TCE-4760 feat(byoc): initial version of BYOC docs.

.vscode/settings.json

@@ -0,0 +1 @@
+{}

modules/cloudbeta/antora.yml

@@ -9,6 +9,7 @@ nav:
   - modules/release-notes/nav.adoc
   - modules/get-started/nav.adoc
   - modules/resource-manager/nav.adoc
+  - modules/byoc/nav.adoc
   - modules/load-data/nav.adoc
   - modules/schema-designer/nav.adoc
   - modules/gsql-editor/nav.adoc

modules/cloudbeta/modules/byoc/nav.adoc

@@ -0,0 +1,5 @@
+* xref:index.adoc[Bring Your Own Cloud]
+** xref:workspaces.adoc[Workgroups and Workspaces]
+** xref:cloudprovider.adoc[Cloud Provider]
+*** xref:secure-connection.adoc[Secure Connection]
+*** xref:byo-vpc.adoc[Use Existing VPC]

modules/cloudbeta/modules/byoc/pages/byo-vpc.adoc

@@ -0,0 +1,63 @@
+= Bring Your Own VPC (BYO VPC) with TigerGraph
+:experimental:
+
+When creating a Cloud Provider in TigerGraph BYOC, you have the option to use an existing VPC from your AWS account instead of having TigerGraph create a new one. This option is called Bring Your Own VPC (BYO VPC).
+
+== What is BYO VPC?
+
+BYO VPC allows you to specify an existing Virtual Private Cloud (VPC) in your AWS account for TigerGraph to use when deploying resources. This gives you more control over your network configuration and allows for better integration with your existing AWS infrastructure.
+
+=== Benefits of BYO VPC
+
+1. **Integration with Existing Resources**: Use the same VPC as your other AWS services for easier data transfer and communication.
+2. **Custom Network Configuration**: Leverage your custom-designed network architecture.
+3. **Enhanced Security**: Maintain your existing security groups and network ACLs.
+4. **Compliance**: Ensure TigerGraph deployments adhere to your organization's networking policies and compliance requirements.
+
+== Using BYO VPC When Creating a Cloud Provider
+
+When creating a new Cloud Provider, follow these steps to use your own VPC:
+
+1. Start the Cloud Provider creation process as described xref:byoc:cloudprovider.adoc[here].
+2. In the "Advanced Settings" section, you'll see an option to "Use Existing VPC".
+3. Select this option to enable BYO VPC.
+4. Provide the following information:
+   - VPC ID: The ID of your existing VPC
+   - Subnet IDs: Select one or more subnets within your VPC for TigerGraph resources
+   - Security Group IDs: Specify existing security groups or create new ones
+
+5. TigerGraph will validate that the provided VPC and associated resources meet the necessary requirements. Please check the section below for these requirements.
+
+
+== Requirements for BYO VPC
+
+To use your own VPC with TigerGraph BYOC, ensure it meets these requirements:
+
+1. **VPC Size**: The VPC should have a sufficiently large CIDR block to accommodate TigerGraph resources.
+2. **Subnets**: Provide at least two subnets in different Availability Zones for high availability.
+3. **Internet Connectivity**: The VPC must have internet access (via Internet Gateway or NAT Gateway) for TigerGraph to function properly.
+4. **DNS Settings**: Ensure DNS hostnames and DNS resolution are enabled in the VPC.
+5. **Security Groups**: The specified security groups must allow necessary inbound and outbound traffic for TigerGraph services.
+
+== Considerations When Using BYO VPC
+
+1. **Responsibility**: You are responsible for managing and maintaining the VPC, including any changes to its configuration.
+2. **Compatibility**: Ensure your VPC settings are compatible with TigerGraph's requirements. Incompatibilities may cause deployment issues.
+3. **Resource Limits**: Be aware of AWS service limits within your VPC, such as the number of ENIs (Elastic Network Interfaces) or IP addresses.
+4. **Networking Costs**: Understand that data transfer between TigerGraph resources and other services in your VPC may incur AWS networking costs.
+
+== Modifying VPC Settings
+
+After creating a Cloud Provider with BYO VPC:
+
+- You can modify certain VPC settings through your AWS console, but exercise caution to avoid disrupting TigerGraph services.
+- Some changes, like adding new subnets for TigerGraph use, may require coordination with TigerGraph support.
+
+By leveraging the BYO VPC option, you can maintain greater control over your network environment while benefiting from TigerGraph's powerful graph database capabilities in your own cloud infrastructure.
+
+== Next Steps
+
+Now learn about xref:byoc:index.adoc[BYOC] feature in TigerGraph Cloud 4.0.
+
+Or return to the xref:cloudBeta:overview:index.adoc[Overview] page for a different topic.
+

