AWS Architecture Notes

Describes architectural considerations for the HPE Ezmeral Data Fabric software-as-a-service (SaaS) platform when deployed on Amazon AWS.

Deployment Topology

To take advantage of the benefits of cloud computing, you can provision an HPE Ezmeral Data Fabric in Amazon AWS and in other public clouds. A single instance of the Data Fabric is referred to as a fabric. The fabric provides a high-performance file system for files, objects, tables, and streaming files and can be deployed quickly and easily. The HPE Ezmeral Data Fabric is designed so that many fabrics deployed in different public clouds or on premises can communicate with each other seamlessly in a global namespace (GNS).

The following diagram shows the high-level architecture for a single cloud-based fabric on AWS:

Deployment Prerequisites

At a minimum, the user who deploys the Data Fabric on AWS must have AmazonEBSCSIDriverPolicy and AmazonEC2FullAccess permissions and must provide information such as the:
  • Fabric name
  • Access key
  • Secret key
  • Region
  • Virtual private cloud (VPC) ID
  • Public subnet ID
For more information, see AWS Fabric Configuration Parameters.

Public and Private Subnets

To enable a global namespace consisting of many fabrics accessible over the internet, the user must provide a public subnet. The global namespace cannot currently be implemented with private subnets. The Data Fabric architecture does not prevent the use of private subnets, but some code changes are required before private subnets can be supported. Note that air-gapped, on-premises installations are fully supported.

Regions and Availability Zones

The Data Fabric can be deployed into the following AWS regions:
  • US East (Ohio)
  • US East (N. Virginia)
  • US West (N. California)
  • US West (Oregon)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Hyderabad)
  • Asia Pacific (Singapore)
  • Asia Pacific (Sydney)
  • Asia Pacific (Melbourne)
In the current architecture, all fabric instances reside in a specific subnet, which is contained within a single availability zone (the default availability zone).

Amazon Machine Images (AMIs)

Users of the HPE Ezmeral Data Fabric do not need to create or manage the AMIs needed to support the Data Fabric on AWS. HPE provides a set of publicly available AMIs that facilitate installation and upgrade of the fabric without the need for user interaction.

Security Groups

During fabric creation, a security group is created for each fabric. The security group is configured with predefined in-bound and out-bound rules to support the list of ports required for fabric-to-fabric communication.

STS Support for AWS S3 Object Stores

With release 7.7.0 and later, Data Fabric provides a new option for gaining access to AWS S3 object stores. You can import an external AWS S3 server by using the maprcli clustergroup addexternal command and specifying an Amazon Resource Name (ARN) to enable STS authentication. For more information, see Integrating the AWS Security Token Service (STS) with Data Fabric.

Using STS simplifies the process of accessing AWS services by using STS tokens for authentication. With STS tokens, the Data Fabric user can assume an AWS role and get temporary credentials to perform S3 actions. Once the external S3 object store is imported into the global namespace, all S3 operations automatically use STS.

Instance, Disk, and Memory Information

See AWS Cloud Instance Specifications.

Upgrades

When a new software version is available, the user is notified. At the user’s discretion, the platform can perform a non-disruptive, rolling upgrade from one major software version to another. However, upgrade capability is currently limited to on-premises deployments. See Upgrading a Data Fabric.

Scaling

Adding nodes to a fabric can be done using a rolling upgrade process. Note that adding nodes is currently supported only for on-premises deployments. See Adding Nodes (On-premises Deployment).

Administrative Interface

The Data Fabric UI provides a browser-based graphical user interface for monitoring and managing all fabrics in a global namespace.

SSO and Predefined Roles

The Data Fabric leverages the Keycloak identity and access management (IAM) solution to ensure that all the fabrics in a global namespace have access to the same user information. Keycloak can be used as a passthrough with other popular IAM solutions.

SSO-configured fabrics support the following predefined roles:
  • Infrastructure Admin
  • Fabric Manager
  • Fabric User
For more information about the permissions granted to each role, see Pre-defined Roles and Associated Permissions.