This document instructs you on how to use the Scylla Cloud Bring Your Own Account (BYOA) wizard to set-up a Scylla Cloud managed cluster on your AWS account. Scylla Cloud BYOA enables Scylla Cloud customers to have cloud resources allocated by their own AWS accounts (as opposed to allocating it in a Scylla account). The wizard requires you to interact with and collect information from your AWS account and to paste information from the AWS screens into the Scylla Cloud wizard.
By the end of this procedure, you will be able to use Scylla Cloud to create ScyllaDB clusters using the resources from your AWS account.
You can choose to have a dedicated AWS sub-account for Scylla Cloud by using AWS Organizations and following the procedure using this dedicated account. If you choose not to use an AWS Organization and a dedicated account, you can follow this procedure in your main AWS account.
Caution
Deploying Scylla Cloud Bring Your Own Account grants access to your database resources. We strongly recommend not to change/remove any of the resources that you create for the Scylla Cloud role, or in its policies, to make sure that the database services are all properly set and functioning according to your company security policy.
Before you begin:
Confirm you have filled in the registration page and signed up for Scylla Cloud service.
Confirm that your AWS account has the correct account limits (Instances, VPCs, Elastic IPs, Cloudformation Stacks, etc). See AWS Account Limits and AWS Credentials below.
Add AWS Account Details Add your AWS account details and start cluster creation process.
Define a Boundary Policy for Scylla Cloud on your AWS account
Create a Scylla Cloud policy for your AWS account
Create a Scylla Cloud Role and give it specific privileges
Create the cluster and set it to run Scylla Cloud from your AWS account
From the My Clusters Screen, click Add New Cluster.
In the Deployment drop-down, select Deploy the cluster in your own AWS account.
If BYOA is already defined, you can simply continue to choose your Scylla version and instance type. If BYOA is not defined, a wizard popup will guide you through setting up BYOA. #. Enter your AWS Account ID where indicated and click Get Started.
Define a policy to limit Scylla Cloud permissions in your AWS account.
Use this policy file to define a new policy named ScyllaCloudBoundary.
This policy will restrict Scylla Cloud’s permissions on your AWS account and will be used in further steps.
From the AWS console, navigate to IAM Services > Policies and click Create Policy.
Click the JSON tab.
From the Scylla Cloud wizard, copy the json file by clicking the copy button.
Paste the contents into the AWS json editor. From the AWS editor, click next.
Click Review Policy.
Navigate to the Policies main window, search for the ScyllaCloudBoundary policy and click on it to open the policy details.
Copy the Policy ARN (output should be similar to the following example: arn:aws:iam::734708892259:policy/ScyllaCloudBoundary).
In the Scylla Cloud wizard Boundary Policy ARN field, paste the Policy ARN you copied in the previous step.
Confirm the details are correct in the Summary screen. Your screen should be similar to:
Click Next: Create Cloud Policy.
Create a new policy ScyllaCloud to manage Scylla Cloud role and resources
From the AWS console, navigate to IAM Services > Policies and click Create Policy
Click the JSON tab.
From the Scylla Cloud wizard, copy the json file by clicking the copy button.
Paste the contents into the AWS json editor. From the AWS editor, click next.
Click Review Policy.
Where indicated name the policy ScyllaCloud (no other name can be used).
Click Create Policy.
Navigate to the Policies main window, search for the ScyllaCloud policy and click on it to open the policy details.
Copy the Policy ARN (output should be similar to the following example: arn:aws:iam::734708892259:policy/ScyllaCloud).
In the Scylla Cloud wizard Cloud Policy ARN field, paste the Policy ARN you copied in the previous step.
Confirm the details are correct in the Summary screen. Your screen should be similar to:
Click Next: Create Role.
From the AWS console, navigate to IAM > Roles and click on Create Role.
When asked for a type of trusted entity, select Another AWS account and enter the Scylla Production Account ID - from the Scylla Cloud Wizard.
Check Require external ID and fill in the following:
From the Scylla Cloud Wizard, copy the External ID by clicking the copy button and paste it into the AWS External ID field.
This string should be treated as a password and kept secure
Save the string as you will need to use it later
Note
Require MFA should NOT be checked
From the AWS Create Role Screen, click Next: Permissions.
Search for the policy ScyllaCloud and check it.
Click Next: Add Tags and any other tags you want or you can just skip this step.
Click Next: Review and fill in the following fields:
In Role Name Enter ScyllaCloud
Role Description is optional. Enter any description that makes sense to you, as this is only for your usage.
Click Create Role. Make sure the ScyllaCloud role is listed in the new role ARN list.
Navigate to the Roles main window, search for the ScyllaCloud role and click on it to open the policy details.
Copy the Role ARN (example: arn:aws:iam::734708892259:role/ScyllaCloud).
In the Scylla Cloud wizard Cloud Role ARN field, paste the Role ARN you copied in the previous step.
Click Next: Complete the Cloud Account Setup.
Confirm the details are correct in the Summary screen. Your screen should be similar to:
Confirm you receive a success message or else you can restart the Scylla Cloud Wizard.
Click Next: Complete the Cloud Account Setup.
From the Create Cluster screen, in the Deployment field, confirm Deploy the cluster in your own AWS account is selected and launch a new cluster. The cluster will run on your AWS account.
Validate from your AWS console that the instances are listed. Search for the tag Scylla Cloud to identify managed Scylla Cloud instances.
Congratulations! You are done! You can now proceed to run a Scylla Cluster on your own Account. When the cluster is up and running, you will be able to see the running cluster from your EC2 console. Search for the tag Scylla Cloud to identify managed Scylla Cloud instances including ScyllaDB nodes, Scylla Monitor, and Scylla Manager.
Note
The sections that follow are for reference purposes only. There is no need to execute them once the setup is complete.
Make sure you add the following limits to your AWS account for the resources Scylla Cloud will use. Please make sure that you repeat the resource allocation for each region you plan to use. Note that the following numbers should be in addition to your existing resource allocation.
Use AWS Service Quotas to increase the following resources limits:
Service Name |
Additional Requested Value |
Quota Name |
|---|---|---|
Amazon Virtual Private Cloud (Amazon VPC) |
50 |
VPCs per region |
Amazon Virtual Private Cloud (Amazon VPC) |
96 |
Inbound or outbound rules per security group |
Amazon Elastic Compute Cloud (Amazon EC2) |
200 |
EC2-VPC Elastic IPs |
Amazon Elastic Compute Cloud (Amazon EC2) |
1000 (see note) |
Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances |
Amazon Simple Storage Service (Amazon S3) |
50 |
Buckets |
AWS CloudFormation |
100 |
Stack count |
Note
You can use this helper script to
quickly list relevant quotas for your account.
Note
1000 doesn’t represent the limit for the number of instances, but the limit for vCPUs. Any launched instance of any of the listed instance types (A, C, D, H, I, M, R, T, Z) contributes its vCPU count towards this quota. See more in this AWS blog.
Scylla Cloud requires the following credentials to manage its service while being deployed on your AWS account.
Purpose |
Action |
|---|---|
Scylla cloud will use this to restrict itself for only creating a new policy with access to its S3 backup and with no access to any other policy |
|
Create/Expand clusters |
|
Delete clusters |
|
Create a backup bucket on S3 |
|
Grant each Scylla instance access to its S3 backup bucket |
|
Validate that security policy is complete and up-to-date |
|
Operation activities |
|