Introduction to Abiquo and AWS
The Abiquo Amazon EC2 integration is a hybrid cloud feature that enables our customers to add Amazon public cloud regions to the Abiquo platform as part of our agnostic public cloud management. With the Abiquo hybrid cloud platform you will be able to offer a service that is a federation of Abiquo private clouds and the public cloud. Cloud tenants can deploy virtual resources in public cloud regions or in Abiquo datacenters through the same award-winning user interface. You can control the use of public cloud resources in the same way as in the Abiquo Datacenter (quotas, limits, etc).
Amazon Regions are added as Abiquo public cloud regions. Abiquo manages public cloud regions using a set of the Abiquo Remote Services. The remote services used in a public cloud region can be shared with other datacenters or public cloud regions. No NFS repository is required to use with a public cloud region.
Each Abiquo public cloud region corresponds to a single Region in Amazon EC2. Each Abiquo enterprise using the Amazon public cloud region should have its own Amazon account. Abiquo will validate your Amazon credentials (Access Key ID and Secret Access Key) with AWS. Each enterprise may register ONE set of credentials for the enterprise's AWS account.
When users create a virtual datacenter in the public cloud region, Abiquo works with Amazon EC2. Abiquo creates a Virtual Private Cloud (VPC) for each Abiquo virtual datacenter. By default, for each Amazon VPC, Abiquo creates a public subnet and a private subnet, which is a private connect network. The private subnet has an Internet gateway and access to the VPC from outside the cloud is through NAT or Elastic IPs via the public subnet. Elastic IPs are registered in Abiquo as floating IPs. Floating IPs are managed like public IPs but they do not belong to any Abiquo network. Within your virtual datacenter, you can create more Abiquo private networks (subnets in your VPC), which will enable you to deploy to different Availability Zones. The private subnets in the same availability zone as the public subnet will have internet access through the public subnet.
VMs deployed in the VPC virtual datacenter are Amazon Instances. Add your public key to your Abiquo user before you deploy a VM. Your Amazon instance will be created using your RSA public key to enable remote access. You will need the corresponding RSA private key to access the instance.
Manage Amazon Instances with Abiquo
Do not rename an Amazon instance in AWS or you will break the link between Abiquo and the VM. If the link is broken, you will not be able to manage the VM with Abiquo again. Do not delete the tags created by Abiquo.
If you need to manage your Abiquo Elastic IPs in Amazon, synchronize them to update changes in Abiquo or you may see unexpected results.How Abiquo Creates a Virtual Private Cloud
In the AWS integration, Abiquo creates VPCs with NAT support with a public subnet, and allows VMs on different subnets to be connected to the same load balancer. Abiquo supports the AWS gateway address as the first address in the network.
Abiquo configures VPC networking Scenario 2 as described in the AWS documentation http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html.
Under this configuration, users must attach Elastic IPs to VMs with a connection to the public subnet. And by default, VMs in private networks will have internet access through the public subnet. This is helpful for automation because a VM can now connect to the internet to download its configuration, for example, using Chef, without an Elastic IP.
VPC and Subnet
When you create an Abiquo virtual datacenter in an AWS public datacenter, Abiquo creates a VPC of size /16 and a subnet of size /24 (or as defined by the user). The default CIDR for the VPC and the subnet is 192.168.0.0, which is the default private network in Abiquo. You can set a custom private network in Abiquo and this network will be used to create the VPC and subnet in Abiquo. You can create multiple Abiquo private networks in different availability zones in the same VPC.
AWS Reserves IP Addresses
AWS reserves five IP addresses in your private networks. It reserves the first four IP addresses and the last IP address of the VPC private connect network. These IP addresses are not displayed or used by Abiquo. Therefore the first available IP address in a network that is defined to start with address 0, will be address 4, and the gateway address will be address 1.
For example, in the default_private_network with network address 192.168.0.0, the following addresses would be reserved or used as the gateway.
| IP Address | Notes |
|---|---|
| 192.168.0.1 | Reserved by AWS, default gateway address |
| 192.168.0.2 | Reserved by AWS |
| 192.168.0.3 | Reserved by AWS |
| 192.168.0.254 | Reserved by AWS |
Internet Access
Abiquo creates a route table that is equivalent to the AWS route table with the values of the Abiquo private network. You can use the AWS NAT instance for Internet access from the Abiquo virtual datacenter private network. You can acquire floating public IPs for your virtual datacenter and in AWS, these will be created as Elastic IPs with public network addresses. Note that AWS may charge for Elastic IPs when they are NOT in use, i.e. when they are not assigned to a VM or when the VM is not deployed in AWS. You must assign the Elastic IPs to VMs with connections to the Public subnet. When creating a NAT gateway, Abiquo will reuse floating IPs that are not assigned to a VDC.
