Configure Customer Managed Egress
Astro supports Customer Managed Egress for DAG Workloads on dedicated AWS clusters.
Customer Managed Egress for DAG Workloads lets you control egress to ensure compliance with security standards and regulations, and provides a data loss protection architecture to secure against unauthorized data transfer.
Enabling Customer Managed Egress through a Transit Gateway attachment between Astro and your corporate network allows you to manage and have full visibility into private and public data flows from your Astro Deployments and from Metrics Export configurations.
An icon on the Deployments and Deployment details pages indicates when a Deployment is on a cluster with Customer Managed Egress enabled.
Prerequisites
- An existing dedicated AWS cluster. See Create a dedicated cluster.
- Organization Owner user permissions. See User permissions reference for more information.
Step 1: Create a resource share for Transit Gateway with Astro and submit Transit Gateway ID
- In the Organization section of the Astro UI, click Clusters. For an existing dedicated AWS cluster, click the cluster you want to edit. Then, navigate to the Customer Managed Egress for DAG Workloads section of the Cluster Details page.
- Click Configure Customer Managed Egress...
- Share your Transit Gateway with your Astro cluster account using AWS Resource Access Manager (AWS RAM). Your Astro cluster Account ID is provided for you to enter into AWS RAM.
- Retrieve your AWS Transit Gateway ID from your AWS console.
- Enter your AWS Transit Gateway ID into Transit Gateway ID.
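The AWS side of Step 1 can also be done with the AWS CLI instead of the console. The following is an added example, not part of the Astro documentation: the share name, the region, and every account and Transit Gateway ID used with it are constructed placeholders, and the Astro cluster Account ID must be the one shown to you in the Astro UI.

```shell
#!/bin/sh
# Added example. All IDs passed to these functions in this page's context are
# constructed placeholders; substitute your own values.

# A Transit Gateway ID is "tgw-" followed by 17 lowercase hex characters.
valid_tgw_id() {
    printf '%s\n' "$1" | grep -Eq '^tgw-[0-9a-f]{17}$'
}

# An AWS account ID is exactly 12 digits.
valid_account_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{12}$'
}

# List Transit Gateways in a region with their owner account and state,
# so you can pick the ID to submit in the Astro UI.
# usage: list_tgws REGION
list_tgws() {
    aws ec2 describe-transit-gateways --region "$1" \
        --query 'TransitGateways[].[TransitGatewayId,OwnerId,State]' \
        --output text
}

# Build the Transit Gateway ARN that AWS RAM takes as the shared resource.
# usage: tgw_arn REGION OWNER_ACCOUNT_ID TGW_ID
tgw_arn() {
    valid_account_id "$2" || { echo "bad owner account ID: $2" >&2; return 1; }
    valid_tgw_id "$3" || { echo "bad Transit Gateway ID: $3" >&2; return 1; }
    printf 'arn:aws:ec2:%s:%s:transit-gateway/%s\n' "$1" "$2" "$3"
}

# Share the Transit Gateway with the Astro cluster account through AWS RAM.
# The share name "astro-customer-managed-egress" is a hypothetical choice.
# usage: share_tgw REGION OWNER_ACCOUNT_ID TGW_ID ASTRO_ACCOUNT_ID
share_tgw() {
    valid_account_id "$4" || { echo "bad Astro account ID: $4" >&2; return 1; }
    arn=$(tgw_arn "$1" "$2" "$3") || return 1
    # With DRY_RUN=1 the command is printed for review instead of being run.
    ${DRY_RUN:+echo} aws ram create-resource-share \
        --region "$1" \
        --name astro-customer-managed-egress \
        --resource-arns "$arn" \
        --principals "$4"
}
```

Run `share_tgw` with `DRY_RUN=1` first to review the exact principal and resource ARN before the share is created, since the share grants another AWS account access to attach to your Transit Gateway.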
Step 2: Astro accepts resource share and creates Transit Gateway attachment
Monitor the automatically generated Astro support ticket to accept the resource share and confirm that the Transit Gateway attachment is created. This activity is completed by Astronomer Support, so you do not need to take action during this step.
Step 3: Enable Customer Managed Egress for DAG Workloads
- Enable Customer Managed Egress for DAG Workloads.
- Astro routes all public and private traffic to your Transit Gateway from your Astro Deployments, and Private Network Egress mode is enabled.
Resetting the Transit Gateway ID disables the routing of workload traffic (public and private) to your Transit Gateway, which might cause task failures. You must re-configure a new Transit Gateway to enable Customer Managed Egress again.