circle-info
Release Notes
arrow-up-right
search
Erigon Tech Blog
Page cover

How to run AWS nodes

circle-info

The information on this page are provided by the AWS team; proprietary software used.

hashtag
Architecture Overviewarrow-up-right

This blueprint has two options for running nodes. You can set up a single JSON RPC node or multiple nodes in highly-available setup. The details are below.

hashtag
Single RPC node setup

This setup is for small scale PoC or development environments. It deploys a single EC2 instance with both consensus and execution clients. The RPC port is exposed only to internal IP range of the VPC, while P2P ports allow external access to keep the clients synced.

hashtag
Highly available setup

  1. An ongoing data synchronization process is configured with nodes in the Ethereum network with a sync node and RPC nodes.

  2. The sync node is used to create a copy of node's state data in Amazon S3 bucket.

  3. When new RPC nodes are provisioned, they copy state data from Amazon S3 bucket to speed up the initial sync process.

  4. Applications and smart contract development tools access highly available RPC nodes behind the Application Load Balancer.

hashtag
Well-Architectedarrow-up-right

chevron-rightReview the for pros and cons of this solution.hashtag

hashtag
Well-Architected Checklistarrow-up-right

This is the Well-Architected checklist for Ethereum nodes implementation of the AWS Blockchain Node Runner app. This checklist takes into account questions from the AWS Well-Architected Frameworkarrow-up-right which are relevant to this workload. Please feel free to add more checks from the framework if required for your workload.

hashtag
Security

  • Network protection

    • Are there unnecessary open ports in security groups?

      • Please note that Erigon snap sync port remains open for non-erigon clients, i.e. Port 42069 (TCP/UDP).

    • Traffic inspection

      • AWS WAF could be implemented for traffic inspection. Additional charges will apply.

  • Compute protection

    • Reduce attack surface

      • This solution uses Amazon Linux 2 AMI. You may choose to run hardening scripts on it.

    • Enable people to perform actions at a distance

      • This solution uses AWS Systems Manager for terminal session, not ssh ports.

  • Data protection at rest

    • Use encrypted Amazon Elastic Block Store (Amazon EBS) volumes

      • This solution uses encrypted Amazon EBS volumes.

    • Use encrypted Amazon Simple Storage Service (Amazon S3) buckets

      • This solution uses Amazon S3 managed keys (SSE-S3) encryption.

  • Data protection in transit

    • Use TLS

      • The AWS Application Load balancer currently uses HTTP listener. Create HTTPS listener with self signed certificate if TLS is desired.

  • Authorization and access control

    • Use instance profile with Amazon Elastic Compute Cloud (Amazon EC2) instances

      • This solution uses AWS Identity and Access Management (AWS IAM) role instead of IAM user.

    • Following principle of least privilege access

      • In sync node, root user is not used (using special user "ethereum" instead").

  • Application security

    • Security focused development practices

      • cdk-nag is being used with appropriate suppressions.

hashtag
Cost Optimization

  • Service selection

    • Use cost effective resources

      • AWS Graviton-based Amazon EC2 instances are being used, which are cost effective compared to Intel/AMD instances.

  • Cost awareness

    • Estimate costs

      • One sync node with m7g.2xlarge for geth-lighthouse configuration (2048GB ssd) will cost around US$430 per month in the US East (N. Virginia) region. Additional charges will apply if you choose to deploy RPC nodes with load balancer.

hashtag
Reliability

  • Resiliency implementation

    • Withstand component failures

      • This solution uses AWS Application Load Balancer with RPC nodes for high availability. If sync node fails, Amazon S3 backup can be used to reinstate the nodes.

  • Data backup

    • How is data backed up?

    • Resource monitoring

      • How are workload resources monitored?

        • Resources are being monitored using Amazon CloudWatch dashboards. Amazon CloudWatch custom metrics are being pushed via CloudWatch Agent.

hashtag
Performance Efficiency

  • Compute selection

    • How is compute solution selected?

