<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Aws on The IT Hollow</title>
    <link>https://theithollow.com/tags/aws/</link>
    <description>Recent content in Aws on The IT Hollow</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Fri, 02 Jul 2021 16:15:22 +0000</lastBuildDate>
    <atom:link href="https://theithollow.com/tags/aws/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Ubiquiti USG VPN Setup for VMware Cloud on AWS</title>
      <link>https://theithollow.com/2021/07/02/ubiquiti-usg-vpn-setup-for-vmware-cloud-on-aws/</link>
      <pubDate>Fri, 02 Jul 2021 16:15:22 +0000</pubDate>
      <guid>https://theithollow.com/2021/07/02/ubiquiti-usg-vpn-setup-for-vmware-cloud-on-aws/</guid>
      <description>&lt;p&gt;My day job requires me to do a lot of work with VMware Cloud on AWS. If I plan on doing any real work with the virtual machines, Kubernetes clusters, or applications, I really need a VPN tunnel to securely access those resources. My problem has been setting up my aging &lt;a href=&#34;https://amzn.to/3Aw7TE3&#34;&gt;Ubiquiti USG&lt;/a&gt; firewall with BGP. This post will show how I set up a route-based VPN tunnel with my Ubiquiti USG. Big shoutout to &lt;a href=&#34;https://twitter.com/brianjbeach&#34;&gt;Brian Beach&lt;/a&gt; for his work &lt;a href=&#34;https://blog.brianbeach.com/posts/2020-09-06-unifi-usg-aws-vpn/&#34;&gt;setting up the USG with an AWS Transit Gateway&lt;/a&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Deploy Kubernetes on AWS</title>
      <link>https://theithollow.com/2020/01/13/deploy-kubernetes-on-aws/</link>
      <pubDate>Mon, 13 Jan 2020 15:15:39 +0000</pubDate>
      <guid>https://theithollow.com/2020/01/13/deploy-kubernetes-on-aws/</guid>
      <description>&lt;p&gt;The way you deploy Kubernetes (k8s) on AWS will be similar to how it was done in a &lt;a href=&#34;https://theithollow.com/2020/01/08/deploy-kubernetes-on-vsphere/&#34;&gt;previous post on vSphere&lt;/a&gt;. You still set up nodes, you still deploy kubeadm and kubectl, but there are a few differences when you change your cloud provider. For instance, on AWS we can use the LoadBalancer resource against the k8s API and have AWS provision an elastic load balancer for us. These features take a few extra tweaks in AWS.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Account Tagging</title>
      <link>https://theithollow.com/2019/06/17/aws-account-tagging/</link>
      <pubDate>Mon, 17 Jun 2019 14:02:18 +0000</pubDate>
      <guid>https://theithollow.com/2019/06/17/aws-account-tagging/</guid>
      <description>&lt;p&gt;We&amp;rsquo;re getting into the habit of tagging everything these days. It&amp;rsquo;s been drilled into our heads that we don&amp;rsquo;t care about names of our resources anymore because we can add our own metadata to resources to later identify them, or to use for automation. But up until June 6th, AWS wouldn&amp;rsquo;t let us tag one of the most important resources of all, our accounts.&lt;/p&gt;
&lt;p&gt;On June 6th though, our cloud world changed when &lt;a href=&#34;https://aws.amazon.com/about-aws/whats-new/2019/06/aws-organizations-now-supports-tagging-and-untagging-of-aws-acco/&#34;&gt;AWS announced&lt;/a&gt; that we can now add tags to our accounts through organizations.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Its Up to You to Decide if Apps are Cheaper in the Cloud</title>
      <link>https://theithollow.com/2019/03/19/its-up-to-you-to-decide-if-apps-are-cheaper-in-the-cloud/</link>
      <pubDate>Tue, 19 Mar 2019 14:20:29 +0000</pubDate>
      <guid>https://theithollow.com/2019/03/19/its-up-to-you-to-decide-if-apps-are-cheaper-in-the-cloud/</guid>
      <description>&lt;p&gt;Whenever I talk cloud with a customer, there is inevitably a discussion around how much the cloud costs vs what is in the data center. The conversation usually starts with one of several declarations.&lt;/p&gt;
&lt;hr&gt;
&lt;blockquote&gt;
&lt;p&gt;&amp;ldquo;The Cloud is more expensive than on-premises but we want the capabilities anyway.&amp;rdquo;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;hr&gt;
&lt;blockquote&gt;
&lt;p&gt;&amp;ldquo;We need the Cloud so we can drive down our costs.&amp;rdquo;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;hr&gt;
&lt;p&gt;Well yes, if you&amp;rsquo;ve paid attention, those are two different arguments about why you need cloud, and both of them came to different conclusions about whether or not the public cloud is more expensive or less expensive than running your own data center.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Native Backups</title>
      <link>https://theithollow.com/2019/01/22/aws-native-backups/</link>
      <pubDate>Tue, 22 Jan 2019 16:00:59 +0000</pubDate>
      <guid>https://theithollow.com/2019/01/22/aws-native-backups/</guid>
      <description>&lt;figure&gt;
    &lt;img loading=&#34;lazy&#34; src=&#34;https://assets.theithollow.com/wp-content/uploads/2019/01/awsbackup1-1024x298.png&#34;/&gt; 
&lt;/figure&gt;

&lt;p&gt;Amazon Web Services has released yet another service designed to improve the lives of people administering an AWS environment. There is a new backup service, cleverly named, AWS Backup.&lt;/p&gt;
&lt;p&gt;This new service allows you to create a backup plan for Elastic Block Store (EBS) volumes, Elastic File System (EFS), DynamoDB, Relational Database Services (RDS), and Storage Gateway.&lt;/p&gt;
&lt;p&gt;Now we can build plans to automatically backup, tier and expire old backups automatically based on our own criteria.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Lucidchart Integrations with AWS</title>
      <link>https://theithollow.com/2019/01/08/lucidchart-integrations-with-aws/</link>
      <pubDate>Tue, 08 Jan 2019 15:00:02 +0000</pubDate>
      <guid>https://theithollow.com/2019/01/08/lucidchart-integrations-with-aws/</guid>
      <description>&lt;p&gt;Okay, I&amp;rsquo;m scared of change just like everyone else. I have been building Visios for a pretty long time and know where all the menus are so I&amp;rsquo;m pretty fast with it. But I do use a Macbook when I travel and firing up Fusion just to run Visio is frustrating. I thought since it&amp;rsquo;s a new year I should try Lucidchart and see what I thought. Now I&amp;rsquo;m still kind of fond of Visio, but the Integrations feature with Lucidchart on top of the web interface allowing me to use it anywhere, is enough to make me drop Visio for the long haul.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Security Hub</title>
      <link>https://theithollow.com/2018/12/17/aws-security-hub/</link>
      <pubDate>Mon, 17 Dec 2018 15:00:59 +0000</pubDate>
      <guid>https://theithollow.com/2018/12/17/aws-security-hub/</guid>
