Piggy bank of IT recipes

A treasure trove of experience and solutions

vRA: Integration with AWS

Posted on by Posted in Aria (vRealize)

vRealize Automation supports cloud platforms by transforming a private cloud into a hybrid. A more complete and better integration is realized with the Amazon cloud: deploying and managing EC2 instances, executing scripts, creating multi-cloud applications … I suggest you quickly set up and test yourself.

Settings on the AWS side

Policy creation

To connect the vRA to AWS, you need a Programmatic user, and you need to create an Access Policy for that user. The user can be made an administrator (Administrator Access), but it is better to always do with the minimum set of rights:

  • AIM service: Services -> AIM ;
  • Create a new policy: Policies -> Create policy ;
  • In JSON, set the following rights: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeImages",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeRegions",
                "ec2:DescribeTags",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeNetworkInterfaceAttribute",
                "ec2:DisassociateAddress",
                "ec2:GetPasswordData",
                "ec2:ImportKeyPair",
                "ec2:ImportVolume",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:AttachVolume",
                "ec2:ModifyVolumeAttribute",
                "ec2:DetachVolume",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:CreateTags",
                "ec2:AssociateAddress",
                "ec2:ReportInstanceStatus",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:MonitorInstances",
                "ec2:RebootInstances",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeInstanceHealth"
            ],
            "Resource": "*"
        }
    ]
}
  • Next, enter a name for the new policy, for example vRA2AWS and its description.

User creation

  • AIM service: Services -> AIM ;
  • Create a user: Users -> Add user ;
  • Set the name (User name) and mark the access type Programmatic access ;
  • Now give the user the following rights: Attach existing policies directly , in the Filter policies field, enter the name of the created policy (mine is vRA2AWS) and select the found policy;
  • Create user;
  • Important! To work with the API, a key is created, consisting of an Access key ID and a Secret access key , be sure to save them (you can download them as a file using the Download .csv button). If you have not saved the secret key, then it can be generated again in the user settings.

Creating a security group

Security Group is a set of traffic filtering rules or simply firewall settings. Create a new security group for the operation of your instances (for example, for access via http and https) and remote control of them (rdp, ssh):

  • VPC service: Services -> VPC ;
  • New group: Security Groups -> Create Security Grou p;
  • Add rules for filtering incoming traffic: select your group -> Inbound tab -> Edit ;
  • Add the ports / protocols you need, for example http, https, rdp, ssh. As a source of requests for http and https – everything (Anywhere, 0.0.0.0/0), and it is better to limit control only to your external IP / network;
  • Order an instance with a new security group and test access.

Configuring the Cloud on the vRA Side

Connect to AWS

  • Infrastructure -> Endpoints -> Endpoints ;
  • New -> Cloud -> Amazon EC2 ;
  • Enter the endpoint name for EC2;
  • Enter the Access key ID and Secret access key you received when you created the user on AWS (Create User step).
New Amazon EC2 endpoint

To check if there is a connection to EC2, select your endpoint and run Data Collection . If the process ends with an error, then see the last logs: Infrastructure -> Monitoring -> Log .

Proxy connection

When working through a prosk server, it is important to ensure the availability of all servers used on the Amazon side (requests to them come from the IaaS server). The most likely connection error would be: ” Workflow ‘AmazonEC2EndpointDataCollection’ failed with the following exception: A WebException with status ProtocolError was thrown. Inner Exception: The remote server returned an error: (407) Proxy Authentication Required . “.
If you are using the EU (Frankfurt) region closest to us, then you need access to ec2.eu-central-1.amazonaws.com (see all addresses in the documentation: AWS Regions and Endpoints ), some requests go to ec2.amazonaws.com and are forwarded to us-east-1.

A separate Proxy endpoint is created in vRA to use the proxy server:

  • New -> Network and Security -> Proxy ;
  • On the General tab, enter the proxy server address (no protocol) and port, and user / password if necessary;
  • On the Associations tab, add the link to the Amazon EC2 endpoint.

Another possible error: ” Workflow ‘AmazonEC2EndpointDataCollection’ failed with the following exception: A WebException with status NameResolutionFailure was thrown. Inner Exception: The remote name could not be resolved: ‘http’. »
As a solution, you can specify the URL of the Amazon EC2 configuration service via the Custom Properties
endpoint : amazon.AmazonEC2Config.ServiceURL = https://ec2.eu-central-1.amazonaws.com (see https://kb.vmware.com/s/article/52260).

Creation of the Fabric Group

The AWS regions used are listed in Fabric Groups as normal local clusters: Infrastructure> Endpoints> Fabric Groups . You can create a new fabric group for public clouds, or edit an existing one to add the desired AWS regions.

Preparing keys

To connect to EC2 instances, you need a key pair:

  • Infrastructure -> Reservation -> Key Pairs ;
  • For a new key, specify a name and select an endpoint;
  • After successfully creating a key on AWS (Key Management on AWS: EC2 -> Network & Security -> Key Pairs ), it will appear in the vRA interface.

If you need to use your old keys created on the AWS side, then after the Data Collection is executed, they will appear in vRA (sometimes this does not happen immediately, patience). Edit the key by uploading the private key file or its contents to vRA.

Making a reservation

Making a reservation for Amazon EC2 is intuitive and does not differ much from the standard procedure. Instead of specifying resources and quotas, you must select an available region and security groups, or VPCs and subnets. A key pair for accessing instances is also specified here.

Preparing blueprints

To order Amazon EC2 instances, all that remains is to prepare the blueprints. The process is also similar to creating a standard blueprint for a virtual machine on vSphere. Instead of the VM template, select the Amazon image, and instead of resources, select the types of instances available to users (instances are configured in Infrastructure -> Administration -> Instance Types ). You can publish a blueprint, grant rights to it and start testing:

VRA Integration - Amazon EC2
VRA Integration – Amazon EC2

Important! Be sure to review the custom properties available to use . For example, the Amazon.Extensions.UserData property allows you to pass a script to the “User data” field to configure an instance. Only there is a small problem with passing end-of-line characters in multi-line scripts, replace them with “{LF}”:

Source script:

#!/bin/bash 
yum update -y
yum -y install tomcat tomcat-admin-webapps
systemctl enable tomcat
systemctl restart tomcat

Final script in one line:

#!/bin/bash{LF}sudo yum update -y{LF}sudo yum -y install tomcat tomcat-admin-webapps{LF}sudo systemctl enable tomcat{LF}sudo systemctl restart tomcat

The same replacement will work for PowerShell scripts as well.

VRA software components can be used with Amazon EC2 instances. To do this, when you install a software agent to enter the Cloud Provider is not vSphere , and ec2 .

Managing AWS from vRO

Working with AWS, like with vSphere, is not limited to creating and deleting instances / virtual machines. To create full-fledged automation processes, there is an orchestrator plugin: https://marketplace.vmware.com/vsx/solutions/vmware-vrealize-orchestrator-plug-in-for-amazon-web-services-version-1-1-0- 1-1-0

Translated by Google Translate

Leave a comment

Your email address will not be published. Required fields are marked *

Лимит времени истёк. Пожалуйста, перезагрузите CAPTCHA.