TCE-4760 feat(byoc): initial version of BYOC docs.

.vscode/settings.json

@@ -0,0 +1 @@
+{}

modules/savanna/antora.yml

@@ -11,5 +11,6 @@ nav:
   - modules/graph-development/nav.adoc
   - modules/rest-api/nav.adoc
   - modules/integrations/nav.adoc
+  - modules/byoc/nav.adoc
   - modules/administration/nav.adoc
   - modules/resources/nav.adoc

modules/savanna/modules/administration/nav.adoc

@@ -1,7 +1,7 @@
 * xref:index.adoc[Administration]
 ** xref:administration:how2-invite-users.adoc[]
 ** xref:administration:how2-access-mgnt.adoc[]
-** xref:administration:security/index.adoc[]
+** xref:administration:security/index.adoc[Security]
 *** xref:administration:security/idp.adoc[]
 *** xref:administration:security/password-policy.adoc[]
 ** xref:administration:billing/index.adoc[Billing]

modules/savanna/modules/byoc/nav.adoc

@@ -0,0 +1,6 @@
+* xref:index.adoc[Bring Your Own Cloud]
+** xref:workspaces.adoc[Workgroups and Workspaces]
+** xref:cloudprovider.adoc[Cloud Provider]
+// Hide the following pages since we haven't enabled these features yet.
+// *** xref:secure-connection.adoc[Secure Connection]
+// *** xref:byo-vpc.adoc[Use Existing VPC]

modules/savanna/modules/byoc/pages/byo-vpc.adoc

@@ -0,0 +1,63 @@
+= Bring Your Own VPC (BYO VPC) with TigerGraph
+:experimental:
+
+When creating a Cloud Provider in TigerGraph BYOC, you have the option to use an existing VPC from your AWS account instead of having TigerGraph create a new one. This option is called Bring Your Own VPC (BYO VPC).
+
+== What is BYO VPC?
+
+BYO VPC allows you to specify an existing Virtual Private Cloud (VPC) in your AWS account for TigerGraph to use when deploying resources. This gives you more control over your network configuration and allows for better integration with your existing AWS infrastructure.
+
+=== Benefits of BYO VPC
+
+1. **Integration with Existing Resources**: Use the same VPC as your other AWS services for easier data transfer and communication.
+2. **Custom Network Configuration**: Leverage your custom-designed network architecture.
+3. **Enhanced Security**: Maintain your existing security groups and network ACLs.
+4. **Compliance**: Ensure TigerGraph deployments adhere to your organization's networking policies and compliance requirements.
+
+== Using BYO VPC When Creating a Cloud Provider
+
+When creating a new Cloud Provider, follow these steps to use your own VPC:
+
+1. Start the Cloud Provider creation process as described xref:byoc:cloudprovider.adoc[here].
+2. In the "Advanced Settings" section, you'll see an option to "Use Existing VPC".
+3. Select this option to enable BYO VPC.
+4. Provide the following information:
+   - VPC ID: The ID of your existing VPC
+   - Subnet IDs: Select one or more subnets within your VPC for TigerGraph resources
+   - Security Group IDs: Specify existing security groups or create new ones
+
+5. TigerGraph will validate that the provided VPC and associated resources meet the necessary requirements. Please check the section below for these requirements.
+
+
+== Requirements for BYO VPC
+
+To use your own VPC with TigerGraph BYOC, ensure it meets these requirements:
+
+1. **VPC Size**: The VPC should have a sufficiently large CIDR block to accommodate TigerGraph resources.
+2. **Subnets**: Provide at least two subnets in different Availability Zones for high availability.
+3. **Internet Connectivity**: The VPC must have internet access (via Internet Gateway or NAT Gateway) for TigerGraph to function properly.
+4. **DNS Settings**: Ensure DNS hostnames and DNS resolution are enabled in the VPC.
+5. **Security Groups**: The specified security groups must allow necessary inbound and outbound traffic for TigerGraph services.
+
+== Considerations When Using BYO VPC
+
+1. **Responsibility**: You are responsible for managing and maintaining the VPC, including any changes to its configuration.
+2. **Compatibility**: Ensure your VPC settings are compatible with TigerGraph's requirements. Incompatibilities may cause deployment issues.
+3. **Resource Limits**: Be aware of AWS service limits within your VPC, such as the number of ENIs (Elastic Network Interfaces) or IP addresses.
+4. **Networking Costs**: Understand that data transfer between TigerGraph resources and other services in your VPC may incur AWS networking costs.
+
+== Modifying VPC Settings
+
+After creating a Cloud Provider with BYO VPC:
+
+- You can modify certain VPC settings through your AWS console, but exercise caution to avoid disrupting TigerGraph services.
+- Some changes, like adding new subnets for TigerGraph use, may require coordination with TigerGraph support.
+
+By leveraging the BYO VPC option, you can maintain greater control over your network environment while benefiting from TigerGraph's powerful graph database capabilities in your own cloud infrastructure.
+
+== Next Steps
+
+Now learn about xref:byoc:index.adoc[BYOC] feature in TigerGraph Savanna.
+
+Or return to the xref:cloudBeta:overview:index.adoc[Overview] page for a different topic.
+

