Artifactory With Amazon Ecs On The Aws Cloud PDF

Artifactory with Amazon ECS on
the AWS Cloud

Quick Start Reference Deployment
September 2019
JFrog Ltd
Chris Hirsch, Stephen Cole, Travis McVey, Trace3
Jay Yeras, Dylan Owen, AWS Quick Start team
Visit our GitHub repository for source files and to post feedback,
report bugs, or submit feature ideas for this Quick Start.
Contents
Overview .................................................................................................................................... 2
Artifactory on AWS ................................................................................................................ 3
Cost and licenses .................................................................................................................... 3
Architecture ............................................................................................................................... 4
Amazon ECS services ............................................................................................................. 7
Ansible init script ................................................................................................................... 7
Planning the deployment ..........................................................................................................8
Specialized knowledge ...........................................................................................................8
AWS account ..........................................................................................................................8
Technical requirements .........................................................................................................8
Deployment options ............................................................................................................. 10
Deployment steps .................................................................................................................... 10
Step 1. Sign in to your AWS account .................................................................................... 10
Step 2. Add the Artifactory license keys to AWS Secrets Manager ..................................... 10
Page 1 of 37
Amazon Web Services – Artifactory with Amazon ECS on the AWS Cloud September 2019
Step 3. Prepare the certificate parameters ...........................................................................11

Step 4. Launch the Quick Start ............................................................................................ 12
Option 1: Parameters for deploying Artifactory with ECS into a new VPC ..................... 13
Option 2: Parameters for deploying Artifactory with ECS into an existing VPC ............ 17
Step 5. Get started with JFrog Artifactory ........................................................................... 21
Updating Artifactory ...............................................................................................................24
Security .................................................................................................................................... 33
Storage .....................................................................................................................................34
Troubleshooting ......................................................................................................................34
Send us feedback ..................................................................................................................... 35
Additional resources ............................................................................................................... 35
Document revisions.................................................................................................................36
This Quick Start was created by JFrog and Trace3 in collaboration with Amazon Web
Services (AWS).
Quick Starts are automated reference deployments that use AWS CloudFormation
templates to deploy key technologies on AWS, following AWS best practices.
Overview
JFrog’s Artifactory is an enterprise universal repository manager, capable of hosting all
your binaries on AWS resources. This Quick Start provides a turnkey solution deploying
Artifactory Enterprise in a highly available (HA) configuration into AWS.
This Quick Start is for administrators who want the flexibility, scale, and availability of
AWS through products such as virtual private clouds (VPCs), Amazon Elastic Compute
Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), Amazon Simple
Storage Service (Amazon S3), Elastic Load Balancing (ELB), and Amazon Relational
Database Service (Amazon RDS) to deploy Artifactory as their repository manager.
Amazon EC2 and Amazon ECS, along with Amazon S3 and Amazon RDS, form the
foundation for the deployment. By utilizing Amazon S3 and Amazon RDS as persistent
storage for artifacts and the configuration, respectively, Artifactory can be completely
redeployed, scaled up, or scaled down, depending on your requirements. This configuration
Page 2 of 37
allows organizations to save on costs for multiple secondary nodes and to pay only for
storage that is actually being used.
This Quick Start configures a single Amazon EC2 Auto Scaling group that configures
Amazon EC2 nodes for an Amazon ECS cluster. The EC2 nodes are specifically configured
for Artifactory, with configuration files mapped to the containers. Artifactory is configured
as two ECS services running the same task definition, which in turn deploys an Artifactory
and a NGINX container in each service:
 The first service is configured to be the Artifactory primary and will have at most only
one task running at one given time.
 The second service is configured to run the number of secondaries as desired. These
tasks within the service can scale up or down depending on the needs of the business.
The ECS tasks are monitored by a Network Load Balancer (NLB). The NLB is configured to
verify that port 443 is listening. This health check is important, because the NGINX
container listens on port 443 and depends on Artifactory starting successfully. Should the
endpoint fail to respond, the task will be shut down and a new task will be deployed.
Artifactory on AWS
Once you have deployed JFrog’s Quick Start Artifactory, you will be able to use it as a
production service. For further information regarding setting up Artifactory, see the Getting
started with Artifactory section later in this guide.
Important The deployment is configured as “infrastructure as code”. Any changes

