For a new NC2 on AWS deployment where workload VMs have low storage and memory requirements but high CPU frequency ( > 3.0 GHz) requirements, and the goal is to minimize the number of CPU cores to reduce application licensing costs, thei3.metalinstance type is the most suitable.

i3.metal:

High CPU Frequency: i3.metal instances offer high-frequency Intel Xeon processors (up to 3.1 GHz) which meet the high CPU frequency requirement.

Low Storage and Memory: These instances come with a balanced amount of storage and memory, suitable for workloads with low requirements in these areas.

Minimized CPU Cores: i3.metal instances have fewer CPU cores compared to other high-frequency instances like i4i.metal, making them ideal for minimizing application licensing costs.

Other Instance Types:

z1d.metal: While also offering high CPU frequency, these instances typically come with a higher core count and more memory, which may not be optimal for minimizing licensing costs.

i4i.metal: Designed for I/O intensive applications with higher core counts.

m5d.metal: Balanced instance type but with more cores and not as high CPU frequency as required.

AWS EC2 Instance Types Documentation

Nutanix Cloud Clusters on AWS Administration Guide

Nutanix Best Practices for Instance Selection

Multi-Cloud Snapshot Technology (MST) allows Nutanix clusters to protect data by taking snapshots directly to cloud object storage, such as Amazon S3.

When an administrator initiates a recovery from these snapshots, the process is managed throughPrism Central (PC), which serves as the orchestration layer for disaster recovery. Specifically, the execution and progress of the recovery are tracked under theRecovery Planssection within the Data Protection menu. Recovery Plans define the order of VM power-ons, IP address changes, and script executions. By monitoring this section, administrators can verify the status of each step, ensure that the RTO (Recovery Time Objective) is being met, and troubleshoot any failures during the restoration of workloads from the cloud snapshots.

TheCluster Protectfeature is the native Nutanix solution designed specifically for NC2 on AWS to protect both the cluster data and thePrism Centralmanagement instance. Unlike standard replication, Cluster Protect utilizesAmazon S3 bucketsto store snapshots of the cluster configuration, Prism Central metadata, and User VM data. This is considered the " best way " for native protection because the entire recovery workflow is orchestrated directly from theNC2 console. If a cluster or an entire Availability Zone fails, the administrator can use the NC2 portal to redeploy the cluster and restore the Prism Central instance and data from the S3 bucket, eliminating the need for third-party backup software while maintaining a simple cloud-native recovery path.

When a " boot timeout " alert occurs during a cluster expansion, it often indicates that the NC2 console requested a new instance from AWS, but the instance failed to reach a " healthy " state within the allotted time. While networking can be a factor, common " hard " stops at the AWS API level includeService QuotasandInstance Limits. AWS accounts have default limits on the number of bare-metal instances (like i3.metal or i4i.metal) that can be active in a single region. If the expansion request exceeds thevCPU quotaor the specificinstance type limit, AWS will deny the request or fail to provision the hardware. Administrators must verify these quotas in the AWS Service Quotas console and request an increase to support the additional nodes required for the Nutanix cluster.

A standard NC2 deployment typically requires a management subnet and a public subnet for basic internet and console access. However, when moving to aFlow-based deployment(using Flow Virtual Networking), the architecture becomes more complex, requiringManagementandFlow Virtual Networksubnets specifically tailored for the overlay. TheManagement subnetis used for the bare-metal hosts and CVMs to communicate with the NC2 portal and Prism Central. TheFlow Virtual Network subnet(often the Transit VPC subnet) is required to host the distributed gateways that manage encapsulated Geneve traffic. These subnets are essential for segregating the management traffic from the virtualized workload traffic, ensuring that the software-defined overlay has a dedicated and secure path through the AWS VPC infrastructure.

When creating an NC2 cluster in AWS, the account used to run the CloudFormation script requires specific permissions to ensure the deployment is successful. The required permissions are:

IAMFullAccess: Provides full access to IAM resources.

AmazonEC2FullAccess: Allows full access to EC2 resources.

AWSCIoudFormationFullAccess: Grants full access to manage AWS CloudFormation stacks.

These permissions are necessary to create, manage, and deploy the required AWS resources for the NC2 cluster.

Nutanix Support and Insights

AWS IAM Documentation

To ensure that every NC2 on AWS cluster deployed allows full access from the on-premises CVM subnet efficiently, the administrator should create a custom AWS Network Security Group.

Use a key value oftag:nutanix:clusters:externalfor the security group, and set the inbound allow address to the on-premises subnet.

This approach leverages AWS tags to manage security group rules dynamically and ensures that the necessary access permissions are applied automatically to all clusters with the specified tag.

This method reduces the need for manual configuration of each cluster ' s security group, streamlining the process for a test/dev environment where clusters are frequently created and destroyed.

Refer to the AWS documentation on Network Security Groups and Nutanix documentation on best practices for securing NC2 clusters.

To add an AWS account to the NC2 console, an AWS IAM user needs to be configured with the appropriate permissions to manage the EC2 resources. The required permission for the IAM user includes full access to manage EC2 instances, volumes, and related resources.

AmazonEC2FullAccess:

This permission grants full access to all EC2 resources, including the ability to create, modify, and delete instances, volumes, security groups, and more.

Essential for NC2 operations to manage the lifecycle of EC2 instances and associated components within the AWS environment.

Why Not Other Permissions:

IAMFullAccess: Grants full access to IAM resources but not specifically needed for EC2 operations.

IAMReadOnlyAccess: Only provides read access to IAM resources, insufficient for managing EC2 instances.

AmazonEC2ReadOnlyAccess: Provides read-only access to EC2 resources, insufficient for creating or modifying instances and other resources.

AWS IAM Policies Documentation

Nutanix Cloud Clusters on AWS Administration Guide

Nutanix Best Practices for IAM User Permissions

To provide VMs with outbound internet connectivity in AWS using a private subnet, the administrator needs to create the following components in the VPC:

Private Subnet: A private subnet is required to house the VMs that need outbound internet access but do not require direct inbound access from the internet.

NAT Gateway: A NAT (Network Address Translation) Gateway is necessary to allow instances in the private subnet to connect to the internet or other AWS services while preventing the internet from initiating a connection with those instances.

Public EIP (Elastic IP Address): An EIP is associated with the NAT Gateway to provide a persistent public IP address that allows outbound internet traffic from the private subnet to be routed correctly.

Route Table: A route table is configured to route traffic from the private subnet to the NAT Gateway for outbound internet access.

AWS NAT Gateway Documentation

AWS VPC Subnet Basics

To manually create an AWS VPC with Public access to Prism Element for testing purposes, the following components must be created:

VPC: A Virtual Private Cloud to provide an isolated network for the resources.

Delegated Subnets: Subnets within the VPC to segment the network and allocate IP ranges.

Route Tables: To define routing rules for the subnets to ensure proper traffic flow.

NAT Gateway: To enable instances in the private subnets to access the internet.

Internet Gateway: To allow direct internet access to instances in the public subnets.

Load Balancer: To distribute traffic across multiple instances for improved availability and redundancy.

Refer to the AWS documentation on VPC creation and Nutanix documentation on network setup for Prism Element access.