Free Tier AWS Hosting for RockRMS

Shared by Ben Murphy, Harvest Bible Chapel Pittsburgh North
4 years ago

General, Web, Communications Advanced

This long-form recipe has been depricated by the "turn-key" recipe, where you can be up and running in under an hour!
https://community.rockrms.com/recipes/190/turn-key-rockrms-hosting-with-aws

Free?!?!

Yes free (for 12 months), but in order to stay within Amazon's Free Tier limitations this is only useful for:

Very small <=50 to small churches <= 250 average weekly attendees
Demo sites to train staff on (clean build is easily refreshed after a training session)
Testing new code or ideas with limited data-sets
Churches considering RockRMS from their current ChMS that need to really kick the tires and discover how best to import their current data into RockRMS
Churches that either do not have a 501c3 status or do not prefer to go through any not-for-profit programs offered by other large technology companies

Note: this is a lengthy dive into the how's and why's behind using Amazon's cloud services to host your RockRMS install or demo site. This can take a relatively experienced person a half day to fully setup (3-5hrs). At the end of the 12 month free tier period you will incur month to month costs; researching and purchasing a reserved instance will save you money (think of it as pre-purchasing for the next 1, 2, 3 years).

Our heart is for the small yet big "C" church and we plan to lower this barrier to entry significantly in the future by offering several Cloudformation configurations(think turnkey templates), that others can build off of to get started much faster with RockRMS. Our future plan is to develop a start to finish cloud hosted solution with AWS down to 15-30 minutes with little technical knowledge needed.

Prerequisites

Create/have a user and login to www.rockrms.com
Download install helper script: https://www.rockrms.com/GetStarted
(this .zip and unpacked .aspx script will be copied onto the Virtual RDP server once configured to build the database for RockRMS)
Create an AWS account and login to https://aws.amazon.com
Note: A valid Amazon account that you have today works just fine, no need to create a new one. But it is likely best to use an email account from your church's domain as each year you'll have to move this free tier setup to a new user account/email.
Ensure that you have access to your church's website domain and DNS settings.
This is so that you can setup AWS's free SSL wildcard certificate and set the new RockRMS install internal and external sites with new sub-domains as you see fit.

Big thanks to our main narrator Michael Wolski!! This humble AWS Certified database ninja moonlights as our church's AVL Ministry Leader. Without him Harvest Bible Chapel Pittsburgh North wouldn't have ever dreamed of being able to pursue such an amazing system to bring people to the love of Christ!!

Main - Table of Contents

Click on the topics below to jump to that section:

Part 1 - AWS Setup
Part 2 - RockRMS Install RDP Login
Part 3 - SSL Certificate and Backups
Part 4 - Updating RockRMS and Backups
Part 5 - Migrating your AWS Database & SSL Cert. (to another region if needed)
Part 6 - Setting up Customer Engagement: Amazon Simple Email Service (SES)
Part 7 - Future of AWS Hosting for RockRMS (Fast Build / Turn-key)

Amazon AWS Setup

Part 1 - Create the VPC (Virtual Private Cloud)

RockRMS_AWS DemoSiteInstall_Part1 from Harvest Pittsburgh North on Vimeo.

Part 1 - Table of Contents

Click on the topics below to jump to that section:

AWS Overview
Create the VPC
Create Subnets
Create the Internet Gateway
Create Routing Tables
Create the VPC Endpoint
Create Security Groups
Configure Security Groups
Create and Configure Admin Security Group
Create an RDS Database Subnet Group
Create S3 Bucket for Storage
Launch the EC2 Virtual Server
Launch the RDS Instance
Log in to your EC2 Instance with RDP

After you've logged into/created your Amazon account and gone to https://aws.amazon.com
In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "VPC" and select the first result "VPC Isolated Cloud Resources"
[Video Timestamp - Part 1 - 0:03:33]
This loads the VPC Dashboard where we will build our virtual machine from scratch
Choose the region that your service will be run from (locale and population density should be considered)
[Video Timestamp - Part 1 - 0:03:55]
P1-3A: Make this selection from the drop-down by your user name
Delete pre-setup VPC Subnets (we will be building these manually) Back to Top of Part 1
[Video Timestamp - Part 1 - 0:06:45]
P1-4A: Go-to "Your VPCs" in the left-hand navigation
Note: By default Amazon provides some generic CIDR block range which is your network address space; by default Amazon sets this in the 172.x.x.x address space. You can use these defaults, however it is a much larger network space than is necessary to host a small RockRMS install.
P1-4B: Select/Check the default VPC that Amazon has provided
P1-4C: Go-to the Actions menu and select "Delete VPC" to delete the default VPC that Amazon creates initially
P1-4D: Select the "I acknowledge" check box and then click the "Delete VPC" button in the bottom right corner of the confirmation dialog
Create your VPC  Back to Top of Part 1
[Video Timestamp - Part 1 - 0:07:30]
P1-5A: Click on either "Create VPC" buttons at the top or center of the "Your VPCs" page

P1-5B: Enter a Name Tag for your VPC
P1-5C: Enter an IPv4 CIDR block range (we are using the 10.0.0.0/26 address space)
    Note: Your CIDR block range can be anywhere from 16-28. The higher the number the smaller the size of address space you have
    We chose a /26 which will give us 64 addresses; of which we really only need 2. The lower the number the larger or more address space you will have. Keep this in mind if you want more space to add in redundancy later on. However this isn't needed for a small build.
P1-5D: Set the Tenancy to "Default"
    Note: Switching this to "Dedicated" will require an additional cost
P1-5E: Click "Create" to setup your VPC
P1-5F: Once created, click the "Close" button
Create Subnets (Networking) Back to Top of Part 1
[Video Timestamp - Part 1 - 0:09:00]
We setup the block of 64 addresses that we now want to carve up into 4 different subnets
We will be setting up 2 database subnets, and 2 web subnets
[Video Timestamp - Part 1 - 0:09:24 - 0:09:50 technical background on carving out subnets; not necessarily important to this simple setup]
Note: For failover purposes you could setup 6 subnets and divide 2 out for the load-balancer. For our purposes this is unnecessary at this point. IF you wanted to go this direction you would want a smaller initial CIDR block range to allow for more address space.
P1-6A: Click on either "Create subnet" buttons at the top or center of the "Your Subnets" page
[Video Timestamp - Part 1 - 0:10:00]

P1-6B: Add a Name Tag to the first subnet being created, select the VPC that was initially created
Note: You will be creating 2 web subnets and 2 db subnets

P1-6C: Select "2a" from the availability zone
P1-6D: Fill in the CIDR block range as "10.0.0.0/28", this will give you a 16 IP subnet range to work with (10.0.0.0-10.0.0.15)
P1-6E: Click "Create" to setup your first Subnet
P1-6F: Once created, click the "Close" button

P1-6G: Create 3 more subnets for the remaining web and 2 remaining db subnets needed, carving up all of the remaining available address space of the VPC CIDR block using the previous process...
Create the following additional subnets: (IMPORTANT! the next subnet must start at the beginning of the next IP range being created)
- Web 2, 2b, 10.0.0.16/28 creates this range (10.0.0.16-10.0.0.31)
- db1, 2a, 10.0.0.32/28 creates this range (10.0.0.32-10.0.0.47)
- db2, 2b, 10.0.0.48/28 creates this range (10.0.0.48-10.0.0.64)
Note: Amazon keeps some of the IPs within each range in reserve so only a portion of the 16 in each subnet will be available.
Create Internet Gateway Back to Top of Part 1
[Video Timestamp - Part 1 - 0:13:10]
P1-7A: Click on either "Create Internet Gateway" buttons at the top or center of the "Internet Gateways" page

P1-7B: Enter a Name Tag for your Internet Gateway
P1-7C: Click "Create" to setup your Internet Gateway
P1-7D: Once created, click the "Close" button
Note: This creates the Internet Gateway but is in a "detached" status.

P1-7E: Connect the Internet Gateway to the VPC by clicking on the "Actions" menu and selecting "Attach to VPC"

P1-7F: Select your VPC from the drop down menu and click "Attach"
Setup Routing on the Subnets - Create 2 New Route Tables (for Web & db subnets)  Back to Top of Part 1
[Video Timestamp - Part 1 - 0:14:02]
Note: By default Amazon creates a default Route Table to all of the newly created subnets. These will be implicitly attached. We want to create new ones to have more control over the previously created subnets. For security purposes your database should reside within a private subnet which is why we will be creating new route tables for the web and db subnets.
[Video Timestamp - Part 1 - 0:15:46]
P1-8A: Click on "Create Route Table" button at the top or center of the "Route Tables" page
P1-8B: Enter a Name Tag for your Route Table
P1-8C: Select your VPC from the drop down menu and click "Attach"
P1-8D: Click "Create" to setup your Route Table
P1-8E: Once created, click the "Close" button
P1-8F: Repeat steps 8A-8E to create an additional Route Table for the database as “db RT”

[Video Timestamp - Part 1 - 0:16:55] - configuring the Route Tables

P1-8G: Select the "Web RT" Route Table and then click "Edit Routes" in the "Routes" tab in the panel below

P1-8H: Add a route destination of "0.0.0.0/0" (basically anything not within the scope of the first route 10.x.x.x/26)
    Set the target to the previously created Internet Gateway
    Click "Save routes" to setup your Route Table
    Once created, click the "Close" button

Note: This means that it is now a public route table

P1-8I: Now we'll edit the associations of this route table, click the "Subnet Associations" tab and then click the "Edit subnet associations" button within this tab

P1-8J: Select both of the web subnets "Web1 and Web2", then click "Save"

P1-8K: Then we will select the "db RT" Route Table, click the "Subnet Associations" tab, and finally click the "Edit subnet associations" button within this tab

Note: We don't need to edit routes, just the association needs to be updated for the db RT

P1-8L: Select both of the db subnets "db1 and db2", then click "Save"
Setup VPC Endpoint for the S3 (Simple Storage Service) Back to Top of Part 1
[Video Timestamp - Part 1 - 0:18:10]
Note: We will be setting up the connection to this storage service because we will be using the S3 Bucket for snapshot storage and restores of the RDS database instance if required.