to the infrastructure should be done through updating the CloudFormation stack.
Any changes performed on the boxes themselves (including reverse proxy
configurations) will be lost upon instance reboot. By design upon shutdown of an
instance or Artifactory service becoming unavailable, the node will be replaced via
Auto Scaling groups based on the load balancer’s health check.
Deploying to AWS gives you freedom to scale up your deployment based on the needs of
your changing business easily and quickly by simply updating the CloudFormation stack
while still paying for only what you are using.
Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start
reference deployment. There is no additional cost for using the Quick Start.
Page 3 of 37
The AWS CloudFormation template for this Quick Start includes configuration parameters
that you can customize. Some of these settings, such as instance type, will affect the cost of
deployment. For cost estimates, see the pricing pages for each AWS service you will be
using. Prices are subject to change.
Tip After you deploy the Quick Start, we recommend that you enable the AWS Cost
and Usage Report to track costs associated with the Quick Start. This report delivers
billing metrics to an S3 bucket in your account. It provides cost estimates based on
usage throughout each month and finalizes the data at the end of the month. For
more information about the report, see the AWS documentation.
This Quick Start requires an Enterprise or Enterprise+ license for Artifactory. To use the
Quick Start in your production environment, you can sign up for a Free Trial license, which
includes three Artifactory Enterprise licenses. You’ll need to place the license keys in the
specified fields when you launch the Quick Start. Enterprise or Enterprise+ licenses are
required due to the following features being used by the deployment:
 High availability
 S3 object storage
Note If the license isn’t an Enterprise or Enterprise+ license, the license is invalid,
or the license is not included, the deployment will fail. Also, ensure that the number
of secondary Artifactory servers is at most the amount licensed minus one, for the
primary server. If you specify too many servers, see the FAQ section for instructions.
If you use a Free Trial, ensure that you convert to a permanent license before your trial is
up; otherwise, the nodes will become unresponsive until a permanent license is in place.
You can request a quote by contacting JFrog.
Architecture
If you want to set up Artifactory with Amazon ECS, deploying this Quick Start for a new
VPC with default parameters builds the following Artifactory environment in the AWS
Cloud.
Page 4 of 37
Figure 1: Quick Start architecture for Artifactory with Amazon ECS on AWS
Page 5 of 37
Figure 2: Quick Start architecture for Artifactory ECS containers on AWS
The Quick Start sets up the following:

 A highly available architecture that spans two Availability Zones.*
 A VPC configured with public and private subnets according to AWS best practices, to
provide you with your own virtual network on AWS.*
 In the public subnets:
– Managed network address translation (NAT) gateways to allow outbound
internet access for resources in the private subnets.*
– A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell
(SSH) access to EC2 instances in public and private subnets.*
 A Network Load Balancer attached to the public subnets connecting via port 443 to the
NGINX container, providing reverse proxy and Secure Sockeets Layer (SSL) termination
for the Artifactory primary and secondary nodes listening on port 8081.
 In the private subnets:
– An Amazon RDS instance accessible only from the private subnets on port 3306.
Page 6 of 37
– Two Amazon ECS service groups, one for the primary node, and the other for the
secondaries.
– Artifactory and NGINX containers.
– An Auto Scaling group configured specifically to boot instances ready to host
Artifactory.
 A private and encrypted S3 bucket for repository storage.
* The template that deploys the Quick Start into an existing VPC skips the components
marked by asterisks and prompts you for your existing VPC configuration.
Amazon ECS services

There is a single Auto Scaling group for the Artifactory hosts. The service’s task are
comprised of containers that are deployed to the hosts via bridge networking. Upon an
Artifactory service or overall container failure, the ECS service will automatically recreate
the Docker instances. Due to this, all configuration is done on boot and will result in a loss
of data that is not stored in the Amazon RDS instance or the Amazon S3 bucket. This
includes the NGINX container that is tied to each Artifactory instance.
Ansible init script

The Amazon EC2 Docker hosts that support the ECS cluster are configured via Ansible
following the Docker Compose best practices for Artifactory. Ansible is installed and
configured to run only on the initial boot. Ansible, in cooperation with the automatic
scaling group, generates the required configuration files for Artifactory. These generated
configuration files are then mapped and mounted into the containers.
Important Do not change the master key of the stack when updating the stack.
This will result in future nodes being unable to join the cluster and an unsupported
configuration.
To update a Secure Sockets Layer (SSL) certificate, you will need to update the
CloudFormation stack by changing the certificate and certificate key inputs, and re-
deploying the nodes (see ECS upgrade section). If you change the certificate and
certificate key manually on the EC2 instances, instead of updating the
CloudFormation stack, the manual changes will be lost during the next upgrade or
reboot, resulting in an unwanted configuration.
Page 7 of 37
Planning the deployment

Specialized knowledge
This Quick Start assumes familiarity with JFrog Artifactory and infrastructure as code. It
also requires a moderate level of familiarity with AWS services. If you’re new to AWS, visit
the Getting Started Resource Center and the AWS Training and Certification website for
materials and programs that can help you develop the skills to design, deploy, and operate
your infrastructure and applications on the AWS Cloud.
AWS account
If you don’t already have an AWS account, create one at https://aws.amazon.com by
following the on-screen instructions. Part of the sign-up process involves receiving a phone
call and entering a PIN using the phone keypad.
Your AWS account is automatically signed up for all AWS services. You are charged only for
the services you use.
Technical requirements
By default, all options of the Quick Start will create a load balancer and output its HTTP
Domain Name System (DNS) on the Outputs tab of the CloudFormation console. This is
how you initially access Artifactory.
Note During the Quick Start deployment, you will be asked for an SSL Certificate
and Certificate Key. All deployments terminate SSL on the NGINX (instance, service,
or container). The SSL certificate is configured via Ansible on startup and is not
terminated on the ELB.
If you have a domain name available (e.g., https://artifactory.mycompany.com), you can

use it with the Quick Start, but this is not required or configured during the installation.
The default DNS name is generated based on the ELB and is expected not to match the
name of the SSL certificate, please see the custom domain name documentation to update
your DNS accordingly.
Before you launch the Quick Start, your account must be configured as specified in the
following table. Otherwise, deployment might fail.
Page 8 of 37
Resources If necessary, request service limit increases for the following resources. You might
need to do this if you already have an existing deployment that uses these resources,
and you think you might exceed the default limits with this deployment. For default
limits, see the AWS documentation.
AWS Trusted Advisor offers a service limits check that displays your usage and limits
for some aspects of some services.
Resource This deployment uses
VPCs 1
Elastic IP addresses 3
AWS Identity and