      <description>&lt;p&gt;A primary concern for companies moving to the cloud is whether or not their workloads will remain secure. While that debate still happens, AWS has made great strides to assuage customers&amp;rsquo; concerns by adding services to ensure workloads are well protected. At re:Invent 2018 another service named &lt;a href=&#34;https://aws.amazon.com/security-hub/&#34;&gt;AWS Security Hub&lt;/a&gt; was added. Security Hub allows you to set up some basic security guardrails and get compliance information for multiple accounts within a single service. Amazon seems to have realized that enabling customers to very easily see their security recommendations for all environments in a single place has great value to their businesses.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Setup AWS Transit Gateway</title>
      <link>https://theithollow.com/2018/12/12/setup-aws-transit-gateway/</link>
      <pubDate>Wed, 12 Dec 2018 15:00:07 +0000</pubDate>
      <guid>https://theithollow.com/2018/12/12/setup-aws-transit-gateway/</guid>
      <description>&lt;p&gt;Amazon announced a new service at re:Invent 2018 in Las Vegas, called the &lt;a href=&#34;https://aws.amazon.com/transit-gateway/&#34;&gt;AWS Transit Gateway&lt;/a&gt;. The Transit Gateway allows you to connect multiple VPCs together as well as VPN tunnels to on-premises networks through a single gateway device. As a consultant, I talk with customers often, about how they will plan to connect their data center with the AWS cloud, and how to interconnect all of those VPCs. In the past a solution like Aviatrix or a Cisco CSR transit gateway was used which leveraged some EC2 instances that lived within a VPC. You&amp;rsquo;d then connect spoke VPCs together via the use of VPN tunnels. With this new solution, there is a native service from AWS that allows you to do this without the need for VPN tunnels between spoke VPCs and you can use the AWS CLI/CloudFormation or console to deploy everything you need. This post takes you through an example of the setup of the AWS Transit Gateway in my own lab environment.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Resource Access Manager</title>
      <link>https://theithollow.com/2018/12/10/aws-resource-access-manager/</link>
      <pubDate>Mon, 10 Dec 2018 15:00:44 +0000</pubDate>
      <guid>https://theithollow.com/2018/12/10/aws-resource-access-manager/</guid>
      <description>&lt;p&gt;At AWS re:Invent this year in Las Vegas, Amazon announced a ton of services, but one that caught my eye was the AWS Resource Access Manager. This is a service that facilitates the sharing of some resources between AWS accounts so that they can be used or referenced across account boundaries. Typically, an AWS account is used as a control plane boundary (or billing boundary) between environments, but even then resources will need to communicate with each other occasionally. Now with AWS Resource Access Manager (RAM) we can share Hosted DNS zones, Transit Gateways and other objects. This list will undoubtedly grow over time. This post will show you how you can share another new service, the AWS Transit Gateway, across multiple accounts within your organization.&lt;/p&gt;</description>
    </item>
    <item>
      <title>VMware Cloud on AWS Firewalls Overview</title>
      <link>https://theithollow.com/2018/11/28/vmware-cloud-on-aws-firewalls-overview/</link>
      <pubDate>Wed, 28 Nov 2018 16:03:46 +0000</pubDate>
      <guid>https://theithollow.com/2018/11/28/vmware-cloud-on-aws-firewalls-overview/</guid>
      <description>&lt;p&gt;If you&amp;rsquo;re getting started with VMware Cloud on AWS then you should be aware of all the points in which you can block traffic with a firewall. Or, if you look at it another way, the places where you might need to create allow rules for traffic to traverse your cloud. This post is used to show where those choke points live both within your VMware Cloud on AWS SDDC, as well as the Amazon VPC in which your SDDC lives.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Using AWS CloudFormation Drift Detection</title>
      <link>https://theithollow.com/2018/11/14/using-aws-cloudformation-drift-detection/</link>
      <pubDate>Wed, 14 Nov 2018 15:02:55 +0000</pubDate>
      <guid>https://theithollow.com/2018/11/14/using-aws-cloudformation-drift-detection/</guid>
      <description>&lt;p&gt;Today, AWS announced the release of the long anticipated drift detection feature for CloudFormation. This feature has been a common feature request for many of the AWS customers that I speak with to ensure their deployments are configured as expected. This post will take you through why this is an important feature and how you can use it.&lt;/p&gt;
&lt;h1 id=&#34;whats-the-big-deal&#34;&gt;What&amp;rsquo;s the Big Deal?&lt;/h1&gt;
&lt;p&gt;If you&amp;rsquo;re not familiar with it already, CloudFormation is a free service from AWS that lets you describe your infrastructure through a YAML or JSON file and deploy the configuration. Simply define your desired state and CloudFormation will deploy the resources and arrange them so that dependent services are (usually) deployed in the right order. If you&amp;rsquo;re familiar with Ansible, Chef, or Puppet, this concept of a desired state shouldn&amp;rsquo;t be new.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Quality Checking Infrastructure-as-Code</title>
      <link>https://theithollow.com/2018/11/05/quality-checking-infrastructure-as-code/</link>
      <pubDate>Mon, 05 Nov 2018 14:55:55 +0000</pubDate>
      <guid>https://theithollow.com/2018/11/05/quality-checking-infrastructure-as-code/</guid>
      <description>&lt;p&gt;If you&amp;rsquo;ve been doing application development for long, having tools in place to check the health of your code is probably not a new concept. However, if you&amp;rsquo;re jumping into something like Cloud and you&amp;rsquo;ve been an infrastructure engineer, this may be a foreign concept to you. Isn&amp;rsquo;t it bad enough that you&amp;rsquo;ve started learning Git, JSON, YAML, APIs etc on top of your existing skill sets? Well, take some lessons from the application teams and you may well find that you&amp;rsquo;re improving your processes and reducing the technical debt and time to provision infrastructure as code resources as well.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Restore or Resize an AWS Transit Router</title>
      <link>https://theithollow.com/2018/10/22/restore-or-resize-an-aws-transit-router/</link>
      <pubDate>Mon, 22 Oct 2018 14:03:21 +0000</pubDate>
      <guid>https://theithollow.com/2018/10/22/restore-or-resize-an-aws-transit-router/</guid>
      <description>&lt;p&gt;A transit VPC is a pretty common networking pattern in an AWS environment. &lt;a href=&#34;https://theithollow.com/2018/07/16/should-i-use-a-transit-vpc-in-aws/&#34;&gt;Transit VPCs&lt;/a&gt; can limit the number of peering connections required to connect all your VPCs by switching from a mesh topology of peers to a hub and spoke method with transit. While transit VPCs offer some nice features, they also require a bit more management overhead since you need to manage your own routers. Cisco makes the deployment of transit routers very easy but sometimes you need to make some changes to the routers after they&amp;rsquo;re deployed like if you need to resize them. Also, sometimes bad things happen and those routers can be destroyed by accident. This post shows how you can resize your Cisco CSRs and/or restore an old configuration from snapshot.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Close an AWS Account Belonging to an Organization</title>
