...
Introduction to Abiquo and AWS
The Abiquo Amazon EC2 integration is a multi-cloud feature that enables our customers to add Amazon public cloud regions to the Abiquo platform as part of our agnostic public cloud management. With the Abiquo platform you will be able to offer a service that is a federation of Abiquo private clouds and the public cloud. Cloud tenants can deploy virtual resources in public cloud regions or in Abiquo datacenters using the same Abiquo user interface.
You can control the use of public cloud resources in the same way as in the Abiquo datacenter (quotas, limits, viewer roles, etc). And users can also work with Abiquo multi-cloud features such as workload automation with action plans and autoscaling in public cloud. And the platform also obtains billing data from the provider to use in features such as billing dashboards and budgets with action plans, and lets you create a single bill for each customer. And Abiquo supports reseller accounts in the AWS Partner Network for use with tenant hierarchies.
AWS public cloud regions
Administrators add Amazon regions to the platform as Abiquo public cloud regions. Abiquo manages public cloud regions using a set of the Abiquo Remote Services. You can share the remote services in a public cloud region with other datacenters or public cloud regions. Abiquo caches the details of AMI templates without storing their disks, so no NFS repository is required for a public cloud region. Each Abiquo public cloud region corresponds to a single Region in Amazon EC2. Multiple cloud tenants can then access this region.
...
Tenants and AWS credentials
Each Abiquo enterprise using the Amazon public cloud region should have its own AWS account. Abiquo will validate the Amazon credentials (Access Key ID and Secret Access Key) with AWS. Each enterprise may register ONE set of credentials for the enterprise's AWS account. You cannot register another set of credentials for the same account in another enterprise. In the case of a tenant hierarchy, the reseller may register the credentials of their partner account. Then each customer will have compute and/or billing credentials. You can also register an AWS organization under a reseller, and each enterprise under the organization will have its own credentials.
...
If you enable programmatic billing in Amazon and register the S3 bucket where you are saving billing reports, the platform can display provider billing data on the dashboard. The platform can aggregate this data at the customer level for a set of related tenants, as well as at the reseller level. has an integration with AWS for compute and billing.
Abiquo creates virtual datacenters that correspond to virtual private clouds (VPCs) in AWS. You can also onboard VPCs and their associated resources, to create virtual datacenters in Abiquo.
...
For a summary of the AWS compute features that Abiquo supports, please see AWS features table.
Abiquo XaaS also enables you to offer AWS PAAS services as part of your cloud platform, including RDS, and Route 53. For more details, see Abiquo Amazon RDS service and Abiquo Route53 service.
...
Display billing dashboards
Abiquo displays the billing data from Amazon (AWS) on the billing widgets. The billing widgets are part of the default Hybrid dashboard. See Display Amazon billing data, which is for AWS partners and their customers, and Display Amazon billing data for standard accounts.
...
Public cloud regions
To use AWS in Abiquo, the first step is to create a public cloud region.
Creating an Abiquo public cloud region for AWS is a similar process to creating a datacenter. But you can create multiple regions at the same time. And you can share the remote services with datacenters and other public cloud regions.
Amazon may require separate credentials for some groups of regions, and the user should select the separate provider for these regions.
...
For more details, see Create a public cloud region
...
AWS credentials for testing Abiquo
You can add credentials for each Amazon account to ONE Abiquo enterprise only.
If you would like to try the AWS compute and billing features, you can use a standard account, which is an account that was purchased directly from Amazon, and not from a partner or part of an organization.
To try billing features, add the following properties to your Abiquo enterprise, with the appropriate values for your AWS account.
Code Block |
---|
"amazon_discount" : "0"
"amazon_bucket": "my_bucket_name"
"amazon_bucket_region": "my_bucket_region_such_as_us-east-1"
"amazon_report_name": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_bucket_prefix": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_billing_compress_format": "ZIP" (may also be "GZ") |
Some regions, such as those in China, may require separate credentials, and for these regions, the administrator must select a separate provider, for example, AWS (China)
.
