EPAM Cloud Orchestrator AWS Utilization User Guide January 2015 CIUG-10 Version 2.2 EPAM Cloud Orchestrator - AWS Utilization Guide Contents Preface .................................................................................................................................... 4 About this Guide .............................................................................................................. 4 Audience ......................................................................................................................... 4 The Structure of the Guide .............................................................................................. 4 Documentation References ............................................................................................. 5 1 Overview ......................................................................................................................... 6 2 AWS Global Infrastructure and Regions ......................................................................... 7 3 AWS Images ................................................................................................................... 9 3.1 A Notion of an Image .............................................................................................. 9 3.2 Available AWS Images............................................................................................ 9 4 Working with AWS with EO ........................................................................................... 12 4.1 Activating an AWS Region in Cloud ...................................................................... 12 4.2 Managing Instances in AWS ................................................................................. 12 4.2.1 Running an Instance with Management Console ......................................... 13 4.2.2 Running an Instance with CLI ....................................................................... 14 4.3 Connecting to an Image ........................................................................................ 15 4.3.1 Connecting to a Linux VM ............................................................................. 15 4.3.2 Connecting to a Windows VM ....................................................................... 15 4.4 AWS Management Tools ...................................................................................... 16 4.5 Maestro CLI Specifics for AWS............................................................................. 17 5 EPAM Orchestration Services in AWS ......................................................................... 19 5.1 Mobile Management Console ............................................................................... 19 5.2 Cloud Monitoring and Audit for AWS .................................................................... 20 5.3 Auto Configuration Service ................................................................................... 21 5.3.1 Configuring your VM with Chef ..................................................................... 22 5.3.2 Viewing Chef Client Information .................................................................... 22 6 Environment Orchestration ........................................................................................... 23 6.1 AWS CloudFormation Template Introduction ....................................................... 23 6.2 Working with Stacks via Maestro-CLI ................................................................... 24 2 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 6.3 Working with Stacks via Create Wizard ................................................................ 25 7 Billing and Reporting ..................................................................................................... 26 7.1 Pricing ................................................................................................................... 26 7.2 Reporting ............................................................................................................... 26 7.3 Reporting Customization ....................................................................................... 27 8 Security ......................................................................................................................... 29 9 Self-Education ............................................................................................................... 30 9.1 AWS Partner Network ........................................................................................... 30 9.2 AWS Trainings and Webinars ............................................................................... 30 10 Support and Consulting................................................................................................. 31 Annex A. The Supported CLI Commands ............................................................................ 32 Basic Commands .......................................................................................................... 32 Instances ....................................................................................................................... 32 Storage Volumes ........................................................................................................... 33 Audit and Billing ............................................................................................................. 33 Security and Connection ............................................................................................... 34 Stacks ............................................................................................................................ 34 Images ........................................................................................................................... 34 Instance Properties ....................................................................................................... 35 Table of Figures ............................................................................................................ 36 Version History .............................................................................................................. 