modules/cloudbeta/modules/byoc/pages/cloudprovider.adoc

@@ -0,0 +1,191 @@
+= Cloud Provider
+:experimental:
+
+== Overview
+In TigerGraph's xref:byoc:index.adoc[BYOC] context, a "Cloud Provider" represents resources in customer cloud account in a cloud vendor and a specific region. It serves as a bridge between TigerGraph's main control plane and your cloud infrastructure, enabling you to manage multiple TigerGraph workspaces within your own cloud environment.
+
+This page provides an overview of Cloud Providers in TigerGraph BYOC, explains their significance, and outlines the process of creating and managing them.
+
+== Creating a Cloud Provider
+
+Creating a Cloud Provider is a crucial step in setting up BYOC. Here's the process:
+
+1. **Prepare AWS Account**:
+   - Ensure you have the necessary permissions in your AWS account.
+   - Create an IAM role with the required policy permissions. This step is your responsibility and must be completed in the AWS console before proceeding.
+
+[source, json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+				"ec2:AllocateAddress",
+				"ec2:AssociateRouteTable",
+				"ec2:AttachInternetGateway",
+				"ec2:AuthorizeSecurityGroupEgress",
+				"ec2:AuthorizeSecurityGroupIngress",
+				"ec2:CreateInternetGateway",
+				"ec2:CreateNatGateway",
+				"ec2:CreateNetworkAclEntry",
+				"ec2:CreateRoute",
+				"ec2:CreateRouteTable",
+				"ec2:CreateSecurityGroup",
+				"ec2:CreateSubnet",
+				"ec2:CreateTags",
+				"ec2:CreateVpc",
+				"ec2:DeleteInternetGateway",
+				"ec2:DeleteNatGateway",
+				"ec2:DeleteNetworkAclEntry",
+				"ec2:DeleteRoute",
+				"ec2:DeleteRouteTable",
+				"ec2:DeleteSecurityGroup",
+				"ec2:DeleteSubnet",
+				"ec2:DeleteVpc",
+				"ec2:DescribeAddresses",
+				"ec2:DescribeAvailabilityZones",
+				"ec2:DescribeInternetGateways",
+				"ec2:DescribeNatGateways",
+				"ec2:DescribeNetworkAcls",
+				"ec2:DescribeNetworkInterfaces",
+				"ec2:DescribeRouteTables",
+				"ec2:DescribeSecurityGroupRules",
+				"ec2:DescribeSecurityGroups",
+				"ec2:DescribeSubnets",
+				"ec2:DescribeVpcAttribute",
+				"ec2:DescribeVpcs",
+				"ec2:DetachInternetGateway",
+				"ec2:DisassociateAddress",
+				"ec2:DisassociateRouteTable",
+				"ec2:ModifyVpcAttribute",
+				"ec2:ReleaseAddress",
+				"ec2:RevokeSecurityGroupEgress",
+				"ec2:RevokeSecurityGroupIngress",
+				"eks:AssociateAccessPolicy",
+				"eks:CreateAccessEntry",
+				"eks:CreateAddon",
+				"eks:CreateCluster",
+				"eks:CreateNodegroup",
+				"eks:DeleteAccessEntry",
+				"eks:DeleteAddon",
+				"eks:DeleteCluster",
+				"eks:DeleteNodegroup",
+				"eks:DescribeAccessEntry",
+				"eks:DescribeAddon",
+				"eks:DescribeCluster",
+				"eks:DescribeNodegroup",
+				"eks:DisassociateAccessPolicy",
+				"eks:ListAssociatedAccessPolicies",
+				"eks:TagResource",
+				"elasticfilesystem:CreateFileSystem",
+				"elasticfilesystem:CreateMountTarget",
+				"elasticfilesystem:DeleteFileSystem",
+				"elasticfilesystem:DeleteMountTarget",
+				"elasticfilesystem:DescribeBackupPolicy",
+				"elasticfilesystem:DescribeFileSystems",
+				"elasticfilesystem:DescribeLifecycleConfiguration",
+				"elasticfilesystem:DescribeMountTargets",
+				"elasticfilesystem:DescribeMountTargetSecurityGroups",
+				"elasticfilesystem:PutBackupPolicy",
+				"elasticfilesystem:PutLifecycleConfiguration",
+				"elasticfilesystem:TagResource",
+				"iam:AttachRolePolicy",
+				"iam:CreateOpenIDConnectProvider",
+				"iam:CreatePolicy",
+				"iam:CreateRole",
+				"iam:DeleteOpenIDConnectProvider",
+				"iam:DeletePolicy",
+				"iam:DeleteRole",
+				"iam:DeleteRolePolicy",
+				"iam:DetachRolePolicy",
+				"iam:GetOpenIDConnectProvider",
+				"iam:GetPolicy",
+				"iam:GetPolicyVersion",
