Learning Forum

[Ashwini Kumar]

/ Introduction

To enable your company to access Amazon Web Services (AWS) resources via Ansys Gateway powered by AWS, you must complete a setup process. This is automatically launched on the screen when you subscribe to Ansys Gateway powered by AWS. There are two options available for setting up Ansys Gateway powered by AWS: Express and Manual. See Gateway onboarding methods (ansys.com) Ansys recommends Express setup as it requires minimal IT expertise and configuration. Manual setup is only needed if you want to integrate Active Directory with Ansys Gateway powered by AWS. Please see the IT Administration Videos here. To perform the setup, you must have an Ansys ID. For more information about Ansys ID see the Ansys Account Management guide or the Ansys Sign-In Help. Post onboarding, users can sign in to Ansys Gateway web portal if following criteria are met.

1. User's Ansys ID email address domain matches the Ansys ID email address domain of the IT administrator, which is used during onboarding.
2. User's Ansys ID email address is added in the mail property of Actitve Directory user profile.

Users need to be explicitly added to Project Space/s to view or access any Project Space. To prepare for connecting to Ansys Gateway powered by AWS, ensure that you meet the prerequisites for your desired setup method.

---

This article refers to Manual Setup, For Express Setup, please see: Ansys Gateway powered by AWS – Express Setup Overview and Prerequisites

/ Overview of Manual Setup Process

To connect your local network to Ansys Gateway powered by AWS, you will enter information in the wizard and perform tasks in your local IT environment, AWS Cloud, and Ansys Gateway powered by AWS. Please see short video of Manual Setup process at Ansys Gateway powered by AWS: Manual Setup (youtube.com)

/ How Ansys Gateway powered by AWS works

Here is an overview of how everything connects and works together.

 

/ Prerequisites

To prepare for connecting to Ansys Gateway powered by AWS, you must have the following set up in AWS:

1. AWS Administrator who is running Manual setup should have full administrative privileges to run AWS Cloud Formation Template (AWSCloudFormationFullAccess policy) on their AWS account. Post Manual setup, AWS Administrator will be asked to run an AWS Cloud Formation Template which provides a shared access role with the following policies to Ansys Gateway by AWS.

• AmazonEC2FullAccess
• ServiceQuotasFullAccess
• AWSPriceListServiceFullAccess

This onboarding wizard is configured for customers with a single domain only. If your email/authentication/active directory domains are different, please contact Ansys support. This guide assumes that you have the following already set up:

/ Ansys ID Requirement

To be able to launch Manual setup or sign in to Ansys Gateway powered by AWS, you must have an Ansys ID. If you do not have one, you will be prompted to create an Ansys account when signing in.

/  Prepare your local IT environment

To prepare for connecting to Ansys Gateway powered by AWS, you must have the following set up in your local environment:

 

1.     A local server hosting Active Directory

Requirements:

• LDAP for querying the AD and authenticating access to it
• AD service account with permissions to:
  • Join a machine to the domain
  • Create groups and machines within a specified  Organizational Unit (OU). Permission to create groups can be removed after successful onboarding. 
  • Read users in the groups within the specified Organizational Unit.
• All user accounts should have Ansys ID email address defined in the user account mail property - Active Directory>User account>Attribute Editor>mail property
• Following user data attributes are synchronized between Active Directory and Ansys Gateway
  • "userprincipalname"
  • "samaccountname"
  • "givenname"
  • "mail"
  • "displayname"
  • "name"
  • "distinguishedname"

To Do: Set up an Organizational Unit (OU)

• You must create an Organizational Unit (OU) to be used for Ansys Gateway operations.
• On the server hosting Active Directory (AD), open Active Directory Users and Computers.
• From the View menu, select Advanced Features.
• Right-click your domain and select New > Organizational Unit.
• Specify a name for the Organization Unit that identifies it as OU for Ansys Gateway powered by AWS (for example, "AGW"). Make note of the specified name as you will need it later.

2. A server to host the Ansys Gateway powered by AWS AD Connector service

Have a server ready or create and certify a server to host the Ansys Gateway powered by AWS AD Connector proxy service. The server can be an on-premises machine or VM in AWS Cloud which meets the requirements below.

Requirements:

• Should be close to the server hosting Active Directory to ensure fast communication with that server
• Operating System: Windows Server 2016 or later
• Port 16402 incoming must be open between the Ansys Gateway powered by AWS AD Connector server and the VPC
• Ports 389 (LDAP) and 3268 (GC) outgoing must be open between the Ansys Gateway powered by AWS AD Connector server and Active Directory
• Port 443 outgoing must be open between the Ansys Gateway powered by AWS AD Connector server and the Internet
• Certificate specifying the hostname of the Ansys Gateway powered by AWS AD Connector Service and connectivity to validate the certificate
• Account with Local Admin rights

Note: You will download and install the Ansys Gateway powered by AWS AD Connector service in a later step.

 

/ Prepare your AWS environment

To prepare for connecting to Ansys Gateway powered by AWS, you must have the following set up in AWS:

1. A Virtual Private Cloud (VPC) for each region in which you want to use Ansys Gateway powered by AWS

A Virtual Private Cloud (VPC) is a pool of shared resources allocated within AWS Cloud. Each VPC is associated with a specific region. This determines the AWS data center that will provision the resources. Learn more about Amazon VPC.

Requirements for each VPC:

• From the VPC to the Internet:
  • Port 443 outbound to enable communication to the Ansys Gateway powered by AWS Control Plane and the virtual machines
  • Port 22 inbound and port 443 inbound to facilitate connections to the virtual machines
• From the VPC to another VPC:
  • Port 445 inbound/outbound [Optional for SMB Connectivity]
• From the VPC to the Ansys Gateway powered by AWS AD Connector Service:
  • Port 16402 outbound to enable communication with the Ansys Gateway powered by AWS AD Connector Service
• Standard connectivity to Active Directory including port 389 for domain join connectivity
• At least one subnet
• DNS connectivity
• AWS EC2 Service Quotas for provisioning instances in the associated region

 

2. Established connection between local network and VPC

There must be a secure and private connection between your local network and the AWS Virtual Private Cloud.  AWS recommends site-to-site VPN or Client VPN. Learn more about Amazon Virtual PrivateNetwork.

 

Updated August 3, 2023

[Eduard Van Niekerk]

Where can I find the remaining steps to be completed in AWS (e.g. IAM Role permissions)

[Masataka Nakamura]

Hi Eduard, The remaining steps for administrator can be found in the Setup Process section of the link below. Could you please confirm it.

Requirements for Integrating with Ansys Gateway powered by AWS

 

[Vaibhav Dixit]

Q: How many subnets / etc are required? 
A: Minimum 1 subnet