Abiquo 5.1
This manual is a basic guide to how to Administer and Use Public Cloud in Abiquo
All users should configure their user accounts before starting work with the cloud platform.
You can control the resources that an enterprise may consume. This will help prevent resource over allocation, enterprises using resources from other enterprises, and even DoS attacks. Allocation limits will also help system administrators to anticipate user needs and forecast resource demand. Hard and soft limits are used by the resource scheduler to decide if a user can deploy a virtual appliance or not.
Enterprise allocation limits are checked during configuration or deploy, or before operations as described in the above table.
When creating allocation limits, you cannot have a hard limit only. And soft limits must always be less than or equal to hard limits. In addition, if the limits are equal to 0, then this means there is no limit to resource usage at this level. See Allocation limit rules.
To set the public cloud regions and datacenters that an enterprise is allowed to access, edit the Enterprise and click the Datacenters tab.
Drag and drop one or more public cloud regions or providers, or datacenters from the left pane into the "Allowed Datacenters" pane on the right.
An enterprise needs access to at least one public cloud region or datacenter so that its users can deploy VMs.
Note: when you create a public cloud region or a datacenter, the platform allows it for your own enterprise automatically. For all other enterprise, the platform adds it to the list in the left pane, which contains "Prohibited datacenters".
Allowed datacenters are working datacenters where users can deploy. This is different to an admin user having administration Scope to administer the infrastructure of datacenter.
You can set resource allocation limits for this enterprise in each allowed datacenter or public cloud region. To set allocation limits, select one of the Allowed Datacenters in the right pane and click the edit button. Set these limit values in the pop-up that opens.
Each tenant should have its own set of API credentials for each provider.
If the tenant does not have cloud provider credentials, they should follow their cloud provider's instructions on how to obtain access to the provider's API.
Abiquo provides basic guides to obtaining credentials, but the tenant should always consult the cloud provider for the most up-to-date information.
Before you enter public cloud credentials, there must be an existing public cloud region for the provider.
To add credentials for a public cloud provider
In the Abiquo Apps Library you can compile a selection of certified public cloud templates for your users to deploy by self-service.
Abiquo will store the details of these templates but not their disks.
Public cloud libraries can have many thousands of VM templates (e.g. AWS has 19,000 AMIs) that are difficult to find and manage. In addition, administrators cannot control the content of public cloud templates. In the Apps library, you can define a cache of details of your approved or certified public cloud templates. And you can customize the templates' representation to make it even easier for cloud users to find the right template.
To display the details of a template, move the mouse over the template. A tooltip will display the template information.
To filter templates in the Apps library:
To reset filter values to defaults, click Clear.
You can work with virtual machines, networks and storage in Virtual datacenters view
This section describes how to manage networks in private datacenters and public cloud providers.
Privileges: Manage virtual network elements, Access external networks tab, Access public networks tab
API Features
Virtual datacenter networks are available in the Abiquo API. For example, see VirtualDatacentersResource and PrivateNetworksResource.
Screenshot: Private networks in private cloud
Screenshot: Private networks in public cloud (AWS)
In the Networks list, to view the pool and allocation of IPs:
You can then:
Private networks are only available within a virtual datacenter. However, your cloud provider may configure an external gateway for your virtual datacenter.
To create a private network:
Create private network
Create private network Amazon
Button | Action |
---|---|
Name | Name of the network (VLAN). The name can contain up to 128 characters |
IPv6 | Select checkbox for IPv6 network |
Network Address | Private address range of the network |
Netmask | For IPv4 a network mask with an integer value of between 16 and 30 |
Gateway | Gateway of the VLAN. Must be an IP within the range of the network address and mask |
Availability zone | In AWS, optionally select an Availability zone for high availability. To deploy a group of VMs separately, use a different availability zone for each VM. To assign a VM to an availability zone, assign a private IP address in the network belonging to the required availability zone |
Primary DNS | The primary DNS |
Secondary DNS | The secondary DNS |
DNS suffix | The DNS suffix |
Excluded from firewall | Select Excluded from firewall to define a network where VM firewalls will not apply |
Static Routes | In supported providers, optionally select Define to create static routes. See Configure Static Routes using DHCP |
Default network | Select to make this network the default network, replacing the existing default network |
You can configure static routes when you create or edit a network. However, you should check with your systems administrator about when your VM will receive changes to static routes.
Field | Description | Example |
---|---|---|
Netmask | Destination network mask | 255.255.255.0 |
Network ID | Destination network or host | 1.1.1.0 |
Gateway IP | Next hop (on your network) | 10.10.10.100 |
To create new IP addresses in a private network do these steps.
