Runtime environment configuration in a cloud environment

You can install and run a Secure Agent on AWS, Google Cloud, or Microsoft Azure.
Install a Secure Agent in the following ways based on your cloud environment:
You can install a Secure Agent in a cloud environment on the Runtime Environments page in Administrator. Click Manage Cloud Secure Agents to open the installer. The Manage Cloud Secure Agents button appears at the top of the Environments list on the Runtime Environments page.
If your organization uses the unified Home page and your organization doesn't have any runtime environments, you can also install a Secure Agent in a cloud environment by clicking Next in the "To get started, you must first set up a runtime environment" panel. This panel appears at the top of the page when your organization has no runtime environments.

Installing in AWS

The Secure Agent installer can help you create a runtime environment on Amazon Web Services (AWS). The runtime environment you create is a Secure Agent group that contains one Secure Agent.
When you create a runtime environment on AWS, you create a new stack where the Secure Agent is deployed. You can create the stack in a new or existing virtual private cloud (VPC). The installer creates an Amazon Elastic Compute Cloud (EC2) instance within the VPC.
To create a runtime environment, you must have a subscription with AWS that includes create, modify, and delete privileges for the following resource types:
You must also have read and launch permissions for machine images.
  1. In Administrator, select Runtime Environments.
  2. On the Runtime Environments page, click Manage Cloud Secure Agents.
  3. Click New Cloud Secure Agent.
  4. Select Amazon Web Services.
  5. Click Next.
  6. On the Environment Configuration page, copy the install token.
      The install token is valid for 24 hours and can't be reused.
  7. Choose whether to create the runtime environment on an existing or new VPC.
  8. Click Continue Configuration in AWS.
      The AWS Sign in screen opens in a new browser tab.
  9. Sign in to your AWS account.
      The Quick create stack page opens.
  10. In the Stack name area, enter a stack name.
  11. In the Parameters area, under Network Configuration, configure the following properties based on whether you're using an existing VPC or a new VPC.
  12. Under Amazon EC2 Configuration, configure the following properties:
      Property: Value
      Key Pair Name: Enter the name of an existing EC2 key pair to enable external access to the EC2 instance. Corresponding key pair files are required for SSH access to the server.
      Instance Type: Select the instance type for the EC2 instance or accept the default. Default is m5.xlarge.
      Enable Elastic IP Addressing: Choose whether to assign elastic IP addresses to the EC2 instance or accept the default. Default is no.
  13. Under Informatica Intelligent Data Management Cloud (IDMC) Account Details, configure the following properties:
      Property: Value
      IDMC POD Master URL: Accept the default value for the IDMC POD Master URL. This is the URL that you use to access Informatica Intelligent Cloud Services. Warning: Changing this URL can result in stack deployment failure.
      IDMC User Name: Enter your Informatica Intelligent Cloud Services user name.
      IDMC User Token: Paste the install token that you copied. If you forgot to copy the install token, you can switch back to Informatica Intelligent Cloud Services and generate a new one.
      Secure Agent Group Name: Accept the default value for the Secure Agent group name. This is the name of the runtime environment that you're creating.
  14. Click Create stack.
      It takes a few minutes to create the stack. Be sure to monitor the stack creation and address any issues that might occur.
      When the stack is created successfully, the EC2 Instance status changes from CREATE_IN_PROGRESS to CREATE_COMPLETE.
  15. In Informatica Intelligent Cloud Services, on the Environment Configuration page, click Finish.
      IICS creates your runtime environment and displays it on the Runtime Environments page.
      Tip: To see the progress of your pending Secure Agents, click Manage Cloud Secure Agents on the Runtime Environments page. The status appears at the top of the page.
It takes a few minutes for the Secure Agent services to start. When the Secure Agent is ready to use, the status changes from "Pending Environment Set Up" to "Up and Running." You might need to refresh the page to see the updated status.

Installing in Google Cloud

The Secure Agent installer can create a runtime environment on Google Cloud for you, based on just a few properties that you enter on the configuration page.
Note: You must have a subscription with Google Cloud that includes permissions to deploy resources.
  1. In Administrator, select Runtime Environments.
  2. On the Runtime Environments page, click Manage Cloud Secure Agents.
  3. Select Google Cloud Platform.
  4. Click Next.
  5. Select the Google account to use.
  6. Enter the following properties:
      Property: Description
      Project: A project defines how Informatica Intelligent Cloud Services interacts with Google services and what resources it uses. Select your Google Cloud project from the drop-down list.
        Note: If you don't have a project, exit the installation wizard and create your project on Google Cloud. You can't create a project from within Informatica Intelligent Cloud Services.
      Secure Agent Name: Enter a name for your Secure Agent. The name needs to conform to the following rules:
        - The name can be up to 43 characters long, with a combination of letters, numbers, and hyphens.
        - The first character must be a lowercase letter.
        - The last character can't be a hyphen.
        - All letters must be lowercase.
        By default, the runtime environment uses the same name as the agent.
      Region: Select the region to deploy the Secure Agent. Choose a region that's appropriate for your organization and your customers.
      Machine Type: Select the machine type for your virtual machine. If you're not familiar with Google machine types, start with a size with at least 4 cores and 16 GB of memory.
      Virtual Network: Specify whether to use an existing virtual network based on your Google subscription or create a new virtual network. A virtual network uses hardware and software to emulate a physical network.
      Virtual Network Name: Select an existing virtual network or enter the name for a new virtual network.
      Subnet: Select the subnet to use or enter a name for a new subnet.
      Subnet Address: Select the subnet address that includes all the resources or enter a new subnet address. Subnet addressing allows a system made up of multiple networks to share the same Internet address.
  7. Select the "I acknowledge this action will incur costs in Google Cloud Platform" check box to acknowledge that costs will be incurred on your Google account.
  8. Click Create.
      Informatica Intelligent Cloud Services creates your runtime environment and displays it on the Runtime Environments page.

Troubleshooting connection issues on Google Cloud

The firewall in Google Cloud can block access to your VM. If this occurs, add a firewall rule to allow RDP and SSH access to your VM instances.
When Google Cloud blocks access, the runtime environment fails to start with the following error:
Connection Failed. We are unable to connect to the VM on port 22.
  1. In the Google Cloud console, go to the Firewall Rules page.
  2. Click Create firewall rule.
  3. Create a firewall rule with the following settings:
      Setting: Value
      Name: Enter a name for the firewall rule. For example: allow-ingress-from-iap(<name>)
      Direction of traffic: Ingress
      Action on match: allow
      Target: All instances in the network
      Source filter: IP ranges
      Source IP ranges: 35.235.240.0/20
      Protocols and ports: Select TCP and enter 22,3389 to allow both RDP and SSH.
  4. Click Create.
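
As an added example (not part of the Informatica documentation), the following Python script reviews exported firewall rules and reports any ingress rule that opens SSH (22) or RDP (3389) to a source outside the 35.235.240.0/20 range used in the rule above. It assumes the rules were exported with gcloud compute firewall-rules list --format=json; the sample rules and their names are constructed.

```python
import ipaddress
import json

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # source range from the rule above
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def covers_admin_port(allowed):
    """Return the admin ports (22, 3389) matched by one 'allowed' entry."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return set()
    ports = allowed.get("ports")
    if not ports:  # no port list means every port of the protocol
        return set(ADMIN_PORTS)
    hit = set()
    for spec in ports:  # each entry is "22" or a range such as "1-65535"
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        hit |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return hit

def audit(rules):
    """List (rule name, ports, source) where SSH/RDP ingress exceeds the IAP range."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        ports = set()
        for allowed in rule.get("allowed", []):
            ports |= covers_admin_port(allowed)
        if not ports:
            continue
        for src in rule.get("sourceRanges", []):  # tag-based sources are not checked
            net = ipaddress.ip_network(src, strict=False)
            if not (net.version == 4 and net.subnet_of(IAP_RANGE)):
                findings.append((rule["name"], sorted(ports), src))
    return findings

# Constructed sample in the shape of the gcloud JSON export (assumed input).
SAMPLE = json.loads("""[
 {"name": "allow-ingress-from-iap", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
 {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "wide-tcp", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["1-65535"]}]}
]""")

if __name__ == "__main__":
    for name, ports, src in audit(SAMPLE):
        print(f"{name}: tcp {ports} open to {src}")
```

Rules reported here are candidates for review: with the IAP rule in place, a separate rule that exposes port 22 or 3389 to a wider source is not needed for the connection fix described in this section.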

Installing in Microsoft Azure

The Secure Agent installer can configure a runtime environment on Microsoft Azure. Note that running data integration tasks on Azure incurs costs based on the workload and the VM size.
Note: You need a Microsoft Azure subscription with permissions that allow you to deploy resources. If admin consent is enabled at your organization, reach out to the Azure administrator for app consent approvals. For more information about admin consent requests, see the Microsoft documentation.
  1. In Administrator, select Runtime Environments.
  2. On the Runtime Environments page, click Manage Cloud Secure Agents.
  3. Click New Cloud Secure Agent.
  4. Select Microsoft Azure.
  5. Click Next.
  6. Select the Microsoft account to use.
  7. Enter the following properties:
      Property: Description
      Subscription: Select your Microsoft Azure subscription. The subscription must include permissions to deploy the following resources:
        - Network security group
        - Virtual network (including subnet)
        - Network interface
        - Public IP address
        - OS disk
        - Virtual machine
        Be sure to grant permission to the Hyperscalar Azure Integration App when prompted.
        Note: If you do not have an Azure subscription, exit the installer and sign up for one with Microsoft. You cannot sign up from within Informatica Intelligent Cloud Services.
      Resource Group: A resource group is a container that holds related resources for your runtime environment. Informatica Intelligent Cloud Services uses one resource group for each Secure Agent to simplify management of the VM resources for that agent.
        You typically create new resource groups, but you can use any existing group that is empty.
        Tip: Use the same or similar name as the Secure Agent to more easily identify which resource group belongs with each agent.
      Resource Group Name: Name of the resource group. Enter the name of a new group or select an existing group.
        Ensure that any existing resource group is empty, otherwise this message appears: "API Input validation failed."
      Location: Select the region to deploy the Secure Agent. Choose the Azure region that's appropriate for your organization and your customers. Not every resource is available in every region.
      VM Name: Enter a name for the virtual machine (VM) that will be created.
      VM User Name: Enter your name as the virtual machine user.
      VM Password: Enter a password to access the virtual machine.
      Secure Agent Name: Enter a name for your Secure Agent. By default, the runtime environment has the same name as the agent.
        Tip: Use the same or similar name as the resource group, to more easily identify which resource group belongs with each agent.
      VM Size: Select a size for your virtual machine. If you are unfamiliar with Azure image sizing, start with a size with at least 4 cores and 16 GB of memory.
        Note that your Azure hourly charges are affected by the VM size.
      Virtual Network: Select an existing virtual network based on your Microsoft Azure subscription and location or create a new virtual network.
      Virtual Network Name: Select an existing virtual network or enter the name for a new virtual network.
        When you select an existing virtual network, the newly created VM is associated with the existing VNet.
      Virtual Network Address: Select an existing virtual network address or enter a new address.
      Subnet Name: Select the subnet to use or enter a name for a new subnet.
        The subnet holds all the Azure resources that are deployed to the virtual network.
      Subnet Address: Select the subnet address that includes all the resources or enter a new subnet address.
        Subnet addressing allows a system made up of multiple networks to share the same Internet address.
      CIDR IP Address Range: Enter the CIDR IP address range.
        CIDR (Classless Inter-Domain Routing) is a method for allocating IP addresses. The range that you enter configures a network rule to allow remote access to the Secure Agent. The "/x" portion of the address determines how many IP addresses are available in the subnet, for example: 108.124.81.10/32
        Tip: For more information, refer to "Explore Azure Virtual Networks" in the Microsoft documentation.
  8. Click Create. Administrator creates your runtime environment and displays it on the Runtime Environments page.
      Tip: To see the progress of your pending Secure Agents, click Manage Cloud Secure Agents on the Runtime Environments page. The status appears at the top of the page.