
Deployment models of Conveyor

If you are interested in using Conveyor, you can choose between the following deployment models:

  • Shared AWS control plane managed by Conveyor team and an AWS data plane in the customer account
  • Shared AWS control plane managed by Conveyor team and an Azure data plane in the customer account
  • Dedicated AWS control plane and data plane in the customer AWS account

For all AWS data planes, you can choose whether it is connected to the internet or not.

A dedicated control plane and data plane is currently not available for Azure customers. If you want this, reach out to us in order to discuss it further.

Shared AWS control plane and AWS data plane

This is the default setup for installing Conveyor on AWS. The data plane, which runs all the data-related operations, runs in the customer account. With this setup you keep full control over your data: no data leaves your account.

The control plane in this case is used as an orchestrator and to store Conveyor related metadata. It hosts the UI and API to perform authentication and authorization before delegating the data operations to the data plane. More details can be found on the architecture page. It also aggregates several metrics from the data plane and allows the Conveyor team to monitor and fix potential issues.

Before we can install the Conveyor data plane in your account, you should create the support role, as described here, and give us the VPC and CIDR ranges.

A typical network setup for the data plane is described on the AWS networking page.

Setup data plane without internet access

VPC endpoints

If you want to set up the data plane without internet access, you can use AWS PrivateLink to set up secure communication between the control plane and the data plane. Since the data plane has no internet access, the following VPC endpoints need to be configured:

  • aps
  • aps-workspaces
  • ecr.api
  • ecr.dkr
  • ec2
  • ec2messages
  • eks
  • elasticloadbalancing
  • kms
  • logs
  • monitoring
  • secretsmanager
  • ssm
  • sts
  • sqs
  • xray

Note that the usage of interface VPC endpoints will increase the running cost of your platform, as AWS will add a charge per VPC endpoint.

Cognito domain

For the communication between the control plane and the data plane, the data plane needs to validate the JWT tokens issued by Cognito. It will thus require access to an Amazon Cognito domain. This domain will be created as part of your Conveyor installation and will follow the pattern:

  • <identifier>.auth.<aws-region>.amazoncognito.com

Shared AWS control plane and Azure data plane

This is the default setup for installing Conveyor for Azure customers. The data plane, which runs all the data-related operations, runs inside the customer Azure subscription. A best practice is to create a separate subscription for Conveyor and make the Conveyor team owner of that subscription. With this setup we have all the access needed to install the Conveyor data plane without being given access to data or components unrelated to Conveyor.

A common way to give the Conveyor team access is by using access packages and allowing the Conveyor team to request them. This can be achieved by allowing users from another tenant to request these permissions. Contact us for the necessary parameters.

A typical network setup for the data plane is described on the Azure networking page.

Dedicated control plane and data plane in the client's AWS account

Some enterprises require that both the control plane and the data plane be installed privately in their AWS account without internet access. Setting up Conveyor this way is possible, but it adds complexity and has higher running costs, as many VPC endpoints need to be created. If you have these requirements, please reach out to us in order to discuss it further.

Private data plane requirements

VPC endpoints

The data plane requires the following VPC endpoints:

  • aps
  • aps-workspaces
  • ecr.api
  • ecr.dkr
  • ec2
  • ec2messages
  • eks
  • elasticloadbalancing
  • kms
  • logs
  • monitoring
  • secretsmanager
  • ssm
  • sts
  • sqs
  • xray

Cognito domain

For the communication between the control plane and the data plane, the data plane needs to validate the JWT tokens issued by Cognito. It will thus require access to an Amazon Cognito domain. This domain will be created as part of your Conveyor installation and will follow the pattern:

  • <identifier>.auth.<aws-region>.amazoncognito.com

Private control plane requirements

VPC endpoints

The control plane requires the following VPC endpoints:

  • aps
  • aps-workspaces
  • ecr.api
  • ecr.dkr
  • ecs
  • ec2messages
  • kms
  • logs
  • ssm
  • ssmmessages
  • sts
  • sqs
  • xray

It is not strictly necessary to provide interface VPC endpoints for all services in both accounts. To save costs, it is also possible to manage the interface endpoints in a central account, and make sure that requests to these services are routed correctly in other accounts.
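To verify a VPC against the data plane and control plane endpoint lists above, the following added check (not part of Conveyor or this page) parses the JSON that `aws ec2 describe-vpc-endpoints` prints and reports required services that have no available interface endpoint, as well as endpoints that exist but have private DNS disabled, since without private DNS, SDK and CLI calls still resolve to the public hostname that is unreachable from a VPC with no internet access. The region name and the embedded sample document are constructed for the example.

```python
"""Compare a VPC's interface endpoints with the Conveyor endpoint lists.

Input is the JSON from `aws ec2 describe-vpc-endpoints --filters
Name=vpc-id,Values=<vpc-id>`; a constructed sample is embedded so the
check runs offline.
"""
import json

# Service suffixes taken from the data plane and control plane lists above.
DATA_PLANE_SERVICES = [
    "aps", "aps-workspaces", "ecr.api", "ecr.dkr", "ec2", "ec2messages", "eks",
    "elasticloadbalancing", "kms", "logs", "monitoring", "secretsmanager",
    "ssm", "sts", "sqs", "xray",
]
CONTROL_PLANE_SERVICES = [
    "aps", "aps-workspaces", "ecr.api", "ecr.dkr", "ecs", "ec2messages", "kms",
    "logs", "ssm", "ssmmessages", "sts", "sqs", "xray",
]


def check_endpoints(describe_json, region, required):
    """Return {'missing': [...], 'no_private_dns': [...]} for one VPC."""
    doc = json.loads(describe_json)
    present = {}  # service name -> PrivateDnsEnabled
    for ep in doc.get("VpcEndpoints", []):
        # Gateway endpoints (s3, dynamodb) and endpoints still being
        # provisioned or deleted do not satisfy the requirement.
        if ep.get("VpcEndpointType") != "Interface" or ep.get("State") != "available":
            continue
        present[ep["ServiceName"]] = bool(ep.get("PrivateDnsEnabled"))
    missing, no_private_dns = [], []
    for svc in required:
        name = "com.amazonaws.%s.%s" % (region, svc)
        if name not in present:
            missing.append(svc)
        elif not present[name]:
            no_private_dns.append(svc)
    return {"missing": missing, "no_private_dns": no_private_dns}


# Constructed sample: sts is fine, kms lacks private DNS, s3 is a gateway endpoint.
SAMPLE = json.dumps({"VpcEndpoints": [
    {"ServiceName": "com.amazonaws.eu-west-1.sts", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.eu-west-1.kms", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": False},
    {"ServiceName": "com.amazonaws.eu-west-1.s3", "VpcEndpointType": "Gateway",
     "State": "available"},
]})

if __name__ == "__main__":
    for plane, req in (("data", DATA_PLANE_SERVICES), ("control", CONTROL_PLANE_SERVICES)):
        print(plane, check_endpoints(SAMPLE, "eu-west-1", req))
```

For a live account, pipe the real `describe-vpc-endpoints` output into `check_endpoints` in place of `SAMPLE`; if endpoints are centralised in another account, run the check against the VPC that actually hosts them.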

Cognito domains

You will also have to allow the Amazon Cognito domains that are used as the authentication mechanism, as AWS does not provide a VPC endpoint for its Cognito service.

The following domains need to be resolvable and accessible:

  • cognito-idp.<aws-region>.amazonaws.com
  • cognito-identity.<aws-region>.amazonaws.com