Runtime Environments > Serverless runtime environment setup in AWS > Common tasks for VPC configuration

Common tasks for VPC configuration

When you set up your cloud environment, you can add safe IP addresses for IP filtering, set up a system disk, set up a location for JAR files and external libraries, and configure TLS to authenticate REST APIs. These apply whether you set up your VPC manually or through a template.

Perform the following tasks as necessary:

•Add trusted IP addresses. If your organization filters based on IP addresses, add the safe Informatica addresses so that they won't get blocked by the firewall. For more information, see Adding trusted Informatica IP addresses.
•Configure a system disk. A system disk can help improve mapping performance. For guidelines on setting up a system disk, see Configuring a system disk. For directions on setting up the system disk, see System Disk.
•Create a supplementary file location. If your mappings use JAR files and external libraries, set up a location on Amazon S3 to store the files. For more information, see Creating the supplementary file location.
•Configure TLS to authenticate REST APIs. If you use a REST V3 Connector, you can configure TLS to authenticate REST APIs. For more information, see Configuring TLS to authenticate REST APIs.

Adding trusted Informatica IP addresses

If your organization uses trusted IP address ranges, edit the ranges in your organization properties and add the appropriate trusted IP addresses.

US

The following table lists trusted IP addresses for US regions:

Region	Trusted IP addresses
US East (N. Virginia) us-east-1	- 54.160.9.90 - 54.221.247.69
US East (Ohio) us-east-2	- 18.220.76.98 - 3.131.176.232
US West (N. California) us-west-1	- 52.52.220.198 - 13.56.74.27
US West (Oregon) us-west-2	- 44.239.8.148 - 44.242.20.143

APJ

The following table lists trusted IP addresses for APJ regions:

Region	Trusted IP addresses
Asia Pacific (Hong Kong) ap-east-1	- 18.167.71.151 - 18.163.244.73
Asia Pacific (Mumbai) ap-south-1	- 65.1.80.5 - 13.234.141.216
Asia Pacific (Osaka) ap-northeast-3	- Not available
Asia Pacific (Seoul) ap-northeast-2	- 52.79.244.47 - 3.34.56.248
Asia Pacific (Singapore) ap-southeast-1	- 52.76.184.230 - 18.140.193.120
Asia Pacific (Sydney) ap-southeast-2	- 3.24.111.61 - 54.253.179.190
Asia Pacific (Tokyo) ap-northeast-1	- 35.72.149.44 - 13.112.143.134

Canada

The following table lists trusted IP addresses for Canada regions:

Region	Trusted IP addresses
Canada (Central) ca-central-1	- 3.96.182.201 - 3.97.103.68

EMEA

The following table lists trusted IP addresses for EMEA regions:

Region	Trusted IP addresses
Europe (Frankfurt) eu-central-1	- 3.125.185.124 - 3.64.66.226
Europe (Ireland) eu-west-1	- 54.76.54.130 - 54.78.183.88
Europe (London) eu-west-2	- 35.176.60.118 - 18.135.50.152
Europe (Milan) eu-south-1	- 35.152.49.63 - 35.152.45.151
Europe (Paris) eu-west-3	- 15.237.157.126 - 15.237.97.211
Europe (Stockholm) eu-north-1	- 13.49.61.89 - 13.53.141.231

UK

The following table lists trusted IP addresses for UK regions:

Region	Trusted IP addresses
Europe (Frankfurt) eu-central-1	- 18.157.124.91
Europe (Ireland) eu-west-1	- 34.250.251.16
Europe (London) eu-west-2	- 18.170.170.192
Europe (Milan) eu-south-1	- 15.161.184.93 - 15.160.41.209
Europe (Paris) eu-west-3	- 13.37.37.71
Europe (Stockholm) eu-north-1	- 13.53.147.238

Configuring a system disk

The serverless runtime environment can use system disks for improved performance.

Configure a system disk to improve mapping performance in Data Integration.

You can configure system disks in Amazon EFS (Elastic File System) and NFS (Network File System) formats. File system connections in EFS are TLS-enabled by default. File system connections in NFS use NFSv4 (Network File System Version 4).

When you use a system disk, the serverless runtime environment creates a folder with the name <organization ID>/<serverless environment Id> on the system disk. This folder stores job metadata and logs.

Rules and guidelines for the EFS file system

Use the following guidelines when you configure system disks in the Amazon EFS format:

•Set the file system to the ID of the EFS file system.
•Allow the subnet in the serverless runtime environment to access to the Amazon EFS file system.
•Configure the EFS security group to allow inbound access from the security group configured in the serverless runtime environment.
•Configure the IAM role in the serverless environment with full access to the EFS file system. You can grant full access in the file system policy or in the IAM role. For example, the following file system policy allows root access to ServerlessRole (SREIICS) for file system fs-12345 and allows SecureTransport only:

"Version": "2012-10-17",
"Id": "efs-policy-wizard-<efs policy wizard ID>",
"Statement": [
{
"Sid": "efs-statement-<efs statement ID>",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<arn ID>:role/SREIICS"
},
"Action": [
"elasticfilesystem:ClientWrite",
"elasticfilesystem:ClientMount",
"elasticfilesystem:ClientRootAccess"
],
"Resource": "arn:aws:elasticfilesystem:us-west-2: <arn ID>:file-system/fs-12345",
"Condition": {
"Bool": {
"elasticfilesystem:AccessedViaMountTarget": "true"
}
}
},
{
"Sid": "efs-statement-<efs statement ID>",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "*",
"Resource": "arn:aws:elasticfilesystem:us-west-2: 123456789:file-system/fs-12345",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}

The following table describes the actions in the sample policy:

Action	Description
elasticfilesystem:ClientMount	Provides read-only access to a file system.
elasticfilesystem:ClientWrite	Provides write permissions on a file system.
elasticfilesystem:ClientRootAccess	Provides use of the root user when accessing a file system.

