Tigera Calico on the AWS Cloud

Quick Start Reference Deployment

December 2020
Casey Davenport, Tigera
Troy Ameigh, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Tigera in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start guide provides step-by-step instructions for deploying Tigera Calico on the AWS Cloud. It’s for users who want to use Calico to provide network-policy enforcement on Amazon Elastic Kubernetes Service (Amazon EKS) clusters. Calico provides a rich network-policy model that lets you limit pod-to-pod and pod-to-external communication to only the traffic flows you want. Clusters deployed by this Quick Start can be upgraded to Calico Enterprise for enterprise-grade security and compliance use cases.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Software licenses

Calico binaries are provided for free under the Apache 2.0 license. To enable Calico Enterprise features, follow the steps below to get a free trial of Calico Enterprise and run it directly on your EKS cluster.

  • Go to the Calico Enterprise trial registration website using this link.

  • Fill out your contact details along with your work email address to ensure you receive your trial environment details promptly.

  • Select Amazon EKS as your Kubernetes distro.

  • For the Promo Code, use PAR-AWS-EKS-QUICKSTART. It is critical that you use this code, because it is used to automatically approve trial requests for this Quick Start.

  • Review and accept the terms of service and click the START YOUR TRIAL button.

  • Somebody from the Tigera team will provision your environment and send you an email with the details you need. This is currently a manual process and can take up to half an hour during business hours (Monday to Friday, 9 am to 5 pm PT). Requests received outside business hours are provisioned on the next business day.

  • Watch for the email titled "Your Calico Enterprise Trial Credentials" from cet@tigera.io (check your spam folder if it does not arrive). It supplies a single command to run against the EKS cluster you launch with this Quick Start. That command installs the required Calico Enterprise components on your EKS cluster so that you can manage the cluster from a dedicated management portal.

Architecture

Deploying this Quick Start with default parameters into an existing Amazon EKS cluster builds the following environment. For a diagram of the new virtual private cloud (VPC) and Amazon EKS cluster, see Amazon EKS on the AWS Cloud.

Figure 1. Quick Start architecture for Tigera Calico on the AWS Cloud

As shown in Figure 1, the Quick Start sets up the following:

  • Tigera Operator and associated resources in its own namespace (tigera-operator).

  • A custom resource that configures the Calico installation.

  • Calico resources in the calico-system namespace.

Planning the deployment

Specialized knowledge

This deployment guide requires a moderate level of familiarity with AWS services. If you’re new to AWS, see the Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start also assumes familiarity with the basic concepts of container networking, Amazon EKS, and Kubernetes.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using your phone’s keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Amazon EKS cluster

If you deploy Calico into an existing Amazon EKS cluster that was not created by the Amazon EKS on the AWS Cloud Quick Start, you must configure your cluster to allow this Quick Start to manage it. For more information, see the Deployment steps section.

IAM permissions

Before launching the Quick Start, you must log in to the AWS Management Console with AWS Identity and Access Management (IAM) permissions for the resources and operations that each template deploys.

The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions.

Deployment options

This Quick Start provides three deployment options:

  • Deploy Calico into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, EKS cluster, a node group, and other infrastructure components. It then deploys Calico into this new EKS cluster.

  • Deploy Calico into a new EKS cluster of an existing VPC. This option builds a new Amazon EKS cluster, node group, and other infrastructure components into an existing VPC. It then deploys Calico into this new EKS cluster.

  • Deploy Calico into an existing EKS cluster. This option provisions Calico in your existing AWS infrastructure. Note that when deploying into an EKS cluster that was not created by the Amazon EKS on the AWS Cloud Quick Start, you must prepare the cluster as described in the Deployment steps section.

Deployment steps

Prepare an existing EKS cluster

This step is only required if you launch this Quick Start into an existing Amazon EKS cluster that was not created using the Amazon EKS on the AWS Cloud deployment. If you want to create a new EKS cluster with your deployment, skip this section and go to Launch the Quick Start.
  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user or role that has the necessary permissions. For details, see Planning the deployment, earlier in this guide.

  2. Launch the cluster preparation template.

  3. The template launches in the US East (Ohio) Region by default. To change the Region, choose another Region from the list in the upper-right corner of the navigation bar.

  4. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  5. On the Specify stack details page, change the stack name if needed. Enter the name of the Amazon EKS cluster you want to deploy to in addition to the subnet IDs and security group ID associated with the cluster. These can be obtained from the EKS cluster console.

  6. On the Options page, specify the key-value pairs for resources in your stack, and set advanced options. When you’re done, choose Next.

  7. On the Review page, review and confirm your template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  8. Choose Create stack to deploy the stack.

  9. Monitor the stack’s status until it is CREATE_COMPLETE.

  10. From the Outputs section of the stack, note the KubernetesRoleArn and HelmRoleArn roles.

  11. Add the roles to the aws-auth config map in your cluster, specifying system:masters for the groups. This allows the Quick Start to manage your cluster via AWS CloudFormation. Note that system:masters is bound to the cluster-admin ClusterRole, so any principal that can assume these roles has full control of the cluster: treat the roles as privileged, and remove the mappings once you no longer deploy through the Quick Start. For more information, see Managing users or IAM roles for your cluster.
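The aws-auth edit in step 11, as an added example that is not part of the Quick Start templates. The script appends the two role ARNs from the stack outputs to the existing mapRoles block rather than replacing it, because a patch overwrites the whole mapRoles string and dropping the node instance role mapping would stop worker nodes from joining. The usernames quickstart-kubernetes and quickstart-helm are labels chosen here, and kubectl is assumed to be configured for the target cluster.

```shell
#!/usr/bin/env bash
# Added example, not part of the Quick Start: append the KubernetesRoleArn and
# HelmRoleArn stack outputs to the mapRoles block of the aws-auth ConfigMap.
# Assumptions: kubectl is configured for the target cluster; the usernames
# "quickstart-kubernetes" and "quickstart-helm" are labels chosen here.
set -eu

# One mapRoles entry. system:masters is bound to cluster-admin, so these
# roles are fully privileged credentials for the cluster.
map_roles_entry() {
  local role_arn="$1" username="$2"
  cat <<EOF
- rolearn: ${role_arn}
  username: ${username}
  groups:
    - system:masters
EOF
}

# True if the existing mapRoles text already maps this ARN, which keeps the
# edit idempotent when the step is re-run. Leading "- " and indentation are
# stripped so the whole line is compared as a fixed string.
has_role() {
  local existing="$1" role_arn="$2"
  printf '%s\n' "$existing" | sed 's/^[[:space:]-]*//' \
    | grep -Fxq -- "rolearn: ${role_arn}"
}

# Build a strategic-merge patch for the ConfigMap. The patch must carry the
# complete mapRoles string: patching replaces the key, it does not append.
render_aws_auth_patch() {
  local existing="$1" kube_arn="$2" helm_arn="$3"
  printf 'data:\n  mapRoles: |\n'
  {
    if [ -n "$existing" ]; then printf '%s\n' "$existing"; fi
    if ! has_role "$existing" "$kube_arn"; then
      map_roles_entry "$kube_arn" quickstart-kubernetes
    fi
    if ! has_role "$existing" "$helm_arn"; then
      map_roles_entry "$helm_arn" quickstart-helm
    fi
  } | sed 's/^/    /'
}

# Read the live ConfigMap, patch it, and print the result for review.
apply_aws_auth_patch() {
  local kube_arn="$1" helm_arn="$2" existing
  existing="$(kubectl get configmap aws-auth -n kube-system \
    -o jsonpath='{.data.mapRoles}')"
  render_aws_auth_patch "$existing" "$kube_arn" "$helm_arn" \
    > /tmp/aws-auth-patch.yaml
  kubectl patch configmap aws-auth -n kube-system \
    --patch-file /tmp/aws-auth-patch.yaml
  kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapRoles}'
}

# Usage: RUN_APPLY=1 ./aws-auth-map.sh <KubernetesRoleArn> <HelmRoleArn>
if [ "${RUN_APPLY:-0}" = "1" ]; then
  apply_aws_auth_patch "$1" "$2"
fi
```

Run the script with RUN_APPLY=1 and the two ARNs from the stack Outputs tab; without RUN_APPLY it only defines the functions, so you can source it and call render_aws_auth_patch to inspect the patch before touching the cluster.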

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.
  1. Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see the Deployment options section, earlier in this guide.

  • Deploy into a new VPC and new Amazon EKS cluster (View template)

  • Deploy into a new Amazon EKS cluster in an existing VPC (View template)

  • Deploy into an existing Amazon EKS cluster (View template)

New clusters take about 1.5 hours to deploy. Existing clusters take about 5–30 minutes to deploy.

If you deploy Calico into an existing VPC, ensure that any private subnets have NAT gateways in their route tables to allow the Quick Start to download packages and software. Also, ensure that the domain name in the DHCP options is configured. For more information, see DHCP options sets.
  1. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Calico is built; when deploying into an existing cluster, choose the Region where that cluster runs. The template launches in the us-east-1 Region by default.

  2. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  3. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. A reference is provided in the Parameter reference section. Provide values for the parameters that require input. For all other parameters, review the default settings, and customize them as necessary.

  4. On the Options page, specify the key-value pairs for resources in your stack, and set advanced options. When you’re done, choose Next.

  5. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  6. Choose Create stack to deploy the stack.

  7. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Calico deployment is ready.

  8. Use the values displayed in the Outputs tab for the stack, as shown in the following figure.

Figure 2. Calico outputs after successful deployment

Test the deployment

Once installed, run the following command to verify that the Tigera Operator reports a healthy Calico installation:

kubectl get tigerastatus

A successful installation has a status of Available with Degraded and Progressing marked as False:

NAME     AVAILABLE   PROGRESSING   DEGRADED   SINCE
calico   True        False         False      1m16s

If the status stays Progressing or becomes Degraded, inspect the pods in the tigera-operator and calico-system namespaces and the operator’s logs to find the component that is not starting.

Post-deployment steps

Calico is now ready to use. To get started, see Get started with Kubernetes network policy.
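A first network policy to apply to the cluster, as an added example that is not from the Quick Start or the Calico documentation. It uses plain Kubernetes NetworkPolicy objects, which Calico enforces on the pod addresses assigned by the Amazon VPC CNI: a namespace-wide default deny, a re-allow for DNS, and exactly one permitted flow. The namespace demo, the labels app=frontend and app=backend, and port 80 are chosen here for illustration, and kubectl is assumed to be configured for the cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the Quick Start or the Calico docs: default-deny
# posture plus one explicit allow, as Kubernetes NetworkPolicy objects that
# this Calico install enforces. Namespace "demo", labels app=frontend and
# app=backend, and port 80 are illustrative choices.
set -eu

# 1. Deny all ingress and egress for every pod in the namespace, then re-allow
#    egress to kube-dns (selected by its k8s-app label in any namespace),
#    since a blanket egress deny also breaks name resolution.
default_deny_manifest() {
  local ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
EOF
}

# 2. Open exactly one flow. Because egress is denied by default, the client
#    needs an egress rule and the server an ingress rule; omitting either
#    side leaves the connection blocked.
allow_frontend_to_backend_manifest() {
  local ns="$1" port="${2:-80}"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: ${ns}
spec:
  podSelector:
    matchLabels: {app: backend}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: frontend}
      ports:
        - {protocol: TCP, port: ${port}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-allow-to-backend
  namespace: ${ns}
spec:
  podSelector:
    matchLabels: {app: frontend}
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels: {app: backend}
      ports:
        - {protocol: TCP, port: ${port}}
EOF
}

# 3. Probe from inside a throwaway pod; prints OPEN or BLOCKED.
probe() {
  local ns="$1" name="$2" labels="$3" url="$4"
  kubectl run "$name" -n "$ns" --labels="$labels" --image=busybox:1.36 \
    --restart=Never --rm -i --quiet --command -- sh -c \
    "wget -qO- -T 5 '$url' >/dev/null 2>&1 && echo OPEN || echo BLOCKED"
}

# Apply the policies, start a backend, and check a labelled and an
# unlabelled client. If both print OPEN, policy is not being enforced.
apply_and_verify() {
  local ns="$1" ip
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  default_deny_manifest "$ns" | kubectl apply -f -
  allow_frontend_to_backend_manifest "$ns" | kubectl apply -f -
  kubectl run backend -n "$ns" --labels=app=backend --image=nginx:1.25 --restart=Never
  kubectl wait -n "$ns" --for=condition=Ready pod/backend --timeout=120s
  ip="$(kubectl get pod backend -n "$ns" -o jsonpath='{.status.podIP}')"
  echo "frontend -> backend:  $(probe "$ns" probe-allowed app=frontend "http://$ip/")"  # should be OPEN
  echo "other pod -> backend: $(probe "$ns" probe-denied app=other "http://$ip/")"     # should be BLOCKED
}

# Usage: RUN_APPLY=1 ./netpol-demo.sh demo
if [ "${RUN_APPLY:-0}" = "1" ]; then
  apply_and_verify "${1:-demo}"
fi
```

The second probe is the check that matters: a cluster where kubectl get tigerastatus reports Available but the policy is not being applied to the VPC CNI interfaces would print OPEN for both clients. Calico’s own projectcalico.org/v3 NetworkPolicy and GlobalNetworkPolicy resources can be layered on top of these once the basic deny-by-default posture is in place.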

To enable additional features, see Calico Enterprise Features on the Tigera website. Features that can be enabled include the following:

  • Hierarchical network policy

  • FQDN/DNS-based network policy

  • Rich graphical user interface

  • RBAC controls with audit trail and continuous compliance

For a complete list of enterprise features for Calico, see the Calico Enterprise documentation.

Other useful information for Calico

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to Disabled. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and any instances it created remain running so you can troubleshoot the issue.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for the stack. Be sure to delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. We recommend that you launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer, or from a location other than an S3 bucket, you might encounter template size limitations. For more information, see AWS CloudFormation quotas.

Q. Does this Quick Start install Calico networking for Kubernetes pods as well as network policy?

A. This Quick Start installs Calico for policy only; pod networking continues to be provided by the Amazon VPC CNI plugin. Pods keep receiving IP addresses from your VPC subnets, and Calico enforces policy on those pods without replacing the VPC CNI.

Parameter reference

Deploy into a new VPC and new Amazon EKS cluster

The parameters for this entry point are documented in Amazon EKS on the AWS Cloud.

Deploy into a new Amazon EKS cluster in an existing VPC

The parameters for this entry point are documented in Amazon EKS on the AWS Cloud.

Deploy into an existing Amazon EKS cluster

Table 1. Configure Calico install

Parameter label (name) | Default value | Description
EKS cluster name (KubeClusterName) | Requires input | Name of the EKS cluster in which to deploy Calico.

Table 2. AWS Quick Start configuration

Parameter label (name) | Default value | Description
Quick Start S3 bucket name (QSS3BucketName) | aws-quickstart | S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
Quick Start S3 key prefix (QSS3KeyPrefix) | quickstart-eks-tigera-calico/ | S3 key prefix for the Quick Start assets. The key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), dots (.), and forward slashes (/).
Quick Start S3 bucket region (QSS3BucketRegion) | us-east-1 | The Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. If you want to submit code, review the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

See the GitHub repository to download the templates and scripts for this Quick Start, post comments, and share customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.