37 EPAM CONFIDENTIAL 3 EPAM Cloud Orchestrator - AWS Utilization Guide Preface About this Guide The guide is intended to provide the user with all the information that would allow them start working with AWS by means of EPAM Orchestration tools from scratch. Here, you can find the details on the integration of Amazon Web Services with EPAM Private Cloud. The guide contains the information on Amazon Global Infrastructure and resources specifics, the way an AWS-based infrastructure can be manipulated via EPAM Orchestration, as well as all the necessary technical information on the resources and controls. Audience This guide is designed for EPAM Private Cloud users who want to use Amazon Web Services in following cases: there is a need to place the resources in a public region; there is a need to use specific Amazon features; the customer wants AWS to be used; there is a need to locate the production servers in AWS; it is recommended due to the geographic position. The Structure of the Guide The guide includes ten sections: 1. The Overview section gives the general idea of AWS integration with EO. 2. The AWS Global Infrastructure and Regions section describes the general infrastructure of AWS, introduces the notions of a region and availability zone. 3. The AWS Images section provides the information on the machine images that can be used in AWS-type regions. 4. The Working with AWS via EO section gives the useful information on AWS regions activation in EPAM Orchestration and the ways AWS-based infrastructure can be manipulated with maestro CLI. 5. The EPAM Orchestration Services in AWS section describes how EPC services are used with AWS-based infrastructures. 6. The Environment Orchestration section gives the details on Maestro and CloudFormation stacks usage. 7. The Billing and Reporting section provides the information in AWS costs and the reports on AWS-based infrastructures. 8. The Security section describes the security arrangements introduced for AWS-based infrastructures. 9. In the Self-Education section, you can find the resources that you can youse to improve your AWS expertise. 10. The Support and Consulting section gives the contacts of the groups responsible for providing support to EPC users. 4 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide Documentation References The answers to most of your questions can be found in our Knowledge Base You might also want to check the following EPAM Cloud Orchestrator documents: Document Title Contains Information on Maestro CLI Setup Guide Installation of Maestro CLI Client Auto Configuration: Box Solutions Auto Configuration Service concept and usage Maestro CLI Reference Guide EPAM Private Cloud Billing Guide Graphical User Interface Guide Maestro Stacks Guide EPAM Cloud Orchestrator Command Line Interface and the list of CLI commands, their parameters and response examples Current billing model implemented for EPAM Private Cloud EPAM Cloud Orchestration graphical user interface Maestro Stacks creation and utilization Please email your comments and feedback to EPAM Cloud Consulting at [email protected] to help us provide you with documentation that is as clear, correct and readable as possible. EPAM CONFIDENTIAL 5 EPAM Cloud Orchestrator - AWS Utilization Guide 1 Overview It often happens that a project needs placing the development and production environments in different clouds. The development process is performed in EPAM Private Cloud (EPC) that is not accessible for external connections, and the production is deployed to AWS Cloud. One of the main inconveniences of such solution was the difference of the API of the two cloud providers. In order to solve this issue, Maestro CLI API was extended so that it now allows using the same set of commands for manipulating resources in both EPAM and Amazon clouds. This means that for the developer who uses EPAM Orchestration tools to work with EPC and AWS, the only thing that distinguishes between them is the region specification at the command call: EPC: or2run -p DEMO-PRO -r EPAM-MSQ -i W2012Std AWS: or2run -p DEMO-PRO -r AWS-USEAST -i W2012Std In spite EPC and AWS usage was unified, there is still a set of differences you should take into account in order to prevent unexpected issues. These differences are caused by the following factors: Internal Amazon specifics. AWS is based on several virtualization regions, each having its own specifics. That’s why some Amazon services are not available in this or that region. For more details, see the AWS Global Infrastructure and Regions section. Differences in Cloud providers facilities. Due to some functional dissimilarities of EPAM and Amazon Clouds, some of EPAM Orchestration features and services are not available in AWS. For more details, please, see the EPAM Orchestration Services in AWS section and Annex A. Security. The security of your data stored in AWS is provided by a set of additional measures introduced on two levels: o VM-layer security: Additional restrictions on authentication were introduced. Meanwhile, the software protection on AWS instances is weaker than that on o EPC. Networking: The VMs in EPAM private Cloud are placed inside the EPAM Network and are more protected than the VMs in AWS. That’s why we would recommend to take additional protection measures, such as placing your infrastructure in VPC (Amazon Virtual Cloud). For more details on the data security policy for AWS-based infrastructures, please, see the Security section. These and the other specifics and details of creating and manipulating a virtual infrastructure in AWS via EPAM Orchestration are given further in this document. For more details on AWS architecture in examples and infographics, as well as for useful tips and recommendations on building a reliable and highly scalable infrastructure in AWS, please, visit the Amazon Web Services Architecture Center page. 6 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 2 AWS Global Infrastructure and Regions To provide EPC users with the ability to work with Amazon Web Services, EPAM Orchestration has to access AWS infrastructure. AWS is hosted in multiple locations. Each location, or a region, is a separate geographic area and is independent of the other areas. At the moment when this document is being created, AWS users can deploy their applications to ten regions, and eight of them are available for EPAM Orchestrator. Each region consists of a number of availability zones. An availability zone is an area isolated from other zones (having a low latency connection with the other zones in the same region). In case one zone fails, the others are still up. Below, you can see the map of existing Amazon regions and availability zones. Figure 1 - AWS Regions Map EPAM Private Cloud Users have access to the following Amazon regions: Region Code ap-northeast-1 ap-southeast-1 ap-southeast-2 eu-west-1 eu-central-1 sa-east-1 us-east-1 us-west-1 us-west-2 EPAM CONFIDENTIAL Region Name Asia Pacific (Tokyo) Region Asia Pacific (Singapore) Region Asia Pacific (Sydney) Region EU (Ireland) Region EU (Frankfurt) Region South America (Sao Paulo) Region US East (Northern Virginia) Region US West (Northern California) Region US West (Oregon) Region EPC Reference Name AWS-AP-NORTHEAST AWS-AP-SOUTHEAST AWS-AP-SOUTHEAST-2 AWS-EUWEST AWS-EUCENTRAL AWS-SAEAST AWSUSEAST AWS-USWEST AWS-USWEST-2 7 EPAM Cloud Orchestrator - AWS Utilization Guide Each of the regions has its own specifics and AWS Services availability set. The region that covers all available AWS services is US-EAST-1 (Northern Virginia). The regions with the most restricted possibilities are SA-EAST-1 (Sao Paolo) and AP-SOUTHEAST-2 (Sydney). When you create resources in AWS using EPAM tools, you can specify the region, but the availability zone is selected automatically. The complete information on AWS services coverage by regions is given on AWS Products and Services by Region page. The more detailed information on the global structure of Amazon Web Services is given on Amazon Global Infrastructure page. 8 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 3 AWS Images 3.1 A Notion of an Image A special virtual appliance used as a basis for creating a virtual machine is called a machine image. In Internet, you can also come across the terms ‘template’ or just ‘image’. A machine image used for running instances in AWS is called an Amazon Machine Image (AMI). An AMI provides the information that is necessary to run a new instance in Cloud and includes the following elements: A template for the root volume for the instance (for example, an operating system, an application server, and applications) Launch permissions that control which AWS accounts can use the AMI A block device mapping that specifies the volumes that are to be attached to the instance when it’s launched (see more at Amazon Machine Images page). The owner of an AMI determines its availability by specifying launch permissions, which can be of one of the categories below: Public: all AWS accounts have the permissions to use the AMI. Explicit : only the accounts specified by the owner have the permissions to use the AMI. Implicit: the owner has implicit launch permissions for the AMI. 3.2 Available AWS Images The image format is typically bound to the virtualizer this image is aimed to be run with. Therefore, the images that can be used by one software, are inapplicable for another. That’s why EPAM Orchestration uses different types of images to run instances in EPC and in AWS. However, all the images available for AWS are functional ‘twins’ of EPC public images. This means that the VMs run from a pair of ‘twin’ images in different clouds will have the same Operating System. To provide better usability, Maestro CLI supports referencing images with a set of aliases, with one alias referencing both ‘twin’ images. Maestro CLI detects which image is exactly to be used basing on the region specification in the command where the alias is referenced: EPAM CONFIDENTIAL 9 EPAM Cloud Orchestrator - AWS Utilization Guide Figure 2 - Image Alias Processing Scheme The images run in EPC have a bigger set of pre-installed software than their AWS ‘twins’. This especially applies to Windows images. EPAM Private Cloud team prepared a set of images based on the AMI supplied by Amazon. These images were carefully configured and tested and comprise a set of default images available for AWS usage. The table below gives the full list of the EO images and their availability in AWS and EPAM MSQ regions: OS Name AWS MSQ Windows Server 2012 R2 Standard Edition - + Windows Server 2012 Standard Edition + + Windows Server 2003 R2 Standard Edition 32-bit + + Windows Server 2003 R2 Standard Edition 64-bit + + Windows Server 2008 R2 Enterprise Edition - - Windows Server 2008 R2 Standard Edition + + Windows 7 32-bit Enterprise - + Windows 7 64-bit Enterprise - + Windows 8 32-bit Enterprise - + Windows 8 64-bit Enterprise - + Windows 8.1 32-bit Enterprise - - Windows 8.1 64-bit Enterprise - + Windows XP Professional 32-bit - + Linux CentOS 5.9 64-bit + + Linux CentOS 6.5 64-bit + + Linux CentOS 6.4 32-bit + + Debian GNU/Linux 7 64-bit + + Oracle Linux 6 64-bit + + + Linux Ubuntu 12.04 64-bit + + (except for Sydney Region + (except for Sydney Region Linux Ubuntu 14.04 64-bit - + Linux Ubuntu 10.04 32-bit Linux Ubuntu 10.04 64-bit 10 EPAM CONFIDENTIAL + + EPAM Cloud Orchestrator - AWS Utilization Guide Please note that in AWS, Windows instances are more expensive than Linux ones, because the license fee is included to the price. Apart from the default public images, you can also create you custom ones. To do it, modify an instance based on a public image, and use the or2-create-image (or2cim) command to create your own custom image. The custom images are available only for the project-region combination they were created in. EPAM Orchestration does not support transparent image migration between regions. To get your image migrated between the regions, please, submit a support request on EPAM Service Portal. To see the list of the images available for your project and region, use the or2-describeimages (or2dim) command: Figure 3 - AWS Images List The command output provides the following information: ID: The machine image alias. Description: The description of the machine image. Typically provides its operation system details. Group: The image security group. The default public images belong to the Enterprise group, and the custom project images comprise the Project group. State: Current state of the image. When running an instance, use the value of the ID column as the image identifier: or2run -p DEMO-PRO -r AWS-USEAST -i Debian7_64-bit -k my_key EPAM CONFIDENTIAL 11 EPAM Cloud Orchestrator - AWS Utilization Guide 4 Working with AWS with EO 4.1 Activating an AWS Region in Cloud To activate an AWS region in EPAM Private Cloud, simply leave a respective request at EPAM Service Portal: Figure 4 - Region Activation Request in Service Catalog The request is free of charge and will be fulfilled during three working days. Please remember that it should be approved by the Project Manager/Project Coordinator. When the region is activated, all the project members get a corresponding email notification. They can see the new region in the list of available regions (run or2dreg command): >or2dreg -p DEMOPRO The command gives a similar response: Figure 5 - Describing Available Regions If you can see the requested region (AWS-USEAST in the picture above) in the response, you can start utilizing AWS resources via Maestro CLI Tools. 