Abiquo VDCs and VMs in Amazon
When users create a virtual datacenter in the public cloud region, Abiquo works with Amazon EC2 to create a Virtual Private Cloud (VPC). When users create VMs, the platform creates Amazon Instances.
...
For remote access to your VM, add your public key to your Abiquo user before you deploy a VM. Add a firewall to your VM to allow access to the remote access port for SSH. The platform will create your VM using your RSA public key. To access the instance, you will need the corresponding RSA private key.
Warning |
---|
Manage Amazon Instances with Abiquo Do not rename an Amazon instance in AWS or you will break the link between Abiquo and the VM. If the link is broken, you will not be able to manage the VM with Abiquo again. Do not delete the tags created by Abiquo. If you need to manage your Abiquo Elastic IPs in Amazon, synchronize them to update changes in Abiquo or you may see unexpected results. |
Abiquo networking options in AWS
When you create a virtual datacenter in Abiquo, you have the following options to create a network:
Default
private networkNone (Abiquo 6.1.2+)
Custom
private network
Abiquo will create an AWS VPC according to these options as described in the following section
How Abiquo creates a virtual private cloud
When you select Default private network
or Custom private network
, Abiquo configures VPC networking Scenario 2 as described in the AWS documentation. See https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html.
Abiquo creates a VPC in AWS with one Availability zone only. When you create this in AWS using the wizard, it creates three routing tables, but Abiquo creates two and marks the private routing table as Main
.
Abiquo creates a public subnet where the name is the AWS Subnet ID, in the format subnet-xxxx
, which is the provider ID for the public subnet. The NAT gateway that AWS creates in a VPC uses a private IP in the public subnet.
...
...
Managing AWS partner accounts
If you have a Partner or Organization account, you can give customers access to compute and/or billing features. To create a tenant hierarchy to manage your customer accounts, see https://abiquo.atlassian.net/wiki/spaces/doc/pages/443056256/Create+an+Azure+reseller.
You can also add a customer’s standard or organization account to a key-node for them to use their accounts in tenant enterprises.
...
...
Onboard a standard AWS account
If you would like to try the AWS compute and billing features, you can use a standard account, which is an account that was purchased directly from Amazon, and not from a partner or part of an organization.
You can also onboard standard accounts into your reseller hierarchy.
To use a standard account in Abiquo, first Obtain AWS credentials for compute and billing, and add the credentials to an Abiquo enterprise.
And for billing features, add the following properties to your Abiquo enterprise, with the appropriate values for your AWS account.
Code Block |
---|
"amazon_discount" : "0"
"amazon_bucket": "my_bucket_name"
"amazon_bucket_region": "my_bucket_region_such_as_us-east-1"
"amazon_report_name": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_bucket_prefix": "from amazon_bucket/amazon_bucket_prefix/amazon_report_name/file.csv"
"amazon_billing_compress_format": "ZIP or GZ" |
...
Hardware profiles
Abiquo will automatically retrieve the hardware profiles for your public cloud region. The platform also registers if a hardware profile is Active
and if it belongs to the Current generation
.
...
...
VM template catalogue
After you create a public cloud region and add credentials, you can go the Catalogue and onboard a selection of AWS VM templates for your users.
...
Tip |
---|
|
For more details, see Import public cloud templates
...
Abiquo should set the correct Operating System and Username for the template for SSH connections to the VM. For more details, see How to deploy a VM in AWS using Abiquo.
...
Virtual datacenters
In AWS, Abiquo virtual datacenters are Virtual Private Clouds (VPCs). Abiquo always creates an address space and VPC network. Then the user can select options to create subnets, or None
.
...
If the user creates a virtual datacenter with a Default
network, then Abiquo creates a VPC and a private subnet.
...
With a Custom
private network, the user can specify a private subnet or a public subnet for the VPC. To create a public subnet, select the Internet gateway checkbox.
...
Note |
---|
Known issue in Abiquo 6.2.0: you can select the NAT gateway checkbox but this will cause an error because there is no existing public subnet with an internet gateway connection. |
...