Access Management 1
(IAM) users
IAM roles 2
Security groups 4
Auto Scaling groups 3
Load balancers 1
m4.xlarge instances 4
t2.micro instances 1
db.m4.large (RDS) 1
S3 Buckets 1
ECS cluster 1
ECS service 2
Key pair Make sure that at least one Amazon EC2 key pair exists in your AWS account in the
region where you are planning to deploy the Quick Start. Make note of the key pair
name. You’ll be prompted for this information during deployment. To create a key
pair, follow the instructions in the AWS documentation.
If you’re deploying the Quick Start for testing or proof-of-concept purposes, we
recommend that you create a new key pair instead of specifying a key pair that’s
already being used by a production instance.
IAM permissions To deploy the Quick Start, you must log in to the AWS Management Console with IAM
permissions for the resources and actions the templates will deploy. The
AdministratorAccess managed policy within IAM provides sufficient permissions,
although your organization may choose to use a custom policy with more restrictions.
Page 9 of 37
S3 buckets Unique S3 bucket names are automatically generated based on the account number
and region. If you delete a stack, the Artifactory storage bucket is not deleted. If
you plan to re-deploy this Quick Start in the same region, you must first manually
delete the S3 buckets that were created during the previous deployment; otherwise,
the re-deployment will fail.
Deployment options
This Quick Start provides two deployment options:
 Deploy Artifactory running as an Amazon ECS service into a new VPC (end-
to-end deployment). This option builds a new AWS environment consisting of the
VPC, subnets, NAT gateways, security groups, bastion hosts, ECS cluster, EC2 nodes to
support the ECS cluster, an S3 bucket, and an Amazon RDS instance, and then deploys
Artifactory as a service onto the ECS cluster in this new VPC.
 Deploy Artifactory running as an ECS Service into an existing VPC. This
option provisions Artifactory in your existing AWS infrastructure, and creates an S3
bucket and an Amazon RDS instance. Optionally, an ECS cluster can be specified
instead of creating a new one; however, new EC2 nodes will be created and configured
as mentioned earlier in this guide to support running the Artifactory tasks.
The Quick Start provides separate templates for each of these options. It also lets you
configure CIDR blocks, instance types, and Artifactory settings, as discussed later in this
guide.
Deployment steps
Step 1. Sign in to your AWS account
1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has
the necessary permissions. For details, see Planning the deployment earlier in this
guide.
2. Make sure that your AWS account is configured correctly, as discussed in the Technical
requirements section.
Step 2. Add the Artifactory license keys to AWS Secrets Manager

1. Open AWS Secrets Manager in the same Region in which you are deploying the Quick
Start.
2. Choose Store a new secret.
Page 10 of 37
3. Choose Other type of secret.

4. For the Secret key/value, create four rows for the Artifactory licenses.
The key names should be as follows, with the key values being the Artifactory license
keys:
a. ArtifactoryLicense1
b. ArtifactoryLicense2
c. ArtifactoryLicense3
d. ArtifactoryLicense4
5. Choose Next.
6. Provide a Secret name. This name will be used when deploying the Quick Start.
7. Choose Next twice.
8. Choose Store.
Step 3. Prepare the certificate parameters

The certificate and certificate key parameters require special adjustments because of the
underlying system’s dependency on JSON. After you have your certificate and key, you need
to replace new line endings with a | (pipe) character.
Page 11 of 37
To do this, copy the certificate into an editor of your choice and edit the settings to show
line endings. On a Windows system, you will see CR FL characters. On a Linux system, you
will see LF characters.
Replace all CRFL or LF characters with | (pipe) characters. This will result in the entire
certificate being on a single line. Follow the same process for the certificate key.
Step 4. Launch the Quick Start
Notes The instructions in this section reflect the older version of the AWS
CloudFormation console. If you’re using the redesigned console, some of the user
interface elements might be different.
You are responsible for the cost of the AWS services used while running this Quick
Start reference deployment. There is no additional cost for using this Quick Start.
For full details, see the pricing pages for each AWS service you will be using in this
Quick Start. Prices are subject to change.
1. Sign in to your AWS account, and choose one of the following options to launch the
AWS CloudFormation template. For help choosing an option, see deployment options
earlier in this guide.
• new VPC
Deploy Deploy • workload only
• workload
Deploy Artifactory ECS into a Deploy Artifactory ECS into an

new VPC on AWS existing VPC on AWS
Page 12 of 37
Important If you’re deploying Artifactory into an existing VPC, make sure that
your VPC has two private subnets in different Availability Zones for the workload
instances, you know the CIDRs, and that the subnets aren’t shared. This Quick Start
doesn’t support shared subnets. These subnets require NAT gateways in their route
tables, to allow the instances to download packages and software without exposing
them to the internet. The VPC also requires two similar public networks for the load
balancer. You will also need the domain name option configured in the DHCP
options as explained in the Amazon VPC documentation. You will be prompted for
your VPC settings when you launch the Quick Start.
The deployment takes about 30 minutes to complete.

