AWS byol 3.0

Author: haberkornsam

docs/intro_installation_quickstart_byol_conductor_aws.md

@@ -64,12 +64,12 @@ To deploy the Session Smart Networking software via the AWS Console:
 7. Answer the following questions to launch the deployment of an SSR. For a description of the parameters of the template, please refer to [Launch the Conductor Template](#launch-the-conductor-template).
 
 - What name do you want to give the instance?
-  - Provide it in the **Stack name** field (for example: Conductor).
+  - Provide it in the **Conductor Name** field (for example: conductor).
 - What version of SSR software do you want to install?
+- What are the artifactory credentials used to install the software?
 - Where do you want to deploy it?
   - Select the VPC in the region.
   - Select the subnet within the VPC.
-- What are the artifactory credentials used to install the software?
 - Who is going to be the administrator?
   - Select the IAM user key.
 8. Click **Next**.
@@ -110,7 +110,8 @@ write_files:
             "mode": "conductor",
             "artifactory-user": "<username>",
             "artifactory-password": "<password>",
-            "node-name": "node0"
+            "node-name": "node0",
+            "cloud-provider": "aws"
         }
 ```
 
@@ -143,14 +144,15 @@ A description of the parameters of the template are listed in the following tabl
 
 | Parameter            | Description |
 | -------------------- | ----------- |
-| Stack name           | The Instance Name field provides a name to the VM for the device.|
-| VPC ID               | ID of the existing VPC where the device is going to be deployed. |
-| Public Subnet ID     | ID of the management subnet within the VPC. |
-| Public Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Conductor's management interface in the management subnet. |
+| Name           | The Instance Name field provides a name to the VM for the device.|
+| Instance Type        | Size of the EC2 instance.|
+| SSR Version | SSR software version installed on the instance. |
 | Artifactory Username | User portion of the artifactory credentials used to install the SSR software. |
 | Artifactory Token | Token for the artifactory credentials used to install the SSR software. |
-| Version | SSR software version installed on the instance. |
-| Instance size        | Size of the EC2 instance.|
+| VPC ID               | ID of the existing VPC where the device is going to be deployed. |
+| Control Subnet ID     | ID of the control subnet within the VPC. |
+| Control Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Conductor's management interface in the management subnet. |
+| Admin Allowed CIDR | The IP CIDR range of the endpoints allowed to SSH to the EC2 instance as well as login to the Conductor's GUI. |
 | Key Name             | IAM user key (SSH public key) to login to the EC2 instance (Linux) via SSH.|
 
 
@@ -171,7 +173,7 @@ Once the deployment of the template is complete, information about the new route
 
 The information listed in the Outputs tab is the following:
 * Instance ID of the Router EC2 instance.
-* Public IP address of the public interface for administration purposes.
+* Public IP address of the Control interface for administration purposes.
 * SSH command to login to the Linux VM.
 
 #### AWS CLI
@@ -188,14 +190,15 @@ Paste the following JSON content. Please adjust the values to your specific envi
 
 ```
 {
-  "StackName": "<instance name>",
-  "VpcId": "<ID of the VPC>",
-  "ManagementSubnet": "<ID of the management subnet within the VPC>",
-  "ManagementSubnetAllowedCidr": "0.0.0.0/0",
+  "Name": "<instance name>",
+  "Version": "<ssr-version>",
+  "InstanceType": "c5.xlarge",
   "ArtifactoryUsername": "<username>",
   "ArtifactoryUsername": "<password>",
-  "SSRVersion": "<ssr-version>",
-  "InstanceType": "c5.xlarge",
+  "VpcId": "<ID of the VPC>",
+  "ControlSubnet": "<ID of the management subnet within the VPC>",
+  "ControlAllowedCidr": "0.0.0.0/0",
+  "AdminAllowedCidr": "0.0.0.0/0",
   "KeyName": "<username>"
 }
 ```
@@ -269,7 +272,7 @@ The following infrastructure must exist in your AWS account:
 * The existing VPC is segmented with at least the following three subnets:
   - **Public Subnet**: This subnet must provide connectivity to enable communication with external/remote SSR peers.
   - **Private Subnet**: This subnet must provide connectivity to internal workloads within the cloud.
-  - **Management Subnet**: This subnet is used for conductor-managed deployments, and has the following requirements:
+  - **[OPTIONAL] Management Subnet**: This subnet is used for conductor-managed deployments, and has the following requirements:
     * The subnet is reachable for SSH for administration purposes.
     * The interface of the Conductor that manages this router must be reachable from this subnet.
 * [Enable enhanced network](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking-ena.html#enabling_enhanced_networking) with ENA for maximum throughput performance. For SSR routers, execute the following command from your local computer:
@@ -312,7 +315,7 @@ To deploy the Session Smart Networking software via the AWS Console:
 - What version of SSR software do you want to install?
 - Where do you want to deploy it?
   - Select the VPC in the region.
-  - Select the public, private, and management subnets within the VPC.
+  - Select the public, private, and optional management subnets within the VPC.
 - What are the artifactory credentials used to install the software?
 - What is the control IP address of the Conductor used to manage it?
 - **Optional** What is the secondary control IP address of the Conductor used to manage it?
@@ -354,7 +357,8 @@ write_files:
             "name": "<router-name>",
             "ssr-version": "<version>",
             “mode”: "conductor-managed",
-            “conductor-hosts”: ["<conductor-host>"]
+            “conductor-hosts”: ["<conductor-host>"],
+            "cloud-provider": "aws"
         }
 ```
 | Option | Meaning |
@@ -379,9 +383,9 @@ The _Session Smart Router Template_ deploys an EC2 instance for the SSR with two
 