4.2 Managing Instances in AWS The AWS instances are managed by the same commands as EPC ones. Before you run an instance, you have to decide not only on its image, but also on its shape. A Shape is a combination of CPU and RAM that your new instance will have. The table below lists the existing shapes: 12 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide Instance Type Micro Mini Small Medium Large XL 2XL 3XL #vCPU 1 1 1 1 2 8 2 4 Memory 512MB 1GB 1.7GB 3.75GB 7.5GB 7.5GB 15GB 15GB AWS shape mapping t1.micro t2.micro m1.small m1.medium m1.large c1.xlarge m2.xlarge m1.xlarge To see the list of shapes available for your project and region, use the or2-describe-shapes (or2dshape) command: or2dshape -p DEMOPRO -r AWS-USEAST Please remember that the selected shape influences the instance price. There are two ways to run an instance: using CLI; using the graphical wizard on Orchestration Management Console. 4.2.1 Running an Instance with Management Console You can run an instance using a Create Wizard available on Orchestration Management Console. To call the Wizard, click on the Create button on the Orchestration Management Console: Figure 6 - Create Wizard call EPAM CONFIDENTIAL 13 EPAM Cloud Orchestrator - AWS Utilization Guide Then, follow the step by step instruction by selecting the target project, region and other parameters for your new VM. Please remember, that to create a Linux instance, you will have to create and specify an SSH key. When an instance is launched, a corresponding message will appear on the Audit page and you will get an automatic email notification. 4.2.2 Running an Instance with CLI To run an instance in AWS, use the or2run command. To run a Windows instance, specify the target project, region and the alias of the image to be used: or2run -p DEMOPRO -r AWS-USEAST -i W2012Std A Linux image can be run only with an SSH key specified. Use the or2-describe-keypairs (or2dkey) command to see the list of the available keys. If you don’t have a key, create one with the or2-create-keypair (or2addkey) command: or2addkey -p DEMOPRO -k my_key When a key is created, use it to run a new Linux instance: or2run -p DEMOPRO -r AWS-USEAST -i CentOS5-template -k my_key As soon as an image is run, you will get a letter giving you the instance details and providing the list of the most common commands ready for copy-pasting to your CLI: Figure 7 - Instance Run Notification 14 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 4.3 Connecting to an Image 4.3.1 Connecting to a Linux VM To connect to a Linux VM, run the following Linux command: ssh user@<hostname> -i <path> Where <hostname> stands for your VM DNS Name and <path> stands for the full path to your key file. 4.3.2 Connecting to a Windows VM To connect to a Windows VM, perform the following steps: 1. Run the Remote Desktop Connection tool and specify the VM DNS name and ‘localhost\user’ user name: Figure 8 - Connecting to a Windows VM, Step 1 2. Click the Connect button. 3. Input the password in the security dialog: 4fsD321fDFf35g: Figure 9 - Connecting to a Windows VM, Step 2 EPAM CONFIDENTIAL 15 EPAM Cloud Orchestrator - AWS Utilization Guide For security purpose, we strongly recommend to change the default passwords after the initial login. NB: In order to access Windows instances via SSH, you first have to access them via RDP and configure SSH connection. In case any issues with connecting to your VMs arise, especially if you connect through EPAM VPN, please, contact the WFT IT Services Network group. 4.4 AWS Management Tools As with EPAM Private Cloud, Amazon provides users with both CLI and Web Management Console controls over their resources and data. EPAM Private Cloud supports both these options the following way: Cloud users can now get AWS Management Console Access with a single CLI command that returns a URL to connect. By following this URL, you will get access to all AWS services, except for IAM. To get the URL, run the or2-aws-management-console command: or2-aws-management-console -p project Follow the link to login to Amazon Management Console directly, no credentials input will be needed, your EPAM credentials will be used automatically. Figure 10 - AWS Console 16 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide All the bills for the AWS services usage will be included to your project’s bill at the end of the billing month. All the AWS instances run in Cloud, have a specified IAM role, which supports the following manipulations: o Volume management o Tags management o Elastic IP management o S3 Management. All these operations are performed via Amazon CLI that is to be set up on an AWS instance, run with Orchestrator. To set up the AWS CLI on a VM, perform the following steps: o o Login to the VM via SSH Run the following commands in the VM’s console: apt-get update apt-get install python-pip pip install awscli o Check the AWS CLI work with Amazon S3: aws s3 ls s3: This command displays the folders in the S3 root. The output can be similar to this one: 2014-11-21 16:17:05 storage-eu-west 2014-11-21 16:10:02 storage-us-east To see the content of the subfolders, use the command: aws s3 l3://storage-eu-west 4.5 Maestro CLI Specifics for AWS As it has been mentioned before, the commands to control EPC and AWS infrastructure were unified. You can use the Maestro CLI to manipulate AWS resources without any additional preparations. However, some EPC services and facilities are not available in AWS. This is caused by engineering specifics of cloud providers and by security reasons. The following EPAM Orchestration facilities are not available in AWS: Working with checkpoints; Files manipulation (do not confuse with stack templates manipulation); Auto Configuration based services (do not confuse with the Auto Configuration service itself). EPAM CONFIDENTIAL 17 EPAM Cloud Orchestrator - AWS Utilization Guide The full list of the EPC commands and the information of their availability in Amazon is given in Annex A. For more details on the CLI commands usage, please, see the Maestro CLI Reference Guide. The AWS operations that are not covered by Maestro CLI are available for EPC users through AWS CloudFormation stacks that are described in details in the following section. 18 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 5 EPAM Orchestration Services in AWS AWS provides its users with a big set of services that are constantly updated and enhanced. As it was already mentioned before, the services availability varies in different AWS regions. The full list of AWS services and the information on their availability in different regions are given on the Products and Services by Region page. In addition to the core set of Amazon services, the users who create a virtual infrastructure in AWS via EPAM Orchestration have access to a set of EPC services and abilities, not included to AWS. These are the following: Mobile Management Console; Advanced Cloud Monitoring and Audit; Advanced Auto Configuration Service; Load-balancing Service; Ambari Service. The details on these services are given further in this section. 