Another EUC Blog

Expand search form
Menu

Deployment of VMware Unified Access Gateway (UAG) on AWS as EC2 instance

Horizon View, VMware by Hari Patel Leave a Comment on Deployment of VMware Unified Access Gateway (UAG) on AWS as EC2 instance

Deployment of VMware Unified Access Gateway (UAG) on AWS as EC2 instance

In this post, I’ll provide guidance on how to Deploy VMware Unified Access Gateway in AWS Amazon Native VPC as EC2 instance. 

Before we proceed, currently UAG FIPS is only supported on the vSphere environment to all other deployment such as AWS and Azure needs to have non-FIPS deployment.

Create your AMIs for Unified Access Gateway:

1. Make sure you have downloaded the OVA of Unified Access Gateway version 3.5.x from myvmware.com download page.

2. Extract the ova file to your local machine with 7zip or any software you have. In my case, I am extracting OVA under “C:UAG” folder of my local machine.

3. Login to your Amazon AWS account from web browser > Create an Access Key and obtain the Access Key ID and Secret Access Key.

4. Run Windows PowerShell on your local machine with Administrator privilege.

5. Execute below command to install AWS PowerShell module on your machine.

Install-Module -Name AWSPowerShell -Force
Install-Package 7Zip4PowerShell

6. Set your AWS Credential in the default profile.

Set-AWSCredential -AccessKey AKIAI6428NKYOAME  -SecretKey bvfhkvvfhsbvhsdbhfbvfhfhvfhdskvbhfvbfhAME -StoreAs default

7. Set your default AWS region (optional)

Set-DefaultAWSRegion -Region ap-northeast-1

8. Verify your default AWS region (optional)

Get-DefaultAWSRegion

9. Create a bucket in Amazon S3 to store UAG .vmdk image if one doesn’t already exist.

$bucket="vmw-uag"
New-S3Bucket -BucketName $bucket -Region ap-northeast-1

10. Create an IAM role in Amazon AWS called “vmimport” and apply a policy to the role.

$importPolicyDocument = @"
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"",
"Effect":"Allow",
"Principal":{
"Service":"vmie.amazonaws.com"
},
"Action":"sts:AssumeRole",
"Condition":{
"StringEquals":{
"sts:ExternalId":"vmimport"
}
}
}
]
}
"@
New-IAMRole -RoleName vmimport -AssumeRolePolicyDocument $importPolicyDocument
$bucket="vmw-uag"
$rolePolicyDocument = @"
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::$bucket",
"arn:aws:s3:::$bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*"
],
"Resource": "*"
}
]
}
"@

Write-IAMRolePolicy -RoleName vmimport -PolicyName vmimport -PolicyDocument $rolePolicyDocument

11. Upload *.vmdk image into the S3 bucket.

$vmdkImage="euc-unified-access-gateway-x.y.0.0-12345678-system.vmdk"
$bucket="vmw-uag"
$region="ap-northeast-1"
$params = @{
"BucketName"=$bucket
"File"="C:uag"+$vmdkImage
"key"="/"+$vmdkImage
"Region"=$region
}
Write-S3Object @params

12. Import EC2 Snapshot.

$params = @{
"DiskContainer_Format"="VMDK"
"DiskContainer_S3Bucket"=$bucket
"DiskContainer_S3Key"=$vmdkImage
"Region"=$region
}
$impId=Import-EC2Snapshot @params

13. You can check the upload progress with below command.

(Get-EC2ImportSnapshotTask -ImportTaskId $impId.ImportTaskId).SnapshotTaskDetail

Note: It may take sometime to create the snapshot. Confirm the status is showing as completed.

14. You can confirm snapshotID with below command.

(Get-EC2ImportSnapshotTask -ImportTaskId $impId.ImportTaskId).SnapshotTaskDetail.SnapshotId

15. Register the UAG image as an Amazon Machine Image (AMI)

$bdm=New-Object Amazon.EC2.Model.BlockDeviceMapping
$bd=New-Object Amazon.EC2.Model.EbsBlockDevice
$bd.SnapshotId=(Get-EC2ImportSnapshotTask -ImportTaskId $impId.ImportTaskId).SnapshotTaskDetail.SnapshotId
$bd.DeleteOnTermination=$true
$bdm.DeviceName="/dev/sda1"
$bdm.Ebs=$bd
$params = @{
"BlockDeviceMapping"=$bdm
"RootDeviceName"="/dev/sda1"
"Name"=$vmdkImage
"Architecture"="x86_64"
"VirtualizationType"="hvm"
"EnaSupport"=$true
}
Register-EC2Image @params

Note: If AMI import succeeded, you will see the AMI number as highlighted in red below.

16. Go to your AWS console > AMIs and confirm your AMI exists in list.

17. Go to your AWS console > EC2 Service > Lunch Instance > My AMIs. You should see your AMI is available for EC2 deployment.

Deploy UAG from your AMI:

Download the uagdeploy PowerShell script zip file from myvmware.com download page and extract it. Zip file consists the scrip for vmware and azure deployment as well. You will see the files like below. You will need “uag11-ec2.ini”, “uagpeploy.psm1” and “uagdeployec2.ps1”.

18. Open uag11-ec2.ini file in text editor and modify it matching the UAG parameters with your AWS environment and your requirement. Below is ini file (uag1.ini) I am using to deploy UAG with 2 nics in my AWS environment.

19. Once you get ready with your .ini file, run Windows PowerShell on your local machine with Administrator privilege and set your AWS Credential in default profile if you have not done yet.

Set-AWSCredential -AccessKey AKIAI6428NKYOAME  -SecretKey bvfhkvvfhsbvhsdbhfbvfhfhvfhdskvbhfvbfhAME -StoreAs default

20. Execute below PowerShell scrip.

21. Login to AWS console and confirm “uag01-az1” is deployed successfully and  Instance Status is showing as “running”.

22. Login to UAG admin console on web-browser with https://uag-ip or dnsname:9443/admin and proceed the configuration according to your requirement.

Hari Patel

Hari Patel

You might be interested in …

Install and configure VMware PowerCLI version 10

Home, VMware

VMware PowerCLI is a collection of Windows Powershell modules that are used to manage and maintain a VMware virtual environment. VMware PowerCLI contains modules of cmdlets based on Microsoft PowerShell for automating vSphere, VMware Site Recovery Manager,vSphere Automation SDK, vCloud Director, vCloud Air, vSphere Update Manager, vRealize Operations Manager, VMware Horizon, NSX-T, and VMware Cloud on AWS administration. VMware PowerCLI provides a PowerShell interface to the VMware product […]

Read More

Duplicate “ViewClient_Client_ID” and Multi Session issues on Horizon View

Horizon View, VMware

Multi-Session Issue on VMware Horizon View Due to Duplicate “ViewClient_Client_ID”   Problem:              When we enable the “Allow multiple sessions per user” settings in VDI Pool, a user that connect from different client devices receive different desktop sessions. To reconnect to an existing desktop session, user must use the same […]

Read More

Workspace ONE Access Multisite Tasks – One Pager

vIDM, VMware, Workspace ONE Access

For the past few weeks, I have been working with my project team and my customer to help them stand up VMware Access on a secondary site. With the help of Haseeb Waseem, I have created a single spreadsheet which includes all the major steps needed to create a secondary site. Hope this is helpful […]

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Close Menu