Designer Cloud in GCP
Follow this guide to deploy the Designer Cloud module for Google Cloud Platform (GCP) private data processing.
Prerequisite
Before you deploy the Designer Cloud module, you must complete these steps on the Set Up GCP Project and VPC for Private Data page...
Configured a VPC dedicated to AACAAC as mentioned in the Configure Virtual Private Network section.
Service account and base IAM roles attached to the service account as mentioned in the Configure IAM section.
Successfully triggered private data processing provisioning as mentioned in the Trigger Private Data Handling Provisioning section.
Project Setup
Step 1: Configure IAM
Step 1a: IAM Binding to the Service Account
Assign these additional roles to the aac-automation-sa
service account that you created during Set Up GCP Project and VPC for Private Data:
Compute Load Balancer Admin:
roles/compute.loadBalancerAdmin
Compute Instance Admin (v1):
roles/compute.instanceAdmin.v1
Compute Storage Admin:
roles/compute.storageAdmin
Kubernetes Engine Cluster Admin:
roles/container.clusterAdmin
Storage Admin:
roles/storage.admin
Cloud Memorystore Redis Admin:
roles/redis.admin
Step 2: Configure Subnet
注記
Designer Cloud shares a subnet configuration with Machine Learning, Auto Insights, and App Builder. If you are deploying more than one of those applications, you only need to configure the subnets once.
Designer Cloud in a private data processing environment requires 3 subnets. You created the aac-private subnet earlier when creating the VPC. You do not need to create it again, but it is included here for completeness.
aac-gke-node (required): The GKE cluster uses this subnet to execute Alteryx software jobs (connectivity, conversion, processing, publishing).
aac-public (required): This group doesn’t run any services, but the
aac-gke-node
group uses it for egress out of the cluster.aac-private (required) - This group runs services private to the PDP.
Step 2a: Create Subnets in the VPC
Configure subnets in the aac-vpc
VPC.
Create subnets following the example below. You can adjust the subnet size and secondary subnet size to match your network architecture.
The address spaces are designed to accommodate a fully scaled-out data processing environment. You can choose a smaller address space if required, but you could run into scaling issues under heavy processing loads.
重要
The Subnet Name is not a flexible field, it must match the table below.
You may select any region from the Supported Regions list. However, you must use the same region for the Subnet Region now and when you reach the Trigger Provisioning step later.
Subnet Name | Subnet | Secondary Subnet Name | Secondary Subnet Size | Notes |
---|---|---|---|---|
aac-gke-node | 10.0.0.0/22 | aac-gke-pod | 10.4.0.0/14 | GKE cluster, GKE pod and, GKE service subnets. |
| aac-gke-service | 10.64.0.0/20 |
| |
aac-public | 10.10.1.0/25 | N/A | N/A | Public egress. |
Step 2b: Subnet Route Table
Create the route table for your subnets.
重要
You must configure the Vnet with a network connection to the internet in your subscription.
注記
This route table is an example.
Address Prefix | Next Hop Type |
---|---|
/22 CIDR Block (aac-gke-node) | aac-vpc |
/24 CIDR Block (aac-private) | aac-vpc |
/25 CIDR Block (aac-public) | aac-vpc |
0.0.0.0/0 | <gateway_ID> |
注記
Your <gateway id>
can be either a NAT gateway or an internet gateway, depending on your network architecture.
Step 3: Update the IAM Role for the Kubernetes Service Account
Once Private Data Processing is successfully set up, a Kubernetes service account called credential-pod-sa
is created. This account allows the Kubernetes credential service to access private data credentials stored in the key vault.
注記
Replace <project number>
and <project id>
with project’s project number and project id.
Go to Key Management and select key ring with key created in the Step 5: Create Key Ring and Key.
Select PERMISSIONS, then select GRANT ACCESS.
In the New Principal field, enter:
principal://iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<project-id>.svc.id.goog/subject/ns/credential/sa/credential-pod-sa
Provide Cloud KMS CryptoKey Encrypter/Decrypter and Secret Manager Admin roles.
Select Save.
Private Data Processing
注意
プライベートデータ処理を設定した後に、AACをプロビジョニングされたパブリッククラウドリソースを変更または削除すると、不整合が生じる可能性があります。これらの不整合により、ジョブの実行中またはプライベートデータ処理設定のプロビジョニング解除時にエラーが発生する可能性があります。
Step 1: Trigger Designer Cloud Deployment
Data processing provisioning triggers from the Admin Console inside AACAAC. You need Workspace Admin privileges within a workspace in order to see it.
From the AACAAC landing page, select the Profile menu and then select Workspace Admin.
From the Admin Console, select Private Data Handling and then select Processing.
Select the Designer Cloud checkbox and then select Update.
Selecting Update triggers the deployment of the cluster and resources in the GCP project. This runs a set of validation checks to verify the correct configuration of the GCP project.
注記
The provisioning process takes approximately 35–40 minutes to complete.
After the provisioning completes, you can view the created resources (for example, VM instances and node groups) through the GCP console. It is very important that you don't modify them on your own. Manual changes might cause issues with the function of the private data processing environment.
Step 2: Assign Key Vault Permission to User-Managed Identity
After the successful creation of Private Data Handling, AACAAC creates a user-managed identity called aac-k8s-user-identity
in your Azure subscription. The user-managed identity allows the Kubernetes service account to retrieve private data storage access credentials from the key vault.
Sign in to the Azure subscription in which you provisioned private data storage and private data handling.
In the Resource menu, select the key vault where you stored the private data storage credential.
Select Access policies and then select Create.
Select Get under Secret Management Operations (Secret permissions) and then select Next.
Under the Principal tab, search for
aac-k8s-user-identity
and then select it.Select Next.
Under Application (optional), select Next.
Select Create.
Step 3: Assign a Role to Credential Service User-Managed Identity
Once Private Data Handling is successfully created, a user-managed identity aac-<id>-credentials-service-managed-identity
is created in the subscription. This identity allows the Kubernetes credential service account to retrieve private data access credentials from the key vault. Assign a role to the managed identity:
Sign in to the subscription in which private data storage and private data handling is provisioned.
In the Resource menu, select the key vault created in Step 6: Create a Key Vault and select Access control (IAM).
Role assignment:
Select Add > Add role assignment.
For Job function roles, select Key Vault Secrets Officer and Next.
For Assign access to, select Managed identity.
For Select members, select
aac-<id>-credentials-service-managed-identity
and Select.Select Review + assign.
Policy permissions:
Select Access policies.
Under Key permissions select Get.
Under Secret Management Operations (Secret permissions) select Get, Set, List, Delete and Next.
Under Principal tab, search for
aac-<id>-credentials-service-managed-identity
. After selecting it, hit Next.Under Application (optional), select Next.
Select Create.