modules/savanna/modules/byoc/pages/cloud-provider.adoc

@@ -0,0 +1,266 @@
+= Cloud Provider
+:experimental:
+
+== Overview
+In TigerGraph's xref:byoc:index.adoc[BYOC] context, a "Cloud Provider" represents resources in customer cloud account in a cloud vendor and a specific region. It serves as a bridge between TigerGraph's main control plane and your cloud infrastructure, enabling you to manage multiple TigerGraph workspaces within your own cloud environment.
+
+This page provides an overview of Cloud Providers in TigerGraph BYOC, explains their significance, and outlines the process of creating and managing them.
+
+== Creating a Cloud Provider
+
+Creating a Cloud Provider is a crucial step in setting up BYOC. Here's the process:
+
+1. **Prepare AWS Account**:
+   - Ensure you have the necessary permissions in your AWS account.
+   - Create an IAM role with the required policy permissions. This step is your responsibility and must be completed in the AWS console before proceeding.
+
+[source, json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "acm:DeleteCertificate",
+                "acm:DescribeCertificate",
+                "acm:ListTagsForCertificate",
+                "acm:RequestCertificate",
+                "autoscaling:CreateOrUpdateTags",
+                "autoscaling:DeleteTags",
+                "autoscaling:DescribeTags",
+                "ec2:AllocateAddress",
+                "ec2:AssociateRouteTable",
+                "ec2:AttachInternetGateway",
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:CreateInternetGateway",
+                "ec2:CreateLaunchTemplate",
+                "ec2:CreateLaunchTemplateVersion",
+                "ec2:CreateNatGateway",
+                "ec2:CreateNetworkAclEntry",
+                "ec2:CreateVpcEndpoint",
+                "ec2:CreateRoute",
+                "ec2:CreateRouteTable",
+                "ec2:CreateSecurityGroup",
+                "ec2:CreateSubnet",
+                "ec2:CreateTags",
+                "ec2:CreateVpc",
+                "ec2:CreateVpcEndpointServiceConfiguration",
+                "ec2:DeleteInternetGateway",
+                "ec2:DeleteLaunchTemplate",
+                "ec2:DeleteLaunchTemplateVersions",
+                "ec2:DeleteNatGateway",
+                "ec2:DeleteNetworkAclEntry",
+                "ec2:DeleteRoute",
+                "ec2:DeleteRouteTable",
+                "ec2:DeleteSecurityGroup",
+                "ec2:DeleteSubnet",
+                "ec2:DeleteTags",
+                "ec2:DeleteVpc",
+                "ec2:DeleteVpcEndpoints",
+                "ec2:DeleteVpcEndpointServiceConfigurations",
+                "ec2:DescribeAddresses",
+                "ec2:DescribeVpcEndpoints",
+                "ec2:DescribePrefixLists",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeInternetGateways",
+                "ec2:DescribeInstances",
+                "ec2:DescribeLaunchTemplateVersions",
+                "ec2:DescribeLaunchTemplates",
+                "ec2:DescribeNatGateways",
+                "ec2:DescribeNetworkAcls",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DescribeRouteTables",
+                "ec2:DescribeSecurityGroupRules",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeTags",
+                "ec2:DescribeVpcAttribute",
+                "ec2:DescribeVpcEndpointConnectionNotifications",
+                "ec2:DescribeVpcEndpointServiceConfigurations",
+                "ec2:DescribeVpcEndpointServicePermissions",
+                "ec2:DescribeVpcEndpointServices",
+                "ec2:DescribeVpcs",
+                "ec2:DetachInternetGateway",
+                "ec2:DisassociateAddress",
+                "ec2:DisassociateRouteTable",
+                "ec2:GetLaunchTemplateData",
+                "ec2:ModifyVpcEndpoint",
+                "ec2:ModifyLaunchTemplate",
+                "ec2:ModifySubnetAttribute",
+                "ec2:ModifyVpcAttribute",
