Deploy MOSTLY AI to an AWS EKS cluster

Overview

To run MOSTLY AI in AWS, you need to create an Elastic Kubernetes Service (EKS) cluster. MOSTLY AI provides a set of automated scripts and configuration files that can help you create and configure an EKS cluster as well as create and mount the required EFS storage, and create and configure an AWS Application Load Balancer (ALB) for the application.

This page contains step-by-step tasks that guide you through the process of deploying MOSTLY AI in an AWS EKS cluster. The tasks are grouped into four categories.

Pre-deployment
Deployment
Post-deployment
Troubleshooting

Use the tasks on this page as a reference for what you might need to complete to reach the point in which MOSTLY AI runs in an EKS cluster and you can successfully generate synthetic datasets.

Some of the tasks describe configurations that you might have already completed in AWS. In such cases, use the tasks on this page as a reference for all required configurations.

Prerequisites

Make sure that you have the tools and commands listed below.
- Install AWS CLI.
- Install Helm.
- Install kubectl.
- Install jq (a command-line JSON parser)
- Verify that you have the grep and awk commands.
Decide in which AWS region you want to deploy MOSTLY AI. The page documents the steps in detail to deploy to eu-central-1. If you need to deploy to another region, read the information about the Region-specific EKS images and how to configure for that.

Pre-deployment

Before you make any configurations in your AWS account, subscribe to the MOSTLY AI Synthetic Data Platform from the AWS Marketplace.

💡

The MOSTLY AI offering on the AWS Marketplace will soon be updated. Stay tuned!

Steps

Go the MOSTLY AI page on the AWS Marketplace.
Click Continue to Subscribe.
Review the terms and, if you agree, click Accept Terms.
Click Continue to Configuration.
On the Configure this software page, select fulfillment and software version.
1. For Fulfillment option, select MOSTLY AI EKS installation bootstrap image.
2. For Software version, select the latest available version.
3. Click Continue to Launch.
On the Launch this software page, you can review the configuration details and usage instructions.
⚠️
The command under Container images is already integrated into the MOSTLY AI deployment scripts that you download in Task 10 and you do not need to run the command to deploy MOSTLY AI.

Result

You can now complete the next tasks in AWS to prepare the necessary configurations (if you do not already have them) before you run the AWS deployment script.

Task 2: Create a key pair in EC2

When you create a key pair in EC2, you can use the generated security credentials to use ssh and log in to the EC2 instances that the MOSTLY AI deployment script creates.

Prerequisites

Log in to the AWS Management Console. You can do the steps here with your root AWS account.
Select the zone in which you want to create your Kubernetes cluster.

Steps

From AWS Services, search and open EC2.
In EC2, select Key Pairs under Network & Security from the sidebar.
Click Create key pair.
Enter a name for the new key pair and click Create key pair.
💡
Leave the default options:
- Key pair type: RSA
- Private key file format: .pem

Result

The new key pair appears in the list. The generated .pem file that contains the certificate and access keys download automatically.

What’s next

You can now create a non-ROOT user which is a requirement to run the deployment script in Task 11.

Also, later in Task 10, you define the key pair name in the eks-cluster.yaml deployment configuration file which is a requirement before you run the deployment. You can also use the downloaded certificate to log in to the Kubernetes pods that MOSTLY AI deploys.

Task 3: Create a user group

As a best practice, create a user group to which you will assign the required policies and add the user that will run the deployment script.

Steps

From AWS Services, search and open Identity and Access Management (IAM).
In IAM, select User groups from the sidebar.
Click Create group.
Name the group eksctl-group and click Create group.

Result

The user group eksctl-group is now listed under User groups.

Task 4: Assign an administrator policy to the user group

Allow the user group to act as an administrator which will grant the user that runs the deployment script the privileges required to create an EKS cluster and all related resources.

Steps

From User groups, click the eksctl-group to open its settings.
Select the Permissions tab.
Click Add permissions and select Attach policies from the drop-down menu.
Select the AdministratorAccess policy.
Click Add permissions.

