Deploy Security Connector

Depending on the hypervisor that you want to use for Security Connector, you can deploy Security Connector in these hypervisors or cloud platforms:

  • Microsoft Hyper-V
  • VMware ESXi hypervisor
  • Amazon Web Services (AWS)
  • Microsoft Azure

Deploy Security Connector on Microsoft Hyper-V

The ZIP file you downloaded contains these files:

  • PowerShell Utility Script: create-akamai-sc-vm.ps1

  • Virtual Hard Disk Image File: akamai-sc-<imageID>.vhd

    where <imageID> is the ID of the hard disk image file.

You can deploy Security Connector with the PowerShell utility script or manually with a virtual hard disk image file.

Create the Security Connector virtual machine with the PowerShell utility script

Before you begin

  1. Download Security Connector.

  2. Confirm that the folder you extracted contains the create-akamai-sc-vm.ps1 file.

You can use the PowerShell utility script to create the Security Connector VM.

📘

The PowerShell utility script is not supported with Microsoft Hyper-V on Windows Server 2008. If you plan to deploy Hyper-V on Windows Server 2008, use the virtual hard disk image file and deploy it manually. For instructions, see Manually create the Security Connector virtual machine with the hard disk image file.

To create the Security Connector VM with the PowerShell utility script:

  1. Open a PowerShell window.

  2. Type this command to execute the script:

    <path_to_unzipped_folder>/create-akamai-sc-vm.ps1

    where <path_to_unzipped_folder> is the path to the folder with the PowerShell script.

  3. If you see the "The script is not digitally signed. You cannot run this script on the current system" error message, complete these steps to set the execution policy to Bypass for the current PowerShell session.

    1. In the PowerShell window, enter this command:

      Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

    2. When prompted for confirmation, enter Y and press Enter.

  4. When prompted, enter the VM name, disk path, and virtual switch name. The VM is created.

  5. Open Hyper-V Manager.

  6. Select the VM and in the Actions menu, click Start. After starting the VM, in the Actions menu, click Connect to access the VM. It may take a few minutes for the machine to start. Ignore any errors that may appear while the VM boots.

Next steps

Create a security connector password.

Manually create the Security Connector virtual machine with the hard disk image file

Before you begin

  1. Download Security Connector.

  2. Confirm that the folder you extracted contains the akamai-sc-<imageID>.vhd file, where <imageID> is the ID associated with the image.

You can manually deploy the Security Connector VM with the hard disk image file. These instructions apply to Microsoft Hyper-V on Windows Server 2016. These steps may vary on other versions of Windows or Windows Server.

📘

The virtual hard disk image file that's used to create the virtual machine is the hard disk drive for the virtual machine. Therefore, the changes you make to the virtual machine are saved to the hard disk or the image file. If you need to create a new Security Connector virtual machine, make sure you download a new image file.

To manually create the Security Connector VM with the hard disk image file:

  1. Open Hyper-V Manager.

  2. Select the computer or local server where you're deploying the VM.

  3. In the Actions menu, select New > Virtual Machine.

  4. Review the Before You Begin content and click Next.

  5. In the Specify Name and Location window, enter a name for the VM and click Next.

  6. In the Assign Memory window, enter 2048 in the Startup Memory field and click Next.

  7. In the Configure Networking window, select the virtual switch that you want from the Connection menu, and click Next.

  8. In the Connect Virtual Hard Disk window, complete these steps:

    1. Select the Use an existing virtual hard disk option and click Browse.

    2. Browse to the akamai-sc-<imageID>.vhd file, where <imageID> is the ID associated with the virtual hard disk image file.

    3. Click Open.

    4. Click Next.

  9. Review the summary with the details you selected for the VM. Click Finish.

  10. Modify the number of virtual processors:

    1. Select the VM that was created in step 9 and in the Actions menu, click Settings.

    2. In the Hardware menu, select Processor.

    3. In the Number of virtual processors field, enter 2 and click Apply.

  11. Update the network adapter settings:

    1. In the Hardware menu, click Add Hardware.

    2. Select Network Adapter and click Add.

    3. Select the network adapter you added.

    4. Select the virtual switch. Depending on your network topology, this may be the switch you added in step 7.

    5. Click Apply and then click OK.

  12. Select the VM and in the Actions menu, click Start. After starting the VM, in the Actions menu, click Connect to access the VM. It may take a few minutes for the machine to start. Ignore any errors that may appear while the VM boots.

Next steps

Create a security connector password.

Deploy Security Connector on VMware ESXi

Before you begin

  1. Download Security Connector.
  2. Make sure the OVA file is located on your local computer.

This procedure uses the vSphere client. For more information on deploying an OVA file, or if you choose to create a new VM from the OVA file, see the VMware production documentation.

To deploy the Security Connector OVA file in VMware:

  1. Log in to the vSphere client.

  2. Right-click the data center or resource pool that you want to use for the VM.

  3. Click Deploy OVF Template. A wizard appears.

  4. On the Select an OVF template window, select Local file and click Browse to find the Security Connector OVA file. After you find it, click Open and then Next.

  5. In the Virtual machine name field, enter a unique name for the VM.

  6. Select a location for the VM and click Next.

  7. Review the template details and click Next.

  8. Select the disk format for the VM, the storage policy, and the datastore for the VM. Click Next.

  9. Select a destination network for each source network. Click Next.

  10. Review the settings you selected. Click Finish.

Next steps

Create a security connector password.

Prepare for Security Connector deployment on a cloud platform

Before you deploy Security Connector on Amazon Web Services (AWS) or Azure, you need:

  • An SSH Key Pair. To access Security Connector with SSH, you need an existing SSH key or you'll have to generate a new key pair in AWS or Azure. You associate the key pair to the Security Connector VM or instance. To generate SSH keys on macOS, Linux, or Windows, see Generate SSH keys.

  • Two network interfaces. By default, Azure and AWS have a single network interface. However, you have to create another network interface.

  • An instance that meets virtual machine requirements. Make sure the instance you create in these cloud platforms meets virtual machine requirements. For more information, see Virtual machine requirements.

  • Inbound and Outbound Access. If you want administrators to access Security Connector through a public IP address, you have to allow these ports and protocols in your firewall:

    • Allow inbound access to TCP port 22 for SSH connections.

    • Allow outbound access to the Internet.

    • The public IP address that you will configure for the Security Connector.

      For the Security Connector data path (en1 interface), you must also allow TCP and UDP port 53. For a complete list of network requirements, see Network requirements.

  • Security Connector image file. The image file is available in the AWS and Azure marketplaces.

Generate SSH Keys

SSH keys are required to access Security Connector through a virtual machine on the Azure and AWS cloud platforms. You can generate SSH keys as you set up Security Connector or you can upload a key that you generated outside of the Security Connector setup. This section provides instructions on generating keys on Linux, macOS, or Windows.

Generate SSH keys on Linux or macOS

Complete this procedure to create SSH keys on Linux or macOS.

To generate SSH keys on Linux or macOS:

  1. Open a terminal window, and enter this command:

    ssh-keygen -t rsa -b 4096 -f ./<path>/<filename> -C <comment>

    where:

    • <path> is where the keys will be generated.
    • <filename> is the name of the key files.
    • <comment> is the value that’s added to the comment field in the public key. This value is appended to the public key.

    Make sure the private key has the .pem or .ppk extension.

  2. Enter the passphrase for the keys.

  3. Enter the passphrase again.

  4. Save the private key to a secure location.

Generate SSH Keys on Windows

Complete this procedure to generate SSH keys on Windows.

To generate SSH keys on Windows:

  1. Open a command prompt.
  2. Enter ssh-keygen. By default, the keys are saved to <home_directory>/.ssh/id_rsa, where <home_directory> is your home directory on Windows. This is usually C:\Users\<your_username>. You can modify the file location.
  3. Enter the passphrase for the keys.
  4. Enter the passphrase again.
  5. Save the private key to a secure location.

Deploy Security Connector on Amazon Web Services (AWS)

These are the high-level steps that are required to deploy a Security Connector image on Amazon Web Services (AWS).

The process outlined in these procedures is for the AWS user interface only. To use the command line for these operations, see the AWS documentation.

  1. Launch an instance with a Security Connector image

  2. Create and attach an additional network interface

  3. If you want to use a public IP address to access Security Connector, you can associate an elastic IP address to the network interface. For instructions, see Associate an elastic IP address to the network interface.

  4. If you plan to use only one interface for HTTP Forwarder or DNS Forwarder, complete these steps:

    1. Assign an elastic IP address to the second interface that’s attached to the AWS VM. This interface has a device index of 1. For instructions, see Associate an elastic IP address to the network interface. Complete this procedure on the interface with device index 1.
    2. Continue the steps for the Security Connector as outlined in Set up the security connector. Make sure you set one interface when you configure the incoming and outgoing interfaces in Security Connector.

Launch an instance with a Security Connector image

Complete this procedure to launch an instance in the EC2 console with the Security Connector image. For more information, see the AWS documentation.

Before you begin:

If you don’t have an SSH key that you want to use for this instance, make sure you create an SSH key. For instructions, see Create an SSH key pair in AWS or Generate SSH keys. If you want to import an existing SSH key, see Import the SSH public key to AWS.

To set up Security Connector with AWS:

  1. Log in to the AWS Management Console.

  2. Select your region.

  3. On the landing page, search and select the EC2 service. The Amazon EC2 console appears.

  4. From the navigation menu, select Instances > Instances.

  5. Click Launch instance.

  6. In the Name field, enter a name for the instance.

  7. Under Application and OS images, click Browse More AMIs.

  8. Click AWS Marketplace AMIs and search for "Akamai Security Connector" to find the Security Connector image file. Click Select.

  9. For the instance type, select t2.medium or an instance type that meets the needs of your network.

  10. Under Key pair (login), select an SSH key pair. To generate an SSH key, see Create an SSH key pair in AWS or Generate SSH Keys. To import an SSH key, see Import the SSH public key to AWS.

  11. Under network settings, select a VPC, subnet, and a security group.

  12. Click Launch instance. It may take three to five minutes to launch the instance.

Next Steps:

  1. Stop the instance that you created:

    1. In the navigation menu, select Instances.

    2. Select the instance that you created.

    3. In the Actions menu, select Instance State > Stop.

  2. Create and attach an additional network interface

Import the SSH public key to AWS

If you created SSH keys outside of AWS and would like to import them, complete this procedure.

Before you begin:

Make sure that you created your SSH keys. For information on creating keys, see Generate SSH Keys.

To import the SSH public key:

  1. In the navigation menu of the EC2 console, select Key Pairs.
  2. Click Import key pair.
  3. In the Name field, enter a name for the public key. The name can be up to 255 characters.
  4. Browse for the public key or paste the contents of the key into the Public key contents field.
  5. Click Import key pair. Confirm that the key you imported appears in the list of keys.

Create an SSH key pair in AWS

If you would like to create an SSH key pair in AWS, complete this procedure. For detailed instructions, see Create a key pair in the AWS documentation.

If you have an SSH key that you would like to import into AWS, see Import the SSH public key to AWS.

To create an SSH key pair:

  1. Log in to the AWS Management Console.

  2. Select your region.

  3. On the landing page, search and select the EC2 service. The Amazon EC2 console appears.

  4. In the navigation menu, select Key Pairs.

  5. Click Create Key Pair.

  6. In the dialog that appears:

    1. Enter a name for the key.

    2. For the File Format, select the format that you want to use for the private key. If you plan to use OpenSSH, select pem. If you plan to use PuTTY, select ppk.

    3. Click Create key pair. The private key is automatically downloaded to your browser. Store the private key file in a secure location.

  7. If you plan to use an SSH client on macOS or a Linux computer, make sure you apply a permission to the private key file to ensure that other users can’t view it:

    1. In a terminal, change directories to the location of the private key file.

    2. Enter this command:

      chmod 400 <key.name>.pem

      where <key.name> is the name of the key file.
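
The key-handling steps in Generate SSH keys on Linux or macOS (a passphrase-protected 4096-bit RSA key) and the chmod 400 step above can be checked before you select the key pair for an instance. The script below is an added example, not part of the vendor documentation; the function names and the path in the usage comment are hypothetical, and it assumes an OpenSSH or PEM private key with its public key stored beside it as <key>.pub (ssh-keygen cannot read .ppk files).

```shell
#!/bin/sh
# Added example: audit an SSH private key before using it for Security Connector.
# Function names are hypothetical; 4096 bits mirrors the ssh-keygen command
# shown in "Generate SSH keys on Linux or macOS".

# 0 if the file exists and grants nothing to group/other (mode 400 or 600),
# 1 if it is too permissive, 2 if it is missing.
key_perms_ok() {
    [ -f "$1" ] || return 2
    # ls -ldL prints e.g. "-r--------"; characters 5-10 are the group/other bits.
    go_bits=$(ls -ldL "$1" | cut -c5-10)
    [ "$go_bits" = "------" ]
}

# 0 if the private key is passphrase-protected, 1 if it loads with an empty
# passphrase, 3 if ssh-keygen is not installed. Run key_perms_ok first:
# ssh-keygen can also reject keys that other users are able to read.
key_has_passphrase() {
    command -v ssh-keygen >/dev/null 2>&1 || return 3
    # -y re-derives the public key; with -P "" it succeeds only for an
    # unencrypted key and never prompts.
    if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print "<bits> <type>" for a public key file, for example "4096 RSA".
key_bits_and_type() {
    ssh-keygen -l -f "$1" 2>/dev/null |
        awk '{ t = $NF; gsub(/[()]/, "", t); print $1, t }'
}

# Run all checks; returns 0 only if none of them failed.
audit_key() {
    key=$1
    rc=0
    if ! key_perms_ok "$key"; then
        echo "FAIL: $key is missing or readable by group/other (chmod 400 it)"
        return 1
    fi
    echo "ok:   $key is private to its owner"

    pp=0
    key_has_passphrase "$key" || pp=$?
    case $pp in
        0) echo "ok:   private key is passphrase-protected" ;;
        1) echo "FAIL: private key has no passphrase"; rc=1 ;;
        3) echo "skip: ssh-keygen not found, passphrase and size not checked" ;;
    esac

    if [ "$pp" -ne 3 ] && [ -f "$key.pub" ]; then
        info=$(key_bits_and_type "$key.pub")
        bits=${info%% *}
        type=${info#* }
        if [ -z "$info" ]; then
            echo "skip: could not read $key.pub"
        elif [ "$type" = "RSA" ] && [ "$bits" -lt 4096 ]; then
            echo "FAIL: RSA key is $bits bits, below the 4096 used on this page"
            rc=1
        else
            echo "ok:   key is $bits-bit $type"
        fi
    fi
    return $rc
}

# Usage (path is a placeholder): audit_key ./keys/sc-admin.pem
```
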

Create and attach an additional network interface

Complete this procedure to create and attach an additional network interface. This is the network interface that you attach to the Security Connector instance. For more information on this operation, see the AWS Documentation.

Before you begin:
Launch an instance with a Security Connector image

To create and attach an additional network interface:

  1. In the EC2 navigation menu, select Network & Security > Network Interfaces.

  2. Click Create network interface.

  3. In the Create Network Interface dialog, do the following:

    1. Enter a description for the instance.

    2. In the Subnet menu, select the subnet where you want the network interface created.

    3. Select security groups.

    4. Click Create new interface.

  4. Attach the Security Connector EC2 instance to the network interface you created:

    1. On the Network interface page, select the network interface that you created.

    2. Click the Actions menu and select Attach.

    3. Select the Security Connector EC2 instance and click Attach.

Next Steps:

If you want to access Security Connector with a public IP address, see Associate an elastic IP address to the network interface.

Associate an elastic IP address to the network interface

After you attach the Security Connector instance to the network interface you created, you can associate an elastic IP address to the network interface. An elastic IP address allows you to use a public IP address to access Security Connector.

For more information on this task, see the AWS documentation.

Before you begin:

  1. Create and attach an additional network interface
  2. Confirm which interface has a device index of 0. In addition to the network interface you created, AWS also has a network interface. The interface with the device index of 0 should be the en2 interface for the Security Connector or the interface that you assign with an elastic IP address. To identify the interface with a device index of 0, complete these steps:
    1. In the EC2 console, go to Network Interfaces.
    2. Select the network interface that you created and in the Instance details, make sure the device index is 0. Take note of the network interface ID.

To associate an elastic IP address to the network interface:

  1. Go to the Amazon VPC console:

    1. In the search bar of the AWS Management Console, enter VPC.

    2. In the search results, select VPC.

  2. In the navigation menu, select Virtual private cloud > Elastic IPs.

  3. Allocate elastic IP addresses:

    1. Click Allocate Elastic IP address.

    2. For the Public IPv4 address pool, select the pool of IP addresses that you prefer.

    3. Click Allocate.

  4. Select an IP address that you allocated.

  5. In the Actions menu, select Associate Elastic IP address.

  6. In the dialog that appears, select Network interface as the resource type and then select the interface that you created. This is the interface that you confirmed had a device index of 0. You select the network interface by its ID.

  7. Click Associate.

Next Steps:

  1. Start the instance:

    1. In the EC2 console, select Instances from the navigation menu.

    2. Select the Security Connector instance that you created.

    3. In the Actions menu, select Instance State > Start.

  2. Wait for 10 minutes.

  3. Use your SSH key to access the Security Connector console. In your command line or terminal, enter this command:

    ssh -i </path/to/ssh/key> admin@<Elastic_IP>

    where:

  4. If you plan to use only one interface for HTTP Forwarder or DNS Forwarder, complete these steps:

    1. Assign an elastic IP address to the second interface that’s attached to the AWS VM. This interface has a device index of 1.
    2. Continue the steps for the Security Connector as outlined in Set up the security connector. Make sure you set one interface when you configure the incoming and outgoing interfaces in Security Connector.

Deploy Security Connector on Microsoft Azure

Complete these high-level steps to deploy Security Connector on Microsoft Azure.

The process outlined in these procedures is for the Azure user interface only. To use the command line for these operations, see the Azure documentation.

To deploy Security Connector on Azure:

  1. Create a virtual machine in Azure

  2. Create a network interface

  3. Attach the network interface to the virtual machine

  4. If you plan to use only one interface for HTTP Forwarder or DNS Forwarder, complete these steps:

    1. Assign a public IP address to the second interface that’s attached to the Azure VM. For instructions, see Assign a public IP address to the second network interface.
    2. Continue the steps for the Security Connector as outlined in Set up the security connector. Note the following:
      • When you configure the en1 and en2 interfaces, make sure you assign a static IP address.
      • Make sure you set one interface when you configure the incoming and outgoing interfaces in Security Connector.

Create a virtual machine in Azure

Complete this procedure to create a VM in Azure. For more information on creating and managing virtual machines in Azure, see the Microsoft Azure documentation.

To create a VM in Azure:

  1. Log in to the Azure portal.

  2. In the search field, search for virtual machines and select Virtual Machines from the search results.

  3. Click Create > Azure virtual machine.

  4. In the subscription field, enter the ID for your subscription. To find this ID, see Get subscription and tenant IDs in the Azure Portal.

  5. In the Resource group field, enter a name for the resource group.

  6. In the Instance details section, complete these steps:

    1. In the Virtual machine name field, enter a name for the virtual machine.

    2. In the region field, select a region.

    3. In the Availability Zones, select a zone.

    4. For the image, click See all images.

    5. Under Marketplace, select All.

    6. Search for Akamai Security Connector - Virtual Machine Image and select it.

    7. Under Bring Your Own License, select Akamai Security Connector - Standard - x64 Gen 1.

    8. In the Size menu, select Standard_B2s - 2 vcpus, 4 GiB memory or any setting that meets the requirements for Security Connector. For information on setup requirements, see Setup and virtual machine requirements.

  7. In the Administrator account section, complete these steps:

    1. For Authentication type, select SSH public key.

    2. In the Username field, leave it with the default setting.

      📘

      When you use SSH to access the Security Connector, you must enter admin as the username.

    3. In the SSH public key source menu, you can use an existing key stored in Azure, any public key, or you can generate a key pair. To upload an existing SSH key, see Upload an SSH key in the Azure documentation.

    4. If you selected to generate a key pair, in the dialog that appears, enter the name of the key pair.

  8. In the Inbound port rules section, configure the public inbound ports that are required for the en1 and en2 interfaces.

    📘

    For SSH connections, allow TCP port 22.

  9. In the Licensing section, select Other.

  10. Click Next: Disks.

  11. Click Next: Networking.

  12. In the Network tab, complete these steps:

    1. In the Virtual network menu, select your virtual network.

    2. In the Subnet, select a subnet.

    3. In the Public IP field, select a new IP or an existing IP.

    4. For the NIC network security group, select Advanced.

    5. In the Configure network security group, select a network security group. To create a new group, click Create new.

  13. Click Review + create.

  14. After the VM is validated, click Create. The VM may take 8-10 minutes to create.

Next Steps

  1. If you selected to generate a new key, the Generate new key pair window appears. Click Download private key and create resource. The key file is downloaded from your browser and is given the name that you assigned in step 7.

  2. Stop the virtual machine:

    1. In the Azure Portal, go to the list of virtual machines.

    2. Select the name of your VM.

    3. Click Stop and then click OK in the dialog to confirm the action.

  3. Create a network interface

Create a network interface

Complete this procedure to add a new interface to the Security Connector virtual machine. For more information, see the Microsoft Azure documentation.

Before you begin:
Create a virtual machine in Azure

To add a network interface:

  1. In the navigation menu, select Networking.

  2. Click Attach network interface and then click Create and attach network interface.

  3. Select a resource group.

  4. In the Network interface section, complete these steps:

    1. Enter a name for the interface.

    2. In the Subnet field, select a subnet.

    3. For the NIC network security group, select Advanced.

    4. Configure inbound ports that are required for the en1 and en2 interfaces.

    📘

    For SSH connections, allow TCP port 22.

  5. Click Create. It may take up to 10 minutes to create.

Next Steps:

Attach the network interface to the virtual machine

Attach the network interface to the virtual machine

Complete this procedure to attach the network interface to the Security Connector virtual machine.

Before you begin:
Make sure that you have created a virtual machine and a network interface. For instructions, see Create a virtual machine in Azure and Create a network interface.

To attach a network interface to the VM:

  1. In the navigation menu, select Networking.

  2. Click Attach network interface.

  3. In the dialog, select the network interface that you created, and click OK.

Next Steps:

  1. Make sure that the public IP address is assigned to the first network interface of the VM. To view the network interfaces that are assigned to the VM, go to the VM that you created and select Networking from the navigation menu.

  2. Start the virtual machine.

    1. Return to the virtual machine you created.

    2. Click the name of it.

    3. Click Start.

  3. Wait for 10 minutes.

  4. Use your SSH key to access the Security Connector console. In your command line or terminal, enter this command:

    ssh -i </path/to/ssh/key> admin@<NIC-public-IP>

    where:

    • </path/to/ssh/key> is the file path to the SSH key.
    • <NIC-public-IP> is the public IP address of the network interface.
  5. If you plan to configure one interface mode for HTTP Forwarder or DNS Forwarder, you will need to additionally assign a public IP address to the second interface that’s attached to the VM. For more information, see Assign a public IP address to the second network interface.

Assign a public IP address to the second network interface

If you plan to use only one interface for HTTP Forwarder or DNS Forwarder, make sure you assign a public IP address to the second interface that’s attached to the VM. For more information, see Add IP Addresses in the Microsoft Azure documentation.

To add a public IP address to your network interface:

  1. Go to the network interfaces. You can enter network interfaces in the search bar.
  2. In the list of interfaces, select the second network interface that’s attached to your VM.
  3. Under Settings, select IP configurations.
  4. Click Add.
  5. Enter a name for the IP configuration.
  6. For the IP Version, select IPv4.
  7. For the Public IP Address field, select Associate.
  8. Select a public IP address or create a new public IP address.
  9. Click OK.

Next Steps:

Continue the steps for the Security Connector as outlined in Set up the security connector. Note the following:

  • When you configure the en1 and en2 interfaces, make sure you assign a static IP address.
  • Make sure you set one interface when you configure the incoming and outgoing interfaces in Security Connector.