1 2 Previous Next 18 Replies Latest reply on Oct 26, 2017 2:36 AM by Sivasankar Muthusamy

    Tableau Server & Amazon AWS - Installation Walkthrough

    Brian Lockhart

      Introduction:

       

      Many of our Tableau Server customers have asked about the viability of running Tableau Server on top of 3rd party public cloud platforms. This walkthrough guide will focus on how to get Tableau Server running within Amazon Web Services (AWS). We're going to be leveraging existing documentation for Tableau Server, and Amazon Web Services. This guide assumes you have already achieved some familiarity with both Tableau Server and Amazon Web Services. If you've never worked with either or both of these before, you might want to spend some time reading through this guide, and reading the linked docs below before diving into the implementation steps. Once you've got all the prerequisites lined up, and you're familiar with the documents, you can follow these steps and be up and running with a Tableau Server in AWS in about an hour.

      Tableau Server

      Tableau Server is business intelligence software that allows you to publish the visualizations you create in Tableau Desktop to a common and secure place on the network.

      Amazon Web Services (AWS)

      Amazon is a leader in the cloud infrastructure space. With solutions to fit any scale, they're a great option for Tableau Server.

       

      More about Amazon Web Services:

      Prerequisites:

      Once you're familiar with Tableau Server and are set up with an Amazon Web Services account, you'll need the following to proceed:

      Steps to set up a Tableau Server in AWS, single server configuration:

      At a high level, we're going to do the following 5 steps:

      1. Pick a global region to set up in
      2. Build an Amazon AWS Virtual Private Cloud (VPC) in your AWS region
      3. Configure network access and security for your VPC
      4. Launch a EC2 Virtual Machine (VM) inside your new VPC
      5. Install Tableau Server on your EC2 instance running in your VPC

      Let's go!

      1) Pick a global region to set up in:


      In general, you should pick the AWS region that offers the closest physical proximity to your data sources and your intended endusers. This will provide the lowest connection times, and therefore the best network performance.

      Related reading: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html


      For this demo, we're going to pretend we're setting up a new department in Japan. We'll select "Asia Pacific (Tokyo)".

      image1tokyoAZ.png

      2) Build an Amazon AWS Virtual Private Cloud (VPC) in that region:


      Now that you've chosen which region to work in, we're going to take advantage of AWS's Virtual Private Cloud (VPC) feature to set up a separate logically isolated network for you to launch and run your server in. VPCs allow you to define security and connectivity to your server with much finer levels of control than non-VPC installations, and is the only AWS configuration Tableau recommends you install your server with. We're going to launch a new VPC, then define what can get in and out of it before we go any further.


      Related reading:

      set up an AWS Virtual Private Cloud (VPC) network:

      image2-yourvpc.png

      Choose "VPC with a Single Public Subnet Only" then click "Create VPC"

       

      image3-createvpc.png

      You now have a running VPC that is ready to launch EC2 instances into:

       

      image4.png

      3) Configure network access and security for your VPC:

       

      Now that you've created your VPC, you need to define what types of network traffic can access and enter it, and what network traffic can take place among servers running within it.


      Related reading:

       

      To install Tableau, you'll want to be able to connect to the box via RDP using a Remote Desktop client to access and manage the machine(s).To let users publish to the Tableau Server, and view content hosted on it, you'll want to enable standard web traffic via HTTP and HTTPS.


      For this guide we're going to enable 3 standard ports for inbound traffic: HTTP 80, HTTPS 443, and RDP 3389 by adding the relevant port rules to your security filter policies.


      Note: We are going to allow these ports inbound entry from any external address on the internet. For demonstration purposes, this will suffice. In practice, with production data and systems, you probably would not do this. Only a small number of trusted individuals are likely to need Remote Windows Desktop access to the Tableau Server installation. You can limit the RDP (Port 3389) access to only the narrow range of IP addresses needed by these individuals. You could also limit the HTTP and HTTPS traffic to certain ranges. We'll cover further network security considerations in a separate document.