 | Network Interface name | Subnet           | PCI Address     |
 | ---------------------- | ---------------- | ----------------|
-| ge-0-0                 | Management       | 0000:00:05.0    |
-| ge-0-1                 | Public           | 0000:00:06.0    |
-| ge-0-2                 | Private          | 0000:00:07.0    |
+| ge-0-0                 | Public           | 0000:00:05.0    |
+| ge-0-1                 | Private          | 0000:00:06.0    |
+| ge-0-2                 | Management       | 0000:00:07.0    |
 
 ### Launch the Conductor Managed Template
 
@@ -393,21 +397,22 @@ A description of the parameters of the template are listed in the following tabl
 
 | Parameter            | Description |
 | -------------------- | ----------- |
-| Stack name           | Fill out the Instance Name field to provide a name to the VM for the conductor-managed router.|
-| VPC ID               | ID of the existing VPC where the conductor-managed router is going to be deployed. |
-| Public Subnet ID     | ID of the public subnet within the VPC. |
-| Public Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's public interface in the public subnet. |
-| Private Subnet ID    | ID of the private subnet within the VPC. |
-| Private Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's private interface in the private subnet. |
-| Management Subnet ID | ID of the management subnet within the VPC. |
-| Management Allowed CIDR   | The IP CIDR range of the endpoints allowed to SSH to the EC2 instance as well as login to the Router's GUI. |
+| Name           | Fill out the Instance Name field to provide a name to the VM for the conductor-managed router.|
+| Version | SSR software version installed on the instance. |
 | Artifactory Username | User portion of the artifactory credentials used to install the SSR software. |
 | Artifactory Token | Token for the artifactory credentials used to install the SSR software. |
 | Primary Control IP | The primary IP address of the Conductor |
 | Secondary Control IP | The secondary IP address of the Conductor |
-| Version | SSR software version installed on the instance. |
-| Instance size        | Size of the EC2 instance.|
 | Key Name             | IAM user key (SSH public key) to login to the EC2 instance (Linux) via SSH.|
+| Instance size        | Size of the EC2 instance.|
+| VPC ID               | ID of the existing VPC where the conductor-managed router is going to be deployed. |
+| Public Subnet ID     | ID of the public subnet within the VPC. |
+| Public Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's public interface in the public subnet. |
+| Admin Allowed CIDR   | The IP CIDR range of the endpoints allowed to SSH to the EC2 instance as well as login to the Router's GUI. |
+| Private Subnet ID    | ID of the private subnet within the VPC. |
+| Private Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's private interface in the private subnet. |
+| Management Subnet ID | [OPTIONAL] ID of the management subnet within the VPC. |
+
 
 #### Using the AWS Console
 
@@ -443,20 +448,21 @@ Paste the following JSON content. Please adjust the values to your specific envi
 
 ```
 {
-  "StackName": "<instance name>",
+  "Name": "<instance name>",
+  "Version": "<ssr-version>",
+  "ArtifactoryUsername": "<username>",
+  "ArtifactoryToken": "<password>",
+  "conductorPrimaryControlIP": "<control-ip>",
+  "conductorSecondaryControlIP": "<control-ip>",
+  "InstanceType": "c5.xlarge",
+  "KeyName": "<username>"
   "VpcId": "<ID of the VPC>",
   "PublicSubnet": "<ID of the public subnet within the VPC>",
   "PublicSubnetAllowedCidr": "0.0.0.0/0",
   "PrivateSubnet": "<ID of the public subnet within the VPC>",
   "PrivateSubnetAllowedCidr": "0.0.0.0/0",
   "AdminAllowedCidr": "0.0.0.0/0",
-  "conductorPrimaryControlIP": "<control-ip>",
-  "conductorSecondaryControlIP": "<control-ip>",
-  "ArtifactoryUsername": "<username>",
-  "ArtifactoryUsername": "<password>",
-  "SSRVersion": "<ssr-version>",
-  "InstanceType": "c5.xlarge",
-  "KeyName": "<username>"
+  "ManagementSubnet": "<[OPTIONAL] ID of the management subnet within the VPC>",
 }
 ```
 
