Set Up AWS Account and VPC for Private Data
AWS private data processing involves running a data processing cluster for Alteryx Analytics Cloud (AAC) inside of your AWS account and VPC. This combination of software, your infrastructure, and AWS resources managed by Alteryx, is referred to as a private data plane. This page focuses on how to set up your AWS account and VPC for AAC to create a private data plane there.
Note
The AWS Account and VPC setup requires access and permissions to the AWS Console. If you don’t have this access, contact your IT team to complete this step.
Warning
Never delete resources provisioned for Private Data Processing.
Step 1: Select the AWS Account
Select the account where you want to run your private data plane.
Because IAM credentials are scoped to the entire account, the most secure way to run a private data plane is in a dedicated AWS account. This is not required but recommended.
You probably want this account to be in the same region as the S3 bucket you selected for private data storage, as well as any data sources you want to connect to AAC. This improves performance and reduces egress costs.
The VPC created in the AWS account should be dedicated to AAC. You can set up connectivity to private data sources using VPC peering, transit gateways,
Step 2: Configure IAM
With your AWS account in place, the next step is to set up the IAM user account and access keys.
Step 2a: Create an IAM User (Service Account)
Create an IAM user with the name aac_automation_sa. Ensure that this user doesn't have console access.
On Set Permissions, select Next.
Tag the IAM user:
Key Name | Value |
---|---|
AACResource | aac_iam_user |
Select Create User.
Generate an Access Key:
Select the new IAM user and then select the Security credentials tab.
Select Create access key.
Select Other under Access key best practices & alternatives and then select Next.
Select Create access key.
Note
You need the IAM user access key and secret key later when you provision the cloud resources and deploy software.
Step 2b: Create the IAM Policy and Bind to the Service Account
You need to create a custom IAM policy. Name it AAC_Base_SA_Policy and use the following policy document. We recommend using the JSON tab instead of the visual editor. AAC requires some * permissions to run. Expect some security warnings when you create the policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupsForUser",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicyTags",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:policy/*",
        "arn:aws:iam::*:oidc-provider/*",
        "arn:aws:iam::*:user/*",
        "arn:aws:iam::*:role/*"
      ]
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*",
        "iam:GetAccountName",
        "iam:ListAccountAliases",
        "iam:ListRoles",
        "networkmanager:Describe*",
        "networkmanager:Get*",
        "networkmanager:List*",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketOwnershipControls",
        "s3:GetBucketPolicy",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionAttributes",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionTorrent",
        "s3:GetReplicationConfiguration",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "secretsmanager:*",
      "Resource": "arn:aws:secretsmanager:*:*:secret:*"
    }
  ]
}
```
Step 2c: Tag the IAM Policy
Tag the custom IAM policy created in Step 2b.
Key Name | Value |
---|---|
AACResource | aac_sa_custom_policy |
Attach the AAC_Base_SA_Policy IAM policy to the aac_automation_sa service account created in Step 2a.
Note
AAC_Base_SA_Policy is an example policy name. You can choose any name for the policy, but the name must start with AAC_Base.
Step 3: Create a VPC
Create the VPC after you create the IAM policy...
Create a new VPC in 1 of the supported regions. For information on supported regions, go to Private Data Processing.
Select VPC and more.
Configure CIDR blocks in the VPC. You might need to create the VPC with a single CIDR and then select Edit CIDRs to add the second.
For Designer Cloud and Machine Learning, add /18 and /21 CIDRs. For Cloud Execution for Desktop, add a /21 CIDR.
Select 3 in the Number of Availability Zones (AZs) section.
Select 0 in the Number of public subnets section.
Select 0 in the Number of private subnets section.
Select None in the NAT gateways section.
Enable the S3 Gateway VPC endpoint within the VPC.
Enable DNS hostnames and resolution.
Tag the VPC.
Tag Name | Value |
---|---|
AACResource | aac_vpc |
Note
Connections to private data sources require network paths between the VPC and the data source. As defined in the shared responsibility matrix, you set up these network paths in accordance with your own network policies and preferences.
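As an added pre-flight check (not part of this documentation or of Alteryx's tooling), the following Python validates the Step 2 and Step 3 requirements above against describe-style AWS records: the policy name prefix, tag and parseable document, and the VPC tag, CIDR sizes, DNS settings and S3 gateway endpoint. The sample records are constructed, and the two DNS attributes are assumed to have been folded into the VPC dict (in the real API they come from describe_vpc_attribute).

```python
import json

TAG_KEY = "AACResource"  # tag key the provisioning checks look for in the steps above

def tag_value(tags):
    """AACResource value from an AWS-style [{"Key": .., "Value": ..}] tag list, or None."""
    return next((t["Value"] for t in tags if t["Key"] == TAG_KEY), None)

def check_policy(name, tags, policy_json):
    """Name must start with AAC_Base, tag must be aac_sa_custom_policy, document must parse as JSON."""
    problems = []
    if not name.startswith("AAC_Base"):
        problems.append("policy name must start with AAC_Base")
    if tag_value(tags) != "aac_sa_custom_policy":
        problems.append("policy needs tag AACResource=aac_sa_custom_policy")
    try:
        json.loads(policy_json)  # a stray trailing comma is the usual reason the console rejects it
    except json.JSONDecodeError as e:
        problems.append(f"policy document is not valid JSON: {e.msg} (line {e.lineno})")
    return problems

def check_vpc(vpc, endpoints, product):
    """Tag aac_vpc, product CIDR sizes, DNS hostnames + resolution, and an S3 gateway endpoint."""
    problems = []
    if tag_value(vpc["Tags"]) != "aac_vpc":
        problems.append("VPC needs tag AACResource=aac_vpc")
    have = {int(c["CidrBlock"].split("/")[1]) for c in vpc["CidrBlockAssociationSet"]}
    need = {18, 21} if product == "designer_cloud" else {21}  # "ced" = Cloud Execution for Desktop
    problems += [f"VPC is missing a /{n} CIDR block" for n in sorted(need - have)]
    if not (vpc["EnableDnsHostnames"] and vpc["EnableDnsSupport"]):
        problems.append("enable DNS hostnames and DNS resolution on the VPC")
    if not any(e["VpcId"] == vpc["VpcId"] and e["VpcEndpointType"] == "Gateway"
               and e["ServiceName"].endswith(".s3") for e in endpoints):
        problems.append("VPC has no S3 gateway endpoint")
    return problems

# Constructed sample (not from a real account); shapes follow describe_vpcs /
# describe_vpc_endpoints, with the two DNS attributes folded into the VPC dict (assumption).
SAMPLE_VPC = {
    "VpcId": "vpc-0example", "EnableDnsHostnames": True, "EnableDnsSupport": False,
    "Tags": [{"Key": "AACResource", "Value": "aac_vpc"}],
    "CidrBlockAssociationSet": [{"CidrBlock": "10.20.0.0/18"}],
}
SAMPLE_ENDPOINTS = [{"VpcId": "vpc-0example", "VpcEndpointType": "Gateway",
                     "ServiceName": "com.amazonaws.us-east-1.s3"}]
SAMPLE_POLICY = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["sts:GetCallerIdentity",], "Resource": "*"}]}'

def run_sample():
    """Both checks on the sample; it should report bad JSON, a missing /21 and DNS resolution off."""
    return check_policy("AAC_Base_SA_Policy", [{"Key": "AACResource", "Value": "aac_sa_custom_policy"}], SAMPLE_POLICY) + check_vpc(SAMPLE_VPC, SAMPLE_ENDPOINTS, "designer_cloud")
```

Feed real describe output into the same functions before pressing Create in Step 5; every string in the returned list corresponds to one of the setup requirements above.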
Step 4: Tag Transit Gateway and Internet Gateway
If your network setup requires usage of a transit gateway or internet gateway, set up and tag them now.
Tag Name | Value |
---|---|
AACResource | aac |
Step 5: Trigger Private Data Handling Provisioning
Data processing environment provisioning triggers from the Admin Console inside AAC. You need Workspace Admin privileges within a workspace in order to see it.
From the AAC landing page, select the Profile menu and then select Workspace Admin.
From the Admin Console, select Private Data Handling and then select Processing.
Caution
If you modify or remove any of the AAC-provisioned public cloud resources once private data handling is provisioned, it leads to an inconsistent state. This inconsistency triggers errors during the job execution or deprovisioning of the private data handling setup.
Make sure that Private Data Storage shows Successfully Configured before you proceed. If the status is Not Configured, go to AWS S3 as Private Data Storage first, then return to this step.
Under the Private Data Processing section, you need to fill out 5 fields. These values come from the AWS account and VPC setup steps you just completed.
Select Create to trigger the deployment of the cluster and resources in your AWS account. This runs a set of validation checks to verify the correct configuration of the AWS account. If there are incorrectly configured permissions, or the creation or tagging of the VPC resources is incorrect, you’ll receive an error message with a description that should point you in the right direction.