Deploy in AWS
Create an AWS sub-account (optional but recommended). This will both help monitor costs and be more secure, as it will not interfere with production or other workloads running in the existing AWS accounts.
Create a user with the following IAM permissions:
β
β
π Note: You can either create a new IAM user or enable an existing user with the above permissions. After stack creation is complete, you can remove these permissions from the IAM user.
Go to the CloudFormation AWS console, and select the option to "Create a New Stack". For the template source, select Amazon S3 URL.
Here is the Atlan CloudFormation S3 template URL: https://atlan.s3.ap-south-1.amazonaws.com/deploy/marketplace/cloudformation/templates/main.yamlβ
Fill in the parameters needed by the CloudFormation template to create the resources:
Deployment Method: The deployment method for installing the product.
Online (recommended): The stack will be launched with Internet Gateway and NAT Gateway. The product will be accessible via Internet without using a VPN.
Airgapped: The stack will be launched without any Internet Gateway, NAT Gateway, or public endpoints. The cluster won't have any kind of internet access and will be only accessible via VPN. Some of the features won't be available, such as:
Slack notifications
Chat feature
Email notifications (you'll need to configure AWS SES separately)
If you are going with the Airgapped method, follow these steps.
License URL: Enter the License URL that was shared by the Atlan team. The deployment will fail without a License URL.
VPC Configuration: Create network resources like VPC, InternetGateway, NatGateway, Subnets, and Security Groups. The default options are already filled in.
π Note:
VPC CIDR: This creates a new VPC CIDR block. Ensure that the CIDR range is different from your existing VPC, which might need to be peered with Atlan's VPC. Also, do not overlap the range with any CIDR block assigned to the IP CIDR to be used by the EKS cluster.
VPC CIDR IP addresses used:
Public Subnets: 30 IP addresses
Private Subnets: 250 IP addresses
EKS Configuration: Configuration of the EKS control plane deployed with the stack.
Launch EKS in Private Subnet: When this is set to "True", the EKS control plane will be deployed in private subnets.
The cluster endpoint is only accessible through your VPC. Worker node traffic to the endpoint will stay within your VPC.
The product will be only accessible via VPN after VPC peering or transit gateway is set up.
The load balancer will be internal, and it will only be accessible with VPC or via VPN after VPC peering is done.
EKS Cluster IP CIDR: This is the CIDR block to assign Kubernetes service IP addresses. If you don't specify a block, Kubernetes assigns the addresses 172.20.0.0/16 CIDR. We recommend that you specify a block that does not overlap with resources in other networks peered or connected to your VPC. The block must meet the following requirements:
Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10 or 198.19.0.0/16
Does not overlap with any CIDR block assigned to the VPC that you selected.
Netmask between /24 and /12.
10.0.0.0/8 and 192.168.0.0/12 wonβt work. Make sure the netmask and CIDR block is between the mentioned ranges.
Recommended CIDR range: /16
AWS IAM User/Role ARN to Access the EKS Cluster through Kubectl: Enter the ARN value of the IAM user or role to get access to the EKS cluster via kubectl. The user/role deploying the stack will have access to the EKS cluster. Use this to provide access to any other user. Refer to this page for more information.
Nodes Configuration: Configurations for the nodes being launched. The nodes are divided into a 70-30 ratio of spot and on-demand capacity.
EC2 Instance Type: The instance type for Atlan nodes.
t3a.2xlargeis recommended for normal workloads. For large workloads, you can increase this tom5a.4xlargeorm5.4xlarge.Launch Spark Nodes: This sets whether to launch Spark nodes. Set this to "True" if you have Azure ADLS. This is set to "False" by default.
Additional Userscript: You can add a Bash script that needs to be executed on every node whenever a new node is added. For this, put the public link to the script in the "Link to additional script to run on nodes while bootstrapping" field. However, this is completely optional and can be left blank.
π Note: While passing the script link, make sure it is public and accessible over the internet. You can use a signed URL with timeout. Once the stack is created, the script will be copied to the S3 bucket launched via CloudFormation, and it will only be fetched by nodes from S3 instead of the internet.
Transit Gateway Configuration: These are the configurations to set up the Transit Gateway with the Atlan VPC. Read this documentation for detailed steps.
Termination Protection (recommended): On the "Specify" stack options page of the "Create Stack" wizard, go to Advanced options, expand the Termination Protection section, and select "Enable".
βLearn more about how to enable termination protection on existing stacks.β
β
β
After entering the parameters above, click on "Next". You can define optional tags as per your IT or Security compliance guidelines, then click the "Next" button.
Click on the two checkboxes, and then click on "Create stack".
If you face any issues, recheck the parameters. Otherwise, reach out to the Atlan support team with the CloudFormation error logs.
Your CloudFormation template is now successful π
After deployment, you will need to set up the organization. Just follow these instructures π
Access the Atlan Product URL, which is displayed as output in the CloudFormation stack.
Fill out the setup page:
Log in with the email and password entered on the setup page.
Looking to configure DNS and SSL/TLS? Here are additional steps to set them up:
βHow to configure DNS with ACMβ
βHow to configure DNS with wildcard private certsβ
Now you are ready to invite new users to Atlan π
