Deploy and Manage Business Process Automation Applications on Amazon EKS: a Practical Guide

Available Languages

Download Options

PDF (2.5 MB)
View with Adobe Reader on a variety of devices
ePub (2.5 MB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (1.9 MB)
View on Kindle device or Kindle app on multiple devices

Updated:October 10, 2024

Document ID:222462

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Abstract

This paper presents a comprehensive guide on deploying and managing Business Process Automation (BPA) applications using Amazon Elastic Kubernetes Service (EKS). It outlines the prerequisites, highlights the benefits of utilizing EKS, and provides step-by-step instructions for setting up an EKS cluster, Amazon RDS database, and MongoDB Atlas. Additionally, the paper delves into the deployment architecture and specifies the environment requirements, offering a thorough resource for organizations aiming to leverage EKS for their containerized BPA applications.

Keywords

Amazon EKS, Kubernetes, AWS, RDS, MongoDB Atlas, DevOps, Cloud Computing, Business Process Automation.

Introduction

BPA

In today's digital era, enterprises seek to streamline and automate complex business processes across a diverse range of IT environments. Business Process Automation (BPA) has emerged as a pivotal technology, enabling organizations to enhance operational efficiency, reduce errors, and improve service delivery. BPA introduces several key innovations and enhancements aimed at advancing workflow automation, service provisioning, and off-the-shelf automation applications.

The BPA platform hosts business and IT/operational use cases and applications, such as OS upgrades, service provisioning, and integration to orchestration engines. Customers have access to a lifecycle of services and BPA capabilities including advisory, implementation, business critical services, and solution support delivered through Cisco experts, best practices, and proven techniques and methodologies that help automate their business processes and de-risk their systems.

These lifecycle capabilities can be subscription-based or customized to individual needs. Implementation services help define, integrate, and deploy tools and processes to accelerate automation. Cisco experts conduct a formal process for gathering requirements, designs and develops user stories based on agile processes and Continuous Integration and Continuous Delivery (CICD) tools, and implements flexible services with automated testing of new or existing workflows, devices, and services. With Solution Support, customers get access to 24/7, centralized support with a focus on software-centric issues coupled with multivendor and open-source support offered through Cisco’s tiered software model. Cisco solution support experts help manage your case from first call to final resolution and act as the main point of contact working with multiple vendors simultaneously. You could experience up to 44 percent fewer issues working with solution-level experts, helping you maintain business continuity and get faster return on your BPA investment.

Key technical features, such as support for FMC and Ansible-managed devices, parallel executions using the Advanced Queuing Framework (AQF), and expanded configuration compliance for NDFC and FMC devices, position BPA as a comprehensive solution for large-scale enterprise automation. With added capabilities in SD-WAN management, device onboarding, and firewall policy governance, the release addresses critical aspects of network security and automation, catering to the demands of large-scale, multi-vendor environments.

EKS

Amazon Elastic Kubernetes Service (EKS) is a fully managed Kubernetes service provided by Amazon Web Services (AWS). Launched in 2018, EKS simplifies the process of deploying, managing, and scaling containerized applications using Kubernetes, an open-source container orchestration platform. EKS abstracts the complexities of Kubernetes cluster management, allowing developers to focus on building and running applications without the need to handle the underlying infrastructure.

Benefits of Using Amazon EKS for Application Deployment

Amazon EKS offers several benefits for application deployment, making it a popular choice for organizations leveraging containerized applications and microservices.

Key advantages include:

Managed Kubernetes Control Plane: EKS handles the deployment, scaling, and maintenance of the Kubernetes control plane, reducing operational burden.
Simplified Cluster Management: EKS abstracts the complexities of setting up and managing Kubernetes clusters.
Scalability: EKS allows for easy scaling of clusters to accommodate growing workloads.
High Availability: EKS supports multi-Availability Zone deployments, enhancing availability and fault tolerance.
Integration with AWS Services: EKS integrates seamlessly with various AWS services.
DevOps Automation: EKS supports continuous integration and continuous deployment (CI/CD) for containerized applications.