      • Compute solution is selected based on best price-performance, i.e. AWS Graviton-based Amazon EC2 instances.

  • Storage selection

    • How is storage solution selected?

      • Storage solution is selected based on best price-performance, i.e. gp3 Amazon EBS volumes with optimal IOPS and throughput.

  • Architecture selection

    • How is the best performance architecture selected?

      • s5cmd tool has been chosen for Amazon S3 uploads/downloads because it gives better price-performance compared to Amazon EBS snapshots (including Fast Snapshot Restore, which can be expensive).

hashtag
Operational Excellence

  • Workload health

    • How is health of workload determined?

      • Health of workload is determined via AWS Application Load Balancer Target Group Health Checks, on port 8545.

hashtag
Sustainability

  • Hardware & services

    • Select most efficient hardware for your workload

    • This solution uses AWS Graviton-based Amazon EC2 instances which offer the best performance per watt of energy use in Amazon EC2.

hashtag
Solution Walkthrough

hashtag
Open AWS CloudShell

To begin, ensure you login to your AWS account with permissions to create and modify resources in IAM, EC2, EBS, VPC, S3, KMS, and Secrets Manager.

From the AWS Management Console, open the AWS CloudShellarrow-up-right, a web-based shell environment. If unfamiliar, review the 2-minute YouTube videoarrow-up-right for an overview and check out CloudShell with VPC environmentarrow-up-right that we'll use to test nodes API from internal IP address space.

Once ready, you can run the commands to deploy and test blueprints in the CloudShell.

hashtag
Clone this repository and install dependencies

circle-info

NOTE: In this tutorial we will set all major configuration through environment variables, but you also can modify parameters in config/config.ts.

hashtag
Prepare to deploy nodes

  1. Make sure you are in the root directory of the cloned repository

  2. If you have deleted or don't have the default VPC, create default VPC

circle-info

NOTE: You may see the following error if the default VPC already exists:

An error occurred (DefaultVpcAlreadyExists) when calling the CreateDefaultVpc operation: A Default VPC already exists for this account in this region.

That means you can just continue with the following steps.

circle-info

NOTE: The default VPC must have at least two public subnets in different Availability Zones, and public subnet must set Auto-assign public IPv4 address to YES.

  1. With the Node Runners blueprints for Ethereumarrow-up-right, you can deploy both single Ethereum nodes and multi-node high-availability configurations on AWS. Furthermore, Node Runners is designed to support client diversity, with configurations available for a variety of client combinations for the Execution Layer (EL) and Consensus Layer (CL).

Configure your setup.

hashtag
Consensus Layer Client Options

To specify the Ethereum client combination you wish to deploy, create your own copy of .env file and edit it using your preferred text editor. The contents of your file for a Erigon / Lighthouse node deployment is as follows, which uses a sample config from the repository:

chevron-rightLighthousehashtag

chevron-rightPrysmhashtag

NOTE: You can find more examples inside the sample-configs directory, which illustrate other Ethereum client combinations.

Don’t see a client or client combination you would like supported? Open a GitHub issuearrow-up-right or Pull Requestarrow-up-right, we encourage contributionarrow-up-right to Node Runners!

  1. Deploy common components such as IAM role, and Amazon S3 bucket to store data snapshots

hashtag
Option 1: Single RPC Node

  1. Deploy Single RPC Node

circle-info

NOTE: The default VPC must have at least two public subnets in different Availability Zones, and public subnet must set Auto-assign public IPv4 address to YES

  1. After starting the node you need to wait for the inital syncronization process to finish. It may take from half a day to about 6-10 days depending on the client combination and the state of the network. You can use Amazon CloudWatch to track the progress. There is a script that publishes CloudWatch metrics every 5 minutes, where you can watch sync distance for consensus client and blocks behind for execution client. When the node is fully synced those two metrics shold show 0. To see them:

    • Navigate to CloudWatch servicearrow-up-right (make sure you are in the region you have specified for AWS_REGION)

    • Open Dashboards and select eth-sync-node-<your-eth-client-combination> from the list of dashboards.

