
Improve Latency of NGINX in AWS using Intel’s QAT Engine for OpenSSL - Part 2 of a 5 Part Series


This is Part 2 of a 5 Part Series

Welcome to the 2nd installment of our series. In this post, we will show you how to:

  • Set up the AWS infrastructure
  • Install the prerequisite libraries needed for software acceleration support

If you missed out on Part 1, you can get caught up now. Let's get started.

Setting up the AWS Infrastructure

The instructions below assume you are familiar with setting up and configuring EC2 instances and hosted zones in Route 53 within AWS. If you need help, refer to the AWS documentation below. These resources provide guidance on creating AWS infrastructure from the console. In our example, we used the AWS Console to set up the infrastructure.

Create an EC2 instance on AWS Console

Create and associate Security Group for EC2 instance

Create key pairs for EC2 instance

Create a public hosted zone on Route 53

The networking setup needed for the EC2 security groups of the Test_Client, Machine-1 and Machine-2 is provided in the diagram below. As indicated in the architecture diagram above, the EC2 instances need to be created within a public subnet inside the VPC within the AWS environment.



Follow the steps below to set up your AWS infrastructure.

  1. Set up an EC2 key pair in the region where you will create your EC2 instances. All the EC2 instances should be in the same AWS region and in the VPC in that region. Make sure to place the EC2 instances in a public subnet so that they have a public IP.
  2. The security group on all three EC2 instances should allow SSH from the machine that you will use to connect.
  3. Machine-1 and Machine-2 should allow HTTP (port 80) and HTTPS (port 443) traffic from the Test Client EC2 instance.
  4. Set up the Test Client EC2 instance according to the specifications provided in the architecture.
  5. Set up the Machine-1 EC2 instance according to the specifications provided in the architecture.
  6. Set up the Machine-2 EC2 instance according to the specifications provided in the architecture.
  7. Set up a hosted zone on Route 53 and name it after your domain. In our example the domain is (Please note that our domain may have expired when you are viewing this blog.) Just remember that the Route 53 hosted zone should match your domain name.
  8. Set up an A record inside this hosted zone. Configure the A record to point to the public IP address of Machine-1. Save the changes.
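The ingress rules from steps 2 and 3 written as AWS CLI calls, as an added example that is not part of the original post. The planner only prints the commands for review; the security group IDs, the addresses and the choice to identify the Test Client by a /32 address are assumptions of this example.

```bash
#!/usr/bin/env bash
# Dry-run planner for the security group rules in steps 2-3.
# It prints `aws ec2 authorize-security-group-ingress` calls and runs nothing.
# Group IDs and CIDRs are supplied by the caller (placeholders in the usage line).

# A source is acceptable only if it is a CIDR and not the whole Internet.
source_ok() {
    case "$1" in
        0.0.0.0/0|::/0)    return 1 ;;   # world-open: never for SSH or test traffic
        *[!0-9a-fA-F.:/]*) return 1 ;;   # characters that cannot be part of a CIDR
        ?*/?*)             return 0 ;;   # address/prefix form
        *)                 return 1 ;;   # empty, or no prefix length given
    esac
}

# sg_plan ADMIN_CIDR CLIENT_CIDR CLIENT_SG SERVER_SG [SERVER_SG...]
sg_plan() {
    if [ "$#" -lt 4 ]; then
        echo "usage: sg_plan ADMIN_CIDR CLIENT_CIDR CLIENT_SG SERVER_SG..." >&2
        return 2
    fi
    local admin="$1" client="$2" client_sg="$3" sg port
    shift 3
    source_ok "$admin"  || { echo "refusing SSH source: $admin" >&2; return 1; }
    source_ok "$client" || { echo "refusing client source: $client" >&2; return 1; }
    local base="aws ec2 authorize-security-group-ingress --protocol tcp"
    # Step 2: SSH on all three instances, only from the admin machine.
    for sg in "$client_sg" "$@"; do
        echo "$base --group-id $sg --port 22 --cidr $admin"
    done
    # Step 3: HTTP/HTTPS on Machine-1 and Machine-2, only from the Test Client.
    for sg in "$@"; do
        for port in 80 443; do
            echo "$base --group-id $sg --port $port --cidr $client"
        done
    done
}

# Stand-alone use: ./sg_plan.sh ADMIN_CIDR CLIENT_CIDR CLIENT_SG SERVER_SG...
if [ "$#" -ge 4 ]; then sg_plan "$@"; fi
```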

Screenshot of creating a hosted zone record within Amazon Route 53 service:



Screenshot of creating an A record within the Amazon Route 53 hosted zone. The Value should be the public IP address of the NGINX web server.



Build Pre-requisite Software Libraries for Software Acceleration Support

Here we will install the pre-requisite software libraries and verify that our system supports AVX-512 and necessary instruction set extensions.

Build Steps

Follow the steps below in sequence.

Step 01

SSH into the Intel Optimized NGINX server, which we call Machine-2 in our example. You can use any SSH client of your choice or just use your terminal.

Step 02

Update the OS packages and system libraries.

sudo apt-get update
sudo apt-get upgrade -y


Step 03

To build the Intel QAT Engine for OpenSSL you'll need to ensure that your distribution's default version of OpenSSL is 1.1.1e or later, as the engine is not compatible with earlier releases. You can check your distribution's OpenSSL version by running:

openssl version


Step 04

You'll also need some prerequisite software packages to build both the engine and its dependencies. On Ubuntu 20.04 LTS, install the following packages from apt:

sudo apt install autoconf build-essential libtool cmake cpuid libssl-dev pkg-config


The libssl-dev package provides the header files for OpenSSL and ensures that the OpenSSL libraries are present.

You’ll also need to install version 2.15 or later of nasm, which is not provided by default for the Ubuntu 20.04 distribution. You must fetch and install this package manually:


sudo dpkg -i nasm_2.15.05-1_amd64.deb


Step 05

Now set up runtime requirements.

To make use of the software acceleration features in the Intel QAT Engine for OpenSSL, you'll need a system that supports Intel AVX-512 with the following instruction set extensions:

The latter two extensions were introduced with certain 10th Generation Intel® Core™ processors and 3rd Generation Intel® Xeon® Scalable processors. A quick way to verify that your system supports the necessary features is to run the cpuid command. Run the following and check that the output matches.

cpuid -1 | grep -E 'VAES|VPCLM|GFNI|AVX512F|AVX512IFMA'
# Results look like below
# AVX512F: AVX-512 foundation instructions = true
# AVX512IFMA: fused multiply add = true
# VAES instructions = true
# VPCLMULQDQ instruction = true


All features must be present. These output fields are only present in cpuid version 20200211 or later. This is the default version provided in Ubuntu 20.04.
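A preflight script covering the checks in Steps 03 to 05, as an added example that is not part of the original post. The required-feature list is taken from the sample cpuid output above and is assumed to be complete; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Preflight for the build host: OpenSSL >= 1.1.1e, nasm >= 2.15, CPU features.
# Assumption: the required features are the four shown in the sample output.
REQUIRED_FEATURES="AVX512F AVX512IFMA VAES VPCLMULQDQ"

# version_ge A B: true when A >= B under version ordering (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Extract the version token from `openssl version` / `nasm -v` output on stdin.
openssl_ver() { awk '{print $2; exit}'; }
nasm_ver()    { awk '{print $3; exit}'; }

# Read `cpuid -1` output on stdin; print required features not reported "= true".
missing_features() {
    local out feat missing=""
    out=$(cat)
    for feat in $REQUIRED_FEATURES; do
        # Anchor on the field name so AVX512F does not match AVX512IFMA.
        printf '%s\n' "$out" | grep -Eq "^[[:space:]]*${feat}[: ].*= true" \
            || missing="$missing $feat"
    done
    printf '%s' "${missing# }"
}

# Run all checks against the local system; non-zero exit on any failure.
preflight() {
    local rc=0 ov nv miss
    ov=$(openssl version 2>/dev/null | openssl_ver)
    version_ge "${ov:-0}" 1.1.1e || { echo "FAIL: openssl ${ov:-not found}, need >= 1.1.1e"; rc=1; }
    nv=$(nasm -v 2>/dev/null | nasm_ver)
    version_ge "${nv:-0}" 2.15 || { echo "FAIL: nasm ${nv:-not found}, need >= 2.15"; rc=1; }
    miss=$(cpuid -1 2>/dev/null | missing_features)
    [ -z "$miss" ] || { echo "FAIL: CPU features missing or unreported: $miss"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: host meets the build prerequisites"
    return "$rc"
}

# Stand-alone use on Machine-2: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```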

Now that we have set up the AWS infrastructure and installed the prerequisite software libraries, we are ready to move to Part 3: Building the Intel QAT Engine for OpenSSL for software acceleration only <crypto-ni> and testing the QAT Engine for software acceleration only <crypto-ni>.