Or you can add an IP directly to a VM. To do this:
IP Addresses |
---|
30.30.30.30 |
30.30.30.31 |
30.30.30.32 |
30.30.30.33 |
30.30.30.34 |
30.30.30.35 |
When you add IPv6 addresses on strict networks, you don't need to set the starting address. On non-strict IPv6 networks, Abiquo recommends that you create an automatic IP address, or you can enter a From IP address manually.
The new settings will apply to all VMs deployed after you save the network.
To delete a private network:
Privileges: Manage virtual network elements, Access external networks tab, Manage external network elements
To display onboarded external networks
If an onboarded network has been deleted in the provider, its name will display in light gray text. If a VM is using an IP from this network, then you cannot deploy the VM.
If there are no VMs using the IPs of an external network that was already deleted in the provider, to delete the network in the platform, select it and click the delete button.
Privileges: Manage virtual datacenter network elements, Access public network tab, Manage public network elements, Access external network tab, Manage external network elements
To set a new or existing network as the default:
In private cloud, if you set a public network as the default, remember to obtain IP addresses for your VMs before you deploy!
Privilege: Manage public IPs, Access public networks tab, Manage public network elements
To add new public IP addresses to your virtual datacenter:
The platform will add the IPs to your VDC
You can also reserve public IPs directly from the Edit VM dialog.
During onboarding from public cloud, the platform will onboard existing public IP addresses in providers that support them, such as AWS and Azure. You can obtain them from the provider and assign them to your virtual datacenters and VMs.
The provider may charge for public IP addresses as soon as you reserve them for your virtual datacenter. Therefore you should reserve your IP addresses just before you deploy and check they are deleted when you undeploy your VMs. Remember that your provider may also limit the number of public IP addresses that you can use per virtual datacenter.
To add public IP addresses to your virtual datacenter, so that you can later assign them to your VMs:
Privileges: Manage virtual network elements, Manage floating IPs, Access public networks tab, Manage public network elements
Now when you edit a VM in the VDC and go to Network → Public, the platform will display the public IP address and you can add it to your VM.
To obtain a public IP directly for a VM, click Purchase public IPs.
To onboard any public IP addresses that were already created in your cloud provider, or update changes made directly in the provider:
Privileges: Manage virtual network elements, Manage floating IPs, Access public networks tab, Manage public network elements
You can release a public IP if it is not assigned to a VM.
In private cloud, to release a public IP that belongs to a public network, select the IP in the IP list and click the delete button.
In public cloud, click the link to Remove from VDC and then click the delete button.
This section describes firewall policies, which are similar to security groups. The platform supports firewall policies in private cloud with network managers (NSX) and in public cloud (AWS, Azure). In Oracle Cloud, the platform enables users to onboard classic firewalls and assign them to VMs.
In vCloud Director, the platform also supports classic firewalls, which are Edge firewalls at level of the public cloud region (orgVDC). See Manage classic firewalls
To synchronize firewalls do these steps:
To synchronize a firewall before you add new firewall rules:
The platform can create firewall policies in virtual datacenters in the provider, or in the platform only, for later use in providers, depending on provider support.
Privilege: Manage firewall
To create a new firewall, do these steps:
Field | Description |
---|---|
Name | Name of the firewall policy. |
Location | Public cloud region or datacenter |
Virtual datacenter |
|
Default | Optional. Select to make the firewall the default for the virtual datacenter |
Description | Description of the firewall policy |
If you entered a virtual datacenter, the platform created your firewall in the provider. The platform will display a Provider-ID and a Virtual datacenter ID for the firewall.
If you selected No virtual datacenter, the firewall will be created in the platform in the public cloud region for your enterprise. The synchronize process will not update this firewall. The platform will not create it in the provider until you select a virtual datacenter.
Privilege: Manage default firewall
To set or unset a default firewall for a virtual datacenter:
When the user creates a VM, the platform will assign the default firewall. The firewall rules apply to VMs, not individual NICs on the VMs. Changes to the firewall ruleset will apply to every VM in the virtual datacenter with the default firewall. If you do not set a default firewall but the provider requires one, for example, AWS, the platform will set the provider's default firewall. In AWS the default firewall is not marked.
