Skip to main content

Set Up AWS Account and VPC for Private Data

AWS private data processing involves running a data processing cluster for Alteryx Analytics Cloud (AAC) inside of your AWS account and VPC. This combination of software, your infrastructure, and AWS resources managed by Alteryx, is referred to as a private data plane. This page focuses on how to set up your AWS account and VPC for AAC to create a private data plane there.

Note

The AWS Account and VPC setup requires access and permissions to the AWS Console. If you don’t have this access, contact your IT team to complete this step.

Warning

Never delete resources provisioned for Private Data Processing.

Setup Steps

Step 1: Select the AWS Account

Select the account where you want to run your private data plane.

Because IAM credentials are scoped to the entire account, the most secure way to run a private data plane is in a dedicated AWS account. This is not required but recommended.

You probably want this account to be in the same region as the S3 bucket you selected for private data storage, as well as any data sources you want to connect to AAC. This improves performance and reduces egress costs.

The VPC created in the AWS account should be dedicated to AAC. You can set up connectivity to private data sources using VPC peering, transit gateways, PrivateLink, or others.

Step 2: Configure IAM

With your AWS account in place, the next step is to set up the IAM user account and access keys.

Step 2a: Create a IAM User (Service Account)
  1. Create an IAM user with the name aac_automation_sa. Ensure that this user doesn't have console access.

  2. On Set Permissions, select Next.

  3. Tag the IAM user:

    Key Name

    Value

    AACResource

    aac_iam_user

  4. Select Create User.

  5. Generate an Access Key...

    1. Select the new IAM user and then select the Security credentials tab.

    2. Select Create access key.

    3. Select Other under Access key best practices & alternatives and then select Next.

    4. Select Create access key.

Note

You need the IAM user access key and secret key later when you provision the cloud resources and deploy software.

Step 2b: Create the IAM Policy and Bind to the Service Account

You need to create a custom IAM policy. Name it AAC_Base_SA_Policy and use the following policy document. We recommend using the JSON tab instead of the visual editor. AAC requires some * permissions to run. Expect some security warnings when you create the policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
            ],
            "Resource": [
                "arn:aws:iam::*:policy/*",
                "arn:aws:iam::*:oidc-provider/*",
                "arn:aws:iam::*:user/*",
                "arn:aws:iam::*:role/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*",
                "iam:GetAccountName",
                "iam:ListAccountAliases",
                "iam:ListRoles",
                "networkmanager:Describe*",
                "networkmanager:Get*",
                "networkmanager:List*",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketOwnershipControls",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionAttributes",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionTorrent",
                "s3:GetReplicationConfiguration",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "sts:GetCallerIdentity",
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "secretsmanager:*",
            "Resource": "arn:aws:secretsmanager:*:*:secret:*"
        }
    ]
}
Step 2c: Tag the IAM Policy
  1. Tag the custom IAM policy created in Step 2b.

    Key Name

    Value

    AACResource

    aac_sa_custom_policy

  2. Attach the AAC_Base_SA_Policy IAM policy to the aac_automation_sa service account created in Step 2a.

    Note

    AAC_Base_SA_Policy is an example policy name. You can choose any name for the policy, but the name must start with AAC_Base.

Step 3: Create a VPC

Create the VPC after you create the IAM policy...

  1. Create a new VPC in 1 of the supported regions. For information on supported regions, go to Private Data Processing.

  2. Select VPC and more.

  3. Configure CIDR blocks in the VPC. You might need to create the VPC with a single CIDR and then select Edit CIDRs to add the second.

    1. For Designer Cloud and Machine Learning, add /18 and /21 CIDRs.

    2. For Cloud Execution for Desktop, add /21 CIDR.

  4. Select 3 in the Number of Availability Zones (AZs) section.

  5. Select 0 in the Number of public subnets section.

  6. Select 0 in the Number of private subnets section.

  7. Select None in the NAT gateways section.

  8. Enable the S3 Gateway VPC endpoint within the VPC.

  9. Enable DNS hostnames and resolution.

  10. Tag the VPC.

Tag Name

Value

AACResource

aac_vpc

Note

Connections to private data sources require network paths between the VPC and the data source. As defined in the shared responsibility matrix, you set up these network paths in accordance with your own network policies and preferences.

Step 4: Tag Transit Gateway and Internet Gateway

If your network setup requires usage of a transit gateway or internet gateway, set up and tag them now.

Tag Name

Value

AACResource

aac

Step 5: Trigger Private Data Handling provisioning

Data processing environment provisioning triggers from the Admin Console inside AAC. You need Workspace Admin privileges within a workspace in order to see it.

  1. From the AAC landing page, select the Profile menu and then select Workspace Admin.

  2. From the Admin Console, select Private Data Handling and then select Processing.

Caution

If you modify or remove any of the AAC-provisioned public cloud resources once private data handling is provisioned, it leads to an inconsistent state. This inconsistency triggers errors during the job execution or deprovisioning of the private data handling setup.

Make sure that Private Data Storage shows Successfully Configured before you proceed. If the status is Not Configured, go to AWS S3 as Private Data Storage first, then return to this step.

Under the Private Data Processing section, you need to fill out 5 fields. These values come from the AWS account and VPC setup steps you just completed.

Select Create to trigger the deployment of the cluster and resources in your AWS account. This runs a set of validation checks to verify the correct configuration of the AWS account. If there are incorrectly configured permissions, or the creation or tagging of the VPC resources is incorrect, you’ll receive an error message with a description that should point you in the right direction.