BPA Deployment Architecture

BPA Deployment Architecture

This image represents a high-level architecture of a cloud-based infrastructure deployed on AWS , using several key components. Here's a breakdown of the diagram:

Amazon EKS (Elastic Kubernetes Service): At the core of the diagram, Amazon EKS is deployed across three availability zones (AZ1, AZ2, AZ3), with Kubernetes worker nodes inside each zone. This indicates a highly available and fault-tolerant setup, as the workloads are spread across multiple availability zones.
ALB (Application Load Balancer): This is positioned at the front, receiving traffic from users and distributing it across the EKS cluster for handling application workloads. The load balancer ensures that the requests are evenly distributed and can handle scaling based on traffic demand.
Amazon RDS (Relational Database Service) - PostgreSQL: On the right side of the diagram, an Amazon RDS instance running PostgreSQL is present. This database can be accessed by applications running within the EKS cluster.
ECR (Elastic Container Registry): This is where Docker container images are stored and managed, which are then deployed to Amazon EKS for running the workloads.
MongoDB Atlas: On the left side, MongoDB Atlas is integrated into the architecture through a private endpoint. MongoDB Atlas is a cloud-hosted NoSQL database service, used here to handle document-based database requirements. The private endpoint ensures secure, private communication between the MongoDB Atlas instance and other AWS components.
Bastion Host: Positioned within the VPC (Virtual Private Cloud), a Bastion Host provides a secure entry point for administrators to access resources inside the VPC without directly exposing them to the internet.

Overall, this architecture provides a highly available, scalable, and secure solution for deploying and managing containerized applications using Amazon EKS, with support for both relational (PostgreSQL) and NoSQL (MongoDB) databases.

EKS Cluster Setup
To create an Amazon EKS cluster using the AWS CLI, the eksctl command-line utility can be used. This is an example command:

eksctl create cluster \
  --name <my-eks-cluster> \
  --region us-west-2 \
  --nodegroup-name standard-workers \
  --node-type t3.medium \
  --nodes 4 \
  --nodes-min 4 \
  --nodes-max 6

RDS Database Setup

Deploying a relational database on Amazon RDS involves these steps:
- Access the AWS Management Console and navigate to the Amazon RDS service.
- Create a new database instance with the desired specifications.
- Configure the security group to allow incoming connections from your Amazon EKS cluster.
Using the drop-down menu, select the most recent version of PostgreSQL. In our case, it is “PostgreSQL 16.3-R1.”

For this give the database instance a name and create a username and password.

Ensure that the default settings for “DB instance size” and “Storage” are selected.

Depending on the cluster size and data requirements, select the appropriate DB instance size and storage type.

Based on our use case, we have chosen the following configuration:
- DB Instance Size: db.m5d.2xlarge
  - 8 vCPUs
  - 32 GiB RAM
  - Network: 4,750 Mbps
  - 300 GB Instance Store
Select appropriate values according to your use case. We have selected the default values.

Make sure in “Database authentication” we have selected Password authentication. Authenticates using database passwords.

Once that is verified, we are ready to create the database. Return to the Amazon RDS dashboard. Confirm that the instance is available for use.

Security Group Rules

Update the inbound security group with the pod CIDR and node CIDR block.

In RDS -> Databases -> DB-NAME, click configuration and refer the Parameter Group section and click the parameter group to view.

Search for “password_encryption” and change the value to md5 from blank / other value. This is needed for camunda configurations to work.

