Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Applies to: (tick) Kyvos Enterprise  (tick) Kyvos Cloud (SaaS on AWS) (error) Kyvos AWS Marketplace

(error) Kyvos Azure Marketplace (error) Kyvos GCP Marketplace (error) Kyvos Single Node Installation (Kyvos SNI)


Prerequisites

Before you start the automated installation for Kyvos on AWS, ensure you have the following information.

Important

  • Download the AWS Installation Files folder and keep all the requisite files handy during installation and deployment. 

  • The load balancer will be added by default when creating resources in automated deployment.

  • The CloudFormation deployment templates for both primary and disaster recovery now include automated key pair creation for AWS Managed Services and AWS Marketplace. The key pairs are required for several nodes, such as the bastion host, Kyvos Manager (KM), Query Engine (QE), EMR, and Business Intelligence (BI). For more information, see Step 3, as explained below.

Before starting the deployment for AWS, you must have the following.

Note

If you are using the CloudFormation template for IAM roles and VPC, then you should have the administrative privileges to create IAM roles and VPC.

  1. AWS CloudFormation template. Contact  Kyvos support to get your custom template. Alternatively, you can download the default template file from the AWS Installation Files folder or create a template as per your requirements.

  2. The CloudFormation template can be deployed through the logged-in user or a role. The logged-in user must have the required policies given in the aws-console-user-iam-policy.json file in the AWS Installation Files folder.

  3. Both primary and disaster recovery CloudFormation deployment templates now have automated key pairs creation.

    1. Storage Location: The generated key pairs are stored in the designated Amazon S3 buckets.

    2. The key pairs are stored in the following locations:

      • For Primary Deployment: OutputBucketName/user/engine_work/keys/

      • For DR Deployment: CrossRegionDrBucketName/user/engine_work/keys/

    3. Key Names: The naming convention for key pairs has been standardized to improve clarity and usability.
      NOTE: The key pair for the bastion host is named bastionhost.pem, while the key pair for other nodes is named kyvos.pem.

  4. Networking requirements:

    1. Use the Network CloudFormation template to automatically create network resources (VPC, Subnet, and Security Group). 

      1. If you want to deploy your network with NAT Gateway, use the NATGateway Template (vpc_nat.json file) provided in the AWS Installation Files folder . 
        OR

    2. If you want to use existing network resources, perform the following steps in your VPC. 

      1. You must create VPC Endpoints within your VPC to connect with the AWS services. Else, you must have the internet and NAT Gateway in the subnet.

        List of VPC Endpoints for AWS services required by Kyvos:

        AWS Service Name

        Description/Purpose

        VPC Endpoint Name

        CloudWatch logs

        Used to send bootstrap logs of the EC2 machines to CloudWatch Logs.

        com.amazonaws.{AWS-REGION}.logs

        EMR

        Used to connect to EMR from the Kyvos BI Server for creating on-demand EMR and other EMR related activities

        com.amazonaws.{AWS-REGION}.elasticmapreduce

        Glue

        Used to connect to Glue from the Kyvos BI Server and fetch metadata of the tables stored.

        com.amazonaws.{AWS-REGION}.glue

        Cloudformation

        Used by Kyvos Manager at the time of deployment to validate and get details from the AWS stack in Cloudformation.

        com.amazonaws.{AWS-REGION}.cloudformation

        CloudWatch Event

        Used to schedule events on CloudWatch Event for scheduled starting of the Kyvos BI Server.

        com.amazonaws.{AWS-REGION}.events

        S3

        Used to connect to an S3 bucket for reading raw data and writing metadata.

        com.amazonaws.{AWS-REGION}.s3

        RDS

        Used for scheduled start/stop of the Kyvos cluster along with RDS.

        com.amazonaws.{AWS-REGION}.rds

        EC2

        Used by Kyvos Manager to describe EC2 and Kyvos BI Server for scheduled start/stop of Query Engines.

        com.amazonaws.{AWS-REGION}.ec2

        Secrets Manager

        Used by the Kyvos BI Server to get the passwords stored in AWS Secrets Manager.

        com.amazonaws.${AWS-REGION}.secretsmanager

Note

In the table above, change the {AWS-REGION} according to the region in which you are deploying Kyvos.
AWS does not provide a VPC endpoint for the Cost explorer service, so the Kyvos Resource Usage feature will not work without internet access.

Important

If you are using an existing EMR in another VPC, then you must enable peering between the Kyvos VPC and the EMR VPC.

Permission requirements

  1. Verify that the EMR default roles exist in your AWS account. If they do not exist, you must execute the following command: 
    aws emr create-default-roles

    1. You can create IAM roles using the CloudFormation template (automated_deployment_iam_role.json file) provided in the AWS Installation Files folder.
      OR

    2. Create IAM Role for:
      Refer to the section Creating IAM Roles for EC2 and Lambda to create new roles. 

      1. EC2 that will be attached to all Kyvos instances. This role contains all the permissions required by Kyvos Services and Kyvos Manager.
        Details for permissions required for EC2.

      2. Lambda that will be attached to the Kyvos created Lambda functions. This role contains all the permissions required by lambda functions to run.

