You must run PE on an appropriate EC2 instance, and manage nodes within a securely configured EC2 VPC that accommodates PE's required network ports.
EC2 instance types
You must run PE on an EC2 instance with sufficient memory and processing power.
To meet the hardware requirements, use an m4.xlarge instance as the minimum baseline. The PE installation contained in this image does not include additional Puppet compile masters, so it should not manage more than 4,000 nodes.
EC2 security groups
Use this image to manage nodes within a securely configured EC2 VPC and security group. When opening network ports for inbound connections to the Puppet master, refer to the table below; the EC2 security group policy example shows this configuration in EC2-style JSON. Ports marked "Inside VPC only" must not be reachable from outside the VPC.
| TCP port | Description | Allowed inbound source |
|---|---|---|
| 22 | SSH | Outside VPC (restrict to administrator addresses) |
| 443 | Puppet Enterprise console (HTTPS) | Outside VPC |
| 8140 | Puppet master | Inside VPC only |
| 8142 | Orchestration services | Inside VPC only |
| 8143 | Orchestration services | Inside VPC only |
| 61613 | MCollective | Inside VPC only |
For more information about PE's required network availability, see the PE firewall configuration guide for the version of PE you are using.
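The following is an added example, not code from the original page or from Puppet: it encodes the port table above as data, builds the security group ingress rules for the master in the `IpPermissions` shape that boto3's `authorize_security_group_ingress()` accepts and `describe_security_groups()` returns, and audits an existing group's rules for "Inside VPC only" ports that are reachable from outside the VPC. The VPC CIDR and administrator CIDR are placeholder assumptions; nothing here calls AWS, so it runs offline.

```python
"""Build and audit EC2 security group ingress rules for a Puppet Enterprise
master, following the PE port table.

Added example (not from the original page or from Puppet). The CIDRs are
placeholders and the rule lists are constructed here rather than read from AWS.
The dicts use the IpPermissions shape accepted by boto3's
authorize_security_group_ingress() and returned by describe_security_groups().
"""
import ipaddress

# Port table from the page: port -> (description, reachable from outside the VPC?)
PE_PORTS = {
    22:    ("SSH", True),
    443:   ("Puppet Enterprise console (HTTPS)", True),
    8140:  ("Puppet master", False),
    8142:  ("Orchestration services", False),
    8143:  ("Orchestration services", False),
    61613: ("MCollective", False),
}

# Assumed placeholders: the VPC's own CIDR and the administrators' source range.
VPC_CIDR = "10.0.0.0/16"
ADMIN_CIDR = "203.0.113.0/24"


def build_ingress_rules(vpc_cidr=VPC_CIDR, external_cidr=ADMIN_CIDR):
    """Return IpPermissions for the master's security group.

    Ports marked 'Outside VPC' are opened to external_cidr (use an administrator
    range, not 0.0.0.0/0, for SSH); everything else is restricted to the VPC CIDR.
    """
    rules = []
    for port, (desc, external) in sorted(PE_PORTS.items()):
        cidr = external_cidr if external else vpc_cidr
        rules.append({
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": desc}],
        })
    return rules


def audit_ingress_rules(ip_permissions, vpc_cidr=VPC_CIDR):
    """Flag rules that expose a VPC-only port to an IPv4 source outside the VPC.

    ip_permissions is the IpPermissions list of one security group, e.g. from
    describe_security_groups(). Returns a list of (port, cidr) findings.
    Only IPv4 ranges (IpRanges) are examined; PE's ports are all TCP.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for rule in ip_permissions:
        if rule.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        # An all-traffic rule carries no FromPort/ToPort: treat it as every port.
        lo = rule.get("FromPort", 0)
        hi = rule.get("ToPort", 65535)
        for port, (_desc, external) in PE_PORTS.items():
            if external or not (lo <= port <= hi):
                continue
            for ip_range in rule.get("IpRanges", []):
                src = ipaddress.ip_network(ip_range["CidrIp"])
                if not src.subnet_of(vpc):
                    findings.append((port, ip_range["CidrIp"]))
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(build_ingress_rules(), indent=2))
    # Constructed "bad" group: the Puppet master port opened to the whole internet.
    bad = [{"IpProtocol": "tcp", "FromPort": 8140, "ToPort": 8140,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    print(audit_ingress_rules(bad))
```

Run `audit_ingress_rules()` against the `IpPermissions` of the group actually attached to the master after any change; an all-traffic (`-1`) rule or a broad CIDR on 8140, 8142, 8143 or 61613 is reported per port, so a single permissive rule shows up as several findings.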
Configuring the metered billing service (PAYG)
When launching the pay-as-you-go (PAYG) AMI, the EC2 instance and its VPC must allow outbound (egress) access to the public internet, for example through an internet gateway or a NAT gateway, so that the instance can reach the AWS Marketplace metering service. The instance must also be launched with an IAM role (attached through an instance profile) that is permitted to call the metering service. For more details, see the AWS metering service guide and the IAM role documentation.
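As an added example, not from the original page or from Puppet or AWS, the block below builds the two policy documents such an instance role needs (a trust policy allowing EC2 to assume the role, and a least-privilege permissions policy granting only the metering call) and includes a simplified policy check that confirms a role can actually reach the metering API. It assumes the metering action is `aws-marketplace:MeterUsage` (the action used by the AWS Marketplace metering service for AMI products); the evaluator honours action wildcards and explicit denies but ignores conditions and resource constraints, so it is a pre-flight sanity check, not a replacement for the IAM policy simulator.

```python
"""Least-privilege IAM policy documents for the PAYG instance role, with a
simplified check that the role can call the metering API.

Added example, not from the original page or from Puppet/AWS. Assumes the
metering action is aws-marketplace:MeterUsage and that the role is attached to
the instance through an instance profile. Policies are built here, not fetched
from IAM.
"""
import fnmatch
import json

METERING_ACTION = "aws-marketplace:MeterUsage"

# Trust policy: lets the EC2 service assume the role (required for an instance profile).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: only the metering call. The metering service has no
# resource-level scoping, so Resource must be "*".
METERING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [METERING_ACTION],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Return True if the identity policy grants `action`.

    Simplified evaluation: an explicit Deny matching the action wins; otherwise
    any matching Allow grants it. Wildcards in Action (e.g. "aws-marketplace:*")
    are honoured; Condition and Resource are ignored.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase(action, pat) for pat in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def role_ready_for_metering(trust_policy, permissions_policy):
    """True if EC2 can assume the role and the role can call the metering API."""
    ec2_can_assume = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "ec2.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            ec2_can_assume = True
    return ec2_can_assume and policy_allows(permissions_policy, METERING_ACTION)


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(METERING_POLICY, indent=2))
    print(role_ready_for_metering(TRUST_POLICY, METERING_POLICY))
```

Keep the metering permission on its own role rather than reusing a broad administrative role: the instance profile credentials are available to anything running on the master, so the role should carry nothing beyond what the metering service needs.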