      <link>https://theithollow.com/2018/09/17/close-an-aws-account-belonging-to-an-organization/</link>
      <pubDate>Mon, 17 Sep 2018 14:05:24 +0000</pubDate>
      <guid>https://theithollow.com/2018/09/17/close-an-aws-account-belonging-to-an-organization/</guid>
      <description>&lt;p&gt;Opening an AWS account is very easy to do. AWS makes it possible to create an account with an email address and a credit card. Even better, if you&amp;rsquo;re setting up a multi-account structure, you can use the API through organizations and you really only need an email address as an input. But closing an account is slightly more difficult. While closing accounts doesn&amp;rsquo;t happen quite as often as opening new ones, it does happen. Especially if you&amp;rsquo;re trying to fail fast and have made some organizational mistakes. When you want to clean those accounts up, you&amp;rsquo;ll need to jump through a couple of small hoops to do so. This post hopes to outline how to remove an account from an AWS Organization and then close it.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Custom Resources</title>
      <link>https://theithollow.com/2018/09/04/aws-custom-resources/</link>
      <pubDate>Tue, 04 Sep 2018 14:00:04 +0000</pubDate>
      <guid>https://theithollow.com/2018/09/04/aws-custom-resources/</guid>
      <description>&lt;p&gt;We love to use AWS CloudFormation to deploy our environments. It&amp;rsquo;s like configuration management for our AWS infrastructure in the sense that we write a desired state as code and apply it to our environment. But sometimes, there are tasks that we want to complete that aren&amp;rsquo;t part of CloudFormation. For instance, what if we wanted to use CloudFormation to deploy a new account which needs to be done through the CLI, or if we need to return some information to our CloudFormation template before deploying it? Luckily for us we can use a Custom Resource to achieve our goals. This post shows how you can use CloudFormation with a Custom Resource to execute a very basic Lambda function as part of a deployment.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Add AWS Web Application Firewall to Protect your Apps</title>
      <link>https://theithollow.com/2018/08/20/add-aws-web-application-firewall-to-protect-your-apps/</link>
      <pubDate>Mon, 20 Aug 2018 14:02:31 +0000</pubDate>
      <guid>https://theithollow.com/2018/08/20/add-aws-web-application-firewall-to-protect-your-apps/</guid>
      <description>&lt;p&gt;Some things change when you move to the cloud, but other things are very much the same. Like protecting your resources from outside threats. There are always no-gooders out there trying to steal data, or cause mayhem like in those Allstate commercials. Our first defense should be well written applications, requiring authentication, etc and with AWS we make sure we&amp;rsquo;re setting up security groups to limit our access to those resources. How about an extra level of protection from a Web Application Firewall? AWS WAF allows us to leverage some extra protections at the edge to protect us from those bad guys/girls.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Using AWS CodeDeploy to Push New Versions of your Application</title>
      <link>https://theithollow.com/2018/08/06/using-aws-codedeploy-to-push-new-versions-of-your-application/</link>
      <pubDate>Mon, 06 Aug 2018 14:04:33 +0000</pubDate>
      <guid>https://theithollow.com/2018/08/06/using-aws-codedeploy-to-push-new-versions-of-your-application/</guid>
      <description>&lt;p&gt;Getting new code onto our servers can be done in a myriad of ways these days. Configuration management tools can pull down new code, pipelines can run scripts across our fleets, or we could run around with a USB stick for the rest of our lives. With container based apps, serverless functions, and immutable infrastructure, we&amp;rsquo;ve changed this conversation quite a bit as well. But what about a plain old server that needs a new version of code deployed on it? AWS CodeDeploy can help us to manage our software versions and rollbacks so that we have a consistent method to update our apps across multiple instances. This post will demonstrate how to get started with AWS CodeDeploy so that you can manage the deployment of new versions of your apps.&lt;/p&gt;</description>
    </item>
    <item>
      <title>How to Setup Amazon EKS with Mac Client</title>
      <link>https://theithollow.com/2018/07/31/how-to-setup-amazon-eks-with-mac-client/</link>
      <pubDate>Tue, 31 Jul 2018 14:06:02 +0000</pubDate>
      <guid>https://theithollow.com/2018/07/31/how-to-setup-amazon-eks-with-mac-client/</guid>
      <description>&lt;p&gt;We love Kubernetes. It&amp;rsquo;s becoming a critical platform for us to manage our containers, but deploying Kubernetes clusters is pretty tedious. Luckily for us, cloud providers such as AWS are helping to take care of these tedious tasks so we can focus on what is more important to us, like building apps. This post shows how you can go from a basic AWS account to a Kubernetes cluster for you to deploy your applications.&lt;/p&gt;</description>
    </item>
    <item>
      <title>How to Setup Amazon EKS with Windows Client</title>
      <link>https://theithollow.com/2018/07/30/how-to-setup-amazon-eks-with-windows-client/</link>
      <pubDate>Mon, 30 Jul 2018 16:05:09 +0000</pubDate>
      <guid>https://theithollow.com/2018/07/30/how-to-setup-amazon-eks-with-windows-client/</guid>
      <description>&lt;p&gt;We love Kubernetes. It&amp;rsquo;s becoming a critical platform for us to manage our containers, but deploying Kubernetes clusters is pretty tedious. Luckily for us, cloud providers such as AWS are helping to take care of these tedious tasks so we can focus on what is more important to us, like building apps. This post shows how you can go from a basic AWS account to a Kubernetes cluster for you to deploy your applications.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Easy Snapshot Automation with Amazon Data Lifecycle Manager</title>
      <link>https://theithollow.com/2018/07/23/easy-snapshot-automation-with-amazon-data-lifecycle-manager/</link>
      <pubDate>Mon, 23 Jul 2018 14:05:53 +0000</pubDate>
      <guid>https://theithollow.com/2018/07/23/easy-snapshot-automation-with-amazon-data-lifecycle-manager/</guid>
      <description>&lt;p&gt;Amazon has announced a new service that will help customers manage their EBS volume snapshots in a very simple manner. The Data Lifecycle Manager service lets you set up a schedule to snapshot any of your EBS volumes during a specified time window.&lt;/p&gt;
