SaaS installation

This guide outlines the installation and configuration process for Instabase SaaS installations with a focus on customer requirements and tasks. For an overview of the Instabase SaaS offering, see the SaaS overview. To learn about the upgrade process, see the SaaS upgrades documentation.

Installation overview

The following table provides an overview of the stages of the installation process, including key events and customer tasks. This process is repeated for each deployment in the customer installation, which typically comprises development (DEV), user-acceptance testing (UAT), and production (PROD) deployments.

Stage Key events Customer tasks Parties engaged
Pre-installation - Deployment URLs are confirmed.
- Instabase license files are generated.		 - Confirm desired URLs for all deployments. Customer, Instabase Customer Success Manager
Deployment creation and testing - The deployment is created, using the latest certified GA Instabase release.

- Deployment testing assesses the deployment’s readiness for standard tasks required for solution development and usage.		 None Instabase Engineering, Instabase Cloud Architect
Cloud Console onboarding - Customer installation is visible in the Instabase Cloud Console.

- First Cloud Console admin is added.		 - Identify a user to be a Cloud Console admin, and create their account at https://console.instabase.com.

- Share the user’s account information with Instabase, so the user can be made a Cloud Console admin.		 Customer, Instabase Cloud Architect
Frontend network configuration - Desired frontend network configuration is confirmed.

- Frontend network configuration is completed.		 - Confirm and provide required information for chosen frontend network configuration. Customer, Instabase Cloud Architect
Backend network configuration - Access is configured between Instabase and any privately hosted services your Instabase deployment will need to integrate with or access.

- Access to any customer-managed cloud-based storage that will be mounted to the deployment is configured.		 - If mounting additional storage, procure and configure the storage, then work with your Instabase Cloud Architect to ensure Instabase can access the storage.

- Ensure Instabase is aware of any privately hosted services your Instabase deployment needs to integrate with.		 Customer, Instabase Cloud Architect
Customer admin onboarding - First customer admin for the Instabase platform is identified and added to the deployment user list. - Provide email address and username for the first customer admin. Customer, Instabase Cloud Architect
User authentication configuration - User authentication is configured, either SSO (preferred) or password-based login with multi-factor authentication (MFA).

- Instabase team’s admin access to the customer deployment is removed.		 - If using SSO: Configure SSO in IdP and provide IdP configuration details to Instabase.

- If using MFA: Customer admin adds all other users to the deployment.		 Customer (Customer Admin), Instabase Cloud Architect
Post-installation - Customer now has full control over the deployment and completes any required post-installation tasks. Complete any necessary post-installation tasks, such as:
- Configuring spaces and subspaces.
- Mounting additional cloud-based storage.
- Completing Cloud Console administration tasks.		 Customer (Customer Admin, Cloud Console Admin)

Pre-installation

The installation process begins with establishing the desired URL for each deployment in your customer installation. This URL is the frontend access point to your deployment and cannot be changed after it’s created.

At this stage, your Instabase license file is also generated according to your license terms.

Customer requirements

  • Confirm desired URLs for all deployments in the customer installation.

Deployment creation and testing

Your deployments are created through the Instabase Cloud Console, a proprietary installation orchestration tool. At this stage the latest certified GA release base configurations as well as your Instabase license are uploaded. After creation, initial diagnostic testing verifies that the deployment is operating correctly.

Further, in-depth testing of the deployment then occurs, with the test series running through a variety of tasks that mimic standard usage of your deployment. This testing ensures all required tasks involved in solution development and usage can be performed, and that all Instabase systems and services are communicating correctly.

Customer requirements

None.

Cloud Console onboarding

When your customer installation is created, it becomes visible in the Instabase Cloud Console at https://console.instabase.com. Cloud Console is a centralized resource where you can monitor and manage your customer installation and administer your Instabase SaaS account. See the Cloud Console documentation for more information.

During the Cloud Console onboarding stage, you must identify and add a user to act as your company’s Cloud Console admin. Cloud Console admins have the highest level of permissions and the greatest access to features. For example, Cloud Console admins can view license usage details from Cloud Console and can make changes to an installation’s configuration settings.

Customer requirements

Frontend network configuration

With your deployment created and tested, the next stage is frontend network configuration. Instabase supports the following approaches to managing frontend access:

  • Public hosting + user authentication: The frontend is publicly hosted and access is gated through user authentication.

  • Public hosting with IP access control list (ACL) + user authentication: The frontend is publicly hosted, but access is gated through user authentication and limited by the IP address of the user. Network policies are applied to only permit access from a given VPN or specific IP addresses or ranges.

  • Private hosting with AWS PrivateLink + user authentication: AWS PrivateLink is implemented such that the frontend endpoint is privately hosted within the client network, and access is gated through user authentication.

Customer requirements

Public hosting + user authentication

  • If using SSO for user authentication: Ensure the Instabase Cloud Architect knows which IdP you are using. SSO configuration occurs at a later stage.

  • If using password-based login + MFA for user authentication: No additional requirements.

Public hosting with IP ACL + user authentication

  • Provide a list of all IP addresses or address ranges that can access your customer installation. These should be static IP addresses, as Instabase does not support integrating directly with client connectors such as Zscaler to automatically refresh the ACL from a dynamic list of IP addresses.

  • If using SSO for user authentication: Ensure the Instabase Cloud Architect knows which IdP you are using. SSO configuration occurs at a later stage.

  • If using password-based login + MFA for user authentication: No additional requirements.

