ECS-Variant-2: New Customers

This article describes the complete process for enabling AskEdgi components for new SaaS customers in the AWS environment. The deployment is largely managed through AWS Control Tower automation, which provisions and configures the necessary AWS resources, including compute, storage, networking, and security components required for AskEdgi operations.

Certain steps, however, require manual verification and configuration to ensure correct integration, compliance with security standards, and readiness of the environment. This document provides detailed instructions for these manual tasks, covering network setup, IAM configurations, ECS task definitions, service discovery, and post-deployment validation to ensure successful enablement of AskEdgi services.

Purpose of the document

The purpose of this document is to provide a clear procedure for enabling AskEdgi components for new SaaS customers under Variant 2, where manual configurations and validations are required after AWS Control Tower automation. It serves as a reference for verifying, configuring, and integrating AskEdgi services, ensuring the correct deployment of AWS resources, secure communication between components, and the successful initialization of AskEdgi functionality.

Prerequisites

Before initiating the AskEdgi SaaS enablement process for Variant 2, the following AWS services and permissions must be available. These services form the foundation for deploying, configuring, and operating AskEdgi components within the environment.

| AWS Service     | Purpose / Usage                                                  |
|-----------------|------------------------------------------------------------------|
| ECS             | Hosts AskEdgi containers and manages task execution              |
| IAM             | Manages users, roles, and permissions for secure access          |
| RDS             | Stores application and workspace data for AskEdgi services       |
| EFS             | Provides persistent file storage for the Insight service         |
| Secrets Manager | Stores database credentials and sensitive configuration securely |
| EC2             | Supports underlying compute resources for ECS tasks              |

Implementation Steps

Step 1: Network Security Configuration

  • Create two private subnets for the Edgi Insight Service.

  • Create a Security Group for the Edgi ECS service and configure the following inbound rules:

| Protocol | Port | Source/Destination       | Description                                   |
|----------|------|--------------------------|-----------------------------------------------|
| TCP      | 8000 | Destination VPC range    | Allow ECS service communication               |
| TCP      | 9200 | Private Elasticsearch SG | Allow Elasticsearch to ECS Edgi communication |
| TCP      | 3306 | Private RDS SG           | Allow RDS to ECS Edgi communication           |
| All      | All  | Private EFS SG           | Allow EFS to ECS Edgi communication           |

  • Ensure that ports 8000, 9200, and 3306 are allowed only from specified sources.

  • Security Group configuration ensures proper communication between Edgi ECS, RDS, EFS, and Elasticsearch.
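The source restriction in the bullets above (8000, 9200 and 3306 reachable only from the named sources) is worth re-checking after the group exists and again whenever it drifts. The script below is an added example, not OvalEdge's code: it audits a security group in the dict shape that boto3's `ec2.describe_security_groups()` returns (one element of its `SecurityGroups` list) against the rule table and reports any rule that is open to the internet, comes from an unexpected source, has widened into a port range, or is missing altogether. The VPC CIDR, the security-group IDs and the sample group are constructed placeholders, and the function names (`audit_ingress`, `drifted_sg`, `sg_missing_efs`) are my own.

```python
"""Audit the Edgi ECS security group's inbound rules against Step 1.

Added example, not OvalEdge's code. `sg` is one element of the
'SecurityGroups' list returned by boto3's ec2.describe_security_groups();
the sample group below is constructed and every CIDR/SG ID is a placeholder.
"""
import copy

# Expected inbound rules: (protocol, port) -> the only allowed source.
# An "All traffic" rule appears in the EC2 API as IpProtocol "-1" with no ports.
EXPECTED_INGRESS = {
    ("tcp", 8000): "10.0.0.0/16",                   # destination VPC range (placeholder)
    ("tcp", 9200): "sg-elasticsearch-PLACEHOLDER",  # private Elasticsearch SG
    ("tcp", 3306): "sg-rds-PLACEHOLDER",            # private RDS SG
    ("-1", None): "sg-efs-PLACEHOLDER",             # private EFS SG, all traffic
}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_sources(perm):
    """Every CIDR or security-group source named by one IpPermissions entry."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return sources


def rule_key(perm):
    """Normalise an IpPermissions entry to the (protocol, port) key used above."""
    if perm.get("IpProtocol") == "-1":
        return ("-1", None)
    return (perm.get("IpProtocol"), perm.get("FromPort"))


def label(key):
    return "all traffic" if key[0] == "-1" else f"{key[0]}/{key[1]}"


def audit_ingress(sg, expected=EXPECTED_INGRESS):
    """Return a list of findings; an empty list means the group matches Step 1."""
    findings, satisfied = [], set()
    for perm in sg.get("IpPermissions", []):
        key = rule_key(perm)
        # A single-port rule must not quietly become a range (e.g. 8000-9200).
        if key[0] != "-1" and perm.get("FromPort") != perm.get("ToPort"):
            findings.append(f"{key[0]} {perm.get('FromPort')}-{perm.get('ToPort')}: port range not allowed")
            continue
        allowed = expected.get(key)
        for src in rule_sources(perm):
            if src in ANYWHERE:
                findings.append(f"{label(key)}: open to the internet ({src})")
            elif allowed is None:
                findings.append(f"{label(key)}: unexpected rule from {src}")
            elif src != allowed:
                findings.append(f"{label(key)}: source {src} is not the allowed {allowed}")
            else:
                satisfied.add(key)
    for key in expected:
        if key not in satisfied:
            findings.append(f"{label(key)}: required rule missing")
    return findings


# Constructed sample in the describe_security_groups() shape.
COMPLIANT_SG = {
    "GroupId": "sg-edgi-ecs-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elasticsearch-PLACEHOLDER"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-rds-PLACEHOLDER"}]},
        {"IpProtocol": "-1",
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-efs-PLACEHOLDER"}]},
    ],
}


def drifted_sg():
    """The same group after someone widened the RDS rule to the whole internet."""
    sg = copy.deepcopy(COMPLIANT_SG)
    sg["IpPermissions"][2]["IpRanges"].append({"CidrIp": "0.0.0.0/0"})
    return sg


def sg_missing_efs():
    """The same group without the EFS rule."""
    sg = copy.deepcopy(COMPLIANT_SG)
    sg["IpPermissions"] = sg["IpPermissions"][:3]
    return sg


if __name__ == "__main__":
    for name, group in (("compliant", COMPLIANT_SG), ("drifted", drifted_sg())):
        print(name, audit_ingress(group) or "OK")
```

To run it against a real account, replace the placeholder CIDR and group IDs in `EXPECTED_INGRESS` and pass `describe_security_groups(GroupIds=[...])["SecurityGroups"][0]` to `audit_ingress`.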

Step 2: EFS Access Points

  • Create EFS Access Points for the Edgi Insight Services using the following paths:

| Access Point Path               | Notes                       |
|---------------------------------|-----------------------------|
| /oe_edgi_insights_dev_logs      | Stores Insight service logs |
| /oe_edgi_insights_dev_documents | Stores uploaded documents   |
| /oe_edgi_insights_dev_store     | Stores processed data       |

Step 3: S3 Bucket Creation

  • Create a new S3 bucket for storing Edgi-related data.

  • Configure CORS permissions in the bucket settings as shown below:

[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["PUT"],
    "AllowedOrigins": ["*"],
    "ExposeHeaders": []
  }
]

  • The bucket will store all data uploaded via the Edgi Data Service and processed by the Insight Service.

  • Ensure the SQS queue policy permits S3 to send event notifications to the queue.

Step 4: IAM User Configuration

IAM User for AskEdgi Python

| Environment Variable | Value        |
|----------------------|--------------|
| EDGI_AWS_ACCESS_ID   | <access key> |
| EDGI_AWS_SECRET_KEY  | <secret key> |

Step 5: ECS Task Role Configuration

  • Create an IAM Role with ECS task execution permissions.

  • Attach the custom policy: AskEdgi ECS Policy JSON.

  • Modify the Trust Relationship for ECS.

Step 6: ECS Task Definition – Data Service

Create an ECS Task Definition for the Edgi Data Service with the following configuration:

| Configuration  | Value             |
|----------------|-------------------|
| CPU            | 0.5 vCPU          |
| Memory         | 2 GB              |
| Container Name | edgi-data-service |
| Port           | 8000              |

Environment Variables:

| Key             | Value                  |
|-----------------|------------------------|
| AWS_REGION      | <Region>               |
| AWS_SCTNAME     | <Database secret name> |
| BUCKET_NAME     | <Bucket name>          |
| CREDENTIAL_TYPE | container              |
| DEPLOYMENT_TYPE | ecs                    |
| ENV             | production             |

Additional Configuration

  • Enable CloudWatch Logs for the container.

  • Allocate a maximum of 200 GB under the storage configuration.

Step 7: ECS Task Definition - Edgi Insight

  • Create an ECS Task Definition for the Edgi Insight Service with the following configuration:

| Configuration  | Value                                   |
|----------------|-----------------------------------------|
| CPU            | 1 vCPU                                  |
| Memory         | 2 GB                                    |
| Container Name | oe_edgi_insights_service (customizable) |
| Port           | 8000                                    |

Environment Variables

| Key                       | Value                                                                          |
|---------------------------|--------------------------------------------------------------------------------|
| AI_FUNCTION_QUEUE_NAME    | ai_functions_queue                                                             |
| AWS_REGION                | <Region>                                                                       |
| AWS_SCTNAME               | <Database secret name>                                                         |
| BUCKET_NAME               | <S3 bucket name>                                                               |
| CLUSTER_NAME              | <ECS cluster name>                                                             |
| CREDENTIAL_TYPE           | container                                                                      |
| DATA_SYNC_QUEUE_NAME      | data_sync_queue                                                                |
| DEPLOYMENT_TYPE           | ecs                                                                            |
| DNS_NAME_SPACE_ID         | <ECS namespace ID>                                                             |
| DOCS_FOLDER               | /app/documents                                                                 |
| EDGI_WORKSPACE_DISCOVERY  | dynamic                                                                        |
| EDGI_WORKSPACE_HOST       | edgi-data-service                                                              |
| EDGI_WORKSPACE_NAME_SPACE | <ECS namespace name>                                                           |
| ENV                       | prod                                                                           |
| LOG_PATH                  | /app/logs                                                                      |
| SECURITY_GROUPS           | <Edgi Insight Security Group>                                                  |
| SQS_QUEUE_PREFIX          | <SQS prefix name>                                                              |
| STORE_FOLDER              | /app/store                                                                     |
| SUBNETS                   | <Edgi Insight Service subnets> (the two subnets created in Step 1, e.g. sub1, sub2) |
| TASK_DEFINITION           | <Edgi Data Task Definition latest revision ARN>                                |

Additional Configuration

  • Add three EFS mounts for the Insight service.

  • Enable CloudWatch Logs.

  • Allocate up to 200 GB for storage.

Important:

  • Ensure EFS mounts match the container paths required by the Insight service.

  • Verify network security groups allow communication between ECS tasks and other services.

Step 8: ECS Service Creation – Edgi Insight

  1. Create an ECS Service using the Edgi Insight Task Definition.

Network Security

  1. Enable Service Discovery during service creation.

  2. Go to Configuration and Networking and select Service Discovery.

  3. Note the Service Discovery Endpoint for later use in the Ovaledge configuration.

Important: Service Discovery must be enabled for proper integration with Ovaledge.

Step 9: Update Ovaledge Task Definition (UI and Job)

Update both the UI and Job ECS Task Definitions with the following environment variables to enable AskEdgi functionality:

| Key                           | Value                                    |
|-------------------------------|------------------------------------------|
| BRIDGE_AWS_USER_ACCESS_KEY    | <Bridge user access key>                 |
| BRIDGE_AWS_USER_SECRET_KEY    | <Bridge user secret key>                 |
| EDGI_AI_FUNCTION_QUEUE        | ai_functions_queue                       |
| EDGI_AWS_ACCESS_ID            | <Edgi user access key>                   |
| EDGI_AWS_SECRET_KEY           | <Edgi user secret key>                   |
| EDGI_AWS_REGION               | <Region>                                 |
| EDGI_BUCKET_NAME              | <S3 bucket name>                         |
| EDGI_CLIENT_PREFIX            | <SQS prefix name>                        |
| EDGI_CONSUMER_CREDENTIAL_TYPE | static                                   |
| EDGI_ENABLE                   | true                                     |
| EDGI_INSIGHT_SERVICE_HOST     | <Insight service discovery endpoint>     |
| EDGI_WORKSPACE_DISCOVERY      | dynamic                                  |
| EDGI_WORKSPACE_HOST           | <Edgi data task definition family name>  |
| EDGI_WORKSPACE_NAMESPACE      | <ECS cluster namespace>                  |

Optional OAUTH2 Configuration

| Key                        | Value                                    |
|----------------------------|------------------------------------------|
| OAUTH2_BASE_URL            | <dev team will provide the URL>          |
| OAUTH2_CLIENTID            | <dev team will provide the client ID>    |
| OAUTH2_CLIENT_REGISTRATION | auth0                                    |
| OAUTH2_ROLE_ATTRIBUTE      | https://<Domain_name>/roles              |
| OAUTH2_SECRET              | <dev team will provide the client secret> |
| OVALEDGE_SECURITY_TYPE     | oauth2                                   |

Notes:

  • Both UI and Job task definitions must be updated before deploying new ECS services.

  • Always deploy the latest task definition revision to apply changes.
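Steps 6, 7 and 9 each hand a long list of environment variables to a task definition, and the usual failure is a key that was skipped or left as a `<placeholder>`. The script below is an added example, not OvalEdge's code: it checks a task definition in the dict shape returned by boto3's `ecs.describe_task_definition()['taskDefinition']` against the key tables of those three steps, flags missing keys, unresolved `<...>` values and fixed values (such as `CREDENTIAL_TYPE`) that differ from the runbook, and for the Insight service confirms that the three folder variables point at paths that actually have an EFS mount. The profile names (`edgi-data-service`, `edgi-insight`, `ovaledge`), the function names and the sample task definition with its placeholder values are my own assumptions.

```python
"""Check an ECS task definition against the AskEdgi environment-variable tables.

Added example, not OvalEdge's code. `task_def` is the 'taskDefinition' dict
returned by boto3's ecs.describe_task_definition(); the sample below is
constructed and every identifier in it is a placeholder.
"""
import copy
import re

# Required keys per task definition, copied from the runbook tables.
REQUIRED_ENV = {
    "edgi-data-service": {"AWS_REGION", "AWS_SCTNAME", "BUCKET_NAME",
                          "CREDENTIAL_TYPE", "DEPLOYMENT_TYPE", "ENV"},
    "edgi-insight": {"AI_FUNCTION_QUEUE_NAME", "AWS_REGION", "AWS_SCTNAME", "BUCKET_NAME",
        "CLUSTER_NAME", "CREDENTIAL_TYPE", "DATA_SYNC_QUEUE_NAME", "DEPLOYMENT_TYPE",
        "DNS_NAME_SPACE_ID", "DOCS_FOLDER", "EDGI_WORKSPACE_DISCOVERY", "EDGI_WORKSPACE_HOST",
        "EDGI_WORKSPACE_NAME_SPACE", "ENV", "LOG_PATH", "SECURITY_GROUPS", "SQS_QUEUE_PREFIX",
        "STORE_FOLDER", "SUBNETS", "TASK_DEFINITION"},
    "ovaledge": {"BRIDGE_AWS_USER_ACCESS_KEY", "BRIDGE_AWS_USER_SECRET_KEY",
        "EDGI_AI_FUNCTION_QUEUE", "EDGI_AWS_ACCESS_ID", "EDGI_AWS_SECRET_KEY", "EDGI_AWS_REGION",
        "EDGI_BUCKET_NAME", "EDGI_CLIENT_PREFIX", "EDGI_CONSUMER_CREDENTIAL_TYPE", "EDGI_ENABLE",
        "EDGI_INSIGHT_SERVICE_HOST", "EDGI_WORKSPACE_DISCOVERY", "EDGI_WORKSPACE_HOST",
        "EDGI_WORKSPACE_NAMESPACE"},
}
# Values the runbook fixes; everything else is customer-specific.
FIXED_VALUES = {
    "edgi-data-service": {"CREDENTIAL_TYPE": "container", "DEPLOYMENT_TYPE": "ecs", "ENV": "production"},
    "edgi-insight": {"CREDENTIAL_TYPE": "container", "DEPLOYMENT_TYPE": "ecs", "ENV": "prod",
                     "EDGI_WORKSPACE_DISCOVERY": "dynamic", "EDGI_WORKSPACE_HOST": "edgi-data-service",
                     "AI_FUNCTION_QUEUE_NAME": "ai_functions_queue", "DATA_SYNC_QUEUE_NAME": "data_sync_queue"},
    "ovaledge": {"EDGI_ENABLE": "true", "EDGI_CONSUMER_CREDENTIAL_TYPE": "static",
                 "EDGI_WORKSPACE_DISCOVERY": "dynamic", "EDGI_AI_FUNCTION_QUEUE": "ai_functions_queue"},
}
PLACEHOLDER = re.compile(r"^<.*>$")   # a value copied from the table but never filled in


def check_task_definition(task_def, profile):
    """Return a list of findings for one task definition; empty means it matches the runbook."""
    findings, env = [], {}
    containers = task_def.get("containerDefinitions", [])
    for container in containers:
        for item in container.get("environment", []):
            env[item["name"]] = item.get("value", "")
    for key in sorted(REQUIRED_ENV[profile] - env.keys()):
        findings.append(f"missing: {key}")
    for key in sorted(env):
        value = env[key]
        if key in REQUIRED_ENV[profile] and (value == "" or PLACEHOLDER.match(value)):
            findings.append(f"unresolved: {key}={value!r}")
    for key, want in FIXED_VALUES[profile].items():
        if key in env and env[key] != want:
            findings.append(f"wrong value: {key}={env[key]!r} (expected {want!r})")
    if profile == "edgi-insight":
        # Step 7: the three folders must be backed by the three EFS mounts.
        mounted = {mp["containerPath"] for c in containers for mp in c.get("mountPoints", [])}
        for key in ("DOCS_FOLDER", "LOG_PATH", "STORE_FOLDER"):
            path = env.get(key)
            if path and path not in mounted:
                findings.append(f"no EFS mount at {path} ({key})")
    return findings


def _env(pairs):
    return [{"name": k, "value": v} for k, v in pairs.items()]


# Constructed Insight task definition: BUCKET_NAME was never filled in and
# the store mount is missing, so the check should report exactly those two.
INSIGHT_SAMPLE = {
    "family": "oe_edgi_insights_service",
    "containerDefinitions": [{
        "name": "oe_edgi_insights_service",
        "environment": _env({
            "AI_FUNCTION_QUEUE_NAME": "ai_functions_queue", "AWS_REGION": "us-east-1",
            "AWS_SCTNAME": "edgi-db-secret-PLACEHOLDER", "BUCKET_NAME": "<S3 bucket name>",
            "CLUSTER_NAME": "edgi-cluster-PLACEHOLDER", "CREDENTIAL_TYPE": "container",
            "DATA_SYNC_QUEUE_NAME": "data_sync_queue", "DEPLOYMENT_TYPE": "ecs",
            "DNS_NAME_SPACE_ID": "ns-PLACEHOLDER", "DOCS_FOLDER": "/app/documents",
            "EDGI_WORKSPACE_DISCOVERY": "dynamic", "EDGI_WORKSPACE_HOST": "edgi-data-service",
            "EDGI_WORKSPACE_NAME_SPACE": "edgi-namespace-PLACEHOLDER", "ENV": "prod",
            "LOG_PATH": "/app/logs", "SECURITY_GROUPS": "sg-PLACEHOLDER",
            "SQS_QUEUE_PREFIX": "customer-PLACEHOLDER", "STORE_FOLDER": "/app/store",
            "SUBNETS": "subnet-PLACEHOLDER-1,subnet-PLACEHOLDER-2",
            "TASK_DEFINITION": "arn:aws:ecs:REGION:ACCOUNT:task-definition/edgi-data-service:1",
        }),
        "mountPoints": [{"sourceVolume": "logs", "containerPath": "/app/logs"},
                        {"sourceVolume": "documents", "containerPath": "/app/documents"}],
    }],
}


def fixed_insight_sample():
    """The sample with the bucket placeholder resolved and the third mount added."""
    td = copy.deepcopy(INSIGHT_SAMPLE)
    container = td["containerDefinitions"][0]
    for item in container["environment"]:
        if item["name"] == "BUCKET_NAME":
            item["value"] = "edgi-bucket-PLACEHOLDER"
    container["mountPoints"].append({"sourceVolume": "store", "containerPath": "/app/store"})
    return td


if __name__ == "__main__":
    print(check_task_definition(INSIGHT_SAMPLE, "edgi-insight") or "OK")
```

Run the `ovaledge` profile against both the UI and the Job task definitions, since Step 9 requires the same keys in each; an empty list from all three profiles is a reasonable gate before deploying the new revisions.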

Step 10: AskEdgi Feature Verification

  • Log in with an admin user once the application is running.

  • Verify that the workspace for the Data Service is automatically created with a valid project ID.

  • Go to Application, select Settings, then navigate to AI and open OpenAI.

  • Add the API Key provided by the development team and save the configuration.

  • Functionality:

      • Data Analytics Edition (default): Supports data upload and cataloging.

      • Metadata Analytics Edition (if configured): Supports only data cataloging.

  • Log out and re-login.

  • Access the AskEdgi module and wait for workspace initialization.

  • Upload a file to confirm successful operation.

  • Go to Application Settings, then select AI.

  • Ensure the marketplace details are available in the settings.

If Workspace is Not Created:

  • Check Insight Service logs for errors.

  • Validate IAM Role permissions.

  • Verify the user entry in the database:

-- Inspect the stack entry for the workspace/user
select * from edgi_data_service_stack edss;

-- Reset queries: run only when the development team has confirmed (see Important below)
delete from edgi_data_service_stack;

delete from edgi_data_service_uptime_history;

Important:

  • Do not execute delete queries unless confirmed by the development team.

  • Validate environment variables and task definitions if issues are encountered.

  • Go to AWS Cloud Map, access the Service Discovery Resource, delete the user entry, and then re-login to the application.

  • Verify that the files have been uploaded successfully.


Copyright © 2025, OvalEdge LLC, Peachtree Corners, GA, USA.
