Prepare for deployment

Before deploying Linksight, organizations need to complete several important preparation steps to ensure a successful installation and deployment. This guide walks you through the essential prerequisites and planning considerations needed to set up Linksight in your organization.

The preparation process involves two main phases:

1. Organization Setup: Setting up your organization's presence on the Linksight platform
   • Create an organization in the Governance Hub (if not already done)
   • Set up appropriate access permissions for system administrators
2. Deployment Planning: Planning the technical deployment of the required components
   • Understand the Linksight Platform architecture and its distributed nature
   • Choose the appropriate deployment method based on your organization's infrastructure and requirements
   • Review network connections, firewall rules, and security requirements
   • Arrange TLS certificate for the Analysis Hub
   • Configure firewall rules for peer-to-peer connections between data stations

Following these steps will help ensure a smooth deployment process and proper integration with your existing infrastructure.

Organization Setup

1. Create an organization on the Linksight platform
   • Check with peers whether an organization has already been created on the Linksight platform.
   • If your organization doesn't already have an organization on the Linksight platform, an organization administrator needs to create one. This can be done in the Governance Hub: https://linksight.network.
2. Set up organization access permissions
   • Ensure the system administrator responsible for deployment receives an invitation to join the organization.
   • The system administrator needs to be granted one of the following roles:
     • IT Administrator role
     • Organization Administrator role
   • Either of these roles will provide the required permissions to manage and register new data stations and Analysis Hubs.

Deployment Planning

1. Understand the Linksight Platform architecture
   • The Linksight platform consists of three primary components:
     • Governance Hub (hosted at https://linksight.network): Allows Data Stewards to oversee data collaborations and governance, ensuring secure and compliant data sharing.
     • Data station: Handles datasets and executes protocols in collaboration with other data stations across organizations, ensuring data privacy.
     • Analysis Hub: Offers an interface for Data Scientists to interact with the Data station, allowing them to securely run and monitor data analyses.
   • The data station and Analysis Hub need to be deployed by your organization
2. Choose your deployment method
   • Linksight offers multiple installation options to suit different organizational needs:
     • Self-hosted Deployment Options:
       • Deploy with Docker
       • Deploy with Kubernetes
     • Cloud Provider Deployment Options:
       • Deploy via Azure Marketplace
       • Deploy via SURF Research Cloud
     • Preferred Supplier Deployment:
       • Get in touch with us and we will connect you to a preferred supplier
   • Select the deployment method that best fits your organization:
     • Infrastructure requirements
     • Security policies
     • Budget constraints
3. Network configuration (Docker/Kubernetes)
   • The system and/or network administrator should review the network connections documentation
   • This documentation covers critical aspects such as:
     • Necessary network connections and their specifications
     • Firewall setup and configurations
     • Implementation of mutual TLS for secure peer-to-peer connections between data stations
     • Suggested network configurations for environments utilizing SSL Offloading, Deep Packet Inspection, or Web Application Firewalls
     • Using forward proxies
   • Understanding these requirements is crucial for proper network setup and security
4. TLS certificate for the Analysis Hub
   • The Analysis Hub frontend should be reachable internally and can be secured with a TLS certificate (recommended, not required)
   • The TLS certificate can be self-issued or automatically issued using Let's Encrypt (Docker only)
   • If your organization plans to use its self-issued TLS certificate, ensure that this is arranged before the deployment
   • Read more about TLS certificates for your deployment method:
     • Docker
     • Kubernetes
     • Azure Marketplace
     • SURF Research Cloud: TLS is automatically configured.
5. Firewall configuration for peer-to-peer connections
   • For enhanced security, network administrators should consider implementing IP-based firewall restrictions
   • These restrictions limit peer-to-peer connections exclusively to known partner organizations' data stations
   • The IP addresses of legitimate peers can be identified through:
     • The Network Status page in the Governance/Analysis Hub interface, which displays all trusted peers with their IP addresses
     • Connection log lines in the data station's logs, which record IP addresses of new incoming connections and failing outgoing connections
   • For detailed configuration instructions, refer to the network connections documentation

Next Steps

After completing these preparation steps, you can proceed with the actual deployment. Make sure to:

• Have all necessary credentials and access rights ready as a system administrator
• Ensure your infrastructure meets the minimum requirements
• Have a clear understanding of your chosen deployment method
• Have network configurations planned according to the documentation