Data Separation

Ahana Cloud for Presto is deployed using a cloud-first architecture best practice that splits the service into a control plane and compute plane.

  • The control plane, or the Ahana Console, is hosted by Ahana in an Ahana-owned AWS account. The control plane communicates with a Compute Plane through an authenticated EKS API connection by assuming the Ahana Provisioning Role.

  • The Compute Plane is provisioned in the customer’s AWS account.

Ahana Control Plane and Compute Plane

The separation of the Ahana SaaS Console in the Ahana account from your Presto clusters in your Ahana Compute Plane in your AWS account means that Ahana does not have direct access to customer data or Presto cluster logs unless they are explicitly shared by you for investigation or troubleshooting. Your data stays in your AWS accounts.

Data separation provides security: your data and queries stay in your Compute Plane in your AWS account. However, security and convenience are often a tradeoff. Because of the principle of data separation in Ahana's design, Ahana does not have access to your Presto cluster logs unless you send them to Ahana Support.

The principle of data separation is why setting up a Compute Plane begins in the Ahana control plane, which opens a CloudFormation stack in AWS. Switching to the AWS Console, you run the CloudFormation stack to create the cross-account role and policies, and find the ARN of the created role in the stack output. Back in the Ahana control plane, you enter the role ARN and then start the process to provision your Compute Plane.
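
Because the cross-account role is the only path from the control plane into your account, it is worth reviewing its trust policy once the stack has run. The following is an added example, not code from Ahana or this page: it audits a trust policy document so that only one expected AWS account can assume the role. The account ID, external ID and function names are constructed placeholders, and the `sts:ExternalId` check reflects general AWS guidance for third-party roles rather than anything this page states.

```python
import json

# Constructed sample trust policy. The account ID and external ID are
# placeholders, not values from Ahana or from this page.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Extract the account ID from a bare 12-digit ID or an IAM/STS ARN."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        return parts[4]
    return None

def audit_trust_policy(policy_json, expected_account):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS":
                    findings.append(f"statement {i}: non-account principal {kind}={p}")
                elif p == "*":
                    findings.append(f"statement {i}: wildcard principal")
                elif _account_of(p) != expected_account:
                    findings.append(f"statement {i}: unexpected principal {p}")
        # General AWS guidance for third-party roles, not a claim from this page.
        if "sts:externalid" not in json.dumps(stmt.get("Condition", {})).lower():
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings
```

The policy document to feed in can be read with `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument`, using the role name from the ARN in the stack output.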