&lt;p&gt;In the past, AWS customers might need to come up with their own solution for snapshots or backups. Some apps moving to the cloud might not even need backups based on their deployment method and architectures. For everything else, we assume we&amp;rsquo;ll need to at least snapshot the EBS volumes that the EC2 instances are running on. Prior to the Data Lifecycle Manager, this could be accomplished through some fairly simple Lambda functions to snapshot volumes on a schedule. Now with the new service, there is a solution right in the EC2 console.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Should I use a Transit VPC in AWS?</title>
      <link>https://theithollow.com/2018/07/16/should-i-use-a-transit-vpc-in-aws/</link>
      <pubDate>Mon, 16 Jul 2018 14:05:46 +0000</pubDate>
      <guid>https://theithollow.com/2018/07/16/should-i-use-a-transit-vpc-in-aws/</guid>
      <description>&lt;p&gt;A common question that comes up during AWS designs is, &amp;ldquo;Should I use a transit VPC?&amp;rdquo; The answer, like all good IT riddles is, &amp;ldquo;it depends.&amp;rdquo; There are a series of questions that you must ask yourself before deciding whether to use a Transit VPC or not. In this post, I&amp;rsquo;ll try to help formulate those questions so you can answer this question yourself.&lt;/p&gt;
&lt;h1 id=&#34;the-basics&#34;&gt;The Basics&lt;/h1&gt;
&lt;p&gt;Before we can ask those tough questions, we first should answer the question, &amp;ldquo;What is a Transit VPC?&amp;rdquo; Well, a transit VPC acts as an intermediary for routing between two places. Just like a transit network bridges traffic between two networks, a transit VPC ferries traffic between two VPCs or perhaps your data center.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Visualizing the Chicago Cubs via Amazon QuickSight</title>
      <link>https://theithollow.com/2018/05/14/visualizing-the-chicago-cubs-via-amazon-quicksight/</link>
      <pubDate>Mon, 14 May 2018 15:01:07 +0000</pubDate>
      <guid>https://theithollow.com/2018/05/14/visualizing-the-chicago-cubs-via-amazon-quicksight/</guid>
      <description>&lt;p&gt;If you&amp;rsquo;re interested in visualizing your data in easy to display graphs, Amazon QuickSight may be your solution. Obviously, Amazon has great capabilities with big data, but sometimes even if you have &amp;ldquo;little&amp;rdquo; data you just need a dashboard or way of displaying that content. This post shows an example of how you can display data to tell a compelling story. For the purposes of this blog post, we&amp;rsquo;ll try to determine why the Chicago Cubs are the Major League&amp;rsquo;s favorite baseball team.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS IAM Indecision</title>
      <link>https://theithollow.com/2018/05/07/aws-iam-indecision/</link>
      <pubDate>Mon, 07 May 2018 14:55:55 +0000</pubDate>
      <guid>https://theithollow.com/2018/05/07/aws-iam-indecision/</guid>
      <description>&lt;p&gt;Identity and Access Management (IAM) can be a confusing topic for people that are new to Amazon Web Services. There are IAM Users that could be used for authentication or solutions considered part of the AWS Directory Services such as Microsoft AD, Simple AD, or AD Connector. If none of these sound appealing, there is always the option to use Federation with a SAML 2.0 solution like OKTA, PING, or Active Directory Federation Services (ADFS). If all of these options have given you a case of decision fatigue, then hopefully this post and the associated links will help you to decide how your environment should be set up.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Manage Multiple AWS Accounts with Role Switching</title>
      <link>https://theithollow.com/2018/04/30/manage-multiple-aws-accounts-with-role-switching/</link>
      <pubDate>Mon, 30 Apr 2018 14:05:52 +0000</pubDate>
      <guid>https://theithollow.com/2018/04/30/manage-multiple-aws-accounts-with-role-switching/</guid>
      <description>&lt;p&gt;A pretty common question that comes up is how to manage multiple accounts within AWS from a user perspective. Multi-Account setups are common to provide control plane separation between Production, Development, Billing and Shared Services accounts but do you need to set up Federation with each of these accounts or create an IAM user in each one? That makes those accounts kind of cumbersome to manage and the more users we have the more chance one of them could get hacked.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Directory Service - AD Connector</title>
      <link>https://theithollow.com/2018/04/23/aws-directory-service-ad-connector/</link>
      <pubDate>Mon, 23 Apr 2018 14:05:05 +0000</pubDate>
      <guid>https://theithollow.com/2018/04/23/aws-directory-service-ad-connector/</guid>
      <description>&lt;p&gt;Just because you&amp;rsquo;ve started moving workloads into the cloud, doesn&amp;rsquo;t mean you can forget about Microsoft Active Directory. Many customers simply stand up their own domain controllers on EC2 instances to provide domain services. But if you&amp;rsquo;re moving to AWS there are also some great services you can take advantage of, to provide similar functionality. This post focuses on AD Connector which makes a connection to your on-premises or EC2 installed domain controllers. AD Connector doesn&amp;rsquo;t run your Active Directory but rather uses your existing Active Directory instances within AWS. As such, in order to use AD Connector you would need to have a VPN connection or Direct Connect to provide connectivity back to your data center. Also, you&amp;rsquo;ll need to be prepared to have credentials to connect to the domain. Domain Admin credentials will work, but as usual you should use as few privileges as possible so delegate access to a user with the following permissions:&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Directory Service - Microsoft AD</title>
      <link>https://theithollow.com/2018/04/09/aws-directory-service-microsoft-ad/</link>
      <pubDate>Mon, 09 Apr 2018 14:55:20 +0000</pubDate>
      <guid>https://theithollow.com/2018/04/09/aws-directory-service-microsoft-ad/</guid>
      <description>&lt;p&gt;Just because you&amp;rsquo;ve started moving workloads into the cloud, doesn&amp;rsquo;t mean you can forget about Microsoft Active Directory. Many customers simply stand up their own domain controllers on EC2 instances to provide domain services. But if you&amp;rsquo;re moving to AWS there are also some great services you can take advantage of, to provide similar functionality. This post focuses on Microsoft AD which is a Server 2012 R2 based domain that provides a pair of domain controllers across Availability Zones and also handles DNS. This service is the closest service to a full-blown Active Directory that you&amp;rsquo;d host on premises. You can even create a trust between the Microsoft AD deployed in AWS and your on-prem domain. You cannot extend your on-premises domain into Microsoft AD at the time of this writing though. If you wish to extend your existing domain, you should consider building your own DCs on EC2 instances and then you have full control over your options.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Protect Your AWS Accounts with GuardDuty</title>
