Bring Your Own Cloud (BYOC): Create a Data Plane
Introductionβ
Private DDN BYOC allows you to deploy the Data Plane component in your own cloud environment. This approach is useful if you have specific requirements or constraints which prevent you from using the dedicated Data Plane on Hasura's cloud.
BYOC is currently supported on AWS, GCP and Azure.
If you would like access to Private DDN BYOC, please contact sales.
π Onboarding Processβ
To get started with BYOC, customers are required to have one of the following:
- A dedicated AWS Account
- A dedicated project on Google Cloud
- A dedicated Resource Group on Microsoft Azure
Instructionsβ
AWSβ
The setup involves creating an IAM role in your AWS account that establishes a trust relationship with Hasura's AWS automation role (PulumiDDNCli). This role will be used to deploy and manage workloads necessary for Hasura DDN.
Pre-requisitesβ
- Dedicated AWS Account with administrative access
- AWS CLI installed and configured
AWS_REGIONenvironment variable set to your desired region (e.g.,export AWS_REGION=us-east-1)- Ensure the AWS region where you plan to deploy is enabled in your account
aws account get-regions --region-opt-status-contains ENABLED --query 'Regions[*].RegionName'
Setup Instructionsβ
- Copy the following template and save it as
cloudformation.yaml
cloudformation.yaml
Resources:
BootstrapRole:
Type: AWS::IAM::Role
Properties:
RoleName: HasuraCloudBYOC
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::760537944023:role/PulumiDDNCli
Action: sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: hasura-cloud
BootstrapPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: HasuraCloudBYOC
Roles:
- !Ref BootstrapRole
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- ec2:DescribeAddresses
- ec2:DescribeAddressesAttribute
- ec2:DescribeAvailabilityZones
- ec2:DescribeInternetGateways
- ec2:DescribeNatGateways
- ec2:DescribeNetworkInterfaces
- ec2:DescribeRegions
- ec2:DescribeRouteTables
- ec2:DescribeSecurityGroupRules
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
- ec2:DescribeTags
- ec2:DescribeVpcAttribute
- ec2:DescribeVpcs
- eks:DeleteAddon
- eks:DescribeAddon
- eks:DescribeCluster
- eks:DescribeNodegroup
- eks:ListClusters
- iam:GetRole
- iam:GetServiceLinkedRoleDeletionStatus
- sqs:GetQueueAttributes
Resource: '*'
- Effect: Allow
Action:
- ec2:AllocateAddress
- ec2:AssociateAddress
- ec2:AssociateRouteTable
- ec2:CreateInternetGateway
- ec2:CreateNatGateway
- ec2:CreateRoute
- ec2:CreateRouteTable
- ec2:CreateSubnet
- ec2:CreateTags
- ec2:CreateVpc
- eks:CreateCluster
- eks:CreateNodegroup
- globalaccelerator:CreateAccelerator
- globalaccelerator:CreateEndpointGroup
- globalaccelerator:CreateListener
- globalaccelerator:TagResource
- sqs:CreateQueue
- sqs:TagQueue
- acm:RequestCertificate
- events:PutRule
- events:TagResource
- iam:CreateOpenIDConnectProvider
- iam:TagOpenIDConnectProvider
Resource: '*'
Condition:
StringEquals:
aws:RequestTag/Created-By: HasuraCloud
- Effect: Allow
Action:
- ec2:CreateTags
Resource:
- !Sub arn:aws:ec2:*:${AWS::AccountId}:security-group/*
Condition:
StringEquals:
aws:RequestTag/karpenter.sh/discovery: dataplane
- Effect: Allow
Action:
- ec2:DeleteTags
Resource:
- !Sub arn:aws:ec2:*:${AWS::AccountId}:security-group/*
Condition:
StringEquals:
aws:ResourceTag/karpenter.sh/discovery: dataplane
- Effect: Allow
Action:
- eks:AssociateAccessPolicy
- eks:DisassociateAccessPolicy
Resource:
- !Sub arn:aws:eks:*:${AWS::AccountId}:access-entry/dataplane/*
- Effect: Allow
Action:
- iam:AttachRolePolicy
- iam:CreateInstanceProfile
- iam:CreatePolicy
- iam:CreateRole
- iam:DeleteInstanceProfile
- iam:DeleteOpenIDConnectProvider
- iam:DeletePolicy
- iam:DeleteRole
- iam:DeleteServiceLinkedRole
- iam:DetachRolePolicy
- iam:GetInstanceProfile
- iam:GetOpenIDConnectProvider
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:GetRolePolicy
- iam:ListAttachedRolePolicies
- iam:ListInstanceProfilesForRole
- iam:ListOpenIDConnectProviderTags
- iam:ListPolicyVersions
- iam:ListRolePolicies
- iam:PassRole
- iam:PutRolePolicy
- iam:RemoveRoleFromInstanceProfile
- iam:TagInstanceProfile
- iam:TagOpenIDConnectProvider
- iam:TagPolicy
- iam:TagRole
Resource:
# Roles
- !Sub arn:aws:iam::${AWS::AccountId}:role/KarpenterNodeRole
- !Sub arn:aws:iam::${AWS::AccountId}:role/eksClusterRole-*
- !Sub arn:aws:iam::${AWS::AccountId}:role/lb-controller-*
- !Sub arn:aws:iam::${AWS::AccountId}:role/autoscaler-controller-*
- !Sub arn:aws:iam::${AWS::AccountId}:role/global-accelerator-operator-*
- !Sub arn:aws:iam::${AWS::AccountId}:role/karpenter-controller-*
- !Sub arn:aws:iam::${AWS::AccountId}:role/HasuraWorkloadAutomationRole-*
- !Sub arn:aws:iam::${AWS::AccountId}:role/vpc-cni-*
- !Sub arn:aws:iam::${AWS::AccountId}:role/ebsCsiDriverRole-*
# Instance Profiles
- !Sub arn:aws:iam::${AWS::AccountId}:instance-profile/dataplane_*
# Policies
- !Sub arn:aws:iam::${AWS::AccountId}:policy/lb-controller-*
- !Sub arn:aws:iam::${AWS::AccountId}:policy/autoscaler-controller-*
- !Sub arn:aws:iam::${AWS::AccountId}:policy/global-accelerator-operator-*
- !Sub arn:aws:iam::${AWS::AccountId}:policy/karpenter-controller-*
# OIDC Providers
- !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/oidc.eks.*
# Service Roles
- !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
- Effect: Allow
Action:
- iam:CreateServiceLinkedRole
Resource: '*'
Condition:
StringEquals:
iam:AWSServiceName:
- spot.amazonaws.com
- globalaccelerator.amazonaws.com
- eks.amazonaws.com
- eks-nodegroup.amazonaws.com
- Effect: Allow
Action:
- eks:*
- globalaccelerator:*
- sqs:*
- acm:*
- events:*
Resource: '*'
Condition:
StringEquals:
aws:ResourceTag/Created-By: HasuraCloud
- Effect: Allow
Action:
- ec2:*
Resource: '*'
Condition:
StringEquals:
ec2:ResourceTag/Created-By: HasuraCloud
Outputs:
RoleArn:
Description: "ARN of the HasuraCloudBYOC IAM Role"
Value: !GetAtt BootstrapRole.Arn
-
Deploy the CloudFormation stack:
First, check if the stack already exists:
aws cloudformation describe-stacks --stack-name hasura-cloud-byocThen, based on the result:
-
If you see an error "Stack with id hasura-cloud-byoc does not exist":
# Create new stack
aws cloudformation create-stack \
--stack-name hasura-cloud-byoc \
--template-body file://cloudformation.yaml \
--capabilities CAPABILITY_NAMED_IAM
# Wait for creation to complete
aws cloudformation wait stack-create-complete \
--stack-name hasura-cloud-byoc -
If the stack exists:
# Update existing stack
aws cloudformation update-stack \
--stack-name hasura-cloud-byoc \
--template-body file://cloudformation.yaml \
--capabilities CAPABILITY_NAMED_IAM
# Wait for update to complete
aws cloudformation wait stack-update-complete \
--stack-name hasura-cloud-byoc
-
-
Monitor stack status:
aws cloudformation describe-stacks \
--stack-name hasura-cloud-byoc \
--query 'Stacks[0].StackStatus' -
Once complete, retrieve the Role ARN:
aws cloudformation describe-stacks \
--stack-name hasura-cloud-byoc \
--query 'Stacks[0].Outputs[?OutputKey==`RoleArn`].OutputValue' \
--output text
Required Informationβ
Share the following with the Hasura team:
- (Required) Role ARN (From output above)
- (Required) AWS Region
- (Optional) Preferred Availability Zones
- Use AZ IDs (e.g., use1-az1, use1-az2) instead of AZ names (us-east-1a, us-east-1b)
- You can get the AZ IDs by running:
aws ec2 describe-availability-zones \
--region <region> \
--output table \
--query "AvailabilityZones[?State=='available'] | [].{ZoneName: ZoneName, ZoneId: ZoneId}" - If you have specific zones which you'd like to use, please pass it along. Otherwise, Hasura will assign accordingly.
- (Optional) VPC CIDR (/16 CIDR)
- If you have a specific CIDR in mind for the VPC setup, please pass it along. If not specified, Hasura will assign 10.0.0.0/16.
- Note: If you are planning to use VPC Peering, this CIDR should not conflict with any networks on your side.
- (Optional) Kubernetes Service CIDR (/16-20 CIDR)
- A /16-/20 CIDR block used for Kubernetes service cluster IP addresses in your Data Plane. If not specified, Hasura will assign 172.20.0.0/16.
- Note: If you are planning to use VPC Peering, this CIDR should not conflict with any networks on your side.
GCPβ
The setup involves enabling APIs & creating IAM policy bindings; The IAM policy bindings establish a trust relationship with Hasuraβs GCP service account which will be used to deploy and manage workloads necessary for Hasura DDN.
Pre-requisitesβ
- Dedicated GCP Project
Setup instructionsβ
- Enable APIs within GCP project:
gcloud services enable \
compute.googleapis.com \
dns.googleapis.com \
gkehub.googleapis.com \
multiclusterservicediscovery.googleapis.com \
trafficdirector.googleapis.com \
multiclusteringress.googleapis.com \
container.googleapis.com \
certificatemanager.googleapis.com --project ${GCP_PROJECT_ID}
- Create following IAM Policy bindings for Hasura's
ddn-automationservice account:
IAM Policy bindings
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/compute.networkAdmin
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/dns.admin
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/gkehub.editor
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/logging.configWriter
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/container.clusterAdmin
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/monitoring.metricsScopesAdmin
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/certificatemanager.editor
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member='serviceAccount:[email protected]' \
--role='roles/resourcemanager.projectIamAdmin' \
--condition='^:^title=Restrict IAM Granting for ddn-automation:description=Restrict ddn-automation to granting specific roles to specific members:expression=api.getAttribute("iam.googleapis.com/modifiedGrantsByRole", []).hasOnly(["roles/container.defaultNodeServiceAccount"]) || api.getAttribute("iam.googleapis.com/modifiedGrantsByRole", []).hasOnly(["roles/container.admin"]) || api.getAttribute("iam.googleapis.com/modifiedGrantsByRole", []).hasOnly(["roles/compute.networkViewer"])'
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/container.admin
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/iam.serviceAccountAdmin
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member "serviceAccount:[email protected]" \
--role roles/iam.workloadIdentityPoolAdmin
Provide Required Informationβ
Share the following with the Hasura team:
- (Required) Project ID
- (Required) GCP Region
- (Optional) Preferred Availability Zones
- If you have specific zones which you'd like to use, please pass it along. Otherwise, Hasura will assign accordingly.
- (Optional) VPC CIDR (/16 CIDR)
- If you have a specific CIDR in mind for the VPC setup, please pass it along. If not specified, Hasura will assign 10.0.0.0/16.
- Note: If you are planning to use VPC Peering, this CIDR should not conflict with any networks on your side.
Azureβ
Pre-requisitesβ
A dedicated resource group. If you do not have one, create it.
Create App Entities for BYOCβ
For infra provisioning:β
- Replace
$(customer_tenant_id)with your Azure Tenant ID in the URL below:https://login.microsoftonline.com/$(customer_tenant_id)/oauth2/authorize?client_id=4f7f1f59-f0b0-4adb-8603-2afacc50552b&response_type=code - Then open the URL in your browser to create the app entity named PrivateDdnInfra in your Azure account.
- If you encounter a redirect error ("No reply address is registered for the application") after clicking on Approve, ignore this. The actual app will still be created behind the scenes successfully.
For workload provisioning:β
- Replace
$(customer_tenant_id)with your Azure Tenant ID in the URL below:https://login.microsoftonline.com/$(customer_tenant_id)/oauth2/authorize?client_id=ce413986-b5c3-4e49-b45e-093f07776c14&response_type=code - Then open the URL in your browser to create the app entity named ArgoCDDeployer in your Azure account.
- If you encounter a redirect error ("No reply address is registered for the application) after clicking on Approve, ignore this. The actual app will still be created behind the scenes successfully.
Grant Required Rolesβ
Assign the following roles at the resource group level:
- For
PrivateDdnInfra:- Contributor
- Role Based Access Control (RBAC) Administrator
- Allow user to assign all roles except the roles you select
- Configure the constrained roles by adding Owner to exclude roles
- For
ArgoCDDeployer:- Azure Kubernetes Service RBAC Cluster Admin
Additional requirementsβ
- Register the
EnableAPIServerVnetIntegrationPreviewfeature flag using the az feature register command:az feature register --namespace "Microsoft.ContainerService" --name "EnableAPIServerVnetIntegrationPreview" - Hasura provisioning requires that various node pools be created in order to support DDN workloads. Hasura will be provisioning 2 vCPU/8GB RAM instance types for this purpose (Using x64 VM Architecture). We therefore require that CPU related quotas are set accordingly by the customer on a desired instance family type in order to allow Hasura the ability to provision nodes without any issues. A base configuration of worker nodes will consume 20 vCPU. We however recommend setting an appropriate threshold in order to accommodate workers scaling up and down.
Provide Required Informationβ
Get the following details from your Azure Portal and pass them along to the Hasura team.
- (Required) Subscription ID
- (Required) Tenant ID
- (Required) Resource Group Name
- (Required) Azure Region
- (Optional) Preferred Availability Zones
- If you have specific zones which you'd like to use, please pass it along. Otherwise, Hasura will assign accordingly.
- (Optional) VPC CIDR (/16-/19 CIDR)
- If you have a specific CIDR in mind for the VPC setup, please pass it along. If not specified, Hasura will assign 10.0.0.0/16.
- Note: If you are planning to use VPC Peering, this CIDR should not conflict with any networks on your side.
