Benefits of deploying the Tableau Server Management Add-On using AWS.
This post is not intended to be an exhaustive introduction to either Amazon Web Services or to Tableau Server and the Server Management Add-On as those would both require dedicated posts, covering the topic in far more detail. The purpose of this is to introduce the concept of deploying a Tableau Server instance with the Server Management add-on using AWS, and some of the specific benefits of doing so. For those that are completely new to both topics though, I will provide a very short description of both below.
What is AWS
AWS is Amazon’s cloud computing offering, and it allows users to leverage and deploy a plethora of services in the cloud. One benefit of using AWS is that it offers users a great deal of flexibility to pick and choose the services that they need, without the stress of having to provision or maintain their own hardware. Another benefit is scalability: because services are deployed in the cloud, it is easy to scale up or scale down depending on requirements. Cost is also a driving factor, because it eliminates the need to spend money on buying and maintaining physical hardware.
What is the Server Management Add-On.
Tableau Server should be fairly well known to most Tableau users, but a very brief description of it would be a server-based space where Tableau content within an organisation can be viewed or published. What may be less well known is the Server Management Add-On. This is a separately licensed component that provides users with additional tools to help with server administration. Some of these are additional components that need to be installed, but others, such as the ones I will be focusing on, are server features which are only made possible by deploying on AWS.
Externalise the Repository
The Postgres repository is a key component of any server installation. Again, the Postgres database could be covered in its entirety in a separate post, but in summary it contains information about all of the tables, data sources and users related to the server. In a regular installation it would be located on the same machine that the server is installed on, but one of the features of deploying Tableau Server on AWS is that with the Server Management Add-On it’s possible to provision for the repository to sit externally in a different service. What this means in a nutshell is that while the server would be running on one AWS service, the Postgres repository would be running on another.
The primary benefit of this is fault tolerance. If the Postgres installation were to ever fall over, then the entire server would cease to run, thereby making it a single point of failure. But by having the repository hosted on a service by AWS and distributed across multiple nodes it helps to mitigate this potential issue.
Externalise the Extract Encryption
This allows users to export the encryption of extracts to AWS and the main reason for doing so is increased fault tolerance and security. It can be a little tricky to actually get your head around what this feature entails, so I will try my best to break this down simply. In a regular Tableau Server installation the local Key Management System is used for encrypting extracts. There is a hierarchy in place relating to this and at the root is the Java keystore, which handles the storage and encryption of the master extract key, and is installed with the server.
Using the AWS Key Management Service allows Tableau Server to generate a data key using the AWS Customer master key, and this data key then acts as the root master key for all encrypted extracts. This is beneficial as it means the master key is not stored using the same permissions as extracts.
How to set this up.
Now that I’ve explained these components, I’ll go about giving an overview of how I went about setting this up and the resources that I used to help with this.
Install Tableau Server on EC2
- Valid Server Management Add-On license
- Server environment must be installed on either AWS or Azure.
- PostgreSQL database install set up and ready on AWS Relational Database Service.
- A copy of the endpoint URL of the PostgreSQL database.
- Download the certificate (.pem) for the Amazon RDS PostgreSQL instance.
The guide on the Tableau help site that I followed can be found here:
EC2 is the virtual computing component within AWS, and this is the component on which the server will be installed. So my first port of call was to create a new Windows Server instance of the relevant size. In my case I used M4a.2x.Large.
Initially I attempted to set this up using a snapshot of a machine which previously had the server installed, but this created problems down the line when trying to set up the AWS components so ultimately I opted for a completely fresh install.
A couple of admin steps to be completed beforehand.
- Create an elastic IP for this machine and assign it so that it wouldn’t change.
- I also had to create a key pair that I could use when creating it, and then also amend the security policy so that I could remote into it from my home network.
I won’t go in depth with every single step but will instead provide an overview of what I did and the difficulties encountered.
- The first step was to set up the PostgreSQL instance on AWS Relational Database Service, as this was going to be the location of the repository.
- Create the JSON configuration file. This file contains information that will be used by the server to connect to the Postgres database, such as the master username and password, the Postgres database host name and the port number.
- Once this was set up I then used Remote Desktop to connect to the EC2 instance and ran the Tableau Server installation using the command line, stopping before the step to configure the initial node.
- Configure the server to use an external repository by running two commands; one which references the settings in the JSON file created in an earlier step.
tsm topology external-services repository enable -f <filename>.json -c <ssl certificate file>.pem
And another to apply the changes made.
tsm pending-changes apply
The final step is then to initialise the server and complete the installation.
tsm initialize --start-server --request-timeout 1800
To check that the process was completed correctly, log into TSM (Tableau Services Manager) and check the status. As shown in the image below, the repository should be marked as external.
Setting up the External KMS
Before setting up the external KMS there are a couple of prerequisites that need to be met:
- Tableau Server deployed on EC2.
- Tableau Server configured with the Server Management Add-On.
- Must have administrative control of a Customer Master Key created in Amazon KMS.
The process of setting this up can be a little convoluted, but I will try my best to keep this simple and easy to follow. The guide that I followed to complete this process can be found below and this will provide a more detailed description. I would strongly encourage checking this out as it also contains some links to other key concepts such as IAM roles.
- The first step is to create a CMK (customer master key) within the KMS. The server instance on EC2 must have its IAM role updated with a policy which grants permission to call the “GenerateDataKey” and “Decrypt” actions on the CMK.
- Locate the ARN (Amazon Resource Name) from the KMS. It can be found in the configuration section of the KMS and will have the following format.
- The next configuration step is to run the following command in Tableau Server.
tsm security kms set-mode aws --aws-region "<region>" --key-arn "arn:aws:kms:<region>:<account_number>:key/<CMK_ID>"
- The final step is to validate the install by running the following command:
tsm security kms status
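As an added example (not from the Tableau guide or from my original setup), here is a small Python check for the IAM policy and key ARN described in the steps above. It reports anything beyond the GenerateDataKey and Decrypt permissions on the one CMK, and any mismatch between the --aws-region value and the region inside the ARN. The account number, key id and both policy documents are constructed sample values.

```python
import re
from fnmatch import fnmatchcase

# Layout of a KMS key ARN, as passed to `tsm security kms set-mode aws --key-arn`.
ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/([A-Za-z0-9-]+)$")
# The two actions the instance role needs (IAM action names are case-insensitive).
REQUIRED = {"kms:generatedatakey", "kms:decrypt"}

def _listify(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def audit_kms_policy(policy, key_arn, region):
    """Return findings for an IAM policy document; an empty list means it fits."""
    match = ARN_RE.match(key_arn)
    if not match:
        return ["key ARN is not arn:aws:kms:<region>:<account_number>:key/<CMK_ID>"]
    findings, granted = [], set()
    if match.group(1) != region:
        findings.append(f"--aws-region {region} differs from ARN region {match.group(1)}")
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _listify(stmt.get("Action", []))
                   if a == "*" or a.lower().startswith("kms:")]
        if not actions:
            continue  # statement is unrelated to KMS
        resources = _listify(stmt.get("Resource", []))
        covers_key = any(fnmatchcase(key_arn, r) for r in resources)
        findings += [f"resource {r} is not the CMK itself" for r in resources if r != key_arn]
        for act in actions:
            if "*" in act:
                findings.append(f"wildcard action {act}")
            elif act.lower() not in REQUIRED:
                findings.append(f"action {act} is not one of the two required actions")
            if covers_key:
                granted |= {r for r in REQUIRED if fnmatchcase(r, act.lower())}
    return findings + [f"missing {m} on the CMK" for m in sorted(REQUIRED - granted)]

# Constructed sample values: the account number and key id are placeholders.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN}]}
BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "kms:*", "Resource": "*"}}

if __name__ == "__main__":
    print(audit_kms_policy(GOOD, KEY_ARN, "eu-west-1"), audit_kms_policy(BROAD, KEY_ARN, "eu-west-1"))
```

An empty list for a policy means the role grants exactly the two actions on exactly the key given to tsm.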
So this concludes the rough overview of how to set up the AWS-specific Server Management components. If this is a topic of interest, I would advise looking at the documentation on the Tableau help site to learn a bit more about some of the other useful features of the Server Management Add-On. As I’ve mentioned earlier as well, it also contains a wealth of information on how the server can be configured with AWS.