5.1 Mobile Management Console EPAM Orchestration Mobile Management Console allows you to access your virtual infrastructure at any time and from any place. Use https://cloud.epam.com to connect to EPAM Private Cloud Management Console from any place where internet connection is possible. The handy mobile interface provides you with an easy access to Orchestration UI, where you can quickly collect all the EPC and AWS resources information without need to connect to EPAM network. You can make the access to the mobile console even faster by adding the link to the desktop of your mobile device. For example, on Apple iOS, you can use the “Add” button ( ) and select “Add to your home screen”. If you use Android, you can find this option in the mobile browser menu. This all puts your AWS-based infrastructure only a couple of clicks away from you and provides you with the constant access to your resources. EPAM CONFIDENTIAL Figure 11 - Mobile Management Console 19 EPAM Cloud Orchestrator - AWS Utilization Guide 5.2 Cloud Monitoring and Audit for AWS You can easily monitor your AWS resources performance, utilization and changes using EO Management Console (both desktop and mobile). The process and facilities are similar to those designed for monitoring EPAM Orchestration instances. So, you can use the Console to get the following information: The detailed infrastructure actions audit (Audit page): Figure 12 - Audit on an AWS region Here, all the events on your EPC and AWS based infrastructures are reflected in realtime mode. Any action related to an instance state change (run, start, stop, kill) is described here. For EPC-based resources, an audit message includes the name of the user who initiated the action. For AWS, the user name is unknown. The detailed information on each of the VMs (Management page). Here, on selecting an instance, you can see the basic instance information: related project and zone, instance ID, shape, state, IP’s and DNS’s, instance Owner: Figure 13 - Amazon VM details The detailed information on VM performance, retrieved due to integration with Amazon Cloud Watch (Monitoring page). By default, you can see the data on the default AWS-supported metrics: CPU utilization, Disk Read/Write information, Network Traffic and Status Check. The data on each of the metrics is represented as a graph, the same way as with EO VMs metrics: 20 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide Figure 14 - AWS Cloud Watch In EO Management Console You can use the Zoom tool to change the period to be viewed on the graph. Please, remember that the maximum number of points that can be represented on the graph is 1400, which means that the graph detailing can change on zooming. If you need to get more information on your AWS VM, you can customize the metrics, but it will bring additional costs. For more details on Amazon Cloud Watch, please, see the Amazon Cloud Watch page. To find more about Monitoring in EPAM Private Cloud, please, see the Cloud Analytics guide. 5.3 Auto Configuration Service Auto Configuration service allows Cloud users running instances with pre-installed sets of software, effectively eliminating the need to install and configure software manually. It was designed to work in same manner in all regions, including AWS. Auto Configuration Service is activated by default as soon as the project gets activated in Cloud. The service is based on the Chef tool and performs auto-configuration using a set of roles, each containing a description of the configuration and settings to be installed on the target VM. EPAM CONFIDENTIAL 21 EPAM Cloud Orchestrator - AWS Utilization Guide 5.3.1 Configuring your VM with Chef In order to set a chef role or several roles to an instance, you can use the or2-set-instanceproperties (or2setp) command with the following flags: -c/--chefattribute to specify the desired chef attribute to be used -h/--chefrole - the role to be set to the instance: or2setp -i i-48cced22 -h role1 -h role2 -c value1 -c "recipename1.attribute1=value2" -p epmc-2chef You can find the detailed information on the service on our Auto Configuration page. 5.3.2 Viewing Chef Client Information As soon the Auto Configuration Service successfully performs at least one operation on a VM, the Chef Server starts collecting the information on the VM’s Chef Client. This information can be found on Management page of Orchestration UI: Figure 15 - Chef tab on the Monitoring Page When the tab is unfolded, you can see the main details on the Chef client installed on the machine and the actions that are performed there: Figure 16 - Chef details view The toolbar at the top of the Chef tab allows group actions on Chef details groups: you can Expand or Collapse all the groups and subgroups or leave them expanded up to a selected level (2, 3, 4 or 5). 22 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 6 Environment Orchestration EPAM Orchestrator supports two engines for automation of infrastructure setup. These are EPAM Private Cloud Maestro Stacks and AWS CloudFormation. Both engines provide the users with the ability to automatically perform a set of pre-defined actions with a few CLI commands or UI Wizard actions. The sets are called stack templates and are stored in JSON or XML files. Despite having similar purpose, Maestro Stacks and AWS CloudFormation stacks have a number of differences. The choice of the engine to be used should base on your needs and the engine facilities: Maestro Stacks: Maestro Stacks can be used in both EPC and AWS Clouds, and can be also used in Open Stack. This means, that you can create a template that would fit any Cloud you chose and you won’t have to adjust it when you have to migrate or create a new infrastructure in a new Cloud. However, when it comes to AWS, Maestro Stacks support only those Amazon actions that are supported by Orchestration, the rest of the Amazon facilities is not accessible. To find the detailed guidelines on working with Maestro Stacks, please, see our Maestro Stacks guide. CloudFormation: CloudFormation stacks can be used only for AWS-based infrastructures and are not applicable to EPAM Private Cloud. On the other hand, CloudFormation stacks support all the existing related AWS functionality, irrespectively of whether it is covered by EPAM Orchestration or not. This provides a big range of additional AWS opportunities for EPC users. The AWS CloudFormation page gives full information on the subject. 