits users to the least permissions required for their tasks. However, with sufficient permissions, a single user can administer AWS S3 and AWS EC2.

User Permissions for Deployment from Panzura Freedom filer AMI

Panzura Freedom filers can be deployed as an AMI on Amazon’s EC2 service. Amazon EC2 defines a set of permissions that you can specify in a policy. These are keywords, each of which maps to a specific Amazon EC2 API operation.

User permissions are determined by the policies attached to the IAM user, either directly or through the group the user is assigned to. As a best practice, Panzura recommends that the IAM user be provided with only the minimum set of permissions required to deploy the instance and create the storage and network resources. After deployment is complete, the permissions (or the user’s access keys) may be revoked. This limits the number of users capable of generating EC2 resources. However, a user with the minimum permissions will be required again if you need to deploy additional instances in the future.

The following are the minimal recommended permissions. This does NOT include specific permissions required for access to other Amazon resources you may have provisioned for use with the Panzura Freedom AMI. When you make an API request, the parameters that you specify in the request determine which resources an IAM user must have permission to use. If the user doesn't have the required permissions, the request fails. For example, if you use RunInstances to launch an instance in a subnet (by specifying the SubnetId parameter), an IAM user must have permission to use the VPC.

Panzura required Amazon EC2 Permissions for Filer Deployment

Permission | Description

aws-marketplace:ViewSubscriptions | Allows users to see their account’s subscriptions (access level: List).
ec2:RunInstances | Launches the specified number of instances using an AMI for which you have permissions.
ec2:TerminateInstances | Shuts down the specified instances.
ec2:DescribeImages | Describes the specified images (AMIs, AKIs, and ARIs) available to you, or all of the images available to you.
ec2:DescribeInstances | Describes the specified instances or all of the AWS account’s instances.
ec2:DescribeAvailabilityZones | Describes the Availability Zones and Local Zones that are available to you.
ec2:DescribeVpcs | Describes one or more of your VPCs.
ec2:DescribeSubnets | Describes one or more of your subnets.
ec2:DescribeKeyPairs | Describes the specified key pairs or all of your key pairs.
ec2:DescribeSecurityGroups | Describes the specified security groups or all of your security groups.
ec2:DescribeInstanceStatus | Describes the status of the specified instances or all of your instances. By default, only running instances are described, unless you specifically indicate to return the status of all instances.

An example JSON using permissions from above:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
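The policy above grants every action, including RunInstances and TerminateInstances, on Resource "*", so the deployment user can launch any AMI into any subnet and terminate any instance in the account. The Describe actions and ViewSubscriptions only accept "*", but RunInstances is authorized against each resource it touches and can be pinned to one image and one subnet. The block below is an added example, not Panzura’s or AWS’s code: it builds such a scoped policy (the account ID, region, subnet ID and AMI ID are placeholders to replace with your own) and includes a small auditor that flags mutating actions granted on "*", run here against the page’s own policy.

```python
"""Build a scoped launch policy and audit a policy for wildcard resources.

Added example (not Panzura's or AWS's code). ACCOUNT, REGION, SUBNET_ID and
AMI_ID are placeholders (assumptions) to be replaced with your own values.
"""
import json

ACCOUNT = "123456789012"                 # placeholder
REGION = "us-west-2"                     # placeholder
SUBNET_ID = "subnet-0123456789abcdef0"   # placeholder
AMI_ID = "ami-0123456789abcdef0"         # placeholder

# Read-only actions from the page. Describe*/ViewSubscriptions do not accept
# resource-level ARNs, so "*" is the only valid Resource for them.
READ_ONLY_ACTIONS = [
    "aws-marketplace:ViewSubscriptions",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVpcs",
    "ec2:DescribeSubnets",
    "ec2:DescribeKeyPairs",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeInstanceStatus",
]

# The page's own policy, reproduced so the auditor can be run against it.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": READ_ONLY_ACTIONS + ["ec2:RunInstances", "ec2:TerminateInstances"],
        "Resource": "*",
    }],
}


def build_scoped_policy() -> dict:
    """Same actions as the page, but RunInstances pinned to one AMI and one subnet."""
    base = f"arn:aws:ec2:{REGION}:{ACCOUNT}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadOnly", "Effect": "Allow",
             "Action": READ_ONLY_ACTIONS, "Resource": "*"},
            {"Sid": "LaunchFilerFromApprovedImage", "Effect": "Allow",
             "Action": "ec2:RunInstances",
             # RunInstances is authorized against every resource it touches;
             # naming them restricts which image and subnet can be used.
             "Resource": [
                 f"arn:aws:ec2:{REGION}::image/{AMI_ID}",   # AMI ARNs carry no account ID
                 f"{base}:subnet/{SUBNET_ID}",
                 f"{base}:instance/*",
                 f"{base}:volume/*",
                 f"{base}:network-interface/*",
                 f"{base}:security-group/*",
                 f"{base}:key-pair/*",
             ]},
            {"Sid": "TerminateInThisRegionOnly", "Effect": "Allow",
             "Action": "ec2:TerminateInstances",
             "Resource": f"{base}:instance/*"},   # still any instance, but only here
        ],
    }


# Action-name prefixes that change state; anything else is treated as read-only.
MUTATING_PREFIXES = ("Run", "Terminate", "Create", "Delete", "Modify",
                     "Attach", "Detach", "Put", "Start", "Stop", "Reboot")


def _listify(value):
    return value if isinstance(value, list) else [value]


def is_mutating(action: str) -> bool:
    """True for non-read actions and for any wildcard such as ec2:*."""
    name = action.split(":", 1)[-1]
    return name == "*" or name.startswith(MUTATING_PREFIXES)


def wildcard_mutating_actions(policy: dict) -> list:
    """Mutating actions that an Allow statement grants on Resource "*"."""
    hits = set()
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _listify(stmt.get("Resource", [])):
            continue
        hits.update(a for a in _listify(stmt.get("Action", [])) if is_mutating(a))
    return sorted(hits)


if __name__ == "__main__":
    print("page policy grants on '*':", wildcard_mutating_actions(PAGE_POLICY))
    print(json.dumps(build_scoped_policy(), indent=2))
```

A tag condition on TerminateInstances (for example, only instances tagged as filers) would be tighter still, but tags applied at launch require ec2:CreateTags, which is not on the page’s list. Check whatever policy you end up with in the IAM policy simulator before handing the access key to the wizard.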

See the following documents for more information:

  • Full guide to AWS Identity and Access Management:

http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html

  • Amazon Elastic Compute Cloud, API Reference, API Version 2016-11-15:

https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api.pdf#ec2-api-permissions

Create a Policy for use with Panzura Freedom filer AMI

1. From the AWS console, navigate to the IAM service:

2. Click on “Policies” on the left menu column, then click the “Create policy” button:

3. Choose the Marketplace service and select the “ViewSubscriptions” action:

4. Click “Add Additional Permissions”

5. Choose the EC2 service and select the actions from the table above:

6. Provide ARNs as required:

7. Based on your company’s security policies, you may want to add additional permissions to this policy. You may do so by clicking “Add additional permissions”. Otherwise, click the “Review policy” button:

8. Enter a “Name” for the policy, as well as a “Description”, and click the “Create policy” button:

9. On the IAM: Policies page, see that your policy has been created:

Create an Amazon User with Credentials for Panzura Freedom filer

1. Navigate to the IAM service:

2. Click on “Users”:

3. Click “Add User”:

4. Specify “User name”, select “Programmatic access”, and click the “Next: Permissions” button:

5. Select “Attach existing policies directly” to find the correct policy, select the Panzura specific policy, and click the “Next: Tags” button.

If you have not yet created a Panzura specific policy for the AWS EC2 service, refer to the “User Permissions for Deployment from Panzura Freedom filer AMI” and the “Create a Policy for use with Panzura Freedom filer AMI” sections of this document.

6. You may add tags here, then click the “Review” button:

7. Review the “User details” and the “Permissions summary” sections. When you are satisfied, click the “Create user” button:

8. You will need your Access key ID and Secret access key later in the installation process. You can retrieve them from this screen in two ways:

a. Click “show” under “Secret access key” and copy the keys from the user interface.

b. Click “Download .csv”. A download of “credentials.csv” will begin. This file contains the user name, Access key ID, and Secret access key. Please note: per AWS policy, this is the only time you will be able to retrieve the secret access key. Store it in a secrets store or password manager rather than leaving the CSV in a download folder.

Create a Panzura Filer EC2 Instance

1. From the AWS console, navigate to the EC2 Dashboard:

2. Click “Launch Instance”:

3. Navigate to the Panzura Freedom offering on the AWS Marketplace. You can do this by entering “Panzura” in the search bar and clicking on “AWS Marketplace”. Click the “Select” button:

4. Read through the description of the Panzura Freedom offering, as well as the EC2 pricing details. Click the “Continue” button:

5. Choose an Instance Type: Panzura recommends using AWS instances with at least 8 CPUs and 64 GB of memory. Please consult with your Panzura Sales Engineer or Panzura Professional Support staff for sizing recommendations based on your specific use case and environment.

Select your instance type and click “Next: Configure Instance Details”:

6. Configure Instance Details: Select a VPC option under “Network”. A default subnet is selected automatically. Do not enable Auto-assign public IP unless you need to access the filer over the internet; leaving it disabled keeps the filer reachable from private IP space only. If you do enable it, configure a Security Group that limits the allowed source IP addresses.

Please make sure your VPC is connected to any other resources that may access the Panzura Freedom filer. This includes, but is not limited to, your AD server, other on-prem and in-cloud filers.

a. Panzura (and AWS!) recommends that you enable Termination Protection. While this is not mandatory, this will prevent accidental termination of your instance. After you make your selection, click “Next: Add Storage”:

7. Add Storage: Please consult with Panzura Professional Services staff on number and size of EBS volumes.

Please take note of the following recommendations for Volume Type for attached EBS Volumes for Panzura Freedom filer. These recommendations are dependent on your specific use case (capacity and environment):

  Volume | Recommended | Notes
  Metadata | SSD (io1) | SSD is required for Metadata.
  Cache | SSD (gp2) | Cache can also be stored on type st1 (HDD), but using a non-SSD option may impact performance. Type sc1 is not supported.

Panzura recommends using SSD flash for both Metadata and Cache. When you have completed your attached EBS volumes, click “Next: Add Tags”:

8. Add Tags: Add tags as needed or in compliance with your internal tracking and reporting policies. Click the “Next: Configure Security Group” button:

9. Configure Security Group: Panzura has configured the proper HTTPS, SSH, and Custom TCP Ports for use with the Panzura Freedom filer. Consult your security team for proper Source restrictions (for restricting access by IP) and firewall settings. You do not have to use this Security Group, but any Security Group you do deploy for the Panzura Freedom filer will require inclusion of these firewall rules.

Once you have reviewed and deployed the proper Security Group, click the “Review and Launch” button:
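Step 9 leaves the Source restriction to you, and the pre-built group is the place a world-open rule is most likely to slip through. The block below is an added example, not Panzura’s or AWS’s code: it takes a security group in the shape returned by `aws ec2 describe-security-groups` (a constructed sample; the group ID, the extra port 445 rule and the CIDRs are assumptions), reports management ports (22 and 443, the SSH and HTTPS ports the page names) that admit 0.0.0.0/0 or ::/0, and emits a copy of the group with those rules limited to an approved administrator range and the VPC CIDR.

```python
"""Find management ports open to the world and rewrite them to approved sources.

Added example (not Panzura's or AWS's code). SAMPLE_GROUP is a constructed
record in the shape returned by `aws ec2 describe-security-groups`; the
group ID, the port 445 rule and all CIDRs are assumptions for illustration.
"""
import ipaddress

MANAGEMENT_PORTS = (22, 443)   # SSH and the HTTPS management UI

SAMPLE_GROUP = {   # constructed sample, not a real group
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    ],
}


def _port_range(perm):
    """Ports a permission covers; protocol -1 ("All traffic") means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _sources(perm):
    """All IPv4 and IPv6 source CIDRs of a permission."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _is_any(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _touches_management(perm):
    if perm["IpProtocol"] not in ("tcp", "-1"):
        return False
    lo, hi = _port_range(perm)
    return any(lo <= p <= hi for p in MANAGEMENT_PORTS)


def world_open_management_rules(group):
    """Sorted (port, cidr) pairs where a management port admits any source."""
    findings = set()
    for perm in group["IpPermissions"]:
        if not _touches_management(perm):
            continue
        lo, hi = _port_range(perm)
        for cidr in _sources(perm):
            if _is_any(cidr):
                findings.update((p, cidr) for p in MANAGEMENT_PORTS if lo <= p <= hi)
    return sorted(findings)


def restrict_management_sources(group, allowed_cidrs):
    """Copy of the group with world-open management rules limited to allowed_cidrs.

    The offending rule's source list is replaced wholesale, so list every
    range that should keep access (admin jump-host range, VPC CIDR, ...).
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("allowed_cidrs must not contain 0.0.0.0/0 or ::/0")
    v4 = [{"CidrIp": str(n)} for n in nets if n.version == 4]
    v6 = [{"CidrIpv6": str(n)} for n in nets if n.version == 6]
    fixed = []
    for perm in group["IpPermissions"]:
        new = dict(perm)
        if _touches_management(perm) and any(_is_any(c) for c in _sources(perm)):
            new["IpRanges"], new["Ipv6Ranges"] = v4, v6
        fixed.append(new)
    return {**group, "IpPermissions": fixed}


if __name__ == "__main__":
    print("world-open:", world_open_management_rules(SAMPLE_GROUP))
    hardened = restrict_management_sources(SAMPLE_GROUP, ["10.0.0.0/16", "203.0.113.0/24"])
    print("after fix:", world_open_management_rules(hardened))
```

Run it against the JSON from `aws ec2 describe-security-groups --group-ids <id>` to check the Marketplace group before launching; the rewritten permissions can be applied with authorize/revoke-security-group-ingress, or simply compared by eye against what the console shows.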

10. Review Instance Launch: Review the details of your instance. When you are ready to proceed, click “Launch”:

11. Select an existing key pair or create a new key pair. If you create a new key pair, type a “Key pair name” and click the “Download key pair” button. A “.pem” file will be downloaded. Keep this in a safe place as you will need it later. Per Amazon policy, you will not be able to download this later.

When you have chosen your key pair, click “Launch Instances”:

12. When deployment is complete, you can see the Launch Status:

13. Navigate to the EC2 service on the AWS console. Find the IP:

14. On a browser, navigate to the IP using a URL in the following format:

https://<INSERT YOUR IP HERE>

Click the “Choose File” button:

15. Select the appropriate “.pem” file (the private key of the key pair chosen at launch, either the one you just created or one created prior to this) and click “SHOW DECRYPTED PASSWORD”:

16. Store the “Clear text password” (blurred out in the image below) and click the “Next” button:

17. You can now see the Panzura Freedom filer login screen. When logging in for the first time, use the following credentials:

Username: admin

Password: <The clear text password from the step above>

18. You are now in the Configuration Wizard:

Configuring the Panzura Freedom filer

Use the setup wizard to configure the master filer, subordinate filers, and any standby filers for high availability for your CloudFS deployment. The setup wizard process is similar in each case. All options are described in this section.

After completing the wizard, your filer will have the necessary information to start services and connect users.

  1. Go to https://<Filer IP>
    • When logging in for the first time, use the following credentials:
      • Username: admin
      • Password: <The clear text password from the section above>
        Click the “LOG IN” button:
  2. You are now in the Configuration Wizard. When you log in for the first time, the setup wizard opens automatically. Click the “START” button:
  3. Read through the End User License Agreement (EULA). You must accept the EULA by clicking on the slider next to “I ACCEPT”:
  4. You can sign up for product and marketing updates by clicking on the slider:

  5. Enter the relevant and required contact information and click the “NEXT” button:
  6. Read through the information required for setup and click the “NEXT” button:
  7. For security purposes, you must change your password. Enter a new password and click the “NEXT” button:
  8. Panzura requires the “Shared Network (One-arm)” option for AWS EC2 deployment. Amazon limits bandwidth on a per-instance basis, so choosing “Dedicated Network (Inline)” for multiple network interfaces does not improve performance. Panzura does not support the “Dedicated Network (Inline)” option for EC2 deployments.

Choose “Shared Network (One-arm)”. The network information (IP Address, Subnet Mask, Default Gateway, and Primary DNS Server IP) are all configured from the EC2 service.

You may specify your own DNS server. For example, you may be using your AD server for DNS.

Starting with 8.0.0.9, Freedom filers support the use of a proxy server when communicating with AWS S3 only. To enable the proxy server, click on the “Proxy Server” slider, enter the IP / hostname, and Port Number of your proxy server.

When you are done, click the “Next” button:

9. System Settings: enter a unique hostname (lowercase is required from PZOS 8.0 onward), the filer location, a contact email, and the DNS Domain, then click the “NEXT” button:

Please make sure to add the unique hostname to your DNS services. If you are using an AD server for DNS services, the hostname will be automatically added when you join the AD domain (in a few steps!). Panzura recommends an in-cloud AD server for use by the filer. Note: AD services may become impacted with latencies greater than 150ms.


10. Enter the License Token or License Files provided by Panzura. If you don’t have this, please contact Panzura Support for assistance.

11. When you have entered the License Token or License Files, click the “NEXT” button.

12. Enter an NTP server. A default one is provided if you do not have one. Choose a Time Zone that matches the filer location you entered a few steps ago. When you are done, click the “NEXT” button: 

13. Role Settings: Choose the “role” of the filer you are setting up:

a. Master: This filer will act as a master for configuration purposes only. If this is the first filer in the cluster you are deploying, choose Master.

b. Subordinate: This filer will act as a subordinate for configuration purposes only. Every active filer deployed in the cluster after the master should be a subordinate or HA filer.

c. HA Local: Panzura supports High Availability through the use of a local machine for failover of a single active filer. This type of machine is not considered an active filer. If you are deploying this machine as HA for a single active filer, choose HA Local.

The use of a VIP is not available in the AWS EC2 environment due to AWS layer 2 communication restrictions. This also means that the autofailover feature for HA Local is not available for filers deployed within AWS EC2.

d. HA Global: Panzura supports High Availability through the use of a machine for failover of multiple active filers. This type of machine is not considered an active filer. If you are deploying this machine as HA for multiple filers, choose HA Global.

When you are done, click the “NEXT” button:

14. When deploying a Master filer, make sure to choose “Full Mesh” and to set “Configure as Key Master Filer” to ON:

15. When deploying a Subordinate, HA Local, or HA Global filer, you must enter the hostname of the Master filer.

16. Leave the Support Assistance section at its defaults; this will be configured after the Wizard setup.

17. Panzura Freedom filers use a Peer-to-Peer Authentication Key when communicating with each other. This is centrally sourced by the Master configuration filer.

a. If you are deploying a Master filer, click the “Export” button and save the file in a secure location. You will need this file when configuring additional Subordinate and HA filers in the future. This file can be downloaded from the Master filer again later if needed. Treat it as a secret: it is what the filers use to authenticate each other. Click the “NEXT” button:

b. If you are not configuring the Master filer, upload the Peer-to-Peer Authentication Key, then click the “NEXT” button.

18. Datastore Setting:

a. Automatic: This will allow the wizard to guide you through the creation of datastores attached to this machine. Panzura refers to datastores as the local EBS volumes used to store metadata and user cache locally on the filer.

You will need to enter the AWS EC2 access key and secret key to allow the wizard to create the datastores to be attached to this machine. (Reminder: this is the same access key and secret key created in the last step of the “Create an Amazon User with Credentials for Panzura Freedom filer” section of this document.) Creating and attaching EBS volumes through the EC2 API requires permissions (such as CreateVolume and AttachVolume) beyond the launch-only list in the “User Permissions” section, so confirm the key’s policy covers them; once deployment is complete, the key can be deactivated or rotated as that section notes.

i. If the Freedom filer detects attached volumes or datastores, you will not be able to select “Automatic”. Skip down to the “Manual” section to continue configuration.

In the “Cloud Storage to Allocate (TB)” field, enter the Object Storage size (licensed capacity from Panzura or size of the Object Store bucket). If you are not sure of this field, please consult a Panzura Support or Panzura Professional Services engineer. When you are done, click the “NEXT” button.

ii. Datastore Allocation: The selection of datastore type is dependent upon your use case and environment. See the “Add Storage” step of the “Create a Panzura Filer EC2 Instance” section for recommendations. If you are unsure of any of the options on this page, please consult your Panzura Support or Professional Services staff.

iii. Click “Datastore for Metadata”.

iv. For metadata, Panzura requires SSD. See the “Add Storage” step of the “Create a Panzura Filer EC2 Instance” section for recommendations. If you are unsure, please consult your Panzura Support or Professional Services staff.

v. Take note that this process will create 3 equally sized disks which sum to the total Metadata storage, and 3 equally sized disks which sum to the total Cache storage. These disks are then attached to the Freedom filer instance automatically. When you are done, click the “NEXT” button.

The default value for metadata and cache space is a simple percentage of the cloud storage space entered in the previous step. You should size the metadata and cache based on the sizing estimation performed by your Panzura Sales Engineer or Professional Services staff.

vi. You have an opportunity to go back to review your options. When you are ready, click the “PROCEED” button.

vii. In the AWS EC2 console, you can see the volumes that the Freedom filer created:

b. Manual: allows you to create the datastores on your own, outside of the wizard process, including ones created in the “Add Storage” step of the “Create a Panzura Filer EC2 Instance” section.

In the “Cloud Storage to Allocate (TB)” field, enter the Object Storage size (licensed capacity from Panzura or size of the Object Store bucket). If you are not sure of this field, please consult Panzura Support or Professional Services staff.

i. Disks that are attached to the Freedom filer instance should auto-populate here. However, if your disk is not shown, click the “DISCOVER NEW DISKS” button.

Select the Media type and intended Datastore type for each volume. When you are done, click the “NEXT” button.

The Freedom filer will add only the specific disks that you specify here. It will not divide the capacity into multiple disks, as in the “Automatic” option.

ii. You have an opportunity to go back to review your options. When you are ready, click the “PROCEED” button:

iii. After initial deployment and configuration, more metadata and cache space can be added to the Freedom filer by going to the filer Management UI > Configuration > Disk Expansion:

19. Cloud Storage Provider: Select a Primary Cloud and enter the relevant details.

a. Enter the object store information and click the “NEXT” button. If you are using AWS S3 for object storage, please refer to the “Setting up AWS S3 for Panzura Freedom Filers” document for best practices and details. Starting in 8.0.0.9, Panzura supports AWS Server Side Encryption (SSE-KMS).

To enable this feature, click the “SSE-KMS” slider and enter the ARN for your KMS key. The IAM principal the filer uses for S3 must also be allowed to use that key (kms:GenerateDataKey for writes and kms:Decrypt for reads), or object uploads will fail. (This can also be enabled later by navigating to the Filer UI > Configuration > License Manager > Installed License Modules and editing your “CSP-Amazon” license.)

20. You have an opportunity to review your settings before continuing. When you are ready, click the “PROCEED” button.

21. You can see the status screens as the Freedom filer configures your object storage settings and boots up your system services.

22. Protocol Settings: Choose the relevant protocol(s) and enable them as appropriate. Click the “NEXT” button:

23. Active Directory Setup: Enter your AD Domain Name, AD Administrator and password and click the “NEXT” button.

● The AD Administrator and password are used to join the filer to the AD domain only. They are not stored or used again in the future (much like adding a Windows client to an AD domain).

● The “Domain Controller” field should be left as “Any”. This allows the filer to use any AD server available. Selecting a single AD server will pin the filer to that server, which may leave users unable to authenticate should that single AD server become unavailable.

24. Review the configuration, then click the “FINISH” button:

25. You will see a confirmation that your filer has a complete setup. Click “PROCEED” to be re-directed to the Freedom filer Management UI:

26. Arrive at the Freedom filer Management UI:

Freedom Filer External Dependencies

Panzura Freedom filers rely on a number of external dependencies to provide services to enterprises and their end users. The following diagram depicts the general architecture of Panzura Freedom filer deployments:

Dependency | Required | Notes

Object Storage* | Required | Public / private RESTful APIs to object storage.
Domain Name System (DNS) | Required | Used to resolve hostnames to IPs.
Simple Network Management Protocol (SNMP) | Optional | Protocol used to manage and monitor network devices and their functions.
Active Directory (AD) | Required for SMB deployments | May be used for Kerberos authentication on NFS.
Simple Mail Transfer Protocol (SMTP) | Optional | Required for email alerts and notifications.
Network Time Protocol (NTP) | Optional | Recommended for time synchronization of filers. Authentication to object stores and AD servers may fail if time drift is high.
Syslog | Optional | Used for exporting monitoring and audit events to an external syslog server.
Key Management Interoperability Protocol (KMIP) | Optional | Used for key management.
Internet Content Adaptation Protocol (ICAP)* | Optional | Communication protocol used for communicating with the anti-virus server of your choosing.
Panzura Support Assistance (SA)* | Optional | Automated communication to Panzura Support from your Freedom filer.
Panzura Mobile | Optional | Solution which allows access to filer data via mobile clients.
Panzura Data Services | Optional | Analytics service that enables you to search, analyze, and monitor your enterprise data.

*Not depicted in diagram

Active Directory Integration Options

WebUI Authentication Using Active Directory

If the filer has joined an Active Directory domain, you can set up your AD domain controller to allow authentication to the Panzura filer using Active Directory credentials, with no additional setup in the Panzura filer.

• To allow Admin level access to the WebUI, a user or group of users should be added to the group: priv_panzura_admins
• To allow User level access to the WebUI, a user or group of users should be added to the group: priv_panzura_users

For both groups, set the group scope to Global and group type to Security. Users assigned to either of these groups can then log in to the Panzura filer using their AD credentials. Both of the following username formats are accepted:

- username@domainname

- domainname\username

Logging into the WebUI using Domain Credentials is an identical process for the two roles, except for checking which group the user is a member of.

The authentication of the user and password is done using Kerberos, and will fall back to attempting NTLM if Kerberos fails. If authentication is successful, then the Freedom filer will confirm the user is a member of one or both of the groups above in the same manner that an SMB connection does. If authentication and membership succeed, then access to the Management UI is granted at the highest level that the user is a member of (e.g. if the user is a member of both, they are granted Admin level access).
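The decision described above (authenticate, then map group membership to an access level, highest level winning) is easy to get subtly wrong when both username formats and both groups are in play. The block below is an added example, not Panzura’s code: it parses both accepted username formats, resolves the WebUI role against a constructed directory snapshot, and checks that the two groups have the scope and type the page requires. The domain name is a placeholder, and treating a user from any other domain as having no access is an assumption of the example (the page does not describe trusted-domain behaviour).

```python
"""Resolve the Management UI access level from AD group membership.

Added example (not Panzura's code). Models the page's decision: after a
successful login, membership in priv_panzura_admins / priv_panzura_users
decides the level, and a member of both gets Admin. DIRECTORY is a
constructed snapshot; DOMAIN is a placeholder. Rejecting users from any
other domain is an assumption of this example, not documented behaviour.
"""
from typing import Optional

DOMAIN = "corp.example"          # placeholder

ADMIN_GROUP = "priv_panzura_admins"
USER_GROUP = "priv_panzura_users"

# Constructed snapshot: group -> scope, type, member sAMAccountNames (lower-case).
DIRECTORY = {
    ADMIN_GROUP: {"scope": "Global", "type": "Security", "members": {"alice"}},
    USER_GROUP: {"scope": "Global", "type": "Security", "members": {"alice", "bob"}},
    "helpdesk": {"scope": "DomainLocal", "type": "Distribution", "members": {"carol"}},
}


def parse_username(login: str) -> tuple:
    """Accept user@domain or domain\\user; return (domain, user), lower-cased."""
    if "@" in login:
        user, domain = login.rsplit("@", 1)
    elif "\\" in login:
        domain, user = login.split("\\", 1)
    else:
        raise ValueError("expected user@domain or domain\\user")
    if not user or not domain:
        raise ValueError("empty user or domain")
    return domain.lower(), user.lower()


def webui_role(login: str, directory=DIRECTORY) -> Optional[str]:
    """Return 'admin', 'user', or None for an already-authenticated login."""
    domain, user = parse_username(login)
    if domain != DOMAIN:
        return None   # assumption: only this domain's groups are consulted
    in_admins = user in directory.get(ADMIN_GROUP, {}).get("members", ())
    in_users = user in directory.get(USER_GROUP, {}).get("members", ())
    if in_admins:
        return "admin"        # highest level held wins, even if also in users
    if in_users:
        return "user"
    return None               # authenticated but not authorized for the UI


def misconfigured_groups(directory=DIRECTORY) -> list:
    """Groups missing, or not set to scope Global and type Security as required."""
    return sorted(
        g for g in (ADMIN_GROUP, USER_GROUP)
        if g not in directory
        or directory[g].get("scope") != "Global"
        or directory[g].get("type") != "Security"
    )


if __name__ == "__main__":
    for login in ("alice@corp.example", "CORP.EXAMPLE\\bob", "carol@corp.example"):
        print(login, "->", webui_role(login))
    print("misconfigured:", misconfigured_groups())
```

Note that the example only covers the authorization step; Kerberos with NTLM fallback, as the page describes, happens before `webui_role` is consulted, and a failed authentication never reaches it.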

Additional details for setting this up are on the AD Settings page of the Admin Guide: http://docs.panzura.com/7.1/Content/common/ADSettings.htm

You can configure your AD information in the Configuration Wizard. If configuring AD after you have completed the Configuration Wizard, navigate to the Management UI > Configuration > Active Directory > Active Directory Configuration. Enter the AD Domain information, then click the “SAVE” button:

To join the Active Directory domain that you configured, click “Join Active Directory Domain”, enter the required AD Administrator credentials and click the “JOIN” button:

You can see the result of the JOIN action:

To detach from the AD Domain, enter your AD Administrator credentials and click the “DETACH” button:

You can see the result of the DETACH action:

If you are joining through an Active Directory Read-Only Domain Controller (RODC), see Joining a Microsoft Active Directory Domain.