To edit a firewall policy:
Field | Description |
---|---|
Name | Name of the firewall policy. Some providers will not allow you to edit the name of the firewall policy |
Default | Select this option to set the firewall as the default. The platform will assign the default firewall to new VMs. |
Description | Description of the firewall policy |
To move a firewall to another virtual datacenter
To add a new firewall rule:
Before you edit firewall rules in AWS, synchronize the firewall to update the rules because AWS will not allow you to create a rule that already exists in the security group. Remember that it may take some time for firewall rules to propagate throughout AWS. Until the rules have propagated, the platform will not be able to detect them. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/query-api-troubleshooting.html#eventual-consistency
To delete firewall rules, do these steps.
To display firewalls that exist in a virtual datacenter in the provider:
To display all firewalls in a location (public cloud region or datacenter), including those that only exist in the platform and not in the provider:
To filter firewalls, enter text in the Search box to search by the Name, Description, and Provider ID in the Firewalls list.
See Assign a firewall policy to a VM
To delete a firewall policy:
API Documentation
For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource FirewallPoliciesResource.
Please refer to cloud provider documentation as the definitive guide to the load balancing features. And remember to check your cloud provider pricing before you begin.
In vCloud Director, load balancers belong to a public cloud region, not a virtual datacenter. This means that in vCloud Director, you can attach VMs from more than one virtual datacenter to the same load balancer, and these load balancers do not work with private networks, which belong to only one virtual datacenter.
See Provider support for load balancers tables
To display load balancers in a region, including those that are not assigned to a virtual datacenter in a provider
To display load balancers in virtual datacenters:
Select a virtual datacenter
Go to Network → Load balancers.
Privilege: Manage load balancers, Assign load balancers
To create a load balancer:
Click the + add button and complete the following dialogs according to your cloud provider's documentation
The following screenshots are from AWS or Azure
Field | Value |
---|---|
Name | The name of the load balancer.
|
Subnets | In providers that support subnets, the subnets to which the load balancer will connect |
Algorithm | See cloud provider documentation for more information |
Addresses |
|
Field | Value |
---|---|
Common protocols | Select one of the common protocols to load presets |
Protocol in | The incoming protocol to the load balancer. See cloud provider documentation for accepted values. |
Port in | The incoming port to the load balancer. See cloud provider documentation for accepted values. |
Protocol out | The outgoing protocol from the load balancer. |
Port out | The outgoing port from the load balancer |
SSL Cerftificate | For secure connections (e.g. HTTPS), you can add an SSL certificate.
|
Add | Click Add to save a routing rule for the load balancer |
To delete a routing rule, click the delete button beside the name of the routing rule in the list
Field | Value |
---|---|
Name | Name of the certificate |
Certificate | The certificate contents |
Intermediate certificate | An intermediate certificate can be issued by a provider to support older browsers that may not have all of the trusted root certificates for that provider, so that users will not receive invalid SSL warnings. If you have an intermediate certificate, add it at the same time as the certificate to ensure that a trusted-chain certificate is configured. |
Private key | The RSA private key for the certificate |
Field | Value |
---|---|
Common protocols | Select one of the most common protocols to load presets |
Name | Name of the health check |
Protocol | The protocol with which the health check will be performed |
Port | The port to which the health check will be performed |
Path | The server path to ping (for supported protocols) |
Interval (sec) | The interval in seconds between health checks |
Timeout (sec) | The timeout in seconds after which an attempted health check will be considered unsuccessful |
Attempts | The number of attempts before the health check will be considered unsuccessful |
Add | Add the current health check to the load balancer |
If your provider supports firewalls, to add a firewall to your load balancer, select your firewall from the list of Firewalls that were created in your provider. Rackspace does not display a firewall selection list.
If a firewall is not on the list, it may not have been properly synchronized. In this case, you will need to click Cancel, synchronize firewalls and start again to create a new load balancer.
To assign your load balancer to VMs, drag and drop the VMs them from the Available Nodes list into the Attached Nodes list.
The platform will display the Status of the load balancer nodes on the Nodes tab, if status information is available from the provider.
You can also check the status using the Abiquo API.
API Documentation
For the Abiquo API documentation of this feature, see Abiquo API Resources and the page for this resource LoadBalancersResource.
The cloud provider determines which elements of a load balancer that you can modify. Due to different provider support for load balancer features, it may be possible to make modifications in the platform that will later be rejected by the cloud provider, triggering an error. Check your cloud provider documentation for supported modifications.
Privilege: Assign load balancers
To assign a virtual machine to a load balancer, select the load balancer from the list.
To access vCloud load balancers, and provider-only load balancers
To synchronize all load balancers in a VDC or region:
Load balancers that have been deleted directly in the provider are displayed in light gray text. You can edit these load balancers to recreate them in the provider, or delete them.
