AWS Cloud Operations Blog
Use AWS Systems Manager for Multicloud operations management
A multicloud strategy creates management and governance challenges for our customers. These challenges include maintaining consistent cloud security and compliance policies across cloud providers, providing a single pane of glass for visualizing and acting on operational data, and providing deployment automation and control of cloud infrastructure across multiple cloud environments.
AWS Cloud Operations services lets customers enable, provision, and operate their environment for both business agility and governance control. In a multicloud environment, AWS Cloud Operations services can be used to provide customers with a unified operational view and an optimized IT infrastructure to alleviate their management, orchestration, and portability challenges across clouds.
AWS Systems Manager is a secure end-to-end management solution that can be used to manage VMs ands servers running on AWS, on premises or on other clouds. In this post, we’ll demonstrate how Systems Manager’s node management capabilities can be used to remotely manage your compute in a multicloud environment. Systems Manager provides centralized node management, including collecting inventory, initiating secure sessions, automating patches, and deploying packages for your compute running in both AWS, on premise and other clouds including Azure.
Installation
Azure setup
Deploy an Azure virtual machine (VM). Follow these steps to use the Azure portal to deploy a Linux virtual machine (VM) running Ubuntu 18.04 LTS. After deployment, this is our Azure VM on the Azure portal:
AWS setup
Follow these steps to configure Systems Manager to provide centralized operations and management for hybrid and multicloud environments. After you finish configuring your Azure VM for Systems Manager, the IDs of your hybrid managed node (i.e., the Azure VM) will be distinguished from Amazon Elastic Compute Cloud (Amazon EC2) instances with the prefix “mi-“. Amazon EC2 instance IDs use the prefix “i-“.
Solution Architecture
The following image shows the solution architecture diagram for our setup. As shown, Systems Manager provides centralized node management, including collecting inventory, initiating secure sessions, automating patches, and deploying packages for your compute running in both an AWS and Azure VM.
Fleet Manager
Fleet Manager, a capability of Systems Manager, lets you drill down to individual nodes (services, devices, or other resources) to perform common system management tasks, such as disk and file exploration, log management, and user management from a console.
Navigate to the Systems Manager console, and select Fleet Manager on the left panel. On the Managed nodes panel in the main console, select the Azure node with the prefix “mi-“. When you drill down on the managed node, you can view information about the folder and file data stored on the volumes attached to your Azure VM. This includes information such as performance data about your instances in real-time, as well as managing operating system (OS) user accounts on your VM.
Patch management
Patch Manager, a capability of Systems Manager, automates the process of patching managed nodes with both security related and other types of updates.
Navigate to the Systems Manager console, and select Patch Manager on the left panel. Select Compliance reporting on the main console. We see that that our Azure VM shows non-compliance and requires two security updates. Let’s run an on-demand patching operation for our Azure VM from the Systems Manager console. Patch now uses AWS recommended best practices for concurrency and error threshold options.
Navigate back to the Systems Manager console, and select Patch Manager on the left panel. Select Patch now on the main console. Select Scan and Install as the Patching operation, and select Patch only the target instances I specify as the Instances to patch. On Target selection, select Choose instances manually, and select the Azure VM that is prefixed with “mi-“.
Session management
Session Manager, a capability of Systems Manager, provides secure and auditable node management without needing to open inbound ports, maintain bastion hosts, or manage SSH keys. Administrators can grant and revoke access to your Azure VM from a single location, as well as provide one solution to users for Linux, macOS, and Windows Server managed nodes in a multicloud environment. Users can connect to the managed node (e.g., Azure VM) across clouds with just one click from the browser or AWS Command Line Interface (AWS CLI) without having to provide SSH keys.
Navigate to the Systems Manager console, and select Session Manager on the left panel. Select Start session on the main console. On the next screen, filter Target instances with the Instance ID value for your Azure VM, and select Start session as shown in the following:
Inventory
Inventory, a capability of Systems Manager, collects metadata from your managed nodes running on AWS – either on-premises or on other clouds. The metadata includes applications (application names, publishers, versions), files (name, size, version, installed date, modification, last accessed times), network configurations (IP address, MAC address, DNS, gateway, subnet mask), etc. Access the full list of metadata types collected by Systems Manager Inventory here.
To get started with Inventory for your Azure VM, navigate to the Systems Manager console, and in the navigation pane, select Inventory. The data in the Systems Manager console on the Inventory page includes several predefined cards to help you query the data.
To drill down on the collected inventory, scroll down to the Corresponding managed instances, select your Azure VM managed instance, and then select Inventory. Now you can search the application related inventory for your Ubuntu Azure VM as shown in the following, as well as other inventory related metadata on your Azure VM that was collected by Systems Manager.
Cleanup
To avoid recurring charges, and to clean up your account after trying the solution outlined in this post, perform the following:
- Follow these steps to uninstall the Systems Manager agent on your Azure VM.
- Delete the Azure VM and associated resource as described here.
Conclusion
Cloud Operations services can provide a unified operational view and an optimized IT infrastructure to alleviate your management, orchestration, and portability challenges across clouds. Systems Manager, an Cloud Operations service, provides node management capabilities that can be used to remotely manage your compute in a multicloud environment. In this post, we demonstrated how you can use Systems Manager to collect inventory, initiate secure sessions, automate patches, and deploy packages for your compute running in both AWS and Azure.