+                "ec2:ModifyVpcEndpointServiceConfiguration",
+                "ec2:ModifyVpcEndpointServicePayerResponsibility",
+                "ec2:ModifyVpcEndpointServicePermissions",
+                "ec2:ReleaseAddress",
+                "ec2:RevokeSecurityGroupEgress",
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:RunInstances",
+                "ec2:StartVpcEndpointServicePrivateDnsVerification",
+                "eks:AssociateAccessPolicy",
+                "eks:CreateAccessEntry",
+                "eks:CreateAddon",
+                "eks:CreateCluster",
+                "eks:CreateNodegroup",
+                "eks:DeleteAccessEntry",
+                "eks:DeleteAddon",
+                "eks:DeleteCluster",
+                "eks:DeleteNodegroup",
+                "eks:DescribeAccessEntry",
+                "eks:DescribeAddon",
+                "eks:DescribeCluster",
+                "eks:DescribeNodegroup",
+                "eks:DisassociateAccessPolicy",
+                "eks:ListAssociatedAccessPolicies",
+                "eks:TagResource",
+                "eks:UpdateAddon",
+                "eks:UpdateNodegroupConfig",
+                "eks:UpdateClusterVersion",
+                "eks:UpdateClusterConfig",
+                "eks:UpdateNodegroupVersion",
+                "eks:DescribeUpdate",
+                "elasticfilesystem:CreateFileSystem",
+                "elasticfilesystem:CreateMountTarget",
+                "elasticfilesystem:DeleteFileSystem",
+                "elasticfilesystem:DeleteMountTarget",
+                "elasticfilesystem:DescribeBackupPolicy",
+                "elasticfilesystem:DescribeFileSystems",
+                "elasticfilesystem:DescribeLifecycleConfiguration",
+                "elasticfilesystem:DescribeMountTargetSecurityGroups",
+                "elasticfilesystem:DescribeMountTargets",
+                "elasticfilesystem:PutBackupPolicy",
+                "elasticfilesystem:PutLifecycleConfiguration",
+                "elasticfilesystem:TagResource",
+                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+                "elasticloadbalancing:AttachLoadBalancerToSubnets",
+                "elasticloadbalancing:CreateLoadBalancer",
+                "elasticloadbalancing:CreateTargetGroup",
+                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+                "elasticloadbalancing:DescribeInstanceHealth",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+                "elasticloadbalancing:RegisterTargets",
+                "elasticloadbalancing:SetIpAddressType",
+                "elasticloadbalancing:SetSubnets",
+                "iam:AttachRolePolicy",
+                "iam:CreateOpenIDConnectProvider",
+                "iam:CreatePolicy",
+                "iam:CreateRole",
+                "iam:CreatePolicyVersion",
+                "iam:DeleteOpenIDConnectProvider",
+                "iam:DeletePolicy",
+                "iam:DeleteRole",
+                "iam:DeleteRolePolicy",
+                "iam:DetachRolePolicy",
+                "iam:DeletePolicyVersion",
+                "iam:GetOpenIDConnectProvider",
+                "iam:GetPolicy",
+                "iam:GetPolicyVersion",
+                "iam:GetRole",
+                "iam:GetRolePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListInstanceProfilesForRole",
+                "iam:ListPolicyVersions",
+                "iam:ListRolePolicies",
+                "iam:PassRole",
+                "iam:PutRolePolicy",
+                "iam:SimulatePrincipalPolicy",
+                "iam:SetDefaultPolicyVersion",
+                "iam:TagOpenIDConnectProvider",
+                "logs:CreateLogGroup",
+                "logs:DeleteLogGroup",
+                "logs:DescribeLogGroups",
+                "logs:ListTagsLogGroup",
+                "logs:PutRetentionPolicy",
+                "logs:TagResource",
+                "s3:CreateBucket",