  2. Once the initial synchronization is done, you should be able to access the RPC API of that node from within the same VPC. The RPC port is not exposed to the Internet. Turn the following query against the private IP of the single RPC node you deployed:

Copy output from the last echo command with NODE_INTERNAL_IP=<internal_IP> and open CloudShell tab with VPC environmentarrow-up-right to access internal IP address space. Paste NODE_INTERNAL_IP=<internal_IP> into the new CloudShell tab. Then query the API:

The result should be like this (the actual balance might change):

hashtag
Option 2: Highly Available RPC Nodes

  1. Deploy Sync Node

circle-info

NOTE: The default VPC must have at least two public subnets in different Availability Zones, and public subnet must set Auto-assign public IPv4 address to YES

  1. After starting the node you need to wait for the inital syncronization process to finish. It may take from half a day to about 6-10 days depending on the client combination and the state of the network. You can use Amazon CloudWatch to track the progress. There is a script that publishes CloudWatch metrics every 5 minutes, where you can watch sync distance for consensus client and blocks behind for execution client. When the node is fully synced those two metrics shold show 0. To see them:

    • Navigate to CloudWatch servicearrow-up-right (make sure you are in the region you have specified for AWS_REGION)

    • Open Dashboards and select eth-sync-node-<your-eth-client-combination> from the list of dashboards.

Once synchronization process is over, the script will automatically stop both clients and copy all the contents of the /data directory to your snapshot S3 bucket. That may take from 30 minutes to about 2 hours. During the process on the dashboard you will see lower CPU and RAM utilization but high data disc throughput and outbound network traffic. The script will automatically start the clients after the process is done.

circle-info

Note: The snapshot backup process will automatically run ever day at midnight time of the time zone were the sync node runs. To change the schedule, modify crontab of the root user on the node's EC2 instance.

  1. Configure and deploy 2 RPC Nodes

  1. Give the new RPC nodes about 30 minutes (up to 2 hours for Erigon) to initialize and then run the following query against the load balancer behind the RPC node created

The result should be like this (the actual balance might change):

If the nodes are still starting and catching up with the chain, you will see the following repsonse:

circle-info

NOTE: By default and for security reasons the load balancer is available only from within the default VPC in the region where it is deployed. It is not available from the Internet and is not open for external connections. Before opening it up please make sure you protect your RPC APIs.

hashtag
Clearing up and undeploying everything

  1. Destroy RPC Nodes, Sync Nodes and Common components

Visit the AWS Blockchain Node Runnersarrow-up-right page to learn more about the Node Runners project. If you have questions, you can ask them on AWS Re:Postarrow-up-right, with a “blockchain” tag.

hashtag
FAQ

  1. How to check the logs of the clients running on my sync node?

NOTE: In this tutorial we chose not to use SSH and use Session Manager instead. That allows you to log all sessions in AWS CloudTrail to see who logged into the server and when. If you receive an error similar to SessionManagerPlugin is not found, install Session Manager plugin for AWS CLIarrow-up-right

  1. How to check the logs from the EC2 user-data script?

  1. I'm running sync node with Ethereum and Prysm or Lighthouse and it gets stuck during syncing, what should I do?

Usually restart helps Erigon client to re-connect with other nodes and continue syncing. To restart do the following:

hashtag
Resource links

AWS Blockchain Node Runners | AWS Blockchain Node Runnersaws-samples.github.iochevron-right
Run blockchain nodes on cloud
LogoGitHub - aws-samples/aws-blockchain-node-runners: Run blockchain nodes on cloudGitHubchevron-right
AWS Blockchain Node Runners

Last updated

Was this helpful?