AWS Connectivity Guidelines
The goal of this guide is to explain how to configure the network infrastructure in AWS so that the Agora execution plane can connect to your data sources, and so that external tools (consumers) such as Power BI can connect to and access data at the Agora execution plane.
Default Scenario
By default, Agora will create network infrastructure in the client account according to the AWS recommendations about enabling instances in a private subnet to send outbound traffic to the internet.
Please check NAT gateway use cases: Access the internet from a private subnet for more information.
The Network Elements
A new VPC in the selected region. Please check AWS VPC documentation for further details.
Two subnets, one private to host the Agora servers and one public to host the NAT gateway and public load balancers network interfaces.
The CIDR block will be divided between them leaving only around 25 addresses to be used in the public one, maximizing the addresses to use in the private one.
For example, when indicating 10.2.0.0/24 as the CIDR block for the subnets, the private subnet will be allocated with a CIDR of 10.2.0.0/25 and the public one with a CIDR of 10.2.0.128/27.
Note that each subnet has its own route table to ensure the private subnet is totally isolated from external inbound traffic.
An Internet Gateway to allow communication between your VPC and the internet. Please check AWS internet gateway documentation for further details.
A NAT Gateway to allow outbound connections to the internet from the private subnet. Please check AWS NAT gateways documentation for further details.
The NAT gateway requires an elastic IP.
Southbound Connections
How to Connect to Public Data Sources
Since the Agora execution plane servers have access to the Internet, no additional configuration is needed when your data sources are accessible through the Internet.
How to Connect to AWS Data Sources
Since the data sources are not public, you will need to give the Agora Execution Plane servers access to them. You can use a VPC peering to communicate between the Agora Execution Plane servers and the data source. Please check AWS What is VPC peering documentation for further details.
For example, to connect to Amazon Aurora RDBMS, follow these steps:
Create a VPC peering between the VPC created by Agora and the VPC where the Aurora RDBMS is running.
Connect to the AWS console to manage the Agora Execution Plane account.
Navigate to the VPC Dashboard.
Select Peering Connections.
Choose Create peering connection.
Select the VPC created by Agora as the VPC requester.
If the Aurora RDBMS is in the same account as the Agora Execution Plane:
Check My Account
Select the region where the Aurora RDBMS is running.
Select the VPC where the Aurora RDBMS is running
If the Aurora RDBMS is in a different account:
Check Another Account
Fill the VPC Accepter account ID with the Aurora RDBMS account ID.
Fill the VPC Accepter ID with the Aurora RDBMS VPC ID.
Press the Create peering connection button and write down the peering connection ID.
Select Peering Connections.
Choose the peering created before.
From the Actions menu, select Edit DNS Settings.
Click to enable DNS resolution. If the Aurora RDBMS is running in another account/region, you should allow the requester VPC to resolve DNS of the accepter VPC managing the Aurora RDBMS account.
If the Aurora RDBMS is in the same account as the Agora Execution Plane:
Navigate to the VPC Dashboard.
Select Peering Connections.
The peering created before should appear as “Pending acceptance”, so select it and perform the action Accept request.
If the Aurora RDBMS is in a different account than the Agora Execution Plane:
Connect to the AWS console to manage the Aurora RDBMS account.
Navigate to the VPC Dashboard.
Select Peering Connections.
The peering created before should appear as “Pending acceptance”, so select it and perform the action Accept request.
Write down the Requester CIDRs and the Accepter CIDRs. You will need them later, when configuring the routes.
Modify the route tables to enable traffic through VPC peering
Connect to the AWS console to manage the Agora Execution Plane account.
Navigate to the VPC Dashboard.
Select subnets.
Filter by the VPC created by Agora.
Choose the subnet whose name does not begin with aux-denodo-agora-*.
Choose the route table associated with it.
Select it and perform the action Edit routes
Add a new route to the peering created before to the Accepter CIDR.
If the Aurora RDBMS is running in a different account, connect to the AWS console to manage the Aurora RDBMS account. Do nothing if running in the same account.
Navigate to the VPC Dashboard.
Select subnets.
Filter by the VPC of the Aurora RDBMS.
One by one, select the route table subnets used by the Aurora RDBMS.
Perform the action Edit routes
Add a new route to the peering created before to the Requester CIDR.
Create and test a new data source in the Design Studio.
How to Connect to Data Sources Running On-Premises or Privately in Other Cloud Providers
Since the data sources are not public, you must give the Denodo servers access to them. This scenario will require a VPN between the VPC of the Denodo servers and the private network of the data sources.
Northbound Connections
How to Connect to Agora from the Internet
Since the Agora Execution Plane servers are running in a private network you will have no access to them from any client tool running on the Internet.
The only way to connect from the Internet is to open the load balancers to the Internet, as done for the Data Catalog.
In this case, you should create the cluster using the Provisioning manually option and enable the Internet Facing Load Balancer option.
How to Connect from Clients Running in AWS
Since the Agora Execution Plane servers are running in a private network, you will need to give the client tool access to them. You can use a VPC peering to communicate between the Agora Execution Plane servers and the client tool.
Please check AWS What is VPC peering documentation for further details.
For example, to connect from Tableau Desktop, follow these steps:
Create a VPC peering between the VPC created by Denodo Managed services and the VPC where the Tableau Desktop is running.
Connect to the AWS console to manage the Agora Execution Plane account.
Navigate to the VPC Dashboard.
Select Peering Connections.
Choose Create peering connection.
Select the VPC created by Agora as the VPC requester.
If the Tableau Desktop is in the same account as the Agora Execution Plane:
Check My Account
Select the region where the Tableau Desktop is running.
Select the VPC where the Tableau Desktop is running
If the Tableau Desktop is in a different account than the Agora Execution Plane:
Check Another Account
Fill the VPC Accepter account ID with the Tableau Desktop account ID.
Fill the VPC Accepter ID with the Tableau Desktop VPC ID.
Press the Create peering connection button and write down the peering connection ID.
Select Peering Connections.
Choose the peering created before.
From the Actions menu, select Edit DNS Settings.
Click to enable DNS resolution. If Tableau Desktop is running in another account/region, you should allow the requester VPC to resolve DNS of the accepter VPC managing the Tableau Desktop account.
If the Tableau Desktop is in the same account as the Agora Execution Plane:
Navigate to the VPC Dashboard.
Select Peering Connections.
The peering created before should appear as “Pending acceptance”, so select it and perform the action Accept request.
If the Tableau Desktop is in a different account than the Agora Execution Plane:
Connect to the AWS console to manage the Tableau Desktop account.
Navigate to the VPC Dashboard.
Select Peering Connections.
The peering created before should appear as “Pending acceptance”, so select it and perform the action Accept request.
Write down the Requester CIDRs and the Accepter CIDRs. You will need them later when configuring the routes.
Modify the route tables to enable traffic through VPC peering
Connect to the AWS console to manage the Agora Execution Plane account.
Navigate to the VPC Dashboard.
Select subnets.
Filter by the VPC created by Agora.
Choose the subnet whose name does not begin with aux-denodo-agora-*.
Choose the route table associated with it.
Select it and perform the action Edit routes
Add a new route to the peering created before to the Accepter CIDR.
If the Tableau Desktop is running in a different account, connect to the AWS console to manage the Tableau Desktop account. Do nothing if running in the same account.
Navigate to the VPC Dashboard.
Select subnets.
Filter by the VPC of the Tableau Desktop.
Select the route table used by the Tableau Desktop subnet.
Perform the action Edit routes
Add a new route to the peering created before to the Requester CIDR.
Connect to the Agora Execution servers from Tableau Desktop.
To obtain the host to connect to you will need to go to the Design Studio.
Configure Tableau Desktop to connect to the Agora Execution Plane server.
Follow the steps of the document How to connect to Denodo from Tableau Desktop
Connect to the Agora Execution Plane server using your Agora credentials.
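The route steps in both peering procedures above (Aurora RDBMS and Tableau Desktop) rely on the Requester and Accepter CIDRs written down during acceptance. The following is an added example, not Denodo or Agora code, that checks those CIDRs before the route tables are edited and lists the routes each side needs. The function name, the optional `accepter_subnets` narrowing, the 10.9.0.0/16 VPC and the `pcx-EXAMPLE` ID are assumptions for illustration.

```python
from ipaddress import ip_network


def plan_peering_routes(requester_cidrs, accepter_cidrs, peering_id,
                        accepter_subnets=None):
    """Validate the CIDRs noted during peering and return the routes to add.

    requester_cidrs  -- CIDRs of the VPC created by Agora
    accepter_cidrs   -- CIDRs of the VPC hosting the data source or client
    accepter_subnets -- optional narrower destinations inside the accepter VPC
    """
    req = [ip_network(c) for c in requester_cidrs]  # strict: rejects host bits
    acc = [ip_network(c) for c in accepter_cidrs]

    # AWS does not allow peering VPCs with matching or overlapping CIDR blocks.
    for r in req:
        for a in acc:
            if r.overlaps(a):
                raise ValueError(f"{r} overlaps {a}; peering is not possible")

    # Route only to what must be reachable; each destination has to lie
    # inside one of the accepter CIDRs, otherwise the route is a mistake.
    dests = [ip_network(s) for s in accepter_subnets] if accepter_subnets else acc
    for d in dests:
        if not any(d.subnet_of(a) for a in acc):
            raise ValueError(f"{d} is not inside the accepter VPC")

    return {
        # goes in the route table of the Agora private subnet
        "agora_private_route_table": [(str(d), peering_id) for d in dests],
        # goes in each route table used by the accepter's subnets
        "accepter_route_tables": [(str(r), peering_id) for r in req],
    }


# Constructed sample values: the page's example CIDR block for the Agora side
# and a hypothetical accepter VPC; "pcx-EXAMPLE" is a placeholder peering ID.
if __name__ == "__main__":
    plan = plan_peering_routes(["10.2.0.0/24"], ["10.9.0.0/16"], "pcx-EXAMPLE",
                               accepter_subnets=["10.9.4.0/24"])
    for table, routes in plan.items():
        for dest, target in routes:
            print(f"{table}: {dest} -> {target}")
```

Security groups on both sides still decide which ports are reachable; the routes only make the peer network addressable.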
How to Connect from Clients Running On-Premises or Privately in Other Cloud Providers
Since the Agora Execution Plane servers are not accessible from the Internet, you will need to give access to them. This scenario will require a VPN between the VPC of the Agora Execution Plane servers and the private network of the client tools.