128technology · Chr1st0ph3rTurn3r · Apr 17, 2026 · Apr 17, 2026 · Apr 21, 2026 · Apr 24, 2026
@@ -0,0 +1,53 @@
+<!--- AWS Account Setup --->
+
+### Create an AWS Account
+
+If you already have an AWS account, skip to [Set Up IAM Access](#set-up-iam-access).
+
+1. Open a web browser and navigate to [https://aws.amazon.com/](https://aws.amazon.com/).
+2. Click **Create an AWS Account**.
+3. Enter your email address and choose an AWS account name, then click **Verify email address**. Check your inbox for the verification code and enter it when prompted.
+4. Set a strong password for the root user and click **Continue**.
+5. On the **Contact Information** page, select **Personal** or **Business** as appropriate, fill in all required fields, and click **Continue**.
+6. On the **Billing Information** page, enter a valid payment method. AWS requires a credit or debit card to verify identity. Click **Verify and Continue**.
+7. On the **Identity Verification** page, choose your verification method (SMS or voice call), enter your phone number, and complete the verification.
+8. Select a **Support Plan**. The **Basic** plan is free and suitable for evaluation. Click **Complete sign up**.
+9. Click **Go to the AWS Management Console** and sign in with your root account credentials.
+
+:::important
+AWS best practice is to avoid using the root account for day-to-day operations. Perform the IAM setup in the next section before proceeding.
+:::
+
+### Set Up IAM Access
+
+Create a dedicated IAM user with the permissions required to deploy SSR infrastructure.
+
+1. In the AWS Console, search for **IAM** in the top search bar and select it.
+2. In the left navigation, select **Users**, then click **Create user**.
+3. Enter a username (for example, `ssr-deploy-admin`) and click **Next**.
+4. On the **Set permissions** page, select **Attach policies directly**.
+5. Attach the following AWS managed policies:
+   - `AmazonEC2FullAccess`
+   - `AmazonVPCFullAccess`
+   - `AWSCloudFormationFullAccess`
+   - `IAMReadOnlyAccess`
+6. Click **Next**, review the summary, then click **Create user**.
+7. Select the newly created user and navigate to the **Security credentials** tab.
+8. Under **Access keys**, click **Create access key**. Choose **Command Line Interface (CLI)** as the use case, acknowledge the recommendation, and click **Next**.
+9. Click **Create access key**, then **Download .csv file** to save your credentials securely. Click **Done**.
+
+:::note
+Store your access keys in a secure location. They cannot be retrieved after the initial creation. If lost, deactivate the old key and create a new one.
+:::
+
+10. To use the AWS CLI, configure it with your new credentials:
+
+```bash
+aws configure
+```
+
+When prompted, enter:
+- **AWS Access Key ID**: from the downloaded CSV
+- **AWS Secret Access Key**: from the downloaded CSV
+- **Default region name**: your target deployment region (for example, `us-east-1`)
+- **Default output format**: `json`
@@ -0,0 +1,33 @@
+<!--- AWS EC2 Key Pair Setup --->
+
+#### Create an EC2 Key Pair
+
+An EC2 key pair is required to authenticate SSH access to your SSR instances.
+
+1. In the AWS Console, navigate to **EC2**.
+2. In the left navigation pane, under **Network & Security**, click **Key Pairs**.
+3. Click **Create key pair**.
+4. Enter the following values:
+
+   | Field | Value |
+   | ----- | ----- |
+   | Name | A descriptive name, for example `ssr-keypair` |
+   | Key pair type | RSA |
+   | Private key file format | `.pem` (for Linux/macOS/AWS CLI) or `.ppk` (for PuTTY on Windows) |
+
+5. Click **Create key pair**. The private key file downloads automatically.
+6. Move the downloaded key file to a secure location, for example `~/.ssh/`, and set restrictive permissions:
+
+```bash
+chmod 400 ~/.ssh/ssr-keypair.pem
+```
+
+:::important
+This is the only time you can download the private key. If you lose it, you must create a new key pair. Store your key file securely and do not share it.
+:::
+
+To connect to an instance using this key pair:
+
+```bash
+ssh -i ~/.ssh/ssr-keypair.pem t128@<instance-public-ip>
+```
@@ -0,0 +1,68 @@
+<!--- AWS Security Groups for SSR --->
+
+#### Create the Conductor Security Group
+
+The Conductor security group controls inbound access to the Conductor instance.
+
+1. In the AWS Console, navigate to **EC2**.
+2. In the left navigation pane, under **Network & Security**, click **Security Groups**.
+3. Click **Create security group**.
+4. Enter the following:
+
+   | Field | Value |
+   | ----- | ----- |
+   | Security group name | `ssr-conductor-sg` |
+   | Description | `Security group for SSR Conductor` |
+   | VPC | Select your `ssr-vpc` |
+
+5. Under **Inbound rules**, click **Add rule** and add the following rules:
+
+   | Type | Protocol | Port range | Source | Description |
+   | ---- | -------- | ---------- | ------ | ----------- |
+   | SSH | TCP | 22 | Your admin CIDR (e.g. `203.0.113.0/24`) | Admin SSH access |
+   | HTTPS | TCP | 443 | Your admin CIDR | Conductor GUI access |
+   | Custom TCP | TCP | 930 | `10.0.0.0/16` (VPC CIDR) | SSR to Conductor control |
+   | Custom TCP | TCP | 4505 | `10.0.0.0/16` | Salt master (router mgmt) |
+   | Custom TCP | TCP | 4506 | `10.0.0.0/16` | Salt master (router mgmt) |
+
+6. Leave **Outbound rules** as the default (all traffic allowed).
+7. Click **Create security group**.
+
+:::note
