Luminate Connectors are an essential element in the BeyondCorp-like Zero Trust access to corporate services and applications. These are the components that allow delivering secure access to corporate applications and services from any device located anywhere without the complexity of partitioning networks, deploying VPN gateways or Endpoint Agents.
Simply put, Luminate Connectors need to be deployed in the datacenters hosting the corporate resources (on-premises or in the cloud) and they provide connectivity to corporate resources located in those datacenters. For details about the Luminate Secure Access Cloud (TM) architecture, please refer to this article.
When accessing corporate applications and services hosted in Amazon Web Services, Luminate Connectors deployed in the customers' AWS environments require compute and networking resources in order to function. Deploying connectors on AWS EC2 Spot Instances saves on compute costs and allows potentially greater scalability. Using Spotinst Elastigroups or Container Management Services, an organization can guarantee a durable connectivity service to its applications and services, while achieving a dramatic reduction in EC2 compute costs for the connectivity infrastructure.
This article explains how to deploy Luminate Connectors on Spot Instances using Spotinst Elastigroups.
The following diagram depicts the system architecture:
In the diagram above, connectivity to the customer's application infrastructure and resources is provided by Luminate Connectors that run on EC2 Spot Instances. Because Spot Instances can be terminated at any time, a Spotinst Elastigroup constantly orchestrates them, both to guarantee continuous connectivity and to match the machine size to the required load. The identity of each connector is stored on a persistent EBS Volume, so the machine size can be changed while the Connector that uses that identity is preserved.
In order to configure the above architecture, the following steps need to be completed:
- Define Connectors in the Luminate Admin Portal
- Configure Spotinst Elastigroup to run a number of Spot Instances with persistent EBS Volumes
- Run the Connectors on the Spot Instances, configuring persistent storage for Container identity
Step I - Define Connectors in the Luminate Admin Portal
For each availability zone we need to define a dedicated Luminate Connector. Step-by-step instructions for defining connectors in the Luminate Admin Portal can be found in this article. (If following the steps in that article, skip the part that runs the command on the Linux servers; the next steps here replace it.)
Before proceeding to the next step, the "run command" for each defined connector should be collected and stored. The command should look like the following:
Step II - Configure Spotinst Elastigroup
A detailed procedure for defining an Elastigroup in Spotinst can be found in this article. When configuring the Elastigroup, the following points should be taken into consideration:
- Image - Any Linux OS that supports running Docker Containers can be chosen.
- Advanced Settings --> Stateful configuration - Described in detail in this guide. You need to choose whether to store the Connector identity store (described in the next step) on the Root Volume or on the Data Volume of the machines, and configure the relevant volume for persistence, so that it survives Spot Instances being destroyed and re-created.
Step III - Run the Connectors on the Spot Instances
There are a number of options for making sure that a launched EC2 Spot Instance initiates the Luminate Connector service:
- Configure the command that runs the service in User Data for the instances, as described in detail in this guide
- Run the command manually, registering the service for automatic restart. For that, an administrator needs to connect to the instance using a Key Pair defined when creating an Elastigroup and run the command manually. Re-initialized and re-launched instances will load a Docker Service configuration from the persistent root volume (this method requires persistent root volume) and will run it automatically.
No matter which method is used, the following parameters (--volume and -e STORAGE_PATH) should be added to the command that launches the Connector service, i.e., the collected run command becomes:
sudo docker run -e SERVER_POD_URI='wss://luminate-ws.XXXXXX.luminatesec.com' \
-e CMS_URL='https://internal.XXXXX.luminatesec.com' \
-e TENANT_IDENTIFIER='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
-e HTTPS_SKIP_CERT_VERIFY='true' \
-e OTP='XXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
--volume /path/on/persistent/volume:/path/inside/connector \
-e STORAGE_PATH='/path/inside/connector/CONNECTORNAME_storage' \
The purpose of these two parameters is as follows:
- --volume - As described in the docker run reference, this option instructs Docker to map a location on the host (i.e., the EC2 Spot Instance) into the container (running the Luminate Connector). The host path should be located on the persistent volume chosen in the Advanced Settings of the Spotinst Elastigroup, so that it remains intact across re-initialized Spot Instances.
- -e STORAGE_PATH - Once the above directive is provided to the Docker engine, the Luminate Connector needs to be instructed to initialize (and later use) its identity in the location inside the container that is mapped to the persistent volume. The mapping is for a directory, whereas the identity is stored in a single file inside that directory (the STORAGE_PATH environment variable contains a full file name). The file name should be unique for each connector (it is recommended to correlate it with the connector name).
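As an added example (not Luminate's or Spotinst's own code), the following User Data skeleton assembles the docker run line from Steps II and III for one connector and refuses to launch when STORAGE_PATH would fall outside the directory mapped by --volume, which is the case in which the identity would die with the container layer on the next Spot replacement. The mount point /data, the connector name and IMAGE_FROM_RUN_COMMAND are assumed placeholders; the credentials (-e OTP and friends) are expected to come from the run command collected in Step I.

```shell
#!/bin/sh
# Added example, not code from Luminate or Spotinst. Assumed values: PERSIST_MOUNT is
# where the Spotinst stateful configuration mounts the persistent volume; IMAGE_AND_ARGS
# is a placeholder for the rest of the run command collected in Step I.
PERSIST_MOUNT="${PERSIST_MOUNT:-/data}"
CONNECTOR_NAME="${CONNECTOR_NAME:-connector-eu-west-1a}"   # one connector per availability zone
CONTAINER_DIR="/path/inside/connector"                      # container side of --volume (from the article)
HOST_DIR="$PERSIST_MOUNT/luminate"                          # host side of --volume, on the persistent volume
IMAGE_AND_ARGS="${IMAGE_AND_ARGS:-IMAGE_FROM_RUN_COMMAND}"  # placeholder, see Step I

# STORAGE_PATH is a full file name, unique per connector, inside CONTAINER_DIR.
storage_path_for() {
  printf '%s/%s_storage\n' "$CONTAINER_DIR" "$1"
}

# Returns 0 only if the file path is strictly inside the mapped directory and
# contains no ".." component, so the identity file really lands on the persistent volume.
path_is_inside() {   # $1 = file path, $2 = mapped directory
  case "$1" in
    "$2"/*) case "$1" in */../*|*/..) return 1 ;; esac; return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the docker run command for one connector; fails (status 1) when the
# STORAGE_PATH derived from the connector name would escape the mapped directory.
build_run_cmd() {   # $1 = connector name
  sp="$(storage_path_for "$1")"
  path_is_inside "$sp" "$CONTAINER_DIR" || return 1
  printf 'docker run -d --restart unless-stopped --name %s --volume %s:%s -e STORAGE_PATH=%s %s\n' \
    "$1" "$HOST_DIR" "$CONTAINER_DIR" "$sp" "$IMAGE_AND_ARGS"
}

# Entry point for User Data: create the host directory on the persistent volume and launch.
main() {
  mkdir -p "$HOST_DIR"
  cmd="$(build_run_cmd "$CONNECTOR_NAME")" || { echo "refusing to launch: STORAGE_PATH outside mapped dir" >&2; exit 1; }
  echo "launching: $cmd"
  sh -c "$cmd"
}

# Set LUMINATE_LAUNCH=1 in the User Data environment to actually run main.
[ -n "${LUMINATE_LAUNCH:-}" ] && main
```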
Upon launching the instances, the connector status in the Luminate Admin Portal should change from Unregistered to Online.