BYO AWS Account
Frame provides Customer and Organization admins with the option to “Bring Your Own” (BYO) Amazon Web Services (AWS) account. Each Frame Platform installation has a default AWS account associated with it. This default AWS account is used for provisioning infrastructure like EC2 instances, EBS volumes, etc. The default account is also used for storing Gold Master Images, known as Amazon Machine Images (AMIs). With the BYO AWS Account option, these components are instead provisioned in your AWS account, rather than in the default AWS account.
Common reasons you may want to go with the BYO option include:
- You wish to take advantage of your existing billing arrangements with AWS for convenience and/or pricing. For example, your organization may already have certain AWS consumption commitments or pre-payments – and you can use Frame to consume those resources on your own AWS account.
- You would prefer to “own” your Frame workloads and therefore have full administrative access.
- You want to configure other network integrations (VPN gateway) on your own within your AWS account.
Any new Frame account can be created under a non-default AWS account to leverage the “Bring Your Own AWS Account” feature.
- In order to use an AWS account with Frame, you will need to ensure that you have an IAM user or Federated Identity with admin access.
For security reasons, DO NOT use your root AWS account. You will want to use an IAM user, which can be revoked or deleted with no impact on the root user or AWS account.
You will need your Account ID number, which can be found on the “My Account” page in your AWS console. To access this page, click the drop-down menu next to your account name in the upper right corner of the AWS console. See below for all the steps required to add your BYO AWS account.
The account should have at least “AmazonEC2FullAccess” permission.
Some costs may begin to accrue immediately after adding your BYO AWS Cloud Account credentials to the platform.
You will only need to enter your AWS credentials once (when signing into your AWS account from https://aws.amazon.com). Frame does not have access to your AWS credentials.
Add Frame BYO AWS Cloud Account Credentials
BYO cloud accounts can be created within one of two different contexts of Frame’s logical hierarchy (the “customer” or the “organization” tier). More information about Frame’s hierarchy concepts can be referenced here.
A BYO cloud account created at the “customer” (highest) tier will be accessible to all hierarchical children (“organizations” and their accounts). If you choose to add the BYO cloud account at the “organization” tier, the BYO cloud account will only be available to the chosen organization and any accounts underneath it.
Once the BYO account is created and accessible, any accounts created from that point forward will have the new BYO account available as an option for the platform. “Organization” admins are authorized to create a new organization with BYO AWS credentials or add BYO credentials to an existing organization. “Customer” admins have the same authorizations as “organization” admins, as well as the authorization to add BYO credentials to existing customers.
Go to the Frame Admin view.
Navigate to the “Organizations” or “Customers” section (depending on where you wish to add the cloud account).
Click on the name of the organization or customer you would like to add your cloud account to.
Select the “Cloud Accounts” tab and then select “Add Cloud Account” in the upper right corner:
A new window will appear prompting you for the following information:
- Cloud provider: Select the AWS icon.
- Cloud account ID: Enter your AWS Account ID (without dashes) in this field.
- Name: Enter the desired name of your cloud service.
Click the “Prepare the Account with AWS CloudFormation” option.
- At this point, your browser will be redirected to the AWS console in a new tab. If you are not logged in to AWS with the desired BYO AWS account, you will be prompted for credentials.
- Make sure you are logged in with the correct AWS account you wish to use (if you have multiple AWS accounts).
- The first page you will be directed to is the CloudFormation Stack creation page.
- You will now be required to select a template to use for all Frame resources. Frame’s template URL should be pre-populated in the “Specify an Amazon S3 template URL” field. Make sure this option is selected in the list of templates.
The AWS CloudFormation template will create an IAM role that allows Frame to securely orchestrate workloads in your AWS account.
To confirm that the S3 template was properly populated with Frame’s S3 URL, you can optionally click on the “View/Edit template in Designer” link to see what is being imported and inspect policies required by the Frame template.
If you choose to verify the URL, you should see a diagram similar to the following (notice the references to Frame).
- Once you’ve confirmed the proper template for your stack, press “Next” to confirm your selections and proceed to the Stack details page.
- The stack details page will only include an option for naming your stack. The stack name will automatically be populated as “Frame.” You can edit the name if desired. Click “Next” to the stack options page.
- The stack options page lists many additional configuration options. You can leave these settings in their default state and proceed by clicking “Next” to review all settings/options selected to create the stack.
- Review your options and ensure everything is correct. Proceed by clicking “Next” or “Finish.”
You are required to click the checkbox acknowledging that certain IAM resources may be created by importing this stack.
- Once the above process is complete, you will be directed to the “CloudFormation Stack” page which lists all existing stacks on your account. (Note this may be empty or missing the Frame stack for a few seconds.) A refresh of the browser may be required to see the pending Frame stack creation. Click “Create Stack.”
- Once the stack has been created, navigate back to your Frame tab and select “Verify Cloud account Setup.”
- You should be informed that the cloud account setup has been verified. There will be a small text response below the “Verify Cloud Account Setup” stating “Cloud account setup is verified”. This will indicate everything is working properly.
- Your BYO AWS account is now available to select during the account/organization creation process.
If you create non-Frame related virtual machines in your AWS VPC or Azure VNET that is being managed by Frame, those virtual machines may be identified as potentially orphaned resources by Frame and deleted. We do not support the use of non-Frame resources in a Frame-managed VPC/VNET.
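For the optional template inspection step above, the following sketch lists what each IAM role in a CloudFormation template would trust and grant, so it can be reviewed before acknowledging the IAM checkbox. It is an added example, not Frame's code: the sample template, role name, account ID and ExternalId value are constructed, and it assumes the template has been saved as JSON with literal policy values rather than intrinsic functions.

```python
import json

# Constructed sample for illustration only; this is NOT Frame's actual template.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "ExampleWorkloadRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}}]},
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AmazonEC2FullAccess"],
        "Policies": [{"PolicyName": "example-inline", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}}]}},
    "ExampleBucket": {"Type": "AWS::S3::Bucket"}}})

def as_list(value):
    """IAM policy fields may hold one value or a list; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def review_template(template_text):
    """Summarize what each AWS::IAM::Role in a JSON template would grant."""
    report = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement"))
        principals, needs_external_id = [], bool(trust)
        for st in trust:
            who = st.get("Principal", {})
            # Principal is either "*" or a map such as {"AWS": [...]}.
            principals += [p for v in (who.values() if isinstance(who, dict) else [who])
                           for p in as_list(v)]
            keys = {k.lower() for c in st.get("Condition", {}).values() for k in c}
            needs_external_id = needs_external_id and "sts:externalid" in keys
        # Inline-policy Allow actions covering a whole service ("svc:*") or everything.
        broad = sorted({a for pol in as_list(props.get("Policies"))
                        for st in as_list(pol.get("PolicyDocument", {}).get("Statement"))
                        if st.get("Effect") == "Allow"
                        for a in as_list(st.get("Action"))
                        if isinstance(a, str) and (a == "*" or a.endswith(":*"))})
        report.append({"role": name, "trusted_principals": principals,
                       "external_id_required": needs_external_id,
                       "service_wide_actions": broad,
                       "managed_policies": as_list(props.get("ManagedPolicyArns"))})
    return report

if __name__ == "__main__":
    print(json.dumps(review_template(SAMPLE_TEMPLATE), indent=2))
```

Managed policies are reported by ARN only, so their contents still need to be read in the IAM console or documentation.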
AWS Service Limits
By default, a newly created AWS account will impose certain service limits on available resources. Depending on the size of the Frame workload required, you will likely need to adjust the default limits imposed on the AWS account. If these limits are set to values that are lower than what is required by the Frame platform, you can expect certain functions to either fail or be substantially delayed. Frame’s requirements for these service limits depend on the desired workload and required resources. The recommended service limit increases include the following:
|Service|Recommendation|
|---|---|
|EC2|Frame recommends setting the EC2 service limit to 2.2x your expected max number of instances. The additional 20% will accommodate any faulty instances that may occur on rare occasion.|
|EBS|Typically, EBS does not need to be modified. If you have any concerns about capacity, we recommend 80 GiB per instance.|
|Elastic IP Addresses|The default number of Elastic IP Addresses should be sufficient for most Frame use cases, however, you may want to designate 1 or 2 additional Elastic IP Addresses for Frame use if you plan on using VPN endpoints.|
|Network Interfaces|By default, you should have 350 network interfaces per region. You will need at least 2 available per instance.|
|VPCs|For most Frame use cases, you will only need one VPC.|
|GPU-backed Instances|We recommend increasing service limits for GPU-backed instances to 2.2x your expected max number of instances. The additional 20% will accommodate any faulty instances that may occur on rare occasion.|
To modify service limits on your AWS account, you will need to click on the “Limits” link in the navigation panel on the left of the AWS console (pictured below):
Service Limits Tips
- If possible, group your service limit increases by geographic region. Each geographic region has its own approval team. A limit increase across multiple regions can take 6-8 weeks.
- Approval time can vary by the size of the request. For instance, two or three small service limit increase requests are generally approved more quickly than one large request.
- Since capacity is limited, increasing service limits on GPU-backed instances generally takes longer than general purpose limit increases.
- T2 instance limit increase requests are usually approved and implemented within 24 hours of the request. G2/G3 instance limit increases take longer (especially for larger quantities).
More information about AWS service limits can be found in their official documentation.