
Alibaba Cloud

As described in Overview▸, AutoMQ Cloud requires an environment to be installed before it can be used. This article explains how to create a BYOC environment with one click from Alibaba Cloud Marketplace.

Info

In this article, the terms AutoMQ product service provider, AutoMQ service provider, and AutoMQ specifically refer to AutoMQ HK Limited.

Prerequisites

Condition 1: Cloud Product Dependencies

To create a BYOC environment on Alibaba Cloud, the user’s Alibaba Cloud account must have the following cloud products enabled in advance; otherwise, the BYOC environment will not be usable.

  1. Elastic Compute Service (ECS): AutoMQ Kafka uses ECS to deploy computing nodes.

  2. Object Storage Service (OSS): AutoMQ Kafka uses OSS to store data.

  3. PrivateZone: AutoMQ Kafka uses PrivateZone to provide domain name resolution for Kafka cluster endpoints.

Condition 2: Cloud Account Operation Permissions

To create a BYOC environment, the cloud account must be either the primary account or a RAM sub-account that has been granted the necessary operation permissions. If you are using a RAM sub-account on the Alibaba Cloud console, you need to refer to the Alibaba Cloud Compute Nest RAM Authorization Documentation to authorize the account before proceeding with the service activation.

The relevant authorization policies and cloud product lists are divided into two parts:

Authorization Content 1: Access to Compute Nest Products:

To allow a RAM sub-account to access Alibaba Cloud Compute Nest products, the following system permissions must be granted.

  • AliyunMarketplaceFullAccess: Permission to access Alibaba Cloud Marketplace products.

  • AliyunComputeNestUserFullAccess: Permission to manage and use Alibaba Cloud Compute Nest products.

  • AliyunVPCReadOnlyAccess: Permission to read Virtual Private Cloud (VPC).

  • AliyunOSSReadOnlyAccess: Permission to read Object Storage Service (OSS).

  • AliyunROSFullAccess: Permission to manage Resource Orchestration Service (ROS).

  • AliyunCloudMonitorFullAccess: Permission to manage CloudMonitor.

Authorization Content 2: Permissions Required to Install AutoMQ:

To install and deploy AutoMQ using Compute Nest, you also need to grant a custom permission policy. Refer to the policy file below:


{
  "Statement": [
    {
      "Action": [
        "ecs:AddTags",
        "ecs:AllocatePublicIpAddress",
        "ecs:AttachKeyPair",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:ConfigureSecurityGroupPermissions",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteInstance",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeDedicatedHosts",
        "ecs:DescribeDisks",
        "ecs:DescribeImageSupportInstanceTypes",
        "ecs:DescribeImages",
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInstances",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribePrice",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeSnapshots",
        "ecs:DescribeUserData",
        "ecs:DetachKeyPair",
        "ecs:JoinResourceGroup",
        "ecs:ModifyDiskSpec",
        "ecs:ModifyInstanceAttribute",
        "ecs:ModifySecurityGroupEgressRule",
        "ecs:ModifySecurityGroupRule",
        "ecs:RemoveTags",
        "ecs:ReplaceSystemDisk",
        "ecs:ResizeDisk",
        "ecs:RunInstances",
        "ecs:StartInstance",
        "ecs:StopInstance",
        "ecs:TagResources",
        "ecs:UntagResources"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "pvtz:AddZone",
        "pvtz:BindZoneVpc",
        "pvtz:DeleteZone",
        "pvtz:DescribeZoneInfo",
        "pvtz:SetProxyPattern",
        "pvtz:TagResources",
        "pvtz:UntagResources",
        "pvtz:UpdateZoneRemark"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "quotas:ListProductQuotas",
      "Effect": "Allow",
      "Resource": "acs:quotas:*:*:*"
    },
    {
      "Action": [
        "ram:AttachPolicyToRole",
        "ram:CreatePolicy",
        "ram:CreateRole",
        "ram:DeletePolicy",
        "ram:DeleteRole",
        "ram:DetachPolicyFromRole",
        "ram:GetPolicy",
        "ram:GetRole",
        "ram:ListPoliciesForRole",
        "ram:UpdateRole",
        "ram:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "rds:DescribeDBInstances",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "slb:DescribeLoadBalancers",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "tag:TagResources",
        "tag:UntagResources"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "vpc:AssociateVpcCidrBlock",
        "vpc:CreateVSwitch",
        "vpc:CreateVpc",
        "vpc:DeleteVSwitch",
        "vpc:DeleteVpc",
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "vpc:DescribeVpnGateways",
        "vpc:DescribeZones",
        "vpc:ModifyVSwitchAttribute",
        "vpc:ModifyVpcAttribute",
        "vpc:TagResources",
        "vpc:UnTagResources"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ros:CreateStack",
        "ros:GetStack"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
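
One way to review this custom policy before attaching it to a RAM sub-account, shown as an added example (not AutoMQ's or Alibaba Cloud's code): it groups the allowed actions by service and lists the non-read actions granted on an unscoped "Resource": "*", handling the policy's mix of string and list "Action" values. The embedded policy is a constructed excerpt of the one above, and classifying actions as read-only by verb prefix is an assumption of this example.

```python
import json

# Constructed excerpt of the custom policy above (three of its statements).
POLICY_JSON = """
{
  "Statement": [
    {"Action": ["ram:AttachPolicyToRole", "ram:CreatePolicy", "ram:CreateRole",
                "ram:GetRole", "ram:PassRole"],
     "Effect": "Allow", "Resource": "*"},
    {"Action": "quotas:ListProductQuotas",
     "Effect": "Allow", "Resource": "acs:quotas:*:*:*"},
    {"Action": ["ecs:DescribeInstances", "ecs:RunInstances", "ecs:DeleteInstance"],
     "Effect": "Allow", "Resource": "*"}
  ],
  "Version": "1"
}
"""

# Assumption for this example: read-only actions start with one of these verbs.
READ_PREFIXES = ("Describe", "Get", "List")

def as_list(value):
    """Action and Resource may each be a bare string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def review_policy(policy):
    """Return {service: {"read": [...], "write": [...], "unscoped_write": [...]}}."""
    report = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # A statement is unscoped when its resource list contains the bare wildcard.
        unscoped = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            entry = report.setdefault(
                service, {"read": [], "write": [], "unscoped_write": []})
            kind = "read" if name.startswith(READ_PREFIXES) else "write"
            entry[kind].append(name)
            if kind == "write" and unscoped:
                entry["unscoped_write"].append(name)
    return report

if __name__ == "__main__":
    for service, entry in sorted(review_policy(json.loads(POLICY_JSON)).items()):
        print(service, "read:", len(entry["read"]), "write:", len(entry["write"]),
              "unscoped write:", ", ".join(entry["unscoped_write"]) or "-")
```

Running the same function over the full policy file gives the list of role, policy, network and instance actions to weigh when deciding which sub-account receives this grant.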

Operation Procedure

AutoMQ Cloud is now available in the Alibaba Cloud Marketplace > Basic Software > Application Development category, providing BYOC private deployment via Alibaba Cloud Compute Nest service.

Info

BYOC environments can currently be created in the following Alibaba Cloud regions: North China 1 (Qingdao), North China 2 (Beijing), North China 3 (Zhangjiakou), East China 1 (Hangzhou), East China 2 (Shanghai), South China 1 (Shenzhen), South China 3 (Guangzhou), Hong Kong, Singapore, USA (Silicon Valley), USA (Virginia), and Central Europe (Frankfurt).

  1. Go to the Alibaba Cloud Marketplace, search for AutoMQ, and find the AutoMQ for Kafka (BYOC Edition) product, or directly visit the service link to enter the service details page.
  2. Click Create Officially and fill in the necessary information to subscribe for free. At this point, the Alibaba Cloud Compute Nest service will create an AutoMQ BYOC environment console.

Note:

Each subscription will deploy an environment console. While AutoMQ does not charge for deploying the environment console, running the environment console will consume an ECS machine.

As explained in Glossary▸, it is generally recommended to create a new environment console only for different networks or for distinct business department ownership. Within each environment, multiple Kafka instances (clusters) can be created and managed. For detailed concepts on environments, refer to Overview▸.

  3. After subscribing, the underlying Compute Nest service will begin deploying the environment console. Navigate to Service Instances > My Service Instances > Private Deployment Service, find the instance ID from the previous step, and open the service instance details page to obtain the console access address and initial password.

Note:

When creating an environment, the default recommendation is to access the environment console via a public IP address. If the user's office network is already connected to the Alibaba Cloud VPC via a dedicated line, private network access can be chosen instead. Users can also add domain name resolution for the AutoMQ Cloud BYOC console.

  4. Log in using the initial username and password. When you first access the AutoMQ environment console, enter the initial username and password, and then immediately change the password to a custom one. The initial username is admin, and the initial password is the ID of the ECS instance that hosts the environment console. An instance ID is not a secret (any principal in the account that can describe ECS instances can read it), which is why the password should be changed at first login.
  5. Complete the BYOC environment operations authorization. The BYOC environment is deployed in the user’s VPC, ensuring data security and privacy isolation. However, system logs, metrics, and other system data unrelated to the business will be generated within the BYOC environment. After the environment installation is complete, refer to Overview▸ and grant the corresponding operations authorization to the AutoMQ service provider so that it can monitor system stability and perform fault self-healing operations.

Subsequent Steps

After the environment installation is complete, proceed with the following steps:

  • Experience AutoMQ for Kafka Service: After completing the environment setup, you can access the environment console to create instances and explore product features. Experience AutoMQ▸