      For AWS you'll need to do this in 3 separate places:

        1. the VPC console at the Security Group level
        2. the VPC console at Network ACL level
        3. the EC2 console at the Security Group level.

       

      a) VPC Dashboard, Security Group:


      Add 3 new filters, one for each protocol/port. It will look like this when you are done:

      image5vpc3a.png

      b) VPC Dashboard, Network ACL:

      image6vpc3b.png

      c) EC2 Dashboard, Security Group::

      EC2_security_group.png

      For now, we're going to leave all other defaults in place, only allowing RDP, HTTP, and HTTPS inbound traffic.

       

      set up AWS EIP (Elastic IP) address:


      EIPs are public internet-facing static IPs that persist across instance stops/starts. You'll want this to maintain a constant external-facing IP address for your Primary / Gateway box, so you can have an address to share with others that does not change.


      Related reading:

      http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html


      Note: while you DO need an EIP for your gateway VM(s), you likely do NOT need them for any other VM in your Tableau Server VPC. You're actually better off from a security standpoint if you don't even allow those VMs to have externally accessible IP addresses at all. Just use the private IP addresses (10.x.x.x) for internal VPC connectivity. You can always manage them via RDP by "double jumping" to them - i.e. remote desktop to your gateway VM, then from there open additional RDP sessions to the other VMs via their private IP addresses. VMs can talk to each other within the VPC just fine. But if they don't need to talk to things outside the VPC, why let them?

       

      Since this is a new VPC, go ahead and allocate a single new EIP address inside it:

      image8eip.png


      All set - we'll come back to this later once we've completed the next step and need that EIP address.

       

      4) Launch a EC2 Virtual Machine (VM) inside your new VPC:


      Now that you've completed your network by building and configuring a VPC, it's time to think about what you want to have running inside that VPC. The AMI is the base operating system you want to run your application on top of. You can create your own and upload it, or buy an existing one from the Amazon marketplace. For this demo, we're going to keep it simple and just choose an existing Amazon-provided AMI image - Windows Server 2008 R2, 64 bit.image9.png

      Choose an AWS instance type:

      The AWS EC2 instance is the "size" of server you're going to run your AMI image on top of. AMIs run on/as Instances. The two are independent of each other - you can pick an AMI and run it on a variety of instance types, depending on what level of resources you need like memory, disk speed, network, CPU cores, etc. And you can "re-size" your VM later if you want to change up to a larger type, or scale down to a smaller one. Full list of available options is here: http://aws.amazon.com/ec2/instance-types


      For this demo, we're going to pick a "m1.xlarge" instance, which offers a reasonable level of performance for a Tableau Server single server installation.

      image10.png

      Launch your AMI EC2 instance into your newly-created VPC:

      Now that we've selected an AMI, and chosen an EC2 Instance to run it on, we're going to fire it up inside the VPC network we created earlier. For this demo, we're mostly going to just go with the defaults but there are some exceptions. At this screen, be sure to select your VPC under the Network dropdown box, and do not leave it at the default "Launch into EC2 Classic". In this example we're selecting "vpc-531b1231"


      image11.png



      Now select any storage options you want - for this example we're just going to use the default of 30 GB of standard performance disk. You can change this later if needed.


      image12.png



      Tag / name the instance if you want. If you plan on running several instances it helps to have them tagged with user-recognizable names. For this demo we'll create a tag called "Name" and call it "Tableau Server".image13.png



      Select the "existing" security group you edited earlier (which allows RDP, HTTP, and HTTPS inbound traffic):

      image14.png

      Select your AWS security keypair: (for this example I've already created one and I have the key files stored securely on my local system). You'll need a keypair for each AWS region you intend to work with. Treat these carefully. You'll need them later!image15.png

      At this point you're ready to launch your instance! Once you click that "Launch Instance" button you'll be taken back to the EC2 dashboard, and you'll see your nicely named instance starting up. At this point the meter is running, and you'll be charged for a running instance.

