Add an external network (BYOA)

DoubleCloud creates external networks based on the CloudFormation stacks. When you start creating a network with your stack, CloudFormation creates a special IAM role with permission boundaries that allows managing resources in your account, such as virtual machines, disks, VPCs, and others.

This approach is called BYOA - Bring Your Own Account, and requires you to provide the infrastructure to be deployed as code. The code should be JSON or YAML. The DoubleCloud service will process this code and automatically create infrastructure with the specified configuration. This infrastructure will be created under your AWS account and belong to you.


See the CloudFormation best practices in the AWS documentation .

Prepare to creating a stack

  1. Go to the VPC service page in console.

  2. Click Add External Network.

  3. In the popup window, perform the following actions:

    1. Select an AWS region.

    2. (Optional) Get familiar with the default CloudFormation stack template located in our public S3 bucket .

    3. Click Launch in AWS.

    The AWS console will open with some pre-filled stack parameters. Log in and specify other parameters there.

Create a stack in AWS

The stack creation process has four steps. In this scenario, we show the way to create a stack based on our template:

Specify template

  1. Under Prerequisite - Prepare template, keep the Template is ready selection.

  2. In the Specify template section, ensure that Amazon S3 URL is selected.

  3. Make sure that the Amazon S3 URL has the correct link to our S3 bucket:
  4. Click Next to proceed to the second step.

Specify stack details

  1. Enter your stack name in the Stack name box.

  2. Specify a CIDR block for your VPC in the Parameters section.

  3. Click Next to proceed.

Configure stack options

  1. In the Tags section, specify tags for your stack if you need to.

  2. Specify an IAM role in the Permissions section.

    This role will define how CloudFormation can create, modify, or delete resources in the stack. If you don't choose a role, CloudFormation uses permissions based on the account under which you logged in.

    The drop-down menu provides two possible options for this:

    • iamRoleName

      Allows you to select a role from a list of roles you created before with the AWS IAM service.

    • iamRoleArn

      Allows you to provide a unique role identifier using Amazon Resource Names (ARNs).

  3. Select the Stack failure options:

    • Roll back all stack resources

      In case of stack provisioning failure, rolls back all resources to the last known stable state.

    • Preserve successfully provisioned resources

      In case of stack provisioning failure, preserves the state of successfully provisioned resources and rolls back only the resources that don't have the last known stable state. Resources not provisioned will be deleted.

  4. Configure Advanced options:

    1. Specify Stack policy in the JSON format. The policy defines the resources that you want to protect from unintentional updates during a stack update. You can select one of the following options to provide a policy:

      • No stack policy to let all the resources update during the stack update.

      • Enter stack policy directly in console.

      • Upload a file with a specified policy.

      For more information on policies, see AWS: prevent updates to stack resources .

    2. Specify the Rollback configuration for your resources (optional).

      • Monitoring time

        Specify as an integer number. This setting defines the number of minutes after the operation completes that CloudFormation should monitor the alarms specified below.

      • CloudWatch alarm

        Specify an Amazon Resource Name (ARN) for an alarm in the CloudWatch service and click Add CloudWatch alarm ARN.

    3. Set Notification options.

    4. Specify Stack creation options.

      • Set the Timeout.

        The timeout defines the maximum period that a stack creation process can take. If this period is exceeded, the service will cancel the stack creation. Specify the timeout as an integer number.

      • Select the Termination protection type:

        • Disabled

          Any account with access to your stack can delete it.

        • Enabled

          The stack can't be deleted. Change this setting's value when you update the stack to allow the stack deletion.

  5. Click Next to proceed to the last step.


  1. Inspect all the settings from previous steps carefully.

  2. If all the settings are correct, check the I acknowledge that AWS CloudFormation might create IAM resources with custom names box under Capabilities.

  3. Click Create stack and wait for several minutes until your stack's status changes from CREATE_IN_PROGRESS to CREATE_COMPLETE.

  4. On the stacks overview page , click your newly created stack name.

  5. On the stack's page, go to the Outputs tab.

  6. Copy the creation output in the Value column. It looks as follows:

    stack creation output

You will need to copy this output to paste it to the DoubleCloud console in the next step.

Copy the CloudFormation output and add the external network

  1. Get back to the DoubleCloud console.

  2. In the popup window from which you went to the AWS console, find the third step - Copy and paste the output information.

  3. Copy the CloudFormation output from the previous step to the text field.

  4. Name your network.

  5. Check the Private network box to block all the inbound connections to the network from the Internet. This capability renders all the infrastructure within the network isolated from the outside, leaving VPC peering on the infrastructure side the only option to connect and rendering the DoubleCloud Visualization service unable to access the data within.

    Allow lists notice

    Keep in mind that the allow lists configured for a specific cluster will affect its availability via VPC when the Public network feature is enabled, and the accessibility from the outside Internet when it's disabled.

  6. Click Add network.

After that, your network will be displayed on the VPC overview page under the Networks tab.

You can select this network when you create a cluster:

select an external network when creating a cluster

If you want to connect your resources located in this network to external resources, use peering connections.

See also