Amazon Web Services resource prerequisites

Create a new VPC (guide) with the following resources:

1. At least two /20 subnets (guide) covering at least two availability zones, configured to auto-assign public IP addresses (guide)
2. An Internet Gateway attached (guide)
  - You also need to add a route to the VPC’s Route Table that allows all inbound traffic to this Internet Gateway (guide)
3. DNS resolution and DNS hostnames enabled (guide)
Create a new security group (guide) with the following Inbound rules, all with source Anywhere
1. HTTP
2. HTTPS
3. SSH
4. PostgreSQL
5. Custom TCP rule: Port 6379
6. Custom TCP rule: Port 3022
7. Custom TCP rule: Port 8800
Create one IAM Access Management Policy (guide) with the below sets of permissions:
1. Service: Elastic Container Registry; Actions: All Elastic Container Registry; Resources: Any for repository
2. Service: EKS; Actions: All EKS actions; Resources: Any for cluster
3. Service: Systems Manager; Actions: all GetParameter; Resources: Any
Create three IAM Service Roles (guide):
1. One “registry manager” role with the EC2 use case and the new policy from Step 3 attached
2. One “cluster manager” role created with the EKS - Cluster use case and AmazonEKSClusterPolicy
  - After this role is created, click on its name, then Attach Policy and select AmazonEKSServicePolicy
3. One “worker node” role with the EC2 use case and these policies:
  - AmazonEKSWorkerNodePolicy
  - AmazonEC2ContainerRegistryReadOnly
  - AmazonEKS_CNI_POLICY
Create an EC2 instance provisioned with the Plotly AMI according to Installation on Amazon Web Services (This instance will act as the Replicated Management Node), with these Instance Details changed from the default:
1. Set the Network to the VPC from Step 1 and select a Subnet from that VPC
2. Set Auto-assign public IP to Disable
3. Set the IAM role to the “registry manager” EC2 service account from Step 4a
4. Select an existing security group and assign the group you created in Step 2
  - Depending on your network, you may need to assign additional security groups; please consult your cloud infrastructure administrator if unsure
SSH into your EC2 instance and:
1. Install Python 3
2. Install aws-cli v2 (guide) and configure it with at least your AWS Access Key IS and AWS Secret Access Key (guide)
3. Install kubectl (guide)
In the Amazon RDS dashboard, create a new DB subnet group in your VPC (guide)
Create a single RDS Postgres (version 11) instance with Standard Create (guide)
1. During configuration:
  - Choose the Production template
  - Leave the Master username as postgres and record the password for use in the next step
  - Under Availability & Durability, ensure Create a standby instance is selected
  - Under Connectivity, select the VPC you created in Step 1 and its associated VPC subnet group
  - Expand Additional Configuration and set the Initial database name to dashauth
2. After the RDS instance is ready, SSH into the EC2 instance you created and connect to the database (guide), then:
  - Create a second database named dash_deployment_server
  - Assign all privileges to the postgres user for the dashauth and dash_deployment_server databases
In the ElastiCache dashboard, create a new DB subnet group
1. Use your VPC ID from Step 1
2. In the Availability Zone or outpost drop-down, select each availability zone you created in Step 1a and Add their Subnet IDs, then click Create
Create an ElastiCache cluster using the Redis cluster engine, with cluster mode disabled (guide)
1. In the Advanced Redis settings, ensure Multi-AZ with Auto-Failover is selected
2. Select the Subnet group you just created
Create an Elastic Kubernetes Service cluster (guide) with the following settings changed from default:
1. Kubernetes version: choose the latest supported version from supported Kubernetes versions.
2. Cluster Service Role: the “cluster manager” IAM Role created in Step 4b
3. VPC: the VPC you created in Step 1
4. Security groups: all groups suggested by the wizard
5. Cluster endpoint access: private
Click on the cluster name, then click the Cluster security group (under the Networking tab) and add an Inbound rule allowing traffic on port 443 from your EC2 instance’s subnet
From your EC2 instance’s command line, add your new cluster’s configuration to your kubeconfig (guide)
Create an EKS node group (guide):
1. Node group compute configuration
  - If using a GPU node pool:
    AMI: Amazon Linux 2 GPU Enabled (AL2_x86_64_GPU)
    Managed node instance type: any of G2, G3, G3S, G4DN, P2, P3, P3DN, or others that support GPU processing (reference)
    Once the node group has been created, install the NVIDIA GPU device plugin for Kubernetes (this can take up to 10 minutes)
  - If not using a GPU node pool:
    AMI: Amazon Linux 2 (AL2_x86_64)
    Managed node instance type: t3.xlarge
2. Node IAM Role Name: the “worker node” IAM Role created in Step 4c
3. Allow remote access to nodes from selected security groups and choose the group you created in Step 2
4. Disk size: 200 GiB
5. At least 4 nodes

From your EC2 instance’s command line, add the Roles you created in Step 4 to the cluster configmap (guide) with the below example 1. Replace WORKER_NODE_ROLE_ARN with the ARN of the role you created in Step 4c 2. Replace REGISTRY_MANAGER_ROLE_ARN with the ARN of the role you created in Step 4a 3. You can retrieve each role’s ARN by visiting its Summary page in the IAM Management Console

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: WORKER_NODE_ROLE_ARN
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: REGISTRY_MANAGER_ROLE_ARN
      username: kubectl-access-user
      groups:
        - system:masters

Create an Elastic Container Registry repository (guide) to contain the images for your Dash apps

PreviousDash Enterprise Kubernetes NextGoogle Cloud Platform resource prerequisites

Last updated 3 years ago