  2. S3 Bucket permissions

    If you want to use an existing S3 bucket and IAM role, or if you want to read data from an S3 bucket other than where Kyvos is deployed, then the IAM role must have the following permissions on the S3 bucket.

    Here, replace:

    <Bucket Name>  with the name of your bucket name.

    <Lambda Role>  with the name of your Lambda Role.

    <EC2 Role>  with the name of your EC2 Role.

    {​​
    "Version": "2008-10-17",
    "Statement": [
    {​​
    "Sid": "Ec2LambdaRoleBucketPolicy",
    "Effect": "Allow",
    "Principal": {​​
    "AWS": [
    "arn:aws:iam::<AWS Accout ID>:role/EMR_EC2_DefaultRole",
    "arn:aws:iam::<AWS Accout ID>:role/<Lambda Role>",
    "arn:aws:iam::<AWS Accout ID>:role/<EC2 Role>"
    ]
    }​​,
    "Action": [
    "s3:PutAnalyticsConfiguration",
    "s3:GetObjectVersionTagging",
    "s3:ReplicateObject",
    "s3:GetObjectAcl",
    "s3:GetBucketObjectLockConfiguration",
    "s3:DeleteBucketWebsite",
    "s3:PutLifecycleConfiguration",
    "s3:GetObjectVersionAcl",
    "s3:DeleteObject",
    "s3:GetBucketPolicyStatus",
    "s3:GetObjectRetention",
    "s3:GetBucketWebsite",
    "s3:PutReplicationConfiguration",
    "s3:PutObjectLegalHold",
    "s3:GetObjectLegalHold",
    "s3:GetBucketNotification",
    "s3:PutBucketCORS",
    "s3:GetReplicationConfiguration",
    "s3:ListMultipartUploadParts",
    "s3:PutObject",
    "s3:GetObject",
    "s3:PutBucketNotification",
    "s3:PutBucketLogging",
    "s3:GetAnalyticsConfiguration",
    "s3:PutBucketObjectLockConfiguration",
    "s3:GetObjectVersionForReplication",
    "s3:GetLifecycleConfiguration",
    "s3:GetInventoryConfiguration",
    "s3:GetBucketTagging",
    "s3:PutAccelerateConfiguration",
    "s3:DeleteObjectVersion",
    "s3:GetBucketLogging",
    "s3:ListBucketVersions",
    "s3:RestoreObject",
    "s3:ListBucket",
    "s3:GetAccelerateConfiguration",
    "s3:GetBucketPolicy",
    "s3:PutEncryptionConfiguration",
    "s3:GetEncryptionConfiguration",
    "s3:GetObjectVersionTorrent",
    "s3:AbortMultipartUpload",
    "s3:GetBucketRequestPayment",
    "s3:GetObjectTagging",
    "s3:GetMetricsConfiguration",
    "s3:DeleteBucket",
    "s3:PutBucketVersioning",
    "s3:GetBucketPublicAccessBlock",
    "s3:ListBucketMultipartUploads",
    "s3:PutMetricsConfiguration",
    "s3:GetBucketVersioning",
    "s3:GetBucketAcl",
    "s3:PutInventoryConfiguration",
    "s3:GetObjectTorrent",
    "s3:PutBucketWebsite",
    "s3:PutBucketRequestPayment",
    "s3:PutObjectRetention",
    "s3:GetBucketCORS",
    "s3:GetBucketLocation",
    "s3:ReplicateDelete",
    "s3:GetObjectVersion",
    "s3:PutBucketTagging"
    ],
    "Resource": [
                 "arn:aws:s3:::bucket_name/*",
                 "arn:aws:s3:::bucket_name"
                ]
            }
        ]
    }
  3. You must have the Access Key and Secret Key to access the Kyvos bundle. Contact Kyvos Support for details.

  4. Valid Kyvos license file.

Creating CloudFormation template

The Kyvos CloudFormation template can create the following resources:

  • EC2 instances for Kyvos services - BI Server, Query Engines, Kyvos Manager, Kyvos Web Portal, and Postgres.

  • EMR cluster for semantic model processing and processing aggregations.

  • S3 for storing Kyvos semantic models.

  • RDS for use as a Kyvos repository if you don't want to use the default Postgres database provided in the Kyvos package.

  • Lambda to use the scheduling (cluster ON) features.

  • API Gateway to get the Rest URL on the Lambda function.

  • CloudWatch event for scheduling the Kyvos BI Server.

  • Load Balancer to access Kyvos.

  • Secrets Manager for storing passwords, like Kyvos DB password, Active Directory password, and SMTP password (if configured).

  • SecurityGroup for Kyvos Instances and EMR. 

Notes

The Security Group created by the template is allowed with all the requisite ports. To know more about specific inbound rules, see Port requirements.
You must ensure proper connectivity between the Security group being used by EMR and the Kyvos instances.

Important

Kyvos uses Lambda to start the BI Server instances. The CloudFormation template will create three Lambda functions for:

  1. Scheduled start of the BI Server

  2. Forced start of the BI Server

  3. Display cluster status on the Kyvos Web UI.

Next: Deploy Kyvos using CloudFormation Template


  • No labels