Sunday, June 9, 2019

Use Cloud Assembly Blueprint to deploy Ansible Control Machine

In this blog post I will be demonstrating how to create a Cloud Agnostic Blueprint in VMware Cloud Assembly to deploy an Ansible Control Machine to any cloud. The target cloud is specified as an input at deployment time.

VMware Cloud Assembly Service Overview

VMware Cloud Assembly orchestrates and expedites infrastructure and application delivery in line with DevOps principles. It uniquely provides broad and deep support for VMware-based private and hybrid clouds including VMware Cloud Foundation, VMware Cloud on AWS and vSphere as well as native AWS and Azure and GCP public cloud environments

What is Ansible Control Machine

Any Linux-based machine with Ansible installed. Windows isn't supported for the control node. There are certain requirements for the control node, which are listed here.

VMware Cloud Assembly Terminology

If you need a refresher, the following table gives a short description of the various terms used in Cloud Assembly. For more information, you can refer to the documentation here.

Cloud Accounts – Cloud Accounts allow you to bring your public cloud and on-prem data centers under management.
Cloud Zones – Cloud Zones are the aggregation of the compute resources where the workloads will be provisioned. You can link a Cloud Zone with a Project to define which users have access to provision to it.
Projects – Projects link users and Cloud Zones. A Project allows users/groups to deploy their blueprints to the linked Cloud Zones.
Flavor Mappings – Instance sizes. You can create t-shirt sizes like small, medium or large, which you can then specify in a blueprint.
Image Mappings – Images which are used for the deployment. An image could be a template, OVF, content library item, AMI, ARM, etc. Similar to Flavor Mappings, you create friendly names that are then consumed in a blueprint.
Network Profile – A collection of network resources in the Cloud Zone. It provides the ability to configure policies based on which a network resource is chosen.
Storage Profile – A collection of storage/datastores. It provides the ability to configure policies based on which a storage resource is chosen.
Blueprints – Blueprints are the specifications for the resources that you deploy. You can continuously improve a blueprint after you deploy it.
Cloud Proxy – An on-prem virtual appliance that provides connector agents for interacting with on-premises services.
Tags – Tags drive the placement of deployments through the matching of capabilities and constraints.


You need to have the following configuration in your CAS environment:
  1. Amazon Web Services (AWS) cloud account for the account regions where you will deploy Cloud Assembly blueprints. Click Here for detailed instructions
  2. vCenter cloud account for the account regions where you want to deploy Cloud Assembly blueprints. Click Here for detailed instructions
  3. VMware Cloud on AWS cloud account for the account regions where you want to deploy Cloud Assembly blueprints. Click Here for detailed instructions
  4. Capability Tags for the Cloud Zones as follows (these are examples, and you can substitute your own if you like – just be sure you specify the same ones everywhere)
    • AWS Cloud Zone – AWS
    • vCenter Cloud Zone – OnPrem-vSphere
    • VMware Cloud on AWS – VMWonAWS
  5. Flavor Mappings for all 3 Cloud Accounts (I have used acm_small with the following config; however, you can rename it to something else with your desired configuration. Make sure you modify the same in the Blueprint)
    • AWS – t2.micro
    • OnPrem-vSphere – 2 CPU and 4 GB RAM
    • VMWonAWS – 2 CPU and 4 GB RAM
  6. Image Mapping for all 3 Cloud Accounts
    • AWS – Ubuntu AMI for your region. I have it for us-east-1
    • OnPrem-vSphere – Ubuntu Cloud OVA
    • VMWonAWS – Ubuntu Cloud OVA
  7. Storage Profile for all 3 Cloud Accounts
  8. Network Profile for all 3 Cloud Accounts

Cloud Agnostic Blueprint

Blueprints are the specifications for the resources that you deploy. We will be using the Cloud Agnostic components of the blueprint so that the same blueprint can be used to deploy to any cloud. I have shared the blueprint on my GitHub repo here.
Let's walk through the blueprint to see how it is put together.
There are 3 inputs configured in the inputs section which will prompt the user at request time:

  • Username – the default user is root
  • Password – I have set a default password; the user can input their own password
  • TargetCloudType – I have 3 clouds configured (AWS, OnPrem-vSphere & VMWonAWS). We will be using capability tags, which allow CAS to pick the correct cloud at request time
Next, you will be stating the details which were configured as part of the requirements above:
  • Image Mapping – acm_ubuntu
  • Flavor – acm_small
  • Constraints – Capability Tags. Here, we are tying the input which the user selects to the actual config specified on the infrastructure
Here we will be using the Ubuntu operating system and deploying a Virtual Machine with 2 vCPU and 4 GB RAM if it's a vSphere-based machine, or t2.micro if it's deployed on AWS.

Customize the image with Cloud-Init – As you might already be aware, we are using cloud-init to install packages and do the Ansible-specific configuration via cloudConfig. You can also refer to the Ansible documentation here for detailed setup instructions. In our blueprint, we are doing the following:
  • Enabling password authentication
  • Allowing root login
  • Restarting the sshd service
  • Installing Ansible
  • Modifying Ansible-specific configuration so that the machine can be added as an Integration with CAS

Here is what the final blueprint will look like.
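The blueprint described in the walkthrough, written out as an added example; this is not the blueprint from the author's GitHub repo. It assumes the acm_ubuntu image mapping, the acm_small flavor mapping and the three capability tags from the requirements section; the Ansible PPA install step and the host_key_checking change in ansible.cfg are my assumptions for the "Installing Ansible" and "Ansible-specific configuration" bullets.

```yaml
formatVersion: 1
inputs:
  Username:
    type: string
    title: Username
    default: root
  Password:
    type: string
    title: Password
    encrypted: true          # masked in the request form and stored encrypted
                             # (no default here: the requester supplies it)
  TargetCloudType:
    type: string
    title: Target Cloud
    enum:                    # must match the capability tags on the Cloud Zones
      - AWS
      - OnPrem-vSphere
      - VMWonAWS
    default: AWS
resources:
  AnsibleControlMachine:
    type: Cloud.Machine      # cloud-agnostic machine: placement is decided by tags
    properties:
      image: acm_ubuntu      # image mapping from the requirements section
      flavor: acm_small      # flavor mapping: t2.micro on AWS, 2 vCPU / 4 GB elsewhere
      constraints:
        - tag: '${input.TargetCloudType}'   # hard constraint: only a zone carrying this tag
      cloudConfig: |
        #cloud-config
        ssh_pwauth: true                    # "Enabling password authentication"
        disable_root: false                 # "Allowing root login" (cloud-init side)
        chpasswd:
          list: |
            ${input.Username}:${input.Password}
          expire: false
        package_update: true
        packages:
          - software-properties-common
        runcmd:
          # sshd side of "Allowing root login"; the hardened alternative is
          # PermitRootLogin prohibit-password with ssh_authorized_keys
          - sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
          - systemctl restart sshd          # "Restarting the sshd service"
          - apt-add-repository --yes --update ppa:ansible/ansible   # assumed install method
          - apt-get install -y ansible      # "Installing Ansible"
          # assumed "Ansible-specific configuration" for the CAS integration
          - sed -i 's/^#host_key_checking = False/host_key_checking = False/' /etc/ansible/ansible.cfg
```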

Ansible Control Machine Deployment

You can now deploy from the Blueprint and specify the input parameters. Here I have selected AWS as the TargetCloudType with the default credentials.

Once the deployment is successful, you can ssh to the AWS EC2 instance and ensure Ansible is installed by running "ansible --version".

And yes, you can also add this Ansible Control Machine as an Integration in CAS. You can refer here for more details!



This hopefully showed how you can leverage VMware Cloud Assembly to build a Cloud Agnostic blueprint to provision real-world, useful applications across multiple clouds. You can refer here for more blueprint samples in CAS.

Original Blog

My Original Blog is posted here

VMware Cloud on AWS Infrastructure Visibility using Log intelligence

In this blog post, I will be exhibiting the key capabilities of Log Intelligence which help customers gain operational insights into their VMware Cloud on AWS environment.

VMware Cloud on AWS Service Overview

VMware Cloud on AWS brings VMware enterprise-class Software-Defined Data Center (SDDC) software to the AWS Cloud. It enables customers to run production across private, public & hybrid cloud environments based on VMware vSphere®, with optimized access to AWS services.

VMware Log Intelligence Service Overview

VMware Log Intelligence offers unified visibility across private clouds and AWS, including VMware Cloud on AWS, to provide deep operational insights and faster root cause analysis. It adds structure to unstructured log data, provides rich dashboards and delivers innovative indexing and machine learning based intelligent grouping for faster troubleshooting

Key Capabilities of Log Intelligence for VMware Cloud on AWS

Log Intelligence is deeply integrated with VMware Cloud on AWS Infrastructure which makes it the only logging solution which provides visibility to VMware Cloud on AWS SDDC(s).

The following sections give the details of the capabilities which Log Intelligence offers.

Audit and NSX-T firewall Log Data

By default, Audit logs are collected in Log Intelligence for all the SDDCs deployed in VMware Cloud on AWS. For NSX-T firewall logs, it's a matter of enabling them in the Log Intelligence UI; admins will automatically start seeing firewall logs, allowing them to audit, monitor and troubleshoot the VMC environment.
This is a unique capability of Log Intelligence.

VMware Cloud on AWS Content Pack

This content pack provides powerful insights into the NSX-T firewall rules and packet traffic rules created in VMware Cloud on AWS, along with audit details, allowing administrators to audit, monitor and troubleshoot the behavior of the configured rules in their VMware Cloud on AWS environment.
Once enabled, you get a set of queries and alert definitions which can be used right away.
Alert Definitions
You can save the queries on the Shared or Private Dashboards or enable Alert Definitions to send email/webhook notifications.

Here I have saved 2 queries on Shared Dashboard so that all users can view the same
Alerts and Notifications
Once enabled, you can view recent alerts on the Home Page and, if configured, you can get an email or webhook notification. Here I have sent a webhook to Slack.
Screenshots in the original post: Recent Alerts, Email Notification, Webhook Notification on Slack.

Forward log events from Log Intelligence to other endpoints

Log intelligence allows you to forward logs to other endpoints. You can forward all VMC logs or use filters to forward specific logs.
Currently, it supports the following endpoints:
  • On-prem vRealize Log Insight
  • On-prem Syslog Server using TCP
  • On-prem Syslog Server using UDP
  • On-prem Splunk
  • On-prem Default – authenticated HTTPS endpoint
  • Splunk Cloud endpoint
  • Authenticated Cloud endpoint over HTTPS
Note – Any on-prem endpoint needs a Cloud Proxy deployed in your environment; Log Intelligence communicates with the Cloud Proxy to forward the logs.

For details on how to configure log forwarding, please refer to the documentation here.

Export Log Events

You can export the results of a log query to share them with other systems, or forward them to your support contact


Log Intelligence provides real-time visibility into the VMware Cloud on AWS SDDC environment via Audit logs. Firewall Logs allow customers to log packets for specific firewall rules to accelerate troubleshooting and maintain security.

Original Blog

My Original Blog is posted here