6.1 AWS CloudFormation Template Introduction A CloudFormation Template is a simple JSON file that describes the AWS infrastructure to be created. It allows creating and using resources which are not available through Maestro CLI commands. A template contains several sections. The Resources section is the only obligatory one. The template text should start with an open brace symbol ({) and end with a closed brace (}). Below, you can see the basic anatomy of a template with all the possible sections: EPAM CONFIDENTIAL 23 EPAM Cloud Orchestrator - AWS Utilization Guide { "AWSTemplateFormatVersion" : "version date", "Description" : "JSON string", "Parameters" : { "Mappings" : { set of parameters set of mappings }, }, "Conditions" : { set of conditions }, "Resources" : { set of resources }, "Outputs" : { set of outputs } } Format Version: Specifies the AWS CloudFormation template version that the template conforms to. The template format version is not the same as the API or WSDL version. The template format version can change independently of the API and WSDL versions. Description: A text string that describes the template. This section must always follow the template format version section. Parameters: Specifies values that you can pass in to your template at runtime (when you create or update a stack). You can refer to parameters in the Resources and Outputs sections of the template. Mappings: A mapping of keys and associated values that you can use to specify conditional parameter values, similar to a lookup table. You can match a key to a corresponding value by using the Fn::FindInMap intrinsic function in the Resources and Outputs section. Conditions: Defines conditions that control whether certain resources are created or whether certain resource properties are assigned a value during stack creation or update. For example, you could conditionally create a resource that depends on whether the stack is for a production or test environment. Resources: Specifies the stack resources and their properties, such as an Amazon EC2 instance or an Amazon S3 bucket. You can refer to resources in the Resources and Outputs sections of the template. Outputs: Describes the values that are returned whenever you view your stack's properties. The order of some of the sections in a JSON file can be changed. However, as the values from one section can be referenced in another, it is recommended to keep to the logical ordering in the scheme above. For more information about templates and snippets please visit the CloudFormation Template Reference page. 6.2 Working with Stacks via Maestro-CLI Maestro CLI tool has a set of commands designed to manipulate stacks. The AWS-stack related commands are similar to those used for Maestro Stacks, but there are some differences in the set of the commands and their syntax: 24 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide EPC CLI for Maestro Stacks or2-upload-file (or2uf) or2-describe-files (or2df) EPC CLI for AWS Stacks Result or2-upload-template (or2upt) Uploads a template file to the server Describes the templates uploaded to the server Describes a specified template stored in the Orchestrator storage and saves it to a local file Runs a new stack based on the specified template Describes the existing stacks for the specified project and region Returns the events related to the specified stack Describes the resources created during the stack execution Deletes the specified stack - or2-describe-templates (or2dt) or2-read-template (or2rt) or2-run-maestro-stack (or2rmstack) or2-describe-maestro-stacks (or2dmstack) or2-run-aws-stack (or2rawss) or2-describe-aws-stacks (or2dawss) or2-describe-maestro-stackresources (or2dmsr) or2-describe-aws-stackevents (or2dawsse) or2-describe-aws-stackresources (or2dawssr) or2-delete-maestro-stack (or2delmstack) or2-delete-aws-stack (or2delawss) The AWS-related commands can be used only for AWS-type regions. Maestro Stack commands can be run for both EPC and AWS. 6.3 Working with Stacks via Create Wizard EPAM Orchestration provides EPAM Private Cloud users with the ability to run Maestro and AWS stacks using a graphical wizard, same used for running instances. The wizard is reached from the Main Page of the EO Management Console. After you run the wizard, follow the step by step instruction by selecting the target project, region, stack and stack parameters: Figure 17 - Cloud Formation stack parameters selection EPAM CONFIDENTIAL 25 EPAM Cloud Orchestrator - AWS Utilization Guide 7 Billing and Reporting 7.1 Pricing The pricing for AWS machines run in Cloud differs from that of EO machines. You can find the actual prices and AWS billing models on the Amazon EC2 Pricing page on AWS website. To estimate the price of the AWS-based infrastructure you plan to create, you can use the AWS Simple Monthly Calculator. The table below gives the approximate costs for full-time monthly utilization of similar resources in Amazon and EPAM clouds. The data are retrieved according to the following pre-conditions: AWS Prices are based on US-EAST-1 (Virginia) region price list EPC Prices are based on EPAM-MSQ (Minsk) region price list The prices are true for 09/18/2014 Both AWS and EPC prices include storage price estimations. For AWS, they are default storage volumes supposed by AWS for each of the shapes. For EPC, they are default storage volumes provisioned for the OS type SHAPE SMALL MEDIUM LARGE 3XL Ondemand 31,680 62,640 126,000 252,000 Linux 1-year 3-year LU LU 24,480 19,440 48,960 38,880 97,920 77,760 195,120 154,800 EPC Monthly 40,26 57,06 73,86 150,56 Ondemand 54,000 107,280 215,280 430,560 Windows 1-year 3-year LU LU 42,480 36,720 84,960 74,160 169,200 146,880 338,400 293,760 EPC Monthly 53,23 70,03 86,84 163,54 Please note that storage billing principles in AWS and EPC differ. In AWS, the user pays for the provisioned space irrespectively of the actual storage usage. In EPAM Private Cloud, only the used storage is billed. Each Linux VM has a default 20 GB storage and Windows has 60, and at the VM start, only the storage taken by the system is considered used and is charged. 