2. Check the Region that’s displayed in the upper-right corner of the navigation bar, and
change it if necessary. This is where the network infrastructure for Artifactory will be
built. The template is launched in the US West (Oregon) Region by default.
3. On the Select Template page, keep the default setting for the template URL, and then
choose Next.
4. On the Specify Details page, change the stack name if needed. Review the parameters
for the template. Provide values for the parameters that require input. For all other
parameters, review the default settings and customize them as necessary.
In the following tables, parameters are listed by category and described separately for
the two deployment options:
– Parameters for deploying Artifactory with ECS into a new VPC
– Parameters for deploying Artifactory with ECS into an existing VPC
When you finish reviewing and customizing the parameters, choose Next.
OPTION 1: PARAMETERS FOR DEPLOYING ARTIFACTORY WITH ECS INTO A NEW VPC
View template
Security configuration:
Parameter label Default Description
(name)
SSH key name Requires input The name of an existing public/private key pair, which allows
(KeyPairName) you to securely connect to your instance after it launches. This is
the key pair you created in your preferred Region; see the
Technical requirements section.
Page 13 of 37

(name)
Permitted IP range Requires input The CIDR IP range that is permitted to access Artifactory. We
(AccessCIDR) recommend that you set this value to a trusted IP range. For
example, you might want to grant only your corporate network
access to the software.
Remote access CIDR Requires input The remote CIDR range for allowing SSH into the Bastion
(RemoteAccessCIDR) instance. We recommend that you set this value to a trusted IP
range. For example, you might want to grant specific ranges
inside your corporate network SSH access.
Network configuration:
(name)
Availability Zones us-west-2a, us- The list of Availability Zones to use for the subnets in the VPC.
(AvailabilityZones) west-1b Two Availability Zones are used for this deployment, and the
logical order of your selections is preserved.
VPC CIDR 10.0.0.0/16 The CIDR block for the VPC.

(VPCCIDR)
Private subnet 1 CIDR 10.0.0.0/19 The CIDR block for private subnet 1 located in Availability
(PrivateSubnet1CIDR) Zone 1.
Private subnet 2 CIDR 10.0.32.0/19 The CIDR block for private subnet 2 located in Availability
(PrivateSubnet2CIDR) Zone 2.
Public subnet 1 CIDR 10.0.128.0/20 The CIDR block for the public (DMZ) subnet 1 located in
(PublicSubnet1CIDR) Availability Zone 1.
Public subnet 2 CIDR 10.0.144.0/20 The CIDR block for the public (DMZ) subnet 2 located in
(PublicSubnet2CIDR) Availability Zone 2.
Bastion configuration:
(name)
Bastion host Enabled Choose whether to boot a Bastion host or not. Due to the
(ProvisionBastionHost) Artifactory nodes being created in private subnets, this is highly
recommended.
Bastion instance type t2.micro The size of the bastion instances.

(BastionInstanceType)
Bastion operating Amazon-Linux- The Linux distribution for the AMI to be used for the bastion
system HVM instances.
(BastionOS)
Bastion root volume size 10 The size of the root volume on the bastion instances.
(BastionRootVolumeSize)
Page 14 of 37

(name)
Bastion enable TCP true Choose whether to enable TCP forwarding via the bootstrapping
forwarding of the bastion host.
(BastionEnableTCP
Forwarding)
Number of Bastion 1 The number of bastion hosts to create. The maximum number is
hosts four.
(NumBastionHosts)
ECS configuration:
(name)
ECS cluster name JFrog The name for your ECS cluster.
(ClusterName)
EC2 instance type m4.xlarge The EC2 instance type for the Artifactory Docker hosts.
(InstanceType)
EBS root volume size 200 The size in GB of the available storage; the Quick Start will create
(VolumeSize) EBS volumes of this size.
JFrog Artifactory Configuration:

(name)
Artifactory version 6.11.1 The version of Artifactory that you want to deploy into the Quick
(ArtifactoryVersion) Start. Please see the release notes to select the version you want
to deploy.
Number of secondary 2 The number of secondary Artifactory servers to complete your

instances HA deployment. To fit the Artifactory best practices, the
(NumberOfSecondary) minimum number is two; the maximum number is seven. Do
not select more instances than you licenses for.
Number of EC2 nodes 3 The number of EC2 nodes to create for the ECS cluster. There
(NumberOfEC2Nodes) must be enough nodes to run the number of secondaries plus
the primary task.
Artifactory licenses Requires input The secret name created in AWS Secrets Manager, which
secret name contains the Artifactory licenses.
(SMLicensesName)
Certificate Requires input The certificate file to be used to terminate SSL.

(Certificate)
Certificate key Requires input The private key for the certificate.
(CertificateKey)
Page 15 of 37

(name)
Certificate domain Requires input The certificate domain, which must match the domain specified
(CertificateDomain) on your certificate.
Artifactory server Requires input The name of your Artifactory server. Ensure that this matches
name your certificate.
(ArtifactoryServer
Name)
Master server key Requires input Master The master key for the Artifactory cluster. Generate a
(MasterKey) master by key using the command $openssl rand -hex 16.
Extra Java options -Xmx4g Setting Java memory parameters for Artifactory. For more
(ExtraJavaOptions) information, see the Artifactory system requirements.
Ansible Vault password Requires input The Ansible Vault password to protect the Artifactory YAML
(AnsibleVaultPass) configuration file generated during the Artifactory deployment.
This YAML file is stored on the EC2 nodes and secured with this
password.
Amazon RDS configuration:

