GEOG 865
Cloud and Server GIS

Introduction to ArcGIS Server Cloud Builder


In the previous lesson, you used the AWS Management Console to set up an EC2 instance. When you build an ArcGIS Server site on Amazon EC2, you typically use a different application, called ArcGIS Server Cloud Builder. This is a simple wizard-driven desktop application that Esri created specifically for creating ArcGIS Server sites on Amazon EC2. Cloud Builder abstracts or hides some of the advanced options that you see in the AWS Management Console. Cloud Builder also does a lot of work behind the scenes to "wire" your GIS servers together, license your software, and create your site.

It's possible to build simple one-machine ArcGIS Server sites with the AWS Management Console. You can even put several of these "siloed" sites under a load balancer to get more computing power. However, to get the full benefit of the ArcGIS Server architecture, in which multiple GIS servers process and balance loads in a peer-to-peer fashion, you must use Cloud Builder.

Getting and installing Cloud Builder

Cloud Builder is available as a free download on the Esri Customer Care website for anyone who has purchased ArcGIS Server. Since you cannot access the Customer Care site, your instructor has hosted the Cloud Builder download via a link available on the Student Downloads page, which is located in the Course Resources section of the Course Introduction module in Canvas. 

Copy the installer .exe to your own computer and step through the installer wizard. You can take the default settings. Adobe AIR is required to run Cloud Builder, and AIR will be installed for you if you don't have it. If the Cloud Builder installer fails to launch, install the latest version of Adobe AIR yourself and try again.

Getting access to the ArcGIS Server AMIs

Cloud Builder uses some Esri-created Amazon Machine Images (AMIs) behind the scenes to create your ArcGIS Server site. These AMIs have ArcGIS Server, ArcGIS Desktop, and, in some cases, a database installed on them.

The AMIs require that you "bring your own license" and apply it to any Esri software that you run on the EC2 instances. In other words, Esri pricing is not built into the hourly fees for the instance, like it is with Windows. The Esri AMIs are accessible by anyone in the AWS Marketplace, but you must log in with your Amazon account and accept the terms and conditions for using them.

  1. Go to the AWS Marketplace page for the Esri ArcGIS Enterprise 10.5.1 with SQL Server Express AMI.
  2. If necessary, click the Continue button and log in with your Amazon account.
  3. Click Accept Software Terms & Launch with 1-Click.

This doesn't actually launch anything right now, but if you don't perform this step and accept the terms, Cloud Builder will fail when you try to create a site. In fact, if you ever experience Cloud Builder failures in the future, you should check to make sure you have accepted the software terms for the exact AMIs that you are trying to use.

Getting access keys for your Amazon account

In order for a third-party application like Cloud Builder to access your Amazon Web Services account, it needs to have two pieces of information known as an access key and secret access key. As the owner of the AWS account, you can create these keys (with varying privilege levels) and distribute them to whichever application needs them.

You manage your keys through an AWS service called Identity and Access Management (IAM), and you work with IAM through the AWS Management Console.

Let's create a key that you can use with Cloud Builder. This particular key requires Administrator access to your account because Cloud Builder has the potential to create a lot of resources and do things of a sensitive nature.

  1. Log in to the AWS Management Console if you are not logged in already.
  2. Click Services > IAM.
  3. Click Groups > Create a New Group.
  4. Specify a group name, such as 'Students', and click Next Step until you get all the way through the wizard. Don't change any other settings; just click Create Group. You'll probably have just one member in this group, but that's okay.

    Now you will give this group all the permissions that Cloud Builder needs in order to make ArcGIS Server sites on Amazon EC2. This gets a little technical, so follow the instructions carefully.
  5. From your list of displayed groups, click your newly-made Students group (the name of the group, not the checkbox).
  6. Click the Permissions tab.
  7. Click Inline Policies, then click the link to create one.
  8. Click Custom Policy and then click the Select button.
  9. Name your policy something like StudentCloudBuilderPermissions (spaces are not allowed).
  10. In the Policy Document input box, paste the policy code from this Esri document (Build an ArcGIS Server site on Amazon EC2). The code contains all the permissions that Cloud Builder needs. The code at the time of this writing is shown below:
     
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:GetUser",
                    "iam:ListServerCertificates",
                    "iam:UploadServerCertificate"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::arcgis101-sites-*",
                    "arn:aws:s3:::arcgis101sp1-sites-*",
                    "arn:aws:s3:::arcgis101sp2-sites-*",
                    "arn:aws:s3:::arcgis102-sites-*",
                    "arn:aws:s3:::arcgis1021-sites-*",
                    "arn:aws:s3:::arcgis1031-sites-*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachInternetGateway",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateImage",
                    "ec2:CreateInternetGateway",
                    "ec2:CreateKeyPair",
                    "ec2:CreateRoute",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateSubnet",
                    "ec2:CreateTags",
                    "ec2:CreateVpc",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DeleteSnapshot",
                    "ec2:DeregisterImage",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeRegions",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVpcs",
                    "ec2:ModifyImageAttribute",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:RunInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "elasticloadbalancing:ConfigureHealthCheck",
                    "elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:CreateLoadBalancerListeners",
                    "elasticloadbalancing:DeleteLoadBalancer",
                    "elasticloadbalancing:DeleteLoadBalancerListeners",
                    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                    "elasticloadbalancing:DescribeInstanceHealth",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cloudwatch:PutMetricAlarm",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DeleteAlarms"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "autoscaling:CreateAutoScalingGroup",
                    "autoscaling:CreateLaunchConfiguration",
                    "autoscaling:DeleteAutoScalingGroup",
                    "autoscaling:DeleteLaunchConfiguration",
                    "autoscaling:DeletePolicy",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeLaunchConfigurations",
                    "autoscaling:DescribePolicies",
                    "autoscaling:DescribeScalingActivities",
                    "autoscaling:PutScalingPolicy",
                    "autoscaling:UpdateAutoScalingGroup"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:AddTagsToResource",
                    "rds:AuthorizeDBSecurityGroupIngress",
                    "rds:CreateDBInstance",
                    "rds:CreateDBSecurityGroup",
                    "rds:CreateDBSnapshot",
                    "rds:CreateDBSubnetGroup",
                    "rds:CreateOptionGroup",
                    "rds:DeleteDBInstance",
                    "rds:DeleteDBSecurityGroup",
                    "rds:DeleteDBSnapshot",
                    "rds:DeleteOptionGroup",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBSnapshots",
                    "rds:DescribeDBSecurityGroups",
                    "rds:DescribeOptionGroups",
                    "rds:DescribeDBSubnetGroups",
                    "rds:ModifyDBInstance",
                    "rds:ModifyOptionGroup",
                    "rds:RestoreDBInstanceFromDBSnapshot"
                ],
                "Resource": "*"
            }
        ]
    }
  11. Click Validate Policy and if you don't get an error, go ahead and click Apply Policy.
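
One way to review what a policy like this grants before attaching it, as an added example (not code from Esri or the course): the Python sketch below flags wildcard actions and non-read-only actions that are allowed on every resource. The embedded policy is an abbreviated excerpt of the one above, and the function names and the read-only prefix list are assumptions made for this example.

```python
import json

# Abbreviated excerpt of the Cloud Builder policy shown above (constructed
# sample: two actions kept per statement so the block stays short).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:GetUser", "iam:UploadServerCertificate"]},
    {"Effect": "Allow", "Resource": ["arn:aws:s3:::arcgis1031-sites-*"],
     "Action": "s3:*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["rds:DescribeDBInstances", "rds:DeleteDBInstance"]}
  ]
}
""")

# Assumption for this example: verbs with these prefixes only read state.
READ_ONLY = ("Describe", "Get", "List")


def as_list(value):
    """IAM allows Statement, Action and Resource to be one item or a list."""
    return list(value) if isinstance(value, list) else [value]


def audit(policy):
    """Return (statement index, finding) pairs for broad Allow grants."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in action:
                findings.append((i, f"wildcard action {action} on {', '.join(resources)}"))
            elif "*" in resources and not verb.startswith(READ_ONLY):
                findings.append((i, f"write action {action} on every resource"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(POLICY):
        print(f"Statement {index}: {finding}")
```

Running the same function over the full policy document lists every create, delete, modify and terminate permission that the access key will carry, which is the set to keep in mind when deciding where the key is stored.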

Now that you've got a group set up with the appropriate permissions, follow the steps below to add a user into your new group.

  1. Continuing from where you left off in the IAM Management Console, click the Users link and then click the Add User button. You'll see an input box where you can type a user name.
  2. Type a user name, such as your own name, check Programmatic Access, and click Next: Permissions.
  3. In the list of groups that appears, click the check box next to "Students" (or whatever you called your group above), and then click Next: Review.
  4. Click Create User.
  5. Click Download .csv and save the CSV file to a safe place on disk. This contains your Access Key and Secret Access Key that you will use with Cloud Builder. Do not lose this file. Once you download your credentials, there's no way to get them back without creating a new user. This is for security purposes.
  6. Click Close.
     

In summary, you made an AWS user group, applied a security policy, created a user, placed the user in your new group, and downloaded the user credentials. Now, whenever you supply the user credentials to a third party application (such as Cloud Builder), that application will have access to your AWS account, allowing the application to do such things as creating and terminating instances, etc.

Logging in to Cloud Builder

Cloud Builder creates EC2 instances, Amazon Elastic Load Balancers, and other resources that are charged to your Amazon account. Before you can start using Cloud Builder, you must sign in using your Amazon Access Key and Secret Access Key that you retrieved in the previous section.

There are a couple of reasons that Cloud Builder requires you to sign in. First of all, as described above, you can't create any resource on Amazon EC2 without providing the information about an account that will be charged for the resources. Cloud Builder uses these credentials behind the scenes for every action that it performs. Also, in a large organization, the sign-in screen allows the management of multiple accounts with the same Cloud Builder install. You just sign out and sign in to work with the different accounts.

Follow these steps to get your access credentials and log in to Cloud Builder:

  1. Launch ArcGIS Server Cloud Builder.
  2. Provide values for the Access key ID and Secret access key input boxes using the credentials you saved in the previous section. If you're the only one using this computer, you can also click Remember keys so that you don't have to sign in each time you use Cloud Builder.
  3. Click Sign In.

You're now logged in to Cloud Builder and you can start creating an ArcGIS Server site. This process is described in the next section of the lesson.