Deploy

Prerequisites

AWS Account Id

Choose the AWS account in which Borneo will be deployed, note its account ID and the AWS region, and share both with the Borneo team. We will whitelist that account so it can access the Docker images and other deployment artifacts used during deployment.

Custom Domain Name & TLS Certificate

  • An FQDN for the Borneo dashboard. This domain is managed by the customer.
  • An ACM certificate for that domain, issued in the same region where Borneo will be deployed.

VPC ID & CIDR Range

  • Will you deploy Borneo into an existing VPC? If so, its VPC ID.
  • Otherwise, the VPC CIDR range to use when the deployment creates a new VPC.

Deployment

  1. Create the IAM service-linked roles for ES, ECS, and ELB using the templates in the SLR folder.
  2. Use the DDS.yaml template to deploy Borneo.
  3. The name of the parent stack must have the sz- prefix because of the IAM permissions the services are granted: the nested stacks use the parent stack name, which is then prefixed to some of the resources created in the microservice stacks. This is a current limitation and will be resolved in the future.
  4. Make sure to input all the Required Parameters when creating the stack in the CloudFormation console.
  5. The template also makes it possible to deploy Borneo into an existing VPC; in that case you must supply the correct Conditional Parameters as well.
  6. Once the deployment completes, check the outputs of the parent stack, take the load balancer endpoint and create a CNAME record for it in the client AWS account's Route 53 as shown.
[Screenshot: CNAME record for the dashboard FQDN in Route 53]
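The same procedure driven from the AWS CLI rather than the console, as an added example that is not Borneo's own deployment script. It assumes the SLR folder contains one template per service named SLR/es.yaml, SLR/ecs.yaml and SLR/elb.yaml, that the parent stack exposes an output called LoadBalancerDNSName, and that the Required and Conditional Parameters are passed as Key=Value arguments; check the templates you were given for the real names. The sz- prefix check and the CIDR check run before anything is created, so a bad stack name fails immediately instead of after a partial rollout.

```shell
#!/bin/sh
# Added example, not Borneo's own deployment script: the six deployment steps
# driven from the AWS CLI instead of the console. Template file names under
# SLR/, the parameter keys passed in "$@" and the output key name are
# assumptions; take the real ones from the templates you were given.
set -eu

# Step 3: the parent stack name must carry the sz- prefix, because the IAM
# permissions granted to the services are scoped to resource names that the
# nested stacks derive from it. Fails early instead of after a long rollout.
require_sz_prefix() {
  case "$1" in
    sz-*) return 0 ;;
    *) echo "stack name '$1' must start with 'sz-'" >&2; return 1 ;;
  esac
}

# Prerequisite check for the VPC CIDR range used when the template creates a
# new VPC: dotted-quad IPv4 address plus a prefix length between /8 and /28.
valid_cidr() {
  ip="${1%/*}"; prefix="${1#*/}"
  [ "$ip" != "$1" ] || return 1                      # no "/" at all
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac     # prefix not numeric
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 28 ] || return 1
  IFS=. read -r a b c d <<EOF
$ip
EOF
  for octet in "$a" "$b" "$c" "$d"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric
    [ "$octet" -le 255 ] || return 1
  done
}

# Step 6: change batch that points the dashboard FQDN (the custom domain from
# the prerequisites) at the load balancer DNS name from the parent stack.
route53_cname_change_batch() {
  printf '{"Comment":"Borneo dashboard","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$1" "$2"
}

# Steps 1, 2, 4, 5 and 6 end to end. Needs credentials for the account that
# the Borneo team has whitelisted. Extra arguments are Key=Value parameter
# overrides: every Required Parameter, plus the Conditional Parameters when
# reusing an existing VPC.
deploy_borneo() {
  stack="$1"; region="$2"; fqdn="$3"; hosted_zone_id="$4"; shift 4
  require_sz_prefix "$stack"
  # Step 1: service-linked roles for ES, ECS and ELB from the SLR folder
  # (file names are assumptions).
  for svc in es ecs elb; do
    aws cloudformation deploy --region "$region" \
      --stack-name "${stack}-slr-${svc}" \
      --template-file "SLR/${svc}.yaml" \
      --capabilities CAPABILITY_NAMED_IAM
  done
  # Steps 2, 4 and 5: the parent stack from DDS.yaml with its parameters.
  aws cloudformation deploy --region "$region" --stack-name "$stack" \
    --template-file DDS.yaml --capabilities CAPABILITY_NAMED_IAM \
    --parameter-overrides "$@"
  # Step 6: read the load balancer endpoint from the parent stack outputs
  # (output key is an assumption) and publish the CNAME in the customer's zone.
  lb=$(aws cloudformation describe-stacks --region "$region" --stack-name "$stack" \
        --query "Stacks[0].Outputs[?OutputKey=='LoadBalancerDNSName'].OutputValue" \
        --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$hosted_zone_id" \
    --change-batch "$(route53_cname_change_batch "$fqdn" "$lb")"
}

# Usage (not run on load; all values are placeholders):
# valid_cidr 10.42.0.0/16 && deploy_borneo sz-borneo us-east-1 borneo.example.com Z0EXAMPLE \
#   VpcCidr=10.42.0.0/16 DomainName=borneo.example.com CertificateArn=<acm-certificate-arn>
```

The CNAME is published with UPSERT so re-running the script after a redeployment updates the record instead of failing on a duplicate.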

Post Deployment

  • Add more users that can access the Borneo dashboard. Find the walkthrough video on the Borneo landing page
  • Connect your first AWS account to the Borneo dashboard. Find the walkthrough video on the Borneo landing page

Cost of ownership

It will cost you approximately 500-700 USD per month to run the POC version of Borneo in your AWS account. Please contact the Borneo team to get access to the detailed AWS cost estimation.

Purpose of each IAM role/policy

AWS Permissions Boundary

  • An IAM policy that acts as an outer boundary on the permissions Borneo's ECS task roles can possibly have: whatever a task role's own policies grant, it can only use permissions that the boundary also allows. Read more about this advanced IAM concept here

ECS IAM Role

  • Enables EC2 instances in the Auto-scaling group to register themselves to the ECS cluster
  • Gives access to Borneo’s ECR repository

Default ECS Task Role

  • Allows ECS services to pull container images from Borneo's AWS ECR repository.
  • Allows ECS services to put logs into the customer's AWS CloudWatch.

ECS Service Task Roles

  • In addition to default task role permissions, allow microservices to access AWS resources needed for the usual operation of Borneo. The permissions are restricted to only the AWS resources in the Borneo stack such as SQS queues, Dynamodb tables, S3 buckets, and SNS topics.
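A post-deployment check for the boundary described above, as an added example that is not Borneo's own tooling: it lists the task roles in the stack and fails if any of them was created without the permissions boundary attached, since such a role is constrained only by its own policies. It assumes the task roles are named with the stack's sz- prefix and that the boundary ARN is known from the deployed stack; both are placeholders here.

```shell
#!/bin/sh
# Added example, not Borneo's own tooling: verify after deployment that every
# ECS task role in the stack actually carries the permissions boundary. A role
# created without the boundary is limited only by its own policies. The sz-
# role-name prefix and the boundary ARN are assumptions; take the real ARN
# from the deployed stack.
set -eu

# Reads lines of "<role-name> <boundary-arn-or-None>" on stdin, the shape
# collect_task_role_boundaries below produces, and returns 1 if any role does
# not carry the expected boundary ARN, listing the offenders on stderr.
audit_task_role_boundaries() {
  expected="$1"; bad=0
  while read -r role arn; do
    [ -n "$role" ] || continue
    if [ "$arn" != "$expected" ]; then
      echo "UNBOUNDED: $role (boundary: $arn)" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Lists the roles whose name starts with the stack prefix and looks up the
# boundary of each. ListRoles does not include PermissionsBoundary, so GetRole
# is called once per role; a role without a boundary yields "None".
collect_task_role_boundaries() {
  aws iam list-roles \
    --query "Roles[?starts_with(RoleName, '$1')].RoleName" --output text \
  | tr '\t' '\n' | while read -r role; do
      [ -n "$role" ] || continue
      printf '%s %s\n' "$role" "$(aws iam get-role --role-name "$role" \
        --query 'Role.PermissionsBoundary.PermissionsBoundaryArn' --output text)"
    done
}

# Usage (not run on load; the ARN is a placeholder):
# collect_task_role_boundaries sz-borneo \
#   | audit_task_role_boundaries arn:aws:iam::<account-id>:policy/<boundary-policy-name>
```

The audit is separated from the collection so it can be fed from a saved inventory as well as from the live API, and so the stack prefix filter can be widened if service task roles are named differently.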

Deployment Assets

Count  Resource
1      ECS cluster
2      c5.large.elasticsearch instances
1      ECS IAM role
1      Security group for ES
1      Autoscaling group
1      CloudWatch log resource policy for Elasticsearch
2      c5.2xlarge instances
17     DynamoDB tables
1      Instance profile
4      S3 buckets
1      Security group
5      SQS queues
1      Launch configuration
3      SSM parameters (2 for ECS images, 1 to store the Cognito JWKS)
19     ECS services
1      CloudWatch event bus
19     ECS task definitions
4      CloudWatch event rules
10     ECS task role policies
1      Cognito user pool
11     ECS task roles
1      SNS topic
1      Default ECS task role
1      SNS topic policy
1      AWS IAM policy used as permissions boundary for ECS task roles
2
1      ALB
2      HTTPS Listener
2      HTTP Listeners
21     Security Groups for ALB
22     Target groups
22     ALB Listener rules
21     CloudWatch log groups