+				"iam:GetRole",
+				"iam:GetRolePolicy",
+				"iam:ListAttachedRolePolicies",
+				"iam:ListInstanceProfilesForRole",
+				"iam:ListPolicyVersions",
+				"iam:ListRolePolicies",
+				"iam:PassRole",
+				"iam:PutRolePolicy",
+				"iam:SimulatePrincipalPolicy",
+				"iam:TagOpenIDConnectProvider",
+				"logs:CreateLogGroup",
+				"logs:DeleteLogGroup",
+				"logs:DescribeLogGroups",
+				"logs:ListTagsLogGroup",
+				"logs:PutRetentionPolicy",
+				"logs:TagResource"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+
+2. **Access TigerGraph Cloud**:
+   - Log in to your TigerGraph Cloud account.
+   - Navigate to the "Cloud Providers" section.
+
+3. **Initiate Cloud Provider Creation**:
+   - Click on "Add New Cloud Provider".
+   - Select AWS as the cloud platform.
+
+   CAUTION:: You can only create AWS Cloud Providers in the current version of TigerGraph Cloud.
+
+4. **Provide AWS Details**:
+   - Enter a name for your Cloud Provider.
+   - Input the ARN of the IAM role you created in step 1.
+   - Specify the VPC ID where you want TigerGraph resources to be deployed.
+   - Enter the Subnet ID(s) for TigerGraph resources.
+
+5. **Configure Network Settings**:
+   - Optionally, you may select the "Secure Connection" option to enable additional security measures for communication between TigerGraph compute plane and your browser. Please check the xref:security:secure-connection.adoc[Secure Connection] page for more details.
+   - Optionally, you may select the "BYO VPC" option in advanced settings to make the cloud provider use existing VPC configurations. Please check the xref:byoc:byo-vpc.adoc[BYO VPC] page for more details. 
+
+6. **Review and Create**:
+   - Review all the information you've entered.
+   - Click "Create Cloud Provider" to initiate the process.
+
+7. **Validation and Deployment**:
+   - TigerGraph Cloud will validate the provided information.
+   - If validation is successful, it will deploy the necessary components in your AWS account.
+
+8. **Confirmation**:
+   - Your new Cloud Provider will appear in the Cloud Providers list in TigerGraph Cloud.
+   - It will be in a "Provisioning" state initially. Once the deployment is complete, the status will change to "Active". This process may take a few minutes.
+   - You can leave the page and return later to check the status.
+
+
+== Managing Cloud Providers
+
+After creation, you can:
+- View details of your Cloud Provider
+- Update certain configurations
+- Monitor the status of the Cloud Provider
+- Create and manage workspaces associated with this Cloud Provider
+
+Remember, a single Cloud Provider can host multiple workspaces, allowing you to efficiently manage your TigerGraph deployments within your own cloud infrastructure.
+
+[Diagram: Cloud Provider Architecture]
+
+Description: This diagram illustrates the relationship between TigerGraph Cloud, your AWS account, and the Cloud Provider:
+- TigerGraph Cloud (Control Plane) at the top
+- Customer AWS Account in the middle, containing:
+  - Cloud Provider (mini control plane)
+  - VPC with associated subnets
+  - IAM Role connected to the Cloud Provider
+- Multiple Workspaces within the VPC, managed by the Cloud Provider
+- Secure connections between TigerGraph Cloud and the Cloud Provider, and between the Cloud Provider and Workspaces
+
+This section provides a comprehensive overview of the Cloud Provider concept in TigerGraph BYOC, its significance, and the process of creating one, emphasizing the customer's role in preparing the AWS environment.
+
+
+== Next Steps
+
+Now learn about xref:byoc:index.adoc[BYOC] feature in TigerGraph Cloud 4.0.
+
+Or return to the xref:cloudBeta:overview:index.adoc[Overview] page for a different topic.

modules/cloudbeta/modules/byoc/pages/index.adoc

@@ -0,0 +1,46 @@
+= Bring Your Own Cloud (BYOC) with TigerGraph
+:experimental:
+
+Bring Your Own Cloud (BYOC) is an advanced deployment option that allows you to run TigerGraph's powerful graph database services within your own cloud account. This feature combines the robustness of TigerGraph's technology with the flexibility and control of your preferred cloud environment.
+
+
+== Why Use BYOC?
+- **Enhanced Data Sovereignty**: Maintain complete control over your data's location and access.
+- **Improved Security**: Integrate TigerGraph with your existing security measures and protocols.
+- **Regulatory Compliance**: Easily adhere to industry-specific regulations and data residency requirements.
+- **Infrastructure Integration**: Seamlessly incorporate TigerGraph into your current cloud ecosystem.
+- **Cost Management**: Using your own cloud resources can provide more predictable and potentially lower costs, as you can take advantage of your existing cloud agreements and discounts.
+
+== When to Use BYOC?
+- **Regulatory Constraints**: When compliance requirements mandate that data must reside within your own cloud environment.
+- **Existing Cloud Investments**: If you have significant investments in cloud infrastructure and wish to leverage those resources.
+- **Specific Performance Needs**: When you need to fine-tune infrastructure for specific performance requirements that a managed service cannot accommodate.
+
+== How It Works
+BYOC involves several key components and steps to integrate your cloud provider with TigerGraph. This section explains the architecture and workflow of BYOC.
+
+=== Architecture
+
+The BYOC architecture consists of the following components:
+
+- **TigerGraph Control Plane**: The centralized management system hosted by TigerGraph that handles orchestration, monitoring, and management of customer deployments.
+- **Customer Cloud Account**: Shows a VPC containing Kubernetes clusters, TigerGraph workspaces, and a Cluster Agent. It is called in the BYOC documentation as the customer’s cloud provider.
+- **Data Plane**: Workgroups and workspaces created in customer account. They host .
+- **Workspaces**: Kubernetes namespaces that contain TigerGraph services and resources.
+- ** Cluster Agent**: A Kubernetes deployment within the customer’s cloud provider that communicates with the TigerGraph control plane to execute commands and send heartbeats.
+- TG Operator: Manages TigerGraph services within the Kubernetes cluster.
+
+image::images/byoc-architecture.png[BYOC Architecture]
+
+=== Workflow
+1.	Account Setup: Customer creates an account in the TigerGraph Cloud portal and navigates to the BYOC setup.
+2.	Cloud Provider Configuration: Customer configures their cloud provider by entering metadata such as provider name, region, and IAM roles.
+3.	Initialization: TigerGraph control plane initializes the cloud provider by provisioning the necessary infrastructure, such as Kubernetes clusters and network configurations.
+4.	Workspace Creation: Customer creates workspaces within their cloud provider, which are managed by the TG Operator.
+5.	Monitoring and Management: The cluster agent sends heartbeats and status updates to the TigerGraph control plane, ensuring continuous monitoring and management.
+
+== Next Steps
+
+Now learn about xref:byoc:cloudprovider.adoc[Cloud Provider] in TigerGraph Cloud 4.0.
+
+Or return to the xref:cloudBeta:overview:index.adoc[Overview] page for a different topic.