P1-9A: Go-to "Endpoints" in the left-hand navigation (4th up from the bottom of the Virtual Private Cloud section)

P1-9B: Click on either "Create Endpoint" buttons at the top or center of the "Endpoints" page

P1-9C: Select the "com.amazonaws.us-east-2.s3" Gateway
[Video Timestamp - Part 1 - 0:18:58 - 0:20:11 technical background on what this endpoint is doing for the VPC to talk to the S3 bucket directly and not go over the open internet]

P1-9D: Select your VPC from the drop down menu at the bottom of this service menu and DO NOT click "Create endpoint" at this time

Select your 2 Route Tables (Web and db showing both subnets attached to each)

Note: This endpoint is a gateway and requires this additional step, explanation provided in the video.
P1-9E: Leave the default selected Policy set to "Full Access" as we want all S3 traffic to go over this endpoint
Click "Create Endpoint", then click the "Close" button to setup your S3 bucket endpoint

[Video Timestamp - Part 1 - 0:21:24 - 0:22:01 technical background on what creating the S3 endpoint did and how it relates to the Route Tables that were previously created]
Setup Security Groups "a virtual firewall" Back to Top of Part 1
[Video Timestamp - Part 1 - 0:22:02]
P1-10A: Go-to "Security Groups" in the left-hand navigation (2nd down in the Security section/banner)
Note: The default security group that exists by default is "very loose" in its permissions, so you don't want to use it for this application

P1-10B: Click on the "Create security group" button at the top of the "Security Groups" page
Note: We will be creating 3 security groups (1 for the database, 1 for the web instance, and then 1 for the load balancer)
P1-10C: Enter a Security Group Name for your database security group such as "db SG" and a description for clarity on what the security group will be used for.
P1-10D: Select your VPC from the drop down menu and click "Create"

Once created, click the "Close" button
P1-10E: Repeat steps 10B-10D to create two additional Security Groups for the web instance as “web SG” and load balancer as "lb SG"
[Video Timestamp - Part 1 - 0:23:31 - 0:24:08 technical background on what the security groups are doing]
Configure the Security Groups Back to Top of Part 1
[Video Timestamp - Part 1 - 0:24:15]
P1-11A: Select the load balancer "lb SG" security group to begin the configuration, then click the "Inbound Rules" tab at the bottom to begin editing our rules

P1-11B: Click the "Edit Rules" button in the "Inbound Rules" tab and then click "Add Rule" on the "Edit inbound rules" page

Add a rule for both HTTP on port 80 and HTTPS on port 443 with an IPv4 and IPv6 source of "0.0.0.0/0, ::/0"

P1-11C: Once created, click the "Save rules" button and then the "Close" button on the confirmation screen
P1-11D: Continue with the selected load balancer "lb SG" security group and then click the "Outbound Rules" tab at the bottom to begin editing our rules. Click the "Edit Rules" button in the "Outbound Rules" tab and then click "Add Rule" on the "Edit outbound rules" page

P1-11E: Add a rule for HTTP outbound traffic on port 80 and with a destination source of the security group you created for the web security group (because we want the load balancer to be able to talk to the web security group)
Hint: delete the "0.0.0.0/0, ::/0" and begin typing "sg" to have it auto complete the list for you, select the web security group.
Once created, click the "Save rules" button and then the "Close" button on the confirmation screen

Note: We are only setting up an HTTP rule because we'll be setting up HTTPS / SSL on the load balancer in a future step

P1-11F: Configure the "Web Security Group" [Video Timestamp - Part 1 - 0:27:22]
Note: Configuring the web security group means "stringing along the security groups", this should feel familiar to what we did by configuring the load balancer security group in steps P1-11A through P1-11E, but the traffic and destinations are all unique for the remaining security groups.
Select the "web SG" security group to begin the configuration, then click the "Outbound Rules" tab at the bottom to begin editing our rules

Click the "Edit Rules" button in the "Outbound Rules" tab and then click "Add Rule" on the "Edit outbound rules" page
Add a rule for "MS SQL" outbound traffic, begin by typing "ms" to find "MS SQL" for the type which will be on port 1443 and with a destination source of the security group you created for the web security group (because we want the web security group to be able to talk to the db security group)
Hint: delete the "0.0.0.0/0, ::/0" and begin typing "sg" to have it auto complete the list for you, select the database security group.

Once created, click the "Save rules" button and then the "Close" button on the confirmation screen

P1-11G: Configure the "db Security Groups" [Video Timestamp - Part 1 - 0:28:44]
Note: Configuring the database security group means "stringing along the security groups", this should feel familiar to what we did by configuring the load balancer and web security groups in steps 11A-11F, but the traffic and destinations are all unique for the remaining security group.
Select the "db SG" security group to begin the configuration, then click the "Inbound Rules" tab at the bottom to begin editing our rules

Click the "Edit Rules" button in the "Inbound Rules" tab and then click "Add Rule" on the "Edit inbound rules" page
Add a rule for "MS SQL" inbound traffic, begin by typing "ms" to find "MS SQL" for the type which will be on port 1443 and with a destination source of the security group you created for the web security group (because we want the web security group to be able to talk to the db security group)
Hint: delete the "0.0.0.0/0, ::/0" and begin typing "sg" to have it auto complete the list for you, select the web security group.

Once created, click the "Save rules" button and then the "Close" button on the confirmation screen
P1-11H: Continue with the selected "db SG" security group to begin the configuration, then click the "Outbound Rules" tab at the bottom to begin editing our rules

Click the "Edit Rules" button in the "Outbound Rules" tab and then click "X" at the right of the existing rule on the "Edit outbound rules" page to remove this rule

Note: The database doesn't need to "talk" to anything, all of the connections are being established with the database.
Once deleted, click the "Save rules" button and then the "Close" button on the confirmation screen

P1-11I: Add HTTPS outbound rules for both Web and database security rules
[Video Timestamp - Part 1 - 0:29:22]
Note: This is to ensure that traffic out to the S3 bucket will not go over the public internet
Temporarily go to the Route Tables in the left-hand navigation, select either the Web or database Route Table
Click on the "Routes" tab and select the beginning of the Destination text starting with "pl-xxxxxxxxx" and copy this text to your clipboard for pasting purposes (you'll need this for the outbound web and db security group rules)

P1-11J: Go back to your Security Groups in the left navigation and add outbound rules for both the web and db security groups
Click the "Edit Rules" button in the "Outbound Rules" tab and then click "Add Rule" on the "Edit outbound rules" page
Add a rule for HTTPS on port 443 with a destination of the copied route txt by pasting in the "pl-xxxxxxxxx" for both the database

and web security groups

Once created, click the "Save rules" button and then the "Close" button on the confirmation screen
Create and Configure an Admin Security Group "for common tasks" Back to Top of Part 1
[Video Timestamp - Part 1 - 0:30:45]
P1-12A: Continue in the "Security Groups" in the left-hand navigation (2nd down in the Security section/banner)
Click on the "Create security group" button at the top of the "Security Groups" page

P1-12B: Enter a Security Group Name for your admin security group such as "admin SG" and a description for clarity on what the security group will be used for.
Select your VPC from the drop down menu and click "Create"

Once created, click the "Close" button on the confirmation screen

P1-12C: Configure the Admin Security Group for RDP access
[Video Timestamp - Part 1 - 0:31:25]
Select the "admin SG" security group to begin the configuration, then click the "Inbound Rules" tab at the bottom to begin editing our rules
Click the "Edit Rules" button in the "Inbound Rules" tab and then click "Add Rule" on the "Edit inbound rules" page

Add a rule for "RDP" inbound traffic, begin by typing "rdp" to find "RDP" for the type which will be on port 3389 and with a destination source of "My IP" Hint: delete the "0.0.0.0/0, ::/0" and select "My IP" from the drop-down in the "Custom" destination area.

Note: Setting this to My IP keeps RDP from being accessible to the wide open direct internet traffic, you'll be able to access the RDP with a generated token key later.
Once created, click the "Save rules" button and then the "Close" button on the confirmation screen

P1-12D: Continue with the selected "admin SG" security group to begin the configuration, then click the "Outbound Rules" tab at the bottom to begin editing our rules
[Video Timestamp - Part 1 - 0:32:57] - Full disclosure: this step was added into the how-to steps later as we realized that outbound for the RDP was necessary to download the RockRMS installer and SQL Server Manager tools through a simple web browser interface.
Click the "Edit Rules" button in the "Outbound Rules" tab and add a rule for all outbound traffic, begin by typing "all" to find "All traffic" for the type which will be port range 0-65535 and with a destination source of "Anywhere" from the drop-down list which is the "0.0.0.0/0, ::/0".

