Overview of support for Amazon Web Services

BMC Cloud Lifecycle Management supports the external cloud provider Amazon Web Services (AWS). This topic provides an overview of what is supported by BMC Cloud Lifecycle Management and also provides a list of limitations to the support. 

The topic includes the following sections:

  • API/SDK support
  • Key terminology
  • Mapping of AWS constructs with BMC Cloud Lifecycle Management objects
  • Support for Availability Zones and VPCs
  • Limitations to the support
  • Where to go from here

API/SDK support

BMC Cloud Lifecycle Management uses the AWS Java SDK. See the Amazon Web Services online technical documentation for more information about using the SDKs.

With this SDK, you can provision Amazon Machine Images (AMIs) available from the Amazon Marketplace. AMIs with preconfigured stacks (with applications already installed) are available from the Amazon Marketplace for IaaS, PaaS, and SaaS. You can provision any appliance from the Marketplace; it appears in the console as a compute node.

For example, a Check Point firewall provisioned from the Amazon Marketplace appears as a compute VM in the BMC Cloud Lifecycle Management console. You can then perform Day 2 operations on it, such as adding memory or CPU and starting or stopping the instance. Note that no firewall artifacts are generated for this type of resource.

Key terminology

The following table describes the key terms used in this topic.
EC2 instance

Amazon EC2 (Elastic Compute Cloud) instances are similar to virtual servers and can run applications. Instances are created from an AMI.

Amazon Machine Image (AMI)

A template that contains a software configuration, including an operating system, which defines your operating environment. You can use generic public AMIs or you can customize a public AMI.

Availability Zone

A distinct location within an AWS geographic Region. A Region can contain multiple Availability Zones. An Availability Zone is designed to be isolated so that a failure in another Availability Zone does not impact its instances. A subnet resides in only one Availability Zone.

The BMC Cloud Lifecycle Management pod is mapped to an Availability Zone. Consequently, Availability Zones are onboarded as pods.

Virtual Private Cloud (VPC)

A virtual network dedicated to your AWS account that is logically isolated from other virtual networks in the AWS cloud. A VPC creates a separate section of the AWS cloud with its own virtual network topology. You can create multiple VPCs in the AWS cloud.

A VPC is contained with an AWS geographic Region, and it can span multiple Availability Zones.

Logical hosting environment (LHE)

A generic BMC Cloud Lifecycle Management construct. In the AWS context, an LHE can be either a VPC or an Availability Zone.

Security Group

A firewall policy that is applied to provisioned virtual machines. A security group consists of rules that control inbound and outbound network traffic. You can assign virtual machine instances to multiple security groups.

SSH key pair

A public/private key pair that enables remote access to your virtual machine instances. Use this key to gain SSH access to Linux instances and Remote Desktop access to Windows instances.

BMC Server Automation Agent

A software package that you can install on an AMI instance to enable the BMC Server Automation use cases on virtual machine instances.

Logical data center

A generic construct that encapsulates the key artifacts of any isolated network topology.

The logical data center references Logical Distributed Firewalls, Logical Perimeter Firewalls, Logical Data Stores, and Logical Load Balancers.

Logical load balancer

A Logical Load Balancer represents an Elastic Load Balancer. The Logical Load Balancer has IPv4 and IPv6 DNS names to accommodate IPv6 clients. The cloud administrator chooses the probing protocol and the probing path. For example, a web server instance listening for traffic on port 80 would have a probing path similar to xxxxx:80/index.html.

Logical perimeter firewall

A construct within the Logical Data Center that provides security at the perimeter of the data center, even though the physical layout is not exposed. Packets coming in from the internet must traverse these firewalls before they can enter the Logical Data Center. These firewalls typically provide subnet-level security.

Logical distributed firewall

A construct within the Logical Data Center that provides security between VLANs. These firewalls are additive to the logical perimeter firewalls and are usually tightly integrated at the hypervisor layer. These firewalls can be associated with elastic load balancers.

Logical data store

A construct within the Logical Data Center that provides a virtual data store.

Mapping of AWS constructs with BMC Cloud Lifecycle Management objects

The following table identifies the correlations between the main AWS constructs and their BMC Cloud Lifecycle Management counterparts:

AWS construct                 BMC Cloud Lifecycle Management object
Availability Zone             Logical Hosting Environment
Virtual Private Cloud         Logical Hosting Environment
Amazon Machine Image          Template for a provisioning instance
Virtual Private Cloud subnet  Logical Network
Elastic Load Balancers        Logical Load Balancers
Security Groups               Logical Distributed Firewalls
Network ACL                   Logical Perimeter Firewalls
Elastic Block Storage         Logical Datastore

Support for Availability Zones and VPCs

BMC Cloud Lifecycle Management allows you to provision virtual machine (VM) instances to Availability Zones or VPCs.

An Availability Zone is a distinct location within an AWS geographic Region. A Region can contain multiple Availability Zones. Availability Zones are designed to be isolated so that a failure in one Availability Zone does not impact instances in another. For more information, see the AWS documentation on Regions and Availability Zones.

Unlike Availability Zones, which are predefined, VPCs are created to delineate a section of the AWS cloud for your use. Within this section you can launch AWS instances with private, instead of public, IP addresses that lie within a user-defined range. Within the VPC, you can create subnets to group similar AWS instances according to a private IP address range. The following example shows a VPC with four subnets:

The VPC is designated by the address 192.168.24.0/24. The subnets are designated by the following addresses:

  • 192.168.24.0/26
  • 192.168.24.64/26
  • 192.168.24.128/26
  • 192.168.24.192/26
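As an added example (not part of the BMC documentation), the following Python script reproduces the subnet plan above with the standard ipaddress module: it splits the VPC CIDR into /26 subnets, validates a proposed subnet list (every subnet inside the VPC, none overlapping, none with host bits set), and counts the addresses left for instances. The VPC and subnet addresses are the ones listed on this page; the figure of five reserved addresses per subnet is taken from AWS VPC documentation, not from this page, and is labelled as such in the code.

```python
import ipaddress
from typing import List

# Addresses taken from the page's example: a /24 VPC split into four /26 subnets.
VPC_CIDR = "192.168.24.0/24"
SUBNET_PREFIX = 26
# AWS reserves the first four addresses and the last address of each subnet
# (assumption from AWS VPC documentation, not from this page).
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr: str, new_prefix: int) -> List[str]:
    """Enumerate the equal-sized subnets that a VPC CIDR block divides into."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(net) for net in vpc.subnets(new_prefix=new_prefix)]


def validate_subnets(vpc_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Check a proposed subnet list against the VPC.

    Returns a list of problems (empty when the plan is sound): malformed
    CIDRs, subnets that fall outside the VPC, and subnets that overlap
    one another.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    accepted = []
    problems = []
    for cidr in subnet_cidrs:
        try:
            # strict=True rejects addresses with host bits set, e.g. 192.168.24.1/26
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: invalid network ({exc})")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: lies outside VPC {vpc}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps {other}")
        accepted.append(net)
    return problems


def usable_addresses(cidr: str) -> int:
    """Addresses left for instances after AWS's per-subnet reservations."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR, SUBNET_PREFIX)
    for subnet in plan:
        print(f"{subnet}: {usable_addresses(subnet)} usable addresses")
    # A subnet from a neighbouring /24 is flagged as outside the VPC.
    print("problems:", validate_subnets(VPC_CIDR, plan + ["192.168.25.0/26"]))
```

Running the script prints the four subnets from the page with 59 usable addresses each, then one problem for the deliberately wrong 192.168.25.0/26 entry. The same validate_subnets check is useful before onboarding a VPC whose subnets were created by hand in AWS.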

You can assign elastic IP addresses to the private address instances in the VPC. Elastic IP addresses are static, public addresses that, once assigned, enable the instances in the VPC to be reached from external networks.

You can onboard your existing VPCs and Availability Zones as Logical Data Centers to BMC Cloud Lifecycle Management. See Onboarding and offboarding Logical Data Centers for Amazon Web Services.

For instructions about how to create a VPC using BMC Cloud Lifecycle Management, see Creating a Logical Data Center for Amazon Web Services.

Limitations to the support

The following table itemizes the limitations to the current BMC Cloud Lifecycle Management support for AWS.

Onboarded Availability Zones

Load Balancer and Firewall management is not supported for Availability Zone-based LDCs.

IPAM is also not supported for an onboarded Availability Zone (which is onboarded as an LDC).

Availability Zones

In an AWS environment, some Availability Zones do not support provisioning from an AMI whose volume type is General Purpose (SSD). This behavior is as designed by AWS.

If this occurs, BMC Cloud Lifecycle Management displays the following error when trying to provision an instance in the Availability Zone.

To work around this issue, provision the AWS instance in a different Availability Zone.

VPCs (onboarded or created)

The BMC Cloud Management console does not support LHE Offboard. Therefore, when you select Decommission in the BMC Cloud Management console, all of the VPC-based LHEs are deleted from both the Cloud database and AWS, including onboarded VPC-based LHEs whose VPCs were originally created in AWS.

LHE Offboard is supported only using the API.

Firewall rules / network paths

  • Firewalls: Outbound rules for a Distributed Firewall cannot be viewed or created through the Firewall management UI. To view an outbound firewall rule, use the API.
  • Network paths: Deny network paths (Create: Deny) are valid only between two networks (external or internal). If an endpoint is a Resource Set, the network path is invalid.
  • Firewall and network paths:
    • The only valid protocols for firewall rules and network paths are TCP and UDP.
    • If you have multiple network paths, deleting a network path or SOI that uses a shared firewall rule deletes the rule. This might cause failures for other SOIs that also use the shared firewall rule. In the event of a failure, you must re-create the network path to re-instantiate the firewall rule.
  • Distributed firewall (best practice): To enroll the BMC Server Automation server, install the software, and run compliance successfully, BMC recommends the following:
    • When the distributed firewall is enabled: define the required ports, including the RSCD port (4750), in the service blueprint.
    • When the distributed firewall is disabled: define the required ports, including the RSCD port (4750), in a VPC-level default security group or in the service blueprint.

Scaling

Scaling up (adding CPU or memory) or scaling down an Amazon EC2 node is tied to the source instance family, as defined by the AWS SDK. However, if the source instance is a micro instance, a scale-up operation could allow an EC2 node to cross the instance type family boundary from micro to general purpose. Scale-down operations are strictly within an instance family.
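To make the firewall and network path limitations above concrete, here is an added Python model, written for this page and not BMC's code or the product's API, that checks blueprint firewall rules against those constraints: the protocol must be TCP or UDP, the RSCD port 4750 must be opened inbound for the BMC Server Automation agent, and, before a network path is deleted, it reports which other SOIs share its firewall rules and would lose them. The rule, network path and SOI names are constructed sample data, and the FirewallRule and NetworkPath classes are simplified stand-ins for the product's objects.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALLOWED_PROTOCOLS = {"TCP", "UDP"}   # the only protocols valid for rules and network paths
RSCD_PORT = 4750                     # BMC Server Automation agent (RSCD) port


@dataclass(frozen=True)
class FirewallRule:
    protocol: str
    port: int
    source: str                      # network name or CIDR (constructed)
    direction: str = "inbound"


@dataclass
class NetworkPath:
    name: str
    soi: str                         # service offering instance that owns the path
    rules: List[FirewallRule] = field(default_factory=list)


def validate_rule(rule: FirewallRule) -> List[str]:
    """Reasons the rule would be rejected; an empty list means it is valid."""
    problems = []
    if rule.protocol.upper() not in ALLOWED_PROTOCOLS:
        problems.append(f"protocol {rule.protocol!r} is not TCP or UDP")
    if not 0 < rule.port <= 65535:
        problems.append(f"port {rule.port} is out of range")
    if rule.direction not in ("inbound", "outbound"):
        problems.append(f"direction {rule.direction!r} is unknown")
    return problems


def allows_rscd(rules: List[FirewallRule]) -> bool:
    """True when the rule set opens the RSCD agent port inbound over TCP."""
    return any(
        r.protocol.upper() == "TCP" and r.port == RSCD_PORT and r.direction == "inbound"
        for r in rules
    )


def shared_rule_impact(paths: List[NetworkPath], path_name: str) -> Dict[FirewallRule, Set[str]]:
    """Before deleting path_name, map each of its rules that other paths also
    use to the SOIs that would lose the rule when it is deleted."""
    target = next((p for p in paths if p.name == path_name), None)
    if target is None:
        raise KeyError(f"no network path named {path_name!r}")
    impact: Dict[FirewallRule, Set[str]] = {}
    for rule in target.rules:
        others = {p.soi for p in paths if p.name != path_name and rule in p.rules}
        if others:
            impact[rule] = others
    return impact


# Constructed sample: three SOIs, two of whose network paths share the RSCD rule.
RSCD_RULE = FirewallRule("TCP", RSCD_PORT, "bsa-server-subnet")
SAMPLE_PATHS = [
    NetworkPath("web-in", "soi-web", [FirewallRule("TCP", 80, "external"), RSCD_RULE]),
    NetworkPath("app-in", "soi-app", [FirewallRule("TCP", 8080, "web-subnet"), RSCD_RULE]),
    NetworkPath("db-in", "soi-db", [FirewallRule("TCP", 3306, "app-subnet")]),
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        invalid = [(r, validate_rule(r)) for r in path.rules if validate_rule(r)]
        print(path.name, "rscd open:", allows_rscd(path.rules), "invalid rules:", invalid)
    print("deleting web-in would strip rules from:", shared_rule_impact(SAMPLE_PATHS, "web-in"))
```

In the sample, db-in has no RSCD rule, so allows_rscd flags it as a blueprint that would fail agent enrollment, and shared_rule_impact shows that deleting web-in would also remove the RSCD rule from soi-app, which is exactly the shared-rule failure the limitation describes.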

Where to go from here

To start your Amazon Web Services implementation, see Configuring the infrastructure for Amazon Web Services support.
