UiPath Automation Suite on AWS

Partner Solution Deployment Guide

QS

January 2023
Andrei Barbu, Andrei Oprea, UiPath
Shivansh Singh, AWS Integration & Automation team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by UiPath in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This guide covers the information you need to deploy the UiPath Automation Suite Partner Solution in the AWS Cloud.

Costs and licenses

There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

A license for UiPath is required. To sign up, contact UiPath sales. A free 60-day non-production trial license is available.

Manually provide your Automation Suite and UiPath High Availability add-on license keys after the stack is deployed. For more information, refer to About licensing.

The Partner Solution uses only the Red Hat Enterprise Linux distribution, provided by AWS. An Amazon Machine Image (AMI) subscription is not required.

Architecture

Deploying this Partner Solution with default parameters builds the following Automation Suite environment in the AWS Cloud.

Architecture
Figure 1. Partner Solution architecture for Automation Suite on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • A highly available architecture that spans two or more Availability Zones.

  • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*

  • In the public subnets:

    • A Linux bastion host to control inbound SSH (Secure Shell) access (port 22) to Amazon Elastic Compute Cloud (Amazon EC2) instances in the private subnets.

    • Bastion security group for fine-grained inbound access to the bastion host instance.

  • In the private subnets:

    • Security groups for fine-grained access to the Kubernetes server and agent nodes.

    • An Application Load Balancer or a Network Load Balancer to balance 443 inbound traffic between all Kubernetes nodes.

    • An Amazon EC2 Auto Scaling group with Kubernetes agent nodes. Nodes are hosted on Amazon EC2 instances running Linux.

    • An Amazon EC2 Auto Scaling group with Kubernetes server nodes. Nodes are hosted on Amazon EC2 instances running Linux.

    • An internal Network Load Balancer to balance 6443 (the Kubernetes API) and 9345 (the RKE2 registration address) traffic between the Kubernetes server nodes.

    • A database subnet security group for Amazon Relational Database Service (Amazon RDS) database instances running Microsoft SQL Server.

  • Amazon Elastic File System (Amazon EFS) for storing backup data.

  • AWS Certificate Manager (ACM) for domain registration with an SSL certificate.

  • Amazon Route 53 as Domain Name System (DNS) provider to route traffic to the Application Load Balancer.

  • AWS Secrets Manager for secure storage of cluster configuration and platform-generated credentials.

  • Multiple AWS Identity and Access Management (IAM) roles granting access to various operations required during deployment and installation.

* The template that deploys this Partner Solution into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

Deployment and instance type mapping

The template dynamically computes the hardware needed for the deployment as follows:

  • It sets minimum requirements for a cluster.

  • Depending on the deployment profile (multi-node or single-node profile), it sets minimum requirements for a single virtual machine (VM).

  • Selects the instance types based on their availability in the Region you deploy and the requirements for the cluster or single VM.

The following table shows the mappings between deployment and possible instance types:

Deployment type Instance type

Single-node, services selection that needs less than 16 CPUs

c5.4xlarge, c5a.4xlarge, m5.4xlarge, m5a.4xlarge

Single-node, services selection that needs more than 16 CPUs

c5a.8xlarge, c5.9xlarge, m5.8xlarge

Multi-node, services selection that needs less than 48 CPUs

c5.4xlarge, c5a.4xlarge, m5.4xlarge, m4.4xlarge

Multi-node, services selection that needs more than 48 CPUs

c5a.8xlarge, c5.9xlarge, m5.8xlarge, m5a.8xlarge

Security groups and firewalls

When Amazon EC2 instances are launched, they must be associated with a security group, which acts as a stateful firewall. You have complete control over the security group’s inbound and outbound network traffic. You can build granular rules that are scoped by protocol, port number, and source/destination IP address, or other security groups. By default, all outbound traffic from security groups is permitted. Inbound traffic, however, must be configured to allow the appropriate traffic to reach your instances. You should tightly control inbound traffic to reduce the attack surface of your EC2 instances while leaving the following ports open for application communication.

Automation Suite ports:

Port Protocol Purpose

22

TCP

For SSH (cluster management debugging)

443

TCP

For HTTPS (accessing Automation Suite)

2379

TCP

etcd client port

2380

TCP

etcd peer port

6443

TCP

For accessing Kubernetes API using HTTPS, and required for node joining

8472

TCP

Required for Flannel (VXLAN)

9345

TCP

For accessing Kubernetes API using HTTP, required for node joining

10250

TCP

kubelet / metrics server

30000-32767

TCP

Internal communication between nodes in a cluster

Other ports: 2049 - NFS service 1443 - RDS database instance port

This Partner Solution configures the following security groups:

Security group Associated with Inbound source Ports

ServiceFabricSecurityGroup

Server and agent Auto Scaling groups and dedicated EC2 instances

Private subnets CIDR

Inbound: 443, 22, 6443, 9345, 8472, 10250, 2379, 2380, 8472, 30000-32767
Outbound: any ports

BastionSecurityGroup

Bastion host

0.0.0.0/0

Inbound: 22
Outbound: any ports

DbSecurityGroup

RDS database instance

Private subnets CIDR

Inbound: 1443
Outbound: any ports

SharedStorageSecurityGroup

EFS volume

Private subnets CIDR

Inbound: 2049
Outbound: any ports

ELBSecurityGroup

Application Load Balancer

0.0.0.0/0

Inbound: 443
Outbound: 443

Deployment options

This Partner Solution provides the following deployment options:

This Partner Solution provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Automation Suite settings.

Predeployment steps

Amazon EC2 key pairs

You need at least one EC2 key pair in the AWS account in the Region where you plan to deploy the Partner Solution. To create a key pair, refer to Amazon EC2 key pairs and Linux instances.

Valid domain name

This Partner Solution requires you to own the parent domain under which the web application will be served. If you want to register a domain, refer to Registering a public domain.

If you have registered the domain using Amazon Route 53, then the hosted zone is preconfigured, and no additional configuration is necessary.

Otherwise, you should set up a hosted zone in your AWS account with the required name server, start of authority, CNAME, and text records. For further details on how to create a public hosted zone, refer to Working with public hosted zones.

Deployment steps

  1. Sign in to your AWS account, and launch this Partner Solution, as described under Deployment options. The AWS CloudFormation console opens with a prepopulated template.

  2. Choose the correct AWS Region, and then choose Next.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  7. Choose Create stack. The stack takes about 1.5 hours to deploy.

  8. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the UiPath Automation Suite deployment is ready.

  9. To view the created resources, choose the Outputs tab.

Postdeployment steps

For information about postdeployment steps, refer to Post-deployment steps.

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.