Result

The required AdministratorAccess policy is now added to the user group eksctl-group.

AWS IAM User group - Group with added permissions

Task 5: Create a user

Create a non-ROOT user that should be part of the new user group and will have permissions to run the MOSTLY AI deployment script.

Steps

Open Identity and Access Management (IAM).
Select Users from the sidebar.
Click Create user.
Name the user eksctl and click Next.
On the Set permissions step, select the eksctl-group and click Next.
On the Review and create step, click Create user.

Result

The user is now created and appears in the Users table.

Task 6: Create an access key for the user

Create an access key for the created user. You use the access key to configure and use the AWS CLI and run automated commands or scripts.

Step

In IAM > Users, select the eksctl user.
Click Create access key.
Select Comand Line Interface.
Select the I understand the above recommendation… checkbox.
Click Next.
Click Create access key.
(Optional) View the Access key and Secret access key values.
Click Download .csv file to download the access key locally.

Result

The file eksctl_accessKeys.csv is saved locally and contains the Access key and Secret access key values.

Task 7: Configure AWS CLI

With the user created specifically for the creation and deployment of MOSTLY AI, you can use it configure AWS CLI so that the user performs all scripted tasks.

Prerequisites

AWS CLI. See Install or update the latest version of the AWS CLI in the AWS Documentation.
Prepare your Access key and Secret access key from the previous task.

Steps

Open a command-line application.
Create an AWS CLI named profile for the eksctl user with the aws configure command.
```
aws configure --profile eksctl
```
Complete the prompts for the aws configure command.
1. For AWS Access Key ID [None], paste your access key.
2. For AWS Secret Access Key [None], paste your secret access key.
3. For Default region name [None], type the default AWS region you want to use. For example, eu-central-1.
4. For Default output format [None], type json.

Result

You AWS CLI profile for the eksctl user is now created.

You can verify the configuration from your home folder. If you did not have a previously configured profile, the following commands should produce results similar to the ones below.

View the contents of .aws/config in your home folder to see the configured profiles.
```
cat ~/.aws/config
```
Without any previously configured profiles, the result should be similar to the following:
```
[profile eksctl]
region = eu-central-1
output = json
```
View the contents of .aws/credentials in your home folder to see the saved access key and secret access key for the profile.
```
cat ~/.aws/credentials
```
Without any previously configured profiles, the result should be similar to the following (actual secret values are obfuscated with asterisks):
```
[eksctl]
aws_access_key_id = AK******************
aws_secret_access_key = ******************
```
Finally, you can use the aws sts-caller-identity command to check if the previous configurations were correct:
```
aws sts get-caller-identity --profile eksctl
```
The result should be similar to the following (actual secret values are obfuscated with asterisks):
```
{
    "UserId": "AI*******************",
    "Account": "74**********",
    "Arn": "arn:aws:iam::74**********:user/eksctl"
}
```

Task 8: Create a hosted zone in Route 53

You need to have a fully-qualified domain name (FQDN) for your MOSTLY AI application. If you need to register a new FQDN, you can do so from any domain name registrar (such as GoDaddy, Namecheap, or any other) or use AWS Route 53. You can also use a subdomain.

If you register an FQDN with Route 53, you already have your hosted zone available in AWS under Route 53 > Hosted zones.

If you register an FQDN from another domain registrar, you need to create a hosted zone in Route 53 with your registered domain. In this case, follow the steps below.

Steps

From AWS Services, search and open Route 53.
Select Hosted zones from the sidebar.
Click Create hosted zone.
For Domain name, type your FQDN.
Click Create hosted zone.

Step result: Your FQDN appears in the Records tabe.
From the Records table, copy the name servers for the hosted zone you created.
Go to your domain registrar and add the copied name servers as custom nameservers for your domain.

The propagation of the updated name servers across the DNS network might take several hours.
For more information, contact your domain registrar.

Result

You now have a configured hosted zone in Route 53 for your FQDN.