(name)
Database name artdb The name for your DB instance. The name must be unique
(DatabaseName) across all DB instances owned by your AWS account in the
current AWS Region. The DB instance identifier is case-
insensitive, but is stored as all lowercase (as in
mydbinstance).
Database engine MySQL The database engine that you want to run, currently locked to
(DatabaseEngine) MySQL.
Database version 5.7 The major version of the MySQL database engine you wish to
(DatabaseVersion) run, currently locked to MySQL versions supported by
Artifactory and RDS.
Database user artifactory The login ID for the master user of your DB instance.
(DatabaseUser)
Database password Requires input The password for the Artifactory database user.
(DatabasePassword)
Database instance type db.m4.large The size of the database to be deployed as part of the Quick
(DatabaseInstance) Start.
Database allocated 10 The size in GB of the available storage for the database
storage instance.
(DBAllocatedStorage)
High availability true Choose false to create an Amazon RDS instance in a single
database Availability Zone.
(MultiAZDatabase)
Page 16 of 37
AWS Quick Start configuration:
Note We recommend that you keep the default settings for the following two
parameters, unless you are customizing the Quick Start templates for your own
deployment projects. Changing the settings of these parameters will automatically
update code references to point to a new Quick Start location. For additional details,
see the AWS Quick Start Contributor’s Guide.

(name)
Quick Start S3 bucket aws-quickstart The S3 bucket you created for your copy of Quick Start assets,
name if you decide to customize or extend the Quick Start for your
(QSS3BucketName) own use. The bucket name can include numbers, lowercase
letters, uppercase letters, and hyphens, but should not start or
end with a hyphen.
Quick Start S3 key quickstart-jfrog- The S3 key name prefix used to simulate a folder for your copy
prefix artifactory/ of Quick Start assets, if you decide to customize or extend the
(QSS3KeyPrefix) Quick Start for your own use. This prefix can include numbers,
lowercase letters, uppercase letters, hyphens, and forward
slashes.
OPTION 2: PARAMETERS FOR DEPLOYING ARTIFACTORY WITH ECS INTO AN EXISTING

VPC
View template
Security configuration:
(name)
SSH key name Requires input The name of an existing public/private key pair, which allows
(KeyPairName) you to securely connect to your instance after it launches. This
is the key pair you created in your preferred Region; see the
Technical requirements section.
Permitted IP range Requires input The CIDR IP range that is permitted to access Artifactory. We
(AccessCIDR) recommend that you set this value to a trusted IP range. For
example, you might want to grant only your corporate network
access to the software.
Remote access CIDR Requires input The remote CIDR range for allowing SSH into the Bastion
(RemoteAccessCIDR) instance. We recommend that you set this value to a trusted IP
range. For example, you might want to grant specific ranges
inside your corporate network SSH access.
Network configuration:
Page 17 of 37

(name)
VPC ID Requires input The ID of your existing VPC for deployment (e.g., vpc-
(VPCID) 0343606e).
VPC CIDR 10.0.0.0/16 The CIDR block for the VPC.

(VPCCIDR)
Public subnet 1 ID Requires input The ID of the public subnet in Availability Zone 1 in your existing
(PublicSubnet1ID) VPC (e.g., subnet-z0376dab).
Public subnet 2 ID Requires input The ID of the public subnet in Availability Zone 2 in your existing
(PublicSubnet2ID) VPC (e.g., subnet-a29c3d84).
Private subnet 1 ID Requires input The ID of the private subnet in Availability Zone 1 in your
(PrivateSubnet1ID) existing VPC (e.g., subnet-a0246dcd).
Private subnet 2 ID Requires input The ID of the private subnet in Availability Zone 2 in your
(PrivateSubnet2ID) existing VPC (e.g., subnet-b58c3d67).
Private subnet 1 CIDR 10.0.0.0/19 The CIDR of the private subnet in Availability Zone 1 in your
(PrivateSubnet1CIDR) existing VPC (e.g., 10.0.0.0/19).
Private subnet 2 CIDR 10.0.32.0/19 The CIDR of the private subnet in Availability Zone 2 in your
(PrivateSubnet2CIDR) existing VPC (e.g., 10.0.32.0/19).
Bastion configuration:
(name)
Provision Bastion host Enabled Choose Disabled to skip booting a bastion host. Due to the
(ProvisionBastionHost) Artifactory nodes being created in private subnets, the default
setting of Enabled is highly recommended.
Bastion instance type t2.micro The size of the bastion instance.

(BastionInstanceType)
Bastion operating Amazon-Linux- The Linux distribution for the AMI to be used for the bastion
system HVM instances.
(BastionOS)
Bastion root volume 10 The size of the root volume on the Bastion instance.
size
(BastionRootVolumeSize)
Bastion enable TCP true Choose whether to enable TCP forwarding via the
forwarding bootstrapping of the bastion host.
(BastionEnableTCP
Forwarding)
Bastion enable X11 false Choose whether to enable X11 via the bootstrapping of the
forwarding bastion host. Setting this value to true will enable X Windows
(BastionEnableX11 over SSH. X11 forwarding can be very useful but it is also a
Forwarding) security risk, so we recommend that you keep the default
(false) setting unless required.
Page 18 of 37