Once added, click the "Save" button and then the "Close" button on the confirmation screen
[Video Timestamp - Part 1 - 0:33:37 - 0:34:14 summation and technical background on what the security groups are doing after being completed]
Create a RDS Database Subnet Group Back to Top of Part 1
[Video Timestamp - Part 1 - 0:34:15]
P1-13A: In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "RDS" and select the first result "Managed Relational Database Service"
Note: This loads the RDS Dashboard where we will build our database from

P1-13B: Go-to "Subnet Groups" in the left-hand navigation
Click "Create DB Subnet Group" on the main "Subnet Groups" page

[Video Timestamp - Part 1 - 0:35:02 - 0:35:56 technical background on what the DB subnet groups are used for]
Note: We are pulling the two initially created db1 and db2 subnets into a single DB subnet group
P1-13C: Enter a DB Subnet Group Name such as "db-rock-prod, db-rock-dev, or db-rock-demo" and a description for clarity on what the DB subnet group will be used for.
Select your VPC from the drop down menu (only one available so it's auto-selected)

P1-13D: Select the "2a" availability zone in the "Add Subnets" area, select the correct subnet from the "Subnet" drop-down, click "Add Subnet"
Repeat this again and Select the "2b" availability zone in the "Add Subnets" area, select the correct subnet from the "Subnet" drop-down , click "Add Subnet"

P1-13E: Click "Create" to complete the DB Subnet Group creation

The DB Subnet Group is completed
Setup the S3 Bucket for Storage Back to Top of Part 1
[Video Timestamp - Part 1 - 0:37:35]
P1-14A: In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "S3" and select the first result "Simple Storage Service" or select "S3" from the Storage section of the main Services page
Note: This loads the S3 Dashboard where we can store our RDS backups if we need to restore the database for any reason

P1-14B: In the S3 dashboard click the "+ Create bucket" button

Enter an S3 Bucket Name such as "s3-demo-rock-backup-yourchurchnamehere"
Note: All S3 users share the same namespace and the bucket name must be unique just like a URL or gmail username. You may not get your name on the first try, modify until you get something understandable and available.

P1-14C: Click the "Next" button to continue the S3 Bucket setup
On the next page of the S3 Bucket creation step turn on versioning and AES-256 default encryption
Note: The advanced settings and CloudWatch monitoring are unnecessary for the RockRMS storage needs. Turning on CloudWatch will be an additional cost and put you outside of the AWS free tier resources

P1-14D: Click the "Next" button to continue the S3 Bucket setup

P1-14E: IMPORTANT! Ensure that "Block all public access" is checked so that this database backup storage is not accessible by the public internet
By default continue with the "Do not grant Amazon S3 Log Delivery" option selected
Click the "Next" button to continue the S3 Bucket setup

Review all of the S3 Bucket creation settings and click the "Create Bucket" button to confirm
Launch the EC2 Virtual Server Back to Top of Part 1
[Video Timestamp - Part 1 - 0:40:58]
P1-15A: In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "EC2 (Virtual Servers in the Cloud)" or select "EC2" from the 1st option within the Compute section of the main Services page
Note: This loads the EC2 Dashboard where we can manage our virtual servers at any point.

[Video Timestamp - Part 1 - 0:41:12-0:42:22] - Free Tier thresholds explanation and considerations with RockRMS.
- T2 micro free for 12mos. *move the database snapshot and virtual server setup to a new account if you stay within the free tier threshold to renew; backup and restore covered later

P1-15B: Click "Launch Instance" to begin the compute selection criteria

P1-15C: Select the AMI (Amazon Machine Image) Microsoft Server 2016 or 2019 Base free tier eligible, click on the "Select" button to continue
Note: You can filter this long list of AMIs down quickly by selecting the "Free tier eligible only" check box on the left-hand navigation

P1-15D: Choose your Instance Type by leaving it selected on the default free tier eligible T2 Micro, click the "Next: Configure Instance Details" button

P1-15E: Configure Instance Details
[Video Timestamp - Part 1 - 0:43:22]
Set the following:
Number of Instances = 1
Network = select your VPC that was previously setup from the list
Subnet = select either of the "Web" subnets, doesn't matter which
Auto-assign Public IP = select "Enable"
Shutdown behavior = "Stop"
Enable termination protection = select to enable

P1-15F: Click "Next: Add Storage" to add the machine storage
Note: The free tier T2 Micro gives you up to a 30Gb machine storage space selected by default, no need to lower this
Select the disc encryption with the available "(default) aws/ebs" in order to encrypt the root disc machine image

Click the "Next: Add Tags" button to provide an easy way to identify the AMI in other services of your AWS account
Enter a key and value pair that will help you identify this virtual machine in the future

P1-15G: Click the "Next: Configure Security Group" button
Select the "Select an existing security group radio button and then select the previously setup "admin SG" and "web SG" security groups

P1-15H: Click the "Review and Launch" button to check your selection one last time

P1-15I: Select "Create a new key pair" in the pop-up dialog
Note: A key pair is a private and public key that allows you to ssh into the machine (Linux) but Windows uses standard username and password. Amazon uses this key pair to decrypt the username and password for the Windows Administrator login for RDP.
Enter a Key pair name just to remember what the key pair is used for.
Note: If you decide not to change the default Windows Administrator password you'll need this to get a new Key Pair when logging into the Virtual Machine through RDP. If this machine will not be accessed often it's best to keep it this way as that adds another step of security.
Click "Download Key Pair" to save the encrypted username and password file to your local machine (you'll need this as soon as the machine is launched)

P1-15J: Click the "Launch Instance" to spin up your newly created free virtual machine!
Click the "View Instances" button to see the status of the machine
Launch the RDS Instance (Create the database) Back to Top of Part 1
[Video Timestamp - Part 1 - 0:47:49]
P1-16A: In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "RDS" and select the first result "Managed Relational Database Service" or select "RDS" from your history in the left-hand navigation
Note: This loads the RDS Dashboard where we will build our database from
Click the "Create Database" from the RDS Dashboard page

P1-16B: Select The "Standard Create" method and then select the "Microsoft SQL Server" option

P1-16C: Select the "SQL Server Express Edition" as this lighter-weight version will suffice and help resources remain within the free tier

Select the most recent version of SQL Server at the bottom of the drop-down list as there don't seem to be any current issues or requirements with RockRMS and most current versions are backwards compatible.

Select the "Free tier" option within the Templates section

P1-16D: Scroll down to the Settings section
Enter a database identifier (basically a name of the database that make sense for your needs)

Setup the database credentials so that you can log into the database that you will access through the RDP
[Video Timestamp - Part 1 - 0:49:10-0:49:52] - technical explanation on the database credential setup
Enter "admin" for the Master username of the database, enter a Master password for the database of your choosing at this time and save it for future use as you'll need it for some provided SQL script in Part 2
(IMPORTANT! - You cannot forget this password or you will not be able to complete the database setup and RockRMS install through the RDP)

P1-16E: Select the DB instance size of "db.t2.micro" as this remains within the scope of the free tier offering by Amazon
Note: This database is spec'd to 1 vCPU, 1Gb of RAM, and is not EBS Optimized. If your organization grows beyond the free tier in the future this can be increased at a later time to become more performant for your needs.

Select your Storage options by keeping with the default option selected of "20Gb of General Purpose SSD" and be sure to disable/unselect "Enable Storage autoscaling" to keep the database from growing beyond it's capacity

Select your previously created VPC within the Connectivity section and then open up the Advanced connectivity configuration section"

P1-16F: Open the "Additional connectivity configuration" area to select your previously created Subnet group for the database
Ensure that the database is not publicly accessible by selecting "No"
In the VPC security group area select "Choose existing" then click the "X" to disable the default and select a previously created security group

Select the previously created "db SG" from the list of available security groups

Select the "2a" from the Availability zone for the db SG because we also launched the Web Instance in 2a and keep the same default port of "1433"
Note keeping the database and the instances in the same availability zone will ensure that you do not get charge for "talking" across data centers.

P1-16G: In the Backup section keep the default "Enable automatic backups" and 7 days retention period.
You may also keep the "Copy tags to snapshots" and Enable Performance insights settings as these are nice free features that Amazon provides

P1-16H: Scroll down and open the "Additional configuration" area
You can set the Time zone of your database before is gets built. This can be changed once you get into your database if it wasn't set at this time.

P1-16I: Keep the default "Enable auto minor version upgrade" setting to allow Amazon/Microsoft to upgrade the database version to any security point releases in order to lower your maintenance requirements and also to keep it more secure.

Note: You may set a Maintenance window to ensure that any auto minor version upgrades don't occur during peak hours or when typical RockRMS jobs are scheduled.

P1-16J: Keep the default "Enable deletion protection" enabled in the Deletion protection area
Finally you can click the "Create database" button!