Create these Databases along with users by connecting to the RDS.
```
PG_ROOT_DATABASE=admin
PG_INITDB_ROOT_USERNAME=admin
PG_INITDB_ROOT_PASSWORD=Bp@Chang3d!
AUTH_DB_NAME=kong
AUTH_DB_USER=kong
AUTH_DB_PASSWORD=K@ngPwdCha*g3
WFE_DB_USER=camunda
WFE_DB_PASSWORD=W0rkFlo#ChangeNow
WFE_DB_NAME=process-engine
```
Password authentication

Authenticates using database passwords.
Atlas MongoDB Setup
Setting up Atlas MongoDB involves:
- Logging into Atlas MongoDB.
- Selecting the organization and project.
- Creating a dedicated cluster with the appropriate specifications.
- Select the Dedicated tier, Cloud Provider & Region.
- Select appropriate tier(we have used M30 as tier) dedicated cluster and provide appropriate cluster name and click on Create Cluster. It will initialize the Atlas monogodb cluster.
  - Setting up VPC private endpoint for the Atlas and K8S cluster.
    - Click on the Network Access Select Private Endpoint à Click on Add Private Endpoint.
    - Select Cloud Provider as AWS, select respective Region and click on Next.
    - Provide Respective PVC id and subnet ids. Once you enter the details, Copy the vpc end point creation command and execute it in aws console. You will get the vpc endpoint id as output.
    - Click on Next to paste the VPC endpoint ID and click on Create.
    - Once it is successfully created, Endpoint status will be Available as shown in the next picture. VPC end-point must be created for pod cidr. In our case we have used "100.64.0.0/16" .
    - Add inbound rules to newly created vpc-endpoint. The vpc-endpoint will be in the parent account and a security group must be assigned to the newly created vpc-endpoint.

ECR as image registry
Creating Amazon ECR repositories and pushing Docker images into them involves several steps. These are the steps to create an ECR repository, tag a Docker image, and push it to the repository using the AWS CLI.

aws ecr create-repository --repository-name your-image-name --region your-region

Replace:

your-image-namewith the desired name for your ECR repository.
your-regionwith your AWS region

Configure IAM Role for EKS Nodes

Ensure that the EKS worker nodes (EC2 instances) have the necessary IAM role attached with permissions to pull images from ECR. The IAM policy required is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "*"
    }
  ]
}

Attach this policy to the IAM role associated with your EKS worker nodes.

BPA Deployment
The deployment of BPA involves several steps, including labeling EKS worker nodes, preparing directories on nodes, copying BPA packages, and deploying BPA using Helm.

For our customer deployment, we have utilized the following versions of software and cloud services:

BPA: 4.0.3-6
RDS (Relational Database Service): 16.3-R2
MongoDB Atlas: v5.0.29
EKS (Elastic Kubernetes Service): v1.27

These components ensure that our deployment is robust, scalable, and capable of handling the required workloads efficiently.

Labeling EKS Worker Nodes

kubectl label node <worker_node_1> name=node-1
kubectl label node <worker_node_2> name=node-2
kubectl label node <worker_node_3> name=node-3
kubectl label node <worker_node_4> name=node-4

Preparing Directories on Nodes
Node 1:

rm -rf /opt/bpa/data/
mkdir -p /opt/bpa/data/zookeeper1
mkdir -p /opt/bpa/data/zookeeper4
mkdir -p /opt/bpa/data/zookeeper5
chmod 777 /opt/bpa/data/zookeeper1
chmod 777 /opt/bpa/data/zookeeper4
chmod 777 /opt/bpa/data/zookeeper5
mkdir -p /opt/bpa/data/kafka1
chmod 777 /opt/bpa/data/kafka1
sysctl -w vm.max_map_count=262144

Node 2:

rm -rf /opt/bpa/data
sysctl -w vm.max_map_count=262144
mkdir -p /opt/bpa/data/kafka2
mkdir -p /opt/bpa/data/zookeeper2
mkdir -p /opt/bpa/data/zookeeper4
mkdir -p /opt/bpa/data/zookeeper5
chmod 777 /opt/bpa/data/kafka2
chmod 777 /opt/bpa/data/zookeeper2
chmod 777 /opt/bpa/data/zookeeper4
chmod 777 /opt/bpa/data/zookeeper5

Node 3:

rm -rf /opt/bpa/data
sysctl -w vm.max_map_count=262144
mkdir -p /opt/bpa/data/kafka3
mkdir -p /opt/bpa/data/zookeeper3
mkdir -p /opt/bpa/data/zookeeper4
mkdir -p /opt/bpa/data/zookeeper5
chmod 777 /opt/bpa/data/kafka3
chmod 777 /opt/bpa/data/zookeeper3
chmod 777 /opt/bpa/data/zookeeper4
chmod 777 /opt/bpa/data/zookeeper5

