
Info

This project supports multi-availability zone deployment. For more details, please see System architecture and Multi-Availability zone deployment. Monitoring and logging are also explained in more detail below.


Why this approach?

At Panintelligence, we believe in scripting as much as we possibly can and lean heavily on the community to supply us with open source tooling to facilitate this goal. Hashicorp has long been one of the biggest players in the DevOps scene, and their Infrastructure as Code tool “Terraform” offers an idempotent and platform-agnostic method to deliver change across an estate. The software is light and portable. Since we already had a great many scripts written in Terraform to deploy our software in an idempotent manner, it seemed appropriate to share these scripts with partners.

The architecture is driven chiefly by ECS within the deployment in AWS. ECS represents a free way to orchestrate and manage fleets of containers. Backed by Fargate, it offers a low-complexity method to create a compute layer. There are other container management options available, such as Kubernetes and Docker Swarm, and we can assist with the installation of our software onto these platforms, but for AWS, nothing pleases a Yorkshireman more than the prospect of a freebie!

We encourage our partners to fork our code and change it for their own purposes, but we make one request. If you stumble across something that’s not quite right, please do raise a merge request with a fix for our base code; you would be helping out a great number of people, and we treasure our community.

Installation of Key Tools

Panintelligence

We host the container images for Panintelligence at the GitHub Container Registry (GHCR). In order to access our images, please create a support request with our team at support@panintelligence.com providing your GitHub username or email. The team will respond with a list of images to which you have been granted access.

It’s highly recommended that you pull our images and push them to your own private image repository so you can maintain service continuity without relying on a third party.

Terraform

Please review the documentation provided by Hashicorp for the most comprehensive and up-to-date instructions on installing Terraform on your chosen platform: https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli

AWS

You will need a target AWS account with the scope to provision resources defined in the service quotas explained later in this document.

System Architecture

Diagram

(The draw.io architecture diagram embedded here is not reproduced in this export.)

Resources

Route 53
  • Description: Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. For more information, please see the Setting up Amazon Route 53 documentation.
  • How is it used? You can attach your domain name to the AWS Application Load Balancer to point to the Panintelligence dashboard.

AWS ACM
  • Description: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. For more information, please see the Setting up - AWS Certificate Manager documentation.
  • How is it used? In order to serve port 443/HTTPS on the AWS Application Load Balancer, you will need an SSL/TLS certificate.

AWS S3 Bucket
  • Description: Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. For more information, please see the AWS S3 Bucket documentation.
  • How is it used? The architecture requires the user to upload the Lambda zip provided in the Git repository to an S3 bucket; another S3 bucket is created to store images, themes and Excel data.

AWS Internet gateway
  • Description: An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. For more information, please see the Internet Gateways documentation.
  • How is it used? The Panintelligence dashboard requires web browser access.

AWS IAM
  • Description: AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. For more information, please see the AWS IAM documentation.
  • How is it used? IAM permissions give you fine-grained control over who and what has access to resources.

AWS Security groups
  • Description: A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. For more information, please see the AWS Security Groups documentation.
  • How is it used? Increases protection of your infrastructure.

AWS Application Load Balancer
  • Description: Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets, and routes traffic only to the healthy targets. For more information, please see the AWS Application Load Balancer documentation.
  • How is it used? The ALB directs traffic to the healthy EC2 targets.

AWS VPC
  • Description: Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data centre, with the benefits of using the scalable infrastructure of AWS. For more information, please see the AWS VPC documentation.
  • How is it used? We use the AWS VPC to launch resources in the virtual network.

Subnets
  • Description: You need to specify a logical address range for specific resources. For more information, please see the Subnets documentation.
  • How is it used? Resources are configured into specific subnet CIDR blocks.

NACL
  • Description: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. For more information, please see the NACL documentation.
  • How is it used? Configures additional security.

AWS Lambda
  • Description: AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers, creating workload-aware cluster scaling logic, maintaining event integrations, or managing runtimes. For more information, please see the AWS Lambda documentation.
  • How is it used? The infrastructure uses AWS Lambda to side-load S3 objects into AWS EFS.

AWS RDS MariaDB
  • Description: Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. For more information, please see the AWS RDS MariaDB documentation.
  • How is it used? The Panintelligence dashboard uses AWS RDS MariaDB as an external DB.

AWS EFS
  • Description: Amazon Elastic File System (Amazon EFS) provides a simple, serverless, set-and-forget elastic file system for use with AWS Cloud services and on-premises resources. For more information, please see the AWS EFS documentation.
  • How is it used? AWS EFS keeps persistent data for themes, images, SVGs and custom JDBC.

AWS Auto scaling
  • Description: AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. For more information, please see the AWS Auto scaling documentation.
  • How is it used? Auto Scaling increases or decreases the number of EC2 instances depending on traffic.

AWS NAT gateway
  • Description: A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, while external services cannot initiate a connection with those instances. For more information, please see the AWS NAT gateway documentation.
  • How is it used? Allows you to use the Panintelligence Automated Licence Manager.

AWS ECS
  • Description: Amazon Elastic Container Service (ECS) is a fully managed container orchestration service that simplifies running, scaling, and securing Docker container applications on AWS. It integrates seamlessly with other AWS services.
  • How is it used? Manages the containers in the microservice model.

AWS Cloudwatch
  • Description: Amazon CloudWatch is a monitoring and observability service designed for DevOps engineers, developers, and IT managers. It provides real-time monitoring, logging, and alarms for AWS resources, applications, and services, ensuring operational health and performance optimisation.
  • How is it used? Stores logs, container metrics and insights for monitoring, logging and scaling purposes.


Service      CPU      Memory       Storage   Notes
Dashboard    1 → 2    2Gb → 4Gb    100Gb     The source shows two values for CPU and memory in this row (old → new between the compared page versions).
renderer     2        4gb                    The more resource you give, the faster it renders. This is only used for ad-hoc requests or reports.
pirana       0.5      512mb
scheduler    0.5      512mb


backup (source database)

    # Every continuation backslash must be the last character on its line.
    # The -p<your password> form exposes the password in the process list and
    # shell history while the dump runs.
    mysqldump \
      --add-drop-table \
      --add-drop-database \
      --databases \
      -u<admin_user> \
      -p<your password> \
      -h<database source host endpoint> \
      -P3306 \
      dashboard \
      --ignore-table=dashboard.mis_user_cat_access_view_pi \
      --ignore-table=dashboard.test_user_access \
      --ignore-table=dashboard.mis_user_cat_access_view \
      > sqldump_dashboard<todays_date>.sql

backup restore (target database)

    mysql \
      -u<db_user> \
      -p<your password> \
      -h<database target host endpoint> \
      -P3306 < sqldump_dashboard<todays_date>.sql
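The backup and restore commands above, driven from Python as an added example (not part of this page or of Panintelligence's own scripts): the password is supplied through a 0600 option file rather than -p on the command line, and the dump is checked for mysqldump's completion marker before it is trusted as a restore point. Host names, user names and the option-file name are placeholders.

```python
import datetime as dt
import os
import subprocess
import tempfile

# Tables the page's mysqldump command skips in the 'dashboard' schema.
IGNORED_TABLES = (
    "dashboard.mis_user_cat_access_view_pi",
    "dashboard.test_user_access",
    "dashboard.mis_user_cat_access_view",
)

def dump_filename(today=None):
    """sqldump_dashboard<todays_date>.sql, with an ISO date so files sort by day."""
    today = today or dt.date.today()
    return f"sqldump_dashboard{today.isoformat()}.sql"

def write_password_file(password, directory):
    """Create a 0600 MySQL option file holding only the password. Passed with
    --defaults-extra-file it keeps the secret out of `ps` output and shell
    history, which -p<your password> on the command line does not."""
    path = os.path.join(directory, "dashboard-client.cnf")  # placeholder name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        # Quoted so a '#' or ';' in the password is not read as a comment.
        fh.write(f'[client]\npassword="{password}"\n')
    return path

def build_dump_argv(host, user, cnf_path, port=3306):
    """argv for the page's mysqldump command; --defaults-extra-file must come first."""
    argv = [
        "mysqldump", f"--defaults-extra-file={cnf_path}",
        "--add-drop-table", "--add-drop-database", "--databases",
        f"-u{user}", f"-h{host}", f"-P{port}",
    ]
    argv += [f"--ignore-table={t}" for t in IGNORED_TABLES]
    return argv + ["dashboard"]

def build_restore_argv(host, user, cnf_path, port=3306):
    """argv for the page's mysql restore; stdin is redirected from the dump file."""
    return ["mysql", f"--defaults-extra-file={cnf_path}",
            f"-u{user}", f"-h{host}", f"-P{port}"]

def dump_looks_complete(dump_text):
    """mysqldump writes '-- Dump completed' as its final line. A dump cut short by
    a dropped connection or a killed task lacks it and must not be kept."""
    lines = [ln for ln in dump_text.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].startswith("-- Dump completed")

def run_dump(host, user, password, out_dir, port=3306):
    """Dump the 'dashboard' database into out_dir; returns (path, complete).
    Needs mysqldump on PATH and network access to the RDS endpoint."""
    with tempfile.TemporaryDirectory() as tmp:
        cnf = write_password_file(password, tmp)
        out_path = os.path.join(out_dir, dump_filename())
        with open(out_path, "w", encoding="utf-8") as fh:
            subprocess.run(build_dump_argv(host, user, cnf, port),
                           stdout=fh, check=True)
    with open(out_path, encoding="utf-8") as fh:
        return out_path, dump_looks_complete(fh.read())
```

The option file lives only for the duration of the dump; restoring is the same pattern with build_restore_argv and the dump file on stdin.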

AWS EFS Disaster Recovery

EFS is backed up using an EFS backup vault. Please follow the AWS instructions to perform a restore:

https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-efs.html

Time To Deploy / Restore

The script takes approximately 20 minutes to run.

Restoring a database using the delta backup routine from AWS takes approximately 20 minutes, with additional time required to move relevant extracts around. If you have access set up, the whole process should take no longer than 30 minutes.

Healthchecks, Logging, Troubleshooting

How do you check that your Panintelligence dashboard is healthy, and how can you troubleshoot if there are issues?

Info

Metrics to look out for:

Check whether there are any “unhealthy hosts”. If there are, that is a sign of a problem: look into that particular EC2 instance to find out why.

Target groups:

  • Log into the AWS Management Console → go into the EC2 console → on the left-hand side, click the ‘Target Groups’ tab.

  • Click into the Panintelligence target group.

  • Check the registered targets for any that are marked unhealthy.

  • If you do see any unhealthy targets, check the ‘Monitoring’ tab to look at the metrics for more detail at a specific time.

Info

If you face a ‘502’ error on the front end, check the target groups. A target may be unhealthy, or there may be no targets registered to the AWS Application Load Balancer.

AWS Cloudwatch

Accessing your instance for administration

Because of the nature of containerisation, changes to the container should not be made interactively or directly. You can set most settings using environment variables, for which there is a comprehensive list available here.

You are welcome to make changes to the base container by means of a Dockerfile if you wish to add additional software or packages. Please note that changes made to the base container fall outside of support. Having said that, we’re only too happy to help if you have found an issue. You can obtain assistance by reaching out to our support team at support@panintelligence.com

AWS RDS MariaDB: checking that the Panintelligence repository database is healthy

Info

Metrics to look out for:

The “CPU Utilization” metric shows how well the database is handling the workload. If it is near 90%, look into why there is such a heavy workload, or increase the RDS instance type. In addition, you are limited on “DB Connections”: if the count is near 300, you are near the limit. Look into reducing the connections or use RDS Proxy to assist.

  • AWS RDS MariaDB: to view the logs, please follow these instructions:

  • Log into the AWS Management Console → go into the AWS RDS console → click into ‘Databases’ → click into ‘dashboard’.

  • Check the ‘Monitoring’ tab to see whether you are hitting max connections, and to view CPU utilisation and memory space.

  • You can go further and check the RDS MariaDB logs: select the logs near the bottom of the page and select ‘View’.
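The target-group check and the RDS thresholds from the two sections above, as code rather than console screenshots. This is an added example, not part of the page or of Panintelligence's tooling; it runs over constructed sample data shaped like `aws elbv2 describe-target-health` output and CloudWatch datapoints, and the target IDs, port and metric values are made up.

```python
# Thresholds stated on the page: RDS CPU near 90 % and DB connections near 300.
RDS_CPU_WARN_PERCENT = 90.0
RDS_MAX_CONNECTIONS = 300

# Constructed sample shaped like `aws elbv2 describe-target-health` output: two
# tasks registered in the Panintelligence target group, one failing its health check.
SAMPLE_TARGET_HEALTH = {
    "TargetHealthDescriptions": [
        {"Target": {"Id": "10.0.1.23", "Port": 8224},
         "TargetHealth": {"State": "healthy"}},
        {"Target": {"Id": "10.0.2.41", "Port": 8224},
         "TargetHealth": {"State": "unhealthy",
                          "Reason": "Target.ResponseCodeMismatch",
                          "Description": "Health checks failed with these codes: [502]"}},
    ]
}

# Constructed sample CloudWatch datapoints for the RDS instance, oldest first.
SAMPLE_RDS_METRICS = {
    "CPUUtilization": [42.0, 58.5, 91.2],
    "DatabaseConnections": [120, 180, 285],
}

def unhealthy_targets(target_health):
    """(id:port, state, reason) for each target whose state is not 'healthy'.
    Any entry here is the 'unhealthy hosts' condition the page says to chase down."""
    findings = []
    for desc in target_health.get("TargetHealthDescriptions", []):
        health = desc.get("TargetHealth", {})
        if health.get("State") != "healthy":
            target = desc["Target"]
            findings.append((f"{target['Id']}:{target.get('Port', '')}",
                             health.get("State", "unknown"),
                             health.get("Reason", "")))
    return findings

def rds_findings(metrics, cpu_warn=RDS_CPU_WARN_PERCENT, max_conns=RDS_MAX_CONNECTIONS):
    """Apply the page's RDS thresholds to the most recent datapoint of each metric."""
    findings = []
    cpu = metrics.get("CPUUtilization") or [0.0]
    conns = metrics.get("DatabaseConnections") or [0]
    if cpu[-1] >= cpu_warn:
        findings.append(f"CPUUtilization {cpu[-1]:.1f}% >= {cpu_warn:.0f}%: "
                        "find the heavy workload or move to a larger RDS instance type")
    # Warn from 90 % of the limit so there is time to act before connections are refused.
    if conns[-1] >= 0.9 * max_conns:
        findings.append(f"DatabaseConnections {conns[-1]} near the {max_conns} limit: "
                        "reduce connections or put RDS Proxy in front")
    return findings

def triage(target_health, metrics):
    """Combine both checks into the actions the page's troubleshooting steps imply.
    Returns [] when everything is within limits."""
    actions = []
    if not target_health.get("TargetHealthDescriptions"):
        actions.append("No targets registered to the ALB: expect 502s; check the ECS service")
    for ident, state, reason in unhealthy_targets(target_health):
        actions.append(f"Target {ident} is {state} ({reason}): expect 502s; inspect that target")
    actions.extend(rds_findings(metrics))
    return actions
```

With real data, feed the JSON from the AWS CLI or boto3 into triage() in place of the constructed samples.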


Cost Estimates

  • All costs are in USD unless otherwise stated.

  • All Services are deployed to the default region of EU-WEST-1 unless otherwise stated.

Logging / Monitoring
  • Service: Amazon CloudWatch
  • Monthly Cost (USD): 3.4472
  • Configuration Summary: GetMetricData: Number of metrics requested (20), Standard Logs: Data Ingested (3 GB), Logs Delivered to CloudWatch Logs: Data Ingested (3 GB), Logs Delivered to S3: Data Ingested (0 GB)

adminer
  • Service: AWS Fargate
  • Monthly Cost (USD): 18.03
  • Configuration Summary: Operating system (Linux), CPU Architecture (x86), Average duration (1 days), Number of tasks or pods (1 per day), Amount of ephemeral storage allocated for Amazon ECS (20 GB), Amount of memory allocated (1 GB)

renderer
  • Service: AWS Fargate
  • Monthly Cost (USD): 36.04
  • Configuration Summary: Operating system (Linux), CPU Architecture (x86), Average duration (1 days), Number of tasks or pods (1 per day), Amount of ephemeral storage allocated for Amazon ECS (20 GB), Amount of memory allocated (2 GB)

dashboard
  • Service: AWS Fargate
  • Monthly Cost (USD): 36.04
  • Configuration Summary: Operating system (Linux), CPU Architecture (x86), Average duration (1 days), Number of tasks or pods (1 per day), Amount of ephemeral storage allocated for Amazon ECS (20 GB), Amount of memory allocated (2 GB)

scheduler
  • Service: AWS Fargate
  • Monthly Cost (USD): 36.04
  • Configuration Summary: Operating system (Linux), CPU Architecture (x86), Average duration (1 days), Number of tasks or pods (1 per day), Amount of ephemeral storage allocated for Amazon ECS (20 GB), Amount of memory allocated (2 GB)

pipredict
  • Service: AWS Fargate
  • Monthly Cost (USD): 36.04
  • Configuration Summary: Operating system (Linux), CPU Architecture (x86), Average duration (1 days), Number of tasks or pods (1 per day), Amount of ephemeral storage allocated for Amazon ECS (20 GB), Amount of memory allocated (2 GB)

persistent storage
  • Service: Amazon Elastic File System (EFS)
  • Monthly Cost (USD): 0.17
  • Configuration Summary: Desired Storage Capacity (0.5 GB per month), Infrequent Access requests (0 GB per month)

Ingress
  • Service: Application Load Balancer
  • Monthly Cost (USD): 18.52
  • Configuration Summary: Number of Application Load Balancers (1)

Egress
  • Service: Network Address Translation (NAT) Gateway
  • Monthly Cost (USD): 35.09
  • Configuration Summary: Number of NAT Gateways (1)

Public IPv4 Address
  • Service: Public IPv4 Address
  • Monthly Cost (USD): 18.25
  • Configuration Summary: Number of In-use public IPv4 addresses (5), Number of Idle public IPv4 addresses (0)

Repo Database
  • Service: Amazon RDS for MariaDB
  • Monthly Cost (USD): 112.08
  • Configuration Summary: Storage amount (20 GB), Nodes (1), Instance type (db.t3.medium), Utilization (On-Demand only) (100 %Utilized/Month), Deployment selection (Multi-AZ), Pricing strategy (OnDemand), Storage volume (General Purpose SSD (gp2)), Additional backup storage (20 GB)

docker credentials secret
  • Service: AWS Secrets Manager
  • Monthly Cost (USD): 0.4
  • Configuration Summary: Number of secrets (1), Average duration of each secret (30 days), Number of API calls (1 per month)

Cost Summary

Estimated monthly hosting cost (without licence): $350.15

Cost over 12 months: $4201.80

Please note that certain services (e.g. adminer, a database administration tool) and any modules not covered by the terms of your Panintelligence licence do not need to be deployed, which presents an opportunity for cost savings.

How to Obtain Support assistance
