How to configure PAM cluster in AWS (Amazon Web Services) private subnet without using Elastic IP (EIP)

Document ID : KB000098267
Last Modified Date : 13/07/2018
The documentation shows the generic case, in which a PAM cluster in AWS is configured by assigning Elastic IPs (EIPs), which carry public IPs. Although a Security Group or Network ACL in AWS can be configured to block access from the Internet, for tighter security we may want to deploy PAM within the AWS private network only, which means we do not want to assign EIPs. Can a PAM cluster in AWS be configured properly under this requirement? The PAM cluster appears to be up and running, but VIP assignment fails. What is the correct PAM cluster configuration in this case?

This article shows a step-by-step procedure for configuring a PAM cluster in this kind of AWS environment.
This article assumes the following:
    a. One Site with a two-node PAM cluster
    b. All PAM nodes have the same version and license
    c. All PAM nodes are in the same VPC, subnet and availability zone
    d. You have your AWS user account's Access Key ID and Secret Access Key at hand, i.e. the user account you used to create the PAM node instances
    e. All PAM nodes are accessible using their Private IP from your office network
PAM 2.8.x onward
We can utilize an AWS EC2 VPC Endpoint to address PAM cluster configuration in a private network.
Here are the steps.

1. Create a Security Group for the EC2 VPC Endpoint so that PAM servers in the private subnet are able to reach its HTTP or HTTPS ports. Log in to AWS and open the EC2 Console, select NETWORK & SECURITY > Security Groups and click [Create Security Group]. Create a Security Group similar to the following, allowing access from the subnet where the PAM servers reside.

Security group for EC2 Endpoint

2. Create the EC2 VPC Endpoint, assign it to the subnet where the PAM servers reside and attach the Security Group created above to the Endpoint. Select Services > VPC to go to the VPC Dashboard, then select Endpoints and click the [Create Endpoint] button. Select AWS services as the Service category and com.amazonaws.<region>.ec2 as the Service Name, select the appropriate VPC and the subnet where the PAM servers reside, leave the Enable Private DNS Name box selected, select the Security Group created above and click [Create endpoint].

EC2 Endpoint Setup 1
EC2 Endpoint Setup 2
EC2 Endpoint Setup 3

3. Now we need to create an AWS connection before we can set up the cluster. Access the 1st PAM node from your enterprise network using an Internet browser and log in as super user. Go to the Targets > Accounts page, click the [Add] button, click the magnifying glass icon beside the Application Name field and select AWS Access Credential Accounts as the application. Host Name and Device Name are filled in with default values. Select Access Key as the AWS Access Credential Type and key in your AWS account's Access Key ID and Secret Access Key along with an appropriate User Friendly Account Name (an arbitrary name that you can remember). You should use the same AWS account you used to create/configure the PAM instances. Click the [Save] button.

AWS Access Credential Account

Go to the Config > 3rd Party page. In the Add AWS Connection section, select the Access Key Alias, i.e. the User Friendly Account Name of the AWS account configured above, select the Active check box if you want to import AWS instances as devices into PAM, and select the AWS Region where the PAM nodes run. The new AWS Connection is shown in the AWS Configuration section; click the [Test] button and confirm the connection is successful.

AWS Connection

4. Now we are ready to configure the cluster. Go to the Config > Clustering page, enter a passphrase and click [Generate Key] to generate the Shared Key. Select the AWS connection created above from the AWS Provision drop-down. In the Virtual Management (VIP) section, key in an unused private IP from the subnet as the VIP. Add the Cluster Members so that the 1st PAM node's IP is on top. See below.

Cluster Configuration
Click [Save Config Locally].
Copy the Shared Key, access the 2nd PAM node, go to its Config > Clustering page, paste the Shared Key and click [Save Config Locally].
Now go back to the 1st PAM node's Config > Clustering page and click [Save To Cluster]. You should see the message "Successfully saved cluster configuration to all members".

5. The last step is to start the cluster by clicking [Turn Cluster ON]. Once the cluster is up, click [View Cluster Logs] and verify there are no errors. Try accessing PAM through the VIP and verify that the VIP works as expected.
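The following script is an added example and is not part of the KB article or CA PAM itself. It performs steps 1 and 2 with the AWS CLI (the Security Group restricted to the PAM subnet, and the interface endpoint for com.amazonaws.<region>.ec2 with private DNS enabled), and adds a check to run on a PAM node after step 5: because the nodes have no public address, the EC2 API calls made through the AWS connection of step 3 can only succeed if ec2.<region>.amazonaws.com now resolves to the endpoint's private address inside the subnet. The region, VPC id, subnet id and subnet CIDR are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not from the KB article): provision the endpoint Security Group and
# the EC2 interface endpoint, then verify private DNS from a PAM node.
# All four values below are placeholders; set them from the environment or edit them.
REGION="${REGION:-ap-northeast-1}"                   # placeholder region
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"            # placeholder VPC id
SUBNET_ID="${SUBNET_ID:-subnet-0123456789abcdef0}"   # placeholder: subnet of the PAM nodes
SUBNET_CIDR="${SUBNET_CIDR:-10.0.1.0/24}"            # placeholder: that subnet's CIDR

# Step 1: a Security Group that admits only the PAM subnet on HTTPS and HTTP.
create_endpoint_sg() {
  sg_id=$(aws ec2 create-security-group \
      --region "$REGION" --vpc-id "$VPC_ID" \
      --group-name pam-ec2-endpoint-sg \
      --description "EC2 VPC endpoint access for PAM cluster" \
      --query GroupId --output text)
  for port in 443 80; do
    aws ec2 authorize-security-group-ingress --region "$REGION" \
        --group-id "$sg_id" --protocol tcp --port "$port" --cidr "$SUBNET_CIDR" >/dev/null
  done
  echo "$sg_id"
}

# Step 2: interface endpoint for the EC2 API in the PAM subnet, private DNS enabled.
create_ec2_endpoint() {
  aws ec2 create-vpc-endpoint --region "$REGION" \
      --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
      --service-name "com.amazonaws.${REGION}.ec2" \
      --subnet-ids "$SUBNET_ID" --security-group-ids "$1" \
      --private-dns-enabled \
      --query VpcEndpoint.VpcEndpointId --output text
}

# Returns 0 when a dotted-quad IPv4 address lies in an RFC 1918 private range.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; fi ;;
  esac
  return 1
}

# Run on a PAM node: with Private DNS enabled on the endpoint, the regional EC2 API
# name must resolve to a private address. A public address here means the cluster's
# EC2 API calls (VIP assignment) would still try to leave the VPC and fail without an EIP.
check_private_dns() {
  host="ec2.${REGION}.amazonaws.com"
  addr=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  if [ -n "$addr" ] && is_rfc1918 "$addr"; then
    echo "OK: $host -> $addr (private; endpoint in use)"
  else
    echo "WARN: $host -> ${addr:-unresolved} (not private; endpoint or Private DNS not effective)" >&2
    return 1
  fi
}

case "${1:-}" in
  provision) sg=$(create_endpoint_sg); create_ec2_endpoint "$sg" ;;
  check)     check_private_dns ;;
  *)         echo "usage: $0 provision | check" ;;
esac
```

Run `provision` once from a workstation with AWS CLI credentials for the account used to create the PAM instances, then run `check` on each PAM node; the check is the quickest way to tell a missing or misconfigured endpoint apart from a PAM-side cluster problem when the VIP does not come up.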

Additional Information:
AWS VPC Endpoints
How to configure PAM cluster in AWS (Amazon Web Services)
There is a known issue with cluster VIP assignment failure in AWS. If you encounter this problem, please refer to KB000106229.