How to configure PAM cluster in AWS (Amazon Web Services)
Article ID: 97666

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

This article shows the step-by-step procedure for configuring a PAM cluster in an AWS environment.
This article assumes the following:
    a. One site with a two-node PAM cluster
    b. All PAM nodes have the same version and license
    c. All PAM nodes are in the same VPC, subnet and availability zone
    d. You have your AWS user account's Access Key ID and Secret Access Key at hand, i.e. for the user account you used to create the PAM node instances
 

Environment

PAM 2.8.x onward

Resolution

1. The very first step is to create a Security Group so that the PAM nodes can communicate with each other as per the cluster network requirements, i.e. we need to allow communication on TCP/443, TCP/3306 (MySQL), TCP/5900 (Hazelcast), TCP/7900 (JGroups) and TCP/7901 (JGroups heartbeat). Refer to https://docops.ca.com/ca-privileged-access-manager/2-8-3/EN/deploying/set-up-a-cluster/cluster-deployment-requirements/#ClusterDeploymentRequirements-NetworkRequirements for more details.
 

Log in to the AWS Console using your account, go to the EC2 Console, select NETWORK & SECURITY > Security Groups, click the [Create Security Group] button and create the Security Group in the same VPC. See the example Security Group setup below. In this example both PAM nodes are in the 10.0.0.0/24 subnet.
 


You may want to adjust the Security Group rules based on your business requirements, as long as both PAM nodes can communicate with each other over their Private IPs for cluster communications.

2. Assign the Security Group to both PAM nodes. From the EC2 Console select INSTANCES > Instances, select the 1st PAM node instance and select [Actions] > Networking > Change Security Groups. The Change Security Groups dialog appears. Select the Security Group created in step 1 above and click the [Assign Security Groups] button. Repeat this for the 2nd PAM node instance.

3. Assign a Secondary Private IP to the 1st PAM node. From the EC2 Console select INSTANCES > Instances, select the 1st PAM node instance and select [Actions] > Networking > Manage IP Addresses. The Manage IP Addresses dialog appears. Click the Assign new IP link and then the [Yes, Update] button. A new Private IP will be auto-assigned. Note down both the primary and the secondary private IP.

4. Create 3 Elastic IPs, i.e. one for each PAM node and a 3rd one for the VIP. From the EC2 Console select NETWORK & SECURITY > Elastic IPs and then click the [Allocate new address] button. Click the [Allocate] button and a new Elastic IP is allocated. Click the [Close] button. Repeat these steps until you have created 3 Elastic IPs.

5. Assign the 1st Elastic IP to the 1st PAM node instance and the 2nd Elastic IP to the 2nd PAM node instance. Select the 1st Elastic IP and then select [Actions] > Associate address. Select Instance as the resource type and select the 1st PAM node instance from the Instance drop-down. Select the primary private IP from the Private IP drop-down. Click [Associate]. Once it is associated successfully, click the [Close] button. Repeat the same steps to assign the 2nd Elastic IP to the 2nd PAM node instance.

6. Assign the 3rd Elastic IP to the 1st PAM node instance's secondary private IP. Select the 3rd Elastic IP and then [Actions] > Associate address. Select Instance as the resource type and select the 1st PAM node instance from the Instance drop-down. Select the secondary private IP from the Private IP drop-down. Click [Associate]. Once it is associated successfully, click the [Close] button.

7. Note down all the Public IP address (Elastic IP address) and Private IP address pairs as per the table below. They are needed in the PAM cluster configuration steps that follow.

Public IP & Private IP Pairs

             1st PAM node    2nd PAM node    VIP Address
Private IP   10.0.0.186      10.0.0.107      10.0.0.88
Public IP    A.A.A.A         B.B.B.B         V.V.V.V

8. If the PAM nodes are stopped, start them.
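The AWS-side steps 1 to 8 above can also be done from the command line, which makes the setup repeatable and gives you a way to read the IP pairs back from AWS instead of noting them down during the clicks. The script below is an added example and is not part of this article or of the PAM product; it assumes the AWS CLI v2 is installed and authenticated with the same account that owns the PAM instances, and that the placeholder VPC id, instance ids and admin CIDR are replaced with your own values. It deviates from the article's subnet-wide rule in one respect: the cluster ports are opened only to members of the new Security Group itself (source = the group), which still lets both nodes talk over their private IPs while keeping MySQL, Hazelcast and JGroups closed to the rest of the subnet; TCP/443 is additionally opened to the admin network so the UI stays reachable.

```shell
#!/bin/sh
# Added example, not from the KB article: steps 1-8 (the AWS side of the PAM
# cluster setup) done with the AWS CLI instead of the EC2 console.
# Assumptions not stated in the article: AWS CLI v2 is installed and already
# authenticated as the account that owns the PAM instances; the placeholder
# values below are replaced before running with "apply".
set -eu

VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"            # placeholder: VPC of both PAM nodes
NODE1="${NODE1:-i-PLACEHOLDER-node1}"          # placeholder: 1st PAM node instance id
NODE2="${NODE2:-i-PLACEHOLDER-node2}"          # placeholder: 2nd PAM node instance id
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"     # constructed: enterprise network allowed to reach the PAM UI

# Cluster ports from the article's network requirements (all TCP).
pam_cluster_ports() { echo "443 3306 5900 7900 7901"; }

# Format "Private IP,Public IP" the way the PAM 2.8 VIP field expects it: a comma
# and no space. Returns 1 if either value carries whitespace (a common paste error).
ip_pair() {
  case "$1$2" in *[[:space:]]*) return 1 ;; esac
  printf '%s,%s\n' "$1" "$2"
}

# Step 1: security group. Cluster ports are opened only to members of this same
# group; 443 is also opened to the admin network for the web UI.
create_security_group() {
  sg=$(aws ec2 create-security-group --group-name pam-cluster \
        --description "CA PAM cluster communication" --vpc-id "$VPC_ID" \
        --query GroupId --output text)
  for port in $(pam_cluster_ports); do
    aws ec2 authorize-security-group-ingress --group-id "$sg" \
      --protocol tcp --port "$port" --source-group "$sg" >/dev/null
  done
  aws ec2 authorize-security-group-ingress --group-id "$sg" \
    --protocol tcp --port 443 --cidr "$ADMIN_CIDR" >/dev/null
  echo "$sg"
}

# Step 2: attach the group. --groups replaces the instance's whole group list,
# so add any existing groups you still need to the argument.
assign_security_group() {  # $1 = instance id, $2 = security group id
  aws ec2 modify-instance-attribute --instance-id "$1" --groups "$2"
}

primary_eni() {  # $1 = instance id
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' --output text
}

primary_private_ip() {  # $1 = instance id
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text
}

# Step 3: add one auto-assigned secondary private IP to a node and print it.
add_secondary_private_ip() {  # $1 = instance id
  eni=$(primary_eni "$1")
  aws ec2 assign-private-ip-addresses --network-interface-id "$eni" \
    --secondary-private-ip-address-count 1 >/dev/null
  aws ec2 describe-network-interfaces --network-interface-ids "$eni" \
    --query 'NetworkInterfaces[0].PrivateIpAddresses[?Primary==`false`].PrivateIpAddress | [0]' \
    --output text
}

# Steps 4-6: allocate an Elastic IP and bind it to one specific private IP.
allocate_eip() { aws ec2 allocate-address --domain vpc --query AllocationId --output text; }
associate_eip() {  # $1 = allocation id, $2 = instance id, $3 = private ip
  aws ec2 associate-address --allocation-id "$1" --instance-id "$2" \
    --private-ip-address "$3" >/dev/null
}

# Step 7: the check behind the article's table. AWS is the source of truth for
# which public IP landed on which private IP, so read the pairs back from it.
show_pairs() {  # $@ = allocation ids
  aws ec2 describe-addresses --allocation-ids "$@" \
    --query 'Addresses[].[PrivateIpAddress,PublicIp]' --output table
}

main() {
  sg=$(create_security_group)
  assign_security_group "$NODE1" "$sg"
  assign_security_group "$NODE2" "$sg"
  node1_priv=$(primary_private_ip "$NODE1")
  node2_priv=$(primary_private_ip "$NODE2")
  vip_priv=$(add_secondary_private_ip "$NODE1")
  eip1=$(allocate_eip); eip2=$(allocate_eip); eip3=$(allocate_eip)
  associate_eip "$eip1" "$NODE1" "$node1_priv"
  associate_eip "$eip2" "$NODE2" "$node2_priv"
  associate_eip "$eip3" "$NODE1" "$vip_priv"   # the VIP rides on the 1st node's secondary IP
  show_pairs "$eip1" "$eip2" "$eip3"
}

# Only touch AWS when explicitly asked; sourcing the file just defines the helpers.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh pam-aws-cluster.sh apply` after exporting VPC_ID, NODE1, NODE2 and ADMIN_CIDR. The table printed by show_pairs is the one you carry into step 10; ip_pair gives you the exact "private,public" string for the PAM 2.8 VIP field.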

9. Now we need to create an AWS connection before we can set up the cluster. Access the 1st PAM node (https://A.A.A.A) from your enterprise network (a network that is allowed in the Security Group) using an Internet browser. Log in as the super user. Go to the Targets > Accounts page, click the [Add] button, click the magnifying glass icon beside the Application Name field and select AWS Access Credential Accounts as the application. Host Name and Device Name default to xceedium.aws.amazon.com. Select Access Key as the AWS Access Credential Type and key in your AWS account's Access Key ID and Secret Access Key along with an appropriate User Friendly Account Name (an arbitrary name that you can remember). You should use the same AWS account you used to create/configure the PAM instances. Click the [Save] button.

AWS Access Credential Account

Go to the Config > 3rd Party page and, in the Add AWS Connection section, select the Access Key Alias, i.e. the User Friendly Account Name of the previously configured AWS account, select the Active check box if you want to import AWS instances as devices into PAM, and select the AWS Region where the PAM nodes run. The new AWS Connection is shown in the AWS Configuration section; click the [Test] button and confirm the connection is successful.


AWS Connection

10. Now we are ready to configure the cluster. Go to the Config > Clustering page, enter a passphrase and click [Generate Key] to generate the Shared Key. Select the created AWS connection from the AWS Provision drop-down. In the Virtual Management (VIP) section, key in the VIP address pair, i.e. in the IP Address field key in both the Private IP and the Public IP separated by a comma, with no space character after the comma (in PAM version 3.x, key in a single IP address in each field and put the Public IP in the NAT IP field). Add the Cluster Members so that the 1st PAM node's IP pair is on top. See below.


Cluster Configuration
Click [Save Config Locally].
Copy the Shared Key, access the 2nd PAM node, go to the Config > Clustering page, paste the Shared Key and click [Save Config Locally].
Now go back to the 1st PAM node's Config > Clustering page and click [Save To Cluster]. You should see the message "Successfully saved cluster configuration to all members".

11. The last step is to start the cluster by clicking [Turn Cluster ON]. Once the cluster is up, click [View Cluster Logs] and verify there are no errors. Try to access PAM using the VIP and verify that the VIP works as expected.
 

Additional Information

There is a known issue with cluster VIP assignment failing in AWS. If you encounter this problem, please refer to KB000106229.