modules/cloudbeta/modules/byoc/pages/secure-connection.adoc

@@ -0,0 +1,70 @@
+= Secure Connection Option for Cloud Providers
+
+When creating a Cloud Provider in TigerGraph BYOC, you have the option to enable Secure Connection. This feature enhances the security of your TigerGraph deployments by restricting public internet access and requiring private connections.
+
+== What is the Secure Connection Option?
+
+The Secure Connection option is a security feature that, when enabled, disables public internet access for all workspaces within the created Cloud Provider. Instead, it requires the use of AWS PrivateLink to establish secure, private connections to your TigerGraph resources.
+
+== Key Features of Secure Connection
+
+1. **Disabled Public Access**: All workspaces in the Cloud Provider will not have public IP addresses or be directly accessible from the internet.
+2. **Private Connectivity**: Access to TigerGraph resources is only possible through private network connections.
+3. **Enhanced Security**: Reduces the attack surface by eliminating direct exposure to the public internet.
+
+== Enabling Secure Connection
+
+To enable Secure Connection when creating a Cloud Provider:
+
+1. Follow the standard Cloud Provider creation process (as described in Section 4.2).
+2. Look for the "Secure Connection" or "Network Access" section in the creation wizard.
+3. Enable the "Secure Connection" option.
+4. Confirm your choice and proceed with the Cloud Provider creation.
+
+== Implications of Enabling Secure Connection
+
+When you enable Secure Connection:
+
+1. **No Public IP Addresses**: Workspaces will not be assigned public IP addresses.
+2. **Private Access Only**: You'll need to set up AWS PrivateLink to access your TigerGraph resources.
+3. **Additional Setup Required**: You must create and configure PrivateLink endpoints in your VPC to connect to the Cloud Provider.
+
+== Setting Up PrivateLink for Secure Connection
+
+After enabling Secure Connection and creating your Cloud Provider, follow these steps to set up PrivateLink:
+
+1. **Create VPC Endpoints**:
+   - In your AWS console, navigate to VPC > Endpoints.
+   - Create new Interface Endpoints for the TigerGraph services.
+   - Select the VPC and subnets where you want to create the endpoints.
+
+2. **Configure Security Groups**:
+   - Ensure your security groups allow traffic to and from the VPC endpoints.
+
+3. **DNS Configuration**:
+   - Update your DNS settings to resolve TigerGraph service hostnames to the private IP addresses of your VPC endpoints.
+
+4. **Test Connectivity**:
+   - Verify that you can connect to your TigerGraph resources through the private endpoints.
+
+== Considerations When Using Secure Connection
+
+1. **Access Restrictions**: Only resources within your VPC or connected to it via VPN or Direct Connect can access the TigerGraph services.
+2. **Additional AWS Costs**: Using PrivateLink incurs additional AWS charges.
+3. **Setup Complexity**: Implementing PrivateLink requires additional network configuration and expertise.
+4. **Maintenance**: You'll need to manage and maintain the PrivateLink endpoints.
+
+== Best Practices for Secure Connection
+
+1. **Plan Ahead**: Carefully plan your network architecture before enabling Secure Connection.
+2. **Use VPC Peering or Transit Gateway**: If you need to access TigerGraph resources from multiple VPCs, consider using VPC peering or AWS Transit Gateway.
+3. **Implement Least Privilege**: Configure security groups and network ACLs to allow only necessary traffic.
+4. **Monitor and Audit**: Regularly review access logs and perform security audits.
+
+By leveraging the Secure Connection option, you can significantly enhance the security posture of your TigerGraph deployments in AWS, ensuring that your graph database resources are accessible only through private, secure connections.
+
+== Next Steps
+
+Now learn about xref:byoc:index.adoc[BYOC] feature in TigerGraph Cloud 4.0.
+
+Or return to the xref:cloudBeta:overview:index.adoc[Overview] page for a different topic.