Componentes do motor NetApp GenAI
Sugerir alterações
PDFs
Ao implantar a infraestrutura GenAI, o Workload Factory cria uma instância EC2 para o mecanismo GenAI. Ele também cria uma função do IAM, um grupo de segurança e endpoints privados para esta instância. Talvez você queira entender mais detalhes sobre esses componentes que o Workload Factory cria no seu ambiente AWS.
- Tipo de instância EC2
-
m5.large
- Função do IAM
-
A instância do mecanismo GenAI precisa de permissões para enviar partes de dados para o modelo de incorporação na Amazon bedrock e para se comunicar com o back-end do Serviço de IA da NetApp. A função do IAM inclui as seguintes permissões:
Permissões de função do IAM
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:PassRole" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ssm:DescribeDocument", "ssm:DescribeAssociation", "ssm:GetDeployablePatchSnapshotForInstance", "ssm:GetManifest", "ssm:ListInstanceAssociations", "ssm:ListAssociations", "ssm:PutInventory", "ssm:PutComplianceItems", "ssm:PutConfigurePackageResult", "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation", "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ssm:GetParameter" ], "Resource": "arn:aws:ssm:*:*:parameter/netapp/wlmai/*", "Effect": "Allow" }, { "Action": [ "fsx:DescribeVolumes", "fsx:DescribeStorageVirtualMachines", "fsx:DescribeFileSystems" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "fsx:TagResource", "fsx:ListTagsForResource" ], "Resource": [ "arn:aws:fsx:*:*:storage-virtual-machine/*/*", "arn:aws:fsx:*:*:volume/*/*" ], "Effect": "Allow" }, { "Action": [ "fsx:CreateVolume" ], "Resource": [ "arn:aws:fsx:*:*:volume/*/*", "arn:aws:fsx:*:*:storage-virtual-machine/*/*" ], "Effect": "Allow" }, { "Condition": { "StringLike": { "aws:ResourceTag/netapp:wlmai:<id>:kbId": "*" } }, "Action": "fsx:DeleteVolume", "Resource": [ "arn:aws:fsx:*:*:volume/*/*", "arn:aws:fsx:*:*:backup/*" ], "Effect": "Allow" }, { "Condition": { "StringLike": { "aws:ResourceTag/netapp:wlmai:<id>:qConnectorId": "*" } }, "Action": "fsx:DeleteVolume", "Resource": [ "arn:aws:fsx:*:*:volume/*/*", "arn:aws:fsx:*:*:backup/*" ], "Effect": "Allow" }, { "Condition": { "StringLike": { "aws:ResourceTag/netapp:wlmai:<id>": "*" } }, "Action": "fsx:UntagResource", "Resource": "arn:aws:fsx:*:*:storage-virtual-machine/*/*", "Effect": "Allow" }, { "Condition": { "StringLike": { "aws:ResourceTag/netapp:wlmai:<id>:kbId": "*" } }, "Action": "fsx:UntagResource", "Resource": "arn:aws:fsx:*:*:volume/*/*", "Effect": "Allow" }, { "Condition": { "StringLike": { "aws:ResourceTag/netapp:wlmai:<id>:qConnectorId": "*" } }, "Action": "fsx:UntagResource", "Resource": "arn:aws:fsx:*:*:volume/*/*", "Effect": "Allow" }, { "Action": [ "bedrock:InvokeModel", "bedrock:Rerank", "bedrock:GetFoundationModel", "bedrock:GetInferenceProfile", "bedrock:GetModelInvocationLoggingConfiguration", "bedrock:PutModelInvocationLoggingConfiguration" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2messages:GetMessages", "ec2messages:GetEndpoint", "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage", "ec2messages:SendReply" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "qbusiness:ListWebExperiences", "qbusiness:ListApplications", "qbusiness:GetApplication", "qbusiness:CreateDataSource", "qbusiness:DeleteDataSource", "qbusiness:ListIndices", "qbusiness:StartDataSourceSyncJob", "qbusiness:StopDataSourceSyncJob", "qbusiness:ListDataSourceSyncJobs", "qbusiness:BatchPutDocument", "qbusiness:BatchDeleteDocument" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "logs:DescribeLogGroups" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:CreateLogStream", "logs:CreateLogGroup" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/bedrock*", "arn:aws:logs:*:*:log-group:/netapp/wlmai/*:log-stream:*", "arn:aws:logs:*:*:log-group:/netapp/wlmai/*" ], "Effect": "Allow" }, { "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Effect": "Allow" } ] } - Grupo de segurança
-
As regras de saída estão abertas a todo o tráfego, enquanto as regras de entrada são completamente fechadas.
- Endpoints privados
-
Se a VPC de destino ainda não os tiver, o Workload Factory criará endpoints privados para a instância EC2 do mecanismo GenAI para que ele possa se comunicar com os seguintes serviços da AWS:
-
Amazon bedrock
-
bedrock
-
bedrock-runtime
-
bedrock-agent-runtime
-
-
Amazon Elastic Container Registry (ECR)
-
API
-
docker
-
-
AWS Systems Manager (SSM)
-
ssm
-
ec2messages
-
mensagens de smsm
-
-
Amazon FSX para NetApp ONTAP
-
Amazon CloudWatch
-