+Replace `Your admin CIDR` with the specific IP range of your management workstations. Using `0.0.0.0/0` is not recommended for production deployments.
+:::
+
+#### Create the Router Security Group
+
+The Router security group controls inbound access to the SSR Router instance.
+
+1. Click **Create security group** again.
+2. Enter the following:
+
+   | Field | Value |
+   | ----- | ----- |
+   | Security group name | `ssr-router-sg` |
+   | Description | `Security group for SSR Router` |
+   | VPC | Select your `ssr-vpc` |
+
+3. Under **Inbound rules**, add the following:
+
+   | Type | Protocol | Port range | Source | Description |
+   | ---- | -------- | ---------- | ------ | ----------- |
+   | SSH | TCP | 22 | Your admin CIDR | Admin SSH access |
+   | HTTPS | TCP | 443 | Your admin CIDR | Router GUI access |
+   | Custom UDP | UDP | 1280 | `0.0.0.0/0` | SVR peer communication |
+   | Custom TCP | TCP | 1280 | `0.0.0.0/0` | SVR peer communication |
+   | Custom TCP | TCP | 1283 | `0.0.0.0/0` | SVR peer communication |
+   | Custom TCP | TCP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports |
+   | Custom UDP | UDP | 16385-65533 | `0.0.0.0/0` | SVR dynamic ports |
+
+4. Click **Create security group**.
+
+:::note
+For a detailed reference of all ports required for SSR operation, see [Enable Ports on the Firewall](config_firewall_ports.md).
+:::
+
+:::important
+Do **not** enable the CloudFormation templates' default security group if you have created custom security groups as described above. You will specify your custom security groups during template deployment.
+:::
@@ -0,0 +1,99 @@
+<!--- AWS VPC and Subnet Setup --->
+
+#### Create the VPC
+
+A dedicated VPC isolates your SSR deployment and gives you full control over routing and network segmentation.
+
+1. In the AWS Console, search for **VPC** and select it.
+2. Click **Create VPC**, and select **VPC only**.
+3. Enter the following values:
+
+   | Field | Value |
+   | ----- | ----- |
+   | Name tag | A descriptive name, for example `ssr-vpc` |
+   | IPv4 CIDR block | A private address range, for example `10.0.0.0/16` |
+   | IPv6 CIDR block | No IPv6 CIDR block |
+   | Tenancy | Default |
+
+4. Click **Create VPC**.
+
+### Create Subnets
+
+SSR requires three subnets for a conductor-managed router deployment. Create each subnet within the VPC you just created.
+
+:::note
+Subnet CIDR examples below are based on the `10.0.0.0/16` VPC range. Adjust to fit your environment.
+:::
+
+#### Management Subnet
+
+Used by the Conductor and for out-of-band administration of the Router.
+
+1. In the VPC Dashboard, click **Subnets**, then **Create subnet**.
+2. Select your VPC from the **VPC ID** dropdown.
+3. Enter the following:
+
+   | Field | Value |
+   | ----- | ----- |
+   | Subnet name | `ssr-mgmt-subnet` |
+   | Availability Zone | Choose your preferred AZ |
+   | IPv4 CIDR block | `10.0.1.0/24` |
+
+4. Click **Create subnet**.
+5. Select the new subnet, click **Actions**, and choose **Edit subnet settings**.
+6. Enable **Auto-assign public IPv4 address** and save.
+
+#### Public (WAN) Subnet
+
+Used for external connectivity and peer SSR communication.
+
+1. Click **Create subnet**, select your VPC, and enter:
+
+   | Field | Value |
+   | ----- | ----- |
+   | Subnet name | `ssr-public-subnet` |
+   | Availability Zone | Same AZ as the management subnet |
+   | IPv4 CIDR block | `10.0.2.0/24` |
+
+2. Click **Create subnet**.
+3. Enable **Auto-assign public IPv4 address** on this subnet.
+
+#### Private (LAN) Subnet
+
+Used for internal workloads and application traffic.
+
+1. Click **Create subnet**, select your VPC, and enter:
+
+   | Field | Value |
+   | ----- | ----- |
+   | Subnet name | `ssr-private-subnet` |
+   | Availability Zone | Same AZ as the other subnets |
+   | IPv4 CIDR block | `10.0.3.0/24` |
+
+2. Click **Create subnet**.
+3. Do **not** enable Auto-assign public IPv4 for this subnet.
+
+### Create and Attach an Internet Gateway
+
+The Internet Gateway provides outbound internet connectivity to the management and public subnets.
+
+1. In the VPC Dashboard, click **Internet gateways**, then **Create internet gateway**.
+2. Enter a name (for example, `ssr-igw`) and click **Create internet gateway**.
+3. Select the new Internet Gateway, click **Actions**, then **Attach to VPC**.
+4. Select your `ssr-vpc` and click **Attach internet gateway**.
+
+### Configure Route Tables
+
+Create a route table for the public-facing subnets and associate the management and public subnets with it.
+
+1. In the VPC Dashboard, click **Route tables**, then **Create route table**.
+2. Enter a name (for example, `ssr-public-rt`) and select your `ssr-vpc`.
+3. Click **Create route table**.
+4. Select the new route table, click the **Routes** tab, then **Edit routes**.
+5. Click **Add route**, enter `0.0.0.0/0` for the destination, and set the target to your `ssr-igw` Internet Gateway. Click **Save changes**.
+6. Click the **Subnet associations** tab, then **Edit subnet associations**.
+7. Select `ssr-mgmt-subnet` and `ssr-public-subnet`, then click **Save associations**.
+
+:::note
+The private subnet intentionally uses the **main (default) route table** which has no internet gateway route, ensuring internal traffic does not have a direct path to the internet.
+:::
@@ -1,10 +1,10 @@
 <!----Add the Conductor to the Authority---->
 
