How to securely deploy Docker EE on the AWS Cloud

Overview

This reference deployment guide provides the step-by-step instructions for deploying Docker Enterprise Edition on the Amazon Web Services (AWS) Cloud. This automation references deployments that use the Docker Certified Infrastructure (DCI) template which is based on Terraform to launch, configure and run the AWS compute, network, storage and other services required to deploy a specific workload on AWS. The DCI template uses Ansible playbooks to configured the Docker Enterprise cluster environment.

Docker Enterprise Edition has three main components: Docker Universal Control Panel (UCP), Docker Trusted Registry (DTR) and workers.

• UCP is an enterprise-grade cluster management solution from Docker that helps you manage your whole cluster from a single place. UCP includes the UCP controllers and UCP nodes. It provides the management plane for both Swarm and Kubernetes.

• DTR is the enterprise-grade image storage solution from Docker that helps you securely store and manage the Docker images you use in your applications. DTR is deployed in a three-node configuration that includes one DTR master and two DTR replicas.

• Worker nodes will be used for running the applications.

The standard DCI template didn’t follow the best security practices to deploy infrastructure in AWS. Capstone used the standard DCI template as the base version and modified the AWS related resource deployment section in Terraform to follow the best security and high availability design. Some of the changes are these:

• The DCI templates creates a VPC in AWS with only a public subnet. We have enhanced the Terraform templates to create both public and private subnets inside the VPC.
• The DCI template launches all EC2 instances on a public subnet and enables SSH and RDP access to the public. We don’t want these instances directly accessible from the Internet. Instead, we have enhanced the templates to launch the EC2 instances in the private subnet.
• Launched a Bastion Host in the public subnet which will allow access to public. This will be used for connecting to any EC2 running on the private subnet.
• The DCI template deploys the EC2 instance only in 2 availability zones (AZs). We have enhanced the DCI template to deploy manager and worker nodes in 3 AZs instead of 2 for high availability.
• By default, the DCI templates opens instance and ELB security groups to the public. Restricted all the public access to instances and only relevant ELB can connect to the instances. ELB security group rules are changed to allow public or specific CIDR range and instance security group rules are changed to allow only the ELB security group.
• We want to make sure the ELBs are only open to necessary and secure protocols. As a result, we modified the corresponding security groups to only allow HTTPS (TCP port 443) to the UCP and DTR instances and Kube API (6443) to the UCP instances
• After the changes the ELB security group opened to public or specific CIDR and Instances security groups is only opened for ELB security group.
• Depending on the requirement the ELB can be deployed internet facing or internal.
• DCI template was designed to deploy the cluster from your local machine or any deployment server and it needs direct access to all the nodes. After making all the security related changes it requires a Bastion host in the public subnet which will be used for running the Ansible playbooks for the Docker cluster in the private subnet.

Architecture

Before the changes to DCI

After the changes to DCI

Security Groups Design

Resources created in AWS

Deployment Steps

Step 1. Register for a Docker EE Trial License

Before you deploy the Quick Start, you must obtain a trial license for Docker EE.

• Create a Docker ID at https://hub.docker.com/register/ if you don’t already have one.
• Open the Docker EE trial page at https://store.docker.com/editions/enterprise/dockeree-trial and log in with your credentials.
• Fill out the registration form and choose Start Your Free Trial.
• On the next screen, download the license key

Step 2. Prepare an AWS Account

• If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions.
• Use the region selector in the navigation bar to choose the AWS Region where you want to deploy Docker EE on AWS.

Step 3. Prepare the environment to deploy the DCI template

•   Tools required.
  • Terraform
  • Ansible

Login to the AWS console and create a keypair under the EC2 service. Save the keypair’s private key.

Clone the DCI template. ( Currently DCI is available only to selected Docker Partners )

• Open aws\aws.auto.tfvars and customize the properties shown below.
  • Set key_name same as keypair name created in aws console.
  • Set private_key_path to the path of the downloaded private key.

Docker EE UCP and DTR after the deployment

Additional Resources

AWS services

• Amazon VPC
  • https://aws.amazon.com/documentation/vpc/
• Amazon EC2
  • https://aws.amazon.com/documentation/ec2/
• Amazon S3
  • https://aws.amazon.com/documentation/s3/
• Amazon EFS
  • https://aws.amazon.com/documentation/efs/

Docker

• Docker Enterprise Edition
  • https://www.docker.com/enterprise-edition
• Docker Universal Control Plane
  • https://docs.docker.com/datacenter/ucp/1.1/overview/
• Docker Trusted Registry
  • https://docs.docker.com/datacenter/dtr/2.4/guides/
  • https://docs.docker.com/datacenter/dtr/2.0/configure/configuratin/
• Best Practices for Docker Enterprise 17.06 on Amazon Web Services
  • https://success.docker.com/article/certified-infrastructures-aws

Need help ?

Do you need help with containers, cloud and/or DevOps? Capstone IT is here to help. We bring years of enterprise IT experience to help you with your digital transformations.

Vijay Thiyagarajan
Solutions Architect at Capstone