-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Self Hosted Deployment Doc additions/clarifications (#751)
- Loading branch information
Showing
5 changed files
with
217 additions
and
124 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| { | ||
| "label": "Self-Hosted (BYOC)", | ||
| "position": 7 | ||
| } |
148 changes: 74 additions & 74 deletions
148
docs/deployment/private/self-hosted.mdx → .../deployment/private/self-hosted/index.mdx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,74 +1,74 @@ | ||
| --- | ||
| sidebar_position: 3 | ||
| sidebar_label: Self-Hosted (BYOC) | ||
| description: "Learn how to self-host your own instance of Hasura DDN." | ||
| keywords: | ||
| - hasura ddn | ||
| - enterprise ddn | ||
| - private ddn | ||
| --- | ||
|
|
||
| import Thumbnail from "@site/src/components/Thumbnail"; | ||
|
|
||
| # Self-Hosted (BYOC) | ||
|
|
||
| ## Introduction | ||
|
|
||
| Hasura DDN is also available to self-host if you need to have complete control over the infrastructure. | ||
|
|
||
| There are two models of deployment with Self-Hosted DDN. | ||
|
|
||
| 1. Hasura manages the data plane on the customer's cloud account. | ||
|
|
||
| The [data plane](/deployment/architecture.mdx#data-plane) will run on a Kubernetes cluster of your choice and Hasura | ||
| manages the uptime, upgrades, etc. The Hasura Control Plane will need to be given sufficient privileges to install, | ||
| configure and manage the workloads and associated infrastructure components. The experience is exactly like using | ||
| Hasura Hosted DDN, but running on your infrastructure. All API traffic stays within your network and does not leave | ||
| the boundaries of your system. | ||
|
|
||
| 2. Customer manages the data plane on their cloud account themselves. | ||
|
|
||
| The [data plane](/deployment/architecture.mdx#data-plane) can be installed on a Kubernetes cluster of your choice and | ||
| you control the uptime, upgrades, etc. All API traffic stays within your network and does not leave the boundaries of | ||
| your system. | ||
|
|
||
| Installation docs related to deployment of a self hosted, customer managed data plane are located [here](/deployment/private/self-hosted-deployment.mdx) | ||
|
|
||
| In both cases, the [control plane](/deployment/architecture.mdx#control-plane) is always hosted by Hasura. | ||
|
|
||
| <Thumbnail src="/img/deployment/private_ddn_customer_hosted.png" alt="Private DDN Architecture Customer Hosted" /> | ||
|
|
||
| ## Data Flow and security | ||
|
|
||
| All critical data operations occur exclusively within the customer infrastructure. When an API user sends a GraphQL | ||
| query, it's received by Hasura in the Data Plane. Hasura then directly accesses the necessary data sources within the | ||
| customer infrastructure to fulfill the request. This direct access ensures that sensitive data never leaves the | ||
| customer's controlled environment, maintaining data residency and security. | ||
|
|
||
| While the Control Plane, situated in the Hasura infrastructure, does communicate with the Data Plane, this communication | ||
| is strictly limited to configuration and management purposes. Importantly, this communication does not involve customer | ||
| data or API responses, further enhancing data security. | ||
|
|
||
| The distinction between the Control and Planes creates well-defined security boundaries. By keeping the Data Plane and | ||
| all data sources within the customer's security perimeter, the architecture ensures that sensitive information remains | ||
| under the customer's control at all times. | ||
|
|
||
| ## Interactions with the control plane | ||
|
|
||
| In Self-Hosted Hasura DDN, the Data Plane running on your infrastructure communicates with the control plane only in | ||
| very specific scenarios: | ||
|
|
||
| 1. The Data Plane accesses a metadata storage bucket to retrieve build artifacts; these artifacts are required to | ||
| process API requests. | ||
| 2. The data plane accesses the control plane APIs to retrieve information about (applied) builds for the purposes of | ||
| routing. | ||
| 3. (Optional) The data plane sends observability data to the Control Plane so you can visualize it on the console; it | ||
| does not contain any API response data or variables. | ||
| 4. The Control Plane interacts with the Kubernetes cluster to manage Data Plane workloads (only in a Hasura-Managed Data | ||
| Plane). | ||
|
|
||
