Creating and managing network blueprints
You use the Network Designer workspace to create network blueprints. A network blueprint is a topology blueprint used to carve out logical network isolations from physical devices. You can create simple network blueprints that set up a public-facing subnet to host a web application, or more complex blueprints that connect public cloud resources in a private, non-Internet facing corporate data center.
Note
Currently, the Network Blueprint workspace applies to Amazon Web Services (AWS) environments only.
This topic describes how to use the Network Designer to create network blueprints.
The following BMC Communities video (6:46) describes how to use IP address resources in network blueprints using BMC Network Automation. The blueprints can then be imported into BMC Cloud Lifecycle Management.
Before you begin
Ensure that you have completed the following tasks:
- If you are creating a blueprint for an AWS environment, ensure that you:
- Plan your network blueprint. Because of the many different ways you can create a network blueprint, you might not need each of the major steps provided in this topic. Plan your blueprint, and then follow the procedures you need to create the blueprint you have planned. You can create network blueprints that include some or all of the following objects, in whatever numbers you choose:
- Internet connections
- Networks
- Gateways (for the Internet or VPN)
- Perimeter and distributed firewalls
- Load balancers
Creating a new network blueprint
The following sections describe the tasks you must perform to create a network blueprint.
To create a network blueprint
Follow this procedure to create a new network blueprint.
- From the BMC Cloud Lifecycle Management Administration Console, click the vertical Workspaces menu on the left side of the window and select Network Designer.
- In the Network Designer workspace, click Create New.
The Network Designer canvas is displayed. The following icons indicate the available components you can use to build your network blueprint.
Isolation boundary - Represents the scope of the logical hosting environment being modeled by the network blueprint. Entries in the route table are managed automatically based on connections drawn between networks in the network blueprint.
In AWS, the Isolation Boundary represents the Virtual Private Cloud (VPC). Note that within every AWS VPC, there is an implicit router responsible for traffic between all VPC subnets.
Internet - Creates an object representing the Internet, which can be configured to allow nodes inside the Isolation Boundary to access nodes outside of it using the Internet.
By default, the Internet object has a value for the address range that represents the entire addressable space. However, a more restrictive (single) address range can be specified, perhaps representing a particular external network (when not using a VPN tunnel).
Network - Represents a contiguous address range to which workloads can be attached. At least one network must be included in the Isolation Boundary. A network can be public or private, and can be configured for Network Address Translation (NAT).
In AWS, a network represents a VPC subnet, designated as Public or Private.
Note
Routing for networks is driven by an implicit router (which is not represented in a network blueprint). Routing rules are managed by the Layer 3 connectivity lines you draw between networks, which are then applied to the routing table(s) for the networks.
Edge gateway - Provides egress from and ingress into the Isolation Boundary, either to the Internet or to a corporate network using a VPN tunnel (based on settings). Place this object within the Isolation Boundary.
For an AWS environment, this object represents an Internet Gateway or a VPN Gateway object within the VPC, depending on the type specified.
Enterprise gateway - Represents the enterprise end of a VPN tunnel. Place the gateway outside the Isolation Boundary and connect it to an Edge Gateway within the Isolation Boundary to model a VPN tunnel.
You configure the settings of the VPN by selecting the connection line on the canvas. Attach a subnet to the gateway to represent address ranges in the enterprise network that will have access to subnets within the Isolation Boundary.
For an AWS environment, this object represents a Customer Gateway.
Perimeter firewall - Represents a logical, stateless, edge firewall service with visibility into network traffic (as opposed to workload-specific traffic).
For an AWS environment, a single Perimeter Firewall object represents (potentially multiple) AWS Network ACLs.
Distributed firewall - Represents a logical, stateful distributed firewall service with visibility into workload-specific traffic (as opposed to network traffic).
For an AWS environment, a single Distributed Firewall object represents (potentially multiple) AWS Security Groups.
Load balancer - Represents a logical load balancer, which distributes traffic across multiple server workloads for scalability and redundancy. These objects are connected on the:
- Server side to subnets, where the server workloads reside
- Client side to subnets (or edge gateways) from which clients connect to the load balanced service
In AWS, these objects do not represent an Elastic Load Balancer (ELB); the Load Balancer Pools in service blueprints are what actually correlate to AWS ELBs. AWS has no component that equates to an on-premises logical load balancer. However, BMC Cloud Lifecycle Management still requires the creation of these logical load balancers to:
- Identify Network Containers and Logical Hosting Environments that allow load balancing services (bronze versus silver level containers)
- Govern the networks to which the Load Balancer Pools (or ELBs, in the case of AWS) may be connected during service instance provisioning.
- Add, define, and connect components in the network blueprint. Use either of the following methods to add a network component on the canvas:
- Click the network component icon from the component list on the left; the network component icon appears on the canvas.
- Drag a network component icon from the component list and drop the component icon to the desired location on the canvas.
- Ensure that the icons are positioned in the desired location on the canvas.
- Draw connection lines between the objects.
- Check the Design Issues label to ensure that the network blueprint has been properly configured. If there are design issues, hover over the Design Issues label to see a list of the issues.
You can save a blueprint with Design Issues, but will not be able to check it in until the issues are resolved.
- Click Save.
- Enter a unique name for your blueprint to describe the network.
- Click Create.
To add and define network blueprint components
The following table describes how to add the various components to a network blueprint.
Component | Procedure |
---|---|
Internet | Use this option to create an object representing the Internet. |
Network, Network with load balancer | Use this option to create a subnet. You can add one or more subnets. In AWS, the TARGET_AWS_ZONE tags (provided by default) are used to identify the availability zone in which each network is created. TARGET_AWS_ZONE tags can be specified here in the network blueprint, or be supplied when VPC instances are created from a network blueprint. If no TARGET_AWS_ZONE tag is specified, then BMC Cloud Lifecycle Management will choose an arbitrary Availability Zone. Additionally, more generic tags may be used to identify region-neutral Availability Zone distinctions, such as "AZ-1" and "AZ-2". This method allows service blueprints to designate that two web servers are placed in separate Availability Zones without needing to know what region or specific Availability Zones are in use in a particular VPC. Furthermore, these more generic tags can be used to direct which specific Availability Zones should be selected during VPC instance creation from the network blueprint. |
Edge gateway | Use this option to create access either to the Internet or to a corporate network using a VPN tunnel (based on settings). |
Enterprise gateway | Use this option to create the enterprise end of a VPN tunnel. |
Perimeter firewall | This option enables you to add an edge firewall service with visibility into network traffic (as opposed to workload-specific traffic). Perimeter firewalls typically provide network-level security. In AWS, this option represents using a Network ACL. |
Distributed firewall | This option enables you to add a distributed firewall service with visibility into workload-specific traffic (as opposed to network traffic). In AWS, this object represents a Security Group. |
Load balancer | This option enables you to distribute traffic across multiple server workloads for scalability and redundancy. |
To draw connections between components
To draw a connection line:
- Select the Connect icon.
- Click and drag from the source component to start drawing a connection.
- Release while hovering over the destination component to complete the connection.
You use the following objects to draw connections between components:
Connection type | Description | Example |
---|---|---|
Connection lines | The lines that you draw between objects on the blueprint diagram. These lines represent connections between objects as layer 3 routes served by an implicit router. Based on these connections, layer 3 routes are calculated and added to the route table(s). | |
VPN connection line | Draws a connection between an Edge Gateway and an Enterprise Gateway, creating a VPN tunnel. This connection is highlighted in blue and has properties that can be configured when the line is selected. | |
To delete components and connections
To delete or remove a specific component or connection, do one of the following:
- Select the component or connection and click the Delete key on the keyboard.
- Right-click the selected component or connection and click Delete from the context menu.
Managing network blueprints
The following sections describe the various management tasks when working with network blueprints.
Network blueprint zoom controls
You can use the following icons to zoom in or out of the network blueprint.
- Zooms in on the network blueprint.
- Returns the network blueprint to its original size.
- Zooms out of the network blueprint.
- Fits the content so that all parts of the network blueprint are visible on the canvas.
To check out and edit an existing blueprint
Follow this procedure to modify an existing network blueprint.
- In the Network Designer workspace, select a network blueprint from the All Blueprints list or use the Search field to locate a blueprint in the list.
The network blueprint appears in view-only mode. The current version of the network blueprint is shown next to the Check Out label.
To work with an earlier version of the blueprint, select the version drop-down and click Switch Version.
- Click Check Out.
A local copy of the network blueprint is created and is listed in the My Checked Out Blueprints list.
- Add and define components in the network blueprint, as needed. Use either of the following methods to add a network component on the canvas:
- Click the network component icon from the component list on the left; the network component icon appears on the canvas.
- Drag a network component icon from the component list and drop the component icon to the desired location on the canvas.
When you check out a network blueprint and make updates, a new version of the blueprint is created when you check it in.
To check in a network blueprint
Follow this procedure when you are ready to check in the network blueprint.
- After you finish editing a network blueprint and save it, close the Network Designer.
The Network Designer workspace is displayed.
- Check the Design Issues label to ensure that the network blueprint has been properly configured. If there are design issues, hover over the Design Issues label to see a list of the issues.
You can save a blueprint with Design Issues, but will not be able to check it in until the issues are resolved.
- Click Working copy and select Check In.
The working copy of the blueprint is removed from the My Checked Out Blueprints list, and a new version of the blueprint is added to the blueprint library (under All Blueprints).
To revert to a previous version
To revert a blueprint to a previous version, select an older version of the blueprint from All Blueprints list and save that version as the latest.
To discard or delete a network blueprint
You can discard a particular version of a blueprint, or you can delete a blueprint and all of its versions.
Task | Procedure |
---|---|
To discard a working copy of a network blueprint | The working copy of the specific blueprint version is removed from the My Checked Out Blueprints list. Note: You can only discard a working copy of a particular version of a network blueprint, not a version of the checked-in blueprint. |
To delete a blueprint | All versions of the network blueprint are deleted, and the network blueprint is removed from the All Blueprints list. |
Blueprint example
In this example, you want to create a topology to run a single-tier, public-facing web application such as a blog or simple web site.
- From the BMC Cloud Lifecycle Management Administration Console, click the vertical Workspaces menu on the left side of the window and select Network Designer.
- In the Network Blueprints workspace, click Create New.
The Network Blueprints Designer is displayed, with the Isolation Boundary for the network in the center of the canvas.
- Click the Internet icon, and enter the settings for the network.
  - Enter a Name for the internet connection. This example uses Internet as the name, and does not enter a description.
  - Enter the IP address in the Network Address field.
  This example accepts the default for the Internet object, an address range (0.0.0.0/0.0.0.0) representing the entire addressable space. However, a more restrictive (single) address range can be specified, perhaps representing a particular external network (when not using a VPN tunnel).
  - This example uses the default Network Mask of 0.0.0.0, because it does not limit Internet access to a specific range of addresses.
- Click the Edge Gateway icon, and position the icon inside the Isolation Boundary.
  - Enter a unique Name for the gateway. This example uses Blog Gateway.
  - Set the Gateway Type. This example uses Internet Gateway as the gateway type, because the gateway carries public traffic.
- Click the Network icon, and enter the settings for the network.
  - Enter a unique Name for the network. This example uses Calbro Services.
  - Select Public to specify that the network is public-facing.
  - Use Default Route Table - Select this option to use the common, default route table shared by other networks in this network blueprint.
  - Serving customer traffic - Select this option to indicate that this network will be used for customer traffic (for example, general web access or database access), as opposed to management purposes (for example, by BMC Server Automation). Some networks may be used for both.
  - Leave all other options blank.
- Click the Perimeter Firewall icon, and enter the settings for the firewall interface. In this example, add a firewall interface for the inbound traffic only, as the web server does not initiate outbound communication.
  - Select the Network icon, and draw a connection line to the Perimeter Firewall icon. Connecting the Network icon to the Perimeter Firewall icon adds a firewall interface.
  - Click the Add icon. The Firewall Interface - New panel is displayed.
  - Add a name for the firewall interface. This example uses the default, Firewall Interface 1.
  - Select the specific target network being secured by this firewall interface. This example uses the Calbro Services network.
  - From the drop-down list, select the direction of the traffic that is being secured. This example uses Inbound.
  - Click OK to add Firewall Interface 1. The firewall interface information is now displayed in the Firewall Interfaces table.
  - Position the Perimeter Firewall inside the Isolation Boundary, between the Edge Gateway and the Network.
- Add the other connections between the components:
  - Select the Edge Gateway icon, and draw a connection line to the Internet icon.
  - Select the Perimeter Firewall icon, and draw a connection line to the Edge Gateway icon.
  The following example shows the network blueprint with all connections drawn.
- Click Save.
  - Enter a unique name for your blueprint to describe the network. This example uses Calbro Services Blog.
  - Click Create. The Network Designer workspace is displayed, and the Calbro Services Blog blueprint is listed under My Checked Out Blueprints.
- Click Working Copy (v0) in the dropdown menu.
- Click Check In.
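The Perimeter Firewall in this example corresponds to an AWS Network ACL, which is stateless: the web server's replies to inbound requests are evaluated as outbound traffic rather than being matched to the request that caused them, whereas a Security Group (the Distributed Firewall) tracks the connection. The following Python model is an added example, not part of the BMC documentation, and does not represent how the product generates AWS rules; its rule tuples, addresses and ports are constructed for illustration.

```python
# Added example, not part of the BMC documentation or the product: models the
# Perimeter Firewall (AWS Network ACL, stateless) against the Distributed
# Firewall (AWS Security Group, stateful). Rules, addresses and ports are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" toward the web subnet, "out" away from it
    proto: str
    dst_port: int
    flow: tuple     # (client_ip, client_port, server_ip, server_port)

def nacl_allows(rules, pkt):
    """Stateless filter: each packet, replies included, is matched only against
    the rules for its own direction; nothing is remembered between packets."""
    return any(d == pkt.direction and p == pkt.proto and lo <= pkt.dst_port <= hi
               for d, p, lo, hi in rules)

class SecurityGroup:
    """Stateful filter: an allowed inbound packet records its connection, and
    the reply is then allowed because that connection is known."""
    def __init__(self, inbound):
        self.inbound = set(inbound)  # {(proto, port)} permitted inbound
        self.state = set()           # connections admitted so far
    def allows(self, pkt):
        if pkt.direction == "in":
            if (pkt.proto, pkt.dst_port) in self.inbound:
                self.state.add(pkt.flow)
                return True
            return False
        return pkt.flow in self.state  # reply to a tracked connection

def http_exchange(allows):
    """Send one HTTP request and its reply through a filter and return the
    (request_allowed, reply_allowed) verdicts."""
    flow = ("203.0.113.10", 50123, "10.0.1.5", 80)  # constructed addresses
    request = Packet("in", "tcp", 80, flow)
    reply = Packet("out", "tcp", 50123, flow)        # back to the client's port
    return allows(request), allows(reply)

INBOUND_HTTP_ONLY = [("in", "tcp", 80, 80)]
# A stateless ACL also needs the reply path: outbound to the ephemeral port range.
WITH_RETURN_RULE = INBOUND_HTTP_ONLY + [("out", "tcp", 1024, 65535)]

def evaluate():
    """Verdicts for the three configurations; only the stateless
    inbound-only ACL drops the web server's replies."""
    return {
        "nacl_inbound_only": http_exchange(lambda p: nacl_allows(INBOUND_HTTP_ONLY, p)),
        "nacl_with_return_rule": http_exchange(lambda p: nacl_allows(WITH_RETURN_RULE, p)),
        "security_group": http_exchange(SecurityGroup({("tcp", 80)}).allows),
    }
```

When reviewing an inbound-only Perimeter Firewall interface, confirm what the generated Network ACL does with outbound traffic, since a stateless filter with no outbound allow drops the replies.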
Where to go next
You can now use this network blueprint to create a logical hosting environment onto which you can build end-user service offerings.