In my previous post, Blockchain on AWS (https://dev.to/aws-builders/blockchain-on-aws-i6o), we discussed the various services AWS provides for working with blockchain technology. In this article we will explore how to use AWS Blockchain Templates to configure and create blockchain-based networks.
AWS Blockchain Templates
Using popular open source frameworks, AWS Blockchain Templates makes it quick and easy to develop and deploy secure Blockchain networks. Instead of wasting time and resources manually setting up your Blockchain network, you can focus on building your Blockchain apps with these templates.
The Blockchain framework you pick is deployed as containers on an Amazon Elastic Container Service (ECS) cluster or directly on an EC2 host running Docker. You may leverage your VPC subnets and network Access Control Lists to build your blockchain network on your own Amazon VPC.
AWS offers two different templates: Blockchain for Ethereum and Blockchain for Hyperledger Fabric.
We will use AWS Blockchain Template for Ethereum to create a private Ethereum network on AWS through AWS CloudFormation. The network that we will create has two Ethereum clients and one miner running on Amazon EC2 instances in an Amazon ECS cluster. Amazon ECS runs these services in Docker containers pulled from Amazon ECR.
Before proceeding, as a prerequisite, set up an IAM user and create a key pair. For help, refer to https://docs.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-templates-setting-up.html
After the prerequisites are met, the next steps are:
- Create a VPC and subnets
- Create security groups
- Create an IAM Role for Amazon ECS and an EC2 Instance Profile
- Create bastion host
Now we will walk through each step in detail:
Creating a VPC and subnets
- First we will create an Elastic IP address to be used for VPC creation.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- Choose Elastic IPs, Allocate new address, Allocate
- Make a note of the Elastic IP address that you create and choose Close.
- In the list of Elastic IP addresses, find the Allocation ID for the Elastic IP address created earlier. We use this when we create the VPC.
- For the VPC, select the same Region in which you created your key pair and where you are launching the Ethereum stack.
- To create a VPC, on the VPC dashboard choose Launch VPC Wizard.
- On the Select a VPC Configuration page, choose VPC with Public and Private Subnets. Click Select.
- Enter a VPC name and names for the public and private subnets, and select the Elastic IP allocation ID created earlier. Click Create VPC.
- To create a second subnet, choose Subnets and then select the public subnet that you created earlier from the list. Select the Route Table tab and note the Route table ID. We specify this same route table for the second public subnet we will create.
- Choose Create Subnet, choose a different Availability Zone, enter a name, and click Create subnet.
- With the subnet selected from the list, choose Subnet Actions, Modify auto-assign IP settings. Select Auto-assign IPs, Save, Close. This allows the bastion host to obtain a public IP address when you create it in this subnet.
- On the Route Table tab, choose Edit. For Change to, select the route table ID that you noted earlier and choose Save.
Creating Security groups
We need to create two security groups: one for the EC2 instances and one for the load balancer.
- Open the EC2 console, choose Security Groups, Create Security Group, enter a name for the security group for the EC2 instances, and select the VPC we created earlier.
- Repeat the same step to create one more security group for the load balancer.
- Add inbound rules to the security group for EC2 instances
- Select the EC2 instance security group
- On the Inbound tab, choose Edit. For Type, choose All traffic. For Source, leave Custom selected, and then choose the security group you are currently editing from the list.
- Add one more rule. For Type, choose All traffic. For Source, leave Custom selected, and then choose the security group we created for the load balancer.
- Add inbound and edit outbound rules for the security group for the Application Load Balancer
- Select the Application Load Balancer security group
- On the Inbound tab, choose Edit. For Type, choose All traffic. For Source, leave Custom selected, and then choose the security group you are currently editing from the list.
- Add one more rule. For Type, choose All traffic. For Source, leave Custom selected, and then choose the security group we created for the EC2 instances.
- Add one more rule. For Type, choose SSH. For Source, select My IP, which detects your computer's IP CIDR and enters it.
- On the Outbound tab, choose Edit and delete the rule that was automatically created to allow outbound traffic to all IP addresses.
- Add one more rule. For Type, choose All traffic. For Source, leave Custom selected, and then choose the security group you are currently editing from the list.
- Add one more rule. For Type, choose All traffic. For Source, leave Custom selected, and then choose the security group we created for the EC2 instances.
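The security group rules above can be checked once they exist. The following is an added example, not part of the original article or of AWS's documentation: it audits data shaped like the JSON output of aws ec2 describe-security-groups and reports anything the two groups allow beyond the rules listed in the steps above. The group IDs, addresses, and helper names are constructed placeholders.

```python
import ipaddress

OPEN = {"0.0.0.0/0", "::/0"}

def audit(described, ec2_sg, alb_sg):
    """Audit data shaped like `aws ec2 describe-security-groups` JSON output."""
    by_id = {g["GroupId"]: g for g in described["SecurityGroups"]}
    findings = []
    # The steps leave the EC2 group's default egress rule in place, so only its
    # ingress is checked; the load balancer group is checked in both directions.
    checks = [(ec2_sg, "IpPermissions"), (alb_sg, "IpPermissions"),
              (alb_sg, "IpPermissionsEgress")]
    for sg_id, key in checks:
        for perm in by_id[sg_id].get(key, []):
            # Only the load balancer group may take SSH from a CIDR ("My IP").
            ssh_in = (sg_id == alb_sg and key == "IpPermissions"
                      and perm.get("IpProtocol") == "tcp"
                      and perm.get("FromPort") == 22 and perm.get("ToPort") == 22)
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in (ec2_sg, alb_sg):
                    findings.append(f"{sg_id} {key}: unexpected group {pair['GroupId']}")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in OPEN:
                    findings.append(f"{sg_id} {key}: open to {cidr}")
                elif not ssh_in:
                    findings.append(f"{sg_id} {key}: unexpected CIDR {cidr}")
                elif ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
                    findings.append(f"{sg_id} {key}: SSH source {cidr} wider than one address")
    return findings

# Constructed sample data: IDs and addresses are placeholders, not from the article.
EC2, ALB = "sg-ec2-example", "sg-alb-example"
def from_groups(*ids):
    return {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": i} for i in ids]}
def ssh_from(cidr):
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": cidr}]}
ANY = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
EC2_GROUP = {"GroupId": EC2, "IpPermissions": [from_groups(EC2, ALB)], "IpPermissionsEgress": [ANY]}
AS_WRITTEN = {"SecurityGroups": [EC2_GROUP, {
    "GroupId": ALB, "IpPermissions": [from_groups(ALB, EC2), ssh_from("203.0.113.10/32")],
    "IpPermissionsEgress": [from_groups(ALB, EC2)]}]}
DRIFTED = {"SecurityGroups": [EC2_GROUP, {
    "GroupId": ALB, "IpPermissions": [from_groups(ALB, EC2), ssh_from("0.0.0.0/0")],
    "IpPermissionsEgress": [ANY, from_groups(ALB, EC2)]}]}

if __name__ == "__main__":
    print(audit(AS_WRITTEN, EC2, ALB), audit(DRIFTED, EC2, ALB), sep="\n")
```

AS_WRITTEN mirrors the rules as the steps describe them and produces no findings; DRIFTED shows the two most common deviations, SSH left open to any address and the default outbound rule never deleted from the load balancer group.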
By this time, you are already half done :)
Creating an IAM Role for Amazon ECS and an EC2 Instance Profile
- Open the IAM console at https://console.aws.amazon.com/iam/.
- Choose Roles, select Elastic Container Service as the service, enter a name, and choose Create role.
- Select the role that you just created from the list. If your account has many roles, you can search for the role name.
- Copy the Role ARN value and save it so that you can copy it again. You need this ARN when you create the Ethereum network.
- To create an EC2 instance profile:
- In the navigation pane, choose Policies, then Create policy. Enter a policy name and choose Create policy.
- Choose Roles, then choose EC2. In the Search field, enter the name of the permissions policy that you created earlier.
- Select the check mark for the policy that you created earlier, and choose Next: Review
- For Role name, enter a value that helps you identify the role
- Select the role that you just created from the list, copy the Instance Profile ARN value, and save it.
Creating a Bastion Host
To be able to access the Ethereum network, trusted clients need to be set up to connect through the bastion host. For more information, see Connect to EthStats and EthExplorer Using the Bastion Host. A bastion host is one approach. You can use any approach that provides access from trusted clients to private resources within a VPC.
- Create an EC2 Linux instance (for help, refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance).
- Choose Edit Instance Details. For Network, choose the VPC you created earlier, for Subnet select the second public subnet that you created earlier. Leave all other settings to their defaults.
- Confirm the change when prompted, and then choose Review and Launch.
- Choose Edit Security Groups. For Assign a security group, choose Select an existing security group.
- From the list of security groups, select the security group for the Application Load Balancer that you created earlier, and then choose Review and Launch.
- Choose Launch.
- Note the instance ID. You need it later when you Connect to EthStats and EthExplorer Using the Bastion Host.
And the final stage is here:
Creating the Ethereum Network
- See Getting Started with AWS Blockchain Templates, and open the latest AWS Blockchain Template for Ethereum in the AWS CloudFormation console using the quick-links for your AWS Region.
- Choose Create stack and enter a name for the stack.
- Under EC2 configuration, select options according to the following guidelines:
- For EC2 Key Pair, select a key pair.
- For EC2 Security Group, select the security group you created earlier in Create Security Groups.
- For EC2 Instance Profile ARN, enter the ARN of the instance profile that you created earlier in Create an IAM Role for Amazon ECS and an EC2 Instance Profile.
- Under VPC network configuration, select options according to the following guidelines:
- For VPC ID, select the VPC that you created earlier in Create a VPC and Subnets.
- For Ethereum Network Subnet IDs, select the single private subnet that you created earlier in the procedure To create the VPC.
- Under ECS cluster configuration, leave the defaults. This creates an ECS cluster of three EC2 instances.
- Under Application Load Balancer configuration (ECS only), select options according to the following guidelines:
- For Application Load Balancer Subnet IDs, select two public subnets from the list of subnets that you noted earlier
- For Application Load Balancer Security Group, select the security group for the Application Load Balancer that you created earlier in Create Security Groups
- For IAM Role, enter the ARN of the ECS role that you created earlier in Create an IAM Role for Amazon ECS and an EC2 Instance Profile
- Under EthStats, select options according to the following guidelines:
- For Deploy EthStats, leave the default setting, which is true.
- For EthStats Connection Secret, type an arbitrary value that is at least six characters.
- Under EthExplorer, leave the default setting for Deploy EthExplorer, which is true.
- Under Other parameters, leave the default value for Nested Template S3 URL Prefix and make a note of it. This is where you can find nested templates.
- Choose Create Stack
- When all stacks show CREATE_COMPLETE for Status, you can connect to Ethereum user interfaces to verify that the network is running and accessible. When you use the ECS container platform, URLs for connecting to EthStats, EthExplorer, and EthJsonRPC through the Application Load Balancer are available on the Outputs tab of the root stack.
- The Outputs tab of the root stack provides links to services running on the Application Load Balancer. These URLs are not directly accessible for security reasons. To connect, you can set up and use a bastion host to proxy connections to them.
After completing this tutorial, don't forget to clean up your AWS resources. You can use AWS CloudFormation to delete all resources. For more details, see https://docs.aws.amazon.com/blockchain-templates/latest/developerguide/blockchain-templates-cleanup.html
Top comments (5)
Thanks for sharing this! I had no idea this was possible on AWS nowadays - I only knew about Azure's EBaaS. I'm sure I'll definitely find myself using this quite a bit.
Glad it was helpful :)
I wish I wouldn't have sold my Ethereum quite so soon... 😆
I wish the same for DOGE 😆
Can you please help me with the deployment of smart contract to this blockchain? I couldn't find any resource related to this.