External networks in DoubleCloud (BYOA)
Overview
External networks in DoubleCloud are used to transmit information between cloud resources, such as clusters, and connect them to the internet via peering connections in the same way as internal networks. The main difference is that the network will be created under your own AWS account and will belong to you.
Each network has its own CIDR blocks for both IPv4 and IPv6. You can find these addresses on the VPC overview
DoubleCloud creates external networks based on the CloudFormation
This technique is called BYOA, which stands for "Bring Your Own Account."
DoubleCloud stack template
You can find the DoubleCloud stack template in our S3 bucket
DoubleCloud Transfer service supports BYOA to make your data migration more intuitive and straightforward.
Why use BYOA
This feature is useful when you need to keep your data within your AWS network without providing any access to third parties, especially if you have strict compliance and security requirements or want to configure all the network elements yourself.
The following diagram shows the allocation of your resources when using BYOA:
When you use external networks, you manage computational resources, storage, and data on the AWS side. DoubleCloud handles backups, monitoring, logs, and everything else to make resource management convenient.
When you decide to use BYOA, you're the only one responsible for your network management in AWS. This includes all the network elements - VPC, subnets, security groups, ALBs, and other elements. You will also have to manage the costs on the AWS side.
Security
Clusters in external networks have two levels of protection:
- AWS VPC security measures
  When you add an external network, DoubleCloud creates several entities under your AWS account. The entities include VPC, security groups, ACLs, route tables, and others, depending on your network configuration. The predefined parameters prevent unauthorized access to your network.
- Allow lists in DoubleCloud
  The main manually configurable access management measure is the allow list, which is set for each cluster separately. The allow list blocks access to the cluster from every IP address except the ones explicitly specified as allow list entries.
Tip
DoubleCloud has no access to your data. For more information on our data privacy agreements, see Data privacy.
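Because the security groups live in your own AWS account, you can check them against the addresses you intend to allow. The following is an added example, not DoubleCloud tooling: it audits ingress rules in the shape of `aws ec2 describe-security-groups` output against a list of permitted CIDRs. The group IDs, ports, and address ranges are constructed sample values.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-EXAMPLE1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-EXAMPLE2", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}, {"CidrIp": "192.0.2.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8:1::/64"}]}]},
]}

# Constructed list of permitted sources (documentation ranges), IPv4 and IPv6.
ALLOW_LIST = ["203.0.113.0/24", "198.51.100.0/28", "2001:db8::/32"]


def covered(cidr, allow_list):
    """True only if every address in cidr falls inside one allow-list entry."""
    net = ipaddress.ip_network(cidr, strict=False)
    for entry in allow_list:
        allowed = ipaddress.ip_network(entry, strict=False)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if net.version == allowed.version and net.subnet_of(allowed):
            return True
    return False  # default deny: an empty allow list covers nothing


def audit(groups, allow_list):
    """Return (group id, protocol, ports, cidr) for sources outside the allow list."""
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            # Rules with protocol -1 carry no port keys and apply to all ports.
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not covered(cidr, allow_list):
                    findings.append((sg["GroupId"], proto, ports, cidr))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOW_LIST):
        print("outside allow list:", *finding)
```

A source range counts as covered only when it sits entirely inside a single allow-list entry, so a rule that is broader than the entry it overlaps is still reported.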
Pricing
Unlike DoubleCloud standard pricing, the BYOA approach has custom pricing depending on the network parameters.
In this case, you are responsible for all underlying costs for traffic, storage, and AWS resources, which make up most of the price. DoubleCloud receives fees for managed infrastructure.
You can see the pricing when creating a cluster in an external network.