Install from AWS Marketplace

A Shortcut to GRAX Success

This article documents the fastest, easiest method for installing your own GRAX environment in an AWS account. There are several points of divergence in the steps; at each one, the available options are clearly laid out. If you have any questions, please reach out to a GRAX representative or [email protected].

AWS Account Identification / Creation

GRAX runs inside an account controlled and owned by your business. As such, identifying or creating the account is the first step. You'll need high-level or admin access to the chosen account throughout the process of installing GRAX. We recommend that this account be separated from the rest of your AWS network simply to provide your team with a clear demarcation between GRAX resources and other parts of your infrastructure. It can also simplify access and auditing conversations.

DNS and Domain Registration

NOTE: If you are meeting with a GRAX Engineering or Sales representative to perform a POC, Trial, Sandbox, or Production installation, you must complete this step first.

Your GRAX app will run at a publicly available domain/endpoint by default. Regardless of the filtering on the endpoint, this requires that the Load Balancer be associated with a registered domain and given a matching certificate. You have an option here:

  1. Register a domain in Route 53, create a hosted zone, and connect the ALB to it (GRAX creates Cert).
  2. Register a domain elsewhere, create a hosted zone, delegate DNS, and connect the ALB to it (GRAX creates Cert).

Anything other than these options requires that you build and provide your own ALB, which GRAX will not help build or support. We highly recommend against this.

Marketplace

Prior to installing the GRAX AWS template, please ensure that you have communicated with the GRAX Sales Team. If you have not, please contact them at [email protected]; they can assist you through the AWS Marketplace experience to ensure that you have been provided a GRAX License for your installation. This is necessary to ensure that there is no disruption with your GRAX application once installed.

CloudFormation

Now that you've secured a license and been sent into the CloudFormation interface, it's time to actually provision some infrastructure. We'll go one parameter at a time down the list and provide examples for when each parameter is needed.

The single most important step here is ensuring you're logged into the correct AWS account. Clicking the install/deploy links will assume the account that you were last using. This may not be correct for your use case. Double-check your account before proceeding.

Parameters

Create a new VPC?

Unless you are bringing a custom stand-alone VPC/networking stack to your GRAX install, set this to True.

Create a new Load Balancer?

Unless you are bringing a custom stand-alone ALB stack to your GRAX install, set this to True.

Create a new Web Application Firewall?

Unless you are bringing a custom stand-alone WAF, doing custom network filtering, or don't want filtering at all, set this to True.

VPC CIDRs and Subnet CIDRs (7 Parameters)

If you chose "True" for the "Create a new VPC?" option above, specify a "/16" CIDR for the VPC and unique "/24" CIDRs for the subnets in the CIDR parameter fields. Else, keep empty.

VPC ID and Subnet IDs (7 Parameters)

If you chose "False" for the "Create a new VPC?" option above, specify the ID of your custom stand-alone VPC and the IDs of your custom subnets in the ID parameter fields. Else, keep empty.

Hosted Zone ID

If you chose option 1 or 2 in the "DNS and Domain Registration" section above, enter the ID of the created hosted zone in this field. It will take a form like Z090403712WK0R7BCGET5. Else, keep empty.

Domain Name

If you chose option 1 or 2 in the "DNS and Domain Registration" section above, this value must be a subdomain of the hosted zone's domain. This means that if your hosted zone's domain is "graxcustomer.com", valid values here would be of the form:

  • uat.graxcustomer.com
  • uat.grax.graxcustomer.com
  • prod.grax.graxcustomer.com

If you did not choose option 1 or 2 in the "DNS and Domain Registration" section above, your value here must be a subdomain of whatever domain you registered elsewhere.

Load Balancer Access Scheme

If you chose "False" for the "Create a new Load Balancer?" option above, leave this blank. Else, set this value to "internet-facing" unless you have discussed an internal-only ALB access scheme with a GRAX engineer.

Load Balancer Ingress Security Group CIDR

This value controls what IP ranges can talk to the load balancer.

If you chose "False" for the "Create a new Load Balancer?" option above, leave this blank. Else, set this value to 0.0.0.0/0 unless you have strict requirements against it. This is usually only used with an "internal" access scheme. For general traffic filtering, see the WAF configuration options below.

Client-Side IPs

Several features of the GRAX application/service rely on user-client traffic directly talking to application endpoints. This means that the IPs of your end users must be able to reach the Load Balancer. If you have a limited network segment (VPN) which all of your users utilize for network access, you can add CIDR ranges here to allow them while removing "public" access. If left blank, public access is allowed on several endpoints which are otherwise secured (token-based auth, etc.).

If you chose "False" for the "Create a new Web Application Firewall?" option above, leave this blank; it will not affect your custom filtering.
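
A pre-flight check for the VPC/Subnet CIDR, Domain Name, and Client-Side IPs values described above, run before pasting them into the stack form. This is an added example, not GRAX code; the function and argument names are hypothetical because the template's real parameter keys are not shown on this page, and the sample values are constructed.

```python
import ipaddress

# Argument names are hypothetical; the template's real parameter keys are not on this page.
def check_network(create_vpc, vpc_cidr="", subnet_cidrs=(), vpc_id="", subnet_ids=()):
    """VPC fields: CIDRs when creating a VPC, IDs when reusing one."""
    if not create_vpc:
        out = ["CIDR fields must be empty"] if vpc_cidr or any(subnet_cidrs) else []
        if not vpc_id or not subnet_ids or not all(subnet_ids):
            out.append("VPC ID and subnet IDs are required")
        return out
    out = ["ID fields must be empty"] if vpc_id or any(subnet_ids) else []
    try:
        vpc = ipaddress.ip_network(vpc_cidr)
        nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    except ValueError as exc:  # malformed CIDR, or host bits set
        return out + [f"invalid CIDR: {exc}"]
    if vpc.prefixlen != 16:
        out.append(f"VPC {vpc} is not a /16")
    for i, net in enumerate(nets):
        if net.prefixlen != 24:
            out.append(f"subnet {net} is not a /24")
        if net.version != vpc.version or not net.subnet_of(vpc):
            out.append(f"subnet {net} is outside {vpc}")
        if any(net.overlaps(o) for o in nets[:i]):
            out.append(f"subnet {net} overlaps an earlier subnet")
    return out

def check_domain(domain_name, zone_domain):
    """Domain Name must sit under the zone's domain; the apex is rejected (assumption)."""
    d, z = domain_name.lower().rstrip("."), zone_domain.lower().rstrip(".")
    ok = d.endswith("." + z) and len(d) > len(z) + 1
    return [] if ok else [f"{d} is not a subdomain of {z}"]

def check_client_ips(create_waf, client_ips):
    """Client-Side IPs: blank without the GRAX WAF; blank with it leaves public access."""
    if not create_waf:
        return ["Client-Side IPs must be blank when no WAF is created"] if client_ips else []
    if not client_ips:
        return ["Client-Side IPs blank: some endpoints stay public (token auth)"]
    wide = [c for c in client_ips if ipaddress.ip_network(c).prefixlen == 0]
    return [f"{c} allows every address" for c in wide]

if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    subnets = ["10.20.0.0/24", "10.20.1.0/24", "10.20.1.128/25", "10.21.0.0/24"]
    for finding in (check_network(True, "10.20.0.0/16", subnets)
                    + check_domain("uat.graxcustomer.com", "graxcustomer.com")
                    + check_client_ips(True, [])):
        print("FINDING:", finding)
```

The domain check compares on a leading dot so that a look-alike name such as uat.notgraxcustomer.com is not accepted as a subdomain of graxcustomer.com.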

Load Balancer

If you chose "False" for the "Create a new Load Balancer?" option above, enter the ARN of your custom stand-alone Load Balancer here. Else, leave blank.

Ingress / Egress Security Group

This optional security group can help manage which network devices can communicate with the EC2 instance and which devices the EC2 instance can communicate with. Keep in mind that misconfigurations will affect service availability. If you choose to use it, enter the ID of the chosen Security Group. Else, leave blank.

Load Balancer Security Group

If you chose "False" for the "Create a new Load Balancer?" option above, enter the ID of a Security Group that allows the ALB to communicate with the EC2 instance. Else, leave blank.

Target Group

If you chose "False" for the "Create a new Load Balancer?" option above, enter the ARN of a target group which EC2 instances will be associated with. Else, leave blank.

Database Version

Do not modify.

Database Instance Type

Do not modify. Can be scaled later for performance if needed. Current default: db.t3.medium

Database Password, Snapshot ID (2 Parameters)

These fields are only required if performing a database snapshot restore in case of migration or incident recovery. Do not set during install.

Database KMS Key

If using BYOK KMS for RDS/DB, enter the ARN of your KMS key here.

Enable S3 Endpoint

If "False", you must provision your own S3 endpoint and route table or S3 traffic will exit the VPC on the way to storage. Traffic is encrypted either way.

S3 Bucket Name

If set, bucket will take the given name. If blank, name is based on the stack name and concatenated with a random string. Must be globally unique.

S3 KMS Key

If using BYOK KMS for S3, enter the ARN of your KMS key here.

Environment Variables

Leave blank unless advised by GRAX Engineer.

EC2 Instance Type

Do not modify. Can be scaled later for performance if needed. Current default: m5.xlarge

EC2 Instance Volume Size

Do not modify. Can be scaled later for performance if needed. Current default: 500

Syslog URL

Leave blank. If interested in sending logs to GRAX, contact a GRAX representative.

IAM Policy and Role Prefixes (2 Parameters)

Prefixes an arbitrary value to the beginning of the IAM resource names for compliance with naming conventions.

HTTP Proxy Variables (3 Parameters)

If you require HTTP/HTTPS proxy support, set the HTTP Proxy, HTTPS Proxy, and No Proxy variables accordingly.

Go Branch

Do not modify.

Redeploy

Leave blank.

Template Branch

Do not modify.

Template Version

Do not modify.

Creation

Check the box at the bottom of the page to approve creation of custom-named IAM resources and click "Create Stack". Within 25 minutes your GRAX stack should be ready for operation.

Connection

Once you've installed the GRAX SFDC package, check the Outputs from the stack you created in CloudFormation. Navigate to the APIURL in your browser and add "/web" to the end; this is the GRAX web interface. Log in with your integration user, and check the bottom of the "settings" page for the "GRAX Tokens". These values need to be entered on the "Connection" tab of the GRAX package to connect SFDC -> App traffic.