AWS (EKS)

After completing the pre-deployment preparations, follow the instructions below to set up the necessary infrastructure and deploy the Plixer ML Engine in AWS.

Additional prerequisites for AWS

  • AWS IAM user access key ID and secret access key

  • A VPC with two subnets for the deployment

Note

  • The Plixer ML VM (the deployment host) deployed as part of the pre-deployment preparations will have all software prerequisites (Docker, Terraform, etc.) preinstalled.

  • The setup scripts include an option to automatically set up a new VPC and will prompt the user to enter the necessary information.

  • For existing VPCs, the following requirements must be met:

    • The VPC must have a DHCP option set with the option to use AmazonProvidedDNS for its domain name servers.

    • The VPC must have two private subnets on separate Availability Zones (AZs).

    • If the subnets cannot access the Internet (no NAT gateway attached), set airgap_install in /home/plixer/common/kubernetes/aws.tfvars to TRUE.

  • For additional information on Amazon EKS VPC and subnet requirements and considerations, see this article.

Hybrid cloud deployments

When pairing a Plixer ML Engine in AWS with an on-prem Plixer Scrutinizer environment, one of the following methods should be used to enable connectivity between the two before starting the deployment process.

AWS Site-to-Site VPN

Follow these instructions to create an AWS Site-to-Site VPN connection to allow communication between the two deployments.

Direct access via public IP

A public IP address can be used to allow external access to the on-prem Plixer Scrutinizer deployment. However, this will expose the Plixer Scrutinizer environment to the Internet via ports 5432, 22, and 443.

The public IP address must be entered when prompted by the setup scripts. The Internet gateway IP must also be manually added to the Plixer Scrutinizer pg_hba.conf file to allow access to Postgres.

After the file has been modified, run the following command on the Plixer Scrutinizer server to reload the configuration:

psql -c "SELECT pg_reload_conf()"
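Because this method exposes Postgres on port 5432 to the Internet, the rule added to pg_hba.conf should be as narrow as possible. The following Python audit is an added example, not part of the Plixer documentation; the sample file, its documentation-range addresses, the database and user names, and the max_hosts threshold are all assumptions. It flags network rules that match every address, cover more than a single host, use trust or cleartext password authentication, or permit non-TLS connections.

```python
import ipaddress

# Constructed sample. 203.0.113.x is documentation address space standing in for
# the Internet gateway IP; database and user names are placeholders.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE   USER         ADDRESS          METHOD
local    all        all                           peer
host     all        all          127.0.0.1/32     scram-sha-256
hostssl  exampledb  exampleuser  203.0.113.10/32  scram-sha-256
host     all        all          0.0.0.0/0        md5
host     exampledb  exampleuser  203.0.113.0 255.255.255.0 trust
"""

NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def audit_pg_hba(text, max_hosts=1):
    """Return (line_number, finding) tuples for risky network rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in NETWORK_TYPES:
            continue  # blank line, comment, or local (Unix socket) rule
        conn_type, addr, method = fields[0], fields[3], fields[4]
        # ADDRESS is CIDR, a keyword/hostname, or IPv4 plus a separate netmask.
        if "/" not in addr and len(fields) >= 6 and method[0].isdigit():
            addr, method = f"{addr}/{fields[4]}", fields[5]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            net = None  # keyword such as "all"/"samenet", or a hostname
        loopback = net is not None and net.is_loopback
        if addr == "all" or (net is not None and net.prefixlen == 0):
            findings.append((no, "matches every address"))
        elif net is not None and not loopback and net.num_addresses > max_hosts:
            findings.append((no, f"covers {net.num_addresses} addresses"))
        if not loopback:
            if method in ("trust", "password"):
                findings.append((no, f"weak auth method '{method}'"))
            if conn_type in ("host", "hostnossl"):
                findings.append((no, "permits non-TLS connections"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {no}: {finding}")
```

To audit a real file, pass its contents to audit_pg_hba() in place of the constructed sample.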

Deploying the Plixer ML Engine

Follow these instructions to set up the necessary infrastructure and deploy the Plixer ML Engine:

  1. Log in to the Plixer ML VM image using plixer:plixer.

  2. Accept the EULA, and then configure network settings for the host.

  3. SSH to the Plixer ML VM image using the plixer credentials set in step 2, and then wait for the setup wizard/scripts to start automatically.

  4. Enter the infrastructure deployment parameters as prompted.

    Note

    The requested details are automatically saved to /home/plixer/common/kubernetes/aws.tfvars, which also contains other default parameters for deploying the Plixer ML Engine Kubernetes cluster. If there are issues with the infrastructure deployment, contact Plixer Technical Support for assistance before making changes to the file.

  5. Wait as the Kubernetes cluster is deployed (may take several minutes), and then enter the Plixer Scrutinizer SSH credentials when prompted.

After the scripts complete running, navigate to Admin > Resources > ML Engines and wait for the engine to show as Deployed under its Deploy Status. Refresh the page if the status has not updated after a few minutes.

Terraform configuration

The following table lists all required and optional variables in /home/plixer/common/kubernetes/aws.tfvars, which are used when deploying the Kubernetes infrastructure for the Plixer ML Engine.

Note

Contact Plixer Technical Support before making changes to this file.

| Field name | Description |
|---|---|
| creator | REQUIRED: This is the name of the person creating these AWS resources, used as a tag in AWS to track utilization. |
| cost_center | REQUIRED: This is the cost center to use for these AWS resources, used as a tag in AWS to track utilization. |
| aws_certificate_name | REQUIRED: This is the name of an existing SSH certificate configured in your AWS environment. You can see a list of these in your AWS Console by navigating to EC2 > Network > Security > Key Pairs. |
| instance_type | REQUIRED: This is the AWS instance type to create for EKS worker nodes (e.g. t2.large). |
| fargate | REQUIRED: Use Fargate instead of EKS nodes for applicable workloads. Setting the value to TRUE will allow using a smaller instance_type. |
| aws_region | REQUIRED: The AWS region to deploy infrastructure in. |
| public_load_balancer | REQUIRED: Whether or not to deploy a public load balancer for external access. |
| airgap_install | OPTIONAL: If this is an airgapped install (i.e. the vpc_private_subnets don't have a route to a NAT gateway), then set this to TRUE. |
| create_ec2_endpoint | OPTIONAL: If airgap_install = TRUE, this bool controls whether or not to create an EC2 endpoint in the VPC. |
| create_s3_endpoint | OPTIONAL: If airgap_install = TRUE, this bool controls whether or not to create an S3 endpoint in the VPC. |
| create_ecr_endpoint | OPTIONAL: If airgap_install = TRUE, this bool controls whether or not to create an ECR endpoint in the VPC. |
| create_ssm_endpoint | OPTIONAL: If airgap_install = TRUE, this bool controls whether or not to create an SSM endpoint in the VPC. |
| new_vpc_cidr | OPTIONAL: If you want to create a new VPC, then specify the IP address range in this field. |
| new_vpc_public_cidr | OPTIONAL: If you want to create a new VPC, then specify the IP address range for the public subnet in the new VPC. |
| new_vpc_private_cidr | OPTIONAL: If you want to create a new VPC, then specify the IP address range for the private subnet in the new VPC. |
| azs | OPTIONAL: Availability zones corresponding to the subnets you want created in new_vpc_public_cidr and new_vpc_private_cidr. |
| vpc_name | OPTIONAL: Existing vpc_name to create the EKS resources in. |
| vpc_private_subnets | OPTIONAL: List of private subnet names to create the EKS resources in. |
| vpc_public_subnets | OPTIONAL: List of public subnet names to create the EKS resources in. |
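
A read-only pre-flight check of aws.tfvars against the table above and the existing-VPC requirements, as an added example that is not part of the Plixer setup scripts. It assumes the file uses standard Terraform syntax with one `name = value` assignment per line; all values in the sample are constructed.

```python
import re

REQUIRED = ["creator", "cost_center", "aws_certificate_name", "instance_type",
            "fargate", "aws_region", "public_load_balancer"]
ENDPOINT_FLAGS = ["create_ec2_endpoint", "create_s3_endpoint",
                  "create_ecr_endpoint", "create_ssm_endpoint"]

# Constructed sample with deliberate problems; every value is a placeholder.
SAMPLE_TFVARS = """\
creator              = "jdoe"
cost_center          = "netops"
aws_certificate_name = "example-keypair"
instance_type        = "t2.large"
aws_region           = "us-east-1"
public_load_balancer = true
airgap_install       = false
create_s3_endpoint   = true
vpc_name             = "example-vpc"
vpc_private_subnets  = ["example-private-a"]
"""


def parse_tfvars(text):
    """Parse single-line `name = value` assignments into a dict of strings."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line.split("#", 1)[0])
        if m:
            values[m.group(1)] = m.group(2).strip('"')
    return values


def is_true(values, key):
    return values.get(key, "").lower() == "true"


def check_tfvars(text):
    """Return a list of findings; an empty list means no issue was detected."""
    v = parse_tfvars(text)
    issues = [f"missing required variable: {k}" for k in REQUIRED if not v.get(k)]
    if not is_true(v, "airgap_install"):
        issues += [f"{k} only applies when airgap_install is TRUE"
                   for k in ENDPOINT_FLAGS if is_true(v, k)]
    if v.get("vpc_name"):  # existing VPC: two private subnets are required
        count = len(re.findall(r'"[^"]+"', v.get("vpc_private_subnets", "")))
        if count < 2:
            issues.append(f"existing VPC needs two private subnets, found {count}")
    if is_true(v, "public_load_balancer"):
        issues.append("public_load_balancer is TRUE: confirm external access is intended")
    return issues
```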