[Video Timestamp - Part 1 - 0:54:02] - the database is created
Log into your EC2 Instance with RDP Back to Top of Part 1
[Video Timestamp - Part 1 - 0:54:06]
P1-17A: In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "EC2 (Virtual Servers in the Cloud)" or select "EC2" from your history in the left-hand navigation
Note: This loads the EC2 Dashboard where we can manage our virtual servers at any point.
Select "Instances" from the left-hand navigation or the "Running Instances" from the EC2 dashboard page

P1-17B: Select your previously created running instance to see more details on it below
Select and copy or use the copy button in order to have the Public IP of the instance available in the clip-board for pasting purposes.
You are going to need this in Part 2 when you log into your Virtual Machine for the first time with Remote Desktop

Installing RockRMS

If you’ve made it this far that means you’re a determined person that can handle anything thrown your way. You also like to overturn any rock you find. The next few parts will seem like a breeze compared to that lengthy manual “from scratch” AWS creation of the VCP and database.

Remember that we are actively working towards lowering that initial bar by creating several Cloudformations ready to use and possible even script some of the next areas to get a pseudo-turnkey installation within 15-30mins.

Note: Some of the sequences shown below are sped up due to time constraints. No action is being taken during these portions. Remember that this is a very low powered virtual build with 1 Gb of RAM and things can load slowly initially. Once configured and cached the system performs adequately for its use-case of small church needs or demo purposes.

Part 2 - Microsoft SQL Server and Database Setup

RockRMS_AWS DemoSiteInstall_Part2 from Harvest Pittsburgh North on Vimeo.

Part 2 - Table of Contents

Click on the topics below to jump to that section:

Log into the Virtual Machine through RDP
Install SQL Server Manager
Login to the Microsoft SQL Server Management Studio
Install IIS Web Server and Features
Configure the IIS Web Server and Features
Creating the admin user in MS SQL Server Management Studio
Launching the RockRMS Installation

Log into the Virtual Machine through RDP (Remote Desktop Protocol) Back to Top of Part 2
[Video Timestamp - Part 2 - 0:00:00]
P2-1A: Open up an available RDP application either on Windows or iOS
In Windows go to the search icon on the taskbar and begin typing "remote" to find the default Remote Desktop Application

Once the RDP Connection window launches paste the Public IP address of the instance that you previously copied into the Computer field
Note: Additional options are not required.
P2-1B: Click the "Connect" button to proceed

A connection trust dialog will pop up, you may choose to select "Do not ask me again..." and then click the "Connect" button to continue

P2-1C: Next you will be asked how to log into the instance through RDP. Select the "More choices - Use a different account" option below the default windows user that is presented. Click "OK"

Enter "administrator" into the username field and follow the additional steps below to copy the password for the instance

P2-1D: Go-to the "Actions" menu of your selected EC2 instance and select "Get Windows Password"

P2-1E: Click the "Choose file" button and select the SSH Key-pair file that we created earlier in order for Amazon to decrypt the key-pair and give you a new password for the RDP login.

P2-1F: Navigate to where you saved your key pair file on your system earlier, select it, and click the "Open" button

P2-1G: Click the "Decrypt Password" button

P2-1H: Copy the decrypted password by highlight/selecting the decrypted password and right-click or CTRL+C copy or click the small copy button to put it into your clipboard and then click the "Close" button

Paste the copied decrypted password into the login dialog and click the "OK" button

P2-1I: You will be presented with another security certificate warning and you may choose to select the "Don't ask me again..." and click the "Yes" button to continue connecting to your instance via RDP.

P2-1J: After the connection has been established and a few moments of initial setup of the Windows Server environment you will now have remote desktop access to your new virtual machine in the cloud.
Note: You may change the administrator password of the system once you login or keep it in this decrypted fashion where Amazon rotates the key and you will have to follow that process in the future. This is a better use case if you do not need to log into the virtual environment often or require more than one person to access the system through RDP as they can pull a new decrypted password versus having to share a specific one that you would create.

P2-1K: Click the "No" button if you are presented with allowing the network to be discoverable by other PCs and devices on the network.

Now we may proceed with the remaining SQL server setup and launch the RockRMS startup script.
Install SQL Server Manager Back to Top of Part 2
[Video Timestamp - Part 2 - 0:02:22]
P2-2A: Copy the RockRMS installer onto the RDP by connecting a local drive or download the installation package from https://www.rockrms.com/Download using a web browser (see the next optional step if downloading directly via a web browser from within the RDP environment).

P2-2B: Optional Step to Lower Internet Explorer security settings
[Video Timestamp - Part 2 - 0:03:03]
Search for "server manager" from the Windows toolbar or Start Menu and launch the Server Manager app.

Click on the "Local Server" from the left-hand navigation to launch the properties.

Click on the "On" link in the IE Enhanced Security Configuration settings.

Turn both the Administrators and Users security settings to "Off" and click the "OK" button.

You can now close the Server Manager application. If you use Internet Explorer to download the RockRMS installer or the upcoming Microsoft SQL Server Management Studio you will not have to add each site to the "white-list" for access purposes. This can become quite a overly secure nuisance.

P2-2C: Download Microsoft SQL Server Management Studio
[Video Timestamp - Part 2 - 0:04:02]
Open up Internet Explorer and run a search on "ssms". One of the first results will give you the documentation page which has the latest version of the software to download, currently v18.4
https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms

Download and install the latest version with defaults remaining.
Login to the Microsoft SQL Server Management Studio Back to Top of Part 2
[Video Timestamp - Part 2 - 0:05:24]
P2-3A: Launch the Microsoft SQL Server Management Studio by searching for "studio" from the Windows toolbar or Start Menu and launch the app.

Once launched you will be presented with a database connection dialog

P2-3B: You'll need the RDS endpoint url for the server name field. For the next few steps you will need to switch away from your RDP virtual pc environment back to your AWS account in your web browser.

In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "RDS" and select the first result "Managed Relational Database Service"
Note: This loads the RDS Dashboard where we initially built our database from.

P2-3C: Once in the RDS dashboard, select your database to pull up it's details.

Once you've selected your database from the dashboard navigate to the Connectivity & security tab (shown by default)

P2-3D: Highlight and copy your specific Endpoint URL

P2-3E: Switch back to your RDP virtual pc environment.
Paste the endpoint URL that you copied from your AWS RDS dashboard and into the MS SQL Server Management Studio - SQL Server connection dialog for the Server Name field.
Select SQL Server Authentication for the Authentication method

P2-3F: Enter the Login and Password that were previously created during the RDS setup (See step P1-16D: Video Timestamp - Part 1 - 0:49:10-0:49:52 - technical explanation on the database credential setup)
Click the "Connect" button and you will now have access to your empty database

P2-3G: Click the "New Query" button to start a blank query tab which we will use to setup and establish the admin user for the RockRMS installation shortly.
Install IIS Web Server and Features Back to Top of Part 2
[Video Timestamp - Part 2 - 0:07:31]
We will now switch gears for a little bit and set up some additional services before creating an admin login for the RockRMS install.
You this next group of steps we will be referring to and utilizing the RockRMS Internal Hosting Guide to setup the IIS Web Server and .Net Frameworks before proceeding to the main RockRMS Install. It is important to thoroughly read through this entire guide before utilizing the few sections that we will cover.

P2-4A: Search for "server manager" from the Windows toolbar or Start Menu and launch the Server Manager app if you've closed this app from our previous optional Internet Explorer security settings changes.

Click on the "Local Server" from the left-hand navigation to launch the properties.

P2-4B: Click on the "Add Roles and Features" from the Manage menu in the upper-right navigation

P2-4C: Select "Role-based or feature-based installation" and then click the "Next >" button

P2-4D: For the Server Selection keep the presented defaults based on "Select a server from the server pool" and then click the "Next >" button

P2-4E: For the Server Roles select the "Web Server (IIS)" leaving all other defaults and then click the "Next >" button

You will be presented with an Add Roles and Features Wizard confirmation, click the "Add Features" button to continue

P2-4F: For the Features section, select the ".NET Framework 3.5 Features" leaving and other defaults and then click the "Next >" button

P2-4G: In the Role Services section, drill open the Application Development area and select the ".NET Extensibility 4.7, Application Initialization, and ASP.NET 4.7" leaving all other defaults and then click the "Next >" button

You will be presented with an Add Roles and Features Wizard confirmation, click the "Add Features" button to continue

P2-4H: In the Confirmation area select the "Restart the destination server automatically if required" checkbox and then click the "Install" button at the bottom to begin the IIS and .NET Framework services installation
Configure the IIS Web Server and Features Back to Top of Part 2
[Video Timestamp - Part 2 - 0:10:38]
In this next group of steps we continue referring to the RockRMS Internal Hosting Guide in order to configure the IIS Web Server before proceeding to the main RockRMS Install. It is important to thoroughly read through this entire guide before utilizing the few sections that we will cover.

P2-5A: Search for "manager" from the Windows toolbar or Start Menu and launch the Internet Information Services (IIS) Manager app

Once the IIS Server Manager is launched drill-down on the name of the localhost server that was setup during the previous steps on the left-hand navigation.

