Appendix: AWS Running in an internal-only VPC

CloudBees will no longer be supporting CloudBees Jenkins Enterprise 1.x after July 30, 2020. This end-of-life announcement allows CloudBees to focus on driving new technology and product innovation for CloudBees CI. For information on moving to CloudBees CI, please refer to Migrating from CloudBees Jenkins Enterprise 1.x to CloudBees CI on modern cloud platforms which has been created to help you with the migration process. Existing customers can also contact their CSM to help ensure a smooth transition.

By default, CloudBees Jenkins Enterprise installs by creating public resources such as ELBs and public IPs.

It can, however, be installed in an internal-only VPC if required.

Prerequisites

  • You need an existing VPC (or to set one up) and a subnet with outbound connectivity.

  • The workstation used for the CloudBees Jenkins Enterprise installation needs access to the VPC private network.

Reference architecture

This is the reference architecture we have been using to test this feature. Instances of the CloudBees Jenkins Enterprise cluster are created in vpc-1 and subnet-1. The CloudBees Jenkins Enterprise workstation was connected over VPN to another VPC, which is peered to vpc-1 through a VPC peering connection (pcx-1). An alternative would have been to create the CloudBees Jenkins Enterprise workstation directly in the VPC, on the public subnet (subnet-2).

Table 1. AWS resources (Resource Type: Element, then Attributes)

  • VPC: vpc-1
      CIDR: 172.18.128.0/17

  • Subnet: subnet-1 (private)
      CIDR: 172.18.128.0/24; Auto-assign Public IP: no; Route Table: rt-1

  • Subnet: subnet-2 (public)
      CIDR: 172.18.130.0/24; Auto-assign Public IP: yes; Route Table: rt-2

  • Route table: rt-1 (private)
      172.18.128.0/17 → local; 0.0.0.0/0 → nat-1; 172.18.64.0/18 → pcx-1

  • Route table: rt-2 (public)
      172.18.128.0/17 → local; 0.0.0.0/0 → igw-1; 172.18.64.0/18 → pcx-1

  • VPC Peering: pcx-1
      Peered VPC CIDR: 172.18.64.0/18

  • NAT Gateway: nat-1
      Attached to the public subnet

  • Internet Gateway: igw-1

Installation

In cluster-init.config, you will need to provide:

  • vpc_id : ID of the existing VPC

  • vpc_subnet_id : ID of the existing subnet

  • additional_security_group_id : ID of an existing security group that will be added to all instances and ELBs of the cluster

  • internal : must be set to yes
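A preflight check for these four settings, written as an added example (not CloudBees' own tooling): it takes the cluster-init.config values as a dict, together with constructed `aws ec2 describe-subnets` and `describe-route-tables` JSON mirroring Table 1, and confirms the chosen subnet is really private (no auto-assigned public IPs, default route through a NAT gateway rather than an Internet gateway) before the installer is run. The JSON here is constructed; in practice it would come from the AWS CLI.

```python
import json

# Constructed `aws ec2 describe-subnets` output mirroring Table 1 (both subnets).
SUBNETS_JSON = """{"Subnets": [
  {"SubnetId": "subnet-1", "VpcId": "vpc-1", "MapPublicIpOnLaunch": false},
  {"SubnetId": "subnet-2", "VpcId": "vpc-1", "MapPublicIpOnLaunch": true}]}"""

# Constructed `aws ec2 describe-route-tables` output for rt-1 and rt-2 (peering routes omitted).
ROUTE_TABLES_JSON = """{"RouteTables": [
  {"RouteTableId": "rt-1", "Associations": [{"SubnetId": "subnet-1"}], "Routes": [
     {"DestinationCidrBlock": "172.18.128.0/17", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
  {"RouteTableId": "rt-2", "Associations": [{"SubnetId": "subnet-2"}], "Routes": [
     {"DestinationCidrBlock": "172.18.128.0/17", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]}]}"""

def default_route_target(route_tables, subnet_id):
    """Target of the 0.0.0.0/0 route for subnet_id: its explicitly associated
    table, else the VPC main table (an association with "Main": true)."""
    chosen = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                chosen = rt  # an explicit association always wins
            elif chosen is None and assoc.get("Main"):
                chosen = rt  # fallback until an explicit match is seen
    for route in (chosen or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None

def check_internal_config(config, subnets_json, route_tables_json):
    """Return the problems found; [] means the settings describe an internal-only install."""
    problems = []
    if config.get("internal") != "yes":
        problems.append("internal must be set to yes")
    subnets = {s["SubnetId"]: s for s in json.loads(subnets_json)["Subnets"]}
    subnet = subnets.get(config.get("vpc_subnet_id"))
    if subnet is None:
        return problems + ["vpc_subnet_id does not exist"]
    if subnet["VpcId"] != config.get("vpc_id"):
        problems.append("vpc_subnet_id is not in vpc_id")
    if subnet["MapPublicIpOnLaunch"]:
        problems.append("subnet auto-assigns public IPs")
    target = default_route_target(json.loads(route_tables_json)["RouteTables"], subnet["SubnetId"])
    if target is None:
        problems.append("no default route: instances need outbound connectivity via NAT")
    elif target.startswith("igw-"):
        problems.append("default route uses an Internet gateway, so this is a public subnet")
    return problems
```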