| <Thumbnail src="/img/deployment/cp_dp_interactions.png" alt="Control Plane - Data Plane interactions" /> | ||
|
|
||
| ## Get started | ||
|
|
||
| To get started with Hasura DDN in your own cloud, [contact sales](https://hasura.io/contact-us). | ||
| --- | ||
| sidebar_position: 1 | ||
| sidebar_label: Overview | ||
| description: "Learn how to self-host your own instance of Hasura DDN." | ||
| keywords: | ||
| - hasura ddn | ||
| - enterprise ddn | ||
| - private ddn | ||
| --- | ||
|
|
||
| import Thumbnail from "@site/src/components/Thumbnail"; | ||
|
|
||
| # Self-Hosted (BYOC) | ||
|
|
||
| ## Introduction | ||
|
|
||
| Hasura DDN is also available to self-host if you need to have complete control over the infrastructure. | ||
|
|
||
| There are two models of deployment with Self-Hosted DDN. | ||
|
|
||
| 1. Hasura manages the data plane on the customer's cloud account. | ||
|
|
||
| The [data plane](/deployment/architecture.mdx#data-plane) will run on a Kubernetes cluster of your choice and Hasura | ||
| manages the uptime, upgrades, etc. The Hasura Control Plane will need to be given sufficient privileges to install, | ||
| configure and manage the workloads and associated infrastructure components. The experience is exactly like using | ||
| Hasura Hosted DDN, but running on your infrastructure. All API traffic stays within your network and does not leave | ||
| the boundaries of your system. | ||
|
|
||
| 2. Customer manages the data plane on their cloud account themselves. | ||
|
|
||
| The [data plane](/deployment/architecture.mdx#data-plane) can be installed on a Kubernetes cluster of your choice and | ||
| you control the uptime, upgrades, etc. All API traffic stays within your network and does not leave the boundaries of | ||
| your system. | ||
|
|
||
| Installation docs related to deployment of a self hosted, customer managed data plane are located [here](/deployment/private/self-hosted/self-hosted-deployment.mdx) | ||
|
|
||
| In both cases, the [control plane](/deployment/architecture.mdx#control-plane) is always hosted by Hasura. | ||
|
|
||
| <Thumbnail src="/img/deployment/private_ddn_customer_hosted.png" alt="Private DDN Architecture Customer Hosted" /> | ||
|
|
||
| ## Data Flow and security | ||
|
|
||
| All critical data operations occur exclusively within the customer infrastructure. When an API user sends a GraphQL | ||
| query, it's received by Hasura in the Data Plane. Hasura then directly accesses the necessary data sources within the | ||
| customer infrastructure to fulfill the request. This direct access ensures that sensitive data never leaves the | ||
| customer's controlled environment, maintaining data residency and security. | ||
|
|
||
| While the Control Plane, situated in the Hasura infrastructure, does communicate with the Data Plane, this communication | ||
| is strictly limited to configuration and management purposes. Importantly, this communication does not involve customer | ||
| data or API responses, further enhancing data security. | ||
|
|
||
| The distinction between the Control and Planes creates well-defined security boundaries. By keeping the Data Plane and | ||
| all data sources within the customer's security perimeter, the architecture ensures that sensitive information remains | ||
| under the customer's control at all times. | ||
|
|
||
| ## Interactions with the control plane | ||
|
|
||
| In Self-Hosted Hasura DDN, the Data Plane running on your infrastructure communicates with the control plane only in | ||
| very specific scenarios: | ||
|
|
||
| 1. The Data Plane accesses a metadata storage bucket to retrieve build artifacts; these artifacts are required to | ||
| process API requests. | ||
| 2. The data plane accesses the control plane APIs to retrieve information about (applied) builds for the purposes of | ||
| routing. | ||
| 3. (Optional) The data plane sends observability data to the Control Plane so you can visualize it on the console; it | ||
| does not contain any API response data or variables. | ||
| 4. The Control Plane interacts with the Kubernetes cluster to manage Data Plane workloads (only in a Hasura-Managed Data | ||
| Plane). | ||
|
|
||
| <Thumbnail src="/img/deployment/cp_dp_interactions.png" alt="Control Plane - Data Plane interactions" /> | ||
|
|
||
| ## Get started | ||
|
|
||
| To get started with Hasura DDN in your own cloud, [contact sales](https://hasura.io/contact-us). |
Oops, something went wrong.