Skip to content
This repository has been archived by the owner on Jan 29, 2024. It is now read-only.

platfrom: remove ipsec ingress deployment models from BYOC docs #2159

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 10 additions & 31 deletions docs/platform/concepts/byoc.rst
Original file line number Diff line number Diff line change
Expand Up @@ -18,28 +18,28 @@ There a few major reasons to utilize BYOC:
3. **Fine-grained network control**: BYOC requires only some specific network access (for example, service management and troubleshooting), otherwise allowing you to customize your network to meet any internal requirements or requirements of your customers.
4. **Cost optimization**: Depending on your cloud provider, with BYOC you can use cost savings plans, committed use discounts, or other strategies to save on compute and storage infrastructure costs related to Aiven services.

Who is eligible
---------------
Who is eligible for BYOC
------------------------

The BYOC setup is a bespoke service offered on a case-by-case basis, and not all cloud providers support it yet. You need to meet a few requirements to be eligible for BYOC:

- You use one of the following public clouds: Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure (excluding Azure Germany).
- Your total monthly spend is greater than $5,000.
- You have an active enterprise support contract.

When to use a standard Aiven deployment
---------------------------------------
When to use the regular Aiven deployment
----------------------------------------

BYOC deployments are not automated, and they add additional complexity to communicating to the Aiven control plane, service management, key management, and security.

In most cases, you can meet your regulatory and business requirements by utilizing a standard Aiven deployment or :doc:`Enhanced Compliance Environment </docs/platform/concepts/enhanced-compliance-env>`.
In most cases, you can meet your regulatory and business requirements by utilizing a regular Aiven deployment or :doc:`Enhanced Compliance Environment </docs/platform/concepts/enhanced-compliance-env>`.

.. tip::

If you would like to understand BYOC better or are unsure which deployment model is the best fit for you, contact [email protected].

Pricing and billing
-------------------
BYOC pricing and billing
------------------------

Unlike Aiven's standard all-inclusive pricing, the BYOC setup has custom pricing depending on the nature of your requirements. If you enter this arrangement, you are responsible for all cloud infrastructure and network traffic
charges.
Expand All @@ -52,20 +52,15 @@ You receive two separate monthly invoices, one from Aiven for their managed serv

.. _byoc-deployment:

Architecture of BYOC deployments
--------------------------------
Architecture of the standard BYOC deployment
--------------------------------------------

With BYOC, you can use any standard Aiven method (for example, :doc:`CLI </docs/tools/cli>` or :doc:`Terraform </docs/tools/terraform>`) to manage your services and generally have the same user experience as with the regular Aiven deployment model.

.. _byoc-standard:

BYOC standard
'''''''''''''

.. image:: /images/platform/byoc-standard.png
:alt: Overview architecture diagram with VPC set up

A standard BYOC deployment requires you to create a Virtual Private Cloud (VPC) dedicated to Aiven services within each region you want to operate in. Aiven accesses these VPCs via a static IP address and then routes traffic through a proxy for additional security. To accomplish this, Aiven utilizes a bastion host logically separated from the
The standard BYOC deployment requires you to create a Virtual Private Cloud (VPC) dedicated to Aiven services within each region you want to operate in. Aiven accesses these VPCs via a static IP address and then routes traffic through a proxy for additional security. To accomplish this, Aiven utilizes a bastion host logically separated from the
Aiven services you deploy. As the user of these services (for example, Aiven for Apache Kafka®), you are able to utilize them through standard VPC peering techniques. Although the bastion host and the service nodes reside in your managed VPC, they are not accessible (for example, SSH) to anyone outside Aiven.

Depending on the service used, Aiven takes regular backups to enable forking, point in time recovery (PITR), and disaster recovery. These backups by default do not reside in your cloud. If there is a requirement to have all backups
Expand All @@ -75,22 +70,6 @@ in your own cloud, it's still possible. To accomplish this, Aiven needs an objec

All backups are encrypted using Aiven-managed keys, and you are responsible for managing object storage configurations.

BYOC with IPsec ingress
'''''''''''''''''''''''

.. image:: /images/platform/byoc-ipsec-ingress.png
:alt: Overview architecture diagram with IPsec tunnel

A slight variation on a standard BYOC deployment enables Aiven to manage your services through an IPsec tunnel. This deployment can be beneficial if management over the public Internet is infeasible or adds additional complexity.

BYOC with direct IPsec ingress
''''''''''''''''''''''''''''''

.. image:: /images/platform/byoc-ipsec-ingress-direct.png
:alt: Overview architecture diagram with direct IPsec access

A slight variation on a standard BYOC deployment enables Aiven to manage your services through a direct IPsec tunnel. This deployment can be beneficial if there is a desire to reduce the number of Aiven managed components.

What's next
-----------

Expand Down
10 changes: 1 addition & 9 deletions docs/platform/howto/byoc/create-custom-cloud.rst
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ Limitations

* Administrator's role is required for creating custom clouds.
* :doc:`BYOC limited availability version </docs/platform/concepts/beta_services>` supports the AWS cloud provider only.
* You need to use the :ref:`BYOC standard deployment <byoc-standard>` as a deployment model for your custom cloud.
* BYOC is supported with the :ref:`standard deployment <byoc-deployment>` model only.

Prerequisites
-------------
Expand Down Expand Up @@ -72,14 +72,6 @@ In the **Create custom cloud** workflow, proceed as follows:
* To create VPC peerings with that VPC, choose a CIDR block that doesn't overlap with CIDR blocks of peer VPCs.
* Keep in mind that CIDR block needs be large enough so that, after splitting it into per-region subnets, each subnet has enough addresses to fit required services.

* :ref:`Deployment model <byoc-deployment>`

The deployment model determines how resources within your Aiven organization are arranged. It also imposes the method of connectivity between Aiven's control plane and networks under your cloud provider account.

.. important::

**BYOC standard** is the only option supported currently.

2. Select **Next**.

.. topic:: Result
Expand Down
Loading