Creating a Template

Before launching a cluster, you must configure a cluster template to match your environment settings. For most deployments, you need to modify only two sections: Provider and DNS configuration. Your cluster is configured to maximize performance, but if you need to transfer at higher speeds or transfer hundreds of thousands of files, see additional configuration suggestions in Performance Tuning.
  1. In the ATC Manager console, click Templates.
  2. In the row for the default template, EC2 Default, click the Action drop-down menu and click Duplicate.
  3. Edit the Provider section.
    | Setting | Description |
    |---|---|
    | IAM Role | The name of the role you set for the transfer nodes. |
    | AMI Identifier | The unique identifier of the transfer node AMI. |
    | Instance Type | Your AMI's instance type. Aspera recommends instance types with at least 7.5 GB memory and adequate network performance. |
    | Region | The region where the cluster will be deployed. This must be the same region as the S3 buckets that the cluster accesses. |
    | Subnet IDs | The ID of your VPC subnet. Cluster nodes are distributed across the different subnets in a round-robin fashion. |
    | Security Groups | The security group created for use by the transfer nodes. |
    | Availability Zone | (Optional) Specify the specific zone or zones for launching a cluster. If not set, the cluster manager distributes the nodes across the availability zones in your chosen region. |
    | Elastic IP Addresses (eip_pool) | The Elastic IP (EIP) addresses assigned to your cluster. EIP addresses are only needed if transfer clients require IP address whitelisting. |
    | Tags | An array of key-value pairs that are used to tag cluster node instances. You can define multiple tags. They are assigned to every new cluster node that is launched. ATCM automatically adds a tag "cc" with the DNS name of the ATC Manager instance as the value. |
    | Volume Size | The size (GB) of the root partition of the transfer nodes. The default is 20 GB. |
    | Swap Volume | Defines the volume size and volume type of the swap volume. For more information on available volume types, see the Amazon EBS Volume Types article on the AWS website: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html |

    {
        "type": "AWS_EC2",
        "aws_credentials": {
            "iam_role_name": "node_iam_role"
        },
        "ami_identifier": "ami-identifier",
        "instance_type": "type.size",
        "subnet_ids": [
            "subnet-identifier",
            "subnet-identifier"
        ],
        "availability_zones": [
            "available_zone1",
            "available_zone2"
        ],
        "security_groups": [
            "security_group"
        ],
        "key_name": "key_name",
        "eip_pool": "eip_address1, eip_address2",
        "region": "region",
        "tags": {
            "Department": "department",
            "Project_ID": "ID"
        },
        "volume_size": "disk_size",
        "swap_volume": {
            "size": volume_size,
            "type": "volume_type"
        }
    }
    For example:
    {
        "type": "AWS_EC2",
        "aws_credentials": {
            "iam_role_name": "atc-node"
        },
        "ami_identifier": "ami-fb25e890",
        "instance_type": "m4.xlarge",
        "subnet_ids": [
            "subnet-03beee3b",
            "subnet-9ce3e2ef"
        ],
        "availability_zones": [
            "us-west-2a",
            "us-west-2b"
        ],
        "security_groups": [
            "sg-417d2630"
        ],
        "key_name": "aws_dev_ops",
        "eip_pool": "36.6.72.102, 54.3.66.210",
        "region": "us-west-2",
        "tags": {
            "Department": "dev_ops",
            "Project_ID": "AXF-1234"
        },
        "volume_size": "20",
        "swap_volume": {
            "size": 8,
            "type": "gp2"
        }
    }
    Instead of authenticating with an IAM role, you can choose to authenticate with your Amazon Access and Secret Access Keys. You can create and obtain your Access Key ID and Secret Access Key ID by following the steps on the Amazon website: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html. In the aws_credentials object, replace the iam_role_name element with the access_key_id and secret_access_key elements:
    {
        ...
        "aws_credentials": {
            "access_key_id": "access_key",
            "secret_access_key": "secret_key"
        },
        ...
    }
    For example:
    {
        ...
        "aws_credentials": {
            "access_key_id": "AKIAIOSFODNN7EXAMPLE",
            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
        },
        ...
    }
    Alternatively, you can authenticate with your Amazon Access and Secret Access Keys.
    Note: If the ATC Manager is running outside of AWS, but you want to launch nodes in AWS with an IAM role, you have to specify both an Access Key and an IAM Role in the cluster template. The ATC Manager uses the Access Key, but instructs the nodes to run in AWS with the given role.
    {
        ...
        "aws_credentials": {
            "access_key_id": "access_key",
            "secret_access_key": "secret_key",
            "iam_role_name": "node_iam_role"
        },
        ...
    }
    For example:
    {
        ...
        "aws_credentials": {
            "access_key_id": "AKIAIOSFODNN7EXAMPLE",
            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "iam_role_name": "atc-node"
        },
        ...
    }
  4. Edit the DNS Configuration.
    The first entry in the DNS configuration is the service type: Route 53 ("AWS_Route53"). If you are using a different DNS service than the one in your template, open the default template for the corresponding service provider and copy the DNS Configuration template over.

    The DNS configuration requires the following settings:

    | Setting | Description |
    |---|---|
    | Hosted Zone | The hosted zone name. The name must include the final dot (for example, dev_ops.company.com.). |
    | Hosted Zone ID | The hosted zone ID is optional and is only needed if you have multiple hosted zones with the same name (for example, the same zone for both private and public networks). |
    | TTL | The time-to-live in seconds for DNS responses. |
    | Storage Credentials | Enter the access credentials for your storage as described in the following sections. |

    Configuration with IAM Roles

    Cluster nodes connect to Route 53 using the permissions with which the node is running. If the node is running with an IAM role (in other words, the "iam_role_name" option is used in the Provider section), then that role needs the necessary permissions to access Route 53. The ATC Manager must be using an IAM role with the same Route 53 policy as the node (see Creating IAM Roles).
    {
        "type": "AWS_ROUTE53",
        "hosted_zone": "hosted_zone.",
        "hosted_zone_id": "hosted_zone_id",
        "ttl": 1
    }
    Important: The hosted zone name must include the final dot.

    For example:

    {
        "type": "AWS_ROUTE53",
        "hosted_zone": "dev_ops.company.com.",
        "hosted_zone_id": "Z1ZXQD414LGXRA",
        "ttl": 1
    }

    Using an Assume Role for Authentication

    If your atc-manager and atc-node IAM roles do not include the atc-route53-policy, you can create a separate atc-route53 IAM role (see Creating the Route 53 IAM Role) and have the manager and the nodes assume that role's permissions. To configure this, add an "aws_credentials" object with an "assume_role_arn" element as follows:
    {
        "type": "AWS_ROUTE53",
        "aws_credentials": {
            "assume_role_arn" : "arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/atc-route53"
        },
        "hosted_zone": "hosted_zone.",
        "hosted_zone_id": "hosted_zone_id",
        "ttl": 1
    }

    For example:

    {
        "type": "AWS_ROUTE53",
        "aws_credentials": {
            "assume_role_arn" : "arn:aws:iam::123456789012:role/atc-route53"
        },
        "hosted_zone": "dev_ops.company.com.",
        "hosted_zone_id": "Z1ZXQD414LGXRA",
        "ttl": 1
    }

    Using AWS Access Keys for Route 53 Authentication

    If your atc-manager and atc-node IAM roles do not include the atc-route53-policy, you can authenticate to Route 53 with access keys. The access key must be associated with an AWS user that has permission to update Route 53. You need both your Access Key ID and your Secret Access Key ID. You can create and obtain them by following the steps on the Amazon website: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html.
    {
        "type": "AWS_ROUTE53",
        "aws_credentials": {
            "access_key_id": "access_key",
            "secret_access_key": "secret_key"
        },
        "hosted_zone": "hosted_zone.",
        "hosted_zone_id": "hosted_zone_id",
        "ttl": 1
    }

    For example:

    {
        "type": "AWS_ROUTE53",
        "aws_credentials": {
            "access_key_id": "AKIAIOSFODNN7EXAMPLE",
            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
        },
        "hosted_zone": "dev_ops.company.com.",
        "hosted_zone_id": "Z1ZXQD414LGXRA",
        "ttl": 1
    }
  5. To customize your cluster nodes, enter a shell script into the Firstboot Script field.
    You can customize your transfer nodes by specifying a first-boot script when launching the cluster. This script is run before all other first-boot scripts. For more information on using first-boot scripts, see Customizing Cluster Nodes Using First-boot Scripts.
  6. Click Save Changes.
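
The following pre-save check is an added example, not part of the Aspera product or its documentation. It parses the Provider and DNS sections and reports the problems this procedure describes: JSON that does not parse, availability zones outside the chosen region, a hosted zone without the final dot, and long-lived access keys stored in the template. The function name lint_template and the sample values are hypothetical; the zone check assumes standard zone names (region name plus one letter).

```python
import json
import re

def lint_template(provider_json, dns_json):
    """Return findings for the Provider and DNS sections (hypothetical helper)."""
    try:
        provider, dns = json.loads(provider_json), json.loads(dns_json)
    except json.JSONDecodeError as exc:
        # A missing comma between elements is reported with its position.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    region = provider.get("region", "")
    for zone in provider.get("availability_zones", []):
        # Assumption: standard zone names, i.e. the region name plus one letter.
        if not re.fullmatch(re.escape(region) + "[a-z]", zone):
            findings.append(f"availability zone {zone} is not in region {region}")
    if not dns.get("hosted_zone", "").endswith("."):
        findings.append("hosted_zone must include the final dot")
    for section, cfg in (("provider", provider), ("dns", dns)):
        creds = cfg.get("aws_credentials", {})
        has_id, has_secret = "access_key_id" in creds, "secret_access_key" in creds
        if has_id != has_secret:
            findings.append(f"{section}: access_key_id and secret_access_key must be set together")
        if has_id or has_secret:
            # Flag long-lived keys so they can be reviewed against the role-based options.
            findings.append(f"{section}: static access key stored in template")
    return findings

# Constructed sample input: placeholder values, not from a real account.
SAMPLE_PROVIDER = """{
    "type": "AWS_EC2",
    "aws_credentials": {"iam_role_name": "atc-node"},
    "region": "us-west-2",
    "availability_zones": ["us-west-2a", "us-east-1"]
}"""
SAMPLE_DNS = """{
    "type": "AWS_ROUTE53",
    "aws_credentials": {
        "access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    },
    "hosted_zone": "dev_ops.company.com",
    "ttl": 1
}"""

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_PROVIDER, SAMPLE_DNS):
        print(finding)
```

A static-key finding is expected when the ATC Manager runs outside AWS, because that setup requires an Access Key alongside the IAM role.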