You have the option to use existing network resources with SAS Viya 4 Terraform scripts. The table below summarizes the supported scenarios, requirements, and remaining resources that must still be created using the viya4-iac-aws project.
NOTE: We refer to the use of existing resources as "bring your own" or "BYO" resources.
| Scenario | Description | Required Variables | Optional Variables | Additional Requirements | Resources to be Created |
|---|---|---|---|---|---|
| 0 | No existing network resources | None | None | Not a BYO network scenario | IaC creates the required network resources |
| 1 | To work with an existing VPC | `vpc_id` | | | Subnets, NAT Gateway and Security Groups |
| 2 | To configure all components of your VPC network (Subnets, Routes and associations) and optionally Internet and NAT Gateways | `vpc_id`, one private subnet and two control_plane subnets within the `subnet_ids` map, see Subnet requirements | `nat_id`, public and database subnet lists within the `subnet_ids` map | | Security Groups |
| 3 | To configure all components of your VPC network and Security Groups, and optionally Internet and NAT Gateways | `vpc_id`, one private subnet and two control_plane subnets within the `subnet_ids` map, see Subnet requirements, plus `security_group_id`, `cluster_security_group_id` and `workers_security_group_id` | `nat_id`, public and database subnet lists within the `subnet_ids` map | | None |
Note: The `byo_network_scenario` IaC output value is informational only. It conveys the BYO network scenario that IaC has selected according to the "Use Existing" input variable values you provided.
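As an added example (not taken from the viya4-iac-aws project's own documentation), here is a `terraform.tfvars` fragment for Scenario 3, where every network resource is brought by you. All resource IDs and CIDRs are placeholders, and the `subnet_ids` key names (`private`, `control_plane`, `public`, `database`) are assumed from the wording of the scenario table; confirm them against the project's variable reference before use. Removing the three Security Group variables turns the same file into a Scenario 2 configuration.

```hcl
# Added example: terraform.tfvars for BYO network Scenario 3.
# Every ID and CIDR below is a placeholder (assumed, not from the project docs).

vpc_id = "vpc-0123456789abcdef0"

# Subnets must already exist in vpc_id. The map keys are assumed from the
# wording of the scenario table; check the project's variable reference.
subnet_ids = {
  "private"       = ["subnet-0aaa0000000000001"]                             # at least one
  "control_plane" = ["subnet-0bbb0000000000001", "subnet-0bbb0000000000002"] # two, in different Availability Zones
  "public"        = ["subnet-0ccc0000000000001", "subnet-0ccc0000000000002"] # optional
  "database"      = ["subnet-0ddd0000000000001", "subnet-0ddd0000000000002"] # optional
}

# Optional: an existing NAT Gateway for the private subnets' default route.
nat_id = "nat-0123456789abcdef0"

# Scenario 3 only: the three Security Groups described in this document.
security_group_id         = "sg-0eee0000000000001" # Jump/NFS VMs and Postgres
cluster_security_group_id = "sg-0eee0000000000002" # cluster control plane
workers_security_group_id = "sg-0eee0000000000003" # node VMs; tagged kubernetes.io/cluster/<cluster name> = owned

# Weak setting (left commented out): opens ssh and Postgres to the whole Internet.
# postgres_public_access_cidrs = ["0.0.0.0/0"]
# vm_public_access_cidrs       = ["0.0.0.0/0"]

# Corrected: restrict the public inbound rules to your own egress ranges
# (placeholder documentation ranges below).
postgres_public_access_cidrs = ["203.0.113.0/24"]
vm_public_access_cidrs       = ["203.0.113.0/24", "198.51.100.17/32"]
```

The two `*_public_access_cidrs` lists are the source ranges of the inbound rules on `security_group_id`; in Scenario 3 they must match what you put into that group yourself, since IaC does not create it.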
The Security Group you pass as `security_group_id` is used to set external access to the Jump/NFS VMs and Postgres. It needs the following rules (Source applies to inbound rules, Destination to the outbound rule):

| Rule | Protocol | Ports | Source / Destination |
|---|---|---|---|
| Outbound | All | All | 0.0.0.0/0 |
| Inbound PostgreSQL external | TCP | 5432 | the value you would set for the `postgres_public_access_cidrs` variable |
| Inbound ssh access for Jump/NFS VMs | TCP | 22 | the value you would set for the `vm_public_access_cidrs` variable |
The Security Group you pass as `cluster_security_group_id` allows communication from the Node VMs to the cluster control plane:

| Rule | Protocol | Ports | Source / Destination |
|---|---|---|---|
| Outbound | All | All | 0.0.0.0/0 |
| Inbound from Node VMs to cluster API | TCP | 443 | workers Security Group |
The Security Group you pass as `workers_security_group_id` allows communication among the Node VMs, from the cluster control plane to the Node VMs, and between the Node VMs, the Jump VM and the data sources (EFS, NFS, Postgres):

| Rule | Protocol | Ports | Source / Destination |
|---|---|---|---|
| Outbound | All | All | 0.0.0.0/0 |
| Inbound, allow workers to talk to each other | All | All | self |
| Inbound from cluster control plane | TCP | 1025 - 65535 | cluster Security Group |
| Inbound from cluster control plane | TCP | 443 | cluster Security Group |

This Security Group also needs the following tag: `"kubernetes.io/cluster/<cluster name>" = "owned"`
For more information on these Security Groups, please see https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html.
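For the Scenario 3 case, the three Security Groups described above can be created with Terraform before running IaC. The block below is an added example, not the viya4-iac-aws project's own code: it declares the three groups and the rules from the tables, including the `kubernetes.io/cluster/<cluster name>` tag on the workers group. It assumes you declare `var.vpc_id`, `var.cluster_name`, `var.postgres_public_access_cidrs` and `var.vm_public_access_cidrs` yourself.

```hcl
# Added example (not the viya4-iac-aws project's own code): the three BYO
# Security Groups for Scenario 3 as Terraform resources mirroring the rule
# tables above. var.vpc_id, var.cluster_name and the two access CIDR lists
# are assumed to be declared elsewhere by you.

locals {
  # One entry per group; the value is the extra tags it needs. Only the
  # workers group carries the kubernetes.io/cluster/<cluster name> tag.
  groups = {
    byo     = {}
    cluster = {}
    workers = { "kubernetes.io/cluster/${var.cluster_name}" = "owned" }
  }
}

resource "aws_security_group" "sg" {
  for_each = local.groups
  name     = "${var.cluster_name}-${each.key}"
  vpc_id   = var.vpc_id
  tags     = merge({ Name = "${var.cluster_name}-${each.key}" }, each.value)
}

# Rules live in separate resources: the cluster and workers groups reference
# each other, and inline ingress blocks would form a dependency cycle.

# Outbound: All / All / 0.0.0.0/0 for all three groups.
resource "aws_security_group_rule" "egress_all" {
  for_each          = aws_security_group.sg
  type              = "egress"
  security_group_id = each.value.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}

# security_group_id: external access to Postgres and the Jump/NFS VMs.
resource "aws_security_group_rule" "byo_postgres" {
  type              = "ingress"
  security_group_id = aws_security_group.sg["byo"].id
  protocol          = "tcp"
  from_port         = 5432
  to_port           = 5432
  cidr_blocks       = var.postgres_public_access_cidrs
}

resource "aws_security_group_rule" "byo_ssh" {
  type              = "ingress"
  security_group_id = aws_security_group.sg["byo"].id
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_blocks       = var.vm_public_access_cidrs
}

# cluster_security_group_id: Node VMs to the cluster API.
resource "aws_security_group_rule" "cluster_api_from_workers" {
  type                     = "ingress"
  security_group_id        = aws_security_group.sg["cluster"].id
  protocol                 = "tcp"
  from_port                = 443
  to_port                  = 443
  source_security_group_id = aws_security_group.sg["workers"].id
}

# workers_security_group_id: workers to each other, control plane to workers.
resource "aws_security_group_rule" "workers_self" {
  type              = "ingress"
  security_group_id = aws_security_group.sg["workers"].id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  self              = true
}

resource "aws_security_group_rule" "workers_from_cluster" {
  for_each = { high_ports = [1025, 65535], https = [443, 443] }

  type                     = "ingress"
  security_group_id        = aws_security_group.sg["workers"].id
  protocol                 = "tcp"
  from_port                = each.value[0]
  to_port                  = each.value[1]
  source_security_group_id = aws_security_group.sg["cluster"].id
}

# Values to copy into terraform.tfvars for the three BYO variables.
output "byo_security_groups" {
  value = {
    security_group_id         = aws_security_group.sg["byo"].id
    cluster_security_group_id = aws_security_group.sg["cluster"].id
    workers_security_group_id = aws_security_group.sg["workers"].id
  }
}
```

After `terraform apply`, paste the three IDs from the `byo_security_groups` output into your IaC variables. Keep the two public CIDR lists narrow: they are the only inbound rules on `security_group_id` that reach the Jump/NFS VMs and Postgres from outside the VPC.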
When creating your BYO network resources, consult your network administrator and use one of these methods to create a working AWS VPC network:
- AWS QuickStarts for VPC
- See the "simple-vpc" and "complete-vpc" examples in terraform-aws-vpc module
AWS documentation for reference:
To plan your subnet CIDR blocks for IP address ranges, here are some helpful links: