Virtual Networks

In this section of resources, learn about modifying the settings in your virtual network, while avoiding the pitfalls of doing so.

Note

For resources on modifying instance templates, see this section of the admin guide.

Reference | Creating or modifying a virtual network

A virtual network defines where Dataiku instances are deployed. A virtual network represents the network context in which instances are launched. It is a reference to the virtual network provided by your cloud provider. It contains configuration information, including how DNS and HTTPS are handled.

You can create a new virtual network or choose to modify an existing one. If creating a new virtual network, Fleet Manager automatically completes the VPC and subnet fields based on the VPC and subnet where the Fleet Manager is currently running.

Note

Instance templates are not tied to a specific virtual network. However, Dataiku instances are tied to a specific virtual network. Once a virtual network is associated with an instance, you cannot change to a different virtual network.

How-to | View or edit a virtual network

To view a virtual network:

  1. Launch Fleet Manager.

  2. Under Settings, choose Virtual networks.

  3. Choose the virtual network you want to modify.

Fleet Manager displays the virtual network’s dashboard.


To modify a virtual network:

  1. Select the Settings tab.

  2. Modify the settings according to the guidelines and then select Save.

How-to | Edit virtual network names

When creating a new virtual network, Fleet Manager asks for the virtual network label. When you deploy one or more Dataiku instances from a Fleet Manager blueprint, the virtual network is pre-configured with the fleet’s name.

To edit the virtual network name:

  • In Label, enter a name for the virtual network.

How-to | Assign a public IP address

You can assign a public IP address to all Dataiku instances linked to the virtual network.

To do this:

  • Select the Assign a public IP address checkbox.

How-to | Assign a virtual network ID and subnet name

When creating a new virtual network, you can assign a virtual network ID and subnet name.

To do this:

  1. In Virtual Network Id, enter the ID.

  2. In Subnet Name, enter the name of the subnet.

Reference | Security groups

Default Security Groups

Fleet Manager automatically creates AWS security groups for all Dataiku nodes linked to the virtual network. This is the default configuration.

To automatically create security groups when creating a new virtual network:

  • Toggle Auto-create security groups to On.

The default security group configuration permits the following:

  • DSS nodes to be reached from 0.0.0.0/0 on ports 80, 22, and 443.

  • DSS nodes to communicate with each other.

  • Fleet Manager to communicate with Dataiku nodes if you choose to deploy nodes in another VPC/subnet from Fleet Manager.

Custom Security Groups

If you choose not to automatically create AWS security groups, you can attach your own custom security groups.

To attach your own security groups:

  • Toggle Auto-create security groups to Off.

  • Select Add Security Group.

  • In Security groups Ids, enter the ID of each security group, separated by commas.

When creating a new virtual network, you can configure the Network Security Group to allow communication between Fleet Manager and its DSS instances, and choose the Internet Access Mode.

To do this:

  • Select the Update security groups checkbox.

  • In Internet Access Mode, choose a mode:

    • No internet access

    • Egress only internet

    • Create an internet gateway

Azure Tags

When creating a new virtual network you can tag your Azure resources to help organize them.

How-to | Enable Fleet Management configuration options

You can enable Fleet Management so that all the instances linked to the virtual network know each other. This simplifies the configuration of log centralization and of the deployer.

To enable Fleet Management configuration options:

  • Select the Enable checkbox.

Event server

You can specify the address of the event server. This is a Dataiku node that is enabled to collect audit logs from other Dataiku nodes linked to the same template. This allows you to centralize the logs in a single location.

To do this:

  • In Event Server, enter the name of the node that should act as the centralized event server for log centralization.

Fleet Manager will send all audit logs for all nodes to this node.

Deployer management

Select a Deployer strategy.

  • Do not manage deployer.

  • Central deployer. Select this strategy if you have more than one Design node or you may have more than one Design node in the future. As a result:

    • The Deployer is deployed as a standalone node and all other nodes are configured to connect to it.