Depending on your domain name provider, it might take some time (sometimes up to a few days) before the new nameservers are updated and propagated across the global DNS network.

Task 9: Create a SSL certificate for your FQDN

To enable encrypted access with your FQDN, you need an SSL certificate. You can create a SSL certificate through AWS Certificate Manager.

An SSL certificate for your FQDN is required to deploy MOSTLY AI in an EKS cluster.

Steps

From AWS Services, search and open Certificate Manager.
Click List certificates from the sidebar.
Click Request.
Select Request a public certificate and click Next.
Configure and submit a certificate request.
1. For Fully qualified domain name, type your FQDN.
2. Select DNS validation under Validation method.
3. Click Requst.
Step result: A notification indicates that the certificate requires further validation.
Validate you are the owner of your domain.

💡
AWS provides two validation methods: DNS validation and Email validation.
For more information, see Validating domain ownership in the AWS Certificate Manager (ACM) documentation.
The steps below demonstrate the DNS validation method when your domain name provider is not AWS Route 53.
If your domain name provider is AWS Route 53, see DNS validation in the AWS Certificate Manager (ACM) documentation.
1. Select List certificates.
2. Select the Certificate ID in a Pending validation status.
3. Copy the CNAME name and value and add them as a new CNAME record in your DNS provider.
4. Create a new CNAME record for your domain name in your domain name provider web interface.
  ⚠️
  See your domain name provider documentation on how to add a new CNAME record for the DNS validation.

Result

As explained the DNS validation page in the AWS ACM Documentation, the DNS validation can take up to 30 minutes after you add the CNAME record in your domain name provider web interface.

After the DNS validation completes, the Status of your certificate changes to Issued in the certificates list.

AWS Certificate Manager - copy CNAME name and value

Deployment

Task 10: Download and configure deployment files

The MOSTLY AI deployment files include the required configurations to deploy MOSTLY AI in a newly created EKS cluster.

The contents of the deployment files are listed below.

templates/
    ecr-helper.yaml
    job.yaml
Chart.yaml
bootstrap.sh
eks-cluster.yaml
mostly-policy.json
values.yaml

Steps

Download the contents of the MOSTLY AI AWS Marketplace Deployment files.

Edit eks-cluster.yaml, and define your AWS key pair name.

eks-cluster.yaml

...
KeyPairName:
    Type: String
    Description: Name of an existing EC2 key pair (for SSH-a$
    Default: mostly-ai-dep
...

Edit values.yaml to add your domain name and certificate ARN.
1. For domain, define the domain name from which you want to reach the MOSTLY AI application.
  values.yaml
```
domain: 'mostlyai-eks.com'
certificateArn: ''
albScheme: internet-facing
```
2. For certificateArn, paste the certificate ARN from AWS Certificate Manager.
  values.yaml
```
domain: 'mostlyai-eks.com'
certificateArn: 'arn:aws:acm:eu-central-1:74**********::certificate/951a92df-****-****-****-************'
albScheme: internet-facing
```
3. Save the file.

What’s next

You can now start the MOSTLY AI deployment script.

Task 11: Run deployment script

The MOSTLY AI deployment script uses AWS CloudFormation to automate the creation of an EKS cluster and all required resources in your AWS account and then runs the deployment of the MOSTLY AI with a Helm chart that is part of the deployment files.

Steps

Change directory to the downloaded deployment files.
Run the bootstrap.sh script and provide your AWS region as the first argument and the AWS user name from Task 5 as the second argument.
```
./bootstrap.sh eu-central-1 eksctl
```
The deployment script starts and reports progress as it creates the required resources in AWS CloudFormation in order to create your EKS cluster. The output from the script should be similar to the following:
```
{
    "StackId": "arn:aws:cloudformation:eu-central-1:74**********:stack/mostlyai-eks/720db0d0-****-****-****-************"
}
Stack status: CREATE_IN_PROGRESS. Waiting for stack creation to complete...
```
The script creates the resources that are required for your EKS cluster. See the list of the created resources below.
- 6 x EC2 instances
- VPC
- Application Load Balancer (ALB)
- EFS mountpoint
- EBS provisioning
- subnets
- NAT gateways
- routes
- route tables
- security groups
It can take 20-30 min for CloudFormation to create all resources.
(Optional) To track the progress, open CloudFormation in AWS, select your stack and select the Events tab.