      <link>https://theithollow.com/2018/04/02/protect-your-aws-accounts-with-guardduty/</link>
      <pubDate>Mon, 02 Apr 2018 14:05:29 +0000</pubDate>
      <guid>https://theithollow.com/2018/04/02/protect-your-aws-accounts-with-guardduty/</guid>
      <description>&lt;p&gt;Locking down an AWS environment isn&amp;rsquo;t really that hard if you know what threats you&amp;rsquo;re protecting against. You have services such as the Web Application Firewall, Security Groups, Network Access Control Lists, Bucket Policies and the list goes on. But many times you encounter threats from malicious attackers just trying to probe which vulnerabilities might exist in your cloud. AWS has built a service, called Amazon GuardDuty, to help monitor and protect your environment that is based on AWS machine learning tools and threat intelligence feeds. GuardDuty currently reads VPC Flow Logs (used for network traffic analysis) and CloudTrail Logs (used for control plane access analysis) along with DNS log data to protect an AWS environment. GuardDuty will use threat intelligence feeds to alert you when your workloads may be communicating with known malicious IP addresses and can alert you when privilege escalation occurs as part of its machine learning about suspicious patterns.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Migration to the Cloud with CloudEndure</title>
      <link>https://theithollow.com/2018/03/05/migration-cloud-cloudendure/</link>
      <pubDate>Mon, 05 Mar 2018 15:07:45 +0000</pubDate>
      <guid>https://theithollow.com/2018/03/05/migration-cloud-cloudendure/</guid>
      <description>&lt;p&gt;I&amp;rsquo;m a big advocate for building your cloud apps to take advantage of cloud features. This usually means re-architecting them so that things like AWS Availability Zones can be used seamlessly. But I also know that to get benefits of the cloud quickly, this can&amp;rsquo;t always happen. If you&amp;rsquo;re trying to reduce your data center footprint rapidly due to a building lease or hardware refresh cycle quickly approaching, then you probably need a migration tool to accomplish this task.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Reserved Instance Considerations</title>
      <link>https://theithollow.com/2018/02/19/aws-reserved-instance-considerations/</link>
      <pubDate>Mon, 19 Feb 2018 15:10:10 +0000</pubDate>
      <guid>https://theithollow.com/2018/02/19/aws-reserved-instance-considerations/</guid>
      <description>&lt;p&gt;Reserved Instances are often used to reduce the price of Amazon EC2 instance on-demand pricing. If you&amp;rsquo;re not familiar with Reserved Instances, then you&amp;rsquo;re missing out. Reserved Instances, or RIs, are a billing construct used in conjunction with Amazon EC2 instances (virtual machines). The default usage on the AWS platform is the on-demand pricing in which you get billed by the hour or second with no commitments. Basically, when you decide to terminate an instance you stop paying for it.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Setup MFA for AWS Root Accounts</title>
      <link>https://theithollow.com/2018/02/12/setup-mfa-aws-root-accounts/</link>
      <pubDate>Mon, 12 Feb 2018 15:07:56 +0000</pubDate>
      <guid>https://theithollow.com/2018/02/12/setup-mfa-aws-root-accounts/</guid>
      <description>&lt;p&gt;Multi-Factor Authentication, or MFA, is a common security precaution used to prevent someone from gaining access to an account even if an attacker has your username and password. With MFA you must also have a device that generates a time-based one-time password (TOTP) in addition to the standard username/password combination. The extra time it might take to log in is well worth the advantages that MFA provides. Having your AWS account hijacked could be a real headache.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Add a New AWS Account to an Existing Organization from the CLI</title>
      <link>https://theithollow.com/2018/02/05/add-new-aws-account-existing-organization-cli/</link>
      <pubDate>Mon, 05 Feb 2018 15:12:17 +0000</pubDate>
      <guid>https://theithollow.com/2018/02/05/add-new-aws-account-existing-organization-cli/</guid>
      <description>&lt;p&gt;AWS Organizations is a way for you to organize your accounts and have a hierarchy not only for bills to roll up to a single paying account, but also to set up a way to add new accounts programmatically.&lt;/p&gt;
&lt;p&gt;For the purposes of this discussion, take a look at my AWS lab account structure.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://assets.theithollow.com/wp-content/uploads/2018/02/AWS-AcctSetup0.png&#34;&gt;&lt;img loading=&#34;lazy&#34; src=&#34;https://assets.theithollow.com/wp-content/uploads/2018/02/AWS-AcctSetup0.png&#34;&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;From the AWS Organizations Console we can see the account structure as well.&lt;/p&gt;
&lt;p&gt;&lt;a href=&#34;https://assets.theithollow.com/wp-content/uploads/2018/02/AWS-AcctSetup1-mask.png&#34;&gt;&lt;img loading=&#34;lazy&#34; src=&#34;https://assets.theithollow.com/wp-content/uploads/2018/02/AWS-AcctSetup1-mask.png&#34;&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I need to create a new account in a new OU under my master billing account. This can be accomplished through the console, but it can also be done through the AWS CLI, which is what I&amp;rsquo;ll do here. NOTE: This can be done through the API as well which can be really useful for automating the building of new accounts.&lt;/p&gt;</description>
    </item>
    <item>
      <title>An Introduction to AWS CloudFormation Change Sets</title>
      <link>https://theithollow.com/2018/01/22/introduction-aws-cloudformation-change-sets/</link>
      <pubDate>Mon, 22 Jan 2018 15:05:12 +0000</pubDate>
      <guid>https://theithollow.com/2018/01/22/introduction-aws-cloudformation-change-sets/</guid>
      <description>&lt;p&gt;If you&amp;rsquo;ve done any work in Amazon Web Services you probably know the importance of CloudFormation (CFn) as part of your Infrastructure as Code (IaC) strategy. CloudFormation provides a JSON or YAML formatted document which describes the AWS infrastructure that you want to deploy. If you need to re-deploy the same infrastructure across production and development environments, this is pretty easy since the configuration is in a template stored in your source control.&lt;/p&gt;</description>
    </item>
    <item>
      <title>In the Cloud World, It&#39;s Cheaper to Upgrade</title>
      <link>https://theithollow.com/2018/01/16/cloud-world-cheaper-upgrade/</link>
      <pubDate>Tue, 16 Jan 2018 15:10:26 +0000</pubDate>
      <guid>https://theithollow.com/2018/01/16/cloud-world-cheaper-upgrade/</guid>
      <description>&lt;p&gt;If you&amp;rsquo;ve been in technology for a while, you&amp;rsquo;ve probably had to go through a hardware refresh cycle at some point. These cycles usually meant taking existing hardware, doing some capacity planning exercises and setting out to buy new hardware that is supported by the vendors. This process was usually lengthy and made CIOs break into a cold sweat just thinking about paying for more hardware, that&amp;rsquo;s probably just meant to keep the lights on. Whenever I first learned of a hardware refresh cycle, my first thoughts were &amp;ldquo;Boy, this sounds expensive!&amp;rdquo;&lt;/p&gt;</description>
