You can configure the following cloud service providers in the Aquila Clouds platform.

  • Amazon Web Services (AWS)
  • Microsoft Azure

Configuring AWS in Aquila Clouds

To configure AWS in Aquila Clouds, perform the following tasks:

  • Identify the permissions required in AWS
  • Configure IAM role related permissions in AWS
  • Configure access to billing details in AWS
  • Creating IAM role related policy to grant access to the S3 bucket
  • Adding AWS environment to Aquila Clouds

Identify the permissions required in AWS

Before you configure the AWS environment for the Aquila Clouds platform, identify all the permissions your organization requires to monitor and manage its AWS resources effectively.

Permissions for cost recommendations, alerts, utilization, Container and Application dashboard

This section lists the permissions that enable the cost recommendations, alerts and Container and Application dashboards in Aquila Clouds platform for your organization's AWS resources.
ec2:DescribeSnapshots,
ec2:DescribeVolumes,
ec2:DescribeVolumeStatus,
ec2:DescribeSnapshotAttribute,
ec2:DescribeInstances,
ec2:DescribeVolumeAttribute,
ec2:DescribeInstanceStatus,
ec2:DescribeTags,
ecs:List*,
ecs:Describe*,
eks:List*,
eks:Describe*,
ec2:Describe*,
elasticloadbalancing:Describe*,
cloudwatch:ListMetrics,
cloudwatch:GetMetricStatistics,
cloudwatch:GetMetricData,
cloudwatch:Describe*,
autoscaling:Describe*,

Permissions for actions in the Recommendations dashboard and Action console

This section lists the permissions that enable actions in the Recommendations dashboard and Action console in the Aquila Clouds platform for your organization's AWS resources.
ec2:CopySnapshot,
ec2:ModifyVolumeAttribute,
ec2:CreateImage,
ec2:ResetInstanceAttribute,
ec2:CopyImage,
ec2:StartInstances,
ec2:StopInstances,
ec2:ImportSnapshot,
ec2:CreateLaunchTemplateVersion,
ec2:CreateLaunchTemplate,
ec2:ModifyInstanceCreditSpecification,
ec2:AssociateIamInstanceProfile,
ec2:UnmonitorInstances,
ec2:MonitorInstances,
ec2:ReportInstanceStatus,
ec2:DeleteVolume,
ec2:ModifySnapshotAttribute,
ec2:StartInstances,
ec2:CreatePlacementGroup,
ec2:ImportImage,
ec2:DetachVolume,
ec2:ModifyVolume,
ec2:ResetImageAttribute,
ec2:CreateTags,
ec2:RegisterImage,
ec2:ModifyInstanceEventStartTime,
ec2:RunInstances,
ec2:StopInstances,
ec2:CreateVolume,
ec2:EnableVolumeIO,
ec2:AttachVolume,
ec2:ImportVolume,
ec2:RequestSpotInstances,
ec2:DeleteTags,
ec2:RunScheduledInstances,
ec2:RequestSpotFleet,
ec2:ModifyImageAttribute,
ec2:CreateSnapshot,
ec2:ModifyInstanceAttribute,
ec2:ModifyReservedInstances,
ec2:RebootInstances,
ec2:CreateInstanceExportTask,
ec2:ModifyInstancePlacement,
ec2:TerminateInstances,
ec2:ImportInstance,
ec2:ResetSnapshotAttribute,
ec2:ModifyInstanceCapacityReservationAttributes

Comprehensive set of permissions for the entire set of features

This section lists the comprehensive set of permissions for the entire set of features in the Aquila Clouds platform for your organization's AWS resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:CopySnapshot",
"ec2:DescribeInstances",
"ec2:UnmonitorInstances",
"ec2:ModifyVolumeAttribute",
"ec2:MonitorInstances",
"ec2:CreateImage",
"ec2:ResetInstanceAttribute",
"ec2:CopyImage",
"ec2:DescribeSnapshots",
"ec2:ReportInstanceStatus",
"ec2:DeleteVolume",
"ec2:DescribeVolumeStatus",
"ec2:ModifySnapshotAttribute",
"ec2:StartInstances",
"ec2:CreatePlacementGroup",
"ec2:DescribeVolumes",
"ec2:ImportImage",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:ResetImageAttribute",
"ec2:CreateTags",
"ec2:DescribeSnapshotAttribute",
"ec2:RegisterImage",
"ec2:ModifyInstanceEventStartTime",
"ec2:RunInstances",
"ec2:StopInstances",
"ec2:DescribeVolumeAttribute",
"ec2:CreateVolume",
"ec2:EnableVolumeIO",
"ec2:ModifyInstanceCapacityReservationAttributes",
"ec2:AttachVolume",
"ec2:ImportVolume",
"ec2:RequestSpotInstances",
"ec2:DeleteTags",
"ec2:RunScheduledInstances",
"ec2:RequestSpotFleet",
"ec2:ModifyImageAttribute",
"ec2:CreateSnapshot",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyReservedInstances",
"ec2:DescribeInstanceStatus",
"ec2:RebootInstances",
"ec2:CreateInstanceExportTask",
"ec2:ModifyInstancePlacement",
"ec2:TerminateInstances",
"ec2:ImportInstance",
"ec2:DescribeTags",
"ec2:ResetSnapshotAttribute",
"ec2:ImportSnapshot",
"ec2:CreateLaunchTemplateVersion",
"ec2:CreateLaunchTemplate",
"ec2:ModifyInstanceCreditSpecification",
"ec2:AssociateIamInstanceProfile",
"ecs:List*",
"ecs:Describe*",
"eks:List*",
"eks:Describe*",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:GetMetricData",
"cloudwatch:Describe*",
"autoscaling:Describe*",
"ec2:DescribeInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"rds:DescribeReservedDBInstances",
"rds:ListTagsForResource",
"rds:DescribeDBInstances",
"rds:DescribeDBParameters",
"pi:*",
"rds:DescribeDBClusters"
],
"Resource": "*"
}
]
}
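
An added example, not part of the Aquila Clouds documentation: a Python script that splits the actions of a policy like the one above into read-only and mutating ones and flags service-wide wildcards such as pi:*, so a reviewer can see what the role is able to change before attaching the policy. The read-verb list and the sample excerpt are assumptions made for this example.

```python
import json

# Assumption: action names that start with these verbs only read state.
READ_VERBS = ("describe", "list", "get")

# Constructed excerpt of the comprehensive policy above (one duplicate kept on purpose).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances", "ec2:Describe*", "ec2:TerminateInstances",
      "ec2:RunInstances", "ec2:AssociateIamInstanceProfile",
      "cloudwatch:GetMetricData", "ecs:List*", "pi:*",
      "rds:DescribeDBInstances", "ec2:DescribeInstances"
    ],
    "Resource": "*"
  }]
}
""")


def as_list(value):
    """IAM accepts a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def classify_actions(policy):
    """Group the allowed actions of an identity policy for review.

    Returns sorted lists under four keys:
      read              - Describe*/List*/Get* style actions
      mutating          - everything else, including service-wide wildcards
      service_wildcard  - actions of the form "service:*" (or a bare "*")
      unscoped_mutating - mutating actions allowed on Resource "*"
    Deny statements and statements that use NotAction are skipped.
    """
    groups = {k: set() for k in
              ("read", "mutating", "service_wildcard", "unscoped_mutating")}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt["Action"]):
            _service, _, name = action.partition(":")
            if action == "*" or name == "*":
                groups["service_wildcard"].add(action)
                kind = "mutating"
            elif name.lower().startswith(READ_VERBS):
                kind = "read"
            else:
                kind = "mutating"
            groups[kind].add(action)
            if kind == "mutating" and any_resource:
                groups["unscoped_mutating"].add(action)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for group, actions in classify_actions(SAMPLE_POLICY).items():
        print(f"{group} ({len(actions)}):")
        for action in actions:
            print("   " + action)
```

To review a full policy, load its JSON from a file and pass the parsed document to classify_actions.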

Permissions for billing reports

This section lists the permissions that enable billing reports of your organization's AWS resources on the Aquila Clouds platform.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}

Configuring IAM role related permissions in AWS

To properly monitor and manage AWS on the Aquila Clouds platform, on the AWS platform, create an IAM role for Aquila Clouds and assign all the permissions to that role. We recommend you use Aquila Clouds' Role Creator application to create and configure the IAM role for Aquila Clouds.
If you cannot use the Role Creator application, see the following steps to create and configure an IAM role in AWS platform.
Before you begin: Identify the permissions required for your organization's setup.
If you want to use the Aquila Clouds platform only for monitoring AWS VMs, assign only the following two permissions to the IAM role.

  • AmazonEC2ReadOnlyAccess
  • CloudWatchReadOnlyAccess

  • Configuring IAM role related permissions in AWS
  1. Log in to the AWS management console.
  2. Open the IAM console and from the navigation pane, choose Roles > Create Role page.
  3. Choose the Another AWS account role type.
  4. For Account ID, type 807331824280. This is the AWS account ID for Aquila Clouds.
  5. Select the Require external ID check box, to enhance security.
  6. In the External ID box, type A2I_COMPANY_EXTERNAL_ID.
  7. Choose Next: Permissions.
  8. Select the check box for the required permission.

Note: Aquila Clouds recommends assigning all permissions to the IAM role to effectively use the Aquila Clouds platform.

  9. Choose Next: Review.
  10. For Role name, type a name for your role. Role names must be unique within your AWS account.
  11. Click Create Role.
  12. Navigate to the Roles page and open the new role.
  13. Select the Trust relationships tab and click Edit trust relationship.
  14. In the Policy Document, next to the Account ID, replace root with user/aquila_product_user.
  15. Save the Policy Document and in the Role Summary, copy the ARN for the role and add it in the Add Environment page of Aquila Clouds.


Figure 1: TRUST RELATIONSHIPS SCREEN
The IAM role is created and configured in the AWS platform for Aquila Clouds.
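
An added example, not part of the Aquila Clouds documentation: a Python check that a role's trust policy ends up as the procedure above intends, trusting only user/aquila_product_user in account 807331824280 and requiring the external ID. The sample policies are constructed in the usual shape of a cross-account trust policy, and A2I_COMPANY_EXTERNAL_ID is the page's placeholder value.

```python
# Values taken from the procedure above; the external ID is the page's placeholder.
AQUILA_ACCOUNT_ID = "807331824280"
AQUILA_USER = "aquila_product_user"
EXTERNAL_ID = "A2I_COMPANY_EXTERNAL_ID"


def as_list(value):
    """IAM accepts a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def make_trust_policy(principal_arn, external_id=None):
    """Build a constructed sample trust policy for the checks below."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def audit_trust_policy(policy, account_id=AQUILA_ACCOUNT_ID, user=AQUILA_USER,
                       external_id=EXTERNAL_ID):
    """Return a list of findings; an empty list means the policy matches."""
    expected = f"arn:aws:iam::{account_id}:user/{user}"
    findings = []
    allow_assume = [
        s for s in as_list(policy.get("Statement", []))
        if s.get("Effect") == "Allow"
        and any(a.lower() in ("sts:assumerole", "sts:*", "*")
                for a in as_list(s.get("Action", [])))
    ]
    if not allow_assume:
        findings.append("no statement allows sts:AssumeRole")
    for i, stmt in enumerate(allow_assume):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):      # for example "Principal": "*"
            principal = {"AWS": principal}
        for kind, values in principal.items():
            for value in as_list(values):
                # Anything other than the one expected IAM user is reported,
                # including the account root and a bare account ID.
                if kind != "AWS" or value != expected:
                    findings.append(
                        f"statement {i}: unexpected principal {kind}={value}")
        # Condition key names are not case-sensitive, so compare them lower-cased.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        cond = {key.lower(): value for key, value in cond.items()}
        if as_list(cond.get("sts:externalid", [])) != [external_id]:
            findings.append(
                f"statement {i}: sts:ExternalId condition missing or different")
    return findings


# Constructed samples: narrowed to the user, still trusting root, and no external ID.
USER_ARN = f"arn:aws:iam::{AQUILA_ACCOUNT_ID}:user/{AQUILA_USER}"
NARROWED = make_trust_policy(USER_ARN, EXTERNAL_ID)
ROOT_PRINCIPAL = make_trust_policy(f"arn:aws:iam::{AQUILA_ACCOUNT_ID}:root", EXTERNAL_ID)
NO_EXTERNAL_ID = make_trust_policy(USER_ARN)

if __name__ == "__main__":
    for name, doc in (("narrowed", NARROWED), ("root principal", ROOT_PRINCIPAL),
                      ("no external ID", NO_EXTERNAL_ID)):
        print(name, "->", audit_trust_policy(doc) or "ok")
```

Pass the parsed trust policy document of the real role, together with your organization's actual external ID, to audit_trust_policy.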

Configuring access to billing details in AWS

You can create an S3 bucket, create billing reports for the required resources, and configure AWS to store the billing reports in the new S3 bucket.
Note: If you do not create an S3 bucket, Aquila Clouds will still be able to display the billing reports in the Aquila Clouds platform. These reports will be based on the standard billing rates available from AWS and will not include any user/organization specific discounts (if any).

  • Configuring access to billing details in AWS
  1. Log in to the Amazon S3 console. Create an S3 bucket to store the daily billing reports of your AWS resources that are generated by AWS.
  2. In the AWS Billing and Cost Management console, create a billing report and schedule daily generation of the AWS cost and usage report.
     a. On the navigation pane, choose Cost & Usage Reports.
     b. Choose Reports > Create Report.
     c. For Report name, type the name for your report.
     d. For Additional report details, select Include resource IDs to associate resources with business services and click Next.
     e. In the Configure S3 bucket, select the S3 bucket created in Step 1.
     f. For the Report path prefix, define the required prefix to be prepended to the name of the report.

     Note: If you don't specify a prefix, the default prefix is the name that you specified for the report in Step c and the date range for the report, in the following format:
     /report-name/date-range/

     g. For Time granularity, select Daily to aggregate report data every day.
     h. Enable the Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills checkbox.
     i. Click Next.
     j. Review the settings and click Review and Complete.

The S3 bucket is created and AWS is configured to store billing details in the new S3 bucket.

Creating IAM role related policy to grant access to the S3 bucket

You can grant the IAM role created for the Aquila Clouds platform access to the S3 bucket.

  • Creating IAM role related policy to grant access to the S3 bucket
  1. In the AWS Management Console, in the navigation pane, choose Policies.
  2. On the Welcome to Managed Policies page, click Create Policy.
  3. Choose Create Policies with the Visual Editor.
  4. On the Visual editor tab, choose Choose a service.
  5. Select S3 service.
  6. Choose Select Actions and in the Access level group, select the List and Read check boxes.
  7. In the Resources group, select Specific.
  8. In the bucket section, click Add ARN.
  9. In the Add ARN dialog box, type the required bucket name in the Bucket name box and click Add. For instance, set the bucket name to aquila-billing-bucket.


Figure 2: ADD ARN FOR BUCKET SCREEN

  10. In the object section, click Add ARN.
  11. In the Add ARN dialog box, type the same bucket name as used for Add ARN (in Step 9), in the Object name box type * (wildcard), and select the Any check box for the Object name. Verify the bucket name and object name in the Specify ARN for Object box. For instance, for the bucket name set to aquila-billing-bucket, the text in the Specify ARN for Object box is set to arn:aws:s3:::aquila-billing-bucket/*.

This grants the permissions on any object in the aquila-billing-bucket bucket.

Figure 3: ADD ARN FOR OBJECT SCREEN

  12. Click Add.
  13. Click Review policy and type Name and Description for the new policy.
  14. Review the policy summary and click Create Policy.

AWS creates the new policy for Aquila Clouds.

  15. In the navigation pane, choose Policies.
  16. From the policies list, select the new policy and in the Policy actions, choose Attach.
  17. Select the IAM role for Aquila Clouds to attach to the policy and choose Attach Policy.

AWS attaches the new policy to the IAM role for Aquila Clouds.

  18. Navigate to S3 > Buckets and open the bucket for Aquila Clouds.
  19. In the JSON permissions code, set the <bucketname> to the name of the S3 bucket created for Aquila Clouds.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "386209384616"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::<bucketname>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "386209384616"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucketname>/*"
    }
  ]
}
Note: Ensure that you do not change the AWS Principal number 386209384616.
This enables AWS to send billing reports to the S3 bucket.

Adding AWS environment to Aquila Clouds

In the Aquila Clouds platform, add the AWS environment details to enable monitoring and management of your AWS resources from the Aquila Clouds platform.
Before you begin: Get the following details from your AWS environment:

  • ARNs
  • Payee Account ID
  • Billing bucket name and region
  • Billing report prefix and name
  • Adding AWS environment to Aquila Clouds
  1. On the top bar, select [icon] > Administration.
  2. On the Administration page, select the Manage Environments tab.
  3. In the Environments area, click [icon] Add New Environment.
  4. On the Add Environment page, toggle on Active.
  5. In the Environment Type group, select Amazon AWS.

Figure 4: ADD ENVIRONMENT AMAZON AWS SCREEN

  6. In the Name of the environment, type the name of the AWS environment.
  7. Enter the following details for the connection parameters:
  • ARN List: Type the ARN or list of ARNs that are configured in AWS for permitting access of your AWS environment to the Aquila Clouds platform.

Note: You would typically have a list of ARNs for managing a set of related accounts (root and its sub accounts together) by Aquila Clouds. For a set of related accounts, add the ARNs in another Environment.

  • Payee Account Id: Type the payee account ID of the AWS environment required to be managed from the Aquila Clouds platform. If an explicit Payee Account is not designated, you can type the root account ID.
  • Billing Bucket Name: Type the name of the S3 bucket created in AWS for Aquila Clouds.
  • Billing Bucket Region: Type the region code for the region in which the S3 bucket is created. For instance, for Ohio the region code is us-east-2.
  • Billing Report Prefix: Type the billing prefix as defined in the AWS environment without using '/'.
  • Billing Report Name: Type the name of the billing report configured in AWS for the Aquila Clouds platform.
  8. Click Apply.
  9. Review the environment details and click Do you wish to confirm?.

AWS environment is configured in Aquila Clouds. You can start monitoring and managing AWS resources from Aquila Clouds platform according to the permissions defined in AWS environment.

Configuring Azure in Aquila Clouds

To configure Azure in Aquila Clouds, perform the following tasks:

  • Creating an app registration for Aquila Clouds
  • Adding secrets and generating a secret key for Aquila Clouds

  • Identify Durable ID and assigning role for Aquila Clouds
  • Adding Azure environment to Aquila Clouds


Creating an app registration for Aquila Clouds

You can create an app registration in the Azure environment for Aquila Clouds.

  • Creating an app registration for Aquila Clouds
  1. Login to the Azure console.
  2. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the Azure AD tenant that you want.
  3. Search for and select Azure Active Directory. From the navigation pane, select App registrations and select New registration.
  4. On the Register an application page, enter the following details:
  • Name: Type name for registering Aquila Clouds on Azure. For instance, type Aquila Clouds.
  • Supported account types: Select Accounts in this organizational directory only (Default Directory only – Single tenant).
  • Redirect URI (Optional): In the list select Web and type product.aquilaclouds.com in the URL.
  5. Click Register.

Azure creates an app registration for Aquila Clouds.

Adding secrets and generating a secret key for Aquila Clouds

You can add secret and generate a secret key for Aquila Clouds.

  • Adding secrets and generating a secret key for Aquila Clouds
  1. From the navigation pane, select Certificates & secrets.
  2. On the Client secrets page, click + New client secret.
  3. Type the required description and set the duration for expiry of the client secret.
  4. Click Add.

Azure saves the new secret and generates a key value.

  5. Copy the key value and save it.

This Application Access key is required for adding Azure environment in Aquila Clouds.

Identifying Durable ID and assigning role for Aquila Clouds

You can identify the Durable ID for the Aquila Clouds and assign a role to the registered application.

  • Identifying Durable ID and assigning role for Aquila Clouds
  1. From the navigation pane, select Azure Active Directory > App registrations.
  2. Select the ID for the app registered for Aquila Clouds.
  3. From the navigation pane, select Subscriptions. Select Properties.

The Offer ID displayed is the offer Durable ID. Copy this ID and save it.

  4. Navigate to All Services > Subscriptions.
  5. Click subscription for Aquila Clouds.
  6. Select Access Control (IAM).
  7. Select Add role assignment.
  8. In the Add role assignment group, set the following values.
  • Role: Select Contributor role to perform actions on your organization's Azure resources from Aquila Clouds platform. Select Reader role to only read and display data related to your organization's Azure resources in Aquila Clouds platform.
  • Assign access to: Select Azure AD applications.
  • Select: Select the application registered for Aquila Clouds.

Azure saves the new secret and generates a key value.

  9. Select Save to save the role assignment for Aquila Clouds platform.

Adding Azure environment to Aquila Clouds

In the Aquila Clouds platform, add the Azure environment details to enable monitoring and management of your Azure resources from the Aquila Clouds platform.
Before you begin: Get the following details from your Azure environment:

  • Tenant ID (navigation path: Azure Portal -> Azure Active Directory -> Properties -> The Directory ID)
  • Application Access Key
  • Application ID
  • Offer Durable ID

  • Adding Azure environment to Aquila Clouds
  1. On the top bar, select [icon] > Administration.
  2. On the Administration page, select the Manage Environments tab.
  3. In the Environments area, click [icon] Add New Environment.
  4. On the Add Environment page, toggle on Active.
  5. In the Environment Type group, select Microsoft Azure.
  6. In the Name of the environment, type the name of Azure environment.
  7. Enter the following details for the connection parameters:
  • Tenant Id: Type the Tenant ID.
  • Application Access Key: Type the application access key
  • Billing Bucket Name: Type the name of the S3 bucket created in AWS for Aquila Clouds.
  • Application Id: Type the Application ID for the Aquila Clouds application registered in Azure.
  • Offer Durable Id: Type the offer durable ID for the subscription registered in Azure.
  8. Click Apply.
  9. Review the environment details and click Do you wish to confirm?.


Index of Figures

Figure 1: TRUST RELATIONSHIPS SCREEN
Figure 2: ADD ARN FOR BUCKET SCREEN
Figure 3: ADD ARN FOR OBJECT SCREEN
Figure 4: ADD ENVIRONMENT AMAZON AWS SCREEN
Figure 5: ADD ENVIRONMENT MICROSOFT AZURE SCREEN