P2-5B: Click on the "Application Pools" in the left-hand navigation from under your local server name and then right-click on the "DefaultAppPools" in the main area. Finally click on "Advanced Settings..." to get to the settings you'll need to adjust

P2-5C: In the DefaultAppPools Advanced Setting dialog ensure that the .NET CLR Version is set to "v4.0", the Start Mode is set to "AlwaysRunning", the Identity is set to "LocalSystem", and the Idle Time-out (minutes) is set to "0".
Click the "OK" button to save these setting changes

P2-5D: Once back out into the main application. Repeat similar steps by clicking on the "Application Pools" in the left-hand navigation from under your local server name and then right-click on the "DefaultAppPools" in the main area. Finally click on "Recycling..." to get to the settings you'll need to adjust

Select the "Specific time(s): checkbox and set the field to 4:00 AM as suggested in the RockRMS Internal Hosting guide.
Click the "Next" button at the bottom of the dialog to save the changes.

In the next section of the Recycling settings dialog, keep all of the checked defaults and click the "Finish" button to complete your DefaultAppPools Recycling settings

P2-5E: For the final IIS Server settings you will need to drill-down on "Sites" and then right-click on the "Default Web Site" in the left-hand navigation, click on "Manage Website", and finally click on "Advanced Settings..." to get to the settings you'll need to adjust

In the Default Web Site Advanced Settings dialog you need to change the Preload Enabled setting to "True".
Click the "OK" button at the bottom of the dialog to complete your settings

P2-5F: You have now completed the setup of the IIS Web Server and may close the IIS Manager application. You may now close the Server Manager application and/or Internet Explorer application if you have not already done so.
Creating the admin user in MS SQL Server Management Studio Back to Top of Part 2
[Video Timestamp - Part 2 - 0:14:31]
In the Windows RDP virtual environment switch back to the Microsoft SQL Server Management Studio application. If you've closed it for any reason or have yet to launch and log into the database from the application refer to the previous steps P2-3A to P2-3G.
Well will now be creating a new admin login for the RockRMS database. Because we've setup many things ahead of time through AWS we will be skipping/modifying many of the settings in the RockRMS Internal Hosting Guide.

P2-6A: Create db admin user / pass using a modified SQL script from this site (https://stackoverflow.com/questions/47112496/aws-rds-microsoft-sql-server-express-cannot-add-users-with-permissions-to-se)
Copy and paste the code below and modify for your needs. Change the login username from "rockuser" to whatever you choose or keep this as is.

P2-6B: Change the password in the "enteryourpasswordhere" section before running the script to create the user.
[Video Timestamp - Part 1 - 0:15:50-0:16:43] - technical explanation on the user role creation
```
USE master;
GO
CREATE LOGIN [rockuser]
WITH PASSWORD = N'enteryourpasswordhere',
CHECK_POLICY = OFF,
CHECK_EXPIRATION = OFF;
GO
GRANT ALTER ANY CONNECTION TO [rockuser] WITH GRANT OPTION;
GRANT CREATE ANY DATABASE TO [rockuser] WITH GRANT OPTION;
GRANT VIEW ANY DATABASE TO [rockuser] WITH GRANT OPTION;
GRANT VIEW ANY DEFINITION TO [rockuser] WITH GRANT OPTION;
GRANT VIEW SERVER STATE TO [rockuser] WITH GRANT OPTION;
```
Once you have filled in your user name and password in the script, click on the "Execute" button above your Query window to create the user role

P2-6C: In the left-hand Object Explorer navigation click the "refresh" button, drill-down to the Security and Logins area. You should now see your newly created user role in the Logins list of the Object Explorer, if not, collapse the Logins area and click the refresh button again.
Once you have confirmed that your new user role is created and shown in the Logins area, you may close the Query tab.

P2-6D: We have now completed the setup of the MS SQL Database and no further setting changes from the guide are necessary. All of these have been accomplished during the AWS RDS setup prior to the initial RDP login.
[Video Timestamp - Part 1 - 0:18:07-0:18:50] - technical explanation on why we're skipping the remaining guide steps
Launching the RockRMS Installation Back to Top of Part 2
[Video Timestamp - Part 2 - 0:18:51]
This is what we've been working so diligently for! The time has come to finally launch the RockRMS installation.
All management or settings applications can be closed at this point from previous steps.
P2-7A: Open up a few Windows Explorer windows and navigate to the unzipped rockrms-install folder. Also navigate to the "C:\inetpub\wwwroot" folder and copy the "Start.aspx" file to this folder on the local virtual machine drive.

P2-7B: You may now close these Windows Explorer windows upon successfully copying the Start.aspx file.
Open up Internet Explorer and enter "http://localhost/Start.aspx" into the address bar and press "enter" on your keyboard to launch the installation.

P2-7C: The remaining steps take you through the installation screens in the browser window. The fields entered will all be based on the names and information you've previously used for your AWS and database setup.
Click the "Get Started >" button to proceed

Enter your specific RDS Endpoint URL into the Database Server field (see steps P2-3B through P2-3E)

After you've copy and pasted your RDS Endpoint URL then enter the previously create name for the Database, enter the same username and password that was created with the SQL command from step P2-6B and click the "Next >" button to continue

P2-7D: The RockRMS installer does some environment checks and tests, ensure that all items have the green check marks and then click the "Next >" button to continue. If you do not see all green check marks, pause and correct the issue before continue to ensure a proper installation.
[Video Timestamp - Part 2 - 0:21:22]

Create a new admin RockRMS Administrator username and password and click the "Next >" button.
Note: This user will have access to the entire RockRMS internal site settings.

Enter the Internal and External URLs for your RockRMS site. Select a Timezone preference and click the "Next >" button. You can enter the URLs that you want it to be now and then in Part 3 we can ensure these will work by setting up the SSL cert and Domain DNS settings.
Note: These settings can be changed after the setup has been completed in the RockRMS Admin Tools - General Settings - Global Attributes page.

Enter the Organization Information for your RockRMS site and click the "Next >" button.
Note: These settings can be changed after the setup has been completed in the RockRMS Admin Tools - General Settings - Global Attributes page. The information entered in these fields have no direct impact on your setup and used mainly for display purposes.

The RockRMS installation begins. You can click the "Show Console" button to watch as the script does all of the fun setup stuff if you'd like...or you can step away to stretch and reward yourself with some coffee. You've earned it!
Be patient while it's installing, this can take some time.

Once the installation is complete you can now press the "Flip the Switch" button to start the RockRMS web service.
Be patient while it's loading for the first time, this can take some time.
[Video Timestamp - Part 2 - 0:23:55 - 0:24:47] Technical explanation on the free loadbalancer and SSL cert from AWS

Enter the login credentials you created during the RockRMS installation process and click the "Log In" button to enter the internal administration site for the first time.
Be patient while it's loading for the first time, this can take some time until items are cached.

Once successfully logged in you can hover at the bottom of the page and click the "i" icon in the action bar to bring up the System Information dialog.
Note: Unit we setup the loadbalancer and SSL cert and create some CNAME records in our domain registrar's DNS settings, we are still only logged into the RockRMS web service from the virtual machine inside of the RDP. You could hit this site now that it's running externally with the AWS RDS endpoint URL until Part 3 is completed.
[Video Timestamp - Part 2 - 0:25:38] More technical explanation on the free loadbalancer and SSL cert from AWS

You can review your current RockRMS version in the System Information and check the Diagnostics to get detailed information on your Database.

Congratulations, you have now successfully created a clean RockRMS installation on Amazon's Web Services for free!
Note: Don't make any drastic configuration changes, updates, or tweaks until you've completed Part 3.

The Finishing Touches

We're almost there! In the next part we will be setting up a loadbalance in AWS to take care of the SSL certification and authentication and then setting our domain registrar to have some new records so that we can get to this new web service with a clean and memorable URL for your organization's needs. We will also be taking a snapshot of the database through the AWS services console and backing up the inetpub directory for safe keeping.

Note: Some of the sequences shown below are sped up due to time constraints. No action is being taken during these portions. Remember that this is a very low powered virtual build with 1 Gb of RAM and things can load slowly initially. Once configured and cached the system performs adequately for its use-case of small church needs or demo purposes.

Part 3 - SSL Cert/Domain DNS Setup and Database Backup

RockRMS_AWS DemoSiteInstall_Part3 from Harvest Pittsburgh North on Vimeo.

Part 3 - Table of Contents

Click on the topics below to jump to that section:

Create the AWS SSL Certificate and DNS CNAME Record
Create and Setup the Loadbalancer
Configure the Loadbalancer
Create a Database Backup (snapshot)
WWWroot and inetpub folder backup on the VCP Windows Virtual Machine

Create the AWS SSL Certificate and DNS CNAME Record Back to Top of Part 3
[Video Timestamp - Part 3 - 0:00:00]
P3-1A: You may now switch away from your RDP virtual machine and return to the AWS services account through your web browser
In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "ACM" and select the first result "Certificate Manager - Provision, Manage, and Deploy SSL/TLS Certificates"
This loads the Certificate Manager where we will provide AWS with our domain information

Click the "Get started" button under the Provision certificates section in order to start the process.

Select "Request a public certificate" and click the "Request a certificate" button to continue

P3-1B: Add your main website domain without any http or https qualifier as well as a wildcard version of your website domain including the preceding "*." Click the "Next" button to continue
Note: Unlike other free SSL certificate services like ACME, AWS provides free wildcard certificates on your domain for 1 year. This allows for an unlimited number of sub-domains that you may setup.

Select "DNS validation" and then click the "Review" button to see the previous settings you've selected.
Note: DNS validation requires access to your domain registrar's settings in order for Amazon to validate your domain is owned by you.