-Take this opportunity to log into the Conductor GUI to complete the following operations. This will provide validation that the installation was successful, and familiarize you with GUI operations. 
+Take this opportunity to log into the Conductor GUI to complete the following operations. This provides validation that the installation was successful, and familiarizes you with GUI operations. 
 
 #### Connecting the Conductor to the Network
 
-To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use `https://<interface IP address>` for GUI login.
+To make sure the conductor is on a network and accessible via GUI, the IP address on the interface must be in the same subnet as the VLAN on the switch port. Use `https://192.168.128.1` for GUI login.
 
 1. Select the **Conductor** from the Authority menu on the left side of the GUI. 
 
@@ -14,7 +14,7 @@ To make sure the conductor is on a network and accessible via GUI, the IP addres
 
  ![Conductor Configuration Icon](/img/conductor_config_icon.png)
 
-3. Select the node for the conductor - in this example it is `node1`.
+3. Select the node for the conductor - in this example it is `node0`.
 
  ![Conductor Node](/img/conductor_node.png) 
 

@@ -0,0 +1,21 @@
+<!--- Deployment Guide - Network Design Reference Table --->
+
+The following IP addressing and naming scheme is used consistently throughout this guide. Substitute your own values when configuring your network.
+
+| Parameter | Example Value | Description |
+|-----------|--------------|-------------|
+| Authority Name | `Authority128` | Organizational authority name |
+| Conductor Router Name | `conductor1` | Conductor system name |
+| Conductor Node Name | `node0` | Conductor node name |
+| Conductor IP Address | `192.168.100.10` | Static management IP on the conductor |
+| Conductor Subnet Mask | `/24` | Management network prefix |
+| Conductor Gateway | `192.168.100.1` | Management network gateway |
+| Router Name | `branch1` | Branch router system name |
+| Router Node Name | `node0` | Router node name |
+| Router WAN Interface | `wan1` (`ge-0-0`) | WAN port — uses DHCP |
+| Router LAN Interface | `lan1` (`ge-0-3`) | LAN port |
+| Router LAN IP Address | `192.168.1.1/24` | LAN gateway address |
+| Tenant Name | `corp` | LAN-side user tenant |
+| Service Name | `internet` | Internet breakout service |
+| Service Address | `0.0.0.0/0` | All internet-bound traffic |
+| Neighborhood | `internet` | SVR neighborhood name |
@@ -0,0 +1,20 @@
+<!--- SSR1200 Port Mapping Info (for Conductor deployments) --->
+
+![SSR1200 Front Panel](/img/hdwr_ssr1200_faceplate.png)
+
+### Port Mapping
+
+| Name | Port | Description | PCI Address | Speed | Type |
+| --- | --- | --- | --- | --- | --- |
+| mgmt-0-0 | MGMT | Management interface | 0000:03:00.0 | 1000 | MGMT |
+| ge-0-0 | Port 0/0 | WAN 1 network interface | 0000:03:00.1 | 1000 | WAN |
+| ge-0-1 | Port 0/1 | WAN 2 network interface | 0000:03:00.2 | 1000 | WAN |
+| ge-0-2 | Port 0/2 | WAN 3 network interface | 0000:03:00.3 | 1000 | WAN |
+| ge-0-3 | Port 0/3 | LAN 1 network interface | 0000:01:00.0 | 1000 | LAN |
+| ge-0-4 | Port 0/4 | LAN 2 network interface | 0000:01:00.1 | 1000 | LAN |
+| ge-0-5 | Port 0/5 | HA Fabric network interface | 0000:01:00.2 | 1000 | HA Fabric |
