Deployment Guide

The Analytics account offers two deployment options. Following V1.xx customer feedback, we introduced an EC2 & SSM agent receiver option for processing large datasets that exceed Lambda's 15-minute execution limit.

Below are comprehensive details for both options:

Pre-requisites

| # | Item | Description |
|---|------|-------------|
| 1 | Repository Link | https://github.com/aws-samples/sample-aws-multi-account-observability |
| 2 | Download | Download the sample-aws-multi-account-observability folder as a zip from the AWS Samples repository |
| 3 | Extract | Extract all files and place them in a folder of your choice |
| 4 | Verify | Check that you have all the files |
| 5 | QuickSuite Account | MUST DO - Please make sure to have an Amazon Quick Suite account created.<br>• Log in to the AWS Console > Search for Amazon Quick Suite<br>• Create an account, log in to Amazon Quick Suite and ensure it is working. |

Option A : Serverless Deployment

Using a Serverless approach with only Lambda functions handling the transactions.

Architecture

(Figure: A360-Option1-Lambda architecture diagram)

| Step | Component | Action | Description |
|------|-----------|--------|-------------|
| 1 | EventBridge (Daily Schedule) | Triggers | Daily trigger at 01:00 AM activates the sender function |
| 2 | Sender Function (Lambda) | Executes | Collects data from AWS services (10GB/15min capacity) |
| 3 | KMS Key | Encrypts | Provides encryption for data security |
| 4 | S3 Data Bucket | Receives | Stores encrypted JSON data from sender accounts |
| 5 | Receiver Function (Lambda) | Processes | Triggered by S3 PUT events, processes JSON data (10GB/15min) |
| 6 | Aurora Primary | Stores | Primary database instance (Serverless v2 - Postgres) |
| 7 | QuickSight / QuickSuite | Visualizes | Connects via VPC endpoint for dashboard access |

ℹ️ Information

  • a - Secrets Manager (Credentials): Stores Aurora database credentials securely
  • b - Aurora Replica (High Availability): Read replica in Private Subnet 2 (10.0.5.0/24) - AZ 2
  • c - Multi-AZ Standby (Disaster Recovery): Standby instance in Private Subnet 3 (10.0.6.0/24) - AZ 3
  • d - QuickSight Endpoint (Secure Access): VPC endpoint for QuickSight connectivity
  • DLQ (SQS) - Error Handling: Dead Letter Queue for failed message processing

🔒 Security Groups & Network

  • RDS Security Group: Controls database access in Private Subnet 1 (10.0.4.0/24) - AZ 1
  • RDS Security Group: Controls database access in Private Subnet 2 (10.0.5.0/24) - AZ 2
  • RDS Security Group: Controls database access in Private Subnet 3 (10.0.6.0/24) - AZ 3
  • QuickSight Security Group: Controls analytics access in Private Subnet 3 (10.0.6.0/24) - AZ 3

Process Flow

(Figure: A360-Option1-Flow-Lambda process flow diagram)

| Step | Component | Action | Description |
|------|-----------|--------|-------------|
| 1 | S3 Event (ObjectCreated) | Triggers | New JSON file uploaded to the S3 data/ folder |
| 2 | Lambda Function (a360-receiver) | Receives | S3 event notification triggers the receiver function |
| 3 | Lambda Function (a360-receiver) | Fetches | Downloads the receiver.py script from the S3 bucket |
| 4 | Lambda Function (a360-receiver) | Processes | Reads and processes JSON data from the uploaded file |
| 5 | Lambda Function (a360-receiver) | Updates/Inserts | Writes processed data to the Aurora PostgreSQL database |
| 6 | Lambda Function (a360-receiver) | Moves | Transfers the processed JSON file to the loaded/ folder in S3 |
| 7 | S3 Bucket (Analytics Account) | Stores | Maintains processed files in the loaded/ACCOUNT/REGION/YYYY-MM-DD_DAILY.json structure |

Option B : Lambda + EC2 + SSM Deployment

Using an EC2 instance with the SSM agent as the receiver, invoked by a Lambda function based on events.

Architecture

(Figure: A360-Option2-EC2 architecture diagram)

| Step | Component | Action | Description |
|------|-----------|--------|-------------|
| 1 | EventBridge (Daily Schedule) | Triggers | Daily trigger at 01:00 AM activates the sender function |
| 2 | Sender Function (Lambda) | Executes | Collects data from AWS services (10GB/15min capacity) |
| 3 | KMS Key | Encrypts | Provides encryption for data security |
| 4 | S3 Data Bucket | Receives | Stores encrypted JSON data from sender accounts |
| 5 | Receiver Function (Lambda) | Processes | Triggered by S3 PUT events, processes JSON data (10GB/15min) |
| 6 | SSM Endpoint & EC2 Receiver | Connects & Processes | Downloads the receiver.py script from the S3 bucket, then reads and processes the JSON data from the uploaded file |
| 7 | RDS Data Endpoint | Connects | Enables secure database connectivity |
| 8 | Aurora Primary | Stores | Primary database instance (Serverless v2 - Postgres) |
| 9 | QuickSight | Visualizes | Connects via VPC endpoint for dashboard access |

ℹ️ Information

  • a - Secrets Manager (Credentials): Stores Aurora database credentials securely
  • c - EC2 Receiver (Alternative Processing): EC2-based receiver (t4g.small) for compliance scenarios
  • d - Aurora Replica (High Availability): Read replica in separate AZ (Postgres)
  • d - Multi-AZ Standby (Disaster Recovery): Standby instance in third AZ (Postgres)
  • e - QuickSight Endpoint (Secure Access): VPC endpoint for QuickSight connectivity

🔒 Security Groups & Network

  • EC2 Security Group: Controls EC2 access in Private Subnet 1 (10.0.4.0/24)
  • Lambda Security Group: Controls Lambda VPC access in Private Subnet 1 (10.0.4.0/24)
  • RDS Security Group: Controls database access in Private Subnets 1-3
  • QuickSight Security Group: Controls analytics access in Private Subnet 3 (10.0.6.0/24)

Process Flow

(Figure: A360-Option2-Flow-EC2 process flow diagram)

| Step | Component | Action | Description |
|------|-----------|--------|-------------|
| 1 | S3 Event (ObjectCreated) | Triggers | New JSON file uploaded to the S3 data/ folder |
| 2 | Lambda Function (a360-ec2-trigger) | Receives | S3 event notification triggers the EC2-trigger function |
| 3 | Lambda Function (a360-ec2-trigger) | Invokes | Calls the SSM agent to execute the receiver function |
| 4 | SSM (a360-ssm) | Triggers | SSM agent triggers the EC2 instance to run the receiver |
| 5 | EC2 Instance (a360-ec2) | Fetches | Downloads the receiver.py script from the S3 bucket |
| 6 | EC2 Instance (a360-ec2) | Processes | Reads and processes JSON data from the uploaded file |
| 7 | EC2 Instance (a360-ec2) | Updates/Inserts | Writes processed data to the Aurora PostgreSQL database |
| 8 | EC2 Instance (a360-ec2) | Moves | Transfers the processed JSON file to the loaded/ folder in S3 |
| 9 | S3 Bucket (Analytics Account) | Stores | Maintains processed files in the loaded/ACCOUNT/REGION/YYYY-MM-DD_DAILY.json structure |
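The two process flows above both start from an S3 ObjectCreated event and end with the file under loaded/ACCOUNT/REGION/YYYY-MM-DD_DAILY.json. The following is an added example, not code from this sample project, showing the input checks a receiver trigger should perform before acting on such an event: it only accepts records from the expected bucket under the data/ prefix (so a move into loaded/ can never re-trigger the receiver), and for Option B it refuses to build an SSM shell command from a key that has not passed that check. It assumes senders write to data/ACCOUNT/REGION/YYYY-MM-DD_DAILY.json and that receiver.py lives at /opt/a360/receiver.py on the EC2 instance; neither path is stated in the guide.

```python
"""Event validation for the a360 receiver trigger (added example, not project code).

Assumed layout (not stated in the guide): senders upload to
data/ACCOUNT/REGION/YYYY-MM-DD_DAILY.json; the Option B trigger runs
/opt/a360/receiver.py on the EC2 instance via the AWS-RunShellScript SSM document.
"""
import re
from urllib.parse import unquote_plus

# Strict key pattern: 12-digit account id, an AWS region name, and the dated file name.
KEY_RE = re.compile(
    r"^data/(?P<account>\d{12})/(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/"
    r"(?P<date>\d{4}-\d{2}-\d{2})_DAILY\.json$"
)
BUCKET_RE = re.compile(r"^[a-z0-9.-]{3,63}$")


def parse_s3_event(event, expected_bucket):
    """Return (bucket, key) for every ObjectCreated record that passes validation.

    Records from other buckets, other event types, or keys outside data/ are
    dropped: that blocks the loaded/ write from re-triggering the receiver and
    keeps any unexpected key away from the database and the SSM command.
    """
    accepted = []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes event keys
        if bucket != expected_bucket or not KEY_RE.match(key):
            continue
        accepted.append((bucket, key))
    return accepted


def loaded_key(key):
    """Map a validated data/ key to the loaded/ layout described in the guide."""
    m = KEY_RE.match(key)
    if m is None:
        raise ValueError(f"key not in the expected data/ layout: {key!r}")
    return f"loaded/{m['account']}/{m['region']}/{m['date']}_DAILY.json"


def ssm_run_receiver_params(bucket, key):
    """Build send_command() kwargs for Option B (assumed receiver command line)."""
    if not (BUCKET_RE.match(bucket) and KEY_RE.match(key)):
        raise ValueError("refusing to build a shell command from unvalidated input")
    cmd = f"python3 /opt/a360/receiver.py --bucket '{bucket}' --key '{key}'"
    return {"DocumentName": "AWS-RunShellScript", "Parameters": {"commands": [cmd]}}
```

Pass the returned dict to `boto3.client("ssm").send_command(InstanceIds=[...], **params)`; restricting the S3 event notification itself to the `data/` prefix is still the first line of defence, the code above is the second.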