Review the selections you've previously made and then click the "Confirm and request" button to continue

On the Validation page of the certificate request process, drill-down both domains. Do not click the Continue button at this point as we need to login to your domain registrar in order to create a few CNAME records first.

Note: You only need to copy the prefix portion of the supplied Name starting with the underscore up to your domain.

Copy the wildcard domain validation Name to your clipboard

P3-1C: Log in to your domain registrar's account console and manage or edit the domain DNS setting that matches your website.
Note: Each organization's domain registrar system may differ.

P3-1D: Create a new CNAME record and paste the wildcard record NAME provided by AWS into the CNAME Name field

When pasting the name from the AWS certificate console, drop the domain suffix from the supplied record name Amazon supplies for you. You just need the part that start with the underscore up to your domain "_xxxxxxx"

Briefly switch back to the AWS Certificate console and copy the "Value" field supplied.

P3-1E: After you've set your new record type to "CNAME", pasted in both the Host Name and Points to Value records supplied from Amazon, you may click the "Save" button. Note: You may consider temporarily setting a custom TTL (Time to live) value of 600 seconds to help resolve this new record quickly. Once resolved you'll want to set it back to the 1 hour default to avoid latency issues.

You can adjust the new CNAME record by clicking edit or a pencil icon depending on your domain registrar's user interface.

Click the "Save" button to keep the custom TTL setting.

Check the AWS Certificate page to ensure that the new record you created in your domain registrar's DNS management has been successfully validated by Amazon.

P3-1F: Use a service to check that this new record is propagation to other DNS servers throughout the globe such as: https://dnschecker.org
Paste in your full record name supplied by Amazon Certificate manager, including the domain, select the "CNAME" record and click the "Search" button to check the global servers.

After a few refreshes of this page you will start to see major DNS servers start to validate the new CNAME record. You may now proceed and check this later to ensure that all have properly resolved as this can take some time.

P3-1G: Once everything shows "Success" and you've ensured that it is propagating to other DNS servers throughout the globe, you can click the "Export DNS configuration to a file" button to have a backup of the DNS values for safe keeping. You can return to the AWS Certificated page at any point to retrieve this information if needed.
Finally, click the "Continue" button to finish the certificate setup.

You may now continue on to setting up the Loadbalancer to server up this new SSL certificate so that any web request properly gets routed to the secure https method.
Create and Setup the Loadbalancer Back to Top of Part 3
[Video Timestamp - Part 3 - 0:06:44]
P3-2A: In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "EC2" (Virtual Servers in the Cloud) or select "EC2" from the 1st option within the Compute section of the main Services page, if it’s not already available in your history in the left-hand navigation.
Note: This loads the EC2 Dashboard where we can manage our virtual servers at any point.

P3-2B: From the EC2 Dashboard click the “Load Balancers” button from the Load Balancing section of the left-hand navigation. From the Load Balancers page click the large blue “Create Load Balancer” button at the top of the page.

P3-2C: Select the “HTTP / HTTPS” Application Load Balancer from the Load Balancer Type screen to continue.

Fill out the Load Balancer Basic Configuration page by giving it a recognizable Name, selecting "internet-facing" for the Scheme, keeping the default IP address type of "ipv4", and adding an additional Listener of "HTTPS" on port 443.

Select both previously setup Availability Zones and select the "Web1" and "Web2" subnets that were previously created.
Click the "Next: Configure Security Settings" button at the bottom to continue.
Note: You must ensure that you've added the additional HTTPS listener before proceeding.

P3-2D: Select "Choose a certificate from ACM (recommended)", ensure that your previously setup certificate is selected in the "Certificate Name" field, and select a security policy.

Your Security policy is likely going to be the most current one offered by AWS.
Click the "Next: Configure Security Groups" button to continue.

P3-2E: Ensure that "Select an existing security group" is the field for assigning a security group. Select the previously created security group for the load balancer below.
Click the "Next: Configure Routing" button to continue.

P3-2F: Set a New Target Group by giving it a new Name such as "RockDemoWebServer", and keeping the defaults of "Instance" for the Target Type, "HTTP" for the Protocol on port 80. No changes need to be made within the Advanced Settings.
Click the "Next: Register Targets" button to continue

Select both the available target and instances, then click the "Next: Review" button to continue

Review the information you've provided thoroughly and then click the blue "Create" button at the bottom of the page to complete the Load Balancer.

Click the "Close" button after the Load Balancer has successfully been created to return to the Load Balancers dashboard page to see the status of your newly created Load Balancer.
Configure the Loadbalancer Back to Top of Part 3
[Video Timestamp - Part 3 - 0:10:51]
P3-3A: While the Load Balancer is being provisioned we can add some additional configurations.
From the Load Balancer dashboard click the "Listeners" tab at the bottom from your selected load balancer, click on the "View/edit rules" link on your HTTP listener.

P3-3B: Click on the "Edit/Pencil" icon at the top of the Rules page (next to the "+" tab) to edit an existing rule on the HTTP listener set.
Click on the "Edit/Pencil" icon next to the existing HTTP 80: default action rule line.

Delete part of the existing rule on the HTTP listener by clicking the "Delete/Trashcan" icon on the THEN portion of the rule.

Edit the THEN statement by selecting a "Redirect to..." and setting it to "HTTPS" and port "443", leaving the remaining fields as default and clicking the "Okay/Checkmark" set icon

Click the blue "Update" button to complete the Rule change on the HTTP listener.

[Video Timestamp - Part 3 - 0:11:56]
P3-3C: Once the Load Balancer dashboard page loads click on the "Target Groups" link from the left-hand navigation under the Load Balancing section. As the previously created RockDemoWebServer target group is selected click on the "Targets" tab and then hover over the "i" link to see the health status of the target group. This will likely be unhealthy to start because we have a few more settings to change.
Note: You're almost there don't give up now!! These last remaining settings will complete the SSL / Load Balancer setup and allow us to view the install from outside of the RDP with a nice new clean subdomain on your existing church's URL.

P3-3D: Click on the "Health Checks" tab then click on the "Edit health check" button below

Change the path of the internal login page of the RockRMS install as "/page/3" and reduce the Interval to "15" seconds keeping all other settings as the default. Click the blue "Save" button to continue.

After the health check settings have been saved click the "Targets" tab again and hover over the "i" link in the registered targets area and you should now see a healthy status. Ensure that you do before moving forward.

P3-3E: Navigate back to the Load Balancer dashboard page by clicking on the "Load Balancer" link in the left-hand navigation.
Copy the DNS Name to your clipboard from the Description tab of the Load Balancer dashboard. This will be used to create another CNAME record in your domain registrar's DNS settings for the subdomain you choose to have your RockRMS pointed to.

P3-3F: Navigate to your domain registrar's DNS settings and add a new "CNAME" type record. Paste the DNS record that you copied from your AWS Load Balancer into the "Points to" field, add a subdomain of your choosing into the "Host" field and set a low custom TTL for now so that the world-wide DNS servers will quickly propagate this new DNS record. Click save to add the CNAME record.
Note: You can add multiple CNAME records for as many sub-domains as you want or need for the RockRMS install now using the Load Balancer DNS record supplied by AWS. Hint: You may want separate sub-domains for your internal and external facing RockRMS pages.

P3-3G: Once your new DNS record has been saved you can once again check the status of it by utilizing https://dnschecker.org and entering your new sub-domain CNAME record and checking the world-wide propagation status. This should resolve immediately as AWS is now offloading the original CNAME and pointing it to the new clean sub-domain.

Don't get ahead of yourself just yet, let's fix those unnecessarily low TTL DNS settings first.
Go back to your domain registrar's DNS management and adjust the new records to the TTL default or 1 Hour or 1 Day. To understand why you should do this read up on this article: Stop using ridiculously low DNS TTLs

The moment you've been waiting for is here!!!
[Video Timestamp - Part 3 - 0:14:37]

P3-3F: Open up a new browser tab on your local machine and go to your new sub domain website.
You should be able to successfully navigate to this domain which points it to the internal login screen from any public computer in the world.

You can click on the lock icon in Chrome to view the new SSL certificate information. If you click the "Certificate" link on this popup you will see all of the Amazon provided certificate information for your domain name.

Enter your admin Username and Password and log in!!
Congratulations, you now have a fully secure, clean, and free AWS hosted install of RockRMS!
Create a Database Backup (snapshot) Back to Top of Part 3
[Video Timestamp - Part 3 - 0:23:44]
P3-4A: Navigate back to your AWS web browser tab/page. In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "RDS" and select the first result "Managed Relational Database Service" or select "RDS" from your history in the left-hand navigation
Note: This loads the RDS Dashboard where we can manage the existing database we've created

P3-4B: Select your previously created database from the RDS dashboard or from the Databases link on the left-hand navigation

Click on the "Maintenance & Backups" tab from your selected database dashboard.
From the Maintenance & Backups tab scroll far down until you get to the Snapshots section. This is where you will see all automated and manual database snapshots (backups).
Note: You can also get to the Snapshots area directly by clicking the "Snapshots" link from the left-hand navigation.

P3-4C: If you remember some of the settings we chose when setting up the RDP database we selected a daily automatic backup process. These rotate daily for a 7-day period as was selected for the free tier. In order to created a clean install backup we need to take a manual snapshot which will stay in this area permanently.
Click the "Take snapshot" button in the upper right-hand corner of the Snapshots section

Creating a manual snapshot is as simple as giving it a name and then clicking the "Take Snapshot" button to start it's creation.