Security
By default Abiquo assigns instances to the default VPC security group. This means that by default, all outbound traffic from instances is allowed. Enterprise administrators should configure an Abiquo firewall. Abiquo will create an AWS Security group in the VPC when this firewall is assigned to a virtual datacenter. Users can synchronize their firewalls with AWS, which will import existing security groups. The most basic configuration is to allow SSH inbound traffic, for example, port 22, which will allow SSH connections to the machine through a public IP, NAT, or from a private IP within the virtual datacenter. See AWS Security Groups as Abiquo Firewalls.
Number of IP Addresses per VM
Abiquo supports multiple IP addresses in the AWS integration. You can synchronize existing VMs with multiple IP addresses and create multiple IP addresses through Abiquo, including multiple Elastic IPs.
Abiquo supports the number of IP addresses supported by the AWS hardware profile (instance type). See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
If the user adds multiple IPs in the same subnet, Abiquo adds them to the same elastic network interface. And if the IPs are in a different subnet, Abiquo adds them to a different elastic network interface. For information about Elastic Network Interfaces, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
AWS Features
This table describes AWS features offered in the public cloud integration as well as Abiquo features that add important multi-cloud functionality.
See AWS integration for full details of the Abiquo Amazon Web Services integration.
AWS feature | Support | Comments |
|---|---|---|
Partner accounts |
| Add a partner account for each hierarchy of tenants |
All regions |
| Amazon may require separate credentials for groups of regions. |
Hardware profiles |
| Onboard hardware profile families and types |
Pricing |
| Onboard prices for hardware profiles, manage a markup, and use prices in estimates, usage metering, and billing |
Billing dashboard |
| Obtain and display the provider billing data including the latest bills and estimated bill. |
Billing |
| Incorporate AWS billing data into a single bill for the multi-cloud platform |
Configure and remove VMs |
| When you create a VM, select the hardware profile |
Reconfigure VMs |
| |
Power on VM |
| |
Power off VM |
| |
Reset VM | - | |
Pause and resume VM | - | |
Storage |
|
|
Take a VM snapshot |
| The VM must be powered off in Abiquo, although the actual VM is not powered off. |
Remote access |
| Open a console window to access your VM using your SSH key registered in Abiquo |
Create and delete networks |
| Users can specify the network address space, and create private and public subnets |
Create and delete VPNs |
| From private cloud (NSX-T) to AWS |
Create and delete VPCs |
| |
Create and manage firewall policies |
| AWS security groups |
Use Chef |
| Enterprise Chef or your own server |
Use Chef attributes |
| |
VM bootstrap scripts |
| Users can work with shell scripts or cloud-init to automate VM configuration |
VM variables |
| The variables are stored on the VM filesystem in |
Load balancing |
| Abiquo supports Classic load balancers and Application load balancers |
Import and synchronize |
|
|
VM monitoring and metrics |
| With Abiquo monitoring and metrics server |
Deploy AMI from AWS marketplace | - | Abiquo cannot deploy an AMI from the AWS marketplace because Abiquo cannot display the EULA to the end user. |
Import VM template |
| Use compatible templates prepared according to provider instructions. See VM Template Mobility |
Automated actions |
| Abiquo can run action plans on VMs |
Autoscaling |
| Abiquo can automatically clone VMs or undeploy VMs to match your changing application needs |
AWS Synchronization
To onboard virtual resources from public cloud:
- Go to Virtual datacenters and the V. Datacenters list
- Click the + Add button select Synchronize public cloud from the pull-down menu
- The platform opens a dialog box with a pull-down list of public cloud regions. Select one of these regions.
- After you select the region, there are two possibilities:
- If the provider supports virtual datacenters, Abiquo will display a list of virtual datacenters
- If the provider does not support virtual datacenters, Abiquo will automatically onboard the virtual resources in the region
Onboard virtual datacenters from public cloud
To onboard a virtual datacenter:
- For the public cloud region, the platform will display a list of virtual datacenter entities. For example, VPCs in AWS or Virtual networks in Azure. Select an entity and click Synchronize.
- The platform will load all of the elements into a virtual datacenter so they can be managed. For example, from AWS, the platform will import the VPC, VMs, subnet with IP addresses, public IPs, firewalls and load balancers, which will be named with their provider identifiers.
The platform will detect a public subnet by the presence of a custom route table and NAT gateway, and the platform will mark the public subnet with a globe symbol and set the Internet gateway flag for this subnet. Users with bespoke network configurations should check the results of the synchronization. The platform will synchronize private and public IP addresses even if they are not in use by VMs, and mark the IP addresses in use by provider entities with provider identifiers.
The platform will import VM templates. If the VM template cannot be found, the VM will be created in the platform with no registered template. In this case, to save a copy of your VM disk as a template, so you can recreate the VM, make an Abiquo instance of the VM.
If you delete a synchronized VDC, you can choose whether to delete it in the provider or not.
If your enterprise does not have valid credentials for the public cloud provider, when you delete public cloud entities in the platform, they will still exist in the public cloud provider
View classic VMs
To view classic VMs, for example in AWS these are EC2 classic VMs, click the "See classic" link.
