Remote Execution shared responsibility model

Remote Execution uses a decoupled architecture where Astronomer manages the orchestration plane and the customer manages the execution plane. This document defines the responsibilities for each party.

For the general Astro shared responsibility model, see Shared responsibility model.

Astronomer responsibilities

Astronomer is responsible for managing the orchestration plane and supporting the Remote Execution platform, including:

Orchestration plane

  • Operating and maintaining the Airflow scheduler, API server, web server, and metadata database in Astro’s cloud infrastructure.
  • Managing the Remote Execution API that coordinates task distribution between the orchestration plane and customer-managed agents, and performs task lifecycle management.
  • Monitoring agent heartbeats and automatically rerouting tasks to healthy agents when an agent becomes unavailable.
  • Providing the Astro UI and Astro API for Deployment management, agent registration, and token creation.
  • Securing authentication and authorization for all orchestration plane interfaces, including the Astro UI, API, and CLI.
  • Maintaining data encryption at rest and in transit for all orchestration plane components.

Agent software and support

  • Publishing and maintaining Remote Execution Agent images.
  • Publishing and maintaining the Remote Execution Agent Helm chart.
  • Providing Astronomer support for Remote Execution configuration and troubleshooting.

Customer responsibilities

The customer is responsible for managing the execution plane and the infrastructure that Remote Execution Agents run on, including:

Kubernetes infrastructure

  • Provisioning and maintaining Kubernetes clusters where agents run.
  • Managing cluster capacity, node pools, and autoscaling to support agent workloads.
  • Applying Kubernetes and node OS security patches and version upgrades.
  • Configuring network policies, firewalls, and access controls within the cluster.
  • Ensuring network connectivity from agent clusters to the Astro orchestration plane. See Allowlist Astro domains.

Agent deployment and operations

  • Installing and configuring Remote Execution Agents using the Helm chart.
  • Creating and managing agent tokens for authenticating agents to the orchestration plane.
  • Pulling agent images from the Astronomer registry and storing them in a private registry when required.
  • Building and maintaining custom agent images with additional Python packages and OS-level dependencies required by Dag code.
  • Upgrading agents to the latest version (recommended) or to another supported version within the maintenance window.
  • Monitoring agent Pod health and resource utilization in Kubernetes.

Secrets and credentials

  • Configuring a secrets backend (AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager, or HashiCorp Vault) for Airflow connections and variables.
  • Managing and rotating credentials stored in the secrets backend.
  • Configuring workload identity or service account permissions for agents to access the secrets backend.

Data storage

  • Configuring an XCom backend (AWS S3, Azure Blob Storage, or GCP Cloud Storage).
  • Provisioning and managing object storage buckets or containers used for XCom and logging.
  • Configuring IAM roles, managed identities, or service accounts for agent access to storage resources.
  • Managing storage lifecycle policies, encryption, and access controls.

Dag code and sources

  • Developing and maintaining Dag code following secure and quality coding practices.
  • Configuring Dag sources (GitDagBundle or LocalDagBundle) for agent access to Dag code.
  • Managing Git repository authentication credentials for GitDagBundle configurations.
  • Building and deploying Remote Execution project images for both the orchestration and execution planes.

Logging and observability

  • Configuring task logging to preserve logs from agent Pods.
  • Provisioning and managing external logging platforms or object storage for log export.
  • Enabling Sentinel for agent health monitoring (recommended).
  • Optionally configuring OpenLineage for data lineage tracking.

Security

  • Managing user roles, permissions, and authentication assets (tokens, connections, environment variables).
  • Integrating with identity providers for secure SSO/MFA.
  • Managing customer-owned credentials.
  • Securing outbound network connections from agent clusters to the Astro orchestration plane.
  • Configuring private connectivity (AWS PrivateLink or Azure Private Link) when required.
  • Securing network communications between agents and data resources in the execution plane, including secrets backends, object storage, and data sources.
  • Managing IP allowlists and firewall rules for agent clusters.
  • Implementing and maintaining secure, high-quality data pipelines, including dependency and vulnerability management.
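The cluster-side network controls listed above (network policies within the cluster, securing outbound connections from agent clusters, IP allowlists and firewall rules) can be given a concrete starting point with a Kubernetes NetworkPolicy. The policy below is an added example for this page; it is not part of the Astronomer documentation, the agent images, or the Helm chart. It assumes the agents run in a namespace named remote-execution, that their Pods carry the label app.kubernetes.io/name=remote-execution-agent, and that cluster DNS Pods in kube-system carry the label k8s-app=kube-dns; all three are assumptions to adjust for your cluster.

```yaml
# Added example, not part of the Astronomer docs or the Remote Execution Helm chart.
# Assumptions: agents run in namespace "remote-execution", their Pods carry the
# label app.kubernetes.io/name=remote-execution-agent, and cluster DNS Pods in
# kube-system carry the label k8s-app=kube-dns (adjust to your distribution).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: remote-execution-agent-egress
  namespace: remote-execution
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: remote-execution-agent
  policyTypes:
    - Ingress
    - Egress
  # No ingress rules: agents initiate every connection to the orchestration
  # plane themselves, so nothing inside the cluster needs to reach them.
  ingress: []
  egress:
    # Cluster DNS, so the agent can resolve Astro and cloud API hostnames.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to the orchestration plane, the secrets backend, object storage
    # and HTTPS-based data sources. NetworkPolicy matches IP ranges, not
    # hostnames, so the Astro domain allowlist itself must be enforced at the
    # cluster firewall or egress proxy; narrow the cidr to known ranges
    # (for example a PrivateLink or Private Link endpoint) where you can.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```

Apply it with kubectl apply -f and confirm the agent still heartbeats in the Astro UI afterwards. The policy only takes effect on a CNI that enforces NetworkPolicy; on a cluster without one it is silently ignored, so verify enforcement by exec'ing into an agent Pod and checking that a connection on a port other than 443 is refused. Any data source the Dags reach on a non-HTTPS port (a database on 5432, for instance) needs its own egress rule, and how the cloud instance metadata endpoint should be treated depends on which workload identity mechanism the agents use to reach the secrets backend and storage, so do not block it blindly.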