@@ -527,6 +533,7 @@ In addition to using the cloud formation template, the admin can tag the interfa
 | --------- | ------- |
 | WAN       | Interface is marked as WAN for onboarding purposes. |
 | LAN       | Interface is marked as LAN and is assumed to be used as a private network for internal workflows. |
+| MGMT       | Interface is marked as MGMT and is assumed to have SSH connectivity. |
 
 :::note
 The EC2 instance must be assigned the IAM role containing the `ec2_describeNetwork` permission to leverage the interface tagging.

docs/intro_installation_quickstart_byol_mist_aws.md

@@ -67,16 +67,16 @@ To deploy the Session Smart Networking software via the AWS Console:
 
 7. Answer the following questions to launch the deployment of an SSR. For a description of the parameters of the template, please refer to [Launch the Template](#launch-the-template).
 
-- What version of SSR software do you want to install?
 - What name do you want to give the instance?
-  - Provide it in the **Stack name** field (for example: SSR_1_Router).
-- Where do you want to deploy it?
-  - Select the VPC in the region.
-  - Select the public, private, and management subnets within the VPC.
+  - Provide it in the **Router Name** field (for example: SSR_1_Router).
 - Which Mist organization is going to manage it?
   Provide the [registration code](wan_onboarding_whitebox.md#manual-adoption) for the Mist organization.
+- What version of SSR software do you want to install?
 - Who is going to be the administrator?
   - Select the IAM user key.
+- Where do you want to deploy it?
+  - Select the VPC in the region.
+  - Select the public, private, and optional management subnets within the VPC.
 8. Click the **Next** button.
 9. Click on the **Create stack** button to launch the deployment.
 
@@ -118,7 +118,7 @@ write_files:
 ### Manual Onboarding
 If a user does not supply the onboarding configuration before launching the instance, the onboarding steps can be manually executed.
 
-1. Log into the instance using the default AWS username `ec2-user` and the key pair provided when launching.
+1. Log into the instance using the default SSR username `t128` and the key pair provided when launching.
 2. Run `/usr/libexec/hardwareBootstrapper128t config-generator`
 3. Follow the prompts to generate and apply the onboarding configuration.
 
@@ -136,24 +136,26 @@ If the device does not show up in the Mist organization or the desired SSR versi
 
 ### Network Interfaces Layout
 
-The _Session Smart Router Template_ deploys an EC2 instance for the SSR with two network interfaces. The template attaches the network interfaces to the EC2 instance in the following order: Public, and Private. The network interfaces to be used in Mist configuration are as follows:
+The _Session Smart Router Template_ deploys an EC2 instance for the SSR with two network interfaces. The template attaches the network interfaces to the EC2 instance in the following order: Public, private, and Management. The network interfaces to be used in Mist configuration are as follows:
 
 | Network Interface Name | Subnet           | Mist Config Name     |
 | ---------------------- | ---------------- | ----------------|
 | ge-0-0                 | Public           | ge-0/0/0    |
 | ge-0-1                 | Private          | ge-0/0/1    |
+| ge-0-2                 | Management       | Out Of Band Management    |
 
 #### Interface Tagging
 
 In addition to using the cloud formation template, the admin can tag the interface with the key `SSR-ROLE`. The possible values are as follows:
 
 | Tag Value | Meaning |
 | --------- | ------- |
-| WAN       | Interface is marked as WAN for onboarding purposes and is assumed to have connectivity to Mist cloud infrastructure. |
+| WAN       | Interface is marked as WAN for onboarding purposes. Without a MGMT interface, it is assumed to have connectivity to Mist cloud infrastructure. |
 | LAN       | Interface is marked as LAN and is assumed to be used as a private network for internal workflows. |
+| MGMT       | Interface is marked as MGMT and is assumed to have connectivity to Mist cloud infrastructure. |
 
 :::note
-The EC2 instance must be assigned the IAM role containing the `ec2_describeNetwork` permission to leverage the interface tagging.
+The EC2 instance must be assigned the IAM role containing the `ec2_describeNetwork` permission to leverage the interface tagging. This is automatically done when using the provided templates.
 :::
 
