
Deployment models of Conveyor

If you are interested in using Conveyor, you can choose between the following deployment models:

  • Shared AWS control plane managed by the Conveyor team and an AWS data plane in the client's AWS account
  • Shared AWS control plane managed by the Conveyor team and an Azure data plane in the client's Azure subscription
  • Dedicated AWS control plane and data plane in the client's AWS account

For all AWS data planes, you can choose whether the data plane is connected to the internet or not.

A dedicated control plane and data plane is currently not available for Azure customers. If you want this, reach out to us in order to discuss it further.

Shared AWS control plane and AWS data plane

This is the default setup for installing Conveyor on AWS. The data plane, which runs all data-related operations, runs in the customer account. With this setup you keep full control over your data: it is processed and stored in your own account, and only Conveyor metadata and operational metrics (see below) reach the control plane.

The control plane acts as an orchestrator and stores Conveyor-related metadata. It hosts the UI and API, performs authentication and authorization, and only then delegates data operations to the data plane. It also aggregates metrics from the data plane so that the Conveyor team can monitor and fix potential issues. More details can be found on the architecture page.

Before we can install the Conveyor data plane in your account, you should create the support role, as described here, and give us the VPC and the CIDR ranges to use.

A typical network setup for the data plane is described on the AWS networking page.

Setup data plane without internet access

If you want to set up the data plane without internet access, you can use AWS PrivateLink for the communication between the control plane and the data plane. Since the data plane has no internet access, every AWS service it talks to must be reachable through a VPC endpoint, so the following VPC endpoints need to be configured in the data plane VPC:

  • sqs
  • kms
  • aps
  • aps-workspaces
  • ecr.api
  • ecr.dkr
  • ecs
  • xray
  • ssm
  • ssmmessages
  • logs
  • ec2messages
  • sts

For the communication between the control plane and the data plane, the data plane needs to validate the JWT tokens issued by Cognito. AWS does not provide a VPC endpoint for Cognito, so even an otherwise private data plane must be allowed outbound HTTPS access to the following host:

  • cognito-idp.[aws-region].amazonaws.com

Shared AWS control plane and Azure data plane

This is the default setup for installing Conveyor for Azure customers. The data plane, which runs all data-related operations, runs in the customer's Azure subscription. A best practice is to create a separate subscription for Conveyor and grant the Conveyor team the Owner role on that subscription only. With this setup we have all the access needed to install the Conveyor data plane without getting access to data or components unrelated to Conveyor.

A common way to give the Conveyor team this access is through access packages that the Conveyor team can request. This works by allowing users from another tenant (the Conveyor tenant) to request these packages. Contact us for the necessary parameters.

A typical network setup for the data plane is described on the Azure networking page.

Dedicated control plane and data plane in the client's AWS account

Some clients require that both the control plane and the data plane are installed privately in their own AWS account, without internet access. Setting up Conveyor this way is complex and can be costly, as it requires many VPC endpoints to be created. If you have these requirements, reach out to us in order to discuss it further.

Private data plane requirements

The private data plane requires the following VPC endpoints in its VPC:

  • sqs
  • kms
  • aps
  • aps-workspaces
  • ecr.api
  • ecr.dkr
  • ecs
  • xray
  • ssm
  • ssmmessages
  • logs
  • ec2messages
  • sts

For the communication between the control plane and the data plane, the data plane needs to validate the JWT tokens issued by Cognito. AWS does not provide a VPC endpoint for Cognito, so the data plane must be allowed outbound HTTPS access to the following host:

  • cognito-idp.[aws-region].amazonaws.com

Private control plane requirements

You will have to allow outbound access to the AWS Cognito domains used for authentication, as AWS does not provide a VPC endpoint for Cognito. These domains are:

  • cognito-idp.[aws-region].amazonaws.com
  • cognito-identity.[aws-region].amazonaws.com
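
The VPC endpoint lists above (identical for the shared and the dedicated setup) and the Cognito allow-list are easy to get subtly wrong: an endpoint that exists but is still pending, or that was created without private DNS, fails in the same way as a missing one. The following audit script is an added example and not part of Conveyor's own tooling. It derives the PrivateLink service names from the endpoint short names on this page, compares them with an inventory shaped like the output of ec2:DescribeVpcEndpoints, and lists the Cognito hosts that must go on an egress allow-list instead. The sample inventory is constructed for illustration; the `list_vpc_endpoints_boto3` helper (which assumes boto3 and permission to call DescribeVpcEndpoints) is the only part that touches a real account.

```python
"""Audit the VPC endpoints and egress allow-list of a private Conveyor deployment.

Added example, not Conveyor's own code. Endpoint names and Cognito hosts
are taken from the deployment page; everything else is an assumption.
"""
from __future__ import annotations

from typing import Iterable

# Endpoint short names listed on the page for a private data plane.
REQUIRED_ENDPOINTS = (
    "sqs", "kms", "aps", "aps-workspaces", "ecr.api", "ecr.dkr", "ecs",
    "xray", "ssm", "ssmmessages", "logs", "ec2messages", "sts",
)

# Cognito has no PrivateLink service, so these hosts belong on an egress
# allow-list (proxy or NAT rule) rather than in the endpoint inventory.
DATA_PLANE_COGNITO_HOSTS = ("cognito-idp.{region}.amazonaws.com",)
CONTROL_PLANE_COGNITO_HOSTS = (
    "cognito-idp.{region}.amazonaws.com",
    "cognito-identity.{region}.amazonaws.com",
)


def service_name(region: str, short_name: str) -> str:
    """PrivateLink service name of an AWS-owned interface endpoint."""
    return f"com.amazonaws.{region}.{short_name}"


def egress_allow_list(region: str, control_plane: bool = False) -> list[str]:
    """Cognito hosts that must be reachable over HTTPS despite no internet access."""
    hosts = CONTROL_PLANE_COGNITO_HOSTS if control_plane else DATA_PLANE_COGNITO_HOSTS
    return [h.format(region=region) for h in hosts]


def audit_endpoints(region: str, existing: Iterable[dict]) -> dict:
    """Compare the endpoints present in a VPC with the required set.

    `existing` is a sequence of dicts shaped like the VpcEndpoints entries
    returned by ec2:DescribeVpcEndpoints (ServiceName, State, PrivateDnsEnabled).
    """
    by_service = {e["ServiceName"]: e for e in existing}
    missing, not_available, private_dns_off = [], [], []
    for short in REQUIRED_ENDPOINTS:
        entry = by_service.get(service_name(region, short))
        if entry is None:
            missing.append(short)
            continue
        if entry.get("State") != "available":
            not_available.append(short)
        # Private DNS is what makes the SDKs' default hostnames
        # (e.g. sqs.<region>.amazonaws.com) resolve to the endpoint.
        if not entry.get("PrivateDnsEnabled", False):
            private_dns_off.append(short)
    return {
        "missing": missing,
        "not_available": not_available,
        "private_dns_disabled": private_dns_off,
        "egress_allow_list": egress_allow_list(region),
    }


def list_vpc_endpoints_boto3(vpc_id: str, region: str) -> list[dict]:
    """Fetch the real inventory (assumes boto3 and ec2:DescribeVpcEndpoints)."""
    import boto3  # imported lazily so the audit logic runs without it

    ec2 = boto3.client("ec2", region_name=region)
    response = ec2.describe_vpc_endpoints(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}]
    )
    return response["VpcEndpoints"]


# Constructed sample inventory: ecr.dkr is absent, kms is still being
# created and xray was created without private DNS.
SAMPLE_REGION = "eu-west-1"
_SAMPLE_STATE = {"kms": "pending"}
_SAMPLE_DNS = {"xray": False}
SAMPLE_ENDPOINTS = [
    {
        "ServiceName": service_name(SAMPLE_REGION, s),
        "State": _SAMPLE_STATE.get(s, "available"),
        "PrivateDnsEnabled": _SAMPLE_DNS.get(s, True),
    }
    for s in REQUIRED_ENDPOINTS
    if s != "ecr.dkr"
]


if __name__ == "__main__":
    # Replace SAMPLE_ENDPOINTS with list_vpc_endpoints_boto3("vpc-...", region)
    # to audit a real data plane VPC.
    for key, value in audit_endpoints(SAMPLE_REGION, SAMPLE_ENDPOINTS).items():
        print(f"{key}: {value}")
```

A clean run reports empty `missing`, `not_available` and `private_dns_disabled` lists; anything else is a connectivity failure waiting to happen once the data plane tries to pull images, send queue messages or validate a Cognito token. For a dedicated control plane, call `egress_allow_list(region, control_plane=True)` to get both Cognito hosts.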