If the user selects the option of None
, Abiquo will create the VPC and VPC network only. So the user must enter the Address range for the VPC network.
...
When you create a VDC with a custom private network, you can also specify the address range of the virtual network. And you can create, onboard, and delete address ranges from AWS. See Manage address ranges.
...
Private networks
After you create a virtual datacenter, you can create more private networks, which are private subnets or public subnets in your AWS VPC. You can also create private subnets with a route to a NAT gateway.
To create a public subnet, select the Internet gateway checkbox.
...
To give your VMs outbound access to the internet, if you have an existing public subnet, create a private network and select the NAT gateway option. This option will use an existing NAT gateway or create a new one, and then create a private subnet with a route to the NAT gateway. This will let you create a configuration similar to the AWS configuration of a VPC with private subnets and NAT (see https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizingvpc-example-private-subnets-nat.html).
In Abiquo the public IP of the NAT gateway enables access to the internet from the private subnet, but it does not allow incoming connections.
To connect from outside the VPC, you will need at least one VM with an IP address in the public subnet, and one public IP. To allow connections to your VM via the public IP, AWS automatically creates a DNAT rule using the internet gateway.
When you create a VPC in Abiquo, it does not onboard the IPs of the private subnets. You need to synchronize each network to onboard its IPs.
Abiquo can create a VPC with no network
In Abiquo 6.1.2+, the user can now choose not to create networks when they create the VDC. In this case, Abiquo will create an AWS VPC with no public subnet, internet gateway, or the NAT gateway (and no expensive elastic IP!). Abiquo will still create an address range for the VPC, and the user should enter these details before creating a VDC.
If you do not create the networks when you create the VDC, you cannot connect to your VMs or use NAT for outward internet connectivity.
To connect to a VM in an AWS VDC with the None
option for networks:
In your virtual datacenter, go to Network → Private
Click + add and complete the dialog, selecting the Internet gateway checkbox.
Edit your VM and add an IP from the public subnet
Connect to your VM as usual. For more details, see How to deploy a VM in AWS using Abiquo.
...
A NAT gateway uses an Elastic IP in AWS, so check the cost of this configuration.
...
When you deploy a VM (AWS instance) in the private network with the NAT gateway, it will have outbound internet access.
...
Public IP addresses
In AWS, you can allocate and assign public IPs as in other public cloud providers. The platform will onboard and synchronize Elastic IPs as public IPs within virtual datacenters. To be able to connect to your VM, add a private IP address in a public subnet, and a public IP address.
...
The Optimization dashboard in the Home view will display your unused public IPs.
...
...
AWS firewalls
Abiquo supports firewall policies, which are AWS Security Groups. In Abiquo, you can apply one firewall to a VM and the firewall will apply to all vNICs. Abiquo will onboard the default firewall policy, which will allow all outbound traffic.
...
To be able to connect to your VMs, add an inbound firewall rule to the firewall policy to allow the SSH protocol. Allow connections from the desired IP address (in this case we used 0.0.0.0/0
...
To allow outward NAT connectivity from VMs in an AWS VDC with the None
option for networks:
Create a public subnet in your VDC (as described above)
Create a private network in your VDC
Manually create the NAT gateway in the AWS console (see AWS documentation at Create a NAT gateway)
Edit the main route table to add a new route with
target = igw
anddestination 0.0.0.0/0
.
...
Technical notes about AWS networks
The following notes describe how Abiquo manages AWS networks in VDCs with a Default private network
or Custom private network
, where Abiquo configures VPC networking Scenario 2.
When creating a NAT gateway, Abiquo will reuse floating IPs that are not assigned to a VDC.
VMs in private networks will have internet access through the public subnet.
Users can create public subnets and Abiquo will assign them to route tables with a route to the internet gateway.
When Abiquo creates new public subnets, it will not create any new NAT gateways.
If users delete the original public subnet, this will also delete the original NAT gateway. But Abiquo will replace all the routes in the main route table that route traffic to the deleted NAT gateway with a new rule to route traffic to the internet gateway.
