Free?!?!

Yes free (for 12 months), but in order to stay within Amazon's Free Tier limitations this is only useful for:

  • Very small (<= 50) to small (<= 250) churches by average weekly attendees
  • Demo sites to train staff on (clean build is easily refreshed after a training session)
  • Testing new code or ideas with limited data-sets
  • Churches considering RockRMS from their current ChMS that need to really kick the tires and discover how best to import their current data into RockRMS
  • Churches that either do not have a 501c3 status or do not prefer to go through any not-for-profit programs offered by other large technology companies

    Note: this is a lengthy dive into the hows and whys behind using Amazon's cloud services to host your RockRMS install or demo site. This can take a relatively experienced person a half day to fully set up (3-5 hrs). At the end of the 12-month free tier period you will incur month-to-month costs; researching and purchasing a reserved instance will save you money (think of it as pre-purchasing for the next 1, 2, 3 years).

Our heart is for the small yet big "C" church and we plan to lower this barrier to entry significantly in the future by offering several CloudFormation configurations (think turnkey templates) that others can build off of to get started much faster with RockRMS. Our future plan is to get a start-to-finish cloud hosted solution with AWS down to 15-30 minutes with little technical knowledge needed.

Prerequisites

  • Create/have a user and login to www.rockrms.com
  • Download install helper script: https://www.rockrms.com/GetStarted
    (this .zip and unpacked .aspx script will be copied onto the Virtual RDP server once configured to build the database for RockRMS)  
  • Create an AWS account and login to https://aws.amazon.com
    Note: A valid Amazon account that you have today works just fine, no need to create a new one. But it is likely best to use an email account from your church's domain as each year you'll have to move this free tier setup to a new user account/email.
  • Ensure that you have access to your church's website domain and DNS settings.
    This is so that you can setup AWS's free SSL wildcard certificate and set the new RockRMS install internal and external sites with new sub-domains as you see fit.

    Big thanks to our main narrator Michael Wolski!! This humble AWS Certified database ninja moonlights as our church's AVL Ministry Leader. Without him Harvest Bible Chapel Pittsburgh North wouldn't have ever dreamed of being able to pursue such an amazing system to bring people to the love of Christ!!

Amazon AWS Setup

Part 1 - Create the VPC (Virtual Private Cloud)

RockRMS_AWS DemoSiteInstall_Part1 from Harvest Pittsburgh North on Vimeo.


  1. After you've logged into/created your Amazon account and gone to https://aws.amazon.com
    In the top header go to the "Services" drop-down next to the AWS logo
    AWS_How-to_Part1-VPC_Step1a.JPG

  2. In the search bar type "VPC" and select the first result "VPC Isolated Cloud Resources"
    [Video Timestamp - Part 1 - 0:03:33]

    This loads the VPC Dashboard where we will build our virtual machine from scratch

  3. Choose the region that your service will be run from (locale and population density should be considered)
    [Video Timestamp - Part 1 - 0:03:55]

    P1-3A: Make this selection from the drop-down by your user name
    AWS_How-to_Part1-VPC_Step3.JPG

  4. Delete pre-setup VPC Subnets (we will be building these manually)
    [Video Timestamp - Part 1 - 0:06:45]

    P1-4A: Go-to "Your VPCs" in the left-hand navigation
    Note: By default Amazon provides some generic CIDR block range which is your network address space; by default Amazon sets this in the 172.x.x.x address space. You can use these defaults, however it is a much larger network space than is necessary to host a small RockRMS install.
    P1-4B: Select/Check the default VPC that Amazon has provided
    P1-4C: Go-to the Actions menu and select "Delete VPC" to delete the default VPC that Amazon creates initially
    P1-4D: Select the "I acknowledge" check box and then click the "Delete VPC" button in the bottom right corner of the confirmation dialog
    AWS_How-to_Part1-VPC_Step3c.JPG AWS_How-to_Part1-VPC_Step3d.JPG

  5. Create your VPC
    [Video Timestamp - Part 1 - 0:07:30]

    P1-5A: Click on either "Create VPC" buttons at the top or center of the "Your VPCs" page
    AWS_How-to_Part1-VPC_Step5a.JPG
    P1-5B: Enter a Name Tag for your VPC
    P1-5C: Enter an IPv4 CIDR block range (we are using the 10.0.0.0/26 address space)
        Note: Your CIDR block range can be anywhere from 16-28. The higher the number the smaller the size of address space you have
        We chose a /26 which will give us 64 addresses; of which we really only need 2. The lower the number the larger or more address space you will have. Keep this in mind if you want more space to add in redundancy later on. However this isn't needed for a small build.
    P1-5D: Set the Tenancy to "Default"
        Note: Switching this to "Dedicated" will require an additional cost
    P1-5E: Click "Create" to setup your VPC
    P1-5F: Once created, click the "Close" button
    AWS_How-to_Part1-VPC_Step5b-e.JPG

  6. Create Subnets (Networking)
    [Video Timestamp - Part 1 - 0:09:00]

    We setup the block of 64 addresses that we now want to carve up into 4 different subnets
    We will be setting up 2 database subnets, and 2 web subnets
    [Video Timestamp - Part 1 - 0:09:24 - 0:09:50 technical background on carving out subnets; not necessarily important to this simple setup]
    Note: For failover purposes you could set up 6 subnets and set 2 aside for the load balancer. For our purposes this is unnecessary at this point. If you wanted to go this direction you would want a smaller initial CIDR prefix number (a larger block) to allow for more address space.
    P1-6A: Click on either "Create subnet" buttons at the top or center of the "Your Subnets" page
    [Video Timestamp - Part 1 - 0:10:00]
    AWS_How-to_Part1-VPC_Step6a.JPG
    P1-6B: Add a Name Tag to the first subnet being created, select the VPC that was initially created
    Note: You will be creating 2 web subnets and 2 db subnets

    P1-6C: Select "2a" from the availability zone
    P1-6D: Fill in the CIDR block range as "10.0.0.0/28", this will give you a 16 IP subnet range to work with (10.0.0.0-10.0.0.15)
    P1-6E: Click "Create" to setup your first Subnet
    P1-6F: Once created, click the "Close" button
    AWS_How-to_Part1-VPC_Step6b-e.JPG
    P1-6G: Create 3 more subnets for the remaining web and 2 remaining db subnets needed, carving up all of the remaining available address space of the VPC CIDR block using the previous process...
    Create the following additional subnets: (IMPORTANT! the next subnet must start at the beginning of the next IP range being created)
    - Web 2, 2b, 10.0.0.16/28 creates this range (10.0.0.16-10.0.0.31)
    - db1, 2a, 10.0.0.32/28 creates this range (10.0.0.32-10.0.0.47)
    - db2, 2b, 10.0.0.48/28 creates this range (10.0.0.48-10.0.0.63)
    Note: Amazon keeps some of the IPs within each range in reserve so only a portion of the 16 in each subnet will be available.
    AWS_How-to_Part1-VPC_Step6f-g.JPG
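
The subnet plan from steps 5 and 6 can be checked before it is typed into the console. The script below is an added example, not part of the original walkthrough: it verifies that every subnet starts on a block boundary, sits inside the VPC block and overlaps nothing, and reports how many addresses remain after the five addresses AWS reserves in each subnet. The name "Web 1" for the first subnet and the entries in `BAD_PLAN` are constructed for illustration.

```python
import ipaddress

# AWS reserves the first four addresses and the last address in every subnet.
AWS_RESERVED = 5

def check_subnet_plan(vpc_cidr, plan):
    """Validate (name, az, cidr) entries against the VPC block.

    Returns (rows, problems, unassigned): one row per accepted subnet,
    a message per rejected entry, and the count of VPC addresses that
    no accepted subnet covers.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    rows, problems, accepted = [], [], []
    for name, az, cidr in plan:
        try:
            # strict=True rejects a CIDR that does not start on a block boundary
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            nearest = ipaddress.ip_network(cidr, strict=False)
            problems.append(f"{name}: {cidr} is not on a block boundary (nearest: {nearest})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside the VPC block {vpc}")
            continue
        clash = next((n for n, other in accepted if net.overlaps(other)), None)
        if clash:
            problems.append(f"{name}: {net} overlaps {clash}")
            continue
        accepted.append((name, net))
        rows.append({
            "name": name, "az": az, "cidr": str(net),
            "first": str(net.network_address),
            "last": str(net.broadcast_address),
            "usable": net.num_addresses - AWS_RESERVED,
        })
    # Subtract each accepted subnet from the VPC block to find what is left over.
    free = [vpc]
    for _, net in accepted:
        remaining = []
        for block in free:
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))
            else:
                remaining.append(block)
        free = remaining
    unassigned = sum(block.num_addresses for block in free)
    return rows, problems, unassigned

# The plan from steps 5 and 6 (availability zones written as on the page).
PAGE_PLAN = [
    ("Web 1", "2a", "10.0.0.0/28"),
    ("Web 2", "2b", "10.0.0.16/28"),
    ("db1", "2a", "10.0.0.32/28"),
    ("db2", "2b", "10.0.0.48/28"),
]

# Constructed mistakes: misaligned start, overlap, and a block past the end of the /26.
BAD_PLAN = [
    ("Web 1", "2a", "10.0.0.0/28"),
    ("Web 2", "2b", "10.0.0.20/28"),
    ("db1", "2a", "10.0.0.0/27"),
    ("db2", "2b", "10.0.0.64/28"),
]

if __name__ == "__main__":
    for label, plan in (("page plan", PAGE_PLAN), ("bad plan", BAD_PLAN)):
        rows, problems, unassigned = check_subnet_plan("10.0.0.0/26", plan)
        print(f"== {label}: {unassigned} VPC addresses unassigned")
        for r in rows:
            print(f"  {r['name']:6} {r['az']}  {r['cidr']:14} "
                  f"{r['first']}-{r['last']}  usable={r['usable']}")
        for p in problems:
            print("  PROBLEM:", p)
```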

  7. Create Internet Gateway
    [Video Timestamp - Part 1 - 0:13:10]

    P1-7A: Click on either "Create Internet Gateway" buttons at the top or center of the "Internet Gateways" page
    AWS_How-to_Part1-VPC_Step7a.JPG
    P1-7B: Enter a Name Tag for your Internet Gateway
    P1-7C: Click "Create" to setup your Internet Gateway
    P1-7D: Once created, click the "Close" button
    Note: This creates the Internet Gateway but is in a "detached" status.

    P1-7E: Connect the Internet Gateway to the VPC by clicking on the "Actions" menu and selecting "Attach to VPC"
    AWS_How-to_Part1-VPC_Step7e.JPG

    P1-7F: Select your VPC from the drop down menu and click "Attach"
    AWS_How-to_Part1-VPC_Step7f.JPG

  8. Setup Routing on the Subnets - Create 2 New Route Tables (for Web & db subnets)
    [Video Timestamp - Part 1 - 0:14:02]
    Note: By default Amazon creates a default Route Table to all of the newly created subnets. These will be implicitly attached. We want to create new ones to have more control over the previously created subnets. For security purposes your database should reside within a private subnet which is why we will be creating new route tables for the web and db subnets.
    [Video Timestamp - Part 1 - 0:15:46]
    P1-8A: Click on "Create Route Table" button at the top or center of the "Route Tables" page
    P1-8B: Enter a Name Tag for your Route Table
    P1-8C: Select your VPC from the drop down menu and click "Attach"
    P1-8D: Click "Create" to setup your Route Table
    P1-8E: Once created, click the "Close" button
    P1-8F: Repeat steps 8A-8E to create an additional Route Table for the database as “db RT”
    AWS_How-to_Part1-VPC_Step8a.JPG

    AWS_How-to_Part1-VPC_Step8b-e.JPG
    [Video Timestamp - Part 1 - 0:16:55] - configuring the Route Tables

    P1-8G: Select the "Web RT" Route Table and then click "Edit Routes" in the "Routes" tab in the panel below
    AWS_How-to_Part1-VPC_Step8g.JPG

    P1-8H: Add a route destination of "0.0.0.0/0" (basically anything not within the scope of the first route 10.x.x.x/26)
        Set the target to the previously created Internet Gateway
        Click "Save routes" to setup your Route Table
        Once created, click the "Close" button
    AWS_How-to_Part1-VPC_Step8h.JPG
    AWS_How-to_Part1-VPC_Step8hh.JPG
    AWS_How-to_Part1-VPC_Step8hhh.JPG
    Note: This means that it is now a public route table

    P1-8I: Now we'll edit the associations of this route table, click the "Subnet Associations" tab and then click the "Edit subnet associations" button within this tab
    AWS_How-to_Part1-VPC_Step8i.JPG

    P1-8J: Select both of the web subnets "Web1 and Web2", then click "Save"
    AWS_How-to_Part1-VPC_Step8j.JPG

    P1-8K: Then we will select the "db RT" Route Table, click the "Subnet Associations" tab, and finally click the "Edit subnet associations" button within this tab
    AWS_How-to_Part1-VPC_Step8k.JPG
    Note: We don't need to edit routes, just the association needs to be updated for the db RT

    P1-8L: Select both of the db subnets "db1 and db2", then click "Save"
    AWS_How-to_Part1-VPC_Step8l.JPG

  9. Setup VPC Endpoint for the S3 (Simple Storage Service)
    [Video Timestamp - Part 1 - 0:18:10]

    Note: We will be setting up the connection to this storage service because we will be using the S3 Bucket for snapshot storage and restores of the RDS database instance if required.

    P1-9A: Go-to "Endpoints" in the left-hand navigation (4th up from the bottom of the Virtual Private Cloud section)
    AWS_How-to_Part1-VPC_Step9A.JPG

    P1-9B: Click on either "Create Endpoint" buttons at the top or center of the "Endpoints" page
    AWS_How-to_Part1-VPC_Step9B.JPG

    P1-9C: Select the "com.amazonaws.us-east-2.s3" Gateway
    [Video Timestamp - Part 1 - 0:18:58 - 0:20:11 technical background on what this endpoint is doing for the VPC to talk to the S3 bucket directly and not go over the open internet]
    AWS_How-to_Part1-VPC_Step9C.JPG

    P1-9D: Select your VPC from the drop down menu at the bottom of this service menu and DO NOT click "Create endpoint" at this time
    AWS_How-to_Part1-VPC_Step9d.JPG
    Select your 2 Route Tables (Web and db showing both subnets attached to each)
    AWS_How-to_Part1-VPC_Step9dd.JPG
    Note: This endpoint is a gateway and requires this additional step, explanation provided in the video.
    P1-9E: Leave the default selected Policy set to "Full Access" as we want all S3 traffic to go over this endpoint
    Click "Create Endpoint", then click the "Close" button to setup your S3 bucket endpoint 
    AWS_How-to_Part1-VPC_Step9e.JPG
    [Video Timestamp - Part 1 - 0:21:24 - 0:22:01 technical background on what creating the S3 endpoint did and how it relates to the Route Tables that were previously created]

  10. Setup Security Groups "a virtual firewall"
    [Video Timestamp - Part 1 - 0:22:02]

    P1-10A: Go-to "Security Groups" in the left-hand navigation (2nd down in the Security section/banner)
    Note: The default security group that exists by default is "very loose" in its permissions, so you don't want to use it for this application
    AWS_How-to_Part1-VPC_Step10a.JPG
    P1-10B: Click on the "Create security group" button at the top of the "Security Groups" page
    Note: We will be creating 3 security groups (1 for the database, 1 for the web instance, and then 1 for the load balancer)
    P1-10C: Enter a Security Group Name for your database security group such as "db SG" and a description for clarity on what the security group will be used for.
    P1-10D: Select your VPC from the drop down menu and click "Create"
    AWS_How-to_Part1-VPC_Step10b-d.JPG
    Once created, click the "Close" button
    P1-10E: Repeat steps 10B-10D to create two additional Security Groups for the web instance as “web SG” and load balancer as "lb SG"
    [Video Timestamp - Part 1 - 0:23:31 - 0:24:08 technical background on what the security groups are doing]

  11. Configure the Security Groups
    [Video Timestamp - Part 1 - 0:24:15]

    P1-11A: Select the load balancer "lb SG" security group to begin the configuration, then click the "Inbound Rules" tab at the bottom to begin editing our rules
    AWS_How-to_Part1-VPC_Step11a.JPG
    P1-11B: Click the "Edit Rules" button in the "Inbound Rules" tab and then click "Add Rule" on the "Edit inbound rules" page
    AWS_How-to_Part1-VPC_Step11b.JPG
    Add a rule for both HTTP on port 80 and HTTPS on port 443 with an IPv4 and IPv6 source of "0.0.0.0/0, ::/0"
    AWS_How-to_Part1-VPC_Step11bb.JPG
    AWS_How-to_Part1-VPC_Step11bbb.JPG
    P1-11C: Once created, click the "Save rules" button and then the "Close" button on the confirmation screen
    P1-11D: Continue with the selected load balancer "lb SG" security group and then click the "Outbound Rules" tab at the bottom to begin editing our rules. Click the "Edit Rules" button in the "Outbound Rules" tab and then click "Add Rule" on the "Edit outbound rules" page
    AWS_How-to_Part1-VPC_Step11c.JPG

    P1-11E: Add a rule for HTTP outbound traffic on port 80 with a destination of the security group you created for the web instance (because we want the load balancer to be able to talk to the web security group)
    Hint: delete the "0.0.0.0/0, ::/0" and begin typing "sg" to have it auto complete the list for you, select the web security group.
    Once created, click the "Save rules" button and then the "Close" button on the confirmation screen
    AWS_How-to_Part1-VPC_Step11cc.JPG
    Note: We are only setting up an HTTP rule because we'll be setting up HTTPS / SSL on the load balancer in a future step

    P1-11F: Configure the "Web Security Group" [Video Timestamp - Part 1 - 0:27:22]
    Note: Configuring the web security group means "stringing along the security groups", this should feel familiar to what we did by configuring the load balancer security group in steps P1-11A through P1-11E, but the traffic and destinations are all unique for the remaining security groups.
    Select the "web SG" security group to begin the configuration, then click the "Outbound Rules" tab at the bottom to begin editing our rules
    AWS_How-to_Part1-VPC_Step11f.JPG
    Click the "Edit Rules" button in the "Outbound Rules" tab and then click "Add Rule" on the "Edit outbound rules" page
    Add a rule for "MS SQL" outbound traffic: begin by typing "ms" to find "MS SQL" for the type, which will be on port 1433, with a destination of the security group you created for the database (because we want the web security group to be able to talk to the db security group)
    Hint: delete the "0.0.0.0/0, ::/0" and begin typing "sg" to have it auto complete the list for you, select the database security group.
    AWS_How-to_Part1-VPC_Step11ff.JPG
    Once created, click the "Save rules" button and then the "Close" button on the confirmation screen

    P1-11G: Configure the "db Security Groups" [Video Timestamp - Part 1 - 0:28:44]
    Note: Configuring the database security group means "stringing along the security groups", this should feel familiar to what we did by configuring the load balancer and web security groups in steps 11A-11F, but the traffic and destinations are all unique for the remaining security group.
    Select the "db SG" security group to begin the configuration, then click the "Inbound Rules" tab at the bottom to begin editing our rules
    AWS_How-to_Part1-VPC_Step11g.JPG
    Click the "Edit Rules" button in the "Inbound Rules" tab and then click "Add Rule" on the "Edit inbound rules" page
    Add a rule for "MS SQL" inbound traffic: begin by typing "ms" to find "MS SQL" for the type, which will be on port 1433, with a source of the security group you created for the web instance (because we want the web security group to be able to talk to the db security group)
    Hint: delete the "0.0.0.0/0, ::/0" and begin typing "sg" to have it auto complete the list for you, select the web security group.
    AWS_How-to_Part1-VPC_Step11gg.JPG
    Once created, click the "Save rules" button and then the "Close" button on the confirmation screen
    P1-11H: Continue with the selected "db SG" security group to begin the configuration, then click the "Outbound Rules" tab at the bottom to begin editing our rules
    AWS_How-to_Part1-VPC_Step11h.JPG
    Click the "Edit Rules" button in the "Outbound Rules" tab and then click "X" at the right of the existing rule on the "Edit outbound rules" page to remove this rule
    AWS_How-to_Part1-VPC_Step11hh.JPG
    Note: The database doesn't need to "talk" to anything, all of the connections are being established with the database.
    Once deleted, click the "Save rules" button and then the "Close" button on the confirmation screen

    P1-11I: Add HTTPS outbound rules for both Web and database security rules
    [Video Timestamp - Part 1 - 0:29:22]

    Note: This is to ensure that traffic out to the S3 bucket will not go over the public internet
    Temporarily go to the Route Tables in the left-hand navigation, select either the Web or database Route Table
    Click on the "Routes" tab and select the beginning of the Destination text starting with "pl-xxxxxxxxx" and copy this text to your clipboard for pasting purposes (you'll need this for the outbound web and db security group rules)
    AWS_How-to_Part1-VPC_Step11i.JPG
    P1-11J: Go back to your Security Groups in the left navigation and add outbound rules for both the web and db security groups
    Click the "Edit Rules" button in the "Outbound Rules" tab and then click "Add Rule" on the "Edit outbound rules" page
    Add a rule for HTTPS on port 443 with a destination of the copied route text by pasting in the "pl-xxxxxxxxx" for both the database and web security groups
    AWS_How-to_Part1-VPC_Step11j.JPG
    AWS_How-to_Part1-VPC_Step11jj.JPG
    Once created, click the "Save rules" button and then the "Close" button on the confirmation screen


  12. Create and Configure an Admin Security Group "for common tasks"
    [Video Timestamp - Part 1 - 0:30:45]
     
    P1-12A: Continue in the "Security Groups" in the left-hand navigation (2nd down in the Security section/banner)
    Click on the "Create security group" button at the top of the "Security Groups" page
    AWS_How-to_Part1-VPC_Step12a.JPG

    P1-12B: Enter a Security Group Name for your admin security group such as "admin SG" and a description for clarity on what the security group will be used for.
    Select your VPC from the drop down menu and click "Create"
    AWS_How-to_Part1-VPC_Step12aa.JPG
    Once created, click the "Close" button on the confirmation screen

    P1-12C: Configure the Admin Security Group for RDP access
    [Video Timestamp - Part 1 - 0:31:25]

    Select the "admin SG" security group to begin the configuration, then click the "Inbound Rules" tab at the bottom to begin editing our rules
    Click the "Edit Rules" button in the "Inbound Rules" tab and then click "Add Rule" on the "Edit inbound rules" page
    AWS_How-to_Part1-VPC_Step12c.JPG
    Add a rule for "RDP" inbound traffic: begin by typing "rdp" to find "RDP" for the type, which will be on port 3389, with a source of "My IP". Hint: delete the "0.0.0.0/0, ::/0" and select "My IP" from the drop-down in the "Custom" area.
    AWS_How-to_Part1-VPC_Step12cc.JPG
    Note: Setting this to My IP keeps RDP from being reachable from the open internet; you'll be able to access the RDP with a generated token key later.
    Once created, click the "Save rules" button and then the "Close" button on the confirmation screen

    P1-12D: Continue with the selected "admin SG" security group to begin the configuration, then click the "Outbound Rules" tab at the bottom to begin editing our rules
    [Video Timestamp - Part 1 - 0:32:57] - Full disclosure: this step was added into the how-to steps later as we realized that outbound for the RDP was necessary to download the RockRMS installer and SQL Server Manager tools through a simple web browser interface.
    Click the "Edit Rules" button in the "Outbound Rules" tab and add a rule for all outbound traffic: begin by typing "all" to find "All traffic" for the type, which will be port range 0-65535, with a destination of "Anywhere" from the drop-down list, which is "0.0.0.0/0, ::/0".
    AWS_How-to_Part1-VPC_Step12d.JPG
    AWS_How-to_Part1-VPC_Step12ddd.JPG

    Once added, click the "Save" button and then the "Close" button on the confirmation screen
    [Video Timestamp - Part 1 - 0:33:37 - 0:34:14 summation and technical background on what the security groups are doing after being completed]
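
Once steps 10 through 12 are done, the chain of security groups can be checked against what the steps intend. The script below is an added example, not part of the original walkthrough: it audits rules in the field layout that `aws ec2 describe-security-groups` returns, using constructed group IDs, a constructed admin address, and the page's "pl-xxxxxxxxx" placeholder for the S3 prefix list.

```python
import ipaddress

ANYWHERE = {"0.0.0.0/0", "::/0"}
SQL, RDP = 1433, 3389

def rule(proto, lo, hi, cidrs=(), groups=(), plists=()):
    """Build one permission in the layout describe-security-groups returns."""
    r = {"IpProtocol": proto,
         "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
         "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
         "UserIdGroupPairs": [{"GroupId": g} for g in groups],
         "PrefixListIds": [{"PrefixListId": p} for p in plists]}
    if proto != "-1":                      # "all traffic" rules carry no port range
        r["FromPort"], r["ToPort"] = lo, hi
    return r

def sg(name, gid, ingress, egress):
    return {"GroupName": name, "GroupId": gid,
            "IpPermissions": ingress, "IpPermissionsEgress": egress}

def covers(r, port):
    if r["IpProtocol"] == "-1":            # "-1" means every protocol and port
        return True
    return r["IpProtocol"] == "tcp" and r["FromPort"] <= port <= r["ToPort"]

def cidr_list(r):
    return [x["CidrIp"] for x in r["IpRanges"]] + [x["CidrIpv6"] for x in r["Ipv6Ranges"]]

def peers(r):
    return [x["GroupId"] for x in r["UserIdGroupPairs"]]

def audit(groups):
    """Return findings where the groups differ from the intent of steps 10-12."""
    by_name = {g["GroupName"]: g for g in groups}
    web, db, admin = (by_name[n] for n in ("web SG", "db SG", "admin SG"))
    findings = []
    # 1. SQL Server and RDP must never be reachable from the whole internet.
    for g in groups:
        for r in g["IpPermissions"]:
            for port in (SQL, RDP):
                if covers(r, port) and ANYWHERE & set(cidr_list(r)):
                    findings.append(f"{g['GroupName']}: port {port} open to the internet")
    # 2. db SG inbound: port 1433 from web SG, and no other source at all.
    if not any(covers(r, SQL) and web["GroupId"] in peers(r) for r in db["IpPermissions"]):
        findings.append("db SG: no inbound rule lets web SG reach port 1433")
    for r in db["IpPermissions"]:
        if cidr_list(r) or set(peers(r)) - {web["GroupId"]}:
            findings.append("db SG: inbound source other than web SG")
    # 3. db SG outbound: only the S3 prefix list, never a CIDR or another group.
    for r in db["IpPermissionsEgress"]:
        if cidr_list(r) or peers(r):
            findings.append("db SG: outbound rule to something other than the S3 prefix list")
    # 4. web SG outbound: must reach db SG on 1433.
    if not any(covers(r, SQL) and db["GroupId"] in peers(r) for r in web["IpPermissionsEgress"]):
        findings.append("web SG: no outbound rule to db SG on port 1433")
    # 5. admin SG: RDP only from a single address ("My IP" produces a /32).
    for r in admin["IpPermissions"]:
        if covers(r, RDP):
            for c in cidr_list(r):
                if ipaddress.ip_network(c).num_addresses != 1:
                    findings.append(f"admin SG: RDP allowed from {c}, not a single address")
    return findings

def sample(sql_port=1433, db_egress_cidrs=(), rdp_from="203.0.113.10/32"):
    """Constructed groups following steps 10-12; IDs and addresses are made up."""
    s3 = ["pl-xxxxxxxxx"]
    if db_egress_cidrs:                    # default allow-all rule left in place
        db_out = [rule("-1", None, None, cidrs=db_egress_cidrs)]
    else:
        db_out = [rule("tcp", 443, 443, plists=s3)]
    return [
        sg("lb SG", "sg-lb",
           [rule("tcp", p, p, cidrs=sorted(ANYWHERE)) for p in (80, 443)],
           [rule("tcp", 80, 80, groups=["sg-web"])]),
        sg("web SG", "sg-web", [],
           [rule("tcp", SQL, SQL, groups=["sg-db"]), rule("tcp", 443, 443, plists=s3)]),
        sg("db SG", "sg-db", [rule("tcp", sql_port, sql_port, groups=["sg-web"])], db_out),
        sg("admin SG", "sg-admin", [rule("tcp", RDP, RDP, cidrs=[rdp_from])],
           [rule("-1", None, None, cidrs=sorted(ANYWHERE))]),
    ]

if __name__ == "__main__":
    print("as configured:", audit(sample()))
    # Constructed mistakes: mistyped SQL port, db egress left open, RDP from anywhere.
    for finding in audit(sample(sql_port=1443, db_egress_cidrs=["0.0.0.0/0"],
                                rdp_from="0.0.0.0/0")):
        print("FINDING:", finding)
```

To run it against a real account, replace `sample()` with the `SecurityGroups` list parsed from the JSON output of `aws ec2 describe-security-groups`.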

  13. Create a RDS Database Subnet Group
    [Video Timestamp - Part 1 - 0:34:15]

    P1-13A: In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "RDS" and select the first result "Managed Relational Database Service"
    Note: This loads the RDS Dashboard where we will build our database from
    AWS_How-to_Part1-VPC_Step13a.JPG
    P1-13B: Go-to "Subnet Groups" in the left-hand navigation
    Click "Create DB Subnet Group" on the main "Subnet Groups" page
    AWS_How-to_Part1-VPC_Step13b.JPG
    [Video Timestamp - Part 1 - 0:35:02 - 0:35:56 technical background on what the DB subnet groups are used for]
    Note: We are pulling the two initially created db1 and db2 subnets into a single DB subnet group
    P1-13C: Enter a DB Subnet Group Name such as "db-rock-prod, db-rock-dev, or db-rock-demo" and a description for clarity on what the DB subnet group will be used for.
    Select your VPC from the drop down menu (only one available so it's auto-selected)
    AWS_How-to_Part1-VPC_Step13c.JPG
    P1-13D: Select the "2a" availability zone in the "Add Subnets" area, select the correct subnet from the "Subnet" drop-down, click "Add Subnet"
    Repeat this again and Select the "2b" availability zone in the "Add Subnets" area, select the correct subnet from the "Subnet" drop-down , click "Add Subnet"
    AWS_How-to_Part1-VPC_Step13cc.JPG

    P1-13E: Click "Create" to complete the DB Subnet Group creation
    AWS_How-to_Part1-VPC_Step13ccc.JPG
    The DB Subnet Group is completed

  14. Setup the S3 Bucket for Storage
    [Video Timestamp - Part 1 - 0:37:35]

    P1-14A: In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "S3" and select the first result "Simple Storage Service" or select "S3" from the Storage section of the main Services page
    Note: This loads the S3 Dashboard where we can store our RDS backups if we need to restore the database for any reason
    AWS_How-to_Part1-VPC_Step14a.JPG


    P1-14B: In the S3 dashboard click the "+ Create bucket" button
    AWS_How-to_Part1-VPC_Step14aa.JPG
    Enter an S3 Bucket Name such as "s3-demo-rock-backup-yourchurchnamehere"
    Note: All S3 users share the same namespace and the bucket name must be unique just like a URL or gmail username. You may not get your name on the first try, modify until you get something understandable and available.
    AWS_How-to_Part1-VPC_Step14bb.JPG

    AWS_How-to_Part1-VPC_Step14bbb.JPG

    P1-14C: Click the "Next" button to continue the S3 Bucket setup
    On the next page of the S3 Bucket creation step turn on versioning and AES-256 default encryption
    Note: The advanced settings and CloudWatch monitoring are unnecessary for the RockRMS storage needs. Turning on CloudWatch will be an additional cost and put you outside of the AWS free tier resources
    AWS_How-to_Part1-VPC_Step14bbbb.JPG

    P1-14D: Click the "Next" button to continue the S3 Bucket setup
    AWS_How-to_Part1-VPC_Step14bbbbb.JPG

    P1-14E: IMPORTANT! Ensure that "Block all public access" is checked so that this database backup storage is not accessible by the public internet
    By default continue with the "Do not grant Amazon S3 Log Delivery" option selected
    Click the "Next" button to continue the S3 Bucket setup
    AWS_How-to_Part1-VPC_Step14bbbbbb.JPG

    Review all of the S3 Bucket creation settings and click the "Create Bucket" button to confirm
    AWS_How-to_Part1-VPC_Step14bbbbbbb.JPG

  15. Launch the EC2 Virtual Server
    [Video Timestamp - Part 1 - 0:40:58]

    P1-15A: In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "EC2 (Virtual Servers in the Cloud)" or select "EC2" from the 1st option within the Compute section of the main Services page
    Note: This loads the EC2 Dashboard where we can manage our virtual servers at any point.
    AWS_How-to_Part1-VPC_Step15a.JPG
    [Video Timestamp - Part 1 - 0:41:12-0:42:22] - Free Tier thresholds explanation and considerations with RockRMS.
    - T2 micro free for 12mos. *move the database snapshot and virtual server setup to a new account if you stay within the free tier threshold to renew; backup and restore covered later

    P1-15B: Click "Launch Instance" to begin the compute selection criteria
    AWS_How-to_Part1-VPC_Step15b.JPG 


    P1-15C: Select the AMI (Amazon Machine Image) Microsoft Server 2016 or 2019 Base free tier eligible, click on the "Select" button to continue
    Note: You can filter this long list of AMIs down quickly by selecting the "Free tier eligible only" check box on the left-hand navigation
    AWS_How-to_Part1-VPC_Step15bb.JPG
    AWS_How-to_Part1-VPC_Step15bbb.JPG

    P1-15D: Choose your Instance Type by leaving it selected on the default free tier eligible T2 Micro, click the "Next: Configure Instance Details" button
    AWS_How-to_Part1-VPC_Step15bbbb.JPG
    P1-15E: Configure Instance Details
    [Video Timestamp - Part 1 - 0:43:22]
    Set the following:
    Number of Instances = 1
    Network = select your VPC that was previously setup from the list
    Subnet = select either of the "Web" subnets, doesn't matter which
    Auto-assign Public IP = select "Enable"
    Shutdown behavior = "Stop"
    Enable termination protection = select to enable
    AWS_How-to_Part1-VPC_Step15c.JPG
    AWS_How-to_Part1-VPC_Step15cc.JPG

    AWS_How-to_Part1-VPC_Step15ccc.JPG

    P1-15F: Click "Next: Add Storage" to add the machine storage
    Note: The free tier T2 Micro gives you up to a 30Gb machine storage space selected by default, no need to lower this
    Select the disc encryption with the available "(default) aws/ebs" in order to encrypt the root disc machine image
    AWS_How-to_Part1-VPC_Step15cccc.JPG

    Click the "Next: Add Tags" button to provide an easy way to identify the AMI in other services of your AWS account
    Enter a key and value pair that will help you identify this virtual machine in the future
    AWS_How-to_Part1-VPC_Step15ccccc.JPG

    P1-15G: Click the "Next: Configure Security Group" button
    Select the "Select an existing security group" radio button and then select the previously setup "admin SG" and "web SG" security groups
    AWS_How-to_Part1-VPC_Step15ccccccc.JPG


    P1-15H: Click the "Review and Launch" button to check your selection one last time
    AWS_How-to_Part1-VPC_Step15ccccccccc.JPG

    P1-15I: Select "Create a new key pair" in the pop-up dialog
    Note: A key pair is a private and public key that allows you to ssh into the machine (Linux) but Windows uses standard username and password. Amazon uses this key pair to decrypt the username and password for the Windows Administrator login for RDP.
    Enter a Key pair name just to remember what the key pair is used for.
    Note: If you decide not to change the default Windows Administrator password you'll need this to get a new Key Pair when logging into the Virtual Machine through RDP. If this machine will not be accessed often it's best to keep it this way as that adds another step of security.
    Click "Download Key Pair" to save the encrypted username and password file to your local machine (you'll need this as soon as the machine is launched)
    AWS_How-to_Part1-VPC_Step15ccccccccccc.JPG

    P1-15J: Click the "Launch Instance" to spin up your newly created free virtual machine!
    Click the "View Instances" button to see the status of the machine
    AWS_How-to_Part1-VPC_Step15cccccccccccc.JPG

  16. Launch the RDS Instance (Create the database)
    [Video Timestamp - Part 1 - 0:47:49]  

    P1-16A: In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "RDS" and select the first result "Managed Relational Database Service" or select "RDS" from your history in the left-hand navigation
    Note: This loads the RDS Dashboard where we will build our database from
    Click the "Create Database" from the RDS Dashboard page
    AWS_How-to_Part1-VPC_Step16a.JPG

    P1-16B: Select The "Standard Create" method and then select the "Microsoft SQL Server" option
    AWS_How-to_Part1-VPC_Step16aa.JPG

    P1-16C: Select the "SQL Server Express Edition" as this lighter-weight version will suffice and help resources remain within the free tier
    AWS_How-to_Part1-VPC_Step16aaa.JPG
    Select the most recent version of SQL Server at the bottom of the drop-down list as there don't seem to be any current issues or requirements with RockRMS and most current versions are backwards compatible.

    Select the "Free tier" option within the Templates section
    AWS_How-to_Part1-VPC_Step16aaaa.JPG

    P1-16D: Scroll down to the Settings section
    Enter a database identifier (basically a name for the database that makes sense for your needs)
    AWS_How-to_Part1-VPC_Step16b.JPG

    Setup the database credentials so that you can log into the database that you will access through the RDP
    [Video Timestamp - Part 1 - 0:49:10-0:49:52] - technical explanation on the database credential setup
    Enter "admin" for the Master username of the database, enter a Master password for the database of your choosing at this time and save it for future use as you'll need it for some provided SQL script in Part 2
    (IMPORTANT! - You cannot forget this password or you will not be able to complete the database setup and RockRMS install through the RDP)
    AWS_How-to_Part1-VPC_Step16bb.JPG

    P1-16E: Select the DB instance size of "db.t2.micro" as this remains within the scope of the free tier offering by Amazon
    Note: This database is spec'd to 1 vCPU, 1Gb of RAM, and is not EBS Optimized. If your organization grows beyond the free tier in the future this can be increased at a later time to become more performant for your needs.
    AWS_How-to_Part1-VPC_Step16bbb.JPG

    Select your Storage options by keeping the default option of "20Gb of General Purpose SSD" and be sure to disable/unselect "Enable Storage autoscaling" to keep the database from growing beyond its capacity
    AWS_How-to_Part1-VPC_Step16bbbb.JPG

    Select your previously created VPC within the Connectivity section and then open up the "Additional connectivity configuration" section
    AWS_How-to_Part1-VPC_Step16bbbbb.JPG

    P1-16F: Open the "Additional connectivity configuration" area to select your previously created Subnet group for the database
    Ensure that the database is not publicly accessible by selecting "No"
    In the VPC security group area select "Choose existing" then click the "X" to disable the default and select a previously created security group
    AWS_How-to_Part1-VPC_Step16bbbbbb.JPG

    Select the previously created "db SG" from the list of available security groups
    AWS_How-to_Part1-VPC_Step16bbbbbbb.JPG

    Select the "2a" from the Availability zone for the db SG because we also launched the Web Instance in 2a and keep the same default port of "1433" 
    Note: Keeping the database and the instances in the same availability zone will ensure that you do not get charged for "talking" across data centers.
    AWS_How-to_Part1-VPC_Step16bbbbbbbb.JPG

    P1-16G: In the Backup section keep the default "Enable automatic backups" and 7 days retention period.
    You may also keep the "Copy tags to snapshots" and Enable Performance insights settings as these are nice free features that Amazon provides
    AWS_How-to_Part1-VPC_Step16bbbbbbbbbb.JPG

    P1-16H: Scroll down and open the "Additional configuration" area
    You can set the Time zone of your database before it gets built. This can be changed once you get into your database if it wasn't set at this time.
    AWS_How-to_Part1-VPC_Step16bbbbbbbbb.JPG

    P1-16I: Keep the default "Enable auto minor version upgrade" setting to allow Amazon/Microsoft to upgrade the database version to any security point releases in order to lower your maintenance requirements and also to keep it more secure.
    AWS_How-to_Part1-VPC_Step16bbbbbbbbbbbb.JPG
    Note: You may set a Maintenance window to ensure that any auto minor version upgrades don't occur during peak hours or when typical RockRMS jobs are scheduled.

    P1-16J: Keep the default "Enable deletion protection" enabled in the Deletion protection area
    Finally you can click the "Create database" button!
    AWS_How-to_Part1-VPC_Step16bbbbbbbbbbbbb.JPG
    [Video Timestamp - Part 1 - 0:54:02] - the database is created
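The settings chosen in step 16 can be re-checked after the database exists. The following is an added example, not part of the original guide: it audits one instance description in the shape returned by `aws rds describe-db-instances` against the choices from P1-16C through P1-16J. The sample record, its identifier and the "us-east-2a" zone name are constructed for illustration.

```python
import json

# Constructed sample in the shape of one "DBInstances" entry returned by
# `aws rds describe-db-instances`; every value here is made up.
SAMPLE_INSTANCE = json.loads("""
{
  "DBInstanceIdentifier": "rock-demo-db",
  "Engine": "sqlserver-ex",
  "DBInstanceClass": "db.t2.micro",
  "AllocatedStorage": 20,
  "MaxAllocatedStorage": 1000,
  "PubliclyAccessible": true,
  "AvailabilityZone": "us-east-2a",
  "Endpoint": {"Address": "rock-demo-db.example.invalid", "Port": 1433},
  "BackupRetentionPeriod": 7,
  "AutoMinorVersionUpgrade": true,
  "DeletionProtection": false
}
""")


def audit_rds_instance(inst, web_instance_az):
    """Compare one RDS instance description with the choices made in step 16.

    Returns a list of findings (empty when everything matches). Each finding
    names the guide step, a category, and what differs.
    """
    allocated = inst.get("AllocatedStorage") or 0
    max_allocated = inst.get("MaxAllocatedStorage")
    # MaxAllocatedStorage above AllocatedStorage means storage autoscaling is on.
    autoscaling_on = max_allocated is not None and max_allocated > allocated
    # Endpoint is missing while the instance is still being created.
    port = (inst.get("Endpoint") or {}).get("Port")
    az = inst.get("AvailabilityZone")

    checks = [
        ("P1-16C", "cost", inst.get("Engine") == "sqlserver-ex",
         "engine is %r, expected sqlserver-ex (Express)" % inst.get("Engine")),
        ("P1-16E", "cost", inst.get("DBInstanceClass") == "db.t2.micro",
         "instance class is %r, expected db.t2.micro" % inst.get("DBInstanceClass")),
        ("P1-16E", "cost", allocated == 20,
         "allocated storage is %s GB, expected 20" % allocated),
        ("P1-16E", "cost", not autoscaling_on,
         "storage autoscaling is enabled (max %s GB)" % max_allocated),
        ("P1-16F", "exposure", inst.get("PubliclyAccessible") is False,
         "database is publicly accessible"),
        ("P1-16F", "cost", az == web_instance_az,
         "database is in %r but the web instance is in %r" % (az, web_instance_az)),
        ("P1-16F", "config", port == 1433,
         "port is %r, expected 1433" % port),
        ("P1-16G", "resilience", inst.get("BackupRetentionPeriod") == 7,
         "backup retention is %r days, expected 7" % inst.get("BackupRetentionPeriod")),
        ("P1-16I", "patching", inst.get("AutoMinorVersionUpgrade") is True,
         "auto minor version upgrade is off"),
        ("P1-16J", "resilience", inst.get("DeletionProtection") is True,
         "deletion protection is off"),
    ]
    return [{"step": step, "category": category, "detail": detail}
            for step, category, ok, detail in checks if not ok]


if __name__ == "__main__":
    for finding in audit_rds_instance(SAMPLE_INSTANCE, "us-east-2a"):
        print("%(step)s [%(category)s] %(detail)s" % finding)
```

To run it against a real account, save the JSON from `aws rds describe-db-instances` and pass each entry of its "DBInstances" list to the function.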

  17. Log into your EC2 Instance with RDP
    [Video Timestamp - Part 1 - 0:54:06]
    P1-17A: In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "EC2 (Virtual Servers in the Cloud)" or select "EC2" from your history in the left-hand navigation
    Note: This loads the EC2 Dashboard where we can manage our virtual servers at any point.
    Select "Instances" from the left-hand navigation or the "Running Instances" from the EC2 dashboard page
    AWS_How-to_Part1-VPC_Step16c.JPG

    P1-17B: Select your previously created running instance to see more details on it below
    Select and copy or use the copy button in order to have the Public IP of the instance available in the clip-board for pasting purposes.
    You are going to need this in Part 2 when you log into your Virtual Machine for the first time with Remote Desktop
    AWS_How-to_Part1-VPC_Step16cc.JPG



Installing RockRMS


If you’ve made it this far that means you’re a determined person that can handle anything thrown your way. You also like to overturn any rock you find. The next few parts will seem like a breeze compared to that lengthy manual “from scratch” AWS creation of the VPC and database.

Remember that we are actively working towards lowering that initial bar by creating several ready-to-use Cloudformations and possibly even scripting some of the next areas to get a pseudo-turnkey installation within 15-30mins.

Note: Some of the sequences shown below are sped up due to time constraints. No action is being taken during these portions. Remember that this is a very low powered virtual build with 1 Gb of RAM and things can load slowly initially. Once configured and cached the system performs adequately for its use-case of small church needs or demo purposes.

Part 2 - Microsoft SQL Server and Database Setup

RockRMS_AWS DemoSiteInstall_Part2 from Harvest Pittsburgh North on Vimeo.


Part 2 - Table of Contents


  1. Log into the Virtual Machine through RDP (Remote Desktop Protocol)
    [Video Timestamp - Part 2 - 0:00:00]
    P2-1A: Open up an available RDP application either on Windows or iOS
    In Windows go to the search icon on the taskbar and begin typing "remote" to find the default Remote Desktop Application
    AWS_How-to_Part1-VPC_Step16ccc.JPG

    Once the RDP Connection window launches paste the Public IP address of the instance that you previously copied into the Computer field 
    Note: Additional options are not required.
    P2-1B: Click the "Connect" button to proceed

    AWS_How-to_Part2-RDP_Step1a.JPG

    A connection trust dialog will pop up, you may choose to select "Do not ask me again..." and then click the "Connect" button to continue
    AWS_How-to_Part2-RDP_Step1bbb.JPG

    P2-1C: Next you will be asked how to log into the instance through RDP. Select the "More choices - Use a different account" option below the default windows user that is presented. Click "OK"
    AWS_How-to_Part2-RDP_Step1bbbbb.JPG

    Enter "administrator" into the username field and follow the additional steps below to copy the password for the instance
    AWS_How-to_Part2-RDP_Step1bbbbbb.JPG

    P2-1D: Go-to the "Actions" menu of your selected EC2 instance and select "Get Windows Password"
    AWS_How-to_Part2-RDP_Step1bbbbbbb.JPG

    P2-1E: Click the "Choose file" button and select the SSH Key-pair file that we created earlier so that Amazon can use the key-pair to decrypt the instance's administrator password for the RDP login.
    AWS_How-to_Part2-RDP_Step1bbbbbbbb.JPG

    P2-1F: Navigate to where you saved your key pair file on your system earlier, select it, and click the "Open" button
    AWS_How-to_Part2-RDP_Step1bbbbbbbbb.JPG

    P2-1G: Click the "Decrypt Password" button
    AWS_How-to_Part2-RDP_Step1bbbbbbbbbb.JPG

    P2-1H: Copy the decrypted password by highlighting/selecting it and using right-click copy or CTRL+C, or click the small copy button to put it into your clipboard, and then click the "Close" button
    AWS_How-to_Part2-RDP_Step1bbbbbbbbbbb.JPG

    Paste the copied decrypted password into the login dialog and click the "OK" button
    AWS_How-to_Part2-RDP_Step1bbbbbbbbbbbbb.JPG

    P2-1I: You will be presented with another security certificate warning and you may choose to select the "Don't ask me again..." and click the "Yes" button to continue connecting to your instance via RDP.
    AWS_How-to_Part2-RDP_Step1bbbbbbbbbbbbbb.JPG

    P2-1J: After the connection has been established and a few moments of initial setup of the Windows Server environment you will now have remote desktop access to your new virtual machine in the cloud.
    Note: You may change the administrator password of the system once you login or keep it in this decrypted fashion where Amazon rotates the key and you will have to follow that process in the future. This is a better use case if you do not need to log into the virtual environment often or require more than one person to access the system through RDP as they can pull a new decrypted password versus having to share a specific one that you would create.

    P2-1K: Click the "No" button if you are presented with allowing the network to be discoverable by other PCs and devices on the network.
    AWS_How-to_Part2-RDP_Step1bbbbbbbbbbbbbbbbb.JPG

    Now we may proceed with the remaining SQL server setup and launch the RockRMS startup script.

  2. Install SQL Server Manager
    [Video Timestamp - Part 2 - 0:02:22]

    P2-2A: Copy the RockRMS installer onto the RDP by connecting a local drive or download the installation package from https://www.rockrms.com/Download using a web browser (see the next optional step if downloading directly via a web browser from within the RDP environment).
    AWS_How-to_Part2-RDP_Step2a.JPG

    P2-2B: Optional Step to Lower Internet Explorer security settings
    [Video Timestamp - Part 2 - 0:03:03]
    Search for "server manager" from the Windows toolbar or Start Menu and launch the Server Manager app.
    AWS_How-to_Part2-RDP_Step2b.JPG

    Click on the "Local Server" from the left-hand navigation to launch the properties.
    AWS_How-to_Part2-RDP_Step2bb.JPG

    Click on the "On" link in the IE Enhanced Security Configuration settings.
    AWS_How-to_Part2-RDP_Step2bbb.JPG

    Turn both the Administrators and Users security settings to "Off" and click the "OK" button.
    AWS_How-to_Part2-RDP_Step2bbbb.JPG

    You can now close the Server Manager application. If you use Internet Explorer to download the RockRMS installer or the upcoming Microsoft SQL Server Management Studio you will not have to add each site to the "white-list" for access purposes. This can become quite an overly secure nuisance.

    P2-2C: Download Microsoft SQL Server Management Studio
    [Video Timestamp - Part 2 - 0:04:02]
    Open up Internet Explorer and run a search on "ssms". One of the first results will give you the documentation page which has the latest version of the software to download, currently v18.4
    https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms

    Download and install the latest version with defaults remaining.
     AWS_How-to_Part2-RDP_Step2c.JPG
    AWS_How-to_Part2-RDP_Step2cc.JPG


  3. Login to the Microsoft SQL Server Management Studio
    [Video Timestamp - Part 2 - 0:05:24]
    P2-3A: Launch the Microsoft SQL Server Management Studio by searching for "studio" from the Windows toolbar or Start Menu and launch the app.
    AWS_How-to_Part2-RDP_Step2ccc.JPG

    Once launched you will be presented with a database connection dialog
    AWS_How-to_Part2-RDP_Step3aa.JPG

    P2-3B: You'll need the RDS endpoint url for the server name field. For the next few steps you will need to switch away from your RDP virtual pc environment back to your AWS account in your web browser.

    In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "RDS" and select the first result "Managed Relational Database Service"
    Note: This loads the RDS Dashboard where we initially built our database from.
    AWS_How-to_Part2-RDP_Step3aaa.JPG

    P2-3C: Once in the RDS dashboard, select your database to pull up its details.
    AWS_How-to_Part2-RDP_Step3aaaaa.JPG

    Once you've selected your database from the dashboard navigate to the Connectivity & security tab (shown by default)
    AWS_How-to_Part2-RDP_Step3aaaaaa.JPG

    P2-3D: Highlight and copy your specific Endpoint URL
    AWS_How-to_Part2-RDP_Step3aaaaaaa.JPG

    P2-3E: Switch back to your RDP virtual pc environment.
    Paste the endpoint URL that you copied from your AWS RDS dashboard and into the MS SQL Server Management Studio - SQL Server connection dialog for the Server Name field.
    Select SQL Server Authentication for the Authentication method
    AWS_How-to_Part2-RDP_Step3aaaaaaaa.JPG

    P2-3F: Enter the Login and Password that were previously created during the RDS setup (See step P1-16D: Video Timestamp - Part 1 - 0:49:10-0:49:52 - technical explanation on the database credential setup)
    Click the "Connect" button and you will now have access to your empty database
    AWS_How-to_Part2-RDP_Step3aaaaaaaaa.JPG

    AWS_How-to_Part2-RDP_Step3aaaaaaaaaa.JPG

    P2-3G: Click the "New Query" button to start a blank query tab which we will use to setup and establish the admin user for the RockRMS installation shortly.
    AWS_How-to_Part2-RDP_Step3aaaaaaaaaaa.JPG


  4. Install IIS Web Server and Features
    [Video Timestamp - Part 2 - 0:07:31]

    Rock-Solid-Internal-Hosting.jpg
    We will now switch gears for a little bit and set up some additional services before creating an admin login for the RockRMS install.
    In this next group of steps we will be referring to and utilizing the RockRMS Internal Hosting Guide to set up the IIS Web Server and .NET Frameworks before proceeding to the main RockRMS install. It is important to thoroughly read through this entire guide before utilizing the few sections that we will cover.

    P2-4A: Search for "server manager" from the Windows toolbar or Start Menu and launch the Server Manager app if you've closed this app from our previous optional Internet Explorer security settings changes.
    AWS_How-to_Part2-RDP_Step2b.JPG

    Click on the "Local Server" from the left-hand navigation to launch the properties.
    AWS_How-to_Part2-RDP_Step2bb.JPG

    P2-4B: Click on the "Add Roles and Features" from the Manage menu in the upper-right navigation
    AWS_How-to_Part2-RDP_Step4a.JPG

    P2-4C: Select "Role-based or feature-based installation" and then click the "Next >" button
    AWS_How-to_Part2-RDP_Step4aa.JPG

    P2-4D: For the Server Selection keep the presented defaults based on "Select a server from the server pool" and then click the "Next >" button
    AWS_How-to_Part2-RDP_Step4aaa.JPG

    P2-4E: For the Server Roles select the "Web Server (IIS)" leaving all other defaults and then click the "Next >" button
    AWS_How-to_Part2-RDP_Step4aaaa.JPG

    You will be presented with an Add Roles and Features Wizard confirmation, click the "Add Features" button to continue
    AWS_How-to_Part2-RDP_Step4aaaaa.JPG

    P2-4F: For the Features section, select the ".NET Framework 3.5 Features" leaving all other defaults and then click the "Next >" button
    AWS_How-to_Part2-RDP_Step4aaaaaa.JPG

    P2-4G: In the Role Services section, drill open the Application Development area and select the ".NET Extensibility 4.7, Application Initialization, and ASP.NET 4.7" leaving all other defaults and then click the "Next >" button

    AWS_How-to_Part2-RDP_Step4aaaaaaaaaa.JPG

    You will be presented with an Add Roles and Features Wizard confirmation, click the "Add Features" button to continue
    AWS_How-to_Part2-RDP_Step4aaaaaaaaa.JPG

    P2-4H: In the Confirmation area select the "Restart the destination server automatically if required" checkbox and then click the "Install" button at the bottom to begin the IIS and .NET Framework services installation
    AWS_How-to_Part2-RDP_Step4aaaaaaaaaaa.JPG


  5. Configure the IIS Web Server and Features
    [Video Timestamp - Part 2 - 0:10:38]

    Rock-Solid-Internal-Hosting.jpg
    In this next group of steps we continue referring to the RockRMS Internal Hosting Guide in order to configure the IIS Web Server before proceeding to the main RockRMS Install. It is important to thoroughly read through this entire guide before utilizing the few sections that we will cover.

    P2-5A: Search for "manager" from the Windows toolbar or Start Menu and launch the Internet Information Services (IIS) Manager app 
    AWS_How-to_Part2-RDP_Step5a.JPG

    Once the IIS Server Manager is launched drill-down on the name of the localhost server that was setup during the previous steps on the left-hand navigation.
    AWS_How-to_Part2-RDP_Step5aa.JPG

    P2-5B: Click on "Application Pools" in the left-hand navigation under your local server name and then right-click on "DefaultAppPool" in the main area. Finally click on "Advanced Settings..." to get to the settings you'll need to adjust
    AWS_How-to_Part2-RDP_Step5aaa.JPG

    P2-5C: In the DefaultAppPool Advanced Settings dialog ensure that the .NET CLR Version is set to "v4.0", the Start Mode is set to "AlwaysRunning", the Identity is set to "LocalSystem", and the Idle Time-out (minutes) is set to "0".
    Click the "OK" button to save these setting changes
    AWS_How-to_Part2-RDP_Step5aaaaaa.JPG

    P2-5D: Once back out in the main application, repeat similar steps by clicking on "Application Pools" in the left-hand navigation under your local server name and then right-clicking on "DefaultAppPool" in the main area. Finally click on "Recycling..." to get to the settings you'll need to adjust
    AWS_How-to_Part2-RDP_Step5aaaaaaa.JPG

    Select the "Specific time(s):" checkbox and set the field to 4:00 AM as suggested in the RockRMS Internal Hosting guide.
    Click the "Next" button at the bottom of the dialog to save the changes.
    AWS_How-to_Part2-RDP_Step5aaaaaaaa.JPG

    In the next section of the Recycling settings dialog, keep all of the checked defaults and click the "Finish" button to complete your DefaultAppPool Recycling settings
    AWS_How-to_Part2-RDP_Step5aaaaaaaaa.JPG

    P2-5E: For the final IIS Server settings you will need to drill-down on "Sites" and then right-click on the "Default Web Site" in the left-hand navigation, click on "Manage Website", and finally click on "Advanced Settings..." to get to the settings you'll need to adjust 
    AWS_How-to_Part2-RDP_Step5aaaaaaaaaa.JPG

    In the Default Web Site Advanced Settings dialog you need to change the Preload Enabled setting to "True".
    Click the "OK" button at the bottom of the dialog to complete your settings
    AWS_How-to_Part2-RDP_Step5aaaaaaaaaaa.JPG

    P2-5F: You have now completed the setup of the IIS Web Server and may close the IIS Manager application. You may now close the Server Manager application and/or Internet Explorer application if you have not already done so.
    AWS_How-to_Part2-RDP_Step5aaaaaaaaaaaa.JPG


  6. Creating the admin user in MS SQL Server Management Studio
    [Video Timestamp - Part 2 - 0:14:31] 

    In the Windows RDP virtual environment switch back to the Microsoft SQL Server Management Studio application. If you've closed it for any reason or have yet to launch and log into the database from the application refer to the previous steps P2-3A to P2-3G.
    We will now be creating a new admin login for the RockRMS database. Because we've set up many things ahead of time through AWS we will be skipping/modifying many of the settings in the RockRMS Internal Hosting Guide

    P2-6A: Create db admin user / pass using a modified SQL script from this site (https://stackoverflow.com/questions/47112496/aws-rds-microsoft-sql-server-express-cannot-add-users-with-permissions-to-se)
    Copy and paste the code below and modify for your needs. Change the login username from "rockuser" to whatever you choose or keep this as is.
    AWS_How-to_Part2-RDP_Step6aa.JPG

    P2-6B: Change the password in the "enteryourpasswordhere" section before running the script to create the user.
    [Video Timestamp - Part 1 - 0:15:50-0:16:43] - technical explanation on the user role creation
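    -- Logins are server-level principals, so create this one from master.
    USE master;
    GO
    -- CHECK_POLICY = OFF and CHECK_EXPIRATION = OFF skip the Windows password
    -- complexity and expiry rules for this login, so pick a long, unique password.
    CREATE LOGIN [rockuser]
    WITH PASSWORD = N'enteryourpasswordhere',
    CHECK_POLICY = OFF,
    CHECK_EXPIRATION = OFF;
    GO
    -- Server-level permissions for the login; WITH GRANT OPTION also lets
    -- [rockuser] grant each of these permissions to other logins.
    GRANT ALTER ANY CONNECTION TO [rockuser] WITH GRANT OPTION;
    GRANT CREATE ANY DATABASE TO [rockuser] WITH GRANT OPTION;
    GRANT VIEW ANY DATABASE TO [rockuser] WITH GRANT OPTION;
    GRANT VIEW ANY DEFINITION TO [rockuser] WITH GRANT OPTION;
    GRANT VIEW SERVER STATE TO [rockuser] WITH GRANT OPTION;

    Once you have filled in your user name and password in the script, click on the "Execute" button above your Query window to create the user role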
    AWS_How-to_Part2-RDP_Step6a.JPG

    P2-6C: In the left-hand Object Explorer navigation click the "refresh" button, drill-down to the Security and Logins area. You should now see your newly created user role in the Logins list of the Object Explorer, if not, collapse the Logins area and click the refresh button again.
    Once you have confirmed that your new user role is created and shown in the Logins area, you may close the Query tab.
    AWS_How-to_Part2-RDP_Step6aaa.JPG

    P2-6D: We have now completed the setup of the MS SQL Database and no further setting changes from the guide are necessary. All of these have been accomplished during the AWS RDS setup prior to the initial RDP login.
    [Video Timestamp - Part 1 - 0:18:07-0:18:50] - technical explanation on why we're skipping the remaining guide steps


  7. Launching the RockRMS Installation
    [Video Timestamp - Part 2 - 0:18:51]

    This is what we've been working so diligently for! The time has come to finally launch the RockRMS installation.
    All management or settings applications can be closed at this point from previous steps.
    P2-7A: Open up a few Windows Explorer windows and navigate to the unzipped rockrms-install folder. Also navigate to the "C:\inetpub\wwwroot" folder and copy the "Start.aspx" file to this folder on the local virtual machine drive.
    AWS_How-to_Part2-RDP_Step7aa.JPG

    P2-7B: You may now close these Windows Explorer windows upon successfully copying the Start.aspx file.
    Open up Internet Explorer and enter "http://localhost/Start.aspx" into the address bar and press "enter" on your keyboard to launch the installation.
    AWS_How-to_Part2-RDP_Step7aaa.JPG

    P2-7C: The remaining steps take you through the installation screens in the browser window. The fields entered will all be based on the names and information you've previously used for your AWS and database setup.
    Click the "Get Started >" button to proceed
    AWS_How-to_Part2-RDP_Step7aaaa.JPG

    Enter your specific RDS Endpoint URL into the Database Server field (see steps P2-3B through P2-3E)
    AWS_How-to_Part2-RDP_Step7aaaaa.JPG

    After you've copied and pasted your RDS Endpoint URL, enter the previously created name for the Database, enter the same username and password that were created with the SQL command from step P2-6B, and click the "Next >" button to continue
    AWS_How-to_Part2-RDP_Step7aaaaaa.JPG

    P2-7D: The RockRMS installer does some environment checks and tests. Ensure that all items have green check marks and then click the "Next >" button to continue. If you do not see all green check marks, pause and correct the issue before continuing to ensure a proper installation.
    [Video Timestamp - Part 2 - 0:21:22]
    AWS_How-to_Part2-RDP_Step7aaaaaaa.JPG

    Create a new RockRMS Administrator username and password and click the "Next >" button.
    Note: This user will have access to the entire RockRMS internal site settings.
    AWS_How-to_Part2-RDP_Step7aaaaaaaa.JPG

    Enter the Internal and External URLs for your RockRMS site. Select a Timezone preference and click the "Next >" button. You can enter the URLs that you want it to be now and then in Part 3 we can ensure these will work by setting up the SSL cert and Domain DNS settings.
    Note: These settings can be changed after the setup has been completed in the RockRMS Admin Tools - General Settings - Global Attributes page.
    AWS_How-to_Part2-RDP_Step7aaaaaaaaa.JPG

    Enter the Organization Information for your RockRMS site and click the "Next >" button
    Note: These settings can be changed after the setup has been completed in the RockRMS Admin Tools - General Settings - Global Attributes page. The information entered in these fields has no direct impact on your setup and is used mainly for display purposes.
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaa.JPG

    The RockRMS installation begins. You can click the "Show Console" button to watch as the script does all of the fun setup stuff if you'd like...or you can step away to stretch and reward yourself with some coffee. You've earned it!
    Be patient while it's installing, this can take some time.
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaaa.JPG
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaaaa.JPG

    Once the installation is complete you can now press the "Flip the Switch" button to start the RockRMS web service.
    Be patient while it's loading for the first time, this can take some time.
    [Video Timestamp - Part 2 - 0:23:55 - 0:24:47] Technical explanation on the free loadbalancer and SSL cert from AWS
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaaaaa.JPG

    Enter the login credentials you created during the RockRMS installation process and click the "Log In" button to enter the internal administration site for the first time.
    Be patient while it's loading for the first time, this can take some time until items are cached.
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaaaaaaaa.JPG

    Once successfully logged in you can hover at the bottom of the page and click the "i" icon in the action bar to bring up the System Information dialog.
    Note: Until we set up the loadbalancer and SSL cert and create some CNAME records in our domain registrar's DNS settings, we are still only logged into the RockRMS web service from the virtual machine inside of the RDP. You could hit this site now that it's running externally with the AWS RDS endpoint URL until Part 3 is completed.
    [Video Timestamp - Part 2 - 0:25:38] More technical explanation on the free loadbalancer and SSL cert from AWS
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaaaaaaaaaaaa.JPG

    You can review your current RockRMS version in the System Information and check the Diagnostics to get detailed information on your Database.
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaaaaaaaaaa.JPG
    AWS_How-to_Part2-RDP_Step7aaaaaaaaaaaaaaaaaaa.JPG

    Congratulations, you have now successfully created a clean RockRMS installation on Amazon's Web Services for free!
    Note: Don't make any drastic configuration changes, updates, or tweaks until you've completed Part 3.


The Finishing Touches


We're almost there! In the next part we will be setting up a loadbalancer in AWS to take care of the SSL certification and authentication and then adding some new records at our domain registrar so that we can get to this new web service with a clean and memorable URL for your organization's needs. We will also be taking a snapshot of the database through the AWS services console and backing up the inetpub directory for safe keeping.

Note: Some of the sequences shown below are sped up due to time constraints. No action is being taken during these portions. Remember that this is a very low powered virtual build with 1 Gb of RAM and things can load slowly initially. Once configured and cached the system performs adequately for its use-case of small church needs or demo purposes.

Part 3 - SSL Cert/Domain DNS Setup and Database Backup

RockRMS_AWS DemoSiteInstall_Part3 from Harvest Pittsburgh North on Vimeo.


Part 3 - Table of Contents


  1. Create the AWS SSL Certificate and DNS CNAME Record
    [Video Timestamp - Part 3 - 0:00:00]
    P3-1A: You may now switch away from your RDP virtual machine and return to the AWS services account through your web browser
    In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "ACM" and select the first result "Certificate Manager - Provision, Manage, and Deploy SSL/TLS Certificates"
    This loads the Certificate Manager where we will provide AWS with our domain information
    AWS_How-to_Part3-SSL_Step1a.JPG

    Click the "Get started" button under the Provision certificates section in order to start the process.
    AWS_How-to_Part3-SSL_Step1aa.JPG

    Select "Request a public certificate" and click the "Request a certificate" button to continue
    AWS_How-to_Part3-SSL_Step1aaa.JPG
    P3-1B: Add your main website domain without any http or https qualifier as well as a wildcard version of your website domain including the preceding "*." Click the "Next" button to continue
    Note: Unlike other free SSL certificate services like ACME, AWS provides free wildcard certificates on your domain for 1 year. This allows for an unlimited number of sub-domains that you may setup.
    AWS_How-to_Part3-SSL_Step1aaaa.JPG

    Select "DNS validation" and then click the "Review" button to see the previous settings you've selected.
    Note: DNS validation requires access to your domain registrar's settings in order for Amazon to validate your domain is owned by you.
    AWS_How-to_Part3-SSL_Step1aaaaa.JPG
    Review the selections you've previously made and then click the "Confirm and request" button to continue
    AWS_How-to_Part3-SSL_Step1aaaaaa.JPG
    On the Validation page of the certificate request process, drill-down both domains. Do not click the Continue button at this point as we need to login to your domain registrar in order to create a few CNAME records first.
    AWS_How-to_Part3-SSL_Step1aaaaaaaa.JPG
    AWS_How-to_Part3-SSL_Step1aaaaaaaaaaa.JPG

    Note: You only need to copy the prefix portion of the supplied Name starting with the underscore up to your domain.

    Copy the wildcard domain validation Name to your clipboard
    AWS_How-to_Part3-SSL_Step1aaaaaaaaaaaa.JPG

    P3-1C: Log in to your domain registrar's account console and manage or edit the domain DNS setting that matches your website.
    Note: Each organization's domain registrar system may differ. 
    AWS_How-to_Part3-SSL_Step2a.JPG

    P3-1D: Create a new CNAME record and paste the wildcard record NAME provided by AWS into the CNAME Name field
    AWS_How-to_Part3-SSL_Step2aa.JPG

    AWS_How-to_Part3-SSL_Step2aaa.JPG AWS_How-to_Part3-SSL_Step2aaaa.JPG

    When pasting the name from the AWS certificate console, drop the domain suffix from the record name Amazon supplies for you. You just need the part that starts with the underscore up to your domain "_xxxxxxx"
    AWS_How-to_Part3-SSL_Step2aaaaa.JPG

    Briefly switch back to the AWS Certificate console and copy the "Value" field supplied.
    AWS_How-to_Part3-SSL_Step2aaaaaa.JPG

    P3-1E: After you've set your new record type to "CNAME", pasted in both the Host Name and Points to Value records supplied from Amazon, you may click the "Save" button. Note: You may consider temporarily setting a custom TTL (Time to live) value of 600 seconds to help resolve this new record quickly. Once resolved you'll want to set it back to the 1 hour default to avoid latency issues.
    AWS_How-to_Part3-SSL_Step2aaaaaaa.JPG
    You can adjust the new CNAME record by clicking edit or a pencil icon depending on your domain registrar's user interface.
    AWS_How-to_Part3-SSL_Step2aaaaaaaaaa.JPG
    Click the "Save" button to keep the custom TTL setting.
    AWS_How-to_Part3-SSL_Step2aaaaaaaaaaaa.JPG
    Check the AWS Certificate page to ensure that the new record you created in your domain registrar's DNS management has been successfully validated by Amazon.
    AWS_How-to_Part3-SSL_Step2aaaaaaaaaaaaa.JPG
    P3-1F: Use a service such as https://dnschecker.org to check that this new record is propagating to other DNS servers throughout the globe.
    Paste in the full record name supplied by Amazon Certificate Manager, including the domain, select the "CNAME" record and click the "Search" button to check the global servers.
    AWS_How-to_Part3-SSL_Step2aaaaaaaaaaaaaaaaa.JPG

    After a few refreshes of this page you will start to see major DNS servers start to validate the new CNAME record. You may now proceed and check this later to ensure that all have properly resolved as this can take some time.
    AWS_How-to_Part3-SSL_Step2aaaaaaaaaaaaaaaaaa.JPG

    P3-1G: Once everything shows "Success" and you've ensured that it is propagating to other DNS servers throughout the globe, you can click the "Export DNS configuration to a file" button to have a backup of the DNS values for safe keeping. You can return to the AWS Certificate page at any point to retrieve this information if needed.
    Finally, click the "Continue" button to finish the certificate setup.
    AWS_How-to_Part3-SSL_Step2aaaaaaaa.JPG

    You may now continue on to setting up the Loadbalancer to serve up this new SSL certificate so that any web request is properly routed to the secure https method.
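The "drop the domain suffix" step above matters at registrars that append your domain to the Host field on their own: pasting the full name there publishes a doubled record that never validates. This added Python example (not part of the original tutorial; the record names and values are constructed placeholders) derives the Host field and diagnoses that mistake from the records you actually published:

```python
"""Host field for an ACM validation CNAME, plus a check for the doubled-domain mistake."""


def _norm(name: str) -> str:
    # DNS names are case-insensitive and may be shown with a trailing dot.
    return name.strip().rstrip(".").lower()


def registrar_host(record_name: str, zone: str) -> str:
    """Return what to type in "Host" when the registrar appends the zone itself."""
    name, zone = _norm(record_name), _norm(zone)
    if name == zone:
        return "@"
    if not name.endswith("." + zone):
        raise ValueError(f"{record_name!r} is not inside zone {zone!r}")
    return name[: -len(zone) - 1]


def diagnose(record_name: str, value: str, zone: str, published: dict) -> str:
    """Compare published CNAMEs (name -> target) with what the certificate console asked for."""
    name, zone = _norm(record_name), _norm(zone)
    records = {_norm(k): _norm(v) for k, v in published.items()}
    if name in records:
        return "ok" if records[name] == _norm(value) else "wrong-value"
    if f"{name}.{zone}" in records:
        # The full name was pasted and the registrar added the zone again.
        return "doubled-domain"
    return "missing"


if __name__ == "__main__":
    # Constructed sample values, not real validation records.
    NAME = "_3f2a9c1d0e.rock.example.org."
    VALUE = "_a1b2c3d4e5.acm-validations.aws."
    ZONE = "example.org"
    print("Host field:", registrar_host(NAME, ZONE))
    published = {"_3f2a9c1d0e.rock.example.org.example.org": VALUE}
    print("Status:", diagnose(NAME, VALUE, ZONE, published))
```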

  2. Create and Setup the Loadbalancer
    [Video Timestamp - Part 3 - 0:06:44]

    P3-2A: In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "EC2" (Virtual Servers in the Cloud) or select "EC2" from the 1st option within the Compute section of the main Services page, if it’s not already available in your history in the left-hand navigation.
    Note: This loads the EC2 Dashboard where we can manage our virtual servers at any point.
    AWS_How-to_Part3-SSL_Step3a.JPG

    P3-2B: From the EC2 Dashboard click the “Load Balancers” button from the Load Balancing section of the left-hand navigation. From the Load Balancers page click the large blue “Create Load Balancer” button at the top of the page. 
    AWS_How-to_Part3-SSL_Step3bb.JPG

    P3-2C: Select the “HTTP / HTTPS Application Load Balancer” from the Load Balancer Type screen to continue.
    AWS_How-to_Part3-SSL_Step3bbb.JPG

    Fill out the Load Balancer Basic Configuration page by giving it a recognizable Name, selecting "internet-facing" for the Scheme, keeping the default IP address type of "ipv4", and adding an additional Listener of "HTTPS" on port 443.
    AWS_How-to_Part3-SSL_Step3bbbb.JPG

    Select both previously setup Availability Zones and select the "Web1" and "Web2" subnets that were previously created.
    Click the "Next: Configure Security Settings" button at the bottom to continue.
    Note: You must ensure that you've added the additional HTTPS listener before proceeding.
    AWS_How-to_Part3-SSL_Step3bbbbbbb.JPG

    P3-2D: Select "Choose a certificate from ACM (recommended)", ensure that your previously setup certificate is selected in the "Certificate Name" field, and select a security policy.
    AWS_How-to_Part3-SSL_Step3bbbbbbbb.JPG

    Your Security policy is likely going to be the most current one offered by AWS.
    Click the "Next: Configure Security Groups" button to continue.
    AWS_How-to_Part3-SSL_Step3bbbbbbbbb.JPG

    P3-2E: Ensure that "Select an existing security group" is the option chosen for assigning a security group. Select the previously created security group for the load balancer below.
    Click the "Next: Configure Routing" button to continue.
    AWS_How-to_Part3-SSL_Step3bbbbbbbbbb.JPG

    P3-2F: Set a New Target Group by giving it a new Name such as "RockDemoWebServer", and keeping the defaults of "Instance" for the Target Type, "HTTP" for the Protocol on port 80. No changes need to be made within the Advanced Settings.
    Click the "Next: Register Targets" button to continue
    AWS_How-to_Part3-SSL_Step3bbbbbbbbbbb.JPG

    Select both the available target and instances, then click the "Next: Review" button to continue
    AWS_How-to_Part3-SSL_Step3bbbbbbbbbbbb.JPG

    Review the information you've provided thoroughly and then click the blue "Create" button at the bottom of the page to complete the Load Balancer.
    AWS_How-to_Part3-SSL_Step3bbbbbbbbbbbbb.JPG

    Click the "Close" button after the Load Balancer has successfully been created to return to the Load Balancers dashboard page to see the status of your newly created Load Balancer.
    AWS_How-to_Part3-SSL_Step3bbbbbbbbbbbbbb.JPG

     
  3. Configure the Loadbalancer
    [Video Timestamp - Part 3 - 0:10:51]
    P3-3A: While the Load Balancer is being provisioned we can add some additional configurations.
    From the Load Balancer dashboard, with your load balancer selected, click the "Listeners" tab at the bottom, then click the "View/edit rules" link on your HTTP listener.
    AWS_How-to_Part3-SSL_Step3c.JPG

    P3-3B: Click on the "Edit/Pencil" icon at the top of the Rules page (next to the "+" tab) to edit an existing rule on the HTTP listener set.
    Click on the "Edit/Pencil" icon next to the existing HTTP 80: default action rule line.
    AWS_How-to_Part3-SSL_Step3cc.JPG

    Delete part of the existing rule on the HTTP listener by clicking the "Delete/Trashcan" icon on the THEN portion of the rule.
    AWS_How-to_Part3-SSL_Step3ccc.JPG
    Edit the THEN statement by selecting a "Redirect to..." and setting it to "HTTPS" and port "443", leaving the remaining fields as default and clicking the "Okay/Checkmark" set icon
    AWS_How-to_Part3-SSL_Step3cccc.JPG
    Click the blue "Update" button to complete the Rule change on the HTTP listener.
    AWS_How-to_Part3-SSL_Step3ccccc.JPG

    [Video Timestamp - Part 3 - 0:11:56]
    P3-3C: Once the Load Balancer dashboard page loads click on the "Target Groups" link from the left-hand navigation under the Load Balancing section. As the previously created RockDemoWebServer target group is selected click on the "Targets" tab and then hover over the "i" link to see the health status of the target group. This will likely be unhealthy to start because we have a few more settings to change.
    Note: You're almost there don't give up now!! These last remaining settings will complete the SSL / Load Balancer setup and allow us to view the install from outside of the RDP with a nice new clean subdomain on your existing church's URL.

    AWS_How-to_Part3-SSL_Step3cccccc.JPG

    P3-3D: Click on the "Health Checks" tab then click on the "Edit health check" button below
    AWS_How-to_Part3-SSL_Step3ccccccc.JPG

    Change the path to that of the internal login page of the RockRMS install, "/page/3", and reduce the Interval to "15" seconds, keeping all other settings as the default. Click the blue "Save" button to continue.
    AWS_How-to_Part3-SSL_Step3cccccccc.JPG

    After the health check settings have been saved click the "Targets" tab again and hover over the "i" link in the registered targets area and you should now see a healthy status. Ensure that you do before moving forward.
    AWS_How-to_Part3-SSL_Step3ccccccccc.JPG

    P3-3E: Navigate back to the Load Balancer dashboard page by clicking on the "Load Balancer" link in the left-hand navigation.
    Copy the DNS Name to your clipboard from the Description tab of the Load Balancer dashboard. This will be used to create another CNAME record in your domain registrar's DNS settings for the subdomain you choose to have your RockRMS pointed to.
    AWS_How-to_Part3-SSL_Step3cccccccccc.JPG


    P3-3F: Navigate to your domain registrar's DNS settings and add a new "CNAME" type record. Paste the DNS record that you copied from your AWS Load Balancer into the "Points to" field, add a subdomain of your choosing into the "Host" field and set a low custom TTL for now so that the world-wide DNS servers will quickly propagate this new DNS record. Click save to add the CNAME record.
    Note: You can add multiple CNAME records for as many sub-domains as you want or need for the RockRMS install now using the Load Balancer DNS record supplied by AWS. Hint: You may want separate sub-domains for your internal and external facing RockRMS pages.
    AWS_How-to_Part3-SSL_Step3ccccccccccc.JPG
    P3-3G: Once your new DNS record has been saved you can once again check the status of it by utilizing https://dnschecker.org and entering your new sub-domain CNAME record and checking the world-wide propagation status. This should resolve immediately as AWS is now offloading the original CNAME and pointing it to the new clean sub-domain.
    AWS_How-to_Part3-SSL_Step3cccccccccccccccc.JPG

    Don't get ahead of yourself just yet, let's fix those unnecessarily low TTL DNS settings first.
    Go back to your domain registrar's DNS management and adjust the new records to the TTL default or 1 Hour or 1 Day. To understand why you should do this read up on this article: Stop using ridiculously low DNS TTLs
    AWS_How-to_Part3-SSL_Step3cccccccccccccccccc.JPG
    The moment you've been waiting for is here!!!
    [Video Timestamp - Part 3 - 0:14:37]


    P3-3F: Open up a new browser tab on your local machine and go to your new sub domain website.
    You should be able to successfully navigate to this domain, which points to the internal login screen, from any public computer in the world.
    AWS_How-to_Part3-SSL_Step3cccccccccccc.JPG

    You can click on the lock icon in Chrome to view the new SSL certificate information. If you click the "Certificate" link on this popup you will see all of the Amazon provided certificate information for your domain name.
    AWS_How-to_Part3-SSL_Step3ccccccccccccc.JPG
    Enter your admin Username and Password and log in!!
    Congratulations, you now have a fully secure, clean, and free AWS hosted install of RockRMS!
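Beyond the browser lock icon, you can confirm from any machine that the HTTP listener really redirects to HTTPS and that the certificate validates for your sub-domain. This is an added Python example, not part of the original tutorial; `rock.example.org` is a placeholder for the sub-domain you chose:

```python
"""Check the HTTP-to-HTTPS redirect rule and the certificate served on port 443."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit


def evaluate_redirect(status: int, location: str, host: str) -> list:
    """Return a list of problems with the answer the port 80 listener gave."""
    if status not in (301, 302, 307, 308):
        return [f"port 80 answered {status}, not a redirect"]
    problems = []
    target = urlsplit(location or "")
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location!r}")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"redirect leaves the requested host: {location!r}")
    if target.port not in (None, 443):
        problems.append(f"redirect uses unexpected port {target.port}")
    return problems


def fetch_port80(host: str, path: str = "/", timeout: float = 10.0):
    """Request a page over plain HTTP without following the redirect."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "redirect-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()


def tls_summary(host: str, timeout: float = 10.0) -> dict:
    """Handshake on 443 with chain and host-name verification.

    Raises ssl.SSLError (for example a verification failure) if the
    certificate does not validate for `host`.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "expires": cert.get("notAfter"),
            }


if __name__ == "__main__":
    HOST = "rock.example.org"  # placeholder: your RockRMS sub-domain
    status, location = fetch_port80(HOST)
    for line in evaluate_redirect(status, location, HOST) or ["redirect ok"]:
        print(line)
    print(tls_summary(HOST))
```

The negotiated protocol in the summary reflects the security policy chosen in step P3-2D together with what your local Python allows.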

  4. Create a Database Backup (snapshot)
    [Video Timestamp - Part 3 - 0:23:44]

    P3-4A: Navigate back to your AWS web browser tab/page. In the top header go to the "Services" drop-down next to the AWS logo 
    In the search bar type "RDS" and select the first result "Managed Relational Database Service" or select "RDS" from your history in the left-hand navigation
    Note: This loads the RDS Dashboard where we can manage the existing database we've created
    AWS_How-to_Part1-VPC_Step13a.JPG

    P3-4B: Select your previously created database from the RDS dashboard or from the Databases link on the left-hand navigation
    AWS_How-to_Part3-SSL_Step4a.JPG

    Click on the "Maintenance & Backups" tab from your selected database dashboard.
    From the Maintenance & Backups tab scroll far down until you get to the Snapshots section. This is where you will see all automated and manual database snapshots (backups).
    Note: You can also get to the Snapshots area directly by clicking the "Snapshots" link from the left-hand navigation.
    AWS_How-to_Part3-SSL_Step4aa.JPG

    P3-4C: If you remember some of the settings we chose when setting up the RDS database, we selected a daily automatic backup process. These rotate daily for a 7-day period as was selected for the free tier. In order to create a clean install backup we need to take a manual snapshot, which will stay in this area permanently.
    Click the "Take snapshot" button in the upper right-hand corner of the Snapshots section
    AWS_How-to_Part3-SSL_Step4aaa.JPG

    Creating a manual snapshot is as simple as giving it a name and then clicking the "Take Snapshot" button to start its creation.
    AWS_How-to_Part3-SSL_Step4aaaa.JPG

    This will take a few minutes to complete and you can check the Status and Progress of the snapshot from here.
    AWS_How-to_Part3-SSL_Step4aaaaa.JPG
    Note: It's good practice to take a manual snapshot before each major version upgrade of RockRMS.

  5. Backup the wwwroot and inetpub folder on the VPC Windows Virtual Machine
    [Video Timestamp - Part 3 - 0:24:55]
    P3-5A: Log in to your RDP. Use steps P2-1A through P2-1I as a refresher on how to do this.
    Open up a Windows Explorer window and navigate to the "inetpub" folder, likely "C:\inetpub\"

    P3-5B: Right-click on the "wwwroot" folder and go to the "Send to" context command to create a compressed zip file of the entire folder's contents.
    AWS_How-to_Part3-SSL_Step5a.JPG

    Once the zipped file is created, name it appropriately for your backup state. Copy this file and save it to your local machine or cloud storage provider for safe keeping.
    AWS_How-to_Part3-SSL_Step5aa.JPG AWS_How-to_Part3-SSL_Step5aaa.JPG

    This concludes Part 3 of the AWS setup. Note: You can technically backup the EC2 virtual machine however the size of this backup will bump up against the free tier limits and may cause charges to your account. Backing up the actual VPC isn't really necessary as we'll discuss migrating in a future part. Doing a backup of this nature creates an actual image of the virtual machine taking up space on Amazon's S3 bucket.


Upgrading RockRMS

You've done it! You have successfully setup a full stack AWS virtual machine, database, and backup solution for your church's needs. In the next part we will be going through the steps needed to upgrade RockRMS through major and minor releases and then taking another snapshot of the database through the AWS services console and backing up the inetpub directory for safe keeping.

Note: Some of the sequences shown below are sped up due to time constraints. Also, the fantastic technical explanations by Mike Wolski weren't captured in this segment. However, the tutorial is still solid and can easily be followed. The re-dubbing of the audio may be recorded at a later time and the video replaced.

Part 4 - Upgrading RockRMS and Database Backup


RockRMS_AWS DemoSiteInstall_Part4 from Harvest Pittsburgh North on Vimeo.


Part 4 - Table of Contents

Click on the topics below to jump to that section:

  1. Upgrade RockRMS
    [Video Timestamp - Part 4 - 0:00:00]
    P4-1A: You may now switch away from your AWS services account and to your RockRMS install administration page through your web browser
    AWS_How-to_Part4-Upgrading_Step1a.JPG

    Click the "Rock Update" link in the General Settings page
    AWS_How-to_Part4-Upgrading_Step1aa.JPG

    When updates are available you will see the "New Pieces Available" call-out at the top of the page. Scroll down to see all of the releases.
    AWS_How-to_Part4-Upgrading_Step1aaa.JPG

    Click the blue "Install" button to the left of the release you are choosing to upgrade to.
    Note: Each release has a link to the Release Notes page giving you detail on the fixes and enhancements of the major and minor releases.
    AWS_How-to_Part4-Upgrading_Step1aaaa.JPG

    Once the release install is completed you will see a "Eureka, Pay Dirt!" confirmation.
    Click the green "Restart" button to restart the RockRMS service on the virtual machine.
    AWS_How-to_Part4-Upgrading_Step1aaaaa.JPG

    During the service restart you may get a "504 Gateway Time-out" browser error because the service is not yet back up and running.
    Click on the refresh button or hit F5 on your keyboard to refresh the page until your RockRMS service comes back up.
    AWS_How-to_Part4-Upgrading_Step1aaaaaa.JPG
    Once you've upgraded to the most current release you will get a "Everything Is Shipshape" confirmation on the Rock Update page.
    AWS_How-to_Part4-Upgrading_Step1aaaaaaaa.JPG

    You can confirm your currently running version by clicking the "i" icon in the Admin action bar when you hover at the bottom of the screen in your browser.
    AWS_How-to_Part4-Upgrading_Step1aaaaaaaaa.JPG

    You may clear off any of the Update Notifications from your Admin home page by clicking the "x" buttons for each as needed.
    AWS_How-to_Part4-Upgrading_Step1aaaaaaaaaa.JPG

    Some releases may require manual checks or changes as refactoring occurs to the code base. All RockRMS admins should check the Technical Release Notes to ensure that they have their installs secure and in good working order.
    AWS_How-to_Part4-Upgrading_Step1aaaaaaa.JPG

    Now that you've updated the install to the most current version it's time to take another clean snapshot(backup) of the database and make a zip file backup of the inetpub and wwwroot folders.

  2. Backup RDS and RockRMS inetpub and wwwroot folder for clean v9 build
    [Video Timestamp - Part 4 - 0:10:34]
    P4-2A: Creating the database backup and wwwroot backups is the same process as outlined in Part 3 steps P3-4A through P3-5B.
    Simply rename the new manual backup with your current build version for your clean install.
    AWS_How-to_Part4-Upgrading_Step2a.JPG
    AWS_How-to_Part4-Upgrading_Step2aa.JPG
    It is a good idea to create a manual snapshot (backup) of the database and wwwroot folder before any major release or before installing a bunch of plugins to be safe if needing to roll-back due to any errors.

Post Install How-to Considerations

  1. Admin Tools - General Settings - Global Attributes - Configure RockRMS: Double check Internal & Public Application root URLs based on your domain CNAME settings
  2. Admin Tools - General Settings - Global Attributes - Configure RockRMS: Organization email (exceptions and system emails go to this address)
  3. Admin Tools - Rock Shop - Log into your RockRMS account and download some valuable plugins

Part 5 - Migrating your AWS Database & SSL Cert. (to another region)

You’ve been running your RockRMS environment successfully on AWS for almost a year and now your free tier trial is almost up. Once your 12 months officially lapse you will begin to incur month to month charges on the credit card that was originally setup with the AWS account.
If you want to continue using AWS as your RockRMS hosting provider you can look into the TechSoup credits, which can be applied to month to month instances upwards of $2,000 a year with a one time $175 admin fee. We also suggest considering Reserved Instances, which can save your church a ton of money over a fixed pre-paid period such as 1, 2, or 3 years. Smaller churches that can run just fine off of the original 12mo. free tier can purchase a reserved instance equivalent and/or better for as little as $22/month for a 2-3 year reservation.

You also should continually evaluate your environment's performance and consider boosting your EC2 spec if needed which only requires a few clicks and not an entire migration procedure (we'll cover more on this in another tutorial). 

In the following migration procedure we’re assuming that you’d only like to transfer your environment to another region that may have additional features that you want to use. Not all AWS regions are alike and some have additional services and regions that you may want to take advantage of for your organization's purposes. Even though it may not be geographically close to your physical location, choosing an alternate region has benefits.


Part 5 - Table of Contents

Click on the topics below to jump to that section:

  1. Create a brand new AWS account (new email required)
    [Video Timestamp - Part 5 - 0:00:00]
    Since we never truly captured the original account creation in Part 1, you can follow along starting here assuming that this is only due to a region change and for backup purposes you want to keep the original account. Otherwise you can migrate regions within the same original AWS account by following this process.
    P5-1A: Create a brand new Amazon AWS account at https://aws.amazon.com and click on the big orange "Create an AWS Account" button in the upper-right corner of the page. This will send you to the sign-in page where you can sign in with an existing account or create a new one. Click the gray "Create an AWS Account" button underneath the sign-in or New to AWS? area.
    AWS_How-to_Part5-Migration_Step1a.JPG
    AWS_How-to_Part5-Migration_Step1aa.JPG or  AWS_How-to_Part5-Migration_Step1aaa.JPG

    P5-1B: Once on the new account creation page, enter an email address and a password that you’ll remember or store in a password vault. Enter a memorable account name and then click on the yellow "Continue" button at the bottom of the form.

    AWS_How-to_Part5-Migration_Step1aaaa.JPG

    P5-1C: On the next page fill out your contact details, most likely a Professional account if you are setting this up for your church. Ensure that you have read and agreed to Amazon’s terms of service. Add a phone number that you can validate your account with via SMS or automated call. Click on the yellow "Create Account and Continue" button at the bottom of the form.
    AWS_How-to_Part5-Migration_Step1aaaaa.JPG

    P5-1D: Fill out a valid payment method and billing address. This is a mandatory step as any account can easily go over the free tier limits once your church grows. Check the AWS pricing page for options, or better yet pay in advance with Reserved Instances to save!
    AWS_How-to_Part5-Migration_Step1aaaaaa.JPG
    Click on the yellow "Verify and Add" button at the bottom of the form. They have to make sure that you're human several times in this process or bots could really abuse creating AWS accounts.
    AWS_How-to_Part5-Migration_Step1aaaaaaa.JPG AWS_How-to_Part5-Migration_Step1aaaaaaaa.JPG

    AWS_How-to_Part5-Migration_Step1aaaaaaaaa.JPG

    P5-1E: Once your account has been validated you'll be presented with a Support Plan selection screen. Select the Basic Plan by clicking on the yellow "Free" button.
    AWS_How-to_Part5-Migration_Step1aaaaaaaaaa.JPG
    You have now successfully setup a brand new Amazon AWS account!

    [Video Timestamp - Part 5 - 0:03:12]
    P5-1F: Sign in to your newly created and verified account by clicking on the yellow "Sign in to the Console" button from the welcome screen. You can always sign-in by going to the main AWS site here: https://aws.amazon.com 
    AWS_How-to_Part5-Migration_Step1aaaaaaaaaaa.JPG

    Enter your email and password that was just setup for your account and then click on the blue "Sign in" button to continue.
    AWS_How-to_Part5-Migration_Step1aaaaaaaaaaaa.JPG

    You will now see your fresh AWS Management Console
    AWS_How-to_Part5-Migration_Step1aaaaaaaaaaaaa.JPG

  2. Sharing Data between two AWS accounts
    [Video Timestamp - Part 5 - 0:03:49 - 0:04:24] explanation on region settings
    [Video Timestamp - Part 5 - 0:04:26] Finding your Account ID
    P5-2A: Click on your account name in the top menu bar and select "My Account" in the drop-down. This will give you access to your Account Settings and Account ID (needed for sharing the previous build with the new account for migration purposes).

Part 6 - Setting up Customer Engagement: Amazon Simple Email Service (SES) with SMTP Transport


Amazon Simple Email Service (SES) is a free SMTP mail delivery service that also falls into the free tier. You can send up to 50,000 emails per month within this free limit. See AWS SES Pricing for details.
As it works today with the standard SMTP mail transport it does not capture open or click tracking back into RockRMS. At the end of this section there is another video to show you a high-level overview of how to get Open/Clicks tracking through AWS CloudWatch and PostFix. (If anyone is willing to help with developing a modified Communication Analytics block to pull in the AWS CloudWatch Click/Open data into RockRMS please contact us)


RockRMS_AWS DemoSiteInstall_Part6_SES from Harvest Pittsburgh North on Vimeo.

Part 6 - Table of Contents

Click on the topics below to jump to that section:

  1. Setup SES on your existing AWS account
    [Video Timestamp - Part 6 - 0:00:00]
    P6-1A: After you've logged into your Amazon account at https://aws.amazon.com
    In the top header go to the "Services" drop-down next to the AWS logo
    AWS_How-to_Part1-VPC_Step1a.JPG

    In the search bar type "SES" and select the first result "Simple Email Service"

    AWS_How-to_Part6-SESmail_Step1a.JPG

    This loads the SES Home Dashboard where we will setup our email communications service

    P6-1B: Click the "Domains" link in the left-hand navigation menu. Then click the blue "Verify a New Domain" button to add your domain identity.

    AWS_How-to_Part6-SESmail_Step1aa.JPG
    AWS_How-to_Part6-SESmail_Step1aaa.JPG
    Enter your domain (removing any sub domain prefixes) and select the Generate DKIM Settings toggle and then click the blue "Verify This Domain" button.
    AWS_How-to_Part6-SESmail_Step1aaaa.JPG

    After that step you can expand your domain identity section details to see the status, which will be unverified at this time. You can return to this area to check on the status as you continue the verification process.
    AWS_How-to_Part6-SESmail_Step1aaaaa.JPG
    [Video Timestamp - Part 6 - 0:01:30]
    P6-1C: Click on the actual Domain Identity link, this page will show you all of the detail regarding the status and records on the domain that you are validating. Amazon will give you a few validation records that you will need to copy and put in your domains DNS settings.
    Log in to your DNS service and add a new TXT record. Copy and paste the TXT Name and TXT Value provided in this Domains dashboard so that AWS can validate the ownership of your domain for the SES service.
    Once you've added these records in your DNS settings you will see the status of your domain record update from Pending to Verified.
    AWS_How-to_Part6-SESmail_Step1aaaaaa.JPG
    Now you can successfully use your new SES service to send emails. However, out of the gate AWS puts your new domain into a "sandbox" for testing purposes reducing the number of emails you can send as well as only allowing sends from within your own domain space (you can't send to any other email account such as @gmail.com, @yahoo.com, @mail.com until moving on to the next step).

  2. Update SES Account from Sandbox to Production
    [Video Timestamp - Part 6 - 0:02:00]
    P6-2A: Open up a support ticket by clicking on the "Support" menu in the upper-right hand corner of the page then click on the "Support Center" link within the drop-down menu.
    AWS_How-to_Part6-SESmail_Step2a.JPG

    P6-2B: In the Support Center page you'll begin the process of getting out of the SES sandbox by clicking the orange "Create case" button in the upper-right hand corner of the My support cases area.
    AWS_How-to_Part6-SESmail_Step2aa.JPG

    In the newly opened case, provide details as to what you will be using the SES service for. Feel free to use ours as a template below and modify according to your organization and AWS account details:

    Limit Increase Request 1
    Service: SES Sending Limits
    Region: US East (Northern Virginia)
    Limit Name: Desired Daily Sending Quota
    New Limit value: 500
    --------
    Limit Increase Request 2
    Service: SES Sending Limits
    Region: US East (Northern Virginia)
    Limit Name: Desired Maximum Send Rate
    New Limit value: 25
    --------
    Use case description: We are primarily using the SES service for internal system email from a ChMS system. We plan in the future to send correspondences to those signing up for events and overall notifications for volunteers / staff members.
    Mail Type: Marketing
    Website URL: rock.harvestpittsburghnorth.org
    Describe how you will comply with http://aws.amazon.com/service-terms and http://aws.amazon.com/aup : We only send to recipients in our system's collection
    Describe how you will only send to recipients who have specifically requested your mail: Users must provide their email and opt-in to receiving our communication.
    Describe the process that you will follow when you receive bounce and complaint notifications: We can remove stale email addresses and have a 'Unsubscribe / Remove me from your list' link in all of our email templates.

    Category: Service Limit Increase, SES Sending Limit
    Cage Type: Service limits

    AWS_How-to_Part6-SESmail_Step2aaa.JPG

    Once the case has been marked Resolved and the temporary sandbox restriction lifted you can now move on. This may take a few business days.
    You may now go back to your Domain Settings in the SES dashboard.

    [Video Timestamp - Part 6 - 0:04:28]
    P6-2C: In order for us to use this mail transport we need to create SMTP credentials in order to authenticate our AWS account within RockRMS for the SMTP transport.
    Click on the "SMTP Settings" link from the left-hand navigation and then click the blue "Create My SMTP Credentials" button.
    AWS_How-to_Part6-SESmail_Step2aaaa.JPG
    AWS_How-to_Part6-SESmail_Step2aaaaa.JPG
    Provide an IAM User Name that is recognizable for your organizational needs. Then click on the blue "Download Credentials" button in the lower right-hand corner of this screen.
    AWS_How-to_Part6-SESmail_Step2aaaaaa.JPG
    AWS_How-to_Part6-SESmail_Step2aaaaaaa.JPG

    Save your credentials file (CSV) on your desktop or wherever you can easily find it later. Do not lose track of this file.
    AWS_How-to_Part6-SESmail_Step2aaaaaaaa.JPG

    You may now close the SMTP Credentials window and it'll return you to the Identity and Access Management (IAM) dashboard. There is no action we need to take here at this time.
    AWS_How-to_Part6-SESmail_Step2aaaaaaaaa.JPG 

  3. Ensure the EC2 has outbound access for the SMTP service
    [Video Timestamp - Part 6 - 0:05:53]
    P6-3A: We now need to ensure that our EC2 has outbound access to the mail relay ports. So we'll do this by checking our security groups Outbound rules settings.
    In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "EC2" or find it in your history.
    AWS_How-to_Part6-SESmail_Step3a.JPG

    P6-3B: Navigate to the Security Groups from within the EC2 dashboard by clicking on "Security Groups" from the left-hand navigation under the Network and Security section.
    AWS_How-to_Part6-SESmail_Step3aa.JPG

    Select the "web_sg" security group if that's what you named yours and navigate to the "Outbound" rules tab.

    P6-3C: Create a new Custom TCP Rule on port 587 with a destination of 0.0.0.0/0 for the outgoing mail service. You can add a description of "SMTP" so that you remember why this port is opened.
    AWS_How-to_Part6-SESmail_Step3aaa.JPG

  4. Setting up the RockRMS SMTP Mail Transport
    [Video Timestamp - Part 6 - 0:06:35]
    P6-4A: You are now ready to setup your RockRMS SMTP Mail Transport with the AWS SES service.
    Begin by logging into your RockRMS admin site, navigate to Admin Tools (Briefcase Icon on left-hand nav) and then Communications.
    Once you get to the Communications page you'll want to select the Communication Transports button notated by the truck icon.

    AWS_How-to_Part6-SESmail_Step4a.JPG
    AWS_How-to_Part6-SESmail_Step4aa.JPG

    P6-4B: Within the Communication Transports page you'll then want to click on the SMTP transport to edit it and enter your new AWS SES credentials we previously generated.
    AWS_How-to_Part6-SESmail_Step4aaa.JPG

    [Video Timestamp - Part 6 - 0:07:30] 
    P6-4C: In order to properly setup the SMTP Transport you need an access key for the new SES user we previously created.
    In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "IAM" to go to the Identity and Access Management dashboard or find it in your history.
    AWS_How-to_Part6-SESmail_Step4aaaaa.JPG
    From this dashboard click on the "Users" link in the left-hand navigation and then select your newly created ses IAM user account.
    AWS_How-to_Part6-SESmail_Step4aaaaaa.JPG

    In the Summary screen for this user click on the "Security Credentials" tab.
    AWS_How-to_Part6-SESmail_Step4aaaaaaa.JPG
    Here you can copy the Access Key ID for the ses IAM account below and paste it into the User Name field of the SMTP Transport in RockRMS.
    AWS_How-to_Part6-SESmail_Step4aaaaaaaa.JPG

    [Video Timestamp - Part 6 - 0:08:40]
    P6-4D: Open up the credentials.csv file that holds your saved AWS SES credentials in order to copy/paste the Password (highlighted in green below) into the RockRMS SMTP setting dialog. Ensure that the Port is set to 587, the transport is set to Active, and that Use SSL is set to Yes.
    You will need to update the Server field to the region that you are running your AWS services from, such as email-smtp.xx-xxxx-x.amazonaws.com
    Note: The SES service is only available in 5 or so regions; pick the one closest to the region you are hosting from that has SES available. It does not have to directly match yours.
    Click the "Save" button on the SMTP Properties dialog.
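
    The values from P6-4C and P6-4D can be checked from any workstation before they are saved in Rock. The script below is an added example, not part of the original recipe or of RockRMS: lint_transport and verify_login are hypothetical names, the Access Key ID length check is a heuristic, and it assumes SES accepts STARTTLS on port 587.

```python
import re
import smtplib
import ssl

# SES SMTP endpoints have the form email-smtp.<region>.amazonaws.com.
# The unedited placeholder email-smtp.xx-xxxx-x.amazonaws.com does not match.
SES_HOST = re.compile(r"^email-smtp\.[a-z]{2}(-[a-z]+)+-\d\.amazonaws\.com$")
# Heuristic (assumption): an Access Key ID is 16-128 word characters,
# so an IAM user name containing '-' or '.' is rejected.
KEY_ID = re.compile(r"^[A-Za-z0-9_]{16,128}$")

def lint_transport(server, port, use_ssl, username, password):
    """Return a list of problems with the values destined for the SMTP transport."""
    problems = []
    if not SES_HOST.match(server):
        problems.append("Server is not an email-smtp.<region>.amazonaws.com endpoint")
    if port != 587:
        problems.append("Port should be 587")
    if not use_ssl:
        problems.append("Use SSL must be Yes or the credentials travel unencrypted")
    if not KEY_ID.match(username):
        problems.append("User Name does not look like an Access Key ID")
    if not password or password != password.strip():
        problems.append("Password is empty or carries whitespace from copy/paste")
    return problems

def verify_login(server, port, username, password, timeout=10):
    """STARTTLS with certificate and host name checks, then AUTH. Sends no mail."""
    context = ssl.create_default_context()
    with smtplib.SMTP(server, port, timeout=timeout) as smtp:
        smtp.starttls(context=context)  # raises if TLS cannot be negotiated
        smtp.login(username, password)  # raises SMTPAuthenticationError on bad creds
    return True

if __name__ == "__main__":
    import getpass
    server = input("Server: ").strip()
    user = input("User Name (Access Key ID): ").strip()
    secret = getpass.getpass("Password: ")  # not echoed, not kept in shell history
    issues = lint_transport(server, 587, True, user, secret)
    if issues:
        print("\n".join(issues))
    elif verify_login(server, 587, user, secret):
        print("TLS negotiated and login accepted")
```

    A failed login here usually means the User Name and Password come from different keys or the Server region does not match the region the SES credentials were created in.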

  5. Send an Internal Communication Email Test
    [Video Timestamp - Part 6 - 0:10:05]

    P6-5A: Now that all of the SES and SMTP settings have been established we can send the first internal email communication for testing purposes. To get familiar with sending emails within RockRMS, read and reference the Communicating Using Rock manual and/or check out the Communication RockU Videos.

    Ensure that your domain has been validated in the SES dashboard, then in RockRMS go to People - New Communication to create a test email.

    P6-5B: Once the New Communication email has been sent, you can check its delivery status within RockRMS by navigating to People - Communication History and finding the email communication you sent.
    You can also check your domain's reputation status in the SES dashboard by clicking the "Reputation Dashboard" link from the left-hand navigation menu.
    Once your Service Ticket for the sending limits has been approved and the limits lifted you'll be able to send easily outside of your domain and to your entire congregation.
    Note: At this time clicks and opens are not tracked within RockRMS for SES. Below is a high-level overview of how we're using AWS's CloudWatch service and a simple turn-key Linux VM running the Postfix service to capture each communication and re-write the header information in order to then track Clicks and Opens in your email communications.

    If anyone is interested in partnering with us to modify/fork the existing Communications Analytics block to digest the AWS CloudWatch API, we'd greatly appreciate the support. Please email support@harvestpittsburghnorth.org for inquiries.

    RockRMS_AWS DemoSiteInstall_Part6_PostfixCloudwatchAnalytics from Harvest Pittsburgh North on Vimeo.



Part 7 - Future of AWS Hosting for RockRMS (Fast Build / Turn-key)

A "turn-key" hosting solution was posted as a separate recipe in Aug 2019. You'll be able to get up and running with RockRMS on AWS in under an hour easily. Check it out here!