+| ge-0-6 | Port 0/6 | HA Sync network interface | 0000:01:00.3 | 1000 | HASync |
+| xe-1-0 | Port 1/0 | LAN 3 network interface | 0000:07:00.3 | 10000 | LAN |
+| xe-1-1 | Port 1/1 | LAN 4 network interface | 0000:07:00.2 | 10000 | LAN |
+| xe-1-2 | Port 1/2 | LAN 5 network interface | 0000:07:00.1 | 10000 | LAN |
+| xe-1-3 | Port 1/3 | LAN 6 network interface | 0000:07:00.0 | 10000 | LAN |
@@ -0,0 +1,18 @@
+<!--- SSR130 Port Mapping Info (for Conductor deployments) --->
+
+The following image of the SSR130 includes Cellular and TAA subvariants.
+
+![SSR130 Front Panel](/img/hdwr_ssr130_faceplate.png)
+
+### Port Mapping
+
+| Name | Port | Description | PCI Address | Speed | Type |
+| --- | --- | --- | --- | --- | --- |
+| ge-0-0 | Port 0 | WAN 1 network interface | 0000:04:00.3 | 1000 | WAN |
+| ge-0-1 | Port 1 | WAN 2 network interface | 0000:04:00.2 | 1000 | WAN |
+| ge-0-2 | Port 2 | WAN 3 network interface | 0000:04:00.1 | 1000 | WAN |
+| ge-0-3 | Port 3 | LAN 1 network interface | 0000:04:00.0 | 1000 | LAN |
+| ge-0-4 | Port 4 | LAN 2 network interface | 0000:03:00.1 | 1000 | LAN |
+| ge-0-5 | Port 5 | LAN 3 network interface | 0000:03:00.0 | 1000 | LAN |
+| ge-0-6 | Port 6 | HA Fabric network interface | 0000:02:00.1 | 1000 | HA Fabric |
+| ge-0-7 | Port 7 | HA Sync network interface | 0000:02:00.0 | 1000 | HASync |
@@ -7,6 +7,6 @@ The authority represents the complete set of all SSRs managed under a single org
 
  ![Authority Settings](/img/conductor_authority_name.png)
 
-3. Under Basic Information, enter the new Authority name. For example, a good name for the Authority would be the name of the business, e.g., Acme Corp. 
+3. Under Basic Information, enter the new Authority name.  
 
  ![Basic Information](/img/conductor_authority_name2.png)
@@ -0,0 +1,49 @@
+<!--- VMware Conductor - Find NIC PCI Address --->
+
+The SSR conductor configuration requires the PCI address of the VMXNet3 management NIC. Because VMware assigns PCI addresses dynamically based on VM slot assignment, you must discover the address from the running VM rather than assuming a fixed value.
+
+### Identify the Interface Name
+
+1. Log in to the conductor CLI or SSH session:
+
+   ```
+   ssh admin@192.168.100.10
+   ```
+
+2. Enter the Linux shell from the PCLI:
+
+   ```
+   admin@node0.conductor1# shell
+   ```
+
+3. List the network interfaces:
+
+   ```bash
+   ip link show
+   ```
+
+   The output shows the Linux interface names for each NIC. A VMXNet3 NIC on VMware is commonly named `ens192`, `ens160`, or `eth0`. Identify the interface that corresponds to the management network.
+
+### Find the PCI Address
+
+4. Use `ethtool` to retrieve the PCI bus info for that interface. Replace `ens192` with your actual interface name:
+
+   ```bash
+   ethtool -i ens192 | grep bus-info
+   ```
+
+   Example output:
+
+   ```
+   bus-info: 0000:0b:00.0
+   ```
+
+   The value after `bus-info:` (for example `0000:0b:00.0`) is the PCI address to use in the SSR conductor configuration.
+
+:::tip
+If `ethtool` is not available, you can find the PCI address using:
+```bash
+ls -la /sys/class/net/ens192/device
+```
+The symlink target contains the PCI address in the path, for example `../../../0000:0b:00.0`.
+:::