SaaS installation
This guide outlines the installation and configuration process for Instabase SaaS installations with a focus on customer requirements and tasks. For an overview of the Instabase SaaS offering, see the SaaS overview. To learn about the upgrade process, see the SaaS upgrades documentation.
Installation overview
The following table provides an overview of the stages of the installation process, including key events and customer tasks. This process is repeated for each environment in the customer installation, which typically comprises development (DEV), user-acceptance testing (UAT), and production (PROD) environments.
Stage | Key events | Customer tasks | Parties engaged |
---|---|---|---|
Pre-installation | - Environment URLs are confirmed. - Instabase license files are generated. | - Confirm desired URLs for all environments. | Customer, Instabase Customer Success Manager |
Environment creation and testing | - The environment is created, using the latest certified GA Instabase release. - Environment testing assesses the environment’s readiness for standard tasks required for solution development and usage. | None | Instabase Engineering, Instabase Cloud Architect |
Cloud Console onboarding | - Customer installation is visible in the Instabase Cloud Console. - First Cloud Console admin is added. | - Identify a user to be a Cloud Console admin, and create their account at https://console.instabase.com. - Share the user’s account information with Instabase, so the user can be made a Cloud Console admin. | Customer, Instabase Cloud Architect |
Frontend network configuration | - Desired frontend network configuration is confirmed. - Frontend network configuration is completed. | - Confirm and provide required information for chosen frontend network configuration. | Customer, Instabase Cloud Architect |
Backend network configuration | - Access is configured between Instabase and any privately hosted services your Instabase environment will need to integrate with or access. - Access to any customer-managed cloud-based storage that will be mounted to the environment is configured. | - If mounting additional storage, procure and configure the storage, then work with your Instabase Cloud Architect to ensure Instabase can access the storage. - Ensure Instabase is aware of any privately hosted services your Instabase environment needs to integrate with. | Customer, Instabase Cloud Architect |
Customer admin onboarding | - First customer admin for the Instabase platform is identified and added to the environment user list. | - Provide email address and username for the first customer admin. | Customer, Instabase Cloud Architect |
User authentication configuration | - User authentication is configured, either SSO (preferred) or password-based login with multi-factor authentication (MFA). - Instabase team’s admin access to the customer environment is removed. | - If using SSO: Configure SSO in IdP and provide IdP configuration details to Instabase. - If using MFA: Customer admin adds all other users to the environment. | Customer (Customer Admin), Instabase Cloud Architect |
Post-installation | - Customer now has full control over the environment and completes any required post-installation tasks. | Complete any necessary post-installation tasks, such as: - Configuring spaces and subspaces. - Mounting additional cloud-based storage. - Completing Cloud Console administration tasks. | Customer (Customer Admin, Cloud Console Admin) |
Pre-installation
The installation process begins with establishing the desired URL for each environment in your customer installation. This URL is the frontend access point to your environment and cannot be changed after it’s created.
At this stage, your Instabase license file is also generated according to your license terms.
Customer requirements
- Confirm desired URLs for all environments in the customer installation.
Environment creation and testing
Your environments are created through the Instabase Cloud Console, a proprietary installation orchestration tool. At this stage the latest certified GA release base configurations as well as your Instabase license are uploaded. After creation, initial diagnostic testing verifies that the environment is operating correctly.
Further, in-depth testing of the environment then occurs, with the test series running through a variety of tasks that mimic standard usage of your environment. This testing ensures all required tasks involved in solution development and usage can be performed, and that all Instabase systems and services are communicating correctly.
Customer requirements
None.
Cloud Console onboarding
When your customer installation is created, it becomes visible in the Instabase Cloud Console at https://console.instabase.com. Cloud Console is a centralized resource where you can monitor and manage your customer installation and administer your Instabase SaaS account. See the Cloud Console documentation for more information.
During the Cloud Console onboarding stage, you must identify and add a user to act as your company’s Cloud Console admin. Cloud Console admins have the highest level of permissions and the greatest access to features. For example, Cloud Console admins can view license usage details from Cloud Console and can make changes to an installation’s configuration settings.
Customer requirements
- Identify a user to be a Cloud Console admin, and create their account at https://console.instabase.com. Users can create their own Cloud Console accounts. See the Cloud Console user management documentation for instructions.
- Share the email address used to create the account with Instabase. The user is promoted to the customer admin role in Cloud Console.
Frontend network configuration
With your environment created and tested, the next stage is frontend network configuration. Instabase supports the following approaches to managing frontend access:
- Public hosting + user authentication: The frontend is publicly hosted and access is gated through user authentication.
- Public hosting with IP access control list (ACL) + user authentication: The frontend is publicly hosted, but access is gated through user authentication and limited by the IP address of the user. Network policies are applied to only permit access from a given VPN or specific IP addresses or ranges.
- Private hosting with AWS PrivateLink + user authentication: AWS PrivateLink is implemented such that the frontend endpoint is privately hosted within the client network, and access is gated through user authentication.
Customer requirements
Public hosting + user authentication
- If using SSO for user authentication: Ensure the Instabase Cloud Architect knows which IdP you are using. SSO configuration occurs at a later stage.
- If using password-based login + MFA for user authentication: No additional requirements.
Public hosting with IP ACL + user authentication
- Provide a list of all IP addresses or address ranges that can access your customer installation. IP addresses must be static IP addresses, as Instabase does not support integrating directly with client connectors such as Zscaler to automatically refresh the ACL from a dynamic list of IP addresses.
- If using SSO for user authentication: Ensure the Instabase Cloud Architect knows which IdP you are using. SSO configuration occurs at a later stage.
- If using password-based login + MFA for user authentication: No additional requirements.
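A pre-submission check for the IP list described above, as an added example that is not Instabase tooling or part of the original guide: it rejects malformed entries, flags internal and overly broad ranges, and merges what remains. The sample entries (documentation address ranges) and the prefix thresholds are constructed assumptions.

```python
import ipaddress

# Ranges that a publicly hosted frontend never sees as a client source address.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]
# Assumed review thresholds, not Instabase limits: broader prefixes get flagged.
MIN_PREFIX = {4: 16, 6: 32}

# Constructed sample input for illustration only.
SAMPLE = ["203.0.113.10", "203.0.113.11", "198.51.100.0/24", "198.51.100.128/25",
          "10.20.0.0/16", "0.0.0.0/0", "203.0.113.300"]


def review_acl(entries):
    """Return (allowlist, findings) for a proposed frontend IP ACL."""
    findings, accepted = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "invalid address or range"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((raw, "range too broad for an allowlist"))
        elif any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
            findings.append((raw, "internal address, use the public egress IP"))
        elif any(net.version == a.version and net.subnet_of(a) for a in accepted):
            findings.append((raw, "already covered by an earlier entry"))
        else:
            accepted.append(net)
    # Merge adjacent and nested ranges per IP version (collapse rejects mixed input).
    allowlist = []
    for version in (4, 6):
        same = [n for n in accepted if n.version == version]
        allowlist += [str(n) for n in ipaddress.collapse_addresses(same)]
    return allowlist, findings


if __name__ == "__main__":
    allow, issues = review_acl(SAMPLE)
    print("Submit:", allow)
    for entry, reason in issues:
        print(f"Fix:    {entry}: {reason}")
```
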
Private hosting with AWS PrivateLink + user authentication
- Create and complete the AWS PrivateLink configuration; private routing configuration is your responsibility. Your Instabase Cloud Architect provides the Instabase-side information needed to complete the access link.
- If using SSO for user authentication: Ensure the Instabase Cloud Architect knows which IdP you are using. SSO configuration occurs at a later stage.
- If using password-based login + MFA for user authentication: No additional requirements.
Backend network configuration
The next stage is backend network configuration. The two main categories of backend network configuration are:
- Storage: If using customer-managed cloud storage, ensuring Instabase can connect to the storage. Every SaaS environment includes Instabase-managed Amazon S3 cloud-based storage of up to one terabyte by default. You can mount additional, customer-managed storage to the environment in the post-installation stage.
- Other: Ensuring Instabase can connect to any privately hosted services that your Instabase environment needs to integrate with or access. Examples include downstream client-hosted services or databases your Instabase solution will access.
Customer requirements
Storage
- If not mounting additional storage: No additional requirements. The AWS S3 storage provided by Instabase is limited to one terabyte (unless otherwise specified in your Instabase agreement).
- If mounting additional Amazon S3 storage: Use Cloud Console to create S3 integrations for each bucket. Attach the generated IAM cross-account bucket policy to your resource.
- If mounting additional Azure Blob Storage or Google Cloud Storage: Add Instabase-provided static IP addresses to your IP ACL. These IP addresses might change on a roughly annual basis but are not considered dynamic.
SaaS environments do not support mounting local file storage, such as Network File System (NFS).
Other
- Ensure Instabase is notified of all privately-hosted services that your Instabase environment needs to integrate with or access. You can then work with your Instabase Cloud Architect to meet all backend network configuration requirements.
Customer admin onboarding
The customer admin onboarding stage begins the process of handing off access to your environment from Instabase to you and your users. This stage involves identifying a customer user to become the environment’s first administrator user, and providing their email address and user ID. These credentials are then added to the environment as an administrator role. This step is a prerequisite to completing user authentication configuration.
Customer requirements
- Confirm the email address and username of the first customer admin.
The username is typically the local-part of the email address, such as jane.doe in jane.doe@domain.com. For SSO configurations the username must match the value of the uid attribute.
User authentication configuration
You can now configure user authentication, with the support of your Instabase Cloud Architect if needed. Instabase supports two methods of user authentication:
- SAML-based single sign-on (SSO). This is the preferred authentication method.
- Password-based login with multi-factor authentication (MFA).
After user authentication has been established, you are in control of provisioning users to access the platform. At this time, you can disable the Instabase admin account in your environment.
SAML SSO
Instabase offers general support for configuring SSO with any Identity Provider (IdP) using SAML 2.0. Our documentation offers more specific guidance on integrating with the following IdPs:
- Active Directory Federation Services (AD FS)
- Azure AD (Microsoft Azure Active Directory)
- Okta
- Auth0
- PingFederate
For more information on SAML configuration requirements, see the configure SAML-based SSO for SaaS environments documentation.
Password-based login with MFA
If not using SSO, you can use the Instabase platform’s built-in credential management system. Each user account must be added by the customer admin, and all password-based logins must be verified with an authentication app, such as Authy, Duo Mobile, Google Authenticator, Okta Verify, or Microsoft Authenticator. SMS-based 2FA is not supported for SaaS environments using password login.
For more information, see the user management and site settings documentation.
Customer requirements
- If using SSO, configure the app registration (one per environment) in your IdP, and work with your Instabase Cloud Architect to get SSO configured in your environment. Then, ensure the customer admin has environment access.
- If using password-based login with MFA, ensure the customer admin has environment access. Then, the customer admin can add users to the environment.
- Disable the Instabase admin account in the environment.
Post-installation
After the user authentication stage is complete, you have full control over your environment. You can now complete the necessary steps to arrange and manage access to solutions and data within your environment.
Key first tasks include:
Managing spaces and subspaces
Spaces and subspaces are the top-level and second-level way that projects are organized in the Instabase file system.
Any additional drives or databases that you mount will be mounted in a specific space or subspace, so it’s important to have a clear understanding of how space and subspace access affects drive and database access. To learn more, see the spaces and subspaces documentation.
Mounting additional storage
Every SaaS environment includes Amazon S3 cloud-based storage by default. This default storage is managed by Instabase and is the storage behind Instabase Drive. The primary function of Instabase-managed cloud storage is storing required platform components, such as base models, apps, and developer packages. However, you can also use the Instabase-managed cloud storage to store input and output files as part of any extraction workflows. Your default Instabase-managed cloud storage has a maximum capacity of 1 terabyte.
In addition to the default Instabase-managed cloud storage, you can mount your own cloud storage to your SaaS environment. Supported customer-managed cloud storage providers include Amazon S3, Azure Blob Storage, and Google Cloud Storage.
For requirements and guidance, see the mount drives documentation.
Cloud Console administration
Cloud Console admins might want to perform Cloud Console administration tasks including:
- Configuring SSO access for Cloud Console. By default, Cloud Console access is managed through basic authentication. You can use SAML-based SSO authentication instead. This SSO configuration is distinct from configuring SSO access to your environments. See the Cloud Console authentication documentation for more information.
- Identifying any additional Cloud Console admins.
- Monitoring the status and license usage of your Instabase SaaS installations and environments. See the status and usage monitoring documentation.
- Reviewing the inbound network rules list, if your frontend networking configuration uses an IP ACL.
- Creating secrets to be used in your Instabase environments.