Wednesday, November 30, 2022

Aria Automation and Azure DevOps better together

 In an always-evolving world, companies of all sizes are constantly looking for ways to increase their agility in providing services and solutions.


One of those services is Azure DevOps, a platform that supports a collaborative culture surrounded by a toolset of pipelines, version control, reporting, release management, automated builds, and testing, bringing together developers, project managers, and contributors to improve products at a faster pace.

That's all great, but everything has a start! Before anyone can begin to contribute and create new things, you need to first set up such an environment of work.

Of course, you don't want to rely on ticketing systems and manual tasks that take days to provide such environments while your developers sit idle and angry, waiting to start creating those new unique solutions.

That's where VMware Aria Automation comes to the rescue: an outstanding multi-cloud platform that can deliver self-service, repeatable, and standardized solutions at your fingertips, such as Azure DevOps projects.

Leveraging the Terraform provider for Azure DevOps, it did not take me more than 40 minutes to create the initial implementation. Let me show you how.

Aria Automation is built so that you don't have to put your credentials in the Terraform configuration file. Instead, it uses its project constructs to look up your cloud account credentials, based only on the provider section of the cloud template. Unfortunately, Aria Automation only supports aws, azurerm, google, and vsphere at this moment.

So, how do we make use of the azuredevops provider?

Luckily, this provider allows us to add the Org URL and the personal token directly in the Terraform configuration file. Then we just need to remove the provider section entirely from the cloud template and let the Terraform configuration file do its job.

Now, my developers and project managers can order new Projects, select the features they desire, like Boards, Artifacts, Pipelines, TestPlans, and Repositories to start working in a matter of minutes.
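A cloud template for this setup, as an added example rather than the author's own code: it has no provider section, and instead of writing the personal token into the Terraform file it hands the token over as a variable bound to a project secret. The input names, the secret name azdo_pat, the secret binding and the Terraform variable names (assumed to feed org_service_url and personal_access_token in the azuredevops provider block) are assumptions; values in angle brackets are placeholders.

```yaml
# Added example, not the author's template. Names, the secret and all
# <placeholders> are assumptions made for illustration.
formatVersion: 1
inputs:
  project_name:
    type: string
    title: Azure DevOps project name
  boards:
    type: string
    enum: [enabled, disabled]
    default: enabled
  repositories:
    type: string
    enum: [enabled, disabled]
    default: enabled
  pipelines:
    type: string
    enum: [enabled, disabled]
    default: enabled
  testplans:
    type: string
    enum: [enabled, disabled]
    default: disabled
  artifacts:
    type: string
    enum: [enabled, disabled]
    default: disabled
resources:
  terraform:
    type: Cloud.Terraform.Configuration
    properties:
      # No "providers" entry: azuredevops cannot be mapped to a cloud account,
      # so the Terraform configuration authenticates itself.
      variables:
        project_name: '${input.project_name}'
        boards: '${input.boards}'
        repositories: '${input.repositories}'
        pipelines: '${input.pipelines}'
        testplans: '${input.testplans}'
        artifacts: '${input.artifacts}'
        org_service_url: 'https://dev.azure.com/<your-organization>'
        # Resolved from a project secret at deploy time, so the token never
        # lands in the Git repository that holds the .tf files.
        personal_access_token: '${secret.azdo_pat}'
      terraformVersion: '<terraform-version>'
      configurationSource:
        repositoryId: '<repository-id>'
        commitId: '<commit-id>'
        sourceDirectory: '<source-directory>'
```

On the Terraform side, declaring the token variable with sensitive = true keeps it out of plan output.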


 

New Project has been created as requested.

 

This code sample can be found at my GitHub repository.



 

Thursday, October 13, 2022

SaltStack firewall rules

Recently I've been working with a customer to showcase the security capabilities of Aria Automation for Secure Hosts (formerly SaltStack SecOps), which I would split into two distinct modules:


Vulnerability:  

Allows the Security and IT teams to scan for and detect security advisories that reference Common Vulnerabilities and Exposures (CVE). Based on those findings, you can easily remediate the affected systems with the click of a button.





Compliance:

Leveraging best practices and hardening guides, such as CIS and NIST, it allows you to define policies based on those benchmarks or even create your own custom policy. After defining a policy, you can assess your environment to find non-compliant systems and remediate them instantly, enhancing the security posture of your environment.




















I'm almost getting to the point of this post:

Where does Aria Automation for Secure Hosts get all this information from?


To make sure the solution has the most up-to-date security information, the RaaS service checks daily for the latest benchmarks and security advisories, along with the software packages or versions that fix them.


Luckily, VMware consolidates the CVEs from multiple vendors into a central location, so you don't need to open access to several locations. You only need to allow access to:


https://enterprise.saltstack.com/secops_downloads - for Compliance content.

https://enterprise.saltstack.com/vman_downloads - for Vulnerability Management content


You can double-check that in the RaaS configuration file: /etc/raas/raas


One caveat: the RaaS service itself does not know about system-wide proxy settings, so if you have to use proxies, don't forget to configure the RaaS service to do so. It's pretty well documented in the section Ingesting content via http(s) proxy.


That's all, keep your environment safe, folks!!!

 

Monday, September 26, 2022

Demystifying Aria

A few weeks ago, during his general session at VMware Explore, Raghu unveiled VMware Aria at the center of the main stage, exploring how it can bring peace to the Cloud Chaos caused by the great but still disorganized cloud adoption of the past few years, which has left companies of every size living with a disparate set of tools, siloed teams, misconfigurations, lack of compliance, and even unnecessarily high spending. You can still catch the replay here.



First and foremost, what does Aria mean?
It has a musical meaning; the word is used to describe a piece for voice. That piece could have an instrumental accompaniment or be solo, and is usually part of a longer work, like an opera. Sing with One Voice.

It makes perfect sense because VMware Aria is all about bringing everything together, from cost, and performance to configuration into a single central management console, something that has never been seen before.

Another common mistake is to think it's a simple rebrand of vRealize Suite. Not the case!!
Although VMware Aria will benefit from several solutions that you already own and love, meaning you can leverage everything you have built so far, including the knowledge you acquired along the road, it also brings new groundbreaking technology to the table, such as Aria Hub and Aria Graph.

Let me give you an overview of the entire VMware Aria portfolio:

Aria Hub: That's the centralized multi-cloud management portal where you can see and manage your entire fleet of apps, from Cloud Native to on-prem workloads. Along with your App details, you will see dependencies/relationships, cost, performance metrics, security information, and more without the need to jump from screen to screen;



Aria Graph: the database powering Aria Hub. Designed for the challenges of the cloud world, it can ingest billions of data points from different sources, then correlate and federate them to make consumption much easier;

Aria Guardrails: a high-level policy definition to enforce your desired state on your environment, network, cloud accounts, organizations, and more. It can also remediate your settings as drift occurs;

Aria Business Insights: dozens of events and alerts come in these days from different sources. Which one is critical? Which one is relevant? Which one is simple noise? That's the goal of this AI: leveraging ML to present you the relevant insights so you can take action to remediate your app, whether it is a performance anomaly, a sudden cost increase, or even a security vulnerability;

Aria Migration: designed to help migrate your workloads to the cloud taking into consideration cost, performance impact, and dependencies,  allowing you to schedule when the migration will occur. All of this with a rich set of pipelines for you to customize adding extra steps and approvals along the way;

Aria Cost (formerly CloudHealth): a complete FinOps platform that simplifies financial management, streamlines operations and improves cross-organization collaboration across multi-cloud environments;

Aria Automation (formerly vRealize Automation): Modern automation platform allowing self-service cloud consumption with governance and Dev-Ops based infrastructure management;

Aria Automation Assembler (formerly Cloud Assembly): part of Aria Automation in charge of the creation and design of end-to-end services and offers to be consumed by end-users;

Aria Automation Consumption (formerly Service Broker): part of Aria Automation responsible for Catalog presentation, approval policies and governance;

Aria Automation Pipelines (formerly Code Stream): part of Aria Automation providing pipelines services for CI/CD activities;

Aria Automation Config (formerly SaltStack Config): VMware's configuration management solution to configure systems, install products on demand, enforce policies and guidelines, and remediate vulnerability and compliance check findings;

Aria Automation Orchestrator (formerly Orchestrator): a long-time VMware veteran in charge of extensibility beyond what's provided out of the box, with hundreds of plugins available so you can extend your solution much further;

Aria Operations (formerly vRealize Operations): enables self-driving IT Operations delivering continuous performance, capacity and cost optimization;

Aria Operations for Applications (formerly Tanzu Observability and before that Wavefront): provides unified observability for your applications covering metrics, logs, traces, and events from a single source of truth for greater business agility, with unmatched scalability in the millions of points per second;

Aria Operations for Logs (formerly vRealize Log Insight): Centralized log management with deep operational visibility and intelligent analytics for troubleshooting and auditing;

Aria Operations for Networks (formerly vRealize Network Insight): Manage your network at scale with intelligent application discovery, analytics and troubleshooting to help you identify trends, patterns and even disallowed traffic;

Aria Operations for Integrations (formerly vRealize True Visibility Suite): Extend Aria Operations with data depth and context for additional solutions, like physical datastores, applications, networks and more;

Aria Operations for Secure Clouds (formerly CloudHealth Secure State): Find risks and misconfigurations by visualizing and correlating resources for faster response and remediation to protect your cloud environments.


If you got this far, thanks a lot. 

I'm sure now you understand how all those details can be brought together for a comprehensive understanding of your applications, making your life much easier !!


Tuesday, September 6, 2022

Beacons as States

Beacons in VMware Aria Automation Config (AKA vRealize Automation SaltStack Config) are a key enabler for creating a self-healing, healthy, and stable environment. They allow you to continually monitor events on the minions, like logins, disk and process usage, services, and much more. Once a defined activity occurs, the beacon notifies the system, and then you can trigger a Reactor, which is the piece that does the remediation/configuration. But the Reactor is a topic for another post; today let's focus on the beacon itself.

There are a few methods to enable beacons: through config files, Pillars, or state modules.

Here comes the first challenge: if you look at the tutorials and blogs out there, you will only find examples of config file manipulation, either local to the minions or through the file state module.

Second challenge: complexity and scalability.
IMHO, using the file state module is a little complex and requires some extra attention as the solution scales.
Let's take an example of 3 behaviors you wanna monitor: A, B, and C (for this example it does not matter what those beacons are).

To cover every possible combination, you will need to create 7 different config files to distribute to your minions, depending on the combination of activities you want them to monitor.

file 1: only a
file 2: only b
file 3: only c
file 4: a+b
file 5: a+c
file 6: b+c
file 7: a+b+c

To summarize, to monitor only 3 behaviors you will need 7 config files. You can imagine how complex it would be if you had dozens of individual behaviors to monitor. Plus, when you manipulate the config file, you need to restart the salt-minion service for the new beacon to take effect (would that be another challenge?).

Now comes my preferred method: the use of state modules.
You can write individual beacons for the behaviors you want to monitor and apply them whenever you want, without having to worry about previous beacons or which combined config file you need. Each one just adds to the beacons that are already applied, and because it's applied through states, it's automatically enabled, with no need to restart the service.
Taking the A, B, and C example, you will end up with only 3 state files.
 
But here comes another challenge: there are not many beacon examples of state files out there.

Even though they look pretty much the same as other states, I usually have a hard time getting them right, so I decided to share the syntax.




1 - the ID; it can be anything you want, or the name of the module;
2 - this one is self-explanatory, right?! It's a beacon;
3 - the name of the module you want to monitor;
4 - saves the beacon to the local minion's config file so it persists across reboots; otherwise the beacon is only available during the current session;
5 - enable means enable, right... why create something if you will keep it disabled;
6 - extra parameters the module might require.
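
The syntax those six notes describe, written out as an added example and not the author's original state file: the IDs, the choice of Salt's service and load beacons, and their values are assumptions made for illustration.

```yaml
# Added example; IDs, beacon choice and thresholds are illustrative assumptions.

watch_sshd_service:            # 1 - the ID, free-form here
  beacon.present:              # 2 - the beacon state
    - name: service            # 3 - beacon module to monitor
    - save: True               # 4 - persist to the minion's config file
    - enable: True             # 5 - active as soon as the state is applied
    - services:                # 6 - parameters specific to the service beacon
        sshd:
          onchangeonly: True   #     fire only when the service status changes
    - interval: 30             #     seconds between checks

# Second, independent state: here the ID doubles as the module name (note 1),
# so no name line is needed. Applying it adds to the beacon above.
load:
  beacon.present:
    - save: True
    - enable: True
    - averages:                # fire when load leaves these [low, high] ranges
        1m: [0.0, 2.0]
        5m: [0.3, 0.8]
        15m: [0.1, 1.3]
    - interval: 60
```

Kept in separate state files, each of these can be applied to a minion on its own, which is the A, B, C case described earlier.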

If you are looking for some other examples, check my GitHub repository.

Now, it's your turn, tell me how you manage beacons in your environment.

 

Who am I

I’m an IT specialist with over 15 years of experience, ranging from IT infrastructure to management products, with troubleshooting and project management skills in medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers embrace the Cloud Era and be successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
