Prerequisites and Considerations - Amazon Managed Blockchain (AMB)

Prerequisites and Considerations

To complete this tutorial, you must have the resources listed in this section. Unless specifically stated otherwise, the requirements apply to both network creators and invited members.

An AWS account

Before you use AMB Access for the first time, you must sign up for an Amazon Web Services (AWS) account.

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account
  1. Open https://portal.aws.amazon.com/billing/signup.

  2. Follow the online instructions.

    Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

    When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

A Linux Client (EC2 Instance)

You must have a Linux computer with access to resources in the VPC to serve as your Hyperledger Fabric client. This computer must have version 1.16.149 or later of the AWS CLI installed. Earlier versions of the AWS CLI do not have the managedblockchain command. We recommend that you use the latest version of the AWS CLI available. For information about updating the AWS CLI, see Update the AWS CLI version 2 on Linux in the AWS Command Line Interface User Guide.

We recommend creating an Amazon Elastic Compute Cloud (Amazon EC2) instance in the same VPC and AWS Region as the VPC endpoint for the Hyperledger Fabric network on AMB Access. This is the setup that the tutorial uses. For instructions to set up a Hyperledger Fabric client using this configuration, see Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client.

An AWS CloudFormation template to create a Hyperledger Fabric client is available in the amazon-managed-blockchain-client-templates repository on Github. For more information, see the readme.md in that repository. For more information about using AWS CloudFormation, see Getting Started in the AWS CloudFormation User Guide.

A VPC

You must have a VPC with an IPv4 CIDR block, and the enableDnsHostnames and enableDnsSupport options must be set to true. If you will connect to the Hyperledger Fabric client using SSH, the VPC must have an internet gateway, and the security group configuration associated with the Hyperledger Framework client must allow inbound SSH access from your SSH client.

Permissions to Create an Interface VPC Endpoint

The IAM principal (user) identity that you are using must have sufficient IAM permissions to create an interface VPC endpoint in your AWS account. For more information, see Controlling Access - Creating and Managing VPC Endpoints in the Amazon VPC User Guide.

EC2 Security Groups That Allow Communication on Required Ports

The EC2 security groups associated with the Hyperledger Fabric client Amazon EC2 instance and the Interface VPC Endpoint that you create during this tutorial must have rules that allow traffic between them for required Hyperledger Fabric services. EC2 security groups are restrictive by default, so you need to create security group rules that allow required access. In addition, a security group associated with the Hyperledger Fabric client Amazon EC2 instance must have an inbound rule that allows SSH traffic (Port 22) from trusted SSH clients.

For the purposes of simplicity in this tutorial, we recommend that you create an EC2 security group that you associate only with the Hyperledger Fabric client Amazon EC2 instance and the Interface VPC Endpoint. Then create an inbound rule that allows all traffic from within the security group. In addition, create another security group to associate with the Hyperledger Fabric client Amazon EC2 instance that allows inbound SSH traffic from trusted clients.

Important

This security group configuration is recommended for this tutorial only. Carefully consider security group settings for your desired security posture. For information about the minimum required rules, see Configuring Security Groups for Amazon Managed Blockchain (AMB) Hyperledger Fabric.

To create a security group that allows traffic between the Hyperledger Fabric client and the interface VPC endpoint for use in this tutorial
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Security groups in the navigation pane, and then choose Create security group.

  3. Enter a Security group name and Description for the security group that helps you find it. For example, HFClientAndEndpoint.

  4. Make sure that the VPC you select is the default VPC for your account. This is the VPC in which Hyperledger Fabric network resources and the interface VPC endpoint are created.

  5. Choose Create.

  6. Select the security group that you just created from the list, choose Inbound, and then choose Edit.

  7. Under Type, select All traffic from the list.

  8. Under Source, leave Custom selected, and then begin typing the name or ID of this same security group—for example, HFClientAndEndpoint—and then select the security group so that its ID appears under Source.

  9. Choose Save.

    You reference this security group later in this tutorial in Step 2: Create and Configure the Interface VPC Endpoint and Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client.

To create a security group for the Hyperledger Fabric client that allows inbound SSH connections from the computer that you are working with
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Security groups in the navigation pane, and then choose Create security group.

  3. Enter a Security group name and Description for the security group that helps you find it. For example, HFClientSSH.

  4. Make sure that the VPC you select is the same VPC that you will select for the interface VPC endpoint.

  5. Choose Inbound, and then choose Add rule.

  6. Under Type, select SSH from the list.

  7. Under Source, select My IP. This adds the detected IP address of your current computer. Optionally, you can create additional rules for SSH connections from additional IP addresses or sources if required.

  8. Choose Create.

    You will reference this security group later in this tutorial in Step 4: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client.

Additional Considerations

  • All commands in the tutorial assume that you are using an Amazon EC2 instance with an Amazon Linux AMI. Unless noted otherwise, instructions also assume that you are running commands in the default home directory (/home/ec2-user). If you have a different configuration, modify instructions to fit your home directory as necessary.

  • Hyperledger Fabric 2.2 requires that a channel ID contain only lowercase ASCII alphanumeric characters, dots (.), and dashes (-). It must start with a letter, and must be fewer than 250 characters.