Private hosting with AWS PrivateLink + user authentication

  • Create and complete the AWS PrivateLink configuration; private routing configuration is your responsibility. Your Instabase Cloud Architect provides the Instabase-side information needed to complete the access link.

  • If using SSO for user authentication: Ensure the Instabase Cloud Architect knows which IdP you are using. SSO configuration occurs at a later stage.

  • If using password-based login + MFA for user authentication: No additional requirements.

Backend network configuration

The next stage is backend network configuration. The two main categories of backend network configuration are:

  • Storage: If using customer-managed cloud storage, ensuring Instabase can connect to the storage. Every SaaS deployment includes Instabase-managed Amazon S3 cloud-based storage of up to one terabyte by default. You can mount additional, customer-managed storage to the deployment in the post-installation stage.

  • Other: Ensuring Instabase can connect to any privately hosted services that your Instabase deployment needs to integrate with or access. Examples include downstream client-hosted services or databases your Instabase solution will access.

Customer requirements

Storage

  • If not mounting additional storage: No additional requirements. The AWS S3 storage provided by Instabase is limited to one terabyte (unless otherwise specified in your Instabase agreement).

  • If mounting additional Amazon S3 storage: Use Cloud Console to create S3 integrations for each bucket. Attach the generated IAM cross-account bucket policy to your resource.

  • If mounting additional Azure Blob Storage or Google Cloud Storage: Add Instabase-provided static IP addresses to your IP ACL. These IP addresses might change on a roughly annual basis but are not considered dynamic.

Note

SaaS deployments do not support mounting local file storage, such as Network File System (NFS).

Other

  • Ensure Instabase is notified of all privately-hosted services that your Instabase deployment needs to integrate with or access. You can then work with your Instabase Cloud Architect to meet all backend network configuration requirements.

Customer admin onboarding

The customer admin onboarding stage begins the process of handing off access to your deployment from Instabase to you and your users. This stage involves identifying a customer user to become the deployment’s first administrator user, and providing their email address and user ID. These credentials are then added to the deployment as an administrator role. This step is a prerequisite to completing user authentication configuration.

Customer requirements

  • Confirm the email address and username of the first customer admin.
Note

The username is typically the local-part of the email address, such as jane.doe in jane.doe@domain.com. For SSO configurations the username must match the value of the uid attribute.

User authentication configuration

You can now configure user authentication, with the support of your Instabase Cloud Architect if needed. Instabase supports two methods of user authentication:

After user authentication has been established, you are in control of provisioning users to access the platform. At this time, you can disable the Instabase admin account in your deployment.

SAML SSO

Instabase offers general support for configuring SSO with any Identity Provider (IdP) using SAML 2.0. Our documentation offers more specific guidance on integrating with the following IdPs:

  • Active Directory Federation Services (AD FS)

  • Azure AD (Microsoft Azure Active Directory)

  • Okta

  • Auth0

  • PingFederate

For more information on SAML configuration requirements, see the configure SAML-based SSO for SaaS deployments documentation.

Password-based login with MFA

If not using SSO, you can use the Instabase platform’s built-in credential management system. Each user account must be added by the customer admin, and all password-based logins must be verified with an authentication app, such as Authy, Duo Mobile, Google Authenticator, Okta Verify, or Microsoft Authenticator. SMS-based 2FA is not supported for SaaS deployments using password login.

For more information, see the user management and site settings documentation.

Customer requirements

  • If using SSO, configure the app registration (one per deployment) in your IdP, and work with your Instabase Cloud Architect to get SSO configured in your deployment. Then, ensure the customer admin has deployment access.

  • If using password-based login with MFA, ensure the customer admin has deployment access. Then, the customer admin can add users to the deployment.

  • Disable the Instabase admin account in the deployment.

Post-installation

After the user authentication stage is complete, you have full control over your deployment. You can now complete the necessary steps to arrange and manage access to solutions and data within your deployment.

Key first tasks include:

Managing spaces and subspaces

Spaces and subspaces are the top-level and second-level way that projects are organized in the Instabase file system.

Any additional drives or databases that you mount will be mounted in a specific space or subspace, so it’s important to have a clear understanding of how space and subspace access affects drive and database access. To learn more, see the spaces and subspaces documentation.

Mounting additional storage

Every SaaS deployment includes Amazon S3 cloud-based storage by default. This default storage is managed by Instabase and is the storage behind Instabase Drive. The primary function of Instabase-managed cloud storage is storing required platform components, such as base models, apps, and developer packages. However, you can also use the Instabase-managed cloud storage to store input and output files as part of any extraction workflows. Your default Instabase-managed cloud storage has a maximum capacity of 1 terabyte.

In addition to the default Instabase-managed cloud storage, you can mount your own cloud storage to your SaaS deployment. Supported customer-managed cloud storage providers include Amazon S3, Azure Blob Storage, and Google Cloud Storage.

For requirements and guidance, see the mount drives documentation.

Cloud Console administration

Cloud Console admins might want to perform Cloud Console administration tasks including:

  • Configuring SSO access for Cloud Console. By default, Cloud Console access is managed through basic authentication. You can use SAML-based SSO authentication instead. This SSO configuration is distinct from configuring SSO access to your deployments. See the Cloud Console authentication documentation for more information.

  • Identifying any additional Cloud Console admins.

  • Reviewing the inbound network rules list, if your frontend networking configuration uses an IP ACL.