CloudHealth. AWS and Azure On-Boarding


Contents

1. Enabling AWS Accounts
  1.1 Setup Usage & Billing Reports
  1.2 Setting Up a Read-Only IAM Role
  1.3 CloudTrail Setup
  1.4 Cost and Usage Report (CUR) Configuration
2. Enabling Azure Accounts
  2.1 Configure Azure Account for Enterprise Agreement
    2.1.1 Prerequisites
    2.1.2 Get Enrollment Number and API Access Key
    2.1.3 Get Enrollment Start Date and Commitment Amount
    2.1.4 Connect Azure Enrollment to CloudHealth Platform
  2.2 Configure Azure Account through Service Principals
  2.3 Configure Service Principals Using Azure Portal
  2.4 Azure VM Metrics Collection with Azure Monitoring
  2.5 Azure VM Metrics Collection with the CloudHealth Agent

Page 2 of 15, Issue No: 1.1 Issue Date: 09/08/2017: CLASSIFIED: CONFIDENTIAL

1. Enabling AWS Accounts

1.1 Setup Usage & Billing Reports

Note: if this is a linked account (that is, not a consolidated or standalone account), you can jump ahead to Setting Up a Read-Only IAM User.

ANS require the billing bucket name in order to configure CloudHealth. You can obtain your billing bucket name as follows:

1. In the AWS Console, from the drop-down menu located under your user name in the top-right, go to the My Account page.
2. From the menu on the left, click Preferences.
3. If Receive Billing Reports is checked, make a note of the name of the billing bucket (from the Save to S3 bucket field). Please provide the billing bucket name to ANS.
4. In the AWS Console, make sure these three boxes are checked:
   - Monthly report
   - Detailed billing report
   - Detailed billing report with resources and tags
5. ANS will use the bucket name to create the policy required for creation of the IAM Role in the next step.

1.2 Setting Up a Read-Only IAM Role

Now that usage and billing reports are properly configured, we need to create a read-only IAM Role within the AWS Console for our target account. The steps below walk you through creating an IAM Role for this account using our best-practice least-privilege approach. (Note: the default AWS Read Only policy provides read access to data, such as S3 objects, and so is strongly discouraged from being used here.)

1. Log in to the AWS Console for the targeted account as a user that has permission to create an IAM Role. Go to the IAM service, click Policies from the navigation menu and click Create Policy.
2. Select Create Your Own Policy to create a custom policy to support the role.
3. Provide the policy with a Name (e.g. ANS-CloudHealth) and Description.
4. Paste the policy provided by ANS into the Policy Document field.

5. Click Create Policy.
6. Click Roles and Create New Role.
7. Provide the role a Name (e.g. ANS-CloudHealth) and click Next.
8. Under the header Roles for Cross-Account Access, click Select for the role type Allows IAM users from a 3rd party AWS account to access this account.
9. For Account ID, enter the account number 454464851268, which is a secured CloudHealth-managed account, and provide an External ID of your choosing (the External ID acts as a kind of password for this role). The External ID is not required but is highly recommended as a good security practice. It is up to you to choose an External ID for your account.

Note: Since this role will be used to provide programmatic access to CloudHealth, it is important not to select the Require MFA option.

10. From Filters select Customer Managed Policies, choose the ANS-CloudHealth policy you created in the previous steps, and click Next.
11. Before clicking Create Role, make a note of the Role ARN.
12. Please provide the Role ARN and External ID to ANS for use in setting up your account.
13. ANS will complete the creation of your account in CloudHealth.

1.3 CloudTrail Setup

ANS can collect and report on CloudTrail data in order to make it easy for you to identify who launched or shut down infrastructure, or made security changes across your infrastructure.

1. For each account with a CloudTrail bucket, go to the AWS Console, open the CloudTrail service, and find the name and prefix for the S3 bucket configured to store the CloudTrail logs. Click on the edit icon (see upper right corner of the below screenshot).
2. The edit settings will provide the S3 bucket name and any custom Log File prefix (if configured). See the below screenshot. Make a note of these and provide ANS with the details.

3. ANS will provide you with a policy associated with the IAM user or IAM role for this account to grant permission to read from the CloudTrail bucket.

1.4 Cost and Usage Report (CUR) Configuration

AWS Cost and Usage Reports provide comprehensive data about your costs, including those related to product, pricing, and usage. In order for ANS to report on the information included in the CUR, your AWS account must be configured to create Cost and Usage Reports and make them available for consumption by ANS.

1. Log in to the AWS Console as an administrator and navigate to the Billing & Cost Management Dashboard.
2. From the left menu, select Reports and click Create report.

3. Fill out the configuration form.
   - Report Name: Use an easily identifiable name, for example, cloudhealth-hourly-cur.
   - Time Unit: Select Hourly.
   - Check the box next to Include Resource ID.
   - Click Next.

4. Select delivery options.
   - S3 Bucket: Enter the name of the S3 bucket that the CloudHealth platform is currently using to process the DBR. If you prefer to create a new bucket, see Enable Billing Bucket for Amazon Account.
   - Report path prefix: Enter a unique prefix, preferably different from the one used for your current DBR.
   - Compression: Select GZIP.
5. Click Next to review your configuration, then click Review and Complete.
6. Provide ANS with the following information:
   - Bucket Name: Name of the S3 bucket that stores the hourly CUR data.
   - Report Prefix: The prefix to the CUR data in the S3 bucket.
   - Report Name: Name of the CUR report.
7. ANS will use the provided information to create an updated version of the policy applied to the IAM Role created in section 1.2 of this document.

1.5 CloudHealth Agent

ANS require the installation of the CloudHealth agent on EC2 instances to be monitored. The CloudHealth agent monitors CPU, Memory, Disk and Network activity on an instance and helps to build a more accurate picture when making rightsizing recommendations. Please contact ANS to discuss deployment options for the CloudHealth agent.
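The cross-account role from section 1.2 and the policies attached to it in sections 1.2 to 1.4 can be checked offline before the Role ARN is handed over. The Python below is an added example, not part of the original guide or of ANS's or CloudHealth's tooling: it audits a trust policy for the trusted account, the External ID condition and an accidental MFA requirement, and audits a permission policy for object reads outside named buckets. The function names, sample policies, bucket name and External ID value are constructed for illustration.

```python
from fnmatch import fnmatchcase

CLOUDHEALTH_ACCOUNT_ID = "454464851268"  # account number from step 9 of section 1.2

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_account=CLOUDHEALTH_ACCOUNT_ID):
    """Findings for the role's trust policy (who may assume it, and how)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in trusted:
            parts = arn.split(":")
            account = parts[4] if len(parts) > 5 else arn  # full ARN or bare account ID
            if account != expected_account:
                findings.append(f"unexpected trusted principal: {arn}")
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "sts:externalid" not in keys:
            findings.append("no sts:ExternalId condition")
        if "aws:multifactorauthpresent" in keys:
            findings.append("MFA condition blocks programmatic access")
    return findings

def audit_permission_policy(policy, allowed_buckets):
    """Findings for object reads (s3:GetObject) outside the named buckets."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("s3:getobject", a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if not any(res == f"arn:aws:s3:::{b}" or res.startswith(f"arn:aws:s3:::{b}/")
                       for b in allowed_buckets):
                findings.append(f"object reads allowed on {res}")
    return findings

# Constructed sample policies; bucket name and External ID are placeholders.
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::454464851268:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
WEAK_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::454464851268:root"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
BROAD_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
    "Resource": "*"}]}
SCOPED_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-billing-bucket",
                 "arn:aws:s3:::example-billing-bucket/*"]}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST), ("weak", WEAK_TRUST)):
        print(name, audit_trust_policy(doc))
    for name, doc in (("broad", BROAD_READ), ("scoped", SCOPED_READ)):
        print(name, audit_permission_policy(doc, ["example-billing-bucket"]))
```

The trust policy of an existing role can be exported from the role's Trust relationships tab in the IAM console and passed to `audit_trust_policy` as parsed JSON.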

2. Enabling Azure Accounts

2.1 Configure Azure Account for Enterprise Agreement

Note: If you do not have an Enterprise Agreement, skip to section 2.2 - Configure Azure Account through Service Principals.

2.1.1 Prerequisites

- Confirm access to the Azure Enterprise Agreement Portal.
- Get Enrollment Number
- Get API Access Key
- API Access Key Expiration Date

2.1.2 Get Enrollment Number and API Access Key

To connect your Azure environment to the CloudHealth platform, you need two pieces of information: your Enrollment Number and API Access Key.

1. Log into the Azure Enterprise Agreement Portal.
2. From the left menu, click Manage.
3. On the Manage page, select the Enrollment tab, and locate your Enrollment Number. Copy this number into a text document.
4. From the left menu, click Report.
5. On the Report page, select the Download Usage tab, and click API Access Key. Then click Expand Key to display the entire key.

There are two API keys on the page. Which one to use?
Both API keys provide read-only access to your Azure environment. Use either key to connect to the CloudHealth platform.

What privileges should the user generating the API key have?
The user generating the API keys must be an Azure administrator, so that the CloudHealth platform has read access to all the subscriptions, accounts, and departments.

What is the significance of API key regeneration?
Microsoft requires that all keys be regenerated every 6 months. If your API key expires, the connection between your Azure environment and the CloudHealth platform breaks. No reports are generated during the period when the key has expired. To ensure that your API keys are always active, consider staggering their expiration dates and scheduling reminders for regenerating them. ANS will also contact you with a reminder when the API keys provided are due to expire.

2.1.3 Get Enrollment Start Date and Commitment Amount

1. Log into the Azure Enterprise Agreement Portal.
2. From the left menu, click Manage.
3. On the Manage page, select the Enrollment tab, and locate the start and end dates. If the start date is before the current year, it is necessary to input the start date of the commitment plus the current year.

4. From the left menu, click Reports.
5. The CloudHealth Burndown Report only tracks the current commitment year. If you purchased a multi-year commitment, first select the current year in the top-left of the chart area. Then, highlight the earliest point on the annual commitment chart. The New Purchases value indicates the commitment amount.

2.1.4 Connect Azure Enrollment to CloudHealth Platform

ANS will configure the Azure Account in AWS. Please provide the following information obtained in sections 2.1.2 and 2.1.3:

- Enrollment ID
- Access Key
- Commitment Amount: the commitment amount for your Azure enrollment.
- Start Date: the commitment start date for the Azure enrollment. If the start date is before the current year, enter the start date of the commitment plus the current year.

2.2 Configure Azure Account through Service Principals

To agentlessly collect usage and performance data from your Azure assets, CloudHealth provides the capability to configure Azure Service Principals. Service Principals give the CloudHealth platform the ability to scan your Azure subscriptions and collect usage and performance data on a regular cadence. You can also use this approach to configure Pay-As-You-Go accounts for use within CloudHealth.

Then, configure an Active Directory application for CloudHealth in order to gather usage and performance metrics through Azure Service Principals. The Active Directory application is the global representation of your application. It contains the credentials (an application ID and either a password or certificate). The service principal is the local representation of your application in an Active Directory. It contains the role assignment.

2.3 Configure Service Principals Using Azure Portal

Note: When signing into the Azure Portal, use an account that satisfies both these conditions:

- The account has Global administrator privileges in your Active Directory tenant.
- The account has access to the subscriptions that you want to manage through the CloudHealth platform.

1. Log in to the Microsoft Azure Portal.
2. From the left menu, select Azure Active Directory service.
3. Navigate to the App Registrations page by clicking either the menu item or the live tile.
4. Click Add at the top of the App Registrations page to begin creating a service principal. If you have multiple directories, name the Service Principal after the respective directory; otherwise, enter a friendly name.

5. For the Sign-on URL, enter https://apps.cloudhealthtech.com. Then, click Create.
   Note: If you have subscriptions in multiple directories, add a service principal for each directory.
6. Open the Service Principal you just created.
7. Make a note of the Display Name and Application ID. This information is required by ANS.
8. On the App Registrations page in the Azure Portal, open the Endpoints blade next to the Add button. Make a note of the OAuth 2.0 Authorization Endpoint as this is also required by ANS.
9. Generate a key for CloudHealth to use for authentication. Open the Keys menu in the Service Principal.
10. Give the key a description and select a duration. Click Save, then make a note of the newly generated key and provide that to ANS.
11. Assign a Reader role to the Service Principal for all subscriptions in the directory.
    - Copy the Application ID of the Service Principal.
    - From the menu, navigate to the Subscriptions Service.
    - Select your subscription and open the Access Control (IAM) page.
    - Click Add, select Reader, and paste the Application ID.
    - Select the service principal and click Save.
12. Enable diagnostics on the VM instance so that CloudHealth can collect the performance data agentlessly. For instructions, see Azure Diagnostic Logs. Once enabled, it will take up to 24 hours for CloudHealth to begin populating usage and performance data into reports.

2.4 Azure VM Metrics Collection with Azure Monitoring

CloudHealth can ingest and analyse VM performance metric data that has been saved by Azure Diagnostics in storage tables. To understand Azure diagnostics and monitoring capabilities, see How to Monitor Cloud Services.

To get the most from CloudHealth performance-related features, such as Rightsizing recommendations, basic metrics need to be enabled for VMs. For specific VMs, this can be done in the portal by viewing that VM and then checking Basic metrics under Monitoring > Diagnostics.

For managing metrics collection for large numbers of VMs, use the Azure Diagnostic Extension in a resource manager template. For instructions, see Add the Azure Diagnostics extension to the VM resource definition.

2.5 Azure VM Metrics Collection with the CloudHealth Agent

If you prefer not to configure an Azure Service Principal and enable diagnostics, as described above, but still wish to receive performance data on your Azure assets, you may instead install the CloudHealth Agent. You can deploy the lightweight CloudHealth Agent to collect granular metrics on CPU, memory, disk, and network usage. The agent supports both Linux and Windows VMs running in Azure. For more information, see CloudHealth Monitoring Agent.

2.6 CloudHealth Agent

ANS require the installation of the CloudHealth agent on Virtual Machines to be monitored. The CloudHealth agent monitors CPU, Memory, Disk and Network activity on an instance and helps to build a more accurate picture when making rightsizing recommendations. Please contact ANS to discuss deployment options for the CloudHealth agent.
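Step 11 of section 2.3 grants the service principal Reader on every subscription, and nothing more. The Python below is an added example, not part of the original guide: it checks a list of role assignments for that outcome, flagging any role other than Reader and any subscription with no subscription-level Reader assignment. It assumes the assignments are parsed JSON in the shape printed by `az role assignment list` (fields `principalId`, `roleDefinitionName`, `scope`) and that the principal is identified by its object ID; all IDs and names in the sample are constructed.

```python
READER = "Reader"

def audit_reader_assignments(assignments, principal_id, subscription_ids):
    """Compare a principal's role assignments with the Reader-only setup of step 11."""
    findings, covered = [], set()
    for item in assignments:
        if item.get("principalId") != principal_id:
            continue  # assignment belongs to some other identity
        role, scope = item.get("roleDefinitionName"), item.get("scope", "")
        parts = scope.strip("/").split("/")
        if role != READER:
            findings.append(f"{role} at {scope}: more than step 11 grants")
        elif len(parts) == 2 and parts[0].lower() == "subscriptions":
            covered.add(parts[1].lower())
        # Reader on a resource group or single resource does not cover the subscription.
    for sub in sorted(s.lower() for s in subscription_ids):
        if sub not in covered:
            findings.append(f"no subscription-level Reader on {sub}")
    return findings

# Constructed sample data (placeholder GUIDs, hypothetical resource group name).
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
SAMPLE_ASSIGNMENTS = [
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB_A}"},
    {"principalId": SP_OBJECT_ID, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_B}/resourceGroups/rg-app"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_B}"},
]

if __name__ == "__main__":
    for line in audit_reader_assignments(SAMPLE_ASSIGNMENTS, SP_OBJECT_ID, [SUB_A, SUB_B]):
        print(line)
```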