Protegrity Anonymization on AWS

Installation of Protegrity Anonymization requires working with the following AWS services: Elastic Container Registry, Elastic Kubernetes Service, EC2. You’ll need an administrator to be able to grant permissions for these services to interact with each other. Proficiency with helm, kubectl and eksctl is strongly recommended.

Create a base machine

We recommend creation of a virtual machine on EC2, from which you’ll interact with all the necessary services to standup Protegrity Anonymization. The following installation instructions have been tested with a Linux machine (Ubuntu 24.04). The following steps assume creation of such a virtual machine.

1. Install the latest AWS CLI on your virtual machine.

   For more information about the installation steps, refer to Installing or updating to the latest version of the AWS CLI.

2. From your virtual machine, login to your account by running and completing the steps presented by:

   aws configure
   

3. Install Kubectl version 1.32 by following the instructions on the link below. Kubectl enables you to run commands from the virtual machine so that you can communicate with the Kubernetes cluster. Follow the instructions on this same page to install eksctl.

Note: For more information about installing kubectl, refer to Install eksctl.

4. Install the Helm client version 3.17.2 for working with Kubernetes clusters.

Note: For more information about installing the Helm client, refer to Installing Helm.

5. Install Docker engine 28.0.4.

Note: For more information about installing the Docker engine 28.0.4, refer to Install Docker Engine. Make sure to run the post-installation steps as well.

6. Create a key pair, by accessing the Key Pairs service on the EC2 service on AWS (ED25519 key pair type and .pem key file format). You’ll need reference this key pair on the cluster-aws.yaml file, later described. This will enable you to authenticate into the k8s cluster.

Create a Container Registry

To create a container registry leverage the Elastic Container Registry service on AWS and configure it according to your environment requirements and constraints.

Note: For more information about creating the Elastic Container Registry, refer to Amazon Elastic Container Registry Documentation.

Deploy Protegrity Anonymization on EKS

Note: Because the installation script changes parameter values of configuration files, if you make a mistake during installation you might end up with inconsistent values for the same parameters. In that case, to attempt installation again, we recommend that you run step 3 again.

1. Make sure to read the optional section for additional configuration options Anonymization on AWS or Azure.

2. Obtain and copy Protegrity Anonymization’s installation artifact ANON-API_RHUBI-ALL-64_x86-64_Generic.K8S_1.3.0.tgz into a directory on your base machine.

3. From that directory, run tar -xvzf ANON-API_RHUBI-ALL-64_x86-64_Generic.K8S_1.3.0.tgz.

4. Edit the install.properties file and follow additional instructions on that file. You’ll encounter global configurations and Cloud specific sections.

5. Edit the cluster-aws.yaml file according to your environment. The mandatory fields that you need to edit are flagged with <>. You may want to change other fields, such as cluster name. Depending on your workloads, you may also want to change the maxSixe of the nodeGroups section.

6. You’ll find a AWS_Install.sh file. Make sure to read the script before you run it, since it contains delete operations, namely deleting Kubernetes namespaces and auxiliary files.

7. Run AWS_Install.sh. This will generally take less than 30 minutes to deploy Protegrity Anonymization. At the end of the script, you’ll be shown an IP address of Ingress which you’ll need to edit your hosts file, like so XX.XX.XX.XX anon.protegrity.com. To get additional information about the deployment, you may leverage the following commands (these are the default namespaces defined in install.properties):

   kubectl get pods -n anon-ns
   kubectl get svc -n anon-ns
   kubectl get pods -n nginx
   kubectl get svc -n nginx
   

8. You may now use Protegrity Anonymization. Use the URLs provided here for viewing the Protegrity Anonymization service and pod details after you have successfully deployed Protegrity Anonymization . For more information about updating the hosts file, refer to step 2 of the section Enabling custom certificates from SDK.

   1. Open a web browser. Use the following URL to view basic information about Protegrity Anonymization: https://anon.protegrity.com/.
   2. Use the following URL to view the Swagger UI. The various Protegrity Anonymization APIs are visible on this page: https://anon.protegrity.com/anonymization/api/v1/ui.
   3. Go to https://anon.protegrity.com/lab, where you’ll have a Jupyter Lab environment available to quickly experiment with Protegrity Anonymization. Inside the folder Anonymization-engine, you’ll find a Jupyter Notebook with several examples.
   4. Use the following URL to view the contractual information for Protegrity Anonymization: https://anon.protegrity.com/about.
   5. Visit https://anon.protegrity.com/sdkapi and you’ll find a link to download the python SDK.
   6. Refer to the Sample Requests for Protegrity Anonymization section for code snippets.

Note: Do not stop or delete the running Dask scheduler or the Protegrity Anonymization API container service, which might lead to loss of the respective data and logs.

Uninstall

From the same Virtual machine from where you installed the product, run the following commands in accordance with what you specified in the install.properties file

1. List deployments with:

   helm list -n anon-ns
   helm list -n nginx
   

2. Uninstall via:

   helm uninstall <name of anon deployment> -n anon-ns
   #eg: helm uninstall anon -n anon-ns
   helm uninstall <name of nginx deployment> -n nginx
   #eg: helm uninstall ingress-nginx -n nginx
   

3. You may monitor the status of the uninstall with:

   kubectl get pods -n anon-ns
   kubectl get pods -n nginx
   kubectl get pv -n anon-ns
   kubectl get pvc -n anon-ns
   

4. Wait for the deletion of the pods.
5. If you face an issue with pv and or pvc at this stage, run:

   # ----- anon-db-pvc -----
   kubectl patch pvc anon-db-pvc -n anon-ns -p '{"metadata":{"finalizers":null}}'
   kubectl patch pv anon-db-pv -n anon-ns -p '{"metadata":{"finalizers":null}}'
   
   kubectl delete pvc anon-db-pvc -n anon-ns --ignore-not-found
   kubectl delete pv anon-db-pv --grace-period=0 --force --ignore-not-found
   
   # ----- anon-nb-pvc -----
   kubectl patch pv anon-nb-pv -n anon-ns -p '{"metadata":{"finalizers":null}}'
   kubectl patch pvc anon-nb-pvc -n anon-ns -p '{"metadata":{"finalizers":null}}'
   
   kubectl delete pv anon-nb-pv --grace-period=0 --force --ignore-not-found
   kubectl delete pvc anon-nb-pvc -n anon-ns --ignore-not-found
   
   # ----- anon-storage-pvc -----
   kubectl patch pvc anon-storage-pvc -n anon-ns -p '{"metadata":{"finalizers":null}}'
   kubectl patch pv anon-storage-pv -n anon-ns -p '{"metadata":{"finalizers":null}}'
   
   kubectl delete pvc anon-storage-pvc -n anon-ns --ignore-not-found
   kubectl delete pv anon-storage-pv --grace-period=0 --force --ignore-not-found
   

6. Delete the EKS cluster.
7. The product installation will create 3 Volumes, which you’ll need to delete (e.g., from the AWS EC2 console). By default, given the properties in install.properties, those volumes are called: deployment_anon_storage; deployment__anon_db; deployment_anon_workstation.