Abiquo 4.7


You are viewing an old version of this page. View the current version.


This manual is a basic guide to administering and using public cloud in Abiquo.

The following basic roles are described in this manual: cloud administrator, enterprise administrator, and user.

Cloud administrator tasks

This section describes the cloud administrator tasks in public cloud.

Configure your user account

All users should configure their user accounts before starting work with the cloud platform.

You can configure your user account from the Username menu. The menu options will depend on the platform configuration.

To access the Username menu, click on your User name or the User icon in the top right-hand corner of the screen.

Username menu to configure your user account

Tip: To disable this menu for all users, go to Configuration → Security, and clear the Allow user to change their password checkbox.

Edit your user account details

To edit your user account, click on the User name or User icon in the top right-hand corner of the screen, and select Edit user from the pull-down menu.

Abiquo recommends that you change your Password and update your user details, especially your E-mail address and Phone number, which can be used for notifications and authentication.

You can also add your Public key for access to deployed virtual machines.

Enable two factor authentication

Your platform may offer or require two-factor authentication (2fa) to improve user login security with an additional authentication code. For platform configuration instructions, see Configure two factor authentication.

Before you begin:

  • To use Google Authenticator to obtain the codes, install the Google Authenticator app on your cell phone. 
  • To use email authentication to obtain the codes, check that you have a valid email address in your user account on the platform.

To enable two-factor authentication for your user account, do these steps:

  1. Click on the User name or User icon in the top right-hand corner of the screen, and select Two-factor authentication from the pull-down Username menu.
    From the username menu, select enable two-factor authentication
  2. Select the authentication method and click Enable
  3. Copy the Backup codes from the bottom left-hand corner of the configuration window to a secure place. You can use these codes to log in to the platform if the authentication cycle fails

    The platform will display backup codes ONCE only

  4. Authenticate according to your selected method
    • For Google Authenticator, use the Google Authenticator app on your cell phone to scan the QR code. Google will supply a verification code in the app. During login, the platform will request the Authentication code from the app. 
    • For email, during login, every time you enter your user name and password to log in, a code will be sent to the E-mail address registered in your user account. Enter the Authentication code in the Login dialog

Screenshot: Enabling two factor authentication

Two-factor authentication popup to select authentication method

Screenshot: Two factor authentication with backup codes (left) and QR code (middle)

Example of backup codes and QR code for two-factor authentication

Screenshot: Login with two-factor authentication

Edit public cloud credentials for your enterprise

To work with a public cloud region, each enterprise should have its own public cloud account for the cloud provider. All the users in the tenant will work with this same account. 

Before you begin:

  1. Check your provider's documentation and pricing. 
  2. Obtain credentials to access the cloud provider's API. We provide the following basic guides but you should always check with your provider. See Obtain public cloud credentials

    Privilege: Manage provider credentials

To add public cloud credentials:

  1. Go to Users → select and edit enterprise → Credentials → Public
  2. Enter the Credentials as described here

    • Provider: Select public cloud provider or vCloud Director region. Some providers may require different credentials for groups of regions, for example, "Amazon (CHINA)". If a specific provider does not display, for example, a vCloud Director region, the cloud administrator may need to allow access for your enterprise.
    • Access key ID: Identity to access the cloud provider API. For example, a username, API access key ID, subscription ID and certificate, or another account identifier. For DigitalOcean v2, the platform does not use this field, but you must enter a value in it to enable the Add account button. For Azure, the format is subscription-id#app-id#tenant-id
    • Secret access key: Key to access the cloud provider API. For example, an API key or other API credential. For DigitalOcean v2, enter the token.
    • Also use for pricing: Use this credential to access pricing data in the provider. For example, to get hardware profile prices from AWS. For Azure, add a separate pricing credential.
    • Current credentials: Provider credentials that are already in the platform
  3. Click Add account. The platform will validate your credentials with the cloud provider and save them
  4. Finish editing the enterprise and click Save

Add an application for OAuth

For OAuth applications, users can add applications, display keys, inspect the privileges assigned to the application, and delete the application.

Privilege: Manage user applications

To add an OAuth application:

  1. Click on the User name or User icon in the top right-hand corner of the screen to open the Username menu 
  2. Select Manage applications
  3. Click the + button
  4. Enter the Name and Description of the application
    Popup to add application for OAuth authentication
  5. To set the privileges of the application, go to Privileges. By default, all of the user's privileges are selected for the application. We recommend that you go to Privileges and remove any unnecessary privileges
    Add privileges to OAuth applications
  6. Click Save

Abiquo will add the new application to the Applications list and display the API key and an API secret key. Copy the API key and API secret key to a secure storage area.

View keys and privileges assigned to OAuth application

Create public cloud regions



Control tenant resources

You can control the resources that an enterprise may consume. This will help prevent resource overallocation, enterprises using resources from other enterprises, and even DoS attacks. Allocation limits will also help system administrators to anticipate user needs and forecast resource demand. Hard and soft limits are used by the resource scheduler to decide if a user can deploy a virtual appliance or not.

  • Hard Limit: the maximum amount of resources (CPU, RAM, Hard Disk, etc.) that an enterprise may consume.
  • Soft Limit: triggers a warning for users that they are nearing the hard limits for their enterprise.


Enterprise allocation limits are checked during configuration or deploy, or before operations as shown in the above table.


Allow the tenant to access regions

To set the datacenters and public cloud regions that an enterprise is allowed to access, edit the Enterprise and click the Datacenters tab.

Select one or more datacenters or public cloud regions in the left pane and drag and drop them into the "Allowed Datacenters" right pane.

Access to at least one datacenter or public cloud region is required in order to deploy VMs. The left pane contains datacenters, which are "Prohibited Datacenters" by default.

Datacenters Automatically Assigned to Current Enterprise on Creation

By default, when a datacenter or public cloud region is created it is automatically assigned as Allowed for the current user's enterprise only.

Note that Allowed datacenters are working datacenters where users can deploy. This is different from an admin user having administration Scope to administer the infrastructure of a datacenter.

Limit tenant resources in the region

You can set resource allocation limits for this enterprise in each allowed datacenter or public cloud region. To set allocation limits, select one of the Allowed Datacenters in the right pane and click the edit button. Set these limit values in the pop-up that opens.

Limit resources for an enterprise in a public cloud region


Validation of resource limits in a location

As for overall enterprise limits, resource limits in a datacenter or public cloud region are validated as described in the following table. 


Tenants obtain cloud provider credentials

If the tenant does not have cloud provider credentials, they should follow their cloud provider's instructions on how to obtain access to the provider's API.

Abiquo provides basic guides to obtaining credentials, but the tenant should always consult the cloud provider for the most up-to-date information.

Add tenant credentials for each provider

Before you enter public cloud credentials, there must be an existing public cloud region for the provider.

To add credentials for a public cloud provider:

  1. Check in Infrastructure view or with your Administrator, that the public cloud region is already created
  2. Edit the enterprise and select the Credentials tab
  3. From the Provider pull down list, select the public cloud provider
  4. Enter your Access key ID, which may be a Username, a specific API access key ID or other account identifier
  5. Enter your Secret access key, which may be an API key or other API credential
  6. Click Validate account
  7. After the account has been validated, click Save

Prepare foundation template library

In the Abiquo Apps Library you can compile a selection of certified public cloud templates for your users to deploy by self-service.

Abiquo will store the details of these templates but not their disks.

Public cloud libraries can have many thousands of VM templates (e.g. AWS has 19,000 AMIs) that are difficult to find and manage. In addition, administrators cannot control the content of public cloud templates. In the Apps library, you can define a cache of details of your approved or certified public cloud templates. And you can customize the templates' representation to make it even easier for cloud users to find the right template. 

Public cloud templates belong only to the region they were created in. Templates in one region usually cannot be accessed from another region and this rule also applies to the Abiquo Apps library. Public cloud templates that are effectively the same will usually have different IDs and names in each region.

The Apps library is a collection of VM templates that enables users to quickly and easily deploy VMs.

To display public cloud templates:

  1. Click the Apps library icon in the main menu bar to go to Apps library.
  2. Click on the Public radio button. 
  3. In the public list, click on the name of the public cloud region. By default you will see any templates you can deploy within this region in icon view. 
    1. To change to the list view, click on the List view tab symbol in the top right-hand corner.

To display the details of a template, move the mouse over the template. A tooltip will display the template information.


The VM templates in the Apps library may be marked with the symbols described in the following table.

Template type: Description

  • Shared template: A template that may be used by all enterprises in the template's scope. See Modify a VM Template (Scopes tab for sharing VM templates)
  • Deleted template: Also called an Unavailable template. The template has one or more disks missing in the Apps library filesystem.
  • Failed template: The template disk file was not properly created

Filter local public cloud templates

The public cloud template search and filter is used for all public clouds and private clouds that use their own registry, such as OpenStack and vCloud Director, and Docker.

  • Free text. For example, ami-0354b96a
  • Free text. Search for this text in each template Name and Description. The search is not case sensitive
  • OS type: Any, Windows or Other
  • 32 bits: 32-bit images
  • 64 bits: 64-bit images

You can filter to find the templates you want to work with in the Apps library. To open the filter, click the funnel Filter button. Enter filter values, including wildcards, and click Accept.

To reset filter values to defaults, click Clear. This will display all local templates. 


Tenant administrator tasks

This section describes tasks that will generally be performed by a tenant administrator. These tasks will vary depending on the cloud platform configuration.

Obtain credentials for public cloud

Abiquo provides basic guides to obtaining credentials, but you should always consult the cloud provider for the most up-to-date information.

Privilege: Access Virtual datacenters view

In the Virtual datacenters view you can manage your compute, network and storage resources. Each virtual datacenter (VDC) is a separate cloud environment in a single datacenter or public cloud region. 

To access Virtual datacenters view, click the Cloud button at the top of the screen.

The view is divided into two main sections. On the left there is a list of virtual datacenters, and on the right, there are a series of tabs for managing virtual infrastructure.

Basic virtual datacenter concepts

A virtual appliance is like a folder that contains a group of one or more workloads (virtual machines (VMs) or containers) that may be related and can be used together to provide a service. Each VM is an independent entity but you can deploy all of the VMs in the virtual appliance together. You can manage virtual appliances on the Virtual appliances tab in either list view or card view.

Users must create VMs within virtual appliances.

In private cloud with hypervisors, the platform saves the disks and a copy of the original template definition, unless the VM was captured from outside Abiquo, in which case it saves the configuration of the VM. The platform stores the instance under the master template in the Apps library. An instance is a copy of the selected disks of a VM made at a given time and stored as a VM template. In public cloud providers, the platform saves the instance as a new VM template with disks and the configuration of the VM. Remember to enter a name that will help you to identify the instance template

In the platform, hard disks are non-persistent and they are destroyed when deleted from the VMs or when the VMs are undeployed. In private cloud datacenters with hypervisors, the platform creates hard disks on the hypervisor datastore.

In private cloud datacenters, volumes are persistent and independent of the VMs. The platform creates volumes on external storage devices. Volumes are available in private cloud datacenters with hypervisors and they require the external storage feature. 

A persistent VM template has one or more persistent disks on external storage volumes. Persistent VM templates are available in private cloud datacenters with hypervisors and they require the external storage feature.

Persistent VM template disks are associated with a specific virtual datacenter. Hypervisors running persistent VMs will work directly from any persistent volumes. VM data stored on a persistent disk will be persisted on the external storage device. When you undeploy a VM, all changes made to the non-persistent disks will be lost. The next time you deploy the VM, the non-persistent template files will be freshly created, for example, standard template disks will be copied again from the appliance library to the target hypervisor. Note that it is not necessary for you to use a persistent disk as a system disk when you create a persistent VM.


Prepare enterprise templates

Depending on their user privileges, the tenant administrator may be able to do the following tasks

  • Search the Apps library for templates
  • Add templates to the Apps library
  • Modify templates
  • Share templates with their customers

Onboard from public cloud


Onboard virtual datacenters from public cloud


Abiquo automatically onboards from public cloud regions

If your public cloud provider does not support virtual datacenter entities, the platform will automatically onboard when you select the public cloud region.


Restrict user access to virtual datacenters

By default, all users have access to all virtual datacenters. However, you can select a list of virtual datacenters for each user and they will only be able to access these virtual datacenters.

To restrict VDC access, open Users view and create or edit a user who is not an administrator or who does not have the No VDC restriction privilege.

On the create or edit dialog, select the Restrict access to VDC checkbox to open the list of available virtual datacenters. If none are selected, the user will have access to all VDCs. Select the VDCs where this user will be able to deploy VMs. You can only restrict the VDC access of users without the No VDC restriction privilege.

Manage Networks

This section describes how to manage networks in private datacenters and public cloud providers. 

Display virtual datacenter networks

To display the networks available to a virtual datacenter:

Privileges: Manage virtual network elements, Access external networks tab, Access public networks tab

  1. Go to Virtual datacenters → select virtual datacenter → Network.
  • The default network is highlighted with a star symbol
  • A network with an internet gateway is highlighted with a globe symbol.

API Features

Virtual datacenter networks are available in the Abiquo API. For example, see VirtualDatacentersResource and PrivateNetworksResource.

Network tab in virtual datacenter highlighting default network and internet gateway

In the Networks list, to view the pool and allocation of IPs:

  • To display all the IPs in the virtual datacenter, click the All button at the top of the list
  • To display the IPs in a network, click the Network name

You can then:

  • Use the slider at the bottom of the list to move through the pages 
  • Filter the list by entering text in the Search box. The filter works with all the columns of the table including:
    • IP Address
    • MAC address
    • Network name
    • Virtual appliance using the IP
    • VM using the IP
    • Provider ID of the entity using the IP (for example, a load balancer)

Create a private network

Private networks are only available within a virtual datacenter. However, your cloud provider may configure an external gateway for your virtual datacenter.

To create a private network:

  1. Go to Virtual datacenters → select virtual datacenter → Network
  2. Click the button and complete the dialog

Create a private network




  • Name of the network (VLAN). The name can contain up to 128 characters
  • IPv6: Select checkbox for IPv6 network
  • Netmask: Network mask with an integer value of between 16 and 30
  • Network Address: Private address range of the network
  • Gateway of the VLAN. Must be an IP within the range of the network address and mask
  • Primary DNS: The primary DNS
  • Secondary DNS: The secondary DNS
  • DNS suffix: The DNS suffix
  • Excluded from firewall: Select Excluded from firewall to define a network where VM firewalls will not apply
  • Static Routes: Select Define to create static routes. See Configure Static Routes
  • Default network: Make this network the default network, replacing the existing default network.

You can configure static routes when you create or edit a network. However, you should check with your systems administrator about when your VM will receive changes to static routes.

Configure static routes for Abiquo networks





  • Destination network mask
  • Network ID: Destination network or host
  • Gateway IP: Next hop (on your network)


Strict network


Non-strict network



  • Name of the VLAN. The name can contain up to 128 characters
  • IPv6: Select checkbox for IPv6 network
  • Strict: IPv6 only. If you select Strict, Abiquo will automatically generate the network address (ULA) and also the IP addresses. If you do not select strict, you can enter the network address and IP addresses.
  • Netmask: Network mask of 48, 56 or 64.
  • Network Address: Private address range of the network. Only for non-strict networks
  • Primary DNS: The primary DNS
  • Secondary DNS: The secondary DNS
  • DNS suffix: The DNS suffix
  • Default network: Make this network the default network. In a datacenter, this will override the existing default network

Use private networks in public cloud

In public cloud providers that support networks:

  • When you onboard resources, the platform will onboard private networks, including details of IP addresses not used by VMs
  • You can synchronize private networks
  • You can create additional private networks in the provider
    • When you create a custom private network in AWS, you can choose the Availability Zone. Availability Zones enable users to deploy VMs separately, with high availability. 
    • To deploy in an Availability Zone, assign a private IP address in the network belonging to that Availability Zone

Create IP addresses in private networks

To create new IP addresses in a private network do these steps.

  1. Go to Virtual datacenters → optionally select a virtual datacenter
  2. Go to Networks → Private → select a private network
  3. Click the Add + button in the top right-hand corner of the Private IPs page and enter details

Or you can add an IP directly to a VM. To do this:

  1. Go to Virtual datacenters → edit VM → Network
  2. Click the Add + button and enter details (or drag the Auto-generated IP label into the Network pane)

Enter the Number of IPs to create and the From IP address (the first in the range). The first IP address must be a new address that does not already exist in the network. After creating the first IP address, the platform will try to create the other IPs and it will skip any existing IP addresses. 

For example, if you have IP addresses in network, which are 30, 33, and 34 and then you request 3 new IPs from The new IPs created should be as follows: 31, 32, 35. 
IP Addresses

When you add IPv6 addresses on strict networks, you don't need to set the starting address.

On non-strict IPv6 networks, Abiquo recommends that you create an automatic IP address, or you can enter a From IP address manually as shown here.
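
The IPv4 private network rules in this section (netmask between 16 and 30, gateway inside the network range) and the address creation behaviour (the first address must be new, later existing addresses are skipped) can be checked before you fill in the dialogs. This is an added example, not Abiquo code: the function names, the 192.168.0.0/24 sample network, the starting address ending in .31, the rejection of network and broadcast addresses, and the behaviour when the range runs out are assumptions made for illustration.

```python
"""Added example: pre-checks that mirror the private network rules on this page."""
import ipaddress

# Constructed sample data: addresses that already exist in the network.
EXISTING = ["192.168.0.30", "192.168.0.33", "192.168.0.34"]


def validate_private_network(network_address, netmask, gateway):
    """Return a list of problems; an empty list means the values are consistent."""
    if not isinstance(netmask, int) or not 16 <= netmask <= 30:
        return ["netmask must be an integer between 16 and 30"]
    try:
        # strict=True rejects a network address that has host bits set.
        net = ipaddress.IPv4Network(f"{network_address}/{netmask}", strict=True)
    except ValueError as exc:
        return [f"invalid network address: {exc}"]
    problems = []
    if not net.is_private:
        problems.append("network address is not in a private range")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append("gateway is not a valid IPv4 address")
        return problems
    if gw not in net:
        problems.append("gateway is outside the network range")
    elif gw in (net.network_address, net.broadcast_address):
        # Extra check added in this example; the page only requires "in range".
        problems.append("gateway is the network or broadcast address")
    return problems


def create_ips(network, existing, first_ip, count):
    """Return `count` new addresses from `first_ip`, skipping existing ones."""
    net = ipaddress.IPv4Network(network)
    used = {ipaddress.IPv4Address(ip) for ip in existing}
    start = ipaddress.IPv4Address(first_ip)
    if start not in net or start in (net.network_address, net.broadcast_address):
        raise ValueError("first IP is not a usable address in the network")
    if start in used:
        # The page requires the first address to be new.
        raise ValueError("first IP already exists in the network")
    created = []
    candidate = start
    # Assumption: when the range runs out, fewer addresses are returned.
    while len(created) < count and candidate < net.broadcast_address:
        if candidate not in used:
            created.append(str(candidate))
        candidate += 1
    return created


if __name__ == "__main__":
    print(validate_private_network("192.168.0.0", 24, "192.168.0.1"))
    print(create_ips("192.168.0.0/24", EXISTING, "192.168.0.31", 3))
```
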

Edit a private network

To edit a private network:

  1. Go to Virtual datacenters → select a virtual datacenter → Network
  2. Select the network
  3. Click the Edit button above the Networks list
  4. You can change the network Name, Gateway, DNS settings, and optionally make the network the new default for this virtual datacenter.
  5. Click Save

The new settings will apply to all VMs deployed after you save the network.

Delete a private network

You can delete a private network if no VMs are using its IPs and it is not the default network for the virtual datacenter.

To delete a private network:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → Private
  2. Select the network and click the Delete button above the Networks list.

Display onboarded external networks

The platform automatically onboards external networks when you onboard virtual datacenters from vCloud Director.

Privileges: Manage virtual network elements, Access external networks tab, Manage external network elements

To display onboarded external networks:

  1. Go to Virtual datacenters → Network → Select vCloud VDC → External

Delete an onboarded external network

If an onboarded network has been deleted in the provider, its name will display in light gray text. If a VM is using an IP from this network, then you cannot deploy the VM.

If there are no VMs using the IPs of an external network that was already deleted in the provider, to delete the network in the platform, select it and click the Delete button.

Set default virtual datacenter networks

The platform always requires a default network for a virtual datacenter to ensure that if you deploy a VM without assigning a NIC, the platform will be able to add one from the default network.

Privileges: Manage virtual datacenter network elements, Access public network tab, Manage public network elements, Access external network tab, Manage external network elements

To set a new or existing network as the default:

  1. When you create or edit the network, select the Default network checkbox. The new default network will apply to all VMs deployed after you set it.  

In private cloud, if you set a public network as the default, remember to obtain IP addresses for your VMs before you deploy!

Manage firewalls

Introduction to Firewalls

The platform provides a unified interface to firewalls in varied cloud environments. 

This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX, Neutron) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs.

In vCloud Director, the platform supports classic firewalls, which are Edge firewalls at the level of the public cloud region (orgVDC). The platform does not support security groups for VMs in vCloud Director. See Manage classic firewalls

Synchronize firewall policies with the cloud provider

The synchronization process will onboard firewalls and it will update the platform's information about firewalls that already exist in the cloud provider. The platform synchronizes automatically when you onboard virtual resources from public cloud. Depending on the provider, the platform may support synchronization at the level of the location (public cloud region) or virtual datacenter.

To synchronize firewalls do these steps:

  1. Select All virtual datacenters and the location, or a single virtual datacenter
  2. Click the double-arrow synchronize button 

To synchronize a firewall before you add new firewall rules:

  1. Select the firewall and click the double-arrow synchronize button

Create a firewall policy

The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.

Privilege: Manage firewall

To create a new firewall, do these steps:

  1. Go to Virtual datacenters → Network → Firewalls
  2. Click the Add button
  3. Enter the firewall details




    • Name of the firewall policy.
    • Location: Public cloud region
    • Virtual datacenter:
      • Virtual datacenter: The platform will create your firewall in the cloud provider. It will add a provider-ID that will display on the main Firewalls page. The platform will synchronize rules with the provider
      • No virtual datacenter: The platform will create the firewall in the platform only, for your enterprise in the public cloud region. The platform will not synchronize rules with the provider. The platform will create the firewall in the provider when you select a virtual datacenter.
    • Description of the firewall policy

  4. Click Save to create the firewall
  5. Add Firewall rules as described below

If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a Provider-ID and a Virtual datacenter ID for the firewall. 

If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.


Set a firewall policy as the default for a virtual datacenter

You can set a default firewall policy for each virtual datacenter. 

Privilege: Manage default firewall

To set or unset a default firewall for a virtual datacenter:

  1. Select the firewall
  2. Click the star button

When the user creates a VM, the platform will assign the default firewall. The firewall rules apply to VMs, not individual NICs on the VMs. Changes to the firewall ruleset will apply to every VM in the virtual datacenter with the default firewall. If you do not set a default firewall but the provider requires one, for example, AWS, the platform will set the provider's default firewall. In AWS the default firewall is not marked. 

Edit a firewall policy

If your provider allows it, you may edit a firewall policy in the platform. 

To edit a firewall policy:

  1. Go to Virtual datacenters → select virtual datacenter or select a region → Network → Firewalls
  2. Select the firewall and click the pencil edit button.
  3. Make your changes and click Save




  • Name of the firewall policy
  • Virtual datacenter:
    • Virtual datacenter: If your firewall had no virtual datacenter and you select one, the platform will create your firewall in the cloud provider. It will add a provider-ID that will display on the main Firewalls page. The platform will synchronize rules with the provider
  • Default: Select this option to set the firewall as the default. Note: The platform will not assign the default firewall to existing VMs.
  • Description of the firewall policy

If the provider does not allow you to edit the policy, you may be able to delete the firewall in the provider, then reuse the configuration.

Edit firewall rules in AWS

Amazon allows you to edit firewall rules and you can do this through the platform. First synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, the platform will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency

Edit firewalls in AWS

To edit an AWS firewall in Abiquo, you can delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in the platform. You can now edit the firewall and the firewall rules, and you can even assign the firewall to another virtual datacenter. The following screenshot shows the default firewall for several different VDCs. The "webDB" firewall currently exists in AWS. The other firewalls have been created in the platform but are not assigned to a virtual datacenter and do not currently exist in AWS.


Editing a firewall in AWS

Edit firewall policy rules

You can define firewall rules for inbound and outbound traffic in your firewall policy.

To add a new firewall rule:

  1. Select the virtual datacenter or location
  2. Select the firewall
  3. On the Firewall rules panel, click the pencil Edit button
  4. Select the Inbound or Outbound tab for the traffic direction you wish to control
  5. Enter the details of a rule
    1. Protocol
      • Select from Common protocols, OR
      • Select and enter a Custom protocol
    2. Port range with the Start port and End port that this rule will apply to. To enter one port, enter the same value twice, or optionally apply the rule to a number of ports at the same time
    3. Sources or Targets as a network address and netmask
  6. Click Add. The firewall rule will be added to the Firewall rules list
  7. Enter more rules as required, then click Save
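
The checks a rule should pass before you click Add, as an added example (not Abiquo code): it validates the port range and network, reports a rule that duplicates or is already covered by one synchronized from the provider, and reports inbound rules that open SSH or RDP to 0.0.0.0/0. The Rule model, the sensitive-port list, the normalization of host bits and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

SENSITIVE_PORTS = (22, 3389)  # assumption: SSH and RDP treated as admin ports


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one rule as entered in the dialog."""
    direction: str    # "inbound" or "outbound"
    protocol: str     # for example "TCP" or "UDP"
    start_port: int
    end_port: int
    network: str      # Sources or Targets as address/netmask


def normalise(rule):
    """Return a comparable tuple, or raise ValueError if the rule is malformed."""
    direction = rule.direction.lower()
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be inbound or outbound")
    if not 0 <= rule.start_port <= rule.end_port <= 65535:
        raise ValueError("port range must satisfy 0 <= start <= end <= 65535")
    # strict=False accepts host bits (10.0.0.5/24) and reduces them to the network
    net = ipaddress.ip_network(rule.network, strict=False)
    return (direction, rule.protocol.upper(), rule.start_port, rule.end_port, net)


def covers(a, b):
    """True if normalised rule a already allows everything rule b allows."""
    return (a[0] == b[0] and a[1] == b[1]
            and a[2] <= b[2] and b[3] <= a[3]
            and a[4].version == b[4].version and b[4].subnet_of(a[4]))


def preflight(candidate, synchronized):
    """Findings for a candidate rule against the rules synchronized from the provider."""
    try:
        cand = normalise(candidate)
    except ValueError as err:
        return ["invalid: %s" % err]
    findings = []
    existing = [normalise(r) for r in synchronized]
    if cand in existing:
        findings.append("duplicate")      # the provider would reject this rule
    elif any(covers(e, cand) for e in existing):
        findings.append("redundant")      # a broader rule already allows it
    direction, _, start, end, net = cand
    if direction == "inbound" and net.prefixlen == 0:
        exposed = [p for p in SENSITIVE_PORTS if start <= p <= end]
        if exposed:
            findings.append("world-open admin port: %s" % ",".join(map(str, exposed)))
    return findings


# Constructed sample: rules as they might look after synchronizing a firewall
SYNCED = [
    Rule("inbound", "TCP", 443, 443, "0.0.0.0/0"),
    Rule("inbound", "TCP", 22, 22, "10.0.0.0/24"),
]

if __name__ == "__main__":
    for r in [Rule("inbound", "tcp", 22, 22, "10.0.0.7/24"),
              Rule("inbound", "TCP", 20, 25, "0.0.0.0/0"),
              Rule("inbound", "TCP", 8080, 8000, "10.0.0.0/24")]:
        print(r, preflight(r, SYNCED))
```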

Edit firewall rules

Delete firewall policy rules

To delete firewall rules, do these steps.

  1. Go to Virtual datacenters → select a virtual datacenter or select All → Network → Firewalls
  2. Edit the firewall
  3. Select the Inbound or Outbound tab
  4. On the left-hand side of each rule you wish to delete, click the trash/garbage Delete button
  5. Click Save

Display firewall policies

You can display and manage firewalls in the platform at the level of the virtual datacenter or the location (public cloud region or datacenter).

To display firewalls that exist in a virtual datacenter in the provider:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → Firewalls

Virtual datacenters view with Network tab on Firewalls page

To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider:

  1. In the Virtual datacenters list, select All
  2. On the Firewalls tab, select the location (public cloud region or datacenter)
    Virtual datacenters view with Network tab displaying all firewalls in a region of the cloud provider

To filter firewalls, enter text in the Search box to search by the Name, Description, and Provider ID in the Firewalls list.

Assign a firewall policy to a VM

See Assign a firewall policy to a VM

Move a firewall policy to another VDC

To move a firewall to another virtual datacenter:

  • In Neutron, edit the firewall in Abiquo and change the VDC

  • In Azure ARM, edit the firewall and change or remove the virtual datacenter
  • In AWS, delete the firewall directly in the provider, then synchronize so the provider ID will be removed from the firewall in Abiquo. Now you can edit the firewall and change the virtual datacenter. This is because you are not allowed to edit firewalls or move them from one VPC to another in AWS but you can do this in Abiquo. The following screenshot shows a firewall after the AWS security group was deleted. The firewall rules are preserved for you to edit or apply to another virtual datacenter. 

Reuse a firewall after deleting a virtual datacenter

If you delete a virtual datacenter, the firewalls will be deleted in the cloud provider or network virtualization system but they will still be present in the platform. The details of the firewalls may vary, for example, in AWS they will not have a Provider ID but in Neutron they will have a provider ID. You can edit these firewalls as required and assign them to another virtual datacenter.

To assign a firewall with no virtual datacenter to a virtual datacenter, do these steps

  1. Go to Virtual datacenters → Network → Firewalls

  2. Go to V. Datacenters All → Firewalls location

    Reuse a firewall after deleting a virtual datacenter

  3. Select and edit the firewall
  4. Select the virtual datacenter to assign it to
  5. Click Save

Edit a firewall to assign it to a new virtual datacenter

Delete a firewall policy

To delete a firewall policy:

  1. Edit each VM that is using the firewall policy to remove the firewall policy
  2. Select the firewall policy
  3. Click the Delete button

Troubleshoot firewall policies

Q: Does my firewall exist in the provider? Which VDC does it belong to?

A: In the Abiquo API, the firewall object contains a link to the virtual datacenter it belongs to.

  • In AWS or Azure ARM, if a firewall has a provider ID, then it exists in the cloud provider. The provider ID is the AWS security group ID or the Azure firewall name.
  • Neutron assigns a provider ID to the firewall and it remains the same. In Neutron, the provider ID does not indicate if the firewall is assigned to a VDC or not. This means that the firewall can have a provider ID even when it does not exist in the provider.

Manage firewalls with the API

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource FirewallPoliciesResource.

Manage load balancers

Introduction to load balancers

The load balancer feature aims to simplify the creation of load balancers across all cloud platforms, providing a unified interface. You can create a load balancer in the enterprise for the location and later assign it to a virtual datacenter, and then the platform will create it in the provider. You can also reuse load balancer configurations.

Please refer to cloud provider documentation as the definitive guide to the load balancing features, and remember to check your cloud provider pricing before you begin.

To manage load balancers, go to Virtual datacenters → select a virtual datacenter → Network → Load balancers.

To display load balancers for a region, including those that are not assigned to a virtual datacenter in a provider:

  1. In the Virtual datacenters list, select All
  2. In the Regions pull-down list next to the Search box, select the Region name

To display load balancers in virtual datacenters, select a virtual datacenter.

Virtual datacenters view with Network tab displaying load balancers

Load balancers in a provider usually belong to a virtual datacenter but in vCloud Director they belong to a public cloud region. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter.

See Provider support for load balancers tables

Create a load balancer

Before you begin:
  • Synchronize your virtual datacenters (including VMs, networks, firewalls, firewall rules, and load balancers)
  • If required by your provider, create firewalls for your VMs to allow your load balancers to access the VMs

To create a load balancer:

  1. Go to Virtual datacenters → select a virtual datacenter → Network → Load balancers
    For vCloud, select All virtual datacenters → Network → Load balancers → Region
  2. Click the + Add button and complete the following dialogs according to your cloud provider's documentation
    Screenshot: Creating a load balancer in AWS

    Screenshot: Creating a load balancer in vCloud Director

Load balancer general information

The following screenshots are from AWS.

Create a load balancer entering general information




The name of the load balancer.

  • Amazon will only accept the following characters: A-Z, a-z, 0-9 and "-", and you cannot modify the name
  • Azure will not accept names with white space


In providers that support subnets, the subnets that the load balancer is connected to.


See cloud provider documentation for more information


  • AWS: private or public IP
  • Rackspace: private or public IP
  • Azure ARM: private or public IP
  • Neutron: private IP, or private and public IPs
  • NSX: private IP, or private and public IPs
  • vCloud Director: private or public IP (IPs on external networks)

  • You may be able to change the address to another one in the same VDC by editing the load balancer

Load balancer routing rules

Create a load balancer entering a routing rule



Common protocols

Select one of the common protocols to load presets

Protocol in

The incoming protocol to the load balancer. See cloud provider documentation for accepted values.

Port in

The incoming port to the load balancer. See cloud provider documentation for accepted values.

Protocol out

The outgoing protocol from the load balancer.

Port out

The outgoing port from the load balancer

SSL Certificate

For secure connections (e.g. HTTPS), you can add an SSL certificate.
  • The platform will never store or validate the SSL certificate
  • The platform will pass the certificate directly to the provider
Select an existing certificate or add a new one. Cannot be used in platform-only load balancers

Add

Click Add to save a routing rule for the load balancer

To delete a routing rule, click the Delete button beside the name of the routing rule in the list

Load balancer SSL certificate

Create a load balancer entering a certificate




Name of the certificate


The certificate contents

Intermediate certificate

An intermediate certificate can be issued by a provider to support older browsers that may not have all of the trusted root certificates for that provider, so that users will not receive invalid SSL warnings. If you have an intermediate certificate, add it at the same time as the certificate to ensure that a trusted-chain certificate is configured.

Private key

The RSA private key for the certificate

Load balancer health check

Create a load balancer entering a health check




Common protocols

Select one of the most common protocols to load presets


Name of the health check


The protocol with which the health check will be performed


The port to which the health check will be performed

Path

The server path to ping (for supported protocols)

Interval (sec)

The interval in seconds between health checks

Timeout (sec)

The timeout in seconds after which an attempted health check will be considered unsuccessful

Attempts

The number of attempts before the health check will be considered unsuccessful

Add

Add the current health check to the load balancer

Load balancer firewalls

If your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of Firewalls that were created in your provider. Rackspace does not display a firewall selection list.

If a firewall is not on the list, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again to create a new load balancer.

Create a load balancer selecting firewall policies to assign to the load balancer

Assign load balancer nodes

To assign your load balancer to VMs, drag and drop the VMs from the Available Nodes list into the Attached Nodes list.

Privilege: Manage load balancers, Assign load balancers

  • The VMs to be load balanced can be in the same or different virtual appliances in the same virtual datacenter
  • You can also attach VMs by selecting load balancers when configuring the VM.

The following screenshot is from OpenStack Neutron. 

Create a load balancer assigning nodes

The platform will display the Status of the load balancer nodes on the Nodes tab, if status information is available from the provider.

You can also check the status using the Abiquo API.

Manage load balancers with the API

API Documentation

For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource LoadBalancersResource.

Edit load balancers

The cloud provider determines which elements of a load balancer you can modify. Due to different provider support for load balancer features, it may be possible to make modifications in the platform that will later be rejected by the cloud provider, triggering an error. Check your cloud provider documentation for supported modifications.

Edit VMs to assign or unassign to load balancers

Privilege: Assign load balancers

To assign a virtual machine to a load balancer, select the load balancer from the list.

Edit VM to assign a load balancer

Onboard and synchronize load balancers from public cloud

When you onboard a VDC from a public cloud provider, the load balancers associated with the VDC and its VMs will be onboarded into the platform.

To access vCloud load balancers and provider-only load balancers:

  1. Go to Virtual datacenters → All virtual datacenters
  2. Go to Network → Load balancers → select region

To synchronize all load balancers in a VDC or region:

  1. Go to Virtual datacenters
  2. Select the VDC or region
  3. Click the straight double arrow synchronize button.

Load balancers that have been deleted directly in the provider are displayed in light gray text. You can edit these load balancers to recreate them in the provider, or delete them.

Delete or release load balancers

To delete a load balancer, select the load balancer and click the delete button.

If your enterprise does not have credentials in the provider, then the load balancer will be released (it will be deleted in the platform but it will remain in the cloud provider).

Cloud user tasks

This section describes the tasks that may be performed by the cloud user. 

Edit your user account details

After you log in, you may need to edit your user account to update your details:

  1. Click on the user icon in the top right-hand corner of the screen and select Edit user from the pull-down menu
  2. Change your password and edit your user details. Check you have the correct email and phone number to receive passwords and authentication
  3. Add your public key that the platform will use to launch VMs so that you can access them with SSH

    Edit user general information

    Edit user advanced

Create a virtual appliance to group your VMs

A virtual appliance is a folder that holds a group of VMs so that you can easily access them and launch them into the cloud together. At the virtual appliance level, you may also be able to create templates from the disks of your VMs, view VM metrics and create alarms.

To create a new virtual appliance:

  1. Open the Virtual datacenters view
  2. Select the Virtual datacenter where you will deploy the VM
  3. Click the add button for virtual appliances, and complete the form as shown below

The platform will create the virtual appliance. To open it, click on its name.

Screenshot: Select a virtual datacenter and click Create virtual appliance

Screenshot: Create a virtual appliance




The name of the virtual appliance

Virtual datacenter

The virtual datacenter where the virtual appliance will be deployed, selected in the V. Datacenters list or with this selector

Icon

The URI of the icon to represent the virtual appliance

(Checkbox)

To go straight in to the virtual appliance, select Automatically open it after creation

Create VMs

To create a VM:

  1. Open Virtual datacenters → Select a virtual datacenter
  2. Go to the Virtual appliances tab → Open a virtual appliance by clicking on its name or create a new virtual appliance
  3. Drag and drop a VM template from the Templates tab into the VMs pane. Or double-click on a template to create a VM from it
  4. Select a hardware profile for your VM

The platform will create your VM. The status bar below the VM icon says NOT_ALLOCATED, which means that the VM has not yet been launched into the cloud. Select your VM to display its details in the lower panel.

Screenshot: Create a VM with drag and drop

Screenshot: Select a hardware profile

Launch VMs

To launch your VMs, click the Deploy virtual appliance button on the right-hand side of the screen.

The platform will launch the VMs and power them on. The status bar below each VM icon will be coloured green. And the Deploy button changes to become the Undeploy button, which you can use to destroy the VMs.

Screenshot: Deploy a virtual appliance

Manage VMs

To display the VM control panel, select the VM icon. From this panel, you can:

  • Check the details of the VM 
  • Power it off or on, and pause or reset as allowed by the provider, using the round control buttons
  • Destroy (undeploy) or launch (deploy) the VM
  • Connect to the VM with remote access, using the eye icon

By default, the description panel provides a short description of the VM template. 

The following screenshots show the Network and Storage panels, which are an easy way to check what IP addresses and storage are assigned to your machine. 

Configure or reconfigure a VM

To change the general configuration of a VM:

  1. Check that the VM is powered off or not deployed, depending on the provider. The status bar of the VM should be red with the word "OFF".
  2. Mouse over the VM options menu, and select Edit
  3. Make changes to the VM details as described below

Edit virtual machine General


  1. Select the Private or Public tab, depending on the type of IP address you want to add to the VM
  2. If you want to add a new public IP address, click + and select the address
  3. Drag and drop the IP address into the Network interfaces list

Continue configuring your VM or click Save to finish

Firewall policies

  • Select the firewall policies to add. You can add as many firewall policies as necessary, up to the cloud provider's limit

Bootstrap script

  • Use a template that is compatible with cloud-init version 0.7.9 or above, or Cloudbase-Init
  • Paste the configuration or script in the text box

Load balancers

  • Select the load balancers to use for the VM


  • Use a template that is compatible with cloud-init version 0.7.9 or above, or Cloudbase-Init
  • Add the variables that will be sent to the VM at deploy time

If the VM is deployed, the changes may not be applied directly. You may need to synchronize the running appliance to apply the changes in the hypervisor. The blue Sync virtual appliance button replaces the Deploy button on the right-hand side of the screen. Click the Sync virtual appliance button to apply your changes, which may include deploying newly added VMs. 

Configure Chef Recipes and Roles

Chef is an infrastructure automation product that uses configuration recipes. You can use Abiquo Chef Integration to deploy a VM that will then configure itself using Chef recipes and roles. 

The Chef tab is enabled if the enterprise is Chef-enabled and the VM template is Chef-enabled. Before the VM is deployed, you can select from the available roles and recipes. These will be added to the machine's runlist. When the machine is deployed it will download the roles and recipes, and run them in order. Click the Chef tab. By default on this tab you can select roles. Mark the "Select individual components" checkbox to select individual recipes too. The selected recipes will be added to the Virtual Appliance's runlist in order of selection.

To change the order of the runlist, click on the pencil button beside a role or recipe, then edit the order number, then click OK.

Change the Order of Roles and Recipes After Deployment

To change the runlist order after deployment click on the pencil button, then edit the order number, then click OK. The Abiquo Chef Agent will connect to the Chef Server and update the runlist.

See also Configuring and Using Abiquo Chef Integration in the Abiquo HOWTOs and Troubleshooting Abiquo Chef Integration in the Administrator's Guide.

Configure Monitoring and Metrics

You can enable the option to fetch metrics from the public cloud region.

To enable VM monitoring and metrics, work with a VM that is powered off or undeployed:

  1. Edit the VM and go to the Monitoring tab
  2. Mark the Fetch metrics checkbox.
  3. Select from the available options, for example, for AWS, you can select detailed or basic monitoring
  4. The functionality and list of available metrics depend on the underlying virtualization technology
  5. Select the individual metrics you would like to retrieve for your VM

Display Metrics for a VM

To display metrics for a VM, on the VM icon, click the Monitoring symbol. The metrics panel will open.

To update the display of a metric, click the refresh button.

To configure the display of a metric:

  1. Click the filter button
  2. Set the:
    1. Granularity, which is how often the metric is sampled
    2. Statistic, which determines how the raw values will be processed over time
    3. "Last" period, which is how long the display will look behind at the processed data.
    Click Accept to save the values.

To view the exact metric values in a call-out box, mouse over the monitoring graph line.

To create a highlight point, click on the metric graph line.

To simultaneously view the data for more than one VM, use the virtual appliance monitoring view.

Delete a VM

To delete a VM, move the mouse over the VM icon, and from the options menu, select Delete. You can delete a VM that is deployed. If you undeploy a VM before you delete it, the platform may request that you synchronize the virtual appliance until you delete the undeployed VM.
