How to use remote access authentication in your Cloud Assembly deployments

In the previous post we’ve seen how to set up Cloud Automation Services, how to use Cloud Assembly to create a fully cloud-agnostic blueprint, how to use input variables and how to integrate Cloud Automation Services with Puppet. Now, I’ll discuss how to access your deployments in a secure way.

When using VMware Cloud Assembly, deploying new virtual machines becomes very simple and straightforward. But you will want to access these virtual machines after you’ve created them. To do this you have the following options:

  1. usernamePassword
  2. generatedPublicPrivateKey
  3. publicPrivateKey
  4. sshKeyName

At the moment Cloud Assembly supports the first three methods (1, 2 and 3) on Azure and the last three methods (2, 3 and 4) on AWS.

usernamePassword

Available on: Azure, vSphere

This is the classic username and password method. Specify ‘usernamePassword’ as the remote access authenticationType in Cloud Assembly. You then need to supply the username and password to the deployment. See the example below:

    inputs: {}
    resources:
      Cloud_Machine_1:
        type: Cloud.Machine
        properties:
          image: Windows
          flavor: medium
          remoteAccess:
            authentication: usernamePassword
            username: vmguru
            password: VMware1!
          networks:
            - name: '${Cloud_Network_1.name}'
          constraints:
            - tag: 'env:test'
      Cloud_Network_1:
        type: Cloud.Network
        properties:
          name: Cloud Network
          networkType: existing

(env:test - refers to my Azure cloud zone, image: Windows refers to the ‘WindowsServer:2016-Datacenter:latest’ image on Azure)

Once the deployment is complete, you can check the deployment details. At the bottom of the Cloud_Machine_1 properties you will find the provided username and password in the Custom Properties section.

If you follow the link to the Azure console, you can connect to the virtual machine using ssh or RDP.

generatedPublicPrivateKey

Available on: AWS, Azure

When you specify generatedPublicPrivateKey as the remote access authenticationType in Cloud Assembly, the system will generate a public and private key pair for you, and you can log in to the machine using the private key. The only requirement is that the image has to be cloud-init enabled. See the example below:

    inputs: {}
    resources:
      Cloud_Machine_1:
        type: Cloud.Machine
        properties:
          image: Linux
          flavor: small
          remoteAccess:
            authentication: generatedPublicPrivateKey
          networks:
            - name: '${Cloud_Network_1.name}'
          constraints:
            - tag: 'env:dev'
      Cloud_Network_1:
        type: Cloud.Network
        properties:
          name: Cloud Network
          networkType: existing

(env:dev - refers to my AWS cloud zone, image: Linux refers to an Ubuntu 16.04 image on AWS)

When the deployment is complete, you can check the deployment details. At the bottom of the Cloud_Machine_1 properties you will find the generated public key and private key in the Custom Properties section.

Copy the private key and create a [certificate_name].pem file like the example below:

Once created, run the following command to change the permissions of the .pem file so that only the file’s owner can read it.

chmod 400 [certificate_name].pem

You can now access the virtual machine using ssh by running the following command:

ssh -i generated-private-key.pem ubuntu@13.58.75.209

The IP address being the public IP address which you can find in the Deployment details under the General section. ‘ubuntu’ is the default username for EC2 Ubuntu deployments. For other Linux flavours check the Amazon EC2 documentation.

publicPrivateKey

Available on: AWS, Azure

When you specify publicPrivateKey, you need to generate a public and private key yourself. You can do this by using Puttygen, for example. You then have to pass the public key to the deployment as ‘sshKey’ in your Cloud Assembly code. See the example below:

    inputs: {}
    resources:
      Cloud_Machine_1:
        type: Cloud.Machine
        properties:
          image: Linux
          flavor: small
          remoteAccess:
            authentication: publicPrivateKey
            sshKey: [Enter_Public_key_here]
          networks:
            - name: '${Cloud_Network_1.name}'
          constraints:
            - tag: 'env:dev'
      Cloud_Network_1:
        type: Cloud.Network
        properties:
          name: Cloud Network
          networkType: existing

(env:dev - refers to my AWS cloud zone)

The machine will be provisioned with that public key. You can log in with the private key in the same way.

Store the generated private key and create a [certificate_name].pem file and change the permissions of the .pem file by using the following command.

chmod 400 [certificate_name].pem

You can now access the virtual machine using ssh by using the following command:

ssh -i [certificate_name].pem [username]@[IP_address]

Again, ‘ubuntu’ is the default username for Ubuntu deployments on AWS. For other Linux flavours check the Amazon EC2 documentation.

sshKeyName

Available on: AWS

The last method for now is using a predefined key pair. For now this is only available on AWS.

If you do not have a key pair defined, first create a new key pair. Go to AWS > Services > EC2 > Network & Security > Key Pairs and create a key pair. When completed, a new private key file with the name [key_pair_name].pem should have been downloaded automatically. Store this private key in the desired location and change the permissions of the .pem file by using the following command.

chmod 400 [certificate_name].pem

In VMware Cloud Assembly, simply set ‘sshKeyName’ to the name of the predefined key pair and you are done. Note: there is a little inconsistency here, ‘sshKeyName’ does not require the ‘remoteAccess’ property.

    inputs: {}
    resources:
      Cloud_Machine_1:
        type: Cloud.Machine
        properties:
          image: Linux
          flavor: small
          sshKeyName: Demo-pair
          networks:
            - name: '${Cloud_Network_1.name}'
          constraints:
            - tag: 'env:dev'
      Cloud_Network_1:
        type: Cloud.Network
        properties:
          name: Cloud Network
          networkType: existing

(env:dev - refers to my AWS cloud zone, image: Linux refers to an Ubuntu 16.04 image on AWS)

Once the deployment is complete, you can check the deployment details. At the bottom of the Cloud_Machine_1 properties you will find the name of the key pair which is used under the Custom Properties section.

You can now access the virtual machine using ssh by running the following command:

ssh -i [certificate_name].pem [username]@[IP_address]

ssh -i generated-private-key.pem ubuntu@18.191.246.122
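
The save-the-key, chmod 400 and ssh -i steps that the generatedPublicPrivateKey, publicPrivateKey and sshKeyName sections repeat can be wrapped in a few shell functions that also check the key before it is used. This is an added example, not part of the original post or of Cloud Assembly; the function names are hypothetical and it assumes the OpenSSH tools ssh and ssh-keygen are installed.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not Cloud Assembly tooling.

# install_key DEST: read a private key from stdin into DEST.
# umask 077 applies when the file is created, so the key is never readable
# by group or others, not even briefly; chmod 400 then drops write access.
install_key() {
    ( umask 077 && cat > "$1" ) && chmod 400 "$1"
}

# key_mode_ok FILE: succeed only if group and others have no access at all.
# ssh rejects a private key file whose mode grants them any permission.
# Characters 5-10 of the ls mode string are the group and other bits.
key_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# key_matches_pub KEYFILE PUBFILE: check that the private key belongs to the
# public key (the one shown under Custom Properties, or the one passed as
# sshKey). Only key type and key blob are compared; the comment is ignored.
key_matches_pub() {
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $1, $2}') || return 1
    expected=$(awk 'NF >= 2 {print $1, $2; exit}' "$2")
    [ -n "$derived" ] && [ "$derived" = "$expected" ]
}

# connect_vm KEYFILE USER@HOST: refuse to connect with a loosely protected
# key. IdentitiesOnly=yes makes ssh offer only the key named with -i instead
# of every key loaded in the agent.
connect_vm() {
    key_mode_ok "$1" || {
        echo "refusing: $1 is accessible to group or others" >&2
        return 1
    }
    ssh -i "$1" -o IdentitiesOnly=yes "$2"
}

# Typical use, with the key pasted from the deployment details on stdin:
#   install_key generated-private-key.pem
#   key_matches_pub generated-private-key.pem generated-public-key.pub
#   connect_vm generated-private-key.pem [username]@[IP_address]
```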

Happy deploying!

This is not the end of this series because there are a lot of topics still to be explained. So check in regularly for new content!