7.2 Reporting EPAM Private Cloud provides billing capabilities and features, such as reporting on hourly basis, total reporting etc. You can use these features to get reports for your AWS-based projects. Use the or2report command to get the necessary report: or2-report -r AWS-USEAST -p DEMOPRO -m 8 -y 2014 -t total The response of such command will contain total costs for the specified month. As with any of the EO regions, you can also use the Reporting page of Orchestration Management Console to see the reports on the AWS resources utilization: 26 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide Figure 18 - An AWS report on Orchestration Management Console Please, note that EPAM Orchestrator retrieves AWS-regions costs from Amazon, where the data is updated four times a day. Therefore, the hourly reports for current day may contain a bit outdated data. NB: In case an Amazon billing item is not bound to any of the regions, its cost will be added to one of the AWS regions costs (typically, AWS-USEAST). EPAM Orchestration uses linked account technologies in working with AWS. Each project gets its own account and all the costs for each month are billed to this root account by the 5th day of the next month. EPAM Orchestration processes this data and passes to the accounting department, and the monthly billing report for a project contains costs for both EPAM Cloud and AWS-based resources. For more information on reporting, please read our EPAM Private Cloud Billing Guide. 7.3 Reporting Customization To sort your AWS costs and optimize the reports you get, you can set cost allocation tags to AWS items. An AWS cost allocation tag consists of two parts - a key and a value that you define on the tag creation. The diagram below illustrates the concept of tags in AWS. Figure 19 - AWS Tags EPAM CONFIDENTIAL 27 EPAM Cloud Orchestrator - AWS Utilization Guide There are two Amazon instances, each having two tags, called Cost Center and Stack. The tags have an associated value. Both tagged and untagged resources will be included to the monthly reports, but you can use tags to aggregate the reporting data by logical, functional or any other criteria. For more details on AWS cost allocation tags, please, see the original AWS Billing and Cost Management Guide. 28 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 8 Security As AWS-regions based resources are placed in a public cloud, there is a set of security limitations introduced to ensure your data safety: All the VMs created in EPC contain a pre-installed set of security check software. The AWS instances don’t have this software installed, that’s why their security cannot be controlled by EPAM Orchestration, and the owners of the AWS-based VMs are responsible for their safety. In case it is necessary to create infrastructure in AWS, it is recommended to do it in VPC (Amazon Virtual Private Cloud) in order to ensure higher network safety. Authorization to Linux instances can be performed only via SSH keys. Only the images prepared and verified by EPAM Private Cloud team are allowed for using in AWS. To see all the images available for your project in the specified region, please use the or2-describe-images CLI command. You can also create your custom images based on the VMs run from the allowed public images. By default, EPAM employees have no access to AWS Management Console. However, in case of a project need, it is possible to provide temporary access to the Console that would allow to perform basic AWS-related configuration. To get such an access, please, submit a respective request on EPAM Service Portal or contact EPAM Private Cloud Consulting Team. In case you need to create infrastructure in a protected network, specify this requirement in the request for the AWS region activation. The infrastructure will be created in Amazon Virtual Private Cloud (VPC), an isolated section of AWS where you have the complete control over the virtual networking environment. This includes the ability to specify your own IP address range, to configure network gateways and route tables and to create subnets if needed. For more details on this feature, please, see the Amazon VPC official page. EPAM CONFIDENTIAL 29 EPAM Cloud Orchestrator - AWS Utilization Guide 9 Self-Education 9.1 AWS Partner Network EPAM Systems has become a member of AWS Partner Network (APN). The partnership program opens a wide range of possibilities for its members who have a good opportunity to improve their AWS skills, to get new experience and the evidence of their professionalism. Amazon Partners have access to Amazon Partners Training program which provides a variety of Partner Training resources in the APN Portal. Online APN Partner Accreditation courses provided at no cost help you effectively articulate AWS solutions and leverage AWS best practices with your customers. AWS provides partner discounts on hands-on instructor-led classes and self-paced labs that help you deepen technical your skills for working with AWS products and solutions. To receive the trainings and other training resources, simply complete the AWS Partner Network registration (http://www.apn-portal.com/SelfRegisterPartner) by registering with EPAM domain. If any questions or issues related to APN Portal Registration occur, feel free to contact the APN Support team ([email protected] ). The program gives you possibility to earn AWS Certifications to gain credibility with your customers for your expertise with AWS. We are glad to announce the list of EPAMers who have already passed the certification: Apart from getting an AWS certificate, all the people who pass the training automatically get an AWS Certification badge on EPAM Heroes portal. For more details, please, see the Amazon Partner Network page. 9.2 AWS Trainings and Webinars EPAM Private Cloud team provides a set of webinars and self-education programs aimed to help our users to get acquainted with AWS and to develop the existing skills and expertise: 30 Amazon Web Services self-education training will introduce the basic information on Amazon Web Services, auto configuration and stacks in Amazon cloud EPAM experts regularly provide trainings and webinars to help all the interested EPAMers to upgrade their AWS skills. Please, visit the EPAM Training Portal to search for the upcoming trainings and webinars. EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide 10 Support and Consulting In case you have any issues with using AWS with EPAM Orchestration, please, feel free to leave a support request on EPAM Service Portal or contact EPAM Private Cloud Consulting Team. You can also find the answers on the most frequently asked questions on our FAQ page. EPAM CONFIDENTIAL 31 EPAM Cloud Orchestrator - AWS Utilization Guide Annex A. The Supported CLI Commands All the CLI Commands can be logically divided into groups by