Unsupported content


This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Creating and managing network blueprints

You use the Network Designer workspace to create network blueprints. A network blueprint is a topology blueprint used to carve out logical network isolations from physical devices. You can create simple network blueprints that set up a public-facing subnet to host a web application, or more complex blueprints that connect public cloud resources in a private, non-Internet facing corporate data center.

Note

Currently, the Network Blueprint workspace applies to Amazon Web Services (AWS) environments only.

This topic describes how to use the Network Designer to create network blueprints.

The following BMC Communities video (6:46) describes how to use IP address resources in network blueprints using BMC Network Automation. The blueprints can then be imported into BMC Cloud Lifecycle Management.

 https://youtu.be/CQD6Si3wZa4

Before you begin

Ensure that you have completed the following tasks:

  • If you are creating a blueprint for an AWS environment, ensure that you:
  • Plan your network blueprint. Because of the many different ways you can create a network blueprint, you might not need each of the major steps provided in this topic. Plan your blueprint, and then follow the procedures you need to create the blueprint you have planned. You can create network blueprints that include some or all of the following objects, in whatever numbers you choose:
    • Internet connections
    • Networks
    • Gateways (for the Internet or VPN)
    • Perimeter and distributed firewalls
    • Load balancers

Creating a new network blueprint

The following sections describe the tasks you must perform to create a network blueprint.

To create a network blueprint

Follow this procedure to create a new network blueprint.

  1. From the BMC Cloud Lifecycle Management Administration Console, click the vertical Workspaces menu on the left side of the window and select Network Designer.

  2. In the Network Designer workspace, click Create New.

    The Network Designer canvas is displayed. The component list on the left offers the following components for building your network blueprint:

    Isolation boundary - Represents the scope of the logical hosting environment being modeled by the network blueprint. Entries in the route table are managed automatically based on connections drawn between networks in the network blueprint.

    In AWS, the Isolation Boundary represents the Virtual Private Cloud (VPC). Note that within every AWS VPC, there is an implicit router responsible for traffic between all VPC subnets. 

    Internet - Creates an object representing the Internet, which can be configured to allow nodes inside the Isolation Boundary to access nodes outside of it using the Internet.

    By default, the Internet object has a value for the address range that represents the entire addressable space. However, a more restrictive (single) address range can be specified, perhaps representing a particular external network (when not using a VPN tunnel).

    Network - Represents a contiguous address range to which workloads can be attached. At least one network must be included in the Isolation Boundary. A network can be public or private, and can be configured for Network Address Translation (NAT).

    In AWS, a network represents a VPC subnet, designated as Public or Private.

    Note

    Routing for networks is driven by an implicit router (which is not represented in a network blueprint). Routing rules are managed by the Layer 3 connectivity lines you draw between networks, which are then applied to the routing table(s) for the networks.

    Edge gateway - Provides egress from and ingress into the Isolation Boundary, either to the Internet or to a corporate network using a VPN tunnel (based on settings). Place this object within the Isolation Boundary.

    For an AWS environment, this object represents an Internet Gateway or a VPN Gateway object within the VPC, depending on the type specified.

    Enterprise gateway - Represents the enterprise end of a VPN tunnel. Place the gateway outside the Isolation Boundary and connect it to an Edge Gateway within the Isolation Boundary to model a VPN tunnel.

    You configure the settings of the VPN by selecting the connection line on the canvas. Attach a subnet to the gateway to represent address ranges in the enterprise network that will have access to subnets within the Isolation Boundary.  

    For an AWS environment, this object represents a Customer Gateway.

    Perimeter firewall - Represents a logical, stateless, edge firewall service with visibility into network traffic (as opposed to workload-specific traffic).  

    For an AWS environment, a single Perimeter Firewall object represents (potentially multiple) AWS Network ACLs.

    Distributed firewall - Represents a logical, stateful distributed firewall service with visibility into workload-specific traffic (as opposed to network traffic).  

    For an AWS environment, a single Distributed Firewall object represents (potentially multiple) AWS Security Groups.

    Load balancer - Represents a logical load balancer, which distributes traffic across multiple server workloads for scalability and redundancy. These objects are connected on the:

    • Server side to subnets, where the server workloads reside
    • Client side to subnets (or edge gateways) from which clients connect to the load balanced service

    In AWS, these objects do not themselves represent an Elastic Load Balancer (ELB); it is the Load Balancer Pools in service blueprints that correlate to AWS ELBs. AWS has no component that equates to an on-premises logical load balancer. However, BMC Cloud Lifecycle Management still requires the creation of these logical load balancers to:

    • Identify Network Containers and Logical Hosting Environments that allow load balancing services (bronze versus silver level containers)
    • Govern the networks to which the Load Balancer Pools (or ELBs, in the case of AWS) may be connected during service instance provisioning.
  3. Add, define, and connect components in the network blueprint. Use either of the following methods to add a network component on the canvas:
    1. Click the network component icon from the component list on the left; the network component icon appears on the canvas.
    2. Drag a network component icon from the component list and drop the component icon to the desired location on the canvas.
  4. Ensure that the icons are positioned in the desired location on the canvas.
  5. Draw connection lines between the objects.
  6. Check the Design Issues label to ensure that the network blueprint has been properly configured. If there are design issues, hover over the Design Issues label to see a list of the issues. 

    You can save a blueprint with Design Issues, but will not be able to check it in until the issues are resolved.
  7. Click Save.
  8. Enter a unique name for your blueprint to describe the network.
  9. Click Create.


To add and define network blueprint components

The following sections describe how to add each component to a network blueprint.

Internet

Use this option to create an object representing the Internet.

  1. Enter a unique Name for the internet connection.
  2. Optionally, enter a Description.
  3. Enter the IP address in the Network Address field. 
    Along with Network Mask, the Network Address identifies the address range that workloads in the Isolation Boundary can access.  By default, the Internet object has a value for the address range (0.0.0.0/0.0.0.0) which represents the entire addressable space. However, a more restrictive (single) address range can be specified, perhaps representing a particular external network (when not using a VPN tunnel).
  4. Enter a Network Mask. The default value is 0.0.0.0. Enter a range of IP addresses to limit Internet access to a specific range of addresses.
    Along with Network Address, the Network Mask identifies the address range that workloads in the Isolation Boundary can access. The default value (0.0.0.0/0.0.0.0) allows for the entire addressable space, but a more narrow range could be used to restrict to specific external network's address range. 
  5. Optionally, add a Tag.
    Use a tag value such as "internet" or "external" for the Internet object. This tag should match the tag value on the load balancer pool object in Service Blueprints. For more information about using tags, see Creating tag groups and tags.

Network (including a network with a load balancer)

Use this option to create a subnet. You can add one or more subnets.

  1. Enter a unique Name for the subnet.
  2. Optionally, enter a Description.
  3. Enter a Network Address.
    Along with Network Mask, the Network Address identifies the IP Address range of the subnet. 
  4. Enter a Network Mask. Along with the Network Address, the Network Mask identifies the IP address range of the subnet.
    In AWS, address ranges for VPCs can be no broader than 255.255.0.0 (a /16); therefore every network's range must fit within the VPC range.
  5. Select from the following options:
    1. Public - Select if the network is public-facing. 

      In this case, a route is added in the route table allowing outbound traffic through the Edge Gateway. If this option is not selected (indicating a private network), only a local route is added.

      In AWS, this corresponds to descriptions of Public and Private subnets in the Amazon VPC creation wizard.

    2. Client - Select this option to indicate that this network will contain server workloads that will make client requests of a load balancer connected to this network. For example, if this network will house web servers that will initiate connections to a load balanced application server farm, then select this option. The option is displayed only if the network is connected to a load balancer.
    3. Server - Select this option to indicate that this network will contain servers that will be load balanced by a load balancer connected to this network. For example, select this option if this network will house the web servers that make up a load-balanced server farm. The option is displayed only if the network is connected to a load balancer.
    4. Use Default Route Table - Select this option to use the common, default route table shared by other networks in this network blueprint. 
      A network must have exactly one route table, which specifies the allowed routes for outbound traffic leaving the network. Networks might share a common route table or they might have their own. Use of the default (common) route table is primarily relevant to public networks, as private networks should not use the default route table. Entries in the route table are managed automatically based on connections drawn between networks in the network blueprint.
    5. Use NAT - Select this option to specify that this network needs Network Address Translation (NAT) when accessing network endpoints outside the Isolation Boundary. A network using NAT should not be marked public (it must be a private network).

      In AWS, this option creates a NAT translator, which assigns dynamic public IP addresses to the instances (workloads) in private networks in the VPC as they access external endpoints.

    6. Serving customer traffic - Select this option to indicate that this network will be used for customer traffic (for example, general web or database access), as opposed to management purposes (for example, by BMC Server Automation). Some networks may be used for both.
    7. Serving management traffic - Select this option to indicate that this network will be used for management purposes (for example, by BMC Server Automation), as opposed to customer traffic (for example, general web or database access). Some networks may be used for both.
  6. Optionally, set the Tags that are referenced by service blueprints to place workloads in this network.  
    For example, if this network (along with others) is intended to host web servers, you might specify Web as the tag. For more information about using tags, see Creating tag groups and tags.

In AWS, the TARGET_AWS_ZONE tags (provided by default) are used to identify the availability zone in which each network is created. TARGET_AWS_ZONE tags can be specified here in the network blueprint, or be supplied when VPC instances are created from a network blueprint. If no TARGET_AWS_ZONE tag is specified, then BMC Cloud Lifecycle Management will choose an arbitrary Availability Zone. Additionally, more generic tags may be used to identify region-neutral Availability Zone distinctions, such as "AZ-1" and "AZ-2".

This method allows service blueprints to designate that two web servers are placed in separate Availability Zones without needing to know which region or which specific Availability Zones are in use in a particular VPC. Furthermore, these more generic tags can be used to direct which specific Availability Zones are selected when VPC instances are created from the network blueprint.

Edge gateway

Use this option to create access either to the Internet or to a corporate network using a VPN tunnel (based on settings).

  1. Enter a unique Name for the gateway.
  2. Optionally, enter a Description.
  3. Set the Gateway Type to indicate whether this Edge Gateway is intended to connect to an Internet Gateway (public traffic) or to an enterprise VPN Gateway (private traffic).

Enterprise gateway

Use this option to create the enterprise end of a VPN tunnel.

  1. Enter a unique Name for the gateway.
  2. Optionally, enter a Description.
  3. Select the routing option to determine the type of routing for the Enterprise Gateway:
    1. Select Static Routing to indicate routing via a static IP address, and then add the IP Address in the field below. 
    2. If you prefer non-static routing, clear the Static Routing checkbox, which indicates dynamic routing via Border Gateway Protocol (BGP), and specify the IP Address.

Perimeter firewall

This option enables you to add an edge firewall service with visibility into network traffic (as opposed to workload-specific traffic). Perimeter firewalls typically provide network-level security.

In AWS, this option represents using a Network ACL.

  1. Enter a unique Name for the firewall.
  2. Optionally, enter a Description.
  3. To add a firewall interface that defines interfaces on the firewall, each of which secures a network, complete the following steps:
    1. Click the Add icon.
      The Firewall Interface - New panel is displayed.
    2. Add a name for the firewall interface.
    3. Optionally, add a description.
    4. Select the target network being secured by this firewall interface.
    5. From the drop-down list, select the direction of the traffic (Inbound, Outbound, or Direction Agnostic) that is being secured by subsequent firewall rules. You add rules via provisioning of service instances with network path details, or via the ad-hoc Manage Firewall Rules or Manage Network Path panels.

      Note

      The cloud administrator must open the following ports in the Network ACLs to enable communication with the BMC Server Automation RSCD Agent:

      • Inbound connection: Open the RSCD Agent port (by default, port 4750) for TCP communication
      • Outbound connection: Open all the ports for TCP communication (ports 1 – 65535), because the firewall is stateless and therefore does not automatically allow the agent's reply traffic back to the caller's ephemeral port

      You can create these firewall rules using the ad-hoc Manage Firewall Rules panel available in the Resources workspace. These ports must be opened to ensure the RSCD agent on the provisioned instance is able to communicate with the BMC Server Automation server to enable the creation of security groups, as defined in the Service Blueprint.
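The note above hinges on the difference between the stateless Network ACL behind a Perimeter Firewall and the stateful Security Group behind a Distributed Firewall. The following added example (not code from the page or from BMC) models both evaluation styles on a constructed RSCD Agent exchange: with only the inbound port 4750 rule, the stateless filter drops the agent's reply, which is why the page also opens outbound TCP 1 – 65535; the stateful filter passes the reply on its own. The ephemeral port 51234 and the flow-tracking model are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

RSCD_AGENT_PORT = 4750  # default BMC Server Automation RSCD Agent port (from the page)


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (toward the instance) or "outbound" (from the instance)
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int

    def matches(self, p: Packet) -> bool:
        # A rule filters on the destination port of packets travelling in its direction.
        return (self.direction == p.direction and self.proto == p.proto
                and self.port_from <= p.dst_port <= self.port_to)


class StatelessFirewall:
    """Network ACL semantics: every packet is judged on its own, in both directions."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def allows(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)


class StatefulFirewall:
    """Security Group semantics: a permitted packet opens a flow, and replies to that flow pass."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.flows: Set[Tuple[str, int, int]] = set()  # (proto, src_port, dst_port)

    def allows(self, p: Packet) -> bool:
        # A reply has the ports of an existing flow swapped.
        if (p.proto, p.dst_port, p.src_port) in self.flows:
            return True
        if any(r.matches(p) for r in self.rules):
            self.flows.add((p.proto, p.src_port, p.dst_port))
            return True
        return False


def rscd_exchange(bsa_ephemeral_port: int = 51234) -> List[Packet]:
    """Constructed exchange: the BMC Server Automation server connects to the agent,
    then the agent replies from port 4750 to the server's ephemeral port."""
    return [
        Packet("inbound", "tcp", bsa_ephemeral_port, RSCD_AGENT_PORT),
        Packet("outbound", "tcp", RSCD_AGENT_PORT, bsa_ephemeral_port),
    ]


def exchange_allowed(fw, packets: Iterable[Packet]) -> bool:
    """True only if every packet of the exchange gets through, in order."""
    return all(fw.allows(p) for p in packets)


# Only the inbound rule from the note.
INBOUND_ONLY = [Rule("inbound", "tcp", RSCD_AGENT_PORT, RSCD_AGENT_PORT)]
# Both rules from the note: inbound 4750 plus outbound TCP 1-65535.
PAGE_NACL_RULES = INBOUND_ONLY + [Rule("outbound", "tcp", 1, 65535)]

if __name__ == "__main__":
    print("stateless, page rules :", exchange_allowed(StatelessFirewall(PAGE_NACL_RULES), rscd_exchange()))
    print("stateless, inbound only:", exchange_allowed(StatelessFirewall(INBOUND_ONLY), rscd_exchange()))
    print("stateful, inbound only :", exchange_allowed(StatefulFirewall(INBOUND_ONLY), rscd_exchange()))
```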

Distributed firewall

This option enables you to add a distributed firewall service with visibility into workload-specific traffic (as opposed to network traffic).

In AWS, this object represents a Security Group.

  1. Enter a unique Name for the firewall.
  2. Optionally, enter a Description.
  3. To add a firewall interface that defines interfaces on the firewall, each of which secures a network, complete the following steps:
    1. Click the Add icon. The Firewall Interface - New panel is displayed.
    2. Add a name for the firewall interface.
    3. Optionally, add a description.
    4. Select the target network being secured by this firewall interface.
    5. From the drop-down list, select the direction of the traffic (Inbound, Outbound, or Direction Agnostic) that is being secured by subsequent firewall rules. You add rules via provisioning of service instances with network path details, or via the ad-hoc Manage Firewall Rules or Manage Network Path panels.

Load balancer

This option enables you to distribute traffic across multiple server workloads for scalability and redundancy.

  1. Enter a unique Name for the load balancer.
  2. Optionally, enter a Description.


To draw connections between components

To draw a connection line:

  1. Select the Connect icon.
  2. Click and drag from the source component to start drawing a connection.
  3. Release while hovering over the destination component to complete the connection.

You use the following objects to draw connections between components:

Connection lines

The lines that you draw between objects on the blueprint diagram.  

These lines represent connections between objects in the blueprint diagram as layer 3 routes served by an implicit router. Based on these connections, layer 3 routes are calculated and added to the route table(s).

VPN connection line

Draws a connection between an Edge Gateway and an Enterprise Gateway, creating a VPN tunnel.

This connection is highlighted in blue and has properties that can be configured when selected.

The connection line has the following configurable fields:

  1. Enter a unique Name for the connection.
  2. Optionally, enter a brief Description.
  3. Select the routing option:
    • Select Static Routing to indicate routing via a static IP address, and then add the IP Address in the field below. 
    • If you prefer non-static routing, clear the Static Routing checkbox, which indicates dynamic routing via Border Gateway Protocol (BGP), and specify the IP Address.

To delete components and connections

To delete or remove a specific component or connection, do one of the following:

  • Select the component or connection and click the Delete key on the keyboard.
  • Right-click the selected component or connection and click Delete from the context menu.

Note

When you delete a component, all the connections attached to the component are also deleted.


Managing network blueprints

The following sections describe the various management tasks when working with network blueprints.

Network blueprint zoom controls

You can use the zoom icons on the canvas to perform the following actions:

  • Zoom in on the network blueprint.
  • Return the network blueprint to its original size.
  • Zoom out on the network blueprint.
  • Fit the content so that all parts of the network blueprint are visible on the canvas.

To check out and edit an existing blueprint

Follow this procedure to modify an existing network blueprint.

  1. In the Network Designer workspace, select a network blueprint from the All Blueprints list or use the Search field to locate a blueprint in the list.
    The network blueprint appears in view-only mode. The current version of the network blueprint is shown next to the Check Out label. 

    To work with an earlier version of the blueprint, select the version drop-down and click Switch Version.
  2. Click Check Out.
    A local copy of the network blueprint is created and is listed in the My Checked Out Blueprints list. 
  3. Add and define components in the network blueprint, as needed. Use either of the following methods to add a network component on the canvas:
    1. Click the network component icon from the component list on the left; the network component icon appears on the canvas.
    2. Drag a network component icon from the component list and drop the component icon to the desired location on the canvas.

When you check out a network blueprint and make updates, a new version of the blueprint is created when you check it in.


To check in a network blueprint

Follow this procedure when you are ready to check in the network blueprint.

  1. After you finish editing a network blueprint and save it, close the Network Designer. 
    The Network Designer workspace is displayed. 
  2. Check the Design Issues label to ensure that the network blueprint has been properly configured. If there are design issues, hover over the Design Issues label to see a list of the issues. 

    You can save a blueprint with Design Issues, but will not be able to check it in until the issues are resolved.
  3. Click Working copy and select Check In.
    The working copy of the blueprint is removed from the My Checked Out Blueprints list, and a new version of the blueprint is added to the blueprint library (under All Blueprints).


To revert to a previous version

To revert a blueprint to a previous version, select an older version of the blueprint from All Blueprints list and save that version as the latest.

To discard or delete a network blueprint

You can discard a particular version of a blueprint, or you can delete a blueprint and all of its versions.


To discard a working copy of a network blueprint

  1. In the Network Designer workspace, click Working copy and select Discard.

  2. On the confirmation dialog box, click Yes.

The working copy of the specific blueprint version is removed from the My Checked Out Blueprints list.

Note

You can only discard a working copy of a particular version of a network blueprint, not a version of the checked-in blueprint.

To delete a blueprint

  1. In the Network Designer workspace, select a network blueprint from the All Blueprints list or use the Search field to locate a blueprint in the list.
  2. Ensure that the blueprint is not checked out and is not being referenced by a provisioned Logical Hosting Environment blueprint.
  3. From the Blueprint drop-down menu, select Delete. 
  4. On the confirmation dialog box, click Yes.

All versions of the network blueprint are deleted, and the network blueprint is removed from the All Blueprints list.


Blueprint example

In this example, you want to create a topology to run a single-tier, public-facing web application such as a blog or simple web site.

  1. From the BMC Cloud Lifecycle Management Administration Console, click the vertical Workspaces menu on the left side of the window and select Network Designer.
  2. In the Network Blueprints workspace, click Create New.
    The Network Blueprints Designer is displayed, with the Isolation Boundary for the network in the center of the canvas.

  3. Click the Internet icon, and enter the settings for the network.

    1. Enter a Name for the internet connection. This example uses Internet as the name, and does not enter a description.
    2. Enter the IP address in the Network Address field. 
      This example accepts the default for the Internet object, an address range of 0.0.0.0/0.0.0.0 representing the entire addressable space. However, a more restrictive (single) address range can be specified, perhaps representing a particular external network (when not using a VPN tunnel).
    3. This example uses the default Network Mask of 0.0.0.0, because it does not limit Internet access to a specific range of addresses.
  4. Click the Edge Gateway icon, and position the icon inside the Isolation Boundary.

    1. Enter a unique Name for the gateway. This example uses Blog Gateway.
    2. Set the Gateway Type. This example uses Internet Gateway, because the gateway is for public traffic.
  5. Click the Network icon, and enter the settings for the network.

    1. Enter a unique Name for the network. This example uses Calbro Services.
    2. Select Public to specify the network is public-facing. 
    3. Use Default Route Table - Select this option to use the common, default route table shared by other networks in this network blueprint. 
    4. Serving customer traffic - Select this option to indicate that this network will be used for customer traffic (for example, general web access or database access), as opposed to management purposes (for example, by BMC Server Automation). Some networks may be used for both.  
    5. Leave all other options blank.
  6. Click the Perimeter Firewall icon, and enter the settings for the firewall interface. In this example, add a firewall interface for the inbound traffic only, as the web server does not initiate outbound communication.

    1. Select the Network icon, and draw a connection line to the Perimeter Firewall icon. Connecting the Network to the Perimeter Firewall is what makes a firewall interface available to add.
    2. Click the Add icon. The Firewall Interface - New panel is displayed.
    3. Add a name for the firewall interface. This example uses the default, Firewall Interface 1.
    4. Select the specific target network being secured by this firewall interface. This example uses the Calbro Services network.
    5. From the drop-down list, select the direction of the traffic that is being secured. This example uses Inbound.

    6. Click OK to add the Firewall Interface 1. The firewall interface information is now displayed on the Firewall Interfaces table.

    7. Position the Perimeter Firewall inside the Isolation Boundary, between the Edge Gateway and the Network.

  7. Add other connections to the components:

    1. Select the Edge Gateway icon, and draw a connection line to the Internet icon.
    2. Select the Perimeter Firewall icon, and draw a connection line to the Edge Gateway icon.
      The following example shows the network blueprint with all connections drawn.

  8. Click Save.

  9. Enter a unique name for your blueprint to describe the network. This example uses Calbro Services Blog.
  10. Click Create. The Network Designer workspace is displayed, and the Calbro Services Blog blueprint is listed under My Checked Out Blueprints.
  11. Click Working Copy (v0) in the drop-down menu.
  12. Click Check In.
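The Network options described in the component table (Public, Use Default Route Table, Use NAT, Client/Server, and the AWS /16 limit) and the Calbro Services Blog walkthrough above both amount to a small set of design rules plus a route-table derivation. The following added example (not code from the page or from BMC) encodes those rules as a checker in the spirit of the Design Issues label and derives each network's route table entries as the page describes them; the Calbro values are reused, and the VPC range 10.0.0.0/16 and subnet 10.0.1.0/24 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The page states that AWS VPC ranges can be no broader than 255.255.0.0, i.e. a /16.
AWS_VPC_MAX_PREFIX = 16


@dataclass
class Network:
    name: str
    address: str                    # Network Address field, e.g. "10.0.1.0"
    mask: str                       # Network Mask field, e.g. "255.255.255.0"
    public: bool = False            # Public option
    use_default_route_table: bool = False
    use_nat: bool = False           # Use NAT option
    client: bool = False            # Client role (only with a load balancer)
    server: bool = False            # Server role (only with a load balancer)
    connected_to_load_balancer: bool = False

    @property
    def cidr(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.address}/{self.mask}", strict=False)


@dataclass
class Blueprint:
    vpc_cidr: str                   # Isolation Boundary (the VPC) address range
    edge_gateway: Optional[str]     # name of the Edge Gateway, or None if absent
    internet_address: str = "0.0.0.0"   # Internet object defaults from the page
    internet_mask: str = "0.0.0.0"
    networks: List[Network] = field(default_factory=list)


def design_issues(bp: Blueprint) -> List[str]:
    """Return the rules from the page that the blueprint violates (empty list = clean)."""
    issues: List[str] = []
    vpc = ipaddress.IPv4Network(bp.vpc_cidr)
    if vpc.prefixlen < AWS_VPC_MAX_PREFIX:
        issues.append(f"VPC {vpc} is broader than 255.255.0.0 (/16)")
    if not bp.networks:
        issues.append("at least one network must be included in the Isolation Boundary")
    for n in bp.networks:
        if not n.cidr.subnet_of(vpc):
            issues.append(f"{n.name}: {n.cidr} does not fit within VPC {vpc}")
        if n.use_nat and n.public:
            issues.append(f"{n.name}: a network using NAT must be private, not public")
        if n.use_default_route_table and not n.public:
            issues.append(f"{n.name}: private networks should not use the default route table")
        if n.public and bp.edge_gateway is None:
            issues.append(f"{n.name}: a public network needs an Edge Gateway for its outbound route")
        if (n.client or n.server) and not n.connected_to_load_balancer:
            issues.append(f"{n.name}: Client/Server roles apply only when connected to a load balancer")
    return issues


def route_table(bp: Blueprint, n: Network) -> List[Tuple[str, str]]:
    """Entries as the page describes them: every network gets a local route; a public
    network additionally gets the Internet object's range via the Edge Gateway."""
    routes = [(str(n.cidr), "local")]
    if n.public and bp.edge_gateway:
        internet = ipaddress.IPv4Network(
            f"{bp.internet_address}/{bp.internet_mask}", strict=False)
        routes.append((str(internet), bp.edge_gateway))
    return routes


def calbro_blog_blueprint() -> Blueprint:
    """The walkthrough's blueprint with constructed address ranges."""
    return Blueprint(
        vpc_cidr="10.0.0.0/16",
        edge_gateway="Blog Gateway",
        networks=[Network("Calbro Services", "10.0.1.0", "255.255.255.0",
                          public=True, use_default_route_table=True)],
    )


if __name__ == "__main__":
    bp = calbro_blog_blueprint()
    print("design issues:", design_issues(bp) or "none")
    for net in bp.networks:
        print(net.name, "->", route_table(bp, net))
```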


Where to go next

You can now use this network blueprint to create a logical hosting environment onto which you can build end-user service offerings.
