Prerequisites
This topic details the prerequisites required for activating the Zilliz Cloud Bring Your Own Cloud (BYOC) license. It's essential to ensure these initial steps are completed before proceeding to the detailed activation steps provided in Activate Your License. The prerequisites outlined here are foundational for a successful and efficient activation process.
Architecture
The following diagram shows the architecture for BYOC deployment. The control plane is hosted within Zilliz Cloud. With necessary authorization, Zilliz Cloud establishes a secure connection via Private Link to access the customer's VPC. It then creates cloud resources and deploys the BYOC components under the customer's cloud account.
Verify subscription via welcome email
Upon subscribing to a BYOC license, you will receive a welcome email with your subscription details, including your license ID, core size, and validity period. Verify these details for accuracy before proceeding.
Set up your environment
- Operating System Compatibility: Ensure that your machine operates on one of the following systems:
  - Linux
  - macOS
  - Windows
- Terraform Installation: Zilliz Cloud utilizes Terraform for managing the cloud infrastructure required for BYOC deployment.
  - macOS

    ```shell
    brew tap hashicorp/tap
    brew install hashicorp/tap/terraform
    ```

  - CentOS/RHEL

    ```shell
    sudo yum install -y yum-utils
    sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
    sudo yum -y install terraform
    ```

  If you use Windows or other Linux distributions, refer to the Terraform official documentation for installation.
Prepare your accounts
Activation requires two accounts:
- AWS Account: Your Zilliz Cloud BYOC deployment will be hosted within your AWS account. If you do not have an AWS account, create one following the AWS Account Creation Guide. The Zilliz Cloud BYOC solution currently supports the AWS us-west-2 region. For other cloud providers or regions, contact our sales team.
- Zilliz Cloud Account: Use the account you provided to Zilliz Cloud technical support during the contract signing process.
Create temporary security credentials
To activate your BYOC license using Terraform scripts, you'll need to provide temporary security credentials: an AWS access key and secret key that Terraform uses to create the cloud resources. It's advisable to create these credentials solely for the activation process and deactivate them afterward.
Here's how to create temporary security credentials:
1. Sign in to the IAM console using your AWS account ID and password.
2. Go to the Access keys section and click Create access key.
3. On the Retrieve access keys page, choose either Show to reveal the value of your user's secret access key, or Download .csv file. This is your only opportunity to save your secret access key. After you've saved your secret access key in a secure location, choose Done.
For detailed instructions, refer to AWS official documentation.
Understand required resources and permissions
Deploying Zilliz Cloud BYOC requires specific cloud resources and permissions within your AWS account.
Resource quotas
Refer to the table below for the necessary cloud resources and services for Zilliz Cloud BYOC activation. If the cloud resources in your current account are insufficient, contact your cloud account administrator to increase quotas.
Cloud administrators can monitor resource usage and quotas in the cloud quota dashboard. For details, refer to AWS service quotas.
As your cluster is set up across different Availability Zones (AZs) within your Virtual Private Cloud (VPC), you may be charged for some internal network traffic between AZs. For details, refer to the AWS EC2 pricing page.
Resource Type | Instance | Min. Config |
---|---|---|
Virtual Machine | EC2 | |
Object Storage | S3 | 0 |
Block Storage | EBS | 550 GB |
Public IP | EIP | 1 |
Private Network | VPC | 2 |
Network Channel | PrivateLink | 1 |
Load Balance | AWS LB | 1 |
DNS | DNS Zone | 2 |
IAM permissions
Terraform scripts used in activating Zilliz Cloud BYOC require specific AWS policies and permissions.
The table below summarizes the policies and roles Terraform will create for BYOC license activation.
In the table, the Terraform Resource Identifier column lists the internal names used in Terraform scripts, while the IAM Policy / Role column shows the actual names as they will appear in your AWS account.
Terraform Resource Identifier | IAM Policy / Role | Description |
---|---|---|
aws_iam_policy.aws_lb_irsa_policy | zilliz-aws-lb-irsa-policy | Manages various aspects of ELB, including creation, modification, and deletion of load balancers and target groups, as well as associated security and tagging permissions, with specific conditions applied to certain actions. |
aws_iam_policy.bootstrap_policy | zilliz-bootstrap-policy | Grants permissions for managing AWS resources including EKS, EC2, S3, and Route 53, with specific restrictions and conditions. |
aws_iam_policy.cluster_autoscaler_irsa_policy | zilliz-ca-irsa-policy | Allows for managing auto-scaling and EC2 instance operations in AWS, specifically for scaling and termination actions. |
aws_iam_policy.ebs_csi_irsa_policy | zilliz-ebs-csi-irsa-policy | Manages EC2 volumes and snapshots, including creation, attachment, detachment, and deletion, with specific conditions for tagging and cluster association. |
aws_iam_policy.management_policy | zilliz-management-policy | Allows for managing S3 buckets and objects, creating and tagging IAM policies, scaling EKS node groups, and handling various Elastic Load Balancing (ELB) resources, with restrictions based on specific resource tags and paths. |
aws_iam_policy.permission_boundary | zilliz-permission-boundary-policy | Allows actions across various AWS services like ACM, AutoScaling, EC2, EKS, ELB, IAM, Logs, Route 53, S3, and SSM. |
aws_iam_policy.zilliz_business_irsa_policy | zilliz-business-irsa-policy | Allows specific S3 actions, such as reading, writing, listing, and deleting objects in buckets prefixed with zilliz-byoc, reflecting targeted S3 access for business-related operations. |
aws_iam_role.bootstrap_role | zilliz-bootstrap-role | Secures role assumption with specific conditions, including external ID verification, primarily intended for controlled access within the zilliz-byoc framework. |
aws_iam_role.management_role | zilliz-management-role | Secures role assumption, featuring conditions like external ID verification, and is specifically geared for management tasks within the zilliz-byoc framework. |
aws_iam_role_policy_attachment.bootstrap_attachment | zilliz-bootstrap-role | Attaches a specific policy to the role zilliz-bootstrap-role, enabling the assignment of predefined permissions to this role. |
aws_iam_role_policy_attachment.management_attachment | zilliz-management-role | Attaches a specific policy to the role zilliz-management-role, facilitating the application of predefined permissions to this role. |
For a comprehensive understanding of AWS policies and permissions, visit Policies and Permissions in IAM.
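As an added illustration, not the Zilliz Terraform scripts themselves, the following HCL shows the shape of the two controls the table describes: role assumption gated on an external ID (which defends against the confused-deputy problem) and a permission boundary capping what the role can ever do. The control-plane account ID, the external ID value and the boundary's action list are assumptions; only the resource names are taken from the table above.

```hcl
# Illustrative Terraform (not the Zilliz BYOC scripts): a role that only the
# provider's control-plane account may assume, only when it presents the agreed
# external ID, with a permissions boundary capping what the role can ever do.
variable "zilliz_account_id" {
  description = "Account ID of the control plane that will assume the role (placeholder)"
  type        = string
}

variable "external_id" {
  description = "Value agreed out of band; AssumeRole fails without it (placeholder)"
  type        = string
  sensitive   = true
}

# Trust policy: a named principal plus an sts:ExternalId condition.
data "aws_iam_policy_document" "bootstrap_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.zilliz_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# Permissions boundary: an upper bound that attached policies cannot exceed.
# The action list here is an assumption, not the actual boundary contents.
resource "aws_iam_policy" "permission_boundary" {
  name = "zilliz-permission-boundary-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:*", "eks:*", "elasticloadbalancing:*", "route53:*", "s3:*"]
      Resource = "*"
    }]
  })
}

resource "aws_iam_role" "bootstrap_role" {
  name                 = "zilliz-bootstrap-role"
  assume_role_policy   = data.aws_iam_policy_document.bootstrap_trust.json
  permissions_boundary = aws_iam_policy.permission_boundary.arn
}
```

After activation, `aws iam get-role --role-name zilliz-bootstrap-role` returns the trust policy, so you can confirm that the ExternalId condition and the boundary are in place.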
Next steps: Activating your BYOC license
Once you have met all the prerequisites outlined above, you are ready to proceed with the steps detailed in Activate Your License to begin your activation process. This will guide you through the specific actions required to activate and utilize your BYOC license on the Zilliz Cloud platform.