•Create any folder required by an access point before creating the access point itself. For example, if the access point refers to the folder /my-company/dev, then define this folder first before you set up the access point.
•Configure the IAM role to restrict access to specific access points on the file system. For more information, see https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html

Rules and guidelines for the NFS file system

Use the following guidelines when you configure system disks in the NFS format.

•Set the file system to the DNS of the NFS server.
•Configure the subnet in the serverless runtime environment to allow access to the NFS file server.
•Configure the file server security group to allow inbound access from the security group configured in the serverless runtime environment.

Using EFS or NFS directories as data disks

To use existing EFS or NFS directories as data disks in a serverless runtime environment, perform some setup steps so that the serverless runtime environment has permissions to access these directories. When the setup is complete, the serverless runtime environment can read existing files and write new files to these directories.

1Mount the EFS or NFS directories in an EC2 instance that you have.

2Log in to the EC2 instance.

3Locate a user with ID=501. If one doesn't exist, create a new user with this ID.

User ID 501 is the user cldagnt, which the serverless runtime environment uses to access mounted EFS or NFS directories.

4Assign read and write permissions to the mounted directories for user 501.

For more information, see the following topic in the AWS documentation: Working with users, groups, and permissions at the Network File System Level.

Configuring a data disk

Create a data disk in your serverless runtime environment if you have files in EFS or NFS directories that you want to use in the environment, without updating all your mappings.

Once you mount your EFS or NFS locations in a data disk, you have access to the following features:

•Flat file support. You can use flat files from the mounted EFS or NFS locations in your mappings.
•Parameter file support. You can use parameter files stored in the mounted EFS or NFS locations. This simplifies migrating jobs from a Secure Agent group to a serverless runtime environment, since you do not need to modify your mappings.

Tip: If you create data disks, ensure that you've set up the correct user and permissions to use the mounted directories as data disks. For more information, see Using EFS or NFS directories as data disks.

For information on configuring data disks, see Data Disk.

Creating the supplementary file location

If mappings use JAR files and external libraries, dedicate a location on Amazon S3 to store the files and create folders for each file type.

To create the supplementary file location:

1Create the following file structure on Amazon S3:

<Supplementary file location>
├── ext
├── odbc
│ └── lib
└── serverless_agent_config
├── jars
├── SSL
├── j_depends
└── py_depends

2Create a serverlessUserAgentConfig.yml file. For a template, see Populating the serverlessUserAgentConfig.yml File.
3Add the serverlessUserAgentConfig.yml file directly under the serverless_agent_config directory.

The following table lists the file types that you can store in each location:

Location	Files
<Supplementary file location>/ext	JDBC JAR files
<Supplementary file location>/odbc	The following files: - odbc.ini - odbcinst.ini - exports.ini
<Supplementary file location>/odbc/lib	ODBC shared libraries for a Linux operating system
<Supplementary file location>/serverless_agent_config	The following files: - serverlessUserAgentConfig.yml - JDBC V2 Connector JAR files - REST V3 Connector truststore and keystore certificates - JAR files for the Java transformation - Installation and resource files for the Python transformation You can customize the directory structure under the serverless_agent_config folder and specify the relative path to each file in the serverlessUserAgentConfig.yml file.

Configuring TLS to authenticate REST APIs

If you use REST V3 Connector with an API collection or Machine Learning transformation that runs in a serverless runtime environment, you can configure TLS to establish one-way or two-way secure communication to authenticate REST APIs.

Contact Informatica Global Customer Support to request the required custom properties. Make sure that truststore and keystore certificates are in JKS format.

1Navigate to the supplementary file location on Amazon S3.

2In the serverless_agent_config folder, create a subfolder called SSL.

3Add the truststore and keystore certificates to the SSL folder.

For one-way secure communication, add the truststore certificates. For two-way secure communication, add both the truststore and keystore certificates.

4 Copy the following code snippet to a text editor and add the relative path to each certificate in the supplementary file location:

version: 1
agent:
agentAutoApply:
general:
sslStore:
- fileCopy:
sourcePath: SSL/<REST V3 truststore certificate name>.jks
- fileCopy:
sourcePath: SSL/<REST V3 keystore certificate name>.jks

5In the serverless_agent_config folder, open the serverlessUserAgentConfig.yml file.

6Add the code snippet to the serverlessUserAgentConfig.yml file and save the file.

The serverless runtime environment will copy the certificates from the supplementary file location to its own reference directory so that it can use the certificates at run time.

7In the REST V3 connection properties, use the following format to specify each truststore and keystore file path in the serverless runtime environment: /home/cldagnt/SystemAgent/serverless/configurations/ssl_store/<certificate name>.jks

Provide the custom properties to your developer. Developers enter the custom properties in mapping tasks that run in the serverless runtime environment.