    </item>
    <item>
      <title>Use Amazon CloudWatch Logs Metric Filters to Send Alerts</title>
      <link>https://theithollow.com/2017/12/11/use-amazon-cloudwatch-logs-metric-filters-send-alerts/</link>
      <pubDate>Mon, 11 Dec 2017 16:14:47 +0000</pubDate>
      <guid>https://theithollow.com/2017/12/11/use-amazon-cloudwatch-logs-metric-filters-send-alerts/</guid>
      <description>&lt;p&gt;With all of the services that Amazon has to offer, it can sometimes be difficult to manage your cloud environment. Face it, you need to manage multiple regions, users, storage buckets, accounts, instances and the list just keeps going on. Well the fact that the environment can be so vast might make it difficult to notice if something nefarious is going on in your cloud. Think of it this way, if a new EC2 instance was deployed in one of your most used regions, you might see it and wonder what it was, but if that instance (or 50 instances) was deployed in a region that you never log in to, would you notice that?&lt;/p&gt;</description>
    </item>
    <item>
      <title>Use AWS Config Managed Rules to Protect Your Accounts</title>
      <link>https://theithollow.com/2017/11/27/use-aws-config-managed-rules-protect-accounts/</link>
      <pubDate>Mon, 27 Nov 2017 15:10:54 +0000</pubDate>
      <guid>https://theithollow.com/2017/11/27/use-aws-config-managed-rules-protect-accounts/</guid>
      <description>&lt;p&gt;If you&amp;rsquo;re an Amazon Web Services customer and you&amp;rsquo;re not using the built-in AWS Config rules, you should be. AWS Config is a service that shows you the configuration changes that have happened on your AWS accounts, whether that&amp;rsquo;s changes to your user accounts, changes to networks, modifications to S3 buckets or plenty of other configurations. AWS Config will keep this audit log of your changes in a specified S3 bucket which could be used for all sorts of other solutions such as updating your ServiceNow configuration management database. See &lt;a href=&#34;http://www.servicenow.com/solutions/technology-solutions/lifecycle-management/cloud-lifecycle.html&#34;&gt;this post from ServiceNow&lt;/a&gt; on some details of the solution.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Dedicated Hosts</title>
      <link>https://theithollow.com/2017/11/13/aws-dedicated-hosts/</link>
      <pubDate>Mon, 13 Nov 2017 15:15:46 +0000</pubDate>
      <guid>https://theithollow.com/2017/11/13/aws-dedicated-hosts/</guid>
      <description>&lt;p&gt;Sometimes it&amp;rsquo;s just not desirable to have your Amazon EC2 instances deployed all willy-nilly across the AWS infrastructure. Sure it&amp;rsquo;s nice not having to manage the underlying infrastructure but in some cases you actually need to be able to manage the hosts themselves. One example is when you have licensing that is &amp;ldquo;old-fashioned&amp;rdquo; and uses physical core counts. With the default tenancy model, host core counts just don&amp;rsquo;t make sense, so what can we do?&lt;/p&gt;</description>
    </item>
    <item>
      <title>Manage vSphere Virtual Machines through AWS SSM</title>
      <link>https://theithollow.com/2017/11/06/manage-vsphere-virtual-machines-aws-ssm/</link>
      <pubDate>Mon, 06 Nov 2017 15:15:18 +0000</pubDate>
      <guid>https://theithollow.com/2017/11/06/manage-vsphere-virtual-machines-aws-ssm/</guid>
      <description>&lt;p&gt;Amazon Web Services has some great tools to help you operate your EC2 instances with their Simple Systems Manager services. These services include ensuring &lt;a href=&#34;https://theithollow.com/2017/07/24/patch-compliance-ec2-systems-manager/&#34;&gt;patches are deployed&lt;/a&gt; within maintenance windows specified by you, &lt;a href=&#34;https://theithollow.com/2017/09/26/aws-ec2-systems-manager-state-manager/&#34;&gt;automation routines&lt;/a&gt; that are used to ensure state and &lt;a href=&#34;https://theithollow.com/2017/07/17/run-commands-ec2-systems-manager/&#34;&gt;run commands&lt;/a&gt; on a fleet of servers through the AWS console. These tools are great but wouldn&amp;rsquo;t it be even better if I could use these tools to manage my VMware virtual machines too? Well, you&amp;rsquo;re in luck, because EC2 SSM can do just that and better yet, the service itself is free! Now, if you&amp;rsquo;ve followed along with the &amp;quot;&lt;a href=&#34;https://theithollow.com/2017/10/02/aws-ec2-simple-systems-manager-reference/&#34;&gt;AWS EC2 Simple Systems Manager Reference&lt;/a&gt;&amp;quot; guide you&amp;rsquo;ve probably already seen the goodies that we&amp;rsquo;ve got available, so this post is used to show you how you can use these same tools on your vSphere, Hyper-V or other on-premises platforms.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Move an EC2 Instance to Another Region</title>
      <link>https://theithollow.com/2017/10/23/move-ec2-instance-another-region/</link>
      <pubDate>Mon, 23 Oct 2017 14:12:31 +0000</pubDate>
      <guid>https://theithollow.com/2017/10/23/move-ec2-instance-another-region/</guid>
      <description>&lt;p&gt;Sometimes, you just need to change the data center where you&amp;rsquo;re running your virtual machines. You could be doing this for disaster recovery reasons, network latency reasons, or just because you&amp;rsquo;re shutting down a region. In an on-prem environment, you might move workloads to a different data center by vMotion, VMware Site Recovery Manager, Zerto, Recoverpoint for VMs, Veeam, or one of the other great tools for a virtualized environment. But how about if that VM is running in an AWS region and you want to move it to another region?&lt;/p&gt;</description>
    </item>
    <item>
      <title>Understanding AWS Tenancy</title>
      <link>https://theithollow.com/2017/10/16/understanding-aws-tenancy/</link>
      <pubDate>Mon, 16 Oct 2017 15:00:10 +0000</pubDate>
      <guid>https://theithollow.com/2017/10/16/understanding-aws-tenancy/</guid>
      <description>&lt;p&gt;When it comes to deploying EC2 instances within Amazon Web Services VPCs, you may find yourself confused when presented with those tenancy options. This post aims to describe the different options that you have with AWS tenancy and how they might be used.&lt;/p&gt;
&lt;p&gt;First and foremost, what do we mean by tenancy? Well, tenancy determines who is the owner of a resource. It might be easiest to think of tenancy in terms of housing. For instance if you have a house then you could consider it a dedicated tenant since only one family presumably lives there. However, if you have an apartment building, there is a good chance that several families have rooms in a single building which would be more like a shared tenancy model.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS EC2 Simple Systems Manager Reference</title>
