BYO AWS Account
Bring Your Own AWS Subscription to Frame
Xi Frame provides two options for using AWS infrastructure. You can “Bring Your Own” (BYO) Amazon Web Services (AWS) subscription that you own and manage yourself, or purchase Nutanix IaaS credits to use a Nutanix-managed AWS subscription. When you bring your own (BYO) AWS subscription, you pay AWS directly for infrastructure (your VMs, storage, networking, etc.) and only pay Xi Frame for the platform services.
Common reasons why you would bring your own AWS subscription are:
- You wish to take advantage of existing billing arrangements with AWS for convenience and/or pricing. For example, your organization may already have certain AWS consumption commitments or pre-payments – you can use Frame to consume those resources on your own AWS account.
- You want to have additional administrative control over your Xi Frame workloads for more detailed monitoring and metrics.
- You want to configure other network integrations (VPN gateways, Direct Connects, transit gateways), which you can’t do using a Nutanix-managed AWS subscription.
- You must meet industry-specific compliance regimes (e.g., HIPAA) that require you to fully manage and control your cloud resources.
In order to register your AWS account with Frame, you need to ensure that you have an IAM user who can create the CloudFormation stack with the Frame-provided CloudFormation script. The IAM user must have, at a minimum, the following permissions:
- AWS Console login
Due to the way that CloudFormation Stacks operate, the continuing orchestration of Frame resources on your AWS subscription is not tied to any particular account. The Frame platform does not rely on the IAM user that was used to associate your AWS subscription to the Frame platform, and that IAM user can be deleted or disabled at any time without disabling your integration with Frame. If you do wish to disable your integration with Frame manually, please delete the Nutanix-Frame-High-Cloud-Stack-Prod CloudFormation stack, as well as the FrameGatewayRole, FrameLambdaRole, and FrameWorkloadRole IAM roles.
You will need your Account ID number, which can be found by going to your “My Account” page in your AWS console. Click on the drop-down menu next to your account name in the upper right corner of your AWS Console to access this page. See below for all the steps required to add your BYO AWS account.
Some costs may begin to accrue immediately after completing the CloudFormation Stack creation.
You will need to be logged in to the AWS console with your IAM user in a separate tab or window in order to complete the CloudFormation Stack creation. Nutanix Xi Frame will not have access to your AWS user credentials.
Adding your AWS Cloud Account
BYO cloud accounts can be created either at the “customer” or “organization” tiers of Frame’s logical hierarchy. More information about Frame’s hierarchy concepts can be referenced here.
A BYO cloud account created at the “customer” (highest) tier will be accessible to all hierarchical children (“organizations” and their accounts). If you choose to add the BYO cloud account at the “organization” tier, the BYO cloud account will only be available to the chosen organization and any accounts underneath it. Customer Administrators can add a BYO cloud account at the Customer or Organization level while Organization Administrators may only add a BYO cloud account at the Organization tier.
A particular cloud subscription can only be associated with a single entity on the Frame platform. If you associate your cloud subscription to one Organization, it cannot be associated with another Organization or Customer. If your use case requires that multiple Organizations will have access to your AWS subscription, you must associate the cloud account to your Customer entity.
AWS Cloud Account Registration Procedure
Go to the Frame Admin view.
Navigate to the “Organizations” or “Customers” section (depending on where you wish to add the cloud account).
Click on the ellipsis listed next to the organization or customer you wish to add your cloud account to, then click “Cloud Accounts.”
Click the “Add Cloud Account” button on the top-right.
A new window will appear prompting you for the following information:
- Cloud provider: Select the AWS icon.
- Cloud account ID: Enter your AWS Account ID (without dashes) in this field.
- Name: Enter the desired name of your cloud service.
Once you have entered the information, click the “Prepare the account with AWS CloudFormation” button.
- At this point, your browser will be redirected to the AWS console in a new tab. If you are not logged in to AWS with the desired BYO AWS account, you will be prompted for credentials.
- Make sure you are logged in with the correct AWS account you wish to use (if you have multiple AWS accounts).
- The first page you will be taken to is the CloudFormation Stack Quick Stack Creation page. All information should be automatically filled out for you. Simply scroll to the bottom and check the box to allow CloudFormation to create IAM resources for you, then click “Create stack.”
The AWS CloudFormation template will create an IAM role that allows Frame to securely orchestrate workloads in your AWS account.
- Once the above process is complete, you will be directed to a page which lists the events for this CloudFormation Stack. The creation process will proceed automatically. You may need to refresh the page to see new events. Once an event appears named “Nutanix-Frame-High-Cloud-Stack-Prod” and is marked as status “CREATE_COMPLETE”, the stack creation has completed. This typically takes less than two minutes.
- Once the stack has been created, navigate back to your Frame tab and select “Verify.”
- You will be informed that the cloud account setup has been verified. There will be a small text response below the Cloud account ID field stating “Cloud account setup is verified”. This indicates everything is working properly.
- Now you can select the data centers (AWS regions) for your Frame accounts. You may add additional data centers in the future.
- Check the box at the bottom informing you of possible resource usage on your AWS cloud infrastructure and then click “Create.”
Now that your AWS Cloud Account is created and accessible within Frame, you will be able to create Frame accounts using this BYO cloud account.
Resources Created During BYO AWS Cloud Account Creation
During the creation of a BYO AWS Cloud Account, the CloudFormation template creates three IAM roles.
- FrameGatewayRole allows Frame Platform to provision and deprovision AWS resources for Frame-managed workloads.
- FrameLambdaRole allows log entries to be captured by Frame Platform.
- FrameWorkloadRole enables Frame Platform to store and retrieve Nutanix-provided OS images in an S3 bucket in each of the AWS regions where you create Frame accounts.
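To review who is allowed to assume these roles once the stack exists, the trust policy of each role (the `Role.AssumeRolePolicyDocument` field returned by `aws iam get-role`) can be checked offline. The following is an added example, not Nutanix or AWS code: the account IDs and trust policies are constructed for illustration and are not the policies the Frame template installs, and the `sts:ExternalId` check reflects general AWS guidance for third-party roles rather than anything stated on this page.

```python
import re

OWN_ACCOUNT = "111122223333"                # placeholder for your own AWS account ID
VENDOR = "arn:aws:iam::999988887777:root"   # constructed third-party principal

def trust_doc(principal, condition=None):   # helper that builds a sample trust policy
    s = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        s["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [s]}

# Constructed trust policies in the shape `aws iam get-role` returns them.
# They are NOT the real Frame policies; replace them with your own output.
SAMPLES = {
    "FrameGatewayRole": trust_doc(
        {"AWS": VENDOR}, {"StringEquals": {"sts:ExternalId": "constructed-id"}}),
    "FrameLambdaRole": trust_doc({"Service": "lambda.amazonaws.com"}),
    "constructed-no-external-id": trust_doc({"AWS": VENDOR}),
    "constructed-wildcard": trust_doc("*"),
}

def as_list(x):
    return x if isinstance(x, list) else [x]

def audit_trust(role, doc, own_account=OWN_ACCOUNT):
    """Return findings for AWS principals outside own_account that may assume role."""
    findings = []
    for s in as_list(doc.get("Statement", [])):
        actions = {a.lower() for a in as_list(s.get("Action", []))}
        if s.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        # "Principal": "*" is shorthand for every principal.
        principal = {"AWS": "*"} if s.get("Principal") == "*" else s.get("Principal", {})
        cond_keys = {k.lower() for c in s.get("Condition", {}).values() for k in c}
        for value in as_list(principal.get("AWS", [])):  # Service principals are skipped
            m = re.match(r"(?:arn:aws[\w-]*:iam::)?(\d{12})(?::|$)", value)
            if value == "*":
                findings.append(f"{role}: any AWS principal may assume this role")
            elif m is None:   # e.g. the unique ID left behind by a deleted principal
                findings.append(f"{role}: unrecognized principal {value}")
            elif m.group(1) != own_account and "sts:externalid" not in cond_keys:
                findings.append(f"{role}: account {m.group(1)} trusted without sts:ExternalId")
    return findings

def audit_all(samples=SAMPLES):
    return [f for role, doc in samples.items() for f in audit_trust(role, doc)]

if __name__ == "__main__":
    print("\n".join(audit_all()) or "no findings")
```
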
AWS Service Limits
By default, a newly created AWS account will impose certain service limits on available resources. Depending on the size of the Frame workload required, you will likely need to adjust the default limits imposed on the AWS account. If these limits are set to values that are lower than what is required by the Frame platform, you can expect certain functions to either fail or be substantially delayed. The Frame requirements for these service limits depend on the desired workload and required resources. The recommended service limit increases include the following:
| Service | Recommendation |
|---|---|
| EC2 | Frame recommends setting the EC2 service limit to 2.2x your expected max number of instances. The additional 20% will accommodate any additional resources such as Sandboxes, Utility servers, etc. |
| EBS | Typically, EBS does not need to be modified. If you have any concerns about capacity, we recommend 80 GiB per instance. |
| Elastic IP Addresses | The default number of Elastic IP Addresses should be sufficient for most Frame use cases, however, you may want to designate 1 or 2 additional Elastic IP Addresses for Frame use if you plan on using VPN endpoints. |
| Network Interfaces | By default, you should have 350 network interfaces per region. You will need at least 2 available per instance. |
| VPCs | For most Frame use cases, you will only need one VPC. |
| GPU-backed Instances | We recommend increasing service limits for GPU-backed instances to 2.2x your expected max number of instances. The additional 20% will accommodate any additional resources such as Sandboxes, Utility servers, etc. |
To modify service limits on your AWS account, you will need to click on the “Limits” link in the navigation panel on the left of the AWS console.
Service Limits Tips
- If possible, group your service limit increases by geographic region. Each geographic region has its own approval team. A limit increase across multiple regions can take 6-8 weeks.
- Approval time can vary by the size of the request. For instance, two or three small service limit increase requests are generally approved more quickly than one large request.
- Since capacity is limited, increasing service limits on GPU-backed instances generally takes longer than general purpose limit increases.
- T2 instance limit increase requests are usually approved and implemented within 24 hours of the request. G2/G3 instance limit increases take longer (especially for larger quantities).
More information about AWS service limits can be found in their official documentation.
AWS Instance Types
Each IaaS provider has a unique naming scheme for their instance types. AWS categorizes their “Elastic Cloud Compute instances” (a.k.a. “EC2 instances”) based on compute, memory, and GPU configuration. More information about Amazon EC2 instances can be found in their official AWS documentation.
For the latest AWS instances supported by Xi Frame, refer to the Nutanix Xi Frame Pricing Page. Note that since you are bringing your own AWS account, your pricing may be different from that shown in the table.