(name)
Number of Bastion 1 The number of bastion hosts to create. The maximum

hosts number is four.
(NumBastionHosts)
ECS Configuration:
(name)
ECS cluster name JFrog The name for your ECS cluster.
(ClusterName)
Create new ECS Enabled Choose whether to create a new ECS cluster with the name
cluster specified in the ClusterNameparameter. If you choose
(CreateNewECSCluster) Disabled, an ECS cluster with the name specified in
CluserName must already exist.
EC2 instance type m4.xlarge The EC2 instance type for the Artifactory Docker hosts.
(InstanceType)
EBS root volume size 200 The size in GB of the available storage; the Quick Start will
(VolumeSize) create EBS volumes of this size.
JFrog Artifactory configuration:

(name)
Artifactory version 6.11.1 The version of Artifactory that you want to deploy into the Quick
(ArtifactoryVersion) Start. Please see the release notes to select the version you want
to deploy.
Number of secondary 2 The number of secondary Artifactory servers to complete your

instances HA deployment. To fit the Artifactory best practices, the
(NumberOfSecondary) minimum number is two; the maximum number is seven. Do
not select more instances than you have licenses for.
Number of EC2 nodes 3 The number of EC2 nodes to create for the ECS cluster. There
(NumberOfEC2Nodes) must be enough nodes to run the number of secondaries plus the
primary task.
Artifactory licenses Requires input The secret name created in AWS Secrets Manager, which
secret name contains the Artifactory licenses.
( SMLicensesName)
Certificate Requires input The certificate file to be used to terminate SSL.

(Certificate)
Certificate key Requires input The private key for the certificate.
(CertificateKey)
Page 19 of 37

(name)
Certificate domain Requires input The certificate domain, which must match the domain specified
(CertificateDomain) on your certificate.
Artifactory server name Requires input The name of your Artifactory server. Ensure that this matches
(ArtifactoryServer your certificate.
Name)
Master server key Requires input The master key for the Artifactory cluster. Generate a master key
(MasterKey) by using the command $openssl rand -hex 16.
Extra Java options -Xmx4g Setting Java memory parameters for Artifactory. Learn about
(ExtraJavaOptions) system requirements for Artifactory.
Ansible Vault password Requires input The Ansible Vault password to protect the Artifactory YAML
(AnsibleVaultPass) configuration file generated during the Artifactory deployment.
This YAML file is stored on the EC2 nodes and secured with this
password.
Amazon RDS configuration:

(name)
Database name artdb The name for your DB instance. The name must be unique
(DatabaseName) across all DB instances owned by your AWS account in the
current AWS Region. The DB instance identifier is case-
insensitive, but is stored as all lowercase (as in
mydbinstance).
Database engine MySQL The database engine that you want to run, currently locked to
(DatabaseEngine) MySQL.
Database version 5.7 The major version of the MySQL database engine you wish to
(DatabaseVersion) run, currently locked to MySQL versions supported by
Artifactory and RDS.
Database user artifactory The login ID for the master user of your DB instance.
(DatabaseUser)
Database password Requires input The password for the Artifactory database master user.
(DatabasePassword)
Database instance type db.m4.large The size of the database to be deployed as part of the Quick
(DatabaseInstance) Start.
Database allocated 10 The size in GB of the available storage for the database
storage instance.
(DBAllocatedStorage)
High availability true Choose false to create an Amazon RDS instance in a single
database Availability Zone.
(MultiAZDatabase)
Page 20 of 37
AWS Quick Start configuration:
Note We recommend that you keep the default settings for the following two
parameters, unless you are customizing the Quick Start templates for your own
deployment projects. Changing the settings of these parameters will automatically
update code references to point to a new Quick Start location. For additional details,
see the AWS Quick Start Contributor’s Guide.
Parameter label
Default Description
(name)
Quick Start S3 bucket aws-quickstart The S3 bucket you have created for your copy of Quick Start
name assets, if you decide to customize or extend the Quick Start for
(QSS3BucketName) your own use. The bucket name can include numbers,
lowercase letters, uppercase letters, and hyphens, but should
not start or end with a hyphen.
Quick Start S3 key quickstart-jfrog- The S3 key name prefix used to simulate a folder for your copy
prefix artifactory/ of Quick Start assets, if you decide to customize or extend the
(QSS3KeyPrefix) Quick Start for your own use. This prefix can include numbers,
lowercase letters, uppercase letters, hyphens, and forward
slashes.
Step 5. Get started with JFrog Artifactory

1. Connect to Artifactory from the ArtifactoryURL, which is on the Outputs tab of the
Artifactory primary stack. Verify you are able to view the welcome screen.
Figure 3: The JFrog Artifactory welcome screen
Page 21 of 37
Note If you used a non CA-Signed certificate, you will receive a certificate warning
when you attempt to access the page because the certificate will not match the ELB
DNS name, unless you configure Amazon Route 53.
2. Choose Next to run through the Artifactory setup wizard for the initial configuration.
This Quick Start handles the license key configuration during the deployment, and you
will not be prompted to activate your license during the initial wizard.
3. Set a secure Admin password for your deployment, and then choose Next.
Figure 4: The Set Admin Password screen
4. Optionally configure proxy settings for remote resources.
Page 22 of 37
Figure 5: Configure proxy settings if required
5. Select the repositories that are required for your use case, and choose Create.
Figure 6: Available repositories
6. Finally, choose Finish.
Page 23 of 37
Figure 7: The final wizard screen
7. Finalize the administrative tasks by configuring the following:

