AWS Setup

19 Sep 2024
This document describes the process and components for setting up a self-hosted environment of Unleash in AWS. It also outlines the requirements and actions needed by the customer to prepare for the deployment.

Overview

Unleash self-hosted deployment is for customers who want to host the entire Unleash platform within their own AWS cloud infrastructure. With this setup, all customer data, cloud services, and encryption/application keys stay within the customer's infrastructure. No customer data leaves the self-hosted cloud tenant's secured network boundary. Unleash personnel can only access the environment for maintenance and upgrades. Please find the architecture diagram below.

Step 1 - Creating the AWS Account

The customer should provide Unleash with full access to a dedicated AWS account created solely for hosting Unleash platform services and data. The customer should also provide Unleash with admin login credentials. Unleash will be deployed in a single AWS region, within multiple availability zones. The customer should determine which region they would like Unleash to be deployed in.

Step 2 - Setting Up Secured Network

We will implement a VPC network following best practices:

  • Create 3 public and 3 private subnets, each in a different availability zone.

  • Ensure high availability with NAT gateways and internet gateways for outbound access.

  • Set up a secure OpenVPN server to access the environment.

Step 3 - Setting Up AWS Services

We will deploy the following AWS services within the account:

  • S3 - The following private buckets will be deployed:

    • search_logs - Stores search log BLOBs for troubleshooting

    • text_extraction - Stores textual data from indexed documents

    • synonyms - Maintains the list of synonym terms to fine-tune search

    • blobs - Contains raw binaries uploaded into Unleash (e.g., files in wikis)

  • Route53 - Creates a subdomain for Unleash

  • Secrets Manager - Stores all the secured configurations consumed by services

  • KMS - Encrypts the Pulumi state

Step 4 - Setting Up Kubernetes Cluster

We will deploy a private Kubernetes EKS Cluster within the private subnets, with multiple node groups tailored to the environment's size and scale. We'll use Pulumi to provision these cloud resources.

Once the cluster is created, the next step is to set up essential infrastructure components on Kubernetes:

  • NGINX Ingress Controller, fronted by a Network Load Balancer (NLB)

  • External DNS

  • Cert Manager

  • External Secrets

  • Kubernetes Cluster Autoscaler

  • Kubernetes operators for managing the stateful application deployments

Following this, we will provision stateful applications critical for our system:

  • MongoDB

  • Elasticsearch

  • RabbitMQ

Step 5 - Deploying The Application

With the infrastructure in place, we'll deploy our services using the GitOps pattern with ArgoCD. ArgoCD, set up within the cluster, will connect to a Git repository containing our environment definitions. ArgoCD will synchronize the cluster with that repository to deploy the services, pulling images from our hosted ECR Docker registry.

Step 6 - Deploying the Connectors

We will deploy connectors for different SaaS applications (e.g., Slack, GSuite, Salesforce) based on customer requirements. Setting up a connector requires the customer to create a designated OAuth application on the third-party vendor site. Once created, the customer should provide us with the Client ID and Client Secret of that app, which will be securely stored in AWS Secrets Manager. We will provide detailed guidance to the customer on how to create an OAuth application for each SaaS application.

Step 7 - Finalizing

The final step involves conducting a post-deployment review to ensure the best user experience for the customer. We'll thoroughly validate that the environment is functioning as expected, without any issues or misconfigurations. Additionally, we'll set up comprehensive monitoring and logging, directing logs to an Elasticsearch cluster hosted within the environment. This setup allows for easy monitoring and troubleshooting as needed.
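One concrete check for the post-deployment review, as an added example that is not Unleash's own tooling: it verifies that each of the four private S3 buckets from Step 3 exists, has every S3 Block Public Access flag enabled, and defaults to SSE-KMS rather than SSE-S3 or no encryption. The bucket-name prefix, the KMS key ARN and the sample API responses are constructed; the `fetch_bucket` helper shows how the same checks run against a real account with a boto3 client.

```python
# Added example, not Unleash's own tooling: check that the Step 3 buckets block public access
# and default to SSE-KMS. Keys are the page's logical names (real bucket names cannot contain
# underscores, so map them when calling fetch_bucket); the key ARN is a placeholder.
EXPECTED_BUCKETS = ("search_logs", "text_extraction", "synonyms", "blobs")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def evaluate_bucket(name, public_access_block, encryption_rules):
    """Findings for one bucket (empty list = compliant); inputs are shaped like the
    PublicAccessBlockConfiguration dict and ServerSideEncryptionConfiguration Rules
    list that boto3's get_public_access_block / get_bucket_encryption return."""
    findings = [f"{name}: {flag} is not enabled"
                for flag in PAB_FLAGS if not public_access_block.get(flag, False)]
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in encryption_rules]
    if "aws:kms" not in algos:  # SSE-S3 (AES256) or no default encryption both fail
        findings.append(f"{name}: default encryption is not SSE-KMS (got {algos or 'none'})")
    return findings

def audit(buckets):
    """buckets: {name: (public_access_block, encryption_rules)}; returns every finding."""
    findings = [f"{b}: bucket missing" for b in EXPECTED_BUCKETS if b not in buckets]
    for name, (pab, rules) in buckets.items():
        findings.extend(evaluate_bucket(name, pab, rules))
    return findings

def fetch_bucket(s3, name):
    """Read both settings from a real bucket via a boto3 S3 client (live path, optional)."""
    from botocore.exceptions import ClientError  # lazy import so the sample runs offline
    try:
        pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except ClientError:  # no block configuration at all means nothing is blocked
        pab = {}
    try:
        rules = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]["Rules"]
    except ClientError:  # no default-encryption configuration
        rules = []
    return pab, rules

ALL_BLOCKED = dict.fromkeys(PAB_FLAGS, True)
KMS_RULE = [{"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"}}]
# Constructed responses shaped like boto3 output; "blobs" is left out on purpose.
SAMPLE = {
    "search_logs": (ALL_BLOCKED, KMS_RULE),
    "text_extraction": (ALL_BLOCKED, [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]),
    "synonyms": ({**ALL_BLOCKED, "BlockPublicPolicy": False}, KMS_RULE),
}
if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["all buckets compliant"]:
        print(finding)
```

Running the sample reports the missing `blobs` bucket, the SSE-S3-only `text_extraction` bucket and the one disabled public-access flag on `synonyms`; `search_logs` passes.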

Requirements

  • An AWS account with admin credentials:

    • Ensure there are no significant quotas that will prevent setting up a production environment.

  • Determine the AWS region where the deployment should take place.

  • Provide an SSH key pair for accessing the instances (if preferred, we can create one ourselves).

  • Determine the DNS name for Unleash (e.g., ai.acme.com, unleash.acme.com) and add it to the root domain.

  • Determine the SaaS connectors to be deployed (e.g., Slack, GSuite, Salesforce).

  • Provide the API Key and endpoints for Azure OpenAI or an OpenAI key.

    • No significant quotas that will prevent us from setting up a production environment

Security

  • The app is deployed in a secure private network, ensuring that your organization's data never leaves this environment.

  • All customer data is saved on encrypted disks using an AWS KMS key managed by Unleash.

  • Secrets will be stored in the AWS Secrets Manager service.

  • Unleash is responsible for patching and upgrading the application components regularly, including urgent security patches.

  • In addition to Unleash's security procedures, the Customer will have access to the AWS account and will be able to implement any security tools necessary to regulate the environment.

  • All SaaS integrations are based on the OAuth flow, so Unleash never stores user names and passwords.