      <link>https://theithollow.com/2017/10/02/aws-ec2-simple-systems-manager-reference/</link>
      <pubDate>Mon, 02 Oct 2017 14:07:07 +0000</pubDate>
      <guid>https://theithollow.com/2017/10/02/aws-ec2-simple-systems-manager-reference/</guid>
      <description>&lt;p&gt;Please use this post as a landing page to get you started with using the EC2 Simple Systems Manager services from Amazon Web Services. Simple Systems Manager or (SSM) is a set of services used to manage EC2 instances as well as on-premises machines (known as managed instances) with the SSM agent installed on them. You can use these services to maintain state, run ad-hoc commands, and configure patch compliance among other things.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS EC2 Systems Manager - State Manager</title>
      <link>https://theithollow.com/2017/09/26/aws-ec2-systems-manager-state-manager/</link>
      <pubDate>Tue, 26 Sep 2017 14:06:57 +0000</pubDate>
      <guid>https://theithollow.com/2017/09/26/aws-ec2-systems-manager-state-manager/</guid>
      <description>&lt;p&gt;Sometimes you need to ensure that things are always a certain way when you deploy AWS EC2 instances. This could be things like making sure your servers are always joined to a domain when being deployed, or making sure you run an Ansible playbook every hour. The point of the AWS EC2 SSM State Manager service is to define a consistent state for your EC2 instances.&lt;/p&gt;
&lt;p&gt;This post will use a fictional use case where I have an EC2 instance or instances that are checking every thirty minutes to see if they should use a new image for their Apache website. The instance will check against the EC2 Simple Systems Manager Parameter Store, which we&amp;rsquo;ve discussed in a &lt;a href=&#34;https://theithollow.com/2017/09/11/ec2-systems-manager-parameter-store/&#34;&gt;previous post&lt;/a&gt;, and will download the image from the S3 location retrieved from that parameter.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS EC2 Simple Systems Manager Documents</title>
      <link>https://theithollow.com/2017/09/18/aws-ec2-simple-systems-manager-documents/</link>
      <pubDate>Mon, 18 Sep 2017 14:32:16 +0000</pubDate>
      <guid>https://theithollow.com/2017/09/18/aws-ec2-simple-systems-manager-documents/</guid>
      <description>&lt;p&gt;Amazon Web Services uses Systems Manager Documents to define actions that should be taken on your instances. This could be a wide variety of actions including updating the operating system, copying files such as logs to another destination or re-configuring your applications. These documents are written in JavaScript Object Notation (JSON) and are stored within AWS for use with the other Simple Systems Manager (SSM) services such as the Automation Service or Run command.&lt;/p&gt;</description>
    </item>
    <item>
      <title>EC2 Systems Manager Parameter Store</title>
      <link>https://theithollow.com/2017/09/11/ec2-systems-manager-parameter-store/</link>
      <pubDate>Mon, 11 Sep 2017 14:15:52 +0000</pubDate>
      <guid>https://theithollow.com/2017/09/11/ec2-systems-manager-parameter-store/</guid>
      <description>&lt;p&gt;Generally speaking, when you deploy infrastructure through code, or run deployment scripts you&amp;rsquo;ll need to have a certain amount of configuration data. Much of your code will have install routines but what about the configuration information that is specific to your environment? Things such as license keys, service accounts, passwords, or connection strings are commonly needed when connecting multiple services together. So how do you code that exactly? Do you pass the strings in at runtime as a parameter and then hope to remember those each time you execute code? Do you bake those strings into the code and then realize that you&amp;rsquo;ve got sensitive information stored in your deployment scripts?&lt;/p&gt;</description>
    </item>
    <item>
      <title>Patch Compliance with EC2 Systems Manager</title>
      <link>https://theithollow.com/2017/07/24/patch-compliance-ec2-systems-manager/</link>
      <pubDate>Mon, 24 Jul 2017 14:05:31 +0000</pubDate>
      <guid>https://theithollow.com/2017/07/24/patch-compliance-ec2-systems-manager/</guid>
      <description>&lt;p&gt;Deploying security patches to servers is almost as much fun as managing backup jobs. But everyone has to do it, including companies that have moved their infrastructure to AWS. As we&amp;rsquo;ve learned with previous posts, Amazon EC2 Systems Manager allows us to use some native AWS tools for management of our EC2 instances, and patch management is no exception.&lt;/p&gt;
&lt;p&gt;EC2 Systems Manager allows you to do patch compliance where you can set a baseline and then based on a defined maintenance window a scheduled scan and deployment can be initiated on those EC2 instances. This assumes that you&amp;rsquo;ve already installed the SSM Agent and set up the basic IAM permissions for the instances to communicate with the Systems Manager service. The details can be found in the previous post.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Run Commands through EC2 Systems Manager</title>
      <link>https://theithollow.com/2017/07/17/run-commands-ec2-systems-manager/</link>
      <pubDate>Mon, 17 Jul 2017 14:05:12 +0000</pubDate>
      <guid>https://theithollow.com/2017/07/17/run-commands-ec2-systems-manager/</guid>
      <description>&lt;p&gt;In a previous post we covered the different capabilities and basic setup of EC2 Systems Manager, including the IAM roles that needed to be created and the installation of the SSM Agent. In this post we&amp;rsquo;ll focus on running some commands through the EC2 Systems Manager Console.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;ve already got an Amazon Linux instance deployed within our VPC. I&amp;rsquo;ve placed this instance in a public facing subnet and it is a member of a security group that allows HTTP traffic over port 80.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Amazon EC2 Systems Manager Services</title>
      <link>https://theithollow.com/2017/07/10/amazon-ec2-systems-manager-services/</link>
      <pubDate>Mon, 10 Jul 2017 14:05:29 +0000</pubDate>
      <guid>https://theithollow.com/2017/07/10/amazon-ec2-systems-manager-services/</guid>
      <description>&lt;p&gt;We love Amazon EC2 instances because of how easy they are to deploy and we have a huge catalog of templates (AMIs) to choose from which really speeds up our provisioning. But once those instances are up and running it would be really nice to have some methods of managing those instances. Luckily, Amazon has developed several capabilities to help manage Amazon EC2 instances after they&amp;rsquo;ve been deployed. These capabilities are used to execute scripts, manage patches and kick off automation routines within an EC2 instance, directly from the AWS console.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Migrate vSphere VMs to Amazon with AWS Server Migration Service</title>
