AWS Cloud Resources
Overview
Before installing the Privacera Manager software, the following AWS Cloud resources need to be created:
Prerequisite | Description | Self-managed | PrivaceraCloud Data plane | PrivaceraCloud Data plane + Privacera Discovery
---|---|---|---|---
AWS EC2 instance | EC2 instance to run the Privacera Manager software. See the Appendix below for details. | Required | Required | Required
AWS EKS cluster | EKS cluster to run the Privacera software. See the Appendix below for details. | Required | Required | Required
AWS RDS AuroraDB | RDS AuroraDB instance for the Privacera database. See the Appendix below for details. | Required | Not Required | Required
AWS ACM certificate | ACM certificate for the domain name used for the Privacera service endpoints. See the Appendix below for details. | Required | Required | Required
Appendix
AWS EC2 instance for running Privacera Manager
EC2 instance
Privacera Manager runs on an EC2 instance that has access to the Kubernetes cluster and has an IAM role that allows it to create and manage cloud resources.
Tip
The Privacera Manager installation on this EC2 instance will contain self-signed certificates and Terraform state, both of which are needed for subsequent upgrades. Therefore, it is recommended that this EC2 instance is not deleted and is protected from termination. It is also strongly recommended to back up the contents of the Privacera Manager folder on a regular basis.
You don't need to run this instance 24x7. You can stop the instance when it is not in use.
EC2 configuration
An AWS EC2 instance needs to be provisioned to run the Privacera Manager software. At a minimum, the instance should have the following specifications:
- AWS Linux 2 AMI
- Minimum 1 vCPU
- Minimum 4 GB RAM
- Minimum 50 GB disk space
- SELinux should be disabled
Permissions to access the EKS cluster for running kubectl commands
In addition to the following IAM policy, you will need to take additional steps to authorize your EC2 instance to access the EKS cluster.
Permissions to write to the S3 bucket (optional)
You will need an S3 bucket policy if you are going to configure the Privacera Discovery module.
Replace the following placeholders:
- BUCKET_NAME: The name of the S3 bucket where the Privacera Manager will write the data.
- PATH: The path in the S3 bucket where the Privacera Manager will write the data.
Permissions to update the Route53 DNS entries (optional)
Privacera Manager can optionally add the DNS records using Route53 for the Privacera service endpoints. Update the hosted-zone-id in the policy below. You can find the hosted zone ID in the Route53 console.
Replace the following placeholders:
- HOSTED_ZONE_ID: The hosted zone ID of your domain present in Route53.
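As an added example (not Privacera's own policy documents), the following Python builds least-privilege versions of the two optional policies above, the S3 write policy and the Route53 update policy, from the BUCKET_NAME, PATH and HOSTED_ZONE_ID placeholders, and flags any statement that falls back to a bare wildcard. The specific actions granted are an assumption about a minimal set; compare them against the policy in the product documentation before attaching them to the instance role.

```python
# Added example: least-privilege IAM policies for the optional S3 and Route53
# permissions. The action lists below are assumed, not taken from Privacera.

def s3_write_policy(bucket_name, path):
    # Scope both listing and object access to BUCKET_NAME/PATH only.
    prefix = path.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # list the bucket, but only keys under the prefix
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket_name}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {   # read and write objects only under the prefix
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket_name}/{prefix}/*",
            },
        ],
    }

def route53_update_policy(hosted_zone_id):
    # Accept either a bare zone ID or the "/hostedzone/ID" form shown in the console.
    zone = hosted_zone_id.split("/")[-1]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
             "Resource": f"arn:aws:route53:::hostedzone/{zone}"},
            {"Effect": "Allow", "Action": ["route53:GetChange"],
             "Resource": "arn:aws:route53:::change/*"},   # change IDs are not known in advance
        ],
    }

def unscoped_statements(policy):
    # Return the Sid (or index) of every statement granting "*" / "service:*" actions
    # or a bare "*" resource, which defeats the scoping above.
    bad = []
    for i, st in enumerate(policy["Statement"]):
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" in acts or "*" in res or any(a.endswith(":*") for a in acts):
            bad.append(st.get("Sid", i))
    return bad
```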
Permissions to run eksctl to create IAM role for Service Account (optional)
You can use the IAM role from this link.
The following software should be installed on the EC2 instance:
- docker
- kubectl: follow the instructions on this link.
- helm: follow the instructions on this link.
AWS EKS cluster for running Privacera Software
AWS EKS
AWS EKS cluster with the following specifications:
- Kubernetes version - For supported version check Privacera release notes
- Node type - r5.2xlarge or similar
- Auto-scaling node group - min 3 to max 10 nodes
- EFS is recommended for a multi-availability-zone setup; follow these instructions
- AWS load balancer for the EKS cluster; follow these instructions
AWS RDS AuroraDB
AWS RDS AuroraDB
AWS RDS AuroraDB instance with the following specifications:
- RDS AuroraDB (MySQL 5.7) 2.11.2 (MySQL 8 is also fine)
- Minimum db.r6g.2xlarge (8 vCPU, 64 GB RAM)
- Only password authentication is supported
- Set the default charset to latin1 and the collation to latin1_swedish_ci
- Create privacera_db as the database using the following commands:
IAM Authentication for AWS RDS
To use IAM roles to connect to AWS RDS, refer to IAM Authentication for AWS RDS.
AWS ACM certificate
AWS ACM certificate ARN
AWS ACM certificate ARN for the key and certificate that you will use for the Privacera service endpoints.
- The certificate requirements are given in TLS Certificate.
- The process of importing the certificate is given in Importing AWS Certificate Manager.