Private DDN: Bring Your Own Cloud (BYOC)

Introduction

Private DDN BYOC allows you to deploy the Data Plane component in your own cloud environment. This approach is useful if you have specific requirements or constraints which prevent you from using the dedicated Data Plane on Hasura's cloud.

BYOC is currently supported on AWS, GCP and Azure.

If you would like access to Private DDN BYOC, please contact sales.

Architecture

In the BYOC mode, the Data Plane is running on the customer's cloud account, while the Control Plane is running on Hasura's cloud. The Data Plane is managed by Hasura's Control Plane, ensuing timely updates and maintenance. Uptime and reliability of the Data Plane is a shared responsibility of the customer's infrastrucure team and Hasura's automated systems.

Data Plane stability

While essential for managing and updating the Data Plane, the Control Plane is not on the critical path for serving API requests. Even if the Control Plane becomes unavailable, the Data Plane continues to operate without interruption.

Data Flow and security

All critical data operations occur exclusively within the customer infrastructure. When an API user sends a GraphQL query, it's received by Hasura in the Data Plane. Hasura then directly accesses the necessary data sources within the customer infrastructure to fulfill the request. This direct access ensures that sensitive data never leaves the customer's controlled environment, maintaining data residency and security.

While the Control Plane, situated in the Hasura infrastructure, does communicate with the Data Plane, this communication is strictly limited to configuration and management purposes. Importantly, this communication does not involve customer data or API responses, further enhancing data security.

The distinction between the Control and Data Planes creates well-defined security boundaries. By keeping the Data Plane and all data sources within the customer's security perimeter, the architecture ensures that sensitive information remains under the customer's control at all times.

Interactions with the Control Plane

The Data Plane running on your infrastructure communicates with the Control Plane only in very specific scenarios:

1. Metadata Storage: The Data Plane accesses a metadata storage bucket to retrieve build artifacts; these artifacts are required to process API requests.
2. Build Metadata: The Data Plane accesses the Control Plane APIs to retrieve information about (applied) builds for the purposes of routing.
3. Connector Metadata: The Data Plane gets information about the connectors that needs to be deployed so that controller within the Data Plane can deploy them.
4. OTEL Gateway: (Optional) The Data Plane sends observability data to the Control Plane so you can visualize it on the console; it does not contain any API response data or variables.
5. BYOC Controller: The Control Plane interacts with the Kubernetes cluster to manage the Data Plane workloads.

Onboarding Process

To get started with BYOC, customers are required to have one of the following:

• A dedicated project on Google Cloud
• A dedicated AWS Account
• A dedicated Resource Group on Microsoft Azure

Azure

1. Account details

Get the following details from your Azure Portal and pass them along to the Hasura team.

• (Required) Subscription ID
• (Required) Tenant ID
• (Required) Resource Group Name
  1. Create a resource group if you do not already have one
• (Required) Region to deploy
• (Required) Availability zones to deploy
• (Optional) Preferred VPC CIDR (/16)
  1. f you have a specific CIDR in mind for the VPC setup, please pass it along.

2. Create App Entities for BYOC

For infra provisioning:

• Replace $(customer_tenant_id) with your Azure Tenant ID in the URL below:
  https://login.microsoftonline.com/$(customer_tenant_id)/oauth2/authorize?client_id=4f7f1f59-f0b0-4adb-8603-2afacc50552b&response_type=code
• Then open the URL in your browser to create the app entity named PrivateDdnInfra in your Azure account.
  1. If you encounter a redirect error ("No reply address is registered for the application") after clicking on Approve, ignore this. The actual app will still be created behind the scenes successfully.

For workload provisioning:

• Replace $(customer_tenant_id) with your Azure Tenant ID in the URL below:
  https://login.microsoftonline.com/$(customer_tenant_id)/oauth2/authorize?client_id=ce413986-b5c3-4e49-b45e-093f07776c14&response_type=code
• Then open the URL in your browser to create the app entity named ArgoCDDeployer in your Azure account.
  1. If you encounter a redirect error ("No reply address is registered for the application) after clicking on Approve, ignore this. The actual app will still be created behind the scenes successfully.

3. Grant Required Roles

Assign the following roles at the resource group level:

• For PrivateDdnInfra:
  • Contributor
  • Role Based Access Control (RBAC) Administrator
    1. Allow user to assign all roles except the roles you select
    2. Configure the constrained roles by adding Owner to exclude roles
• For ArgoCDDeployer:
  • Azure Kubernetes Service RBAC Cluster Admin

4. Additional requirements

• Register the EnableAPIServerVnetIntegrationPreview feature flag using the az feature register command:
  1. az feature register --namespace "Microsoft.ContainerService" --name "EnableAPIServerVnetIntegrationPreview"

Hasura provisioning requires that various node pools be created in order to support DDN workloads. Hasura will be provisioning 2 vCPU/8GB RAM instance types for this purpose (Using x64 VM Architecture). We therefore require that CPU related quotas are set accordingly by the customer on a desired instance family type in order to allow Hasura the ability to provision nodes without any issues. A base configuration of worker nodes will consume 20 vCPU. We however recommend setting an appropriate threshold in order to accommodate workers scaling up and down.

AWS

1. Account Details

• AWS Account ID
• Preferred VPC CIDR (optional, if you have a specific CIDR for the VPC setup).

2. Create Role

• Create an IAM role for Hasura with the following permissions:
  • EC2 Full Access
  • S3 Full Access
  • IAM Full Access

Share the IAM role with Hasura team.

3. Networking

• Ensure the VPC has appropriate routing and security group configurations to allow Data Plane traffic.
• Provide CIDR ranges for ingress/egress rules to be applied during deployment.

GCP

1. Create a New GCP Project

• Log in to your Google Cloud Console.
• Create a new project specifically for the Data Plane deployment.

2. Grant Access

• Give the following service account Owner access to the project: [email protected]

• Pass along the following information to Hasura team:

  • Project ID
  • Preferred VPC CIDR (optional, if you have a specific CIDR in mind for the VPC setup).

Upgrade Process

Regular software upgrades are rolled out to the Data Plane automatically. This incudes

• Hasura Engine version upgrades
• Other components on the Data Plane
• Kubernetes and other dependencies

Upgrades are typically seamless, utilizing rolling restarts. However, some upgrades (e.g., Kubernetes node upgrades) may require customer-specified maintenance windows to minimize disruption.

FAQ

What cloud providers are supported for BYOC deployment?

AWS, GCP and Azure are supported.

Which regions are supported for BYOC deployment?

Any region on AWS, GCP, Azure are supported, provided there is enough quota available for the workloads.

Get started

To get started with Hasura DDN in your own cloud, contact sales.