Introduction to Abiquo and AWS
The Abiquo Amazon EC2 integration is a hybrid cloud feature that enables our customers to add Amazon public cloud regions to the Abiquo platform as part of our agnostic public cloud management. With the Abiquo hybrid cloud platform you will be able to offer a service that is a federation of Abiquo private clouds and the public cloud. Cloud tenants can deploy virtual resources in public cloud regions or in Abiquo datacenters through the same award-winning user interface. You can control the use of public cloud resources in the same way as in the Abiquo Datacenter (quotas, limits, etc).
Amazon Regions are added as Abiquo public cloud regions. Abiquo manages public cloud regions using a set of the Abiquo Remote Services. The remote services used in a public cloud region can be shared with other datacenters or public cloud regions. No NFS repository is required to use with a public cloud region.
Each Abiquo public cloud region corresponds to a single Region in Amazon EC2. Each Abiquo enterprise using the Amazon public cloud region should have its own Amazon account. Abiquo will validate your Amazon credentials (Access Key ID and Secret Access Key) with AWS. Each enterprise may register ONE set of credentials for the enterprise's AWS account.
When users create a virtual datacenter in the public cloud region, Abiquo works with Amazon EC2. Abiquo creates a Virtual Private Cloud (VPC) for each Abiquo virtual datacenter. By default, for each Amazon VPC, Abiquo creates a public subnet and a private subnet, which is a private connect network. The private subnet has an Internet gateway and access to the VPC from outside the cloud is through NAT or Elastic IPs via the public subnet. Elastic IPs are registered in Abiquo as floating IPs. Floating IPs are managed like public IPs but they do not belong to any Abiquo network. Within your virtual datacenter, you can create more Abiquo private networks (subnets in your VPC), which will enable you to deploy to different Availability Zones. The private subnets in the same availability zone as the public subnet will have internet access through the public subnet.
VMs deployed in the VPC virtual datacenter are Amazon Instances. Add your public key to your Abiquo user before you deploy a VM. Your Amazon instance will be created using your RSA public key to enable remote access. You will need the corresponding RSA private key to access the instance.
Warning: Do not rename an Amazon instance in AWS or you will break the link between Abiquo and the VM. If the link is broken, you will not be able to manage the VM with Abiquo again. Do not delete the tags created by Abiquo. If you need to manage your Abiquo Elastic IPs in Amazon, synchronize them to update changes in Abiquo or you may see unexpected results.
How Abiquo Creates a Virtual Private Cloud
In the AWS integration, Abiquo creates VPCs with NAT support with a public subnet, and allows VMs on different subnets to be connected to the same load balancer. Abiquo supports the AWS gateway address as the first address in the network.
Abiquo configures VPC networking Scenario 2 as described in the AWS documentation http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html.
Under this configuration, users must attach Elastic IPs to VMs with a connection to the public subnet. And by default, VMs in private networks will have internet access through the public subnet. This is helpful for automation because a VM can now connect to the internet to download its configuration, for example, using Chef, without an Elastic IP.
VPC and Subnet
When you create an Abiquo virtual datacenter in an AWS public datacenter, Abiquo creates a VPC of size /16 and a subnet of size /24 (or as defined by the user). The default CIDR for the VPC and the subnet is 192.168.0.0, which is the default private network in Abiquo. You can set a custom private network in Abiquo and this network will be used to create the VPC and subnet in Abiquo. You can create multiple Abiquo private networks in different availability zones in the same VPC.
AWS Reserves IP Addresses
AWS reserves five IP addresses in your private networks: the first four IP addresses and the last IP address of the VPC private connect network. These IP addresses are not displayed or used by Abiquo. Therefore, in a network that is defined to start with address 0, the first available IP address will be address 5, and the gateway address will be address 1.
For example, in the default_private_network with network address 192.168.0.0, the following addresses would be reserved or used as the gateway.
...
Internet Access
Abiquo creates a route table that is equivalent to the AWS route table with the values of the Abiquo private network. You can use the AWS NAT instance for Internet access from the Abiquo virtual datacenter private network. You can acquire floating public IPs for your virtual datacenter and in AWS, these will be created as Elastic IPs with public network addresses. Note that AWS may charge for Elastic IPs when they are NOT in use, i.e. when they are not assigned to a VM or when the VM is not deployed in AWS. You must assign the Elastic IPs to VMs with connections to the Public subnet. When creating a NAT gateway, Abiquo will reuse floating IPs that are not assigned to a VDC.
Security
By default Abiquo assigns instances to the default VPC security group. This means that by default, all outbound traffic from instances is allowed. Enterprise administrators should configure an Abiquo firewall. Abiquo will create an AWS Security group in the VPC when this firewall is assigned to a virtual datacenter. Users can synchronize their firewalls with AWS, which will import existing security groups. The most basic configuration is to allow SSH inbound traffic, for example, port 22, which will allow SSH connections to the machine through a public IP, NAT, or from a private IP within the virtual datacenter. See AWS Security Groups as Abiquo Firewalls.
Number of IP Addresses per VM
Abiquo supports multiple IP addresses in the AWS integration. You can synchronize existing VMs with multiple IP addresses and create multiple IP addresses through Abiquo, including multiple Elastic IPs.
Abiquo supports the number of IP addresses supported by the AWS hardware profile (instance type). See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
Abiquo has an integration with AWS for compute and billing.
Abiquo creates virtual datacenters that correspond to virtual private clouds (VPCs) in AWS. You can also onboard VPCs and their associated resources, to create virtual datacenters in Abiquo.
...
For a summary of the AWS compute features that Abiquo supports, please see AWS features table.
Abiquo XaaS also enables you to offer AWS PAAS services as part of your cloud platform, including RDS, and Route 53. For more details, see Abiquo Amazon RDS service and Abiquo Route53 service.
...
Display billing dashboards
Abiquo displays the billing data from Amazon (AWS) on the billing widgets. The billing widgets are part of the default Hybrid dashboard. See Display Amazon billing data, which is for AWS partners and their customers, and Display Amazon billing data for standard accounts.
...
Public cloud regions
To use AWS in Abiquo, the first step is to create a public cloud region.
Creating an Abiquo public cloud region for AWS is a similar process to creating a datacenter. But you can create multiple regions at the same time. And you can share the remote services with datacenters and other public cloud regions.
Amazon may require separate credentials for some groups of regions, and the user should select the separate provider for these regions.
...
For more details, see Create a public cloud region
...
AWS credentials for testing Abiquo
You can add credentials for each Amazon account to ONE Abiquo enterprise only.
If you would like to try the AWS compute and billing features, you can use a standard account, which is an account that was purchased directly from Amazon, and not from a partner or part of an organization.
To try billing features, add the following properties to your Abiquo enterprise, with the appropriate values for your AWS account.
"amazon_discount" : "0"
"amazon_bucket": "my_bucket_name"
"amazon_bucket_region": "my_bucket_region_such_as_us-east-1"
"amazon_report_name": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_bucket_prefix": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_billing_compress_format": "ZIP" (may also be "GZ")
Some regions, such as those in China, may require separate credentials, and for these regions, the administrator must select a separate provider, for example, AWS (China).
...
Managing AWS partner accounts
If you have a Partner or Organization account, you can give customers access to compute and/or billing features. To create a tenant hierarchy to manage your customer accounts, see https://abiquo.atlassian.net/wiki/spaces/doc/pages/443056256/Create+an+Azure+reseller.
You can also add a customer’s standard or organization account to a key-node for them to use their accounts in tenant enterprises.
...
...
Onboard a standard AWS account
If you would like to try the AWS compute and billing features, you can use a standard account, which is an account that was purchased directly from Amazon, and not from a partner or part of an organization.
You can also onboard standard accounts into your reseller hierarchy.
To use a standard account in Abiquo, first Obtain AWS credentials for compute and billing, and add the credentials to an Abiquo enterprise.
And for billing features, add the following properties to your Abiquo enterprise, with the appropriate values for your AWS account.
"amazon_discount" : "0"
"amazon_bucket": "my_bucket_name"
"amazon_bucket_region": "my_bucket_region_such_as_us-east-1"
"amazon_report_name": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_bucket_prefix": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_billing_compress_format": "ZIP or GZ"
...
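To check a property set like the one above before entering it, here is an added example (not Abiquo code) that serves both this section and the AWS credentials for testing Abiquo section: it checks that every property is present, that the compression format is one of the two values the page lists, and derives the S3 prefix implied by the amazon_bucket/amazon_bucket_prefix/amazon_report_name layout. The region pattern, the rule that the discount must be numeric, and the sample values are this example's own assumptions.

```python
import re

# Added example (not Abiquo code). It sanity-checks the enterprise billing
# properties listed on this page before they are entered, and derives the S3
# key prefix implied by amazon_bucket/amazon_bucket_prefix/amazon_report_name/.
# The region pattern and the numeric-discount rule are this example's
# assumptions, not requirements documented on the page.

REQUIRED_KEYS = (
    "amazon_discount",
    "amazon_bucket",
    "amazon_bucket_region",
    "amazon_report_name",
    "amazon_bucket_prefix",
    "amazon_billing_compress_format",
)
COMPRESS_FORMATS = {"ZIP", "GZ"}   # the two values the page lists
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")   # e.g. us-east-1, cn-north-1 (assumption)

def validate_billing_properties(props):
    """Return a list of problems; an empty list means the set looks usable."""
    problems = [f"missing or empty {key}" for key in REQUIRED_KEYS if not props.get(key)]
    if problems:
        return problems
    try:
        float(props["amazon_discount"])
    except ValueError:
        problems.append("amazon_discount must be numeric")
    if props["amazon_billing_compress_format"] not in COMPRESS_FORMATS:
        problems.append("amazon_billing_compress_format must be ZIP or GZ")
    if not REGION_RE.match(props["amazon_bucket_region"]):
        problems.append(f"amazon_bucket_region {props['amazon_bucket_region']!r} does not look like an AWS region")
    for key in ("amazon_bucket_prefix", "amazon_report_name"):
        if props[key].startswith("/") or props[key].endswith("/"):
            problems.append(f"{key} should not start or end with '/'")
    return problems

def report_prefix(props):
    """S3 location under which the report files are expected: bucket/prefix/report_name/"""
    return "/".join((props["amazon_bucket"],
                     props["amazon_bucket_prefix"],
                     props["amazon_report_name"])) + "/"

# Constructed sample values (not a real account)
SAMPLE_PROPS = {
    "amazon_discount": "0",
    "amazon_bucket": "example-billing-bucket",
    "amazon_bucket_region": "us-east-1",
    "amazon_report_name": "hourly-report",
    "amazon_bucket_prefix": "reports",
    "amazon_billing_compress_format": "ZIP",
}

if __name__ == "__main__":
    print(validate_billing_properties(SAMPLE_PROPS), report_prefix(SAMPLE_PROPS))
```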
Hardware profiles
Abiquo will automatically retrieve the hardware profiles for your public cloud region. The platform also registers if a hardware profile is Active and if it belongs to the Current generation.
...
...
VM template catalogue
After you create a public cloud region and add credentials, you can go the Catalogue and onboard a selection of AWS VM templates for your users.
...
Tip: For more details, see Import public cloud templates
...
Abiquo should set the correct Operating System and Username for the template for SSH connections to the VM. For more details, see How to deploy a VM in AWS using Abiquo.
...
Virtual datacenters
In AWS, Abiquo virtual datacenters are Virtual Private Clouds (VPCs). Abiquo always creates an address space and VPC network. Then the user can select options to create subnets, or None.
...
If the user creates a virtual datacenter with a Default network, then Abiquo creates a VPC and a private subnet.
...
With a Custom private network, the user can specify a private subnet or a public subnet for the VPC. To create a public subnet, select the Internet gateway checkbox.
...
Note: Known issue in Abiquo 6.2.0: you can select the NAT gateway checkbox but this will cause an error because there is no existing public subnet with an internet gateway connection.
...
If the user selects the option of None, Abiquo will create the VPC and VPC network only. So the user must enter the Address range for the VPC network.
...
When you create a VDC with a custom private network, you can also specify the address range of the virtual network. And you can create, onboard, and delete address ranges from AWS. See Manage address ranges.
...
Private networks
After you create a virtual datacenter, you can create more private networks, which are private subnets or public subnets in your AWS VPC. You can also create private subnets with a route to a NAT gateway.
To create a public subnet, select the Internet gateway checkbox.
...
To give your VMs outbound access to the internet, if you have an existing public subnet, create a private network and select the NAT gateway option. This option will use an existing NAT gateway or create a new one, and then create a private subnet with a route to the NAT gateway. This will let you create a configuration similar to the AWS configuration of a VPC with private subnets and NAT (see the AWS VPC Scenario 2 documentation, http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html).
If the user adds multiple IPs in the same subnet, Abiquo adds them to the same elastic network interface. And if the IPs are in a different subnet, Abiquo adds them to a different elastic network interface. For information about Elastic Network Interfaces, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
AWS Features
...
AWS Synchronization
To onboard virtual resources from public cloud:
- Go to Virtual datacenters and the top of the V. Datacenters list
- Click the + Add button and select Synchronize public cloud from the pull-down menu
- The platform opens a dialog box with a pull-down list of public cloud regions. Select one of these regions.
- After you select the region, there are two possibilities:
- If the provider supports virtual datacenters, Abiquo will display a list of virtual datacenters
- If the provider does not support virtual datacenters, Abiquo will automatically onboard the virtual resources in the region
Onboard virtual datacenters from public cloud
To onboard a virtual datacenter:
...
The platform will detect a public subnet by the presence of a custom route table and NAT gateway, and the platform will mark the public subnet with a globe symbol and set the Internet gateway flag for this subnet. Users with bespoke network configurations should check the results of the synchronization. The platform will synchronize private and public IP addresses even if they are not in use by VMs, and mark the IP addresses in use by provider entities with provider identifiers.
The platform will import VM templates. If the VM template cannot be found, the VM will be created in the platform with no registered template. In this case, to save a copy of your VM disk as a template, so you can recreate the VM, make an Abiquo instance of the VM.
Warning: If you delete a synchronized VDC, the platform will delete it in the provider. Always check which is the default VDC in your provider, e.g. the AWS default VPC, because it may be inconvenient to delete this VPC. If your enterprise does not have valid credentials for the public cloud provider, when you delete public cloud entities in the platform, they will still exist in the public cloud provider.
View classic VMs
To view classic VMs, for example in AWS these are EC2 classic VMs, click the "See classic" link.
Synchronize VDCs and resources
During VDC synchronization, the platform will ensure that the resources in the platform and the provider are the same.
- It will delete entities in the platform that were deleted already in the provider
- However, it will maintain resources attached to undeployed VMs in the platform
- For example, if a user has an undeployed VM with IPs and a load balancer, then after the synchronization, these resources are attached to the VM in the platform only
- Warning: These resources are "free" in the provider. Users working directly in the provider could assign these resources to other VMs. This will cause a conflict and error at deploy time
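An added example (not Abiquo code) that applies these synchronization rules to constructed in-memory inventories, including the deploy-time conflict described in the warning: resources missing from the provider are deleted unless an undeployed VM still holds them, and a held resource that the provider now shows as assigned elsewhere is reported before deploy. The resource ids, VM names and owner ids are made up for the example.

```python
from dataclasses import dataclass, field

# Added example (not Abiquo code). It applies the synchronization rules listed
# above to in-memory inventories: resources that disappeared from the provider
# are deleted from the platform unless an undeployed VM still holds them, and
# a deploy-time check reports held resources that someone else has since
# assigned in the provider. Inventories and ids are constructed.

@dataclass
class PlatformVM:
    name: str
    deployed: bool
    attached: set = field(default_factory=set)   # ids of IPs / load balancers attached in the platform

def synchronize(platform_resources, provider_resources, vms):
    """
    platform_resources: set of resource ids the platform knows about.
    provider_resources: dict id -> owner in the provider (None = free, unassigned).
    Returns (to_delete, kept_for_undeployed_vms) as sorted lists.
    """
    held_by_undeployed = set()
    for vm in vms:
        if not vm.deployed:
            held_by_undeployed |= vm.attached
    missing_in_provider = platform_resources - set(provider_resources)
    # Rule 1: delete what the provider already deleted ...
    to_delete = missing_in_provider - held_by_undeployed
    # Rule 2: ... but keep anything an undeployed VM holds (attached in the platform only)
    kept = platform_resources & held_by_undeployed
    return sorted(to_delete), sorted(kept)

def deploy_conflicts(vm, provider_resources):
    """Resources attached to an undeployed VM that the provider now shows as taken by someone else."""
    if vm.deployed:
        return []
    return sorted(r for r in vm.attached if provider_resources.get(r) is not None)

# Constructed sample inventories
SAMPLE_PLATFORM = {"ip-1", "ip-2", "ip-3", "lb-1"}
SAMPLE_PROVIDER = {"ip-1": None, "ip-3": "i-db", "lb-1": "i-someone-else"}   # ip-2 was deleted in the provider
SAMPLE_VMS = [
    PlatformVM("web", deployed=False, attached={"ip-1", "lb-1"}),
    PlatformVM("db", deployed=True, attached={"ip-3"}),
]

if __name__ == "__main__":
    print(synchronize(SAMPLE_PLATFORM, SAMPLE_PROVIDER, SAMPLE_VMS))
    print(deploy_conflicts(SAMPLE_VMS[0], SAMPLE_PROVIDER))
```

In the sample, ip-2 is deleted from the platform, ip-1 and lb-1 stay attached to the undeployed VM "web", and lb-1 is reported as a conflict because another instance took it in the provider while "web" was undeployed.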
To update a virtual datacenter and onboard any changes made in the provider, synchronize the virtual datacenter:
- Go to Virtual datacenters → V. Datacenters list
- Beside the virtual datacenter name, click the double arrow Refresh button
You can also synchronize resources such as networks, public IPs, firewalls, and load balancers. To do this, go to the resource tab and click the straight double arrow Synchronize button. For more information, see the resource documentation.
Screenshot: Synchronize firewalls
Screenshot: Synchronize private networks in public cloud
Note to System Administrators: For information about tuning public cloud synchronization, see Abiquo Configuration Properties.
Manage resources that were deleted directly in the provider
When administrators delete resources in the provider, the platform will display the resource name in light gray to indicate that the user cannot work with the resource. The resource types include:
- External networks
- Firewalls
- Classic firewalls
- Load balancers
- NAT network
- NAT IPs
To delete these resources (if they are not in use), select the resource and click the delete button.
Delete or release virtual resources in public cloud
The virtual resources that you onboarded or created in public cloud will be grouped with their associated virtual datacenters.
Before you begin:
- If you recently created virtual resources, such as load balancers, synchronize the virtual datacenter to ensure that the platform can find and delete all the dependencies of the virtual datacenter.
To delete onboarded resources in public cloud:
- Delete each virtual datacenter
- You can choose to delete each virtual datacenter in the platform only, or in the platform and the provider. If you delete in the platform only, the platform will automatically remove VMs, virtual appliances, load balancers, public IPs, and firewalls. Remember to check which is the default VDC in your provider, e.g. AWS default VPC, because it may be inconvenient to delete this VPC
Warning: If the enterprise does not have valid credentials for the public cloud provider, when you delete public cloud entities in the platform, they will continue to exist in the public cloud provider.
Onboard from public cloud using the API
Tip: This feature is available in the Abiquo API. See VirtualDatacentersResource for synchronization and AllowedLocationsResource for retrieval of virtual datacenters and VMs.
AWS Firewalls and Load balancers
For general information, see Manage Firewalls and Manage Load Balancers
To configure the load balancer integration:
- Set the amazon properties in Abiquo Configuration Properties for the healthy threshold of machines in AWS in the abiquo.properties file.
- The Load balancer UI options can be configured in the client-config-custom.json file. See Configure Abiquo UI
In AWS, the platform supports load balancers as described in the AWS load balancers table.
A NAT gateway uses an Elastic IP in AWS, so check the cost of this configuration.
...
When you deploy a VM (AWS instance) in the private network with the NAT gateway, it will have outbound internet access.
...
Public IP addresses
In AWS, you can allocate and assign public IPs as in other public cloud providers. The platform will onboard and synchronize Elastic IPs as public IPs within virtual datacenters. To be able to connect to your VM, add a private IP address in a public subnet, and a public IP address.
...
The Optimization dashboard in the Home view will display your unused public IPs.
...
...
AWS firewalls
Abiquo supports firewall policies, which are AWS Security Groups. In Abiquo, you can apply one firewall to a VM and the firewall will apply to all vNICs. Abiquo will onboard the default firewall policy, which will allow all outbound traffic.
...
To be able to connect to your VMs, add an inbound firewall rule to the firewall policy to allow the SSH protocol. Allow connections from the desired IP address (in this case we used 0.0.0.0/0 for convenience, but we don’t recommend this for security reasons).
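An added example (not Abiquo or AWS code) of the check an administrator can run over a firewall policy before applying it, and of the narrowing this text recommends; it applies equally to the SSH rule described in the Security section above. The rule dictionaries are a constructed approximation of security-group inbound rules (protocol, port range, source CIDR), and the sample policy is made up.

```python
import ipaddress

# Added example (not Abiquo or AWS code). The rule dictionaries are a
# constructed approximation of security-group inbound rules (protocol, port
# range, source CIDR). The checker reports administrative ports reachable from
# any address, and narrow_source applies the fix the page recommends: allow the
# port only from a known address range instead of 0.0.0.0/0.

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample firewall policy
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "-1", "from_port": None, "to_port": None, "cidr": "10.0.0.0/16"},
    {"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
]

def rule_covers_port(rule, port):
    """True if a TCP port falls inside the rule ("-1" means all protocols and ports)."""
    if rule["protocol"] == "-1":
        return True
    if rule["protocol"] != "tcp":
        return False
    return rule["from_port"] <= port <= rule["to_port"]

def is_open_to_world(cidr):
    """A prefix length of 0 (0.0.0.0/0 or ::/0) matches every source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_world_exposed_admin_ports(rules):
    """List each (rule, port) pair that exposes SSH or RDP to any address."""
    findings = []
    for index, rule in enumerate(rules):
        if not is_open_to_world(rule["cidr"]):
            continue
        for port, service in ADMIN_PORTS.items():
            if rule_covers_port(rule, port):
                findings.append({"rule_index": index, "port": port,
                                 "service": service, "cidr": rule["cidr"]})
    return findings

def narrow_source(rule, allowed_cidr):
    """Copy of the rule with its source restricted to allowed_cidr (validated as a CIDR)."""
    ipaddress.ip_network(allowed_cidr)   # raises ValueError on a malformed range
    return {**rule, "cidr": allowed_cidr}

if __name__ == "__main__":
    for finding in find_world_exposed_admin_ports(SAMPLE_RULES):
        print(finding)
```

On the sample policy the checker flags the SSH rule open to 0.0.0.0/0 and the all-ports IPv6 rule open to ::/0 (for both SSH and RDP); the HTTPS rule and the rule limited to 10.0.0.0/16 are not reported.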
...
See Manage firewalls
...
Virtual machines
To create a VM in AWS, select a template and enter the VM Name.
...
Then select a Hardware profile as in other public cloud providers.
...
To be able to connect to your VM, edit your VM and add a private IP and a public IP address in the first vNIC sequence position.
...
To be able to connect to the VM, also select the firewall to allow connections.
...
After you deploy your VM, you should be able to connect using the VM template Username and the private key that corresponds to the SSH public key of your Abiquo user.
Warning: Do not rename an Amazon instance directly in AWS or you will break the link between Abiquo and the VM. If the link is broken, you will not be able to manage the VM with Abiquo again. Do not delete the tags created by Abiquo. If you need to manage your Abiquo Elastic IPs in Amazon, synchronize them to update changes in Abiquo or you may see unexpected results.
...
Load balancers
Abiquo supports Classic load balancers and Application load balancers in AWS.
For more details of the integration, see AWS load balancers table.
And for details of how to use the load balancer features, see Manage load balancers and Manage application load balancers.
...
Volumes
You can create volumes of external storage in AWS at the virtual datacenter or location level. Abiquo volumes are EBS disks in AWS. Abiquo support for EBS storage includes encryption and delete on termination volumes. For more details, see Abiquo and AWS storage
...
Then when you create or edit a VM, you can go to the Storage tab to drag a volume into the VM configuration.
...
After you detach a volume from a VM or delete a VM, the synchronization process will make the volume available in the public cloud region.
...
When you undeploy a VM, the platform will delete the boot volume because it defines the boot volume as a non-persistent hard disk. But the platform will keep the other disks as volumes in the virtual datacenter. Users can add these volumes to other VMs and move the volumes to other virtual datacenters in the same public cloud region.
When you onboard resources, if a VM has volumes attached, the platform will add them to the VDC and VM. Otherwise, it will add them to the cloud location.
For more details, see Manage storage in public cloud
...
VPNs
Abiquo supports AWS VPNs. For more details, see Manage VPNs.
...
Related links for Abiquo and AWS
AWS features table : contains details of AWS features supported by Abiquo
Onboard from public cloud : describes how to synchronize AWS resources into the Abiquo cloud platform
AWS load balancers table : contains details of load balancers features supported by Abiquo
Manage storage in public cloud: describes how to use AWS storage in Abiquo