AWS Cloud Operations Blog

Use AWS Systems Manager for Multicloud operations management

A multicloud strategy creates management and governance challenges for our customers. These challenges include maintaining consistent cloud security and compliance policies across cloud providers, providing a single pane of glass for visualizing and acting on operational data, and providing deployment automation and control of cloud infrastructure across multiple cloud environments.

AWS Cloud Operations services lets customers enable, provision, and operate their environment for both business agility and governance control. In a multicloud environment, AWS Cloud Operations services can be used to provide customers with a unified operational view and an optimized IT infrastructure to alleviate their management, orchestration, and portability challenges across clouds.

AWS Systems Manager is a secure end-to-end management solution that can be used to manage VMs and servers running on AWS, on premises, or on other clouds. In this post, we’ll demonstrate how Systems Manager’s node management capabilities can be used to remotely manage your compute in a multicloud environment. Systems Manager provides centralized node management, including collecting inventory, initiating secure sessions, automating patches, and deploying packages for your compute running on AWS, on premises, and on other clouds, including Azure.

Installation

Azure setup

Deploy an Azure virtual machine (VM). Follow these steps to use the Azure portal to deploy a Linux virtual machine (VM) running Ubuntu 18.04 LTS. After deployment, this is our Azure VM on the Azure portal:

Figure 1. Azure portal describing details of the Azure VM

AWS setup

Follow these steps to configure Systems Manager to provide centralized operations and management for hybrid and multicloud environments. After you finish configuring your Azure VM for Systems Manager, the IDs of your hybrid managed node (i.e., the Azure VM) will be distinguished from Amazon Elastic Compute Cloud (Amazon EC2) instances with the prefix “mi-”. Amazon EC2 instance IDs use the prefix “i-”.

Solution Architecture

The following image shows the solution architecture diagram for our setup. As shown, Systems Manager provides centralized node management, including collecting inventory, initiating secure sessions, automating patches, and deploying packages for your compute running in both an AWS and Azure VM.

Figure 2. Solution Architecture diagram depicting centralized operations management via Systems Manager for AWS and Azure instances

Fleet Manager

Fleet Manager, a capability of Systems Manager, lets you drill down to individual nodes (services, devices, or other resources) to perform common system management tasks, such as disk and file exploration, log management, and user management from a console.

Navigate to the Systems Manager console, and select Fleet Manager on the left panel. On the Managed nodes panel in the main console, select the Azure node with the prefix “mi-”. When you drill down on the managed node, you can view information about the folder and file data stored on the volumes attached to your Azure VM. You can also view real-time performance data for the node and manage operating system (OS) user accounts on your VM.

Figure 3. Systems Manager Fleet Manager provides node level details of the Azure VM

Figure 4. Systems Manager Fleet Manager provides files and folder level details of the Azure VM

Figure 5. Systems Manager Fleet Manager provides user and group details of the Azure VM

Patch management

Patch Manager, a capability of Systems Manager, automates the process of patching managed nodes with both security related and other types of updates.

Navigate to the Systems Manager console, and select Patch Manager on the left panel. Select Compliance reporting on the main console. We see that our Azure VM shows non-compliance and requires two security updates. Let’s run an on-demand patching operation for our Azure VM from the Systems Manager console. Patch now uses AWS recommended best practices for concurrency and error threshold options.

Figure 6. Systems Manager Patch Manager provides patch non-compliance details of the Azure VM

Navigate back to the Systems Manager console, and select Patch Manager on the left panel. Select Patch now on the main console. Select Scan and Install as the Patching operation, and select Patch only the target instances I specify as the Instances to patch. On Target selection, select Choose instances manually, and select the Azure VM that is prefixed with “mi-”.

Figure 7. Systems Manager Patch Manager enables patch automation on the Azure VM

Figure 8. Systems Manager Patch Manager enables patch automation on the Azure VM via built in Systems Manager State Management capability
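The same compliance check and Patch now operation can be scripted against the Systems Manager API. The following is an added example, not code from the post or from AWS: it keeps only hybrid (“mi-”) nodes, reads their last patch state with `describe_instance_patch_states`, and starts an Install run of the managed `AWS-RunPatchBaseline` document with `send_command`. In real use `ssm` is a boto3 SSM client; `FakeSsmClient` and its sample node IDs are constructed stand-ins so the script runs offline, and the `MaxConcurrency`/`MaxErrors` values are assumptions rather than the console defaults.

```python
"""Added example (not from the post): patch non-compliant hybrid nodes via SSM."""

PATCH_DOCUMENT = "AWS-RunPatchBaseline"  # managed document behind Patch now


def is_hybrid_node(node_id: str) -> bool:
    """Hybrid-activated nodes (Azure, on premises) use 'mi-'; EC2 uses 'i-'."""
    return node_id.startswith("mi-")


def noncompliant_nodes(ssm, node_ids):
    """Return node IDs whose last patch state reports missing or failed patches."""
    resp = ssm.describe_instance_patch_states(InstanceIds=list(node_ids))
    return sorted(
        s["InstanceId"] for s in resp["InstancePatchStates"]
        if s.get("MissingCount", 0) > 0 or s.get("FailedCount", 0) > 0
    )


def patch_now(ssm, node_ids, operation="Install"):
    """Run AWS-RunPatchBaseline (Scan or Install) on the nodes; return the command ID."""
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be Scan or Install")
    resp = ssm.send_command(
        DocumentName=PATCH_DOCUMENT,
        Targets=[{"Key": "InstanceIds", "Values": list(node_ids)}],
        Parameters={"Operation": [operation], "RebootOption": ["RebootIfNeeded"]},
        MaxConcurrency="10%",  # assumed throttling values, not the console defaults
        MaxErrors="10%",
    )
    return resp["Command"]["CommandId"]


def patch_noncompliant_hybrid(ssm, node_ids):
    """Keep hybrid nodes, find the non-compliant ones, and patch only those."""
    targets = noncompliant_nodes(ssm, [n for n in node_ids if is_hybrid_node(n)])
    return targets, (patch_now(ssm, targets) if targets else None)


class FakeSsmClient:
    """Constructed offline stand-in for boto3.client('ssm'); sample data, not real nodes."""
    def describe_instance_patch_states(self, InstanceIds):
        states = {"mi-0123456789abcdef0": {"MissingCount": 2, "FailedCount": 0},
                  "i-0fedcba9876543210": {"MissingCount": 0, "FailedCount": 0}}
        return {"InstancePatchStates": [dict(InstanceId=i, **states[i]) for i in InstanceIds]}

    def send_command(self, **kwargs):
        self.last_call = kwargs  # recorded so the caller can inspect what was sent
        return {"Command": {"CommandId": "fake-command-id"}}


if __name__ == "__main__":
    # Replace FakeSsmClient() with boto3.client("ssm") to run against your account.
    print(patch_noncompliant_hybrid(FakeSsmClient(), ["mi-0123456789abcdef0", "i-0fedcba9876543210"]))
```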

Session management

Session Manager, a capability of Systems Manager, provides secure and auditable node management without needing to open inbound ports, maintain bastion hosts, or manage SSH keys. Administrators can grant and revoke access to your Azure VM from a single location, as well as provide one solution to users for Linux, macOS, and Windows Server managed nodes in a multicloud environment. Users can connect to the managed node (e.g., Azure VM) across clouds with just one click from the browser or AWS Command Line Interface (AWS CLI) without having to provide SSH keys.

Navigate to the Systems Manager console, and select Session Manager on the left panel. Select Start session on the main console. On the next screen, filter Target instances with the Instance ID value for your Azure VM, and select Start session as shown in the following:

Figure 9. Systems Manager Session Manager enables initiating a secure session with the Azure VM directly from the AWS console and without needing to open inbound ports or maintain bastion hosts

Figure 10. Systems Manager Session Manager enables secure session login to the Azure VM without needing to open inbound ports or maintain bastion hosts

Inventory

Inventory, a capability of Systems Manager, collects metadata from your managed nodes running on AWS, on premises, or on other clouds. The metadata includes applications (application names, publishers, versions), files (name, size, version, installed date, modification and last accessed times), network configurations (IP address, MAC address, DNS, gateway, subnet mask), etc. Access the full list of metadata types collected by Systems Manager Inventory here.

To get started with Inventory for your Azure VM, navigate to the Systems Manager console, and in the navigation pane, select Inventory. The data in the Systems Manager console on the Inventory page includes several predefined cards to help you query the data.

Figure 11. Systems Manager Inventory displays predefined cards to help you query inventory metadata on your Azure VM

To drill down on the collected inventory, scroll down to the Corresponding managed instances, select your Azure VM managed instance, and then select Inventory. Now you can search the application related inventory for your Ubuntu Azure VM as shown in the following, as well as other inventory related metadata on your Azure VM that was collected by Systems Manager.

Figure 12. Systems Manager Inventory provides a drill-down that displays inventory metadata details for your Azure VM

Cleanup

To avoid recurring charges, and to clean up your account after trying the solution outlined in this post, perform the following:

  1. Follow these steps to uninstall the Systems Manager agent on your Azure VM.
  2. Delete the Azure VM and associated resource as described here.

Conclusion

AWS Cloud Operations services can provide a unified operational view and an optimized IT infrastructure to alleviate your management, orchestration, and portability challenges across clouds. Systems Manager, an AWS Cloud Operations service, provides node management capabilities that can be used to remotely manage your compute in a multicloud environment. In this post, we demonstrated how you can use Systems Manager to collect inventory, initiate secure sessions, automate patches, and deploy packages for your compute running in both AWS and Azure.

About the Authors:

Kanishk Mahajan

Kanishk Mahajan is a Principal, Solutions Architect at AWS. He leads cloud transformation and solution architecture for ISV partners and mutual customers. Kanishk specializes in management and governance, migrations and modernizations, and security and compliance. He is a Technical Field Community (TFC) member in each of those domains at AWS.

Snehal Nahar

Snehal Nahar is a Sr. Technical Account Manager (Security Specialist) with AWS in Charlotte, North Carolina. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and watching TV.