Abiquo 5.1
This manual is a basic guide to how to administer and use public cloud in Abiquo.
The following basic roles are described in this manual: cloud administrator, enterprise administrator, and user.
This section describes the cloud administrator tasks in public cloud.
All users should configure their user accounts before starting work with the cloud platform.
To change your user password and user details:
Note that you cannot change many of the details of the main cloud administrator account, and you cannot change its role and privileges. However, you can replace the main cloud administrator account with another equivalent cloud administrator account. You can also edit this user account and other user accounts in Users View.
Before you begin:
To enable two-factor authentication for your user account, do these steps:
Copy the Backup codes from the configuration window to a secure place. You can use these codes to log in to the platform if the authentication cycle fails.
The platform will display Backup codes ONCE only
Privilege: Manage provider credentials
Before you begin:
Obtain credentials to access the cloud provider's API. We provide basic guides but you should always check with your provider. See Obtain public cloud credentials.
To add public cloud credentials:
Attribute | Description |
---|---|
Provider | Select public cloud provider or vCloud Director region. Some providers may require different credentials for groups of regions, for example, "Amazon (CHINA)". If a specific provider does not display, for example, a vCloud Director region, the cloud administrator may need to allow access for your enterprise. |
Access key ID | Identity to access the cloud provider API. For example, a username, API access key ID, subscription ID and certificate, or another account identifier. For DigitalOcean v2, the platform does not use this field, but you must enter a value to enable the Add account button. For Azure, the format is subscription-id#app-id#tenant-id |
Secret access key | Key to access the cloud provider API. For example, an API key or other API credential. For DigitalOcean v2 enter the token. |
Also use for pricing | Use this credential to access pricing data in the provider. For example, to get hardware profile prices from AWS. For Azure, add a separate pricing credential. |
Current credentials | Providers that already have credentials in the platform |
Create account | For resellers with Amazon, Azure ARM, and other partner accounts, click the enterprise Create account button to create a customer account in the provider and add it to an enterprise in the platform |
Finish editing the enterprise and click Save
This will add a cloud provider account for a tenant enterprise with access to a public cloud region.
Privilege: Manage user applications
To add an OAuth application:
Abiquo will add the new application to the Applications list and display the API key and an API secret key. Copy the API key and API secret key to a secure storage area.
You can control the resources that an enterprise may consume. This helps prevent resource over-allocation, enterprises using resources that belong to other enterprises, and even DoS attacks. Allocation limits also help system administrators to anticipate user needs and forecast resource demand. The resource scheduler uses hard and soft limits to decide whether a user can deploy a virtual appliance.
Enterprise allocation limits are checked during configuration or deploy, or before operations as shown in the above table.
To set the datacenters and public cloud regions that an enterprise is allowed to access, edit the Enterprise and click the Datacenters tab.
Select one or more datacenters or public cloud regions in the left pane and drag and drop them into the "Allowed Datacenters" right pane.
Access to at least one datacenter or public cloud region is required in order to deploy VMs. The left pane contains datacenters, which are "Prohibited Datacenters" by default.
Datacenters Automatically Assigned to Current Enterprise on Creation
By default, when a datacenter or public cloud region is created it is automatically assigned as Allowed for the current user's enterprise only.
Note that Allowed datacenters are working datacenters where users can deploy. This is different from an admin user having an administration Scope to administer the infrastructure of a datacenter.
You can set resource allocation limits for this enterprise in each allowed datacenter or public cloud region. To set allocation limits, select one of the Allowed Datacenters in the right pane and click the edit button. Set these limit values in the pop-up that opens.
As for overall enterprise limits, resource limits in a datacenter or public cloud region are validated as described in the following table.
If the tenant does not have cloud provider credentials, they should follow their cloud provider's instructions on how to obtain access to the provider's API.
Abiquo provides basic guides to obtaining credentials, but the tenant should always consult the cloud provider for the most up-to-date information.
Before you enter public cloud credentials, there must be an existing public cloud region for the provider.
To add credentials for a public cloud provider:
In the Abiquo Apps Library you can compile a selection of certified public cloud templates for your users to deploy by self-service.
Abiquo will store the details of these templates but not their disks.
Public cloud libraries can have many thousands of VM templates (e.g. AWS has 19,000 AMIs) that are difficult to find and manage. In addition, administrators cannot control the content of public cloud templates. In the Apps library, you can define a cache of details of your approved or certified public cloud templates. And you can customize the templates' representation to make it even easier for cloud users to find the right template.
To display the details of a template, move the mouse over the template. A tooltip will display the template information.
To filter templates in the Apps library:
To reset filter values to defaults, click Clear.
This section describes tasks that will generally be performed by a tenant administrator.
Abiquo provides basic guides to obtaining credentials, but you should always consult the cloud provider for the most up-to-date information.
Depending on their user privileges, the tenant administrator may be able to do the following tasks.
Privilege: Access Virtual datacenters view
To display all the virtual datacenters in specific providers, click the funnel filter button at the top of the list and select one or more providers.
In private cloud with hypervisors, the platform saves the disks and a copy of the original template definition, unless the VM was captured from outside Abiquo, in which case it saves the configuration of the VM. The platform stores the instance under the master template in the Apps library. An instance is a copy of the selected disks of a VM made at a given time and stored as a VM template. In public cloud providers, the platform saves the instance as a new VM template with the disks and the configuration of the VM. Remember to enter a name that will help you to identify the instance template.
In the platform, hard disks are non-persistent and they are destroyed when deleted from the VMs or when the VMs are undeployed. In private cloud datacenters with hypervisors, the platform creates hard disks on the hypervisor datastore.
In private cloud datacenters, volumes are persistent and independent of the VMs. The platform creates volumes on external storage devices. Volumes are available in private cloud datacenters with hypervisors and they require the external storage feature.
A persistent VM template has one or more persistent disks on external storage volumes. Persistent VM templates are available in private cloud datacenters with hypervisors and they require the external storage feature.
Persistent VM template disks are associated with a specific virtual datacenter. Hypervisors running persistent VMs will work directly from any persistent volumes. VM data stored on a persistent disk will be persisted on the external storage device. When you undeploy a VM, all changes made to the non-persistent disks will be lost. The next time you deploy the VM, the non-persistent template files will be freshly created, for example, standard template disks will be copied again from the appliance library to the target hypervisor. Note that it is not necessary for you to use a persistent disk as a system disk when you create a persistent VM.
Related pages
If your public cloud provider does not support virtual datacenter entities, Abiquo will onboard automatically when you select the public cloud region.
By default, all users have access to all virtual datacenters. However, you can select a list of virtual datacenters for each user and they will only be able to access these virtual datacenters.
To restrict VDC access, open Users view and create or edit a user who is not an administrator or who does not have the No VDC restriction privilege.
On the create or edit dialog, select the Restrict access to VDC checkbox to open the list of available virtual datacenters. If none are selected, the user will have access to all VDCs. Select the VDCs where this user will be able to deploy VMs. You can only restrict the VDC access of users without the No VDC restriction privilege.
This section describes how to manage networks in private datacenters and public cloud providers.
Display virtual datacenter networks
Privileges: Manage virtual network elements, Access external networks tab, Access public networks tab
API Features: Virtual datacenter networks are available in the Abiquo API. For example, see VirtualDatacentersResource and PrivateNetworksResource.
Screenshot: Private networks in private cloud
Screenshot: Private networks in public cloud (AWS)
In the Networks list, to view the pool and allocation of IPs:
You can then:
Create a private network
Private networks are only available within a virtual datacenter. However, your cloud provider may configure an external gateway for your virtual datacenter.
To create a private network:
Screenshot: Create private network
Screenshot: Create private network (Amazon)
Field | Description |
---|---|
Name | Name of the network (VLAN). The name can contain up to 128 characters |
Network Address | Private address range of the network |
IPv6 | Select the checkbox for an IPv6 network |
Netmask | For IPv4, a network mask with an integer value between 16 and 30 |
Gateway | Gateway of the VLAN. Must be an IP within the range of the network address and mask |
Primary DNS | The primary DNS |
Secondary DNS | The secondary DNS |
DNS suffix | The DNS suffix |
Static Routes | In supported providers, optionally select Define to create static routes. See Configure Static Routes using DHCP |
Availability zone | In AWS, optionally select an Availability zone for high availability. To deploy a group of VMs separately, use a different availability zone for each VM. To assign a VM to an availability zone, assign it a private IP address in the network that belongs to the required availability zone |
Excluded from firewall | Select Excluded from firewall to define a network where VM firewalls will not apply |
Default network | Select to make this network the default network, replacing the existing default network |
You can configure static routes when you create or edit a network. However, you should check with your systems administrator about when your VM will receive changes to static routes.
Field | Description | Example |
---|---|---|
Netmask | Destination network mask | 255.255.255.0 |
Network ID | Destination network or host | 1.1.1.0 |
Gateway IP | Next hop (on your network) | 10.10.10.100 |
Create IP addresses in private networks
To create new IP addresses in a private network, do these steps. Or you can add an IP directly to a VM. To do this:
When you add IPv6 addresses on strict networks, you don't need to set the starting address. On non-strict IPv6 networks, Abiquo recommends that you create an automatic IP address, or you can enter a From IP address manually.
For example, if you have the IP addresses 30, 33, and 34 in network 30.30.30.30 and you request 3 new IPs starting from 30.30.30.31, the new IPs created will be 31, 32, and 35.
IP Addresses |
---|
30.30.30.30 |
30.30.30.31 |
30.30.30.32 |
30.30.30.33 |
30.30.30.34 |
30.30.30.35 |
Edit a private network
The new settings will apply to all VMs deployed after you save the network.
Delete a private network
To delete a private network:
Display onboarded external networks
Privileges: Manage virtual network elements, Access external networks tab, Manage external network elements
To display onboarded external networks:
Delete an onboarded external network
If an onboarded network has been deleted in the provider, its name will display in light gray text. If a VM is using an IP from this network, then you cannot deploy the VM. If there are no VMs using the IPs of an external network that was already deleted in the provider, to delete the network in the platform, select it and click the delete button.
Set default virtual datacenter networks
Privileges: Manage virtual datacenter network elements, Access public network tab, Manage public network elements, Access external network tab, Manage external network elements
To set a new or existing network as the default:
In private cloud, if you set a public network as the default, remember to obtain IP addresses for your VMs before you deploy!
Obtain IP addresses from public networks
Privileges: Manage public IPs, Access public networks tab, Manage public network elements
To add new public IP addresses to your virtual datacenter:
The platform will add the IPs to your VDC. You can also reserve public IPs directly from the Edit VM dialog.
Obtain public IP addresses in public cloud
During onboarding from public cloud, the platform will onboard existing public IP addresses in providers that support them, such as AWS and Azure. You can obtain them from the provider and assign them to your virtual datacenters and VMs. The provider may charge for public IP addresses as soon as you reserve them for your virtual datacenter. Therefore you should reserve your IP addresses just before you deploy and check that they are deleted when you undeploy your VMs. Remember that your provider may also limit the number of public IP addresses that you can use per virtual datacenter.
Privileges: Manage virtual network elements, Manage floating IPs, Access public networks tab, Manage public network elements
To add public IP addresses to your virtual datacenter, so that you can later assign them to your VMs:
Now when you edit a VM in the VDC and go to Network → Public, the platform will display the public IP address and you can add it to your VM.
To obtain a public IP directly for a VM, click Purchase public IPs.
Synchronize public IP addresses with the cloud provider
To onboard any public IP addresses that were already created in your cloud provider, or to update changes made directly in the provider:
Release a reserved public IP address
Privileges: Manage virtual network elements, Manage floating IPs, Access public networks tab, Manage public network elements
You can release a public IP if it is not assigned to a VM. In private cloud, to release a public IP that belongs to a public network, select the IP in the IP list and click the delete button. In public cloud, click the Remove from VDC link and then click the delete button.
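The private network fields above carry two rules that are easy to get wrong by hand (the IPv4 netmask must be between 16 and 30, and the gateway and any static-route next hop must lie inside the network), and the IP creation example shows how new addresses skip ones that already exist. The following Python is an added example, not Abiquo code and not the platform's own allocation logic: it checks a network definition against those rules and reproduces the skip-existing allocation. It assumes the page's "network 30.30.30.30" means the 30.30.30.0/24 range; the function names, the StaticRoute tuple layout and the sample values are our own.

```python
"""Checks for the Create private network fields and the IP allocation behaviour
described above. Added example, not Abiquo code; all names are our own."""
import ipaddress
from typing import List, Sequence, Tuple

# A static route as entered in the Static Routes dialog: (Netmask, Network ID, Gateway IP)
StaticRoute = Tuple[str, str, str]


def validate_private_network(network_address: str, netmask: int, gateway: str,
                             static_routes: Sequence[StaticRoute] = ()) -> List[str]:
    """Return the problems found; an empty list means the definition is acceptable."""
    problems: List[str] = []
    # Page rule: IPv4 netmask is an integer between 16 and 30
    if not 16 <= netmask <= 30:
        problems.append(f"netmask /{netmask} is outside the allowed range 16-30")
    net = ipaddress.ip_network(f"{network_address}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    # Page rule: gateway must be within the range of the network address and mask
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is not a usable host address in {net}")
    for dest_mask, dest_id, next_hop in static_routes:
        # Destination may be a network or a single host; reject host bits under the mask
        try:
            ipaddress.ip_network(f"{dest_id}/{dest_mask}", strict=True)
        except ValueError:
            problems.append(f"route destination {dest_id}/{dest_mask} has host bits set")
        # Page rule: the next hop must be on your network
        if ipaddress.ip_address(next_hop) not in net:
            problems.append(f"route next hop {next_hop} is not on {net}")
    return problems


def allocate_ips(network_address: str, netmask: int, existing: Sequence[str],
                 start: str, count: int) -> List[str]:
    """Return `count` free addresses at or after `start`, skipping addresses that
    already exist and the network/broadcast addresses, in ascending order."""
    net = ipaddress.ip_network(f"{network_address}/{netmask}", strict=False)
    used = {ipaddress.ip_address(a) for a in existing}
    candidate = ipaddress.ip_address(start)
    if candidate not in net:
        raise ValueError(f"start address {start} is not in {net}")
    allocated: List[str] = []
    while len(allocated) < count and candidate in net:
        if candidate not in used and candidate not in (net.network_address, net.broadcast_address):
            allocated.append(str(candidate))
        candidate += 1
    if len(allocated) < count:
        raise ValueError(f"only {len(allocated)} free addresses from {start} in {net}")
    return allocated


if __name__ == "__main__":
    # Constructed input following the page: existing .30, .33, .34; request 3 from .31
    print(allocate_ips("30.30.30.0", 24, ["30.30.30.30", "30.30.30.33", "30.30.30.34"],
                       "30.30.30.31", 3))
    # Constructed network using the page's static route example as the route
    print(validate_private_network("10.10.10.0", 24, "10.10.10.1",
                                   [("255.255.255.0", "1.1.1.0", "10.10.10.100")]))
    print(validate_private_network("10.0.0.0", 8, "10.0.0.1"))
```

The allocator walks upward from the requested start address, so it also handles a start address that is itself in use, and it refuses to hand out the network or broadcast address; the validator returns every problem it finds rather than stopping at the first one.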
Manage firewalls
Introduction to Firewalls
This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs. In vCloud Director, the platform also supports classic firewalls, which are Edge firewalls at the level of the public cloud region (orgVDC). See Manage classic firewalls.
Synchronize firewall policies with the cloud provider
To synchronize firewalls, do these steps:
To synchronize a firewall before you add new firewall rules:
Create a firewall policy
The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.
Privilege: Manage firewall
To create a new firewall, do these steps:
Field | Description |
---|---|
Name | Name of the firewall policy |
Description | Description of the firewall policy |
Location | Public cloud region or datacenter |
Virtual datacenter | Virtual datacenter for the firewall, or No virtual datacenter to create the firewall in the platform only |
Default | Optional. Select to make the firewall the default for the virtual datacenter |
If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a Provider-ID and a Virtual datacenter ID for the firewall. If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.
Set a firewall policy as the default for a virtual datacenter
Privilege: Manage default firewall
To set or unset a default firewall for a virtual datacenter:
When the user creates a VM, the platform will assign the default firewall. The firewall rules apply to VMs, not to individual NICs on the VMs. Changes to the firewall ruleset will apply to every VM in the virtual datacenter with the default firewall. If you do not set a default firewall but the provider requires one, for example, AWS, the platform will set the provider's default firewall. In AWS the default firewall is not marked.
Edit a firewall policy
To edit a firewall policy:
Field | Description |
---|---|
Name | Name of the firewall policy. Some providers will not allow you to edit the name of the firewall policy |
Description | Description of the firewall policy |
Default | Select this option to set the firewall as the default. The platform will assign the default firewall to new VMs |
Move a firewall policy to another virtual datacenter
To move a firewall to another virtual datacenter:
Edit firewall rules
To add a new firewall rule:
Edit firewall rules in AWS
Before you edit firewall rules in AWS, synchronize the firewall to update the rules, because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, the platform will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency
Delete firewall policy rules
To delete firewall rules, do these steps:
Display firewall policies
To display firewalls that exist in a virtual datacenter in the provider:
To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider:
To filter firewalls, enter text in the Search box to search by the Name, Description, and Provider ID in the Firewalls list.
Assign a firewall policy to a VM
See Assign a firewall policy to a VM.
Delete a firewall policy
To delete a firewall policy:
Manage firewalls with the API
API Documentation: For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource, FirewallPoliciesResource.
Manage load balancers
Introduction to load balancers
Please refer to the cloud provider documentation as the definitive guide to the load balancing features. And remember to check your cloud provider pricing before you begin. In vCloud Director, load balancers belong to a public cloud region, not a virtual datacenter. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter. See Provider support for load balancers tables.
Display load balancers
To display load balancers in a region, including those that are not assigned to a virtual datacenter in a provider:
To display load balancers in virtual datacenters: select a virtual datacenter, then go to Network → Load balancers.
Create a load balancer
Privileges: Manage load balancers, Assign load balancers
To create a load balancer: click the + add button and complete the following dialogs according to your cloud provider's documentation. The following screenshots are from AWS or Azure.
Load balancer general information
Field | Value |
---|---|
Name | The name of the load balancer |
Subnets | In providers that support subnets, the subnets to which the load balancer will connect |
Algorithm | See cloud provider documentation for more information |
Addresses | AWS: private or public IP. Rackspace: private or public IP. Azure ARM: private or public IP. Neutron: private IP, or private and public IPs. NSX: private IP, or private and public IPs. vCloud Director: private or public IP (IPs on external networks) |
Load balancer routing rules
Field | Value |
---|---|
Common protocols | Select one of the common protocols to load presets |
Protocol in | The incoming protocol to the load balancer. See cloud provider documentation for accepted values |
Port in | The incoming port to the load balancer. See cloud provider documentation for accepted values |
Protocol out | The outgoing protocol from the load balancer |
Port out | The outgoing port from the load balancer |
SSL Certificate | For secure connections (e.g. HTTPS), you can add an SSL certificate. Select an existing certificate or add a new one. Cannot be used in platform-only load balancers |
Add | Click Add to save a routing rule for the load balancer |
To delete a routing rule, click the delete button beside the name of the routing rule in the list.
Load balancer SSL certificate
Field | Value |
---|---|
Name | Name of the certificate |
Certificate | The certificate contents |
Intermediate certificate | An intermediate certificate can be issued by a provider to support older browsers that may not have all of the trusted root certificates for that provider, so that users will not receive invalid SSL warnings. If you have an intermediate certificate, add it at the same time as the certificate to ensure that a trusted-chain certificate is configured |
Private key | The RSA private key for the certificate |
Load balancer health check
Field | Value |
---|---|
Common protocols | Select one of the most common protocols to load presets |
Name | Name of the health check |
Protocol | The protocol with which the health check will be performed |
Port | The port to which the health check will be performed |
Path | The server path to ping (for supported protocols) |
Interval (sec) | The interval in seconds between health checks |
Timeout (sec) | The timeout in seconds after which an attempted health check will be considered unsuccessful |
Attempts | The number of attempts before the health check will be considered unsuccessful |
Add | Add the current health check to the load balancer |
Load balancer firewalls
If your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of Firewalls that were created in your provider. Rackspace does not display a firewall selection list. If a firewall is not on the list, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again to create a new load balancer.
Assign load balancer nodes
To assign your load balancer to VMs, drag and drop the VMs from the Available Nodes list into the Attached Nodes list. The platform will display the Status of the load balancer nodes on the Nodes tab, if status information is available from the provider. You can also check the status using the Abiquo API.
Manage load balancers with the API
API Documentation: For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource, LoadBalancersResource.
Edit load balancers
The cloud provider determines which elements of a load balancer you can modify. Due to different provider support for load balancer features, it may be possible to make modifications in the platform that will later be rejected by the cloud provider, triggering an error. Check your cloud provider documentation for supported modifications.
Edit VMs to assign or unassign to load balancers
Privilege: Assign load balancers
To assign a virtual machine to a load balancer, select the load balancer from the list.
Onboard and synchronize load balancers from public cloud
To access vCloud load balancers and provider-only load balancers:
To synchronize all load balancers in a VDC or region:
Load balancers that have been deleted directly in the provider are displayed in light gray text. You can edit these load balancers to recreate them in the provider, or delete them.
Delete or release load balancers
If your enterprise does not have credentials in the provider, then the load balancer will be released (it will be deleted in the platform but it will remain in the cloud provider).
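The advice above to synchronize before editing firewall rules in AWS (the provider rejects a rule that already exists in the security group), and the light-gray display of firewalls and load balancers that were deleted directly in the provider, both come down to comparing what the platform holds with what the provider reports. The following Python is an added example, not Abiquo code and not its API: it models rules in a canonical form so that semantically equal rules compare equal, separates genuinely new rules from ones the provider would reject as duplicates, reports objects created or removed directly in the provider, and, as an audit step beyond the page's text, flags inbound rules that expose management ports to any source. The Rule and Reconciliation classes, the management-port list and the sample rules are constructed for the example.

```python
"""Reconcile a firewall policy's rules with the provider's security group before
adding rules, and surface drift. Added example; not Abiquo code."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set
import ipaddress

# Audit settings chosen for the example: ports most operators want closed to the world
MANAGEMENT_PORTS = {22, 3389}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str           # source (inbound) or destination (outbound) network

    def normalized(self) -> "Rule":
        """Canonical form: lower-case names, network written as its canonical CIDR."""
        net = ipaddress.ip_network(self.cidr, strict=False)
        return Rule(self.direction.lower(), self.protocol.lower(),
                    self.port_from, self.port_to, str(net))


@dataclass
class Reconciliation:
    to_create: List[Rule] = field(default_factory=list)    # safe to submit to the provider
    duplicates: List[Rule] = field(default_factory=list)   # provider would reject as existing
    drift_added: Set[Rule] = field(default_factory=set)    # present in provider, unknown to platform
    drift_removed: Set[Rule] = field(default_factory=set)  # in platform, missing in provider


def reconcile(platform_rules: Iterable[Rule], provider_rules: Iterable[Rule],
              new_rules: Iterable[Rule]) -> Reconciliation:
    """Compare the platform's copy with the provider's current ruleset (the
    'synchronize' step), then decide which requested rules can actually be created."""
    platform = {r.normalized() for r in platform_rules}
    provider = {r.normalized() for r in provider_rules}
    result = Reconciliation(drift_added=provider - platform,
                            drift_removed=platform - provider)
    seen: Set[Rule] = set()
    for rule in (r.normalized() for r in new_rules):
        # A rule already in the provider, or requested twice, would fail on creation
        if rule in provider or rule in seen:
            result.duplicates.append(rule)
        else:
            result.to_create.append(rule)
            seen.add(rule)
    return result


def wide_open(rules: Iterable[Rule]) -> List[Rule]:
    """Inbound rules that expose a management port (or all traffic) to any source."""
    flagged: List[Rule] = []
    for rule in (r.normalized() for r in rules):
        if rule.direction != "inbound" or rule.cidr not in ANY_SOURCE:
            continue
        if rule.protocol == "all" or any(rule.port_from <= p <= rule.port_to
                                         for p in MANAGEMENT_PORTS):
            flagged.append(rule)
    return flagged


# Constructed sample data: what the platform stored, what the provider now reports
# (a 3389 rule was added directly in the provider console), and what the user wants to add.
PLATFORM_RULES = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),
                  Rule("inbound", "tcp", 22, 22, "10.0.0.0/8")]
PROVIDER_RULES = [Rule("inbound", "TCP", 443, 443, "0.0.0.0/0"),
                  Rule("inbound", "tcp", 22, 22, "10.0.0.0/8"),
                  Rule("inbound", "tcp", 3389, 3389, "0.0.0.0/0")]
NEW_RULES = [Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),          # already exists
             Rule("inbound", "tcp", 8080, 8080, "192.168.1.0/24"),
             Rule("inbound", "tcp", 8080, 8080, "192.168.1.5/24")]    # same network, host bits set

if __name__ == "__main__":
    outcome = reconcile(PLATFORM_RULES, PROVIDER_RULES, NEW_RULES)
    print("create:", outcome.to_create)
    print("skip as duplicates:", outcome.duplicates)
    print("added directly in provider:", outcome.drift_added)
    print("missing in provider:", outcome.drift_removed)
    print("wide open:", wide_open(PROVIDER_RULES))
```

Run the reconcile step against the provider's current rules before every rule edit; `drift_removed` is also where a rule that has not yet propagated through AWS shows up, which is why the page advises waiting before treating a missing rule as deleted.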
This section describes the tasks performed by the cloud user. Depending on user privileges, some of these functions may be performed by the tenant administrator.
Click on your user name in the top right-hand corner of the screen.
Edit your user account and update your details. Add a public key for SSH access to VMs deployed in public cloud.
To create a new virtual appliance, open the Virtual datacenters view. Then select the virtual datacenter where the virtual appliance will be deployed, click the add button, and complete the form.
The basic process for working with VMs is the same throughout the whole Abiquo cloud platform, regardless of the underlying technology, which may be hypervisors, public clouds or Docker. The following screenshots show a private cloud environment, but they would be very similar for a public cloud or even a Docker environment.
Configuring VMs in public cloud is similar to private cloud.
Do NOT change the Abiquo tag on the Amazon Instance
Do not change the Abiquo platform's tag on an Amazon instance in Amazon or you will break the link between Abiquo and the VM. If the link is broken, you will not be able to manage the VM with Abiquo.
You can edit the network configuration of an AWS machine if it is:
Click on the Network tab to edit the network configuration.
Do Not Rename the Amazon Instance
Do not change the virtualmachine tag of an AWS instance in AWS or you will break the link between Abiquo and the VM. If the link is broken, you will not be able to manage the VM with Abiquo.
To add a floating public IP to your VM:
A floating public IP should be displayed as shown in the following screenshot. The floating IP is not part of any Abiquo VLAN.
To remove a floating IP from your VM, power off or undeploy the VM and click the X button near the IP address.
The floating IP will still be assigned to your virtual datacenter.
Your public cloud provider may charge for a public IP that is assigned to a virtual datacenter but not in use.
After you undeploy the VM, remember to remove the floating IP, because AWS charges for floating IPs that are not in use.
To ensure that your public cloud provider does not charge you for the floating public IP, remove it from your virtual datacenter. The floating public IP will be released and you cannot add it to another machine. When you add another floating IP to your virtual datacenter and VM, there is no guarantee that it will have the same IP address.
If firewalls are offered in your datacenter and firewalls have been created in your virtual datacenter, then you can assign firewalls to your VMs.
Privilege: Assign firewall
To assign a firewall from the virtual datacenter to a VM, edit the VM and open the Firewalls tab. Mark the firewall with a tick in the Firewall policies checklist. You can add as many firewall policies as necessary, up to the public cloud provider's limit. See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#VPCSecurityGroups
Click Save.
Privilege: Assign firewall
To remove a firewall from a VM, edit the VM and open the Firewalls tab. Remove the tick beside the firewall in the Firewall policies checklist. Click Save.
Chef is an infrastructure automation product that uses configuration recipes. You can use Abiquo Chef Integration to deploy a VM that will then configure itself using Chef recipes and roles.
The Chef tab is enabled if the enterprise is Chef-enabled and the VM template is Chef-enabled. Before the VM is deployed, you can select from the available roles and recipes. These will be added to the machine's runlist. When the machine is deployed it will download the roles and recipes, and run them in order. Click the Chef tab. By default on this tab you can select roles. Mark the "Select individual components" checkbox to select individual recipes too. The selected recipes will be added to the Virtual Appliance's runlist in order of selection.
To change the order of the runlist, click on the pencil button beside a role or recipe, then edit the order number, then click OK.
To change the runlist order after deployment click on the pencil button, then edit the order number, then click OK. The Abiquo Chef Agent will connect to the Chef Server and update the runlist.
See also Configuring and Using Abiquo Chef Integration in the Abiquo HOWTOs and Troubleshooting Abiquo Chef Integration in the Administrator's Guide.
If you have the privilege to Manage VM monitoring and it is configured in your virtual datacenter, you can enable the option to fetch metrics from the hypervisor or public cloud region.
To enable VM monitoring and metrics, work with a VM that is powered off or undeployed.
Edit the VM and go to the Monitoring tab.
Mark the fetch metrics checkbox.
Select from the available options; for example, for AWS, you can select detailed or basic monitoring.
The functionality and list of available metrics depend on the underlying virtualization technology.
Select the individual metrics you would like to retrieve for your VM.
On the VM icon, click the Monitoring symbol to display the metrics.
The metrics panel will open.
Select the refresh button to update the display of a metric.
Select the filter button to configure the display of the metric.
Set the
Click Accept to save the values.
To view the exact metric values in a call-out box, mouse over the monitoring graph line.
To create a highlight point, click on the metric graph line.
To simultaneously view the data for more than one VM, use the virtual appliance monitoring view.