 ## Source / Destination Check
@@ -180,17 +182,18 @@ A description of the parameters of the template are listed in the following tabl
 
 | Parameter            | Description |
 | -------------------- | ----------- |
-| Stack name           | Fill out the Instance Name field to provide a name to the VM for the Mist-managed router.|
-| VPC ID               | ID of the existing VPC where the Mist-managed router is going to be deployed. |
-| Public Subnet ID     | ID of the public subnet within the VPC. |
-| Public Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's public interface in the public subnet. |
-| Private Subnet ID    | ID of the private subnet within the VPC. |
-| Private Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's private interface in the private subnet. |
-| Admin Allowed CIDR   | The IP CIDR range of the endpoints allowed to SSH to the EC2 instance as well as login to the Router's GUI. |
-| Registration Code   | The Mist registration used for adoption of the EC2 instance to a Mist organization. |
+| Router Name          | Name of the VM for the Mist-managed router.|
 | Version | SSR software version installed on the instance. |
+| Registration Code   | The Mist registration used for adoption of the EC2 instance to a Mist organization. |
 | Instance size        | Size of the EC2 instance.|
-| Key Name             | IAM user key (SSH public key) to login to the EC2 instance (Linux) via SSH.|
+| SSH IAM Key             | IAM user key (SSH public key) to login to the EC2 instance (Linux) via SSH.|
+| VPC ID               | ID of the existing VPC where the Mist-managed router is going to be deployed. |
+| Public Inteface Subnet     | ID of the public subnet within the VPC. |
+| Public Interface Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's public interface in the public subnet. |
+| Admin Allowed CIDR   | The IP CIDR range of the endpoints allowed to SSH to the EC2 instance as well as login to the Router's GUI. |
+| Private Interface Subnet    | ID of the private subnet within the VPC. |
+| Private Subnet Allowed CIDR | The IP CIDR range of the endpoints allowed to originate traffic to the Router's private interface in the private subnet. |
+| Mangement Interface Subnet [OPTIONAL]    | Optional ID of the management subnet within the VPC. |
 
 #### AWS Console
 
@@ -226,17 +229,18 @@ Paste the following JSON content. Please adjust the values to your specific envi
 
 ```
 {
-  "StackName": "<instance name>",
+  "Name": "<instance name>",
+  "Version": "<ssr-version>",
+  "RegistrationCode": "<Registration-code>",
+  "InstanceType": "c5.xlarge",
+  "KeyName": "<ssh-key-name>"
   "VpcId": "<ID of the VPC>",
   "PublicSubnet": "<ID of the public subnet within the VPC>",
   "PublicSubnetAllowedCidr": "0.0.0.0/0",
-  "PrivateSubnet": "<ID of the public subnet within the VPC>",
-  "PrivateSubnetAllowedCidr": "0.0.0.0/0",
   "AdminAllowedCidr": "0.0.0.0/0",
-  "RegistrationCode": "<Registration code>",
-  "SSRVersion": "<ssr-version>",
-  "InstanceType": "c5.xlarge",
-  "KeyName": "<username>"
+  "PrivateSubnet": "<ID of the private subnet within the VPC>",
+  "PrivateSubnetAllowedCidr": "0.0.0.0/0",
+  "ManagementSubnet": "<Optional ID of the management subnet within the VPC>"
 }
 ```
 

docs/release_notes_byol_3.0.md

@@ -0,0 +1,20 @@
+---
+title: Bring Your Own License (BYOL)
+sidebar_label: '3.0'
+---
+## Release 3.0.0
+
+**Release Date:** June 26, 2025
+
+### New Features
+- **I95-59197 BYOL support for EL9:** Update The base BYOL image to use Oracle Linux 9.
+- **I95-60147 Conditionally management subnet:** The Management Interface is now optional in all SSR templates.
+- **WAN-3513 Support Azure VMBus UUID in UDev rules:** Added support for Azure VMBus UUID in UDev rules instead of MAC Addresses.
+- **I95-60201 AWS IMDSv2 Support:** Added support for IMDSv2 in AWS for added security. For more information, please see the [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html).
+- **I95-60148 Template Improvements** General quality of life improvements to the provided AWS and Azure templates.
+
+
+### Resolved Issues
+- **I95-60395 AWS BYOL Mist Manual Onboarding Method Fails** An erroneous IP route to the IMDS endpoint was being created on the wrong interface causing the instance to fail onboarding.
+- **WAN-4006 Password authentication is allowed and authorized keys are not copied over** SSR default passwords were created and the configured authorized keys were not copied once SSR software was installed.
+- **I95-60102 Management interface setup is incorrect** The provided conductor-managed and mist-managed router templates created a `management` inteface, but it was not configured as out of band management.

sidebars.js

@@ -68,6 +68,7 @@ module.exports = {
         "type": "category",
         "label": "BYOL Cloud Images",
         "items": [
+          "release_notes_byol_3.0",
           "release_notes_byol_2.0",
           "release_notes_byol"
         ]