Deploy Security Connector

Depending on the hypervisor that you want to use for Security Connector, you can deploy Security Connector in these hypervisors or cloud platforms:

  • Microsoft Hyper-V
  • VMware ESXi hypervisor
  • Amazon Web Services (AWS) (beta)
  • Microsoft Azure (beta)

Deploy Security Connector on Microsoft Hyper-V

The ZIP file you downloaded contains these files:

  • PowerShell Utility Script: create-akamai-sc-vm.ps1

  • Virtual Hard Disk Image File: akamai-sc-<imageID>.vhd

    where <imageID> is the ID of the hard disk image file.

You can deploy Security Connector with the PowerShell utility script or manually with a virtual hard disk image file.

Create the Security Connector virtual machine with the PowerShell utility script

Before you begin

  1. Download Security Connector.

  2. Confirm that the folder you extracted contains the create-akamai-sc-vm.ps1 file.

You can use the PowerShell utility script to create the Security Connector VM.

📘

The PowerShell utility script is not supported with Microsoft Hyper-V on Windows Server 2008. If you plan to deploy Hyper-V on Windows Server 2008, use the virtual hard disk image file and deploy it manually. For instructions, see Manually create the Security Connector virtual machine with the hard disk image file.

To create the Security Connector VM with the PowerShell utility script:

  1. Open a PowerShell window.

  2. Type this command to execute the script:

    <path_to_unzipped_folder>/create-akamai-sc-vm.ps1

    where <path_to_unzipped_folder> is the path to the folder with the PowerShell script.

  3. If you see the "The script is not digitally signed. You cannot run this script on the current system" error message, complete these steps to set the execution policy to bypass.

    1. In the PowerShell window, enter this command:

      Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

    2. When prompted for confirmation, enter Y and press Enter.

  4. When prompted, enter the VM name, disk path, and virtual switch name. The VM is created.

  5. Open Hyper-V Manager.

  6. Select the VM and in the Actions menu, click Start. After starting the VM, in the Actions menu, click Connect to access the VM. It may take a few minutes for the machine to start. Ignore any errors that may appear while the VM boots.
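
A check to run before the execution-policy change in step 3, as an added example that is not part of the Akamai package or of this page: it reports the script's Authenticode status, download marker, and SHA-256 hash, and lists any Group Policy scope, which takes precedence over the process-scope setting. The folder path and the expected hash are placeholders; this page does not publish a hash, so the reference value must come from a source you trust.

```powershell
# Added example, not part of the Akamai package.
# $ScriptPath and $ExpectedSha256 are placeholders (assumptions): this page
# does not publish a hash, so the reference value must come from a trusted source.
$ScriptPath     = 'C:\akamai-sc\create-akamai-sc-vm.ps1'
$ExpectedSha256 = '<SHA256_FROM_TRUSTED_SOURCE>'

function Get-ScriptTrustReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Script not found: $Path"
    }

    # Authenticode state: 'NotSigned' corresponds to the error quoted in step 3.
    $signature = Get-AuthenticodeSignature -FilePath $Path

    # SHA-256 of the file as it sits on disk.
    $actualHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # The Zone.Identifier stream marks files saved by a browser or mail client.
    $zone = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

    # Execution policies set through Group Policy override -Scope Process.
    $gpoScopes = Get-ExecutionPolicy -List | Where-Object {
        ($_.Scope -in @('MachinePolicy', 'UserPolicy')) -and
        ($_.ExecutionPolicy -ne 'Undefined')
    }

    [pscustomobject]@{
        Path             = (Resolve-Path -LiteralPath $Path).Path
        SignatureStatus  = $signature.Status
        Sha256           = $actualHash
        HashMatches      = ($actualHash -eq $ExpectedHash)  # string -eq ignores case
        MarkedAsDownload = [bool]$zone
        GpoPolicyScopes  = @($gpoScopes | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" })
    }
}

$report = Get-ScriptTrustReport -Path $ScriptPath -ExpectedHash $ExpectedSha256
$report | Format-List

if (-not $report.HashMatches) {
    Write-Warning 'Hash mismatch: do not run the script. Download the package again.'
}
elseif ($report.GpoPolicyScopes.Count -gt 0) {
    Write-Warning ("Group Policy sets the execution policy ({0}); the process-scope change will not take effect." -f
        ($report.GpoPolicyScopes -join ', '))
}
else {
    # Same command as step 3: it applies to this PowerShell process only.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
    & $report.Path
}
```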

Next steps

Create a security connector password.

Manually create the Security Connector virtual machine with the hard disk image file

Before you begin

  1. Download Security Connector.

  2. Confirm that the folder you extracted contains the akamai-sc-<imageID>.vhd file, where <imageID> is the ID associated with the image.

You can manually deploy the Security Connector VM with the hard disk image file. These instructions apply to Microsoft Hyper-V on Windows Server 2016. These steps may vary on other versions of Windows or Windows Server.

📘

The virtual hard disk image file that's used to create the virtual machine is the hard disk drive for the virtual machine. Therefore, the changes you make to the virtual machine are saved to the hard disk or the image file. If you need to create a new Security Connector virtual machine, make sure you download a new image file.

To manually create the Security Connector VM with the hard disk image file:

  1. Open Hyper-V Manager.

  2. Select the computer or local server where you're deploying the VM.

  3. In the Actions menu, select New > Virtual Machine.

  4. Review the Before You Begin content and click Next.

  5. In the Specify Name and Location window, enter a name for the VM and click Next.

  6. In the Assign Memory window, enter 2048 in the Startup Memory field and click Next.

  7. In the Configure Networking window, select the virtual switch that you want from the Connection menu, and click Next.

  8. In the Connect Virtual Hard Disk window, complete these steps:

    1. Select Use an existing virtual hard disk option and click Browse.

    2. Browse to the akamai-sc-<imageID>.vhd file, where <imageID> is the ID associated with the virtual hard disk image file.

    3. Click Open.

    4. Click Next.

  9. Review the summary with the details you selected for the VM. Click Finish.

  10. Modify the number of virtual processors:

    1. Select the VM that was created in step 9 and in the Actions menu, click Settings.

    2. In the Hardware menu, select Processor.

    3. In the Number of virtual processors field, enter 2 and click Apply.

  11. Update the network adapter settings:

    1. In the Hardware menu, click Add Hardware.

    2. Select Network Adapter and click Add.

    3. Select the network adapter you added.

    4. Select the virtual switch. Depending on your network topology, this may be the switch you added in step 7.

    5. Click Apply and then click OK.

  12. Select the VM and in the Actions menu, click Start. After starting the VM, in the Actions menu, click Connect to access the VM. It may take a few minutes for the machine to start. Ignore any errors that may appear while the VM boots.

Next steps

Create a security connector password.

Deploy Security Connector on VMware ESXi

Before you begin

  1. Download Security Connector.

  2. Enable the Bridge Protocol Data Unit (BPDU) Filter on your ESXi host. For more information, see Enable the BPDU Filter.

  3. Make sure the OVA file is located on your local computer.

This procedure uses the vSphere client. For more information on deploying an OVA file, or if you choose to create a new VM from the OVA file, see the VMware product documentation.

To deploy the Security Connector OVA file in VMware:

  1. Log in to the vSphere client.

  2. Right-click the data center or resource pool that you want to use for the VM.

  3. Click Deploy OVF Template. A wizard appears.

  4. On the Select an OVF template window, select Local file and click Browse to find the Security Connector OVA file. After you find it, click Open and then Next.

  5. In the Virtual machine name field, enter a unique name for the VM.

  6. Select a location for the VM and click Next.

  7. Review the template details and click Next.

  8. Select the disk format for the VM, the storage policy, and the datastore for the VM. Click Next.

  9. Select a destination network for each source network. Click Next.

  10. Review the settings you selected. Click Finish.

Next steps

Create a security connector password.

Enable the BPDU Filter

Make sure you enable the Bridge Protocol Data Unit (BPDU) Filter on the ESXi host to prevent a denial of service attack scenario. A BPDU filter blocks BPDU packets that can be transmitted from the VM to a switch. Malicious BPDUs can cause loops in the network and result in switch ports going down. For more information about this feature, see Understanding the BPDU Filter feature in vSphere.

Steps may vary depending on your version of vSphere.

To enable the BPDU filter:

  1. If you are using the vSphere web client, complete these steps:

    📘

    These steps apply to vSphere ESXi 6.5.

    1. Click the host for the Security Connector in the inventory.
    2. In the navigation menu, click Manage.
    3. Under System, click Advanced settings.
    4. In the Filter that appears to the right of the page, enter BPDU. The Net.BlockGuestBPDU setting appears.
    5. Select the Net.BlockGuestBPDU key and click Edit option.
    6. Enter 1 as the new value.
    7. Click Save.
  2. If you are using the vSphere client, complete these steps:

    1. Open the vSphere client.
    2. Go to the Hosts and Clusters view.
    3. Select the host for the Security Connector in the inventory tree.
    4. Click the Configure tab.
    5. Select System > Advanced System Settings.
    6. Click Edit.
    7. Select the Net.BlockGuestBPDU setting and enter 1 as the value.
    8. Click OK.
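
The same setting can be audited across several hosts from PowerShell, shown here as an added example that is not part of this page's procedure. It assumes VMware PowerCLI is installed and a Connect-VIServer session is already open; the function names Get-BpduFilterState and Set-BpduFilter are hypothetical.

```powershell
# Added example (not from the Akamai documentation). Assumes VMware PowerCLI
# and an open vCenter or ESXi session created with Connect-VIServer.
# Get-BpduFilterState and Set-BpduFilter are hypothetical helper names.

function Get-BpduFilterState {
    param([string]$HostName = '*')
    foreach ($vmHost in Get-VMHost -Name $HostName) {
        $setting = Get-AdvancedSetting -Entity $vmHost -Name 'Net.BlockGuestBPDU'
        [pscustomobject]@{
            VMHost    = $vmHost.Name
            Value     = $setting.Value
            # The procedure above sets the value to 1 to enable the filter.
            Compliant = ([int]$setting.Value -eq 1)
        }
    }
}

function Set-BpduFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)
    foreach ($name in $HostName) {
        $setting = Get-AdvancedSetting -Entity (Get-VMHost -Name $name) -Name 'Net.BlockGuestBPDU'
        if ([int]$setting.Value -eq 1) { continue }   # already enabled
        if ($PSCmdlet.ShouldProcess($name, 'Set Net.BlockGuestBPDU to 1')) {
            $setting | Set-AdvancedSetting -Value 1 -Confirm:$false | Out-Null
        }
    }
}

# Report every host, then preview the change on hosts where the filter is off.
$state = Get-BpduFilterState
$state | Format-Table -AutoSize

$nonCompliant = @($state | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Set-BpduFilter -HostName $nonCompliant.VMHost -WhatIf
}
```

Remove -WhatIf to apply the change, then run Get-BpduFilterState again to confirm that every host reports 1.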

Prepare for Security Connector deployment on a cloud platform

Before you deploy Security Connector on Amazon Web Services (AWS) or Azure, you need:

  • An SSH Key Pair. To access Security Connector with SSH, you need an existing SSH key or you'll have to generate a new key pair in AWS or Azure. You associate the key pair to the Security Connector VM or instance.

  • Two network interfaces. By default, Azure and AWS have a network interface. However, you have to create another network interface.

  • An instance that meets virtual machine requirements. Make sure the instance you create in these cloud platforms meets virtual machine requirements. For more information, see Virtual machine requirements.

  • Inbound and Outbound Access. If you want administrators to access Security Connector through a public IP address, you have to allow these ports and protocols in your firewall:

    • Allow inbound access to TCP port 22 for SSH connections.

    • Allow outbound access to the Internet.

    • The public IP address that you will configure for the Security Connector.

      For the Security Connector data path (en1 interface), you must also allow TCP and UDP port 53. For a complete list of network requirements, see Network requirements.

  • Security Connector 3.3.0 image file. Contact your Akamai representative to have Akamai share the image file to your Azure and AWS account.

Deploy Security Connector on Amazon Web Services (AWS)

These are the high-level steps that are required to deploy a Security Connector image on Amazon Web Services (AWS).

The process outlined in these procedures is for the AWS user interface only. To use the command line for these operations, see the AWS documentation.

  1. Launch an instance with a Security Connector image

  2. Create and attach an additional network interface

  3. If you want to use a public IP address to access Security Connector, you can associate an elastic IP address to the network interface. For instructions, see Associate an elastic IP address to the network interface.

📘

Security Connector deployments on AWS are currently in beta.

Launch an instance with a Security Connector image

Complete this procedure to launch an instance in the EC2 console with the Security Connector image. For more information, see the AWS documentation.

Before you begin:

  • If you don’t have an SSH key that you want to use for this instance, make sure you create an SSH key. For instructions, see Create an SSH key pair in AWS.
  • Make sure you contact your Akamai representative to have Akamai share the image file to your AWS account as a Community AMI.

To set up Security Connector with AWS:

  1. Log in to the AWS Management Console.

  2. Select your region.

  3. On the landing page, search and select the EC2 service. The Amazon EC2 console appears.

  4. From the navigation menu, select Instances > Instances.

  5. Click Launch instance.

  6. In the Name field, enter a name for the instance.

  7. Under Application and OS images, click Browse More AMIs.

  8. Click Community AMIs and find the Security Connector image file. Click Select.

  9. For the instance type, select t2.medium or an instance type that meets the needs of your network.

  10. Under Key pair (login), select an SSH key pair. To generate an SSH key, see Create an SSH key pair in AWS.

  11. Under network settings, select a VPC, subnet, and a security group.

  12. Click Launch instance.

Next Steps:

  1. Stop the instance that you created:

    1. In the navigation menu, select Instances.

    2. Select the instance that you created.

    3. In the Actions menu, select Instance State > Stop.

  2. Create and attach an additional network interface

Create and attach an additional network interface

Complete this procedure to create and attach an additional network interface. This is the network interface that you attach to the Security Connector instance. For more information on this operation, see the AWS Documentation.

Before you begin:
Launch an instance with a Security Connector image

To create and attach an additional network interface:

  1. In the EC2 navigation menu, select Network & Security > Network Interfaces.

  2. Click Create network interface.

  3. In the Create Network Interface dialog, do the following:

    1. Enter a description for the instance.

    2. In the Subnet menu, select the subnet where you want the network interface created.

    3. Select security groups.

    4. Click Create new interface.

  4. Attach the Security Connector EC2 instance to the network interface you created:

    1. On the Network interface page, select the network interface that you created.

    2. Click the Actions menu and select Attach.

    3. Select the Security Connector EC2 instance and click Attach.

Next Steps:

If you want to access Security Connector with a public IP address, see Associate an elastic IP address to the network interface.

Associate an elastic IP address to the network interface

After you attach the Security Connector instance to the network interface you created, you can associate an elastic IP address to the network interface. An elastic IP address allows you to use a public IP address to access Security Connector.

For more information on this task, see the AWS documentation.

Before you begin:
Create and attach an additional network interface

To associate an elastic IP address to the network interface:

  1. Go to the Amazon VPC console:

    1. In the search bar of the AWS Management Console, enter VPC.

    2. In the search results, select VPC.

  2. In the navigation menu, select Virtual private cloud > Elastic IPs.

  3. Allocate elastic IP addresses:

    1. Click Allocate Elastic IP address.

    2. For the Public IPv4 address pool, select the pool of IP addresses that you prefer.

    3. Click Allocate.

  4. Select an IP address that you allocated.

  5. In the Actions menu, select Associate Elastic IP address.

  6. In the dialog that appears, select Network interface as the resource type and then select the interface that you created.

  7. Click Associate.

Next Steps:

  1. Start the instance:

    1. In the EC2 console, select Instances from the navigation menu.

    2. Select the Security Connector instance that you created.

    3. In the Actions menu, select Instance State > Start.

  2. Wait for 10 minutes.

  3. Use your SSH key to access the Security Connector console. In your command line or terminal, enter this command:

    ssh -i </path/to/ssh/key> admin@<Elastic_IP>

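    where:

    • </path/to/ssh/key> is the file path to the SSH key.
    • <Elastic_IP> is the elastic IP address of the network interface.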

If you are unable to reach Security Connector, it is possible that the en2 interface is mapped to the default interface, not the interface that you created. If that’s the case, you must assign the elastic IP address to the other interface. For instructions, see Disassociate the elastic IP address and associate it to a new interface.

Disassociate the elastic IP address and associate it to a new interface

If you’re unable to access Security Connector with the elastic IP address of the network interface, it’s possible that the Security Connector en2 interface was attached to the incorrect network interface, for example, the interface that’s included with AWS by default.

To disassociate the elastic IP address and associate it to a new interface:

  1. In the EC2 console, select the Networking tab.

  2. Go to the Network Interfaces area and take note of the elastic IP address.

  3. Click the Allocated IPv4 address.

  4. In the Actions menu, select Disassociate Elastic IP address.

  5. Click Associate Elastic IP Address.

  6. In the dialog that appears:

    1. For the Resource Type, select Network interface.

    2. Search for the network interface that you created in Create and attach an additional network interface.

    3. Click Associate.

Create an SSH key pair in AWS

If you would like to create an SSH key pair that you use to log in to the Security Connector instance, complete this procedure. For detailed instructions, see Create a key pair in the AWS documentation.

To create an SSH key pair:

  1. Log in to the AWS Management Console.

  2. Select your region.

  3. On the landing page, search and select the EC2 service. The Amazon EC2 console appears.

  4. In the navigation menu, select Key Pairs.

  5. Click Create Key Pair.

  6. In the dialog that appears:

    1. Enter a name for the key.

    2. For the File Format, select the format that you want to use for the private key. If you plan to use OpenSSH, select pem. If you plan to use PuTTY, select ppk.

    3. Click Create key pair. The private key is automatically downloaded to your browser. Store the private key file in a secure location.

  7. If you plan to use an SSH client on macOS or a Linux computer, make sure you apply a permission to the private key file to ensure that other users can’t view it:

    1. In a terminal, change directories to the location of the private key file.

    2. Enter this command:

      chmod 400 <key.name>.pem

      where <key.name> is the name of the key file.

Deploy Security Connector on Microsoft Azure

Complete these high-level steps to deploy Security Connector on Microsoft Azure.

The process outlined in these procedures is for the Azure user interface only. To use the command line for these operations, see the Azure documentation.

To deploy Security Connector on Azure:

  1. Create a virtual machine in Azure

  2. Create a network interface

  3. Attach the network interface to the virtual machine

📘

Security Connector deployments on Azure are currently in beta.

Create a virtual machine in Azure

Complete this procedure to create a VM in Azure. For more information on creating and managing virtual machines in Azure, see the Microsoft Azure documentation.

Before you begin:

Contact your Akamai representative to have Akamai share the Security Connector image file with your organization’s Azure account.

To create a VM in Azure:

  1. Log in to the Azure portal.

  2. In the search field, search for virtual machines and select Virtual Machines from the search results.

  3. Click Create > Azure virtual machine.

  4. In the subscription field, enter the ID for your subscription. To find this ID, see Get subscription and tenant IDs in the Azure Portal.

  5. In the Resource group field, enter a name for the resource group.

  6. In the Instance details section, complete these steps:

    1. In the Virtual machine name field, enter a name for the virtual machine.

    2. In the region field, select a region.

    3. In the Availability Zones, select a zone.

    4. In the image menu, select the Security Connector image file. If the image file is not available in the drop-down menu, click See all images.

    5. Under Community Images (PREVIEW), find the Security Connector image that Akamai shared with your region, and select it.

    6. In the Size menu, select Standard_B2s - 2 vcpus, 4 GiB memory or any setting that meets the requirements for Security Connector. For information on setup requirements, see Setup and virtual machine requirements.

  7. In the Administrator account section, complete these steps:

    1. For Authentication type, select SSH public key.

    2. In the Username field, leave it with the default setting.

      📘

      When you use SSH to access the Security Connector, you must enter admin as the username.

    3. In the SSH public key source menu, you can use an existing key stored in Azure, any public key, or you can generate a key pair.

    4. If you selected to generate a key pair, in the dialog that appears, enter the name of the key pair.

  8. In the Inbound port rules section, configure the public inbound ports that are required for the en1 and en2 interface.

    📘

    For SSH connections, allow TCP port 22.

  9. In the Licensing section, select Other.

  10. Click Next: Disks.

  11. Click Next: Networking.

  12. In the Network tab, complete these steps:

    1. In the Virtual network menu, select your virtual network.

    2. In the Subnet, select a subnet.

    3. In the Public IP field, select a new IP or an existing IP.

    4. For the NIC network security group, select Advanced.

    5. In the Configure network security group, select a network security group. To create a new group, click Create new.

  13. Click Review + create.

  14. After the VM is validated, click Create.

Next Steps

  1. If you selected to generate a new key, the Generate new key pair window appears. Click Download private key and create resource. The key file is downloaded from your browser and is given the name that you assigned in step 7.

  2. Stop the virtual machine:

    1. In the Azure Portal, go to the list of virtual machines.

    2. Select the name of your VM.

    3. Click Stop and then click OK in the dialog to confirm the action.

  3. Create a network interface

Create a network interface

Complete this procedure to add a new interface to the Security Connector virtual machine. For more information, see the Microsoft Azure documentation.

Before you begin:
Create a virtual machine in Azure

To add a network interface:

  1. In the navigation menu, select Networking.

  2. Click Attach network interface and then click Create and attach network interface.

  3. Select a resource group.

  4. In the Network interface section, complete these steps:

    1. Enter a name for the interface.

    2. In the Subnet field, select a subnet.

    3. For the NIC network security group, select Advanced.

    4. Configure inbound ports that are required for the en1 and en2 interface.

    📘

    For SSH connections, allow TCP port 22.

  5. Click Create.

Next Steps:

Attach the network interface to the virtual machine

Attach the network interface to the virtual machine

Complete this procedure to attach the network interface to the Security Connector virtual machine.

Before you begin:
Make sure that you have created a virtual machine and a network interface. For instructions, see Create a virtual machine in Azure and Create a network interface.

To attach a network interface to the VM:

  1. In the navigation menu, select Networking.

  2. Click Attach network interface.

  3. In the dialog, select the network interface that you created, and click OK.

Next Steps:

  1. Start the virtual machine.

    1. Return to the virtual machine you created.

    2. Click the name of it.

    3. Click Start.

  2. Wait for 10 minutes.

  3. Use your SSH key to access the Security Connector console. In your command line or terminal, enter this command:

    ssh -i </path/to/ssh/key> admin@<NIC-public-IP>

    where:

    • </path/to/ssh/key> is the file path to the SSH key.
    • <NIC-public-IP> is the public IP address of the network interface.

If you are unable to reach Security Connector, it is possible that the en2 interface is mapped to the default interface that’s associated with the virtual machine, not the interface that you created. If that’s the case, you must detach the current interface and attach the correct interface to the virtual machine. For instructions, see Attach another interface to the virtual machine.

Attach another interface to the virtual machine

If you’re unable to access Security Connector with the public IP address of the network interface, it’s possible that the virtual machine was attached to the en2 interface. For example, the interface that’s included with the virtual machine by default. Perform this procedure to detach the network interface and attach the interface that you created to the virtual machine.

To attach another interface to the virtual machine:

  1. In the Azure Portal, search for the name of the virtual machine and select the name of the VM.

  2. In the VM Overview area, click Stop.

  3. Click OK to confirm that you want to stop the virtual machine.

  4. In the navigation menu, select Networking.

  5. Click the public IP address for NIC Public IP.

  6. Click Disassociate. A dialog appears asking if you want to disassociate the public IP.

  7. Click Yes.

  8. Associate a public IP address to the interface you created in Create a network interface.

    1. Click Associate.

    2. In the Resource type menu, select Network Interface.

    3. Select the network interface.

  9. Detach network interface:

    1. Return to the Networking page and click Detach network interface.

    2. Select the interface that is included with the VM by default.

    3. Click OK.

  10. Reattach the network interface:

    1. Select the interface that you detached in step 9.

    2. Click OK.

  11. In the VM Overview area, click Start.