Cloud Credentials
To make use of the cloud scaling part of the ONE Game Hosting service, you generally do not need to create your own accounts at the hyperscale cloud providers we support (AWS, GCP, Azure, Tencent); we use our own accounts with them. By using our credentials, you do not have to deal with cloud accounts, cloud credentials, cloud billing, cloud images, regional access, quotas, and so on, and you benefit from our bulk pricing agreements with the cloud providers.
That said, if for some reason you want to use your own credentials, you can. For a single cloud provider or multiple, the choice is yours.
Note
At this time, we only support i3D.net's own Tencent Cloud account.
Using your own credentials
For each cloud provider where you prefer to use your own credentials, you submit those credentials to our platform. Take the following sections into account when doing so:
Securing your own credentials
We advise locking down your credentials by adding our system IP addresses to the whitelist (IP allow list) attached to those credentials, so that they can only be used from our platform. The IP addresses and ranges to add are:
- 188.122.92.192/26
- 188.122.94.105
- 188.122.94.89
- 188.122.94.47
Projects
Some cloud platforms (e.g. GCP) use projects to separate a cloud account into sections that can easily be managed. When using your own cloud credentials, we advise you create a new project for i3D.net's ONE Game Hosting service before you create anything else. You give the project any name you prefer.
In case separation by projects is not an option, we always clearly tag VMs with unique identifiers and use those tags to identify the VMs created by our platform.
Permissions
AWS
When creating a service account in AWS, you can use the default permissions. You can verify these are correct by checking its permissions against the following list:
- ec2:CreateTags
- ec2:DeleteTags
- ec2:DescribeInstanceStatus
- ec2:DescribeInstances
- ec2:DescribeRegions
- ec2:DescribeTags
- ec2:MonitorInstances
- ec2:ReportInstanceStatus
- ec2:RunInstances
- ec2:StartInstances
- ec2:StopInstances
- ec2:TerminateInstances
- iam:GetPolicyVersion
- iam:GetUser
- iam:ListPoliciesGrantingServiceAccess
- iam:ListPolicyVersions
AWS does not support projects, so no configuration is needed in that context. We identify your Game Hosting VMs by the tag we assign to them upon creation.
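The IP whitelist from "Securing your own credentials" and the AWS permissions list above combine naturally into one IAM policy. This added example (not part of the original page or the platform's own tooling) builds that least-privilege policy document, with the single hosts written as /32 networks, and checks an existing policy document for wildcard or undocumented actions and for source ranges outside the listed ones.

```python
import ipaddress
# Source IPs from the "Securing your own credentials" section (hosts as /32).
PLATFORM_SOURCE_IPS = ["188.122.92.192/26", "188.122.94.105/32",
                       "188.122.94.89/32", "188.122.94.47/32"]

# Actions from the AWS permissions list above.
REQUIRED_ACTIONS = [
    "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeInstanceStatus",
    "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeTags",
    "ec2:MonitorInstances", "ec2:ReportInstanceStatus", "ec2:RunInstances",
    "ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances",
    "iam:GetPolicyVersion", "iam:GetUser",
    "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
]


def build_policy():
    """IAM policy document: only the listed actions, only from the platform IPs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": REQUIRED_ACTIONS,
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": PLATFORM_SOURCE_IPS}},
        }],
    }


def check_policy(policy):
    """Findings for an existing policy document; an empty list means it passes."""
    allowed = [ipaddress.ip_network(c) for c in PLATFORM_SOURCE_IPS]
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            # Wildcards or undocumented actions widen what a leaked key can do.
            if "*" in a or a not in REQUIRED_ACTIONS:
                findings.append(f"unexpected action: {a}")
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidrs is None:
            findings.append("no aws:SourceIp restriction")
            continue
        for c in [cidrs] if isinstance(cidrs, str) else cidrs:
            # Any range outside the documented list lets other hosts use the key.
            if not any(ipaddress.ip_network(c).subnet_of(n) for n in allowed):
                findings.append(f"source IP not in platform list: {c}")
    return findings
```

`json.dumps(build_policy(), indent=2)` gives a document you can attach to the IAM user whose access key you submit; `check_policy` is meant for reviewing a policy you already have.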
Azure
When creating a Service Principal in Azure, you must grant it one or more Roles so that it has at least the following permissions, scoped to the Resource Group where you would like the resources to be created. You can create a Custom Role in Azure with exactly these permissions to avoid granting unnecessary permissions and to avoid dealing with multiple Azure Roles.
- Microsoft.Resources/subscriptions/read
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Network/networkSecurityGroups/read
- Microsoft.Network/networkSecurityGroups/write
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/virtualNetworks/write
- Microsoft.Network/networkSecurityGroups/join/action
- Microsoft.Network/networkInterfaces/write
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/networkInterfaces/read
- Microsoft.Compute/virtualMachines/write
- Microsoft.Network/networkInterfaces/join/action
- Microsoft.Compute/virtualMachines/read
- Microsoft.Network/networkInterfaces/delete
- Microsoft.Compute/virtualMachines/delete
- Microsoft.Network/publicIPAddresses/write
- Microsoft.Network/publicIPAddresses/read
- Microsoft.Network/publicIPAddresses/delete
- Microsoft.Network/publicIPAddresses/join/action
GCP
When creating a service account in GCP, you can use the default permissions. You can verify these are correct by checking that the service account has access to the Compute section of GCP. Make sure access is granted to the correct project.
Billing permissions
In order for our platform to handle billing properly, you must grant billing rights to the service account credentials you provide to our platform, because we charge a service fee on top of any incurred cloud costs. This permission should have been granted by default; if it has not, our platform will notify you when you submit your credentials.
VM images
When using your own credentials, the necessary VM images must also be present in your account (cross-account image usage is not supported). Our platform handles this automatically by uploading the necessary images to your cloud account(s).
Networking & Firewall
If you use your own cloud credentials, you also need to ensure that VMs created in your cloud account have access to the internet; more precisely, your game clients must be able to connect to your game servers. We advise creating a security group or firewall policy and configuring it with the port ranges our platform uses: the public range 10240 - 29999 and the private range 30000 - 49151, for both TCP and UDP. Additionally, remote administrator access is advisable for troubleshooting purposes, so add port 22 (Linux) or 3389 (Windows) as well.
You can supply the name of the security group (AWS) or network (GCP) along with your cloud credentials. Please refer to the examples below for more information on how to submit a security group name or network name. A security group or network name is not required.
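The port ranges above can be checked against the rules of an existing security group before you submit its name. This added example (not part of the original page) assumes rules in the shape of AWS describe-security-groups IpPermissions and reports any required game range that is not fully open, plus admin ports (22/3389) that are open to the whole internet rather than to an administrator's own addresses.

```python
# Port ranges from the "Networking & Firewall" section, per protocol.
REQUIRED_RANGES = [(proto, lo, hi) for proto in ("tcp", "udp")
                   for lo, hi in ((10240, 29999), (30000, 49151))]
ADMIN_PORTS = {22: "SSH (Linux)", 3389: "RDP (Windows)"}


def coverage(rules, proto, lo, hi):
    """True if the union of matching rules covers every port in lo..hi.
    `rules` follow the shape of AWS describe-security-groups IpPermissions
    (an assumption): IpProtocol, FromPort, ToPort, IpRanges."""
    spans = sorted((0, 65535) if r["IpProtocol"] == "-1" else (r["FromPort"], r["ToPort"])
                   for r in rules if r["IpProtocol"] in (proto, "-1"))
    cursor = lo
    for start, end in spans:
        if start > cursor:  # a gap before this rule starts: range not covered
            break
        cursor = max(cursor, end + 1)
    return cursor > hi


def missing_ranges(rules):
    """Required (proto, lo, hi) ranges the group does not fully open."""
    return [(p, lo, hi) for p, lo, hi in REQUIRED_RANGES
            if not coverage(rules, p, lo, hi)]


def world_open_admin_ports(rules):
    """The page asks for 22/3389 to be opened; flag when that is done for
    the whole internet rather than for an administrator's own addresses."""
    hits = set()
    for r in rules:
        world = (r["IpProtocol"] in ("tcp", "-1") and
                 any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", [])))
        for port, label in ADMIN_PORTS.items():
            if world and r.get("FromPort", 0) <= port <= r.get("ToPort", 65535):
                hits.add(f"{label} port {port} open to 0.0.0.0/0")
    return sorted(hits)


# Constructed sample group: game ranges correct, but SSH open to the world.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 10240, "ToPort": 49151,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 10240, "ToPort": 29999,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 30000, "ToPort": 49151,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
```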
Accessing your VMs (Key Pairs)
To access your VMs when using your own cloud credentials, you must generate a key pair. While doing so you must give it a name. You can pass this name while submitting your cloud credentials. Our platform will then run VMs in your cloud account with the given key pair, allowing you to access your VMs. Please refer to the examples below for more information on how to submit the key pair name. A key pair value is not required.
Note
Be sure to enter your key pair name. If you do not enter one, it automatically defaults to "i3dOdp", which our platform will then assume is the actual name of your key pair.
API examples
All values below are invalid or otherwise faked; they are example values only. Replace the body variables with your own data.
Submitting AWS credentials
POST /cloud/configuration/credential
JSON request data:
{
  "providerId": 27,
  "name": "my-aws-credentials",
  "params": {
    "accessKeyId": "9NCE78VT76BC4GR38BNW",
    "secretAccessKey": "NQ8s64wpfvnN4LEiXmGJN5aUwSPAGcubljsL5LbG",
    "defaultRegion": "eu-central-1",
    "securityGroup": "test-security-group",
    "keyPair": "myVmKeyPairName"
  },
  "status": 1
}
Submitting Azure credentials
POST /cloud/configuration/credential
JSON request data:
{
  "providerId": 28,
  "name": "azure-credentials",
  "params": {
    "tenantId": "e1468f6f-1574-4145-a8eb-f856ab455eed",
    "subscriptionId": "8220edd7-a771-40da-a60b-ccebd11de763",
    "clientId": "5ba888cd-bbaa-4da1-8526-fc6d2fbabd98",
    "clientSecretKey": "kmORJNvMWT6W71mF6W/Nq/jXyUyzFDbD",
    "resourceName": "LIVE-RESOURCE",
    "defaultRegion": "westeurope"
  }
}
Note
The resourceName property is the name of the resource that you must create / have created in Azure to host your application in. Upon submission of the credentials, this resource must exist in the defaultRegion that you provide. You do not have to create the resource in other regions: our platform will automatically create the resource there if it does not yet exist.
Submitting GCP credentials
POST /cloud/configuration/credential
JSON request data:
{
  "providerId": 31,
  "name": "my-gcp-credentials",
  "params": {
    "projectName": "myCloudProject",
    "authJson": {
      "type": "service_account",
      "project_id": "celtic-medium-936452",
      "private_key_id": "ZOm76pt5AtMlAKhzLrwqngQC6OGTThlZfXIYI2eJ",
      "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATEKEY-GOES-HERE\n-----END PRIVATE KEY-----\n",
      "client_email": "98765473562-compute@developer.gserviceaccount.com",
      "client_id": "182634629475355783532",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/98765473562-compute%40developer.gserviceaccount.com"
    },
    "keyPair": "myVmKeyPairName",
    "network": "myOdpNetworkName"
  },
  "status": 1
}
Updating your Cloud credentials
If, for example, an API key has expired and you need to replace it, follow the steps below.
Note
Remove any VMs that are running on your expired key before you update your cloud credentials; they will not be removed automatically when you update your cloud credentials.
- Submit your new credentials for the respective cloud provider.
- Delete your old credentials by sending a DELETE HTTP request for the previous credential.