From 34f0dbfba2dc65a755a1aca5a011f6f5b6d58da3 Mon Sep 17 00:00:00 2001
From: Dorota Wojcik
Date: Thu, 26 Sep 2024 17:22:29 +0200
Subject: [PATCH] info arch updated
---
 .../create-aws-custom-cloud.md} | 661 +-----------------
 .../create-custom-cloud.md | 70 ++
 .../create-google-custom-cloud.md | 519 ++++++++++++++
 .../howto/byoc/manage-byoc-service.md | 72 ++
 sidebars.ts | 14 +-
 5 files changed, 692 insertions(+), 644 deletions(-)
 rename docs/platform/howto/byoc/{create-custom-cloud.md => create-custom-cloud/create-aws-custom-cloud.md} (52%)
 create mode 100644 docs/platform/howto/byoc/create-custom-cloud/create-custom-cloud.md
 create mode 100644 docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud.md
 create mode 100644 docs/platform/howto/byoc/manage-byoc-service.md
diff --git a/docs/platform/howto/byoc/create-custom-cloud.md b/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud.md
similarity index 52%
rename from docs/platform/howto/byoc/create-custom-cloud.md
rename to docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud.md
index d010b6fc..65b6ceb7 100644
--- a/docs/platform/howto/byoc/create-custom-cloud.md
+++ b/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud.md
@@ -1,7 +1,7 @@
 ---
-title: Create a custom cloud
-sidebar_label: Create custom clouds
-keywords: [AWS, Amazon Web Services, Microsoft Azure, GCP, Google Cloud Platform, byoc, bring your own cloud, custom cloud, OCI, Oracle Cloud Infrastructure]
+title: Create an AWS-integrated custom cloud
+sidebar_label: AWS
+keywords: [AWS, Amazon Web Services, byoc, bring your own cloud, custom cloud]
 ---
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons";
@@ -10,28 +10,7 @@ import TabItem from '@theme/TabItem'; Create a [custom cloud](/docs/platform/concepts/byoc) for BYOC in your Aiven organization to better address your specific business needs or project requirements. -:::note - -- Creating and using custom clouds in your Aiven organization requires - enabling - [the _bring your own cloud (BYOC)_ feature](/docs/platform/concepts/byoc). Check - [who is eligible for BYOC](/docs/platform/concepts/byoc#eligible-for-byoc). To - use the feature, - [enable BYOC in your Aiven organization](/docs/platform/howto/byoc/enable-byoc). -- Enabling - [the BYOC feature](/docs/platform/concepts/byoc) or creating custom clouds in your - Aiven environment does not affect the configuration of your existing organizations, - projects, or services. This only makes the new BYOC capabilities available in your - environment. - -::: - -The process of creating a custom cloud in Aiven differs depending on the -cloud provider to integrate with. - - - -You configure a custom cloud in your Aiven organization and prepare your AWS +To configure a custom cloud in your Aiven organization and prepare your AWS account so that Aiven can access it: 1. In the Aiven Console or with the Aiven CLI client, you specify new cloud details to 
@@ -45,68 +24,10 @@ account so that Aiven can access it: 1. You add contact details for individuals from your organization that Aiven can reach out to in case of technical issues with the new cloud. - - -You configure a custom cloud in your Aiven organization and prepare your Google Cloud -account so that Aiven can access it: - -1. In the Aiven Console or with the Aiven CLI client, you specify new cloud details to - generate a Terraform infrastructure-as-code template. -1. You download the generated template and deploy it in your Google Cloud account to acquire - a privilege-bearing service account, which Aiven needs for accessing your Google - Cloud account only with permissions that are required. - - :::note - Privilege-bearing service account is an - [identifier](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account#id) - of the [service account](https://cloud.google.com/iam/docs/service-account-types#user-managed) - created when running the infrastructure template in your Google Cloud account. Aiven - [impersonates this service account](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct) - and runs operations, such as creating VMs for service nodes, in your BYOC account. - ::: - -1. You deploy your custom cloud resources supplying the generated privilege-bearing service - account to the Aiven platform, which gives Aiven the permissions - to securely access your Google Cloud account, create resources, and manage them onward. -1. You select projects that can use your new custom clouds for creating services. -1. You add contact details for individuals from your organization that Aiven can reach out - to in case of technical issues with the new cloud. - - - -If you use Azure or OCI as a cloud provider, you'll have your -custom cloud created by the Aiven team. Just -[enable the BYOC feature](/docs/platform/howto/byoc/enable-byoc) and specify your -requirements. 
The Aiven team will build your custom cloud according to the specification -you provide. There are no further actions required from you to create your custom cloud. -The Aiven team might reach out to you for more details and will follow up with you to keep -you informed on the progress. - - - -## Limitations {#byoc-limitations} - -- You need at least the Advanced tier of Aiven support services to be - eligible for activating BYOC. - - :::note - See [Aiven support tiers](https://aiven.io/support-services) and - [Aiven responsibility matrix](https://aiven.io/responsibility-matrix) for BYOC. - Contact your account team to learn more or upgrade your support tier. - ::: - -- You can create custom clouds yourself in the [Aiven Console](https://console.aiven.io/) - or using the [Aiven CLI client](/docs/tools/cli) if your cloud provider is AWS or Google Cloud. - For Azure & OCI, [request creating a custom cloud](/docs/platform/howto/byoc/enable-byoc) - from the Aiven team. -- Only [super admins](/docs/platform/howto/make-super-admin) can create custom clouds. - ## Before you start -### Prerequisites {#byoc-prerequisites} +### Prerequisites - - - You have [enabled the BYOC feature](/docs/platform/howto/byoc/enable-byoc). - You have an active account with your cloud provider. - Depending on the tool to use for creating a custom cloud: 
@@ -118,37 +39,15 @@ you informed on the progress. - You have the [super admin](/docs/platform/howto/make-super-admin) role in your Aiven organization. - You have Terraform installed. -- You have required [IAM permissions](#iam-permissions). - - -- You have [enabled the BYOC feature](/docs/platform/howto/byoc/enable-byoc). -- You have an active account with your cloud provider. -- Depending on the tool to use for creating a custom cloud: - - Access to the [Aiven Console](https://console.aiven.io/) or - - [Aiven CLI client](/docs/tools/cli) installed and your Aiven organization ID - retrieved from the output of the `avn organization list` command or from the - [Aiven Console](https://console.aiven.io/) > - \> . -- You have the [super admin](/docs/platform/howto/make-super-admin) role in your Aiven - organization. -- You have Terraform installed. -- You have required [IAM permissions](#iam-permissions). - - - -You have access to the [Aiven Console](https://console.aiven.io/) to -[enable the BYOC feature](/docs/platform/howto/byoc/enable-byoc). - - +- You have required + [IAM permissions](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#iam-permissions). ### IAM permissions You need cloud account credentials set up on your machine so that your user or role has required Terraform permissions -[to integrate with your cloud provider](/docs/platform/howto/byoc/create-custom-cloud#create-cloud). +[to integrate with your cloud provider](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#create-a-custom-cloud). - -
Show permissions required for creating resources for bastion and workload networks @@ -499,47 +398,13 @@ Show permissions required for creating resources for bastion and workload networ ```
-
- -
-Show permissions needed by your service account that will run the Terraform script in your -Google project - -- `roles/iam.serviceAccountAdmin` (sets up impersonation to the privilege-bearing service account) -- `roles/resourcemanager.projectIamAdmin` (provides permissions to the privilege-bearing - service account to use your project) -- `roles/compute.instanceAdmin.v1` (manages networks and instances) -- `roles/compute.securityAdmin` (creates firewall rules) -- Enable [Identity and Access Management (IAM) API](https://cloud.google.com/iam/docs/reference/rest) - to create the privilege-bearing service account -- Enable - [Cloud Resource Manager (CRM) API](https://cloud.google.com/resource-manager/reference/rest) - to set IAM policies to the privilege-bearing service account -- Enable - [Compute Engine API](https://console.cloud.google.com/marketplace/product/google/compute.googleapis.com). -
-For more information on Google Cloud roles, see -[IAM basic and predefined roles reference](https://cloud.google.com/iam/docs/understanding-roles) -in the Goodle Cloud documentation. -
- -The Aiven team will talk to you to determine required permissions. - -
-## Create a custom cloud {#create-cloud} +## Create a custom cloud -How you create a custom cloud in Aiven depends on what cloud provider you use. +Create a custom cloud either in the Aiven Console or with the Aiven CLI. - - -If your cloud provider is AWS, you can create a custom cloud either in the Aiven -Console or with the Aiven CLI. - -
-Create a custom cloud in the Aiven Console - + #### Launch the BYOC setup @@ -744,440 +609,8 @@ Your new custom cloud is ready to use only after its status changes to **Active**. ::: -
- -
-Create a custom cloud with the Aiven client - -1. Generate an IaC template by running [avn byoc create](/docs/tools/cli/byoc#avn-byoc-create). - - ```bash - avn byoc create \ - --organization-id "ORGANIZATION_ID" \ - --deployment-model "DEPLOYMENT_MODEL_NAME" \ - --cloud-provider "google" \ - --cloud-region "CLOUD_REGION_NAME" \ - --reserved-cidr "CIDR_BLOCK" \ - --display-name "CUSTOM_CLOUD_DISPLAY_NAME" - ``` - - Replace the following: - - - `ORGANIZATION_ID` with the ID of your Aiven organization to - connect with your own cloud account to create the custom cloud, - for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). - - `DEPLOYMENT_MODEL_NAME` with the type of [network architecture](/docs/platform/concepts/byoc#byoc-deployment) - your custom cloud uses: - - `standard_public` (public) model: The nodes have public IPs and can be configured - to be publicly accessible for authenticated users. The Aiven control plane can - connect to the service nodes via the public internet. - - `standard` (private) model: The nodes reside in a VPC without public IP addresses - and are by default not accessible from outside. Traffic is routed through a proxy - for additional security utilizing a bastion host physically separated from the - Aiven services. - - `CLOUD_REGION_NAME` with the name of a Google region where to create your custom cloud, - for example `europe-north1`. See all available options in - [Google Cloud regions](/docs/platform/reference/list_of_clouds#google-cloud). - - `CIDR_BLOCK` with a CIDR block defining the IP address range of the VPC that Aiven - creates in your own cloud account, for example: `10.0.0.0/16`, `172.31.0.0/16`, or - `192.168.0.0/20`. - - `CUSTOM_CLOUD_DISPLAY_NAME` with the name of your custom cloud, which you can set - arbitrarily. - -
- Show sample output - - - ```json - { - "custom_cloud_environment": { - "cloud_provider": "google", - "cloud_region": "europe-north1", - "contact_emails": [ - { - "email": "firstname.secondname@domain.com", - "real_name": "Test User", - "role": "Admin" - } - ], - "custom_cloud_environment_id": "018b6442-c602-42bc-b63d-438026133f60", - "deployment_model": "standard", - "display_name": "My BYOC Cloud on Google", - "errors": [], - "reserved_cidr": "10.0.0.0/16", - "state": "draft", - "tags": {}, - "update_time": "2024-05-07T14:24:18Z" - } - } - ``` - -
- -1. Deploy the IaC template. - - 1. Download the template and the variable file: - - - [avn byoc template terraform get-template](/docs/tools/cli/byoc#avn-byoc-template-terraform-get-template) - - ```bash - avn byoc template terraform get-template \ - --organization-id "ORGANIZATION_ID" \ - --byoc-id "CUSTOM_CLOUD_ID" >| "tf_dir/tf_file.tf" - ``` - - Replace the following: - - - `ORGANIZATION_ID` with the ID of your Aiven organization to - connect with your own cloud account to create the custom cloud, - for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). - - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can - extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) - command, for example `018b6442-c602-42bc-b63d-438026133f60`. - - - [avn byoc template terraform get-vars](/docs/tools/cli/byoc#avn-byoc-template-terraform-get-vars) - - ```bash - avn byoc template terraform get-vars \ - --organization-id "ORGANIZATION_ID" \ - --byoc-id "CUSTOM_CLOUD_ID" >| "tf_dir/tf_file.vars" - ``` - - Replace the following: - - - `ORGANIZATION_ID` with the ID of your Aiven organization to - connect with your own cloud account to create the custom cloud, - for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). - - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can - extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) - command, for example `018b6442-c602-42bc-b63d-438026133f60`. - - 1. Optionally, modify the template as needed. - - :::note - To connect to a custom-cloud service from different security groups - (other than the one dedicated for the custom cloud) or from IP - address ranges, add specific ingress rules before you apply a - Terraform infrastructure template in your Google Cloud account in the process - of creating a custom cloud resources. 
- - Before adding ingress rules, see the examples provided in the - Terraform template you generated and downloaded from the [Aiven - Console](https://console.aiven.io/). - ::: - - 1. Use Terraform to deploy the infrastructure template with the provided variables in - your Google Cloud account. This will generate a privilege-bearing service account (SA). - - :::important - When running `terraform plan` and `terraform apply`, add `-var-file=FILE_NAME.vars` - as an option. - ::: - - 1. Find `privilege_bearing_service_account_id` in the output script after running - the template. - -1. Provision resources by running [avn byoc provision](/docs/tools/cli/byoc#avn-byoc-provision) - and passing the generated `google-privilege-bearing-service-account-id` as an option. - - ```bash - avn byoc provision \ - --organization-id "ORGANIZATION_ID" \ - --byoc-id "CUSTOM_CLOUD_ID" \ - --google-privilege-bearing-service-account-id "GENERATED_SERVICE_ACCOUNT_ID" - ``` - - Replace the following: - - - `ORGANIZATION_ID` with the ID of your Aiven organization to - connect with your own cloud account to create the custom cloud, - for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). - - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can - extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) - command, for example `018b6442-c602-42bc-b63d-438026133f60`. - - `GENERATED_SERVICE_ACCOUNT_ID` with the identifier of the service account - created when running the infrastructure template in your Google Cloud account, - for example - `projects/your-project/serviceAccounts/cce-cce0123456789a@your-project.iam.gserviceaccount.com`. - You can extract `GENERATED_SERVICE_ACCOUNT_ID` from the output of the `terraform apply` - command or `terraform output` command. - -1. 
Enable your custom cloud in organizations, projects, or units by running - [avn byoc cloud permissions add](/docs/tools/cli/byoc#avn-byoc-cloud-permissions-add). - - ```bash - avn byoc cloud permissions add \ - --organization-id "ORGANIZATION_ID" \ - --byoc-id "CUSTOM_CLOUD_ID" \ - --account "ACCOUNT_ID" - ``` - - Replace the following: - - - `ORGANIZATION_ID` with the ID of your Aiven organization to - connect with your own cloud account to create the custom cloud, - for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). - - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can - extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) - command, for example `018b6442-c602-42bc-b63d-438026133f60`. - - `ACCOUNT_ID` with the identifier of your account (organizational unit) in Aiven, - for example `a484338c34d7`. You can extract `ACCOUNT_ID` from the output of - the `avn organization list` command. - -1. Add customer contacts for the new cloud by running - [avn byoc update](/docs/tools/cli/byoc#avn-byoc-update). - - ```bash - avn byoc update \ - --organization-id "ORGANIZATION_ID" \ - --byoc-id "CUSTOM_CLOUD_ID" \ - ' - { - "contact_emails": [ - { - "email": "EMAIL_ADDRESS", - "real_name": "John Doe", - "role": "Admin" - } - ] - } - ' - ``` - - Replace the following: - - - `ORGANIZATION_ID` with the ID of your Aiven organization to - connect with your own cloud account to create the custom cloud, - for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). - - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can - extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) - command, for example `018b6442-c602-42bc-b63d-438026133f60`. - -
- - - -If your cloud provider is Google Cloud, you can create a custom cloud either in the Aiven -Console or with the Aiven CLI. - -
-Create a custom cloud in the Aiven Console - - -#### Launch the BYOC setup - -1. Log in to the [Aiven Console](https://console.aiven.io/), and go to a organization. -1. Click **Admin** in the top navigation, and click - in the sidebar. -1. In the **Bring your own cloud** view, select **Create custom cloud**. - -#### Generate an infrastructure template {#generate-infra-template} - -In this step, an IaC template is generated in the Terraform format. In -[the next step](/docs/platform/howto/byoc/create-custom-cloud#deploy-template), -you'll deploy this template in your Google Cloud account to acquire a privilege-bearing -service account (SA), which Aiven needs for accessing your Google Cloud account. - -In the **Create custom cloud** wizard: - -1. Specify cloud details: - - - Cloud provider - - Region - - Custom cloud name - - [Infrastructure tags](/docs/platform/howto/byoc/tag-custom-cloud-resources) - -1. Click **Next**. - -1. Set up deployment and storage details: - - - [Deployment model](/docs/platform/concepts/byoc#byoc-deployment) - - Choose between: - - Private model, which routes traffic through a proxy for additional security - utilizing a bastion host physically separated from the Aiven services. - - Public model, which allows the Aiven control plane to connect to the service - nodes via the public internet. - - - CIDR - - The **CIDR** block defines the IP address range of the VPC that - Aiven creates in your own cloud account. Any Aiven service created in - the custom cloud will be placed in the VPC and will get an IP - address within this address range. - - In the **CIDR** field, specify an IP address range for the BYOC - VPC using a CIDR block notation, for example: `10.0.0.0/16`, - `172.31.0.0/16`, or `192.168.0.0/20`. - - Make sure that an IP address range you use meets the following - requirements: - - - IP address range is within the private IP address ranges - allowed in [RFC - 1918](https://datatracker.ietf.org/doc/html/rfc1918). 
- - - CIDR block size is between `/16` (65536 IP addresses) and - `/24` (256 IP addresses). - - - CIDR block is large enough to host the desired number of - services after splitting it into per-availability-zone - subnets. - - For example, the smallest `/24` CIDR block might be enough - for a few services but can pose challenges during node - replacements or maintenance upgrades if running low on - available free IP addresses. - - - CIDR block of your BYOC VCP doesn't overlap with the CIDR - blocks of VPCs you plan to peer your BYOC VPC with. You - cannot change the BYOC VPC CIDR block after your custom - cloud is created. - - - BYOC remote storage (enabled by default) - - - [Tiered storage](/docs/platform/howto/byoc/store-data) using your own - object storage (S3 bucket) as a tier for historical or rarely queried data - - Backups stored in your own cloud account - - :::note - Permissions for S3 bucket management will be included in the Terraform - infrastructure template to be generated upon completing this step. - ::: - -1. Click **Next**. - -Your IaC Terraform template gets generated based on your inputs. You can -view, copy, or download it. Now, you can use the template to -[acquire Role ARN](/docs/platform/howto/byoc/create-custom-cloud#deploy-template). - -#### Deploy the template{#deploy-template} - -Role ARN is an [identifier of the -role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles) -created when running the infrastructure template in your AWS account. -Aiven uses Role ARN to [assume the -role](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole) -and run operations such as creating VMs for service nodes in your BYOC -account. - -Use the Terraform template generated in step -[Generate an infrastructure template](/docs/platform/howto/byoc/create-custom-cloud#generate-infra-template) -to create your Role ARN by deploying the template in your -AWS account. - -Continue working in the **Create custom cloud** wizard: - -1. 
Copy or download the template and the variables file from the - **Create custom cloud** wizard. - -1. Optionally, modify the template as needed. - - :::note - To connect to a custom-cloud service from different security groups - (other than the one dedicated for the custom cloud) or from IP - address ranges, add specific ingress rules before you apply a - Terraform infrastructure template in your AWS account in the process - of creating a custom cloud resources. - - Before adding ingress rules, see the examples provided in the - Terraform template you generated and downloaded from [Aiven - Console](https://console.aiven.io/). - ::: - -1. Use Terraform to deploy the infrastructure template in your AWS account with the - provided variables. - - :::important - When running `terraform plan` and `terraform apply`, add `-var-file=FILE_NAME.vars` - as an option. - ::: - -1. Find the role identifier (Role ARN) in the output script after - running the template. - -1. Enter Role ARN into the **Role ARN** field in the **Create custom - cloud** wizard. - -1. Click **Next** to proceed or park your cloud setup and save - your current configuration as a draft by selecting **Save draft**. - You can resume creating your cloud later. - -#### Set up your custom cloud's availability - -Select in what projects you'll be able to use your new custom cloud as a hosting cloud for -services. In the projects where you enable your custom cloud, you can create new -services in the custom cloud or migrate your existing services to the custom cloud if your -service and networking configuration allows it. For more information on migrating your -existing services to the custom cloud, contact your account team. 
- -Your cloud can be available in: - -- All the projects in your organization -- Selected organizational units -- Specific projects only - -To set up your cloud's availability in the **Create custom cloud** wizard > -the **Assign BYOC to projects** section, select one of the two following options: - -- **By default for all projects** to make your custom cloud - available in all existing and future projects in the - organization -- **By selection** to pick specific projects or organizational - units where you want your custom cloud to be available. - -:::note -By selecting an organizational unit, you make your custom cloud -available from all the projects in this unit. -::: - -#### Add customer contacts - -Select at least one person whom Aiven can contact in case of any technical -issues with your custom cloud. - -:::note -**Admin** is a mandatory role, which is required as a primary support contact. -::: - -In the **Create custom cloud** wizard > the **Customer contacts** section: - -1. Select a contact person's role using the **Job title** menu, and provide their email - address in the **Email** field. -1. Use **+ Add another contact** to add as many customer contacts as - needed for your custom cloud. -1. Click **Save and validate**. - -The custom cloud process has been initiated for you, which is -communicated in the the **Create custom cloud** wizard as **Creating -your custom cloud**. - -#### Complete the cloud setup - -Select **Done** to close the **Create custom cloud** wizard. - -The deployment of your new custom cloud might take a few minutes. As -soon as it's over, and your custom cloud is ready to use, you'll be -able to see it on the list of your custom clouds in the **Bring your own -cloud** view. - -:::note -Your new custom cloud is ready to use only after its status changes to -**Active**. -::: - -
- -
-Create a custom cloud with the Aiven client - + 1. Generate an IaC template by running [avn byoc create](/docs/tools/cli/byoc#avn-byoc-create). @@ -1196,7 +629,7 @@ Create a custom cloud with the Aiven client - `ORGANIZATION_ID` with the ID of your Aiven organization to connect with your own cloud account to create the custom cloud, for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#byoc-prerequisites). - `DEPLOYMENT_MODEL_NAME` with the type of [network architecture](/docs/platform/concepts/byoc#byoc-deployment) your custom cloud uses: - `standard_public` (public) model: The nodes have public IPs and can be configured @@ -1262,7 +695,7 @@ Create a custom cloud with the Aiven client - `ORGANIZATION_ID` with the ID of your Aiven organization to connect with your own cloud account to create the custom cloud, for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#byoc-prerequisites). - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) command, for example `018b6442-c602-42bc-b63d-438026133f60`. 
@@ -1280,7 +713,7 @@ Create a custom cloud with the Aiven client - `ORGANIZATION_ID` with the ID of your Aiven organization to connect with your own cloud account to create the custom cloud, for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#byoc-prerequisites). - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) command, for example `018b6442-c602-42bc-b63d-438026133f60`. @@ -1325,7 +758,7 @@ Create a custom cloud with the Aiven client - `ORGANIZATION_ID` with the ID of your Aiven organization to connect with your own cloud account to create the custom cloud, for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#byoc-prerequisites). - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) command, for example `018b6442-c602-42bc-b63d-438026133f60`. @@ -1351,7 +784,7 @@ Create a custom cloud with the Aiven client - `ORGANIZATION_ID` with the ID of your Aiven organization to connect with your own cloud account to create the custom cloud, for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#byoc-prerequisites). - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) command, for example `018b6442-c602-42bc-b63d-438026133f60`. 
@@ -1384,72 +817,14 @@ Create a custom cloud with the Aiven client - `ORGANIZATION_ID` with the ID of your Aiven organization to connect with your own cloud account to create the custom cloud, for example `org123a456b789`. Get your `ORGANIZATION_ID` - [from the Aiven Console or CLI](#byoc-prerequisites). + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud#byoc-prerequisites). - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) command, for example `018b6442-c602-42bc-b63d-438026133f60`. -
-
- -To integrate with the Azure or OCI cloud providers, you'll have your custom cloud created -by the Aiven team. [Enable the BYOC feature](/docs/platform/howto/byoc/enable-byoc) and -follow up with the Aiven team from there.
-## Check your cloud's status - -1. Log in to [Aiven Console](https://console.aiven.io/) as an - administrator, and go to an organization. -1. From the top navigation bar, select **Admin**. -1. From the left sidebar, select . -1. In the **Bring your own cloud** view, identify your new cloud on the - list of available clouds and check its status in the **Status** - column. - -When your custom cloud's status is **Active**, its deployment has been completed. Your -custom cloud is ready to use and you can see it on the list of your custom clouds in the -**Bring your own cloud** view. Now you can create new services in the custom cloud or -migrate your existing services to the custom cloud if your service and networking -configuration allows it. For more information on migrating your existing services to the -custom cloud, contact your account team. - -## Manage services in custom clouds - -### Create a service in the custom cloud - - - -To create a service in the [Aiven Console](https://console.aiven.io/) in your new -custom cloud, follow the guidelines in -[Create a service](/docs/platform/howto/create_new_service). - -When creating a service in the [Aiven Console](https://console.aiven.io/), at the -**Select service region** step, select **Custom clouds** from the available regions. - - -To create a service hosted in your new custom cloud, run -[avn service create](/docs/tools/cli/service-cli#avn-cli-service-create) passing your new -custom cloud name as an option: - - ```bash - avn service create \ - --project "PROJECT_NAME" \ - --service-type "TYPE_OF_BYOC_SERVICE" \ - --plan "PLAN_OF_BYOC_SERVICE" \ - --cloud "CUSTOM_CLOUD_NAME" \ - "NEW_BYOC_SERVICE_NAME" - ``` - - - - -### Migrate existing services to the custom cloud - -Whether you can migrate existing services to the custom cloud depends on your service and -networking configuration. Contact your account team for more information. - ## Related pages - [About bring your own cloud](/docs/platform/concepts/byoc) 
diff --git a/docs/platform/howto/byoc/create-custom-cloud/create-custom-cloud.md b/docs/platform/howto/byoc/create-custom-cloud/create-custom-cloud.md
new file mode 100644
index 00000000..a19cc3a5
--- /dev/null
+++ b/docs/platform/howto/byoc/create-custom-cloud/create-custom-cloud.md
@@ -0,0 +1,70 @@ +--- +title: Create a custom cloud +sidebar_label: Create custom clouds +keywords: [AWS, Amazon Web Services, Microsoft Azure, GCP, Google Cloud Platform, byoc, bring your own cloud, custom cloud, OCI, Oracle Cloud Infrastructure] +--- + +import DocCardList from '@theme/DocCardList'; +import ConsoleLabel from "@site/src/components/ConsoleIcons"; + +Create a [custom cloud](/docs/platform/concepts/byoc) for BYOC in your Aiven organization to better address your specific business needs or project requirements. + +:::note + +- Creating and using custom clouds in your Aiven organization requires + enabling + [the _bring your own cloud (BYOC)_ feature](/docs/platform/concepts/byoc). Check + [who is eligible for BYOC](/docs/platform/concepts/byoc#eligible-for-byoc). To + use the feature, + [enable BYOC in your Aiven organization](/docs/platform/howto/byoc/enable-byoc). +- Enabling + [the BYOC feature](/docs/platform/concepts/byoc) or creating custom clouds in your + Aiven environment does not affect the configuration of your existing organizations, + projects, or services. This only makes the new BYOC capabilities available in your + environment. + +::: + +The process of creating a custom cloud in Aiven differs depending on the +cloud provider to integrate with. You can use self-service and create custom clouds on your +own if your cloud provider is AWS or Google Cloud: + + + +:::note[Azure & OCI] +If your cloud provider is Microsoft Azure or OCI, you'll have your custom cloud created by +the Aiven team. Just [enable the BYOC feature](/docs/platform/howto/byoc/enable-byoc) and +specify your requirements. The Aiven team will build your custom cloud according to the +specification you provide. +::: + +#### Limitations + +- You need at least the Advanced tier of Aiven support services to be + eligible for activating BYOC. 
+ + :::tip + See [Aiven support tiers](https://aiven.io/support-services) and + [Aiven responsibility matrix](https://aiven.io/responsibility-matrix) for BYOC. + Contact your account team to learn more or upgrade your support tier. + ::: + +- You can create custom clouds yourself in the [Aiven Console](https://console.aiven.io/) + or using the [Aiven CLI client](/docs/tools/cli) if your cloud provider is AWS or Google Cloud. + For Azure & OCI, [request creating a custom cloud](/docs/platform/howto/byoc/enable-byoc) + from the Aiven team. +- Only [super admins](/docs/platform/howto/make-super-admin) can create custom clouds. + +#### Related pages + +- [About bring your own cloud](/docs/platform/concepts/byoc) +- [Bring your own cloud networking and security](/docs/platform/howto/byoc/networking-security) +- [Enable bring your own cloud (BYOC)](/docs/platform/howto/byoc/enable-byoc) +- [Create a custom cloud in Aiven](/docs/platform/howto/byoc/create-custom-cloud) +- [Assign a project to your custom cloud](/docs/platform/howto/byoc/assign-project-custom-cloud) +- [Add customer's contact information for your custom cloud](/docs/platform/howto/byoc/add-customer-info-custom-cloud) +- [Rename a custom cloud](/docs/platform/howto/byoc/rename-custom-cloud) +- [Download an infrastructure template and a variables file](/docs/platform/howto/byoc/download-infrastructure-template) +- [Tag custom cloud resources](/docs/platform/howto/byoc/tag-custom-cloud-resources) +- [Storing data in custom clouds](/docs/platform/howto/byoc/store-data) +- [Delete a custom cloud](/docs/platform/howto/byoc/delete-custom-cloud) diff --git a/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud.md b/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud.md new file mode 100644 index 00000000..e20acfef --- /dev/null +++ b/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud.md 
@@ -0,0 +1,519 @@ +--- +title: Create a Google-integrated custom cloud +sidebar_label: Google Cloud +keywords: [Google Cloud, byoc, bring your own cloud, custom cloud] +--- + +import ConsoleLabel from "@site/src/components/ConsoleIcons"; +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +Create a [custom cloud](/docs/platform/concepts/byoc) for BYOC in your Aiven organization to better address your specific business needs or project requirements. + +To configure a custom cloud in your Aiven organization and prepare your Google Cloud +account so that Aiven can access it: + +1. In the Aiven Console or with the Aiven CLI client, you specify new cloud details to + generate a Terraform infrastructure-as-code template. +1. You download the generated template and deploy it in your Google Cloud account to acquire + a privilege-bearing service account, which Aiven needs for accessing your Google + Cloud account only with permissions that are required. + + :::note + Privilege-bearing service account is an + [identifier](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account#id) + of the [service account](https://cloud.google.com/iam/docs/service-account-types#user-managed) + created when running the infrastructure template in your Google Cloud account. Aiven + [impersonates this service account](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct) + and runs operations, such as creating VMs for service nodes, in your BYOC account. + ::: + +1. You deploy your custom cloud resources supplying the generated privilege-bearing service + account to the Aiven platform, which gives Aiven the permissions + to securely access your Google Cloud account, create resources, and manage them onward. +1. You select projects that can use your new custom clouds for creating services. +1. 
You add contact details for individuals from your organization that Aiven can reach out + to in case of technical issues with the new cloud. + +## Before you start + +### Prerequisites + +- You have [enabled the BYOC feature](/docs/platform/howto/byoc/enable-byoc). +- You have an active account with your cloud provider. +- Depending on the tool to use for creating a custom cloud: + - Access to the [Aiven Console](https://console.aiven.io/) or + - [Aiven CLI client](/docs/tools/cli) installed and your Aiven organization ID + retrieved from the output of the `avn organization list` command or from the + [Aiven Console](https://console.aiven.io/) > + \> . +- You have the [super admin](/docs/platform/howto/make-super-admin) role in your Aiven + organization. +- You have Terraform installed. +- You have required + [IAM permissions](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#iam-permissions). + +### IAM permissions + +You need cloud account credentials set up on your machine so that your user or role has +required Terraform permissions +[to integrate with your cloud provider](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#create-a-custom-cloud). + +
+Show permissions needed by your service account that will run the Terraform script in your +Google project + +- `roles/iam.serviceAccountAdmin` (sets up impersonation to the privilege-bearing service account) +- `roles/resourcemanager.projectIamAdmin` (provides permissions to the privilege-bearing + service account to use your project) +- `roles/compute.instanceAdmin.v1` (manages networks and instances) +- `roles/compute.securityAdmin` (creates firewall rules) +- Enable [Identity and Access Management (IAM) API](https://cloud.google.com/iam/docs/reference/rest) + to create the privilege-bearing service account +- Enable + [Cloud Resource Manager (CRM) API](https://cloud.google.com/resource-manager/reference/rest) + to set IAM policies to the privilege-bearing service account +- Enable + [Compute Engine API](https://console.cloud.google.com/marketplace/product/google/compute.googleapis.com). +
+For more information on Google Cloud roles, see +[IAM basic and predefined roles reference](https://cloud.google.com/iam/docs/understanding-roles) +in the Goodle Cloud documentation. + +## Create a custom cloud + +Create a custom cloud either in the Aiven Console or with the Aiven CLI. + + + + +#### Launch the BYOC setup + +1. Log in to the [Aiven Console](https://console.aiven.io/), and go to a organization. +1. Click **Admin** in the top navigation, and click + in the sidebar. +1. In the **Bring your own cloud** view, select **Create custom cloud**. + +#### Generate an infrastructure template {#generate-infra-template} + +In this step, an IaC template is generated in the Terraform format. In +[the next step](/docs/platform/howto/byoc/create-custom-cloud#deploy-template), +you'll deploy this template in your Google Cloud account to acquire a privilege-bearing +service account (SA), which Aiven needs for accessing your Google Cloud account. + +In the **Create custom cloud** wizard: + +1. Specify cloud details: + + - Cloud provider + - Region + - Custom cloud name + - [Infrastructure tags](/docs/platform/howto/byoc/tag-custom-cloud-resources) + +1. Click **Next**. + +1. Set up deployment and storage details: + + - [Deployment model](/docs/platform/concepts/byoc#byoc-deployment) + + Choose between: + - Private model, which routes traffic through a proxy for additional security + utilizing a bastion host physically separated from the Aiven services. + - Public model, which allows the Aiven control plane to connect to the service + nodes via the public internet. + + - CIDR + + The **CIDR** block defines the IP address range of the VPC that + Aiven creates in your own cloud account. Any Aiven service created in + the custom cloud will be placed in the VPC and will get an IP + address within this address range. 
+ + In the **CIDR** field, specify an IP address range for the BYOC + VPC using a CIDR block notation, for example: `10.0.0.0/16`, + `172.31.0.0/16`, or `192.168.0.0/20`. + + Make sure that an IP address range you use meets the following + requirements: + + - IP address range is within the private IP address ranges + allowed in [RFC + 1918](https://datatracker.ietf.org/doc/html/rfc1918). + + - CIDR block size is between `/16` (65536 IP addresses) and + `/24` (256 IP addresses). + + - CIDR block is large enough to host the desired number of + services after splitting it into per-availability-zone + subnets. + + For example, the smallest `/24` CIDR block might be enough + for a few services but can pose challenges during node + replacements or maintenance upgrades if running low on + available free IP addresses. + + - CIDR block of your BYOC VCP doesn't overlap with the CIDR + blocks of VPCs you plan to peer your BYOC VPC with. You + cannot change the BYOC VPC CIDR block after your custom + cloud is created. + + - BYOC remote storage (enabled by default) + + - [Tiered storage](/docs/platform/howto/byoc/store-data) using your own + object storage (S3 bucket) as a tier for historical or rarely queried data + - Backups stored in your own cloud account + + :::note + Permissions for S3 bucket management will be included in the Terraform + infrastructure template to be generated upon completing this step. + ::: + +1. Click **Next**. + +Your IaC Terraform template gets generated based on your inputs. You can +view, copy, or download it. Now, you can use the template to +[acquire Role ARN](/docs/platform/howto/byoc/create-custom-cloud#deploy-template). + +#### Deploy the template{#deploy-template} + +Role ARN is an [identifier of the +role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles) +created when running the infrastructure template in your AWS account. 
+Aiven uses Role ARN to [assume the +role](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole) +and run operations such as creating VMs for service nodes in your BYOC +account. + +Use the Terraform template generated in step +[Generate an infrastructure template](/docs/platform/howto/byoc/create-custom-cloud#generate-infra-template) +to create your Role ARN by deploying the template in your +AWS account. + +Continue working in the **Create custom cloud** wizard: + +1. Copy or download the template and the variables file from the + **Create custom cloud** wizard. + +1. Optionally, modify the template as needed. + + :::note + To connect to a custom-cloud service from different security groups + (other than the one dedicated for the custom cloud) or from IP + address ranges, add specific ingress rules before you apply a + Terraform infrastructure template in your AWS account in the process + of creating a custom cloud resources. + + Before adding ingress rules, see the examples provided in the + Terraform template you generated and downloaded from [Aiven + Console](https://console.aiven.io/). + ::: + +1. Use Terraform to deploy the infrastructure template in your AWS account with the + provided variables. + + :::important + When running `terraform plan` and `terraform apply`, add `-var-file=FILE_NAME.vars` + as an option. + ::: + +1. Find the role identifier (Role ARN) in the output script after + running the template. + +1. Enter Role ARN into the **Role ARN** field in the **Create custom + cloud** wizard. + +1. Click **Next** to proceed or park your cloud setup and save + your current configuration as a draft by selecting **Save draft**. + You can resume creating your cloud later. + +#### Set up your custom cloud's availability + +Select in what projects you'll be able to use your new custom cloud as a hosting cloud for +services. 
In the projects where you enable your custom cloud, you can create new +services in the custom cloud or migrate your existing services to the custom cloud if your +service and networking configuration allows it. For more information on migrating your +existing services to the custom cloud, contact your account team. + +Your cloud can be available in: + +- All the projects in your organization +- Selected organizational units +- Specific projects only + +To set up your cloud's availability in the **Create custom cloud** wizard > +the **Assign BYOC to projects** section, select one of the two following options: + +- **By default for all projects** to make your custom cloud + available in all existing and future projects in the + organization +- **By selection** to pick specific projects or organizational + units where you want your custom cloud to be available. + +:::note +By selecting an organizational unit, you make your custom cloud +available from all the projects in this unit. +::: + +#### Add customer contacts + +Select at least one person whom Aiven can contact in case of any technical +issues with your custom cloud. + +:::note +**Admin** is a mandatory role, which is required as a primary support contact. +::: + +In the **Create custom cloud** wizard > the **Customer contacts** section: + +1. Select a contact person's role using the **Job title** menu, and provide their email + address in the **Email** field. +1. Use **+ Add another contact** to add as many customer contacts as + needed for your custom cloud. +1. Click **Save and validate**. + +The custom cloud process has been initiated for you, which is +communicated in the the **Create custom cloud** wizard as **Creating +your custom cloud**. + +#### Complete the cloud setup + +Select **Done** to close the **Create custom cloud** wizard. + +The deployment of your new custom cloud might take a few minutes. 
As +soon as it's over, and your custom cloud is ready to use, you'll be +able to see it on the list of your custom clouds in the **Bring your own +cloud** view. + +:::note +Your new custom cloud is ready to use only after its status changes to +**Active**. +::: + + + + +1. Generate an IaC template by running [avn byoc create](/docs/tools/cli/byoc#avn-byoc-create). + + ```bash + avn byoc create \ + --organization-id "ORGANIZATION_ID" \ + --deployment-model "DEPLOYMENT_MODEL_NAME" \ + --cloud-provider "google" \ + --cloud-region "CLOUD_REGION_NAME" \ + --reserved-cidr "CIDR_BLOCK" \ + --display-name "CUSTOM_CLOUD_DISPLAY_NAME" + ``` + + Replace the following: + + - `ORGANIZATION_ID` with the ID of your Aiven organization to + connect with your own cloud account to create the custom cloud, + for example `org123a456b789`. Get your `ORGANIZATION_ID` + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#byoc-prerequisites). + - `DEPLOYMENT_MODEL_NAME` with the type of [network architecture](/docs/platform/concepts/byoc#byoc-deployment) + your custom cloud uses: + - `standard_public` (public) model: The nodes have public IPs and can be configured + to be publicly accessible for authenticated users. The Aiven control plane can + connect to the service nodes via the public internet. + - `standard` (private) model: The nodes reside in a VPC without public IP addresses + and are by default not accessible from outside. Traffic is routed through a proxy + for additional security utilizing a bastion host physically separated from the + Aiven services. + - `CLOUD_REGION_NAME` with the name of a Google region where to create your custom cloud, + for example `europe-north1`. See all available options in + [Google Cloud regions](/docs/platform/reference/list_of_clouds#google-cloud). 
+ - `CIDR_BLOCK` with a CIDR block defining the IP address range of the VPC that Aiven + creates in your own cloud account, for example: `10.0.0.0/16`, `172.31.0.0/16`, or + `192.168.0.0/20`. + - `CUSTOM_CLOUD_DISPLAY_NAME` with the name of your custom cloud, which you can set + arbitrarily. + +
+ Show sample output + + + ```json + { + "custom_cloud_environment": { + "cloud_provider": "google", + "cloud_region": "europe-north1", + "contact_emails": [ + { + "email": "firstname.secondname@domain.com", + "real_name": "Test User", + "role": "Admin" + } + ], + "custom_cloud_environment_id": "018b6442-c602-42bc-b63d-438026133f60", + "deployment_model": "standard", + "display_name": "My BYOC Cloud on Google", + "errors": [], + "reserved_cidr": "10.0.0.0/16", + "state": "draft", + "tags": {}, + "update_time": "2024-05-07T14:24:18Z" + } + } + ``` + +
+ +1. Deploy the IaC template. + + 1. Download the template and the variable file: + + - [avn byoc template terraform get-template](/docs/tools/cli/byoc#avn-byoc-template-terraform-get-template) + + ```bash + avn byoc template terraform get-template \ + --organization-id "ORGANIZATION_ID" \ + --byoc-id "CUSTOM_CLOUD_ID" >| "tf_dir/tf_file.tf" + ``` + + Replace the following: + + - `ORGANIZATION_ID` with the ID of your Aiven organization to + connect with your own cloud account to create the custom cloud, + for example `org123a456b789`. Get your `ORGANIZATION_ID` + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#byoc-prerequisites). + - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can + extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) + command, for example `018b6442-c602-42bc-b63d-438026133f60`. + + - [avn byoc template terraform get-vars](/docs/tools/cli/byoc#avn-byoc-template-terraform-get-vars) + + ```bash + avn byoc template terraform get-vars \ + --organization-id "ORGANIZATION_ID" \ + --byoc-id "CUSTOM_CLOUD_ID" >| "tf_dir/tf_file.vars" + ``` + + Replace the following: + + - `ORGANIZATION_ID` with the ID of your Aiven organization to + connect with your own cloud account to create the custom cloud, + for example `org123a456b789`. Get your `ORGANIZATION_ID` + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#byoc-prerequisites). + - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can + extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) + command, for example `018b6442-c602-42bc-b63d-438026133f60`. + + 1. Optionally, modify the template as needed. 
+ + :::note + To connect to a custom-cloud service from different security groups + (other than the one dedicated for the custom cloud) or from IP + address ranges, add specific ingress rules before you apply a + Terraform infrastructure template in your Google Cloud account in the process + of creating a custom cloud resources. + + Before adding ingress rules, see the examples provided in the + Terraform template you generated and downloaded from the [Aiven + Console](https://console.aiven.io/). + ::: + + 1. Use Terraform to deploy the infrastructure template with the provided variables in + your Google Cloud account. This will generate a privilege-bearing service account (SA). + + :::important + When running `terraform plan` and `terraform apply`, add `-var-file=FILE_NAME.vars` + as an option. + ::: + + 1. Find `privilege_bearing_service_account_id` in the output script after running + the template. + +1. Provision resources by running [avn byoc provision](/docs/tools/cli/byoc#avn-byoc-provision) + and passing the generated `google-privilege-bearing-service-account-id` as an option. + + ```bash + avn byoc provision \ + --organization-id "ORGANIZATION_ID" \ + --byoc-id "CUSTOM_CLOUD_ID" \ + --google-privilege-bearing-service-account-id "GENERATED_SERVICE_ACCOUNT_ID" + ``` + + Replace the following: + + - `ORGANIZATION_ID` with the ID of your Aiven organization to + connect with your own cloud account to create the custom cloud, + for example `org123a456b789`. Get your `ORGANIZATION_ID` + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#byoc-prerequisites). + - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can + extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) + command, for example `018b6442-c602-42bc-b63d-438026133f60`. 
+ - `GENERATED_SERVICE_ACCOUNT_ID` with the identifier of the service account + created when running the infrastructure template in your Google Cloud account, + for example + `projects/your-project/serviceAccounts/cce-cce0123456789a@your-project.iam.gserviceaccount.com`. + You can extract `GENERATED_SERVICE_ACCOUNT_ID` from the output of the `terraform apply` + command or `terraform output` command. + +1. Enable your custom cloud in organizations, projects, or units by running + [avn byoc cloud permissions add](/docs/tools/cli/byoc#avn-byoc-cloud-permissions-add). + + ```bash + avn byoc cloud permissions add \ + --organization-id "ORGANIZATION_ID" \ + --byoc-id "CUSTOM_CLOUD_ID" \ + --account "ACCOUNT_ID" + ``` + + Replace the following: + + - `ORGANIZATION_ID` with the ID of your Aiven organization to + connect with your own cloud account to create the custom cloud, + for example `org123a456b789`. Get your `ORGANIZATION_ID` + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#byoc-prerequisites). + - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can + extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) + command, for example `018b6442-c602-42bc-b63d-438026133f60`. + - `ACCOUNT_ID` with the identifier of your account (organizational unit) in Aiven, + for example `a484338c34d7`. You can extract `ACCOUNT_ID` from the output of + the `avn organization list` command. + +1. Add customer contacts for the new cloud by running + [avn byoc update](/docs/tools/cli/byoc#avn-byoc-update). 
+ + ```bash + avn byoc update \ + --organization-id "ORGANIZATION_ID" \ + --byoc-id "CUSTOM_CLOUD_ID" \ + ' + { + "contact_emails": [ + { + "email": "EMAIL_ADDRESS", + "real_name": "John Doe", + "role": "Admin" + } + ] + } + ' + ``` + + Replace the following: + + - `ORGANIZATION_ID` with the ID of your Aiven organization to + connect with your own cloud account to create the custom cloud, + for example `org123a456b789`. Get your `ORGANIZATION_ID` + [from the Aiven Console or CLI](/docs/platform/howto/byoc/create-custom-cloud/create-google-custom-cloud#byoc-prerequisites). + - `CUSTOM_CLOUD_ID` with the identifier of your custom cloud, which you can + extract from the output of the [avn byoc list](/docs/tools/cli/byoc#avn-byoc-list) + command, for example `018b6442-c602-42bc-b63d-438026133f60`. + +
+
+ +## Related pages + +- [About bring your own cloud](/docs/platform/concepts/byoc) +- [Bring your own cloud networking and security](/docs/platform/howto/byoc/networking-security) +- [Enable bring your own cloud (BYOC)](/docs/platform/howto/byoc/enable-byoc) +- [Assign a project to your custom cloud](/docs/platform/howto/byoc/assign-project-custom-cloud) +- [Add customer's contact information for your custom cloud](/docs/platform/howto/byoc/add-customer-info-custom-cloud) +- [Rename a custom cloud](/docs/platform/howto/byoc/rename-custom-cloud) +- [Download an infrastructure template and a variables file](/docs/platform/howto/byoc/download-infrastructure-template) +- [Tag custom cloud resources](/docs/platform/howto/byoc/tag-custom-cloud-resources) +- [Storing data in custom clouds](/docs/platform/howto/byoc/store-data) +- [Delete a custom cloud](/docs/platform/howto/byoc/delete-custom-cloud) diff --git a/docs/platform/howto/byoc/manage-byoc-service.md b/docs/platform/howto/byoc/manage-byoc-service.md new file mode 100644 index 00000000..0ef0d90d --- /dev/null +++ b/docs/platform/howto/byoc/manage-byoc-service.md 
@@ -0,0 +1,72 @@ +--- +title: Manage services hosted in custom clouds +sidebar_label: Manage BYOC services +--- + +import ConsoleLabel from "@site/src/components/ConsoleIcons"; +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +## Check your cloud's status + +1. Log in to [Aiven Console](https://console.aiven.io/) as an + administrator, and go to an organization. +1. From the top navigation bar, select **Admin**. +1. From the left sidebar, select . +1. In the **Bring your own cloud** view, identify your new cloud on the + list of available clouds and check its status in the **Status** + column. + +When your custom cloud's status is **Active**, its deployment has been completed. Your +custom cloud is ready to use and you can see it on the list of your custom clouds in the +**Bring your own cloud** view. Now you can create new services in the custom cloud or +migrate your existing services to the custom cloud if your service and networking +configuration allows it. For more information on migrating your existing services to the +custom cloud, contact your account team. + +## Create a service in a custom cloud + + + +To create a service in the [Aiven Console](https://console.aiven.io/) in your new +custom cloud, follow the guidelines in +[Create a service](/docs/platform/howto/create_new_service). + +When creating a service in the [Aiven Console](https://console.aiven.io/), at the +**Select service region** step, select **Custom clouds** from the available regions. 
+ + +To create a service hosted in your new custom cloud, run +[avn service create](/docs/tools/cli/service-cli#avn-cli-service-create) passing your new +custom cloud name as an option: + + ```bash + avn service create \ + --project "PROJECT_NAME" \ + --service-type "TYPE_OF_BYOC_SERVICE" \ + --plan "PLAN_OF_BYOC_SERVICE" \ + --cloud "CUSTOM_CLOUD_NAME" \ + "NEW_BYOC_SERVICE_NAME" + ``` + + + + +## Migrate an existing service to a custom cloud + +Whether you can migrate existing services to the custom cloud depends on your service and +networking configuration. Contact your account team for more information. + +## Related pages + +- [About bring your own cloud](/docs/platform/concepts/byoc) +- [Bring your own cloud networking and security](/docs/platform/howto/byoc/networking-security) +- [Enable bring your own cloud (BYOC)](/docs/platform/howto/byoc/enable-byoc) +- [Create a custom cloud in Aiven](/docs/platform/howto/byoc/create-custom-cloud) +- [Assign a project to your custom cloud](/docs/platform/howto/byoc/assign-project-custom-cloud) +- [Add customer's contact information for your custom cloud](/docs/platform/howto/byoc/add-customer-info-custom-cloud) +- [Rename a custom cloud](/docs/platform/howto/byoc/rename-custom-cloud) +- [Download an infrastructure template and a variables file](/docs/platform/howto/byoc/download-infrastructure-template) +- [Tag custom cloud resources](/docs/platform/howto/byoc/tag-custom-cloud-resources) +- [Storing data in custom clouds](/docs/platform/howto/byoc/store-data) +- [Delete a custom cloud](/docs/platform/howto/byoc/delete-custom-cloud) diff --git a/sidebars.ts b/sidebars.ts index 38517888..07bafc71 100644 --- a/sidebars.ts +++ b/sidebars.ts 
@@ -308,7 +308,18 @@ const sidebars: SidebarsConfig = {
 items: [
 'platform/howto/byoc/networking-security',
 'platform/howto/byoc/enable-byoc',
- 'platform/howto/byoc/create-custom-cloud',
+ {
+ type: 'category',
+ label: 'Create custom clouds',
+ link: {
+ type: 'doc',
+ id: 'platform/howto/byoc/create-custom-cloud/create-custom-cloud',
+ },
+ items: [
+ 'platform/howto/byoc/create-custom-cloud/create-aws-custom-cloud',
+ 'platform/howto/byoc/create-custom-cloud/create-google-custom-cloud',
+ ],
+ },
 'platform/howto/byoc/assign-project-custom-cloud',
 'platform/howto/byoc/add-customer-info-custom-cloud',
 'platform/howto/byoc/tag-custom-cloud-resources',
@@ -316,6 +327,7 @@ const sidebars: SidebarsConfig = {
 'platform/howto/byoc/rename-custom-cloud',
 'platform/howto/byoc/download-infrastructure-template',
 'platform/howto/byoc/delete-custom-cloud',
+ '/platform/howto/byoc/manage-byoc-service',
 ],
 },
 {
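Review bot: The doc id added in the second hunk, `'/platform/howto/byoc/manage-byoc-service'`, carries a leading slash while every other entry in the same list is written without one (for example `'platform/howto/byoc/delete-custom-cloud'`). Docusaurus sidebar doc ids are paths relative to the docs root, so the slash will most likely make the site build fail with an unknown-document error or leave the new page unreachable from the sidebar. Change the line to `'platform/howto/byoc/manage-byoc-service',` so it matches its neighbours and the file this commit creates at `docs/platform/howto/byoc/manage-byoc-service.md`. The enclosing `sidebars` object starts and ends outside both hunks.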