Portal for ArcGIS in AWS Best Practice

12-14-2023 10:17 AM
TraeTimmerman
New Contributor III

My understanding is if the name of the machine shown within the portaladmin/machines endpoints changes, the Portal for ArcGIS site will become unavailable. To prevent this issue from occurring, I've allocated and assigned an elastic IP address to the EC2 instances where I'm installing Portal for ArcGIS. 

On a RHEL 8x EC2 instance, following all of the steps in "If your portal machine has multiple network interface controller cards" section of this doc Installing Portal for ArcGIS—ArcGIS Enterprise | Documentation for ArcGIS Enterprise and step 7 in this doc: Deploy a base ArcGIS Enterprise portal on AWS—ArcGIS Enterprise in the cloud | Documentation for Arc... results in site creation failure. I set the following:

  • Created hostname.properties file and added hostname=<elastic IP>
  • In hostidentifier.properties file, uncommented preferredidentifier=ip
  • In the hostidentifier.properties file uncommented and modified to hostidentifier=<elastic IP>

Which of these files and which specific properties need to be set to force the Portal for ArcGIS site to use the elastic IP address to prevent future issues caused by private IP address changes?

Thank you!


Accepted Solutions
MarceloMarques
Esri Regular Contributor

@TraeTimmerman 

A manual installation of ArcGIS Enterprise in an AWS ec2 instance can easily become a daunting task and you might end up not following best practices.

Instead of a manual deployment you shall try to deploy using the AWS CloudFormation Template.

AWS CloudFormation and ArcGIS—ArcGIS Enterprise in the cloud | Documentation for ArcGIS Enterprise

This will properly configure the AWS ec2 instance local firewall and properly install and configure Portal + WebAdaptor for Portal + ArcGIS Server + WebAdaptor for Server + Datastore, and correctly install the SSL Certificate and correctly configure the web context URL in Portal and ArcGIS Server.

The Elastic Public IP of the ec2 instance is not used in the ArcGIS Enterprise Configuration, neither in Portal, nor in ArcGIS Server, nor in the WebAdaptors, nor in the DataStore.

The Elastic Public IP is only used in the External URL. That is why the Elastic Public IP of the ec2 instance can change and you just need to remap the External URL to resolve to the new Elastic Public IP and everything shall continue to work fine with ArcGIS Enterprise.

In an AWS ec2 instance the Private IP is used in the Portal configuration and the Private IP is used in the WebAdaptors (Portal and Server) as well. We do not use the Elastic Public IP.

Note: if you take an ec2 instance image backup and try to use the image to create another machine, then you must create the new machine with the same private ip or portal will not work anymore. There is no workaround for this, except to create the new machine with the same private ip. The web adaptors can be reinstalled using a new private ip, no problem there, and ArcGIS Server has no dependencies with the private ip, thus ArcGIS Server will continue to work even if the private ip changes. The problem is only with portal.

There are other tools to create ArcGIS Enterprise deployments in AWS, see link below.

Deployment options on Amazon Web Services—ArcGIS Enterprise in the cloud | Documentation for ArcGIS ...

I hope this helps to clarify your question.

| Marcelo Marques | Principal Product Engineer | Esri |
| Cloud & Database Administrator | OCP - Oracle Certified Professional |
I have worked with Enterprise Geodatabases since 1997.
“I do not fear computers. I fear the lack of them.” Isaac Asimov

11 Replies
ReeseFacendini
Esri Regular Contributor

When following the docs for multiple NICs, set the hostname to the private IP of the machine, not the public IP. The machine name will then be that private IP value which doesn't change.

TraeTimmerman
New Contributor III

Thank you for the feedback, @ReeseFacendini! I think I see where I went wrong. When associating the elastic IP, I failed to specify the private IP to associate it with. Just updated and will reinstall and test.

TraeTimmerman
New Contributor III

Thank you for the feedback, @MarceloMarques. So, the solution is to use the private IP; then, if restoring from an AMI is necessary in the future, the restored instance must utilize the same private IP address. I can see how the public IP could be problematic for communication within the VPC.

MarceloMarques
Esri Regular Contributor

@TraeTimmerman 

If you need to create a new machine using the ec2 instance AMI backup then you could try to change the Private IP on the files below on the new ec2 instance, but you still need to reconfigure the web adaptors to use the new Private IP.

C:\Program Files\ArcGIS\Portal\framework\etc\hostname.properties

C:\Program Files\ArcGIS\Portal\framework\runtime\ds\framework\etc\hostidentifier.properties

C:\Program Files\ArcGIS\Server\framework\etc\hostname.properties

But you might still encounter issues, because the Private IP might still need to be changed in some other configuration files that are difficult to determine.

Hence, if you need to keep the current ec2 instance and create a new machine with the AMI backup, then create a new VPC, and create the new ec2 instance in the new VPC using the same Private IP of the original ec2 instance; then everything shall work with the ArcGIS Enterprise deployment. But remember, you will need to create a new elastic public ip, then attach that to the new ec2 instance. The external URL for the new ec2 instance shall resolve to that new elastic ip. Then you need to change the web context url in the portal admin and server admin, and last you need to import the new ssl certificate for the new external url into the new ec2 instance webserver. If you have imported the ssl certificate into portal or server then you will need to do the same on the new ec2 instance. See, this can be quite a lot of work, and sometimes folks just create a new deployment from scratch and try to use the webgisdr backup utility to move the site content into the new site.

I hope this helps.

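A pre-flight check for the AMI-restore case discussed above, as an added example that is not part of the thread or of Esri's tooling: it reads the `hostname`, `preferredidentifier` and `hostidentifier` keys named in the thread and reports every file that does not pin the instance's private IP. File locations are passed as arguments, the sample addresses are constructed, and treating `preferredidentifier=ip` as the required setting is an assumption taken from the original question.

```shell
#!/bin/sh
# Added example, not Esri code. File locations are passed in as arguments.

# Print the active value of KEY ($2) in a .properties FILE ($1). Lines still
# commented out with '#' are ignored; the last active assignment wins.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tr -d '\r' | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_portal_identity EXPECTED_IP HOSTIDENTIFIER_FILE HOSTNAME_FILE...
# Returns 0 when every file pins EXPECTED_IP, 1 on any drift.
check_portal_identity() {
    expected=$1; hostid_file=$2; shift 2
    rc=0
    for f in "$@"; do
        v=$(prop_value "$f" hostname)
        if [ "$v" != "$expected" ]; then
            echo "DRIFT $f: hostname='$v', expected '$expected'"
            rc=1
        fi
    done
    v=$(prop_value "$hostid_file" preferredidentifier)
    if [ "$v" != "ip" ]; then
        echo "DRIFT $hostid_file: preferredidentifier='$v', expected 'ip'"
        rc=1
    fi
    v=$(prop_value "$hostid_file" hostidentifier)
    if [ "$v" != "$expected" ]; then
        echo "DRIFT $hostid_file: hostidentifier='$v', expected '$expected'"
        rc=1
    fi
    return $rc
}

# Constructed sample: files copied from an image whose private IP was
# 10.0.1.25, checked on an instance launched with 10.0.1.77.
demo_dir=$(mktemp -d)
printf 'hostname=10.0.1.25\n' > "$demo_dir/hostname.properties"
printf '#preferredidentifier=hostname\npreferredidentifier=ip\nhostidentifier=10.0.1.25\n' \
    > "$demo_dir/hostidentifier.properties"
check_portal_identity 10.0.1.77 "$demo_dir/hostidentifier.properties" \
    "$demo_dir/hostname.properties" || echo "identity files do not match this instance"
```

On a real instance the expected address is the primary private IPv4 of the network interface, which the EC2 instance metadata service exposes as `local-ipv4`.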
MikeSchonlau
Occasional Contributor III

Could you use the ec2 instance hostname instead of the private ip? This would not change if launching from an AMI. Or does the ESRI software only use the private ip for configuration? I know the hostidentifier.properties file is set to hostname by default. Assuming this is a single machine deployment.

TraeTimmerman
New Contributor III

Hey @MikeSchonlau,

I've used the hostname instead of the private IP in some cloud deployments that are more static (and chose to do so in this deployment). The concern that I've heard is that autogenerated hostnames are not guaranteed to be unique, so there is potential for conflict there. 

MarceloMarques
Esri Regular Contributor

@TraeTimmerman, the aws ec2 instance hostname can change once you power off / on the machine, while the private ip address stays the same. That is the reason we use the private ip address to configure the webadaptors.

TraeTimmerman
New Contributor III

@MarceloMarques that makes sense for Linux instances, I should have specified in my previous post that I've implemented this way specifically for Windows instances. Thanks for the clarification.