This will take a few minutes to complete and you can check the Status and Progress of the snapshot from here.

Note: It's good practice to take a manual snapshot before each major version upgrade of RockRMS.
Backup the wwwroot and inetpub folder on the VCP Windows Virtual Machine Back to Top of Part 3
[Video Timestamp - Part 3 - 0:24:55]
P3-5A: Log in to your RDP. Use steps P2-1A through P2-1I as a refresher on how to do this.
Open up a Windows Explorer window and navigate to the "inetpub" folder, likely "C:\inetpub\"

P3-5B: Right-click on the "wwwroot" folder and go to the "Send to" context command to create a compressed zip file of the entire folder's contents.

Once the zipped file is created, name it appropriately for your backup state. Copy this file and save it to your local machine or cloud storage provider for safe keeping.

This concludes Part 3 of the AWS setup. Note: You can technically backup the EC2 virtual machine however the size of this backup will bump up against the free tier limits and may cause charges to your account. Backing up the actual VPC isn't really necessary as we'll discuss migrating in a future part. Doing a backup of this nature creates an actual image of the virtual machine taking up space on Amazon's S3 bucket.

Upgrading RockRMS

You've done it! You have successfully setup a full stack AWS virtual machine, database, and backup solution for your church's needs. In the next part we will be going through the steps needed to upgrade RockRMS through major and minor releases and then taking another snapshot of the database through the AWS services console and backing up the inetpub directory for safe keeping.

Note: Some of the sequences shown below are sped up due to time constraints. Also, the fantastic technical explanations by Mike Wolski weren't captured in this segment. However, the tutorial is still solid and can easily be followed. The re-dubbing of the audio may be recorded at a later time and the video replaced.

Part 4 - Upgrading RockRMS and Database Backup

RockRMS_AWS DemoSiteInstall_Part4 from Harvest Pittsburgh North on Vimeo.

Part 4 - Table of Contents

Click on the topics below to jump to that section:

Upgrade RockRMS
Backup RDS and RockRMS wwwroot folder

Upgrade RockRMS Back to Top of Part 4
[Video Timestamp - Part 4 - 0:00:00]
P4-1A: You may now switch away from your AWS services account and to your RockRMS install administration page through your web browser

Click the "Rock Update" link in the General Settings page

When updates are available you will see the "New Pieces Available" call-out at the top of the page. Scroll down to see all of the releases.

Click the blue "Install" button to the left of the release you are choosing to upgrade to.
Note: Each release has a link to the Release Notes page giving you detail on the fixes and enhancements of the major and minor releases.

Once the release install is completed you will see a "Eureka, Pay Dirt!" confirmation.
Click the green "Restart" button to restart the RockRMS service on the virtual machine.

During the service restart you may get a "504 Gateway Time-out" browser error because the service is not yet back up and running.
Click on the refresh button or hit F5 on your keyboard to refresh the page until your RockRMS service comes back up.

Once you've upgraded to the most current release you will get a "Everything Is Shipshape" confirmation on the Rock Update page.

You can confirm your currently running version by clicking the "i" icon in the Admin action bar when you hover at the bottom of the screen in your browser.

You may clear off any of the Update Notifications from your Admin home page by clicking the "x" buttons for each as needed.

Some releases may require manual checks or changes as refactoring occurs to the code base. All RockRMS admins should check the Technical Release Notes to ensure that they have their installs secure and in good working order.

Now that you've updated the install to the most current version it's time to take another clean snapshot(backup) of the database and make a zip file backup of the inetpub and wwwroot folders.
Backup RDS and RockRMS inetpub and wwwroot folder for clean v9 build Back to Top of Part 4
[Video Timestamp - Part 4 - 0:10:34]
P4-2A: Creating the database backup and wwwroot backups is the same process as outlined in Part 3 steps P3-4A through P3-5B.
Simply rename the new manual backup with your current build version for your clean install.

It is a good idea to create a manual snapshot (backup) of the database and wwwroot folder before any major release or before installing a bunch of plugins to be safe if needing to roll-back due to any errors.

Post Install How-to Considerations

Admin Tools - General Settings - Global Attributes - Configure RockRMS: Double check Internal & Public Application root URLs based on your domain CNAME settings
Admin Tools - General Settings - Global Attributes - Configure RockRMS: Organization email (exceptions and system emails go to this address)
Admin Tools - Rock Shop - Log into your RockRMS account and download some valuable plugins

Part 5 - Migrating your AWS Database & SSL Cert. (to another region)

You’ve been running your RockRMS environment successfully on AWS for almost a year and now your free tier trial is almost up. Once your 12 months official lapse you will begin to incur month to month charges on the credit card that was originally setup with the AWS account.
If you want to continue using AWS as your RockRMS hosting provided you can look into the TechSoup credits which can be applied to month to month instances upwards of $2,000 a year with a one time $175 admin fee. We also suggest considering a Reserved Instances which can save your church a ton of money over a fixed pre-paid amount of time such as 1, 2, or 3 year period. Smaller churches that can run just fine off of the original 12mo. free tier can purchase a reserved instance equivalent and/or better for as little as $22/month for a 2-3 year reservation.

You also should continually evaluate your environment's performance and consider boosting your EC2 spec if needed which only requires a few clicks and not an entire migration procedure (we'll cover more on this in another tutorial).

In the following migration procedure we’re assuming that you’d only like to transfer your environment to another region that may have additional features that you want to use. Not all AWS regions are alike and some have additional services and regions that you may want to take advantage of for your organization's purposes. Even though it may not be geographically close to your physical location, choosing an alternate region has benefits.

Part 5 - Table of Contents

Click on the topics below to jump to that section:

Create a brand new AWS account
Backup RDS and RockRMS wwwroot folder

Create a brand new AWS account (new email required) Back to Top of Part 5
[Video Timestamp - Part 5 - 0:00:00]
Since we never truly captured the original account creation in Part 1, you can follow along starting here assuming that this is only due to a region change and for backup purposes you want to keep the original account. Otherwise you can migrate regions within the same original AWS account by following this process.
P5-1A: Create a brand new Amazon AWS account at https://aws.amazon.com and click on the big orange "Create an AWS Account" button in the upper-right corner of the page. This will send you to the sign-in page where you can sign in with an existing account or create a new one. Click the gray "Create an AWS Account" button underneath the sign-in or New to AWS? area.

or

P5-1B: Once on the new account creation page, enter an email address and a password that you’ll remember or stored in a password vault. Enter a memorable account name and then click on the yellow "Continue" button at the bottom of the form.

P5-1C: On the next page fill out your contact details, most likely a Professional account if you are setting this up for your church. Ensure that you have read and agreed to Amazon’s terms of service. Add a phone number that you can validate your account with via SMS or automated call. Click on the yellow "Create Account and Continue" button at the bottom of the form.

P5-1D: Fill out a valid payment method and billing address. This is a mandatory step as any account can easily go over the free tier limits once your church grows. Check the AWS pricing page for options, better yet pay in advanced with Reserved Instances to save!

Click on the yellow "Verify and Add" button at the bottom of the form. They have to make sure that you're human several times in this process or bots could really abuse creating AWS accounts.

P5-1E: Once your account has been validated you'll be presented with a Support Plan selection screen. Select the Basic Plan by clicking on the yellow "Free" button.

You have now successfully setup a brand new Amazon AWS account!

[Video Timestamp - Part 5 - 0:03:12]
P5-1F: Sign in to your newly created and verified account by clicking on the yellow "Sign in to the Console" button from the welcome screen. You can always sign-in by going to the main AWS site here: https://aws.amazon.com

Enter your email and password that was just setup for your account and then click on the blue "Sign in" button to continue.

You will now see your fresh AWS Management Console
Sharing Data between two AWS accounts Back to Top of Part 5
[Video Timestamp - Part 5 - 0:03:49 - 0:04:24] explanation on region settings
[Video Timestamp - Part 5 - 0:04:26] Finding your Account ID
P5-2A: Click on your account name in the top menu bar and select "My Account" in the drop-down. This will give you access to your Account Settings and Account ID (needed for sharing the previous build with the new account for migration purposes).

Part 6 - Setting up Customer Engagement: Amazon Simple Email Service (SES) with SMTP Transport

Back to Top

Amazon Simple Email Service (SES) is a free SMTP mail delivery service that also falls into the free tier. You can send up to 50,000 emails per month within this free limit. See AWS SES Pricing for details.
As it works today with the standard SMTP mail transport it does not capture open or click tracking back into RockRMS. At the end of this section there is another video to show you a high-level overview of how to get Open/Clicks tracking through AWS CloudWatch and PostFix. (If anyone is willing to help with developing a modified Communication Analytics block to pull in the AWS CloudWatch Click/Open data into RockRMS please contact us)

RockRMS_AWS DemoSiteInstall_Part6_SES from Harvest Pittsburgh North on Vimeo.