Abiquo users must attach Elastic IPs to VMs with a connection to a public subnet.
Note that AWS may charge for Elastic IPs when they are NOT in use, i.e. when they are not assigned to a VM or when the VM is not deployed in AWS.
The private subnet is a private connect network.
To deploy to different Availability zones, create a private networks (VPC subnet) for each zone.
The private subnets in the same availability zone as a public subnet will have internet access through the public subnet.
Abiquo creates a VPC with a minimum network size of /16 and a subnet of size /24, or with the sizes defined by the user.
You can set a custom private network in Abiquo and this network will be used to create the VPC and subnet in Abiquo.
You can create multiple address spaces (called Abiquo address ranges) and Abiquo private networks in different availability zones in the same VPC.
AWS reserves the first four IP addresses and the last IP address of a VPC private connect network.
For a network that is defined to start with address 0, the first available IP address will be address 4 and the gateway address is address 1.
You can synchronize existing VMs and create new IP addresses through Abiquo, including multiple Elastic IPs.
The maximum number of IP addresses is determined by the AWS hardware profile (instance type). See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
Abiquo adds IPs in the same subnet to the same elastic network interface.
For information about Elastic Network Interfaces, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
Security groups
Abiquo firewall policies correspond to AWS Security Groups and Abiquo onboards security groups from Amazon VPCs. Abiquo registers the default security group of a VPC as the default firewall policy of the Abiquo virtual datacenter. This firewall policy allows all outbound traffic from VMs. Abiquo users can select another firewall policy as the default. Remember that you must configure a firewall to allow remote access to your VMs in AWS.
See Manage firewalls
Load balancers
Abiquo supports Classic load balancers and Application load balancers. Abiquo allows VMs on different subnets to be connected to the same load balancer.
Storage
Abiquo supports EBS storage, including encryption and delete on termination volumes.
See Abiquo and AWS storage for convenience, but we don’t recommend this for security reasons).
...
See Manage firewalls
...
Virtual machines
To create a VM in AWS, select a template and enter the VM Name.
...
Then select a Hardware profile as in other public cloud providers.
...
To be able to connect to your VM, edit your VM and add a private IP and a public IP address in the first vNIC sequence position.
...
To be able to connect to the VM, also select the firewall to allow connections.
...
After you deploy your VM, you should be able to connect using the VM template Username and the private key that corresponds to the SSH public key of your Abiquo user.
Warning |
---|
Do not rename an Amazon instance directly in AWS or you will break the link between Abiquo and the VM. If the link is broken, you will not be able to manage the VM with Abiquo again. Do not delete the tags created by Abiquo. If you need to manage your Abiquo Elastic IPs in Amazon, synchronize them to update changes in Abiquo or you may see unexpected results. |
...
Load balancers
Abiquo supports Classic load balancers and Application load balancers in AWS.
For more details of the integration, see AWS load balancers table.
And for details of how to use the load balancer features, see Manage load balancers and Manage application load balancers.
...
Volumes
You can create volumes of external storage in AWS at the virtual datacenter or location level. Abiquo volumes are EBS disks in AWS. Abiquo support for EBS storage includes encryption and delete on termination volumes. For more details, see Abiquo and AWS storage
...
Then when you create or edit a VM, you can go to the Storage tab to drag a volume into the VM configuration.
...
After you detach a volume from a VM or delete a VM, the synchronization process will make the volume available in the public cloud region.
...
When you undeploy a VM, the platform will delete the boot volume because it defines the boot volume as a non-persistent hard disk. But the platform will keep the other disks as volumes in the virtual datacenter. Users can add these volumes to other VMs and move the volumes to other virtual datacenters in the same public cloud region.
When you onboard resources, if a VM has volumes attached, the platform will add them to the VDC and VM. Otherwise, it will add them to the cloud location.
For more details, see Manage storage in public cloud
...
VPNs
Abiquo supports AWS VPNs. For more details, see Manage VPNs.
...
Related links for Abiquo and AWS
...