      image16.png

      Assign static EIP address to your instance:

      Now that your instance is up and running, time to assign a static public-facing IP address to it. We're going to use the existing EIP address you already allocated inside this VPC, and assign it to this newly-created instance.From the EC2 dashboard, under "Network & Security" on the left, select "Elastic IPs". You'll see the address you were allocated earlier. Select that address, then click the "Associate Address" button, and chose the named Instance you created. Now you can connect to that instance at that IP address, which will not change if you shut it down or reboot it.

      image17.png

      Connect to your new EC2 instance:


      Now go back to the "Instances" list, and select your Tableau Server instance. Click the "Connect" button which brings up the following dialog. Download the remote desktop file (RDP), then click the "Get Password" button. Note that you may get a "password not ready" message if you just created the instance for the first time. The Windows operating system install may not be complete yet, refill your cup of coffee and try again in a few minutes.image18.png

      Click the "Get Password" button and provide your previously-created keyfile to decrypt the administrator password for your instance:

      image19.png

      Then, using the local administrator credentials you just retrieved, connect via your preferred RDP client (Windows Remote Desktop, OSX Remote Desktop Connection, etc.) - you'll then be logged into the box as a local Windows server administrator.


      For more on troubleshooting connectivity problems to your EC2 instance, see:


      http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/LaunchingAndUsingInstancesWindows.html

       

      5) Install Tableau Server on your EC2 instance running in your VPC


      Now that you've connected to your new AWS EC2 instance, running a Windows 2008R2 server AMI, via a remote desktop connection - you're ready to do whatever you want with the box. Time to install Tableau Server!


      Using the file/drive sharing feature of your RDP client, upload your copy of the Tableau Server install package to your logged in VM, and follow the instructions in the Administrator's Guide:

      http://onlinehelp.tableausoftware.com/current/server/en-us/help.htm#admin.htm


      When finished, you should be able to hit the server from the open internet. Let's try hitting this sample viz from the Tableau Server default install:


      http://<TableauServerIP>/views/Finance/Taleof100Start-ups


      replace <TableauServerIP> with the EIP address you created at the end of step 3, and assigned to your VM in step 4.


      You're done!


      You now have a single-instance installation of Tableau Server, running on a EC2 VM, inside a secure VPC within Amazon's AWS network, that can be reached by anyone with the correct login credentials.

       

      Steps to set up a Tableau Server in AWS, distributed server configuration:


      <assumes you have already completed all steps for single server, above>


      We're now going to expand our Tableau Server by adding a worker node, to create a distributed cluster. Note that for a Tableau Server distributed install, all machines in the cluster need to be members of the same domain.


      So we're going to do the following:


        1. Set up a Active Directory domain controller + DNS server inside your VPC
        2. Join your Tableau Server to the new domain
        3. Set up a new VM to be a Tableau Server Worker Node
        4. Run a standard distributed install to add the Worker to the Server

       

      1) Set up a Domain Controller + DNS server inside your VPC:

       

      Note: planning a complex Active Directory scheme is outside the scope of this guide. It's possible to do more advanced configurations including setting up both Primary and Secondary controllers, integrating with other Domains both inside and outside of the current AWS region (or with your corporate in-house Domain) but for simplicity this guide assumes you're setting up a single standalone Domain.

      Related reading:

       

      Following the same steps as you did before with your Tableau Server, launch a new Windows Server AMI instance into the same VPC as your existing Tableau Server.

      For this guide we'll be using Windows 2008R2 Server, 64 bit. Select a "m1.medium" instance type.

