Preparing to Install the InfinStor Service

This page covers the admin permissions, DNS domain considerations, and certificate creation needed before installing the InfinStor Service.

Required Permissions

You need to create this infinstor root stack as an administrator with the following permissions:

  • Create a domain, or have permissions to add entries to an existing domain hosted in Route 53
  • Permission to create certificates for the above DNS entries, or alternatively have access to a wildcard certificate
  • Permission to create Serverless Applications
  • Permission to create DynamoDB tables
  • Permission to create EC2 instances for the MLflow projects functionality

DNS Domain and Certificate considerations

The following subdomains are needed for the operation of Infinstor Service. For example, if the service is being installed at infinstor.yourcompany.com, then the following domains need to be set up.

  • api.infinstor.yourcompany.com
  • mlflow.infinstor.yourcompany.com
  • mlflowui.infinstor.yourcompany.com
  • mlflowstatic.infinstor.yourcompany.com
  • service.infinstor.yourcompany.com

During installation of Infinstor Service, these domains can be created automatically or manually.

In addition, when certificates are automatically created during installation of Infinstor Service or when they are imported into AWS Certificate Manager, DNS entries need to be created under the above domain to prove ownership of the domain. For details, see Easier Certificate Validation Using DNS with AWS Certificate Manager | AWS Security Blog (amazon.com)

Following are the possible installation scenarios. These are described in detail here: Install Root Stack

#1
  • DNS: Domain is hosted in Route 53 and AWS user has permissions to create DNS entries
  • Certificate: User wants certificates to be auto created in the AWS account by Infinstor CloudFormation Template (CFT)
  • Behavior: Infinstor CFT will auto create above subdomains under the domain specified using the Hosted Zone ID; Infinstor CFT will auto create the needed certificates in AWS Certificate Manager (ACM)

#2
  • DNS: Domain is hosted in Route 53 and AWS user has permissions to create DNS entries
  • Certificate: User has a wild card certificate for the domain and has imported it into AWS Certificate Manager
  • Behavior: Infinstor CFT will auto create above subdomains under the domain specified using the Hosted Zone ID; User supplies the ARN for a wild card certificate for the domain where Infinstor Service is being installed

#3
  • DNS: Domain is not hosted in Route 53 or AWS user does not have permissions to create DNS entries
  • Certificate: User wants certificates to be auto created in the AWS account by Infinstor CloudFormation Template (CFT)
  • Behavior: User manually creates DNS entries (for the above subdomains and for certificate's domain verification) using the steps listed below; Infinstor CFT auto creates the needed certificates in AWS Certificate Manager (ACM)

#4
  • DNS: Domain is not hosted in Route 53 or AWS user does not have permissions to create DNS entries
  • Certificate: User has a wild card certificate for the domain and has imported it into AWS Certificate Manager
  • Behavior: User manually creates DNS entries (for the above subdomains and for certificate's domain verification) using the steps listed below; User supplies the ARN for a wild card certificate for the domain where Infinstor Service is being installed

Locating the Hosted Zone ID in AWS Route 53

Shown below is a screen shot showing the Hosted Zone ID for a domain name hosted in AWS Route 53

Manual creation of DNS entries

For scenarios #3 and #4 described above, the administrator must create the DNS entries manually. After installation of the CloudFormation Template (CFT) completes, follow the steps below to create these subdomains using your DNS management tool.

  • api.infinstor.yourcompany.com
    • Create a CNAME entry that points infinstor:ApiDnsName to infinstor:ApiARecord. This export is from the substack infinstor-dashboard-<something>. For example,
      • if the stack export infinstor:ApiDnsName is set to api
      • and the stack export infinstor:ApiARecord is set to d-blahblah.execute-api.us-east-1.amazonaws.com,
      • and if the domain is isstage8.com,
      • then create a CNAME record that directs api.isstage8.com to d-blahblah.execute-api.us-east-1.amazonaws.com
  • service.infinstor.yourcompany.com
    • Create a CNAME entry that points infinstor:ServiceDnsName to infinstor:ServiceARecord. This export is from the substack infinstor-staticfiles-<something>.
  • mlflow.infinstor.yourcompany.com
    • Create a CNAME entry that points the CloudFormation export infinstor:MlflowRestApiDnsName to infinstor:MlflowRestApiARecord. This export is from the substack infinstor-mlflow-<something>.
  • mlflowstatic.infinstor.yourcompany.com
    • Create a CNAME entry that points the CloudFormation export infinstor:MlflowStaticDnsName to infinstor:MlflowStaticARecord. This export is from the substack infinstor-staticfiles-<something>.
  • mlflowui.infinstor.yourcompany.com
    • Create a CNAME entry that points the CloudFormation export infinstor:MlflowUiDnsName to infinstor:MlflowUiARecord. This export is from the substack infinstor-staticfiles-<something>.
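
The script below is an added example, not InfinStor's own tooling: it reads the JSON printed by aws cloudformation list-exports, pairs the exports named in the steps above, and renders the CNAME records in zone-file syntax, reporting any missing export instead of emitting a partial record. The sample export values, the 300-second TTL, and the assumption that each DnsName export holds a bare label such as api are illustrative.

```python
import json

# Export-name pairs listed on this page: (record-name export, target export).
PAIRS = [
    ("infinstor:ApiDnsName", "infinstor:ApiARecord"),
    ("infinstor:ServiceDnsName", "infinstor:ServiceARecord"),
    ("infinstor:MlflowRestApiDnsName", "infinstor:MlflowRestApiARecord"),
    ("infinstor:MlflowStaticDnsName", "infinstor:MlflowStaticARecord"),
    ("infinstor:MlflowUiDnsName", "infinstor:MlflowUiARecord"),
]

def cname_records(list_exports_json, domain):
    """Return (records, missing): CNAME (name, target) pairs and absent exports."""
    exports = {e["Name"]: e["Value"].strip()
               for e in json.loads(list_exports_json)["Exports"]}
    domain = domain.strip(".").lower()
    records, missing = [], []
    for name_key, target_key in PAIRS:
        absent = [k for k in (name_key, target_key) if not exports.get(k)]
        if absent:
            # Never emit a half-built record; report what is missing instead.
            missing.extend(absent)
            continue
        label = exports[name_key].strip(".").lower()
        # Accept a bare label ("api") or an already-qualified name (assumption).
        fqdn = label if label.endswith("." + domain) else f"{label}.{domain}"
        records.append((fqdn + ".", exports[target_key].rstrip(".") + "."))
    return records, missing

def zone_lines(records, ttl=300):
    """Render records in zone-file syntax for entry into a DNS management tool."""
    return [f"{name} {ttl} IN CNAME {target}" for name, target in records]

# Constructed sample, shaped like `aws cloudformation list-exports` output.
SAMPLE = json.dumps({"Exports": [
    {"Name": "infinstor:ApiDnsName", "Value": "api"},
    {"Name": "infinstor:ApiARecord",
     "Value": "d-blahblah.execute-api.us-east-1.amazonaws.com"},
    {"Name": "infinstor:ServiceDnsName", "Value": "service"},
]})

if __name__ == "__main__":
    recs, missing = cname_records(SAMPLE, "isstage8.com")
    print("\n".join(zone_lines(recs)))
    for key in missing:
        print(f"; missing export, record not generated: {key}")
```

Keep the generated list with the stack's change records: if the stack is later deleted, the same CNAME entries must be removed from DNS so they do not point at endpoints the account no longer owns.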