Part 6 - Table of Contents

Click on the topics below to jump to that section:

Setup SES on your existing AWS account
Update SES Account from Sandbox to Production
Ensure the EC2 has outbound access for the SMTP service
Setting up the RockRMS SMTP Mail Transport
Send an Internal Communication Email Test

Setup SES on your existing AWS account Back to Top of Part 6
[Video Timestamp - Part 6 - 0:00:00]
P6-1A: After you've logged into your Amazon account at https://aws.amazon.com
In the top header go to the "Services" drop-down next to the AWS logo

In the search bar type "SES" and select the first result "Simple Email Service"

This loads the SES Home Dashboard where we will setup our email communications service

P6-1B: Click the "Domains" link in the left-hand navigation menu. Then click the blue "Verify a New Domain" button to add your domain identity.

Enter your domain (removing any sub domain prefixes) and select the Generate DKIM Settings toggle and then click the blue "Verify This Domain" button.

After that step you can expand your domain identity section details to see the status, which will be unverified at this time. You can return to this area to check on the status as you continue the verification process.

[Video Timestamp - Part 6 - 0:01:30]
P6-1C: Click on the actual Domain Identity link, this page will show you all of the detail regarding the status and records on the domain that you are validating. Amazon will give you a few validation records that you will need to copy and put in your domains DNS settings.
Log in to your DNS service and add a new TXT record. Copy and paste the TXT Name and TXT Value provided in this Domains dashboard so that AWS can validate the ownership of your domain for the SES service.
Once you've added these records in your DNS settings you will see the status of your domain record update from Pending to Verified.

Now you can successfully use your new SES service to send emails. However, out of the gate AWS puts your new domain into a "sandbox" for testing purposes reducing the number of emails you can send as well as only allowing sends from within your own domain space (you can't send to any other email account such as @gmail.com, @yahoo.com, @mail.com until moving on to the next step).
Update SES Account from Sandbox to Production Back to Top of Part 6
[Video Timestamp - Part 6 - 0:02:00]
P6-2A: Open up a support ticket by clicking on the "Support" menu in the upper-right hand corner of the page then click on the "Support Center" link within the drop-down menu.

P6-2B: In the Support Center page you'll begin the process of getting out of the SES sandbox by clicking the orange "Create case" button in the upper-right hand corner of the My support cases area.

In the newly opened case, provide details as to what you will be using the SES service for. Feel free to use ours as a template below and modify according to your organization and AWS account details:

Limit Increase Request 1
Service: SES Sending Limits
Region: US East (Northern Virginia)
Limit Name: Desired Daily Sending Quota
New Limit value: 500
--------
Limit Increase Request 2
Service: SES Sending Limits
Region: US East (Northern Virginia)
Limit Name: Desired Maximum Send Rate
New Limit value: 25
--------
Use case description: We are primarily using the SES service for internal system email from a ChMS system. We plan in the future to send correspondences to those signing up for events and overall notifications for volunteers / staff members.
Mail Type: Marketing
Website URL: rock.harvestpittsburghnorth.org
Describe how you will comply with http://aws.amazon.com/service-terms and http://aws.amazon.com/aup : We only send to recipients in our system's collection
Describe how you will only send to recipients who have specifically requested your mail: Users must provide their email and opt-in to receiving our communication.
Describe the process that you will follow when you receive bounce and complaint notifications: We can remove stale email addresses and have a 'Unsubscribe / Remove me from your list' link in all of our email templates.

Category: Service Limit Increase, SES Sending Limit
Cage Type: Service limits

Once the case has been marked Resolved and the temporary sandbox restriction lifted you can now move on. This may take a few business days.
You may now go back to your Domain Settings in the SES dashboard.

[Video Timestamp - Part 6 - 0:04:28]
P6-2C: In order for us to use this mail transport we need to create SMTP credentials in order to authenticate our AWS account within RockRMS for the SMTP transport.
Click on the "SMTP Settings" link from the left-hand navigation and then click the blue "Create My SMTP Credentials" button.

Provide an IAM User Name that is recognizable for your organizational needs. Then click on the blue "Download Credentials" button in the lower right-hand corner of this screen.

Save your credentials file (CSV) on your desktop or wherever you can easily find it later. Do not lose track of this file.

You may now close the SMTP Credentials window and it'll return you to the Identity and Access Management (IAM) dashboard. There is no action we need to take here at this time.
Ensure the EC2 has outbound access for the SMTP service Back to Top of Part 6
[Video Timestamp - Part 6 - 0:05:53]
P6-3A: We now need to ensure that our EC2 has outbound access to the mail relay ports. So we'll do this by checking our security groups Outbound rules settings.
In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "EC2" or find it in your history.

P6-3B: Navigate to the Security Groups from within the EC2 dashboard by clicking on "Security Groups" from the left-hand navigation under the Network and Security section.

Select the "web_sg" security group if that's what you named yours and navigate to the "Outbound" rules tab.

P6-3C: Create a new Custom TCP Rule on port 587 with a destination of 0.0.0.0/0, you can add a description of "SMTP" so that you remember why this port is opened, for outgoing mail service.
Setting up the RockRMS SMTP Mail Transport Back to Top of Part 6
[Video Timestamp - Part 6 - 0:06:35]
P6-4A: You are now ready to setup your RockRMS SMTP Mail Transport with the AWS SES service.
Begin by logging into your RockRMS admin site, navigate to Admin Tools (Briefcase Icon on left-hand nav) and then Communications.
Once you get to the Communications page you'll want to select the Communication Transports button notated by the truck icon.

P6-4B: Within the Communication Transports page you'll then want to click on the SMTP transport to edit it and enter your new AWS SES credentials we previously generated.

[Video Timestamp - Part 6 - 0:07:30]
P6-4C: In order to properly setup the SMTP Transport you need some an access key for the new SES user we previously created.
In the top header go to the "Services" drop-down next to the AWS logo
In the search bar type "IAM" to go to the Identity and Access Management dashboard or find it in your history.

From this dashboard click on the "Users" link in the left-hand navigation and then select your newly created ses IAM user account.

In the Summary screen for this user click on the "Security Credentials" tab.

Here you can copy the Access Key ID for the ses IAM account below and paste it into the User Name field of the SMTP Transport in RockRMS.

[Video Timestamp - Part 6 - 0:08:40]
P6-4D: Open up the credentials.csv file that was your saved AWS SES credentials in order to copy/paste the Password (highlighted in green below) into the RockRMS SMTP setting dialog. Ensure that the Port is set to 587, the transport is set to Active, and that Use SSL is set to Yes.
You will need to update the Server field to the region that you are running your AWS services from such as email-smtp.xx-xxxx-x.amazonaws.com
Note: The SES service is only available on 5 or so regions, pick the one closest to the region you are hosting from that has SES available, it does not have to directly match yours.

Click the "Save" button on the SMTP Properties dialog.
Send an Internal Communication Email Test - Back to Top of Part 6
[Video Timestamp - Part 6 - 0:10:05]
P6-5A: Now that all of the SES and SMTP settings have been established we can send the first internal email communication for testing purposes. You'll want to be familiar with how to send emails within RockRMS so you'll want to read and reference the Communicating Using Rock manual and/or check out all of the Communication RockU Videos.

Ensure that your domain has been validated in the SES dashboard then in RockRMS go to People - New Communication to create a test email.

P6-5B:Once the New Communication email has been sent you can check the status within RockRMS by navigating to People - Communication History and finding the email communication sent to check the delivery status.

You can also check your domain's reputation status in the SES dashboard by clicking the "Reputation Dashboard" link from the left-hand navigation menu.
Once your Service Ticket for the sending limits has been approved and the limits lifted you'll be able to send easily outside of your domain and to your entire congregation.
Note: At this time clicks and opens are not tracked within RockRMS for SES. Below is a high-level overview of how we're using AWS's Cloudwatch service and a simple turn-key linux VM using the PostFix service to capture each communication and re-write the header information in order to then track Clicks and Opens in your email communications.

If anyone is interested in partnering with us to modify/fork the existing Communications Analytics block to digest the AWS Cloudwatch API we'd greatly appreciate the support. Please email support@harvestpittsburghnorth.org for inquiries.

RockRMS_AWS DemoSiteInstall_Part6_PostfixCloudwatchAnalytics from Harvest Pittsburgh North on Vimeo.
Back to Top of Part 6

Part 7 - Future of AWS Hosting for RockRMS (Fast Build / Turn-key)

A "turn-key" hosting solution was posted as a separate recipe in Aug 2019. You'll be able to get up and running with RockRMS on AWS in under an hour easily. Check it out here!

Back to Top of Recipe

Recipe

Free Tier AWS Hosting for RockRMS

Free Tier AWS Hosting for RockRMS

Free?!?!

Prerequisites

Main - Table of Contents

Amazon AWS Setup

Part 1 - Create the VPC (Virtual Private Cloud)

Part 1 - Table of Contents

Installing RockRMS

Part 2 - Microsoft SQL Server and Database Setup

Part 2 - Table of Contents

The Finishing Touches

Part 3 - SSL Cert/Domain DNS Setup and Database Backup

Part 3 - Table of Contents

Upgrading RockRMS

Part 4 - Upgrading RockRMS and Database Backup

Part 4 - Table of Contents

Post Install How-to Considerations

Part 5 - Migrating your AWS Database & SSL Cert. (to another region)

Part 5 - Table of Contents

Part 6 - Setting up Customer Engagement: Amazon Simple Email Service (SES) with SMTP Transport

Part 6 - Table of Contents

Part 7 - Future of AWS Hosting for RockRMS (Fast Build / Turn-key)

Login to add a comment...