AWS Subscription Onboarding

This document guides you through the process of setting up your AWS account as the data plane. Following these steps ensures that resources are provisioned and managed securely in an isolated environment, leading to a smooth and efficient onboarding experience.


Prerequisites

Before starting the onboarding process, ensure the following requirements are met:

  • Complete your Landing Zone design documentation.

  • Ensure the AWS principal you will use has the permissions to run the CloudFormation template and to create every resource it declares (the IAM roles and the network, storage, and key resources you select in the steps below).


Accessing the AWS Subscription Creation Flow

  1. In the left navigation pane, hover over the Governance App icon.

    A pop-up menu with a list of apps opens.

  2. From the pop-up menu, select Subscriptions.

  3. Click the Add a New Subscription button in the top-right corner.

  4. Select the Amazon Web Services option.


STEP 1 OF 5:

Configure Subscription

Configure your Tessell subscription by providing the following details:

  1. Specify a name for your subscription in the Subscription Name field (minimum 4 characters).

  2. Optionally, add a brief summary or purpose for your subscription in the Description field.

    This helps with organization, especially if managing multiple subscriptions.

  3. From the Region dropdown list, select the primary region for your subscription’s resources.

    Note: Not all regions are enabled by default. To enable a specific region, contact Tessell support.

  4. After filling in the above details, do one of the following:

    1. Skip to last step: Use this option if you have already run the CloudFormation template generated in Step 5 and only need to paste its output.

    2. Otherwise, click Next to proceed to the Network section.


STEP 2 OF 5:

Network Configuration

When creating the network infrastructure, several approaches are possible. Tessell supports resources from only one AWS account per Tessell subscription; to use resources in a different AWS account, create a separate Tessell subscription. Each Tessell subscription can map to resources in multiple regions of that single AWS account.

This applies to resources such as VPCs, subnets, private endpoints, and so on.


Private CP-DP communication flag enabled

Enable this flag for private communication between the Tessell Control Plane (CP) and the AWS Data Plane (DP).

If this option is disabled, communication between the Tessell control plane and the AWS data plane occurs over the public network. See the Private CP-DP Communication Disabled section.

Note: For private CP-DP communication, the CP and DP cloud accounts must be the same.

For a private CP-DP configuration, you can either create a new VPC or register an existing VPC:

  1. Create a new VPC.

    1. Subnets are created along with the VPC; a public subnet is not required.

    2. The private endpoints (interface and gateway) are created along with the VPC.

    3. The security groups and their rules are also added.

  2. Register an existing VPC.

    1. You must already have a subnet; the register workflow does not create one. A public subnet is not required.

    2. The private endpoints have two options:

      1. Add new: Creates a private endpoint, a security group for it, and the security rules in that group.

      2. Register existing: Consumes existing endpoints and security groups. You must add the security rules manually.

    3. A gateway endpoint for S3 must be created manually if the existing VPC does not already have one.

Add a new VPC

This workflow lets you add a new VPC, subnets, endpoints, and security groups for private CP-DP configuration.

Virtual Network Details: Provide the following information.

  • Virtual Network Name: Name of the new VPC.

  • Virtual Network CIDR: IP address range (CIDR) for the new VPC.

  • List of Availability Zones: Displays the list of added availability zones in the selected region. You can add more availability zones if they are available.

  • Availability Zone: Select an availability zone for the new subnets from the dropdown list.

  • Private Subnet Name: Name of the new private subnet.

  • Private Subnet CIDR: IP address range (CIDR) for the private subnet.

Endpoint Configuration

  • AWS Account ID: Specify the AWS account ID that Tessell must allow to connect to its control plane endpoint service (AWS PrivateLink). See Appendix - How to find the account ID?.

    • Click Authorize ID to authorize the account ID.

  • Tessell Control Plane Endpoint: Name for the interface endpoint that connects the data plane VPC to the Tessell control plane endpoint service for CP-DP communication.

  • Tessell Control Plane Security Group: Name for the security group attached to the Tessell control plane endpoint.

Additional Endpoints

  • SQS Endpoint: Name for the SQS interface endpoint, used to push Tessell-related logs to SQS.

    • SQS Security Group: Name for the security group attached to the SQS endpoint.

  • Secret Manager Endpoint: Name for the AWS Secrets Manager interface endpoint, used to access database-related secrets.

    • Secret Manager Security Group: Name for the security group attached to the Secrets Manager endpoint.

  • Cloudwatch Endpoint: Name for the CloudWatch interface endpoint, used to push database engine logs to CloudWatch.

    • Cloudwatch Security Group: Name for the security group attached to the CloudWatch endpoint.

  • EC2 Endpoint: Name for the EC2 service interface endpoint, used for the EC2 API operations required to run the SQS server.

    • EC2 Security Group: Name for the security group attached to the EC2 endpoint.

  • S3 Gateway Endpoint: Name for the S3 gateway endpoint, used to reach S3 privately when pushing snapshots, PITR logs, and so on.


Register an existing VPC

This workflow lets you register an existing VPC and its subnets. Endpoints and security groups can either be newly added or registered from existing ones for the private CP-DP configuration.

Virtual Network Details: Provide the following information.

  • Virtual Network ID: Specify the VPC ID of the existing VPC. See Appendix - How to find a VPC ID?.

  • Virtual Network Name: Specify the name of the VPC in Tessell for reference.

  • List of Availability Zones: Displays the list of added availability zones in the selected region. You can add more availability zones if they are available.

  • Availability Zone: From the existing VPC, select an availability zone from the dropdown list.

  • Private Subnet ID: Specify the private subnet ID of the existing subnet. See Appendix - How to find subnet ID?.

Endpoint Configuration

  • AWS Account ID: Specify the AWS account ID that Tessell must allow to connect to its control plane endpoint service (AWS PrivateLink). See Appendix - How to find the account ID?.

    • Click Authorize ID to authorize the account ID.

  • Tessell Control Plane Endpoint:

    • Add: Name for the interface endpoint that connects the data plane VPC to the Tessell control plane endpoint service for CP-DP communication.

      • Tessell Control Plane Security Group: Name for the security group attached to the Tessell control plane endpoint.

    • Register: Specify the endpoint ID, endpoint IP, or endpoint domain name of the existing endpoint from the data plane VPC to the control plane. See Appendix - How to find an Endpoint ID?.

Additional endpoints:

  • SQS Endpoint:

    • Add: Name for the SQS interface endpoint, used to push Tessell-related logs to SQS.

      • SQS Security Group: Name for the security group attached to the SQS endpoint.

    • Register: Specify the existing SQS endpoint ID, endpoint IP, or endpoint domain name.

  • Secret Manager Endpoint:

    • Add: Name for the AWS Secrets Manager interface endpoint, used to access database-related secrets.

      • Secret Manager Security Group: Name for the security group attached to the Secrets Manager endpoint.

    • Register: Specify the existing Secrets Manager endpoint ID, endpoint IP, or endpoint domain name.

  • Cloudwatch Endpoint:

    • Add: Name for the CloudWatch interface endpoint, used to push database engine logs to CloudWatch.

      • Cloudwatch Security Group: Name for the security group attached to the CloudWatch endpoint.

    • Register: Specify the existing CloudWatch endpoint ID, endpoint IP, or endpoint domain name.

  • EC2 Endpoint:

    • Add: Name for the EC2 service interface endpoint, used for the EC2 API operations required to run the SQS server.

      • EC2 Security Group: Name for the security group attached to the EC2 endpoint.

    • Register: Specify the existing EC2 service endpoint ID, endpoint IP, or endpoint domain name.

  • S3 gateway endpoint: Must be created separately in the database VPC, and its route table must be the one used by the database subnet, if private connectivity from the database VM to S3 is needed.

Security Group (SG) Configuration

Tessell Control Plane Endpoint:

  • Allow inbound ports 8352-8370 from the database VM (its subnet CIDR or security group) on the security group of the Tessell control plane endpoint. Do not open these ports to 0.0.0.0/0; the only legitimate source is the database subnet.

Additional Endpoints:

  • Allow inbound port 443 from the database VM on the security groups of the following service endpoints:

    • AWS SQS

    • AWS Secrets Manager

    • CloudWatch

    • EC2
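The endpoint and security group layout described in the private CP-DP sections above, written out as a CloudFormation JSON fragment with a pre-launch check of the inbound rules. This is an added example for this page and not Tessell's generated template. Everything not stated on the page is an assumption: the logical resource names, the constructed VPC and subnet CIDRs, that the listed ports are TCP, the placeholder PrivateLink service name for the Tessell control plane, and that private DNS is left off for that endpoint (turn it on only if Tessell's endpoint service publishes a verified private DNS name). The S3 gateway endpoint is not included here because it is a route-table resource, not a security-group one.

```python
"""Private CP-DP endpoint resources as a CloudFormation JSON fragment, plus a
pre-launch check of the security group rules (added example, not Tessell code)."""
import ipaddress
import json

VPC_CIDR = "10.40.0.0/16"        # constructed
DB_SUBNET_CIDR = "10.40.1.0/24"  # constructed private subnet for the DB VMs
CP_PORTS = (8352, 8370)          # control plane endpoint ports, from the page
HTTPS = (443, 443)
# interface endpoints the page lists: SQS, Secrets Manager, CloudWatch Logs, EC2
AWS_SERVICES = ("sqs", "secretsmanager", "logs", "ec2")
# placeholder: the real endpoint service name comes from Tessell for your region
TESSELL_CP_SERVICE = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"


def ingress(ports, cidr, description):
    # assumption: the page does not name the protocol; TCP is assumed
    return {"IpProtocol": "tcp", "FromPort": ports[0], "ToPort": ports[1],
            "CidrIp": cidr, "Description": description}


def security_group(description, rules):
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description,
                           "VpcId": {"Ref": "DbVpc"},
                           "SecurityGroupIngress": rules}}


def interface_endpoint(service_name, sg_logical_id, private_dns=True):
    return {"Type": "AWS::EC2::VPCEndpoint",
            "Properties": {"VpcEndpointType": "Interface",
                           "ServiceName": service_name,
                           "VpcId": {"Ref": "DbVpc"},
                           "SubnetIds": [{"Ref": "DbPrivateSubnet"}],
                           "SecurityGroupIds": [{"Ref": sg_logical_id}],
                           "PrivateDnsEnabled": private_dns}}


def private_cp_dp_resources(region="us-east-1"):
    """Two SGs (CP ports and HTTPS), one endpoint per AWS service and one to the
    Tessell control plane; every inbound rule is scoped to the DB subnet only."""
    resources = {
        "CpEndpointSg": security_group(
            "Tessell control plane endpoint",
            [ingress(CP_PORTS, DB_SUBNET_CIDR, "DB VMs to Tessell CP")]),
        "ServiceEndpointSg": security_group(
            "AWS service endpoints",
            [ingress(HTTPS, DB_SUBNET_CIDR, "DB VMs to AWS service APIs")]),
        # PrivateLink to Tessell's endpoint service (assumption: no private DNS)
        "TessellCpEndpoint": interface_endpoint(
            TESSELL_CP_SERVICE, "CpEndpointSg", private_dns=False),
    }
    for svc in AWS_SERVICES:
        resources[f"{svc.capitalize()}Endpoint"] = interface_endpoint(
            f"com.amazonaws.{region}.{svc}", "ServiceEndpointSg")
    return resources


def check_ingress(resources, vpc_cidr=VPC_CIDR):
    """Pre-launch check: every inbound rule must originate inside the VPC and
    use only the documented port ranges. Returns a list of problems."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for name, res in resources.items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"]["SecurityGroupIngress"]:
            src = ipaddress.ip_network(rule["CidrIp"])
            if not src.subnet_of(vpc):  # catches 0.0.0.0/0 and foreign ranges
                problems.append(f"{name}: source {src} is outside the VPC {vpc}")
            if (rule["FromPort"], rule["ToPort"]) not in (CP_PORTS, HTTPS):
                problems.append(f"{name}: unexpected ports "
                                f"{rule['FromPort']}-{rule['ToPort']}")
    return problems


if __name__ == "__main__":
    res = private_cp_dp_resources()
    print(json.dumps({"Resources": res}, indent=2))
    print("problems:", check_ingress(res))
```

Run `check_ingress` against the security groups of the generated template (or against your own, after loading it with `json.load`) before launching: a rule whose source is wider than the VPC, or a port range other than 8352-8370 and 443, is reported by name.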


Private CP-DP Communication Disabled

If this option is disabled, communication between the Tessell control plane and the AWS data plane occurs over the public network.

For a public CP-DP configuration, you can either create a new VPC or register an existing VPC:

  1. Create a new VPC.

    1. Subnets are created along with the VPC.

    2. A public subnet is required; it hosts the NAT Gateway that gives the VMs outbound internet access.

  2. Register an existing VPC.

    1. You must already have a subnet; the register workflow does not create one.

Add a new VPC

A new VPC is created as part of subscription onboarding based on the configuration provided in this section.

Virtual Network Details: Provide the following information.

  • Virtual Network Name: Name of the new VPC.

  • Virtual Network CIDR: IP address range (CIDR) for the new VPC.

  • List of Availability Zones: Displays the list of added availability zones in the selected region. You can add more availability zones if they are available.

  • Availability Zone: Select an availability zone for the new subnets from the dropdown list.

  • Private Subnet Name: Name of the new private subnet.

  • Private Subnet CIDR: IP address range (CIDR) for the private subnet.

Enable Public Subnet

Toggle this option on to allow DB Services in this VPC to be created with public access.

Additionally, provide the following details for the subnet:

  • Public Subnet Name: Name of the public subnet.

  • Public Subnet CIDR: Address block (CIDR) for the public subnet.

If Enable Public Subnet is toggled off

One public subnet is still required, because it hosts the NAT Gateway that gives the VMs outbound internet access. Database services hosted in this network are not reachable from the public internet until public access is turned on for them.

  • Availability Zone for the Public Subnet: Select the availability zone for the public subnet from the dropdown list.

  • Public Subnet Name: Name of the new public subnet.

  • Public Subnet CIDR: IP address range (CIDR) for the public subnet.

Note: A NAT Gateway is placed in the public subnet of the VPC for outbound internet access.

Register an existing VPC

An existing VPC and subnet can be used for hosting databases by registering the network details:

Virtual Network Details: Provide the following information.

  • Virtual Network ID: Specify the VPC ID of the existing VPC.

  • Virtual Network Name: Specify the name of the VPC in Tessell for reference.

  • List of Availability Zones: Displays the list of added availability zones in the selected region. You can add more availability zones if they are available.

  • Availability Zone: Select an availability zone for the existing VPC.

  • Private Subnet ID: Specify the private subnet ID of the existing subnet.

Enable Public Subnet

Toggle this option on to allow DB Services in this VPC to be created with public access.

Additionally, provide the following details for the subnet:

  • Public Subnet ID: Specify the subnet ID of the existing public subnet. See Appendix - How to find subnet ID?.

Click Next to proceed to the Resources section.

Network Configuration

Tessell Control Plane Outbound

  • For Subnet: Allow outbound ports 8352-8370 to the control plane IP.

  • For Firewall: Allow outbound ports 8352-8370 to the control plane DNS name and IP.

AWS Services Outbound

  • For Subnet: Allow outbound port 443 to the following AWS services:

    • AWS SQS

    • AWS Secrets Manager

    • AWS CloudWatch

    • AWS EC2

  • For Firewall: Allow outbound port 443.


STEP 3 OF 5:

Setup Resources

Storage Bucket

A Storage Bucket is created or registered with the following properties:

  • Located in the primary region of the Tessell Subscription.

Use Case

Storage Buckets store log backups from database instances, so that changes and transactions are recorded for recovery and auditing.

Configuration Options

  1. Add New

    • Creates a new storage bucket during subscription onboarding.

    • S3 Bucket Name: Specify the new bucket name.

  2. Register

    • Registers an existing bucket. Ensure the bucket policy granting Tessell the required permissions is in place. See Appendix - How to find the S3 Bucket ARN?.


Network Configuration (Database VM VPC → Storage Bucket)

S3 Gateway endpoint

Make sure the route table used by the database VM subnet is one of the route tables selected on the S3 gateway endpoint. AWS then adds a route for the regional S3 prefix list to that route table, so traffic from the database subnet to S3 stays on the AWS network instead of leaving through the NAT Gateway or the internet. A subnet with no explicit route table association uses the VPC's main route table, so check that table if the subnet has none of its own.
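A check for the route-table condition above, as an added example that is not Tessell code. It takes data shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` (the IDs and the S3 prefix list below are constructed) and resolves the subnet's effective route table, including the easy-to-miss case where a subnet with no explicit association falls back to the VPC's main route table, which was never attached to the endpoint.

```python
"""Verify that the S3 gateway endpoint serves the database VM subnet
(added example, not Tessell code)."""


def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """A subnet uses its explicitly associated route table; without one it
    silently uses the VPC's main route table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def s3_gateway_serves_subnet(route_tables, endpoint, subnet_id):
    """Return (ok, reason). ok is True only if the subnet's effective route
    table is attached to the gateway endpoint and carries an active S3 route."""
    rt = route_table_for_subnet(route_tables, subnet_id, endpoint["VpcId"])
    if rt is None:
        return False, f"no route table found for {subnet_id} in {endpoint['VpcId']}"
    if rt["RouteTableId"] not in endpoint["RouteTableIds"]:
        return False, (f"{subnet_id} uses {rt['RouteTableId']}, which is not "
                       f"attached to {endpoint['VpcEndpointId']}")
    for route in rt.get("Routes", []):
        if (route.get("GatewayId") == endpoint["VpcEndpointId"]
                and route.get("State") == "active"):
            return True, (f"{rt['RouteTableId']} routes "
                          f"{route['DestinationPrefixListId']} (S3) via "
                          f"{endpoint['VpcEndpointId']}")
    return False, f"{rt['RouteTableId']} is attached but has no active S3 route"


# constructed sample data, in the shape of the two describe-* API responses
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0000", "VpcId": "vpc-db000000",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.40.0.0/16",
                 "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-priv0000", "VpcId": "vpc-db000000",
     "Associations": [{"Main": False, "SubnetId": "subnet-db000001"}],
     "Routes": [
         {"DestinationCidrBlock": "10.40.0.0/16",
          "GatewayId": "local", "State": "active"},
         {"DestinationPrefixListId": "pl-00s3example",
          "GatewayId": "vpce-s3gw0000", "State": "active"},
     ]},
]
S3_ENDPOINT = {"VpcEndpointId": "vpce-s3gw0000", "VpcId": "vpc-db000000",
               "VpcEndpointType": "Gateway",
               "ServiceName": "com.amazonaws.us-east-1.s3",
               "RouteTableIds": ["rtb-priv0000"]}


if __name__ == "__main__":
    # subnet with its own table: served; subnet on the main table: not served
    print(s3_gateway_serves_subnet(ROUTE_TABLES, S3_ENDPOINT, "subnet-db000001"))
    print(s3_gateway_serves_subnet(ROUTE_TABLES, S3_ENDPOINT, "subnet-db000002"))
```

Feed it the real JSON from the two CLI commands for your VPC and run it once per database subnet; any subnet that lands on the main route table is reported with the table it actually uses, which is the one to attach to the endpoint.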


Encryption Key

An encryption key is created or registered with the following properties:

  • Located in the primary region of the Tessell Subscription.

Configuration Options

  1. Add New

    • Creates a new encryption key during subscription onboarding.

    • Key Name: Provide a key name; the new resource is created with that name.

  2. Register

    • Registers an existing encryption key and its KMS resources.

    • Key Name: Provide a name for the encryption key in Tessell for reference.

    • KMS ARN: Provide the AWS ARN of the existing key. See Appendix - How to find the KMS ARN?.

  3. Set Up Later

    • Allows configuration at a later stage.

Permissions required:

  • Tessell requires certain permissions to use the encryption keys. To grant them, add the tag ALLOW_IMPORT_TO_TESSELL with the value true to each encryption key in AWS. Because this tag is what grants Tessell access, treat kms:TagResource on these keys as a privileged permission.

  • Primary keys must be registered first.

  • If replica keys are present and the permissions are granted, Tessell automatically registers the replica keys on demand.
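A pre-flight for the key requirements listed above, as an added example that is not Tessell code. It parses the key ARN, checks that a key is a customer managed key in the subscription's primary region and carries the ALLOW_IMPORT_TO_TESSELL=true tag, and orders primaries before their replicas. The inputs are shaped like `aws kms describe-key` and `aws kms list-resource-tags` responses; the account ID and key ARNs are constructed, and the rule that replicas are checked without the region test (they live in other regions by definition) is this example's reading of the page, not something Tessell documents.

```python
"""Pre-flight for registering KMS keys with a Tessell subscription
(added example, not Tessell code)."""

TAG_KEY, TAG_VALUE = "ALLOW_IMPORT_TO_TESSELL", "true"


def parse_kms_arn(arn):
    """arn:aws:kms:<region>:<account>:key/<key-id> -> dict of its parts."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "kms" or not parts[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {arn}")
    return {"region": parts[3], "account": parts[4], "key_id": parts[5][len("key/"):]}


def key_problems(meta, tags, primary_region, check_region=True):
    """Reasons a key cannot be registered; an empty list means it is ready."""
    reasons = []
    if meta.get("KeyManager") != "CUSTOMER":
        reasons.append("not a customer managed key (AWS managed keys cannot be tagged)")
    if meta.get("KeyState") != "Enabled":
        reasons.append(f"key state is {meta.get('KeyState')}")
    region = parse_kms_arn(meta["Arn"])["region"]
    if check_region and region != primary_region:
        reasons.append(f"key is in {region}, not the primary region {primary_region}")
    tag_map = {t["TagKey"]: t["TagValue"] for t in tags}
    if tag_map.get(TAG_KEY, "").lower() != TAG_VALUE:
        reasons.append(f"missing tag {TAG_KEY}={TAG_VALUE}")
    return reasons


def _is_replica(meta):
    cfg = meta.get("MultiRegionConfiguration") or {}
    return cfg.get("MultiRegionKeyType") == "REPLICA"


def registration_plan(keys, primary_region):
    """keys: list of (KeyMetadata, Tags) pairs. Returns (ARNs to register, in
    order, {arn: reasons} for keys that are skipped)."""
    ready, skipped = [], {}
    # pass 1: single-region keys and multi-region primaries, in the primary region
    for meta, tags in keys:
        if _is_replica(meta):
            continue
        reasons = key_problems(meta, tags, primary_region)
        if reasons:
            skipped[meta["Arn"]] = reasons
        else:
            ready.append(meta["Arn"])
    # pass 2: replicas live in other regions (no region check), but their
    # primary must already be in the plan, per the page's ordering rule
    for meta, tags in keys:
        if not _is_replica(meta):
            continue
        reasons = key_problems(meta, tags, primary_region, check_region=False)
        primary_arn = meta["MultiRegionConfiguration"]["PrimaryKey"]["Arn"]
        if primary_arn not in ready:
            reasons.append(f"primary key {primary_arn} is not registered first")
        if reasons:
            skipped[meta["Arn"]] = reasons
        else:
            ready.append(meta["Arn"])
    return ready, skipped


# constructed sample data (account ID and key IDs are placeholders)
ACCOUNT = "222222222222"
PRIMARY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/mrk-1111aaaa"
REPLICA_ARN = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/mrk-1111aaaa"
AWS_MANAGED_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/2222bbbb"
WRONG_REGION_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/3333cccc"
OK_TAGS = [{"TagKey": TAG_KEY, "TagValue": "true"}]
MR = {"PrimaryKey": {"Arn": PRIMARY_ARN, "Region": "us-east-1"}}
SAMPLE_KEYS = [  # replica deliberately listed before its primary
    ({"Arn": REPLICA_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
      "MultiRegionConfiguration": dict(MR, MultiRegionKeyType="REPLICA")}, OK_TAGS),
    ({"Arn": PRIMARY_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled",
      "MultiRegionConfiguration": dict(MR, MultiRegionKeyType="PRIMARY")}, OK_TAGS),
    ({"Arn": AWS_MANAGED_ARN, "KeyManager": "AWS", "KeyState": "Enabled"}, []),
    ({"Arn": WRONG_REGION_ARN, "KeyManager": "CUSTOMER", "KeyState": "Enabled"}, OK_TAGS),
]

if __name__ == "__main__":
    ready, skipped = registration_plan(SAMPLE_KEYS, "us-east-1")
    print("register in this order:", ready)
    for arn, reasons in skipped.items():
        print("skip", arn, "->", "; ".join(reasons))
```

The two-pass order matters: a replica whose primary was skipped (wrong region, no tag, AWS managed) is reported rather than silently queued, which is the failure you would otherwise only see after Tessell tries to register it on demand.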


Global Resources

Global resources are created or registered once for all regions of the Tessell Subscription.

The global resources are:

Account Access Role

This IAM role is created in the customer account with a trust relationship to Tessell's control plane AWS account. It is the role that Tessell's infrastructure and database services assume to create cloud resources in the customer's AWS account, using the IAM AssumeRole (Switch Role) mechanism. Tessell uses its own AWS account credentials to perform operations in the customer's account, so the customer never has to share AWS credentials with Tessell. This role lets Tessell services provision and control resources (such as VPCs, EC2 instances, databases, and S3 buckets) securely across accounts.

DB VM Management Role

The DB VM Management Role is the role used by database virtual machines (VMs) within the AWS infrastructure, for example to access S3 buckets for backups, upload logs, or fetch configuration files. These operations must be performed without embedding AWS credentials inside the VM.

To achieve this, Tessell attaches an IAM instance profile (instance role), called the DB VM Management Role, to the VM. Permissions granted to this role are usable directly from within the VM, with no explicit credentials or secrets: the VM obtains temporary credentials that AWS rotates automatically, which reduces operational risk and management overhead.

Here are some key aspects of this role:

  1. AWS Secrets Manager Access: The DB VM Role can be given access to AWS Secrets Manager, which is essential for managing secrets securely.

  2. Log Management: The role is used for log management, including exporting logs to an S3 bucket via CloudWatch or Lambda functions. This involves policies such as ExportLogsPolicy and GeneratePresignedURLPolicy that allow log export and download.

  3. CloudFormation and Permissions: The role is part of the CloudFormation setup, where it is assigned policies such as InvokeExportLambdaPolicy to manage log exports, and the Lambda functions for log management are set up.

  4. Encryption and Security: The DB VM Management Role is part of the security setup that ensures data on database VMs is encrypted at rest using KMS keys. The role can be registered with Tessell subscriptions, which ensures the necessary policies are in place.
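The trust side of both global roles (the Account Access Role and the DB VM Management Role described above), plus an audit of who may assume them, as an added example. These are not the policies Tessell's CloudFormation template emits. The Tessell control plane account ID is a placeholder, and the page does not say whether Tessell presents an sts:ExternalId when it assumes the role: the condition is shown because it is the standard confused-deputy control for a cross-account role, and it must be left out if the control plane does not send one, or every AssumeRole call will be denied.

```python
"""Trust policies for the two global roles and an audit of them
(added example, not Tessell's generated policies)."""
import json

TESSELL_CP_ACCOUNT = "111111111111"  # placeholder, not Tessell's real account ID


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_access_trust_policy(cp_account=TESSELL_CP_ACCOUNT, external_id=None):
    """Cross-account role: only Tessell's control plane account may AssumeRole
    (Switch Role) into the customer account; no customer credentials are shared.
    external_id is an assumption (see lead-in): include it only if Tessell sends it."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": f"arn:aws:iam::{cp_account}:root"},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def db_vm_management_trust_policy():
    """Instance role: only the EC2 service may assume it. The DB VM then gets
    short-lived, auto-rotated credentials via its instance profile instead of
    any secret baked into the image."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def audit_trust_policy(policy, allowed_accounts,
                       allowed_services=("ec2.amazonaws.com",)):
    """Findings for any principal that should not be able to assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            findings.append("wildcard principal: anyone may assume this role")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            # principals may be a full ARN or a bare 12-digit account ID
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account not in allowed_accounts:
                findings.append(f"unexpected account {account}")
            if arn.endswith(":root") and "Condition" not in stmt:
                findings.append(f"{account}: whole-account trust with no "
                                "ExternalId or other condition")
        for svc in _as_list(principal.get("Service", [])):
            if svc not in allowed_services:
                findings.append(f"unexpected service principal {svc}")
    return findings


if __name__ == "__main__":
    policy = account_access_trust_policy(external_id="example-external-id")
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, {TESSELL_CP_ACCOUNT}))
    print(audit_trust_policy(db_vm_management_trust_policy(), set()))
```

To audit the roles the CloudFormation stack actually created, pass the `AssumeRolePolicyDocument` from `aws iam get-role` to `audit_trust_policy` with the control plane account ID Tessell gave you as the only allowed account; the whole-account finding is a review prompt, not an error, since a `:root` principal with a condition is the normal shape for this kind of role.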

Global resources can be configured in two ways:

Add

  • Account Access Role

    • Creates a new account access role during subscription onboarding.

    • Specify the account access role name.

  • DB VM Management Role

    • Creates a new DB VM Management role during subscription onboarding.

    • Specify the DB VM management role name.

Register

Cross-account access role permissions:

Click Next to proceed to the Setup Permissions section.


STEP 4 OF 5:

Setup Permissions

This section lists Tessell's permissions across the various AWS resources. When the toggle switch is disabled, permissions are shown with a green tick or a red cross: a green tick indicates full permission and a red cross indicates read-only permission.

  1. Toggle the switch to let Tessell manage networks and keys within the subscription.

    Available only when private CP-DP communication is disabled.

  2. Click Next to proceed to Launch and Deploy.

For more information, see AWS permission mapping.


STEP 5 OF 5:

Launch and Deploy

  1. After all the details are filled in, click Launch CloudFormation Template to get the JSON output.

  2. Alternatively, select Copy URL to generate a direct link to the AWS CloudFormation template.

  3. Log in to the AWS account as a user who has permission to run the CloudFormation template.

    Note: This user must have the permissions to create and run CloudFormation templates listed in the prerequisites.

  4. You are redirected to the AWS console's CloudFormation stack creation page. Provide a stack name.

  5. In the CloudFormation template, select the acknowledgement check box I acknowledge that AWS CloudFormation might create IAM resources with customized names.

    Note: This acknowledgement is required only when the template creates the cross-account and DB VM management roles. It is the console equivalent of passing the CAPABILITY_NAMED_IAM capability when creating the stack from the CLI or API.

  6. After all the configurations in the CloudFormation template are complete, click Create Stack.

  7. This creates the resources in AWS. When the stack is complete, copy the output (JSON) from the Outputs tab.

  8. In the Tessell portal, select the check box I have generated the CloudFormation output (JSON).

  9. Paste the output generated by the CloudFormation template into the box.

  10. Click Review to review the resources.

  11. Click Edit subscription if you want to change any details.

  12. Click Create.
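Before creating the stack in the procedure above, it is worth reading the generated template rather than only acknowledging the IAM check box. The following added example (not Tessell code; the template it runs on is constructed to exercise the checks and is not Tessell's generated output) lists the IAM roles a template creates, derives the capability the stack will need (named IAM resources require CAPABILITY_NAMED_IAM, which is what the console acknowledgement stands for), and flags Allow statements that combine Action "*" with Resource "*" or attach the AdministratorAccess managed policy.

```python
"""Review a CloudFormation template before creating the stack
(added example, not Tessell code)."""
import json

NAMED_IAM_KEYS = ("RoleName", "UserName", "GroupName",
                  "InstanceProfileName", "ManagedPolicyName")
IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
             "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::InstanceProfile")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_roles(template):
    return {name: res for name, res in template["Resources"].items()
            if res["Type"] == "AWS::IAM::Role"}


def required_capabilities(template):
    """CloudFormation's rule: custom-named IAM resources need CAPABILITY_NAMED_IAM,
    other IAM resources need CAPABILITY_IAM, a template without IAM needs none."""
    iam = [r for r in template["Resources"].values() if r["Type"] in IAM_TYPES]
    if any(k in r.get("Properties", {}) for r in iam for k in NAMED_IAM_KEYS):
        return ["CAPABILITY_NAMED_IAM"]
    return ["CAPABILITY_IAM"] if iam else []


def policy_findings(template):
    """(logical id, policy name or ARN, statement index, reason) per risky grant."""
    findings = []
    for name, res in template["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::IAM::Role":
            for arn in props.get("ManagedPolicyArns", []):
                if isinstance(arn, str) and arn.endswith("/AdministratorAccess"):
                    findings.append((name, arn, None, "AdministratorAccess attached"))
            policies = props.get("Policies", [])
        elif res["Type"] in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            policies = [{"PolicyName": props.get("PolicyName")
                         or props.get("ManagedPolicyName") or name,
                         "PolicyDocument": props["PolicyDocument"]}]
        else:
            continue
        for pol in policies:
            # Statement may be a single object or a list; Action/Resource likewise
            for i, stmt in enumerate(_as_list(pol["PolicyDocument"]["Statement"])):
                if (stmt.get("Effect") == "Allow"
                        and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    findings.append((name, pol["PolicyName"], i, "Action * on Resource *"))
    return findings


EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# constructed template: one scoped role and one deliberately over-broad role
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ScopedRole": {"Type": "AWS::IAM::Role", "Properties": {
            "RoleName": "example-scoped-role",
            "AssumeRolePolicyDocument": EC2_TRUST,
            "Policies": [{"PolicyName": "LogExport", "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"],
                               "Resource": "arn:aws:s3:::example-log-bucket/*"}]}}]}},
        "WideRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": EC2_TRUST,
            "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
            "Policies": [{"PolicyName": "Everything", "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}]}},
    },
    "Outputs": {"ScopedRoleArn": {"Value": {"Fn::GetAtt": ["ScopedRole", "Arn"]}}},
}

if __name__ == "__main__":
    print("roles:", sorted(iam_roles(SAMPLE_TEMPLATE)))
    print("capabilities:", required_capabilities(SAMPLE_TEMPLATE))
    for finding in policy_findings(SAMPLE_TEMPLATE):
        print("finding:", finding)
```

Load the template you downloaded with `json.load` and pass it in place of the sample; the capability list is what you would pass as `--capabilities` to `aws cloudformation create-stack` if you deploy from the CLI instead of the console.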

Alternatively, use the code to deploy the resources:

  1. Use the Code button at the top-right corner to view the code in different languages such as Shell, Python, Go, Java, JavaScript, and PowerShell.

  2. Copy or download the code using the respective buttons in the top-right corner.

  3. Use the Close button at the bottom-left corner to return to the main window.


Managing subscriptions in the dashboard

The Subscriptions dashboard displays all the available subscriptions across various cloud providers.

  1. Specify a subscription name in the Search bar to find and display details of a specific subscription.

  2. Click the ellipsis icon (︙) at the top-right corner of an AWS subscription. The following options are displayed:

    • Edit Regions

      This option allows you to change the regions available to the subscription. Select the check boxes for the regions you want to allow and click Save.

    • Users

      This option allows you to view users and their assigned roles within this subscription. You can also add new users and assign them either the 'member' or 'co-owner' role.

      Note: Account Owner can view all the subscriptions without sharing.

    • Edit Name

      Select this option to edit the name of the subscription.

    • Disable

      Select this option to disable the subscription. Upon confirmation, subscription is disabled.

      If you disable a subscription, members cannot create new services in it.

    • Delete Subscription

      Select this option to delete a subscription. Deleting a subscription affects all associated resources and the permissions granted during its creation. Tessell performs the necessary checks before deleting.

      You must complete certain prerequisites before deleting a subscription. For example:

      • Delete any associated Availability Machines.

        If an availability machine is retained for a service, its snapshots and backups are retained.

      • Terminate the database services running in this subscription. As a result, resources such as NICs, security groups, snapshots, and backups are deleted along with the database service.

      • Delete the associated servers in the subscription.


Appendix

How to find the account ID?

  1. Log in to the AWS portal with your credentials.

  2. Your account ID is displayed in the account menu at the top-right corner of the console.

How to find a VPC ID?

  1. From the AWS home page, navigate to the VPC dashboard.

  2. On the side navigation pane, select Your VPCs.

    A table with a list of your VPCs is displayed.

  3. The VPC ID column in the table gives you the VPC ID of a specific VPC.

How to find subnet ID?

  1. From the AWS home page, navigate to the VPC dashboard.

  2. On the side navigation pane, select Subnets.

    A table with a list of your subnets is displayed.

  3. The Subnet ID column in the table gives you the subnet ID of a specific subnet.

How to find an Endpoint ID?

  1. From the AWS home page, navigate to the VPC dashboard.

  2. On the side navigation pane, select Endpoints.

    A table with a list of your endpoints is displayed.

  3. The VPC endpoint ID column in the table gives you the endpoint ID of a specific endpoint.

How to find the S3 Bucket ARN?

  1. From the AWS home page, navigate to the S3 Buckets application.

  2. On the side navigation pane, select a bucket type.

    Your buckets for the chosen type are listed.

  3. From the provided list, choose a bucket and then click the 'Copy ARN' button at the top of the page to copy its ARN.

How to find the KMS ARN?

  1. From the AWS home page, navigate to the KMS application.

  2. On the side navigation pane, choose Customer managed keys. Only customer managed keys can carry the ALLOW_IMPORT_TO_TESSELL tag, because AWS managed keys cannot be tagged.

    Your keys for the chosen type are listed.

  3. From the provided list, click on a key to view ARN on top of the page.

How to find the account access role ARN?

  1. From the AWS home page, navigate to the IAM application.

  2. On the side navigation pane, select Roles.

    All roles in the account are listed.

  3. From the provided list, click on an account access role to view ARN on top of the page.

How to find the DB VM Management Role ARN?

  1. From the AWS home page, navigate to the IAM application.

  2. On the side navigation pane, select Roles.

    All roles in the account are listed.

  3. From the provided list, click on a DBVM management role to view ARN on top of the page.
