
Deploying OpCenter without a public IP address in AWS

Organizations with stringent security policies may require that OpCenters do not have public IPv4 addresses. In such cases, you must deploy an alternative method of reaching the OpCenter from a remote network. One solution is to use a VPN tunnel that extends your on-premises network into the dedicated VPC so that all network traffic stays within your private network. In this case, you must access the OpCenter from inside your organization's private network.

A less stringent solution uses a bastion host and a NAT gateway (as shown in the figure).

OpCenter without public IP address

In the solution shown, only the bastion host accepts incoming connections from the public Internet, so restrict its security group to allow ssh (TCP port 22) only from your organization's IP ranges. After you ssh into the bastion host, you can ssh into the OpCenter using its address in the private IP address space of the VPC. Once you have a terminal session on the OpCenter, you can run float CLI commands that reach the public Internet (for example, to assign a license to the OpCenter) or submit jobs. Worker nodes can also reach resources across the public Internet, for example, GitHub.

Note

In this configuration, the OpCenter and worker nodes cannot receive incoming connect requests from the public Internet. By sending traffic to the NAT gateway, the OpCenter and worker nodes can initiate outgoing connections to destinations across the public Internet. AWS charges an hourly rate for the NAT gateway and an additional data processing fee for every GB of data that passes through the NAT gateway.

For demonstration purposes, you can use the dedicated VPC you deploy using the procedure described in Deploying OpCenter in a Dedicated VPC in AWS. You can deploy your own bastion host in one of the VPC's public subnets, or simply use the OpCenter you deploy in a public subnet (as part of the procedure described in Deploy OpCenter in the Dedicated VPC) as the bastion host.

To demonstrate how to use a bastion host to access an OpCenter in a private subnet, complete the following steps.

  • Deploy a bastion host in a public subnet in your dedicated VPC
  • Deploy an OpCenter in a private subnet in your dedicated VPC by following the procedure described in Deploy OpCenter in the Dedicated VPC, with the following differences:

    • SubnetId (item 22 in that procedure): From the pull-down menu, select a private subnet
    • PublicService (item 31): Select False to assign a private IP address (only) to the OpCenter
  • Use sftp to upload the key pair you selected for KeyName (item 14) to the bastion host. Copying a private key onto an Internet-facing host widens its exposure; if your ssh client supports the ProxyJump option, you can instead jump through the bastion host from your workstation and keep the key there.

  • Create a NAT gateway in a public subnet in your dedicated VPC by completing the following steps

    • Go to the VPC dashboard and select Virtual private cloud -> NAT gateways from the left-hand panel
    • Click Create NAT gateway (top, right-hand side), then fill in the form

      OpCenter without public IP address

  • Modify the route table in the private subnet where the OpCenter is deployed so that all outbound traffic to the public Internet is sent to the NAT gateway by completing the following steps

    • Go to the VPC dashboard and select Virtual private cloud -> Subnets from the left-hand panel
    • From the list of subnets, click the private subnet where you deploy the OpCenter
    • On the right-hand side, click the route table ID

      Edit subnet route table

    • Under Actions, use the pull-down menu to select Edit routes

      Edit subnet route table

    • Edit the route table so that the route with destination 0.0.0.0/0 targets the NAT gateway (leave the local route for the VPC CIDR in place), then click Save changes

      Edit subnet route table
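After you save the route table, you can verify the two properties this procedure relies on without clicking through the console again. The script below is an added example, not MemVerge documentation or product code: it parses the JSON printed by `aws ec2 describe-route-tables` and `aws ec2 describe-instances`, confirms that the private subnet's 0.0.0.0/0 route targets a NAT gateway (not an internet gateway, and not a blackhole left by a deleted NAT gateway), and confirms that no instance in that subnet carries a public IPv4 address. The embedded documents are constructed samples; the subnet, instance, and gateway IDs in them are placeholders, and the file names in the usage comment are assumptions.

```python
"""Audit the egress path of an OpCenter private subnet (added example).

Reads the JSON that `aws ec2 describe-route-tables` and
`aws ec2 describe-instances` print and checks that
  1. the route table serving the subnet sends 0.0.0.0/0 to an active NAT
     gateway (nat-...), not to an internet gateway (igw-...);
  2. no instance in the subnet has a public IPv4 address.
The samples below are constructed; every ID is a placeholder.
"""
import json
import sys
from typing import List, Optional, Tuple

SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-0private",
   "Associations": [{"SubnetId": "subnet-0private", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
  {"RouteTableId": "rtb-0public",
   "Associations": [{"SubnetId": "subnet-0public", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]}
]}
""")

SAMPLE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0opcenter", "SubnetId": "subnet-0private", "PrivateIpAddress": "10.0.2.15"},
  {"InstanceId": "i-0bastion", "SubnetId": "subnet-0public", "PrivateIpAddress": "10.0.1.10",
   "PublicIpAddress": "203.0.113.10"}
]}]}
""")


def route_table_for_subnet(route_tables: dict, subnet_id: str) -> Optional[dict]:
    """Return the table explicitly associated with the subnet, else the VPC's main table."""
    main = None
    for table in route_tables.get("RouteTables", []):
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(table: dict) -> Optional[Tuple[str, str]]:
    """Classify the 0.0.0.0/0 route as ('nat'|'igw'|'blackhole'|'other', target id)."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = route.get("NatGatewayId") or route.get("GatewayId") or route.get("TransitGatewayId", "")
        if route.get("State") != "active":   # e.g. "blackhole" after the NAT gateway was deleted
            return ("blackhole", target)
        if target.startswith("nat-"):
            return ("nat", target)
        if target.startswith("igw-"):
            return ("igw", target)
        return ("other", target)
    return None


def check_subnet_egress(route_tables: dict, subnet_id: str) -> List[str]:
    """Check 1; an empty list means the subnet egresses only through a NAT gateway."""
    table = route_table_for_subnet(route_tables, subnet_id)
    if table is None:
        return [f"{subnet_id}: no route table found"]
    rtb = table["RouteTableId"]
    target = default_route_target(table)
    if target is None:
        return [f"{rtb}: no 0.0.0.0/0 route, so the OpCenter cannot reach the license server or GitHub"]
    kind, target_id = target
    if kind == "igw":
        return [f"{rtb}: 0.0.0.0/0 targets internet gateway {target_id}; {subnet_id} is effectively public"]
    if kind == "blackhole":
        return [f"{rtb}: 0.0.0.0/0 route to {target_id} is not active (NAT gateway deleted?)"]
    if kind != "nat":
        return [f"{rtb}: 0.0.0.0/0 targets {target_id}, which is not a NAT gateway"]
    return []


def check_no_public_ip(instances: dict, subnet_id: str) -> List[str]:
    """Check 2: instances in the subnet that carry a public IPv4 address."""
    findings = []
    for reservation in instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("SubnetId") == subnet_id and inst.get("PublicIpAddress"):
                findings.append(f"{inst['InstanceId']} in {subnet_id} has public IP {inst['PublicIpAddress']}")
    return findings


def audit(route_tables: dict, instances: dict, subnet_id: str) -> List[str]:
    return check_subnet_egress(route_tables, subnet_id) + check_no_public_ip(instances, subnet_id)


if __name__ == "__main__":
    # Usage (file names are assumptions): python audit_egress.py SUBNET_ID routes.json instances.json
    # where the files hold the output of `aws ec2 describe-route-tables` and
    # `aws ec2 describe-instances`; with no arguments the constructed samples are audited.
    if len(sys.argv) == 4:
        subnet = sys.argv[1]
        with open(sys.argv[2]) as f:
            routes = json.load(f)
        with open(sys.argv[3]) as f:
            insts = json.load(f)
    else:
        subnet, routes, insts = "subnet-0private", SAMPLE_ROUTE_TABLES, SAMPLE_INSTANCES
    problems = audit(routes, insts, subnet)
    print("\n".join(problems) if problems else f"{subnet}: NAT-only egress, no public IPs")
    sys.exit(1 if problems else 0)
```

Run against the constructed samples, the private subnet passes and the public subnet produces two findings (an internet-gateway default route and a bastion with a public address), which is exactly the split the figure above describes. The blackhole case matters in practice: deleting a NAT gateway to save its hourly charge leaves the route in place but inactive, and the OpCenter silently loses its outbound path.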

Run a multi-region "Hello World" job

To check the configuration, run a simple "Hello World" job that tests the following.

  • Resources across the public Internet are reachable from the OpCenter and from a worker node deployed in a private subnet
  • Access to S3 does not use the public Internet

Complete the following steps.

  • Use ssh to open a terminal session on the bastion host, for example,

    ssh -i "FILENAME.pem" USERNAME@BASTION_HOST_PUBLIC_IP
    

    Replace:

    • FILENAME.pem with the name of the pem file for the bastion host
    • USERNAME with a username to access the bastion host
    • BASTION_HOST_PUBLIC_IP with the public IPv4 address of the bastion host
  • From the terminal session on the bastion host, use ssh to open a terminal session on the OpCenter running in the private subnet, for example,

    ssh -i "FNAME.pem" mmc@OPCENTER_PRIVATE_IP
    

    Replace:

    • FNAME.pem with the pem file to access the OpCenter
    • OPCENTER_PRIVATE_IP with the private IPv4 address of the OpCenter
  • From the terminal session on the OpCenter, use the float CLI to complete the following tasks

    • Log in to the OpCenter (the command below uses the admin password as shipped; if you changed it after deployment, use your current password instead)

      float login -u admin -p memverge -a OPCENTER_PRIVATE_IP
      

      Replace:

      • OPCENTER_PRIVATE_IP with the private IPv4 address of the OpCenter
    • Apply the license

      float license acquire -A LICENSE_SVR_UNAME -P LICENSE_SVR_PW
      

      Replace:

      • LICENSE_SVR_UNAME with the username for accessing the MemVerge license server
      • LICENSE_SVR_PW with the password for accessing the MemVerge license server

      Note

      The license server is reached across the public Internet, so this command also confirms that the OpCenter's outbound path through the NAT gateway works.

    • Load a generic linux image, for example,

      float image add rockylinux quay.io/rockylinux/rockylinux:8
      
    • Run a "Hello World" job, for example,

      float submit -i rockylinux -j hellow.sh -c 2 -m 4 --dataVolume [size=10]:/data --noPublicIP --subnet PRIVATE_SUBNET_ID
      

      Replace:

      • PRIVATE_SUBNET_ID with the ID of the private subnet where the OpCenter is running
      • hellow.sh with the following shell script (replace ACCOUNT_ID with your AWS account ID and MRAP_ALIAS with the alias of your S3 Multi-Region Access Point; the script works in /data, the mount point given by --dataVolume)
      #!/usr/bin/bash
      # hellow.sh runs inside the worker container; float passes the log directory as $1
      # use the aws cli tools bundled in the image
      export PATH=/opt/aws/dist:$PATH
      LOG_PATH=$1
      LOG_FILE=$LOG_PATH/output
      touch "$LOG_FILE"
      # send all further output to the job log so that "float log cat output" shows it
      exec >"$LOG_FILE" 2>&1
      echo "Congratulations! You have submitted your first private subnet OpCenter job"
      # work in the data volume mounted by --dataVolume [size=10]:/data
      cd /data || exit 1
      echo "Hello World" >test5.file
      echo "Job complete" >> test5.file
      # round trip through the multi-region access point: upload, list, download
      MRAP=arn:aws:s3::ACCOUNT_ID:accesspoint/MRAP_ALIAS.mrap
      aws s3 cp test5.file s3://$MRAP
      aws s3 ls s3://$MRAP
      aws s3api get-object --bucket $MRAP --key test5.file home1.file
      ls *.*
      # Test reachability across the public Internet (through the NAT gateway)
      /usr/bin/ping 8.8.8.8 -c 5
      echo "Job complete"
      
    • After the job completes, check the output (replace JOB_ID with the ID for the Hello World job)

      $ float log cat output -j JOB_ID
      Congratulations! You have submitted your first private subnet OpCenter job
      upload: ./test5.file to s3://arn:aws:s3::xxx:accesspoint/yyy.mrap/test5.file
      2025-10-05 21:28:47         25 test5.file
      {
          "AcceptRanges": "bytes",
          "LastModified": "2025-10-05T21:28:47+00:00",
          "ContentLength": 25,
          "ETag": "\"7cf53ce5e3e6802a32375b008e45dd91\"",
          "ContentType": "binary/octet-stream",
          "ServerSideEncryption": "AES256",
          "Metadata": {}
      }
      home1.file
      test5.file
      PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=1.37 ms
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=0.656 ms
      64 bytes from 8.8.8.8: icmp_seq=3 ttl=113 time=0.683 ms
      64 bytes from 8.8.8.8: icmp_seq=4 ttl=113 time=0.701 ms
      64 bytes from 8.8.8.8: icmp_seq=5 ttl=113 time=1.18 ms
      
      --- 8.8.8.8 ping statistics ---
      5 packets transmitted, 5 received, 0% packet loss, time 4097ms
      rtt min/avg/max/mdev = 0.656/0.917/1.373/0.299 ms
      Job complete