Result

When the script finishes, it outputs a long list of valuable information for your EKS cluster. Save the information in a safe location.

NAME: aws-load-balancer-controller
LAST DEPLOYED: Fri Aug 25 21:01:28 2023
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
AWS Load Balancer controller installed!
node/ip-10-110-33-152.eu-central-1.compute.internal labeled
node/ip-10-110-35-142.eu-central-1.compute.internal labeled
node/ip-10-110-44-159.eu-central-1.compute.internal labeled
node/ip-10-110-58-31.eu-central-1.compute.internal labeled
node/ip-10-110-59-235.eu-central-1.compute.internal labeled
node/ip-10-110-62-52.eu-central-1.compute.internal labeled
secret/mostly-docker-cfg created
Release "mostly-ai" does not exist. Installing it now.
NAME: mostly-ai
LAST DEPLOYED: Fri Aug 25 21:02:08 2023
NAMESPACE: mostly-ai
STATUS: deployed
REVISION: 1
TEST SUITE: None
#########
Please use below AWS ALB address to point your domain to it with AWS Route 53 or any other provider.
Please don't cancel or close this terminal tab as it will offer some important information at the end!
NAME        CLASS   HOSTS              ADDRESS                                                             PORTS   AGE
mostly-ui   alb     mostlyai-eks.com   k8s-mostlyai-d90957e22b-**********.eu-central-1.elb.amazonaws.com   80      21m
#########

⚠️

If the deployment script fails, go to Troubleshoot deployment issues to learn how to work around deployment issues.

What’s next

Use the information about your ALB to set your FQDN in Task 12.

Post-deployment

Task 12: Set your FQDN to point at your ALB

If the deployment script finishes successfully in Task 11, you now need to configure your FQDN to point to the ALB that is created by the CloudFormation script at the address that is output by the script.

Steps

From the end of the previous task, copy the ALB address that looks similar to the following:
```
k8s-mostlyai-d90957e22b-**********.eu-central-1.elb.amazonaws.com
```
Go to Route 53 > Hosted zones and select the hosted zone for your FQDN.
Click Create record.
Configure the record.
1. For Record type, select A - Route traffic to an IPv4 address and some AWS resources.
2. For Alias, enable the checkbox.
3. Under Route traffic to, select the following options:
  - Alias to an Application and Classic Load Balancer
  - Select your region. In this case, Europe (Frankfurt).
  - From the search box, select the name of your ALB.
Click Create records.

Result

Your FQDN now points to the ALB for the MOSTLY AI app.

What’s next

You can now direct your browser to your FQDN and open your deployed MOSTLY AI app for the first time.

Task 13: Log in to your MOSTLY AI deployment

Prerequisites

Contact MOSTLY AI to obtain the supeadmin credentials as you need them to log in for the first time.

Steps

Open your FQDN in your browser.
Step result: You Sign in page for your MOSTLY AI deployment opens.
Enter the superadmin credentials and click Sign in.
Provide a new password and click Change password.

Result

Your superadmin password is now changed and you can use it to log in again to your MOSTLY AI deployment.

Overview

Prerequisites

Pre-deployment

Task 1: Subscribe for MOSTLY AI from AWS Marketplace

Task 2: Create a key pair in EC2

Task 3: Create a user group

Task 4: Assign an administrator policy to the user group

Task 5: Create a user

Task 6: Create an access key for the user

Task 7: Configure AWS CLI

Task 8: Create a hosted zone in Route 53

Task 9: Create a SSL certificate for your FQDN

Deployment

Task 10: Download and configure deployment files

Task 11: Run deployment script

Post-deployment

Task 12: Set your FQDN to point at your ALB

Task 13: Log in to your MOSTLY AI deployment