      <link>https://theithollow.com/2017/06/26/migrate-vsphere-vms-amazon-aws-server-migration-service/</link>
      <pubDate>Mon, 26 Jun 2017 14:05:01 +0000</pubDate>
      <guid>https://theithollow.com/2017/06/26/migrate-vsphere-vms-amazon-aws-server-migration-service/</guid>
      <description>&lt;p&gt;AWS is taking the virtualization world by storm. Workloads that used to get spun up on vSphere are now being deployed in AWS in many cases. But what if you&amp;rsquo;ve got workloads in vSphere that need to be moved? Sure, it probably makes sense to build new servers in AWS and decommission the old ones but sometimes it&amp;rsquo;s OK to lift and shift. Amazon has a service that can help with this process called the AWS Server Migration Service.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Setup Amazon Storage Gateway</title>
      <link>https://theithollow.com/2017/06/13/setup-amazon-storage-gateway/</link>
      <pubDate>Tue, 13 Jun 2017 14:10:17 +0000</pubDate>
      <guid>https://theithollow.com/2017/06/13/setup-amazon-storage-gateway/</guid>
      <description>&lt;p&gt;Amazon&amp;rsquo;s S3 is a cost-effective way to store files but many organizations are used to mapping NFS shares to machines for file storage purposes. Amazon Storage Gateways are a good way to cache or store files on an NFS mount and then back them up to an S3 bucket. This post goes through the setup of an AWS Storage Gateway in an EC2 instance for caching files and storing them in an S3 bucket. This same solution (and a similar but different process) can be used to mount block devices through iSCSI or set up a Tape Gateway for backup products.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Using Packer to Create vSphere and AWS Images</title>
      <link>https://theithollow.com/2017/03/06/using-packer-create-vsphere-aws-images/</link>
      <pubDate>Mon, 06 Mar 2017 15:15:52 +0000</pubDate>
      <guid>https://theithollow.com/2017/03/06/using-packer-create-vsphere-aws-images/</guid>
      <description>&lt;p&gt;&lt;a href=&#34;https://www.packer.io/&#34;&gt;Packer&lt;/a&gt; is a free tool from &lt;a href=&#34;https://www.hashicorp.com/&#34;&gt;HashiCorp&lt;/a&gt; that allows you to build new images. Keeping base vSphere templates up to date is not too difficult of a task for many, but as we add things like AWS accounts and regions, it&amp;rsquo;s pretty easy to have sprawl to deal with. We&amp;rsquo;d like to make sure that an image in our vSphere datacenter looks the same as an image in our public clouds.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Service Catalog</title>
      <link>https://theithollow.com/2017/02/27/aws-service-catalog/</link>
      <pubDate>Mon, 27 Feb 2017 15:06:51 +0000</pubDate>
      <guid>https://theithollow.com/2017/02/27/aws-service-catalog/</guid>
      <description>&lt;p&gt;Many cloud initiatives require having a portal for users to choose which workloads can be deployed. Think of this as a supermarket full of servers, networks, databases, or all of the above. There are product offerings from VMware, Cisco, RightScale and Red Hat, used for these deployment methodologies. If you&amp;rsquo;re an AWS customer though, you&amp;rsquo;ve got your own catalog available from the native AWS tools called the &amp;ldquo;Service Catalog&amp;rdquo; service. This service enables you to deploy and publish &lt;a href=&#34;https://aws.amazon.com/cloudformation/&#34;&gt;CloudFormation templates&lt;/a&gt; for your users so that they don&amp;rsquo;t have to know how RDS, or EC2 instances work. They can select from the catalog and deploy anything you can build in an Amazon CFT. Think of the possibilities.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS Step Functions</title>
      <link>https://theithollow.com/2017/01/17/aws-step-functions/</link>
      <pubDate>Tue, 17 Jan 2017 15:01:40 +0000</pubDate>
      <guid>https://theithollow.com/2017/01/17/aws-step-functions/</guid>
      <description>&lt;p&gt;This year at AWS re:Invent Amazon announced a new service called &lt;a href=&#34;https://aws.amazon.com/step-functions/&#34;&gt;Step Functions&lt;/a&gt;. According to AWS, Step Functions is an easy way to coordinate the components of distributed applications and microservices using visual workflows. That pretty much sums it up! When you&amp;rsquo;ve got a series of small microservices that need to be coordinated, it can be tricky to write this code into each lambda function to call the next function. Step Functions gives you a visual editor to manage the calls to multiple Lambda functions to make your life easier. I&amp;rsquo;ve written about this before on the &lt;a href=&#34;https://www.thinkahead.com/blog/visual-orchestration-aws/&#34;&gt;AHEAD blog&lt;/a&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>AWS PowerShell Console with XAML</title>
      <link>https://theithollow.com/2016/11/29/aws-powershell-console-xaml/</link>
      <pubDate>Tue, 29 Nov 2016 15:05:49 +0000</pubDate>
      <guid>https://theithollow.com/2016/11/29/aws-powershell-console-xaml/</guid>
      <description>&lt;p&gt;I&amp;rsquo;ve always liked the idea of taking a series of Microsoft PowerShell scripts and putting them behind a user interface so that I can give the tool to other users. I&amp;rsquo;m not sure why this idea appeals to me, but probably because it makes me feel like a programmer, if only for a little while. I came across this &lt;a href=&#34;https://foxdeploy.com/2015/04/10/part-i-creating-powershell-guis-in-minutes-using-visual-studio-a-new-hope/&#34;&gt;post&lt;/a&gt; by &lt;a href=&#34;https://twitter.com/foxdeploy&#34;&gt;Stephen Owen&lt;/a&gt; and I had to try it out.&lt;/p&gt;
&lt;p&gt;The project that I picked for this was based on the AWS PowerShell tools that I hadn&amp;rsquo;t used yet. Let&amp;rsquo;s face it, this is a good way to check out two different things I didn&amp;rsquo;t have much experience with: the AWS PowerShell Tools and XAML for creating GUIs.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Execute vRO Workflow from AWS Lambda</title>
      <link>https://theithollow.com/2016/07/26/vro_from_aws_lambda/</link>
      <pubDate>Tue, 26 Jul 2016 14:00:15 +0000</pubDate>
      <guid>https://theithollow.com/2016/07/26/vro_from_aws_lambda/</guid>
      <description>&lt;p&gt;The use cases here are open for debate, but you can set up a serverless call to vRealize Orchestrator to execute your custom orchestration tasks. Maybe you&amp;rsquo;re integrating this with an &lt;a href=&#34;http://amzn.to/2a0VHhe&#34;&gt;Amazon IoT button&lt;/a&gt;, or you want voice deployments with &lt;a href=&#34;http://amzn.to/2a0VFG8&#34;&gt;Amazon Echo&lt;/a&gt;, or maybe you&amp;rsquo;re just trying to provide access to your workflows based on a CloudWatch event in Amazon. In any case, it is possible to set up an Amazon Lambda call to execute a vRO workflow. In this post, we&amp;rsquo;ll actually build a Lambda function that executes a vRO workflow that deploys a CentOS virtual machine in vRealize Automation, but the workflow could really be anything you want.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