+                "s3:DeleteBucket",
+                "s3:DeleteObject",
+                "s3:GetLifecycleConfiguration",
+                "s3:ListBucket",
+                "s3:PutLifecycleConfiguration",
+                "s3:PutObject",
+                "sqs:SendMessage",
+                "kms:CreateKey",
+                "kms:GenerateDataKeyWithoutPlaintext",
+                "kms:ScheduleKeyDeletion",
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "secretsmanager:CreateSecret",
+                "secretsmanager:DeleteSecret",
+                "secretsmanager:UpdateSecret",
+                "secretsmanager:GetSecretValue",
+                "servicequotas:ListServiceQuotas"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+
+2. **Access TigerGraph Savanna**:
+   - Log in to your TigerGraph Savanna account.
+   - Navigate to the "Cloud Providers" section.
+
+3. **Initiate Cloud Provider Creation**:
+   - Click on "Add New Cloud Provider".
+   - Select AWS as the cloud platform.
+
+   CAUTION:: You can only create AWS Cloud Providers in the current version of TigerGraph Savanna.
+
+4. **Provide AWS Details**:
+   - Enter a name for your Cloud Provider.
+   - Input the ARN of the IAM role you created in step 1.
+//   - Specify the VPC ID where you want TigerGraph resources to be deployed.
+//   - Enter the Subnet ID(s) for TigerGraph resources.
+
+// 5. **Configure Network Settings**:
+//    - Optionally, you may select the "Secure Connection" option to enable additional security measures for communication between TigerGraph compute plane and your browser. Please check the xref:security:secure-connection.adoc[Secure Connection] page for more details.
+//    - Optionally, you may select the "BYO VPC" option in advanced settings to make the cloud provider use existing VPC configurations. Please check the xref:byoc:byo-vpc.adoc[BYO VPC] page for more details. 
+
+6. **Review and Create**:
+   - Review all the information you've entered.
+   - Click "Create Cloud Provider" to initiate the process.
+
+7. **Validation and Deployment**:
+   - TigerGraph Savanna will validate the provided information.
+   - If validation is successful, it will deploy the necessary components in your AWS account.
+
+8. **Confirmation**:
+   - Your new Cloud Provider will appear in the Cloud Providers list in TigerGraph Savanna.
+   - It will be in a "Provisioning" state initially. Once the deployment is complete, the status will change to "Active". This process may take a few minutes.
+   - You can leave the page and return later to check the status.
+
+
+== Managing Cloud Providers
+
+After creation, you can:
+- View details of your Cloud Provider
+- Monitor the status of the Cloud Provider
+- Create and manage workspaces associated with this Cloud Provider
+
+Remember, a single Cloud Provider can host multiple workspaces, allowing you to efficiently manage your TigerGraph deployments within your own cloud infrastructure.
+
+[Diagram: Cloud Provider Architecture]
+
+Description: This diagram illustrates the relationship between TigerGraph Savanna, your AWS account, and the Cloud Provider:
+- TigerGraph Savanna (Control Plane) at the top
+- Customer AWS Account in the middle, containing:
+  - Cloud Provider (mini control plane)
+  - VPC with associated subnets
+  - IAM Role connected to the Cloud Provider
+- Multiple Workspaces within the VPC, managed by the Cloud Provider
+- Secure connections between TigerGraph Savanna and the Cloud Provider, and between the Cloud Provider and Workspaces
+
+This section provides a comprehensive overview of the Cloud Provider concept in TigerGraph BYOC, its significance, and the process of creating one, emphasizing the customer's role in preparing the AWS environment.
+
+
+== Next Steps
+
+Now learn about xref:byoc:index.adoc[BYOC] feature in TigerGraph Savanna 4.0.
+
+Or return to the xref:cloudBeta:overview:index.adoc[Overview] page for a different topic.