From f8692ecfc484f691f8bed8cb1a2c074bb4707e01 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 18 Mar 2026 22:08:13 -0400 Subject: [PATCH 01/29] Edit pass for Dedicated Instance overview. --- business/dedicated-instances/architecture.mdx | 87 ++++++++++++ .../deployment/aws/in-vpc.mdx | 36 +++++ .../deployment/aws/index.mdx | 36 +++++ .../deployment/aws/privatelink.mdx | 41 ++++++ .../deployment/azure/dns.mdx | 27 ++++ .../deployment/azure/index.mdx | 25 ++++ .../deployment/azure/private-endpoint.mdx | 31 +++++ .../deployment/gcp/index.mdx | 18 +++ .../deployment/gcp/psc.mdx | 33 +++++ .../identity/idp-integration.mdx | 19 +++ business/dedicated-instances/index.mdx | 19 +++ business/dedicated-instances/preparing.mdx | 100 ++++++++++++++ business/dedicated-instances/requirements.mdx | 82 +++++++++++ business/dedicated-instances/security.mdx | 128 ++++++++++++++++++ docs.json | 44 ++++++ 15 files changed, 726 insertions(+) create mode 100644 business/dedicated-instances/architecture.mdx create mode 100644 business/dedicated-instances/deployment/aws/in-vpc.mdx create mode 100644 business/dedicated-instances/deployment/aws/index.mdx create mode 100644 business/dedicated-instances/deployment/aws/privatelink.mdx create mode 100644 business/dedicated-instances/deployment/azure/dns.mdx create mode 100644 business/dedicated-instances/deployment/azure/index.mdx create mode 100644 business/dedicated-instances/deployment/azure/private-endpoint.mdx create mode 100644 business/dedicated-instances/deployment/gcp/index.mdx create mode 100644 business/dedicated-instances/deployment/gcp/psc.mdx create mode 100644 business/dedicated-instances/identity/idp-integration.mdx create mode 100644 business/dedicated-instances/index.mdx create mode 100644 business/dedicated-instances/preparing.mdx create mode 100644 business/dedicated-instances/requirements.mdx create mode 100644 business/dedicated-instances/security.mdx 
diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx new file mode 100644 index 00000000..e4ab06ad --- /dev/null +++ b/business/dedicated-instances/architecture.mdx 
@@ -0,0 +1,87 @@ +--- +title: Architecture +description: Core components, network model, and data flow for Dedicated Instances +--- + +## Architecture + +### Overview + +Dedicated Instances provide a secure, isolated deployment model for processing unstructured data within a customer-controlled environment. The architecture is designed to ensure that data remains within private network boundaries while enabling managed ingestion, transformation, and indexing services. + +The system leverages cloud-native infrastructure and private networking, such as AWS PrivateLink, Azure Private Endpoint, or GCP Private Service Connect, to integrate with customer environments without exposing data to the public internet. + +### Key Components + +A Dedicated Instance deployment consists of the following core components: + +- **Customer Environment** + The customer cloud environment where source data resides and where network connectivity is established. This may include storage systems, SaaS connectors, and internal services that act as data sources. + +- **Dedicated Instance Environment** + A managed, single-tenant environment provisioned specifically for the customer. This environment contains the ingestion, processing, and indexing services required to support the deployment. + +- **Ingestion Services** + Services responsible for retrieving data from customer sources. These may include connector-based ingestion, API-driven ingestion, or event-driven workflows. + +- **Streaming and Messaging Layer** + A distributed streaming platform, such as Amazon MSK, used to buffer, decouple, and scale ingestion workflows. + +- **Processing Services** + Compute services that transform raw data into structured or enriched formats suitable for downstream use. This may include parsing, chunking, metadata extraction, and enrichment. + +- **Indexing and Storage Layer** + Systems used to store and index processed data. 
For example: + - OpenSearch for search and retrieval + - Object storage for intermediate or raw data + +- **Networking Layer** + Private connectivity mechanisms that securely connect the customer environment to the Dedicated Instance. + +### Network Model + +The architecture is built around private, network-level isolation: + +- All communication between the customer environment and the Dedicated Instance occurs over private endpoints +- Public internet exposure is minimized or eliminated +- Access is restricted using network controls such as: + - VPC/VNet endpoints + - Security groups, NSGs, or firewall rules + - Private DNS resolution for service endpoints + +This model ensures that data transfer occurs entirely within trusted network boundaries and aligns with enterprise security expectations. + +### Data Flow + +At a high level, data flows through the system as follows: + +1. Data originates in the customer environment, such as object storage, databases, or SaaS platforms +2. Ingestion services retrieve data using configured connectors or APIs +3. Data is transmitted through private networking endpoints into the Dedicated Instance +4. The streaming layer buffers and distributes data for processing +5. Processing services transform and enrich the data +6. Processed data is indexed or stored for downstream applications such as search or AI pipelines + +This architecture enables scalable, fault-tolerant ingestion while maintaining strict data isolation. 
+ +### Cloud-Specific Variations + +While the core architecture is consistent, implementation details vary by cloud provider: + +- **AWS** + - Uses PrivateLink for private connectivity + - Supports Dedicated Instance and In-VPC deployment options + - Common services may include Amazon MSK and OpenSearch Service + +- **Azure** + - Uses Private Endpoint and VNet integration + - Requires explicit DNS configuration for private endpoint routing + - Networking and routing patterns differ from AWS VPC constructs + +- **GCP** + - Uses Private Service Connect or equivalent private connectivity + - Service exposure and endpoint configuration differ from AWS and Azure + +Detailed setup instructions are provided in the deployment sections for each cloud provider. + +See [Security](./security) for more information about isolation, encryption, and access controls. diff --git a/business/dedicated-instances/deployment/aws/in-vpc.mdx b/business/dedicated-instances/deployment/aws/in-vpc.mdx new file mode 100644 index 00000000..382ca652 --- /dev/null +++ b/business/dedicated-instances/deployment/aws/in-vpc.mdx 
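Review bot: In the architecture.mdx hunk, data-flow step 3 ("Data is transmitted through private networking endpoints into the Dedicated Instance") combined with step 2 ("Ingestion services retrieve data using configured connectors or APIs") describes the instance reaching out to customer sources, which is the opposite direction from the customer-initiated-only model that security.mdx asserts later in this patch; state both directions here (customer clients to the Unstructured UI/API, and the instance's connectors to customer data sources) and say which private endpoint and which credentials each direction uses. "Public internet exposure is minimized or eliminated" under Network Model should also say which of the two applies and when, because the SaaS platforms listed as sources in step 1 are not reachable over PrivateLink and imply public egress, and the GCP bullet "Uses Private Service Connect or equivalent private connectivity" should name the mechanism, since psc.mdx documents only PSC.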
@@ -0,0 +1,36 @@ +--- +title: In-VPC Setup +description: Deploy Dedicated Instance components inside your AWS VPC +--- + +## In-VPC Setup + +This section describes the In-VPC deployment model, where components run within your AWS environment. + +### Step 1: Provision Core Services + +Deploy required services within your VPC, such as: + +- Streaming layer +- Processing services +- Indexing services + +### Step 2: Configure Networking + +- Ensure routing between subnets is properly configured +- Allow internal communication between services + +### Step 3: Configure IAM and Security + +- Create IAM roles and policies +- Apply least privilege access controls + +### Step 4: Integrate Data Sources + +- Configure connectors or APIs to access customer data sources +- Validate connectivity and access permissions + +### Step 5: Validate Deployment + +- Confirm all services are operational +- Verify ingestion, processing, and indexing workflows diff --git a/business/dedicated-instances/deployment/aws/index.mdx b/business/dedicated-instances/deployment/aws/index.mdx new file mode 100644 index 00000000..ad7297d2 --- /dev/null +++ b/business/dedicated-instances/deployment/aws/index.mdx 
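Review bot: In the in-vpc.mdx hunk, Step 3 ("Create IAM roles and policies" / "Apply least privilege access controls") gives the reader nothing to scope: the page should list which principals need access (the customer's deploying identity versus any Unstructured-operated role), the actions each needs on the streaming, processing and indexing services, and how cross-account trust is established (trust policy with an external ID or similar condition), since these components run in the customer's account in this model. Step 1 likewise says "Deploy required services within your VPC" without naming them or who deploys them; aws/index.mdx says the customer manages "some infrastructure components", so this page should state exactly which ones and who retains administrative access to the rest.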
@@ -0,0 +1,36 @@ +--- +title: AWS Deployment +description: Deploy Dedicated Instances on AWS +--- + +## AWS + +### Overview + +Dedicated Instances on AWS provide a secure, private deployment model for ingesting, processing, and indexing data within a customer-controlled environment. AWS deployments support multiple models depending on the level of control, isolation, and integration required. + +### Deployment Models + +#### Dedicated Instance (PrivateLink) + +In this model: + +- The Dedicated Instance is deployed in a managed, single-tenant environment +- The customer connects to the instance using AWS PrivateLink +- All communication occurs over private endpoints within the AWS network + +Use this model if you want a managed deployment with minimal operational overhead and strong network isolation. + +#### In-VPC Deployment + +In this model: + +- Components of the Dedicated Instance are deployed within the customer VPC +- The customer manages networking, routing, and some infrastructure components + +Use this model if you require deeper integration with existing VPC resources and more control over networking and infrastructure. + +### Next Steps + +- [PrivateLink Setup](./privatelink) +- [In-VPC Setup](./in-vpc) diff --git a/business/dedicated-instances/deployment/aws/privatelink.mdx b/business/dedicated-instances/deployment/aws/privatelink.mdx new file mode 100644 index 00000000..fb5d6f0e --- /dev/null +++ b/business/dedicated-instances/deployment/aws/privatelink.mdx 
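Review bot: In the aws/index.mdx hunk, naming one model "Dedicated Instance (PrivateLink)" inside a section that is itself called Dedicated Instances makes "In-VPC Deployment" read as if it were not a Dedicated Instance; rename the first model (for example "Managed (PrivateLink)") and add to each model's bullet list the fact a security reviewer needs to choose between them: in which AWS account the processing, streaming and indexing services run, and who holds administrative access to that account.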
@@ -0,0 +1,41 @@ +--- +title: PrivateLink Setup +description: Configure AWS PrivateLink for Dedicated Instances +--- + +## PrivateLink Setup + +This section describes how to configure the Dedicated Instance deployment model using AWS PrivateLink. + +### Prerequisites + +- A configured VPC with appropriate subnets +- Permissions to create and manage interface endpoints +- Security group and route table access +- Private DNS enabled + +### Step 1: Create Interface Endpoints + +- Create interface VPC endpoints for the required services +- Use the service names provided during onboarding +- Place endpoints in the correct subnets + +### Step 2: Configure Security Groups + +- Allow inbound and outbound traffic for required ports and protocols +- Restrict access to only necessary resources + +### Step 3: Configure Private DNS + +- Enable private DNS resolution for the endpoints +- Verify that service domains resolve to private IP addresses + +### Step 4: Approve Endpoint Connections + +- Accept endpoint connection requests if required +- Confirm connectivity between the customer VPC and the Dedicated Instance + +### Step 5: Validate Connectivity + +- Verify services are reachable through the private endpoints +- Confirm that no traffic is routed through public internet paths diff --git a/business/dedicated-instances/deployment/azure/dns.mdx b/business/dedicated-instances/deployment/azure/dns.mdx new file mode 100644 index 00000000..12cbfec4 --- /dev/null +++ b/business/dedicated-instances/deployment/azure/dns.mdx 
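Review bot: In the privatelink.mdx hunk, Step 4 ("Accept endpoint connection requests if required") has the roles reversed for this direction of PrivateLink: when the customer creates an interface endpoint to an Unstructured endpoint service, the request is accepted on the service-provider side, so the customer's action is to supply the AWS principal (account ID or role ARN) for allow-listing during onboarding and then confirm the endpoint reaches the available state. Step 2 should state the port(s) to allow and note that the endpoint's security group only needs inbound rules from the consuming subnets or security groups, not broad CIDRs; Step 5's "Confirm that no traffic is routed through public internet paths" needs a concrete check, such as resolving the service hostname from a host in the VPC and confirming it returns the endpoint ENI addresses inside the VPC CIDR; and the Prerequisites bullet "Private DNS enabled" duplicates Step 3.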
@@ -0,0 +1,27 @@ +--- +title: DNS Configuration +description: Configure DNS for Azure Private Endpoints +--- + +## DNS Configuration + +Azure Private Endpoint connectivity depends on correct DNS configuration. + +> ⚠️ Misconfigured DNS is one of the most common causes of onboarding issues. + +### Step 1: Create Private DNS Zones + +- Create Private DNS Zones for required service domains + +### Step 2: Link DNS Zones to the VNet + +- Link the DNS zones to the appropriate VNet + +### Step 3: Configure DNS Records + +- Ensure service domains resolve to private IP addresses + +### Step 4: Validate DNS Resolution + +- Use `nslookup` or equivalent tools +- Confirm that no public endpoints are being used diff --git a/business/dedicated-instances/deployment/azure/index.mdx b/business/dedicated-instances/deployment/azure/index.mdx new file mode 100644 index 00000000..28d21ed7 --- /dev/null +++ b/business/dedicated-instances/deployment/azure/index.mdx @@ -0,0 +1,25 @@ +--- +title: Azure Deployment +description: Deploy Dedicated Instances on Azure +--- + +## Azure + +### Overview + +Dedicated Instances on Azure provide a secure, private deployment model using Private Endpoints and VNet integration. DNS configuration plays a critical role in successful Azure connectivity. + +### Deployment Model + +Azure deployments use a Private Endpoint-based model for secure connectivity. + +Use this model if: + +- You want a managed deployment with strong network isolation +- Your organization requires private connectivity with no public exposure +- You can configure DNS within your Azure environment + +### Next Steps + +- [Private Endpoint Setup](./private-endpoint) +- [DNS Configuration](./dns) diff --git a/business/dedicated-instances/deployment/azure/private-endpoint.mdx b/business/dedicated-instances/deployment/azure/private-endpoint.mdx new file mode 100644 index 00000000..ad4b4470 --- /dev/null +++ b/business/dedicated-instances/deployment/azure/private-endpoint.mdx 
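Review bot: In the dns.mdx hunk, Steps 1 and 3 cannot be followed as written because the page never says which zone names to create or which records to add; state the zone name and hostname(s) supplied at onboarding and whether a DNS zone group on the Private Endpoint can populate the A record automatically. Step 4 should say to run `nslookup` from a VM inside the linked VNet, since resolution from outside the VNet returns the public address and gives a false pass, and should cover VNets that use custom DNS servers, which need a conditional forwarder for the zone to the Azure-provided resolver at 168.63.129.16. The azure/index.mdx hunk's "private connectivity with no public exposure" should be qualified the same way as the other pages if SaaS sources are ingested.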
@@ -0,0 +1,31 @@ +--- +title: Private Endpoint Setup +description: Configure Azure Private Endpoints for Dedicated Instances +--- + +## Private Endpoint Setup + +This section describes how to configure connectivity using Azure Private Endpoint. + +### Prerequisites + +- Azure subscription access +- VNet and subnet configuration +- Permissions to create Private Endpoints +- Network Security Group access +- Private DNS capability + +### Step 1: Create Private Endpoints + +- Create a Private Endpoint for each required service +- Associate each endpoint with the correct VNet and subnet + +### Step 2: Configure Network Security Groups + +- Allow traffic between your resources and the Private Endpoints +- Restrict access to trusted sources only + +### Step 3: Validate Connectivity + +- Confirm resources within the VNet can access the Dedicated Instance services +- Confirm that traffic flows through Private Endpoints only diff --git a/business/dedicated-instances/deployment/gcp/index.mdx b/business/dedicated-instances/deployment/gcp/index.mdx new file mode 100644 index 00000000..a2b5729d --- /dev/null +++ b/business/dedicated-instances/deployment/gcp/index.mdx @@ -0,0 +1,18 @@ +--- +title: GCP Deployment +description: Deploy Dedicated Instances on GCP +--- + +## GCP + +### Overview + +Dedicated Instances on GCP provide a secure, private deployment model using Private Service Connect. + +### Deployment Model + +GCP deployments use a Private Service Connect-based model for internal service exposure without requiring public internet access. + +### Next Steps + +- [Private Service Connect Setup](./psc) diff --git a/business/dedicated-instances/deployment/gcp/psc.mdx b/business/dedicated-instances/deployment/gcp/psc.mdx new file mode 100644 index 00000000..85818dfc --- /dev/null +++ b/business/dedicated-instances/deployment/gcp/psc.mdx 
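Review bot: In the private-endpoint.mdx hunk, Step 2 ("Allow traffic between your resources and the Private Endpoints") has no effect unless Private Endpoint network policies are enabled on the endpoint subnet, because by default NSG rules are not applied to private endpoint NICs; add that setting to Step 1 or state that filtering must be done on the client subnets instead. Step 1 is also missing the approval step: a private endpoint to a Private Link service stays in a Pending state until the service owner approves it, so tell the customer to provide the subscription ID for allow-listing and to confirm the connection state is Approved before Step 3. The gcp/index.mdx hunk in the same range says "without requiring public internet access", which should carry the same SaaS-egress qualification as the other overview pages.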
@@ -0,0 +1,33 @@ +--- +title: Private Service Connect Setup +description: Configure Private Service Connect for Dedicated Instances +--- + +## Private Service Connect Setup + +This section describes how to configure connectivity using Private Service Connect. + +### Prerequisites + +- GCP project access +- VPC network configuration +- Permissions to create PSC endpoints +- Firewall rule and DNS configuration access + +### Step 1: Create PSC Endpoints + +- Create PSC endpoints that connect to the service attachments provided during onboarding + +### Step 2: Configure Firewall Rules + +- Allow internal traffic between workloads and PSC endpoints +- Restrict access to trusted sources only + +### Step 3: Configure DNS + +- Create DNS entries that map service domains to PSC endpoint IP addresses + +### Step 4: Validate Connectivity + +- Confirm services are reachable through PSC endpoints +- Confirm traffic remains on internal network paths diff --git a/business/dedicated-instances/identity/idp-integration.mdx b/business/dedicated-instances/identity/idp-integration.mdx new file mode 100644 index 00000000..36c6a277 --- /dev/null +++ b/business/dedicated-instances/identity/idp-integration.mdx @@ -0,0 +1,19 @@ +--- +title: IdP Integration +description: Configure identity provider integration for Dedicated Instances +--- + +## IdP Integration + +### Overview + +Dedicated Instances support SAML- and OIDC-based identity providers. + +### Typical Steps + +1. Configure your identity provider +2. Exchange metadata or connection details +3. Map roles for RBAC +4. Validate the login flow + +See [Security](../security) for more information about access controls. diff --git a/business/dedicated-instances/index.mdx b/business/dedicated-instances/index.mdx new file mode 100644 index 00000000..3a9d1256 --- /dev/null +++ b/business/dedicated-instances/index.mdx 
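Review bot: In the psc.mdx hunk, Step 1 should say that the consumer project must be on the service attachment's accept list and that the endpoint's connection status must reach ACCEPTED before DNS is configured, otherwise Step 4 fails with no obvious cause; Step 2 should note that traffic to a PSC endpoint is egress from the consumer workloads, so the rule that matters is an egress allow to the endpoint IP, not an ingress rule. In the idp-integration.mdx hunk, "Map roles for RBAC" needs the list of roles that exist and which SAML attribute or OIDC claim carries group membership, and the page should state whether local password logins are disabled once SSO is enforced, since that is the control a security reviewer will ask about first.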
@@ -0,0 +1,19 @@ +--- +title: Dedicated Instance +sidebarTitle: Overview +--- + +A Dedicated Instance is a privately isolated deployment hosted by Unstructured, intended for customers who need increased network isolation, data isolation, and strict compliance controls. By leveraging cloud-native infrastructure and private networking, Dedicated Instances enable Unstructured to connect to your data sources and process your data while keeping it within trusted boundaries. + +With AWS or Azure PrivateLink, you get private IP connectivity between your VPC/VNet and Unstructured without traversing the public internet. Network filtering lets you fully block incoming and outgoing traffic to the public internet or limit it to specific IP addresses or CIDR ranges. + +**Benefits:** + +- **Eliminates public exposure:** Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. +- **Stronger network isolation for sensitive workloads:** Helps customers meet internal security requirements and compliance where *private network access* is preferred or mandated. +- **Simpler enterprise network integration:** Works well with existing private connectivity patterns (VPC/VNet isolation, VPN/DirectConnect/ExpressRoute to corporate on-prem networks). +- **Control and visibility:** Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. + + + A Dedicated Instance is a **regional service** deployed in a single cloud region. Everything runs in one region, so plan for data residency, failover design, and latency. Unstructured supports cross-region PrivateLink, but we do not recommend it because it incurs additional data transfer costs. + \ No newline at end of file 
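Review bot: In the index.mdx hunk, "Network filtering lets you fully block incoming and outgoing traffic to the public internet or limit it to specific IP addresses or CIDR ranges" is stronger than the rest of the patch supports: requirements.mdx lists "No public endpoint access" as a limitation, architecture.mdx says exposure is "minimized or eliminated", and SaaS connectors need public egress. State the actual default (what is blocked, what is allowed, and who can change it) in one place and have the other pages reference it. "With AWS or Azure PrivateLink" also omits GCP, which gets its own deployment pages in this patch, and the file should end with a newline (the hunk ends with "\ No newline at end of file").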
diff --git a/business/dedicated-instances/preparing.mdx b/business/dedicated-instances/preparing.mdx new file mode 100644 index 00000000..b17f6f22 --- /dev/null +++ b/business/dedicated-instances/preparing.mdx 
@@ -0,0 +1,100 @@ +--- +title: Preparing for a Dedicated Instance +description: Pre-deployment planning and readiness checklist +--- + +## Preparing for a Dedicated Instance + +### Overview + +Before deploying a Dedicated Instance, ensure that network, identity, and operational requirements are in place. This preparation phase helps align internal teams, validate prerequisites, and reduce delays during onboarding. + +### Who Should Be Involved + +Dedicated Instance onboarding typically requires coordination across multiple teams: + +- **Security and Compliance Teams** + - Review network isolation and data protection requirements + - Approve private connectivity and access controls + +- **Platform and Infrastructure Teams** + - Configure cloud networking, DNS, and firewall rules + - Manage deployment and connectivity + +- **Application and Data Owners** + - Identify data sources + - Provide access requirements and integration details + +### Pre-Deployment Checklist + +- Cloud environment is identified +- VPC or VNet is configured with required subnets +- Private connectivity approach is selected +- DNS configuration approach is defined +- Firewall and security rules are planned +- Identity provider requirements are defined +- Data sources and access methods are identified +- Required permissions and approvals are in place + +### Choose a Deployment Model + +Before starting setup, determine the appropriate deployment model for your environment. + +- **AWS** + - PrivateLink + - In-VPC deployment + +- **Azure** + - Private Endpoint + +- **GCP** + - Private Service Connect + +Choosing the correct model early helps guide networking and implementation decisions. + +### Plan Your Network Configuration + +Networking is the most critical part of deployment. 
Ensure the following are defined: + +- Which VPC or VNet will be used +- Which subnets will host endpoints or services +- How private connectivity will be established +- How data will move from your environment to the Dedicated Instance + +### Plan DNS Configuration + +DNS configuration is required to ensure that service endpoints resolve to private IP addresses. + +- Define how DNS will be managed +- Ensure private DNS zones are created where required +- Confirm that service records resolve to private endpoints + +Misconfigured DNS is one of the most common causes of onboarding issues. + +### Identify Data Sources + +Determine which data sources will be ingested, such as object storage, databases, SaaS platforms, or internal services. + +For each data source, confirm: + +- Access method +- Required permissions +- Network accessibility + +### Validate Permissions and Approvals + +Before beginning deployment, confirm that: + +- Required cloud permissions are granted +- Network changes are approved +- Security reviews are completed if required + +### Next Steps + +Proceed to the appropriate deployment section: + +- [AWS](./deployment/aws/index) +- [Azure](./deployment/azure/index) +- [GCP](./deployment/gcp/index) + +After deployment, configure [IdP Integration](./identity/idp-integration) and set up monitoring and observability. diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx new file mode 100644 index 00000000..ce04baa5 --- /dev/null +++ b/business/dedicated-instances/requirements.mdx 
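Review bot: In the preparing.mdx hunk, the Pre-Deployment Checklist omits the items that actually gate onboarding under the deployment pages: the cloud account, subscription or project identifier that Unstructured must allow-list for the PrivateLink, Private Endpoint or PSC connection, the decision on provider-managed versus customer-managed encryption keys referenced in security.mdx, and where logs will be shipped. The Next Steps sentence points to "monitoring and observability" setup, but no such page exists in the docs.json navigation added by this patch; either add the page or drop the reference. "Misconfigured DNS is one of the most common causes of onboarding issues" also repeats the same sentence from dns.mdx; keep it in one place.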
@@ -0,0 +1,82 @@ +--- +title: Requirements and Limitations +description: Prerequisites and constraints for Dedicated Instance deployments +--- + +## Requirements and Limitations + +### Overview + +Dedicated Instances require specific network, infrastructure, and operational prerequisites to ensure a secure and successful deployment. This section outlines the key requirements customers must meet, as well as known limitations that may affect implementation decisions. + +Understanding these constraints early helps reduce onboarding delays and ensures alignment across security, platform, and engineering teams. + +### General Requirements + +The following requirements apply to all Dedicated Instance deployments: + +- **Cloud environment access** + Customers must have administrative or delegated access to their cloud environment to configure networking, DNS, and access controls. + +- **Private networking configuration** + The deployment requires the ability to configure private connectivity, such as: + - AWS PrivateLink + - Azure Private Endpoint + - GCP Private Service Connect + +- **DNS configuration** + Customers must be able to configure private DNS resolution to route service endpoints correctly within their network. + +- **Identity readiness** + If SSO is required, customers must support integration with a compatible identity provider. + +### Networking Requirements + +Dedicated Instances rely heavily on correct network configuration: + +- VPC or VNet configuration +- Private endpoint or equivalent setup +- Firewall and security rules allowing required traffic +- Private DNS resolution for service endpoints + +### Service and Data Requirements + +- **Supported data sources** + Data sources must be accessible from the customer environment and compatible with supported ingestion methods. 
+ +- **Data volume and throughput** + Customers should consider expected data volume, ingestion rate, and processing requirements, because these factors may affect sizing and performance decisions. + +- **Data format considerations** + Data should be in formats supported by ingestion and processing pipelines. Additional transformation may be required for unsupported formats. + +### Operational Requirements + +- Cross-team coordination between security, infrastructure, and application teams +- Internal approval processes for network and identity changes +- Monitoring and observability planning + +### Cloud-Specific Considerations + +- **AWS** + - Requires PrivateLink endpoint configuration or In-VPC deployment planning + - May involve additional setup for service endpoints and private routing + +- **Azure** + - Requires Private Endpoint configuration and DNS setup + - DNS configuration is often a critical dependency + +- **GCP** + - Uses Private Service Connect or equivalent + - Endpoint configuration and service exposure differ from AWS and Azure + +### Limitations + +The following limitations should be considered when planning a deployment: + +- No public endpoint access +- Cloud provider and regional constraints may apply +- DNS misconfiguration can prevent connectivity +- Managed service customization boundaries may apply + +Next, review [Preparing for a Dedicated Instance](./preparing). diff --git a/business/dedicated-instances/security.mdx b/business/dedicated-instances/security.mdx new file mode 100644 index 00000000..d8da1ff9 --- /dev/null +++ b/business/dedicated-instances/security.mdx 
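Review bot: In the requirements.mdx hunk, the Limitations list is too vague to plan against: "Cloud provider and regional constraints may apply" should state the single-region constraint given in index.mdx and which regions are offered, "No public endpoint access" conflicts with index.mdx's statement that public traffic can be limited rather than blocked, and "Managed service customization boundaries may apply" should list what customers cannot change (for example key ownership or service versions). The Identity readiness bullet says "a compatible identity provider" without naming the protocols, which idp-integration.mdx gives as SAML and OIDC; say so here.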
@@ -0,0 +1,128 @@ +--- +title: Security +description: Security model for Dedicated Instances, including isolation, encryption, and identity controls +--- + +## Security + +### Overview + +Dedicated Instances are designed with a defense-in-depth security model that protects customer data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access, ensuring that sensitive data remains within trusted boundaries at all times. + +Security controls are implemented across multiple layers, including network isolation, encryption, identity and access management, and service-level protections. + +### Core Principles + +The security model is based on the following principles: + +- **Isolation by design** + Each Dedicated Instance is provisioned as a single-tenant environment, ensuring that customer data and resources are isolated from other customers. + +- **Private connectivity only** + Data is transmitted exclusively over private network paths, avoiding exposure to the public internet. + +- **Least privilege access** + Access to services and resources is restricted using fine-grained permissions and role-based access controls. + +- **End-to-end encryption** + Data is encrypted both in transit and at rest using industry-standard encryption mechanisms. + +- **Controlled data flow** + Data movement is explicitly defined and restricted to approved ingestion and processing paths. 
+ +### Network Isolation + +Dedicated Instances enforce strict network isolation: + +- All service endpoints are exposed via private endpoints only +- No inbound public access is required +- Network access is restricted using: + - VPC/VNet-level controls + - Security groups, NSGs, or firewall rules + - Private DNS resolution + +In most deployments: +- The customer initiates connections to the Dedicated Instance +- The Dedicated Instance does not require unsolicited inbound access + +This model reduces the attack surface and aligns with zero-trust networking principles. + +### Data Protection + +#### Encryption in Transit + +- All data transferred between the customer environment and the Dedicated Instance is encrypted using TLS +- Private endpoints help ensure that encrypted traffic remains within the cloud provider network + +#### Encryption at Rest + +- Data stored within the Dedicated Instance is encrypted using provider-managed or customer-managed keys where supported +- Encryption may apply to: + - Indexed data + - Intermediate processing data + - Logs and metadata + +### Identity and Access Control + +Access to the Dedicated Instance is controlled through a combination of: + +- **Role-based access control (RBAC)** + Permissions are assigned based on roles, limiting access to only what is required + +- **Identity provider integration** + Customers can integrate with their existing identity providers, such as SAML or OIDC providers, to enforce centralized authentication and policy management + +- **Service-level authentication and authorization** + Internal services authenticate securely when communicating with each other + +For identity configuration details, see [IdP Integration](./identity/idp-integration). 
+ +### Service-Level Security + +Security controls are also enforced at the service layer: + +- **Streaming layer** + - Encrypted communication between producers and consumers + - Authentication and authorization for topic or stream access + +- **Processing services** + - Restricted execution environments + - Controlled access to input and output data + +- **Indexing layer** + - Access policies to restrict query and indexing operations + - Encryption and audit capabilities where supported + +### Data Residency and Control + +Dedicated Instances are deployed within a specific cloud region, allowing customers to control where their data is processed and stored. + +- Data does not leave the configured region unless explicitly configured to do so +- Regional deployment supports data residency and sovereignty requirements + +### Shared Responsibility Model + +Security is a shared responsibility between the platform and the customer. + +**Platform responsibilities:** + +- Infrastructure provisioning and isolation +- Managed services security and hardening +- Default encryption and secure configurations + +**Customer responsibilities:** + +- Configuring network access +- Managing identity provider integration +- Controlling access to data sources and connectors +- Defining internal access policies + +### Audit and Monitoring + +The platform supports observability and security monitoring through: + +- Logging of system and service activity +- Monitoring of ingestion and processing workflows +- Integration with cloud-native monitoring tools, depending on provider capabilities + +Customers can use these capabilities to track access and activity, detect anomalies, and support compliance and auditing requirements. diff --git a/docs.json b/docs.json index 6f8763a9..a4736698 100644 --- a/docs.json +++ b/docs.json 
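Review bot: In the security.mdx hunk, the Network Isolation claim "The customer initiates connections to the Dedicated Instance" / "The Dedicated Instance does not require unsolicited inbound access" contradicts the ingestion model in architecture.mdx, where the instance's connectors pull from customer storage, databases and SaaS platforms; document the outbound connections the instance makes, the principals and credentials it uses for them, and the customer-side allow rules they need, and qualify "Private connectivity only" and "exclusively over private network paths" for SaaS sources. Under Data Protection, replace "industry-standard encryption mechanisms" and "encrypted using TLS" with the minimum TLS version and cipher policy enforced, and say which stores support customer-managed keys rather than "where supported". Under Audit and Monitoring, list the log types available, how customers retrieve them and the retention period, since "Logging of system and service activity" cannot be mapped to a compliance control as written. The Shared Responsibility section should also state how responsibilities shift in the In-VPC model, where the streaming and indexing services run in the customer's account.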
@@ -326,6 +326,50 @@ "business/ai-providers" ] }, + { + "group": "Dedicated Instances", + "pages": [ + "business/dedicated-instances/index", + "business/dedicated-instances/architecture", + "business/dedicated-instances/security", + "business/dedicated-instances/requirements", + "business/dedicated-instances/preparing", + { + "group": "Deployment", + "pages": [ + { + "group": "AWS", + "pages": [ + "business/dedicated-instances/deployment/aws/index", + "business/dedicated-instances/deployment/aws/privatelink", + "business/dedicated-instances/deployment/aws/in-vpc" + ] + }, + { + "group": "Azure", + "pages": [ + "business/dedicated-instances/deployment/azure/index", + "business/dedicated-instances/deployment/azure/private-endpoint", + "business/dedicated-instances/deployment/azure/dns" + ] + }, + { + "group": "GCP", + "pages": [ + "business/dedicated-instances/deployment/gcp/index", + "business/dedicated-instances/deployment/gcp/psc" + ] + } + ] + }, + { + "group": "Identity and Access", + "pages": [ + "business/dedicated-instances/identity/idp-integration" + ] + } + ] + }, { "group": "Security and compliance", "pages": [ From b544ead61697fae3351acceb916573c38e7e5e66 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 18 Mar 2026 22:37:39 -0400 Subject: [PATCH 02/29] Revise Architecture content. --- business/azure/onboard.mdx | 6 +- business/dedicated-instances/architecture.mdx | 80 +++---------------- business/dedicated-instances/security.mdx | 2 +- 3 files changed, 14 insertions(+), 74 deletions(-) diff --git a/business/azure/onboard.mdx b/business/azure/onboard.mdx index 3ad35c30..0fee2f40 100644 --- a/business/azure/onboard.mdx +++ b/business/azure/onboard.mdx 
@@ -42,8 +42,8 @@ the access credentials for a Microsoft Entra ID user or service principal in you - `Microsoft.Network/natGateways/read` (to read the NAT Gateway) - `Microsoft.Network/routeTables/write` (to create the route tables) - `Microsoft.Network/routeTables/read` (to read the route tables) -- `Microsoft.Network/networkSecurityGroups/write` (to create the NSGs) -- `Microsoft.Network/networkSecurityGroups/read` (to read the NSGs) +- `Microsoft.Network/networkSecurityGroups/write` (to create the Network Security Groups) +- `Microsoft.Network/networkSecurityGroups/read` (to read the Network Security Groups) ### AKS cluster @@ -170,7 +170,7 @@ Unstructured UI and API into. - SSH: Enabled via key pair - SSH key exported in PEM format -- **NSGs (Network Security Groups)** +- **Network Security Groups** - Allow intra-cluster traffic (`10.0.0.0/16`) - Allow all egress diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index e4ab06ad..a6b1e598 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx 
@@ -1,86 +1,26 @@ --- title: Architecture -description: Core components, network model, and data flow for Dedicated Instances --- -## Architecture -### Overview +Dedicated Instances provide a secure, isolated deployment for processing unstructured data from your environment. Data stays within private network boundaries, with managed ingestion and processing handled in that same isolated deployment. -Dedicated Instances provide a secure, isolated deployment model for processing unstructured data within a customer-controlled environment. The architecture is designed to ensure that data remains within private network boundaries while enabling managed ingestion, transformation, and indexing services. +The system leverages cloud-native infrastructure and private networking without exposing data to the public internet. -The system leverages cloud-native infrastructure and private networking, such as AWS PrivateLink, Azure Private Endpoint, or GCP Private Service Connect, to integrate with customer environments without exposing data to the public internet. +**AWS private connectivity** uses AWS PrivateLink interface endpoints to connect customer VPCs to the Unstructured VPC without traversing the public internet. -### Key Components +**Azure private connectivity** uses Azure Private Link so access occurs through a private IP and traffic stays on the Microsoft backbone. -A Dedicated Instance deployment consists of the following core components: +There are two directions of connectivity: -- **Customer Environment** - The customer cloud environment where source data resides and where network connectivity is established. This may include storage systems, SaaS connectors, and internal services that act as data sources. +| Direction | Description | +| --- | --- | +| **Customer → Unstructured** | Customer applications access the Unstructured UI and API via a private endpoint in the customer’s VPC/VNet. 
| +| **Unstructured → Customer** | Unstructured accesses customer data sources (S3 buckets, databases, vector stores, etc.) via private endpoints created in the Unstructured VPC/VNet. | -- **Dedicated Instance Environment** - A managed, single-tenant environment provisioned specifically for the customer. This environment contains the ingestion, processing, and indexing services required to support the deployment. +Both directions can be established independently. Customers with strict egress controls should configure both. -- **Ingestion Services** - Services responsible for retrieving data from customer sources. These may include connector-based ingestion, API-driven ingestion, or event-driven workflows. -- **Streaming and Messaging Layer** - A distributed streaming platform, such as Amazon MSK, used to buffer, decouple, and scale ingestion workflows. - -- **Processing Services** - Compute services that transform raw data into structured or enriched formats suitable for downstream use. This may include parsing, chunking, metadata extraction, and enrichment. - -- **Indexing and Storage Layer** - Systems used to store and index processed data. For example: - - OpenSearch for search and retrieval - - Object storage for intermediate or raw data - -- **Networking Layer** - Private connectivity mechanisms that securely connect the customer environment to the Dedicated Instance. - -### Network Model - -The architecture is built around private, network-level isolation: - -- All communication between the customer environment and the Dedicated Instance occurs over private endpoints -- Public internet exposure is minimized or eliminated -- Access is restricted using network controls such as: - - VPC/VNet endpoints - - Security groups, NSGs, or firewall rules - - Private DNS resolution for service endpoints - -This model ensures that data transfer occurs entirely within trusted network boundaries and aligns with enterprise security expectations. 
- -### Data Flow - -At a high level, data flows through the system as follows: - -1. Data originates in the customer environment, such as object storage, databases, or SaaS platforms -2. Ingestion services retrieve data using configured connectors or APIs -3. Data is transmitted through private networking endpoints into the Dedicated Instance -4. The streaming layer buffers and distributes data for processing -5. Processing services transform and enrich the data -6. Processed data is indexed or stored for downstream applications such as search or AI pipelines - -This architecture enables scalable, fault-tolerant ingestion while maintaining strict data isolation. - -### Cloud-Specific Variations - -While the core architecture is consistent, implementation details vary by cloud provider: - -- **AWS** - - Uses PrivateLink for private connectivity - - Supports Dedicated Instance and In-VPC deployment options - - Common services may include Amazon MSK and OpenSearch Service - -- **Azure** - - Uses Private Endpoint and VNet integration - - Requires explicit DNS configuration for private endpoint routing - - Networking and routing patterns differ from AWS VPC constructs - -- **GCP** - - Uses Private Service Connect or equivalent private connectivity - - Service exposure and endpoint configuration differ from AWS and Azure Detailed setup instructions are provided in the deployment sections for each cloud provider. diff --git a/business/dedicated-instances/security.mdx b/business/dedicated-instances/security.mdx index d8da1ff9..c9ae43fd 100644 --- a/business/dedicated-instances/security.mdx +++ b/business/dedicated-instances/security.mdx @@ -38,7 +38,7 @@ Dedicated Instances enforce strict network isolation: - No inbound public access is required - Network access is restricted using: - VPC/VNet-level controls - - Security groups, NSGs, or firewall rules + - Security groups, Network Security Groups, or firewall rules - Private DNS resolution In most deployments: 
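Review bot: The new sentence "Customers with strict egress controls should configure both" gives a recommendation without the reason; suggest adding that without the Customer → Unstructured endpoint, UI and API calls leave the customer network over the public internet and are blocked by a deny-by-default egress policy, and that without the Unstructured → Customer endpoint, data sources must be reachable from outside the customer network. Also, the rewritten page now covers only AWS PrivateLink and Azure Private Link, while the docs.json navigation added in PATCH 01 still lists GCP deployment pages (business/dedicated-instances/deployment/gcp/index and gcp/psc); either add a GCP line here or reconcile the navigation. Finally, the hunk drops the `description` frontmatter field that the other pages in this series carry; confirm that is intended.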
From 10a59d35ed855047d6c25c9fed17e29562756bf6 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Thu, 19 Mar 2026 00:12:43 -0400 Subject: [PATCH 03/29] Update Security and Security FAQ. --- business/dedicated-instances/security-faq.mdx | 36 ++++ business/dedicated-instances/security.mdx | 155 +++++++----------- docs.json | 1 + 3 files changed, 95 insertions(+), 97 deletions(-) create mode 100644 business/dedicated-instances/security-faq.mdx diff --git a/business/dedicated-instances/security-faq.mdx b/business/dedicated-instances/security-faq.mdx new file mode 100644 index 00000000..e9f24274 --- /dev/null +++ b/business/dedicated-instances/security-faq.mdx 
@@ -0,0 +1,36 @@ +--- +title: Security FAQ +--- + +**Is my Dedicated Instance single-tenant?** +Yes. Each Dedicated Instance is logically isolated and single-tenant. Your instance is not shared with other customers at the application or network level. + +**Does traffic ever traverse the public internet?** +By default, Dedicated Instances are configured with strict network controls to block public ingress and egress. When PrivateLink is enabled, traffic between your environment and Unstructured flows entirely over cloud-provider private networking. Public ingress/egress can be enabled on request for specific use cases — see [Network Access Controls](about:blank#network-access-controls). + +**Is data encrypted?** +Yes. +- **In transit:** All traffic uses TLS 1.2 or higher. +- **Internally:** Mutual TLS (mTLS) is used between platform services. +- **Cloud storage:** Encryption policies are enforced at the storage layer. +- **At rest:** Optional customer-managed KMS keys are available on request. + +**Can Unstructured access my data?** +Unstructured personnel do not access customer data as part of normal operations. Access to customer data sources is explicitly configured, limited to the minimum permissions required, and governed by customer-controlled IAM, RBAC, and resource policies. Any exceptional access (e.g., for troubleshooting) follows strict internal controls and auditing. + +**Is customer data used to train models?** +No. Customer data processed within a Dedicated Instance is not used to train models. + +**How is access to the platform controlled?** +- Customers manage user access to the Unstructured UI and APIs. +- Network access is restricted using private endpoints, security groups, and firewall rules. +- DNS resolution is private and scoped to customer networks. + +**What does PrivateLink protect against?** +PrivateLink helps protect against exposure to the public internet, unintended inbound network access, and DNS-based traffic interception. 
PrivateLink does not protect against application-layer vulnerabilities, misconfigured IAM or RBAC policies, or compromised credentials. + +**How long is customer data retained?** +Unstructured does not store customer data long-term. Customer artifacts are used ephemerally during workflow execution and removed upon completion or failure. Transformed data is written to the configured destination. The only data that persists in the Unstructured platform is connector and workflow configuration metadata, connector keys (stored in a secret store), and workflow execution telemetry (which does not contain file data). + +**What compliance standards does Unstructured support?** +Unstructured maintains industry-standard security and compliance programs including HIPAA compliance architecture, ITAR-readiness with geo-blocking via AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available from our trust center. diff --git a/business/dedicated-instances/security.mdx b/business/dedicated-instances/security.mdx index c9ae43fd..0b45170a 100644 --- a/business/dedicated-instances/security.mdx +++ b/business/dedicated-instances/security.mdx 
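Review bot: The link `[Network Access Controls](about:blank#network-access-controls)` in the "Does traffic ever traverse the public internet?" answer points at `about:blank`, which will not resolve in the rendered site; it should target the Network access controls section of the security page, for example `/business/dedicated-instances/security#network-access-controls`. Also, the "Can Unstructured access my data?" answer says exceptional access "follows strict internal controls and auditing" without saying whether the customer is notified or can review a record of that access; one sentence on what the customer sees would make the answer verifiable. The "What compliance standards" answer mentions "our trust center" without a link.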
@@ -1,128 +1,89 @@ --- -title: Security -description: Security model for Dedicated Instances, including isolation, encryption, and identity controls +title: Security model --- +Dedicated Instances use a defense-in-depth security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. -## Security +This page covers PrivateLink, encryption, and network access controls for Dedicated Instances. For more information about security across the Unstructured platform, see [Security and compliance](business/security-compliance/overview). -### Overview -Dedicated Instances are designed with a defense-in-depth security model that protects customer data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access, ensuring that sensitive data remains within trusted boundaries at all times. +### Encryption -Security controls are implemented across multiple layers, including network isolation, encryption, identity and access management, and service-level protections. +All connections to Dedicated Instances use TLS 1.2 or higher for encryption in transit. -### Core Principles +| Layer | Encryption | +| --- | --- | +| API Endpoints | TLS 1.2+ with certificate validation | +| Cloud Storage Connections (S3, Blob Storage) | TLS encryption with bucket/container policies enforcing encryption | +| Internal Service Mesh | mTLS between microservices | -The security model is based on the following principles: +### Security without PrivateLink (internet-facing mode) -- **Isolation by design** - Each Dedicated Instance is provisioned as a single-tenant environment, ensuring that customer data and resources are isolated from other customers. 
+Customers who deploy a Dedicated Instance without PrivateLink access the platform over the public internet via HTTPS. The following controls apply: -- **Private connectivity only** - Data is transmitted exclusively over private network paths, avoiding exposure to the public internet. +- **TLS 1.2+** for all traffic in transit. +- **AWS WAF** (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance. +- **IP Allowlisting** — Access to the platform can be restricted to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. +- **No data egress change** — Unstructured can still access customer data sources via PrivateLink even if the customer accesses the platform UI/API over the internet. The two directions are configured independently. -- **Least privilege access** - Access to services and resources is restricted using fine-grained permissions and role-based access controls. +### Security with PrivateLink -- **End-to-end encryption** - Data is encrypted both in transit and at rest using industry-standard encryption mechanisms. +When PrivateLink is enabled, traffic between your environment and Unstructured flows entirely over cloud-provider private networking. Service endpoints resolve to private IP addresses, and no inbound access from the public internet is permitted. -- **Controlled data flow** - Data movement is explicitly defined and restricted to approved ingestion and processing paths. 
+### What PrivateLink does and does not protect -### Network Isolation +**Protected** +* Network traffic from public internet exposure +* Data in-transit between VPCs/VNets +* DNS resolution of service endpoints -Dedicated Instances enforce strict network isolation: +**Not Protected** +* Application-layer vulnerabilities +* Misconfigured IAM/RBAC policies +* Compromised credentials -- All service endpoints are exposed via private endpoints only -- No inbound public access is required -- Network access is restricted using: - - VPC/VNet-level controls - - Security groups, Network Security Groups, or firewall rules - - Private DNS resolution +### Optional: Customer-managed encryption keys -In most deployments: -- The customer initiates connections to the Dedicated Instance -- The Dedicated Instance does not require unsolicited inbound access +By default, Unstructured manages encryption keys using the cloud provider’s key management service (AWS KMS or Azure Key Vault). Customers with strict key custody requirements can optionally bring their own KMS Customer Managed Keys (CMK). Contact your account representative to enable this. -This model reduces the attack surface and aligns with zero-trust networking principles. -### Data Protection +### Network access controls -#### Encryption in Transit +**Default configuration:** -- All data transferred between the customer environment and the Dedicated Instance is encrypted using TLS -- Private endpoints help ensure that encrypted traffic remains within the cloud provider network +| Traffic Direction | Default State | +| --- | --- | +| Public Ingress | **Blocked** — All inbound traffic from the public internet is denied. Access is only available via PrivateLink. | +| Public Egress | **Blocked** — All outbound traffic to the public internet is denied. The platform can only communicate with resources accessible via PrivateLink or within the Unstructured VPC/VNet. 
| -#### Encryption at Rest +This default configuration provides maximum network isolation and is recommended for customers with strict compliance requirements. -- Data stored within the Dedicated Instance is encrypted using provider-managed or customer-managed keys where supported -- Encryption may apply to: - - Indexed data - - Intermediate processing data - - Logs and metadata +**Optional: Enabling public egress** -### Identity and Access Control +Some integrations require outbound internet access. Examples include: +- Third-party AI/ML APIs (e.g., OpenAI, Anthropic, Gemini) not hosted in your cloud environment. +- External webhooks or callback URLs. +- Public SaaS services without PrivateLink support (see [connector coverage](about:blank#aws-privatelink-connector-coverage) below). -Access to the Dedicated Instance is controlled through a combination of: +If your use case requires public egress, Unstructured can enable outbound internet access with the following options: -- **Role-based access control (RBAC)** - Permissions are assigned based on roles, limiting access to only what is required +| Option | Description | +| --- | --- | +| Full Egress | All outbound internet traffic is permitted (not recommended) | +| Specific IPs/CIDRs | Outbound traffic is permitted only to specified IP addresses or CIDR ranges | -- **Identity provider integration** - Customers can integrate with their existing identity providers, such as SAML or OIDC providers, to enforce centralized authentication and policy management +To request egress configuration changes, log a support ticket and provide: +- Application/use-case requirements for the access change. +- List of IPs or CIDR ranges to allowlist. +- Expected traffic patterns (e.g., VLM API calls, SSO integration). 
-- **Service-level authentication and authorization** - Internal services authenticate securely when communicating with each other +**Optional: Enabling public ingress** -For identity configuration details, see [IdP Integration](./identity/idp-integration). +In rare cases, customers may require public ingress (e.g., for users who cannot access via PrivateLink). Access will be restricted to specified IP addresses or CIDR ranges, and all traffic remains encrypted via TLS 1.2+. -### Service-Level Security +To request ingress configuration changes, log a support ticket and provide: +- Application/use-case requirements. +- List of source IP addresses or CIDR ranges to allowlist. +- Expected access patterns. -Security controls are also enforced at the service layer: - -- **Streaming layer** - - Encrypted communication between producers and consumers - - Authentication and authorization for topic or stream access - -- **Processing services** - - Restricted execution environments - - Controlled access to input and output data - -- **Indexing layer** - - Access policies to restrict query and indexing operations - - Encryption and audit capabilities where supported - -### Data Residency and Control - -Dedicated Instances are deployed within a specific cloud region, allowing customers to control where their data is processed and stored. - -- Data does not leave the configured region unless explicitly configured to do so -- Regional deployment supports data residency and sovereignty requirements - -### Shared Responsibility Model - -Security is a shared responsibility between the platform and the customer. 
- -**Platform responsibilities:** - -- Infrastructure provisioning and isolation -- Managed services security and hardening -- Default encryption and secure configurations - -**Customer responsibilities:** - -- Configuring network access -- Managing identity provider integration -- Controlling access to data sources and connectors -- Defining internal access policies - -### Audit and Monitoring - -The platform supports observability and security monitoring through: - -- Logging of system and service activity -- Monitoring of ingestion and processing workflows -- Integration with cloud-native monitoring tools, depending on provider capabilities - -Customers can use these capabilities to track access and activity, detect anomalies, and support compliance and auditing requirements. +> **Note:** Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using PrivateLink for all connectivity where possible. +> \ No newline at end of file diff --git a/docs.json b/docs.json index a4736698..53d3bfc3 100644 --- a/docs.json +++ b/docs.json @@ -332,6 +332,7 @@ "business/dedicated-instances/index", "business/dedicated-instances/architecture", "business/dedicated-instances/security", + "business/dedicated-instances/security-faq", "business/dedicated-instances/requirements", "business/dedicated-instances/preparing", { From 1406e30f9ae264d56926122d217f0b3318a6762c Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Thu, 19 Mar 2026 00:16:19 -0400 Subject: [PATCH 04/29] Rename overview file to follow naming conventions. --- business/dedicated-instances/{index.mdx => overview.mdx} | 0 docs.json | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename business/dedicated-instances/{index.mdx => overview.mdx} (100%) 
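Review bot: The Network access controls table states that public ingress is "Blocked — ... Access is only available via PrivateLink" and that public egress is blocked by default, but the earlier "Security without PrivateLink (internet-facing mode)" section describes customers reaching the platform over the public internet via HTTPS; the page should say which of these is the default and make clear that internet-facing mode is a deliberate opt-in that relaxes the ingress default. The "Public SaaS services without PrivateLink support" bullet links to `about:blank#aws-privatelink-connector-coverage` and says "below", but no connector coverage section exists in this file; add the section or link to the page that has it. The cross-link `[Security and compliance](business/security-compliance/overview)` lacks a leading slash, so verify it resolves. Smaller points: the "What PrivateLink does and does not protect" lists use `*` bullets while the rest of the page uses `-`, and the file ends with an empty `>` blockquote line and no trailing newline.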
diff --git a/business/dedicated-instances/index.mdx b/business/dedicated-instances/overview.mdx similarity index 100% rename from business/dedicated-instances/index.mdx rename to business/dedicated-instances/overview.mdx diff --git a/docs.json b/docs.json index 53d3bfc3..1c915279 100644 --- a/docs.json +++ b/docs.json @@ -329,7 +329,7 @@ { "group": "Dedicated Instances", "pages": [ - "business/dedicated-instances/index", + "business/dedicated-instances/overview", "business/dedicated-instances/architecture", "business/dedicated-instances/security", "business/dedicated-instances/security-faq", From 7b7b432eb9673f5bc2df17d6a3731b38de574e85 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Thu, 19 Mar 2026 00:44:08 -0400 Subject: [PATCH 05/29] Edit security info futher. --- business/dedicated-instances/overview.mdx | 9 ++++++--- business/dedicated-instances/security.mdx | 8 ++++---- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 3a9d1256..343a6309 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
@@ -5,11 +5,14 @@ sidebarTitle: Overview A Dedicated Instance is a privately isolated deployment hosted by Unstructured, intended for customers who need increased network isolation, data isolation, and strict compliance controls. By leveraging cloud-native infrastructure and private networking, Dedicated Instances enable Unstructured to connect to your data sources and process your data while keeping it within trusted boundaries. -With AWS or Azure PrivateLink, you get private IP connectivity between your VPC/VNet and Unstructured without traversing the public internet. Network filtering lets you fully block incoming and outgoing traffic to the public internet or limit it to specific IP addresses or CIDR ranges. +**AWS PrivateLink and Azure Private Link** -**Benefits:** +Both AWS and Azure allow you to privately connect your Virtual Private Cloud (VPC in AWS) or Virtual Network (Vnet in Azure) to your Dedicate Intance on the Unsturctured platform without traversing the public internet. +Network filtering lets you fully block incoming and outgoing traffic to the public internet or limit it to specific IP addresses or CIDR ranges. -- **Eliminates public exposure:** Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. +**Benefits** + +- **Eliminate public exposure:** Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. - **Stronger network isolation for sensitive workloads:** Helps customers meet internal security requirements and compliance where *private network access* is preferred or mandated. - **Simpler enterprise network integration:** Works well with existing private connectivity patterns (VPC/VNet isolation, VPN/DirectConnect/ExpressRoute to corporate on-prem networks). 
- **Control and visibility:** Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. diff --git a/business/dedicated-instances/security.mdx b/business/dedicated-instances/security.mdx index 0b45170a..00fa900d 100644 --- a/business/dedicated-instances/security.mdx +++ b/business/dedicated-instances/security.mdx @@ -1,7 +1,7 @@ --- title: Security model --- -Dedicated Instances use a defense-in-depth security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. +Dedicated Instances use a security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. This page covers PrivateLink, encryption, and network access controls for Dedicated Instances. For more information about security across the Unstructured platform, see [Security and compliance](business/security-compliance/overview). 
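Review bot: The added paragraph contains three spelling errors in product names that will ship as written: "Vnet" should be "VNet" (as used elsewhere on the page), "Dedicate Intance" should be "Dedicated Instance", and "Unsturctured" should be "Unstructured". The same sentence is also long; consider splitting it after "public internet".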
@@ -18,12 +18,12 @@ All connections to Dedicated Instances use TLS 1.2 or higher for encryption in t ### Security without PrivateLink (internet-facing mode) -Customers who deploy a Dedicated Instance without PrivateLink access the platform over the public internet via HTTPS. The following controls apply: +Customers who deploy a Dedicated Instance without PrivateLink access the platform over the public internet via HTTPS. The following controls apply. - **TLS 1.2+** for all traffic in transit. - **AWS WAF** (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance. -- **IP Allowlisting** — Access to the platform can be restricted to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. -- **No data egress change** — Unstructured can still access customer data sources via PrivateLink even if the customer accesses the platform UI/API over the internet. The two directions are configured independently. +- **IP Allowlisting** restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. [**?? check standard wording and links for submitting support ticket ??**] +- **Independent ingress and outbound** means you can access the platform over the internet with the UI or API, while Unstructured uses PrivateLink to reach your data sources. The two paths are configured separately. ### Security with PrivateLink From 2a758eb9f19a7d302e11ced9e6ed92a576aa5b6a Mon Sep 17 00:00:00 2001 
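Review bot: The IP Allowlisting bullet adds an editorial placeholder, `[**?? check standard wording and links for submitting support ticket ??**]`, that must be resolved or removed before merge; it will render in the published page. The renamed bullet "Independent ingress and outbound" mixes terminology: the rest of the page and the Network access controls table use "ingress" and "egress", so "Independent ingress and egress" keeps the vocabulary consistent. Also, replacing "The following controls apply:" with a full stop before a bullet list is a style regression; the colon is the convention used elsewhere in the file (for example "Examples include:").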
From: monica-unstructured Date: Thu, 19 Mar 2026 02:26:13 -0400 Subject: [PATCH 06/29] Removed some topics from Dedicated Instance section. --- business/dedicated-instances/architecture.mdx | 2 +- .../deployment/aws/in-vpc.mdx | 36 ------ .../deployment/aws/index.mdx | 36 ------ .../deployment/aws/privatelink.mdx | 41 ------- .../deployment/azure/dns.mdx | 27 ----- .../deployment/azure/index.mdx | 25 ---- .../deployment/azure/private-endpoint.mdx | 31 ----- .../deployment/gcp/index.mdx | 18 --- .../deployment/gcp/psc.mdx | 33 ------ .../identity/idp-integration.mdx | 19 --- business/dedicated-instances/overview.mdx | 18 ++- business/dedicated-instances/preparing.mdx | 111 ++++-------------- business/dedicated-instances/requirements.mdx | 104 +++++++--------- business/dedicated-instances/security.mdx | 20 +++- .../shared-responsibility-model.mdx | 42 +++++++ docs.json | 57 ++------- 16 files changed, 149 insertions(+), 471 deletions(-) delete mode 100644 business/dedicated-instances/deployment/aws/in-vpc.mdx delete mode 100644 business/dedicated-instances/deployment/aws/index.mdx delete mode 100644 business/dedicated-instances/deployment/aws/privatelink.mdx delete mode 100644 business/dedicated-instances/deployment/azure/dns.mdx delete mode 100644 business/dedicated-instances/deployment/azure/index.mdx delete mode 100644 business/dedicated-instances/deployment/azure/private-endpoint.mdx delete mode 100644 business/dedicated-instances/deployment/gcp/index.mdx delete mode 100644 business/dedicated-instances/deployment/gcp/psc.mdx delete mode 100644 business/dedicated-instances/identity/idp-integration.mdx create mode 100644 business/dedicated-instances/shared-responsibility-model.mdx diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index a6b1e598..999cc577 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx 
@@ -18,7 +18,7 @@ There are two directions of connectivity: | **Customer → Unstructured** | Customer applications access the Unstructured UI and API via a private endpoint in the customer’s VPC/VNet. | | **Unstructured → Customer** | Unstructured accesses customer data sources (S3 buckets, databases, vector stores, etc.) via private endpoints created in the Unstructured VPC/VNet. | -Both directions can be established independently. Customers with strict egress controls should configure both. +Both directions can be established independently. Customers with strict outbound traffic controls should configure both. diff --git a/business/dedicated-instances/deployment/aws/in-vpc.mdx b/business/dedicated-instances/deployment/aws/in-vpc.mdx deleted file mode 100644 index 382ca652..00000000 --- a/business/dedicated-instances/deployment/aws/in-vpc.mdx +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: In-VPC Setup -description: Deploy Dedicated Instance components inside your AWS VPC ---- - -## In-VPC Setup - -This section describes the In-VPC deployment model, where components run within your AWS environment. - -### Step 1: Provision Core Services - -Deploy required services within your VPC, such as: - -- Streaming layer -- Processing services -- Indexing services - -### Step 2: Configure Networking - -- Ensure routing between subnets is properly configured -- Allow internal communication between services - -### Step 3: Configure IAM and Security - -- Create IAM roles and policies -- Apply least privilege access controls - -### Step 4: Integrate Data Sources - -- Configure connectors or APIs to access customer data sources -- Validate connectivity and access permissions - -### Step 5: Validate Deployment - -- Confirm all services are operational -- Verify ingestion, processing, and indexing workflows diff --git a/business/dedicated-instances/deployment/aws/index.mdx b/business/dedicated-instances/deployment/aws/index.mdx deleted file mode 100644 index ad7297d2..00000000 
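Review bot: Changing "strict egress controls" to "strict outbound traffic controls" makes this page inconsistent with security.mdx, where the Network access controls section from PATCH 03 still uses "Public Egress", "Full Egress" and "egress configuration"; pick one term or define the other. Also, this patch deletes every deployment page (aws/index, aws/privatelink, aws/in-vpc, azure/index, azure/private-endpoint, azure/dns, gcp/index, gcp/psc), yet the architecture page's closing line from PATCH 02, "Detailed setup instructions are provided in the deployment sections for each cloud provider.", is not touched in this hunk; update or remove it so the page does not point readers at pages that no longer exist.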
--- a/business/dedicated-instances/deployment/aws/index.mdx +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: AWS Deployment -description: Deploy Dedicated Instances on AWS ---- - -## AWS - -### Overview - -Dedicated Instances on AWS provide a secure, private deployment model for ingesting, processing, and indexing data within a customer-controlled environment. AWS deployments support multiple models depending on the level of control, isolation, and integration required. - -### Deployment Models - -#### Dedicated Instance (PrivateLink) - -In this model: - -- The Dedicated Instance is deployed in a managed, single-tenant environment -- The customer connects to the instance using AWS PrivateLink -- All communication occurs over private endpoints within the AWS network - -Use this model if you want a managed deployment with minimal operational overhead and strong network isolation. - -#### In-VPC Deployment - -In this model: - -- Components of the Dedicated Instance are deployed within the customer VPC -- The customer manages networking, routing, and some infrastructure components - -Use this model if you require deeper integration with existing VPC resources and more control over networking and infrastructure. - -### Next Steps - -- [PrivateLink Setup](./privatelink) -- [In-VPC Setup](./in-vpc) diff --git a/business/dedicated-instances/deployment/aws/privatelink.mdx b/business/dedicated-instances/deployment/aws/privatelink.mdx deleted file mode 100644 index fb5d6f0e..00000000 --- a/business/dedicated-instances/deployment/aws/privatelink.mdx +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: PrivateLink Setup -description: Configure AWS PrivateLink for Dedicated Instances ---- - -## PrivateLink Setup - -This section describes how to configure the Dedicated Instance deployment model using AWS PrivateLink. - -### Prerequisites - -- A configured VPC with appropriate subnets -- Permissions to create and manage interface endpoints -- Security group and route table access -- Private DNS enabled - -### Step 1: Create Interface Endpoints - -- Create interface VPC endpoints for the required services -- Use the service names provided during onboarding -- Place endpoints in the correct subnets - -### Step 2: Configure Security Groups - -- Allow inbound and outbound traffic for required ports and protocols -- Restrict access to only necessary resources - -### Step 3: Configure Private DNS - -- Enable private DNS resolution for the endpoints -- Verify that service domains resolve to private IP addresses - -### Step 4: Approve Endpoint Connections - -- Accept endpoint connection requests if required -- Confirm connectivity between the customer VPC and the Dedicated Instance - -### Step 5: Validate Connectivity - -- Verify services are reachable through the private endpoints -- Confirm that no traffic is routed through public internet paths diff --git a/business/dedicated-instances/deployment/azure/dns.mdx b/business/dedicated-instances/deployment/azure/dns.mdx deleted file mode 100644 index 12cbfec4..00000000 --- a/business/dedicated-instances/deployment/azure/dns.mdx +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -title: DNS Configuration -description: Configure DNS for Azure Private Endpoints ---- - -## DNS Configuration - -Azure Private Endpoint connectivity depends on correct DNS configuration. - -> ⚠️ Misconfigured DNS is one of the most common causes of onboarding issues. - -### Step 1: Create Private DNS Zones - -- Create Private DNS Zones for required service domains - -### Step 2: Link DNS Zones to the VNet - -- Link the DNS zones to the appropriate VNet - -### Step 3: Configure DNS Records - -- Ensure service domains resolve to private IP addresses - -### Step 4: Validate DNS Resolution - -- Use `nslookup` or equivalent tools -- Confirm that no public endpoints are being used diff --git a/business/dedicated-instances/deployment/azure/index.mdx b/business/dedicated-instances/deployment/azure/index.mdx deleted file mode 100644 index 28d21ed7..00000000 --- a/business/dedicated-instances/deployment/azure/index.mdx +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: Azure Deployment -description: Deploy Dedicated Instances on Azure ---- - -## Azure - -### Overview - -Dedicated Instances on Azure provide a secure, private deployment model using Private Endpoints and VNet integration. DNS configuration plays a critical role in successful Azure connectivity. - -### Deployment Model - -Azure deployments use a Private Endpoint-based model for secure connectivity. - -Use this model if: - -- You want a managed deployment with strong network isolation -- Your organization requires private connectivity with no public exposure -- You can configure DNS within your Azure environment - -### Next Steps - -- [Private Endpoint Setup](./private-endpoint) -- [DNS Configuration](./dns) diff --git a/business/dedicated-instances/deployment/azure/private-endpoint.mdx b/business/dedicated-instances/deployment/azure/private-endpoint.mdx deleted file mode 100644 index ad4b4470..00000000 --- a/business/dedicated-instances/deployment/azure/private-endpoint.mdx +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: Private Endpoint Setup -description: Configure Azure Private Endpoints for Dedicated Instances ---- - -## Private Endpoint Setup - -This section describes how to configure connectivity using Azure Private Endpoint. - -### Prerequisites - -- Azure subscription access -- VNet and subnet configuration -- Permissions to create Private Endpoints -- Network Security Group access -- Private DNS capability - -### Step 1: Create Private Endpoints - -- Create a Private Endpoint for each required service -- Associate each endpoint with the correct VNet and subnet - -### Step 2: Configure Network Security Groups - -- Allow traffic between your resources and the Private Endpoints -- Restrict access to trusted sources only - -### Step 3: Validate Connectivity - -- Confirm resources within the VNet can access the Dedicated Instance services -- Confirm that traffic flows through Private Endpoints only diff --git a/business/dedicated-instances/deployment/gcp/index.mdx b/business/dedicated-instances/deployment/gcp/index.mdx deleted file mode 100644 index a2b5729d..00000000 --- a/business/dedicated-instances/deployment/gcp/index.mdx +++ /dev/null @@ -1,18 +0,0 @@ ---- -title: GCP Deployment -description: Deploy Dedicated Instances on GCP ---- - -## GCP - -### Overview - -Dedicated Instances on GCP provide a secure, private deployment model using Private Service Connect. - -### Deployment Model - -GCP deployments use a Private Service Connect-based model for internal service exposure without requiring public internet access. - -### Next Steps - -- [Private Service Connect Setup](./psc) diff --git a/business/dedicated-instances/deployment/gcp/psc.mdx b/business/dedicated-instances/deployment/gcp/psc.mdx deleted file mode 100644 index 85818dfc..00000000 --- a/business/dedicated-instances/deployment/gcp/psc.mdx +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: Private Service Connect Setup -description: Configure Private Service Connect for Dedicated Instances ---- - -## Private Service Connect Setup - -This section describes how to configure connectivity using Private Service Connect. - -### Prerequisites - -- GCP project access -- VPC network configuration -- Permissions to create PSC endpoints -- Firewall rule and DNS configuration access - -### Step 1: Create PSC Endpoints - -- Create PSC endpoints that connect to the service attachments provided during onboarding - -### Step 2: Configure Firewall Rules - -- Allow internal traffic between workloads and PSC endpoints -- Restrict access to trusted sources only - -### Step 3: Configure DNS - -- Create DNS entries that map service domains to PSC endpoint IP addresses - -### Step 4: Validate Connectivity - -- Confirm services are reachable through PSC endpoints -- Confirm traffic remains on internal network paths diff --git a/business/dedicated-instances/identity/idp-integration.mdx b/business/dedicated-instances/identity/idp-integration.mdx deleted file mode 100644 index 36c6a277..00000000 --- a/business/dedicated-instances/identity/idp-integration.mdx +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: IdP Integration -description: Configure identity provider integration for Dedicated Instances ---- - -## IdP Integration - -### Overview - -Dedicated Instances support SAML- and OIDC-based identity providers. - -### Typical Steps - -1. Configure your identity provider -2. Exchange metadata or connection details -3. Map roles for RBAC -4. Validate the login flow - -See [Security](../security) for more information about access controls. diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 343a6309..b3eecfdf 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
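Review bot: The page deletions (aws/in-vpc, aws/index, aws/privatelink, azure/dns, azure/index, azure/private-endpoint, gcp/index, gcp/psc, identity/idp-integration) remove published URLs with no redirects, and the deleted idp-integration page was the only place the SAML/OIDC and "Map roles for RBAC" guidance lived; if that content is not being re-homed, add redirect entries for the removed paths and note where IdP setup is now documented. The deleted azure/dns page also carried the "Misconfigured DNS is one of the most common causes of onboarding issues" warning, which is worth carrying into the surviving requirements page.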
@@ -7,16 +7,22 @@ A Dedicated Instance is a privately isolated deployment hosted by Unstructured, **AWS PrivateLink and Azure Private Link** -Both AWS and Azure allow you to privately connect your Virtual Private Cloud (VPC in AWS) or Virtual Network (Vnet in Azure) to your Dedicate Intance on the Unsturctured platform without traversing the public internet. +Both AWS and Azure allow you to privately connect your Virtual Private Cloud (VPC in AWS) or Virtual Network (Vnet in Azure) to your Dedicated Instance on the Unstructured platform without traversing the public internet. Network filtering lets you fully block incoming and outgoing traffic to the public internet or limit it to specific IP addresses or CIDR ranges. **Benefits** -- **Eliminate public exposure:** Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. -- **Stronger network isolation for sensitive workloads:** Helps customers meet internal security requirements and compliance where *private network access* is preferred or mandated. -- **Simpler enterprise network integration:** Works well with existing private connectivity patterns (VPC/VNet isolation, VPN/DirectConnect/ExpressRoute to corporate on-prem networks). -- **Control and visibility:** Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. +- **Eliminate public exposure** - Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. +- **Stronger network isolation for sensitive workloads** - Helps customers meet internal security requirements and compliance where *private network access* is preferred or mandated. 
+- **Simpler enterprise network integration** - Works well with existing private connectivity patterns (VPC/VNet isolation, VPN/DirectConnect/ExpressRoute to corporate on-prem networks). +- **Control and visibility** - Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. A Dedicated Instance is a **regional service** deployed in a single cloud region. Everything runs in one region, so plan for data residency, failover design, and latency. Unstructured supports cross-region PrivateLink, but we do not recommend it because it incurs additional data transfer costs. - \ No newline at end of file + + + +!! WRITER QUESTION: Is the above statement correct? +Do we not recommend it BECAUSE it incurs additional data transfer costs? (I added that supposition to the text here. +If additional costs are **not** why we recommend against it, we should state why we don't recommend it. Or it would be nice to. :-) !! + \ No newline at end of file diff --git a/business/dedicated-instances/preparing.mdx b/business/dedicated-instances/preparing.mdx index b17f6f22..30357e58 100644 --- a/business/dedicated-instances/preparing.mdx +++ b/business/dedicated-instances/preparing.mdx 
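Review bot: The `!! WRITER QUESTION: ... !!` block is added to the body of overview.mdx and will render on the published page; move it to an MDX comment or resolve it before merge, and until the reason is confirmed, soften "but we do not recommend it because it incurs additional data transfer costs" to state only what is known. Same hunk: "Vnet in Azure" should be "VNet" (it is fixed nowhere in this pass), and the new bullet style "**label** - text" replaces "**label:** text", so make sure the other pages (security.mdx uses the same change) follow one convention.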
@@ -1,100 +1,37 @@ --- title: Preparing for a Dedicated Instance -description: Pre-deployment planning and readiness checklist --- -## Preparing for a Dedicated Instance +Once you’ve decided to proceed with a Dedicated Instance, the next steps involve provisioning the environment and establishing private connectivity. The deployment process is conducted remotely and can typically be completed within the following timeframes: -### Overview +| Cloud Provider | Without PrivateLink | With PrivateLink | +| --- | --- | --- | +| AWS | 2–3 Days | 4–5 Days | +| Azure | 2–3 Days | 4–5 Days | -Before deploying a Dedicated Instance, ensure that network, identity, and operational requirements are in place. This preparation phase helps align internal teams, validate prerequisites, and reduce delays during onboarding. +> Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. +> -### Who Should Be Involved +### Information Required for Provisioning -Dedicated Instance onboarding typically requires coordination across multiple teams: +Before deployment can begin, please provide the following: -- **Security and Compliance Teams** - - Review network isolation and data protection requirements - - Approve private connectivity and access controls +| Information Required | Description | +| --- | --- | +| Name of Administrator | Primary administrator of the account (others can be added after) | +| Admin Email Address | Email address of the primary admin | +| Cloud Provider | AWS or Azure | +| Cloud Region | Please see [list of supported regions](about:blank#supported-cloud-providers-and-regions) | +| Desired URL | Without PrivateLink: `.unstructuredapp.io` / With PrivateLink: `.privatelink.unstructuredapp.io` | +| VLM Provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. 
| +| VLM Models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | +| Embedding Models | e.g., Titan, Granite (ensure you select correct dimensions) | -- **Platform and Infrastructure Teams** - - Configure cloud networking, DNS, and firewall rules - - Manage deployment and connectivity +> **Do not send API keys by email or any collaboration tool.** Unstructured has a secure method of capturing these. +> -- **Application and Data Owners** - - Identify data sources - - Provide access requirements and integration details +### Information Exchange -### Pre-Deployment Checklist +All PrivateLink configuration data exchanges between Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint Service Names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. -- Cloud environment is identified -- VPC or VNet is configured with required subnets -- Private connectivity approach is selected -- DNS configuration approach is defined -- Firewall and security rules are planned -- Identity provider requirements are defined -- Data sources and access methods are identified -- Required permissions and approvals are in place - -### Choose a Deployment Model - -Before starting setup, determine the appropriate deployment model for your environment. - -- **AWS** - - PrivateLink - - In-VPC deployment - -- **Azure** - - Private Endpoint - -- **GCP** - - Private Service Connect - -Choosing the correct model early helps guide networking and implementation decisions. - -### Plan Your Network Configuration - -Networking is the most critical part of deployment. 
Ensure the following are defined: - -- Which VPC or VNet will be used -- Which subnets will host endpoints or services -- How private connectivity will be established -- How data will move from your environment to the Dedicated Instance - -### Plan DNS Configuration - -DNS configuration is required to ensure that service endpoints resolve to private IP addresses. - -- Define how DNS will be managed -- Ensure private DNS zones are created where required -- Confirm that service records resolve to private endpoints - -Misconfigured DNS is one of the most common causes of onboarding issues. - -### Identify Data Sources - -Determine which data sources will be ingested, such as object storage, databases, SaaS platforms, or internal services. - -For each data source, confirm: - -- Access method -- Required permissions -- Network accessibility - -### Validate Permissions and Approvals - -Before beginning deployment, confirm that: - -- Required cloud permissions are granted -- Network changes are approved -- Security reviews are completed if required - -### Next Steps - -Proceed to the appropriate deployment section: - -- [AWS](./deployment/aws/index) -- [Azure](./deployment/azure/index) -- [GCP](./deployment/gcp/index) - -After deployment, configure [IdP Integration](./identity/idp-integration) and set up monitoring and observability. +To initiate a PrivateLink configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx index ce04baa5..2d15b963 100644 --- a/business/dedicated-instances/requirements.mdx +++ b/business/dedicated-instances/requirements.mdx 
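Review bot: The Cloud Region row links to `about:blank#supported-cloud-providers-and-regions`, which is a dead link; point it at the requirements page anchor instead. In the same table, "Without PrivateLink: `.unstructuredapp.io` / With PrivateLink: `.privatelink.unstructuredapp.io`" shows a leading dot with no subdomain placeholder, so readers cannot tell what they are choosing; write it as `<name>.unstructuredapp.io`. The hunk also drops the `description:` front matter (requirements.mdx does the same), which affects page metadata; confirm that is intended. The "Do not send API keys by email" callout and the support-ticket audit-trail requirement for Account IDs, VPC Endpoint Service Names, IAM Role ARNs and Service Principal IDs are good additions.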
@@ -1,82 +1,64 @@ --- title: Requirements and Limitations -description: Prerequisites and constraints for Dedicated Instance deployments --- -## Requirements and Limitations +Dedicated Instances rely on cloud-provider private networking features and therefore require certain baseline infrastructure components to ensure a secure and successful deployment. This section outlines the key requirements customers must meet, as well as known limitations that may affect implementation decisions. Understanding these constraints early helps reduce onboarding delays and ensures alignment across security, platform, and engineering teams. -### Overview +### Supported Cloud Providers and Regions -Dedicated Instances require specific network, infrastructure, and operational prerequisites to ensure a secure and successful deployment. This section outlines the key requirements customers must meet, as well as known limitations that may affect implementation decisions. +| Cloud Provider | Availability | +| --- | --- | +| AWS | General Availability | +| Azure | General Availability | +| GCP | Not currently supported | -Understanding these constraints early helps reduce onboarding delays and ensures alignment across security, platform, and engineering teams. +**AWS Supported Regions** -### General Requirements +| Region Name | Region Code | +| --- | --- | +| US East (N. Virginia) | `us-east-1` | +| US East (Ohio) | `us-east-2` | +| US West (Oregon) | `us-west-2` | +| Europe (Ireland) | `eu-west-1` | +| Europe (Stockholm) | `eu-north-1` | +| Europe (Frankfurt) | `eu-central-1` | +| Asia Pacific (Sydney) | `ap-southeast-2` | +| Asia Pacific (Mumbai) | `ap-south-1` | +| Asia Pacific (Seoul) | `ap-northeast-2` | -The following requirements apply to all Dedicated Instance deployments: +If your required region is not listed above, contact your Unstructured account representative. 
-- **Cloud environment access** - Customers must have administrative or delegated access to their cloud environment to configure networking, DNS, and access controls. -- **Private networking configuration** - The deployment requires the ability to configure private connectivity, such as: - - AWS PrivateLink - - Azure Private Endpoint - - GCP Private Service Connect +**Azure Supported Regions** -- **DNS configuration** - Customers must be able to configure private DNS resolution to route service endpoints correctly within their network. +Contact your Unstructured account representative for the current list of supported Azure regions. -- **Identity readiness** - If SSO is required, customers must support integration with a compatible identity provider. +### Prerequisites -### Networking Requirements +**AWS Requirements:** +- VPC with private subnets +- Network Load Balancer (for connections into Customer environment) +- IAM permissions to create VPC endpoints, security groups, and Route 53 records -Dedicated Instances rely heavily on correct network configuration: +**Azure Requirements:** +- Virtual Network with subnets configured for private endpoints +- Private endpoint network policies disabled on target subnets +- Standard Load Balancer (for connections into Customer environment) -- VPC or VNet configuration -- Private endpoint or equivalent setup -- Firewall and security rules allowing required traffic -- Private DNS resolution for service endpoints +### DNS Requirements -### Service and Data Requirements +Private connectivity requires DNS configuration to route traffic through private endpoints: +- AWS: Route 53 Private Hosted Zone (and on-premise DNS forwarding if needed) +- Azure: Azure Private DNS Zone linked to your VNet +- CNAME records pointing to the private endpoint -- **Supported data sources** - Data sources must be accessible from the customer environment and compatible with supported ingestion methods. 
+The DNS name will be provided to you by Unstructured, in the form `.privatelink.unstructuredapp.io`. -- **Data volume and throughput** - Customers should consider expected data volume, ingestion rate, and processing requirements, because these factors may affect sizing and performance decisions. +### Known Limitations -- **Data format considerations** - Data should be in formats supported by ingestion and processing pipelines. Additional transformation may be required for unsupported formats. +| Limitation | Notes | +| --- | --- | +| Cross-Region PrivateLink | Supported but incurs additional data transfer costs; not advised | +| Cross-Cloud PrivateLink | Not supported (e.g., AWS to Azure) | +| VPC Peering | Not supported as an alternative to PrivateLink | -### Operational Requirements - -- Cross-team coordination between security, infrastructure, and application teams -- Internal approval processes for network and identity changes -- Monitoring and observability planning - -### Cloud-Specific Considerations - -- **AWS** - - Requires PrivateLink endpoint configuration or In-VPC deployment planning - - May involve additional setup for service endpoints and private routing - -- **Azure** - - Requires Private Endpoint configuration and DNS setup - - DNS configuration is often a critical dependency - -- **GCP** - - Uses Private Service Connect or equivalent - - Endpoint configuration and service exposure differ from AWS and Azure - -### Limitations - -The following limitations should be considered when planning a deployment: - -- No public endpoint access -- Cloud provider and regional constraints may apply -- DNS misconfiguration can prevent connectivity -- Managed service customization boundaries may apply - -Next, review [Preparing for a Dedicated Instance](./preparing). diff --git a/business/dedicated-instances/security.mdx b/business/dedicated-instances/security.mdx index 00fa900d..13b3adc7 100644 --- a/business/dedicated-instances/security.mdx 
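Review bot: The DNS Requirements list says "CNAME records pointing to the private endpoint", but the AWS DNS page added later in this series (dns-aws.mdx) documents Private DNS on the endpoint or an A/alias record in a Route 53 Private Hosted Zone; pick one and make the two pages agree. "in the form `.privatelink.unstructuredapp.io`" needs a placeholder such as `<name>.privatelink.unstructuredapp.io`. The Azure prerequisite "Private endpoint network policies disabled on target subnets" removes NSG enforcement for the endpoint on that subnet, yet the shared-responsibility table assigns "Security Group / NSG Rules" to the customer; state whether disabling the policy is mandatory or only needed for the endpoint creation step so customers do not leave it off. Also, the known-limitations row for Cross-Region PrivateLink ("not advised") should use the same reasoning as overview.mdx once the open writer question there is resolved.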
+++ b/business/dedicated-instances/security.mdx @@ -22,7 +22,8 @@ Customers who deploy a Dedicated Instance without PrivateLink access the platfor - **TLS 1.2+** for all traffic in transit. - **AWS WAF** (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance. -- **IP Allowlisting** restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. [**?? check standard wording and links for submitting support ticket ??**] +- **IP Allowlisting** - restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. +!! WRITER: check standard wording and links for submitting support ticket !! - **Independent ingress and outbound** means you can access the platform over the internet with the UI or API, while Unstructured uses PrivateLink to reach your data sources. The two paths are configured separately. ### Security with PrivateLink @@ -41,7 +42,11 @@ When PrivateLink is enabled, traffic between your environment and Unstructured f * Misconfigured IAM/RBAC policies * Compromised credentials -### Optional: Customer-managed encryption keys +### (Optional) Customer-managed encryption keys + + +!! WRITER: Check formatting for "Optional" in titles !! + By default, Unstructured manages encryption keys using the cloud provider’s key management service (AWS KMS or Azure Key Vault). Customers with strict key custody requirements can optionally bring their own KMS Customer Managed Keys (CMK). Contact your account representative to enable this. 
@@ -57,7 +62,11 @@ By default, Unstructured manages encryption keys using the cloud provider’s ke This default configuration provides maximum network isolation and is recommended for customers with strict compliance requirements. -**Optional: Enabling public egress** +**(Optional) Enabling public egress** + + +!! WRITER: Check formatting for "Optional" in titles !! + Some integrations require outbound internet access. Examples include: - Third-party AI/ML APIs (e.g., OpenAI, Anthropic, Gemini) not hosted in your cloud environment. @@ -85,5 +94,6 @@ To request ingress configuration changes, log a support ticket and provide: - List of source IP addresses or CIDR ranges to allowlist. - Expected access patterns. -> **Note:** Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using PrivateLink for all connectivity where possible. -> \ No newline at end of file + +Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using PrivateLink for all connectivity where possible. + \ No newline at end of file diff --git a/business/dedicated-instances/shared-responsibility-model.mdx b/business/dedicated-instances/shared-responsibility-model.mdx new file mode 100644 index 00000000..0db67318 --- /dev/null +++ b/business/dedicated-instances/shared-responsibility-model.mdx 
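Review bot: The inserted `!! WRITER: check standard wording and links for submitting support ticket !!` line sits between two `-` bullets in the "IP Allowlisting" hunk, which breaks the markdown list into two lists and renders the note on the page; the same applies to the two `!! WRITER: Check formatting for "Optional" in titles !!` lines. Put these in MDX comments (`{/* ... */}`) or resolve them before merge. The last hunk demotes the "Enabling public ingress or egress reduces the network isolation benefits" note from a `> **Note:**` blockquote to plain text; given this is the main security caveat of the page, keep it as a callout.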
@@ -0,0 +1,42 @@ +--- +title: Shared responsibility model +--- + + +!! WRITER: Add intro paras and more context !! + + +**Customer → Unstructured (Accessing Unstructured UI and API)** + +| Responsibility | Customer | Unstructured | +| --- | --- | --- | +| VPC/VNet Configuration | ✔ | | +| VPC Endpoint / Private Endpoint Creation | ✔ | | +| DNS Configuration | ✔ | | +| Security Group / NSG Rules | ✔ | | +| VPC Endpoint Service Creation | | ✔ | +| Endpoint Connection Approval | | ✔ | +| Load Balancer and Target Configuration | | ✔ | +| Platform Security & Certificate Management | | ✔ | + + + +**Unstructured → Customer (Accessing Customer Data Sources)** + +| Responsibility | Customer | Unstructured | +| --- | --- | --- | +| VPC Endpoint Service Creation | ✔ | | +| Load Balancer and Target Configuration | ✔ | | +| Endpoint Connection Approval | ✔ | | +| Security Group / NSG Rules | ✔ | | +| Bucket/Container Policies | ✔ | | +| VPC Endpoint / Private Endpoint Creation | | ✔ | +| DNS Configuration | | ✔ | + + +!! WRITER: Include info from below note in intro para, or leave as note for emphasis? !! + + + +Each party is only responsible for the cloud resources it operates. + \ No newline at end of file diff --git a/docs.json b/docs.json index 1c915279..39fa47f7 100644 --- a/docs.json +++ b/docs.json 
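Review bot: Neither table covers identity or credential responsibilities (IAM roles/ARNs, Service Principal IDs, customer-managed keys), although preparing.mdx lists IAM Role ARNs and Service Principal IDs as items exchanged during onboarding and security.mdx documents optional CMKs; add rows for these so the "Each party is only responsible for the cloud resources it operates" rule is complete for the access path as well as the network path. The two `!! WRITER: ... !!` notes will render; the trailing sentence should become the intro paragraph the first note asks for rather than an orphaned line at the end.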
@@ -326,51 +326,6 @@ "business/ai-providers" ] }, - { - "group": "Dedicated Instances", - "pages": [ - "business/dedicated-instances/overview", - "business/dedicated-instances/architecture", - "business/dedicated-instances/security", - "business/dedicated-instances/security-faq", - "business/dedicated-instances/requirements", - "business/dedicated-instances/preparing", - { - "group": "Deployment", - "pages": [ - { - "group": "AWS", - "pages": [ - "business/dedicated-instances/deployment/aws/index", - "business/dedicated-instances/deployment/aws/privatelink", - "business/dedicated-instances/deployment/aws/in-vpc" - ] - }, - { - "group": "Azure", - "pages": [ - "business/dedicated-instances/deployment/azure/index", - "business/dedicated-instances/deployment/azure/private-endpoint", - "business/dedicated-instances/deployment/azure/dns" - ] - }, - { - "group": "GCP", - "pages": [ - "business/dedicated-instances/deployment/gcp/index", - "business/dedicated-instances/deployment/gcp/psc" - ] - } - ] - }, - { - "group": "Identity and Access", - "pages": [ - "business/dedicated-instances/identity/idp-integration" - ] - } - ] - }, { "group": "Security and compliance", "pages": [ @@ -384,6 +339,18 @@ "business/idp/ui" ] }, + { + "group": "Dedicated Instances", + "pages": [ + "business/dedicated-instances/overview", + "business/dedicated-instances/architecture", + "business/dedicated-instances/security", + "business/dedicated-instances/security-faq", + "business/dedicated-instances/shared-responsibility-model", + "business/dedicated-instances/requirements", + "business/dedicated-instances/preparing" + ] + }, { "group": "AWS", "pages": [ From b26b53c0e06b645581b26ced779a482d69aeb465 Mon Sep 17 00:00:00 2001 
From: monica-unstructured Date: Sat, 21 Mar 2026 00:10:03 -0400 Subject: [PATCH 07/29] Add more content for AWS-specific configuration. --- .../aws/aws-customer-managed-services.mdx | 0 .../aws/aws-managed-services/aws-bedrock.mdx | 0 .../aws/aws-managed-services/aws-kafka.mdx | 0 .../aws-managed-services/aws-opensearch.mdx | 0 business/aws/aws-managed-services/aws-s3.mdx | 0 business/aws/aws-native-privatelink.mdx | 0 .../connect-di-to-customer-csp.mdx | 0 .../aws-privatelink/connect-to-platform.mdx | 13 +++++++++ business/aws/aws-privatelink/dns-aws.mdx | 26 ++++++++++++++++++ business/aws/aws-privatelink/overview.md | 5 ++++ business/aws/connector-support-aws.mdx | 22 +++++++++++++++ .../{onboard.mdx => in-vpc-onboarding.mdx} | 0 .../{ => security}/security-faq.mdx | 0 .../security-model.mdx} | 0 .../shared-responsibility-model.mdx | 0 docs.json | 27 ++++++++++++------- 16 files changed, 84 insertions(+), 9 deletions(-) create mode 100644 business/aws/aws-customer-managed-services.mdx create mode 100644 business/aws/aws-managed-services/aws-bedrock.mdx create mode 100644 business/aws/aws-managed-services/aws-kafka.mdx create mode 100644 business/aws/aws-managed-services/aws-opensearch.mdx create mode 100644 business/aws/aws-managed-services/aws-s3.mdx create mode 100644 business/aws/aws-native-privatelink.mdx create mode 100644 business/aws/aws-privatelink/connect-di-to-customer-csp.mdx create mode 100644 business/aws/aws-privatelink/connect-to-platform.mdx create mode 100644 business/aws/aws-privatelink/dns-aws.mdx create mode 100644 business/aws/aws-privatelink/overview.md create mode 100644 business/aws/connector-support-aws.mdx rename business/aws/{onboard.mdx => in-vpc-onboarding.mdx} (100%) rename business/dedicated-instances/{ => security}/security-faq.mdx (100%) rename business/dedicated-instances/{security.mdx => security/security-model.mdx} (100%) rename business/dedicated-instances/{ => security}/shared-responsibility-model.mdx (100%) 
diff --git a/business/aws/aws-customer-managed-services.mdx b/business/aws/aws-customer-managed-services.mdx new file mode 100644 index 00000000..e69de29b diff --git a/business/aws/aws-managed-services/aws-bedrock.mdx b/business/aws/aws-managed-services/aws-bedrock.mdx new file mode 100644 index 00000000..e69de29b diff --git a/business/aws/aws-managed-services/aws-kafka.mdx b/business/aws/aws-managed-services/aws-kafka.mdx new file mode 100644 index 00000000..e69de29b diff --git a/business/aws/aws-managed-services/aws-opensearch.mdx b/business/aws/aws-managed-services/aws-opensearch.mdx new file mode 100644 index 00000000..e69de29b diff --git a/business/aws/aws-managed-services/aws-s3.mdx b/business/aws/aws-managed-services/aws-s3.mdx new file mode 100644 index 00000000..e69de29b diff --git a/business/aws/aws-native-privatelink.mdx b/business/aws/aws-native-privatelink.mdx new file mode 100644 index 00000000..e69de29b diff --git a/business/aws/aws-privatelink/connect-di-to-customer-csp.mdx b/business/aws/aws-privatelink/connect-di-to-customer-csp.mdx new file mode 100644 index 00000000..e69de29b diff --git a/business/aws/aws-privatelink/connect-to-platform.mdx b/business/aws/aws-privatelink/connect-to-platform.mdx new file mode 100644 index 00000000..0f51d1a8 --- /dev/null +++ b/business/aws/aws-privatelink/connect-to-platform.mdx 
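Review bot: Seven of the new files (aws-customer-managed-services, aws-bedrock, aws-kafka, aws-opensearch, aws-s3, aws-native-privatelink, connect-di-to-customer-csp) are committed empty (blob `e69de29b`); the docs.json hunk for this commit is not shown, so confirm they are not yet in navigation, otherwise they publish as blank pages. If they are placeholders, a one-line front matter with a title keeps the build from rendering an untitled page.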
@@ -0,0 +1,13 @@ +--- +title: Connecting your applications to the Unstructured Platform (UI and API) +sidebarTitle: Connect to your Unstructured Platform +--- +This enables Customer applications to access the Unstructured Platform (UI and API). + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | VPC Endpoint Service Name | Service name for Unstructured Endpoint | `com.amazonaws.vpce.us-west-2.vpce-svc-0abc123` | Unstructured | +| 1 | Service Region | Region where Unstructured’s service is hosted | `us-east-1` | Unstructured | +| 2 | AWS Account ID | 12-digit AWS Account Identifier | `123456789012` | Customer | +| 2 | AWS Region | Region where VPC Endpoint will be created | `us-east-1` | Customer | +| 2 | VPC ID | VPC where endpoint will be deployed | `vpc-0abc123def456789` | Customer | \ No newline at end of file diff --git a/business/aws/aws-privatelink/dns-aws.mdx b/business/aws/aws-privatelink/dns-aws.mdx new file mode 100644 index 00000000..a6acdd6a --- /dev/null +++ b/business/aws/aws-privatelink/dns-aws.mdx 
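Review bot: The examples in the table are cross-region: the VPC Endpoint Service Name `com.amazonaws.vpce.us-west-2.vpce-svc-0abc123` is a us-west-2 service while Service Region and the customer's AWS Region are both `us-east-1`; since requirements.mdx marks cross-region PrivateLink as "not advised", make the example regions match. The `Order` column has two rows numbered 1 and three numbered 2 with no explanation; add a sentence that Unstructured provides its values first and the customer replies with theirs via the support ticket described in preparing.mdx. The file also ends without a trailing newline.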
@@ -0,0 +1,26 @@ +--- +title: DNS configuration for PrivateLink access +sidebarTitle: DNS configuration +--- + +To access the Dedicated Instance over PrivateLink, DNS must be configured so the service hostname resolves to the private IPs of the VPC Endpoint. Clients must connect using the exact service hostname provided, because TLS is terminated using a provider-managed certificate. + +**Option 1: Enable Private DNS on the VPC Endpoint (Recommended)** + +If your VPC uses Route 53 for DNS resolution, enable Private DNS on the Interface VPC Endpoint. When Private DNS is enabled: +- Route 53 automatically creates DNS records for the service hostname. +- The hostname resolves to the private IPs of the VPC Endpoint. +- No manual hosted zone or records are required. + +**Option 2: Manually Manage DNS Using a Private Hosted Zone** + +If Private DNS cannot be enabled, configure DNS manually using Route 53: + +1. Create a Route 53 Private Hosted Zone matching the service hostname domain (e.g., `privatelink.unstructuredapp.io`). +2. Create an A record or alias record pointing to the VPC Endpoint: + + ``` + example.privatelink.unstructuredapp.io → vpce-0abc123def456789.elb.us-east-1.vpce.amazonaws.com + ``` + +3. Associate the hosted zone with the VPC(s) where clients will access the service. diff --git a/business/aws/aws-privatelink/overview.md b/business/aws/aws-privatelink/overview.md new file mode 100644 index 00000000..9d7af679 --- /dev/null +++ b/business/aws/aws-privatelink/overview.md @@ -0,0 +1,5 @@ +--- +title: Configure AWS PrivateLink +sidebarTitle: Overview +--- +This section outlines the information required by both parties to establish AWS PrivateLink. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. 
diff --git a/business/aws/connector-support-aws.mdx b/business/aws/connector-support-aws.mdx new file mode 100644 index 00000000..07a1eb57 --- /dev/null +++ b/business/aws/connector-support-aws.mdx 
@@ -0,0 +1,22 @@ +--- +title: Connector support for AWS PrivateLink +sidebarTitle: Connector support +--- + +Not all Unstructured platform connectors can be accessed via AWS PrivateLink. The table below summarizes the coverage and configuration approach for each connector in a Dedicated Instance context. + +| Connector | PrivateLink Supported | Approach | Configuration Section | +| --- | --- | --- | --- | +| **Customer → Unstructured (UI/API)** | ✅ | Interface VPC Endpoint | [Link](about:blank#connections-into-unstructured-vpc-aws) | +| **AWS S3** | ✅ | Gateway Endpoint | [Link](about:blank#aws-s3-gateway-endpoint) | +| **AWS Bedrock** (VLM) | ✅ | Interface VPC Endpoint (Unstructured side) | [Link](about:blank#aws-bedrock) | +| **AWS OpenSearch Service** | ✅ | Interface VPC Endpoint | [Link](about:blank#aws-managed-services-with-native-privatelink) | +| **AWS OpenSearch Serverless** | ✅ | VPC Endpoint + Data Access Policy | [Link](about:blank#aws-opensearch-serverless) | +| **AWS MSK (Kafka)** | ✅ | Multi-VPC Connectivity (MSK native) | [Link](about:blank#aws-msk-kafka) | +| **AWS RDS / PostgreSQL** | ✅ | NLB-backed Endpoint Service | [Link](about:blank#customer-managed-services-aws-or-aws-services-with-nlb) | +| **Databricks on AWS** | ✅ | Databricks PrivateLink | [Link](about:blank#aws-databricks) | +| **Elasticsearch (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](about:blank#customer-managed-services-aws-or-aws-services-with-nlb) | +| **MongoDB (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](about:blank#customer-managed-services-aws-or-aws-services-with-nlb) | +| **Box, Confluence, Dropbox, Google Drive, Jira, OneDrive, Outlook, Salesforce, SharePoint, Slack, Zendesk** | ❌ | SaaS — requires public egress | Requires [public egress](about:blank#optional-enabling-public-egress) | +| **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires public egress | +| **Snowflake (multi-cloud/SaaS)** | Varies | Native if on AWS; 
public egress otherwise | See Snowflake section | diff --git a/business/aws/onboard.mdx b/business/aws/in-vpc-onboarding.mdx similarity index 100% rename from business/aws/onboard.mdx rename to business/aws/in-vpc-onboarding.mdx diff --git a/business/dedicated-instances/security-faq.mdx b/business/dedicated-instances/security/security-faq.mdx similarity index 100% rename from business/dedicated-instances/security-faq.mdx rename to business/dedicated-instances/security/security-faq.mdx diff --git a/business/dedicated-instances/security.mdx b/business/dedicated-instances/security/security-model.mdx similarity index 100% rename from business/dedicated-instances/security.mdx rename to business/dedicated-instances/security/security-model.mdx diff --git a/business/dedicated-instances/shared-responsibility-model.mdx b/business/dedicated-instances/security/shared-responsibility-model.mdx similarity index 100% rename from business/dedicated-instances/shared-responsibility-model.mdx rename to business/dedicated-instances/security/shared-responsibility-model.mdx diff --git a/docs.json b/docs.json index 39fa47f7..ffa7d80e 100644 --- a/docs.json +++ b/docs.json 
@@ -344,19 +344,28 @@ "pages": [ "business/dedicated-instances/overview", "business/dedicated-instances/architecture", - "business/dedicated-instances/security", - "business/dedicated-instances/security-faq", - "business/dedicated-instances/shared-responsibility-model", - "business/dedicated-instances/requirements", - "business/dedicated-instances/preparing" - ] - }, + { "group": "Security", + "pages": [ + "business/dedicated-instances/security/security-model", + "business/dedicated-instances/security/shared-responsibility-model", + "business/dedicated-instances/security/security-faq" + ] + }, + "business/dedicated-instances/requirements", + "business/dedicated-instances/preparing" + ] + }, { "group": "AWS", "pages": [ "business/aws/overview", - "business/aws/dedicated-instance-privatelink", - "business/aws/onboard" + { "group": "Dedicated Instance and PrivateLink", + "pages": [ + "business/dedicated-instances/security-model", + "business/dedicated-instances/shared-responsibility-model", + ] + } + "business/aws/in-vpc-onboarding" ] }, { From 3443e27f12f60526058e9e1d4dcf11c851ebe34c Mon Sep 17 00:00:00 2001 
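Review bot: the example values in the connect-to-platform table disagree with each other: the VPC Endpoint Service Name example lives in `us-west-2` (`com.amazonaws.vpce.us-west-2.vpce-svc-0abc123`) while the Service Region row on the same order says `us-east-1`. An interface endpoint can only be created in the region of the endpoint service, so make the two examples agree, and add the missing trailing newline the diff flags for this file.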
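Review bot: step 2 of Option 2 in dns-aws.mdx says to create "an A record or alias record", but the example maps the service hostname to the endpoint's DNS name (`vpce-0abc123def456789.elb.us-east-1.vpce.amazonaws.com`), which is what a CNAME or a Route 53 alias does; a plain A record would need the endpoint's private IPs instead. Say "alias (or CNAME) record" so the reader does not try to paste a hostname into an A record, and give the fence a language tag so the mapping renders as code rather than a bare block.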
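Review bot: every entry in the Configuration Section column of connector-support-aws.mdx points at `about:blank#...`, so none of the links resolves; now that each configuration lives on its own page (connect-to-platform, dns-aws and the service pages created here), replace these with relative page links. The Snowflake row ("See Snowflake section") and the public-egress rows also need real targets, since the anchors they name do not exist on this page.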
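Review bot: the new "Dedicated Instance and PrivateLink" group under AWS in docs.json will break the build: it lists `business/dedicated-instances/security-model` and `business/dedicated-instances/shared-responsibility-model`, paths that do not exist (this same patch moves those files under `business/dedicated-instances/security/`), and they duplicate the Security group added just above. The JSON is also invalid, with a trailing comma after the last page in that group and no comma between the closing `}` and `"business/aws/in-vpc-onboarding"`. The intent was presumably to list the pages this patch creates (`business/aws/aws-privatelink/*` and `business/aws/connector-support-aws`), none of which is added to navigation.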
From: monica-unstructured Date: Sun, 22 Mar 2026 21:55:58 -0400 Subject: [PATCH 08/29] Complete content add for PrivateLink config and refactor content organization. --- .../aws/aws-customer-managed-services.mdx | 0 .../aws/aws-managed-services/aws-bedrock.mdx | 0 .../aws/aws-managed-services/aws-kafka.mdx | 0 .../aws-managed-services/aws-opensearch.mdx | 0 business/aws/aws-managed-services/aws-s3.mdx | 0 business/aws/aws-native-privatelink.mdx | 0 .../connect-di-to-customer-csp.mdx | 0 .../aws-privatelink/connect-to-platform.mdx | 4 +- .../aws-privatelink/connect-to-services.mdx | 447 ++++++++++++++++++ .../connector-support.mdx} | 0 .../{dns-aws.mdx => dns-configuration.mdx} | 0 business/aws/aws-privatelink/overview.md | 2 +- ...-vpc-onboarding.mdx => onboard-in-vpc.mdx} | 0 ...x => x-dedicated-instance-privatelink.mdx} | 4 +- business/aws/{overview.mdx => x-overview.mdx} | 4 +- .../azure-privatelink/connect-to-platform.mdx | 16 + .../azure-privatelink/connect-to-services.mdx | 170 +++++++ .../azure-privatelink/connector-support.mdx | 22 + .../azure-privatelink/dns-configuration.mdx | 13 + business/azure/azure-privatelink/overview.md | 5 + ...-privatelink.mdx => x-dns-privatelink.mdx} | 4 +- business/azure/{onboard.mdx => x-onboard.mdx} | 4 +- .../azure/{overview.mdx => x-overview.mdx} | 4 +- docs.json | 41 +- 24 files changed, 713 insertions(+), 27 deletions(-) delete mode 100644 business/aws/aws-customer-managed-services.mdx delete mode 100644 business/aws/aws-managed-services/aws-bedrock.mdx delete mode 100644 business/aws/aws-managed-services/aws-kafka.mdx delete mode 100644 business/aws/aws-managed-services/aws-opensearch.mdx delete mode 100644 business/aws/aws-managed-services/aws-s3.mdx delete mode 100644 business/aws/aws-native-privatelink.mdx delete mode 100644 business/aws/aws-privatelink/connect-di-to-customer-csp.mdx create mode 100644 business/aws/aws-privatelink/connect-to-services.mdx rename business/aws/{connector-support-aws.mdx => 
aws-privatelink/connector-support.mdx} (100%) rename business/aws/aws-privatelink/{dns-aws.mdx => dns-configuration.mdx} (100%) rename business/aws/{in-vpc-onboarding.mdx => onboard-in-vpc.mdx} (100%) rename business/aws/{dedicated-instance-privatelink.mdx => x-dedicated-instance-privatelink.mdx} (95%) rename business/aws/{overview.mdx => x-overview.mdx} (92%) create mode 100644 business/azure/azure-privatelink/connect-to-platform.mdx create mode 100644 business/azure/azure-privatelink/connect-to-services.mdx create mode 100644 business/azure/azure-privatelink/connector-support.mdx create mode 100644 business/azure/azure-privatelink/dns-configuration.mdx create mode 100644 business/azure/azure-privatelink/overview.md rename business/azure/{dns-privatelink.mdx => x-dns-privatelink.mdx} (91%) rename business/azure/{onboard.mdx => x-onboard.mdx} (99%) rename business/azure/{overview.mdx => x-overview.mdx} (94%) diff --git a/business/aws/aws-customer-managed-services.mdx b/business/aws/aws-customer-managed-services.mdx deleted file mode 100644 index e69de29b..00000000 diff --git a/business/aws/aws-managed-services/aws-bedrock.mdx b/business/aws/aws-managed-services/aws-bedrock.mdx deleted file mode 100644 index e69de29b..00000000 diff --git a/business/aws/aws-managed-services/aws-kafka.mdx b/business/aws/aws-managed-services/aws-kafka.mdx deleted file mode 100644 index e69de29b..00000000 diff --git a/business/aws/aws-managed-services/aws-opensearch.mdx b/business/aws/aws-managed-services/aws-opensearch.mdx deleted file mode 100644 index e69de29b..00000000 diff --git a/business/aws/aws-managed-services/aws-s3.mdx b/business/aws/aws-managed-services/aws-s3.mdx deleted file mode 100644 index e69de29b..00000000 diff --git a/business/aws/aws-native-privatelink.mdx b/business/aws/aws-native-privatelink.mdx deleted file mode 100644 index e69de29b..00000000 
diff --git a/business/aws/aws-privatelink/connect-di-to-customer-csp.mdx b/business/aws/aws-privatelink/connect-di-to-customer-csp.mdx deleted file mode 100644 index e69de29b..00000000 diff --git a/business/aws/aws-privatelink/connect-to-platform.mdx b/business/aws/aws-privatelink/connect-to-platform.mdx index 0f51d1a8..533f352d 100644 --- a/business/aws/aws-privatelink/connect-to-platform.mdx +++ b/business/aws/aws-privatelink/connect-to-platform.mdx @@ -1,6 +1,6 @@ --- -title: Connecting your applications to the Unstructured Platform (UI and API) -sidebarTitle: Connect to your Unstructured Platform +title: Connecting to the Unstructured Platform (UI and API) +sidebarTitle: Connecting to the Unstructured Platform --- This enables Customer applications to access the Unstructured Platform (UI and API). diff --git a/business/aws/aws-privatelink/connect-to-services.mdx b/business/aws/aws-privatelink/connect-to-services.mdx new file mode 100644 index 00000000..27fb505b --- /dev/null +++ b/business/aws/aws-privatelink/connect-to-services.mdx 
@@ -0,0 +1,447 @@ +--- +title: Connecting to your AWS services +sidebarTitle: Connecting to your AWS services +--- + +This topic covers the required information to enable your Dedicated Instance to connect to AWS services in your VPC. There are multiple situations that may require different configurations. + +* AWS PrivateLink +* Native PrivateLink +* Customer managed AWS services +* AWS services that require a Network Loa Balancer (NLB) front end + +## AWS managed services + +### AWS S3 (Gateway Endpoint) + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | S3 Bucket Name | Buckets Unstructured needs to access | `my-documents` | Customer | +| 1 | S3 Bucket Region | Region where bucket is located | `us-east-1` | Customer | +| 2 | Unstructured IAM Role ARN | IAM Role ARN that will access S3 | `arn:aws:iam::987654321098:role/unstructured-s3-access` | Unstructured | + +> **Note:** This section also covers **Delta Tables in Amazon S3** — the S3 Gateway Endpoint configuration is the same. +> + +**Example S3 Bucket Policy** + +The customer must create a bucket policy that grants Unstructured’s IAM Role access to the required S3 buckets. + +For read-only access: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowUnstructuredAccess", + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::", + "arn:aws:s3:::/*" + ] + } + ] +} +``` + +For write access (e.g., if S3 is a destination), add: + +```json +{ + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:ListBucket" + ] +} +``` + +Replace: +- `` — Unstructured’s IAM Role ARN (provided during setup). +- `` — Your S3 bucket name. + +--- + +### AWS Bedrock + +Amazon Bedrock is accessed via AWS-provided VPC endpoints. Unstructured configures VPC endpoints in our VPC to ensure all traffic to Bedrock stays off the public internet. 
Access to customer-specific Bedrock resources is controlled via IAM policies. + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Bedrock Region | AWS region where Bedrock resources are located | `us-east-1` | Customer | +| 1 | Model IDs / ARNs | Foundation models or custom models to access | `anthropic.claude-sonnet-4-5`, `arn:aws:bedrock:us-east-1:123456789012:custom-model/my-model` | Customer | +| 2 | Unstructured AWS Account ID | Account ID to allow in IAM/resource policies | `987654321098` | Unstructured | +| 2 | Unstructured IAM Role ARN | IAM Role ARN that will access Bedrock | `arn:aws:iam::987654321098:role/unstructured-bedrock` | Unstructured | + +> Unstructured configures the Bedrock VPC endpoint on our side. The customer must create IAM policies that grant access to Unstructured’s IAM Role. +> + +**Example IAM Policy** + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowBedrockModelInvocation", + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": [ + "bedrock:InvokeModel", + "bedrock:InvokeModelWithResponseStream" + ], + "Resource": [ + "arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-5-*", + "arn:aws:bedrock:::foundation-model/anthropic.claude-opus-4-5-*", + "arn:aws:bedrock:::custom-model/*" + ] + } + ] +} +``` + +Replace: +- `` — Unstructured’s AWS IAM Role ARN (provided during setup). +- `` — Your AWS Account ID. +- `` — Your Bedrock region. + +--- + +### AWS MSK (Kafka) + +Amazon MSK supports native multi-VPC private connectivity via PrivateLink. This enables Unstructured to connect to the customer’s MSK cluster (as a Kafka source) entirely within the AWS private network. The customer must have an MSK cluster with **Multi-VPC Connectivity** enabled. + +> **Note:** MSK Multi-VPC Connectivity requires MSK cluster type: **provisioned** (not serverless). The cluster must use TLS or SASL/TLS authentication. 
+> + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | MSK Cluster ARN | ARN of the MSK cluster | `arn:aws:kafka:us-east-1:123456789012:cluster/my-cluster/abc-123` | Customer | +| 1 | MSK Cluster Region | AWS region where cluster is deployed | `us-east-1` | Customer | +| 1 | Kafka Port | Port the brokers listen on | `9094` (TLS) or `9096` (SASL/TLS) | Customer | +| 1 | Topic Name(s) | Kafka topics Unstructured needs to read | `documents-raw`, `documents-processed` | Customer | +| 2 | Unstructured AWS Account ID | Account ID to add as allowed principal | `987654321098` | Unstructured | +| 3 | VPC Endpoint Service Name | Service name created when Multi-VPC Connectivity is enabled | `com.amazonaws.vpce.us-east-1.vpce-svc-0abc123` | Customer | +| 3 | Bootstrap Broker Endpoints | Private broker DNS names for the cluster | `b-1.mycluster.abc123.kafka.us-east-1.amazonaws.com:9094` | Customer | + +**Enabling MSK Multi-VPC Connectivity** + +Using AWS Console: +1. Navigate to **Amazon MSK** > select your cluster. +2. Choose **Actions** > **Edit cluster connectivity**. +3. Enable **Multi-VPC connectivity**. +4. Confirm — MSK will create a VPC Endpoint Service automatically. 
+ +Using AWS CLI: + +```bash +aws kafka update-connectivity \ + --cluster-arn "" \ + --connectivity-info '{ + "VpcConnectivity": { + "ClientAuthentication": { + "Tls": { "Enabled": true } + } + } + }' +``` + +After enabling, retrieve the VPC Endpoint Service name: + +```bash +aws kafka describe-cluster \ + --cluster-arn "" \ + --query 'ClusterInfo.BrokerNodeGroupInfo.ConnectivityInfo' +``` + +**Adding Unstructured as an Allowed Principal** + +Once Multi-VPC Connectivity is enabled, add Unstructured’s AWS Account ID as an allowed principal on the endpoint service: + +```bash +aws ec2 modify-vpc-endpoint-service-permissions \ + --service-id \ + --add-allowed-principals "arn:aws:iam:::root" +``` + +Replace: +- `` — The endpoint service ID created by MSK Multi-VPC Connectivity. +- `` — Unstructured’s AWS Account ID (provided during setup). + +--- + +### AWS OpenSearch Service + +Amazon OpenSearch Service supports native Interface VPC Endpoints. Unstructured creates a VPC endpoint in our VPC targeting the customer’s OpenSearch domain. 
+ +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | OpenSearch Domain ARN | ARN of the OpenSearch domain | `arn:aws:es:us-east-1:123456789012:domain/my-domain` | Customer | +| 1 | OpenSearch Domain Region | AWS region where domain is deployed | `us-east-1` | Customer | +| 1 | Service Port | Port the service listens on | `443` | Customer | +| 2 | Unstructured AWS Account ID | Account ID to add as allowed principal | `987654321098` | Unstructured | +| 2 | Unstructured IAM Role ARN | IAM Role that will access OpenSearch | `arn:aws:iam::987654321098:role/unstructured-opensearch` | Unstructured | +| 3 | VPC Endpoint DNS | The endpoint DNS name for connection | `vpc-my-domain-xyz.us-east-1.es.amazonaws.com` | Customer | + +**Example Domain Access Policy** + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "" + }, + "Action": [ + "es:ESHttpGet", + "es:ESHttpHead", + "es:ESHttpPost", + "es:ESHttpPut", + "es:ESHttpDelete" + ], + "Resource": "arn:aws:es:::domain//*" + } + ] +} +``` + +Replace: +- `` — Unstructured’s AWS Role ARN (provided during setup). +- `` — Your AWS Account ID. +- `` — Your OpenSearch region. +- `` — Your OpenSearch domain name. + +--- + +### AWS OpenSearch Serverless + +> **Important:** OpenSearch Serverless uses a fundamentally different access model compared to OpenSearch Service. It does not use resource-based access policies. Instead, access is controlled through **data access policies** and **network access policies** tied to VPC endpoints. 
+> + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Collection Name | Name of the OpenSearch Serverless collection | `my-vector-store` | Customer | +| 1 | Collection ARN | Full ARN of the collection | `arn:aws:aoss:us-east-1:123456789012:collection/abc123` | Customer | +| 1 | Collection Endpoint | HTTPS endpoint of the collection | `abc123.us-east-1.aoss.amazonaws.com` | Customer | +| 1 | Collection Region | AWS region where collection is deployed | `us-east-1` | Customer | +| 2 | Unstructured AWS Account ID | Account ID to add to network access policy | `987654321098` | Unstructured | +| 2 | Unstructured IAM Role ARN | IAM Role ARN to grant data access | `arn:aws:iam::987654321098:role/unstructured-aoss` | Unstructured | +| 3 | VPC Endpoint ID | VPC endpoint ID created by Unstructured for `aoss.amazonaws.com` | `vpce-0abc123def456789` | Unstructured | + +**Step 1: Create a Network Access Policy** + +The network access policy must allow Unstructured’s VPC endpoint to access the collection. Create or update the network policy for your collection: + +```json +[ + { + "Rules": [ + { + "Resource": ["collection/my-vector-store"], + "ResourceType": "collection" + } + ], + "AllowFromPublic": false, + "SourceVPCEs": [""] + } +] +``` + +Using AWS CLI: + +```bash +aws opensearchserverless update-security-policy \ + --name "my-network-policy" \ + --type network \ + --policy '[{"Rules":[{"Resource":["collection/my-vector-store"],"ResourceType":"collection"}],"AllowFromPublic":false,"SourceVPCEs":[""]}]' +``` + +**Step 2: Create a Data Access Policy** + +The data access policy grants Unstructured’s IAM Role permissions to read/write the collection’s indexes. 
+ +For a vector store destination (read/write): + +```json +[ + { + "Rules": [ + { + "Resource": ["index/my-vector-store/*"], + "Permission": [ + "aoss:CreateIndex", + "aoss:DeleteIndex", + "aoss:UpdateIndex", + "aoss:DescribeIndex", + "aoss:ReadDocument", + "aoss:WriteDocument" + ], + "ResourceType": "index" + }, + { + "Resource": ["collection/my-vector-store"], + "Permission": ["aoss:DescribeCollectionItems"], + "ResourceType": "collection" + } + ], + "Principal": [""] + } +] +``` + +Using AWS CLI: + +```bash +aws opensearchserverless create-access-policy \ + --name "unstructured-access" \ + --type data \ + --policy '[{"Rules":[{"Resource":["index/my-vector-store/*"],"Permission":["aoss:CreateIndex","aoss:DeleteIndex","aoss:UpdateIndex","aoss:DescribeIndex","aoss:ReadDocument","aoss:WriteDocument"],"ResourceType":"index"},{"Resource":["collection/my-vector-store"],"Permission":["aoss:DescribeCollectionItems"],"ResourceType":"collection"}],"Principal":[""]}]' +``` + +Replace: +- `` — VPC Endpoint ID provided by Unstructured (from Step 2 of the information exchange). +- `` — Unstructured’s IAM Role ARN (provided during setup). +- `my-vector-store` — Your OpenSearch Serverless collection name. + +--- + +### AWS Databricks + +Databricks on AWS supports native PrivateLink connectivity. The customer must have a Databricks Enterprise plan with a customer-managed VPC and PrivateLink enabled on their workspace. 
+ +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Databricks Workspace URL | The workspace URL | `myworkspace.cloud.databricks.com` | Customer | +| 1 | Databricks Workspace Region | AWS region where workspace is deployed | `us-east-1` | Customer | +| 1 | Private Access Level | Whether access is at ACCOUNT or ENDPOINT level | `ACCOUNT`, `ENDPOINT` | Customer | +| 2 | Unstructured VPC Endpoint ID | VPC Endpoint ID to add to allowed list (if ENDPOINT level) | `vpce-0abc123def456789` | Unstructured | +| 3 | Workspace VPC Endpoint DNS | The private endpoint DNS for the workspace | `myworkspace.privatelink.cloud.databricks.com` | Customer | + +**Example: Databricks Private Access Settings (ENDPOINT level)** + +If using ENDPOINT level access, add Unstructured’s VPC Endpoint ID to the allowed list via the Databricks Account Console or API: + +```json +{ + "private_access_settings_name": "unstructured-access", + "region": "", + "public_access_enabled": false, + "private_access_level": "ENDPOINT", + "allowed_vpc_endpoint_ids": [ + "" + ] +} +``` + +Replace: +- `` — VPC Endpoint ID provided by Unstructured. +- `` — Your Databricks region. + +> For ACCOUNT level access, no explicit endpoint allowlisting is required — any VPC endpoint registered in the Databricks account can connect. +> + +--- + +### ~~Snowflake on AWS~~ + +~~Snowflake supports AWS PrivateLink via Snowflake’s native Private Link feature. This is available for Snowflake accounts hosted on AWS. 
The customer must have a **Business Critical** or higher Snowflake edition to use Private Link.~~ + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Snowflake Account Identifier | The Snowflake account identifier | `myorg-myaccount` | Customer | +| 1 | Snowflake Account Region | AWS region where account is hosted | `us-east-1` | Customer | +| 2 | Unstructured AWS Account ID | AWS Account ID to authorize for Private Link | `987654321098` | Unstructured | +| 3 | Snowflake Private Link URL | Private Link hostname after enablement | `myorg-myaccount.privatelink.snowflakecomputing.com` | Customer | +| 3 | Snowflake VPC Endpoint Service Name | The service name for Snowflake’s endpoint service | `com.amazonaws.vpce.us-east-1.vpce-svc-0abc123` | Customer | + +**~~Enabling Snowflake Private Link~~** + +1. ~~Contact Snowflake Support or your Snowflake account representative to enable Private Link for your account and authorize Unstructured’s AWS Account ID.~~ +2. ~~Once enabled, retrieve the Private Link configuration:~~ + +```sql +SELECT SYSTEM$GET_PRIVATELINK_CONFIG(); +``` + +~~This returns the VPC Endpoint Service name and private hostname that Unstructured will need.~~ + +1. ~~Share the output with Unstructured via a support ticket. Unstructured will create a VPC endpoint and provide the VPC Endpoint ID.~~ +2. ~~Authorize Unstructured’s VPC Endpoint in Snowflake:~~ + +```sql +SELECT SYSTEM$AUTHORIZE_PRIVATELINK('', ''); +``` + +~~Replace: +- `` — Unstructured’s AWS Account ID (provided during setup). +- `` — VPC Endpoint ID provided by Unstructured.~~ + +--- + +## AWS Managed Services with native PrivateLink + +Some AWS managed services support native PrivateLink endpoints. The customer creates a VPC endpoint for their service, and Unstructured connects to it. This pattern applies to services like **Amazon ElastiCache (Redis)** and **AWS Elasticsearch Service (legacy)**. 
+ +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Service Type | The AWS Service being accessed | `ElastiCache`, `Elasticsearch` | Customer | +| 1 | Service Region | Region where the service is hosted | `us-east-1` | Customer | +| 1 | Service Port | Port the service listens on | `6379` (Redis), `443` (Elasticsearch) | Customer | +| 1 | Resource ARN | ARN of the resource | `arn:aws:elasticache:us-east-1:123456789012:cluster/my-cache` | Customer | +| 2 | Unstructured AWS Account ID | Account ID to add as allowed principal | `987654321098` | Unstructured | +| 2 | Unstructured IAM Role ARN | IAM Role that will access the service | `arn:aws:iam::987654321098:role/unstructured-access` | Unstructured | +| 3 | VPC Endpoint ID | The service-managed VPC endpoint ID | `vpce-0abc123def456789` | Customer | +| 3 | VPC Endpoint DNS | The endpoint DNS name for connection | `vpce-0abc123.us-east-1.es.amazonaws.com` | Customer | + +--- + +## Customer Managed Services (AWS) or AWS Services with NLB + +This applies to: +- Applications the customer is **self-hosting** in their AWS VPC (e.g., Elasticsearch, MongoDB, Couchbase). +- AWS services that do **not** have native PrivateLink support and require an NLB front-end, such as **Amazon RDS, Aurora, Redshift, DocumentDB**. 
+ +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Service Type | The service being accessed | `PostgreSQL (RDS)`, `MongoDB`, `Elasticsearch` | Customer | +| 1 | Service Region | Region where the service is hosted | `us-east-1` | Customer | +| 1 | Service Port | Port the service listens on | `5432` (PostgreSQL), `27017` (MongoDB), `9200` (Elasticsearch) | Customer | +| 2 | Unstructured AWS Account ID | Account ID to add as allowed principal | `987654321098` | Unstructured | +| 2 | Unstructured IAM Role ARN | IAM Role that will access the service | `arn:aws:iam::987654321098:role/unstructured-access` | Unstructured | +| 3 | VPC Endpoint Service Name | Service name for the endpoint service fronting the NLB | `com.amazonaws.vpce.us-east-1.vpce-svc-0abc123` | Customer | +| 3 | Service Endpoint | The endpoint URL for connection | Custom DNS or endpoint service DNS | Customer | + +> The customer must create: (1) a Network Load Balancer targeting their managed service, and (2) a VPC Endpoint Service pointing to the NLB. +> + +**Example: Allow Unstructured as a Principal on the Endpoint Service** + +Using AWS Console: +1. Navigate to **VPC > Endpoint Services**. +2. Select your endpoint service. +3. Go to the **“Allow principals”** tab and click **“Allow principals”**. +4. Add the Unstructured ARN captured during the setup process. + +Using AWS CLI: + +```bash +aws ec2 modify-vpc-endpoint-service-permissions \ + --service-id vpce-svc-0abc123def456789 \ + --add-allowed-principals "" +``` + +Replace: +- `` — Unstructured’s AWS Role ARN (provided during setup). diff --git a/business/aws/connector-support-aws.mdx b/business/aws/aws-privatelink/connector-support.mdx similarity index 100% rename from business/aws/connector-support-aws.mdx rename to business/aws/aws-privatelink/connector-support.mdx 
diff --git a/business/aws/aws-privatelink/dns-aws.mdx b/business/aws/aws-privatelink/dns-configuration.mdx similarity index 100% rename from business/aws/aws-privatelink/dns-aws.mdx rename to business/aws/aws-privatelink/dns-configuration.mdx diff --git a/business/aws/aws-privatelink/overview.md b/business/aws/aws-privatelink/overview.md index 9d7af679..652ff7bc 100644 --- a/business/aws/aws-privatelink/overview.md +++ b/business/aws/aws-privatelink/overview.md @@ -1,5 +1,5 @@ --- -title: Configure AWS PrivateLink +title: Configure AWS PrivateLink for your Dedicated Instance sidebarTitle: Overview --- This section outlines the information required by both parties to establish AWS PrivateLink. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. diff --git a/business/aws/in-vpc-onboarding.mdx b/business/aws/onboard-in-vpc.mdx similarity index 100% rename from business/aws/in-vpc-onboarding.mdx rename to business/aws/onboard-in-vpc.mdx diff --git a/business/aws/dedicated-instance-privatelink.mdx b/business/aws/x-dedicated-instance-privatelink.mdx similarity index 95% rename from business/aws/dedicated-instance-privatelink.mdx rename to business/aws/x-dedicated-instance-privatelink.mdx index 9fabf18d..f6ae9be6 100644 --- a/business/aws/dedicated-instance-privatelink.mdx +++ b/business/aws/x-dedicated-instance-privatelink.mdx @@ -1,6 +1,6 @@ --- -title: Unstructured Business dedicated instance on Amazon Web Services (AWS) with PrivateLink - onboarding -sidebarTitle: Dedicated instance + PrivateLink onboarding +title: OLD - Unstructured Business dedicated instance on Amazon Web Services (AWS) with PrivateLink - onboarding +sidebarTitle: x Dedicated instance + PrivateLink onboarding --- 
diff --git a/business/aws/overview.mdx b/business/aws/x-overview.mdx similarity index 92% rename from business/aws/overview.mdx rename to business/aws/x-overview.mdx index 3d1d77f3..422e420b 100644 --- a/business/aws/overview.mdx +++ b/business/aws/x-overview.mdx @@ -1,6 +1,6 @@ --- -title: Unstructured Business on Amazon Web Services (AWS) - overview -sidebarTitle: Overview +title: OLD - Unstructured Business on Amazon Web Services (AWS) - overview +sidebarTitle: x Overview --- ## Getting started diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx new file mode 100644 index 00000000..7e5fd05f --- /dev/null +++ b/business/azure/azure-privatelink/connect-to-platform.mdx 
@@ -0,0 +1,16 @@ +--- +title: Connecting to the Unstructured Platform (UI and API) +sidebarTitle: Connecting to the Unstructured Platform +--- +This enables Customer applications to access the Unstructured Platform (UI and API). + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Private Link Service Resource ID | Resource ID of Unstructured’s Private Link Service | `/subscriptions/…/providers/Microsoft.Network/privateLinkServices/uio-pls` | Unstructured | +| 1 | Private Link Service Alias | Alias for Unstructured’s Private Link Service | `uio-pls.abc123.eastus.azure.privatelinkservice` | Unstructured | +| 1 | Service Region | Region where Unstructured’s service is hosted | `eastus` | Unstructured | +| 2 | Azure Subscription ID | Customer’s Azure Subscription ID (to approve connection) | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Customer | +| 2 | Azure Region | Region where Private Endpoint will be created | `eastus` | Customer | +| 2 | Virtual Network Name | VNet where endpoint will be deployed | `customer-vnet` | Customer | +| 2 | Subnet Name | Subnet for the private endpoint | `private-endpoints-subnet` | Customer | +| 2 | Resource Group | Resource group containing the VNet | `customer-network-rg` | Customer | \ No newline at end of file diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx new file mode 100644 index 00000000..f78ac654 --- /dev/null +++ b/business/azure/azure-privatelink/connect-to-services.mdx 
@@ -0,0 +1,170 @@ +--- +title: Connecting to your Azure services +sidebarTitle: Connecting to your Azure services +--- + +This topic covers the required information to enable your Dedicated Instance to connect to the Azure services in your Azure VNet. There are multiple situations that may require different configurations. + +* AWS PrivateLink +* Native PrivateLink +* Customer managed AWS services +* AWS services that require a Network Loa Balancer (NLB) front end + +## Azure managed services + +### Azure Blob Storage + +This applies to Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2). + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Storage Account Name | Name of the Azure Storage Account | `customerstorageacct` | Customer | +| 1 | Storage Account Resource ID | Full Azure Resource ID of the storage account | `/subscriptions/…/providers/Microsoft.Storage/storageAccounts/customerstorageacct` | Customer | +| 1 | Container Name(s) | Containers Unstructured needs to access | `documents, processed-data` | Customer | +| 1 | Storage Account Region | Region where storage account is located | `eastus` | Customer | +| 1 | Sub-resource Type | `blob`, `dfs` (for ADLS Gen2), `file`, `table`, `queue` | `blob`, `dfs` | Customer | +| 2 | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment | `b2c3d4e5-f6a7-8901-bcde-f23456789012` | Unstructured | +| 2 | Unstructured Subscription ID | Subscription ID for Private Endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | + +> For ADLS Gen2, use sub-resource type `dfs` for hierarchical namespace operations. The customer must approve the Private Endpoint connection request in the Storage Account > Networking > Private endpoint connections. 
+> + +**Example: Azure Role Assignment** + +Using Azure CLI for read-only access: + +```bash +az role assignment create \ + --assignee "" \ + --role "Storage Blob Data Reader" \ + --scope "/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/" +``` + +For read/write access, replace `"Storage Blob Data Reader"` with `"Storage Blob Data Contributor"`. + +Replace: +- `` — Unstructured’s Service Principal ID (provided during setup). +- `` — Your Azure Subscription ID. +- `` — Your Resource Group name. +- `` — Your Storage Account name. + +--- + +### Azure OpenAI + +Azure OpenAI supports Private Endpoint access. Unstructured creates a Private Endpoint in our VNet to access the customer’s Azure OpenAI resource privately. + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Azure OpenAI Resource Name | Name of the Azure OpenAI resource | `customer-openai` | Customer | +| 1 | Azure OpenAI Resource ID | Full Azure Resource ID | `/subscriptions/…/providers/Microsoft.CognitiveServices/accounts/customer-openai` | Customer | +| 1 | Azure OpenAI Region | Region where the resource is deployed | `eastus` | Customer | +| 1 | Deployment Name(s) | Model deployment names to access | `gpt-4-deployment, embedding-deployment` | Customer | +| 1 | Sub-resource Type | Always `account` for Azure OpenAI | `account` | Customer | +| 2 | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment | `b2c3d4e5-f6a7-8901-bcde-f23456789012` | Unstructured | +| 2 | Unstructured Subscription ID | Subscription ID for Private Endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | + +**Example: Azure Role Assignment for OpenAI** + +```bash +az role assignment create \ + --assignee "" \ + --role "Cognitive Services OpenAI User" \ + --scope "/subscriptions//resourceGroups//providers/Microsoft.CognitiveServices/accounts/" +``` + +After role assignment, configure the firewall to deny public 
access and approve the pending Private Endpoint connection request in the Azure Portal under the OpenAI resource > Networking > Private endpoint connections. + +--- + +### Azure Databricks + +Azure Databricks supports Private Link for both front-end (user-to-workspace) and back-end (compute-to-control plane) connectivity. The customer must have Private Link enabled on their workspace. + +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Databricks Workspace URL | The workspace URL | `adb-1234567890123456.12.azuredatabricks.net` | Customer | +| 1 | Databricks Workspace Resource ID | Full Azure Resource ID of the workspace | `/subscriptions/…/providers/Microsoft.Databricks/workspaces/customer-workspace` | Customer | +| 1 | Databricks Workspace Region | Azure region where workspace is deployed | `eastus` | Customer | +| 1 | Sub-resource Type | `databricks_ui_api` for workspace access | `databricks_ui_api` | Customer | +| 2 | Unstructured Subscription ID | Subscription ID for Private Endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | +| 3 | Private Endpoint DNS | The private endpoint DNS for the workspace | `adb-1234567890123456.12.privatelink.azuredatabricks.net` | Customer | + +After Unstructured creates the Private Endpoint, approve the connection: + +```bash +az network private-endpoint-connection approve \ + --resource-group "" \ + --resource-name "" \ + --name "" \ + --type Microsoft.Databricks/workspaces +``` + + +## Azure Managed Services with private endpoint access + +This applies to Azure-managed services that support Private Endpoint access, including: **Azure AI Search, Azure SQL Database, Azure SQL Managed Instance, Azure Cosmos DB, Azure Database for PostgreSQL, Azure Database for MySQL,** and **Azure Synapse Analytics**. 
+ +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Service Type | The Azure managed service being accessed | `Azure AI Search`, `Azure SQL` | Customer | +| 1 | Resource Name | Name of the Azure resource | `my-search-service` | Customer | +| 1 | Resource ID | Full Azure Resource ID | `/subscriptions/…/providers/Microsoft.Search/searchServices/my-search` | Customer | +| 1 | Service Region | Region where the service is hosted | `eastus` | Customer | +| 1 | Sub-Resource Type | The sub-resource type for Private Link (see table below) | `searchService`, `sqlServer` | Customer | +| 1 | Service Port | Port the service listens on | `443` (AI Search), `1433` (SQL) | Customer | +| 2 | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment | `b2c3d4e5-f6a7-8901-bcde-f23456789012` | Unstructured | +| 2 | Unstructured Subscription ID | Subscription ID to approve for Private Endpoint | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | + +**Sub-resource types by service:** + +| Service | Sub-Resource Type | +| --- | --- | +| AI Search | `searchService` | +| Azure SQL Database | `sqlServer` | +| Azure SQL Managed Instance | `managedInstance` | +| Azure Cosmos DB (SQL API) | `Sql` | +| Azure Cosmos DB (MongoDB API) | `MongoDB` | +| Azure Database for PostgreSQL | `postgresqlServer` | +| Azure Database for MySQL | `mysqlServer` | +| Azure Synapse Analytics | `Sql`, `SqlOnDemand`, `Dev` | + +--- + +## Customer Managed Services (Azure) + +This applies to applications the customer is self-hosting in their Azure VNet. The customer must create a Private Link Service in front of their application, backed by an Azure Standard Load Balancer. 
+ +| Order | Information Required | Description | Example | Who | +| --- | --- | --- | --- | --- | +| 1 | Private Link Service Name | Name of the customer’s Private Link Service | `customer-app-pls` | Customer | +| 1 | Private Link Service Resource ID | Full Resource ID of the Private Link Service | `/subscriptions/…/providers/Microsoft.Network/privateLinkServices/customer-app-pls` | Customer | +| 1 | Service Region | Region where the service is hosted | `eastus` | Customer | +| 1 | Service Port | Port(s) the service listens on | `443`, `8080` | Customer | +| 2 | Unstructured Subscription ID | Subscription ID to approve for connection | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | + +> The customer must create: (1) an Azure Standard Load Balancer fronting their application, and (2) a Private Link Service attached to the Load Balancer’s frontend IP. Unstructured then creates a Private Endpoint targeting the customer’s Private Link Service. +> + +**Example: Creating Private Link Service using Azure CLI** + +```bash +# Create Private Link Service +az network private-link-service create \ + --name "customer-app-pls" \ + --resource-group "" \ + --vnet-name "" \ + --subnet "" \ + --lb-name "" \ + --lb-frontend-ip-configs "" \ + --location "" + +# Approve connection after Unstructured creates Private Endpoint +az network private-link-service connection approve \ + --resource-group "" \ + --service-name "customer-app-pls" \ + --name "" +``` + +> **Private API Gateway Scenario:** If the customer’s application uses Azure API Management in private-only (internal VNet) mode, the API Management service cannot be directly exposed via Private Link Service. In this case, deploy an Azure Standard Load Balancer in front of API Management and create a Private Link Service pointing to the Load Balancer. +> \ No newline at end of file 
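Review bot: The introductory bullet list in `connect-to-services.mdx` is AWS text on an Azure page (`* AWS PrivateLink`, `* Customer managed AWS services`, `* AWS services that require a Network Loa Balancer (NLB) front end`, with "Loa" also a typo) and does not match the sections that follow; replace it with the Azure cases the page actually covers (Azure managed services, managed services reached through a Private Endpoint, customer-managed services behind a Private Link Service). Second, every placeholder in the CLI blocks and in the "Replace:" list is empty as rendered (`--assignee ""`, `--scope "/subscriptions//resourceGroups//providers/..."`, `` — Unstructured's Service Principal ID`), which looks like angle-bracket tokens were consumed as JSX by MDX; use bracket-free placeholders such as `SERVICE_PRINCIPAL_ID` and `STORAGE_ACCOUNT_NAME` so the commands are usable and the substitution list is readable. Third, on least privilege: the Blob Storage table collects the specific `Container Name(s)` Unstructured needs, but the role-assignment example scopes `Storage Blob Data Reader` to the whole storage account; show the container-level scope (`.../storageAccounts/NAME/blobServices/default/containers/CONTAINER`) as the recommended form and account-level scope as the fallback. Fourth, the `az network private-link-service create` example does not set `--visibility` or `--auto-approval`, even though the table directly above it collects the Unstructured subscription ID for exactly that purpose; state the intended setting (restrict visibility to that subscription) rather than leaving the default implicit. Fifth, please verify `az network private-link-service connection approve` against the CLI reference; as far as I know the supported form is `az network private-link-service connection update ... --connection-status Approved`. Minor: the stray `+>` lines after both blockquotes, and heading case differs between `## Azure managed services` and `## Azure Managed Services with private endpoint access`.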
diff --git a/business/azure/azure-privatelink/connector-support.mdx b/business/azure/azure-privatelink/connector-support.mdx new file mode 100644 index 00000000..66837183 --- /dev/null +++ b/business/azure/azure-privatelink/connector-support.mdx @@ -0,0 +1,22 @@ +--- +title: Connector support for Azure Private Link +sidebarTitle: Connector support +--- + +This section outlines the information required by both parties to establish Azure Private Link. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. + +### Azure Connector Coverage + +| Connector | PrivateLink Supported | Approach | Configuration Section | +| --- | --- | --- | --- | +| **Customer → Unstructured (UI/API)** | ✅ | Private Endpoint | [Link](about:blank#connections-into-unstructured-vpc-azure) | +| **Azure Blob Storage / ADLS Gen2** | ✅ | Private Endpoint | [Link](about:blank#azure-blob-storage) | +| **Azure OpenAI** | ✅ | Private Endpoint | [Link](about:blank#azure-openai) | +| **Azure OpenAI via API Management** | ✅ | Private Endpoint + APIM Private mode | Contact Unstructured | +| **Azure AI Search** | ✅ | Private Endpoint | [Link](about:blank#azure-managed-services) | +| **Databricks (Azure)** | ✅ | Private Link | [Link](about:blank#azure-databricks) | +| **Azure SQL / Cosmos DB / PostgreSQL / MySQL / Synapse** | ✅ | Private Endpoint | [Link](about:blank#azure-managed-services) | +| **Customer Managed Services (Azure)** | ✅ | Private Link Service + Standard Load Balancer | [Link](about:blank#customer-managed-services-azure) | +| **OneDrive / SharePoint / Outlook** | ❌ | Microsoft SaaS — requires public egress | Requires public egress | +| **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires public egress | + 
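Review bot: Every `Configuration Section` link in the `connector-support.mdx` coverage table points at an `about:blank#...` fragment (`[Link](about:blank#azure-blob-storage)`, `[Link](about:blank#connections-into-unstructured-vpc-azure)`, `[Link](about:blank#customer-managed-services-azure)`); these were in-page anchors of the old single-page document and will not resolve now that the content is split across `connect-to-platform.mdx` and `connect-to-services.mdx`, so point them at the new page paths (for example `/business/azure/azure-privatelink/connect-to-services#azure-blob-storage`) and check that each target heading exists (there is no `connections-into-unstructured-vpc-azure` heading in this diff). The intro paragraph is a verbatim copy of the one in `overview.md` and describes information gathering rather than connector coverage; replace it with a sentence about what the table shows. Also the `OneDrive / SharePoint / Outlook` and `Google Cloud Storage` rows repeat "Requires public egress" in both the `Approach` and `Configuration Section` columns; keep the reason in `Approach` and link `Configuration Section` to the public-egress section of the security model page so readers learn what enabling egress implies.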
diff --git a/business/azure/azure-privatelink/dns-configuration.mdx b/business/azure/azure-privatelink/dns-configuration.mdx new file mode 100644 index 00000000..9e417c40 --- /dev/null +++ b/business/azure/azure-privatelink/dns-configuration.mdx @@ -0,0 +1,13 @@ +--- +title: DNS configuration for Private Link access +sidebarTitle: DNS configuration +--- + +1. Create a Private DNS Zone matching the service hostname domain (e.g., `privatelink.unstructuredapp.io`). +2. Create an A record for the full service hostname pointing to the private IP of your Private Endpoint: + + ``` + example.privatelink.unstructuredapp.io → 10.12.34.56 + ``` + +3. Link the Private DNS Zone to the VNet(s) where clients will access the service. diff --git a/business/azure/azure-privatelink/overview.md b/business/azure/azure-privatelink/overview.md new file mode 100644 index 00000000..b819eb33 --- /dev/null +++ b/business/azure/azure-privatelink/overview.md @@ -0,0 +1,5 @@ +--- +title: Configure Azure PrivateLink for your Dedicated Instance +sidebarTitle: Overview +--- +This section outlines the information required by both parties to establish Azure Private Link. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. diff --git a/business/azure/dns-privatelink.mdx b/business/azure/x-dns-privatelink.mdx similarity index 91% rename from business/azure/dns-privatelink.mdx rename to business/azure/x-dns-privatelink.mdx index bec88ba9..c4994414 100644 --- a/business/azure/dns-privatelink.mdx +++ b/business/azure/x-dns-privatelink.mdx 
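Review bot: `overview.md` is the only file in this tree with a `.md` extension while its nav entry `business/azure/azure-privatelink/overview` and every sibling use `.mdx`; rename it so the build treats all pages the same way. In `dns-configuration.mdx`, step 2's A record (`example.privatelink.unstructuredapp.io → 10.12.34.56`) is presented as an example but the page never says where the customer obtains the real service hostname or the endpoint's private IP (the Private Endpoint's network interface), nor that the zone name in step 1 must match the hostname Unstructured supplies; add one sentence for each, since a wrong zone name silently leaves clients resolving the public address.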
@@ -1,6 +1,6 @@ --- -title: DNS configuration for Private Link access -sidebarTitle: DNS for Private Link +title: OLD - DNS configuration for Private Link access +sidebarTitle: x DNS for Private Link --- To access the dedicated instance over Azure Private Link, you must configure DNS so the service hostname resolves to your diff --git a/business/azure/onboard.mdx b/business/azure/x-onboard.mdx similarity index 99% rename from business/azure/onboard.mdx rename to business/azure/x-onboard.mdx index 0fee2f40..73e1abf8 100644 --- a/business/azure/onboard.mdx +++ b/business/azure/x-onboard.mdx @@ -1,6 +1,6 @@ --- -title: Unstructured Business in-VPC on Azure - onboarding checklist -sidebarTitle: Onboarding +title: OLD - Unstructured Business in-VPC on Azure - onboarding checklist +sidebarTitle: x Onboarding --- diff --git a/business/azure/overview.mdx b/business/azure/x-overview.mdx similarity index 94% rename from business/azure/overview.mdx rename to business/azure/x-overview.mdx index f0d09724..453c849d 100644 --- a/business/azure/overview.mdx +++ b/business/azure/x-overview.mdx @@ -1,6 +1,6 @@ --- -title: Unstructured Business in-VPC on Azure - overview -sidebarTitle: Overview +title: OLD - Unstructured Business in-VPC on Azure - overview +sidebarTitle: x Overview --- diff --git a/docs.json b/docs.json index ffa7d80e..28a5537a 100644 --- a/docs.json +++ b/docs.json 
@@ -354,30 +354,43 @@ "business/dedicated-instances/requirements", "business/dedicated-instances/preparing" ] - }, + }, { - "group": "AWS", + "group": "Amazon Web Services (AWS)", "pages": [ - "business/aws/overview", - { "group": "Dedicated Instance and PrivateLink", + "business/aws/x-overview", + "business/aws/x-dedicated-instance-privatelink", + { "group": "AWS PrivateLink for your Dedicated Instance", "pages": [ - "business/dedicated-instances/security-model", - "business/dedicated-instances/shared-responsibility-model", - ] - } - "business/aws/in-vpc-onboarding" + "business/aws/aws-privatelink/overview", + "business/aws/aws-privatelink/connector-support", + "business/aws/aws-privatelink/connect-to-platform", + "business/aws/aws-privatelink/dns-configuration", + "business/aws/aws-privatelink/connect-to-services" + ] + }, + "business/aws/onboard-in-vpc" ] }, { - "group": "Azure", + "group": "Microsoft Azure (Azure)", "pages": [ - "business/azure/overview", - "business/azure/onboard", - "business/azure/dns-privatelink" + "business/azure/x-overview", + "business/azure/x-onboard", + "business/azure/x-dns-privatelink", + { "group": "Microsoft Azure Private Link for your Dedicated Instance", + "pages": [ + "business/azure/azure-privatelink/overview", + "business/azure/azure-privatelink/connector-support", + "business/azure/azure-privatelink/connect-to-platform", + "business/azure/azure-privatelink/dns-configuration", + "business/azure/azure-privatelink/connect-to-services" + ] + } ] }, { - "group": "GCP", + "group": "Google Cloud Platform (GCP)", "pages": [ "business/gcp/overview", "business/gcp/onboard" From a2149123577b45baa05ea85d2260f14a87011c6c Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Mon, 23 Mar 2026 16:58:11 -0400 Subject: [PATCH 09/29] Edit Overview of Dedicated Instance section. --- business/dedicated-instances/overview.mdx | 31 +++++++++++++++-------- 1 file changed, 21 insertions(+), 10 deletions(-) 
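Review bot: The renamed `x-overview.mdx`, `x-onboard.mdx`, and `x-dns-privatelink.mdx` pages (titles now prefixed `OLD - `, sidebar titles prefixed `x `) are still listed in this `docs.json` hunk (`"business/aws/x-overview"`, `"business/azure/x-overview"`, `"business/azure/x-onboard"`, `"business/azure/x-dns-privatelink"`), so the published nav will show the stale pages beside the new ones; either drop them from the nav or delete the files. The hunk also removes `business/dedicated-instances/security-model` and `business/dedicated-instances/shared-responsibility-model` from the nav without re-adding them in the visible range, while a later commit in this series edits `business/dedicated-instances/security/security-model.mdx`; confirm that page is reachable from the `Dedicated Instance` group. `business/aws/x-dedicated-instance-privatelink` and `business/aws/onboard-in-vpc` are referenced here but are not created or renamed anywhere in this diff; verify those files exist. On the positive side, the hunk fixes the previously invalid JSON (the trailing comma after `shared-responsibility-model` and the missing comma after the nested group's closing `}`).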
diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index b3eecfdf..371b4aab 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
@@ -3,9 +3,26 @@ title: Dedicated Instance sidebarTitle: Overview --- -A Dedicated Instance is a privately isolated deployment hosted by Unstructured, intended for customers who need increased network isolation, data isolation, and strict compliance controls. By leveraging cloud-native infrastructure and private networking, Dedicated Instances enable Unstructured to connect to your data sources and process your data while keeping it within trusted boundaries. +A Dedicated Instance is a privately isolated deployment that Unstructured hosts for organizations that need stronger network boundaries, data isolation, and compliance controls. With cloud-native infrastructure and private networking, Unstructured connects to your sources and processes your data while it stays inside your trusted environment. -**AWS PrivateLink and Azure Private Link** +Use this overview to help teams across your organization evaluate, secure, and deploy a Dedicated Instance in your cloud. + +This overview covers: + +* How Dedicated Instances address stricter security requirements +* High-level benefits and trade-offs +* Technical integration requirements for connecting a Dedicated Instance to your cloud + +## Cloud Service Provider support ## +Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). + +This overview covers pertinent information for both of these cloud service providers. Detailed, service-specific configuration requirements are covered in the following sections: + +* AWS — [AWS PrivateLink overview](/business/aws/aws-privatelink/overview) +* Azure — [Azure Private Link overview](/business/azure/azure-privatelink/overview) + + +## Private connectivity for your Dedicated Instance ## Both AWS and Azure allow you to privately connect your Virtual Private Cloud (VPC in AWS) or Virtual Network (Vnet in Azure) to your Dedicated Instance on the Unstructured platform without traversing the public internet. 
Network filtering lets you fully block incoming and outgoing traffic to the public internet or limit it to specific IP addresses or CIDR ranges. 
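Review bot: The new `Cloud Service Provider support` section states that Dedicated Instances integrate with Amazon Web Services (AWS) and Microsoft Azure (Azure) only, yet `docs.json` in this same series carries a `Google Cloud Platform (GCP)` group with `business/gcp/overview` and `business/gcp/onboard`, and the series creates `deployment/gcp/psc.mdx`; either mention GCP here or say why it is out of scope, otherwise readers arriving from the GCP pages get a contradiction. Two wording points in the same hunk: the rewritten lead paragraph says data "stays inside your trusted environment", which overstates the model since processing happens in the Unstructured-hosted instance reached over private connectivity (the removed "within trusted boundaries" was more accurate); and `Vnet` in the private-connectivity paragraph should be `VNet` to match the rest of the series. Cosmetic: the headings use trailing `##` markers (`## Cloud Service Provider support ##`), which no other page in the diff does.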
@@ -13,16 +30,10 @@ Network filtering lets you fully block incoming and outgoing traffic to the publ **Benefits** - **Eliminate public exposure** - Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. -- **Stronger network isolation for sensitive workloads** - Helps customers meet internal security requirements and compliance where *private network access* is preferred or mandated. +- **Stronger network isolation for sensitive workloads** - Meet your internal security requirements and compliance where *private network access* is preferred or mandated. - **Simpler enterprise network integration** - Works well with existing private connectivity patterns (VPC/VNet isolation, VPN/DirectConnect/ExpressRoute to corporate on-prem networks). - **Control and visibility** - Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. - A Dedicated Instance is a **regional service** deployed in a single cloud region. Everything runs in one region, so plan for data residency, failover design, and latency. Unstructured supports cross-region PrivateLink, but we do not recommend it because it incurs additional data transfer costs. + A Dedicated Instance is a **regional service**: it runs entirely in a single cloud region. Plan for data residency, failover design, and latency with that constraint in mind. Unstructured supports cross-region PrivateLink, but we do not recommend it because of the added data transfer costs. - - -!! WRITER QUESTION: Is the above statement correct? -Do we not recommend it BECAUSE it incurs additional data transfer costs? (I added that supposition to the text here. -If additional costs are **not** why we recommend against it, we should state why we don't recommend it. Or it would be nice to. :-) !! - \ No newline at end of file 
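Review bot: The removed `!! WRITER QUESTION` block flagged the data-transfer-cost rationale for not recommending cross-region PrivateLink as an unverified supposition, and this hunk keeps that rationale in the rewritten sentence ("we do not recommend it because of the added data transfer costs") while deleting the question, so the open point is lost rather than resolved; confirm the reason with the networking owner before merge, and if latency or failover is the real concern, say so, since the preceding sentence already tells readers to plan for both.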
From f84784d75aaed98c81d3dd660cccc3ae84b30798 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Mon, 23 Mar 2026 17:28:25 -0400 Subject: [PATCH 10/29] Revise title for Dedicated Instances to Dedicated Instance --- docs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs.json b/docs.json index 28a5537a..18056a75 100644 --- a/docs.json +++ b/docs.json @@ -340,7 +340,7 @@ ] }, { - "group": "Dedicated Instances", + "group": "Dedicated Instance", "pages": [ "business/dedicated-instances/overview", "business/dedicated-instances/architecture", From edc7d17bf2f7375d334b7f7da72351ce205a5971 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Mon, 23 Mar 2026 20:38:19 -0400 Subject: [PATCH 11/29] Revise Architecture section. --- business/dedicated-instances/architecture.mdx | 22 ++++++------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index 999cc577..f7e7ec79 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx 
@@ -3,25 +3,17 @@ title: Architecture --- -Dedicated Instances provide a secure, isolated deployment for processing unstructured data from your environment. Data stays within private network boundaries, with managed ingestion and processing handled in that same isolated deployment. +Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network paths, not the public internet. -The system leverages cloud-native infrastructure and private networking without exposing data to the public internet. +**AWS:** **AWS PrivateLink** (with interface VPC endpoints) carries traffic **in both directions** between your VPC and the Unstructured VPC. -**AWS private connectivity** uses AWS PrivateLink interface endpoints to connect customer VPCs to the Unstructured VPC without traversing the public internet. +**Azure:** **Azure Private Link** connects your VNet and Unstructured **in both directions** over private endpoints; traffic stays on the Microsoft backbone instead of the public internet. -**Azure private connectivity** uses Azure Private Link so access occurs through a private IP and traffic stays on the Microsoft backbone. +Traffic can run **in two directions**, and you can configure **either direction on its own**: -There are two directions of connectivity: +- **You → Unstructured** — You access the Unstructured UI and API through a private endpoint in your VPC or VNet. +- **Unstructured → you** — Unstructured reaches your data sources (for example S3 buckets, databases, and vector stores) through private endpoints in the Unstructured VPC or VNet. -| Direction | Description | -| --- | --- | -| **Customer → Unstructured** | Customer applications access the Unstructured UI and API via a private endpoint in the customer’s VPC/VNet. | -| **Unstructured → Customer** | Unstructured accesses customer data sources (S3 buckets, databases, vector stores, etc.) 
via private endpoints created in the Unstructured VPC/VNet. | +If you use strict outbound controls, configure **both** directions so private access works end to end. -Both directions can be established independently. Customers with strict outbound traffic controls should configure both. - - -Detailed setup instructions are provided in the deployment sections for each cloud provider. - -See [Security](./security) for more information about isolation, encryption, and access controls. From f48a6cfea046b18721680ba00278ce109e735bc2 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Tue, 24 Mar 2026 00:12:05 -0400 Subject: [PATCH 12/29] Update Architecture and Security Model. --- business/dedicated-instances/architecture.mdx | 13 ++-- business/dedicated-instances/overview.mdx | 10 ++-- .../security/security-model.mdx | 60 +++++++++---------- 3 files changed, 44 insertions(+), 39 deletions(-) diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index f7e7ec79..fb6569b7 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx 
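Review bot: This rewrite drops the two closing cross-references, `Detailed setup instructions are provided in the deployment sections for each cloud provider.` and `See [Security](./security) for more information about isolation, encryption, and access controls.`, without replacing them, so the Architecture page no longer points readers at the deployment or security pages; keep a short pointer to the per-provider Private Link overviews and the security model. In the new bullets, `(for example S3 buckets, databases, and vector stores)` gives only an AWS example right after the page introduces Azure; add Blob Storage for balance.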
@@ -2,18 +2,21 @@ title: Architecture --- +Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network path and not the public internet. -Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network paths, not the public internet. +## Private connectivity by CSP -**AWS:** **AWS PrivateLink** (with interface VPC endpoints) carries traffic **in both directions** between your VPC and the Unstructured VPC. +**AWS private connectivity** uses AWS PrivateLink interface endpoints to connect your VPC to the Unstructured private network without traversing the public internet. -**Azure:** **Azure Private Link** connects your VNet and Unstructured **in both directions** over private endpoints; traffic stays on the Microsoft backbone instead of the public internet. +**Azure private connectivity** uses Azure Private Link to connect your VNet to the Unstructured private network with your traffic staying on the Microsoft backbone instead of the public internet. -Traffic can run **in two directions**, and you can configure **either direction on its own**: +## Traffic directions + +Private connectivity runs **in two directions**, and you can configure **either direction on its own**: - **You → Unstructured** — You access the Unstructured UI and API through a private endpoint in your VPC or VNet. - **Unstructured → you** — Unstructured reaches your data sources (for example S3 buckets, databases, and vector stores) through private endpoints in the Unstructured VPC or VNet. -If you use strict outbound controls, configure **both** directions so private access works end to end. +If you enforce strict outbound controls, configure **both** directions so private access works end to end. 
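Review bot: The added first line reintroduces a grammar regression that the previous commit had fixed: `stays on private network path and not the public internet` should read `stays on private network paths, not the public internet`, and because this hunk adds the new sentence and removes the corrected one, the regressed wording is what ships. The `## Private connectivity by CSP` heading uses an abbreviation this page never expands; spell out "cloud service provider" on first use, as the Overview page does.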
diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 371b4aab..5c3750dd 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx @@ -5,13 +5,13 @@ sidebarTitle: Overview A Dedicated Instance is a privately isolated deployment that Unstructured hosts for organizations that need stronger network boundaries, data isolation, and compliance controls. With cloud-native infrastructure and private networking, Unstructured connects to your sources and processes your data while it stays inside your trusted environment. -Use this overview to help teams across your organization evaluate, secure, and deploy a Dedicated Instance in your cloud. +Use this overview to help teams across your organization evaluate, secure, and deploy your own Dedicated Instance in the Unstructured platform. This overview covers: -* How Dedicated Instances address stricter security requirements -* High-level benefits and trade-offs -* Technical integration requirements for connecting a Dedicated Instance to your cloud +* How Dedicated Instances address strict security requirements +* High-level benefits and trade-offs of using a Dedicated Instance +* Technical integration requirements for connecting your Dedicated Instance, hosted on the Unstructured platform, to your cloud ## Cloud Service Provider support ## Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). @@ -21,6 +21,8 @@ This overview covers pertinent information for both of these cloud service provi * AWS — [AWS PrivateLink overview](/business/aws/aws-privatelink/overview) * Azure — [Azure Private Link overview](/business/azure/azure-privatelink/overview) +In this topic we use _private connectivity_ as a general term for AWS PrivateLink and Azure Private Link collectively. + ## Private connectivity for your Dedicated Instance ## 
diff --git a/business/dedicated-instances/security/security-model.mdx b/business/dedicated-instances/security/security-model.mdx index 13b3adc7..77c246d7 100644 --- a/business/dedicated-instances/security/security-model.mdx +++ b/business/dedicated-instances/security/security-model.mdx @@ -1,10 +1,13 @@ --- title: Security model --- -Dedicated Instances use a security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. + +This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. + -This page covers PrivateLink, encryption, and network access controls for Dedicated Instances. For more information about security across the Unstructured platform, see [Security and compliance](business/security-compliance/overview). +Dedicated Instances use a security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. +This page covers private connectivity, encryption, and network access controls for Dedicated Instances. ### Encryption 
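Review bot: This hunk removes the page's only link to the platform-wide security documentation (`For more information about security across the Unstructured platform, see [Security and compliance](business/security-compliance/overview)`); that link was broken because it lacked a leading slash, but repairing it to `/business/security-compliance/overview` is better than dropping it, since the new text explicitly scopes this page to private connectivity, encryption, and network access controls and readers need somewhere to go for everything else. Also, the new `This topic uses _private connectivity_ as a collective term...` sentence now sits above the lead paragraph, where it reads as a preamble; place it after the paragraph that first uses the term, as the Overview page does.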
@@ -12,66 +15,63 @@ All connections to Dedicated Instances use TLS 1.2 or higher for encryption in t | Layer | Encryption | | --- | --- | -| API Endpoints | TLS 1.2+ with certificate validation | -| Cloud Storage Connections (S3, Blob Storage) | TLS encryption with bucket/container policies enforcing encryption | +| API endpoints | TLS 1.2+ with certificate validation | +| Cloud storage connections (S3, Blob Storage) | TLS encryption with bucket/container policies enforcing encryption | | Internal Service Mesh | mTLS between microservices | -### Security without PrivateLink (internet-facing mode) +### Security without private connectivity (internet-facing mode) -Customers who deploy a Dedicated Instance without PrivateLink access the platform over the public internet via HTTPS. The following controls apply. +Customers who deploy a Dedicated Instance without private connectivity access the Unstructured platform over the public internet via HTTPS. + +The following security measures and connectivity options apply: - **TLS 1.2+** for all traffic in transit. - **AWS WAF** (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance. - **IP Allowlisting** - restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. !! WRITER: check standard wording and links for submitting support ticket !! -- **Independent ingress and outbound** means you can access the platform over the internet with the UI or API, while Unstructured uses PrivateLink to reach your data sources. The two paths are configured separately. -### Security with PrivateLink +- **Independent paths** - allow you to use the UI and API over the public internet while Unstructured uses private connectivity to reach your data sources. The two paths are configured separately. 
+ +### Security with private connectivity -When PrivateLink is enabled, traffic between your environment and Unstructured flows entirely over cloud-provider private networking. Service endpoints resolve to private IP addresses, and no inbound access from the public internet is permitted. +When private connectivity is enabled, traffic between your environment and the Unstructured platform flows entirely over cloud provider private networking. Service endpoints resolve to private IP addresses, and no inbound access from the public internet is permitted. -### What PrivateLink does and does not protect +### What private connectivity does and does not protect -**Protected** +Private connectivity protects: * Network traffic from public internet exposure * Data in-transit between VPCs/VNets * DNS resolution of service endpoints -**Not Protected** +Private connectivity does not protect: * Application-layer vulnerabilities -* Misconfigured IAM/RBAC policies +* Misconfigured Identify and Access Management (IAM) or Role-Based Access Control (RBAC) policies * Compromised credentials ### (Optional) Customer-managed encryption keys - -!! WRITER: Check formatting for "Optional" in titles !! - - -By default, Unstructured manages encryption keys using the cloud provider’s key management service (AWS KMS or Azure Key Vault). Customers with strict key custody requirements can optionally bring their own KMS Customer Managed Keys (CMK). Contact your account representative to enable this. +By default, Unstructured manages encryption keys using the cloud provider’s key management service, AWS Key Management Service (KMS) or Azure Key Vault. Customers with strict key custody requirements can optionally bring their customer-managed keys with their cloud provider services. Contact your account representative to enable this. ### Network access controls +**Network access controls** govern whether traffic may use the **public internet** to enter or exit your Dedicated Instance. 
This section covers the default configuration settings for inbound and outbound traffic and the available options for any exceptions you'd like to make the defaults. + **Default configuration:** | Traffic Direction | Default State | | --- | --- | -| Public Ingress | **Blocked** — All inbound traffic from the public internet is denied. Access is only available via PrivateLink. | -| Public Egress | **Blocked** — All outbound traffic to the public internet is denied. The platform can only communicate with resources accessible via PrivateLink or within the Unstructured VPC/VNet. | +| Public Ingress | **Blocked** — All inbound traffic from the public internet is denied. Access is only available via private connectivity. | +| Public Egress | **Blocked** — All outbound traffic to the public internet is denied. The platform can only communicate with resources accessible via private connectivity or within the Unstructured VPC/VNet. | This default configuration provides maximum network isolation and is recommended for customers with strict compliance requirements. **(Optional) Enabling public egress** - -!! WRITER: Check formatting for "Optional" in titles !! - - Some integrations require outbound internet access. Examples include: - Third-party AI/ML APIs (e.g., OpenAI, Anthropic, Gemini) not hosted in your cloud environment. - External webhooks or callback URLs. -- Public SaaS services without PrivateLink support (see [connector coverage](about:blank#aws-privatelink-connector-coverage) below). +- Public SaaS services without private connectivity support (see [connector coverage](about:blank#aws-privatelink-connector-coverage) below). If your use case requires public egress, Unstructured can enable outbound internet access with the following options: 
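Review bot: Editor markers are being added to shipped content in this hunk: the IP allowlisting bullet now ends with `!! WRITER: check standard wording and links for submitting support ticket !!`, which will render verbatim in the page; resolve or strip it before merge. In the same hunk the new bullet `Misconfigured Identify and Access Management (IAM)` has a typo (Identity), the egress bullet still links to `about:blank#aws-privatelink-connector-coverage` (a placeholder, and the anchor does not exist on this page), and the table row `| Internal Service Mesh | mTLS between microservices |` keeps title case while the two rows above it were lowercased. The new sentence "the available options for any exceptions you'd like to make the defaults" is also missing "to" before "the defaults".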
@@ -80,20 +80,20 @@ If your use case requires public egress, Unstructured can enable outbound intern | Full Egress | All outbound internet traffic is permitted (not recommended) | | Specific IPs/CIDRs | Outbound traffic is permitted only to specified IP addresses or CIDR ranges | -To request egress configuration changes, log a support ticket and provide: +To request egress configuration changes, log a support ticket and provide:!! WRITER: check standard wording and links for submitting support ticket !! - Application/use-case requirements for the access change. - List of IPs or CIDR ranges to allowlist. - Expected traffic patterns (e.g., VLM API calls, SSO integration). -**Optional: Enabling public ingress** +**(Optional) Enabling public ingress** -In rare cases, customers may require public ingress (e.g., for users who cannot access via PrivateLink). Access will be restricted to specified IP addresses or CIDR ranges, and all traffic remains encrypted via TLS 1.2+. +In rare cases, customers may require public ingress (e.g., for users who cannot access via private connectivity). Access will be restricted to specified IP addresses or CIDR ranges, and all traffic remains encrypted via TLS 1.2+. -To request ingress configuration changes, log a support ticket and provide: +To request ingress configuration changes, log a support ticket and provide:!! WRITER: check standard wording and links for submitting support ticket !! - Application/use-case requirements. - List of source IP addresses or CIDR ranges to allowlist. - Expected access patterns. -Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using PrivateLink for all connectivity where possible. +Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using private connectivity for all connectivity where possible. \ No newline at end of file 
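Review bot: The two lines `To request egress configuration changes, log a support ticket and provide:!! WRITER: ... !!` and the matching ingress line splice an editor note directly onto a sentence with no separator, so the note will render as part of the instruction to customers; either replace it with the final support-ticket wording and link or move it out of the content body. The closing sentence "recommends using private connectivity for all connectivity where possible" repeats "connectivity"; "for all traffic where possible" reads better. The file also ends without a trailing newline (`\ No newline at end of file`).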
From e96b24912e5d8d532aa5f77592315e70e07460ef Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Tue, 24 Mar 2026 02:10:20 -0400 Subject: [PATCH 13/29] Add more edits to Dedicated Instance. --- business/dedicated-instances/architecture.mdx | 6 +-- business/dedicated-instances/overview.mdx | 14 +++--- business/dedicated-instances/preparing.mdx | 35 +++++++++------ business/dedicated-instances/requirements.mdx | 28 ++++++------ .../security/security-faq.mdx | 24 +++++++--- .../security/security-model.mdx | 20 +++++---- .../security/shared-responsibility-model.mdx | 45 +++++++++---------- 7 files changed, 98 insertions(+), 74 deletions(-) diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index fb6569b7..a82d7dd2 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx @@ -2,7 +2,7 @@ title: Architecture --- -Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network path and not the public internet. +Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network paths, not the public internet. ## Private connectivity by CSP 
@@ -12,11 +12,11 @@ Your **Dedicated Instance** is an isolated Unstructured deployment. You use priv ## Traffic directions -Private connectivity runs **in two directions**, and you can configure **either direction on its own**: +Private connectivity runs in two directions, and you can configure either direction on its own: - **You → Unstructured** — You access the Unstructured UI and API through a private endpoint in your VPC or VNet. - **Unstructured → you** — Unstructured reaches your data sources (for example S3 buckets, databases, and vector stores) through private endpoints in the Unstructured VPC or VNet. -If you enforce strict outbound controls, configure **both** directions so private access works end to end. +If you enforce strict outbound controls, configure both directions so private access works end to end. diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 5c3750dd..efb70fa3 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
@@ -9,11 +9,11 @@ Use this overview to help teams across your organization evaluate, secure, and d This overview covers: -* How Dedicated Instances address strict security requirements -* High-level benefits and trade-offs of using a Dedicated Instance -* Technical integration requirements for connecting your Dedicated Instance, hosted on the Unstructured platform, to your cloud +* How Dedicated Instances meet stricter security and compliance expectations. +* High-level benefits and trade-offs. +* Technical requirements for integrating your Dedicated Instance with your cloud platform. -## Cloud Service Provider support ## +## Cloud service provider (CSP) support ## Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). This overview covers pertinent information for both of these cloud service providers. Detailed, service-specific configuration requirements are covered in the following sections: @@ -21,7 +21,9 @@ This overview covers pertinent information for both of these cloud service provi * AWS — [AWS PrivateLink overview](/business/aws/aws-privatelink/overview) * Azure — [Azure Private Link overview](/business/azure/azure-privatelink/overview) -In this topic we use _private connectivity_ as a general term for AWS PrivateLink and Azure Private Link collectively. + +This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. + ## Private connectivity for your Dedicated Instance ## 
@@ -32,7 +34,7 @@ Network filtering lets you fully block incoming and outgoing traffic to the publ **Benefits** - **Eliminate public exposure** - Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. -- **Stronger network isolation for sensitive workloads** - Meet your internal security requirements and compliance where *private network access* is preferred or mandated. +- **Stronger network isolation for sensitive workloads** - Meet your internal security requirements and compliance where *private network access* is preferred or mandated. - **Simpler enterprise network integration** - Works well with existing private connectivity patterns (VPC/VNet isolation, VPN/DirectConnect/ExpressRoute to corporate on-prem networks). - **Control and visibility** - Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. diff --git a/business/dedicated-instances/preparing.mdx b/business/dedicated-instances/preparing.mdx index 30357e58..b430e1d4 100644 --- a/business/dedicated-instances/preparing.mdx +++ b/business/dedicated-instances/preparing.mdx 
@@ -1,16 +1,21 @@ --- title: Preparing for a Dedicated Instance --- + +This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. + -Once you’ve decided to proceed with a Dedicated Instance, the next steps involve provisioning the environment and establishing private connectivity. The deployment process is conducted remotely and can typically be completed within the following timeframes: +Once you’ve decided to proceed with a Dedicated Instance, the next steps involve provisioning the required environment resources and establishing private connectivity. The deployment process is conducted remotely and can typically be completed within the following timeframes: -| Cloud Provider | Without PrivateLink | With PrivateLink | +| Cloud Provider | Without private connectivity | With private connectivity | | --- | --- | --- | | AWS | 2–3 Days | 4–5 Days | | Azure | 2–3 Days | 4–5 Days | -> Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. -> + +Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. + + ### Information Required for Provisioning 
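Review bot: The deployment-timeline caveat loses its `>` callout formatting and is left as a plain paragraph surrounded by blank lines ("Times are subject to Customer infrastructure team availability..."); if a callout component is intended to wrap it, confirm it is present, otherwise the warning now reads as ordinary body text and "Customer" mid-sentence should be lowercased. The table header still says `Cloud Provider` while the body text in this same patch standardizes on "cloud provider".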
@@ -19,19 +24,21 @@ Before deployment can begin, please provide the following: | Information Required | Description | | --- | --- | | Name of Administrator | Primary administrator of the account (others can be added after) | -| Admin Email Address | Email address of the primary admin | -| Cloud Provider | AWS or Azure | +| Admin email address | Email address of the primary admin | +| Cloud provider | AWS or Azure | | Cloud Region | Please see [list of supported regions](about:blank#supported-cloud-providers-and-regions) | -| Desired URL | Without PrivateLink: `.unstructuredapp.io` / With PrivateLink: `.privatelink.unstructuredapp.io` | -| VLM Provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | -| VLM Models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | -| Embedding Models | e.g., Titan, Granite (ensure you select correct dimensions) | +| Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | +| VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | +| VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | +| Embedding models | e.g., Titan, Granite (ensure you select correct dimensions) | + + +Do not send API keys by email or any collaboration tool. Unstructured has a secure method of capturing these. + -> **Do not send API keys by email or any collaboration tool.** Unstructured has a secure method of capturing these. -> ### Information Exchange -All PrivateLink configuration data exchanges between Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint Service Names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. +All private connectivity configuration data exchanges between Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. -To initiate a PrivateLink configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. +To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx index 2d15b963..0dabf0fa 100644 --- a/business/dedicated-instances/requirements.mdx 
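Review bot: The `Desired URL` row now contains a line break inside the table cell (`.unstructuredapp.io` on one line, `With private connectivity: ...privatelink.unstructuredapp.io |` on the next), which breaks the markdown table row; keep the cell on one line or use an inline `<br />`. Two other points in this hunk: the `Cloud Region` row links to `about:blank#supported-cloud-providers-and-regions`, a placeholder anchor, and the instruction "Do not send API keys by email or any collaboration tool" loses both its bold and its callout, so the one sentence in this table a reader must not miss is now the least prominent one. The required ticket subject line is still "PrivateLink Configuration Request" even though the surrounding text was generalized to private connectivity for both AWS and Azure customers.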
+++ b/business/dedicated-instances/requirements.mdx @@ -2,15 +2,17 @@ title: Requirements and Limitations --- -Dedicated Instances rely on cloud-provider private networking features and therefore require certain baseline infrastructure components to ensure a secure and successful deployment. This section outlines the key requirements customers must meet, as well as known limitations that may affect implementation decisions. Understanding these constraints early helps reduce onboarding delays and ensures alignment across security, platform, and engineering teams. +Dedicated Instances rely on cloud provider private networking features and therefore require certain baseline infrastructure components to ensure a secure and successful deployment. -### Supported Cloud Providers and Regions +This section outlines the key requirements customers must meet, as well as known limitations that may affect implementation decisions. Understanding these constraints early helps reduce onboarding delays and ensures alignment across security, platform, and engineering teams. + +### Cloud provider and Region support | Cloud Provider | Availability | | --- | --- | -| AWS | General Availability | -| Azure | General Availability | -| GCP | Not currently supported | +| Amazon Web Services (AWS) | General Availability | +| Microsoft Azure (Azure)| General Availability | +| Google Cloud Platform (GCP) | Not currently supported | **AWS Supported Regions** 
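Review bot: Renaming the heading to `### Cloud provider and Region support` changes its anchor, but preparing.mdx in this same patch still links to `#supported-cloud-providers-and-regions`, so that cross-reference will break; update the link or keep the heading slug. Also `| Microsoft Azure (Azure)| General Availability |` is missing a space before the pipe, and "Region" is capitalized mid-heading while the rest of the patch uses sentence case.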
@@ -33,19 +35,19 @@ If your required region is not listed above, contact your Unstructured account r Contact your Unstructured account representative for the current list of supported Azure regions. -### Prerequisites +### Requirements -**AWS Requirements:** +**AWS requirements:** - VPC with private subnets - Network Load Balancer (for connections into Customer environment) - IAM permissions to create VPC endpoints, security groups, and Route 53 records -**Azure Requirements:** +**Azure requirements:** - Virtual Network with subnets configured for private endpoints - Private endpoint network policies disabled on target subnets - Standard Load Balancer (for connections into Customer environment) -### DNS Requirements +### DNS requirements Private connectivity requires DNS configuration to route traffic through private endpoints: - AWS: Route 53 Private Hosted Zone (and on-premise DNS forwarding if needed) @@ -54,11 +56,11 @@ Private connectivity requires DNS configuration to route traffic through private The DNS name will be provided to you by Unstructured, in the form `.privatelink.unstructuredapp.io`. -### Known Limitations +### Known limitations | Limitation | Notes | | --- | --- | -| Cross-Region PrivateLink | Supported but incurs additional data transfer costs; not advised | -| Cross-Cloud PrivateLink | Not supported (e.g., AWS to Azure) | -| VPC Peering | Not supported as an alternative to PrivateLink | +| Cross-Region private connectivity | Supported but incurs additional data transfer costs. Not recommended. | +| Cross-CSP private connectivity | Not supported (e.g., AWS to Azure) | +| VPC Peering | Not supported as an alternative to private connectivity | diff --git a/business/dedicated-instances/security/security-faq.mdx b/business/dedicated-instances/security/security-faq.mdx index e9f24274..d28e58c7 100644 --- a/business/dedicated-instances/security/security-faq.mdx +++ b/business/dedicated-instances/security/security-faq.mdx 
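Review bot: The AWS requirements list includes an identity item ("IAM permissions to create VPC endpoints, security groups, and Route 53 records") but the Azure list has no equivalent RBAC line for creating private endpoints, Private DNS zones and NSG rules, so an Azure reader cannot tell which permissions to request; add a matching bullet. The limitations table introduces "Cross-CSP" while connector-support.mdx in this patch says "Cross-cloud not supported"; pick one term.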
@@ -2,35 +2,49 @@ title: Security FAQ --- + +This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. + + + **Is my Dedicated Instance single-tenant?** + Yes. Each Dedicated Instance is logically isolated and single-tenant. Your instance is not shared with other customers at the application or network level. **Does traffic ever traverse the public internet?** -By default, Dedicated Instances are configured with strict network controls to block public ingress and egress. When PrivateLink is enabled, traffic between your environment and Unstructured flows entirely over cloud-provider private networking. Public ingress/egress can be enabled on request for specific use cases — see [Network Access Controls](about:blank#network-access-controls). + +By default, Dedicated Instances are configured with strict network controls to block public ingress and egress. When private connectivity is enabled, traffic between your environment and Unstructured flows entirely over cloud-provider private networking. Public ingress/egress can be enabled on request for specific use cases — see [Network Access Controls](about:blank#network-access-controls). **Is data encrypted?** -Yes. + +Yes. Data is encrypted in the following cases: - **In transit:** All traffic uses TLS 1.2 or higher. - **Internally:** Mutual TLS (mTLS) is used between platform services. - **Cloud storage:** Encryption policies are enforced at the storage layer. - **At rest:** Optional customer-managed KMS keys are available on request. **Can Unstructured access my data?** + Unstructured personnel do not access customer data as part of normal operations. Access to customer data sources is explicitly configured, limited to the minimum permissions required, and governed by customer-controlled IAM, RBAC, and resource policies. Any exceptional access (e.g., for troubleshooting) follows strict internal controls and auditing. **Is customer data used to train models?** + No. 
Customer data processed within a Dedicated Instance is not used to train models. **How is access to the platform controlled?** + - Customers manage user access to the Unstructured UI and APIs. - Network access is restricted using private endpoints, security groups, and firewall rules. - DNS resolution is private and scoped to customer networks. -**What does PrivateLink protect against?** -PrivateLink helps protect against exposure to the public internet, unintended inbound network access, and DNS-based traffic interception. PrivateLink does not protect against application-layer vulnerabilities, misconfigured IAM or RBAC policies, or compromised credentials. +**What does private connectivity protect against?** + +Private connectivity helps protect against exposure to the public internet, unintended inbound network access, and DNS-based traffic interception. Private connectivity does not protect against application-layer vulnerabilities, misconfigured IAM or RBAC policies, or compromised credentials. **How long is customer data retained?** + Unstructured does not store customer data long-term. Customer artifacts are used ephemerally during workflow execution and removed upon completion or failure. Transformed data is written to the configured destination. The only data that persists in the Unstructured platform is connector and workflow configuration metadata, connector keys (stored in a secret store), and workflow execution telemetry (which does not contain file data). **What compliance standards does Unstructured support?** -Unstructured maintains industry-standard security and compliance programs including HIPAA compliance architecture, ITAR-readiness with geo-blocking via AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available from our trust center. + +Unstructured maintains industry-standard security and compliance programs including HIPAA compliance architecture, ITAR-readiness with geo-blocking via AWS WAF, and SOC 2 controls. 
Detailed compliance artifacts are available from our trust center. !! Writer: Add link to Turst Center !! diff --git a/business/dedicated-instances/security/security-model.mdx b/business/dedicated-instances/security/security-model.mdx index 77c246d7..81a30c70 100644 --- a/business/dedicated-instances/security/security-model.mdx +++ b/business/dedicated-instances/security/security-model.mdx @@ -27,7 +27,7 @@ The following security measures and connectivity options apply: - **TLS 1.2+** for all traffic in transit. - **AWS WAF** (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance. -- **IP Allowlisting** - restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. +- **IP Allowlisting** - restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. !! WRITER: check standard wording and links for submitting support ticket !! - **Independent paths** - allow you to use the UI and API over the public internet while Unstructured uses private connectivity to reach your data sources. The two paths are configured separately. 
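Review bot: `!! Writer: Add link to Turst Center !!` is an editor note (with a typo, "Turst") appended to the compliance answer and will ship to readers; resolve it with the actual trust center link. The "Does traffic ever traverse the public internet?" answer still points to `about:blank#network-access-controls`, but that section lives in security-model.mdx, not on this FAQ page, so the link should target `/business/dedicated-instances/security/security-model#network-access-controls` (or whatever the final route is). The added blank lines after each bold question are fine for MDX rendering but the "Is data encrypted?" answer now reads "Data is encrypted in the following cases:" followed by a list that includes "At rest: Optional customer-managed KMS keys are available on request", which describes a key-custody option rather than a case in which data is encrypted; consider restating that encryption at rest is on by default with provider-managed keys and that CMK is optional, matching security-model.mdx.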
@@ -39,14 +39,16 @@ When private connectivity is enabled, traffic between your environment and the U ### What private connectivity does and does not protect Private connectivity protects: -* Network traffic from public internet exposure -* Data in-transit between VPCs/VNets -* DNS resolution of service endpoints + +* Network traffic from public internet exposure. +* Data in transit between VPCs/VNets. +* DNS resolution of service endpoints. Private connectivity does not protect: -* Application-layer vulnerabilities -* Misconfigured Identify and Access Management (IAM) or Role-Based Access Control (RBAC) policies -* Compromised credentials + +* Application-layer vulnerabilities. +* Misconfigured Identity and Access Management (IAM) or Role-Based Access Control (RBAC) policies. +* Compromised credentials. ### (Optional) Customer-managed encryption keys @@ -55,7 +57,7 @@ By default, Unstructured manages encryption keys using the cloud provider’s ke ### Network access controls -**Network access controls** govern whether traffic may use the **public internet** to enter or exit your Dedicated Instance. This section covers the default configuration settings for inbound and outbound traffic and the available options for any exceptions you'd like to make the defaults. +Network access controls govern whether traffic may use the public internet across the boundary between the Unstructured platform and your cloud environment (the VPC or VNet where your data sources and related resources run). This section explains the default rules for inbound and outbound traffic and how you can request changes when a use case requires it. **Default configuration:** 
@@ -71,7 +73,7 @@ This default configuration provides maximum network isolation and is recommended Some integrations require outbound internet access. Examples include: - Third-party AI/ML APIs (e.g., OpenAI, Anthropic, Gemini) not hosted in your cloud environment. - External webhooks or callback URLs. -- Public SaaS services without private connectivity support (see [connector coverage](about:blank#aws-privatelink-connector-coverage) below). +- Public SaaS services without private connectivity support. If your use case requires public egress, Unstructured can enable outbound internet access with the following options: diff --git a/business/dedicated-instances/security/shared-responsibility-model.mdx b/business/dedicated-instances/security/shared-responsibility-model.mdx index 0db67318..57a4d28b 100644 --- a/business/dedicated-instances/security/shared-responsibility-model.mdx +++ b/business/dedicated-instances/security/shared-responsibility-model.mdx 
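Review bot: Dropping the broken `about:blank#aws-privatelink-connector-coverage` link is right, but the bullet "Public SaaS services without private connectivity support." now gives the reader no way to find out which connectors those are; point it at the connector-support pages (for example `/business/azure/azure-privatelink/connector-support`, which this patch already links from other files), since that table is what tells a customer whether a given connector forces them to open public egress.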
@@ -2,40 +2,37 @@ title: Shared responsibility model --- - -!! WRITER: Add intro paras and more context !! - +A **shared responsibility model** documents how responsibility for security and operations is divided between a service provider and its customers. The provider protects the infrastructure and software it operates; customers protect their accounts, data, identities, access policies, and the network resources they control. Major cloud providers publish similar high-level shared responsibility frameworks for their own platforms. + + +The following tables indicate which responsibilities are assigned to the **Customer** or to **Unstructured**. The first table covers traffic to the Unstructured platform (UI and API access from your environment). The second covers traffic to your data sources (when Unstructured connects into your cloud). **Customer → Unstructured (Accessing Unstructured UI and API)** | Responsibility | Customer | Unstructured | -| --- | --- | --- | -| VPC/VNet Configuration | ✔ | | -| VPC Endpoint / Private Endpoint Creation | ✔ | | -| DNS Configuration | ✔ | | -| Security Group / NSG Rules | ✔ | | -| VPC Endpoint Service Creation | | ✔ | -| Endpoint Connection Approval | | ✔ | -| Load Balancer and Target Configuration | | ✔ | -| Platform Security & Certificate Management | | ✔ | +| --- | :---: | :---: | +| VPC / VNet configuration | ✔ | | +| VPC Endpoint / Private Endpoint creation | ✔ | | +| DNS configuration | ✔ | | +| Security group / Network Security Group rules | ✔ | | +| VPC Endpoint service creation | | ✔ | +| Endpoint connection approval | | ✔ | +| Load balancer and target configuration | | ✔ | +| Platform security & certificate management | | ✔ | **Unstructured → Customer (Accessing Customer Data Sources)** | Responsibility | Customer | Unstructured | -| --- | --- | --- | -| VPC Endpoint Service Creation | ✔ | | -| Load Balancer and Target Configuration | ✔ | | -| Endpoint Connection Approval | ✔ | | -| Security Group / NSG Rules | ✔ | 
| -| Bucket/Container Policies | ✔ | | -| VPC Endpoint / Private Endpoint Creation | | ✔ | -| DNS Configuration | | ✔ | - - -!! WRITER: Include info from below note in intro para, or leave as note for emphasis? !! - +| --- | :---: | :---: | +| VPC Endpoint service creation | ✔ | | +| Load Balancer and target configuration | ✔ | | +| Endpoint connection approval | ✔ | | +| Security Group / Network Security Group rules | ✔ | | +| Bucket and Container policies | ✔ | | +| VPC endpoint / Private Endpoint creation | | ✔ | +| DNS configuration | | ✔ | Each party is only responsible for the cloud resources it operates. From 92634012c2dcafe122db04bef3463e8754d0c098 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Tue, 24 Mar 2026 19:03:14 -0400 Subject: [PATCH 14/29] Edit Azure-specific content. --- .../azure-privatelink/connect-to-platform.mdx | 5 ++-- .../azure-privatelink/connect-to-services.mdx | 14 +++++++++++ .../azure-privatelink/connector-support.mdx | 24 ++++++++++++------- .../azure-privatelink/dns-configuration.mdx | 8 +++++++ business/azure/azure-privatelink/overview.md | 9 ++++++- 5 files changed, 49 insertions(+), 11 deletions(-) diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx index 7e5fd05f..b977832c 100644 --- a/business/azure/azure-privatelink/connect-to-platform.mdx +++ b/business/azure/azure-privatelink/connect-to-platform.mdx 
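Review bot: Both tables cover only network plumbing (endpoints, DNS, load balancers, security groups, bucket policies), while security-model.mdx in this same patch states that private connectivity does not protect against misconfigured IAM/RBAC or compromised credentials; add rows assigning responsibility for those items (IAM roles / service principals granted to Unstructured, connector credentials and API keys, user access to the UI and API) so the model is complete for the risks the rest of the docs call out. Casing is also inconsistent between the two tables (`Security group / Network Security Group rules` vs `Security Group / Network Security Group rules`, `Load balancer` vs `Load Balancer`, `VPC Endpoint` vs `VPC endpoint`).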
@@ -2,9 +2,10 @@ title: Connecting to the Unstructured Platform (UI and API) sidebarTitle: Connecting to the Unstructured Platform --- -This enables Customer applications to access the Unstructured Platform (UI and API). -| Order | Information Required | Description | Example | Who | +This section outlines the information required for your applications to access the Unstructured Platform (UI and API). + +| Order | Information Required | Description | Example | Provided by | | --- | --- | --- | --- | --- | | 1 | Private Link Service Resource ID | Resource ID of Unstructured’s Private Link Service | `/subscriptions/…/providers/Microsoft.Network/privateLinkServices/uio-pls` | Unstructured | | 1 | Private Link Service Alias | Alias for Unstructured’s Private Link Service | `uio-pls.abc123.eastus.azure.privatelinkservice` | Unstructured | diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index f78ac654..cb1214c4 100644 --- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx 
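Review bot: The `Order` column has two rows numbered 1 (`Private Link Service Resource ID` and `Private Link Service Alias`); if both values are handed over together, say so in the intro sentence or collapse them into one row, otherwise number them sequentially. Renaming the last column to "Provided by" is a good change, since it makes clear which party originates each value in the ticket exchange.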
@@ -10,6 +10,20 @@ This topic covers the required information to enable your Dedicated Instance to * Customer managed AWS services * AWS services that require a Network Loa Balancer (NLB) front end +--- + +### Suggested introduction (for editors) + +This page covers **Unstructured → your Azure services**: what to provide so your Dedicated Instance can reach Azure data sources and APIs over Private Link or private endpoints. The sections below map to **Azure managed services** (Blob/ADLS Gen2, OpenAI, Databricks, AI Search, databases, Synapse, etc.) and **customer-managed workloads** exposed via a Private Link service and Standard Load Balancer. + +**Replace the bullet list above**—it describes AWS, not Azure. Use something like: + +- Azure managed PaaS with **private endpoints** (storage, OpenAI, AI Search, SQL, Cosmos DB, PostgreSQL, MySQL, Synapse, …) +- **Azure Databricks** (Private Link–enabled workspace) +- **Customer-managed** applications via **Private Link service** + Standard Load Balancer (and note API Management internal mode if applicable) + +For whether a connector is supported and the high-level pattern, see [Connector support](/business/azure/azure-privatelink/connector-support). For user access to the platform, see [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform). + ## Azure managed services ### Azure Blob Storage diff --git a/business/azure/azure-privatelink/connector-support.mdx b/business/azure/azure-privatelink/connector-support.mdx index 66837183..7a60537b 100644 --- a/business/azure/azure-privatelink/connector-support.mdx +++ b/business/azure/azure-privatelink/connector-support.mdx 
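Review bot: This hunk commits an editor-facing section (`### Suggested introduction (for editors)` with "Replace the bullet list above—it describes AWS, not Azure") into a customer-facing page, while leaving the wrong bullets in place (`Customer managed AWS services`, `AWS services that require a Network Loa Balancer (NLB) front end`, which also has a typo). Apply the suggested Azure list directly in place of the AWS bullets and delete the editor section and the `---` rule above it before merge; as committed, the page tells Azure customers about AWS services and then tells them the text is wrong.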
@@ -3,20 +3,28 @@ title: Connector support for Azure Private Link sidebarTitle: Connector support --- -This section outlines the information required by both parties to establish Azure Private Link. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. +This section provides a list of connectors to Azure services. For each connector it summarizes the following: + +- Whether the connector supports Private Link +- Which Azure components are involved +- A reference for detailed setup information + +Review the table first, then follow [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform) for UI/API access and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services) for data sources and other Azure workloads. + ### Azure Connector Coverage -| Connector | PrivateLink Supported | Approach | Configuration Section | -| --- | --- | --- | --- | +| Connector | Private Link supported | Approach | Configuration information | +| --- | :---: | --- | --- | | **Customer → Unstructured (UI/API)** | ✅ | Private Endpoint | [Link](about:blank#connections-into-unstructured-vpc-azure) | -| **Azure Blob Storage / ADLS Gen2** | ✅ | Private Endpoint | [Link](about:blank#azure-blob-storage) | +| **Azure Blob Storage / ADLS Gen2** | ✅ | Private Endpoint | [Link](business/azure/azure-privatelink/connect-to-services#azure-blob-storage) | | **Azure OpenAI** | ✅ | Private Endpoint | [Link](about:blank#azure-openai) | | **Azure OpenAI via API Management** | ✅ | Private Endpoint + APIM Private mode | Contact Unstructured | -| **Azure AI Search** | ✅ | Private Endpoint | [Link](about:blank#azure-managed-services) | -| **Databricks (Azure)** | ✅ | Private Link | [Link](about:blank#azure-databricks) | -| **Azure SQL / Cosmos DB / PostgreSQL / MySQL / Synapse** | ✅ | Private 
Endpoint | [Link](about:blank#azure-managed-services) | -| **Customer Managed Services (Azure)** | ✅ | Private Link Service + Standard Load Balancer | [Link](about:blank#customer-managed-services-azure) | +| **Azure AI Search** | ✅ | Private Endpoint | [Link](business/azure/azure-privatelink/connect-to-services#azure-managed-services-with-private-endpoint-access) | +| **Databricks (Azure)** | ✅ | Private Link | [Link](business/azure/azure-privatelink/connect-to-services#azure-databricks) | +| **Azure SQL / Cosmos DB / PostgreSQL / MySQL / Synapse** | ✅ | Private Endpoint | [Link](business/azure/azure-privatelink/connect-to-services#azure-managed-services-with-private-endpoint-access) | +| **Customer Managed Services (Azure)** | ✅ | Private Link Service + Standard Load Balancer | [Link](business/azure/azure-privatelink/connect-to-services#customer-managed-services-azure) | | **OneDrive / SharePoint / Outlook** | ❌ | Microsoft SaaS — requires public egress | Requires public egress | | **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires public egress | + diff --git a/business/azure/azure-privatelink/dns-configuration.mdx b/business/azure/azure-privatelink/dns-configuration.mdx index 9e417c40..d83c5fc9 100644 --- a/business/azure/azure-privatelink/dns-configuration.mdx +++ b/business/azure/azure-privatelink/dns-configuration.mdx 
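Review bot: the new connector table mixes three kinds of link target. The rows that were updated use a relative path without a leading slash (`[Link](business/azure/azure-privatelink/connect-to-services#azure-blob-storage)`) while the intro paragraph above the table uses absolute paths (`/business/azure/azure-privatelink/connect-to-platform`); a relative path resolves against the current page's directory, so from a page already under `business/azure/azure-privatelink/` it will not land where intended. Two rows still carry the `about:blank#...` placeholders (`Customer → Unstructured (UI/API)`, `Azure OpenAI`). Use the absolute form for every `[Link](...)` and replace the remaining `about:blank` targets, or mark those rows "Contact Unstructured" as the APIM row does until the destination exists.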
@@ -11,3 +11,11 @@ sidebarTitle: DNS configuration ``` 3. Link the Private DNS Zone to the VNet(s) where clients will access the service. + +--- + +### Suggested introduction (for editors) + +Add a short opening paragraph **above** the numbered steps when you merge this suggestion—for example: *“After you create a private endpoint for the Unstructured platform, clients in your VNet must resolve the service hostname to the private endpoint’s IP. Use an Azure Private DNS zone linked to the VNets where users or apps run.”* + +The steps below apply to **platform (UI/API) access**; similar DNS patterns may apply to other Private Link targets—align zone names and records with the hostname Unstructured provides. Keep this page linked from [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform) and the [overview](/business/azure/azure-privatelink/overview). diff --git a/business/azure/azure-privatelink/overview.md b/business/azure/azure-privatelink/overview.md index b819eb33..1c84156e 100644 --- a/business/azure/azure-privatelink/overview.md +++ b/business/azure/azure-privatelink/overview.md 
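Review bot: the "Suggested introduction (for editors)" block is committed into the page body below a `---` rule, together with the instruction "Add a short opening paragraph above the numbered steps when you merge this suggestion", so it will render for customers. Either apply the quoted paragraph directly above step 1 (it is the sentence readers need: clients in the VNet must resolve the service hostname to the private endpoint's IP through a Private DNS zone linked to their VNets) and drop the editor note, or keep the note out of the rendered output as an MDX comment. Note also that PATCH 15 in this series deletes this page entirely, so the concrete steps here (zone matching the service domain, A record to the endpoint IP, VNet link) need a home on the replacement page.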
@@ -2,4 +2,11 @@ title: Configure Azure PrivateLink for your Dedicated Instance sidebarTitle: Overview --- -This section outlines the information required by both parties to establish Azure Private Link. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. + + +This section helps you plan **Azure Private Link** for your Dedicated Instance on the Unstructured platform. You will coordinate two kinds of connectivity: + +1. **Into Unstructured** — Your users and applications reach the Unstructured UI and API over private networking. +2. **Into your Azure environment** — Your Dedicated Instance reaches your Azure data sources and services privately. + +Start with [Connector support](/business/azure/azure-privatelink/connector-support) to see which connectors support Private Link and which need public egress. Then use [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform), [DNS configuration](/business/azure/azure-privatelink/dns-configuration), and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services) for the details you and Unstructured exchange during setup. From 9f1fef4d0dc3b0e136097e8301070dac5c3cc639 Mon Sep 17 00:00:00 2001 
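Review bot: the overview's last paragraph links to `/business/azure/azure-privatelink/dns-configuration`, a page that PATCH 15 in this same series deletes and replaces with `dns-privatelink`; the docs.json hunk there updates the navigation entry but no hunk touches this link, so it will dangle once the series is applied. Update it alongside the rename. Minor: the hunk inserts two blank lines between the closing `---` of the front matter and the first paragraph where one is enough.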
From: monica-unstructured Date: Tue, 24 Mar 2026 21:29:17 -0400 Subject: [PATCH 15/29] Update Azure Connections and DNS sections. --- .../aws-privatelink/connect-to-platform.mdx | 2 +- .../azure-privatelink/connect-to-platform.mdx | 8 +++++-- .../azure-privatelink/connect-to-services.mdx | 19 +---------------- .../azure-privatelink/connector-support.mdx | 2 +- .../azure-privatelink/dns-configuration.mdx | 21 ------------------- .../dns-privatelink.mdx} | 4 ++-- docs.json | 3 +-- 7 files changed, 12 insertions(+), 47 deletions(-) delete mode 100644 business/azure/azure-privatelink/dns-configuration.mdx rename business/azure/{x-dns-privatelink.mdx => azure-privatelink/dns-privatelink.mdx} (91%) diff --git a/business/aws/aws-privatelink/connect-to-platform.mdx b/business/aws/aws-privatelink/connect-to-platform.mdx index 533f352d..d9925047 100644 --- a/business/aws/aws-privatelink/connect-to-platform.mdx +++ b/business/aws/aws-privatelink/connect-to-platform.mdx @@ -4,7 +4,7 @@ sidebarTitle: Connecting to the Unstructured Platform --- This enables Customer applications to access the Unstructured Platform (UI and API). -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Provided by | | --- | --- | --- | --- | --- | | 1 | VPC Endpoint Service Name | Service name for Unstructured Endpoint | `com.amazonaws.vpce.us-west-2.vpce-svc-0abc123` | Unstructured | | 1 | Service Region | Region where Unstructured’s service is hosted | `us-east-1` | Unstructured | diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx index b977832c..ef6a00f6 100644 --- a/business/azure/azure-privatelink/connect-to-platform.mdx +++ b/business/azure/azure-privatelink/connect-to-platform.mdx 
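Review bot: the AWS table examples disagree on region: the VPC Endpoint Service Name example `com.amazonaws.vpce.us-west-2.vpce-svc-0abc123` embeds `us-west-2`, while the Service Region row directly below gives `us-east-1`. Readers copying both will get a contradictory pair; pick one region for the two examples. Renaming "Who" to "Provided by" reads better, and the Azure connect-to-services tables in this same patch should follow (they still use "Who").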
@@ -2,9 +2,12 @@ title: Connecting to the Unstructured Platform (UI and API) sidebarTitle: Connecting to the Unstructured Platform --- - This section outlines the information required for your applications to access the Unstructured Platform (UI and API). + +QUESTION: What does the ORDER column depict? Order in parallel? Please LMK so I can describe it clearly. + + | Order | Information Required | Description | Example | Provided by | | --- | --- | --- | --- | --- | | 1 | Private Link Service Resource ID | Resource ID of Unstructured’s Private Link Service | `/subscriptions/…/providers/Microsoft.Network/privateLinkServices/uio-pls` | Unstructured | @@ -14,4 +17,5 @@ This section outlines the information required for your applications to access t | 2 | Azure Region | Region where Private Endpoint will be created | `eastus` | Customer | | 2 | Virtual Network Name | VNet where endpoint will be deployed | `customer-vnet` | Customer | | 2 | Subnet Name | Subnet for the private endpoint | `private-endpoints-subnet` | Customer | -| 2 | Resource Group | Resource group containing the VNet | `customer-network-rg` | Customer | \ No newline at end of file +| 2 | Resource Group | Resource group containing the VNet | `customer-network-rg` | Customer | + diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index cb1214c4..80775900 100644 --- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx 
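Review bot: `QUESTION: What does the ORDER column depict? Order in parallel? Please LMK so I can describe it clearly.` is added as a plain paragraph under the intro, so it renders on the customer-facing page. Keep the open question in the PR conversation or wrap it in an MDX comment (`{/* ... */}`) so it cannot ship. The second hunk's trailing-newline fix on the last table row is good.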
@@ -3,24 +3,7 @@ title: Connecting to your Azure services sidebarTitle: Connecting to your Azure services --- -This topic covers the required information to enable your Dedicated Instance to connect to the Azure services in your Azure VNet. There are multiple situations that may require different configurations. - -* AWS PrivateLink -* Native PrivateLink -* Customer managed AWS services -* AWS services that require a Network Loa Balancer (NLB) front end - ---- - -### Suggested introduction (for editors) - -This page covers **Unstructured → your Azure services**: what to provide so your Dedicated Instance can reach Azure data sources and APIs over Private Link or private endpoints. The sections below map to **Azure managed services** (Blob/ADLS Gen2, OpenAI, Databricks, AI Search, databases, Synapse, etc.) and **customer-managed workloads** exposed via a Private Link service and Standard Load Balancer. - -**Replace the bullet list above**—it describes AWS, not Azure. Use something like: - -- Azure managed PaaS with **private endpoints** (storage, OpenAI, AI Search, SQL, Cosmos DB, PostgreSQL, MySQL, Synapse, …) -- **Azure Databricks** (Private Link–enabled workspace) -- **Customer-managed** applications via **Private Link service** + Standard Load Balancer (and note API Management internal mode if applicable) +This section covers setting up connectivity from Unstructured to an Azure service, specifically what to provide so your Dedicated Instance can reach Azure data sources and APIs over Private Link or private endpoints. The sections below map to **Azure managed services** and **customer-managed workloads** exposed via a Private Link service and Standard Load Balancer. For whether a connector is supported and the high-level pattern, see [Connector support](/business/azure/azure-privatelink/connector-support). For user access to the platform, see [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform). 
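Review bot: good to remove the editor note and the AWS-specific bullet list ("AWS PrivateLink", "Network Loa Balancer") from an Azure page. The replacement intro is one long sentence; consider splitting after "private endpoints" so the scope statement and the "sections below map to" sentence stand separately.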
diff --git a/business/azure/azure-privatelink/connector-support.mdx b/business/azure/azure-privatelink/connector-support.mdx index 7a60537b..6158809c 100644 --- a/business/azure/azure-privatelink/connector-support.mdx +++ b/business/azure/azure-privatelink/connector-support.mdx @@ -7,7 +7,7 @@ This section provides a list of connectors to Azure services. For each connector - Whether the connector supports Private Link - Which Azure components are involved -- A reference for detailed setup information +- A reference for detailed configuration information Review the table first, then follow [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform) for UI/API access and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services) for data sources and other Azure workloads. diff --git a/business/azure/azure-privatelink/dns-configuration.mdx b/business/azure/azure-privatelink/dns-configuration.mdx deleted file mode 100644 index d83c5fc9..00000000 --- a/business/azure/azure-privatelink/dns-configuration.mdx +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -title: DNS configuration for Private Link access -sidebarTitle: DNS configuration ---- - -1. Create a Private DNS Zone matching the service hostname domain (e.g., `privatelink.unstructuredapp.io`). -2. Create an A record for the full service hostname pointing to the private IP of your Private Endpoint: - - ``` - example.privatelink.unstructuredapp.io → 10.12.34.56 - ``` - -3. Link the Private DNS Zone to the VNet(s) where clients will access the service. - ---- - -### Suggested introduction (for editors) - -Add a short opening paragraph **above** the numbered steps when you merge this suggestion—for example: *“After you create a private endpoint for the Unstructured platform, clients in your VNet must resolve the service hostname to the private endpoint’s IP. Use an Azure Private DNS zone linked to the VNets where users or apps run.”* - -The steps below apply to **platform (UI/API) access**; similar DNS patterns may apply to other Private Link targets—align zone names and records with the hostname Unstructured provides. Keep this page linked from [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform) and the [overview](/business/azure/azure-privatelink/overview). diff --git a/business/azure/x-dns-privatelink.mdx b/business/azure/azure-privatelink/dns-privatelink.mdx similarity index 91% rename from business/azure/x-dns-privatelink.mdx rename to business/azure/azure-privatelink/dns-privatelink.mdx index c4994414..bec88ba9 100644 --- a/business/azure/x-dns-privatelink.mdx +++ b/business/azure/azure-privatelink/dns-privatelink.mdx @@ -1,6 +1,6 @@ --- -title: OLD - DNS configuration for Private Link access -sidebarTitle: x DNS for Private Link +title: DNS configuration for Private Link access +sidebarTitle: DNS for Private Link --- To access the dedicated instance over Azure Private Link, you must configure DNS so the service hostname resolves to your 
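Review bot: deleting `dns-configuration.mdx` removes the only concrete DNS steps in this section (a Private DNS Zone named for the service domain, e.g. `privatelink.unstructuredapp.io`; an A record for the full service hostname pointing at the private endpoint's private IP; linking the zone to the client VNets). The renamed `dns-privatelink.mdx` hunk only shows the title cleanup and an intro that ends mid-sentence in the context ("resolves to your"), so confirm that page carries equivalent steps before this deletion merges. Dropping the `OLD -` and `x ` prefixes from the title and sidebar title is correct now that the page is promoted.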
diff --git a/docs.json b/docs.json index 18056a75..8b61509a 100644 --- a/docs.json +++ b/docs.json @@ -377,13 +377,12 @@ "pages": [ "business/azure/x-overview", "business/azure/x-onboard", - "business/azure/x-dns-privatelink", { "group": "Microsoft Azure Private Link for your Dedicated Instance", "pages": [ "business/azure/azure-privatelink/overview", "business/azure/azure-privatelink/connector-support", "business/azure/azure-privatelink/connect-to-platform", - "business/azure/azure-privatelink/dns-configuration", + "business/azure/azure-privatelink/dns-privatelink", "business/azure/azure-privatelink/connect-to-services" ] } From 0f8dea393e422c38feece1569b047a869552b35b Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 25 Mar 2026 00:06:06 -0400 Subject: [PATCH 16/29] More edits to Azure Private Link topics --- .../aws-privatelink/connect-to-platform.mdx | 2 + .../aws-privatelink/connect-to-services.mdx | 2 + .../azure-privatelink/connect-to-platform.mdx | 4 +- .../azure-privatelink/connect-to-services.mdx | 118 ++++++++++++------ .../azure-privatelink/connector-support.mdx | 16 +-- business/azure/azure-privatelink/overview.md | 2 +- 6 files changed, 95 insertions(+), 49 deletions(-) diff --git a/business/aws/aws-privatelink/connect-to-platform.mdx b/business/aws/aws-privatelink/connect-to-platform.mdx index d9925047..be315f98 100644 --- a/business/aws/aws-privatelink/connect-to-platform.mdx +++ b/business/aws/aws-privatelink/connect-to-platform.mdx @@ -4,6 +4,8 @@ sidebarTitle: Connecting to the Unstructured Platform --- This enables Customer applications to access the Unstructured Platform (UI and API). +QUESTION: What does the ORDER column depict? What does this convey to the customer?. + | Order | Information Required | Description | Example | Provided by | | --- | --- | --- | --- | --- | | 1 | VPC Endpoint Service Name | Service name for Unstructured Endpoint | `com.amazonaws.vpce.us-west-2.vpce-svc-0abc123` | Unstructured | 
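Review bot: the docs.json hunk correctly swaps `dns-configuration` for `dns-privatelink` in the nav group and removes the top-level `x-dns-privatelink` entry, but inline links that point at `/business/azure/azure-privatelink/dns-configuration` (the overview page edited earlier in this series) are not touched in this patch and will break. In the AWS connect-to-platform hunk that follows, the new `QUESTION: ... What does this convey to the customer?.` paragraph renders in published output and also ends with "?."; move it out of the page body.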
diff --git a/business/aws/aws-privatelink/connect-to-services.mdx b/business/aws/aws-privatelink/connect-to-services.mdx index 27fb505b..460dad05 100644 --- a/business/aws/aws-privatelink/connect-to-services.mdx +++ b/business/aws/aws-privatelink/connect-to-services.mdx @@ -14,6 +14,8 @@ This topic covers the required information to enable your Dedicated Instance to ### AWS S3 (Gateway Endpoint) +QUESTION: What does the ORDER column depict? What does this convey to the customer?. + | Order | Information Required | Description | Example | Who | | --- | --- | --- | --- | --- | | 1 | S3 Bucket Name | Buckets Unstructured needs to access | `my-documents` | Customer | diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx index ef6a00f6..2dc61b40 100644 --- a/business/azure/azure-privatelink/connect-to-platform.mdx +++ b/business/azure/azure-privatelink/connect-to-platform.mdx @@ -5,7 +5,7 @@ sidebarTitle: Connecting to the Unstructured Platform This section outlines the information required for your applications to access the Unstructured Platform (UI and API). -QUESTION: What does the ORDER column depict? Order in parallel? Please LMK so I can describe it clearly. +QUESTION: What does the ORDER column depict? What does this convey to the customer?. | Order | Information Required | Description | Example | Provided by | 
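Review bot: these two hunks bring the count of published `QUESTION:` placeholders to three pages (AWS connect-to-platform, AWS connect-to-services, Azure connect-to-platform), each with the stray "?." punctuation. Settle the Order column once rather than asking in each file: in every table shown here, Order 1 rows are "Provided by: Unstructured" and Order 2 rows are "Provided by: Customer", so the column appears to encode the hand-off sequence (Unstructured shares its identifiers first, the customer responds with theirs). If that is the meaning, a one-sentence lead-in above each table ("Order indicates the sequence in which the information is exchanged") replaces the column's ambiguity, and the question text can be removed before merge.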
@@ -14,7 +14,7 @@ This section outlines the information required for your applications to access t | 1 | Private Link Service Alias | Alias for Unstructured’s Private Link Service | `uio-pls.abc123.eastus.azure.privatelinkservice` | Unstructured | | 1 | Service Region | Region where Unstructured’s service is hosted | `eastus` | Unstructured | | 2 | Azure Subscription ID | Customer’s Azure Subscription ID (to approve connection) | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Customer | -| 2 | Azure Region | Region where Private Endpoint will be created | `eastus` | Customer | +| 2 | Azure Region | Region where private endpoint will be created | `eastus` | Customer | | 2 | Virtual Network Name | VNet where endpoint will be deployed | `customer-vnet` | Customer | | 2 | Subnet Name | Subnet for the private endpoint | `private-endpoints-subnet` | Customer | | 2 | Resource Group | Resource group containing the VNet | `customer-network-rg` | Customer | diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index 80775900..d7fd28dc 100644 --- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx @@ -5,7 +5,6 @@ sidebarTitle: Connecting to your Azure services This section covers setting up connectivity from Unstructured to an Azure service, specifically what to provide so your Dedicated Instance can reach Azure data sources and APIs over Private Link or private endpoints. The sections below map to **Azure managed services** and **customer-managed workloads** exposed via a Private Link service and Standard Load Balancer. -For whether a connector is supported and the high-level pattern, see [Connector support](/business/azure/azure-privatelink/connector-support). For user access to the platform, see [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform). ## Azure managed services 
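Review bot: the connect-to-services hunk (`@@ -5,7 +5,6 @@`) removes the cross-reference sentence to Connector support and Connecting to the Unstructured Platform that PATCH 15 added, and leaves two consecutive blank lines ahead of `## Azure managed services`. If the links were removed deliberately because the overview now carries them, fine; otherwise keep them, since connector-support links into this page and readers arriving here benefit from the way back. The "Private Endpoint" to "private endpoint" casing change in connect-to-platform matches the rest of the series.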
@@ -13,7 +12,9 @@ For whether a connector is supported and the high-level pattern, see [Connector This applies to Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2). -| Order | Information Required | Description | Example | Who | +This is a custom callout + +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Storage Account Name | Name of the Azure Storage Account | `customerstorageacct` | Customer | | 1 | Storage Account Resource ID | Full Azure Resource ID of the storage account | `/subscriptions/…/providers/Microsoft.Storage/storageAccounts/customerstorageacct` | Customer | 
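Review bot: `This is a custom callout` is a placeholder paragraph committed into the Blob Storage / ADLS Gen2 section. Replace it with the intended callout component and its text (the ADLS Gen2 `dfs` note a few lines further down looks like the candidate) or drop the line before merge. Renaming the column from "Who" to "Owner" here diverges from "Provided by" used on the connect-to-platform pages in the same series; pick one label.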
@@ -21,14 +22,13 @@ This applies to Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2). | 1 | Storage Account Region | Region where storage account is located | `eastus` | Customer | | 1 | Sub-resource Type | `blob`, `dfs` (for ADLS Gen2), `file`, `table`, `queue` | `blob`, `dfs` | Customer | | 2 | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment | `b2c3d4e5-f6a7-8901-bcde-f23456789012` | Unstructured | -| 2 | Unstructured Subscription ID | Subscription ID for Private Endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | - -> For ADLS Gen2, use sub-resource type `dfs` for hierarchical namespace operations. The customer must approve the Private Endpoint connection request in the Storage Account > Networking > Private endpoint connections. -> +| 2 | Unstructured Subscription ID | Subscription ID for private endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | -**Example: Azure Role Assignment** +For ADLS Gen2, use sub-resource type `dfs` for hierarchical namespace operations. You must approve the private endpoint connection request. To do so, navigate to **Storage Account > Networking > Private endpoint connections**. + +**Example: Azure role assignment** -Using Azure CLI for read-only access: +The following Azure CLI command assigns the **Storage Blob Data Reader** role to Unstructured’s service principal so the platform can read blobs in your storage account. ```bash az role assignment create \ 
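Review bot: the approval instruction ("You must approve the private endpoint connection request... Storage Account > Networking > Private endpoint connections") should state what to verify before approving: the pending request's subscription must match the Unstructured Subscription ID given in row 2 of this table, and any other pending request should be left unapproved. The rewritten role-assignment lead-in that names the **Storage Blob Data Reader** role and what it permits is an improvement over "Using Azure CLI for read-only access".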
@@ -37,21 +37,23 @@ az role assignment create \ --scope "/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/" ``` -For read/write access, replace `"Storage Blob Data Reader"` with `"Storage Blob Data Contributor"`. +For **read/write** access, use the **Storage Blob Data Contributor** role instead of **Storage Blob Data Reader**. + +Replace the placeholders as follows: + +- `` — Service principal ID for Unstructured (provided during onboarding) +- `` — Your Azure subscription ID +- `` — Resource group that contains the storage account +- `` — Storage account name -Replace: -- `` — Unstructured’s Service Principal ID (provided during setup). -- `` — Your Azure Subscription ID. -- `` — Your Resource Group name. -- `` — Your Storage Account name. --- ### Azure OpenAI -Azure OpenAI supports Private Endpoint access. Unstructured creates a Private Endpoint in our VNet to access the customer’s Azure OpenAI resource privately. +Azure OpenAI supports private endpoint access. Unstructured creates a private endpoint in our VNet to access the your Azure OpenAI resource privately. -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Azure OpenAI Resource Name | Name of the Azure OpenAI resource | `customer-openai` | Customer | | 1 | Azure OpenAI Resource ID | Full Azure Resource ID | `/subscriptions/…/providers/Microsoft.CognitiveServices/accounts/customer-openai` | Customer | 
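Review bot: typo in the Azure OpenAI intro: "to access the your Azure OpenAI resource" should read "to access your Azure OpenAI resource". In the "Replace the placeholders as follows" list, every bullet shows an empty code span (`` followed by the description) and the `--scope` line above reads `/subscriptions//resourceGroups//providers/...` with nothing between the slashes; if the angle-bracket tokens are being consumed by the MDX parser, escape them or use a bracket-free form such as `SUBSCRIPTION_ID` so the list and the command agree and readers can see what to substitute.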
@@ -59,9 +61,11 @@ Azure OpenAI supports Private Endpoint access. Unstructured creates a Private En | 1 | Deployment Name(s) | Model deployment names to access | `gpt-4-deployment, embedding-deployment` | Customer | | 1 | Sub-resource Type | Always `account` for Azure OpenAI | `account` | Customer | | 2 | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment | `b2c3d4e5-f6a7-8901-bcde-f23456789012` | Unstructured | -| 2 | Unstructured Subscription ID | Subscription ID for Private Endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | +| 2 | Unstructured Subscription ID | Subscription ID for private endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | + +**Example: Azure role assignment for OpenAI** -**Example: Azure Role Assignment for OpenAI** +Use Azure CLI to assign the **Cognitive Services OpenAI User** role to Unstructured’s service principal for your Azure OpenAI resource: ```bash az role assignment create \ 
@@ -69,25 +73,36 @@ az role assignment create \ --role "Cognitive Services OpenAI User" \ --scope "/subscriptions//resourceGroups//providers/Microsoft.CognitiveServices/accounts/" ``` +Replace the placeholders as follows: -After role assignment, configure the firewall to deny public access and approve the pending Private Endpoint connection request in the Azure Portal under the OpenAI resource > Networking > Private endpoint connections. +- `` — Service principal ID for Unstructured (provided during onboarding) +- `` — Your Azure subscription ID +- `` — Resource group that contains the storage account +- `` — Your Azure OpenAI Resource ID + +After the role assignment: + +1. **Firewall:** On the Azure OpenAI resource, configure networking so **public access is disabled** and traffic is allowed only as required for your private endpoint design. +2. **Approve the connection:** In the Azure portal, go to the OpenAI resource > **Networking** > **Private endpoint connections**, then approve the pending private endpoint connection from Unstructured. --- ### Azure Databricks -Azure Databricks supports Private Link for both front-end (user-to-workspace) and back-end (compute-to-control plane) connectivity. The customer must have Private Link enabled on their workspace. +Azure Databricks supports Private Link for both front-end (user-to-workspace) and back-end (compute-to-control plane) connectivity. You must have Private Link enabled on your workspace. 
-| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Databricks Workspace URL | The workspace URL | `adb-1234567890123456.12.azuredatabricks.net` | Customer | | 1 | Databricks Workspace Resource ID | Full Azure Resource ID of the workspace | `/subscriptions/…/providers/Microsoft.Databricks/workspaces/customer-workspace` | Customer | | 1 | Databricks Workspace Region | Azure region where workspace is deployed | `eastus` | Customer | | 1 | Sub-resource Type | `databricks_ui_api` for workspace access | `databricks_ui_api` | Customer | -| 2 | Unstructured Subscription ID | Subscription ID for Private Endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | -| 3 | Private Endpoint DNS | The private endpoint DNS for the workspace | `adb-1234567890123456.12.privatelink.azuredatabricks.net` | Customer | +| 2 | Unstructured Subscription ID | Subscription ID for private endpoint approval | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | +| 3 | Private endpoint DNS | The private endpoint DNS for the workspace | `adb-1234567890123456.12.privatelink.azuredatabricks.net` | Customer | + +**Example: Approve the Databricks private endpoint connection** -After Unstructured creates the Private Endpoint, approve the connection: +After Unstructured creates the private endpoint toward your workspace, approve the pending connection using Azure CLI: ```bash az network private-endpoint-connection approve \ 
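Review bot: two errors in the OpenAI placeholder list: the resource-group bullet reads "Resource group that contains the storage account" (carried over from the Blob section; it should be the resource group of the Azure OpenAI resource), and the last bullet says "Your Azure OpenAI Resource ID" while the `--scope` path `.../Microsoft.CognitiveServices/accounts/...` takes the resource name, not the full resource ID. Step 1 under "After the role assignment" (disable public network access so only the private endpoint path remains) is the right posture; step 2 should add the same check as elsewhere, approving only the pending connection whose subscription matches the Unstructured Subscription ID in row 2. The Databricks hunk's "Example: Approve the Databricks private endpoint connection" heading and lead-in read well.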
@@ -97,12 +112,21 @@ az network private-endpoint-connection approve \ --type Microsoft.Databricks/workspaces ``` +You can also approve the same request in the **Azure portal**: open the Databricks workspace resource > **Networking** > **Private endpoint connections**, then approve the pending connection from Unstructured. + +Replace the placeholders as follows: + +- `` — Resource group that contains the Databricks workspace +- `` — Name of the Databricks workspace resource +- `` — Name of the private endpoint connection (shown in the portal or provided by Unstructured) + +--- ## Azure Managed Services with private endpoint access -This applies to Azure-managed services that support Private Endpoint access, including: **Azure AI Search, Azure SQL Database, Azure SQL Managed Instance, Azure Cosmos DB, Azure Database for PostgreSQL, Azure Database for MySQL,** and **Azure Synapse Analytics**. +This section applies to Azure Managed Services that support private endpoint access, including: **Azure AI Search, Azure SQL Database, Azure SQL Managed Instance, Azure Cosmos DB, Azure Database for PostgreSQL, Azure Database for MySQL,** and **Azure Synapse Analytics**. -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Service Type | The Azure managed service being accessed | `Azure AI Search`, `Azure SQL` | Customer | | 1 | Resource Name | Name of the Azure resource | `my-search-service` | Customer | 
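Review bot: the Databricks placeholder bullets line up with the command's `--resource-group`, workspace `--name` and connection name, and the portal alternative is useful. Heading consistency: `## Azure Managed Services with private endpoint access` capitalizes "Managed Services" while the parent heading on this page is `## Azure managed services`; and because Blob Storage, OpenAI and Databricks sit as `###` under that parent, this `##` reads as a sibling of the parent rather than a fourth service group. Decide whether it should be `###`, and if you change it, re-check that the connector-support anchor `#azure-managed-services-with-private-endpoint-access` still resolves.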
@@ -111,7 +135,7 @@ This applies to Azure-managed services that support Private Endpoint access, inc | 1 | Sub-Resource Type | The sub-resource type for Private Link (see table below) | `searchService`, `sqlServer` | Customer | | 1 | Service Port | Port the service listens on | `443` (AI Search), `1433` (SQL) | Customer | | 2 | Unstructured Service Principal ID | Service Principal ID for RBAC role assignment | `b2c3d4e5-f6a7-8901-bcde-f23456789012` | Unstructured | -| 2 | Unstructured Subscription ID | Subscription ID to approve for Private Endpoint | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | +| 2 | Unstructured Subscription ID | Subscription ID to approve for private endpoint | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | **Sub-resource types by service:** 
@@ -130,23 +154,29 @@ This applies to Azure-managed services that support Private Endpoint access, inc ## Customer Managed Services (Azure) -This applies to applications the customer is self-hosting in their Azure VNet. The customer must create a Private Link Service in front of their application, backed by an Azure Standard Load Balancer. +This section applies to applications that your organization hosts in your Azure virtual network. Create a **Private Link service** in front of your application, backed by an Azure Standard Load Balancer. -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | -| 1 | Private Link Service Name | Name of the customer’s Private Link Service | `customer-app-pls` | Customer | -| 1 | Private Link Service Resource ID | Full Resource ID of the Private Link Service | `/subscriptions/…/providers/Microsoft.Network/privateLinkServices/customer-app-pls` | Customer | +| 1 | Private Link Service Name | Name of your Private Link service | `customer-app-pls` | Customer | +| 1 | Private Link Service Resource ID | Full resource ID of the Private Link service | `/subscriptions/…/providers/Microsoft.Network/privateLinkServices/customer-app-pls` | Customer | | 1 | Service Region | Region where the service is hosted | `eastus` | Customer | | 1 | Service Port | Port(s) the service listens on | `443`, `8080` | Customer | | 2 | Unstructured Subscription ID | Subscription ID to approve for connection | `a1b2c3d4-e5f6-7890-abcd-ef1234567890` | Unstructured | -> The customer must create: (1) an Azure Standard Load Balancer fronting their application, and (2) a Private Link Service attached to the Load Balancer’s frontend IP. Unstructured then creates a Private Endpoint targeting the customer’s Private Link Service. -> +You must: + +1. **Load balancer:** Deploy an **Azure Standard Load Balancer** in front of your application. +2. 
**Private Link service:** Create a **Private Link service** attached to the load balancer’s frontend IP configuration. + +Unstructured then creates a **private endpoint** that targets your Private Link service. Approve the pending connection after Unstructured creates the private endpoint (using Azure CLI below or the Azure portal). + +**Example: Create a Private Link service with Azure CLI** -**Example: Creating Private Link Service using Azure CLI** +Use Azure CLI to create the Private Link service. After Unstructured creates a private endpoint to your service, run the second command to approve that connection. ```bash -# Create Private Link Service +# Create Private Link service az network private-link-service create \ --name "customer-app-pls" \ --resource-group "" \ 
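Review bot: the two-step "You must" list is clearer than the old blockquote. For "Approve the pending connection after Unstructured creates the private endpoint", document the check: approve only the request whose subscription matches the Unstructured Subscription ID in row 2. Since the customer owns the Private Link service here, the doc can also point out that the service's visibility can be limited to that subscription so other tenants cannot discover or request it (`az network private-link-service create` accepts `--visibility` and `--auto-approval` subscription lists for this). Casing is mixed within one paragraph: "Azure Standard Load Balancer" and "the load balancer's frontend IP configuration"; pick one.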
@@ -156,12 +186,24 @@ az network private-link-service create \ --lb-frontend-ip-configs "" \ --location "" -# Approve connection after Unstructured creates Private Endpoint +# Approve the private endpoint connection from Unstructured az network private-link-service connection approve \ --resource-group "" \ --service-name "customer-app-pls" \ --name "" ``` -> **Private API Gateway Scenario:** If the customer’s application uses Azure API Management in private-only (internal VNet) mode, the API Management service cannot be directly exposed via Private Link Service. In this case, deploy an Azure Standard Load Balancer in front of API Management and create a Private Link Service pointing to the Load Balancer. -> \ No newline at end of file +Replace the placeholders as follows: + +- `` — Resource group for the Private Link service and related resources +- `` — Virtual network name +- `` — Subnet used for the Private Link service (must meet Azure subnet requirements for Private Link) +- `` — Name of the Standard Load Balancer fronting your application +- `` — Frontend IP configuration name on the load balancer +- `` — Azure region (for example `eastus`) +- `` — Name of the private endpoint connection request (shown in the portal or provided by Unstructured) + + +#### Private API Gateway use case + +If your application uses Azure API Management in private-only (internal VNet) mode, you cannot target the API Management resource directly with a Private Link service. In this case, deploy an Azure Standard Load Balancer in front of API Management and create a Private Link service that points to the Load Balancer. \ No newline at end of file diff --git a/business/azure/azure-privatelink/connector-support.mdx b/business/azure/azure-privatelink/connector-support.mdx index 6158809c..4129a2b1 100644 --- a/business/azure/azure-privatelink/connector-support.mdx +++ b/business/azure/azure-privatelink/connector-support.mdx 
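Review bot: `#### Private API Gateway use case` jumps from the enclosing `##` straight to `####` with no `###` level in between; use `###` to match the other subsections on this page. The file still ends without a trailing newline (`\ No newline at end of file` on both the removed and added side), which PATCH 15 fixed for connect-to-platform; fix it here too. The placeholder list is a good addition, but the subnet bullet's "must meet Azure subnet requirements for Private Link" is vague for the reader at this point; either name the requirement the page relies on or link to where it is documented. "points to the Load Balancer" should match the lowercase "load balancer" used two lines earlier.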
@@ -16,14 +16,14 @@ Review the table first, then follow [Connecting to the Unstructured Platform](/b | Connector | Private Link supported | Approach | Configuration information | | --- | :---: | --- | --- | -| **Customer → Unstructured (UI/API)** | ✅ | Private Endpoint | [Link](about:blank#connections-into-unstructured-vpc-azure) | -| **Azure Blob Storage / ADLS Gen2** | ✅ | Private Endpoint | [Link](business/azure/azure-privatelink/connect-to-services#azure-blob-storage) | -| **Azure OpenAI** | ✅ | Private Endpoint | [Link](about:blank#azure-openai) | -| **Azure OpenAI via API Management** | ✅ | Private Endpoint + APIM Private mode | Contact Unstructured | -| **Azure AI Search** | ✅ | Private Endpoint | [Link](business/azure/azure-privatelink/connect-to-services#azure-managed-services-with-private-endpoint-access) | -| **Databricks (Azure)** | ✅ | Private Link | [Link](business/azure/azure-privatelink/connect-to-services#azure-databricks) | -| **Azure SQL / Cosmos DB / PostgreSQL / MySQL / Synapse** | ✅ | Private Endpoint | [Link](business/azure/azure-privatelink/connect-to-services#azure-managed-services-with-private-endpoint-access) | -| **Customer Managed Services (Azure)** | ✅ | Private Link Service + Standard Load Balancer | [Link](business/azure/azure-privatelink/connect-to-services#customer-managed-services-azure) | +| **Customer → Unstructured (UI/API)** | ✅ | Private endpoint | [Link](/business/azure/azure-privatelink/connect-to-platform) | +| **Azure Blob Storage / ADLS Gen2** | ✅ | Private endpoint | [Link](/business/azure/azure-privatelink/connect-to-services#azure-blob-storage) | +| **Azure OpenAI** | ✅ | Private endpoint | [Link](/business/azure/azure-privatelink/connect-to-services#azure-openai) | +| **Azure OpenAI via API Management** | ✅ | Private endpoint + APIM Private mode | Contact Unstructured | +| **Azure AI Search** | ✅ | Private endpoint | 
[Link](/business/azure/azure-privatelink/connect-to-services#azure-managed-services-with-private-endpoint-access) | +| **Databricks (Azure)** | ✅ | Private Link | [Link](/business/azure/azure-privatelink/connect-to-services#azure-databricks) | +| **Azure SQL / Cosmos DB / PostgreSQL / MySQL / Synapse** | ✅ | Private endpoint | [Link](/business/azure/azure-privatelink/connect-to-services#azure-managed-services-with-private-endpoint-access) | +| **Customer Managed Services (Azure)** | ✅ | Private Link Service + Standard Load Balancer | [Link](/business/azure/azure-privatelink/connect-to-services#customer-managed-services-azure) | | **OneDrive / SharePoint / Outlook** | ❌ | Microsoft SaaS — requires public egress | Requires public egress | | **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires public egress | diff --git a/business/azure/azure-privatelink/overview.md b/business/azure/azure-privatelink/overview.md index 1c84156e..02633597 100644 --- a/business/azure/azure-privatelink/overview.md +++ b/business/azure/azure-privatelink/overview.md @@ -4,7 +4,7 @@ sidebarTitle: Overview --- -This section helps you plan **Azure Private Link** for your Dedicated Instance on the Unstructured platform. You will coordinate two kinds of connectivity: +This section helps you plan **Azure Private Link** for your Dedicated Instance on the Unstructured platform. You coordinate two kinds of connectivity: 1. **Into Unstructured** — Your users and applications reach the Unstructured UI and API over private networking. 2. **Into your Azure environment** — Your Dedicated Instance reaches your Azure data sources and services privately. From 9560152d3a49e9a1bdddfc901d3f4853eb9ec093 Mon Sep 17 00:00:00 2001 
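Review bot: the Approach column is now inconsistent within the same table: most rows were changed to lowercase "Private endpoint", but the "Customer Managed Services (Azure)" row still reads "Private Link Service + Standard Load Balancer" and the Databricks row reads "Private Link". Pick one casing (the connect-to-services page uses "Private Link service") and apply it to all rows. The "Azure OpenAI via API Management" row is also the only one whose Configuration column has no link; if there is no page for it yet, say so explicitly ("Contact Unstructured; not yet documented") so readers do not assume a broken link.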
From: monica-unstructured Date: Wed, 25 Mar 2026 00:57:59 -0400 Subject: [PATCH 17/29] Update headings under Business for consistency --- business/aws/aws-privatelink/overview.md | 2 +- business/aws/onboard-in-vpc.mdx | 4 ++-- business/aws/{x-overview.mdx => overview.mdx} | 4 ++-- .../azure-privatelink/connect-to-platform.mdx | 2 +- .../azure-privatelink/connect-to-services.mdx | 2 -- business/azure/azure-privatelink/overview.md | 4 ++-- .../azure/{x-onboard.mdx => onboard-in-vpc.mdx} | 4 ++-- business/azure/{x-overview.mdx => overview.mdx} | 0 docs.json | 14 +++++++------- 9 files changed, 17 insertions(+), 19 deletions(-) rename business/aws/{x-overview.mdx => overview.mdx} (92%) rename business/azure/{x-onboard.mdx => onboard-in-vpc.mdx} (99%) rename business/azure/{x-overview.mdx => overview.mdx} (100%) diff --git a/business/aws/aws-privatelink/overview.md b/business/aws/aws-privatelink/overview.md index 652ff7bc..7472869c 100644 --- a/business/aws/aws-privatelink/overview.md +++ b/business/aws/aws-privatelink/overview.md @@ -1,5 +1,5 @@ --- -title: Configure AWS PrivateLink for your Dedicated Instance +title: Onboarding your Dedicated Instance + AWS PrivateLink sidebarTitle: Overview --- This section outlines the information required by both parties to establish AWS PrivateLink. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. diff --git a/business/aws/onboard-in-vpc.mdx b/business/aws/onboard-in-vpc.mdx index 1ebf5b35..50c790a1 100644 --- a/business/aws/onboard-in-vpc.mdx +++ b/business/aws/onboard-in-vpc.mdx @@ -1,6 +1,6 @@ --- -title: Unstructured Business in-VPC on Amazon Web Services (AWS) - onboarding checklist -sidebarTitle: In-VPC onboarding +title: Onboarding in-VPC on your AWS platform +sidebarTitle: Onboarding in-VPC --- 
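Review bot: the aws-privatelink/overview.md hunk changes only the title and leaves the body sentence "we require the information for each one", which is written from Unstructured's point of view while every other page in this series is being moved to the second person ("you"). Either rewrite the body in the same commit or note that PATCH 18 does it, so this commit is not left half-converted if the series is not squashed. The "+" in "Onboarding your Dedicated Instance + AWS PrivateLink" is also worth a second look as a page title; "with" reads better in a sidebar and in browser tabs.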
diff --git a/business/aws/x-overview.mdx b/business/aws/overview.mdx similarity index 92% rename from business/aws/x-overview.mdx rename to business/aws/overview.mdx index 422e420b..ecf2637c 100644 --- a/business/aws/x-overview.mdx +++ b/business/aws/overview.mdx @@ -1,6 +1,6 @@ --- -title: OLD - Unstructured Business on Amazon Web Services (AWS) - overview -sidebarTitle: x Overview +title: Unstructured Business on Amazon Web Services (AWS) +sidebarTitle: Overview --- ## Getting started diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx index 2dc61b40..d3a9e685 100644 --- a/business/azure/azure-privatelink/connect-to-platform.mdx +++ b/business/azure/azure-privatelink/connect-to-platform.mdx @@ -5,7 +5,7 @@ sidebarTitle: Connecting to the Unstructured Platform This section outlines the information required for your applications to access the Unstructured Platform (UI and API). -QUESTION: What does the ORDER column depict? What does this convey to the customer?. +QUESTION: What exactly does the ORDER column indicate? I need to understand and maybe describe it or qualify it. | Order | Information Required | Description | Example | Provided by | diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index d7fd28dc..4cfe3fc5 100644 --- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx @@ -12,8 +12,6 @@ This section covers setting up connectivity from Unstructured to an Azure servic This applies to Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2). -This is a custom callout - | Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Storage Account Name | Name of the Azure Storage Account | `customerstorageacct` | Customer | 
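Review bot: the connect-to-platform.mdx hunk edits the line "QUESTION: What exactly does the ORDER column indicate? ..." but keeps it in the page body, where it will render on the published site. Author-to-reviewer questions belong in the PR description or, if they must stay in the source, in an MDX comment (`{/* ... */}`) that the renderer drops. The same line exists in the AWS connect-to-platform page, so both need the same treatment before merge.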
diff --git a/business/azure/azure-privatelink/overview.md b/business/azure/azure-privatelink/overview.md index 02633597..07207f9b 100644 --- a/business/azure/azure-privatelink/overview.md +++ b/business/azure/azure-privatelink/overview.md @@ -1,10 +1,10 @@ --- -title: Configure Azure PrivateLink for your Dedicated Instance +title: Onboarding your Dedicated Instance + Azure Private Link sidebarTitle: Overview --- -This section helps you plan **Azure Private Link** for your Dedicated Instance on the Unstructured platform. You coordinate two kinds of connectivity: +This section helps you onboard **Azure Private Link** for your Dedicated Instance on the Unstructured platform. You coordinate two kinds of connectivity: 1. **Into Unstructured** — Your users and applications reach the Unstructured UI and API over private networking. 2. **Into your Azure environment** — Your Dedicated Instance reaches your Azure data sources and services privately. diff --git a/business/azure/x-onboard.mdx b/business/azure/onboard-in-vpc.mdx similarity index 99% rename from business/azure/x-onboard.mdx rename to business/azure/onboard-in-vpc.mdx index 73e1abf8..6a84871d 100644 --- a/business/azure/x-onboard.mdx +++ b/business/azure/onboard-in-vpc.mdx @@ -1,6 +1,6 @@ --- -title: OLD - Unstructured Business in-VPC on Azure - onboarding checklist -sidebarTitle: x Onboarding +title: Onboarding in-VPC on your Microsoft Azure platform +sidebarTitle: Onboarding in-VPC --- diff --git a/business/azure/x-overview.mdx b/business/azure/overview.mdx similarity index 100% rename from business/azure/x-overview.mdx rename to business/azure/overview.mdx diff --git a/docs.json b/docs.json index 8b61509a..6308908b 100644 --- a/docs.json +++ b/docs.json 
@@ -356,11 +356,11 @@ ] }, { - "group": "Amazon Web Services (AWS)", + "group": "Amazon Web Services", "pages": [ - "business/aws/x-overview", + "business/aws/overview", "business/aws/x-dedicated-instance-privatelink", - { "group": "AWS PrivateLink for your Dedicated Instance", + { "group": "Onboarding Dedicated Instance + AWS PrivateLink", "pages": [ "business/aws/aws-privatelink/overview", "business/aws/aws-privatelink/connector-support", @@ -373,11 +373,11 @@ ] }, { - "group": "Microsoft Azure (Azure)", + "group": "Microsoft Azure", "pages": [ - "business/azure/x-overview", - "business/azure/x-onboard", - { "group": "Microsoft Azure Private Link for your Dedicated Instance", + "business/azure/overview", + "business/azure/onboard-in-vpc", + { "group": "Onboarding Dedicated Instance + Azure Private Link", "pages": [ "business/azure/azure-privatelink/overview", "business/azure/azure-privatelink/connector-support", From bccf13f1b1b46a53774c978773a846eb5ae6a02f Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 25 Mar 2026 02:53:20 -0400 Subject: [PATCH 18/29] Interim commit --- .vscode/settings.json | 5 +++ .../aws-privatelink/connect-to-platform.mdx | 5 +-- .../aws-privatelink/connect-to-services.mdx | 2 +- .../aws/aws-privatelink/connector-support.mdx | 35 +++++++++++-------- business/aws/aws-privatelink/overview.md | 7 +++- .../azure-privatelink/connect-to-platform.mdx | 2 +- .../azure-privatelink/connector-support.mdx | 2 +- business/azure/azure-privatelink/overview.md | 6 ++-- business/dedicated-instances/architecture.mdx | 4 +++ business/dedicated-instances/overview.mdx | 14 ++++---- business/dedicated-instances/preparing.mdx | 2 +- business/dedicated-instances/requirements.mdx | 4 +++ .../security/security-faq.mdx | 2 +- .../security/security-model.mdx | 2 +- docs.json | 2 +- 15 files changed, 59 insertions(+), 35 deletions(-) create mode 100644 .vscode/settings.json 
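Review bot: the docs.json group names do not match the page titles they contain: the group is "Onboarding Dedicated Instance + AWS PrivateLink" while the page title set in this same patch is "Onboarding your Dedicated Instance + AWS PrivateLink" (same for Azure). Align the two strings. The AWS group also still lists `business/aws/x-dedicated-instance-privatelink`, an `x-` prefixed page, even though the other `x-` pages were renamed in this commit; either rename it too or leave a note on why it stays.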
diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 00000000..766f97d6 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "files.associations": { + "*.mdx": "markdown" + } +} diff --git a/business/aws/aws-privatelink/connect-to-platform.mdx b/business/aws/aws-privatelink/connect-to-platform.mdx index be315f98..ffbfb77d 100644 --- a/business/aws/aws-privatelink/connect-to-platform.mdx +++ b/business/aws/aws-privatelink/connect-to-platform.mdx @@ -2,9 +2,10 @@ title: Connecting to the Unstructured Platform (UI and API) sidebarTitle: Connecting to the Unstructured Platform --- -This enables Customer applications to access the Unstructured Platform (UI and API). +This section outlines the information required for your applications to access the Unstructured Platform (UI and API). -QUESTION: What does the ORDER column depict? What does this convey to the customer?. + +??QUESTION: What exactly does the ORDER column indicate? Looks like two sets of rows, and within those order can be simultaneous. Would like to understand context in case I need to clarify in the doc. Thanks! | Order | Information Required | Description | Example | Provided by | | --- | --- | --- | --- | --- | diff --git a/business/aws/aws-privatelink/connect-to-services.mdx b/business/aws/aws-privatelink/connect-to-services.mdx index 460dad05..708f9e9d 100644 --- a/business/aws/aws-privatelink/connect-to-services.mdx +++ b/business/aws/aws-privatelink/connect-to-services.mdx @@ -357,7 +357,7 @@ Replace: --- -### ~~Snowflake on AWS~~ +### ~~Snowflake on AWS~~ {#snowflake-on-aws} ~~Snowflake supports AWS PrivateLink via Snowflake’s native Private Link feature. This is available for Snowflake accounts hosted on AWS. The customer must have a **Business Critical** or higher Snowflake edition to use Private Link.~~ diff --git a/business/aws/aws-privatelink/connector-support.mdx b/business/aws/aws-privatelink/connector-support.mdx index 07a1eb57..0ff664c3 100644 
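Review bot: `.vscode/settings.json` is editor-local configuration and normally should not be committed to a docs repository; if the team does want `*.mdx` associated with markdown for everyone, say so in the commit message, otherwise add `.vscode/` to `.gitignore` and drop this file. In the connect-to-platform hunk the `??QUESTION: ...` line is being expanded rather than removed, which makes it more likely to ship in the rendered page; move the question to the PR. The `~~Snowflake on AWS~~ {#snowflake-on-aws}` heading adds a stable anchor to a struck-through section, which is fine as a placeholder but should be reconciled with the connector-support table that links to it as if the section were live.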
--- a/business/aws/aws-privatelink/connector-support.mdx +++ b/business/aws/aws-privatelink/connector-support.mdx 
@@ -3,20 +3,27 @@ title: Connector support for AWS PrivateLink sidebarTitle: Connector support --- -Not all Unstructured platform connectors can be accessed via AWS PrivateLink. The table below summarizes the coverage and configuration approach for each connector in a Dedicated Instance context. +This section provides a list of connectors to AWS services. For each connector it summarizes the following: + +- Whether the connector supports AWS PrivateLink +- Which AWS components are involved +- A reference for detailed configuration information + +Review the table first, then follow [Connecting to the Unstructured Platform](/business/aws/aws-privatelink/connect-to-platform) for UI/API access and [Connecting to your AWS services](/business/aws/aws-privatelink/connect-to-services) for data sources and other AWS workloads. + | Connector | PrivateLink Supported | Approach | Configuration Section | | --- | --- | --- | --- | -| **Customer → Unstructured (UI/API)** | ✅ | Interface VPC Endpoint | [Link](about:blank#connections-into-unstructured-vpc-aws) | -| **AWS S3** | ✅ | Gateway Endpoint | [Link](about:blank#aws-s3-gateway-endpoint) | -| **AWS Bedrock** (VLM) | ✅ | Interface VPC Endpoint (Unstructured side) | [Link](about:blank#aws-bedrock) | -| **AWS OpenSearch Service** | ✅ | Interface VPC Endpoint | [Link](about:blank#aws-managed-services-with-native-privatelink) | -| **AWS OpenSearch Serverless** | ✅ | VPC Endpoint + Data Access Policy | [Link](about:blank#aws-opensearch-serverless) | -| **AWS MSK (Kafka)** | ✅ | Multi-VPC Connectivity (MSK native) | [Link](about:blank#aws-msk-kafka) | -| **AWS RDS / PostgreSQL** | ✅ | NLB-backed Endpoint Service | [Link](about:blank#customer-managed-services-aws-or-aws-services-with-nlb) | -| **Databricks on AWS** | ✅ | Databricks PrivateLink | [Link](about:blank#aws-databricks) | -| **Elasticsearch (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](about:blank#customer-managed-services-aws-or-aws-services-with-nlb) | 
-| **MongoDB (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](about:blank#customer-managed-services-aws-or-aws-services-with-nlb) | -| **Box, Confluence, Dropbox, Google Drive, Jira, OneDrive, Outlook, Salesforce, SharePoint, Slack, Zendesk** | ❌ | SaaS — requires public egress | Requires [public egress](about:blank#optional-enabling-public-egress) | -| **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires public egress | -| **Snowflake (multi-cloud/SaaS)** | Varies | Native if on AWS; public egress otherwise | See Snowflake section | +| **Customer → Unstructured (UI/API)** | ✅ | Interface VPC Endpoint | [Link](/business/aws/aws-privatelink/connect-to-platform) | +| **AWS S3** | ✅ | Gateway Endpoint | [Link](/business/aws/aws-privatelink/connect-to-services#aws-s3-gateway-endpoint) | +| **AWS Bedrock** (VLM) | ✅ | Interface VPC Endpoint (Unstructured side) | [Link](/business/aws/aws-privatelink/connect-to-services#aws-bedrock) | +| **AWS OpenSearch Service** | ✅ | Interface VPC Endpoint | [Link](/business/aws/aws-privatelink/connect-to-services#aws-opensearch-service) | +| **AWS OpenSearch Serverless** | ✅ | VPC Endpoint + Data Access Policy | [Link](/business/aws/aws-privatelink/connect-to-services#aws-opensearch-serverless) | +| **AWS MSK (Kafka)** | ✅ | Multi-VPC Connectivity (MSK native) | [Link](/business/aws/aws-privatelink/connect-to-services#aws-msk-kafka) | +| **AWS RDS / PostgreSQL** | ✅ | NLB-backed Endpoint Service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | +| **Databricks on AWS** | ✅ | Databricks PrivateLink | [Link](/business/aws/aws-privatelink/connect-to-services#aws-databricks) | +| **Elasticsearch (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | +| **MongoDB (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | 
[Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | +| **Box, Confluence, Dropbox, Google Drive, Jira, OneDrive, Outlook, Salesforce, SharePoint, Slack, Zendesk** | ❌ | SaaS — requires public egress | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | +| **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | +| **Snowflake (multi-cloud/SaaS)** | Varies | Native if on AWS; public egress otherwise | See [Snowflake section](/business/aws/aws-privatelink/connect-to-services#snowflake-on-aws) | diff --git a/business/aws/aws-privatelink/overview.md b/business/aws/aws-privatelink/overview.md index 7472869c..5c22cdb1 100644 --- a/business/aws/aws-privatelink/overview.md +++ b/business/aws/aws-privatelink/overview.md 
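Review bot: the Snowflake row says "Native if on AWS; public egress otherwise" and now links to `#snowflake-on-aws`, but that target section is struck through in connect-to-services.mdx, so the table advertises support the detail page has withdrawn. Either mark the row as pending/unsupported or un-strike the section. The SaaS and Google Cloud Storage rows both link to `security-model#network-access-controls` for public egress; confirm that anchor exists on the security model page, since the previous `about:blank#optional-enabling-public-egress` target suggests the egress section may have a different heading.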
@@ -2,4 +2,9 @@ title: Onboarding your Dedicated Instance + AWS PrivateLink sidebarTitle: Overview --- -This section outlines the information required by both parties to establish AWS PrivateLink. For connectivity into the Customer, depending on the service to be accessed there are different data points to capture. If Unstructured is accessing multiple services, we require the information for each one. +This section helps you onboard **AWS PrivateLink** for your Dedicated Instance on the Unstructured platform. You coordinate two kinds of connectivity: + +1. **Into Unstructured** — Your users and applications connect to the Unstructured UI and API over private networking. +2. **Into your AWS environment** — Your Dedicated Instance connect to your AWS data sources and services privately. + +Start with [Connector support](/business/aws/aws-privatelink/connector-support) to see which connectors support PrivateLink and which need public egress. Then use [Connecting to the Unstructured Platform](/business/aws/aws-privatelink/connect-to-platform), [DNS configuration](/business/aws/aws-privatelink/dns-configuration), and [Connecting to your AWS services](/business/aws/aws-privatelink/connect-to-services) for the details you and Unstructured exchange during setup. diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx index d3a9e685..b62c4e7d 100644 --- a/business/azure/azure-privatelink/connect-to-platform.mdx +++ b/business/azure/azure-privatelink/connect-to-platform.mdx 
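Review bot: subject-verb agreement in the new list item: "Your Dedicated Instance connect to your AWS data sources and services privately" should read "connects". The same sentence in the Azure overview is being changed from the correct "reaches" to the incorrect "connect" in this patch, so fix both. The AWS page links to `/business/aws/aws-privatelink/dns-configuration` while the Azure page in this same patch is repointed to `dns-privatelink`; check that both slugs are the ones registered in docs.json.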
@@ -5,7 +5,7 @@ sidebarTitle: Connecting to the Unstructured Platform This section outlines the information required for your applications to access the Unstructured Platform (UI and API). -QUESTION: What exactly does the ORDER column indicate? I need to understand and maybe describe it or qualify it. +??QUESTION: What exactly does the ORDER column indicate? Looks like two sets of rows, and within those order can be simultaneous. Would like to understand context in case I need to clarify in the doc. Thanks! | Order | Information Required | Description | Example | Provided by | diff --git a/business/azure/azure-privatelink/connector-support.mdx b/business/azure/azure-privatelink/connector-support.mdx index 4129a2b1..fbc3b5f3 100644 --- a/business/azure/azure-privatelink/connector-support.mdx +++ b/business/azure/azure-privatelink/connector-support.mdx @@ -5,7 +5,7 @@ sidebarTitle: Connector support This section provides a list of connectors to Azure services. For each connector it summarizes the following: -- Whether the connector supports Private Link +- Whether the connector supports Azure Private Link - Which Azure components are involved - A reference for detailed configuration information diff --git a/business/azure/azure-privatelink/overview.md b/business/azure/azure-privatelink/overview.md index 07207f9b..863d06a2 100644 --- a/business/azure/azure-privatelink/overview.md +++ b/business/azure/azure-privatelink/overview.md 
@@ -6,7 +6,7 @@ sidebarTitle: Overview This section helps you onboard **Azure Private Link** for your Dedicated Instance on the Unstructured platform. You coordinate two kinds of connectivity: -1. **Into Unstructured** — Your users and applications reach the Unstructured UI and API over private networking. -2. **Into your Azure environment** — Your Dedicated Instance reaches your Azure data sources and services privately. +1. **Into Unstructured** — Your users and applications connect to the Unstructured UI and API over private networking. +2. **Into your Azure environment** — Your Dedicated Instance connect to your Azure data sources and services privately. -Start with [Connector support](/business/azure/azure-privatelink/connector-support) to see which connectors support Private Link and which need public egress. Then use [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform), [DNS configuration](/business/azure/azure-privatelink/dns-configuration), and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services) for the details you and Unstructured exchange during setup. +Start with [Connector support](/business/azure/azure-privatelink/connector-support) to see which connectors support Private Link and which need public egress. Then use [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform), [DNS configuration](/business/azure/azure-privatelink/dns-privatelink), and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services) for the details you and Unstructured exchange during setup. \ No newline at end of file diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index a82d7dd2..536d63c7 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx 
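Review bot: this hunk replaces the grammatical "Your Dedicated Instance reaches your Azure data sources" with "Your Dedicated Instance connect to", which is wrong; use "connects to" if the wording change is wanted. The DNS link change to `/business/azure/azure-privatelink/dns-privatelink` matches the entry added to docs.json in this patch, which is good, but the AWS overview still points at `dns-configuration`, so one of the two naming schemes should win.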
@@ -2,6 +2,10 @@ title: Architecture --- + +This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. + + Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network paths, not the public internet. ## Private connectivity by CSP diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index efb70fa3..6619bc40 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
@@ -13,16 +13,14 @@ This overview covers: * High-level benefits and trade-offs. * Technical requirements for integrating your Dedicated Instance with your cloud platform. -## Cloud service provider (CSP) support ## -Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). +## Cloud service provider (CSP) support +Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). This topic provides information for both of these cloud service providers. For specific and detailed onboarding information about each provider see: -This overview covers pertinent information for both of these cloud service providers. Detailed, service-specific configuration requirements are covered in the following sections: - -* AWS — [AWS PrivateLink overview](/business/aws/aws-privatelink/overview) -* Azure — [Azure Private Link overview](/business/azure/azure-privatelink/overview) +* AWS — [Onboarding your Dedicated Instance + AWS PrivateLink](/business/aws/aws-privatelink/overview) +* Azure — [Onboarding your Dedicated Instance + Azure Private Link](/business/azure/azure-privatelink/overview) -This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. +This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. 
@@ -39,5 +37,5 @@ Network filtering lets you fully block incoming and outgoing traffic to the publ - **Control and visibility** - Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. - A Dedicated Instance is a **regional service**: it runs entirely in a single cloud region. Plan for data residency, failover design, and latency with that constraint in mind. Unstructured supports cross-region PrivateLink, but we do not recommend it because of the added data transfer costs. + A Dedicated Instance is a **regional service**. It runs entirely in a single cloud region. Plan for data residency, failover design, and latency with that constraint in mind. Unstructured supports cross-region PrivateLink, but we do not recommend it because of the added data transfer costs. diff --git a/business/dedicated-instances/preparing.mdx b/business/dedicated-instances/preparing.mdx index b430e1d4..3971775f 100644 --- a/business/dedicated-instances/preparing.mdx +++ b/business/dedicated-instances/preparing.mdx @@ -2,7 +2,7 @@ title: Preparing for a Dedicated Instance --- -This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. +This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. Once you’ve decided to proceed with a Dedicated Instance, the next steps involve provisioning the required environment resources and establishing private connectivity. The deployment process is conducted remotely and can typically be completed within the following timeframes: diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx index 0dabf0fa..e6afa3a8 100644 --- a/business/dedicated-instances/requirements.mdx +++ b/business/dedicated-instances/requirements.mdx 
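Review bot: the rewritten sentence keeps "Unstructured supports cross-region PrivateLink" on a page that, two hunks earlier, introduces "private connectivity" as the general term for AWS PrivateLink and Azure Private Link; use the general term here, or state explicitly if cross-region is an AWS-only capability. Since the same sentence raises data residency, it would also help to say that a cross-region path moves data out of the region the customer chose, not only that it adds transfer cost, so readers weigh the residency consequence and not just the bill.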
@@ -2,6 +2,10 @@ title: Requirements and Limitations --- + +This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. + + Dedicated Instances rely on cloud provider private networking features and therefore require certain baseline infrastructure components to ensure a secure and successful deployment. This section outlines the key requirements customers must meet, as well as known limitations that may affect implementation decisions. Understanding these constraints early helps reduce onboarding delays and ensures alignment across security, platform, and engineering teams. diff --git a/business/dedicated-instances/security/security-faq.mdx b/business/dedicated-instances/security/security-faq.mdx index d28e58c7..827aa399 100644 --- a/business/dedicated-instances/security/security-faq.mdx +++ b/business/dedicated-instances/security/security-faq.mdx @@ -3,7 +3,7 @@ title: Security FAQ --- -This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. +This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. diff --git a/business/dedicated-instances/security/security-model.mdx b/business/dedicated-instances/security/security-model.mdx index 81a30c70..d3514488 100644 --- a/business/dedicated-instances/security/security-model.mdx +++ b/business/dedicated-instances/security/security-model.mdx @@ -2,7 +2,7 @@ title: Security model --- -This topic uses _private connectivity_ as a collective term for AWS PrivateLink and Azure Private Link. +This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. Dedicated Instances use a security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. 
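Review bot: the sentence "This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link." is now pasted verbatim into architecture, overview, preparing, requirements, security-faq and security-model, each time wrapped in extra blank lines. That is six copies to keep in sync; move it into a reusable snippet and import it, or define the term once on the overview page and link to it from the others. The leading and trailing blank lines in the architecture and requirements hunks also render as empty paragraphs in some MDX toolchains and can be dropped.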
diff --git a/docs.json b/docs.json index 6308908b..84a3d617 100644 --- a/docs.json +++ b/docs.json @@ -376,7 +376,6 @@ "group": "Microsoft Azure", "pages": [ "business/azure/overview", - "business/azure/onboard-in-vpc", { "group": "Onboarding Dedicated Instance + Azure Private Link", "pages": [ "business/azure/azure-privatelink/overview", @@ -386,6 +385,7 @@ "business/azure/azure-privatelink/connect-to-services" ] } + "business/azure/onboard-in-vpc" ] }, { From 8435cec142d7307f6ee58224714de10c4e5d4fb1 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 25 Mar 2026 03:01:31 -0400 Subject: [PATCH 19/29] Fixed syntax in docs.json --- docs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs.json b/docs.json index 84a3d617..7f1e4684 100644 --- a/docs.json +++ b/docs.json @@ -384,7 +384,7 @@ "business/azure/azure-privatelink/dns-privatelink", "business/azure/azure-privatelink/connect-to-services" ] - } + }, "business/azure/onboard-in-vpc" ] }, From dea4a8137327e23d296cbe466053674c23b143a0 Mon Sep 17 00:00:00 2001 
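Review bot: the docs.json hunk in PATCH 18 moves `"business/azure/onboard-in-vpc"` after the closing `}` of the Private Link group without a comma, which is invalid JSON and would break the site build; PATCH 19 exists only to add that comma. Squash the fix into PATCH 18 so no commit in the series leaves docs.json unparsable, which matters for anyone bisecting later. Also worth checking: the commit message "Interim commit" for a 15-file change gives reviewers nothing to go on; a one-line summary of what was consolidated would help.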
From: monica-unstructured Date: Wed, 25 Mar 2026 08:11:46 -0400 Subject: [PATCH 20/29] Consolidated Onboarding processes for Business and AWS --- .../{overview.md => DNU-overview.mdx} | 0 .../aws-privatelink/connect-to-services.mdx | 71 +++++++++------- .../aws/aws-privatelink/connector-support.mdx | 13 ++- .../aws-privatelink/preparing-NOT-USED.mdx | 67 +++++++++++++++ business/aws/aws-privatelink/preparing.mdx | 85 +++++++++++++++++++ business/aws/overview.mdx | 10 ++- .../{overview.md => DNU-overview.md} | 0 .../azure-privatelink/connect-to-services.mdx | 8 +- .../azure-privatelink/connector-support.mdx | 5 +- .../azure-privatelink}/preparing.mdx | 18 ++-- business/dedicated-instances/architecture.mdx | 2 +- business/dedicated-instances/overview.mdx | 6 +- business/dedicated-instances/requirements.mdx | 2 +- .../security/security-faq.mdx | 4 +- .../security/security-model.mdx | 10 ++- business/overview.mdx | 5 +- docs.json | 9 +- 17 files changed, 236 insertions(+), 79 deletions(-) rename business/aws/aws-privatelink/{overview.md => DNU-overview.mdx} (100%) create mode 100644 business/aws/aws-privatelink/preparing-NOT-USED.mdx create mode 100644 business/aws/aws-privatelink/preparing.mdx rename business/azure/azure-privatelink/{overview.md => DNU-overview.md} (100%) rename business/{dedicated-instances => azure/azure-privatelink}/preparing.mdx (70%) diff --git a/business/aws/aws-privatelink/overview.md b/business/aws/aws-privatelink/DNU-overview.mdx similarity index 100% rename from business/aws/aws-privatelink/overview.md rename to business/aws/aws-privatelink/DNU-overview.mdx diff --git a/business/aws/aws-privatelink/connect-to-services.mdx b/business/aws/aws-privatelink/connect-to-services.mdx index 708f9e9d..0f546f3b 100644 --- a/business/aws/aws-privatelink/connect-to-services.mdx +++ b/business/aws/aws-privatelink/connect-to-services.mdx 
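Review bot: this commit keeps dead content in the tree by renaming pages to `DNU-overview.mdx` / `DNU-overview.md` and adding a new `preparing-NOT-USED.mdx`; delete them instead (history keeps the text) or, at minimum, confirm none of them is referenced from docs.json so they are not published. The two DNU files also differ in extension (`.mdx` for AWS, `.md` for Azure), which adds to the inconsistency. The message says "Consolidated Onboarding processes for Business and AWS" but the diffstat also moves `business/dedicated-instances/preparing.mdx` into the Azure tree, so the message understates the scope.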
@@ -8,26 +8,25 @@ This topic covers the required information to enable your Dedicated Instance to * AWS PrivateLink * Native PrivateLink * Customer managed AWS services -* AWS services that require a Network Loa Balancer (NLB) front end +* AWS services that require a Network Load Balancer (NLB) front end ## AWS managed services ### AWS S3 (Gateway Endpoint) -QUESTION: What does the ORDER column depict? What does this convey to the customer?. -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | S3 Bucket Name | Buckets Unstructured needs to access | `my-documents` | Customer | | 1 | S3 Bucket Region | Region where bucket is located | `us-east-1` | Customer | | 2 | Unstructured IAM Role ARN | IAM Role ARN that will access S3 | `arn:aws:iam::987654321098:role/unstructured-s3-access` | Unstructured | -> **Note:** This section also covers **Delta Tables in Amazon S3** — the S3 Gateway Endpoint configuration is the same. -> +This section also covers **Delta Tables in Amazon S3** — the S3 Gateway Endpoint configuration is the same. + **Example S3 Bucket Policy** -The customer must create a bucket policy that grants Unstructured’s IAM Role access to the required S3 buckets. +You must create a bucket policy that grants Unstructured’s IAM Role access to the required S3 buckets. For read-only access: @@ -54,7 +53,7 @@ For read-only access: } ``` -For write access (e.g., if S3 is a destination), add: +Use this Action clause for write access (e.g., if S3 is a destination): ```json { 
@@ -77,15 +76,15 @@ Replace: Amazon Bedrock is accessed via AWS-provided VPC endpoints. Unstructured configures VPC endpoints in our VPC to ensure all traffic to Bedrock stays off the public internet. Access to customer-specific Bedrock resources is controlled via IAM policies. -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Bedrock Region | AWS region where Bedrock resources are located | `us-east-1` | Customer | | 1 | Model IDs / ARNs | Foundation models or custom models to access | `anthropic.claude-sonnet-4-5`, `arn:aws:bedrock:us-east-1:123456789012:custom-model/my-model` | Customer | | 2 | Unstructured AWS Account ID | Account ID to allow in IAM/resource policies | `987654321098` | Unstructured | | 2 | Unstructured IAM Role ARN | IAM Role ARN that will access Bedrock | `arn:aws:iam::987654321098:role/unstructured-bedrock` | Unstructured | -> Unstructured configures the Bedrock VPC endpoint on our side. The customer must create IAM policies that grant access to Unstructured’s IAM Role. -> +Unstructured configures the Bedrock VPC endpoint on the Unstructured platform. You must create IAM policies that grant access to Unstructured’s IAM Role. + **Example IAM Policy** 
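Review bot: Voice is inconsistent within the Bedrock section after this hunk: the changed line says `on the Unstructured platform` and `You must create IAM policies`, but the unchanged context directly above still reads `Unstructured configures VPC endpoints in our VPC`. Align that sentence with the second-person wording adopted in this pass. Since the table collects specific `Model IDs / ARNs`, the example IAM policy that follows should be scoped to exactly those ARNs rather than to all Bedrock models, so the grant to Unstructured's role stays least-privilege.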
@@ -122,12 +121,12 @@ Replace: ### AWS MSK (Kafka) -Amazon MSK supports native multi-VPC private connectivity via PrivateLink. This enables Unstructured to connect to the customer’s MSK cluster (as a Kafka source) entirely within the AWS private network. The customer must have an MSK cluster with **Multi-VPC Connectivity** enabled. +Amazon MSK supports native multi-VPC private connectivity via PrivateLink. This enables Unstructured to connect to the customer’s MSK cluster (as a Kafka source) entirely within the AWS private network. You must have an MSK cluster with **Multi-VPC Connectivity** enabled. + +MSK Multi-VPC Connectivity requires MSK cluster type **provisioned** (not serverless). The cluster must use TLS or SASL/TLS authentication. -> **Note:** MSK Multi-VPC Connectivity requires MSK cluster type: **provisioned** (not serverless). The cluster must use TLS or SASL/TLS authentication. -> -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | MSK Cluster ARN | ARN of the MSK cluster | `arn:aws:kafka:us-east-1:123456789012:cluster/my-cluster/abc-123` | Customer | | 1 | MSK Cluster Region | AWS region where cluster is deployed | `us-east-1` | Customer | @@ -139,13 +138,13 @@ Amazon MSK supports native multi-VPC private connectivity via PrivateLink. This **Enabling MSK Multi-VPC Connectivity** -Using AWS Console: +Use the AWS Console: 1. Navigate to **Amazon MSK** > select your cluster. 2. Choose **Actions** > **Edit cluster connectivity**. 3. Enable **Multi-VPC connectivity**. 4. Confirm — MSK will create a VPC Endpoint Service automatically. -Using AWS CLI: +Use the AWS CLI: ```bash aws kafka update-connectivity \ 
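Review bot: The cluster-type precondition (`provisioned`, not serverless; TLS or SASL/TLS authentication) is demoted from a `> **Note:**` callout to a plain paragraph wrapped in stray blank `+` lines; it is the one requirement that makes the rest of the MSK section impossible if unmet, so keep it in the callout style the doc uses and trim the blank lines. `Use the AWS Console:` and `Use the AWS CLI:` now read as two instructions to follow in sequence; they are alternatives, so `Using the AWS Console` / `Using the AWS CLI` (or an explicit "either/or") is clearer.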
@@ -169,7 +168,7 @@ aws kafka describe-cluster \ **Adding Unstructured as an Allowed Principal** -Once Multi-VPC Connectivity is enabled, add Unstructured’s AWS Account ID as an allowed principal on the endpoint service: +Once Multi-VPC Connectivity is enabled, use the AWS CLI to add Unstructured’s AWS Account ID as an allowed principal on the endpoint service: ```bash aws ec2 modify-vpc-endpoint-service-permissions \ @@ -187,7 +186,7 @@ Replace: Amazon OpenSearch Service supports native Interface VPC Endpoints. Unstructured creates a VPC endpoint in our VPC targeting the customer’s OpenSearch domain. -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | OpenSearch Domain ARN | ARN of the OpenSearch domain | `arn:aws:es:us-east-1:123456789012:domain/my-domain` | Customer | | 1 | OpenSearch Domain Region | AWS region where domain is deployed | `us-east-1` | Customer | @@ -230,10 +229,12 @@ Replace: ### AWS OpenSearch Serverless -> **Important:** OpenSearch Serverless uses a fundamentally different access model compared to OpenSearch Service. It does not use resource-based access policies. Instead, access is controlled through **data access policies** and **network access policies** tied to VPC endpoints. -> + +OpenSearch Serverless uses a fundamentally different access model compared to OpenSearch Service. It does not use resource-based access policies. Instead, access is controlled through **data access policies** and **network access policies** tied to VPC endpoints. + -| Order | Information Required | Description | Example | Who | + +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Collection Name | Name of the OpenSearch Serverless collection | `my-vector-store` | Customer | | 1 | Collection ARN | Full ARN of the collection | `arn:aws:aoss:us-east-1:123456789012:collection/abc123` | Customer | 
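Review bot: In the allowed-principal hunk, the instruction adds Unstructured's AWS Account ID as an allowed principal on the endpoint service, which lets any principal in that account request a connection. State that the endpoint service should keep acceptance-required enabled so each connection request is reviewed before it is accepted, or have the reader use the specific IAM role ARN that Unstructured supplies during onboarding as the principal instead of the whole account. In the OpenSearch Serverless hunk, removing the `> **Important:**` callout left two empty `+` lines before and after the paragraph; trim them.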
@@ -324,7 +325,7 @@ Replace: Databricks on AWS supports native PrivateLink connectivity. The customer must have a Databricks Enterprise plan with a customer-managed VPC and PrivateLink enabled on their workspace. -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Databricks Workspace URL | The workspace URL | `myworkspace.cloud.databricks.com` | Customer | | 1 | Databricks Workspace Region | AWS region where workspace is deployed | `us-east-1` | Customer | @@ -352,16 +353,18 @@ Replace: - `` — VPC Endpoint ID provided by Unstructured. - `` — Your Databricks region. -> For ACCOUNT level access, no explicit endpoint allowlisting is required — any VPC endpoint registered in the Databricks account can connect. -> +For ACCOUNT level access, no explicit endpoint allowlisting is required — any VPC endpoint registered in the Databricks account can connect. + --- -### ~~Snowflake on AWS~~ {#snowflake-on-aws} +??Question: Do we ommmit all of the Snowflake section or mention any limitations? + +### ~~Snowflake on AWS~~ ~~Snowflake supports AWS PrivateLink via Snowflake’s native Private Link feature. This is available for Snowflake accounts hosted on AWS. The customer must have a **Business Critical** or higher Snowflake edition to use Private Link.~~ -| Order | Information Required | Description | Example | Who | +| Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Snowflake Account Identifier | The Snowflake account identifier | `myorg-myaccount` | Customer | | 1 | Snowflake Account Region | AWS region where account is hosted | `us-east-1` | Customer | 
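Review bot: `??Question: Do we ommmit all of the Snowflake section or mention any limitations?` is added as body text of a published page and will render for customers; move it to the PR description and resolve it before merge. Dropping the explicit `{#snowflake-on-aws}` anchor from `### ~~Snowflake on AWS~~` also risks breaking the link to `connect-to-services#snowflake-on-aws` that connector-support.mdx still emits in this same patch, because the slug generated from a struck-through heading is not guaranteed to match; keep the explicit id until the section's fate is decided.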
@@ -395,9 +398,9 @@ SELECT SYSTEM$AUTHORIZE_PRIVATELINK('', ' The customer must create: (1) a Network Load Balancer targeting their managed service, and (2) a VPC Endpoint Service pointing to the NLB. -> +You must create both of the following: +* Network Load Balancer targeting their managed service +* VPC Endpoint Service pointing to the NLB. + **Example: Allow Unstructured as a Principal on the Endpoint Service** diff --git a/business/aws/aws-privatelink/connector-support.mdx b/business/aws/aws-privatelink/connector-support.mdx index 0ff664c3..44fbbf6d 100644 --- a/business/aws/aws-privatelink/connector-support.mdx +++ b/business/aws/aws-privatelink/connector-support.mdx 
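Review bot: The rewritten list mixes pronouns: `You must create both of the following:` is followed by `Network Load Balancer targeting their managed service`; change `their` to `your`. The two bullets are also inconsistent in punctuation (no period after the first, a period after the second).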
@@ -3,17 +3,14 @@ title: Connector support for AWS PrivateLink sidebarTitle: Connector support --- -This section provides a list of connectors to AWS services. For each connector it summarizes the following: +The following table provides a list of connectors to AWS services and includes the following information for each: - Whether the connector supports AWS PrivateLink - Which AWS components are involved - A reference for detailed configuration information -Review the table first, then follow [Connecting to the Unstructured Platform](/business/aws/aws-privatelink/connect-to-platform) for UI/API access and [Connecting to your AWS services](/business/aws/aws-privatelink/connect-to-services) for data sources and other AWS workloads. - - -| Connector | PrivateLink Supported | Approach | Configuration Section | -| --- | --- | --- | --- | +| Connector | PrivateLink Supported | Approach | Configuration information | +| --- | :---: | --- | --- | | **Customer → Unstructured (UI/API)** | ✅ | Interface VPC Endpoint | [Link](/business/aws/aws-privatelink/connect-to-platform) | | **AWS S3** | ✅ | Gateway Endpoint | [Link](/business/aws/aws-privatelink/connect-to-services#aws-s3-gateway-endpoint) | | **AWS Bedrock** (VLM) | ✅ | Interface VPC Endpoint (Unstructured side) | [Link](/business/aws/aws-privatelink/connect-to-services#aws-bedrock) | 
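Review bot: `The following table provides a list of connectors to AWS services` is no longer accurate for this table, which also lists SaaS connectors (Box, Confluence, and so on), Google Cloud Storage and Snowflake as unsupported or varying; describe it as the connectors available on a Dedicated Instance on AWS and their PrivateLink support. The removed paragraph was the only prose pointing readers to connect-to-platform and connect-to-services; the table's `Link` cells still reach both, so that is acceptable, but the new header `Configuration information` is lowercase while the other headers are Title Case.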
@@ -26,4 +23,6 @@ Review the table first, then follow [Connecting to the Unstructured Platform](/b | **MongoDB (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | | **Box, Confluence, Dropbox, Google Drive, Jira, OneDrive, Outlook, Salesforce, SharePoint, Slack, Zendesk** | ❌ | SaaS — requires public egress | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | | **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | -| **Snowflake (multi-cloud/SaaS)** | Varies | Native if on AWS; public egress otherwise | See [Snowflake section](/business/aws/aws-privatelink/connect-to-services#snowflake-on-aws) | +| **Snowflake (multi-cloud/SaaS)** | Varies | Native if on AWS; public egress otherwise | [Link](/business/aws/aws-privatelink/connect-to-services#snowflake-on-aws) | + +??Question: Do we omit all of the Snowflake section or mention any limitations? \ No newline at end of file diff --git a/business/aws/aws-privatelink/preparing-NOT-USED.mdx b/business/aws/aws-privatelink/preparing-NOT-USED.mdx new file mode 100644 index 00000000..401b55d0 --- /dev/null +++ b/business/aws/aws-privatelink/preparing-NOT-USED.mdx 
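Review bot: `??Question: Do we omit all of the Snowflake section or mention any limitations?` is appended as page content (and without a trailing newline), so it will render on the connector-support page. The same question is added to connect-to-services.mdx in this patch; resolve it once and remove both copies.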
@@ -0,0 +1,67 @@ +--- +title: Preparing for a Dedicated Instance +--- + + + The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. + + For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, + or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). + + +??QUESTION: In the NOTE above, is the last point about AWS _without_ PrivateLink, correct? + +After you decide to proceed with a Dedicated Instance, the next steps are provisioning the required environment resources and, optionally, establishing private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: + +- **With AWS PrivateLink** - 4–5 days +- **Without AWS PrivateLink** - 2–3 days + + + +Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. + + + +### Information Required for Provisioning + +Before deployment can begin, please provide your Unstructured sales representative or technical enablement contact the following information: + +| Information Required | Description | +| --- | --- | +| Name of Administrator | Primary administrator of the account (others can be added after) | +| Admin email address | Email address of the primary admin | +| Cloud provider | AWS | +| Cloud Region | See the expandable list of **AWS Supported Regions** on this page| +| Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | +| VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | +| VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | +| Embedding models | e.g., Titan, Granite (ensure you select correct dimensions) | + + +Do not send API keys by email or any collaboration tool. Unstructured has a secure method of capturing these. + + + +| Region Name | Region Code | +| --- | --- | +| US East (N. Virginia) | `us-east-1` | +| US East (Ohio) | `us-east-2` | +| US West (Oregon) | `us-west-2` | +| Europe (Ireland) | `eu-west-1` | +| Europe (Stockholm) | `eu-north-1` | +| Europe (Frankfurt) | `eu-central-1` | +| Asia Pacific (Sydney) | `ap-southeast-2` | +| Asia Pacific (Mumbai) | `ap-south-1` | +| Asia Pacific (Seoul) | `ap-northeast-2` | + +If your required region is not listed above, contact your Unstructured account representative. + + +### Information Exchange + +All private connectivity configuration data exchanges between Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. + +To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. +??QUESTION: Is the Customer Portal site available? + + diff --git a/business/aws/aws-privatelink/preparing.mdx b/business/aws/aws-privatelink/preparing.mdx new file mode 100644 index 00000000..11ba69c4 --- /dev/null +++ b/business/aws/aws-privatelink/preparing.mdx 
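Review bot: `preparing-NOT-USED.mdx` is a dead file: its name says it is unused, it duplicates nearly all of the `preparing.mdx` created in the same patch, and it carries two unresolved `??QUESTION` lines. Drop it from the patch and keep the open questions in the PR discussion; if it must stay temporarily, make sure it is not referenced from docs.json and does not get published by the site build.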
@@ -0,0 +1,85 @@ +--- +title: Preparing for a Dedicated Instance +sidebarTitle: Preparing for a Dedicated Instance +--- + + + The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. + + For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, + or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). + + +After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. + +The next steps are provisioning the required environment resources and, optionally, establishing private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: + +- **With AWS PrivateLink** - 4–5 days +- **Without AWS PrivateLink** - 2–3 days + + + +Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. + + +While you wait for a member of the Unstructured technical enablement team to reach out to you to begin the deployment onboarding process, you can get started by following the onboarding process: + +1. Provide your Unstructured sales representative or technical enablement contact with the following information. Unstructured will begin creating the dedicated instance deployment in that AWS Region. 
+ + +| Information Required | Description | +| --- | --- | +| Name of Administrator | Primary administrator of the account (others can be added after) | +| Admin email address | Email address of the primary admin | +| Cloud provider | AWS | +| Cloud Region | See the expandable list of **AWS Supported Regions** on this page| +| Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | +| VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | +| VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | +| Embedding models | e.g., Titan, Granite (ensure you select correct dimensions) | +
+ + +Do not send API keys by email or any collaboration tool. Unstructured has a secure method of capturing these. + + + +| Region Name | Region Code | +| --- | --- | +| US East (N. Virginia) | `us-east-1` | +| US East (Ohio) | `us-east-2` | +| US West (Oregon) | `us-west-2` | +| Europe (Ireland) | `eu-west-1` | +| Europe (Stockholm) | `eu-north-1` | +| Europe (Frankfurt) | `eu-central-1` | +| Asia Pacific (Sydney) | `ap-southeast-2` | +| Asia Pacific (Mumbai) | `ap-south-1` | +| Asia Pacific (Seoul) | `ap-northeast-2` | + +If your required region is not listed above, contact your Unstructured account representative. + + + +All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. + +To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. +??QUESTION: Is the Customer Portal site available? + + + +2. In your AWS account, create an endpoint service powered by AWS PrivateLink. Be sure when creating the endpoint service to use the same AWS Region name that you provided to Unstructured. + [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). (In AWS terminology, this makes you the _service provider_ and + Unstructured the _service consumer_.) +3. 
As the service provider, you must provide your Unstructured sales representative or technical enablement contact (as the service consumer) with the name of your endpoint service + (for example, `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc`) and the supported Availability Zones for that endpoint service, for the AWS Region + name that you provided to Unstructured earlier. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service). +4. As the service consumer, Unstructured will create a related endpoint service in its own AWS account in the same AWS Region as your AWS account. Unstructured will then send you an endpoint connection request to + complete the connection between its endpoint service (as the service consumer) and your endpoint service (as the service provider). + You must accept Unstructured's endpoint connection request as soon as possible, to avoid delays in the deployment process. + [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). + +## Questions? Need help? + +If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. If you do not know who they are, +email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams +will get back to you as soon as possible. \ No newline at end of file diff --git a/business/aws/overview.mdx b/business/aws/overview.mdx index ecf2637c..10d2f50a 100644 --- a/business/aws/overview.mdx +++ b/business/aws/overview.mdx 
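Review bot: Step 4 misuses PrivateLink terminology: as the service consumer, Unstructured creates an interface VPC endpoint in its own account that targets your endpoint service, not `a related endpoint service`; the connection request you accept in step 4 comes from that endpoint. Reword so steps 2 through 4 describe one provider/consumer pair consistently with the `[Learn how]` links they cite. The callout at the top says this page applies only to deployments with PrivateLink and sends others to sales, yet the timeframe list still includes `**Without AWS PrivateLink** - 2–3 days`; either drop that bullet or broaden the callout. `??QUESTION: Is the Customer Portal site available?` is again left in customer-facing text.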
@@ -11,11 +11,17 @@ This agreement outlines the terms and conditions for your organization to use Un To begin the **Business** account agreement process, contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). After your organization has signed the **Business** account agreement, a member of the Unstructured technical enablement team will reach out to you to begin the -deployment onboarding process. While you wait, you can get started by following the onboarding checkist for your deployment type, if it applies to you: +deployment onboarding process. + +While you wait, you can get started by following the onboarding checklist for your deployment type, if it applies to you: -- For dedicated instance deployments with AWS PrivateLink, follow the [onboarding checkist for AWS PrivateLink](/business/aws/dedicated-instance-privatelink). - For in-VPC deployents, follow the [onboarding checkist for in-VPC on AWS](/business/aws/onboard). +??QUESTION: This bullet point for AWS PrivateLink is in the current **Getting Started** section. Do we continue to instruct customers to proceed with these steps? + +- For dedicated instance deployments with AWS PrivateLink, follow the [onboarding checkist for AWS PrivateLink](/business/aws/dedicated-instance-privatelink). + + ## Questions? Need help? Contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or support teams diff --git a/business/azure/azure-privatelink/overview.md b/business/azure/azure-privatelink/DNU-overview.md similarity index 100% rename from business/azure/azure-privatelink/overview.md rename to business/azure/azure-privatelink/DNU-overview.md diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index 4cfe3fc5..e4d855c5 100644 
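Review bot: The `checkist` typo survives in both rewritten bullets (`onboarding checkist for AWS PrivateLink`, `onboarding checkist for in-VPC on AWS`) even though the same word is corrected to `checklist` one line earlier, and `deployents` remains in the unchanged context. The re-added PrivateLink bullet links to `/business/aws/dedicated-instance-privatelink`, but this patch creates the onboarding content at `business/aws/aws-privatelink/preparing.mdx`; verify that the target exists or update the link. The `??QUESTION` paragraph will render on the overview page; move it out of the file.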
--- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx @@ -37,7 +37,7 @@ az role assignment create \ For **read/write** access, use the **Storage Blob Data Contributor** role instead of **Storage Blob Data Reader**. -Replace the placeholders as follows: +Replace: - `` — Service principal ID for Unstructured (provided during onboarding) - `` — Your Azure subscription ID @@ -71,7 +71,7 @@ az role assignment create \ --role "Cognitive Services OpenAI User" \ --scope "/subscriptions//resourceGroups//providers/Microsoft.CognitiveServices/accounts/" ``` -Replace the placeholders as follows: +Replace: - `` — Service principal ID for Unstructured (provided during onboarding) - `` — Your Azure subscription ID @@ -112,7 +112,7 @@ az network private-endpoint-connection approve \ You can also approve the same request in the **Azure portal**: open the Databricks workspace resource > **Networking** > **Private endpoint connections**, then approve the pending connection from Unstructured. -Replace the placeholders as follows: +Replace: - `` — Resource group that contains the Databricks workspace - `` — Name of the Databricks workspace resource @@ -191,7 +191,7 @@ az network private-link-service connection approve \ --name "" ``` -Replace the placeholders as follows: +Replace: - `` — Resource group for the Private Link service and related resources - `` — Virtual network name diff --git a/business/azure/azure-privatelink/connector-support.mdx b/business/azure/azure-privatelink/connector-support.mdx index fbc3b5f3..4631cda2 100644 --- a/business/azure/azure-privatelink/connector-support.mdx +++ b/business/azure/azure-privatelink/connector-support.mdx 
@@ -3,15 +3,12 @@ title: Connector support for Azure Private Link sidebarTitle: Connector support --- -This section provides a list of connectors to Azure services. For each connector it summarizes the following: +The following table provides a list of connectors to AWS services and includes the following information for each: - Whether the connector supports Azure Private Link - Which Azure components are involved - A reference for detailed configuration information -Review the table first, then follow [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform) for UI/API access and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services) for data sources and other Azure workloads. - - ### Azure Connector Coverage | Connector | Private Link supported | Approach | Configuration information | diff --git a/business/dedicated-instances/preparing.mdx b/business/azure/azure-privatelink/preparing.mdx similarity index 70% rename from business/dedicated-instances/preparing.mdx rename to business/azure/azure-privatelink/preparing.mdx index 3971775f..9913fac4 100644 --- a/business/dedicated-instances/preparing.mdx +++ b/business/azure/azure-privatelink/preparing.mdx 
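Review bot: Copy-paste error: the Azure connector-support page now reads `The following table provides a list of connectors to AWS services`; it should say Azure services, as the bullets beneath it (which correctly say Azure Private Link) do. As on the AWS page, the links in the removed paragraph are still reachable from the table, so that removal is fine.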
@@ -1,16 +1,12 @@ --- title: Preparing for a Dedicated Instance --- - -This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. - -Once you’ve decided to proceed with a Dedicated Instance, the next steps involve provisioning the required environment resources and establishing private connectivity. The deployment process is conducted remotely and can typically be completed within the following timeframes: +After you decide to proceed with a Dedicated Instance, the next steps are provisioning the required environment resources and, optionally, establishing private connectivity with Azure Private Link. Deployment is conducted remotely and can usually be completed within the following timeframes: + +- **With AWS PrivateLink** - 4–5 days +- **Without AWS PrivateLink** - 2–3 days -| Cloud Provider | Without private connectivity | With private connectivity | -| --- | --- | --- | -| AWS | 2–3 Days | 4–5 Days | -| Azure | 2–3 Days | 4–5 Days | Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. @@ -25,8 +21,8 @@ Before deployment can begin, please provide the following: | --- | --- | | Name of Administrator | Primary administrator of the account (others can be added after) | | Admin email address | Email address of the primary admin | -| Cloud provider | AWS or Azure | -| Cloud Region | Please see [list of supported regions](about:blank#supported-cloud-providers-and-regions) | +| Cloud provider | Azure | +| Cloud Region | Contact your Unstructured account representative for the current list of supported Azure regions.| | Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | | VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | | VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | @@ -42,3 +38,5 @@ Do not send API keys by email or any collaboration tool. Unstructured has a secu All private connectivity configuration data exchanges between Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. +??QUESTION: Is the Customer Portal site available? + diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index 536d63c7..e7852f48 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx @@ -3,7 +3,7 @@ title: Architecture --- -This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. +This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network paths, not the public internet. diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 6619bc40..7d14ea1f 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
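Review bot: This file is now the Azure preparing page, but the new timeframe bullets say `**With AWS PrivateLink** - 4–5 days` and `**Without AWS PrivateLink** - 2–3 days`; change both to Azure Private Link to match the sentence just above them. The unchanged support-ticket subject line `PrivateLink Configuration Request` is likewise AWS wording on an Azure page. `??QUESTION: Is the Customer Portal site available?` is added as page text; remove it before merge.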
@@ -1,11 +1,11 @@ --- -title: Dedicated Instance +title: Dedicated Instance Concepts sidebarTitle: Overview --- A Dedicated Instance is a privately isolated deployment that Unstructured hosts for organizations that need stronger network boundaries, data isolation, and compliance controls. With cloud-native infrastructure and private networking, Unstructured connects to your sources and processes your data while it stays inside your trusted environment. -Use this overview to help teams across your organization evaluate, secure, and deploy your own Dedicated Instance in the Unstructured platform. +Use this overview to help teams across your organization evaluate, secure, and implement your own Dedicated Instance in the Unstructured platform. This overview covers: @@ -20,7 +20,7 @@ Unstructured supports Dedicated Instances for integration with Amazon Web Servic * Azure — [Onboarding your Dedicated Instance + Azure Private Link](/business/azure/azure-privatelink/overview) -This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. +This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx index e6afa3a8..304c6e39 100644 --- a/business/dedicated-instances/requirements.mdx +++ b/business/dedicated-instances/requirements.mdx @@ -3,7 +3,7 @@ title: Requirements and Limitations --- -This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. +This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. Dedicated Instances rely on cloud provider private networking features and therefore require certain baseline infrastructure components to ensure a secure and successful deployment. 
diff --git a/business/dedicated-instances/security/security-faq.mdx b/business/dedicated-instances/security/security-faq.mdx index 827aa399..e563b0e6 100644 --- a/business/dedicated-instances/security/security-faq.mdx +++ b/business/dedicated-instances/security/security-faq.mdx @@ -3,7 +3,7 @@ title: Security FAQ --- -This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. +This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. @@ -47,4 +47,4 @@ Unstructured does not store customer data long-term. Customer artifacts are used **What compliance standards does Unstructured support?** -Unstructured maintains industry-standard security and compliance programs including HIPAA compliance architecture, ITAR-readiness with geo-blocking via AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available from our trust center. !! Writer: Add link to Turst Center !! +Unstructured maintains industry-standard security and compliance programs including HIPAA compliance architecture, ITAR-readiness with geo-blocking via AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available from our [trust portal](https://trust.unstructured.io/). diff --git a/business/dedicated-instances/security/security-model.mdx b/business/dedicated-instances/security/security-model.mdx index d3514488..42ceb8d7 100644 --- a/business/dedicated-instances/security/security-model.mdx +++ b/business/dedicated-instances/security/security-model.mdx 
@@ -2,7 +2,7 @@ title: Security model --- -This topic uses **private connectivity** as a general term for AWS PrivateLink and Azure Private Link. +This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. Dedicated Instances use a security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. @@ -28,7 +28,7 @@ The following security measures and connectivity options apply: - **TLS 1.2+** for all traffic in transit. - **AWS WAF** (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance. - **IP Allowlisting** - restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. -!! WRITER: check standard wording and links for submitting support ticket !! +!!WRITER: check standard wording and links for submitting support ticket or reference to Customer Portal. - **Independent paths** - allow you to use the UI and API over the public internet while Unstructured uses private connectivity to reach your data sources. The two paths are configured separately. 
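Review bot: The reworded placeholder `!!WRITER: check standard wording and links for submitting support ticket or reference to Customer Portal.` is still in the file, and it sits between the `IP Allowlisting` and `Independent paths` list items, so it will render as customer-visible text and split the bullet list. Either resolve it now (the trust-portal fix in security-faq.mdx shows the intended approach) or keep it as a non-rendering comment.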
@@ -82,7 +82,8 @@ If your use case requires public egress, Unstructured can enable outbound intern | Full Egress | All outbound internet traffic is permitted (not recommended) | | Specific IPs/CIDRs | Outbound traffic is permitted only to specified IP addresses or CIDR ranges | -To request egress configuration changes, log a support ticket and provide:!! WRITER: check standard wording and links for submitting support ticket !! +To request egress configuration changes, log a support ticket and provide: +!!WRITER: check standard wording and links for submitting support ticket or reference to Customer Portal. - Application/use-case requirements for the access change. - List of IPs or CIDR ranges to allowlist. - Expected traffic patterns (e.g., VLM API calls, SSO integration). @@ -91,7 +92,8 @@ To request egress configuration changes, log a support ticket and provide:!! WRITER: check standard wording and links for submitting support ticket !! +To request ingress configuration changes, log a support ticket and provide: +!!WRITER: check standard wording and links for submitting support ticket or reference to Customer Portal. - Application/use-case requirements. - List of source IP addresses or CIDR ranges to allowlist. - Expected access patterns. diff --git a/business/overview.mdx b/business/overview.mdx index 198ca190..c511ccb6 100644 --- a/business/overview.mdx +++ b/business/overview.mdx 
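Review bot: In both the @@ -82,7 and @@ -91,7 hunks of security-model.mdx the `!!WRITER:` line now sits directly between "log a support ticket and provide:" and its bullet list, which both publishes an internal note and breaks the list rendering; replace it with the support portal link or an MDX comment before merge. Separately, the egress table in the @@ -82,7 context only says "Full Egress ... (not recommended)"; since "If your use case requires public egress, Unstructured can enable outbound internet" implies that the default is no public egress, stating that default explicitly above the table would make the risk of the Full Egress option clearer.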
@@ -7,7 +7,7 @@ Unstructured offers _business_ deployments, which allow you to use an Unstructur and the [Unstructured API](/api-reference/overview) as follows: -   Within a **Business SaaS** deployment - Hosted alongside other accounts on Unstructured's cloud infrastructure. --   Within a **dedicated instance** deployment - Hosted within a virtual private cloud (VPC) running inside Unstructured's cloud infrastructure. Dedicated instances are isolated from all other accounts, for additional security and control. +-   Within a **dedicated instance** deployment - Hosted within a virtual private cloud (VPC) running inside Unstructured's cloud infrastructure. Dedicated instances are isolated from all other accounts, for additional security and control. To learn more about dedicated instances see [Dedicated instance concepts](/business/dedicated-instances/overview). -   Within an **in-VPC** deployment - Hosted within your own VPC on your own cloud infrastructure. Unstructured **Business** accounts allow for multiple users and offer multiple workspaces. The **dedicated instance** and **in-VPC** account deployment types isolate your Unstructured **Business** account 
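Review bot: The link added in the @@ -7,7 hunk of business/overview.mdx targets /business/dedicated-instances/overview, and docs.json lists "business/dedicated-instances/overview", but the series also creates business/dedicated-instances/index.mdx and the later hunks edit business/dedicated-instances/overview.mdx; confirm which file is the real concepts page and delete the other so the link does not resolve to an orphaned duplicate.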
@@ -34,8 +34,7 @@ After your organization has signed the **Business** account agreement, the next - For a **Business SaaS** deployment, you can start using Unstructured by logging in to the Unstructured UI at [https://platform.unstructured.io](https://platform.unstructured.io). - For a **dedicated instance** deployment, a member of the Unstructured technical enablement team will reach out to you with the unique URL to log in to - the Unstructured UI, along with any next steps that you need to take. For dedicated instance deployments to AWS that also use PrivateLink, see - the [onboarding process for AWS PrivateLink](/business/aws/dedicated-instance-privatelink). + the Unstructured UI, along with any next steps that you need to take. To learn more about dedicated instances see [Dedicated instance concepts](/business/dedicated-instances/overview). - For an **in-VPC** deployment, your organization will work with a member of the Unstructured technical enablement team to deploy Unstructured into your own cloud instrastructure. You are encouraged to begin setting up your target environment as soon as possible. To do this, see the onboarding requirements for your [AWS](/business/aws/onboard), [Azure](/business/azure/onboard), or diff --git a/docs.json b/docs.json index 7f1e4684..c06c6193 100644 --- a/docs.json +++ b/docs.json @@ -340,7 +340,7 @@ ] }, { - "group": "Dedicated Instance", + "group": "Dedicated Instance concepts", "pages": [ "business/dedicated-instances/overview", "business/dedicated-instances/architecture", @@ -351,8 +351,7 @@ "business/dedicated-instances/security/security-faq" ] }, - "business/dedicated-instances/requirements", - "business/dedicated-instances/preparing" + "business/dedicated-instances/requirements" ] }, { 
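Review bot: The @@ -351,8 hunk of docs.json drops "business/dedicated-instances/preparing" from the navigation, but the file itself is not deleted in this patch, so it will still build as an unlisted page; delete the file or keep the nav entry. In the @@ -34,8 hunk of business/overview.mdx the unchanged in-VPC bullet still reads "cloud instrastructure"; worth fixing while this list is being edited.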
@@ -362,7 +361,7 @@ "business/aws/x-dedicated-instance-privatelink", { "group": "Onboarding Dedicated Instance + AWS PrivateLink", "pages": [ - "business/aws/aws-privatelink/overview", + "business/aws/aws-privatelink/preparing", "business/aws/aws-privatelink/connector-support", "business/aws/aws-privatelink/connect-to-platform", "business/aws/aws-privatelink/dns-configuration", @@ -378,7 +377,7 @@ "business/azure/overview", { "group": "Onboarding Dedicated Instance + Azure Private Link", "pages": [ - "business/azure/azure-privatelink/overview", + "business/azure/azure-privatelink/preparing", "business/azure/azure-privatelink/connector-support", "business/azure/azure-privatelink/connect-to-platform", "business/azure/azure-privatelink/dns-privatelink", From 5def2b37c04369854ea9d0bdd2d999d2b67f55f5 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 25 Mar 2026 09:54:30 -0400 Subject: [PATCH 21/29] Update some links and some comments/questions in the docs for review. --- .../{preparing.mdx => onboarding-preparing.mdx} | 13 ++++++++----- business/aws/overview.mdx | 5 +---- business/aws/x-dedicated-instance-privatelink.mdx | 6 ++++-- business/dedicated-instances/overview.mdx | 2 +- business/overview.mdx | 1 + docs.json | 6 +++--- 6 files changed, 18 insertions(+), 15 deletions(-) rename business/aws/aws-privatelink/{preparing.mdx => onboarding-preparing.mdx} (82%) diff --git a/business/aws/aws-privatelink/preparing.mdx b/business/aws/aws-privatelink/onboarding-preparing.mdx similarity index 82% rename from business/aws/aws-privatelink/preparing.mdx rename to business/aws/aws-privatelink/onboarding-preparing.mdx index 11ba69c4..2afe2fe8 100644 --- a/business/aws/aws-privatelink/preparing.mdx +++ b/business/aws/aws-privatelink/onboarding-preparing.mdx 
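Review bot: The @@ -378,7 hunk of docs.json renames the Azure entry to "business/azure/azure-privatelink/preparing", yet a later patch in this series deletes business/azure/azure-privatelink/preparing.mdx; confirm the docs.json change in that patch replaces the entry with the new onboarding page, since a nav entry without a file fails the docs build.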
@@ -1,6 +1,6 @@ --- -title: Preparing for a Dedicated Instance -sidebarTitle: Preparing for a Dedicated Instance +title: Onboarding checklist - Preparing for a Dedicated Instance +sidebarTitle: Onboarding checklist --- @@ -10,6 +10,9 @@ sidebarTitle: Preparing for a Dedicated Instance or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). +??Question: Integrated the "Preparing for a Dedicated Instance" from the new [DI internal doc](https://www.notion.so/dedicated-instances-documentation-30d2c3765a0a80709acef67a48caacc6) into the public Onboarding steps into this new version. +(Old version is in TOC, temporary for reference, with suffix [(TO BE ARCHIVED)-](/business/aws/aws-privatelink/onboarding-preparing).) (1) Is this the information that's been merged in here from the "old" content is still valid? (2) Does this combined content align correctly with our current onboarding process? + After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. The next steps are provisioning the required environment resources and, optionally, establishing private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: 
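Review bot: The `??Question:` block added in the @@ -10,6 hunk of onboarding-preparing.mdx is MDX body text, so the internal Notion URL it contains would be published; move the question to the PR description or an MDX comment. Its "(TO BE ARCHIVED)-" link also points at /business/aws/aws-privatelink/onboarding-preparing, which is this page itself, whereas the archived copy is business/aws/x-dedicated-instance-privatelink.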
@@ -67,15 +70,15 @@ To initiate a private connectivity configuration, log a ticket via the [Unstruct -2. In your AWS account, create an endpoint service powered by AWS PrivateLink. Be sure when creating the endpoint service to use the same AWS Region name that you provided to Unstructured. +2. In your AWS account, **create an endpoint service** powered by AWS PrivateLink. Be sure when creating the endpoint service to use the same AWS Region name that you provided to Unstructured. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). (In AWS terminology, this makes you the _service provider_ and Unstructured the _service consumer_.) -3. As the service provider, you must provide your Unstructured sales representative or technical enablement contact (as the service consumer) with the name of your endpoint service +3. As the service provider, you must provide your Unstructured sales representative or technical enablement contact (as the service consumer) with the **name of your endpoint service** (for example, `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc`) and the supported Availability Zones for that endpoint service, for the AWS Region name that you provided to Unstructured earlier. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service). 4. As the service consumer, Unstructured will create a related endpoint service in its own AWS account in the same AWS Region as your AWS account. Unstructured will then send you an endpoint connection request to complete the connection between its endpoint service (as the service consumer) and your endpoint service (as the service provider). - You must accept Unstructured's endpoint connection request as soon as possible, to avoid delays in the deployment process. + You must **accept Unstructured's endpoint connection request** as soon as possible, to avoid delays in the deployment process. 
[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). ## Questions? Need help? diff --git a/business/aws/overview.mdx b/business/aws/overview.mdx index 10d2f50a..09206c2a 100644 --- a/business/aws/overview.mdx +++ b/business/aws/overview.mdx @@ -17,10 +17,7 @@ While you wait, you can get started by following the onboarding checklist for yo - For in-VPC deployents, follow the [onboarding checkist for in-VPC on AWS](/business/aws/onboard). -??QUESTION: This bullet point for AWS PrivateLink is in the current **Getting Started** section. Do we continue to instruct customers to proceed with these steps? - -- For dedicated instance deployments with AWS PrivateLink, follow the [onboarding checkist for AWS PrivateLink](/business/aws/dedicated-instance-privatelink). - +- For dedicated instance deployments with AWS PrivateLink, follow the [onboarding checklist for a dedicated instance](/business/aws/aws-privatelink/onboarding-preparing). ## Questions? Need help? diff --git a/business/aws/x-dedicated-instance-privatelink.mdx b/business/aws/x-dedicated-instance-privatelink.mdx index f6ae9be6..f21bc0b8 100644 --- a/business/aws/x-dedicated-instance-privatelink.mdx +++ b/business/aws/x-dedicated-instance-privatelink.mdx @@ -1,8 +1,10 @@ --- -title: OLD - Unstructured Business dedicated instance on Amazon Web Services (AWS) with PrivateLink - onboarding -sidebarTitle: x Dedicated instance + PrivateLink onboarding +title: (TO BE ARCHIVED)- Unstructured Business dedicated instance on Amazon Web Services (AWS) with PrivateLink - onboarding +sidebarTitle: (TO BE ARCHIVED) Dedicated instance + PrivateLink onboarding --- +!!WRITER COMMENT: This content will be removed before publish. Keeping it around for Review reference. + The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. 
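Review bot: In the @@ -67,15 hunk of onboarding-preparing.mdx, step 3 tells the customer to give the endpoint service name and Availability Zones to "your Unstructured sales representative or technical enablement contact", but the hunk's own context line states that all private connectivity data exchanges "must be conducted via support tickets" for the audit trail; change step 3 to direct the exchange through the support ticket opened in step 1. In the aws/overview.mdx @@ -17,10 hunk the new bullet fixes "checklist" but the unchanged in-VPC bullet still has "deployents" and "checkist". In the x-dedicated-instance-privatelink.mdx @@ -1,8 hunk, `!!WRITER COMMENT: This content will be removed before publish.` is plain body text; use an MDX comment so the note cannot render if the archive step is missed.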
diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 7d14ea1f..c6470435 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx @@ -16,7 +16,7 @@ This overview covers: ## Cloud service provider (CSP) support Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). This topic provides information for both of these cloud service providers. For specific and detailed onboarding information about each provider see: -* AWS — [Onboarding your Dedicated Instance + AWS PrivateLink](/business/aws/aws-privatelink/overview) +* AWS — [Onboarding your Dedicated Instance + AWS PrivateLink](/business/aws/aws-privatelink/onboarding-preparing) * Azure — [Onboarding your Dedicated Instance + Azure Private Link](/business/azure/azure-privatelink/overview) diff --git a/business/overview.mdx b/business/overview.mdx index c511ccb6..68db46a8 100644 --- a/business/overview.mdx +++ b/business/overview.mdx 
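Review bot: The @@ -16,7 hunk of dedicated-instances/overview.mdx updates the AWS link but leaves the Azure bullet pointing at /business/azure/azure-privatelink/overview, which the docs.json changes in the earlier patch replaced with .../azure-privatelink/preparing; update the Azure link in the same hunk so the concepts page does not ship a dead link.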
@@ -35,6 +35,7 @@ After your organization has signed the **Business** account agreement, the next - For a **Business SaaS** deployment, you can start using Unstructured by logging in to the Unstructured UI at [https://platform.unstructured.io](https://platform.unstructured.io). - For a **dedicated instance** deployment, a member of the Unstructured technical enablement team will reach out to you with the unique URL to log in to the Unstructured UI, along with any next steps that you need to take. To learn more about dedicated instances see [Dedicated instance concepts](/business/dedicated-instances/overview). + !!COMMENT: Link in above bullet point was previously [DI + PrivateLink onboarding checklist](/business/aws/x-dedicated-instance-privatelink), now ARCHIVED. We point to this DI Concepts section now, which will direct reader to the revised [DI + PL Onboarding checklist](http://localhost:3000/business/aws/aws-privatelink/onboarding-preparing). - For an **in-VPC** deployment, your organization will work with a member of the Unstructured technical enablement team to deploy Unstructured into your own cloud instrastructure. You are encouraged to begin setting up your target environment as soon as possible. To do this, see the onboarding requirements for your [AWS](/business/aws/onboard), [Azure](/business/azure/onboard), or diff --git a/docs.json b/docs.json index c06c6193..4b4be124 100644 --- a/docs.json +++ b/docs.json 
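Review bot: The `!!COMMENT:` line added in the @@ -35,6 hunk of business/overview.mdx is indented under the bullet, so it renders as part of that list item and would publish a `http://localhost:3000/...` link; remove it before merge or convert it to an MDX comment, and if the pointer is useful keep only the site-relative path.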
@@ -358,17 +358,17 @@ "group": "Amazon Web Services", "pages": [ "business/aws/overview", - "business/aws/x-dedicated-instance-privatelink", { "group": "Onboarding Dedicated Instance + AWS PrivateLink", "pages": [ - "business/aws/aws-privatelink/preparing", + "business/aws/aws-privatelink/onboarding-preparing", "business/aws/aws-privatelink/connector-support", "business/aws/aws-privatelink/connect-to-platform", "business/aws/aws-privatelink/dns-configuration", "business/aws/aws-privatelink/connect-to-services" ] }, - "business/aws/onboard-in-vpc" + "business/aws/onboard-in-vpc", + "business/aws/x-dedicated-instance-privatelink" ] }, { From 9abe68096fb81ad3d7977326a1f0a486582a8ce1 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 25 Mar 2026 15:47:59 -0400 Subject: [PATCH 22/29] Trying some different things to improve content. Interim commit. --- .../aws-privatelink/dns-configuration-v2.mdx | 45 +++++++++++++++++++ .../aws-privatelink/onboarding-preparing.mdx | 35 +++++++++++++-- business/dedicated-instances/overview.mdx | 2 +- 3 files changed, 77 insertions(+), 5 deletions(-) create mode 100644 business/aws/aws-privatelink/dns-configuration-v2.mdx diff --git a/business/aws/aws-privatelink/dns-configuration-v2.mdx b/business/aws/aws-privatelink/dns-configuration-v2.mdx new file mode 100644 index 00000000..21d978f3 --- /dev/null +++ b/business/aws/aws-privatelink/dns-configuration-v2.mdx 
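Review bot: The @@ -358,17 hunk of docs.json moves "business/aws/x-dedicated-instance-privatelink" to the end of the AWS group rather than removing it, while that page's own title now says "(TO BE ARCHIVED)"; add a checklist item to drop this nav entry and the file before publishing so the archived onboarding steps do not stay discoverable next to the new ones.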
@@ -0,0 +1,45 @@ +--- +title: DNS configuration for PrivateLink access +sidebarTitle: DNS configuration +--- + +dd +## DNS Configuration for PrivateLink Access + +### Why this matters +PrivateLink establishes a private network path between VPCs, but DNS determines how clients resolve and reach that path. Configuring DNS correctly ensures that service requests resolve to the private endpoint, remain within your network boundaries, and successfully complete TLS validation using the expected hostname. Misconfigured DNS can result in failed connections or traffic being routed outside the intended private path. + + +PrivateLink connectivity may be correctly configured, but if DNS still resolves the service hostname to a public endpoint, traffic will bypass PrivateLink. This can lead to failed connections (for private-only services) or unintended public network access. + + + +From within your VPC, use tools such as nslookup or dig to resolve the service hostname and confirm it returns private IP addresses associated with your Interface VPC Endpoint. + + +--- + +### How PrivateLink and DNS Work Together + +```mermaid +flowchart LR + subgraph Customer_VPC[Customer VPC] + A[Client Application] + D[Route 53 / VPC DNS Resolver] + E[Interface VPC Endpoint ENI
Private IP] + end + + subgraph PrivateLink[AWS PrivateLink] + B[Interface VPC Endpoint] + end + + subgraph Vendor_VPC[Vendor VPC] + C[Network Load Balancer] + F[Service Application] + end + + A -->|1. Resolve service hostname| D + D -->|2. Return private IP for endpoint| E + A -->|3. Connect using service hostname
TLS hostname validation / SNI| B + B --> C + C --> F diff --git a/business/aws/aws-privatelink/onboarding-preparing.mdx b/business/aws/aws-privatelink/onboarding-preparing.mdx index 2afe2fe8..85a95807 100644 --- a/business/aws/aws-privatelink/onboarding-preparing.mdx +++ b/business/aws/aws-privatelink/onboarding-preparing.mdx @@ -1,6 +1,6 @@ --- title: Onboarding checklist - Preparing for a Dedicated Instance -sidebarTitle: Onboarding checklist +sidebarTitle: Onboarding steps --- @@ -10,8 +10,8 @@ sidebarTitle: Onboarding checklist or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). -??Question: Integrated the "Preparing for a Dedicated Instance" from the new [DI internal doc](https://www.notion.so/dedicated-instances-documentation-30d2c3765a0a80709acef67a48caacc6) into the public Onboarding steps into this new version. -(Old version is in TOC, temporary for reference, with suffix [(TO BE ARCHIVED)-](/business/aws/aws-privatelink/onboarding-preparing).) (1) Is this the information that's been merged in here from the "old" content is still valid? (2) Does this combined content align correctly with our current onboarding process? +?!!COMMENT: Integrated the *_Preparing for a Dedicated Instance_" from new DI Internal Doc into the public Onboarding steps. +(Old version is in TOC, temporary for reference: [(TO BE ARCHIVED)-](/business/aws/aws-privatelink/onboarding-preparing).) After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. 
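Review bot: In the @@ -0,0 +1,45 hunk of dns-configuration-v2.mdx there is a stray `dd` line above the heading, and the hunk as shown ends at `C --> F` without the closing mermaid fence, so check the fence is closed or the rest of the page renders inside the diagram. In the diagram, node `E[Interface VPC Endpoint ENI Private IP]` in the customer VPC and node `B[Interface VPC Endpoint]` in the PrivateLink subgraph are the same resource; merging them keeps the flow readable. The verification paragraph would be more useful with the preconditions for private DNS resolution alongside the `nslookup`/`dig` check: the VPC attributes `enableDnsSupport` and `enableDnsHostnames` must be enabled and "Enable private DNS name" selected on the interface endpoint, and if the provider uses a custom private DNS name on the endpoint service, domain ownership verification must be completed first; without these, the hostname silently resolves to the public address and, because the certificate still matches, only the DNS check reveals that traffic left the private path. In the onboarding-preparing.mdx @@ -10,8 hunk the `?!!COMMENT:` text is still body content and its `*_Preparing for a Dedicated Instance_"` markup is unbalanced; move it to an MDX comment.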
@@ -20,11 +20,35 @@ The next steps are provisioning the required environment resources and, optional - **With AWS PrivateLink** - 4–5 days - **Without AWS PrivateLink** - 2–3 days - Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. +## References to help you onboard +The following refences can provide background or more detail to help you onboard: +* [Dedicated instance concepts](/business/dedicated-instances/overview) - +* [Create an endpoint service powered by AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) +* [Configure an AWS PrivateLink endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) + +## High level onboarding process +| ID | Owner | Action | +| :---: | --- | --- | +| 1 | Customer | Provides Unstructured information for provisioning | +| 2 | Customer | Creates an **AWS PrivateLink endpoint service**.
Provides infromation to Unstructured via Support ticket.
Prerequisites: **AWS VPC** with a **Network Load Balancer** | +| 4 | Unstructured | Creates a **related endpoint service** in its own AWS account in the **same region** that Customer provided in previous step.
Prerequisites: 3 ; New AWS VPC with a Network Load Balancer allocated | +|5 | Unstructured | Sends Customer an endpoint connection request to complete the connection between its endpoint service (as the service consumer) and your endpoint service (as the service provider).
Prerequisites: 4 | +| 6 | Customer | Accepts Unstructured's **endpoint connection request**. This step is a prerequisite to establish Unstructured as a Service Consumer to the Customer's AWS services and applications.
Prerequisites: 5 | +| 7 | Unstructured | Creates your Dedicated Instance on the Unstructured platform in the unique VPC associated with (4).
Prerequisites: 1 | +| 8 | Unstructured | Grants your applications on your AWS account access to the Unstructured platform (UI/API).
Prerequisites: 7 | + + + + +Unstructured provides your applications access to the Unstructured Platform (UI and API). +You:In your AWS account, create an endpoint service powered by AWS PrivateLink. + + +## Next steps in onboarding While you wait for a member of the Unstructured technical enablement team to reach out to you to begin the deployment onboarding process, you can get started by following the onboarding process: 1. Provide your Unstructured sales representative or technical enablement contact with the following information. Unstructured will begin creating the dedicated instance deployment in that AWS Region. @@ -66,10 +90,13 @@ If your required region is not listed above, contact your Unstructured account r All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. + ??QUESTION: Is the Customer Portal site available? + + 2. In your AWS account, **create an endpoint service** powered by AWS PrivateLink. Be sure when creating the endpoint service to use the same AWS Region name that you provided to Unstructured. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). (In AWS terminology, this makes you the _service provider_ and Unstructured the _service consumer_.) diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index c6470435..f6280cbe 100644 --- a/business/dedicated-instances/overview.mdx 
+++ b/business/dedicated-instances/overview.mdx @@ -1,5 +1,5 @@ --- -title: Dedicated Instance Concepts +title: Dedicated Instance concepts sidebarTitle: Overview --- From bf8859a55024a7411d6f8adf44a02390f7e49ed7 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Wed, 25 Mar 2026 22:26:43 -0400 Subject: [PATCH 23/29] AI enrichment of some pages - specifically the DI Onboarding steps pages for AWS and Azure. --- .../aws/aws-privatelink/onboarding-di-pl.mdx | 119 ++++++++++++++++++ ...preparing.mdx => onboarding-di-pl_bak.mdx} | 40 ++---- ...board-in-vpc.mdx => onboarding-in-vpc.mdx} | 0 business/aws/overview.mdx | 4 +- .../azure-privatelink/onboarding-di-pl.mdx | 102 +++++++++++++++ .../azure/azure-privatelink/preparing.mdx | 42 ------- ...board-in-vpc.mdx => onboarding-in-vpc.mdx} | 0 business/azure/overview.mdx | 6 +- business/dedicated-instances/overview.mdx | 4 +- .../security/shared-responsibility-model.mdx | 11 +- .../{onboard.mdx => onboarding-in-vpc.mdx} | 2 +- business/overview.mdx | 7 +- docs.json | 10 +- 13 files changed, 253 insertions(+), 94 deletions(-) create mode 100644 business/aws/aws-privatelink/onboarding-di-pl.mdx rename business/aws/aws-privatelink/{onboarding-preparing.mdx => onboarding-di-pl_bak.mdx} (70%) rename business/aws/{onboard-in-vpc.mdx => onboarding-in-vpc.mdx} (100%) create mode 100644 business/azure/azure-privatelink/onboarding-di-pl.mdx delete mode 100644 business/azure/azure-privatelink/preparing.mdx rename business/azure/{onboard-in-vpc.mdx => onboarding-in-vpc.mdx} (100%) rename business/gcp/{onboard.mdx => onboarding-in-vpc.mdx} (99%) diff --git a/business/aws/aws-privatelink/onboarding-di-pl.mdx b/business/aws/aws-privatelink/onboarding-di-pl.mdx new file mode 100644 index 00000000..df1afdad --- /dev/null +++ b/business/aws/aws-privatelink/onboarding-di-pl.mdx 
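Review bot: In the @@ -20,11 hunk of onboarding-preparing.mdx the "High level onboarding process" table has no row 3 even though row 4 lists "Prerequisites: 3", row 2 says information is provided "via Support ticket" while the detailed step 3 below still names the sales representative, and the two unattached lines "Unstructured provides your applications access to the Unstructured Platform (UI and API)." and "You:In your AWS account, create an endpoint service..." read as leftover drafting; fix the numbering, pick one exchange channel, and remove the stray lines. Also "refences" and "infromation" are misspelled. In the @@ -66,10 hunk, `??QUESTION: Is the Customer Portal site available?` is indented inside the numbered list and would render as part of step 1.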
@@ -0,0 +1,119 @@ +--- +title: Onboarding Dedicated Instance + AWS PrivateLink +sidebarTitle: Onboarding +--- + + + The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. + + For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, + or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). + + +After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. + +The next steps are to provision the required environment resources and, optionally, establish private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: + +- **With AWS PrivateLink:** 4–5 days +- **Without AWS PrivateLink:** 2–3 days + + +Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. 
+ + +## References to help you onboard +The following references can provide background or more detail to help you onboard: +* [Dedicated instance concepts](/business/dedicated-instances/overview) +* [Create an endpoint service powered by AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) +* [Configure an AWS PrivateLink endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) + +## High-level onboarding process +This onboarding workflow covers two connectivity paths: + +- Customer access to the Unstructured platform UI and API +- Unstructured access to supported Customer-managed AWS services over AWS PrivateLink + +| Step | Owner | Action | +| :---: | --- | --- | +| 1 | Customer | Provide the information required to provision the Dedicated Instance in AWS. | +| 2 | Customer | Confirm that the selected AWS Region is supported. | +| 3 | Customer and Unstructured | Exchange private connectivity details through a support ticket. | +| 4 | Customer | Create an AWS PrivateLink endpoint service for supported Customer-managed AWS services. | +| 5 | Customer | Share the endpoint service name and supported Availability Zones with Unstructured. | +| 6 | Unstructured | Configure connectivity from the Unstructured-managed environment to the Customer-managed AWS service. | +| 7 | Customer | Accept the endpoint connection request from Unstructured. | +| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform. | + +## Detailed onboarding steps +Use the following steps to prepare the deployment and configure AWS PrivateLink connectivity. + +### Step 1: Provide provisioning information +Provide your Unstructured sales representative or technical enablement contact with the following information. Unstructured uses this information to begin provisioning your Dedicated Instance in the selected AWS Region. 
+ + +| Information Required | Description | +| --- | --- | +| Name of Administrator | Primary administrator of the account (others can be added later) | +| Admin email address | Email address of the primary administrator | +| Cloud provider | AWS | +| Cloud Region | See the expandable list of **AWS Supported Regions** on this page | +| Desired URL | `.privatelink.unstructuredapp.io` | +| VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | +| VLM models | For example, Claude Sonnet 4.5, GPT-4o, or Gemini 2.0 Flash | +| Embedding models | For example, Titan or Granite. Ensure that you select the correct dimensions. | + + + +Do not send API keys by email or through collaboration tools. Unstructured provides a secure method for sharing secrets. + + +### Step 2: Confirm the AWS Region +Review the supported AWS Regions for Dedicated Instance deployments. + + +| Region Name | Region Code | +| --- | --- | +| US East (N. Virginia) | `us-east-1` | +| US East (Ohio) | `us-east-2` | +| US West (Oregon) | `us-west-2` | +| Europe (Ireland) | `eu-west-1` | +| Europe (Stockholm) | `eu-north-1` | +| Europe (Frankfurt) | `eu-central-1` | +| Asia Pacific (Sydney) | `ap-southeast-2` | +| Asia Pacific (Mumbai) | `ap-south-1` | +| Asia Pacific (Seoul) | `ap-northeast-2` | + +If your required Region is not listed above, contact your Unstructured account representative. + + +### Step 3: Exchange private connectivity information +All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted through support tickets. This provides a documented audit trail for account IDs, VPC endpoint service names, IAM role ARNs, and other sensitive configuration details. + + +To start the private connectivity process, open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. 
A technical enablement engineer will guide you through the remaining steps. + + +### Step 4: Create an AWS PrivateLink endpoint service +In your AWS account, create an endpoint service powered by AWS PrivateLink in the same AWS Region that you provided to Unstructured. + +[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) + +In AWS terminology, you are the _service provider_ and Unstructured is the _service consumer_. + +### Step 5: Share the endpoint service details +Provide Unstructured with the endpoint service name and the supported Availability Zones for that service in the selected AWS Region. + +For example: `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc` + +[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service) + +### Step 6: Accept the endpoint connection request +After Unstructured configures connectivity from the Unstructured-managed environment to your AWS-hosted service, Unstructured sends an endpoint connection request. + +Accept the endpoint connection request as soon as possible to avoid delays in the deployment process. + +[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests) + +## Questions? Need help? + +If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. If you do not know who they are, email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams will get back to you as soon as possible. \ No newline at end of file 
diff --git a/business/aws/aws-privatelink/onboarding-preparing.mdx b/business/aws/aws-privatelink/onboarding-di-pl_bak.mdx similarity index 70% rename from business/aws/aws-privatelink/onboarding-preparing.mdx rename to business/aws/aws-privatelink/onboarding-di-pl_bak.mdx index 85a95807..d68ba54d 100644 --- a/business/aws/aws-privatelink/onboarding-preparing.mdx +++ b/business/aws/aws-privatelink/onboarding-di-pl_bak.mdx @@ -1,6 +1,6 @@ --- -title: Onboarding checklist - Preparing for a Dedicated Instance -sidebarTitle: Onboarding steps +title: Onboarding Dedicated Instance + AWS PrivateLink +sidebarTitle: Onboarding --- @@ -10,9 +10,6 @@ sidebarTitle: Onboarding steps or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). -?!!COMMENT: Integrated the *_Preparing for a Dedicated Instance_" from new DI Internal Doc into the public Onboarding steps. -(Old version is in TOC, temporary for reference: [(TO BE ARCHIVED)-](/business/aws/aws-privatelink/onboarding-preparing).) - After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. The next steps are provisioning the required environment resources and, optionally, establishing private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: @@ -25,29 +22,11 @@ Times are subject to Customer infrastructure team availability. More complex int
## References to help you onboard -The following refences can provide background or more detail to help you onboard: -* [Dedicated instance concepts](/business/dedicated-instances/overview) - +The following references can provide background or more detail to help you onboard: +* [Dedicated instance concepts](/business/dedicated-instances/overview) * [Create an endpoint service powered by AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) * [Configure an AWS PrivateLink endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) -## High level onboarding process -| ID | Owner | Action | -| :---: | --- | --- | -| 1 | Customer | Provides Unstructured information for provisioning | -| 2 | Customer | Creates an **AWS PrivateLink endpoint service**.
Provides infromation to Unstructured via Support ticket.
Prerequisites: **AWS VPC** with a **Network Load Balancer** | -| 4 | Unstructured | Creates a **related endpoint service** in its own AWS account in the **same region** that Customer provided in previous step.
Prerequisites: 3 ; New AWS VPC with a Network Load Balancer allocated | -|5 | Unstructured | Sends Customer an endpoint connection request to complete the connection between its endpoint service (as the service consumer) and your endpoint service (as the service provider).
Prerequisites: 4 | -| 6 | Customer | Accepts Unstructured's **endpoint connection request**. This step is a prerequisite to establish Unstructured as a Service Consumer to the Customer's AWS services and applications.
Prerequisites: 5 | -| 7 | Unstructured | Creates your Dedicated Instance on the Unstructured platform in the unique VPC associated with (4).
Prerequisites: 1 | -| 8 | Unstructured | Grants your applications on your AWS account access to the Unstructured platform (UI/API).
Prerequisites: 7 | - - - - -Unstructured provides your applications access to the Unstructured Platform (UI and API). -You:In your AWS account, create an endpoint service powered by AWS PrivateLink. - - ## Next steps in onboarding While you wait for a member of the Unstructured technical enablement team to reach out to you to begin the deployment onboarding process, you can get started by following the onboarding process: @@ -59,7 +38,7 @@ While you wait for a member of the Unstructured technical enablement team to rea | Name of Administrator | Primary administrator of the account (others can be added after) | | Admin email address | Email address of the primary admin | | Cloud provider | AWS | -| Cloud Region | See the expandable list of **AWS Supported Regions** on this page| +| Cloud Region | See the expandable list of **AWS Supported Regions** on this page | | Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | | VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | | VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | @@ -89,14 +68,9 @@ If your required region is not listed above, contact your Unstructured account r All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. -To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. - -??QUESTION: Is the Customer Portal site available? +To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **`PrivateLink Configuration Request — [Your Company Name]`**. A technical enablement engineer will respond to guide you through the exchange. - - - 2. In your AWS account, **create an endpoint service** powered by AWS PrivateLink. Be sure when creating the endpoint service to use the same AWS Region name that you provided to Unstructured. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). (In AWS terminology, this makes you the _service provider_ and Unstructured the _service consumer_.) 
@@ -112,4 +86,4 @@ To initiate a private connectivity configuration, log a ticket via the [Unstruct If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. If you do not know who they are, email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams -will get back to you as soon as possible. \ No newline at end of file +will get back to you as soon as possible. diff --git a/business/aws/onboard-in-vpc.mdx b/business/aws/onboarding-in-vpc.mdx similarity index 100% rename from business/aws/onboard-in-vpc.mdx rename to business/aws/onboarding-in-vpc.mdx diff --git a/business/aws/overview.mdx b/business/aws/overview.mdx index 09206c2a..aa50eddb 100644 --- a/business/aws/overview.mdx +++ b/business/aws/overview.mdx @@ -15,9 +15,9 @@ deployment onboarding process. While you wait, you can get started by following the onboarding checklist for your deployment type, if it applies to you: -- For in-VPC deployents, follow the [onboarding checkist for in-VPC on AWS](/business/aws/onboard). +- For in-VPC deployents, follow [onboarding in-VPC on AWS](/business/aws/onboarding-in-vpc). -- For dedicated instance deployments with AWS PrivateLink, follow the [onboarding checklist for a dedicated instance](/business/aws/aws-privatelink/onboarding-preparing). +- For dedicated instance deployments with AWS PrivateLink, follow [onboarding a dedicated instance](/business/aws/aws-privatelink/onboarding-di-pl). ## Questions? Need help? diff --git a/business/azure/azure-privatelink/onboarding-di-pl.mdx b/business/azure/azure-privatelink/onboarding-di-pl.mdx new file mode 100644 index 00000000..bd5485d0 --- /dev/null +++ b/business/azure/azure-privatelink/onboarding-di-pl.mdx 
@@ -0,0 +1,102 @@ +--- +title: Onboarding Dedicated Instance + Azure Private Link +sidebarTitle: Onboarding +--- + + + The following information applies only to dedicated instance deployments with Private Link for [Unstructured Business](/business/overview) on Azure. + + For dedicated instance deployments of Unstructured Business to Azure _without_ Private Link, contact your Unstructured sales representative, + or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). + + +After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. + +The next steps are to provision the required environment resources and, optionally, establish private connectivity with Azure Private Link. Deployment is conducted remotely and can usually be completed within the following timeframes: + +- **With Azure Private Link:** 4–5 days +- **Without Azure Private Link:** 2–3 days + + +Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. 
+ + +## References to help you onboard +The following references can provide background or more detail to help you onboard: +* [Dedicated instance concepts](/business/dedicated-instances/overview) +* [Quickstart: Create a Private Link service by using the Azure portal](https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal) +* [Manage Azure private endpoints](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint) +* [What is Azure Private Link service?](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview) + +## High-level onboarding process +This onboarding workflow covers two connectivity paths: + +- Customer access to the Unstructured platform UI and API +- Unstructured access to supported Customer-managed Azure services over Azure Private Link + +| Step | Owner | Action | +| :---: | --- | --- | +| 1 | Customer | Provide the information required to provision the Dedicated Instance in Azure. | +| 2 | Customer | Confirm that the selected Azure Region is supported. | +| 3 | Customer and Unstructured | Exchange private connectivity details through a support ticket. | +| 4 | Customer | Prepare Azure resources for private connectivity. This can include enabling private endpoint access on Azure managed services or creating a Private Link service for Customer-managed services. | +| 5 | Customer | Share the required Azure resource details with Unstructured. | +| 6 | Unstructured | Create the required private endpoints from the Unstructured-managed environment. | +| 7 | Customer | Approve the pending private endpoint connection requests in Azure. | +| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform. | + +## Detailed onboarding steps +Use the following steps to prepare the deployment and configure Azure Private Link connectivity. 
+ +### Step 1: Provide provisioning information +Provide your Unstructured sales representative or technical enablement contact with the following information. Unstructured uses this information to begin provisioning your Dedicated Instance in the selected Azure Region. + + +| Information Required | Description | +| --- | --- | +| Name of Administrator | Primary administrator of the account (others can be added later) | +| Admin email address | Email address of the primary administrator | +| Cloud provider | Azure | +| Cloud Region | Contact your Unstructured account representative for the current list of supported Azure Regions. | +| Desired URL | `.privatelink.unstructuredapp.io` | +| VLM provider | Anthropic, OpenAI, Azure OpenAI, etc. | +| VLM models | For example, Claude Sonnet 4.5, GPT-4o, or Gemini 2.0 Flash | +| Embedding models | For example, Titan or Granite. Ensure that you select the correct dimensions. | + + + +Do not send API keys by email or through collaboration tools. Unstructured provides a secure method for sharing secrets. + + +### Step 2: Confirm the Azure Region +Confirm with your Unstructured account representative that the selected Azure Region is supported for Dedicated Instance deployment. + +### Step 3: Exchange private connectivity information +All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted through support tickets. This provides a documented audit trail for subscription IDs, Private Link service resource IDs, service principal IDs, resource group names, and other sensitive configuration details. + + +To start the private connectivity process, open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. A technical enablement engineer will guide you through the remaining steps. 
+ + +### Step 4: Prepare Azure resources for private connectivity +If Unstructured must connect to supported services in your Azure environment, prepare the resources based on the service type: + +- For Azure managed services that support private endpoints, provide the resource IDs, sub-resource types, and other required service details. +- For Customer-managed services in your virtual network, create a **Private Link service** backed by an **Azure Standard Load Balancer**. + +For more information, see [Connecting to the Unstructured Platform (UI and API)](/business/azure/azure-privatelink/connect-to-platform) and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services). + +### Step 5: Share the Azure resource details +Provide Unstructured with the Azure resource details required for the connection. Depending on the service type, this can include subscription IDs, resource group names, resource IDs, Private Link service resource IDs, sub-resource types, and supported regions. + +### Step 6: Approve the private endpoint connection requests +After Unstructured creates the required private endpoints from the Unstructured-managed environment, approve the pending private endpoint connection requests in Azure. + +Approve the requests as soon as possible to avoid delays in the deployment process. + +You can approve the requests in the Azure portal under the target resource's **Networking** settings, or by using Azure CLI where applicable. + +## Questions? Need help? + +If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. If you do not know who they are, email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams will get back to you as soon as possible. + 
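Review bot: Step 6 of the new Azure onboarding page asks the Customer to approve pending private endpoint connections "as soon as possible" with no verification step; add that the requesting subscription shown on the pending connection must match the identifiers Unstructured provided in the Step 3 support ticket before it is approved, and in Step 4 state that a Customer-created Private Link service should restrict its visibility to Unstructured's subscription and should not list that subscription for auto-approval, so approval stays a deliberate, checked action. Two smaller points in the same file: the timeframes list `Without Azure Private Link: 2–3 days` while the Desired URL row offers only `.privatelink.unstructuredapp.io` and the callout sends non-Private-Link deployments to sales, so one of the three should change; and Step 4, which is about Unstructured reaching Customer services, links to the connect-to-platform page first, where connect-to-services is the relevant one.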
diff --git a/business/azure/azure-privatelink/preparing.mdx b/business/azure/azure-privatelink/preparing.mdx deleted file mode 100644 index 9913fac4..00000000 --- a/business/azure/azure-privatelink/preparing.mdx +++ /dev/null @@ -1,42 +0,0 @@ ---- -title: Preparing for a Dedicated Instance ---- - -After you decide to proceed with a Dedicated Instance, the next steps are provisioning the required environment resources and, optionally, establishing private connectivity with Azure Private Link. Deployment is conducted remotely and can usually be completed within the following timeframes: - -- **With AWS PrivateLink** - 4–5 days -- **Without AWS PrivateLink** - 2–3 days - - - -Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. - - - -### Information Required for Provisioning - -Before deployment can begin, please provide the following: - -| Information Required | Description | -| --- | --- | -| Name of Administrator | Primary administrator of the account (others can be added after) | -| Admin email address | Email address of the primary admin | -| Cloud provider | Azure | -| Cloud Region | Contact your Unstructured account representative for the current list of supported Azure regions.| -| Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | -| VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | -| VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | -| Embedding models | e.g., Titan, Granite (ensure you select correct dimensions) | - - -Do not send API keys by email or any collaboration tool. Unstructured has a secure method of capturing these. - - - -### Information Exchange - -All private connectivity configuration data exchanges between Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. - -To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. -??QUESTION: Is the Customer Portal site available? - diff --git a/business/azure/onboard-in-vpc.mdx b/business/azure/onboarding-in-vpc.mdx similarity index 100% rename from business/azure/onboard-in-vpc.mdx rename to business/azure/onboarding-in-vpc.mdx diff --git a/business/azure/overview.mdx b/business/azure/overview.mdx index 453c849d..5117a471 100644 --- a/business/azure/overview.mdx +++ b/business/azure/overview.mdx @@ -1,6 +1,6 @@ --- -title: OLD - Unstructured Business in-VPC on Azure - overview -sidebarTitle: x Overview +title: Unstructured Business in-VPC on Azure - overview +sidebarTitle: Overview --- 
@@ -19,7 +19,7 @@ To begin the **Business** account agreement process, contact your Unstructured s After your organization has signed the **Business** account agreement, a member of the Unstructured technical enablement team will reach out to you to begin the deployment onboarding process. To streamline this process, you are encouraged to begin setting up your target environment as soon as possible. To do this, -see the [onboarding checkist](/business/azure/onboard). +see the [onboarding checklist](/business/azure/onboarding-in-vpc). ## Questions? Need help? diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index f6280cbe..9cf59fea 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx @@ -16,8 +16,8 @@ This overview covers: ## Cloud service provider (CSP) support Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). This topic provides information for both of these cloud service providers. For specific and detailed onboarding information about each provider see: -* AWS — [Onboarding your Dedicated Instance + AWS PrivateLink](/business/aws/aws-privatelink/onboarding-preparing) -* Azure — [Onboarding your Dedicated Instance + Azure Private Link](/business/azure/azure-privatelink/overview) +* AWS — [Onboarding your Dedicated Instance + AWS PrivateLink](/business/aws/aws-privatelink/onboarding-di-pl) +* Azure — [Onboarding your Dedicated Instance + Azure Private Link](/business/azure/azure-privatelink/onboarding-di-pl) This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. diff --git a/business/dedicated-instances/security/shared-responsibility-model.mdx b/business/dedicated-instances/security/shared-responsibility-model.mdx index 57a4d28b..404151d7 100644 --- a/business/dedicated-instances/security/shared-responsibility-model.mdx 
+++ b/business/dedicated-instances/security/shared-responsibility-model.mdx @@ -2,10 +2,17 @@ title: Shared responsibility model --- -A **shared responsibility model** documents how responsibility for security and operations is divided between a service provider and its customers. The provider protects the infrastructure and software it operates; customers protect their accounts, data, identities, access policies, and the network resources they control. Major cloud providers publish similar high-level shared responsibility frameworks for their own platforms. +## What the shared responsibility model means +A shared responsibility model defines how security and operational responsibilities are divided between Unstructured and the customer. +Unstructured is responsible for the infrastructure and software it operates. Customers are responsible for their accounts, data, identities, access policies, and the network resources they control. -The following tables indicate which responsibilities are assigned to the **Customer** or to **Unstructured**. The first table covers traffic to the Unstructured platform (UI and API access from your environment). The second covers traffic to your data sources (when Unstructured connects into your cloud). +Major cloud providers use similar shared responsibility models for their own services. + +## How to use these tables +The following tables show which responsibilities belong to the Customer and which belong to Unstructured. + +The first table covers traffic to the Unstructured platform, including UI and API access from your environment. The second table covers traffic to your data sources, when Unstructured connects to resources in your cloud environment. **Customer → Unstructured (Accessing Unstructured UI and API)** diff --git a/business/gcp/onboard.mdx b/business/gcp/onboarding-in-vpc.mdx similarity index 99% rename from business/gcp/onboard.mdx rename to business/gcp/onboarding-in-vpc.mdx index 6003a3ef..178cf1ff 100644 
--- a/business/gcp/onboard.mdx +++ b/business/gcp/onboarding-in-vpc.mdx @@ -1,5 +1,5 @@ --- -title: Unstructured Business in-VPC on Google Cloud Platform (GCP) - onboarding checklist +title: Onboarding in-VPC on your Google Cloud Platform (GCP) sidebarTitle: Onboarding --- diff --git a/business/overview.mdx b/business/overview.mdx index 68db46a8..4262c034 100644 --- a/business/overview.mdx +++ b/business/overview.mdx 
@@ -34,12 +34,11 @@ After your organization has signed the **Business** account agreement, the next - For a **Business SaaS** deployment, you can start using Unstructured by logging in to the Unstructured UI at [https://platform.unstructured.io](https://platform.unstructured.io). - For a **dedicated instance** deployment, a member of the Unstructured technical enablement team will reach out to you with the unique URL to log in to - the Unstructured UI, along with any next steps that you need to take. To learn more about dedicated instances see [Dedicated instance concepts](/business/dedicated-instances/overview). - !!COMMENT: Link in above bullet point was previously [DI + PrivateLink onboarding checklist](/business/aws/x-dedicated-instance-privatelink), now ARCHIVED. We point to this DI Concepts section now, which will direct reader to the revised [DI + PL Onboarding checklist](http://localhost:3000/business/aws/aws-privatelink/onboarding-preparing). + the Unstructured UI, along with any next steps that you need to take. To learn more about dedicated instances see [dedicated instance concepts](/business/dedicated-instances/overview). - For an **in-VPC** deployment, your organization will work with a member of the Unstructured technical enablement team to deploy Unstructured into your own cloud instrastructure. You are encouraged to begin setting up your target environment as soon as possible. To do this, - see the onboarding requirements for your [AWS](/business/aws/onboard), [Azure](/business/azure/onboard), or - [GCP](/business/gcp/onboard) account. + see the onboarding requirements for your [AWS](/business/aws/onboarding-in-vpc), [Azure](/business/azure/onboarding-in-vpc), or + [GCP](/business/gcp/onboarding-in-vpc) account. ## Questions? Need help? diff --git a/docs.json b/docs.json index 4b4be124..b37dd29d 100644 --- a/docs.json +++ b/docs.json 
@@ -360,14 +360,14 @@ "business/aws/overview", { "group": "Onboarding Dedicated Instance + AWS PrivateLink", "pages": [ - "business/aws/aws-privatelink/onboarding-preparing", + "business/aws/aws-privatelink/onboarding-di-pl", "business/aws/aws-privatelink/connector-support", "business/aws/aws-privatelink/connect-to-platform", "business/aws/aws-privatelink/dns-configuration", "business/aws/aws-privatelink/connect-to-services" ] }, - "business/aws/onboard-in-vpc", + "business/aws/onboarding-in-vpc", "business/aws/x-dedicated-instance-privatelink" ] }, @@ -377,21 +377,21 @@ "business/azure/overview", { "group": "Onboarding Dedicated Instance + Azure Private Link", "pages": [ - "business/azure/azure-privatelink/preparing", + "business/azure/azure-privatelink/onboarding-di-pl", "business/azure/azure-privatelink/connector-support", "business/azure/azure-privatelink/connect-to-platform", "business/azure/azure-privatelink/dns-privatelink", "business/azure/azure-privatelink/connect-to-services" ] }, - "business/azure/onboard-in-vpc" + "business/azure/onboarding-in-vpc" ] }, { "group": "Google Cloud Platform (GCP)", "pages": [ "business/gcp/overview", - "business/gcp/onboard" + "business/gcp/onboarding-in-vpc" ] } ] From 842349208ddc7b7d8eb16e12147fb34a33a04b5d Mon Sep 17 00:00:00 2001 
From: monica-unstructured Date: Thu, 26 Mar 2026 00:43:30 -0400 Subject: [PATCH 24/29] More AI improvements added. --- .../aws-privatelink/connect-to-platform.mdx | 21 ++++++++- .../aws-privatelink/connect-to-services.mdx | 9 ++-- .../aws-privatelink/dns-configuration-v2.mdx | 45 ------------------- .../aws/aws-privatelink/dns-configuration.mdx | 18 +++++++- .../aws/aws-privatelink/onboarding-di-pl.mdx | 2 +- .../azure-privatelink/connect-to-platform.mdx | 23 +++++++++- .../azure-privatelink/connect-to-services.mdx | 5 ++- .../azure-privatelink/dns-privatelink.mdx | 15 +++++++ business/azure/overview.mdx | 16 +++---- 9 files changed, 87 insertions(+), 67 deletions(-) delete mode 100644 business/aws/aws-privatelink/dns-configuration-v2.mdx diff --git a/business/aws/aws-privatelink/connect-to-platform.mdx b/business/aws/aws-privatelink/connect-to-platform.mdx index ffbfb77d..d028f62a 100644 --- a/business/aws/aws-privatelink/connect-to-platform.mdx +++ b/business/aws/aws-privatelink/connect-to-platform.mdx 
@@ -4,8 +4,27 @@ sidebarTitle: Connecting to the Unstructured Platform --- This section outlines the information required for your applications to access the Unstructured Platform (UI and API). +### Goal -??QUESTION: What exactly does the ORDER column indicate? Looks like two sets of rows, and within those order can be simultaneous. Would like to understand context in case I need to clarify in the doc. Thanks! +Create and configure the AWS networking components required for Customer applications to access the Unstructured Platform (UI and API) over AWS PrivateLink. + +### To complete this task + +- **Unstructured** provides the VPC endpoint service name and the AWS Region where the service is hosted. +- **Customer** provides the AWS account, Region, and VPC details needed for setup, and creates the interface VPC endpoint in the Customer VPC. + +### References + +- [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) - Use this to create the interface VPC endpoint that connects your VPC to the Unstructured endpoint service. +- [Configure an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html) - Use this to review endpoint configuration details, including private DNS behavior and endpoint settings. + +### Required AWS identifier information + +The following table lists the information required to configure access to the Unstructured Platform over AWS PrivateLink. + + +The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. + | Order | Information Required | Description | Example | Provided by | | --- | --- | --- | --- | --- | diff --git a/business/aws/aws-privatelink/connect-to-services.mdx b/business/aws/aws-privatelink/connect-to-services.mdx index 0f546f3b..7b31bf23 100644 --- a/business/aws/aws-privatelink/connect-to-services.mdx 
+++ b/business/aws/aws-privatelink/connect-to-services.mdx @@ -3,15 +3,12 @@ title: Connecting to your AWS services sidebarTitle: Connecting to your AWS services --- -This topic covers the required information to enable your Dedicated Instance to connect to AWS services in your VPC. There are multiple situations that may require different configurations. - -* AWS PrivateLink -* Native PrivateLink -* Customer managed AWS services -* AWS services that require a Network Load Balancer (NLB) front end +This section describes the AWS service information required for your Dedicated Instance to reach AWS services in your VPC. The sections below cover **AWS managed services**, **AWS Managed Services with native PrivateLink**, and **Customer Managed Services (AWS) or AWS Services with NLB**. ## AWS managed services +This section covers AWS-managed services that Unstructured can access using AWS-native private networking features, without requiring you to create a customer-managed endpoint service or Network Load Balancer. + ### AWS S3 (Gateway Endpoint) diff --git a/business/aws/aws-privatelink/dns-configuration-v2.mdx b/business/aws/aws-privatelink/dns-configuration-v2.mdx deleted file mode 100644 index 21d978f3..00000000 --- a/business/aws/aws-privatelink/dns-configuration-v2.mdx +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: DNS configuration for PrivateLink access -sidebarTitle: DNS configuration ---- - -dd -## DNS Configuration for PrivateLink Access - -### Why this matters -PrivateLink establishes a private network path between VPCs, but DNS determines how clients resolve and reach that path. Configuring DNS correctly ensures that service requests resolve to the private endpoint, remain within your network boundaries, and successfully complete TLS validation using the expected hostname. Misconfigured DNS can result in failed connections or traffic being routed outside the intended private path. - - -PrivateLink connectivity may be correctly configured, but if DNS still resolves the service hostname to a public endpoint, traffic will bypass PrivateLink. This can lead to failed connections (for private-only services) or unintended public network access. - - - -From within your VPC, use tools such as nslookup or dig to resolve the service hostname and confirm it returns private IP addresses associated with your Interface VPC Endpoint. - - ---- - -### How PrivateLink and DNS Work Together - -```mermaid -flowchart LR - subgraph Customer_VPC[Customer VPC] - A[Client Application] - D[Route 53 / VPC DNS Resolver] - E[Interface VPC Endpoint ENI
Private IP] - end - - subgraph PrivateLink[AWS PrivateLink] - B[Interface VPC Endpoint] - end - - subgraph Vendor_VPC[Vendor VPC] - C[Network Load Balancer] - F[Service Application] - end - - A -->|1. Resolve service hostname| D - D -->|2. Return private IP for endpoint| E - A -->|3. Connect using service hostname
TLS hostname validation / SNI| B - B --> C - C --> F diff --git a/business/aws/aws-privatelink/dns-configuration.mdx b/business/aws/aws-privatelink/dns-configuration.mdx index a6acdd6a..5ac22d69 100644 --- a/business/aws/aws-privatelink/dns-configuration.mdx +++ b/business/aws/aws-privatelink/dns-configuration.mdx 
@@ -5,14 +5,28 @@ sidebarTitle: DNS configuration To access the Dedicated Instance over PrivateLink, DNS must be configured so the service hostname resolves to the private IPs of the VPC Endpoint. Clients must connect using the exact service hostname provided, because TLS is terminated using a provider-managed certificate. -**Option 1: Enable Private DNS on the VPC Endpoint (Recommended)** +### Goal + +Configure AWS DNS so the Unstructured service hostname resolves to the private IP addresses of your interface VPC endpoint. + +### To complete this task + +- **Unstructured** provides the service hostname for the Unstructured Platform. +- **Customer** configures DNS in AWS so that the service hostname resolves to the private IP addresses of the interface VPC endpoint. + +### References + +- [Configure an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html) - Use this to review how private DNS works on interface VPC endpoints and when to enable it. +- [Working with private hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) - Use this to manually configure Route 53 private hosted zones and records when private DNS is not enabled on the endpoint. + +### Option 1: Enable Private DNS on the VPC Endpoint (Recommended) If your VPC uses Route 53 for DNS resolution, enable Private DNS on the Interface VPC Endpoint. When Private DNS is enabled: - Route 53 automatically creates DNS records for the service hostname. - The hostname resolves to the private IPs of the VPC Endpoint. - No manual hosted zone or records are required. -**Option 2: Manually Manage DNS Using a Private Hosted Zone** +### Option 2: Manually Manage DNS Using a Private Hosted Zone If Private DNS cannot be enabled, configure DNS manually using Route 53: diff --git a/business/aws/aws-privatelink/onboarding-di-pl.mdx b/business/aws/aws-privatelink/onboarding-di-pl.mdx index df1afdad..ea47dd63 100644 
--- a/business/aws/aws-privatelink/onboarding-di-pl.mdx +++ b/business/aws/aws-privatelink/onboarding-di-pl.mdx @@ -42,7 +42,7 @@ This onboarding workflow covers two connectivity paths: | 5 | Customer | Share the endpoint service name and supported Availability Zones with Unstructured. | | 6 | Unstructured | Configure connectivity from the Unstructured-managed environment to the Customer-managed AWS service. | | 7 | Customer | Accept the endpoint connection request from Unstructured. | -| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform. | +| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform. See [Connecting to the Unstructured Platform (UI and API)](/business/aws/aws-privatelink/connect-to-platform) for the required platform access details. | ## Detailed onboarding steps Use the following steps to prepare the deployment and configure AWS PrivateLink connectivity. diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx index b62c4e7d..0f4f9bb5 100644 --- a/business/azure/azure-privatelink/connect-to-platform.mdx +++ b/business/azure/azure-privatelink/connect-to-platform.mdx 
@@ -4,8 +4,29 @@ sidebarTitle: Connecting to the Unstructured Platform --- This section outlines the information required for your applications to access the Unstructured Platform (UI and API). +### Goal -??QUESTION: What exactly does the ORDER column indicate? Looks like two sets of rows, and within those order can be simultaneous. Would like to understand context in case I need to clarify in the doc. Thanks! +Create and configure the Azure networking components required for Customer applications to access the Unstructured Platform (UI and API) over Azure Private Link. + +### To complete this task + +- **Unstructured** provides the Private Link service resource ID, alias, and Azure Region where the service is hosted. +- **Customer** provides the Azure subscription, Region, virtual network, subnet, and resource group details needed for setup, and creates the private endpoint in the Customer virtual network (VNet). + +### References + +- [Quickstart: Create a private endpoint - Azure portal](https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip) - Use this to create the private endpoint in your virtual network for access to the Unstructured Private Link service. +- [Manage Azure private endpoints](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint) - Use this to review private endpoint connection states and management options, including approval workflows. +- [Approve private endpoint connections across subscriptions](https://learn.microsoft.com/en-us/azure/private-link/how-to-approve-private-link-cross-subscription) - Use this if the private endpoint approval flow spans separate Azure subscriptions. + + +### Required Azure identifier information + +The following table lists the information required to configure access to the Unstructured Platform over Azure Private Link. + + +The **Order** column indicates the general sequence for the information exchange. 
Items with the same order value can usually be provided at the same stage. + | Order | Information Required | Description | Example | Provided by | diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index e4d855c5..2e6b220a 100644 --- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx @@ -3,11 +3,12 @@ title: Connecting to your Azure services sidebarTitle: Connecting to your Azure services --- -This section covers setting up connectivity from Unstructured to an Azure service, specifically what to provide so your Dedicated Instance can reach Azure data sources and APIs over Private Link or private endpoints. The sections below map to **Azure managed services** and **customer-managed workloads** exposed via a Private Link service and Standard Load Balancer. - +This section describes the Azure service information required for your Dedicated Instance to reach Azure data sources and APIs over Private Link or private endpoints. The sections below cover **Azure managed services** and **customer-managed workloads** exposed through a **Private Link service** and **Azure Standard Load Balancer**. ## Azure managed services +This section covers Azure-managed services that have service-specific private connectivity requirements. Unlike the later **Azure Managed Services** with **private endpoint access** section, these services require service-specific configuration details or additional access controls. It does not cover **Customer-managed services** exposed through a **Private Link service**. + ### Azure Blob Storage This applies to Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2). diff --git a/business/azure/azure-privatelink/dns-privatelink.mdx b/business/azure/azure-privatelink/dns-privatelink.mdx index bec88ba9..ec55b234 100644 --- a/business/azure/azure-privatelink/dns-privatelink.mdx 
+++ b/business/azure/azure-privatelink/dns-privatelink.mdx @@ -6,6 +6,21 @@ sidebarTitle: DNS for Private Link To access the dedicated instance over Azure Private Link, you must configure DNS so the service hostname resolves to your private endpoint's private IP address. +### Goal + +Configure Azure DNS so the Unstructured service hostname resolves to the private IP address of your private endpoint. + +### To complete this task + +- **Unstructured** provides the service hostname for the Unstructured Platform. +- **Customer** configures Azure DNS so that the service hostname resolves to the private IP address of the private endpoint. + +### References + +- [Azure Private Endpoint private DNS zone values](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) - Use this to identify the recommended private DNS zone pattern for private endpoint name resolution. +- [Azure Private Endpoint DNS Integration Scenarios](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration) - Use this to understand how private DNS resolution works across VNets, peered networks, and hybrid environments. +- [What is a virtual network link subresource of Azure DNS private zones](https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links) - Use this to link your private DNS zone to the VNets that need to resolve the service hostname. + Because TLS is terminated using a provider-managed certificate, clients must connect using the exact service hostname provided. However, DNS resolution must direct that hostname to a private IP inside your network, as follows: diff --git a/business/azure/overview.mdx b/business/azure/overview.mdx index 5117a471..9a6e6248 100644 --- a/business/azure/overview.mdx +++ b/business/azure/overview.mdx 
@@ -3,13 +3,6 @@ title: Unstructured Business in-VPC on Azure - overview sidebarTitle: Overview --- - - The following information applies only to in-VPC deployments of [Unstructured Business](/business/overview). - - For dedicated instance deployments of Unstructured Business, contact your Unstructured sales representative, - or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). - - ## Getting started To get started with a **Business** account deployment, your organization must first sign a **Business** account agreement with Unstructured. @@ -18,8 +11,13 @@ This agreement outlines the terms and conditions for your organization to use Un To begin the **Business** account agreement process, contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). After your organization has signed the **Business** account agreement, a member of the Unstructured technical enablement team will reach out to you to begin the -deployment onboarding process. To streamline this process, you are encouraged to begin setting up your target environment as soon as possible. To do this, -see the [onboarding checklist](/business/azure/onboarding-in-vpc). +deployment onboarding process. + +While you wait, you can get started by following the onboarding checklist for your deployment type, if it applies to you: + +- For in-VPC deployments, follow [onboarding in-VPC on Azure](/business/azure/onboarding-in-vpc). + +- For dedicated instance deployments with Azure Private Link, follow [onboarding a dedicated instance](/business/azure/azure-privatelink/onboarding-di-pl). ## Questions? Need help? From 6bd7d95418cd4e8dacc61c31e9768ff70b235fdb Mon Sep 17 00:00:00 2001 
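Review bot: In the dns-configuration.mdx hunk, Option 1 is gated on "If your VPC uses Route 53 for DNS resolution" but never states the VPC-level prerequisites for private DNS on an interface endpoint; add a sentence that the VPC must have DNS resolution and DNS hostnames enabled (the `enableDnsSupport` and `enableDnsHostnames` VPC attributes), otherwise Route 53 never creates the records, the hostname does not resolve to the endpoint's private IPs, and clients cannot connect using the exact hostname that the TLS sentence at the top of the page makes mandatory.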
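Review bot: In the connect-to-platform.mdx hunk, the added sentence "Items with the same order value can usually be provided at the same stage" keeps exactly the ambiguity the deleted "??QUESTION" comment was asking about; either state the rule definitively ("can be provided at the same stage") or drop the hedge, since a reader cannot act on "usually". The runs of two blank lines before "### Required Azure identifier information" and before the "Order" paragraph should also be collapsed to one, matching the rest of the page.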
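Review bot: In the connect-to-services.mdx hunk, the new paragraph under "## Azure managed services" refers to "the later **Azure Managed Services** with **private endpoint access** section" and to "**Customer-managed services**" with capitalization that does not match the lowercase heading it sits under; use the exact heading text so the forward reference is unambiguous. The hunk also removes the blank line between the rewritten intro paragraph and "## Azure managed services"; restore it so the heading is separated from the paragraph like the others on the page.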
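Review bot: In the dns-privatelink.mdx hunk, the new "### Goal" restates the page's opening sentence almost verbatim ("configure DNS so the service hostname resolves to your private endpoint's private IP address" vs "Configure Azure DNS so the Unstructured service hostname resolves to the private IP address of your private endpoint"); fold one into the other. The first References bullet points at the Azure private DNS zone values page, which lists zones for Azure PaaS resources, but the hostname here is provided by Unstructured; say explicitly which private DNS zone or record the Customer creates for that hostname, since the TLS sentence that follows makes the exact name mandatory.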
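Review bot: In the azure/overview.mdx hunk, the deletion leaves the frontmatter terminator "---" immediately followed by "## Getting started" with no blank line between them; keep one blank line so the heading is parsed cleanly. The new lead sentence's "if it applies to you" is also vague; the two bullets already name each deployment type, so the qualifier can go.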
From: monica-unstructured Date: Thu, 26 Mar 2026 02:53:55 -0400 Subject: [PATCH 25/29] Add image in architecture. More AI edits. --- .../aws/aws-privatelink/connector-support.mdx | 31 +++--- .../aws/aws-privatelink/onboarding-di-pl.mdx | 27 +++-- business/aws/overview.mdx | 11 +- .../aws/x-dedicated-instance-privatelink.mdx | 58 ----------- business/dedicated-instances/architecture.mdx | 20 ++-- business/dedicated-instances/overview.mdx | 35 ++++--- business/dedicated-instances/requirements.mdx | 41 ++++---- .../security/security-faq.mdx | 96 ++++++++++-------- .../security/security-model.mdx | 59 +++++------ .../security/shared-responsibility-model.mdx | 40 ++++---- docs.json | 3 +- .../components-in-pl-cusomter-unstruc.png | Bin 0 -> 29039 bytes 12 files changed, 191 insertions(+), 230 deletions(-) delete mode 100644 business/aws/x-dedicated-instance-privatelink.mdx create mode 100644 img/architecture/components-in-pl-cusomter-unstruc.png diff --git a/business/aws/aws-privatelink/connector-support.mdx b/business/aws/aws-privatelink/connector-support.mdx index 44fbbf6d..5dfb0864 100644 --- a/business/aws/aws-privatelink/connector-support.mdx +++ b/business/aws/aws-privatelink/connector-support.mdx 
@@ -3,26 +3,23 @@ title: Connector support for AWS PrivateLink sidebarTitle: Connector support --- -The following table provides a list of connectors to AWS services and includes the following information for each: +The following table summarizes connector support for private connectivity on AWS. For each connector, it shows: -- Whether the connector supports AWS PrivateLink +- Whether private connectivity is supported - Which AWS components are involved -- A reference for detailed configuration information +- Where to find detailed configuration information -| Connector | PrivateLink Supported | Approach | Configuration information | +| Connector | Private connectivity supported | Approach | Configuration details | | --- | :---: | --- | --- | -| **Customer → Unstructured (UI/API)** | ✅ | Interface VPC Endpoint | [Link](/business/aws/aws-privatelink/connect-to-platform) | -| **AWS S3** | ✅ | Gateway Endpoint | [Link](/business/aws/aws-privatelink/connect-to-services#aws-s3-gateway-endpoint) | -| **AWS Bedrock** (VLM) | ✅ | Interface VPC Endpoint (Unstructured side) | [Link](/business/aws/aws-privatelink/connect-to-services#aws-bedrock) | -| **AWS OpenSearch Service** | ✅ | Interface VPC Endpoint | [Link](/business/aws/aws-privatelink/connect-to-services#aws-opensearch-service) | +| **Customer → Unstructured (UI/API)** | ✅ | Interface VPC endpoint | [Link](/business/aws/aws-privatelink/connect-to-platform) | +| **AWS S3** | ✅ | Gateway endpoint | [Link](/business/aws/aws-privatelink/connect-to-services#aws-s3-gateway-endpoint) | +| **AWS Bedrock** (VLM) | ✅ | Interface VPC endpoint on the Unstructured side | [Link](/business/aws/aws-privatelink/connect-to-services#aws-bedrock) | +| **AWS OpenSearch Service** | ✅ | Interface VPC endpoint | [Link](/business/aws/aws-privatelink/connect-to-services#aws-opensearch-service) | | **AWS OpenSearch Serverless** | ✅ | VPC Endpoint + Data Access Policy | 
[Link](/business/aws/aws-privatelink/connect-to-services#aws-opensearch-serverless) | -| **AWS MSK (Kafka)** | ✅ | Multi-VPC Connectivity (MSK native) | [Link](/business/aws/aws-privatelink/connect-to-services#aws-msk-kafka) | -| **AWS RDS / PostgreSQL** | ✅ | NLB-backed Endpoint Service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | +| **AWS MSK (Kafka)** | ✅ | Multi-VPC Connectivity (native MSK support) | [Link](/business/aws/aws-privatelink/connect-to-services#aws-msk-kafka) | +| **AWS RDS / PostgreSQL** | ✅ | NLB-backed endpoint service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | | **Databricks on AWS** | ✅ | Databricks PrivateLink | [Link](/business/aws/aws-privatelink/connect-to-services#aws-databricks) | -| **Elasticsearch (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | -| **MongoDB (self-hosted on AWS)** | ✅ | NLB-backed Endpoint Service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | -| **Box, Confluence, Dropbox, Google Drive, Jira, OneDrive, Outlook, Salesforce, SharePoint, Slack, Zendesk** | ❌ | SaaS — requires public egress | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | -| **Google Cloud Storage** | ❌ | Cross-cloud not supported | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | -| **Snowflake (multi-cloud/SaaS)** | Varies | Native if on AWS; public egress otherwise | [Link](/business/aws/aws-privatelink/connect-to-services#snowflake-on-aws) | - -??Question: Do we omit all of the Snowflake section or mention any limitations? 
\ No newline at end of file +| **Elasticsearch (self-hosted on AWS)** | ✅ | NLB-backed endpoint service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | +| **MongoDB (self-hosted on AWS)** | ✅ | NLB-backed endpoint service | [Link](/business/aws/aws-privatelink/connect-to-services#customer-managed-services-aws-or-aws-services-with-nlb) | +| **Box, Confluence, Dropbox, Google Drive, Jira, OneDrive, Outlook, Salesforce, SharePoint, Slack, Zendesk** | ❌ | SaaS application; requires public egress | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | +| **Google Cloud Storage** | ❌ | Cross-cloud access is not supported through AWS private connectivity | Requires [public egress](/business/dedicated-instances/security/security-model#network-access-controls) | \ No newline at end of file diff --git a/business/aws/aws-privatelink/onboarding-di-pl.mdx b/business/aws/aws-privatelink/onboarding-di-pl.mdx index ea47dd63..c141f3e0 100644 --- a/business/aws/aws-privatelink/onboarding-di-pl.mdx +++ b/business/aws/aws-privatelink/onboarding-di-pl.mdx 
@@ -4,13 +4,13 @@ sidebarTitle: Onboarding --- - The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. + The following information applies only to dedicated instance deployments with AWS PrivateLink for [Unstructured Business](/business/overview) on AWS. - For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, + For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). -After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. +After your organization signs the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to begin the **deployment onboarding process**. The next steps are to provision the required environment resources and, optionally, establish private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: 
@@ -23,9 +23,10 @@ Times are subject to Customer infrastructure team availability. More complex int ## References to help you onboard The following references can provide background or more detail to help you onboard: -* [Dedicated instance concepts](/business/dedicated-instances/overview) -* [Create an endpoint service powered by AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) -* [Configure an AWS PrivateLink endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) + +- [Dedicated instance concepts](/business/dedicated-instances/overview) +- [Create an endpoint service powered by AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) +- [Configure an AWS PrivateLink endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) ## High-level onboarding process This onboarding workflow covers two connectivity paths: 
@@ -107,13 +108,23 @@ For example: `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc` [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service) -### Step 6: Accept the endpoint connection request -After Unstructured configures connectivity from the Unstructured-managed environment to your AWS-hosted service, Unstructured sends an endpoint connection request. +### Step 6: Unstructured configures connectivity to the Customer-managed service +After you share the endpoint service details, Unstructured configures connectivity from the Unstructured-managed environment to the Customer-managed AWS service. + +No action is required from the Customer during this step unless Unstructured requests clarification. + +### Step 7: Accept the endpoint connection request +After Unstructured completes the configuration, Unstructured sends an endpoint connection request. Accept the endpoint connection request as soon as possible to avoid delays in the deployment process. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests) +### Step 8: Complete deployment and enable platform access +After the private connectivity steps are complete, Unstructured finishes the Dedicated Instance deployment and enables Customer access to the Unstructured platform UI and API. + +For the required platform access details, see [Connecting to the Unstructured Platform (UI and API)](/business/aws/aws-privatelink/connect-to-platform). + ## Questions? Need help? If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. If you do not know who they are, email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams will get back to you as soon as possible. \ No newline at end of file 
diff --git a/business/aws/overview.mdx b/business/aws/overview.mdx index aa50eddb..dfea3e6f 100644 --- a/business/aws/overview.mdx +++ b/business/aws/overview.mdx 
@@ -5,21 +5,18 @@ sidebarTitle: Overview ## Getting started -To get started with a **Business** account deployment, your organization must first sign a **Business** account agreement with Unstructured. -This agreement outlines the terms and conditions for your organization to use Unstructured. +To get started with a **Business** account deployment, your organization must first sign a **Business** account agreement with Unstructured. This agreement outlines the terms and conditions for your organization's use of Unstructured. To begin the **Business** account agreement process, contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). -After your organization has signed the **Business** account agreement, a member of the Unstructured technical enablement team will reach out to you to begin the -deployment onboarding process. +After your organization signs the **Business** account agreement, a member of the Unstructured technical enablement team will reach out to begin the deployment onboarding process. While you wait, you can get started by following the onboarding checklist for your deployment type, if it applies to you: -- For in-VPC deployents, follow [onboarding in-VPC on AWS](/business/aws/onboarding-in-vpc). +- For in-VPC deployments, follow [onboarding in-VPC on AWS](/business/aws/onboarding-in-vpc). - For dedicated instance deployments with AWS PrivateLink, follow [onboarding a dedicated instance](/business/aws/aws-privatelink/onboarding-di-pl). ## Questions? Need help? -Contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or support teams -will get back to you as soon as possible. 
\ No newline at end of file +Contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or support team will get back to you as soon as possible. \ No newline at end of file diff --git a/business/aws/x-dedicated-instance-privatelink.mdx b/business/aws/x-dedicated-instance-privatelink.mdx deleted file mode 100644 index f21bc0b8..00000000 --- a/business/aws/x-dedicated-instance-privatelink.mdx +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -title: (TO BE ARCHIVED)- Unstructured Business dedicated instance on Amazon Web Services (AWS) with PrivateLink - onboarding -sidebarTitle: (TO BE ARCHIVED) Dedicated instance + PrivateLink onboarding ---- - -!!WRITER COMMENT: This content will be removed before publish. Keeping it around for Review reference. - - - The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. - - For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, - or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). - - For in-VPC deployments of Unstructured Business to AWS instead, see the [AWS in-VPC onboarding](/business/aws/onboard) checklist. - - -After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the -deployment onboarding process. While you wait, you can get started by following the onboarding process: - -1. Provide your Unstructured sales representative or technical enablement contact with the AWS Region name - where you want the dedicated instance deployment to be created. Unstructured will begin creating the dedicated instance deployment in that AWS Region. - - - If you do not know who your Unstructured sales representative or technical enablement contact is, - email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams - will get back to you as soon as possible. - - - Unstructured supports only the following AWS Regions for dedicated instance deployments: - - | Name | Code | - | --- | --- | - | `us-east-1` | US East (N. 
Virginia) | - | `us-east-2` | US East(Ohio) | - | `us-west-2` | US West(Oregon) | - | `eu-west-1` | Europoe (Ireland) | - | `eu-north-1` | Europe (Stockholm) | - | `eu-central-1` | Europe (Frankfurt) | - | `ap-southeast-2` | Asia Pacific (Sydney) | - | `ap-south-1` | Asia Pacific (Mumbai) | - | `ap-northeast-2` |Asia Pacific (Seoul) | - -2. In your AWS account, create an endpoint service powered by AWS PrivateLink. Be sure when creating the endpoint service to use the same AWS Region name that you provided to Unstructured. - [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). (In AWS terminology, this makes you the _service provider_ and - Unstructured the _service consumer_.) -3. As the service provider, you must provide your Unstructured sales representative or technical enablement contact (as the service consumer) with the name of your endpoint service - (for example, `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc`) and the supported Availability Zones for that endpoint service, for the AWS Region - name that you provided to Unstructured earlier. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service). -4. As the service consumer, Unstructured will create a related endpoint service in its own AWS account in the same AWS Region as your AWS account. Unstructured will then send you an endpoint connection request to - complete the connection between its endpoint service (as the service consumer) and your endpoint service (as the service provider). - You must accept Unstructured's endpoint connection request as soon as possible, to avoid delays in the deployment process. - [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). - -## Questions? Need help? - -If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. 
If you do not know who they are, -email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams -will get back to you as soon as possible. \ No newline at end of file diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index e7852f48..0902c779 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx @@ -6,21 +6,21 @@ title: Architecture This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link.
-Your **Dedicated Instance** is an isolated Unstructured deployment. You use private connectivity with your cloud provider so traffic between you and Unstructured stays on private network paths, not the public internet. +A **Dedicated Instance** is an isolated Unstructured deployment. When private connectivity is enabled, traffic between the Customer environment and Unstructured stays on private network paths instead of traversing the public internet. -## Private connectivity by CSP +![Private connectivity traffic directions](/img/architecture/components-in-pl-cusomter-unstruc.png) -**AWS private connectivity** uses AWS PrivateLink interface endpoints to connect your VPC to the Unstructured private network without traversing the public internet. +## Private connectivity by cloud provider -**Azure private connectivity** uses Azure Private Link to connect your VNet to the Unstructured private network with your traffic staying on the Microsoft backbone instead of the public internet. +**AWS private connectivity** uses AWS PrivateLink interface endpoints to connect the Customer VPC to the Unstructured private network without traversing the public internet. -## Traffic directions - -Private connectivity runs in two directions, and you can configure either direction on its own: +**Azure private connectivity** uses Azure Private Link to connect the Customer VNet to the Unstructured private network while keeping traffic on the Microsoft backbone instead of the public internet. -- **You → Unstructured** — You access the Unstructured UI and API through a private endpoint in your VPC or VNet. -- **Unstructured → you** — Unstructured reaches your data sources (for example S3 buckets, databases, and vector stores) through private endpoints in the Unstructured VPC or VNet. +## Traffic directions -If you enforce strict outbound controls, configure both directions so private access works end to end. 
+Private connectivity can be configured in one or both directions: +- **Customer → Unstructured** — Customer users and applications access the Unstructured UI and API through private endpoints in the Customer VPC or VNet. +- **Unstructured → Customer** — Unstructured accesses Customer data sources, such as S3 buckets, databases, and vector stores, through private endpoints in the Unstructured VPC or VNet. +If you enforce strict outbound controls, configure both directions so traffic remains private end to end. diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 9cf59fea..16a1cffd 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
@@ -3,39 +3,42 @@ title: Dedicated Instance concepts sidebarTitle: Overview --- -A Dedicated Instance is a privately isolated deployment that Unstructured hosts for organizations that need stronger network boundaries, data isolation, and compliance controls. With cloud-native infrastructure and private networking, Unstructured connects to your sources and processes your data while it stays inside your trusted environment. +A Dedicated Instance is a private, isolated deployment hosted by Unstructured for organizations that require stronger network boundaries, data isolation, and compliance controls. Using cloud-native infrastructure and private networking, Unstructured connects to your sources and processes your data within your trusted environment. -Use this overview to help teams across your organization evaluate, secure, and implement your own Dedicated Instance in the Unstructured platform. +Use this section to help your teams evaluate, secure, and implement a Dedicated Instance in the Unstructured platform. -This overview covers: +This section covers: -* How Dedicated Instances meet stricter security and compliance expectations. -* High-level benefits and trade-offs. -* Technical requirements for integrating your Dedicated Instance with your cloud platform. +* How Dedicated Instances support stricter security and compliance requirements. +* Key benefits and trade-offs. +* Technical requirements for integrating with your cloud platform. ## Cloud service provider (CSP) support -Unstructured supports Dedicated Instances for integration with Amazon Web Services (AWS) and Microsoft Azure (Azure). This topic provides information for both of these cloud service providers. For specific and detailed onboarding information about each provider see: +Unstructured supports Dedicated Instances on Amazon Web Services (AWS) and Microsoft Azure (Azure). This section includes information for both cloud providers. 
+ +For provider-specific onboarding guidance, see: * AWS — [Onboarding your Dedicated Instance + AWS PrivateLink](/business/aws/aws-privatelink/onboarding-di-pl) * Azure — [Onboarding your Dedicated Instance + Azure Private Link](/business/azure/azure-privatelink/onboarding-di-pl) -This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. +This section uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. -## Private connectivity for your Dedicated Instance ## +## Private connectivity for your Dedicated Instance + +Both AWS and Azure let you privately connect your Virtual Private Cloud (VPC) or Virtual Network (VNet) to your Dedicated Instance on the Unstructured platform without traversing the public internet. -Both AWS and Azure allow you to privately connect your Virtual Private Cloud (VPC in AWS) or Virtual Network (Vnet in Azure) to your Dedicated Instance on the Unstructured platform without traversing the public internet. -Network filtering lets you fully block incoming and outgoing traffic to the public internet or limit it to specific IP addresses or CIDR ranges. +Network filtering lets you block inbound and outbound internet traffic entirely or restrict it to specific IP addresses or CIDR ranges. **Benefits** -- **Eliminate public exposure** - Traffic between your VPC/VNet and Unstructured can avoid the public internet and instead traverse cloud-provider private networking. -- **Stronger network isolation for sensitive workloads** - Meet your internal security requirements and compliance where *private network access* is preferred or mandated. -- **Simpler enterprise network integration** - Works well with existing private connectivity patterns (VPC/VNet isolation, VPN/DirectConnect/ExpressRoute to corporate on-prem networks). 
-- **Control and visibility** - Private endpoints and private DNS enable you to manage where traffic flows, enforce access policies at the network level, and give you visibility into traffic paths and access patterns. +- **Eliminate public exposure** - Traffic between your VPC or VNet and Unstructured stays on cloud-provider private networking instead of the public internet. +- **Stronger network isolation for sensitive workloads** - Support internal security and compliance requirements where private network access is preferred or required. +- **Simpler enterprise network integration** - Align with existing private connectivity patterns, including VPC or VNet isolation and private connectivity to on-premises networks. +- **Control and visibility** - Use private endpoints and private DNS to control traffic flow, enforce network-level access policies, and improve visibility into traffic paths and access patterns. - A Dedicated Instance is a **regional service**. It runs entirely in a single cloud region. Plan for data residency, failover design, and latency with that constraint in mind. Unstructured supports cross-region PrivateLink, but we do not recommend it because of the added data transfer costs. +A Dedicated Instance is a regional service. It runs entirely in a single cloud region. Plan for data residency, failover design, and latency accordingly. Unstructured supports cross-region PrivateLink, but does not recommend it because of the additional data transfer costs. diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx index 304c6e39..1c1e5f7a 100644 --- a/business/dedicated-instances/requirements.mdx +++ b/business/dedicated-instances/requirements.mdx @@ -6,21 +6,21 @@ title: Requirements and Limitations This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link.
-Dedicated Instances rely on cloud provider private networking features and therefore require certain baseline infrastructure components to ensure a secure and successful deployment. +Dedicated Instances rely on cloud-provider private networking features and require baseline infrastructure components for a secure and successful deployment. -This section outlines the key requirements customers must meet, as well as known limitations that may affect implementation decisions. Understanding these constraints early helps reduce onboarding delays and ensures alignment across security, platform, and engineering teams. +This page outlines the key requirements that Customers must meet, along with known limitations that can affect implementation decisions. Understanding these constraints early helps reduce onboarding delays and align security, platform, and engineering teams. -### Cloud provider and Region support +### Cloud provider and region support -| Cloud Provider | Availability | +| Cloud provider | Availability | | --- | --- | -| Amazon Web Services (AWS) | General Availability | -| Microsoft Azure (Azure)| General Availability | +| Amazon Web Services (AWS) | General availability | +| Microsoft Azure | General availability | | Google Cloud Platform (GCP) | Not currently supported | -**AWS Supported Regions** +**Supported AWS Regions** -| Region Name | Region Code | +| Region name | Region code | | --- | --- | | US East (N. Virginia) | `us-east-1` | | US East (Ohio) | `us-east-2` | 
@@ -32,39 +32,40 @@ This section outlines the key requirements customers must meet, as well as known | Asia Pacific (Mumbai) | `ap-south-1` | | Asia Pacific (Seoul) | `ap-northeast-2` | -If your required region is not listed above, contact your Unstructured account representative. +If your required AWS Region is not listed, contact your Unstructured account representative. -**Azure Supported Regions** +**Supported Azure Regions** -Contact your Unstructured account representative for the current list of supported Azure regions. +Contact your Unstructured account representative for the current list of supported Azure Regions. ### Requirements **AWS requirements:** - VPC with private subnets -- Network Load Balancer (for connections into Customer environment) +- Network Load Balancer for connections into the Customer environment - IAM permissions to create VPC endpoints, security groups, and Route 53 records **Azure requirements:** -- Virtual Network with subnets configured for private endpoints +- Virtual network with subnets configured for private endpoints - Private endpoint network policies disabled on target subnets -- Standard Load Balancer (for connections into Customer environment) +- Standard Load Balancer for connections into the Customer environment ### DNS requirements Private connectivity requires DNS configuration to route traffic through private endpoints: -- AWS: Route 53 Private Hosted Zone (and on-premise DNS forwarding if needed) -- Azure: Azure Private DNS Zone linked to your VNet -- CNAME records pointing to the private endpoint -The DNS name will be provided to you by Unstructured, in the form `.privatelink.unstructuredapp.io`. +- **AWS:** Route 53 Private Hosted Zone, and on-premises DNS forwarding if needed +- **Azure:** Azure Private DNS Zone linked to the Customer VNet +- **Both:** CNAME records that point to the private endpoint + +Unstructured provides the DNS name in the format `.privatelink.unstructuredapp.io`. 
### Known limitations | Limitation | Notes | | --- | --- | -| Cross-Region private connectivity | Supported but incurs additional data transfer costs. Not recommended. | -| Cross-CSP private connectivity | Not supported (e.g., AWS to Azure) | +| Cross-Region private connectivity | Supported but incurs additional data transfer costs. Not recommended. | +| Cross-CSP private connectivity | Not supported, for example AWS to Azure | | VPC Peering | Not supported as an alternative to private connectivity | diff --git a/business/dedicated-instances/security/security-faq.mdx b/business/dedicated-instances/security/security-faq.mdx index e563b0e6..bc8fe5f9 100644 --- a/business/dedicated-instances/security/security-faq.mdx +++ b/business/dedicated-instances/security/security-faq.mdx @@ -6,45 +6,57 @@ title: Security FAQ This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link.
- -**Is my Dedicated Instance single-tenant?** - -Yes. Each Dedicated Instance is logically isolated and single-tenant. Your instance is not shared with other customers at the application or network level. - -**Does traffic ever traverse the public internet?** - -By default, Dedicated Instances are configured with strict network controls to block public ingress and egress. When private connectivity is enabled, traffic between your environment and Unstructured flows entirely over cloud-provider private networking. Public ingress/egress can be enabled on request for specific use cases — see [Network Access Controls](about:blank#network-access-controls). - -**Is data encrypted?** - -Yes. Data is encrypted in the following cases: -- **In transit:** All traffic uses TLS 1.2 or higher. -- **Internally:** Mutual TLS (mTLS) is used between platform services. -- **Cloud storage:** Encryption policies are enforced at the storage layer. -- **At rest:** Optional customer-managed KMS keys are available on request. - -**Can Unstructured access my data?** - -Unstructured personnel do not access customer data as part of normal operations. Access to customer data sources is explicitly configured, limited to the minimum permissions required, and governed by customer-controlled IAM, RBAC, and resource policies. Any exceptional access (e.g., for troubleshooting) follows strict internal controls and auditing. - -**Is customer data used to train models?** - -No. Customer data processed within a Dedicated Instance is not used to train models. - -**How is access to the platform controlled?** - -- Customers manage user access to the Unstructured UI and APIs. -- Network access is restricted using private endpoints, security groups, and firewall rules. -- DNS resolution is private and scoped to customer networks. 
- -**What does private connectivity protect against?** - -Private connectivity helps protect against exposure to the public internet, unintended inbound network access, and DNS-based traffic interception. Private connectivity does not protect against application-layer vulnerabilities, misconfigured IAM or RBAC policies, or compromised credentials. - -**How long is customer data retained?** - -Unstructured does not store customer data long-term. Customer artifacts are used ephemerally during workflow execution and removed upon completion or failure. Transformed data is written to the configured destination. The only data that persists in the Unstructured platform is connector and workflow configuration metadata, connector keys (stored in a secret store), and workflow execution telemetry (which does not contain file data). - -**What compliance standards does Unstructured support?** - -Unstructured maintains industry-standard security and compliance programs including HIPAA compliance architecture, ITAR-readiness with geo-blocking via AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available from our [trust portal](https://trust.unstructured.io/). + + + Yes. Each Dedicated Instance is single-tenant and logically isolated. It is not shared with other customers at the application or network level. + + + + By default, Dedicated Instances block public ingress and egress. When private connectivity is enabled, traffic between the Customer environment and Unstructured stays on cloud-provider private networking. Public ingress or egress can be enabled on request for specific use cases. For more information, see [Network access controls](/business/dedicated-instances/security/security-model#network-access-controls). + + + + Yes. Data is encrypted in the following ways: + + - **In transit:** All traffic uses TLS 1.2 or higher. + - **Internally:** Mutual TLS (mTLS) is used between platform services. 
+ - **In cloud storage:** Encryption policies are enforced at the storage layer. + - **At rest:** Customer-managed KMS keys are available as an option on request. + + + + Unstructured personnel do not access Customer data as part of normal operations. Access to Customer data sources is explicitly configured, limited to the minimum permissions required, and governed by Customer-controlled IAM, RBAC, and resource policies. Any exceptional access, such as for troubleshooting, is controlled and audited. + + + + No. Customer data processed within a Dedicated Instance is not used to train models. + + + + - Customers manage user access to the Unstructured UI and APIs. + - Network access can be restricted by using private endpoints, security groups, and firewall rules. + - DNS resolution can be kept private and scoped to Customer networks. + + + + Private connectivity helps protect against: + + - Exposure to the public internet + - Unintended inbound network access + - DNS-based traffic interception + + Private connectivity does not protect against: + + - Application-layer vulnerabilities + - Misconfigured IAM or RBAC policies + - Compromised credentials + + + + Unstructured does not store Customer data long-term. Customer artifacts are used ephemerally during workflow execution and removed upon completion or failure. Transformed data is written to the configured destination. The data that persists in the Unstructured platform is limited to connector and workflow configuration metadata, connector keys stored in a secret store, and workflow execution telemetry, which does not contain file data. + + + + Unstructured maintains industry-standard security and compliance programs, including HIPAA compliance architecture, ITAR readiness with geo-blocking through AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available in the [trust portal](https://trust.unstructured.io/). + + 
diff --git a/business/dedicated-instances/security/security-model.mdx b/business/dedicated-instances/security/security-model.mdx index 42ceb8d7..68a60f98 100644 --- a/business/dedicated-instances/security/security-model.mdx +++ b/business/dedicated-instances/security/security-model.mdx @@ -5,19 +5,19 @@ title: Security model This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link.
-Dedicated Instances use a security model that protects your data across network, infrastructure, and service layers. The architecture prioritizes data isolation, private connectivity, and controlled access so your data stays within trusted boundaries. +Dedicated Instances use a security model designed to protect your data across the network, infrastructure, and service layers. The architecture emphasizes data isolation, private connectivity, and controlled access to keep your data within trusted boundaries. This page covers private connectivity, encryption, and network access controls for Dedicated Instances. ### Encryption -All connections to Dedicated Instances use TLS 1.2 or higher for encryption in transit. +Dedicated Instances use encryption in transit across external and internal service boundaries. All supported connections use TLS 1.2 or higher. | Layer | Encryption | | --- | --- | -| API endpoints | TLS 1.2+ with certificate validation | -| Cloud storage connections (S3, Blob Storage) | TLS encryption with bucket/container policies enforcing encryption | -| Internal Service Mesh | mTLS between microservices | +| API endpoints | TLS 1.2 or higher with certificate validation | +| Cloud storage connections (S3, Blob Storage) | TLS 1.2 or higher, with bucket or container policies used to enforce encryption requirements | +| Internal service mesh | mTLS between microservices | ### Security without private connectivity (internet-facing mode) 
@@ -28,23 +28,22 @@ The following security measures and connectivity options apply: - **TLS 1.2+** for all traffic in transit. - **AWS WAF** (Web Application Firewall) provides DDoS protection, rate limiting, and optional geo-blocking for ITAR compliance. - **IP Allowlisting** - restricts Unstructured platform access to specific source IP addresses or CIDR ranges. Submit a support ticket with your IP list to enable this. -!!WRITER: check standard wording and links for submitting support ticket or reference to Customer Portal. - **Independent paths** - allow you to use the UI and API over the public internet while Unstructured uses private connectivity to reach your data sources. The two paths are configured separately. ### Security with private connectivity -When private connectivity is enabled, traffic between your environment and the Unstructured platform flows entirely over cloud provider private networking. Service endpoints resolve to private IP addresses, and no inbound access from the public internet is permitted. +When private connectivity is enabled, traffic between your environment and the Unstructured platform stays on cloud-provider private networking. Service endpoints resolve to private IP addresses, and inbound access from the public internet is blocked. ### What private connectivity does and does not protect -Private connectivity protects: +Private connectivity helps protect: * Network traffic from public internet exposure. -* Data in transit between VPCs/VNets. +* Data in transit between VPCs and VNets. * DNS resolution of service endpoints. -Private connectivity does not protect: +Private connectivity does not protect against: * Application-layer vulnerabilities. * Misconfigured Identity and Access Management (IAM) or Role-Based Access Control (RBAC) policies. 
@@ -52,12 +51,12 @@ Private connectivity does not protect: ### (Optional) Customer-managed encryption keys -By default, Unstructured manages encryption keys using the cloud provider’s key management service, AWS Key Management Service (KMS) or Azure Key Vault. Customers with strict key custody requirements can optionally bring their customer-managed keys with their cloud provider services. Contact your account representative to enable this. +By default, Unstructured manages encryption keys by using the cloud provider's native key management service: AWS Key Management Service (KMS) on AWS and Azure Key Vault on Azure. Customers with strict key custody requirements can use customer-managed keys for supported cloud services. Contact your account representative to enable this option. ### Network access controls -Network access controls govern whether traffic may use the public internet across the boundary between the Unstructured platform and your cloud environment (the VPC or VNet where your data sources and related resources run). This section explains the default rules for inbound and outbound traffic and how you can request changes when a use case requires it. +Network access controls determine whether traffic between the Unstructured platform and your cloud environment may traverse the public internet. Your cloud environment is the VPC or VNet that hosts your data sources and related resources. This section describes the default inbound and outbound traffic rules and how to request exceptions when a use case requires them. **Default configuration:** 
@@ -68,36 +67,34 @@ Network access controls govern whether traffic may use the public internet acros This default configuration provides maximum network isolation and is recommended for customers with strict compliance requirements. -**(Optional) Enabling public egress** +### (Optional) Enabling public egress -Some integrations require outbound internet access. Examples include: +Some integrations require outbound internet access, for example: - Third-party AI/ML APIs (e.g., OpenAI, Anthropic, Gemini) not hosted in your cloud environment. - External webhooks or callback URLs. - Public SaaS services without private connectivity support. -If your use case requires public egress, Unstructured can enable outbound internet access with the following options: +If your use case requires public egress, Unstructured can enable one of the following configurations: | Option | Description | | --- | --- | -| Full Egress | All outbound internet traffic is permitted (not recommended) | -| Specific IPs/CIDRs | Outbound traffic is permitted only to specified IP addresses or CIDR ranges | +| Full egress | Permits all outbound internet traffic (not recommended) | +| Specific IPs/CIDRs | Permits outbound traffic only to specified IP addresses or CIDR ranges | -To request egress configuration changes, log a support ticket and provide: -!!WRITER: check standard wording and links for submitting support ticket or reference to Customer Portal. -- Application/use-case requirements for the access change. -- List of IPs or CIDR ranges to allowlist. -- Expected traffic patterns (e.g., VLM API calls, SSO integration). +To request a public egress configuration change, log a support ticket and provide: +- Application or use-case requirements for the access change. +- The IP addresses or CIDR ranges to allowlist. +- Expected traffic patterns, such as VLM API calls or SSO integration. 
-**(Optional) Enabling public ingress** +### (Optional) Enabling public ingress -In rare cases, customers may require public ingress (e.g., for users who cannot access via private connectivity). Access will be restricted to specified IP addresses or CIDR ranges, and all traffic remains encrypted via TLS 1.2+. +In rare cases, customers may require public ingress, for example for users who cannot access the platform through private connectivity. When enabled, access is restricted to specified IP addresses or CIDR ranges, and all traffic remains encrypted with TLS 1.2 or higher. -To request ingress configuration changes, log a support ticket and provide: -!!WRITER: check standard wording and links for submitting support ticket or reference to Customer Portal. -- Application/use-case requirements. -- List of source IP addresses or CIDR ranges to allowlist. +To request a public ingress configuration change, log a support ticket and provide: +- Application or use-case requirements. +- The source IP addresses or CIDR ranges to allowlist. - Expected access patterns. - -Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using private connectivity for all connectivity where possible. - \ No newline at end of file + +Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using private connectivity wherever possible. + \ No newline at end of file diff --git a/business/dedicated-instances/security/shared-responsibility-model.mdx b/business/dedicated-instances/security/shared-responsibility-model.mdx index 404151d7..a85cf175 100644 --- a/business/dedicated-instances/security/shared-responsibility-model.mdx +++ b/business/dedicated-instances/security/shared-responsibility-model.mdx 
@@ -2,45 +2,47 @@ title: Shared responsibility model --- -## What the shared responsibility model means -A shared responsibility model defines how security and operational responsibilities are divided between Unstructured and the customer. +## What shared responsibility means +A shared responsibility model explains how security and operational responsibilities are divided between Unstructured and the Customer. -Unstructured is responsible for the infrastructure and software it operates. Customers are responsible for their accounts, data, identities, access policies, and the network resources they control. +Unstructured is responsible for the infrastructure and software that it operates. The Customer is responsible for its accounts, data, identities, access policies, and the network resources that it controls. -Major cloud providers use similar shared responsibility models for their own services. +This approach aligns with the shared responsibility models used by major cloud providers. -## How to use these tables +## Using these tables The following tables show which responsibilities belong to the Customer and which belong to Unstructured. -The first table covers traffic to the Unstructured platform, including UI and API access from your environment. The second table covers traffic to your data sources, when Unstructured connects to resources in your cloud environment. +The first table covers traffic from the Customer environment to the Unstructured Platform, including access to the UI and API. -**Customer → Unstructured (Accessing Unstructured UI and API)** +The second table covers traffic from Unstructured to Customer-managed data sources in the Customer cloud environment. 
+ +**Customer → Unstructured (Access to the Unstructured UI and API)** | Responsibility | Customer | Unstructured | | --- | :---: | :---: | -| VPC / VNet configuration | ✔ | | -| VPC Endpoint / Private Endpoint creation | ✔ | | +| VPC or VNet configuration | ✔ | | +| VPC endpoint or private endpoint creation | ✔ | | | DNS configuration | ✔ | | -| Security group / Network Security Group rules | ✔ | | -| VPC Endpoint service creation | | ✔ | +| Security group or Network Security Group rules | ✔ | | +| VPC endpoint service creation | | ✔ | | Endpoint connection approval | | ✔ | | Load balancer and target configuration | | ✔ | -| Platform security & certificate management | | ✔ | +| Platform security and certificate management | | ✔ | -**Unstructured → Customer (Accessing Customer Data Sources)** +**Unstructured → Customer (Access to Customer-managed data sources)** | Responsibility | Customer | Unstructured | | --- | :---: | :---: | -| VPC Endpoint service creation | ✔ | | -| Load Balancer and target configuration | ✔ | | +| VPC endpoint service creation | ✔ | | +| Load balancer and target configuration | ✔ | | | Endpoint connection approval | ✔ | | -| Security Group / Network Security Group rules | ✔ | | -| Bucket and Container policies | ✔ | | -| VPC endpoint / Private Endpoint creation | | ✔ | +| Security group or Network Security Group rules | ✔ | | +| Bucket and container policies | ✔ | | +| VPC endpoint or private endpoint creation | | ✔ | | DNS configuration | | ✔ | -Each party is only responsible for the cloud resources it operates. +Each party is responsible only for the cloud resources that it owns and operates. \ No newline at end of file diff --git a/docs.json b/docs.json index b37dd29d..22c1286e 100644 --- a/docs.json +++ b/docs.json @@ -367,8 +367,7 @@ "business/aws/aws-privatelink/connect-to-services" ] }, - "business/aws/onboarding-in-vpc", - "business/aws/x-dedicated-instance-privatelink" + "business/aws/onboarding-in-vpc" ] }, { 
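Review bot: in the architecture.mdx hunk, the sentence "Unstructured supports cross-region PrivateLink, but does not recommend it" uses the AWS-specific name right after the page defines *private connectivity* as the general term for both AWS PrivateLink and Azure Private Link; suggest "cross-Region private connectivity", which also matches the Known limitations row ("Cross-Region private connectivity") in the requirements.mdx hunk of this patch.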
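Review bot: the first requirements.mdx hunk introduces capitalized "Customers" ("the key requirements that Customers must meet") while the security-model.mdx hunks in the same patch keep lowercase ("customers with strict compliance requirements", "customers may require public ingress"), and shared-responsibility-model.mdx uses "the Customer"; pick one convention and apply it across the whole set.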
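Review bot: in the requirements.mdx Requirements hunk, the AWS list carries a permissions bullet ("IAM permissions to create VPC endpoints, security groups, and Route 53 records") but the Azure list has no equivalent; add the Azure RBAC permissions needed to create private endpoints, NSG rules and Private DNS Zone records, since the Azure DNS bullet ("Azure Private DNS Zone linked to the Customer VNet") implies them. In the same hunk, the DNS format `.privatelink.unstructuredapp.io` begins with a dot and nothing before it; show the instance-specific label as an explicit placeholder so readers know which part Unstructured supplies.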
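Review bot: in the Known limitations hunk, the "VPC Peering" row names only the AWS construct although the rest of the page pairs the providers ("VPC or VNet"); suggest "VPC or VNet peering" so the Azure case is covered explicitly.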
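Review bot: in the security-faq.mdx encryption list, the "At rest" bullet ("Customer-managed KMS keys are available as an option on request") describes only the optional key arrangement and no longer states the default at-rest encryption; the security-model.mdx hunk in this patch says keys are managed by default with AWS Key Management Service (KMS) or Azure Key Vault, so state that default first and the customer-managed option second. "KMS keys" is also AWS-specific here; "customer-managed keys" matches the security-model wording for both providers.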
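Review bot: in the security-model.mdx Encryption hunk, "All supported connections use TLS 1.2 or higher" replaces "All connections to Dedicated Instances use TLS 1.2 or higher" and reads as a hedge; if there are connection types outside the guarantee, name them, otherwise keep "All connections".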
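Review bot: in the security-model.mdx hunk starting at "The following security measures", the "!!WRITER: check standard wording and links for submitting support ticket" placeholder is deleted but the work it asked for is not done: the IP Allowlisting bullet still says "Submit a support ticket with your IP list" with no link or standard wording, and the same holds for the two placeholders removed in the egress and ingress hunks. Separately, "Data in transit between VPCs and VNets" in the "helps protect" list overlaps the Encryption section; private connectivity protects the network path while TLS protects the data, so "the network path for data in transit" would be more precise.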
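Review bot: in the customer-managed encryption keys hunk, "customer-managed keys for supported cloud services" leaves "supported" undefined; list the services, or link to where they are listed, so customers with key custody requirements can check before contacting an account representative.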
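Review bot: in the network access controls hunk, promoting "(Optional) Enabling public egress" and "(Optional) Enabling public ingress" from bold labels to "###" places them at the same level as "### Network access controls", the section they belong under; use "####" or keep the bold labels. The file also still ends without a trailing newline on both sides of the diff.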
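Review bot: in the shared-responsibility-model.mdx hunk, "the Unstructured Platform" (capital P) differs from "the Unstructured platform" used in the security-faq.mdx and security-model.mdx hunks of the same patch; lowercase it for consistency.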
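Review bot: the docs.json hunk drops "business/aws/x-dedicated-instance-privatelink" from the navigation, but nothing in this patch deletes that page or adds a redirect for it; confirm whether the page is removed elsewhere and, if so, add a redirect so existing inbound links do not break.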
diff --git a/img/architecture/components-in-pl-cusomter-unstruc.png b/img/architecture/components-in-pl-cusomter-unstruc.png new file mode 100644 index 0000000000000000000000000000000000000000..87bee9c8009c5ee962b8efdf7f25d1f2777849f5 GIT binary patch literal 29039
zUpcx)(<71^v~~5%v_&MlWXxQx=U8p4(B7}A-j3t^$_m6*@0sj5q%Rj4n(lktovo+{4VL1b#x`V}y?Ty%tmi&ef z#cg=N0f*z_2ga`rqz5-PHd$PkoRhu(68vS$V}!la#`=$Ys?gcafW!LEHQXV87Cma- zgxlMuyL`&DtG1UiALbuR{^=sw9Gn7&kSNczJQXqQ$&ro99FTGFD2n3F$D9@=@q3Tp z$58;E`C}|4OzF;XIqon}^nZ#rL3$o^@Nk+?Y-6LyFO5o}A`aQ}@_u7wjnel?p02j0 zaV398J&YL{VT+Cn*>7C>e~P_+ZL1yt=dVcf!nN*n;t$YSi7ep>llTja zR$o|-@bCKHAEAOzrm#iJpzs#DQoXBMeUVx;dTue7)}i_hz)9E9Q(z2B0BrG^Fu*i( z&t7?LPjh%#zK8YTQWe18&7LHYHRy&fDYJ3@{^Uji0z1KO=VUjf7_e-f5{p@!BWh{>u5u$BS zh4e4y&@a4x8>r1KCgpd$)+e~~34C-e7Gp7omeW;ywja16jmUvU_aQ=F`)<_!6fQQ? z;iS+~(H6fXD-8|>%du?eSC_&MAm_^N*Vpc6urxf97oBAW#g0tiki9Giw%>c`Ohvwl}v|{xusE~QKHmxFf-m7-yTmbKWr#k zIp~?n6J(}y98}$Sbjre)sEYsHnTs6V9IyrbMQ#$$33-sTXj@N?&C^9fmyb&d^HE9A zoV$;d=eLnqr%qDqA27lk{DGZLeVFZwIqy<`p7}+iz$s1LXqne)mZCp~1&0of`bjRf zdrYlCo~>anu|f)(@^A^@lKwhZ1M|+w-Ru+{4Qgg2eyMUoNqOY^Gl^VNmsLb&cm{|o^6hOF4%P?W4W^TZ)~xJ z1AD1iUWx8we}i(qTqI8ZMUQB4_t4f02%N|eLXZcHva&s+6u*Di!mWYM4FM?jjPQSA z39b!zr8y_g33*fT3!!GcP;2GN&ON?1ZAKDF0WV{ulK!(hI+*ZtWW}-r(iTVsgMee8 zETjdY^-uKebBcia=Q1EL%7-lWDq~ne2eA|=p?5N0QSIWw`u5+W{p$Fd?V?>7F0;kb zdBZ3H7=zn7A)&qlDvk(1>Bj_c+Kc{9W}YZ&$DzK$Kx%!Q3;1&fhLw0Rgx#63U7}rP zQa%arV1#j(`Lh@+*>Q6ml2^nT!ugcOf$3<5(>&!2!9<{?=bC|T@mVQ$h~mpAFYiQf z&AzD6+-XS8rvLm8<22@`0r57!1m2*QP42EvczZ9e(SO}?E#6T}CU7B+SpJAKS7IO* z_x*<6h+}`&zUis!id-XF(4ut zAtpFjShUIQyQ9gUf$c3CFcF2-cxW)lPuw6$$QSU+P-U1w<#4*@mewau-vT1bu*rQbb(KQZ_zG-+Sb}KSzZCC7ND8a=eiJuT;81#2cIhA3t_0`SMpFYg^ z#FLG@-eer2cc+^9QfkWH3jR#*-v=m*Wuc)cAI+eDj>3lB#}^yHq=}n0*y*)Q$+!88 z+5Mtsy#n8eeM5$V1_51g3pxymStI9#3+ZRkw*lWBrjSN~6;#FJlk;^UM2R0xK59{^ zbPT4pyQ21JlSt97O=&(v*$x~t=%|#9t~`?lC6*ZdDJ`#xea?da5)s3p@1g1;0_;dY z)^C%ymGCnr4(}4CWpec43Wva_-`^$R6MUbst81+p0;(n|1UCSZLinr!^GPR6wv zQjSc7pv2Yp+&tVJl_{j4Xj_gbGNxzjGj8 z!i;8FB90-u*9Xp$df$3`Zyaf#TqwO;mGN!&Fc7&OLikY^B?MGjp$4Pp=7bR%+Ov+A z>(MaBaG-1&T>WKafyfXaxw_rv3(nU!CV)sTmv6rRHYS1&Dsz;fkm4ZN*_AjyZU*SG zi_GU^xU|14`ue#wd@oBRyTDeZX|liu#0w!eZM{upQ;_LTU?4T^kNN6*?SNy@;%-&B z4nioyR2BqCaIlZ|WH}a5p9U1dt9GZNwCHIMh>UMjaytfrnZ<_4^TA*00o|Ce$eRmz 
zKRM2-uIi&LgSB^`8w>1FJ)hV};QDjK=$6KPiVu-#e0^fVq#o!P&)iXPKGKsycnN%R z5ETM%vKf5a(5-7%!GxfI8HRs`imq4@H*IqG&;@3FKG&Y}buT&9$REH#1|Hy^jf4QSeunf|~CkU#R?B>Svo7TKSBdbfl3_LF19 z(!_$TocG!@$bo6d8dLuK7Kbf@bD>cd6RoXKlE;RZk~NPbtATPd8%lunuwXdR&*kk% zY*>J%J#C9g8yWi-7+Rpst0II2Blj=M8cHUJP=|<%WfFkI5GR^Pg7b(I;;Et;^*zUf zh8j$M-ew&swnVgGYa=h!vV4!Mo>iK!g#kmA_Rk~P{~MJ$Vrl{D-r&DuqT~!AG6a(~ zehCTQzq52JymKga16f$W*ORFiy#E+giS$hWc9X(BM#`JVkc8qBc>PZC539aqV<`z0 zX&ufI1`bm@GwuRxuS1ip1k@^-kGzuNfU^QwZjz}(2>f7_y^8f}sx$O6R$~UD5iZ24 zm3|3-6}y!81mT6MeIoO^V4&1&!WKNYx96dl+6(nHa$=l`;03cwC@#f)B_!s8?MNcF zvmKFxj@l6;Ys;YX>jfHXT;zg2DRjs}H>6^(L}IDV5Uz14zW8P?%5?-hqj;sl;EU`I zQ89*=zr}}-Yi2%^O#QooDxXmH|GjeaJgfl9rHYjGzn_2(i+w8P;9L3yMB+v<<14^AxzZidBpc$nr>M=`hbJ+nXs~=L z9k3I9#fMFo$Xr~n%YNn9fCX0yvTDhXqTDUW5UrLIySV@YAJs+1FZIupKmsy1;w`=k z;bzeroVbDMuc{DR7xMKrZk7k)wRXTE$Omuy9z31nqd{E)hx5g+HA+;z{6WGLe^_TU zXt^H~^Za~|OS#zK8dFpJ7-mFyPkQcwLm?S4|3kRP;1^4?JRszYuA)<=NsheFfwb@@0f-$3CpV)hvt(++nNNNAC=Ds>Cs_pNW5CthEq(QnH zBnJkN?p9Ke9_bny1Obr_=`Lw$Bo&Yp7#ivB?&j`M&wI}Kz4t!%{&DZ~-2d3m%wBuX zTHm$zTAyN`^sVdlFfFry0`fthh50aII=7uNzg?vM zYSW(RpNC95?cWyrh<%$QE?t%!zfwMnu-t+YG%+K?|lHLZREYUq?W;+)~% zgFI;<&L9n4J#KvYXpISs99``u*#Y+nnUE3@XO#ae5-UQzCHbta(6z ze2@=qEI`UcIahC}zrbAcg}m`@OP^U7eCMjE+u6WSia>lL1$}#(l-&d93n0Ra+5ddY zA;HQXCa*rCLu6;|fBYddGEzwURCfiRNFMGzvNy5ty?;(MOJMZyyiyQMd?zf4xd47s ztj5|RL7d!bS8Q{NWI?U*ZK`vs;-`GW#kM{^0RkC?DLSF4@a)Vl^xshdPCZJ>!d1rM z7yub7`+fD9FNZ#G1P7_|AR%31Dn~LTkj`u0`nNTOv+!I_@I2kF0W)s zAC9!u_^Ng+&HQ%E`~lhEy4tVuY zX$zxo9{31;H=>w$6WBN*6EvPa`sPLQsh+Tv=52!v0EpqeYNTE|@cBdI!aG|456s6Y znFdmJO|wD-wDt;T1!0!C_zZ=C<#piNyOCLQC;beeRaEt50o^70G#k<1++9XqUYG6P zN_)=43%eTn<90$@)kp7*SxvDLu-Bl4fAHOK1TX7RZb&2mNG5S$lVcvQ z3c%LM_K*|iam5(7xl-PD{dt*1sb z`uRa4GgS+2>N;vFLiY=4W6Oitj;l*7zat;(cSw*$#9;%x;U5)sr-@UA741>EG5b1z zXRE;RY{ogSqXT0)LG_|~7w`5lII0eqDkzy=EYr+P?N1XkJkJWC^1MS&&uB=%o)o|# z0W2MDIsZQ z&E1~yANCFy|Bu^$qsc5>M%*n^PGwrZO%Txnv~t zG!J<|6mH2DCG7w+=erN;Jk!6J746OTyyL{KQm3vl)ArS}F5H+8rd+ia1x!&l`EizC 
zWEs-|_t0sC0_1kv{Pt4Ac2Y-aYM{2Jjf(=FZY+E>Ioa|U03s_!V z(wkZwf``L?xFo7B{m{24?-{O`qx&GEfwWJG&n>`=Qcpl zK+qu!`mvw4G&l9ZDF@uaqwVW$`4dY$Q_bAM)erZWr&HBEb3}|P>hZfhSHGoWkAmSU z=7!YPXIZ)vK8SED-zoPmBIz#|-T&w0;H1w(Sf8b;-4a1>A)i-yPOglJ3GW48g&uR# zUO_7IDaWrL1Ni7vWH@%PN|dg|bpb9+Q$}DiW>++^m*X!t;EpKbx>S`gB*1NhE?3VH zAQ44?>eYwzXLS*vGe(4i4Ti-x2E0PONue>`kv=P|a;Q3&0iSkE>l2pls7gKo78^YrlfpUWkLo(7qzBP@PFp#z>1pFo+0 zQ^UA$Pu&h0T=@`CVZPDTv34wuPDB+o$a{g97#r02;55ME3aQGido}(MCbjaI9CYVRboQU5wJ1pQeyAq$YKm^+A%4*8|t1aN&V+eP=iEEB!AA{kv*Xh0WQynPKZaoKkm7`?Y zAJZlu(GI3%*?$+{npMDdrENb+}@SjdCFz0HL1KNtOed1-zn zjRA&c+zevjG)3P2h;lgsfzm%8O`hxQFJS^GGrP6BSw;O5k`k}$e9g%zi;b`=IBJ*V zaloV~=-IPb58^Q!7t?V&d#~v(4i{gkTo0NMxUhFreAt=u zc6cfhh`s4`3$b$h!a}c2@USaBypWXSRPNUJgJ>2IJyO!+mg?YTkZxr_Y#T?ezk53y z>!_kHayvh1QrdFqIu<#5KJYHq(GCPee-)1Mf_g?Wg>wrGCzxj7%GNwj9HGI(Z?Yvr zC#Y?W*2SU}w!}M~Ymt?XR8|`OF$x~Vdx^*PI6WWxN161G=j0J4?MLieHQ+*Wz#k(I z5F=Fd^z@qo9+ZZ?01AX(ra!Qmww?s&+y;1k3zME*T`MoIE{F-p$7RZuOsaKXh86F6 z=$`1-1R?=Q4H@Oe(D1tLDLmXvYtBbb#QQdu)78N0;zEXLxUN7mZNh53!x}D%7m*Tu zP&V@>j-C>TX$v2n9~W5OU6WkUXC8i_O{ex^O>Q~rM?BLu`71<=oHe4EfQNln(qU$&a8@G~YW0Aydc}Qd1)9 zL#a&*`uPK^4v5Vqfnj+I$*wB#1(g=lv(%pKrD50Zd~m{Vt<(Q`{`+CL{bs~`fy;&+ z>~>Hs1b24GB?^R!)wfN&-<~lz+7}RwANoGY?g9h{0y-=y9A|I)7H@@^RN5$`6mGakdSC13l)u{dq5N2lzhxtH07E#ho z48P;eMcXt(gF}hA1pBG6EybEL?*})Pg<_kO)!ZuVN2w!IvIX>oKiq+!Et3ZnaAVO9 zgyxB_xBtBiGWmkmN{+8u7PBFT0K6>5sLuJQl>~GElRZ3Dlv_!z&S7~MqOx1DvQe2^ zMEC|>yX^ZJV_R$5V!Leg=O99ao$bZe$Py%;c_CTwQ{L_22;rutg0t(~<#?8aJ?5Fu zXyet(m!MLTSK%&{*o{lRZYjvIYu-L#W@#5`TV-R-xVgPiALPa$GO6?f^NpHQ-d$-{ zu|JKwP;GQ~B0RW80`VE1gVtD#_n`i>>1rVgiEtAJ#@CICwPis#Snd$V);s^fr4kaWONsx^Jk+L1PA3Pc48C1D;&%Caq;l;IN4c$i&H8EjYBL;pS6>->zasFr>KZL z@MQcB-rQ_W8(!at!;*Su_mmWw<6+sGi_{y2D6aB{0~@bUU_dNjrU`AU04DisRxq+t zlNw57QM^#xi=SbLf>oYa%~&!h;PEd4aSL^u-H(^IS6kC|<$^@=SwMxVDuX|!m6khs zp`RCM18apPde!h=a3K2^>CjK=IT_KzBeT>-e{^~=a@8XHaeTBy zt_3tfywSb=e5H({Ecc%DbY-MfoAaI~nQy7b^xkL4w>5}HBp#2vZ`Xm0*pa__wq!sg zPc4TqnJ|RpR2h;+>f*PA*w;kl${}QL!T7^)0XEDu#kz7+bHqmspH&V2P7SJjZT?t82boktcK_I#KM#N 
z3JqWAvbfx)8O`r&?>;~fRHj2ie=my!3#Ub(d&SS7X_aI*&kvZkUfHsXQ_RN!JAI1z z7eq*#05{RbJb8*qZi8T&DD_yQ0fJphV24il zz)ot`^Xr8QU*r5IdUubhh(s{JzwO)Ktw4wr7R2s%QDKrpVjsYyrk>m$qkCjW1=bI0 zFZ*ksD)->fWop zGJpel($+AwJV%?7hho7Ski8J|CFMR~N+AS(&=P-+!n6D8KzJt9k+QMromow8Yvoi6 zkcX6y@QJ>gRIb`PscY5(Iy@?f2>brgX;qNuOw)pMrMEA2{~)_TcxGp_<6oITI0RV^umH_v|zwmi!(NONw{vm{)vUV6g= ze+TOL?&kS&We{~L;wO|EwEKsw*=3hHH?40TJ`G%we2B4x`xzs+g9Cy{+zI59QoEvr zG>jY=Pk^3r`!>M_5$h`*N{kU*>&uyfx$^AF5snGSvJnLRqwnuIWt4Hx`KyGDY2prt zrZsO{2l9EIJ@>iqg5Z={tZGfr1SH#p(*`{G%1ja|jMB#R^@+;lCtDxlDl=RP_LiFj z35t0?$pnEBoVij>~<|Y8ZPne7(n`^wrqDTDEdWC`g`5|l{BbyCcXixDKpWOb0 z556Ypf(@4whB~(|x1lUTB*D*eZ(KFd{4={K&DSLia3`m@^!~nYoo#ynwHB!_ z#-~zyqhfq;8+V_VrM86P^iW;t9;6NOt_Qw7K^JH770(%KDjt$X#PRvUph&7=x35^JxD)i-T) zD*lP*6MP+{NU5$4L!q}nAz_Z96!fPr(7`RK@V5qn^j8XTY`bt6T5i#`%li}M+f1am zLWgsd!>{rf93x0P#^G>QD9sG2SB-#ar$8JV+SG?Sj4+M#=5akDq2}xI$BU1fthaYg zPs1;7GO7?Maf>K~v)@R5;N~xaUDhCkL019p9;42J8G-l$;SL&%zyp-&!BDfG7-u zG!ip9@|}tA)8wo;FV-%)t7zGm?bLD?8sKtIB|ZvqminH=2FBS9Vv>bM|wB=XTr0WuC(tfNZ_tX6k9zWLh;@ z_H2xZ-daP)o!5NbK;~Q&ZT~H#Z5?#_jjMm}&U?Sn~_#w}c7fN*K#W*2v2kLP>atr#;Ab|^&45C#YRFov6MQS{Y!1odVyJLRU zjJ2s1Kci{#k#|j63J1g^`Lb)*)?K^T7cPFU2>BlH8kNP^S#W(C{DkI|>S-2_8fXvM z$CmR53y|PJaTgBAthd*V(WfHpus#?^+-x;q&VyoZ4(B-DK3g8WKKPF|EYO_B1qIGO zxLbbyaIdY7Rf~)#i+r0G2TK)q-RkE@+v;J9l}LR$!j5-hz$a|m)y5&?86t{;Yqk;w z{k^r5R#o!AX*^+{&^%HDBx1zEq~tS7T*&n*tJ+Ewy5=zFsyj2keamn zciq6V7o$c3#sm)o?d8)zEOQxHD)3W-)*n`lXuY%^)fHHTcf?D(xux4O>0j4tynkXj zB;Z4Es3R6fixpI2N0Vf4?s?`7vifE~u`pz!l0ArHq4Gs}48u$PR9ODKnI2&m_pZ-~ zU(>Tz+Cn7EMoisK_Xx!$Uxg_Yf1^b%-mvQ1tD8rgUkykW7I{A@$Mj#AM9!eRE_sH1 z5s)>%_2}EHggS+J1JMBD&*PFbJVYZFJSg?waidMDUCkqq5Bozzdv%pZ<+Js<2tGa|gm@>6Or#{uc|THV|Z?;}hFc#%AlJY8MuE`4iX(eR3` zt=-x#Lieox<~HI99d98S4`q8)ikcr?!1Hif_=p8WPP|sj#HoOVQRoJ8_)#l|51|; zawtinuRH5lUYm7i=bj1%C{-Au9iM&lXiE^%Y9>FRg(NUbbAtR_0J3 zeQ4zAj*Xa4YJ%{sgAf?-Kvrkya1LP>O-rk|RvJR^w1oCPt#S7yq1DDKVrcJTjK3d1f8Tt2r8ZkduY_YJ zn7cGY6Mlk(pIL%B!9yNO8p0UjQ7l36R{V8*X05I&%V8R7YKcH>3O2}iX`E(}maMUH 
z79Ih?)|G0u)W&IndVbI0N-rbq#|G|0o;H3Vpe|)N;Fa$b5Wo!U{m2^A9YZhg?p}Yq zHLkqkcCtCj1pE2(C({pHdZiK5h)!y+tJ7RCcfK<4R#@5wN}cjs!pJ8V*khbh@Y(K+ zZck4S4I`uMWR)c~3JS_lHAGuhMkaD(M1x4cAqNj1U)I5)!ouEAx8;nz(ZpT($p zl*WaiQ0E-IYcn}V@0F-YXD}~LqFQl$uw}pYCV_nvu;KrtPtjnz&a9bQsW>wET66cv zR>HbVq^p>nue)8e6tv*tV|Kkox#2d$V_i9pIc$0fL#pX&}cVz;^cs3vZXX6KuNM(FcbQ_B&%QABs% zFXDr2TGZ|Uhg*y7_!(1!&tWx5FzvX&4JdlFM8#c?TXQl^mB!7#o)j{08Oo2<`)G@i zVyG&w!AE}HCBR5-Jj4C z6&IH~rKYAv!^fvBoyUn3cH-vd7LLCjE$v-49t(oJ4}plQRXDlt`<5~{+m`JPyLINP z9SpU2UfEuj*f7_d$H%_$l!!ly7tJunJP6c#EnqkO!BFPnG$Qxt=nkgQc>YDB(LttG zVix3)j5MzH**Ke~rYCY*elIfgTMSKg4&;^Y#juaa7~7=#?q1TN`JELI1GqJ4b1_V@ zDT*ZbtfgR!$<=42AunT~c>Lh7C8A_%c>PM+&-v!t)t6_$XyrqD1c>iE2C`I{QoQz( zs7vG>X|q|hKkRIKtOb#x`*j4feWaXslc<-?w-k-60fo>~a*FlOK;P%An8~`U3dLy! z(@pk}O-M>MLDdXF(&B1a7@pS^;D$%*x78n<+?I=qoUUS9O0{1O6nDjsY>y4u9*K98 z%^%zZmDqj>b-y775j+re2a$VMGP85TyEitYWcXF4*C6$|1=f zNle3vHb^KLkAQ%u_{rzG6ZmX~tm{^vX})t0A4{E-cPUefHkcM!zIxyJ?-5&~Y&B{N zl-1Emij9x&jii(~&J;)G&2wPUt5cy_WD|&34=8KmfO?7X4Z1@UO&W1T= zd{u}+y>c=dfm~941dUl$T+XwdYW)=StMfA2wdmyHqvgUBiHSj}@60Ddh2u{_hH5Tp zcrz!_;qLh#o#O+R@w$m`s3BkEA_hvE#fJt+^TsF4hQ1GN_z7BLkEiKODoQroT&Hhd zl$Xw=+{ISV&y8;>7j2h}8&s^6MDBGtXM#IL1lF`<&Wh+!X3zBbly%~lKY?q1^bS2< z?~#|1Yo_hYKAX!pd>`s{wE7j5M=C^}OIL1SE58W*+E8JwYga$Z7__)jyM9_L+YE6o(}8 z+t9}wMg#gQB$A>`%l_V9+L?i!8Pis>TU&qb1hdzt0UAF1I>-J)*k=!zfDlT`_%%g-o zG9c6U-bA)E^4g2E4tBadyh26_JE~2r14}1Rj+5Cy^>k?Htdb{`<4eW^s*coxL(^n6`UwfTRUdjFMM6S}@>eKHg?S$_Ur{i8Z z>kCVn3cSeRbO={R5Gx>&eHxOU&CqBLEO(~ zG`l5yJ*%&HkT+VOrwD1vW_Pq63n`V;sgUh84^eB#V;j=FbS1y2wZ-(k!If)M5)HdS zGY2JUOP_^mVj13h#L?S#7$xplk=se8(UH+isfOp~;0(^o)XMq$b8FM*fp{fe-_BkZ z#owP~p1Xa&tZyF?p0`ASjlxWhb@6)?{4LSCiC8tWI9rnvl33ad>+4_o)liTKziUf> zS$kbDh)(?E@6sP>J zpD6OHJFb$64m~z+0aHgp6`FkcC7||UxN|M?(qB0*!v}3siUj;l(V^*6jYC&?iGt#o z7ab#5p*HFnegCoWgfCE{I^H9dsPl)H9sy=u;e$ePP2} z-=j~s_1!=fthjE_bt02;r3`t|;U6dp<9czV2+L%O_&L%`JT9YMnofe02hwerKuU$ z@3%YG(sEnfI=_@k1H-_@`JXI*zxni#`0$v{)H_$a`i4a2#m2}O)tAh-MQVB7uCJ&V 
zR{XLu5UDRk1XzcMR{qB$+WW>m5#&+xkcXUHufe4RgG^8ZrCvQ>>5`cY8Zj4SP+{_Z z+UM>D&tml$Soa&Hko|k{E(5ISNy&oHjy)TMIYOuW>pzc&FdF#(z4fd1507NKGVu-; z<^fjjOL-Y=I?sdYLy$nT|Lc82jzfBA?eBeq&BM(s$pB~;Eo`)cbt1gAQj|J)|Rm-A{hhKD6C#0?|eMh(yJJ!p~C`|O}TGPJQU7m(s_)O*Rv37ec6nYD{1eUid#lHEDjzqh)f5+KW&%JdkLT7ML7U$Us2Aqn=Yf%J+s4Wx zgUoW?8ZCkpr46w&v9_xpv;9Yh;iQ4M#;o>Ws)-g4qtFB2pN+h{3$FSNZ@jMo`zId0 z;Ikbb+Yu87w!1R8yB^bbr%A#0{$slq)g!oJR{doL7@=wW>AflYyD112j&Qzs#?6n9 ztZtRWLR`N aX=&Z~P**po2>c^O1X)R?=cVGW-u@4X;D0v& literal 0 HcmV?d00001 From 3838232cc33f90165e36ec0392c630843c7adb18 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Thu, 26 Mar 2026 04:09:36 -0400 Subject: [PATCH 26/29] Final edits complete. --- business/aws/aws-privatelink/DNU-overview.mdx | 10 --- .../aws-privatelink/connect-to-platform.mdx | 14 --- .../aws/aws-privatelink/dns-configuration.mdx | 14 --- .../aws/aws-privatelink/onboarding-di-pl.mdx | 10 +-- .../aws-privatelink/onboarding-di-pl_bak.mdx | 89 ------------------- .../aws-privatelink/preparing-NOT-USED.mdx | 67 -------------- .../azure/azure-privatelink/DNU-overview.md | 12 --- .../azure-privatelink/connect-to-platform.mdx | 16 ---- .../azure-privatelink/dns-privatelink.mdx | 15 ---- .../azure-privatelink/onboarding-di-pl.mdx | 13 ++- business/azure/overview.mdx | 2 +- 11 files changed, 15 insertions(+), 247 deletions(-) delete mode 100644 business/aws/aws-privatelink/DNU-overview.mdx delete mode 100644 business/aws/aws-privatelink/onboarding-di-pl_bak.mdx delete mode 100644 business/aws/aws-privatelink/preparing-NOT-USED.mdx delete mode 100644 business/azure/azure-privatelink/DNU-overview.md diff --git a/business/aws/aws-privatelink/DNU-overview.mdx b/business/aws/aws-privatelink/DNU-overview.mdx deleted file mode 100644 index 5c22cdb1..00000000 --- a/business/aws/aws-privatelink/DNU-overview.mdx +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -title: Onboarding your Dedicated Instance + AWS PrivateLink -sidebarTitle: Overview ---- -This section helps you onboard **AWS PrivateLink** for your Dedicated Instance on the Unstructured platform. You coordinate two kinds of connectivity: - -1. **Into Unstructured** — Your users and applications connect to the Unstructured UI and API over private networking. -2. **Into your AWS environment** — Your Dedicated Instance connect to your AWS data sources and services privately. - -Start with [Connector support](/business/aws/aws-privatelink/connector-support) to see which connectors support PrivateLink and which need public egress. Then use [Connecting to the Unstructured Platform](/business/aws/aws-privatelink/connect-to-platform), [DNS configuration](/business/aws/aws-privatelink/dns-configuration), and [Connecting to your AWS services](/business/aws/aws-privatelink/connect-to-services) for the details you and Unstructured exchange during setup. diff --git a/business/aws/aws-privatelink/connect-to-platform.mdx b/business/aws/aws-privatelink/connect-to-platform.mdx index d028f62a..aeddb98b 100644 --- a/business/aws/aws-privatelink/connect-to-platform.mdx +++ b/business/aws/aws-privatelink/connect-to-platform.mdx 
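Review bot: no `docs.json` change accompanies this deletion (the commit's file list names 11 files, none of them `docs.json`), so if the navigation still references `aws-privatelink/DNU-overview` the docs build will point at a missing page. Confirm the nav entry was removed, and that `/business/aws/aws-privatelink/connector-support` and `/business/aws/aws-privatelink/connect-to-services`, which this page was the entry point for, remain reachable from the surviving AWS onboarding page.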
@@ -4,20 +4,6 @@ sidebarTitle: Connecting to the Unstructured Platform --- This section outlines the information required for your applications to access the Unstructured Platform (UI and API). -### Goal - -Create and configure the AWS networking components required for Customer applications to access the Unstructured Platform (UI and API) over AWS PrivateLink. - -### To complete this task - -- **Unstructured** provides the VPC endpoint service name and the AWS Region where the service is hosted. -- **Customer** provides the AWS account, Region, and VPC details needed for setup, and creates the interface VPC endpoint in the Customer VPC. - -### References - -- [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) - Use this to create the interface VPC endpoint that connects your VPC to the Unstructured endpoint service. -- [Configure an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html) - Use this to review endpoint configuration details, including private DNS behavior and endpoint settings. - ### Required AWS identifier information The following table lists the information required to configure access to the Unstructured Platform over AWS PrivateLink. diff --git a/business/aws/aws-privatelink/dns-configuration.mdx b/business/aws/aws-privatelink/dns-configuration.mdx index 5ac22d69..f293f6f3 100644 --- a/business/aws/aws-privatelink/dns-configuration.mdx +++ b/business/aws/aws-privatelink/dns-configuration.mdx 
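Review bot: removing the "To complete this task" and "References" blocks leaves this page with no statement of who creates the interface VPC endpoint (the deleted bullet said the Customer creates it in the Customer VPC) and no pointer to the AWS guide for creating one. Unless the "Required AWS identifier information" table below now says this, fold a one-line ownership sentence into the intro, e.g. "You create the interface VPC endpoint in your VPC using the endpoint service name and Region that Unstructured provides," and keep the create-interface-endpoint link beside it.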
@@ -5,20 +5,6 @@ sidebarTitle: DNS configuration To access the Dedicated Instance over PrivateLink, DNS must be configured so the service hostname resolves to the private IPs of the VPC Endpoint. Clients must connect using the exact service hostname provided, because TLS is terminated using a provider-managed certificate. -### Goal - -Configure AWS DNS so the Unstructured service hostname resolves to the private IP addresses of your interface VPC endpoint. - -### To complete this task - -- **Unstructured** provides the service hostname for the Unstructured Platform. -- **Customer** configures DNS in AWS so that the service hostname resolves to the private IP addresses of the interface VPC endpoint. - -### References - -- [Configure an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html) - Use this to review how private DNS works on interface VPC endpoints and when to enable it. -- [Working with private hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) - Use this to manually configure Route 53 private hosted zones and records when private DNS is not enabled on the endpoint. - ### Option 1: Enable Private DNS on the VPC Endpoint (Recommended) If your VPC uses Route 53 for DNS resolution, enable Private DNS on the Interface VPC Endpoint. When Private DNS is enabled: diff --git a/business/aws/aws-privatelink/onboarding-di-pl.mdx b/business/aws/aws-privatelink/onboarding-di-pl.mdx index c141f3e0..4a28a1b3 100644 --- a/business/aws/aws-privatelink/onboarding-di-pl.mdx +++ b/business/aws/aws-privatelink/onboarding-di-pl.mdx 
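Review bot: the deleted "Working with private hosted zones" reference was the only link supporting the manual Route 53 path, while the surviving intro still requires the Customer to make the service hostname resolve to the endpoint's private IPs; move that link under the manual option rather than dropping it. Also keep the sentence that clients must use the exact hostname provided because TLS is terminated with a provider-managed certificate, since connecting by any other name fails certificate hostname verification, and that sentence is now the only place the page explains why.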
@@ -43,7 +43,7 @@ This onboarding workflow covers two connectivity paths: | 5 | Customer | Share the endpoint service name and supported Availability Zones with Unstructured. | | 6 | Unstructured | Configure connectivity from the Unstructured-managed environment to the Customer-managed AWS service. | | 7 | Customer | Accept the endpoint connection request from Unstructured. | -| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform. See [Connecting to the Unstructured Platform (UI and API)](/business/aws/aws-privatelink/connect-to-platform) for the required platform access details. | +| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform.
See [Connecting to the Unstructured Platform (UI and API)](/business/aws/aws-privatelink/connect-to-platform) for the required platform access details. | ## Detailed onboarding steps Use the following steps to prepare the deployment and configure AWS PrivateLink connectivity. @@ -95,19 +95,15 @@ To start the private connectivity process, open a ticket in the [Unstructured Su ### Step 4: Create an AWS PrivateLink endpoint service -In your AWS account, create an endpoint service powered by AWS PrivateLink in the same AWS Region that you provided to Unstructured. - -[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) +In your AWS account, create an endpoint service powered by AWS PrivateLink in the same AWS Region that you provided to Unstructured. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) In AWS terminology, you are the _service provider_ and Unstructured is the _service consumer_. ### Step 5: Share the endpoint service details -Provide Unstructured with the endpoint service name and the supported Availability Zones for that service in the selected AWS Region. +Provide Unstructured with the endpoint service name and the supported Availability Zones for that service in the selected AWS Region. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service) For example: `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc` -[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service) - ### Step 6: Unstructured configures connectivity to the Customer-managed service After you share the endpoint service details, Unstructured configures connectivity from the Unstructured-managed environment to the Customer-managed AWS service. 
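Review bot: in the replacement row 8 (`| 8 | Unstructured | Complete the Dedicated Instance deployment ...`), the cell text appears broken onto a second line before "See [Connecting to the Unstructured Platform (UI and API)]"; a raw newline inside a Markdown table cell ends the row, so confirm the break is an inline `<br />` and not a literal line break, otherwise the "See ..." sentence and the closing `|` render outside the table.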
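Review bot: in Step 5, the example `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc` now follows the inlined "[Learn how]" link and reads like a real service name; label it as a placeholder (e.g. "For example (placeholder format):") so it is not copied into a ticket. In Step 4, keep the sentence that the Customer is the _service provider_ and Unstructured the _service consumer_, since that is what tells the reader which side accepts the connection request in Step 7.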
diff --git a/business/aws/aws-privatelink/onboarding-di-pl_bak.mdx b/business/aws/aws-privatelink/onboarding-di-pl_bak.mdx deleted file mode 100644 index d68ba54d..00000000 --- a/business/aws/aws-privatelink/onboarding-di-pl_bak.mdx +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -title: Onboarding Dedicated Instance + AWS PrivateLink -sidebarTitle: Onboarding ---- - - - The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. - - For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, - or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). - - -After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. - -The next steps are provisioning the required environment resources and, optionally, establishing private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: - -- **With AWS PrivateLink** - 4–5 days -- **Without AWS PrivateLink** - 2–3 days - - -Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. - - -## References to help you onboard -The following references can provide background or more detail to help you onboard: -* [Dedicated instance concepts](/business/dedicated-instances/overview) -* [Create an endpoint service powered by AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) -* [Configure an AWS PrivateLink endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) - -## Next steps in onboarding -While you wait for a member of the Unstructured technical enablement team to reach out to you to begin the deployment onboarding process, you can get started by following the onboarding process: - -1. 
Provide your Unstructured sales representative or technical enablement contact with the following information. Unstructured will begin creating the dedicated instance deployment in that AWS Region. - - -| Information Required | Description | -| --- | --- | -| Name of Administrator | Primary administrator of the account (others can be added after) | -| Admin email address | Email address of the primary admin | -| Cloud provider | AWS | -| Cloud Region | See the expandable list of **AWS Supported Regions** on this page | -| Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | -| VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | -| VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | -| Embedding models | e.g., Titan, Granite (ensure you select correct dimensions) | -
- - -Do not send API keys by email or any collaboration tool. Unstructured has a secure method of capturing these. - - - -| Region Name | Region Code | -| --- | --- | -| US East (N. Virginia) | `us-east-1` | -| US East (Ohio) | `us-east-2` | -| US West (Oregon) | `us-west-2` | -| Europe (Ireland) | `eu-west-1` | -| Europe (Stockholm) | `eu-north-1` | -| Europe (Frankfurt) | `eu-central-1` | -| Asia Pacific (Sydney) | `ap-southeast-2` | -| Asia Pacific (Mumbai) | `ap-south-1` | -| Asia Pacific (Seoul) | `ap-northeast-2` | - -If your required region is not listed above, contact your Unstructured account representative. - - - -All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. - -To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **`PrivateLink Configuration Request — [Your Company Name]`**. A technical enablement engineer will respond to guide you through the exchange. - - -2. In your AWS account, **create an endpoint service** powered by AWS PrivateLink. Be sure when creating the endpoint service to use the same AWS Region name that you provided to Unstructured. - [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). (In AWS terminology, this makes you the _service provider_ and - Unstructured the _service consumer_.) -3. 
As the service provider, you must provide your Unstructured sales representative or technical enablement contact (as the service consumer) with the **name of your endpoint service** - (for example, `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc`) and the supported Availability Zones for that endpoint service, for the AWS Region - name that you provided to Unstructured earlier. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service). -4. As the service consumer, Unstructured will create a related endpoint service in its own AWS account in the same AWS Region as your AWS account. Unstructured will then send you an endpoint connection request to - complete the connection between its endpoint service (as the service consumer) and your endpoint service (as the service provider). - You must **accept Unstructured's endpoint connection request** as soon as possible, to avoid delays in the deployment process. - [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). - -## Questions? Need help? - -If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. If you do not know who they are, -email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams -will get back to you as soon as possible. diff --git a/business/aws/aws-privatelink/preparing-NOT-USED.mdx b/business/aws/aws-privatelink/preparing-NOT-USED.mdx deleted file mode 100644 index 401b55d0..00000000 --- a/business/aws/aws-privatelink/preparing-NOT-USED.mdx +++ /dev/null 
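Review bot: deleting the `_bak` copy is right, but it carried guidance that the visible hunks of `onboarding-di-pl.mdx` do not show: the deployment timeframes (4–5 days with AWS PrivateLink, 2–3 days without), the supported-region table, the "Do not send API keys by email or any collaboration tool" warning, and the rule that all private connectivity data (Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs) is exchanged only through support tickets for an audit trail. Verify each of these lives in the kept onboarding page before merging; the last two are the controls that keep secrets and account identifiers out of email.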
@@ -1,67 +0,0 @@ ---- -title: Preparing for a Dedicated Instance ---- - - - The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on AWS. - - For dedicated instance deployments of Unstructured Business to AWS _without_ PrivateLink, contact your Unstructured sales representative, - or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). - - -??QUESTION: In the NOTE above, is the last point about AWS _without_ PrivateLink, correct? - -After you decide to proceed with a Dedicated Instance, the next steps are provisioning the required environment resources and, optionally, establishing private connectivity with AWS PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: - -- **With AWS PrivateLink** - 4–5 days -- **Without AWS PrivateLink** - 2–3 days - - - -Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. - - - -### Information Required for Provisioning - -Before deployment can begin, please provide your Unstructured sales representative or technical enablement contact the following information: - -| Information Required | Description | -| --- | --- | -| Name of Administrator | Primary administrator of the account (others can be added after) | -| Admin email address | Email address of the primary admin | -| Cloud provider | AWS | -| Cloud Region | See the expandable list of **AWS Supported Regions** on this page| -| Desired URL | Without private connectivity: `.unstructuredapp.io`
With private connectivity: `.privatelink.unstructuredapp.io` | -| VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | -| VLM models | e.g., Claude Sonnet 4.5, GPT-4o, Gemini 2.0 Flash | -| Embedding models | e.g., Titan, Granite (ensure you select correct dimensions) | - - -Do not send API keys by email or any collaboration tool. Unstructured has a secure method of capturing these. - - - -| Region Name | Region Code | -| --- | --- | -| US East (N. Virginia) | `us-east-1` | -| US East (Ohio) | `us-east-2` | -| US West (Oregon) | `us-west-2` | -| Europe (Ireland) | `eu-west-1` | -| Europe (Stockholm) | `eu-north-1` | -| Europe (Frankfurt) | `eu-central-1` | -| Asia Pacific (Sydney) | `ap-southeast-2` | -| Asia Pacific (Mumbai) | `ap-south-1` | -| Asia Pacific (Seoul) | `ap-northeast-2` | - -If your required region is not listed above, contact your Unstructured account representative. - - -### Information Exchange - -All private connectivity configuration data exchanges between Customer and Unstructured must be conducted via support tickets. This ensures a documented audit trail of all shared information, including Account IDs, VPC Endpoint service names, IAM Role ARNs, Service Principal IDs, and other sensitive configuration details. - -To initiate a private connectivity configuration, log a ticket via the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line: **“PrivateLink Configuration Request — [Your Company Name]”**. A technical enablement engineer will respond to guide you through the exchange. -??QUESTION: Is the Customer Portal site available? - - diff --git a/business/azure/azure-privatelink/DNU-overview.md b/business/azure/azure-privatelink/DNU-overview.md deleted file mode 100644 index 863d06a2..00000000 --- a/business/azure/azure-privatelink/DNU-overview.md +++ /dev/null 
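Review bot: removing `preparing-NOT-USED.mdx` also removes its two open "??QUESTION" markers without recording an answer. The second ("Is the Customer Portal site available?") still matters, because the kept onboarding page's Step 3 directs customers to open a ticket at `https://support.unstructured.io/`; confirm that portal is live. For the first (whether the note about AWS deployments _without_ PrivateLink is correct), confirm it was resolved in whichever page now carries that note.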
@@ -1,12 +0,0 @@ ---- -title: Onboarding your Dedicated Instance + Azure Private Link -sidebarTitle: Overview ---- - - -This section helps you onboard **Azure Private Link** for your Dedicated Instance on the Unstructured platform. You coordinate two kinds of connectivity: - -1. **Into Unstructured** — Your users and applications connect to the Unstructured UI and API over private networking. -2. **Into your Azure environment** — Your Dedicated Instance connect to your Azure data sources and services privately. - -Start with [Connector support](/business/azure/azure-privatelink/connector-support) to see which connectors support Private Link and which need public egress. Then use [Connecting to the Unstructured Platform](/business/azure/azure-privatelink/connect-to-platform), [DNS configuration](/business/azure/azure-privatelink/dns-privatelink), and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services) for the details you and Unstructured exchange during setup. \ No newline at end of file diff --git a/business/azure/azure-privatelink/connect-to-platform.mdx b/business/azure/azure-privatelink/connect-to-platform.mdx index 0f4f9bb5..3a803744 100644 --- a/business/azure/azure-privatelink/connect-to-platform.mdx +++ b/business/azure/azure-privatelink/connect-to-platform.mdx 
@@ -4,22 +4,6 @@ sidebarTitle: Connecting to the Unstructured Platform --- This section outlines the information required for your applications to access the Unstructured Platform (UI and API). -### Goal - -Create and configure the Azure networking components required for Customer applications to access the Unstructured Platform (UI and API) over Azure Private Link. - -### To complete this task - -- **Unstructured** provides the Private Link service resource ID, alias, and Azure Region where the service is hosted. -- **Customer** provides the Azure subscription, Region, virtual network, subnet, and resource group details needed for setup, and creates the private endpoint in the Customer virtual network (VNet). - -### References - -- [Quickstart: Create a private endpoint - Azure portal](https://learn.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal?tabs=dynamic-ip) - Use this to create the private endpoint in your virtual network for access to the Unstructured Private Link service. -- [Manage Azure private endpoints](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint) - Use this to review private endpoint connection states and management options, including approval workflows. -- [Approve private endpoint connections across subscriptions](https://learn.microsoft.com/en-us/azure/private-link/how-to-approve-private-link-cross-subscription) - Use this if the private endpoint approval flow spans separate Azure subscriptions. - - ### Required Azure identifier information The following table lists the information required to configure access to the Unstructured Platform over Azure Private Link. diff --git a/business/azure/azure-privatelink/dns-privatelink.mdx b/business/azure/azure-privatelink/dns-privatelink.mdx index ec55b234..bec88ba9 100644 --- a/business/azure/azure-privatelink/dns-privatelink.mdx +++ b/business/azure/azure-privatelink/dns-privatelink.mdx 
@@ -6,21 +6,6 @@ sidebarTitle: DNS for Private Link To access the dedicated instance over Azure Private Link, you must configure DNS so the service hostname resolves to your private endpoint's private IP address. -### Goal - -Configure Azure DNS so the Unstructured service hostname resolves to the private IP address of your private endpoint. - -### To complete this task - -- **Unstructured** provides the service hostname for the Unstructured Platform. -- **Customer** configures Azure DNS so that the service hostname resolves to the private IP address of the private endpoint. - -### References - -- [Azure Private Endpoint private DNS zone values](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns) - Use this to identify the recommended private DNS zone pattern for private endpoint name resolution. -- [Azure Private Endpoint DNS Integration Scenarios](https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns-integration) - Use this to understand how private DNS resolution works across VNets, peered networks, and hybrid environments. -- [What is a virtual network link subresource of Azure DNS private zones](https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links) - Use this to link your private DNS zone to the VNets that need to resolve the service hostname. - Because TLS is terminated using a provider-managed certificate, clients must connect using the exact service hostname provided. However, DNS resolution must direct that hostname to a private IP inside your network, as follows: diff --git a/business/azure/azure-privatelink/onboarding-di-pl.mdx b/business/azure/azure-privatelink/onboarding-di-pl.mdx index bd5485d0..a5eec34e 100644 --- a/business/azure/azure-privatelink/onboarding-di-pl.mdx +++ b/business/azure/azure-privatelink/onboarding-di-pl.mdx 
@@ -43,7 +43,7 @@ This onboarding workflow covers two connectivity paths: | 5 | Customer | Share the required Azure resource details with Unstructured. | | 6 | Unstructured | Create the required private endpoints from the Unstructured-managed environment. | | 7 | Customer | Approve the pending private endpoint connection requests in Azure. | -| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform. | +| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform.
See [Connecting to the Unstructured Platform (UI and API)](/business/azure/azure-privatelink/connect-to-platform) for the required platform access details. | ## Detailed onboarding steps Use the following steps to prepare the deployment and configure Azure Private Link connectivity. 
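Review bot: the rewritten step 8 row breaks the table, because the cell text continues onto a second line ("See [Connecting to the Unstructured Platform (UI and API)]... for the required platform access details. |") without a leading `|`; MDX tables do not support multi-line cells, so the row will render as stray text. Keep the sentence on the same line as the rest of the cell, or drop the link below the table as a short "For the required platform access details, see ..." line.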
@@ -90,12 +90,21 @@ For more information, see [Connecting to the Unstructured Platform (UI and API)] Provide Unstructured with the Azure resource details required for the connection. Depending on the service type, this can include subscription IDs, resource group names, resource IDs, Private Link service resource IDs, sub-resource types, and supported regions. ### Step 6: Approve the private endpoint connection requests -After Unstructured creates the required private endpoints from the Unstructured-managed environment, approve the pending private endpoint connection requests in Azure. +After you share the resource details, Unstructured creates the required private endpoints from the Unstructured-managed environment. + + +### Step 7: Approve the pending private endpoint connection requests in Azure. +After Unstructured creates the required private endpoints, it sends a connection request. Approve the requests as soon as possible to avoid delays in the deployment process. You can approve the requests in the Azure portal under the target resource's **Networking** settings, or by using Azure CLI where applicable. +### Step 8: Complete deployment and enable platform access +After the private connectivity steps are complete, Unstructured finishes the Dedicated Instance deployment and enables Customer access to the Unstructured platform UI and API. + +For the required platform access details, see [Connecting to the Unstructured Platform (UI and API)](/business/azure/azure-privatelink/connect-to-platform). + ## Questions? Need help? If you have questions or need help as you go, contact your Unstructured sales representative or technical enablement contact. If you do not know who they are, email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io), and a member of the Unstructured sales or technical enablement teams will get back to you as soon as possible. 
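Review bot: the unchanged "### Step 6: Approve the private endpoint connection requests" heading no longer matches its body, which now says "After you share the resource details, Unstructured creates the required private endpoints"; rename the heading to something like "### Step 6: Unstructured creates the private endpoints" so the approval action lives only under the new Step 7. Also, the new "### Step 7 ... in Azure." heading ends with a period while "### Step 8: Complete deployment and enable platform access" does not; pick one style for the step headings.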
diff --git a/business/azure/overview.mdx b/business/azure/overview.mdx index 9a6e6248..c050540d 100644 --- a/business/azure/overview.mdx +++ b/business/azure/overview.mdx @@ -1,5 +1,5 @@ --- -title: Unstructured Business in-VPC on Azure - overview +title: Unstructured Business on Microsoft Azure (Azure) sidebarTitle: Overview --- From ef80176559870a7ebbfcd8b7992794fe0c510412 Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Sat, 28 Mar 2026 03:12:47 -0400 Subject: [PATCH 27/29] Revised Onboarding steps for AWS and Azure. Also checked formatting consistencies. --- .../aws-privatelink/connect-to-services.mdx | 64 ++++-------- .../aws/aws-privatelink/connector-support.mdx | 6 +- .../aws/aws-privatelink/dns-configuration.mdx | 2 +- .../aws/aws-privatelink/onboarding-di-pl.mdx | 97 ++++++++++--------- business/aws/onboarding-in-vpc.mdx | 2 +- .../azure-privatelink/connect-to-services.mdx | 16 ++- .../azure-privatelink/connector-support.mdx | 6 +- .../azure-privatelink/dns-privatelink.mdx | 14 +-- .../azure-privatelink/onboarding-di-pl.mdx | 85 ++++++++-------- business/azure/onboarding-in-vpc.mdx | 3 + business/dedicated-instances/architecture.mdx | 2 +- business/dedicated-instances/overview.mdx | 20 ++-- business/dedicated-instances/requirements.mdx | 2 +- .../security/security-faq.mdx | 8 +- .../security/security-model.mdx | 6 +- .../security/shared-responsibility-model.mdx | 38 ++++---- docs.json | 8 +- 17 files changed, 180 insertions(+), 199 deletions(-) diff --git a/business/aws/aws-privatelink/connect-to-services.mdx b/business/aws/aws-privatelink/connect-to-services.mdx index 7b31bf23..ab78dd36 100644 --- a/business/aws/aws-privatelink/connect-to-services.mdx +++ b/business/aws/aws-privatelink/connect-to-services.mdx 
@@ -3,13 +3,17 @@ title: Connecting to your AWS services sidebarTitle: Connecting to your AWS services --- -This section describes the AWS service information required for your Dedicated Instance to reach AWS services in your VPC. The sections below cover **AWS managed services**, **AWS Managed Services with native PrivateLink**, and **Customer Managed Services (AWS) or AWS Services with NLB**. +This section describes the AWS service information required for your dedicated instance to reach AWS services in your VPC. The sections below cover **AWS managed services**, **AWS Managed Services with native PrivateLink**, and **Customer Managed Services (AWS) or AWS Services with NLB**. ## AWS managed services This section covers AWS-managed services that Unstructured can access using AWS-native private networking features, without requiring you to create a customer-managed endpoint service or Network Load Balancer. -### AWS S3 (Gateway Endpoint) + +The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. + + +### AWS S3 (gateway endpoint) | Order | Information Required | Description | Example | Owner | @@ -116,7 +120,7 @@ Replace: --- -### AWS MSK (Kafka) +### Amazon Managed Streaming for Apache Kafka (MSK) Amazon MSK supports native multi-VPC private connectivity via PrivateLink. This enables Unstructured to connect to the customer’s MSK cluster (as a Kafka source) entirely within the AWS private network. You must have an MSK cluster with **Multi-VPC Connectivity** enabled. @@ -179,7 +183,7 @@ Replace: --- -### AWS OpenSearch Service +### Amazon OpenSearch Service Amazon OpenSearch Service supports native Interface VPC Endpoints. Unstructured creates a VPC endpoint in our VPC targeting the customer’s OpenSearch domain. 
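Review bot: the added note "The **Order** column indicates the general sequence for the information exchange..." is pasted verbatim into this file three times (here and again in the @@ -353 and @@ -416 hunks) and twice more in the Azure connect-to-services file in this same patch; a shared MDX snippet would keep the wording in sync. Separately, the renamed heading "### AWS S3 (gateway endpoint)" keeps "AWS" while the neighbouring headings in this hunk are corrected to the product names ("Amazon Managed Streaming for Apache Kafka (MSK)", "Amazon OpenSearch Service"); "Amazon S3 (gateway endpoint)" would match.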
@@ -226,9 +230,9 @@ Replace: ### AWS OpenSearch Serverless - + OpenSearch Serverless uses a fundamentally different access model compared to OpenSearch Service. It does not use resource-based access policies. Instead, access is controlled through **data access policies** and **network access policies** tied to VPC endpoints. - +
| Order | Information Required | Description | Example | Owner | 
@@ -353,50 +357,17 @@ Replace: For ACCOUNT level access, no explicit endpoint allowlisting is required — any VPC endpoint registered in the Databricks account can connect. ---- - -??Question: Do we ommmit all of the Snowflake section or mention any limitations? - -### ~~Snowflake on AWS~~ - -~~Snowflake supports AWS PrivateLink via Snowflake’s native Private Link feature. This is available for Snowflake accounts hosted on AWS. The customer must have a **Business Critical** or higher Snowflake edition to use Private Link.~~ - -| Order | Information Required | Description | Example | Owner | -| --- | --- | --- | --- | --- | -| 1 | Snowflake Account Identifier | The Snowflake account identifier | `myorg-myaccount` | Customer | -| 1 | Snowflake Account Region | AWS region where account is hosted | `us-east-1` | Customer | -| 2 | Unstructured AWS Account ID | AWS Account ID to authorize for Private Link | `987654321098` | Unstructured | -| 3 | Snowflake Private Link URL | Private Link hostname after enablement | `myorg-myaccount.privatelink.snowflakecomputing.com` | Customer | -| 3 | Snowflake VPC Endpoint Service Name | The service name for Snowflake’s endpoint service | `com.amazonaws.vpce.us-east-1.vpce-svc-0abc123` | Customer | - -**~~Enabling Snowflake Private Link~~** - -1. ~~Contact Snowflake Support or your Snowflake account representative to enable Private Link for your account and authorize Unstructured’s AWS Account ID.~~ -2. ~~Once enabled, retrieve the Private Link configuration:~~ - -```sql -SELECT SYSTEM$GET_PRIVATELINK_CONFIG(); -``` - -~~This returns the VPC Endpoint Service name and private hostname that Unstructured will need.~~ - -1. ~~Share the output with Unstructured via a support ticket. Unstructured will create a VPC endpoint and provide the VPC Endpoint ID.~~ -2. 
~~Authorize Unstructured’s VPC Endpoint in Snowflake:~~ - -```sql -SELECT SYSTEM$AUTHORIZE_PRIVATELINK('', ''); -``` - -~~Replace: -- `` — Unstructured’s AWS Account ID (provided during setup). -- `` — VPC Endpoint ID provided by Unstructured.~~ - --- ## AWS Managed Services with native PrivateLink Some AWS managed services support native PrivateLink endpoints. You must first create a VPC endpoint for the service. Unstructured then connects to it. This pattern applies to services like **Amazon ElastiCache (Redis)** and **AWS Elasticsearch Service (legacy)**. + +The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. + + + | Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Service Type | The AWS Service being accessed | `ElastiCache`, `Elasticsearch` | Customer | @@ -416,6 +387,11 @@ This information applies to: - Applications that your organization is **self-hosting** in your AWS VPC (e.g., Elasticsearch, MongoDB, Couchbase). - AWS services that do **not** have native PrivateLink support and require an NLB front-end, such as **Amazon RDS, Aurora, Redshift, DocumentDB**. + +The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. + + + | Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Service Type | The service being accessed | `PostgreSQL (RDS)`, `MongoDB`, `Elasticsearch` | Customer | diff --git a/business/aws/aws-privatelink/connector-support.mdx b/business/aws/aws-privatelink/connector-support.mdx index 5dfb0864..ccff53fd 100644 --- a/business/aws/aws-privatelink/connector-support.mdx +++ b/business/aws/aws-privatelink/connector-support.mdx 
@@ -3,11 +3,7 @@ title: Connector support for AWS PrivateLink sidebarTitle: Connector support --- -The following table summarizes connector support for private connectivity on AWS. For each connector, it shows: - -- Whether private connectivity is supported -- Which AWS components are involved -- Where to find detailed configuration information +Not all Unstructured platform connectors support AWS PrivateLink. The following table summarizes support and configuration for each connector in a dedicated instance deployment. | Connector | Private connectivity supported | Approach | Configuration details | | --- | :---: | --- | --- | diff --git a/business/aws/aws-privatelink/dns-configuration.mdx b/business/aws/aws-privatelink/dns-configuration.mdx index f293f6f3..b1dd1e82 100644 --- a/business/aws/aws-privatelink/dns-configuration.mdx +++ b/business/aws/aws-privatelink/dns-configuration.mdx @@ -3,7 +3,7 @@ title: DNS configuration for PrivateLink access sidebarTitle: DNS configuration --- -To access the Dedicated Instance over PrivateLink, DNS must be configured so the service hostname resolves to the private IPs of the VPC Endpoint. Clients must connect using the exact service hostname provided, because TLS is terminated using a provider-managed certificate. +To access the dedicated instance over PrivateLink, DNS must be configured so the service hostname resolves to the private IPs of the VPC Endpoint. Clients must connect using the exact service hostname provided, because TLS is terminated using a provider-managed certificate. ### Option 1: Enable Private DNS on the VPC Endpoint (Recommended) diff --git a/business/aws/aws-privatelink/onboarding-di-pl.mdx b/business/aws/aws-privatelink/onboarding-di-pl.mdx index 4a28a1b3..5ba98968 100644 --- a/business/aws/aws-privatelink/onboarding-di-pl.mdx +++ b/business/aws/aws-privatelink/onboarding-di-pl.mdx 
@@ -1,5 +1,5 @@ --- -title: Onboarding Dedicated Instance + AWS PrivateLink +title: Onboarding your dedicated instance + AWS PrivateLink sidebarTitle: Onboarding --- 
@@ -18,58 +18,56 @@ The next steps are to provision the required environment resources and, optional - **Without AWS PrivateLink:** 2–3 days -Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. +Times are subject to customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. -## References to help you onboard -The following references can provide background or more detail to help you onboard: - -- [Dedicated instance concepts](/business/dedicated-instances/overview) -- [Create an endpoint service powered by AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) -- [Configure an AWS PrivateLink endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html) - ## High-level onboarding process This onboarding workflow covers two connectivity paths: - Customer access to the Unstructured platform UI and API -- Unstructured access to supported Customer-managed AWS services over AWS PrivateLink +- Unstructured access to supported customer-managed AWS services over AWS PrivateLink | Step | Owner | Action | | :---: | --- | --- | -| 1 | Customer | Provide the information required to provision the Dedicated Instance in AWS. | -| 2 | Customer | Confirm that the selected AWS Region is supported. | -| 3 | Customer and Unstructured | Exchange private connectivity details through a support ticket. | -| 4 | Customer | Create an AWS PrivateLink endpoint service for supported Customer-managed AWS services. | -| 5 | Customer | Share the endpoint service name and supported Availability Zones with Unstructured. | -| 6 | Unstructured | Configure connectivity from the Unstructured-managed environment to the Customer-managed AWS service. 
| -| 7 | Customer | Accept the endpoint connection request from Unstructured. | -| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform.
See [Connecting to the Unstructured Platform (UI and API)](/business/aws/aws-privatelink/connect-to-platform) for the required platform access details. | +| 1 | Customer | Provide Unstructured the AWS region where you want the dedicated instance deployed, along with the other information required to provision it. | +| 2 | Unstructured | Unstructured begins creating the dedicated instance deployment in that AWS Region. | +| 3 | Customer | In your AWS account, create an AWS PrivateLink endpoint service. | +| 4 | Customer | Provide Unstructured the endpoint service name and the supported Availability Zones for that service in the selected AWS Region. | +| 5 | Unstructured | Unstructured configures connectivity from the Unstructured-managed environment to your endpoint service. Unstructured will then send you an endpoint connection request. | +| 6 | Customer | Accept the endpoint connection request from Unstructured. | + + +**Next steps** + +After you complete these steps, Unstructured works with you to complete the remaining configuration for platform access, connectivity, and required permissions. For more information about the overall architecture, see [Dedicated instance concepts](/business/dedicated-instances/overview). + ## Detailed onboarding steps Use the following steps to prepare the deployment and configure AWS PrivateLink connectivity. ### Step 1: Provide provisioning information -Provide your Unstructured sales representative or technical enablement contact with the following information. Unstructured uses this information to begin provisioning your Dedicated Instance in the selected AWS Region. +Provide the following information to Unstructured to begin provisioning the dedicated instance in the selected AWS Region. 
- + | Information Required | Description | | --- | --- | -| Name of Administrator | Primary administrator of the account (others can be added later) | +| Name of administrator | Primary administrator of the account (others can be added later) | | Admin email address | Email address of the primary administrator | | Cloud provider | AWS | -| Cloud Region | See the expandable list of **AWS Supported Regions** on this page | +| Cloud Region | See the expandable list of AWS Regions on this page | | Desired URL | `.privatelink.unstructuredapp.io` | | VLM provider | Anthropic, Bedrock, OpenAI, Azure OpenAI, etc. | | VLM models | For example, Claude Sonnet 4.5, GPT-4o, or Gemini 2.0 Flash | | Embedding models | For example, Titan or Granite. Ensure that you select the correct dimensions. | - -Do not send API keys by email or through collaboration tools. Unstructured provides a secure method for sharing secrets. - + +Use a support ticket for all private connectivity configuration data exchanges. This provides the required audit trail for sensitive configuration information. + +Open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. + -### Step 2: Confirm the AWS Region -Review the supported AWS Regions for Dedicated Instance deployments. +Expand to see the supported AWS Regions for dedicated instance deployments. | Region Name | Region Code | 
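Review bot: this hunk removes the secrets-handling guidance "Do not send API keys by email or through collaboration tools. Unstructured provides a secure method for sharing secrets." from Step 1 and replaces it only with the support-ticket instruction, yet the Step 1 table still asks for VLM providers and embedding models, which implies provider credentials will follow. A support ticket gives an audit trail for connectivity identifiers; it is not a channel for API keys, so keep the secrets note alongside the ticket note. Minor: the new rows "| 2 | Unstructured | Unstructured begins creating ..." and "| 5 | Unstructured | Unstructured configures ..." repeat the Owner in the Action column; the other rows do not.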
@@ -83,43 +81,46 @@ Review the supported AWS Regions for Dedicated Instance deployments. | Asia Pacific (Sydney) | `ap-southeast-2` | | Asia Pacific (Mumbai) | `ap-south-1` | | Asia Pacific (Seoul) | `ap-northeast-2` | - -If your required Region is not listed above, contact your Unstructured account representative. -### Step 3: Exchange private connectivity information -All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted through support tickets. This provides a documented audit trail for account IDs, VPC endpoint service names, IAM role ARNs, and other sensitive configuration details. +If your required AWS Region is not listed above, contact your Unstructured account representative. - -To start the private connectivity process, open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. A technical enablement engineer will guide you through the remaining steps. - +### Step 2: Unstructured begins provisioning the dedicated instance in the selected AWS Region. -### Step 4: Create an AWS PrivateLink endpoint service -In your AWS account, create an endpoint service powered by AWS PrivateLink in the same AWS Region that you provided to Unstructured. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) +### Step 3: Create an AWS PrivateLink endpoint service. +In your AWS account, create an AWS PrivateLink endpoint service in the same AWS Region that you provided to Unstructured. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). In AWS terminology, you are the _service provider_ and Unstructured is the _service consumer_. -### Step 5: Share the endpoint service details -Provide Unstructured with the endpoint service name and the supported Availability Zones for that service in the selected AWS Region. 
[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service) + +### Step 4: Provide Unstructured with the endpoint service information. + +As the service provider, you must provide Unstructured with your endpoint service name and the supported Availability Zones for that service in the selected AWS Region. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#share-endpoint-service). For example: `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc` -### Step 6: Unstructured configures connectivity to the Customer-managed service -After you share the endpoint service details, Unstructured configures connectivity from the Unstructured-managed environment to the Customer-managed AWS service. + +Use a support ticket for all private connectivity configuration data exchanges. This provides the required audit trail for sensitive configuration information. + +Open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. + -No action is required from the Customer during this step unless Unstructured requests clarification. +### Step 5: Unstructured configures connectivity to your endpoint service and sends an endpoint connection request. +As the service consumer, Unstructured creates a related endpoint in its own AWS account in the same AWS Region. -### Step 7: Accept the endpoint connection request -After Unstructured completes the configuration, Unstructured sends an endpoint connection request. +Unstructured then sends an endpoint connection request to complete the connection between the Unstructured-managed endpoint and your endpoint service. + +### Step 6: Accept the pending endpoint connection request +Accept the endpoint connection request as soon as possible to avoid delays in the deployment process. 
[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). -Accept the endpoint connection request as soon as possible to avoid delays in the deployment process. +## Remaining configuration +After you complete these steps, Unstructured works with you to complete the remaining configuration: -[Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests) +* Enable customer access to the Unstructured platform UI and API. +* Establish the connectivity and permissions required for the dedicated instance to access the target data sources. The required configuration depends on the services being accessed. The remaining sections in this topic describe how to complete it. -### Step 8: Complete deployment and enable platform access -After the private connectivity steps are complete, Unstructured finishes the Dedicated Instance deployment and enables Customer access to the Unstructured platform UI and API. +For general architecture information, see [Dedicated instance concepts](/business/dedicated-instances/overview). -For the required platform access details, see [Connecting to the Unstructured Platform (UI and API)](/business/aws/aws-privatelink/connect-to-platform). ## Questions? Need help? diff --git a/business/aws/onboarding-in-vpc.mdx b/business/aws/onboarding-in-vpc.mdx index 50c790a1..ee5f6a5f 100644 --- a/business/aws/onboarding-in-vpc.mdx +++ b/business/aws/onboarding-in-vpc.mdx @@ -10,7 +10,7 @@ sidebarTitle: Onboarding in-VPC or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). For dedicated instance deployments of Unstructured Business that also use PrivateLink, see - the [onboarding process for AWS PrivateLink](/business/aws/dedicated-instance-privatelink). + the [onboarding process for AWS PrivateLink](/business/aws/aws-privatelink/onboarding-di-pl).
After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index 2e6b220a..5f1cb470 100644 --- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx @@ -3,12 +3,16 @@ title: Connecting to your Azure services sidebarTitle: Connecting to your Azure services --- -This section describes the Azure service information required for your Dedicated Instance to reach Azure data sources and APIs over Private Link or private endpoints. The sections below cover **Azure managed services** and **customer-managed workloads** exposed through a **Private Link service** and **Azure Standard Load Balancer**. +This section describes the Azure service information required for your dedicated instance to reach Azure data sources and APIs over Private Link or private endpoints. The sections below cover **Azure managed services** and **customer-managed workloads** exposed through a **Private Link service** and **Azure Standard Load Balancer**. ## Azure managed services This section covers Azure-managed services that have service-specific private connectivity requirements. Unlike the later **Azure Managed Services** with **private endpoint access** section, these services require service-specific configuration details or additional access controls. It does not cover **Customer-managed services** exposed through a **Private Link service**. + +The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. + + ### Azure Blob Storage This applies to Azure Blob Storage and Azure Data Lake Storage Gen2 (ADLS Gen2). 
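Review bot: in the aws-privatelink/onboarding-di-pl.mdx hunk @@ -83,43 +81,46 @@, the new "Remaining configuration" section says "The remaining sections in this topic describe how to complete it", but the deleted Step 8 was this page's only pointer to the platform-access details, and the data-source configuration lives on the separate connect-to-services page. Restore the link to [Connecting to the Unstructured Platform (UI and API)](/business/aws/aws-privatelink/connect-to-platform) and point readers to the services page instead of "the remaining sections in this topic". Also, "### Step 2: Unstructured begins provisioning ... Region." is a heading with no body, and the Step 2, 3, 4 and 5 headings end with a period while Step 6 does not.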
@@ -125,6 +129,10 @@ Replace: This section applies to Azure Managed Services that support private endpoint access, including: **Azure AI Search, Azure SQL Database, Azure SQL Managed Instance, Azure Cosmos DB, Azure Database for PostgreSQL, Azure Database for MySQL,** and **Azure Synapse Analytics**. + +The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. + + | Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Service Type | The Azure managed service being accessed | `Azure AI Search`, `Azure SQL` | Customer | @@ -151,10 +159,14 @@ This section applies to Azure Managed Services that support private endpoint acc --- -## Customer Managed Services (Azure) +## Customer Managed Services This section applies to applications that your organization hosts in your Azure virtual network. Create a **Private Link service** in front of your application, backed by an Azure Standard Load Balancer. + +The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. + + | Order | Information Required | Description | Example | Owner | | --- | --- | --- | --- | --- | | 1 | Private Link Service Name | Name of your Private Link service | `customer-app-pls` | Customer | diff --git a/business/azure/azure-privatelink/connector-support.mdx b/business/azure/azure-privatelink/connector-support.mdx index 4631cda2..e066ab0c 100644 --- a/business/azure/azure-privatelink/connector-support.mdx +++ b/business/azure/azure-privatelink/connector-support.mdx 
@@ -3,11 +3,7 @@ title: Connector support for Azure Private Link sidebarTitle: Connector support --- -The following table provides a list of connectors to AWS services and includes the following information for each: - -- Whether the connector supports Azure Private Link -- Which Azure components are involved -- A reference for detailed configuration information +The following table summarizes support and configuration for each connector in a dedicated instance deployment. ### Azure Connector Coverage diff --git a/business/azure/azure-privatelink/dns-privatelink.mdx b/business/azure/azure-privatelink/dns-privatelink.mdx index bec88ba9..576f69cc 100644 --- a/business/azure/azure-privatelink/dns-privatelink.mdx +++ b/business/azure/azure-privatelink/dns-privatelink.mdx 
@@ -3,20 +3,14 @@ title: DNS configuration for Private Link access sidebarTitle: DNS for Private Link --- -To access the dedicated instance over Azure Private Link, you must configure DNS so the service hostname resolves to your -private endpoint's private IP address. - -Because TLS is terminated using a provider-managed certificate, clients must connect using the exact service hostname provided. -However, DNS resolution must direct that hostname to a private IP inside your network, as follows: +To access the dedicated instance over Azure Private Link, you must configure DNS so the service hostname resolves to your private endpoint's private IP address. 1. Create a private DNS zone that matches the service hostname. - For example, if the service hostname is `example.privatelink.unstructuredapp.io`, the private DNS zone would be - `privatelink.unstructuredapp.io`. + For example, if the service hostname is `example.privatelink.unstructuredapp.io`, the private DNS zone would be `privatelink.unstructuredapp.io`. -2. Add a DNS record for the service hostname: create an A record for the full service hostname that points to the private IP address - of your private endpoint. +2. Create an A record for the full service hostname pointing to the private IP of your Private Endpoint: For example, `example.privatelink.unstructuredapp.io` would point to `10.12.34.56`. -3. Link the DNS zone to your Azure Virtual Networks (VNets): ensure the private DNS zone is linked to the VNets where clients will access the service. +3. Link the Private DNS Zone to the VNet(s) where clients will access the service. diff --git a/business/azure/azure-privatelink/onboarding-di-pl.mdx b/business/azure/azure-privatelink/onboarding-di-pl.mdx index a5eec34e..09818e60 100644 --- a/business/azure/azure-privatelink/onboarding-di-pl.mdx +++ b/business/azure/azure-privatelink/onboarding-di-pl.mdx 
@@ -18,40 +18,37 @@ The next steps are to provision the required environment resources and, optional - **Without Azure Private Link:** 2–3 days -Times are subject to Customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. +Times are subject to customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. -## References to help you onboard -The following references can provide background or more detail to help you onboard: -* [Dedicated instance concepts](/business/dedicated-instances/overview) -* [Quickstart: Create a Private Link service by using the Azure portal](https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal) -* [Manage Azure private endpoints](https://learn.microsoft.com/en-us/azure/private-link/manage-private-endpoint) -* [What is Azure Private Link service?](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview) - ## High-level onboarding process This onboarding workflow covers two connectivity paths: - Customer access to the Unstructured platform UI and API -- Unstructured access to supported Customer-managed Azure services over Azure Private Link +- Unstructured access to supported customer-managed Azure services over Azure Private Link | Step | Owner | Action | | :---: | --- | --- | -| 1 | Customer | Provide the information required to provision the Dedicated Instance in Azure. | -| 2 | Customer | Confirm that the selected Azure Region is supported. | -| 3 | Customer and Unstructured | Exchange private connectivity details through a support ticket. | -| 4 | Customer | Prepare Azure resources for private connectivity. This can include enabling private endpoint access on Azure managed services or creating a Private Link service for Customer-managed services. 
| -| 5 | Customer | Share the required Azure resource details with Unstructured. | -| 6 | Unstructured | Create the required private endpoints from the Unstructured-managed environment. | -| 7 | Customer | Approve the pending private endpoint connection requests in Azure. | -| 8 | Unstructured | Complete the Dedicated Instance deployment and enable customer access to the Unstructured platform.
See [Connecting to the Unstructured Platform (UI and API)](/business/azure/azure-privatelink/connect-to-platform) for the required platform access details. | +| 1 | Customer | Provide Unstructured the Azure region where you want the dedicated instance deployed, along with the other information required to provision it.| +| 2 | Unstructured | Unstructured begins creating the dedicated instance deployment in that Azure region. | +| 3 | Customer | Prepare Azure resources for private connectivity.| +| 4 | Customer | Provide Unstructured with the Private Link Service connection information. | +| 5 | Unstructured | Unstructured configures connectivity from the Unstructured-managed environment to your endpoint service. Unstructured will then send you an endpoint connection request.| +| 6 | Customer | Approve the pending private endpoint connection requests in Azure.| + + +**Next steps** + +After you complete these steps, Unstructured works with you to complete the remaining configuration for platform access, connectivity, and required permissions. For more information about the overall architecture, see [Dedicated instance concepts](/business/dedicated-instances/overview). + ## Detailed onboarding steps Use the following steps to prepare the deployment and configure Azure Private Link connectivity. ### Step 1: Provide provisioning information -Provide your Unstructured sales representative or technical enablement contact with the following information. Unstructured uses this information to begin provisioning your Dedicated Instance in the selected Azure Region. +Provide the following information to Unstructured to begin provisioning the dedicated instance in the selected Azure region. - + | Information Required | Description | | --- | --- | | Name of Administrator | Primary administrator of the account (others can be added later) | 
@@ -64,46 +61,46 @@ Provide your Unstructured sales representative or technical enablement contact w | Embedding models | For example, Titan or Granite. Ensure that you select the correct dimensions. | - -Do not send API keys by email or through collaboration tools. Unstructured provides a secure method for sharing secrets. - + +Use a support ticket for all private connectivity configuration data exchanges. This provides the required audit trail for sensitive configuration information. -### Step 2: Confirm the Azure Region -Confirm with your Unstructured account representative that the selected Azure Region is supported for Dedicated Instance deployment. +Open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. + -### Step 3: Exchange private connectivity information -All private connectivity configuration data exchanges between the Customer and Unstructured must be conducted through support tickets. This provides a documented audit trail for subscription IDs, Private Link service resource IDs, service principal IDs, resource group names, and other sensitive configuration details. +### Step 2: Unstructured begins creating the dedicated instance deployment in that Azure region. - -To start the private connectivity process, open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. A technical enablement engineer will guide you through the remaining steps. - +### Step 3: Prepare Azure resources for private connectivity. +Create a Private Link service for customer-managed services. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview). 
Also see [Azure Private Link FQA](https://learn.microsoft.com/en-us/azure/private-link/private-link-faq) -### Step 4: Prepare Azure resources for private connectivity -If Unstructured must connect to supported services in your Azure environment, prepare the resources based on the service type: +In Azure terminology, you are the _service provider_ and Unstructured is the _service consumer_. -- For Azure managed services that support private endpoints, provide the resource IDs, sub-resource types, and other required service details. -- For Customer-managed services in your virtual network, create a **Private Link service** backed by an **Azure Standard Load Balancer**. +### Step 4: Provide Unstructured with the Private Link Service connection information. +As the service provider, you must provide Unstructured with the Private Link Service ID. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#share-your-service). -For more information, see [Connecting to the Unstructured Platform (UI and API)](/business/azure/azure-privatelink/connect-to-platform) and [Connecting to your Azure services](/business/azure/azure-privatelink/connect-to-services). + +Use a support ticket for all private connectivity configuration data exchanges. This provides the required audit trail for sensitive configuration information. -### Step 5: Share the Azure resource details -Provide Unstructured with the Azure resource details required for the connection. Depending on the service type, this can include subscription IDs, resource group names, resource IDs, Private Link service resource IDs, sub-resource types, and supported regions. +Open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. 
+ -### Step 6: Approve the private endpoint connection requests -After you share the resource details, Unstructured creates the required private endpoints from the Unstructured-managed environment. +### Step 5: Unstructured creates the required private endpoints to your Private Link service and sends an endpoint connection request. +As the service consumer, Unstructured creates the required private endpoints in its own Azure account in the same Azure region. +Unstructured then sends an endpoint connection request to complete the connection between the Unstructured-managed endpoint and your endpoint service. -### Step 7: Approve the pending private endpoint connection requests in Azure. -After Unstructured creates the required private endpoints, it sends a connection request. -Approve the requests as soon as possible to avoid delays in the deployment process. +### Step 6: Approve the pending private endpoint connection requests in Azure. +Approve the private endpoint connection as soon as possible to avoid delays in the deployment process. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/how-to-approve-private-link-cross-subscription). You can approve the requests in the Azure portal under the target resource's **Networking** settings, or by using Azure CLI where applicable. -### Step 8: Complete deployment and enable platform access -After the private connectivity steps are complete, Unstructured finishes the Dedicated Instance deployment and enables Customer access to the Unstructured platform UI and API. +## Remaining configuration +After you complete these steps, Unstructured works with you to complete the remaining configuration: + +* Enable customer access to the Unstructured platform UI and API. +* Establish the connectivity and permissions required for the dedicated instance to access the target data sources. The required configuration depends on the services being accessed. The remaining sections in this topic describe how to complete it. 
-For the required platform access details, see [Connecting to the Unstructured Platform (UI and API)](/business/azure/azure-privatelink/connect-to-platform). +For general architecture information, see [Dedicated instance concepts](/business/dedicated-instances/overview). ## Questions? Need help? diff --git a/business/azure/onboarding-in-vpc.mdx b/business/azure/onboarding-in-vpc.mdx index 6a84871d..84054418 100644 --- a/business/azure/onboarding-in-vpc.mdx +++ b/business/azure/onboarding-in-vpc.mdx @@ -8,6 +8,9 @@ sidebarTitle: Onboarding in-VPC For dedicated instance deployments of Unstructured Business, contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). + + For dedicated instance deployments of Unstructured Business that also use PrivateLink, see + the [onboarding process for Azure Private Link](/business/azure/azure-privatelink/onboarding-di-pl).
After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index 0902c779..bb9f710c 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx @@ -6,7 +6,7 @@ title: Architecture This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link.
-A **Dedicated Instance** is an isolated Unstructured deployment. When private connectivity is enabled, traffic between the Customer environment and Unstructured stays on private network paths instead of traversing the public internet. +A **dedicated instance** is an isolated Unstructured deployment. When private connectivity is enabled, traffic between the Customer environment and Unstructured stays on private network paths instead of traversing the public internet. ![Private connectivity traffic directions](/img/architecture/components-in-pl-cusomter-unstruc.png) diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 16a1cffd..7e9d2395 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
@@ -1,34 +1,34 @@ --- -title: Dedicated Instance concepts +title: Dedicated instance concepts sidebarTitle: Overview --- -A Dedicated Instance is a private, isolated deployment hosted by Unstructured for organizations that require stronger network boundaries, data isolation, and compliance controls. Using cloud-native infrastructure and private networking, Unstructured connects to your sources and processes your data within your trusted environment. +A dedicated instance is a private, isolated deployment hosted by Unstructured for organizations that require stronger network boundaries, data isolation, and compliance controls. Using cloud-native infrastructure and private networking, Unstructured connects to your sources and processes your data within your trusted environment. -Use this section to help your teams evaluate, secure, and implement a Dedicated Instance in the Unstructured platform. +Use this section to help your teams evaluate, secure, and implement a dedicated instance in the Unstructured platform. This section covers: -* How Dedicated Instances support stricter security and compliance requirements. +* How dedicated instances support stricter security and compliance requirements. * Key benefits and trade-offs. * Technical requirements for integrating with your cloud platform. ## Cloud service provider (CSP) support -Unstructured supports Dedicated Instances on Amazon Web Services (AWS) and Microsoft Azure (Azure). This section includes information for both cloud providers. +Unstructured supports dedicated instances on Amazon Web Services (AWS) and Microsoft Azure (Azure). This section includes information for both cloud providers. 
For provider-specific onboarding guidance, see: -* AWS — [Onboarding your Dedicated Instance + AWS PrivateLink](/business/aws/aws-privatelink/onboarding-di-pl) -* Azure — [Onboarding your Dedicated Instance + Azure Private Link](/business/azure/azure-privatelink/onboarding-di-pl) +* AWS — [Onboarding your dedicated instance + AWS PrivateLink](/business/aws/aws-privatelink/onboarding-di-pl) +* Azure — [Onboarding your dedicated instance + Azure Private Link](/business/azure/azure-privatelink/onboarding-di-pl) This section uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. -## Private connectivity for your Dedicated Instance +## Private connectivity for your dedicated instance -Both AWS and Azure let you privately connect your Virtual Private Cloud (VPC) or Virtual Network (VNet) to your Dedicated Instance on the Unstructured platform without traversing the public internet. +Both AWS and Azure let you privately connect your Virtual Private Cloud (VPC) or Virtual Network (VNet) to your dedicated instance on the Unstructured platform without traversing the public internet. Network filtering lets you block inbound and outbound internet traffic entirely or restrict it to specific IP addresses or CIDR ranges. 
@@ -40,5 +40,5 @@ Network filtering lets you block inbound and outbound internet traffic entirely - **Control and visibility** - Use private endpoints and private DNS to control traffic flow, enforce network-level access policies, and improve visibility into traffic paths and access patterns. -A Dedicated Instance is a regional service. It runs entirely in a single cloud region. Plan for data residency, failover design, and latency accordingly. Unstructured supports cross-region PrivateLink, but does not recommend it because of the additional data transfer costs. +A dedicated instance is a regional service. It runs entirely in a single cloud region. Plan for data residency, failover design, and latency accordingly. Unstructured supports cross-region PrivateLink, but does not recommend it because of the additional data transfer costs. diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx index 1c1e5f7a..b2bf2318 100644 --- a/business/dedicated-instances/requirements.mdx +++ b/business/dedicated-instances/requirements.mdx @@ -1,5 +1,5 @@ --- -title: Requirements and Limitations +title: Requirements and limitations --- diff --git a/business/dedicated-instances/security/security-faq.mdx b/business/dedicated-instances/security/security-faq.mdx index bc8fe5f9..e0196fef 100644 --- a/business/dedicated-instances/security/security-faq.mdx +++ b/business/dedicated-instances/security/security-faq.mdx 
@@ -7,12 +7,12 @@ This topic uses *private connectivity* as a general term for AWS PrivateLink and - - Yes. Each Dedicated Instance is single-tenant and logically isolated. It is not shared with other customers at the application or network level. + + Yes. Each dedicated instance is single-tenant and logically isolated. It is not shared with other customers at the application or network level. - By default, Dedicated Instances block public ingress and egress. When private connectivity is enabled, traffic between the Customer environment and Unstructured stays on cloud-provider private networking. Public ingress or egress can be enabled on request for specific use cases. For more information, see [Network access controls](/business/dedicated-instances/security/security-model#network-access-controls). + By default, dedicated instances block public ingress and egress. When private connectivity is enabled, traffic between the Customer environment and Unstructured stays on cloud-provider private networking. Public ingress or egress can be enabled on request for specific use cases. For more information, see [Network access controls](/business/dedicated-instances/security/security-model#network-access-controls). @@ -29,7 +29,7 @@ This topic uses *private connectivity* as a general term for AWS PrivateLink and - No. Customer data processed within a Dedicated Instance is not used to train models. + No. Customer data processed within a dedicated instance is not used to train models. diff --git a/business/dedicated-instances/security/security-model.mdx b/business/dedicated-instances/security/security-model.mdx index 68a60f98..390ca62f 100644 --- a/business/dedicated-instances/security/security-model.mdx +++ b/business/dedicated-instances/security/security-model.mdx 
@@ -7,7 +7,7 @@ This topic uses *private connectivity* as a general term for AWS PrivateLink and Dedicated Instances use a security model designed to protect your data across the network, infrastructure, and service layers. The architecture emphasizes data isolation, private connectivity, and controlled access to keep your data within trusted boundaries. -This page covers private connectivity, encryption, and network access controls for Dedicated Instances. +This page covers private connectivity, encryption, and network access controls for dedicated instances. ### Encryption @@ -21,7 +21,7 @@ Dedicated Instances use encryption in transit across external and internal servi ### Security without private connectivity (internet-facing mode) -Customers who deploy a Dedicated Instance without private connectivity access the Unstructured platform over the public internet via HTTPS. +Customers who deploy a dedicated instance without private connectivity access the Unstructured platform over the public internet via HTTPS. The following security measures and connectivity options apply: @@ -96,5 +96,5 @@ To request a public ingress configuration change, log a support ticket and provi - Expected access patterns. -Enabling public ingress or egress reduces the network isolation benefits of a Dedicated Instance. Unstructured recommends using private connectivity wherever possible. +Enabling public ingress or egress reduces the network isolation benefits of a dedicated instance. Unstructured recommends using private connectivity wherever possible. \ No newline at end of file diff --git a/business/dedicated-instances/security/shared-responsibility-model.mdx b/business/dedicated-instances/security/shared-responsibility-model.mdx index a85cf175..5fbcc14d 100644 --- a/business/dedicated-instances/security/shared-responsibility-model.mdx +++ b/business/dedicated-instances/security/shared-responsibility-model.mdx 
@@ -19,29 +19,31 @@ The second table covers traffic from Unstructured to Customer-managed data sourc **Customer → Unstructured (Access to the Unstructured UI and API)** | Responsibility | Customer | Unstructured | -| --- | :---: | :---: | -| VPC or VNet configuration | ✔ | | -| VPC endpoint or private endpoint creation | ✔ | | -| DNS configuration | ✔ | | -| Security group or Network Security Group rules | ✔ | | -| VPC endpoint service creation | | ✔ | -| Endpoint connection approval | | ✔ | -| Load balancer and target configuration | | ✔ | -| Platform security and certificate management | | ✔ | - +| --- | --- | --- | +| VPC / VNet Configuration | ✔ | | +| VPC Endpoint / Private Endpoint creation | ✔ | | +| DNS Configuration | ✔ | | +| Security Group / NSG Rules | ✔ | | +| VPC Endpoint Service Creation | | ✔ | +| Endpoint Connection Approval | | ✔ | +| Load Balancer and Target Configuration | | ✔ | +| Platform Security & Certificate Management | | ✔ | **Unstructured → Customer (Access to Customer-managed data sources)** | Responsibility | Customer | Unstructured | -| --- | :---: | :---: | -| VPC endpoint service creation | ✔ | | -| Load balancer and target configuration | ✔ | | -| Endpoint connection approval | ✔ | | -| Security group or Network Security Group rules | ✔ | | -| Bucket and container policies | ✔ | | -| VPC endpoint or private endpoint creation | | ✔ | -| DNS configuration | | ✔ | +| --- | --- | --- | +| VPC Endpoint / Private Endpoint Creation | | ✔ | +| DNS Configuration | | ✔ | +| Security Group / NSG Rules | ✔ | | +| VPC Endpoint Service Creation | ✔ | | +| Load Balancer and Target Configuration | ✔ | | +| Endpoint Connection Approval | ✔ | | +| Bucket / Container Policies | ✔ | | + + + Each party is responsible only for the cloud resources that it owns and operates. diff --git a/docs.json b/docs.json index 22c1286e..c090b4da 100644 --- a/docs.json +++ b/docs.json 
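Review bot: In `business/azure/azure-privatelink/connect-to-services.mdx`, the same paragraph ("The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage.") is inserted verbatim in three sections. State it once in the page intro, where it applies to every table below, rather than repeating it before each table; the first copy also lands under "## Azure managed services" ahead of the "### Azure Blob Storage" subsection rather than directly above a table. The retained sentence "Unlike the later **Azure Managed Services** with **private endpoint access** section" still uses Title Case for a section whose heading is sentence case.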
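Review bot: In `business/azure/azure-privatelink/connector-support.mdx`, the removed intro was wrong only in one word ("connectors to AWS services" on an Azure page); the replacement sentence "summarizes support and configuration for each connector" no longer tells the reader what the table's columns mean (whether the connector supports Azure Private Link, which Azure components are involved, where the detailed configuration lives). Suggest keeping the three bullets with "AWS" corrected to "Azure", since the heading "### Azure Connector Coverage" and the table still carry that structure.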
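Review bot: In `business/azure/azure-privatelink/dns-privatelink.mdx`, the hunk drops the sentence "Because TLS is terminated using a provider-managed certificate, clients must connect using the exact service hostname provided." That sentence is the reason the procedure works the way it does: the hostname must resolve to the private endpoint, but it must not be replaced by a customer-chosen name, because a client connecting under any other hostname (a CNAME alias, a custom DNS name) fails certificate validation against the provider-managed certificate. Suggest keeping it after the new intro sentence, for example "Clients must use the exact service hostname; TLS is terminated with a provider-managed certificate, so any other hostname fails certificate validation." Also, the new step 2 and step 3 text capitalizes "Private Endpoint" and "Private DNS Zone" while the intro and step 1 use "private endpoint" and "private DNS zone".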
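Review bot: In the `@@ -18,40 +18,37 @@` hunk of `business/azure/azure-privatelink/onboarding-di-pl.mdx`, step 5 of the new table says Unstructured configures connectivity "to your endpoint service"; "endpoint service" is the AWS PrivateLink term, while step 4 of the same table and the detailed steps call the Azure resource a Private Link service. Suggest "to your Private Link service." The removed step "Confirm that the selected Azure Region is supported" has no replacement; the AWS counterpart in this series keeps a supported-regions list with "If your required AWS Region is not listed above, contact your Unstructured account representative." Either add the equivalent list for Azure under Step 1 or keep a one-line instruction to confirm region support before provisioning starts.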
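Review bot: In the `@@ -64,46 +61,46 @@` hunk of `business/azure/azure-privatelink/onboarding-di-pl.mdx`, the warning "Do not send API keys by email or through collaboration tools. Unstructured provides a secure method for sharing secrets." is removed and the support-ticket instruction put in its place. The ticket instruction covers configuration identifiers (the removed Step 3 text lists subscription IDs, Private Link service resource IDs, service principal IDs, resource group names); it says nothing about credentials, and a reader can now reasonably paste an API key into the ticket. Suggest keeping the secret-handling warning next to the ticket instruction, or adding "Do not include API keys or other credentials in the ticket; Unstructured provides a separate secure channel for secrets." The identical ticket callout also appears twice in this hunk (under Step 1 and under Step 4); one occurrence is enough. Three smaller points in the same hunk: "Azure Private Link FQA" should be "FAQ"; the new Step 3 covers only "Create a Private Link service for customer-managed services", so the managed-services path that the removed Step 4 described ("provide the resource IDs, sub-resource types, and other required service details") and that `connect-to-services.mdx` still documents is no longer in the onboarding flow; and the closing link to "Connecting to the Unstructured Platform (UI and API)" is replaced by the architecture link even though the new "Remaining configuration" section still lists "Enable customer access to the Unstructured platform UI and API" as a step that needs those details.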
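Review bot: In `business/dedicated-instances/architecture.mdx`, the hunk lowercases "Dedicated Instance" but leaves "the Customer environment" capitalized in the same sentence, while other hunks in this patch move to lowercase "customer" ("Times are subject to customer infrastructure team availability"). The unchanged context line also references `/img/architecture/components-in-pl-cusomter-unstruc.png`; the path has a typo ("cusomter") and is worth renaming together with the file while this page is being edited.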
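Review bot: In `business/dedicated-instances/security/security-model.mdx`, the casing pass is incomplete: the hunks lowercase "for dedicated instances", "deploy a dedicated instance" and "benefits of a dedicated instance", but the unchanged context lines "Dedicated Instances use a security model designed to protect your data" and "Dedicated Instances use encryption in transit across external and internal servi..." keep the old capitalization on the same page. Extend the rename to those lines (and to the "\ No newline at end of file" case, add the trailing newline while touching the last line).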
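Review bot: In `business/dedicated-instances/security/shared-responsibility-model.mdx`, this hunk goes in the opposite casing direction from the rest of the patch: row labels move from sentence case ("VPC or VNet configuration", "Security group or Network Security Group rules") to Title Case with slashes and an ampersand ("VPC / VNet Configuration", "Platform Security & Certificate Management"), and the `:---:` alignment on the two check-mark columns is replaced by `---`, so the ✔ marks will render left-aligned under centered-looking headers. The second table's rows are also reordered so the Unstructured-owned rows ("VPC Endpoint / Private Endpoint Creation", "DNS Configuration") come first, while the first table still lists the Customer-owned rows first. Suggest keeping the `-` side of this hunk (sentence case, `:---:`) and using the same owner ordering in both tables; the responsibility assignments themselves are unchanged and look right (Unstructured approves connections to its own endpoint service, the customer approves connections to theirs).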
@@ -340,7 +340,7 @@ ] }, { - "group": "Dedicated Instance concepts", + "group": "Dedicated instance", "pages": [ "business/dedicated-instances/overview", "business/dedicated-instances/architecture", @@ -374,7 +374,7 @@ "group": "Microsoft Azure", "pages": [ "business/azure/overview", - { "group": "Onboarding Dedicated Instance + Azure Private Link", + { "group": "Onboarding Dedicated instance + Azure Private Link", "pages": [ "business/azure/azure-privatelink/onboarding-di-pl", "business/azure/azure-privatelink/connector-support", @@ -730,6 +730,10 @@ } }, "redirects": [ + { + "source": "/business/aws/dedicated-instance-privatelink", + "destination": "/business/aws/aws-privatelink/onboarding-di-pl" + }, { "source": "/api-reference/api-services/accessing-unstructured-api", "destination": "/api-reference/overview" From 8c4354a1d8f93594f1535b4f918fa772b098250a Mon Sep 17 00:00:00 2001 From: monica-unstructured Date: Sat, 28 Mar 2026 05:59:00 -0400 Subject: [PATCH 28/29] One more pass at tighteting wordin, realigned headings under Security, flattended FAQs. --- .../aws-privatelink/connect-to-services.mdx | 2 +- .../aws/aws-privatelink/onboarding-di-pl.mdx | 13 +-- .../azure-privatelink/connect-to-services.mdx | 4 +- .../azure-privatelink/onboarding-di-pl.mdx | 34 +++--- business/dedicated-instances/architecture.mdx | 2 +- business/dedicated-instances/overview.mdx | 2 +- business/dedicated-instances/requirements.mdx | 10 +- .../security/security-faq.mdx | 110 +++++++++++------- .../security/security-model.mdx | 16 ++- .../security/shared-responsibility-model.mdx | 19 +-- business/overview.mdx | 4 +- docs.json | 6 +- 12 files changed, 114 insertions(+), 108 deletions(-) diff --git a/business/aws/aws-privatelink/connect-to-services.mdx b/business/aws/aws-privatelink/connect-to-services.mdx index ab78dd36..24a44f29 100644 --- a/business/aws/aws-privatelink/connect-to-services.mdx +++ b/business/aws/aws-privatelink/connect-to-services.mdx 
@@ -3,7 +3,7 @@ title: Connecting to your AWS services sidebarTitle: Connecting to your AWS services --- -This section describes the AWS service information required for your dedicated instance to reach AWS services in your VPC. The sections below cover **AWS managed services**, **AWS Managed Services with native PrivateLink**, and **Customer Managed Services (AWS) or AWS Services with NLB**. +This section describes the information required for your dedicated instance to reach AWS services in your VPC. ## AWS managed services diff --git a/business/aws/aws-privatelink/onboarding-di-pl.mdx b/business/aws/aws-privatelink/onboarding-di-pl.mdx index 5ba98968..a79bf68b 100644 --- a/business/aws/aws-privatelink/onboarding-di-pl.mdx +++ b/business/aws/aws-privatelink/onboarding-di-pl.mdx @@ -22,10 +22,8 @@ Times are subject to customer infrastructure team availability. More complex int ## High-level onboarding process -This onboarding workflow covers two connectivity paths: -- Customer access to the Unstructured platform UI and API -- Unstructured access to supported customer-managed AWS services over AWS PrivateLink +Complete these steps with Unstructured to prepare the deployment and configure AWS PrivateLink connectivity in your AWS environment. | Step | Owner | Action | | :---: | --- | --- | @@ -39,7 +37,7 @@ This onboarding workflow covers two connectivity paths: **Next steps** -After you complete these steps, Unstructured works with you to complete the remaining configuration for platform access, connectivity, and required permissions. For more information about the overall architecture, see [Dedicated instance concepts](/business/dedicated-instances/overview). +After you complete these steps, Unstructured works with you to complete the remaining configuration for platform access, connectivity, and required permissions. For more information about the overall architecture, see [dedicated instance](/business/dedicated-instances/overview). ## Detailed onboarding steps 
@@ -86,6 +84,7 @@ Expand to see the supported AWS Regions for dedicated instance deployments. If your required AWS Region is not listed above, contact your Unstructured account representative. ### Step 2: Unstructured begins provisioning the dedicated instance in the selected AWS Region. +No action is required from you during this step unless Unstructured requests additional information. You can proceed to the next step. ### Step 3: Create an AWS PrivateLink endpoint service. In your AWS account, create an AWS PrivateLink endpoint service in the same AWS Region that you provided to Unstructured. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). @@ -114,12 +113,12 @@ Unstructured then sends an endpoint connection request to complete the connectio Accept the endpoint connection request as soon as possible to avoid delays in the deployment process. [Learn how](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). ## Remaining configuration -After you complete these steps, Unstructured works with you to complete the remaining configuration: +After the completion of these steps, Unstructured works with you to complete the remaining configuration: * Enable customer access to the Unstructured platform UI and API. -* Establish the connectivity and permissions required for the dedicated instance to access the target data sources. The required configuration depends on the services being accessed. The remaining sections in this topic describe how to complete it. +* Complete the connectivity and permissions required for the dedicated instance to access the target data sources. -For general architecture information, see [Dedicated instance concepts](/business/dedicated-instances/overview). +For general architecture information, see [dedicated instance](/business/dedicated-instances/overview). ## Questions? Need help? 
diff --git a/business/azure/azure-privatelink/connect-to-services.mdx b/business/azure/azure-privatelink/connect-to-services.mdx index 5f1cb470..de57f4a0 100644 --- a/business/azure/azure-privatelink/connect-to-services.mdx +++ b/business/azure/azure-privatelink/connect-to-services.mdx @@ -3,11 +3,11 @@ title: Connecting to your Azure services sidebarTitle: Connecting to your Azure services --- -This section describes the Azure service information required for your dedicated instance to reach Azure data sources and APIs over Private Link or private endpoints. The sections below cover **Azure managed services** and **customer-managed workloads** exposed through a **Private Link service** and **Azure Standard Load Balancer**. +This section describes the information required for your dedicated instance to reach Azure services in your Virtual Network. ## Azure managed services -This section covers Azure-managed services that have service-specific private connectivity requirements. Unlike the later **Azure Managed Services** with **private endpoint access** section, these services require service-specific configuration details or additional access controls. It does not cover **Customer-managed services** exposed through a **Private Link service**. +This section covers Azure-managed services that have service-specific private connectivity requirements. The **Order** column indicates the general sequence for the information exchange. Items with the same order value can usually be provided at the same stage. diff --git a/business/azure/azure-privatelink/onboarding-di-pl.mdx b/business/azure/azure-privatelink/onboarding-di-pl.mdx index 09818e60..094969e3 100644 --- a/business/azure/azure-privatelink/onboarding-di-pl.mdx +++ b/business/azure/azure-privatelink/onboarding-di-pl.mdx 
@@ -1,49 +1,46 @@ --- -title: Onboarding Dedicated Instance + Azure Private Link +title: Onboarding Dedicated Instance + Azure PrivateLink sidebarTitle: Onboarding --- - The following information applies only to dedicated instance deployments with Private Link for [Unstructured Business](/business/overview) on Azure. + The following information applies only to dedicated instance deployments with PrivateLink for [Unstructured Business](/business/overview) on Azure. - For dedicated instance deployments of Unstructured Business to Azure _without_ Private Link, contact your Unstructured sales representative, + For dedicated instance deployments of Unstructured Business to Azure _without_ PrivateLink, contact your Unstructured sales representative, or email Unstructured Sales at [sales@unstructured.io](mailto:sales@unstructured.io). After your organization has signed the **Business** account agreement with Unstructured, a member of the Unstructured technical enablement team will reach out to you to begin the **deployment onboarding process**. -The next steps are to provision the required environment resources and, optionally, establish private connectivity with Azure Private Link. Deployment is conducted remotely and can usually be completed within the following timeframes: +The next steps are to provision the required environment resources and, optionally, establish private connectivity with Azure PrivateLink. Deployment is conducted remotely and can usually be completed within the following timeframes: -- **With Azure Private Link:** 4–5 days -- **Without Azure Private Link:** 2–3 days +- **With Azure PrivateLink:** 4–5 days +- **Without Azure PrivateLink:** 2–3 days Times are subject to customer infrastructure team availability. More complex integrations (multiple connectors, custom models, etc.) will extend the deployment timeline. 
## High-level onboarding process -This onboarding workflow covers two connectivity paths: - -- Customer access to the Unstructured platform UI and API -- Unstructured access to supported customer-managed Azure services over Azure Private Link +This section provides a high-level summary of the steps required to prepare the deployment and configure private connectivity. | Step | Owner | Action | | :---: | --- | --- | | 1 | Customer | Provide Unstructured the Azure region where you want the dedicated instance deployed, along with the other information required to provision it.| | 2 | Unstructured | Unstructured begins creating the dedicated instance deployment in that Azure region. | | 3 | Customer | Prepare Azure resources for private connectivity.| -| 4 | Customer | Provide Unstructured with the Private Link Service connection information. | +| 4 | Customer | Provide Unstructured with the PrivateLink service connection information. | | 5 | Unstructured | Unstructured configures connectivity from the Unstructured-managed environment to your endpoint service. Unstructured will then send you an endpoint connection request.| | 6 | Customer | Approve the pending private endpoint connection requests in Azure.| **Next steps** -After you complete these steps, Unstructured works with you to complete the remaining configuration for platform access, connectivity, and required permissions. For more information about the overall architecture, see [Dedicated instance concepts](/business/dedicated-instances/overview). +After you complete these steps, Unstructured works with you to complete the remaining configuration for platform access, connectivity, and required permissions. For more information about the overall architecture, see [dedicated instance](/business/dedicated-instances/overview). ## Detailed onboarding steps -Use the following steps to prepare the deployment and configure Azure Private Link connectivity. 
+Use the following steps to prepare the deployment and configure Azure PrivateLink connectivity. ### Step 1: Provide provisioning information Provide the following information to Unstructured to begin provisioning the dedicated instance in the selected Azure region. 
@@ -68,14 +65,15 @@ Open a ticket in the [Unstructured Support Portal](https://support.unstructured. ### Step 2: Unstructured begins creating the dedicated instance deployment in that Azure region. +No action is required from you during this step unless Unstructured requests additional information. You can proceed to the next step. ### Step 3: Prepare Azure resources for private connectivity. -Create a Private Link service for customer-managed services. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview). Also see [Azure Private Link FQA](https://learn.microsoft.com/en-us/azure/private-link/private-link-faq) +Create a PrivateLink service for customer-managed services. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview). Also see [Azure PrivateLink FAQ](https://learn.microsoft.com/en-us/azure/private-link/private-link-faq) In Azure terminology, you are the _service provider_ and Unstructured is the _service consumer_. -### Step 4: Provide Unstructured with the Private Link Service connection information. -As the service provider, you must provide Unstructured with the Private Link Service ID. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#share-your-service). +### Step 4: Provide Unstructured with the PrivateLink service connection information. +As the service provider, you must provide Unstructured with the PrivateLink service ID. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview#share-your-service). Use a support ticket for all private connectivity configuration data exchanges. This provides the required audit trail for sensitive configuration information. 
@@ -83,7 +81,7 @@ Use a support ticket for all private connectivity configuration data exchanges. Open a ticket in the [Unstructured Support Portal](https://support.unstructured.io/) with the subject line **`PrivateLink Configuration Request — [Your Company Name]`**. -### Step 5: Unstructured creates the required private endpoints to your Private Link service and sends an endpoint connection request. +### Step 5: Unstructured creates the required private endpoints to your PrivateLink service and sends an endpoint connection request. As the service consumer, Unstructured creates the required private endpoints in its own Azure account in the same Azure region. Unstructured then sends an endpoint connection request to complete the connection between the Unstructured-managed endpoint and your endpoint service. @@ -100,7 +98,7 @@ After you complete these steps, Unstructured works with you to complete the rema * Enable customer access to the Unstructured platform UI and API. * Establish the connectivity and permissions required for the dedicated instance to access the target data sources. The required configuration depends on the services being accessed. The remaining sections in this topic describe how to complete it. -For general architecture information, see [Dedicated instance concepts](/business/dedicated-instances/overview). +For general architecture information, see [dedicated instance](/business/dedicated-instances/overview). ## Questions? Need help? diff --git a/business/dedicated-instances/architecture.mdx b/business/dedicated-instances/architecture.mdx index bb9f710c..0be0596a 100644 --- a/business/dedicated-instances/architecture.mdx +++ b/business/dedicated-instances/architecture.mdx @@ -1,5 +1,5 @@ --- -title: Architecture +title: Concepts and architecture --- diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 7e9d2395..4e0d0475 100644 --- a/business/dedicated-instances/overview.mdx 
+++ b/business/dedicated-instances/overview.mdx @@ -1,5 +1,5 @@ --- -title: Dedicated instance concepts +title: Dedicated instance overview sidebarTitle: Overview --- diff --git a/business/dedicated-instances/requirements.mdx b/business/dedicated-instances/requirements.mdx index b2bf2318..f387c20f 100644 --- a/business/dedicated-instances/requirements.mdx +++ b/business/dedicated-instances/requirements.mdx @@ -8,9 +8,7 @@ This topic uses *private connectivity* as a general term for AWS PrivateLink and Dedicated Instances rely on cloud-provider private networking features and require baseline infrastructure components for a secure and successful deployment. -This page outlines the key requirements that Customers must meet, along with known limitations that can affect implementation decisions. Understanding these constraints early helps reduce onboarding delays and align security, platform, and engineering teams. - -### Cloud provider and region support +## Supported cloud provider and regions | Cloud provider | Availability | | --- | --- | @@ -39,7 +37,7 @@ If your required AWS Region is not listed, contact your Unstructured account rep Contact your Unstructured account representative for the current list of supported Azure Regions. -### Requirements +## Prerequisites **AWS requirements:** - VPC with private subnets @@ -51,7 +49,7 @@ Contact your Unstructured account representative for the current list of support - Private endpoint network policies disabled on target subnets - Standard Load Balancer for connections into the Customer environment -### DNS requirements +## DNS requirements Private connectivity requires DNS configuration to route traffic through private endpoints: @@ -61,7 +59,7 @@ Private connectivity requires DNS configuration to route traffic through private Unstructured provides the DNS name in the format `.privatelink.unstructuredapp.io`. -### Known limitations +## Known limitations | Limitation | Notes | | --- | --- | 
diff --git a/business/dedicated-instances/security/security-faq.mdx b/business/dedicated-instances/security/security-faq.mdx index e0196fef..e07d3ef3 100644 --- a/business/dedicated-instances/security/security-faq.mdx +++ b/business/dedicated-instances/security/security-faq.mdx 
@@ -3,60 +3,84 @@ title: Security FAQ --- -This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. +This topic uses *private connectivity* as a general term for AWS +PrivateLink and Azure Private Link. - - - Yes. Each dedicated instance is single-tenant and logically isolated. It is not shared with other customers at the application or network level. - +**Is my dedicated instance single-tenant?** - - By default, dedicated instances block public ingress and egress. When private connectivity is enabled, traffic between the Customer environment and Unstructured stays on cloud-provider private networking. Public ingress or egress can be enabled on request for specific use cases. For more information, see [Network access controls](/business/dedicated-instances/security/security-model#network-access-controls). - +Yes. Each dedicated instance is single-tenant and logically isolated. +It is not shared with other customers at the application or network +level. - - Yes. Data is encrypted in the following ways: +**Does traffic ever traverse the public internet?** - - **In transit:** All traffic uses TLS 1.2 or higher. - - **Internally:** Mutual TLS (mTLS) is used between platform services. - - **In cloud storage:** Encryption policies are enforced at the storage layer. - - **At rest:** Customer-managed KMS keys are available as an option on request. - +By default, dedicated instances block public ingress and egress. +When private connectivity is enabled, traffic between the Customer +environment and Unstructured stays on cloud-provider private +networking. Public ingress or egress can be enabled on request for +specific use cases. For more information, see [Network access +controls](/business/dedicated-instances/security/security-model#network-access-controls). - - Unstructured personnel do not access Customer data as part of normal operations. 
Access to Customer data sources is explicitly configured, limited to the minimum permissions required, and governed by Customer-controlled IAM, RBAC, and resource policies. Any exceptional access, such as for troubleshooting, is controlled and audited. - +**Is data encrypted?** - - No. Customer data processed within a dedicated instance is not used to train models. - +Yes. Data is encrypted in the following ways: - - - Customers manage user access to the Unstructured UI and APIs. - - Network access can be restricted by using private endpoints, security groups, and firewall rules. - - DNS resolution can be kept private and scoped to Customer networks. - +- **In transit:** All traffic uses TLS 1.2 or higher. +- **Internally:** Mutual TLS (mTLS) is used between platform services. +- **In cloud storage:** Encryption policies are enforced at the + storage layer. +- **At rest:** Customer-managed KMS keys are available as an option + on request. - - Private connectivity helps protect against: +**Can Unstructured access my data?** - - Exposure to the public internet - - Unintended inbound network access - - DNS-based traffic interception +Unstructured personnel do not access Customer data as part of normal +operations. Access to Customer data sources is explicitly configured, +limited to the minimum permissions required, and governed by +Customer-controlled IAM, RBAC, and resource policies. Any exceptional +access, such as for troubleshooting, is controlled and audited. - Private connectivity does not protect against: +**Is customer data used to train models?** - - Application-layer vulnerabilities - - Misconfigured IAM or RBAC policies - - Compromised credentials - +No. Customer data processed within a dedicated instance is not used to +train models. - - Unstructured does not store Customer data long-term. Customer artifacts are used ephemerally during workflow execution and removed upon completion or failure. Transformed data is written to the configured destination. 
The data that persists in the Unstructured platform is limited to connector and workflow configuration metadata, connector keys stored in a secret store, and workflow execution telemetry, which does not contain file data. - +**How is access to the platform controlled?** - - Unstructured maintains industry-standard security and compliance programs, including HIPAA compliance architecture, ITAR readiness with geo-blocking through AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available in the [trust portal](https://trust.unstructured.io/). - - +- Customers manage user access to the Unstructured UI and APIs. +- Network access can be restricted by using private endpoints, + security groups, and firewall rules. +- DNS resolution can be kept private and scoped to Customer networks. + +**What does private connectivity protect against?** + +Private connectivity helps protect against: + +- Exposure to the public internet +- Unintended inbound network access +- DNS-based traffic interception + +Private connectivity does not protect against: + +- Application-layer vulnerabilities +- Misconfigured IAM or RBAC policies +- Compromised credentials + +**How long is customer data retained?** + +Unstructured does not store Customer data long-term. Customer +artifacts are used ephemerally during workflow execution and removed +upon completion or failure. Transformed data is written to the +configured destination. The data that persists in the Unstructured +platform is limited to connector and workflow configuration metadata, +connector keys stored in a secret store, and workflow execution +telemetry, which does not contain file data. + +**What compliance standards does Unstructured support?** + +Unstructured maintains industry-standard security and compliance +programs, including HIPAA compliance architecture, ITAR readiness +with geo-blocking through AWS WAF, and SOC 2 controls. 
Detailed +compliance artifacts are available in the [trust +portal](https://trust.unstructured.io/). \ No newline at end of file diff --git a/business/dedicated-instances/security/security-model.mdx b/business/dedicated-instances/security/security-model.mdx index 390ca62f..c86302d2 100644 --- a/business/dedicated-instances/security/security-model.mdx +++ b/business/dedicated-instances/security/security-model.mdx @@ -5,11 +5,9 @@ title: Security model This topic uses *private connectivity* as a general term for AWS PrivateLink and Azure Private Link. -Dedicated Instances use a security model designed to protect your data across the network, infrastructure, and service layers. The architecture emphasizes data isolation, private connectivity, and controlled access to keep your data within trusted boundaries. +This page explains how dedicated instances protect data through private connectivity, encryption, and network access controls. -This page covers private connectivity, encryption, and network access controls for dedicated instances. - -### Encryption +## Encryption Dedicated Instances use encryption in transit across external and internal service boundaries. All supported connections use TLS 1.2 or higher. @@ -19,7 +17,7 @@ Dedicated Instances use encryption in transit across external and internal servi | Cloud storage connections (S3, Blob Storage) | TLS 1.2 or higher, with bucket or container policies used to enforce encryption requirements | | Internal service mesh | mTLS between microservices | -### Security without private connectivity (internet-facing mode) +## Security without private connectivity (internet-facing mode) Customers who deploy a dedicated instance without private connectivity access the Unstructured platform over the public internet via HTTPS. 
@@ -31,19 +29,19 @@ The following security measures and connectivity options apply: - **Independent paths** - allow you to use the UI and API over the public internet while Unstructured uses private connectivity to reach your data sources. The two paths are configured separately. -### Security with private connectivity +## Security with private connectivity When private connectivity is enabled, traffic between your environment and the Unstructured platform stays on cloud-provider private networking. Service endpoints resolve to private IP addresses, and inbound access from the public internet is blocked. ### What private connectivity does and does not protect -Private connectivity helps protect: +**Private connectivity helps protect:** * Network traffic from public internet exposure. * Data in transit between VPCs and VNets. * DNS resolution of service endpoints. -Private connectivity does not protect against: +**Private connectivity does not protect against:** * Application-layer vulnerabilities. * Misconfigured Identity and Access Management (IAM) or Role-Based Access Control (RBAC) policies. @@ -54,7 +52,7 @@ Private connectivity does not protect against: By default, Unstructured manages encryption keys by using the cloud provider's native key management service: AWS Key Management Service (KMS) on AWS and Azure Key Vault on Azure. Customers with strict key custody requirements can use customer-managed keys for supported cloud services. Contact your account representative to enable this option. -### Network access controls +## Network access controls Network access controls determine whether traffic between the Unstructured platform and your cloud environment may traverse the public internet. Your cloud environment is the VPC or VNet that hosts your data sources and related resources. This section describes the default inbound and outbound traffic rules and how to request exceptions when a use case requires them. 
diff --git a/business/dedicated-instances/security/shared-responsibility-model.mdx b/business/dedicated-instances/security/shared-responsibility-model.mdx index 5fbcc14d..fa587b93 100644 --- a/business/dedicated-instances/security/shared-responsibility-model.mdx +++ b/business/dedicated-instances/security/shared-responsibility-model.mdx @@ -2,19 +2,9 @@ title: Shared responsibility model --- -## What shared responsibility means -A shared responsibility model explains how security and operational responsibilities are divided between Unstructured and the Customer. +A shared responsibility model explains how security and operational responsibilities are divided between Unstructured and the customer. Unstructured is responsible for the infrastructure and software that it operates. The customer is responsible for its accounts, data, identities, access policies, and the network resources that it controls. -Unstructured is responsible for the infrastructure and software that it operates. The Customer is responsible for its accounts, data, identities, access policies, and the network resources that it controls. - -This approach aligns with the shared responsibility models used by major cloud providers. - -## Using these tables -The following tables show which responsibilities belong to the Customer and which belong to Unstructured. - -The first table covers traffic from the Customer environment to the Unstructured Platform, including access to the UI and API. - -The second table covers traffic from Unstructured to Customer-managed data sources in the Customer cloud environment. +This table shows responsibilities for traffic from the customer environment to the Unstructured platform, which includes access to the UI and API. **Customer → Unstructured (Access to the Unstructured UI and API)** 
@@ -29,8 +19,9 @@ The second table covers traffic from Unstructured to Customer-managed data sourc | Load Balancer and Target Configuration | | ✔ | | Platform Security & Certificate Management | | ✔ | +This table shows responsibilities for traffic from Unstructured to customer-managed data sources in the customer cloud environment. -**Unstructured → Customer (Access to Customer-managed data sources)** +**Unstructured → Customer (Access to customer-managed data sources)** | Responsibility | Customer | Unstructured | | --- | --- | --- | @@ -43,8 +34,6 @@ The second table covers traffic from Unstructured to Customer-managed data sourc | Bucket / Container Policies | ✔ | | - - Each party is responsible only for the cloud resources that it owns and operates. \ No newline at end of file diff --git a/business/overview.mdx b/business/overview.mdx index 4262c034..a76e39ce 100644 --- a/business/overview.mdx +++ b/business/overview.mdx 
@@ -7,7 +7,7 @@ Unstructured offers _business_ deployments, which allow you to use an Unstructur and the [Unstructured API](/api-reference/overview) as follows: -   Within a **Business SaaS** deployment - Hosted alongside other accounts on Unstructured's cloud infrastructure. --   Within a **dedicated instance** deployment - Hosted within a virtual private cloud (VPC) running inside Unstructured's cloud infrastructure. Dedicated instances are isolated from all other accounts, for additional security and control. To learn more about dedicated instances see [Dedicated instance concepts](/business/dedicated-instances/overview). +-   Within a **dedicated instance** deployment - Hosted within a virtual private cloud (VPC) running inside Unstructured's cloud infrastructure. Dedicated instances are isolated from all other accounts, for additional security and control. To learn more see [dedicated instance](/business/dedicated-instances/overview). -   Within an **in-VPC** deployment - Hosted within your own VPC on your own cloud infrastructure. Unstructured **Business** accounts allow for multiple users and offer multiple workspaces. The **dedicated instance** and **in-VPC** account deployment types isolate your Unstructured **Business** account 
@@ -34,7 +34,7 @@ After your organization has signed the **Business** account agreement, the next - For a **Business SaaS** deployment, you can start using Unstructured by logging in to the Unstructured UI at [https://platform.unstructured.io](https://platform.unstructured.io). - For a **dedicated instance** deployment, a member of the Unstructured technical enablement team will reach out to you with the unique URL to log in to - the Unstructured UI, along with any next steps that you need to take. To learn more about dedicated instances see [dedicated instance concepts](/business/dedicated-instances/overview). + the Unstructured UI, along with any next steps that you need to take. To learn more see [dedicated instance](/business/dedicated-instances/overview). - For an **in-VPC** deployment, your organization will work with a member of the Unstructured technical enablement team to deploy Unstructured into your own cloud instrastructure. You are encouraged to begin setting up your target environment as soon as possible. To do this, see the onboarding requirements for your [AWS](/business/aws/onboarding-in-vpc), [Azure](/business/azure/onboarding-in-vpc), or diff --git a/docs.json b/docs.json index c090b4da..72e0d772 100644 --- a/docs.json +++ b/docs.json @@ -344,14 +344,14 @@ "pages": [ "business/dedicated-instances/overview", "business/dedicated-instances/architecture", + "business/dedicated-instances/requirements", { "group": "Security", "pages": [ "business/dedicated-instances/security/security-model", "business/dedicated-instances/security/shared-responsibility-model", "business/dedicated-instances/security/security-faq" - ] - }, - "business/dedicated-instances/requirements" + ] + } ] }, { From f3db39e5299658bb750e9da8938f353336abc479 Mon Sep 17 00:00:00 2001 
From: monica-unstructured Date: Sat, 28 Mar 2026 06:45:08 -0400 Subject: [PATCH 29/29] synched up wording in azure and aws onboarding sections. --- business/aws/aws-privatelink/onboarding-di-pl.mdx | 2 +- business/azure/azure-privatelink/onboarding-di-pl.mdx | 8 +++----- business/dedicated-instances/overview.mdx | 2 +- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/business/aws/aws-privatelink/onboarding-di-pl.mdx b/business/aws/aws-privatelink/onboarding-di-pl.mdx index a79bf68b..47925d4e 100644 --- a/business/aws/aws-privatelink/onboarding-di-pl.mdx +++ b/business/aws/aws-privatelink/onboarding-di-pl.mdx @@ -23,7 +23,7 @@ Times are subject to customer infrastructure team availability. More complex int ## High-level onboarding process -Complete these steps with Unstructured to prepare the deployment and configure AWS PrivateLink connectivity in your AWS environment. +Review these steps for an overview of the deployment and private connectivity workflow. | Step | Owner | Action | | :---: | --- | --- | diff --git a/business/azure/azure-privatelink/onboarding-di-pl.mdx b/business/azure/azure-privatelink/onboarding-di-pl.mdx index 094969e3..7649498c 100644 --- a/business/azure/azure-privatelink/onboarding-di-pl.mdx +++ b/business/azure/azure-privatelink/onboarding-di-pl.mdx @@ -22,7 +22,7 @@ Times are subject to customer infrastructure team availability. More complex int
## High-level onboarding process -This section provides a high-level summary of the steps required to prepare the deployment and configure private connectivity. +Review these steps for an overview of the deployment and private connectivity workflow. | Step | Owner | Action | | :---: | --- | --- | @@ -90,13 +90,11 @@ Unstructured then sends an endpoint connection request to complete the connectio ### Step 6: Approve the pending private endpoint connection requests in Azure. Approve the private endpoint connection as soon as possible to avoid delays in the deployment process. [Learn how](https://learn.microsoft.com/en-us/azure/private-link/how-to-approve-private-link-cross-subscription). -You can approve the requests in the Azure portal under the target resource's **Networking** settings, or by using Azure CLI where applicable. - ## Remaining configuration -After you complete these steps, Unstructured works with you to complete the remaining configuration: +After the completion of these steps, Unstructured works with you to complete the remaining configuration: * Enable customer access to the Unstructured platform UI and API. -* Establish the connectivity and permissions required for the dedicated instance to access the target data sources. The required configuration depends on the services being accessed. The remaining sections in this topic describe how to complete it. +* Complete the connectivity and permissions required for the dedicated instance to access the target data sources. For general architecture information, see [dedicated instance](/business/dedicated-instances/overview). diff --git a/business/dedicated-instances/overview.mdx b/business/dedicated-instances/overview.mdx index 4e0d0475..315989da 100644 --- a/business/dedicated-instances/overview.mdx +++ b/business/dedicated-instances/overview.mdx 
@@ -14,7 +14,7 @@ This section covers: * Technical requirements for integrating with your cloud platform. ## Cloud service provider (CSP) support -Unstructured supports dedicated instances on Amazon Web Services (AWS) and Microsoft Azure (Azure). This section includes information for both cloud providers. +Unstructured supports dedicated instances on Amazon Web Services (AWS) and Microsoft Azure (Azure). This section covers architecture and configuration information that generally applies to dedicated instances on both cloud providers. For provider-specific onboarding guidance, see:
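Review bot: in the aws-privatelink/onboarding-di-pl.mdx "Remaining configuration" hunk (-114,12), rewriting the second bullet to "Complete the connectivity and permissions required..." drops the only pointer from the onboarding steps to the connector-specific sections ("The required configuration depends on the services being accessed. The remaining sections in this topic describe how to complete it."); keep that sentence unless those sections were removed too. "After the completion of these steps" is a passive rewrite of "After you complete these steps", which this same series leaves in place in the Azure file's **Next steps** paragraph, so revert it for consistency. The link text "Dedicated instance concepts" was changed to the bare noun "dedicated instance", but the target page is retitled "Dedicated instance overview" later in this series; use the new title as the link text here, in the Azure onboarding file and in business/overview.mdx.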
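Review bot: the azure-privatelink/connect-to-services.mdx hunk replaces the intro with "reach Azure services in your Virtual Network", which is narrower than what the page covers: the removed sentence listed Azure managed services reached over Private Link or private endpoints (which are not in the customer's VNet) as well as customer-managed workloads behind a Private Link service and a Standard Load Balancer. The second hunk also drops the sentence that told readers which of the later sections applies to them. Keep one scoping sentence, e.g. "This page covers Azure managed services and customer-managed workloads exposed through a Private Link service.", so the **Order** column explanation that follows has a stated scope.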
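Review bot: the azure-privatelink/onboarding-di-pl.mdx -1,49 hunk renames "Azure Private Link" to "Azure PrivateLink" in the title, both callouts, the timing bullets, step 4 of the table and the "Use the following steps" sentence, and this is a regression: Microsoft's product is "Azure Private Link" (two words; "PrivateLink" is the AWS spelling), and the same series leaves "AWS PrivateLink and Azure Private Link" untouched in requirements.mdx, security-faq.mdx and security-model.mdx, so the docs now disagree with each other. Revert to "Private Link" in this file; the support ticket subject line in the later context lines is an identifier the support team matches on and can stay as it is.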
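Review bot: in the same file's -68,14 hunk, "Create a PrivateLink service", "Azure PrivateLink FAQ" and "PrivateLink service ID" have the same naming problem; the Azure resource is a "Private Link service" and what you are asking the customer for is that resource's ID, so keep "Private Link" (the FQA to FAQ fix is correct). Separately, step 3 is titled "Prepare Azure resources for private connectivity" but its body only says to create the Private Link service, while requirements.mdx in this series lists "Private endpoint network policies disabled on target subnets" and "Standard Load Balancer for connections into the Customer environment" as Azure prerequisites; either list those here or link to the requirements page, since the Private Link service cannot be created without the load balancer.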
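Review bot: in the requirements.mdx hunk, the new heading "Supported cloud provider and regions" should be plural ("Supported cloud providers and regions"), since the table under it lists more than one provider and the text below discusses both AWS and Azure. Promoting the headings from ### to ## is fine, but the removed paragraph was the only place that told security, platform and engineering teams why the **Known limitations** table matters for implementation decisions; a one-sentence version is worth keeping. Also check the untouched DNS line: if it really reads `.privatelink.unstructuredapp.io` with nothing before the dot, the placeholder (for example `<instance>`) was lost, probably because the angle brackets were parsed as a JSX tag in MDX; escape it or wrap it in backticks with the placeholder restored.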
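Review bot: the security-faq.mdx hunk converts the accordion blocks into bold questions, which is fine, but it also hard-wraps every paragraph at roughly 70 columns while every other .mdx touched in this series (security-model, requirements, shared-responsibility) keeps one sentence run per line; the mixed style makes future diffs noisy and the wrapped bullets ("- **In cloud storage:** Encryption policies are enforced at the" / "storage layer.") rely on lazy continuation. Unwrap to match the rest of the docs and add the missing trailing newline ("\ No newline at end of file"). Two content points while here: bold question lines do not produce anchors, so nothing can deep-link to an individual answer the way security-model.mdx is linked with `#network-access-controls`; use `###` headings if that is wanted. And "ITAR readiness with geo-blocking through AWS WAF" is AWS-specific in a FAQ that also covers Azure deployments; qualify it with "on AWS" or state the Azure equivalent.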
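Review bot: in the security-model.mdx -5,11 hunk the new opening sentence writes "dedicated instances" in lowercase while the very next context line ("Dedicated Instances use encryption in transit...") keeps the capitalized form; the rest of this series lowercases the term (overview.mdx, business/overview.mdx), so lowercase it here as well. In the -31,19 hunk, the bolded "Private connectivity helps protect:" and "does not protect against:" lists now duplicate the FAQ's lists with slightly different wording ("Network traffic from public internet exposure" here versus "Exposure to the public internet" in security-faq.mdx); keep one authoritative list in this section and have the FAQ link to it, otherwise the two will drift.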
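Review bot: the shared-responsibility-model.mdx hunk lowercases "Customer" to "customer" in the prose while security-faq.mdx and security-model.mdx in the same series keep the capitalized defined term ("Customer environment", "Customer data", "Customer-controlled IAM"), and the table column header here still reads "Customer"; pick one convention across the section. The added sentence "This table shows responsibilities for traffic from Unstructured to customer-managed data sources..." is placed right after the last row of the first table; make sure a blank line separates it from "| Platform Security & Certificate Management | | ✔ |", otherwise GFM treats it as another table row. The file also still ends without a trailing newline.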
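Review bot: in the two business/overview.mdx hunks, "To learn more see [dedicated instance](...)" reads as a bare noun link and is missing the comma after "To learn more"; since this series retitles the target page "Dedicated instance overview", write "To learn more, see [Dedicated instance overview](/business/dedicated-instances/overview)". The unchanged context line below the second hunk has the typo "instrastructure" ("deploy Unstructured into your own cloud instrastructure"), worth fixing in the same pass.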
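Review bot: in PATCH 29's azure-privatelink/onboarding-di-pl.mdx -90,13 hunk, removing "You can approve the requests in the Azure portal under the target resource's **Networking** settings, or by using Azure CLI where applicable." leaves step 6 with no concrete instruction beyond a "Learn how" link to the cross-subscription approval article, which will not match every customer's setup; keep that sentence. The same hunk repeats the problems from the AWS file: "After the completion of these steps" is a passive rewrite of "After you complete these steps", and the second bullet loses the sentence pointing to the remaining sections that describe the per-service configuration. The matching AWS hunk only changes the "High-level onboarding process" intro, so the two files are still not in sync after this commit.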