If your enterprise does not have credentials in the provider, then the load balancer will be released (it will be deleted in the platform but it will remain in cloud provider).
This section describes the tasks that may be performed by the cloud user.
After you log in, you may need to edit your user account to update your details:
Add your public key that that the platform will use to launch VMs so that you can access them with SSH
If you would like the platform to notify you when an alarm activates, create an Alert for it in Control view.
You can create alarms for built-in VM metrics or scaling group metrics, as well as custom metrics created using the API for VMs, scaling groups, virtual appliances, and virtual datacenters.
To create an alarm:
Privilege: Access alarms section, Manage alarms
Field | Description |
---|---|
Entity type | Select an entity with metrics from the list on the left. |
Entity name | The name of the entity |
Entity label | The label of the entity, which for VMs is shown in the list on the left |
Entity icon | The icon that the platform displays in the UI for VMs and virtual appliances |
Name | Name of the alarm with up to 128 characters. Alarm names must be unique for each metric |
Description | Description of the alarm. Used together with the alarm name and VM name to identify the alarm, for example, when creating an alert |
Metric | Select one of the metrics available for the VM |
Metric unit | The unit of the metric. Read only |
Metric description | The description of the metric. Read only |
Dimension | When the metric has multiple dimensions, optionally select one or more dimensions. For example, if a VM has multiple hard disks, then the disk read bytes metric may have a dimension for each disk |
Last datapoints in period | The number of datapoints that the platform will evaluate the metric during the elapsed time. If you request the evaluation of an alarm more frequently than metric data is collected by the platform or sent by the provider, then the alarm will not activate. We recommend that you create alarms with longer evaluation periods, for example, an average of 10 points over the last hour, so the transmission and collection intervals will not affect the activation of the alarm. |
Statistic | Statistic that the platform will use for evaluating the alarm, which can be: average, maximum, minimum, sum, count, dev |
Formula | Operator that the platform will use for evaluation of the alarm, for example, greater than. Values can be: notequal, greaterthan, greaterthanorequalto, lessthan, lessthanorequalto, trendup, trenddown |
Threshold | Value that the platform will evaluate the alarm against, if appropriate |
The platform will create the alarm for the metric. If you would like the platform to notify you when an alarm is triggered, create an Alert.
Troubleshooting alarms that do not trigger
For a scaling group, an alarm on a metric of the VM in the base workload will receive input from the metrics of all VMs in the scaling group. This means the base workload and/or the clone VMs. So an alarm for a scaling group can activate, even if the base workload is not deployed.
For API documentation about alarms on an entity, see the API documentation for the entity's resource. For example, for VMs, see VirtualMachinesResource.
When you edit an alarm, there is an extra field, "Active", that shows if the alarm is activated or not.
After you save the alarm, the platform will start to evaluate it again with new data when it receives the next set of metrics datapoints.
You can also remove an alarm from an alert.
Privilege: Access alarms section, Manage alarms, Manage alerts
To delete an alarm:
To remove an alarm from an alert:
Go to Control → Alerts → edit alert
Select the alarm, click the delete button, and confirm
The platform will remove it from this alert, but it will remain in all other alerts that it is associated with
If you delete a VM, the platform will delete any alarms associated with its metrics.
To automate the configuration of your VM, edit the VM and on the Bootstrap tab, add a configuration or script that will run with cloud-init. Remember that your VM template must be compatible with cloud-init version 0.7.9 or above, and for Windows systems this will be a Cloudbase-Init template.
To add variables for use by cloud-init configurations or scripts, edit the VM and on the Variables tab, add the key and value for each variable that will be sent to the VM at deploy time. Remember that your VM template must be compatible with cloud-init version 0.7.9 or above, and for Windows system this will be a Cloudbase-Init template.
Chef is an infrastructure automation product that uses configuration recipes. You can use Abiquo Chef Integration to deploy a VM that will then configure itself using Chef recipes and roles on Linux VMs.
The Chef tab will display if your tenant has a Chef configuration and your VM template is compatible with cloud-init.
To add Chef roles and recipes for your VM:
To change the order of the runlist, click on the pencil button beside a role or recipe, then edit the order number, then click OK.
If you change the runlist after deploy, Abiquo will update the Chef server, and your Chef-client recipe can obtain these changes from the Chef server.
See also Configuring and Using Abiquo Chef Integration in the Abiquo HOWTOs and Troubleshooting Abiquo Chef Integration in the Administrator's Guide.