 Backups
 Maintenance operations
 Authentication
Updating Artifactory
If any maintenance needs to be performed on the stack, ensure that you update the
CloudFormation stack rather than updating the infrastructure manually. This includes
updating Artifactory. The Artifactory version for this Quick Start is 6.11.1.
Page 24 of 37
Figure 8: Configuration details, including the version number
1. To perform an upgrade, select the Root stack, and then choose Update. Please see
Figure 9.
Figure 9: Stack list and Update button on the CloudFormation console
2. Find the Artifactory Version field by scrolling down.
Figure 10: CloudFormation console update page (before you change the version)
3. Enter the version number that you want to run.
Page 25 of 37
Figure 11: CloudFormation console update page (after you change the version)
4. Scroll down, choose Next, and choose Next again, unless you want to change any other
tags or policies. Then select the two I acknowledge check boxes, and choose Update
Stack.
Figure 12: Completing the update process
5. Select the stack that contains the description ArtifactoryExistingVPCStac-Artifa-

PrimaryStack.
If you have deployed the Amazon ECS configuration, upon updating the stack you will
notice that ArtifactoryTaskDefnition has been updated (in the following screenshot,
it is at UPDATE_COMPLETE, based on the timestamp of the event), but
ECSService is stuck at UPDATE_IN_PROGRESS.
Page 26 of 37
Figure 13: Updating the stack in the CloudFormation console
1. In the Amazon ECS console, select the ECS cluster. If you used the default option, the
cluster name is JFrog.
Figure 14: Amazon ECS console list of clusters
2. Select the ArtifactoryPrimary service.
Page 27 of 37
Figure 15: Amazon ECS JFrog cluster
3. Choose the current Task definition. In the following screenshot, the task definition is
ArtifactoryPrimary-Task:13.
Figure 16: Artifactory primary service view
4. Scroll down and expand the Container definitions to ensure that the version has
been updated.
Page 28 of 37
Figure 17: ArtifactoryPrimary task
5. After you verify that the task has been updated, you need to find where the primary task
is running. Navigate back to the ESC console Cluster screen (shown in Figure 17), and
select the ECS Instances tab.
Figure 18: ECS console showing ECS instances running the container instances
6. Select the first container instance to determine which EC2 instance is running the
primary node.
7. On the Container Instance page, look for the ArtifactoryPrimary task definition.
Page 29 of 37
Figure 19: Container Instance page on the Amazon ECS console
In this example, the EC2 instance is i-0404ee145828b3f65.

8. On the Amazon EC2 console, choose Target Groups, and then select the Artifactory
target group, and choose Edit.
Figure 20: Target Groups page on the Amazon EC2 console
Page 30 of 37
9. Select the instance that you determined was running the primary container instance,
and choose Remove. This will ensure no outage is experienced while the new primary
node is created.
Figure 21: Target Groups edit page
10. Next, you need to stop the ArtifactoryPrimary-Task task. Return to the Amazon ECS
console, select the cluster, choose the Tasks tab, select the ArtifactoryPrimary-Task
task, and choose Stop.
Figure 22: ArtifactoryPrimary-Task selected on the Amazon ECS console
Page 31 of 37
In the pop-up window that opens, choose Stop.
Figure 23: Pop up window that opens when you choose to stop a task
This stops the primary container.
After a few minutes, the service will recognize the stopped task, and will kick off the
latest-version TaskDefinition.
Figure 24: New task in RUNNING state
The proper version will also be updated on the JFrog Artifactory High Availability
Configuration page.
Page 32 of 37
Figure 25: JFrog Artifactory High Availability Configuration page
The CloudFormation console will show the progress of the update.
Figure 26: Update progress show on the CloudFormation console
11. Repeat steps 1-10 for the ArtifactorySecondary service. Please do one task at a time.
Important: Ensure you remove the instances from the Registered Targets list
(step 9 in this procedure). Failure to do so may cause unwanted downtime.
Security
By default, the load balancer will not match your certificate. You will need to configure DNS
according to your organization’s configuration, which is highly recommended for a
production deployment.
Page 33 of 37
When you create a new VPC, the private subnet CIDR is automatically provided to the
database security group ArtifactoryBDSG. In the new VPC, the private subnet is accessible
only from the public subnet.
When you deploy to an existing VPC, ensure similar rules are followed so that your
Artifactory nodes are not accessible directly from the internet. Also, ensure that the private
CIDR is correct and locked down. Avoid using 0.0.0.0/0. If the subnet is a public subnet, it
will allow your MySQL database to be available from the internet.
Storage
A major difference between running on premises and on AWS is the use of storage. As
Amazon S3 is being used, you will be charged for what is currently in use, rather than what
may be allocated on premises. Please be sure to monitor your usage.
Troubleshooting
Q. I provisioned more secondary nodes than I have licenses, and I cannot access
Artifactory. What do I do?
A. In the AWS CloudFormation console, choose Update Stack, and reduce the number of
secondary nodes to the number of licenses you purchased minus one license for the master.
Q. My license ran out and Artifactory is unresponsive. How do I fix this?

A. If this occurs, please reduce the number of secondary nodes to zero, and contact JFrog
for a new license.
Q. My certificate is out of date. How do I update it?