Synchronize VDCs and resources
During VDC synchronization, the platform will ensure that the resources in the platform and the provider are the same.
- It will delete entities in the platform that were deleted already in the provider
- However, it will maintain resources attached to undeployed VMs in the platform
- For example, if a user has an undeployed VM with IPs and a load balancer, then after the synchronization, these resources are attached to the VM in the platform only
- Warning: These resources are "free" in the provider. Users working directly in the provider could assign these resources to other VMs. This will cause a conflict and error at deploy time
To update a virtual datacenter and onboard any changes made in the provider, synchronize the virtual datacenter:
- Go to Virtual datacenters → V. Datacenters list
- Beside the virtual datacenter name, click the round arrow Refresh button
You can also synchronize resources such as networks, public IPs, firewalls, and load balancers. To do this, go to the resource tab and click the Synchronize button. For more information, see the resource documentation.
Public cloud synchronization parameters
Note to System Administrators: For information about tuning public cloud synchronization, see Abiquo Configuration Properties.
Manage resources that were deleted directly in the provider
When administrators delete resources in the provider, the platform will display the resource name in light gray to indicate that the user cannot work with the resource. The resource types include:
- External networks
- Firewalls
- Classic firewalls
- Load balancers
- NAT network
- NAT IPs
To delete these resources (if they are not in use), select the resource and click the delete button.
Delete or release virtual resources in public cloud
The virtual resources that you onboarded or created in public cloud will be grouped with their associated virtual datacenters.
Before you begin:
- If you recently created virtual resources, such as load balancers, synchronize the virtual datacenter to ensure that the platform can find and delete all the dependencies of the virtual datacenter.
To delete onboarded resources in public cloud:
- Delete each virtual datacenter
- You can choose to delete each virtual datacenter in the platform only, or in the platform and the provider. If you delete in the platform only, the platform will automatically remove VMs, virtual appliances, load balancers, public IPs, and firewalls. Remember to check which is the default VDC in your provider, e.g. AWS default VPC, because it may be inconvenient to delete this VPC
If the enterprise does not have valid credentials for the public cloud provider, when you delete public cloud entities in the platform, they will continue to exist in the public cloud provider
Onboard from public cloud using the API
Abiquo API Feature
This feature is available in the Abiquo API. See VirtualDatacentersResource for synchronization and AllowedLocationsResource for retrieval of virtual datacenters and VMs.
AWS Firewalls and Load balancers
For general information, see Manage Firewalls and Manage Load Balancers
To configure the load balancer integration:
- Set Abiquo Configuration Properties#amazon for the healthy threshold of machines in AWS in the abiquo.properties file.
- The Load balancer UI options can be configured in the client-config-custom.json file. See Configure Abiquo UI
In AWS, the platform supports load balancers as described in the following table.
Abiquo supports AWS Classic load balancers and Application load balancers.
AWS Element | Notes |
|---|---|
AWS documentation | https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/SvcIntro.html |
Healthy threshold | AWS will assign a previously unhealthy machine a healthy status after a number of successful health checks. |
Load balancer name |
|
Algorithm |
|
Subnets |
|
High availability | For high availability, create private networks (subnets) in different availability zones in your virtual datacenter |
Routing rules |
|
Routing rule protocol in | AWS accepts HTTP, HTTPS, TCP |
Routing rule port in | AWS accepts 80, 443 and 1024-65535 inclusive |
SSL certificate | Can be a new certificate or an existing one registered in AWS with an ARN.
|
Health check |
|
Firewalls | If a firewall does not display, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again creating a new load balancer |
Storage
In Amazon, you can work with volumes that are EBS disks.
General information about EBS disks
- Users can onboard and create volumes, and attach them to VMs as auxiliary disks. The volumes must be in the same availability zone as the VM network.
- When you onboard disks, the platform will make them available to users that can access All virtual datacenters in the tenant
- After users detach auxiliary disks from VMs, the synchronization process will make them available in the virtual datacenter. Users can move disks between virtual datacenters and release them to the region. When users undeploy or delete a VM, the synchronization process will make auxiliary disks available in the virtual datacenter.
Delete on termination disks
- If you onboard a VM with Delete on termination disks. When you undeploy or delete the VM, the platform will destroy these disks. When you detach the disks from the deployed VM, the platform will synchronize them as volumes in the virtual datacenter.
Instance templates with multiple disks
- In AWS, users can create an instance template with a copy of the selected VM disks.
When you create a VM from an instance template, the platform will display one disk only, with the total size of all disks. After you deploy the VM, the platform will update the additional disks.
Encrypted EBS disks
- You can create encrypted EBS disks in the platform and you can onboard encrypted disks
- If your AWS account has encryption set as the default, all EBS disks will be created with encryption. If you create a disk without encryption, the platform will display a warning message
- The platform will use encryption when you create an instance template of an encrypted disk, and when you create a VM from this template