      Follow the steps detailed in this document: http://awsmedia.s3.amazonaws.com/pdf/EC2_AD_How_to.pdf

      For this guide, we're configuring a new standalone AD forest called "tabaws.ec2.internal"

      create a domain user to be used as the shared Tableau Server "run-as" account: http://onlinehelp.tableausoftware.com/v8.0/server/en-us/runas.htm

      For this guide, we're creating domain user "TABAWS\tabawsrunas"

      grant "run as service" to the run-as account: http://onlinehelp.tableausoftware.com/v8.0/server/en-us/runas_security.htm

      For this guide, we're going to add this user to the Domain Administrator group

       

      2) Join your Tableau Server to the new domain

      connect via RDP to your existing running Tableau Server VM

      change the server to use your newly-created DNS server instead of Amazon's default EC2 DNS server

      open the network configuration for IPv4, and instead of "automatically use DNS server" enter the private 10.x.x.x IP address of the DNS server you just created. Windows won't let you add it in both fields, so just leave the second one blank.

      now in a command window type "ipconfig /flushdns" and then "ipconfig /all" - confirm that your server is now using your DNS server.

      confirm DNS name resolution is working by pinging the domain controller by name, i.e. "tabaws.ec2.internal"

      join your Server to the new tabaws.ec2.internal domain - you'll be prompted to enter a domain user account, use the "tabawsrunas" account you created above

      You'll need to reboot the server, once it comes back up you now have 2 machines in the domain, and you're ready to build up a worker and add it!

       

      3) Set up a new VM to be a Tableau Server Worker Node:

      following the same steps as above, launch a new Windows Server AMI instance into the same VPC as your existing Tableau Server and DNS+Domain Controller VMs

      connect via RDP to your existing running Tableau Server VM

      Change the Worker's DNS server + join it to your domain: follow the same steps as you did above when adding your Server to the new domain

      Confirm all 3 VM instances (Server, Domain Controller, Worker) can see each other by opening a command window on each box, then "ping" the other two both my name and by IP address.

      You should now have 3 VM servers total running inside your VPC, all joined to the same domain, using the same DNS server.

      Ready to add the Worker to Tableau Server!

       

      4) Run a standard distributed install to add the Worker to the Server Cluster

      RDP connect to the Tableau Server.

      Perform a standard distributed setup:

      http://onlinehelp.tableausoftware.com/v8.0/server/en-us/distrib_setup.htm

      You're done!

       

      Congratulations - by following this installation walkthrough you've now got your very own Tableau Server up and running in the cloud!

      We hope this guide has been helpful - let us know in the comments if you have any suggestions (or notice any errors), and we'll keep this guide updated.

       


       

      Additional Options:

       

      setting up email subscriptions:

      (note that the AWS mail service requires TLS authentication, which we support in Tableau Server version 8.1 only)

      set up SMTP:

      http://onlinehelp.tableausoftware.com/v8.1/server/en-us/help.htm#email.htm

      http://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-smtp.html

      verify at least 1 email address

      create credentials

      enable TLS authentication (required by AWS)

      You're done!

       


      Future "Tableau Server in AWS" topics:

      So now that we've successfully installed Tableau Server in AWS (either single or distributed) we're up and running in the cloud. But AWS has a lot of other services on offer, and additional "care and feeding" considerations that may or may not be relevant to your business. What would you like to learn more about? A few ideas come to mind for future postings:

       

        • Stopping instances vs. Terminating them: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html
        • Domain design considerations / AD Sync
        • connectivity to internet datasources (VPC config)
        • user tip: use DropBox to get stuff loaded up to your instances. it's VERY fast because DropBox uses AWS for their storage
        • SSL config guide
        • VPN access to VPC from your on-prem systems (hybrid cloud)
        • ELB config (incl. cross-region, cross-availability zone, etc.
        • HA config (incl.using instances in another availability zone / region
        • spot instances
        • reserve instances
        • billing considerations - consolidated billing

       

       

      Anything else you'd like to see discussed? Reply to this thread with your suggestions!

       

       

       

      Message was edited by: Brian Lockhart Changed screenshot for EC2 Dashboard, Security Group settings - now shows the desired default settings for UDP as well (previously not shown).

        1 2 Previous Next