The sample Amazon Web Services (AWS) CloudFormation templates provided by Esri allow you to deploy ArcGIS Enterprise into two types of network architectures. The first and most common architecture deploys ArcGIS Enterprise in an Amazon Virtual Private Cloud (VPC) network whose instances are directly reachable from the internet. Because the instances themselves carry internet-routable addresses in this architecture, inbound access to them can and should be restricted with security groups.
A second network architecture deploys ArcGIS Enterprise into subnets that are not directly reachable from the internet. Only the Elastic Load Balancer for the deployment has an internet-facing address; the ArcGIS Enterprise instances receive only the traffic the load balancer forwards to them. This type of architecture is commonly referred to as a DMZ network architecture. It requires a greater understanding of networking, but it reduces the exposed surface of the deployment to the load balancer listener and keeps the machines running the software isolated from direct internet access.
The following information summarizes how you can deploy ArcGIS Enterprise in a DMZ network architecture on AWS. The high-level steps for this process are as follows:
- Create the VPC with a DMZ network architecture.
- Create an Elastic Load Balancer.
- Deploy ArcGIS Enterprise.
As mentioned, Esri provides a sample CloudFormation template to create a VPC with the DMZ network architecture. You can modify the Esri sample template, but it is beyond the scope of this document to cover custom templates. In addition, Esri Support will be limited in the amount of help it can provide to troubleshoot network architecture problems in a VPC created without the use of the Esri template.
Before you run the Esri CloudFormation template to create a VPC, you must have the following:
- An unassociated Elastic IP address allocated in your AWS Region. You must know its allocation ID (the eipalloc- identifier) so you can provide it to the template.
- A Region with at least two Availability Zones available to your account; the template spreads the subnets across two zones so the deployment can be highly available.
- The Amazon Resource Name (ARN) of your SSL certificate. You can use the ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services to upload the certificate to AWS Certificate Manager (ACM) and then retrieve its ARN from ACM. The certificate must be issued for the DNS name you will publish for the site (the name you create a CNAME record for in the final step, for example gis.acme.org); otherwise browsers will reject the connection to the load balancer.
Deploy ArcGIS Enterprise in a DMZ network architecture
Follow these steps to deploy ArcGIS Enterprise in a DMZ network architecture on AWS using Esri sample CloudFormation templates:
- Use the VPC CloudFormation template that creates four subnets (two public and two private) to create your VPC. Save the VPC ID and the four subnet IDs, and record which two subnets are public and which two are private: the load balancer is placed in the public subnets and the ArcGIS Enterprise instances in the private ones.
- Use one of the CloudFormation templates to create an AWS Elastic Load Balancer (ELB), either the classic load balancer template or the application load balancer template. Provide the following parameter values:
  - The VPC ID of your newly created VPC.
  - The public subnet IDs from step 1.
  - The SSL certificate ARN.
The ELB template returns an ELBName output value. Take note of it, as you need it in the next step. Also note the DNSName output value, as you will need it in the final step.
- Run the highly available base ArcGIS Enterprise AWS CloudFormation template to create a base ArcGIS Enterprise deployment. Provide the private subnet IDs saved in step 1 as the Subnet1 and Subnet2 parameter values, and provide the ELBName value you noted in the previous step.
- Once the highly available base ArcGIS Enterprise deployment is created successfully, work with your IT staff to create a CNAME record that maps the name you want to use for the site in the URL (for example, gis.acme.org) to the DNSName value that Amazon automatically assigned to the ELB. This must be the same name your SSL certificate was issued for; if the two do not match, clients will receive certificate warnings even though the load balancer is reachable.
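The isolation the DMZ architecture promises holds only if the private subnets really have no route to the internet gateway and nothing running in them picked up a public IP. The following Python script is an added example, not part of Esri's documentation or templates, that checks both properties using the IDs saved in step 1. The sample route tables and network interfaces embedded below are constructed to mirror the shape of EC2 describe-route-tables and describe-network-interfaces responses (all subnet, gateway and interface IDs in them are made up); the optional `fetch_from_aws` helper pulls the same data live with boto3 and assumes AWS credentials are configured.

```python
"""Post-deployment check for the DMZ layout: public (ELB) subnets must route
0.0.0.0/0 to an internet gateway, private (ArcGIS Enterprise) subnets must not,
and no interface in a private subnet may carry a public IP.
Added example, not Esri code. Sample data below is constructed."""
from typing import Dict, List, Optional, Tuple


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Return the table explicitly associated with subnet_id, else the VPC main table
    (a subnet with no explicit association implicitly uses the main table)."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(table: Dict) -> Optional[str]:
    """Return the target ID of the 0.0.0.0/0 route (igw-... or nat-...), or None."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def classify_subnet(route_tables: List[Dict], subnet_id: str) -> str:
    """'public' = default route via internet gateway, 'private' = via NAT gateway,
    'isolated' = no default route, 'unknown' = no table or unexpected target."""
    table = route_table_for_subnet(route_tables, subnet_id)
    if table is None:
        return "unknown"
    target = default_route_target(table)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "unknown"


def check_dmz_layout(route_tables: List[Dict], enis: List[Dict],
                     public_subnets: List[str], private_subnets: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the layout matches the DMZ design."""
    findings = []
    for subnet in public_subnets:
        kind = classify_subnet(route_tables, subnet)
        if kind != "public":
            findings.append(f"{subnet}: expected public (IGW default route), got {kind}")
    for subnet in private_subnets:
        kind = classify_subnet(route_tables, subnet)
        if kind not in ("private", "isolated"):
            findings.append(f"{subnet}: expected private (no IGW default route), got {kind}")
    for eni in enis:
        public_ip = eni.get("Association", {}).get("PublicIp")
        if eni.get("SubnetId") in private_subnets and public_ip:
            findings.append(f"{eni['NetworkInterfaceId']}: in private subnet "
                            f"{eni['SubnetId']} but has public IP {public_ip}")
    return findings


def fetch_from_aws(vpc_id: str) -> Tuple[List[Dict], List[Dict]]:
    """Pull live route tables and interfaces for one VPC with boto3.
    Assumes credentials are configured; single page only (add paginators for big VPCs)."""
    import boto3  # assumption: boto3 installed, not needed for the sample run below
    ec2 = boto3.client("ec2")
    filt = [{"Name": "vpc-id", "Values": [vpc_id]}]
    return (ec2.describe_route_tables(Filters=filt)["RouteTables"],
            ec2.describe_network_interfaces(Filters=filt)["NetworkInterfaces"])


# Constructed sample: the IDs saved from step 1 ...
PUBLIC_SUBNETS = ["subnet-pub-a", "subnet-pub-b"]
PRIVATE_SUBNETS = ["subnet-priv-a", "subnet-priv-b"]
# ... and a VPC in which subnet-priv-b was never associated with the private
# table, so it falls back to a main table that wrongly routes to the IGW.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private-a", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-elb", "SubnetId": "subnet-pub-a", "Association": {"PublicIp": "203.0.113.10"}},
    {"NetworkInterfaceId": "eni-portal", "SubnetId": "subnet-priv-a"},
    {"NetworkInterfaceId": "eni-server", "SubnetId": "subnet-priv-b", "Association": {"PublicIp": "203.0.113.11"}},
]

if __name__ == "__main__":
    for finding in check_dmz_layout(SAMPLE_ROUTE_TABLES, SAMPLE_ENIS, PUBLIC_SUBNETS, PRIVATE_SUBNETS):
        print(finding)
```

Run against a real account by replacing the sample data with `fetch_from_aws(vpc_id)` and the subnet lists you saved in step 1; an empty result means only the load balancer's subnets reach the internet gateway and the ArcGIS Enterprise machines have no public addresses. The sample deliberately shows the two failures worth knowing about: a private subnet left on a main route table with an internet gateway route, and an instance in that subnet that received a public IP.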
The following diagram shows an example of a highly available ArcGIS Enterprise deployment in a DMZ network architecture on AWS: