
Prerequisites for Private Network Installs

You can install Yellowbrick using a VPC with a private network that you create prior to, and for the express purpose of, the installation. The VPC must adhere to a number of prerequisites. Your organization may have a hub-and-spoke environment, in which the "hub VPC" is at the corporate level, and a number of "spoke VPCs" are created for individual applications, such as Yellowbrick.

Before installing Yellowbrick into an existing VPC, make sure it meets the following network requirements.

Private Hosted Zone

You must create a private hosted zone for your Yellowbrick deployment, using the AWS Route 53 service, which determines how traffic is routed within an Amazon VPC (as opposed to internet routing).

A Route 53 hosted zone assigns a custom domain name to your VPC and makes that domain resolvable, typically as a subdomain of the domain managed by your identity service provider (IDP). Yellowbrick must be able to register DNS records for many of the services it creates (CDWM, observability, and so on) so that they are reachable by DNS name. When private DNS is defined, configure DNS forwarding to the appropriate corporate DNS servers so that these services can be resolved from the end user's network. The zone name also determines the names on the certificates that encrypt all network communication between components of the Yellowbrick Data Warehouse and that terminate on the back-end nodes themselves.

See Create a Route 53 Hosted Zone and be sure to specify the private type when you create it. You will also need to identify the existing VPC that it is associated with.

Private Subnets

A pair of private subnets spanning at least two separate Availability Zones (AZs) is required for the installation. You may also use three AZs and three subnets.

When configuring a subnet to contain the EKS cluster that Yellowbrick will create, IP availability is key. The base installation requires 79 IP addresses for instances and associated services. For each additional Yellowbrick worker node, 9 IP addresses are required.

The preferred subnet size is /19, which provides about 8,000 IP addresses. A /24 is also sufficient, but a /25 is too small.

The subnets must have a special tag to be discovered by the load balancer. This tag is documented by AWS here. The specific tag is as follows:

key: kubernetes.io/role/internal-elb, value: 1
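The following pre-flight check, added here as an example and not part of Yellowbrick's installer, validates candidate EKS subnets against the requirements above: the 79 + 9 per worker IP budget, the /24 minimum, the internal-elb tag, and the two-AZ spread. It reads the JSON shape returned by `aws ec2 describe-subnets`; the two samples are constructed, and the allowance of five AWS-reserved addresses per subnet is an assumption taken from AWS's standard VPC behaviour.

```python
"""Pre-flight check of candidate EKS subnets (added example, not Yellowbrick code)."""
import ipaddress

BASE_IPS = 79          # base installation: instances and associated services
IPS_PER_WORKER = 9     # each additional Yellowbrick worker node
AWS_RESERVED = 5       # assumption: AWS reserves 5 addresses in every subnet
MAX_PREFIX = 24        # /24 is sufficient; /25 is too small
LB_TAG_KEY, LB_TAG_VALUE = "kubernetes.io/role/internal-elb", "1"


def required_ips(workers):
    """IP addresses the installation needs for a given number of worker nodes."""
    return BASE_IPS + IPS_PER_WORKER * workers


def check_subnet(subnet, workers):
    """Return a list of problems for one subnet dict (empty list means OK)."""
    sid = subnet["SubnetId"]
    net = ipaddress.ip_network(subnet["CidrBlock"])
    problems = []
    if net.prefixlen > MAX_PREFIX:
        problems.append(f"{sid}: /{net.prefixlen} is smaller than the /{MAX_PREFIX} minimum")
    usable = net.num_addresses - AWS_RESERVED
    if usable < required_ips(workers):
        problems.append(f"{sid}: {usable} usable IPs < {required_ips(workers)} required")
    tags = {t["Key"]: t["Value"] for t in subnet.get("Tags", [])}
    if tags.get(LB_TAG_KEY) != LB_TAG_VALUE:
        problems.append(f"{sid}: missing tag {LB_TAG_KEY}={LB_TAG_VALUE}")
    return problems


def check_subnets(describe_output, workers=0):
    """Check every subnet, then the requirement of at least two distinct AZs."""
    subnets = describe_output["Subnets"]
    problems = [p for s in subnets for p in check_subnet(s, workers)]
    azs = {s["AvailabilityZone"] for s in subnets}
    if len(azs) < 2:
        problems.append(f"only {len(azs)} AZ(s) covered; at least two are required")
    return problems


LB_TAG = [{"Key": LB_TAG_KEY, "Value": LB_TAG_VALUE}]
GOOD = {"Subnets": [  # constructed sample: two tagged /19 subnets in two AZs
    {"SubnetId": "subnet-aaaa1111", "CidrBlock": "10.20.0.0/19", "AvailabilityZone": "us-east-1a", "Tags": LB_TAG},
    {"SubnetId": "subnet-bbbb2222", "CidrBlock": "10.20.32.0/19", "AvailabilityZone": "us-east-1b", "Tags": LB_TAG},
]}
BAD = {"Subnets": [  # constructed sample: second subnet is /25, untagged, and in the same AZ
    {"SubnetId": "subnet-aaaa1111", "CidrBlock": "10.20.0.0/24", "AvailabilityZone": "us-east-1a", "Tags": LB_TAG},
    {"SubnetId": "subnet-cccc3333", "CidrBlock": "10.20.1.0/25", "AvailabilityZone": "us-east-1a", "Tags": []},
]}

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_subnets(data, workers=2) or ["OK"])
```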

VPC Gateway Endpoint

A VPC Gateway Endpoint provides access to the "public" AWS S3 bucket that is used for Yellowbrick data storage. This gateway uses a private data path to access S3; communication does not go over the public internet.

NAT Gateway for Internet Access

This gateway is outbound-only and is currently needed by the installer to download certain required packages from the internet.

Certificate Issuer Name and ARN

Public trusted certificate authorities cannot issue a TLS certificate for a domain on a private network. Instead, create a certificate with the AWS Private Certificate Authority (PCA) service via the AWS console. You will need a root certificate with your organization name; for all other fields, accept the defaults. The installer UI will ask for the issuer name (aws-privateca-issuer) and the ARN value (paste this from the PCA record in the console).