A. The certificate is handled via Ansible or Helm. In the AWS CloudFormation console,
choose Update Stack, change the certificate and certificate key values. Then, by rolling
restart, update the master node first, and then, one at a time, the secondary nodes. This will
rebuild each node with the correct certificate.
Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the
template with Rollback on failure set to No. (This setting is under Advanced in the
AWS CloudFormation console, Options page.) With this setting, the stack’s state will be
retained and the instance will be left running, so you can troubleshoot the issue.
Page 34 of 37
Important When you set Rollback on failure to No, you will continue to incur
AWS charges for this stack. Please make sure to delete the stack when you finish
troubleshooting.
For additional information, see Troubleshooting AWS CloudFormation on the AWS

website.
Q. I encountered a size limitation error when I deployed the AWS CloudFormation

templates.
A. We recommend that you launch the Quick Start templates from the links in this guide or
from another S3 bucket. If you deploy the templates from a local copy on your computer or
from a non-S3 location, you might encounter template size limitations when you create the
stack. For more information about AWS CloudFormation limits, see the AWS
documentation.
Send us feedback
To post feedback, submit feature ideas, or report bugs, use the Issues section of the
GitHub repository for this Quick Start. If you’d like to submit code, please review the Quick
Start Contributor’s Guide.
Additional resources
AWS resources
 Getting Started Resource Center
 AWS General Reference
 AWS Glossary
AWS services
 AWS CloudFormation
 Amazon EBS
 Amazon EC2
 IAM
 Amazon VPC
 Amazon RDS
Page 35 of 37
 Amazon S3
 Amazon ECS
 Elastic Load Balancing
 Amazon RDS
 Amazon S3
Artifactory documentation
 Artifactory User Guide
Other Quick Start reference deployments

 AWS Quick Start home page
Document revisions
Date Change In sections
September 2019 Initial publication —
Page 36 of 37
© 2019, Amazon Web Services, Inc. or its affiliates, and JFrog. All rights reserved.
Notices
This document is provided for informational purposes only. It represents AWS’s current product offerings
and practices as of the date of issue of this document, which are subject to change without notice. Customers
are responsible for making their own independent assessment of the information in this document and any
use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether
express or implied. This document does not create any warranties, representations, contractual
commitments, conditions or assurances from AWS, its affiliates, suppliers or licensors. The responsibilities
and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of,
nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, Version 2.0 (the "License"). You
may not use this file except in compliance with the License. A copy of the License is located at
http://aws.amazon.com/apache2.0/ or in the "license" file accompanying this file. This code is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
Page 37 of 37

Artifactory With Amazon Ecs On The Aws Cloud PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Artifactory With Amazon Ecs On The Aws Cloud PDF

Uploaded by

Copyright:

Available Formats

Artifactory with Amazon ECS on

the AWS Cloud

Step 3. Prepare the certificate parameters ...........................................................................11

Important The deployment is configured as “infrastructure as code”. Any changes

Cost and licenses

Figure 2: Quick Start architecture for Artifactory ECS containers on AWS

The Quick Start sets up the following:

Amazon ECS services

Ansible init script

Planning the deployment

If you have a domain name available (e.g., https://artifactory.mycompany.com), you can

Resource This deployment uses

AWS Identity and

Auto Scaling groups 3

Step 2. Add the Artifactory license keys to AWS Secrets Manager

3. Choose Other type of secret.

Step 3. Prepare the certificate parameters

Step 4. Launch the Quick Start

Deploy Artifactory ECS into a Deploy Artifactory ECS into an

The deployment takes about 30 minutes to complete.

Parameter label Default Description

VPC CIDR 10.0.0.0/16 The CIDR block for the VPC.

Bastion instance type t2.micro The size of the bastion instances.

Parameter label Default Description

JFrog Artifactory Configuration:

Number of secondary 2 The number of secondary Artifactory servers to complete your

Certificate Requires input The certificate file to be used to terminate SSL.

Parameter label Default Description

Amazon RDS configuration:

AWS Quick Start configuration:

Parameter label Default Description

OPTION 2: PARAMETERS FOR DEPLOYING ARTIFACTORY WITH ECS INTO AN EXISTING

Parameter label Default Description

VPC CIDR 10.0.0.0/16 The CIDR block for the VPC.

Bastion instance type t2.micro The size of the bastion instance.

Parameter label Default Description

Number of Bastion 1 The number of bastion hosts to create. The maximum

JFrog Artifactory configuration:

Number of secondary 2 The number of secondary Artifactory servers to complete your

Certificate Requires input The certificate file to be used to terminate SSL.

Parameter label Default Description

Amazon RDS configuration:

AWS Quick Start configuration:

Step 5. Get started with JFrog Artifactory

Figure 3: The JFrog Artifactory welcome screen

Figure 4: The Set Admin Password screen

4. Optionally configure proxy settings for remote resources.

Figure 5: Configure proxy settings if required

Figure 6: Available repositories

6. Finally, choose Finish.

Figure 7: The final wizard screen

7. Finalize the administrative tasks by configuring the following:

Figure 8: Configuration details, including the version number

Figure 9: Stack list and Update button on the CloudFormation console

2. Find the Artifactory Version field by scrolling down.

3. Enter the version number that you want to run.

Figure 12: Completing the update process

5. Select the stack that contains the description ArtifactoryExistingVPCStac-Artifa-

Figure 13: Updating the stack in the CloudFormation console

Figure 14: Amazon ECS console list of clusters

2. Select the ArtifactoryPrimary service.

Figure 15: Amazon ECS JFrog cluster

Figure 16: Artifactory primary service view