  • Deploy from Design nodes. Select this strategy if you have a single Design node and want a simpler setup. As a result:

    • Your Design node is enabled as a Deployer node, and

    • Every Automation node is configured as a deployment infrastructure in the Deployer.

Govern server

You can define your Govern node so that it is automatically configured in all Dataiku nodes linked to the virtual network.

  • In Govern Server, enter the node’s ID (the instance name as defined in Fleet Manager) that should act as the centralized Govern server.

How-to | Choose DNS strategy

If you manage your DNS zone in Route53 in the same AWS account where you deployed Fleet Manager, you can have Fleet Manager create the DNS entries to define the vanity URLs for the Dataiku instances. Fleet Manager will use the instance name (nodeID) that was associated with the Dataiku instance at deploy time to create a DNS entry that associates the IP address of the instance to the DNS name. This requires the role associated with Fleet Manager to have the required policies to manage Route53.

To do this:

  1. In DNS strategy, choose Assign a Route53 domain name that you manage.

  2. Enter the Zone Id in Route53 Zone Id for private IP if available.

  3. Enter the Zone Id in Route53 Zone Id for public IP.

You can assign an Azure DNS domain name that you manage.

To do this:

  1. In DNS strategy, choose Assign a Azure domain name that you manage.

  2. Enter the Azure Dns Zone Id in Azure Dns Zone Id.

How-to | Choose an SSL strategy

You can manage the TLS certificates associated with each Dataiku instance linked to the virtual network.

  1. In HTTPS strategy, choose a strategy:

    • None (HTTP) only. Does not manage TLS at all. The Dataiku instance is only accessible via the HTTP (80) port.

    • Self-signed certificates. Each Dataiku instance will have a self-signed certificate created automatically.

    • Enter a certificate/key for each instance. Select this strategy if you prefer to manage the certificates yourself. You’ll need to specify a certificate and key per each instance in the instance’s settings.

    • Generate certificates using Let’s Encrypt. This strategy leverages “Let’s Encrypt” to generate certificates for each instance. “Let’s Encrypt” needs to be able to complete the DNS challenge to create a certificate. To allow this, you’ll need to configure the Route53 Zone Id for public IP in the DNS strategy. This strategy automatically renews the certificate before it expires.

      • Enter an email address in Contact Mail.

  2. In HTTP strategy, choose a strategy:

    • HTTP port is disabled.

    • HTTP port redirects to HTTPs. This is the recommended option.

When modifying a virtual network template or creating a new network template, Fleet Manager deploys the virtual network in AWS.

You can manage the TLS certificates associated with each Dataiku instance linked to the virtual network.

  1. In HTTPS strategy, choose a strategy:

    • None (HTTP) only. Does not manage TLS at all. The Dataiku instance is only accessible via the HTTP (80) port.

    • Self-signed certificates. Each Dataiku instance will have a self-signed certificate created automatically.

    • Enter a certificate/key for each instance. Select this strategy if you prefer to manage the certificates yourself. You’ll need to specify a certificate and key per each instance in the instance’s settings.

    • Generate certificates using Let’s Encrypt. This strategy leverages “Let’s Encrypt” to generate certificates for each instance. “Let’s Encrypt” needs to be able to complete the DNS challenge to create a certificate. To allow this, you’ll need to configure the Azure Dns Zone Id in the DNS strategy. This strategy automatically renews the certificate before it expires.

      • Enter an email address in Contact Mail.

  2. In HTTP strategy, choose a strategy:

    • HTTP port is disabled.

    • HTTP port redirects to HTTPs. This is the recommended option.

When modifying a virtual network template or creating a new network template, Fleet Manager deploys the virtual network in Azure.

How-to | Reprovision an instance after applying modifications

Fleet Manager lets you know when modifications require reprovisioning before the changes take effect.

To reprovision an instance:

  1. From Instances, choose All and then locate the instance you want to reprovision.

  2. Select Reprovision.

  3. Select Confirm.

Wait while Fleet Manager reprovisions the instance.