A diagram illustrating the various elements of the network architecture in the Customer’s Cloud Account into which CDP data services will be launched.
This diagram illustrates the ‘Fully Private’ network configuration that the customer can set up. CDP Admins can then select this configuration when creating CDP Environments or workloads, which are launched into it.
Note the following points about the architecture:
- The configuration is ‘Fully Private’: the workloads are launched into a private subnet on nodes that do not have public IP addresses.
- The nodes connect outbound to the CDP Control Plane over a fixed IP and port range.
- For users to connect from the customer’s on-premises network to the CDP workloads in the private subnet, additional network connectivity is required. In this case, a customer VPN server peered with an AWS virtual private gateway is shown.
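The three properties listed above (no public IPs, no default route to the internet, egress limited to the fixed Control Plane range) can be checked against the AWS API output for the VPC. The following is an added example, not Cloudera code, that runs the check offline over constructed `describe-instances`, `describe-route-tables` and `describe-security-groups` style data. The Control Plane CIDR and port, the VPC CIDR, and all resource IDs are placeholders; substitute the ranges Cloudera publishes for your region before using it against real data.

```python
from typing import Iterable, List

# Hypothetical placeholders for the fixed Control Plane IP/port range the text
# mentions; NOT Cloudera's real values.
CONTROL_PLANE_CIDRS = frozenset({"198.51.100.0/24"})
CONTROL_PLANE_PORTS = frozenset({443})
VPC_CIDR = "10.10.0.0/16"  # assumed customer VPC; intra-VPC egress is always needed

# Constructed sample data in the shape of AWS describe-* responses (not live data).
SAMPLE_ROUTE_TABLES = [
    {  # private subnet: local route plus a virtual private gateway back to on-prem
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0a1b2c3d"},
        ],
    },
    {  # public subnet: default route to an internet gateway (should not host workloads)
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f0f0f0f"},
        ],
    },
]

SAMPLE_SECURITY_GROUPS = {
    "sg-locked": {  # egress only to the Control Plane range and within the VPC
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": VPC_CIDR}]},
        ]
    },
    "sg-open": {  # AWS default egress rule: everything, everywhere
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]
    },
}

SAMPLE_INSTANCES = [
    {"InstanceId": "i-worker1", "SubnetId": "subnet-private",
     "PrivateIpAddress": "10.10.1.15",
     "SecurityGroups": [{"GroupId": "sg-locked"}]},
    {"InstanceId": "i-worker2", "SubnetId": "subnet-public",
     "PrivateIpAddress": "10.10.2.20", "PublicIpAddress": "203.0.113.7",
     "SecurityGroups": [{"GroupId": "sg-open"}]},
]


def subnet_routes_to_internet_gateway(subnet_id: str, route_tables: Iterable[dict]) -> bool:
    """True if the route table associated with the subnet sends 0.0.0.0/0 to an igw-*."""
    for table in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            continue
        for route in table.get("Routes", []):
            if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and route.get("GatewayId", "").startswith("igw-")):
                return True
    return False


def egress_violations(group_id: str, sg: dict) -> List[str]:
    """Egress rules that reach beyond the VPC and the fixed Control Plane IP/port range."""
    findings = []
    for perm in sg.get("IpPermissionsEgress", []):
        for ip_range in perm.get("IpRanges", []):
            cidr = ip_range["CidrIp"]
            if cidr == VPC_CIDR:
                continue  # intra-VPC (node-to-node) traffic is expected
            if cidr == "0.0.0.0/0":
                findings.append(f"{group_id}: unrestricted egress to 0.0.0.0/0")
            elif cidr not in CONTROL_PLANE_CIDRS:
                findings.append(f"{group_id}: egress to {cidr} outside Control Plane range")
            else:
                ports = set(range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1))
                if perm.get("IpProtocol") == "-1" or not ports <= CONTROL_PLANE_PORTS:
                    findings.append(f"{group_id}: egress to {cidr} not limited to Control Plane ports")
    return findings


def audit_fully_private(instances, route_tables, security_groups) -> List[str]:
    """Return one finding per deviation from the 'Fully Private' layout."""
    findings = []
    for inst in instances:
        iid = inst["InstanceId"]
        if inst.get("PublicIpAddress"):
            findings.append(f"{iid}: has public IP {inst['PublicIpAddress']}")
        if subnet_routes_to_internet_gateway(inst["SubnetId"], route_tables):
            findings.append(f"{iid}: subnet {inst['SubnetId']} routes to an internet gateway")
        for sg_ref in inst.get("SecurityGroups", []):
            gid = sg_ref["GroupId"]
            findings.extend(egress_violations(gid, security_groups.get(gid, {})))
    return findings


if __name__ == "__main__":
    for line in audit_fully_private(SAMPLE_INSTANCES, SAMPLE_ROUTE_TABLES, SAMPLE_SECURITY_GROUPS):
        print(line)
```

On the sample data, `i-worker1` is clean while `i-worker2` produces three findings (public IP, default route to an internet gateway, unrestricted egress). A route to a `vgw-*` is deliberately not flagged, since that is exactly the on-premises path the diagram shows. Feeding real `aws ec2 describe-*` JSON into the three functions needs no code change beyond loading the files.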
Some of the CDP data services are based on Amazon EKS clusters. Amazon EKS manages the Kubernetes control plane, while the worker nodes that make up the cluster are provisioned in the customer’s VPC. The EKS control plane exposes an API endpoint for administrative purposes, commonly referred to as the "cluster endpoint". The CDP data service itself is reached through a service endpoint ELB.