Before setting up the environment, gather the following details to ensure proper configuration:

Setup

  1. Create a new AWS account through your internal process

    Steps:

    1. Log in to your organisation’s root AWS account.
    2. Click on your user @ accountid (top right) > Organization.
    3. Click Add an AWS account (top).
    4. Fill in the required details and apply tags per company policy.
    5. Once created, switch to the new account.
  2. Set up an IAM role for access

    Steps:

    1. Search for IAM in the AWS console and open the IAM service.

    2. Click Roles (left menu), then click Create role (top right).

    3. Select Custom trust policy.

    4. Replace the JSON content with the following:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::662139353635:user/infrastructure"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
      
      
    5. Click Next.

    6. Attach the AdministratorAccess policy, then click Next.

    7. Set the role name to QuixAdminRole.

    8. Set the description to "Allows Quix Admins to manage the Quix Platform".

    9. Add any necessary tags according to company policy.

    10. Click Create role.

  3. Once the account and role are created, send us the new account’s ID so we can begin the setup process. Also send us the details you gathered at the beginning of this guide.
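
Before sending the account ID, you can confirm that QuixAdminRole trusts only the principal given in step 4 and allows only sts:AssumeRole. The check below is an added example, not Quix's or AWS's code; the function names, the DRIFTED_POLICY sample and the placeholder account 111122223333 are assumptions made for illustration.

```python
import json

# Principal and action copied from the trust policy in step 4 of this guide.
EXPECTED_PRINCIPAL = "arn:aws:iam::662139353635:user/infrastructure"
EXPECTED_ACTION = "sts:AssumeRole"


def as_list(value):  # IAM accepts one value or a list of them
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, expected=EXPECTED_PRINCIPAL):
    """Hypothetical helper: return findings; an empty list means the policy matches."""
    findings, trusted = [], set()
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen who may assume the role
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append(f"statement {i}: Allow combined with NotPrincipal/NotAction")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"AWS": principal}  # a bare "*" trusts every principal
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "AWS" and value == expected:
                    trusted.add(value)
                else:
                    findings.append(f"statement {i}: unexpected principal {kind}={value}")
        for action in as_list(stmt.get("Action")):
            if action != EXPECTED_ACTION:
                findings.append(f"statement {i}: unexpected action {action}")
    if expected not in trusted:
        findings.append("expected principal is not trusted by any Allow statement")
    return findings


# Constructed sample: the guide's principal plus a placeholder account and a wildcard action.
DRIFTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {  # a single statement object is also valid IAM JSON
        "Effect": "Allow", "Action": "sts:*",
        "Principal": {"AWS": [EXPECTED_PRINCIPAL, "arn:aws:iam::111122223333:root"]},
    },
})

if __name__ == "__main__":
    for finding in audit_trust_policy(DRIFTED_POLICY):
        print(finding)
```

The function accepts the JSON printed by `aws iam get-role --role-name QuixAdminRole --query Role.AssumeRolePolicyDocument`, so the same check can be repeated later to catch changes to the trust policy.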

Frequently Asked Questions

Access & Permissions

Q: Can I attach a different policy instead of AdministratorAccess?
A: No, we require AdministratorAccess to manage AWS IAM roles, policies, and networking configurations effectively. Less-privileged policies may prevent necessary permissions from being assigned.

Q: Do I need to create individual IAM users for each Quix engineer?
A: No, you only need to set up the QuixAdminRole with the trust policy for arn:aws:iam::662139353635:user/infrastructure. Our internal team will manage access on our side.

Q: Can I remove Quix’s access after the setup is complete?
A: You can restrict access after deployment, but without AdministratorAccess we can only provide guidance, and you’ll need to apply fixes manually. This may affect SLA commitments if an issue requires direct intervention. We recommend keeping at least ReadOnlyAccess for monitoring and a Break-Glass role to temporarily restore full permissions if needed.

Networking & Peering

Please see our private networking guide.

Security & Compliance

Q: Does Quix require public internet access?
A: No, all required services can be configured to use private endpoints among other options. Incoming connections can remain private, but outgoing traffic requires NAT. Please let us know if this is required.

Q: What if my security team has additional compliance requirements?
A: We can accommodate specific security controls. Share your compliance requirements early so we can incorporate them into the setup.