FileMaker Cloud Getting Started Guide
Preparing to purchase and create a FileMaker Cloud instance
Getting to know Amazon Web Services
You must have an Amazon Web Services (AWS) account before you create a FileMaker Cloud instance on AWS.
If you are unfamiliar with AWS, review these sections:
Before purchasing FileMaker Cloud, decide which type of license subscription you want:
- To purchase a new FileMaker Cloud license, determine the number of user connections you need. You can choose from SKUs with 5, 10, 25, and 100 user connections.
- To use an existing FileMaker Server license, or if the number of user connections needed differs from the AWS SKUs, choose FileMaker Cloud BYOL.
Understanding AWS regions
Most Amazon Web Services offer regional endpoints to reduce data latency in applications. FileMaker Cloud supports these regions:
- US East (Northern Virginia)
- US West (Oregon)
The resources in each region are independent. For example, if you create FileMaker Cloud instances in US West and US East, the two instances are independent.
When you sign in to the AWS Elastic Compute Cloud (EC2) console, you choose a region from the list next to your username in the navigation bar. Due to data latency, FileMaker, Inc., recommends choosing the region nearest you.
Step 1: Create your Elastic Compute Cloud (EC2) key pair
Note: Key pairs are region specific. When you create the key pair, it is valid only for the region selected upon sign-in.
- Sign in to the EC2 console: https://console.aws.amazon.com/ec2
- If a region isn't already selected, select one from the top navigation bar.
- In the left navigation pane, under Network and Security, choose Key Pairs.
- Click Create Key Pair.
- In the Create Key Pair dialog box, name your key pair and click Create.
- The key pair is downloaded by your browser to your computer. If the extension .txt is added, delete that extension so that the key pair filename ends in .pem.
Step 2: Purchase FileMaker Cloud on the AWS Marketplace
Note: Key pairs are region specific. When you create the key pair, it is valid only for the region selected upon sign-in.
If you are not signed in to https://aws.amazon.com/marketplace, sign in using your AWS account, user name, and password. (Do not use private Amazon credentials.)
Note: You might have to sign in again to AWS Marketplace. If so, click Sign in at the top of the page.
- Search for FileMaker Cloud.
- Click the SKU you want to purchase.
Click Continue on the FileMaker Cloud homepage.
Click Accept Software Terms on the next page.
On the Next Steps page, click Usage Instructions to display instructions and links necessary for creating your instance.
Create your FileMaker Cloud instance
Step 1: Create your cloud instance
To create your instance from the FileMaker Cloud homepage in AWS:
- Click Usage Instructions.
On the Usage Instructions page, click the link for a regional cloud template. Choose the link for the region nearest you. If you previously created a key pair, choose the same region as before.
- US East (N. Virginia)
- US West (Oregon)
The Create Stack wizard guides you through the four steps to create an instance.
On the Select Template page, click Next to use the stack template URL selected at the bottom of the screen. This URL determines the properties of the cloud stack that will be created.
On the Specify Details page, enter the following and then click Next.
- A stack name. This name identifies your stack in AWS. It can contain only letters, numbers, and dashes.
- An email address for logging in to FileMaker Cloud. This email address will be the root administrator user name.
- An instance type.
- The KeyName of your key pair.
Click Next on the Options page to continue. (These settings are optional.)
Review your settings, acknowledge possible Identity and Access Management (IAM) resource creation, and click Create.
The Cloud Management Console screen appears. If you have not created stacks before, no stacks are listed. You can check on your stack by clicking the Refresh button at the top right of the list.
The stack status is CREATE_IN_PROGRESS.
Wait several minutes while the stack is created. The status changes to CREATE_COMPLETE when the process is finished.
- If the stack detects an internal failure during creation, the CloudFormation template terminates the stack, and the CloudFormation console displays a failure message.
- If the stack creation is successful, the console displays a success message.
- If the stack times out, its creation is rolled back and the console displays a "wait condition" message. The default wait time is 15 minutes, and the timer starts after the instance is created.
Step 2: Set up FileMaker Cloud
- If you did not select a BYOL license, skip to step 2. If you selected a BYOL license, you receive an email with a link to the FileMaker Store, sent to the email address specified when you created the instance. After the FileMaker Store completes your transaction, you receive the email shown in the next step.
Wait to receive an email from the FileMaker Cloud administrator, sent to the address specified when you created the instance.
Note: If you plan to use a custom signed SSL certificate instead of the default Comodo certificate, copy and save the URL that appears in the browser when you click the here link in the email. You will need the generated host name for Domain Name Service (DNS) mapping when you import the custom certificate.
- Click the link in the email, complete these fields on the Welcome page, and then click Set Up:
- Amazon Account Number: Your Amazon account number. To locate it on the AWS Management Console, click Support, choose Support Center, and view your 12-digit account number at the upper right.
- Host Name: Create a host name for FileMaker Cloud. This name appears in the server URL, and cannot exceed 40 characters.
- Password: Create a password. The password must have from 8 to 128 characters and include 3 of these 4 character types: uppercase letter, lowercase letter, number, and symbol.
- Confirm Password: Confirm the password you created.
- Local time zone: Select your local time zone from the list.
After you click Submit, the Admin Console Set Up page appears, displaying a countdown timer.
Sign in when the Admin Console Sign In page appears. Your name is the email address you specified when you created the instance.
- Once the stack creation is complete, charges for your instance begin accruing on AWS.
- BYOL users may have to wait as long as a day for the FileMaker Store to validate their license. During any wait time, they will accrue AWS charges before receipt of the welcome email.
- AWS users can register their purchase at any time on the Subscription Center page in FileMaker Cloud.
FileMaker Cloud system requirements
Hardware and software requirements
FileMaker Cloud hardware and software requirements are listed here:
FileMaker Cloud Technical Specifications
Supported data sources
The following ESS data sources are supported:
- Microsoft SQL Server 2008 R2, 2012, and 2012 SP1
- MySQL 5.6.12 Community Edition (free)
- Oracle 11g R2 and Oracle 12c R1
The following Linux ODBC drivers are supported:
- Microsoft ODBC Driver 11 for SQL Server (version 11.0.2270.0, 64-bit)
- MySQL ODBC 5.2 Unicode Driver (version 5.2.7, 64-bit)
- Oracle Database 12c Release 1 Client for Microsoft Windows (version 188.8.131.52.0, 64-bit)
Instance sizing and pricing
Review the AWS/Amazon EC2/Instance types to choose the instance type that best suits your needs. See the following summary table, or visit: https://aws.amazon.com/ec2/instance-types/
- Review the pricing details for your instance type on the FileMaker Cloud homepage. Visit: http://aws.amazon.com/ec2/pricing/
Important: Your FileMaker Cloud instance is a compute resource in AWS. If you have an hourly subscription, you pay on an hourly basis from the time you launch or start a compute resource until the time you stop or terminate it. (For data storage and transfer, you pay on a per gigabyte basis.) You can turn off your compute resources and stop paying for them when you don’t need them. See: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html
This table summarizes the instance types supported for FileMaker Cloud. For each type, storage is Amazon Elastic Block Storage (EBS), a durable block-level storage volume attached to a single EC2 instance. For optimal operation, FileMaker Cloud requires 40 GB of storage. Each instance will include 40 GB of EBS. You can upgrade the volume size at additional cost.
|Type||Description||Use for||vCPU||CPU credits/hour||Memory (GiB)|
| ||Used for workloads that don’t use the full CPU often or consistently, but occasionally need to "burst" (surge). The baseline performance and ability to burst are governed by CPU Credits.||Early product experiments, small databases|| || || |
| ||Provides a balance of compute, memory, and network resources. A good choice for many applications. Provides EBS optimization through dedicated EBS throughput of 750 Mbps. Provides support for EC2 Enhanced Networking.|| || || || |
|c4.xlarge||Features the highest performing processors and the lowest price/compute performance in EC2. Provides EBS optimization through dedicated EBS throughput of 750 Mbps. Provides support for Enhanced Networking and Clustering.||High compute performance and advanced optimization||4|| ||7.5|
FileMaker Cloud security
AWS security features
This section describes AWS security features and the steps you can take as the root administrator to apply these security features to your FileMaker Cloud instance.
Root credentials: Secure your root AWS account credentials by setting up multifactor authentication, to require more than one method of authentication: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
Protecting your key pair
You created an EC2 key pair used to launch your FileMaker Cloud instance and to provide Secure Shell (SSH) access. Amazon EC2 stores the public key only, and you store the private key. Anyone who possesses your private key can decrypt your login information, so it's important that you store your private keys in a secure place.
For increased security, instead of using Amazon EC2 to create your key pair, you can create an RSA key pair using a third-party tool and import the public key into Amazon EC2. For example, use ssh-keygen (provided with the standard OpenSSH installation) to create a key pair and protect your key pair with a passphrase.
To create a key pair with passphrase protection using ssh-keygen:
- On the Linux command line of your local machine, enter:
Your private key will be stored in the path and file specified. For example:
- When prompted, enter and re-enter a passphrase.
The key pair is generated, as shown in a series of messages.
- Import the public key: in the AWS Management Console, under Network and Security, choose Key Pairs and click the Import Key Pair tab.
- In the Import Key Pair dialog box, browse to the public key file location, or use the cat command to copy and paste the public key.
To connect to your instance using the passphrase-protected private key:
- On the Linux command line, enter:
ssh -i /path/filename centos@ipaddress
- Enter yes when prompted to connect.
- Enter the passphrase in the dialog box, and click OK.
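One way to confirm that a private key file on your workstation is actually passphrase-protected and not readable by other users, as an added example (not FileMaker or AWS code). The sample keys are constructed headers with no real key material, and the function names are hypothetical.

```python
import base64
import os
import stat
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Constructed samples: headers only, no real key material.
PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")


def openssh_sample(cipher):
    """Build a constructed OpenSSH-format header (not a usable key)."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + field(cipher) + field(b"none") + field(b"")
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


def key_is_encrypted(text):
    """True/False for a recognized private key file, None if unrecognized."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].endswith("PRIVATE KEY-----"):
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", blob, off)
        return blob[off + 4:off + 4 + n] != b"none"   # cipher name field
    if "ENCRYPTED PRIVATE KEY" in lines[0]:           # PKCS#8, encrypted
        return True
    # Legacy PEM: encryption is announced by a Proc-Type header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)


def audit_key_file(path):
    """Return findings for one private key file: permissions and passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:o} lets group/others read the key")
    with open(path, encoding="ascii", errors="replace") as fh:
        encrypted = key_is_encrypted(fh.read())
    if encrypted is None:
        findings.append("not a recognized private key format")
    elif not encrypted:
        findings.append("private key is not passphrase-protected")
    return findings
```

An empty list from audit_key_file means the file is owner-only and its header declares encryption; it does not test the strength of the passphrase.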
AWS Simple Email Service (SES): FileMaker Cloud uses AWS SES for sending emails to administrators. Security is enhanced because you don't have to set up an SMTP server and open port 25.
AWS Web Application Firewall (WAF): Consider purchasing AWS WAF, a web application firewall that can help protect FileMaker Cloud against web security risks. With AWS WAF, you first identify the Amazon CloudFront web distribution to protect, and then create and deploy the rules and filters that will best protect your instance. See https://aws.amazon.com/waf/details/.
Managing ports in your security group
Control network access to your EC2 instance through the security group, which acts like a built-in software firewall for your instance. The security group allows you to filter both inbound and outbound traffic. FileMaker Cloud doesn't filter outbound traffic because each customer's users will be unique. However, if you have a known set of outbound ports, you can configure them for your instance's security.
Limit inbound traffic to specific ports and protocols, and specify which IP addresses can have access to your instance. FileMaker Cloud restricts access for each instance's default security group to the following inbound ports:
|80||FileMaker Cloud, FileMaker Cloud web server, FileMaker Cloud Admin Console users, client users||HTTP|
|443||FileMaker Cloud, FileMaker Cloud web server, client users||HTTPS|
|5003||FileMaker Cloud, FileMaker Pro and FileMaker Go client users||Hosting databases|
You may need to configure two additional ports for your FileMaker Cloud instance:
- For Secure Shell (SSH) access, open port 22.
- For access by ODBC or JDBC clients, open port 2399.
To configure a port:
- In the AWS Management Console, select your instance.
- On the Description tab, click the Security groups link.
- Click the Inbound tab.
- Click Edit.
- In the Edit inbound rules dialog box, click Add Rule.
For each port, specify the port type, number, source, and IP address or range in CIDR notation.
- For SSH access, select SSH. Port 22 appears as the number. Select Custom and enter the IP address or range.
- For ODBC or JDBC client access, select Custom TCP Rule and enter port 2399. Select Custom and enter the IP address or range.
- Click Save.
Note: Click the i button for information on accepted values for any column.
FileMaker, Inc., recommends restricting inbound traffic for the remaining ports 80, 443, and 5003. Avoid inbound access from Anywhere.
For secure access from an ODBC or JDBC client, use a Virtual Private Network (VPN) to connect the client to FileMaker Cloud.
Make sure to protect the SSH key pair with a passphrase to limit access to your instance. See Protecting your key pair.
Denial of service attack prevention: FileMaker Cloud implements rules for rate control. If ports 80, 443, or 2399 receive greater than 20 hits per second from the same incoming IP address, subsequent hits are dropped.
FileMaker Cloud security features
This section describes FileMaker Cloud security features and the steps you can take as the root administrator to manage these features in your FileMaker Cloud instance.
Software patching: You receive notifications when patches are available. After you download a patch, FileMaker Cloud applies it. If you ignore a notification, the patch is downloaded and applied during nightly auto-maintenance, when the server restarts.
Non-root credentials: FileMaker Cloud requires that you set up Login with Amazon, an identity provider based on OAuth 2.0. This feature allows authenticated users to sign in to FileMaker Cloud with their Amazon credentials. These users have limited access to FileMaker Cloud; for example, they cannot see the configuration page, where the root user can change their email address or password.
Database encryption: FileMaker Cloud encrypts all the information stored in a database file (also known as Encryption at Rest) before opening it. You are required to create an encryption password for the database, and have the option of saving the password and creating a hint for it.
Session timeouts: Set session timeouts for FileMaker Go and FileMaker Pro clients. The default session timeout for FileMaker WebDirect users is 15 minutes. When client users' idle periods reach the timeout setting, they are disconnected. Setting session timeouts reduces the risk of database files being accessed by an unattended computer or mobile device.
FileMaker Cloud plug-ins: Use plug-ins only from trusted sources. Plug-ins can access and modify your solution and connect to other services over the Internet. If you enable FileMaker Script Engine (FMSE) plug-ins, you can choose whether to allow scripts to install, update, and load plug-ins using the Install Plug-In File script step. Similarly, if you allow WebDirect plug-ins, you can choose whether to allow the Install Plug-In File script step in FileMaker WebDirect.
Log file entries: Frequently download the Event.log file and review it for the keyword SECURITY to see security-related entries.
FileMaker Script Engine (FMSE) access: FileMaker Cloud limits FMSE access for enhanced security in the following ways:
- FMSE cannot query the AWS metadata service.
- FMSE cannot send requests to localhost at ports 1895 and 16002.
- FMSE cannot execute applications from the Data folder, and it can access only the Data/Documents and Data/Database folders.
The following AWS terms appear during purchase or stack creation. For detailed descriptions, see the AWS documentation.
Amazon Elastic Compute Cloud (Amazon EC2) – A scalable computing capacity in the AWS cloud.
Amazon Machine Image (AMI) – A preconfigured template for instance creation.
BYOL – Bring Your Own License. A license model that lets you use an existing software license for a cloud instance.
Identity and Access Management (IAM) – A web service that lets you control access to AWS resources for your users.
Instance – A virtual computing environment.
Instance type – A preset configuration of CPU, memory, storage, and networking capacity.
Key pair – Provides secure login information for your instances. AWS stores the public key, and you store the private key in a secure place.
SKU – Stock keeping unit. An identification, usually alphanumeric, of a specific product that allows it to be tracked for inventory purposes.
Stack – A group of related resources that you manage as a named unit.
Tag – Metadata that you create and assign to your Amazon EC2 resources. Stack tags are key-value pairs that help you manage your instances. For example, you could create a key-value pair using "Owner" and "Stack":
Timeout – Sets the number of minutes before stack creation times out. The default is 15 minutes for initial stack creation and 60 minutes for upgraded stacks.