
Running Puppet Server in AWS for device configuration over internet

asked 2016-04-26 10:05:37 -0600


Hi All,

Sorry if this is a common question or has been answered before but I haven't come across an answer for this. I am working for a company that has a number of Windows and OSX users in offices across Europe, North America and Australia, although the IT department is based in the UK. Our offices do not utilise VPN connectivity at the moment and only the UK office uses a domain. Having seen examples of Puppet and Puppet Enterprise running on a local network / domain, is this a requirement?

We are looking to improve our method of building machines and ideally would like to have the option of automating Windows configuration on devices across the internet, with minimal interaction. To do this, we would need to run a public-facing Puppet server in something like AWS which new (and existing) devices can communicate with and pull configuration from. Is this possible? Is it recommended? Are there other solutions available which will do this?

Any help with this would be greatly appreciated. We are going to start using Puppet in-house anyway but being able to onboard devices via the internet would be a massive selling point to Finance / Board.




1 Answer


answered 2016-04-26 12:21:21 -0600


I'm not sure if there are any issues with your clients not being reverse-addressable from the puppet master. I haven't tried a 'one way' setup before.

The things that I can think of are the following.

Make sure your puppet master's cert is signed with whatever public DNS you will be using to connect to it (Not sure if you can do that purely through Route53, or if you would use an EIP)

Make sure you create security groups for your puppet master. The best practice would be to only whitelist the networks / machines that you wish to manage, that way you wouldn't just be opening up your puppetmaster to the whole internet.

I'm sure I'm missing some things, but that's all that comes to my mind at the moment. If the hurdles are too great, there are several alternatives:

  1. Create a local puppet master at each remote site, using a common git server to host your modules, and roll them out via librarian-puppet/r10k. That way your source of truth is the common git server, but you are still managing the instances locally on their LAN/VPC.
  2. Same shared puppet modules, but run a puppet apply locally with the modules pulled down locally in a masterless setup. That's one approach people have made to not have to worry about scaling their masters.
  3. Use a different tool. I hate to suggest this on the puppet boards, but I do know of some consultants who make heavy use of ansible for administering various systems distributed geographically across multiple companies. It allows them to run their playbooks with only ssh access to the instances, without requiring every node to run an agent. I'm not sure if puppet provides anything similar, other than doing a 'masterless' setup and sshing out or using some other tool to remotely run a puppet apply command.

Best of luck, I'm interested to hear what ends up working for you!

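The security-group point in the answer above (only whitelist the networks you manage, never the whole internet) is easy to check mechanically. The following is an added example, not code from the original thread or from Puppet: it audits the ingress rules of an AWS security group, in the JSON shape `aws ec2 describe-security-groups` returns, against a whitelist of office CIDRs. The group id and CIDRs are constructed placeholders, and the Puppet agent port 8140 is assumed as the default.

```python
import ipaddress
import json

# Constructed sample in the shape `aws ec2 describe-security-groups`
# returns, trimmed to the fields the audit needs.  All values are
# placeholders: one rule wrongly opens 8140 to everyone, one restricts
# it to an office range, one is an unrelated SSH rule.
SAMPLE_SG = json.loads("""
{
  "GroupId": "sg-0000placeholder",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8140, "ToPort": 8140,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8140, "ToPort": 8140,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.10/32"}]}
  ]
}
""")

PUPPET_PORT = 8140  # assumed default Puppet Server port


def audit_puppet_ingress(sg, allowed_cidrs, port=PUPPET_PORT):
    """Return findings for ingress rules that reach `port` from outside
    the whitelisted site networks.  Rules not covering `port` are ignored."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # Protocol "-1" (all traffic) carries no FromPort/ToPort in the API,
        # so treat it as covering every port.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            src = ipaddress.ip_network(cidr)
            if src.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                findings.append(f"{src}: port {port} open to the whole internet")
            elif not any(a.version == src.version and src.subnet_of(a)
                         for a in allowed):
                findings.append(f"{src}: not in the site whitelist")
    return findings


if __name__ == "__main__":
    for finding in audit_puppet_ingress(SAMPLE_SG, ["203.0.113.0/24"]):
        print("FINDING", finding)
```

Run it against the real output of `aws ec2 describe-security-groups --group-ids <id>` (take `SecurityGroups[0]`) with your actual office ranges to confirm nothing but those ranges can reach the master.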

