
Before you begin

Before you can create a serverless runtime environment, you must set up your cloud environment to connect to the serverless runtime environment.
Complete the following tasks:
  1. Optionally, create a NAT gateway that the serverless runtime environment can use to connect to external services.
  2. Optionally, create S3 folders for supplementary files, such as JAR files and external libraries.
  3. Set up an IAM role that can be used to create an ENI.
  4. Create a security group that the serverless runtime environment will attach to the ENI.

Step 1. Create a NAT gateway

Optionally, create a NAT gateway to allow the subnet that is configured in the serverless environment to connect to external services through the internet.
You must create a NAT gateway in the following situations:
When you configure the NAT gateway, complete the following tasks, configure the NACL (network access control list) that is associated with the subnet with inbound rules to allow all traffic on the following ports:
For information about creating a NAT gateway, refer to the AWS documentation.

Step 2. Create S3 folders for supplementary files

If your environment and data integration jobs require JAR files and external libraries, dedicate a location on Amazon S3 to store the files and create folders for each file type. The serverless runtime environment will access the location to retrieve the files.
Create the following file structure on Amazon S3:
S3 location for supplementary files
├── ext
│   └── python
├── odbc
│   └── lib
└── jars
    └── ctjars
Store the following types of files in each location:
| Location | Files |
|---|---|
| <S3 location>/ext | JDBC JAR files |
| <S3 location>/ext/python/ | Python installation and resource files used in the Python transformation |
| <S3 location>/odbc | The following files: odbc.ini, odbcinst.ini, exports.ini |
| <S3 location>/odbc/lib | ODBC shared libraries for a Linux operating system |
| <S3 location>/jars/ctjars | JAR files to use with the Java transformation |

Step 3. Set up an IAM role

Create an IAM role to establish trust between your AWS account and the Informatica AWS account so that the serverless runtime environment can create an ENI and securely connect to data sources in your cloud environment.
Create a cross-account IAM role in your AWS account that identifies Informatica as a trusted entity.
  1. Create a role for another AWS account.
  2. In the trust relationship, specify the Informatica account number and the external ID.
     For example, specify the following policy in the trust relationship:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": "arn:aws:iam::<Informatica account>:root"
           },
           "Action": "sts:AssumeRole",
           "Condition": {
             "StringEquals": {
               "sts:ExternalId": "<External ID>"
             }
           }
         }
       ]
     }
  3. Edit the role permissions and specify a policy to grant the serverless runtime environment a minimal set of permissions on your account.
     Use the following template for the policy:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
             "ec2:DetachNetworkInterface",
             "ec2:DeleteTags",
             "ec2:DescribeTags",
             "ec2:CreateTags",
             "ec2:DeleteNetworkInterface",
             "ec2:DescribeSecurityGroups",
             "ec2:CreateNetworkInterface",
             "ec2:DeleteNetworkInterfacePermission",
             "ec2:DescribeNetworkInterfaces",
             "ec2:DescribeAvailabilityZones",
             "ec2:CreateNetworkInterfacePermission",
             "ec2:AttachNetworkInterface",
             "ec2:DescribeNetworkInterfacePermissions",
             "ec2:DescribeSubnets",
             "ec2:DescribeNetworkAcls"
           ],
           "Resource": "*"
         },
         {
           "Sid": "VisualEditor1",
           "Effect": "Allow",
           "Action": [
             "s3:PutObject",
             "s3:GetObject",
             "s3:ListBucket",
             "s3:DeleteObject",
             "s3:GetBucketAcl"
           ],
           "Resource": [
             "arn:aws:s3:::<S3 location for supplementary files>",
             "arn:aws:s3:::<S3 location for supplementary files>/*"
           ]
         }
       ]
     }
For more information about setting up cross-account IAM roles, refer to the AWS documentation.
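
As an added example (not part of the Informatica documentation), the following Python check audits a trust policy of the shape shown in Step 3: it reports any principal other than the trusted account and any statement that allows sts:AssumeRole without a StringEquals condition on sts:ExternalId. The account number, external ID, and all function and variable names are constructed placeholders.

```python
ACCOUNT = "111122223333"  # constructed placeholder, not Informatica's real account number

def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, trusted_account):
    """Return findings for a cross-account trust policy; an empty list means it passes."""
    findings = []
    allowed = {trusted_account, f"arn:aws:iam::{trusted_account}:root"}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        # Action names are case-insensitive in IAM.
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # only statements that let someone assume the role matter here
        principal = stmt.get("Principal")
        values = principal.values() if isinstance(principal, dict) else [principal]
        for p in [x for v in values for x in _as_list(v)] or [None]:
            if p not in allowed:
                findings.append(f"statement {i}: principal {p!r} is not the trusted account")
        # Condition key names are case-insensitive in IAM, so compare in lower case.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = [x for k, v in equals.items() if k.lower() == "sts:externalid"
                   for x in _as_list(v)]
        if not ext_ids or not all(ext_ids):
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
    return findings

def trust_policy(principal, condition=None):
    """Build a constructed sample policy in the shape of the Step 3 template."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed sample inputs: one correct policy and two common mistakes.
ROOT = {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}
GOOD = trust_policy(ROOT, {"StringEquals": {"sts:ExternalId": "constructed-external-id"}})
NO_EXTERNAL_ID = trust_policy(ROOT)
ANY_PRINCIPAL = trust_policy({"AWS": "*"})

if __name__ == "__main__":
    for name, pol in [("good", GOOD), ("no-external-id", NO_EXTERNAL_ID),
                      ("any-principal", ANY_PRINCIPAL)]:
        print(name, audit_trust_policy(pol, ACCOUNT))
```

To audit a deployed role, load the JSON returned by `aws iam get-role --role-name <role name> --query Role.AssumeRolePolicyDocument` and pass it to `audit_trust_policy` with the Informatica account number.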

Step 4. Create a security group

Create a security group that the serverless runtime environment will attach to the ENI.
When you create the security group, verify that the security group restricts all inbound traffic and permits all outbound traffic.