Node 4:

mkdir -p /opt/bpa/data/elk
mkdir -p /opt/bpa/data/metrices/prometheus
mkdir -p /opt/bpa/data/metrices/grafana
chmod 777 /opt/bpa/data/metrices
chmod 777 /opt/bpa/data/metrices/prometheus
chmod 777 /opt/bpa/data/metrices/grafana
sysctl -w vm.max_map_count=262144

Copying BPA Packages

scp -r packages to node1:/opt/bpa/
scp -r packages to node2:/opt/bpa/
scp -r packages to node3:/opt/bpa/
scp -r packages to node4:/opt/bpa/

Deploying BPA Using Helm

helm install bpa-rel --create-namespace --namespace bpa-ns /opt/EKS/bpa-helm-chart

Ingress Setup

Enabling Ingress
Update values.yamlto enable ingress:
```
ingress_controller: {create: true}
```

Creating a Secret Using BPA Certificate
Navigate to the certificate directory and create a secret:

cd /opt/bpa/<BPA helm chart location>/bpa/conf/common/certs/
kubectl create secret tls bpa-certificate-ingress --cert=bap-cert.pem --key=bap-key.pem -n bpa-ns

Updating Ingress Controller
Add the newly created secret in the ingress-controller.yaml file:

cd /opt/bpa/<BPA helm chart location>/templates/
vi ingress-controller.yaml
"- --default-ssl-certificate=$(POD_NAMESPACE)/bpa-certificate-ingress"

Updating Ingress Certificate
Perform Helm delete and install to update the ingress certificate.

Environment Specifications
The environment specifications include requirements for EC2 instances, load balancers, VPC endpoints, and RDS instances. Key specifications are:

EC2 Requirements:

Storage requirements:2TB space per nodes. Mount EBS volume to /opt and add an entry in /etc/fstab for all the nodes.

Security group inbound: 30101, 443, 0 – 65535 TCP, 22 for ssh.

Security group outbound: All traffic must be enabled.

DNS Resolver: EC2 must have on-prem resolvers in /etc/resolve.conf.

Load balancer requirements:

Listeners ports must be 443, 30101.
VPC End point Requirements (Atlas MongoDB).
VPC end points created for Atlas connectivity is available in the parent account(aws-5g-ndc-prod). VPC Endpoint must have security group which allows all inbound access(0 - 65535).

RDS Requirements:

RDS Type: db.r5b.2xlarge

Postgres Engine version: 13.7

Security group: Inboud must allow traffic from the POD CIDR source.

Key Concepts and Components
Understanding Kubernetes fundamentals is essential for effectively deploying and managing applications using Amazon EKS.

Conclusion
This paper provides a detailed guide for deploying and managing Business Process Automation (BPA) applications using Amazon EKS. By following the outlined steps and understanding the key concepts, organizations can leverage the benefits of EKS for their containerized BPA applications.

References

Amazon Web Services, "Amazon EKS Documentation," [Online]. Available:https://docs.aws.amazon.com/eks/
Kubernetes, "Kubernetes Documentation," [Online]. Available:https://kubernetes.io/docs/home/
Cisco BPA at a Glance https://www.cisco.com/c/en/us/solutions/collateral/service-provider/at-a-glance-c45-742579.html
BPA Operations Guide https://www.cisco.com/c/dam/en/us/support/docs/bpa/v403/cisco-bpa-operations-guide-v403.pdf
BPA Developer Guide https://www.cisco.com/c/dam/en/us/support/docs/bpa/v403/cisco-bpa-developer-guide-v403.pdf

Revision History

Revision	Publish Date	Comments
1.0	10-Oct-2024	Initial Release

Contributed by Cisco Engineers

Harsha H K
Software Consulting Engineer
Niranjan Nagarajaswamy
Software Consulting Engineer

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)