Bring Your Own Cloud

Using an external Cloud Provider (AWS, Azure, GCP) for your compute

You can run Anyscale in your cloud provider account to use Ray with Anyscale.

Anyscale launches compute in your private account (data plane), while the clusters are managed by Anyscale (control plane).

In order to use Anyscale, you'll have to configure the cloud provider account that you'll be launching resources in.

Deployment on AWS

Prerequisites

  • You have set up AWS credentials locally (i.e. you have run aws configure). For more details see here.

  • You have registered a user account on Anyscale and have set up the Anyscale CLI locally.

Creating a Cloud in AWS

In order for Anyscale to automanage your compute, we'll need to register a set of AWS credentials with an Anyscale cloud.

  • This will use the default AWS credentials you set up locally. You can also specify environment variables such as AWS_PROFILE=user_1.

  • This will create an IAM role in your account, grant it credentials to interact with EC2 and IAM in your account and allow Anyscale to assume that role.

You can step through the cloud creation process interactively:

$ anyscale cloud setup
Provider (aws, gcp): aws
Region [us-west-2]: us-east-1
Name: mycloud

You are about to give anyscale full access to EC2 and IAM in your AWS account.

Continue? [y/N]: y
Created IAM role arn:aws:iam::123456789:role/anyscale-iam-role-aa83ba01
AWS credentials setup complete!
You can revoke the access at any time by deleting anyscale IAM user/role in your account.
Head over to the web UI to create new sessions in your AWS account!

Alternatively, you can set up a cloud with a single command (for example if you are scripting cloud creation):

$ anyscale cloud setup --name mycloud --provider aws --region us-east-1

Either way, at the end of this process, you'll have an Anyscale cloud.

If you run anyscale cloud setup --region us-east-1 again with a different account, the credentials in us-east-1 will be overwritten.

Credentialing the Anyscale AWS Role

By default, the role Anyscale creates to use within your account has the following permissions:

  • Full EC2 access (this allows us to create and delete instances, VPCs, subnets, volumes and etc.).

  • Full IAM access (used to create IAM role for head nodes in your clusters).

This role is named as follows:

arn:aws:sts:::assumed-role/ray-autoscaler-v1/

If there are other resources you want your applications to have access to, like (e.g., writing CloudWatch logs, reading S3, setting up AWS CLI) you'll need to grant them to the above ray-autoscaler role. If you don't and you need these resources, you might see errors like the following:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateLogGroup operation:
   User: arn:aws:sts::<ACCN_NUMBER>:assumed-role/ray-autoscaler-v1/i-<INSTANCE> is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:ap-southeast-2:<ACCN_NUMBER>:log-group:<GRP_NAME>:log-stream:

This is a sign you need to add those permissions to the Anyscale role.

FAQ

How do I add the AWS CLI to my nodes in my Ray cluster?

We don't by default include AWS CLI in our Docker images, so you'd need to add this yourself with:

apt-get install -y curl unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install

Please note you may need to properly assign permissions (as shown above) to the Anyscale role for the respective parts of the CLI to work correctly.

Do you store my credentials anywhere?

No. We only store the IAM role ARN that is created in your account. Your credentials never travel across the network to Anyscale.

How do I revoke access?

You can revoke your access by deleting Anyscale IAM role in your account, which should look something like anyscale-iam-role-1234

How do I limit access?

Limiting access or permissions for EC2 or IAM is not currently supported today, but all other resources are both up to you to provision and entirely under your control.

Deployment on GCP

Prerequisites

  • You have registered a user account on Anyscale and have set up the Anyscale CLI locally.

Creating a Cloud in GCP

In order for Anyscale to automanage your compute, we'll need to register a set of GCP credentials with an Anyscale cloud and create an Anyscale folder in your GCP account.

You can step through the cloud creation process interactively:

$ anyscale cloud setup
Provider (aws, gcp): gcp
Region [us-west1]: us-central1
Name: mycloud
Please select the GCP Folder ID where the 'Anyscale\ folder will be created.
  Your GCP account must have permissions to create sub-folders in the specified folder.
  View your organization's folder layout here: https://console.cloud.google.com/cloud-resource-manager
  If not specified, the 'Anyscale' folder will be created directly under the organization.
Folder ID (numerals only): 1234567890
Launching GCP Oauth Flow:
https://console.anyscale.com/api/v2/clouds/gcp/create/mycloud?region=us-central1&folder_id=1234567890
(If this window does not auto-launch, use the link above)

Alternatively, you can run a single command to achieve the same goal:

$ anyscale cloud setup --name mycloud --provider gcp --region us-central1 --gcp-folder-id 123456789

Either way, at the end of this step, you will have to go to the URL returned by the Anyscale CLI. You will be prompted to log into Google. Once logged in, you'll then be prompted to verify the Google account information and billing information for your Google account.

Work with your Anyscale contact to complete and verify the cloud setup.

Deployment on Azure

Azure support is currently under development.

Please contact Anyscale at support@anyscale.zendesk.com if you'd like to request more information!

PreviousAccess Resources From CloudNextConfigure

Last updated

Was this helpful?