purpose. In this Annex, you can see the list of the Command groups, the main purpose of each group and the extent to which the commands of this group are supported for AWS-type regions. Please note that some of EPAM Private Cloud facilities and services are not supported for AWS. The commands dealing with these facilities are not listed below: Checkpoints Files manipulation (do not confuse with stack templates manipulation) Auto Configuration based services (do not confuse with the Auto Configuration service itself) Basic Commands The basic commands group covers the commands needed to start working with Cloud and to get all the information needed for further infrastructure creation. CLI command or2-check-version or2-describe-projects or2-describe-regions or2-describe-shapes or2-describe-vlans or2-get-access or2-get-info or2-update-cli or2-view-pool-state AWS + + + + + + + - Instances The commands in this group deal with different instance-related manipulations and instance operations scheduling. CLI command 32 AWS or2-describe-instances + or2-create-schedule + or2-delete-schedule + or2-describe-schedules + or2-move-instance-to-vlan - or2-move-to-project - or2-reboot-instances + or2-run-instances + or2-schedule-add-instances + EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide CLI command AWS or2-schedule-remove-instances + or2-start-instances + or2-stop-instances + or2-suspend-instances - or2-terminate-instances + Storage Volumes These commands deal with storage volumes that can be used to increase HDD capacity of the VMs running in cloud. CLI command AWS or2-attach-volume + or2-create-attach-volume + or2-delete-volume - or2-describe-volumes + or2-detach-volume + or2-resize-volume - Audit and Billing Audit and Billing commands deal with project resources costs reporting, prices and events audit. CLI command AWS or2-add-eo-account + or2-audit + or2-delete-eo-account + or2-delete-tag + or2-describe-eo-account + or2-describe-tag + or2-price - or2-report + or2-set-tag + or2-update-eo-account + EPAM CONFIDENTIAL 33 EPAM Cloud Orchestrator - AWS Utilization Guide Security and Connection This Section lists a set of commands used to connect to your VMs and to provide their security. CLI command AWS or2-console - or2-create-keypair + or2-delete-keypair + or2-describe-keypairs + Stacks The stack-related commands deal with AWS and Maestro Stacks that can be run in both EPAM and Amazon Clouds. CLI command AWS or2-delete-aws-stack + or2-describe-aws-stack-events + or2-describe-aws-stack-resources + or2-describe-aws-stacks + or2-describe-templates + or2-read-template + or2-run-aws-stack + or2-upload-template + or2-delete-maestro-stack + or2-describe-maestro-stack-resources + or2-describe-maestro-stacks + or2-run-maestro-stack + Images These commands are aimed to create and delete custom images as well as to get the information about the images available for the specified project in the specified region. CLI command 34 AWS or2-create-image + or2-delete-image + or2-describe-images + EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide Instance Properties The commands in this section are used to create and manipulate user-defined metadata, known as properties CLI command AWS or2-delete-instance-properties + or2-describe-instance-properties + or2-set-instance-properties + EPAM CONFIDENTIAL 35 EPAM Cloud Orchestrator - AWS Utilization Guide Table of Figures Figure 1 - AWS Regions Map ................................................................................................. 7 Figure 2 - Image Alias Processing Scheme .......................................................................... 10 Figure 3 - AWS Images List .................................................................................................. 11 Figure 4 - Region Activation Request in Service Catalog ..................................................... 12 Figure 5 - Describing Available Regions ............................................................................... 12 Figure 6 - Create Wizard call ................................................................................................ 13 Figure 7 - Instance Run Notification...................................................................................... 14 Figure 8 - Connecting to a Windows VM, Step 1 .................................................................. 15 Figure 9 - Connecting to a Windows VM, Step 2 .................................................................. 15 Figure 10 - Mobile Management Console ............................................................................. 19 Figure 11 - Audit on an AWS region ..................................................................................... 20 Figure 12 - Amazon VM details ............................................................................................. 20 Figure 13 - AWS Cloud Watch In EO Management Console ............................................... 21 Figure 14 - Chef tab on the Monitoring Page ........................................................................ 22 Figure 15 - Chef details view ................................................................................................ 22 Figure 16 - Cloud Formation stack parameters selection ..................................................... 25 Figure 17 - An AWS report on Orchestration Management Console ................................... 27 Figure 18 - AWS Tags........................................................................................................... 27 36 EPAM CONFIDENTIAL EPAM Cloud Orchestrator - AWS Utilization Guide Version History Version Date Summary 1.0 September 12, 2013 - First published 1.01 November 28, 2013 - Added Preface Documentation links are updated 1.1 March 22, 2014 - Added new AWS regions, updated cost and billing sections 1.2 May 22, 2014 - Added the APN Training info to the Overview 2.0 September 20, 2014 - Renamed to “AWS Utilization” - Totally restructured and updated 2.1 November 1, 2014 - Documentation reference updated 2.2 January 31, 2015 - Added Frankfurt region to the list and EPC - Reference names for AWS regions Removed reattach volume info - Added AWS Management Tools section EPAM CONFIDENTIAL 37 Global 41 University Drive Suite 202, Newtown (PA), 18940, USA Phone: Fax: +1-267-759-9000 +1-267-759-8989 EU Corvin Offices I. Futó st 4753 Budapest, H-1082, Hungary Phone: +36-1-327-7400 Fax: +36-1-577-2384 CIS 9th Radialnaya Street, Building 2 Moscow, 115404, Russia Phone: +7-495-730-6360 Fax: +7-495-730-6361 © 1993-2014 EPAM Systems. All Rights Reserved.
© Copyright 2024