Hybrid Cloud

This topic contains the answers to the most frequently asked questions related to AWS, Microsoft Azure and Google Cloud Platform.

Which resources does Maestro support in the AWS regions?

EPAM Orchestrator provides flexible deployment, management and monitoring of AWS resources, available through the Maestro command line and web UI interfaces.

EPAM Orchestrator automatically selects the most suitable virtualization type for deploying instances with the following operating systems:

- Linux CentOS 6 64-bit
- Linux CentOS 7 64-bit
- Debian GNU/Linux 7 64-bit
- Ubuntu 10.04 32-bit/64-bit
- Linux Ubuntu 12.04 64-bit
- Linux Ubuntu 14.04 64-bit
- Windows Server 2012 R2 Standard Edition
- Windows Server 2012 Standard Edition
- Windows Server 2008 R2 Standard Edition

All images used in Orchestrator are those provided by AWS by default, and machine images are auto-configured through user data.

It is also possible to launch any available AWS AMI directly from the AWS Management Console; the resulting instances come under Orchestrator control.

When AWS is used through EPAM Orchestrator, the user not only gets access to AWS services and functions, but can also benefit from the additional facilities EPAM Orchestrator provides: consolidated billing; an automatic, role-based notification system; infrastructure event monitoring; a quotas engine that controls account expenses; consolidated SSH key support; detailed user permission management; scheduled infrastructure operations; free security scanning and security issue reporting; and other functions and services.

For the detailed information on the features supported within AWS integration, please see our Hybrid Cloud Guide.

Can I use a single Amazon account to run instances in the AWS regions for different UPSA projects?

No, please use a different AWS account for each of them.

How do I use the default auto-configuration provided by Orchestrator for AWS instances launched from the Amazon EC2 console?

Please assign the following property to each of them:

op_orch_ip=https://config.cloud.epam.com/orchestration

How is AWS region utilization billed?

If you need to plan and calculate costs, use the AWS Simple Monthly Calculator.
For the most current information on AWS pricing, see the Amazon EC2 Pricing page on the AWS website.

Which AWS regions are supported by EPAM Cloud Orchestration?

Ten Amazon regions are available. The table below gives the full list of the Amazon regions that are supported:

Region Code      Region Name
---------------  ------------------------------------
ap-northeast-1   Asia Pacific (Tokyo) Region
ap-northeast-2   Asia Pacific (Seoul) Region
ap-southeast-1   Asia Pacific (Singapore) Region
ap-southeast-2   Asia Pacific (Sydney) Region
eu-west-1        EU (Ireland) Region
eu-central-1     EU (Frankfurt) Region
sa-east-1        South America (Sao Paulo) Region
us-east-1        US East (Northern Virginia) Region
us-west-1        US West (Northern California) Region
us-west-2        US West (Oregon) Region

When I run AWS instances with EPAM Orchestrator, do I get any discounts compared to using AWS directly?

There are no discounts for AWS: we pass the charges through to the projects. The account manager can decide to charge clients for that. Both live and non-live environments are supported on AWS, and we provide deployment automation and continual application and infrastructure support for the solutions deployed there.

The temporary AWS Management Console access session is not enough for my needs. What can I do with it?

The temporary AWS Management Console session allows one hour of idle time, after which the connection is closed.

The access provided by the or2-aws-management-console command is designed for situations where the user needs one-time or short-term access to the AWS Management Console. If the user needs permanent access to the AWS Console, we can create a dedicated user for them on request. The request must be approved by the project coordinator. All actions such a user performs on resources in AWS are tracked by Orchestration.

If someone manually launches an instance, does it show up in the portal? What if someone manually makes a change in the AWS portal?

When a new instance is launched manually on Amazon, EPAM Orchestrator detects it, starts collecting information on it and provides VM management controls. New instance detection relies on integration with CloudTrail, which (in the current implementation) also tracks events related to VM management, IP and SSH key manipulation, and security group changes.

Information on VM creation and other events becomes available in EPAM Orchestrator within 10 minutes.

The current implementation covers the event types most needed by EPAM Orchestrator users. However, tracking of other event types can be enabled at short notice if a customer requests it.

How is a VM moved from EPAM Cloud to AWS?

To move an existing VM from EPAM Cloud to the AWS environment, please submit a Support Request with the information on the VM you need to move and the target region.

You can also create an image of your VM and request importing this image to an AWS region.

How is the connection to AWS-based instances organized?

AWS-based instances do not have access to internal EPAM resources. By default, these instances are reachable from the Internet and from the EPAM network.

It is possible to give AWS instances access to EPAM resources by creating a point-to-point VPN connection, within the VPC, for each project separately. This requires the assistance of network engineers. To make a server reachable from the Internet, the Expose to Internet procedure must be performed.

AWS-based instances reach the Internet through Amazon's channel and do not use the EPAM network.

Can I manipulate and monitor AWS resources by means of Cloud Management Console?

Yes, you can:

- You can use the Run wizard to create new instances in AWS and to run Amazon CloudFormation stacks.
- The information on the resources is available on the Monitoring page.
- You can change instance states using the control buttons in the Instance details section of the Management page.

How do you make changes to AWS security groups? How do you choose where an instance gets deployed, in terms of VPC and security groups?

EPAM Orchestrator supports a comprehensive set of admin commands for security group management: creating and updating security groups, tracking security group changes, and backing up security group configurations so that they can be reverted to later.

During the initial project activation in AWS, the configurations are applied automatically via a Groovy script which, if necessary, can be customized according to the specific customer's needs.

After that, manual security group customization is possible.
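The backup-and-revert workflow described above, reduced to its core as an added example in plain Python (this is not EPAM Orchestrator's admin command code): a group's rules are flattened into a canonical form, serialised as the backup, and later diffed against the live rules, with any newly added rule that opens a management port to the whole Internet flagged for review. The rule dictionaries follow the shape of the EC2 DescribeSecurityGroups "IpPermissions" field, but all values are constructed inline and "sg-example" is a placeholder group ID.

```python
"""Security group backup and diff (added example, not EPAM Orchestrator's admin commands)."""
import json

# Ports whose exposure to 0.0.0.0/0 a reviewer would want to see immediately (constructed heuristic)
MANAGEMENT_PORTS = {22, 3389}

def normalise(ip_permissions):
    """Flatten EC2-style IpPermissions into a set of (proto, from_port, to_port, cidr) tuples."""
    rules = set()
    for perm in ip_permissions:
        proto = perm.get("IpProtocol", "-1")
        # protocol "-1" (all traffic) carries no port keys; treat it as the full range
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, rng["CidrIp"]))
        for rng in perm.get("Ipv6Ranges", []):
            rules.add((proto, lo, hi, rng["CidrIpv6"]))
    return rules

def backup(group_id, ip_permissions):
    """Serialise the normalised rules; this string is what you would store as the backup."""
    return json.dumps({"group_id": group_id, "rules": sorted(normalise(ip_permissions))})

def diff_against_backup(backup_json, live_permissions):
    """Rules added to / removed from the live configuration relative to the backup."""
    saved = {tuple(r) for r in json.loads(backup_json)["rules"]}
    live = normalise(live_permissions)
    return {"added": sorted(live - saved), "removed": sorted(saved - live)}

def world_exposed_management(rules):
    """Rules that let any Internet address reach SSH or RDP."""
    return [r for r in rules
            if r[3] in ("0.0.0.0/0", "::/0")
            and any(r[1] <= p <= r[2] for p in MANAGEMENT_PORTS)]

# Constructed baseline: HTTPS and SSH from the corporate range only.
BASELINE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]
# Constructed live state: the HTTPS rule is gone and SSH is additionally open to everyone.
LIVE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
]

def review(group_id="sg-example"):
    """Back up BASELINE, diff LIVE against it, and flag risky additions."""
    changes = diff_against_backup(backup(group_id, BASELINE), LIVE)
    changes["risky_added"] = world_exposed_management(changes["added"])
    return changes

if __name__ == "__main__":
    print(json.dumps(review(), indent=2))
```

The "removed" list is what a revert would have to re-add and the "added" list what it would revoke; keeping the backup as canonical tuples rather than the raw API output makes the diff stable regardless of how the rules happen to be grouped into IpPermissions entries.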

You can find information on security group setup operations in our Maestro CLI Admin Utility Guide (sections 4.5.1 and 4.5.2).

Besides this, users who do not belong to the Cloud Admin group can also make security group changes if they have an IAM User account with security group management rights. These rights are granted upon an additional request, after approval from the project manager and the security group side.

Concerning VPC: each AWS linked account (a project in EPAM Cloud terms) gets a dedicated (isolated) VPC that can be configured according to the customer's needs. By default, all new infrastructure runs in this VPC. VPC management and deployment are not currently supported by the EPAM Orchestrator integration with AWS; however, this can be scheduled for implementation upon request.

How do you deploy a VPC, RDS, S3 bucket, etc?

Currently, we deploy an S3 bucket and configure it with CloudFormation stacks, and use S3 to establish consolidated billing and audit. Deployment of VPC and other services via EPAM Orchestrator can be implemented on request.

What is a project construct?

In AWS terms, a project is an account linked to the root one, with highly restricted access. Generally, a project is a unique unit that can be linked to a business unit, a product, a subsystem, etc. Each virtual resource or service is assigned to a specific project, which is charged for its usage.

Please note that EPAM Orchestrator implements role-based authorization. By default, only the users assigned to a project have access to that project's resources and information, within the set of permissions defined by their project role. The project manager or coordinator can customize the permissions to the project's needs. There are also cost control tools (the quotas engine) for specifying cost limits for a project.

Thus, the project approach can be used as a tool for permission and expense control in the Cloud.

Please note that all terms used in EPAM Orchestrator are described in the Glossary. For more details on the project concept, see the Tenant/Project article.

How do you handle notifications or CloudWatch events?

Currently, EPAM Orchestrator supports CloudWatch "as is". The integration lets you view basic information on existing AWS resources from the Monitoring page of the EPAM Cloud UI without additionally logging in to AWS.

To enable more complex operations, we implemented a proxy that allows EPAM Orchestrator to be used as an entry point for the AWS SDK. We also plan to add CloudWatch events to the EPAM Orchestrator audit, as this feature has been highly requested by our users recently.

I got an SMS saying my AWS account was compromised. What does it mean and what should I do?

A Project Manager or a Delivery Manager receives such an SMS when their project's daily resource creation quota for AWS is exceeded within a single hour. An "Unusual activity in AWS detected" email with the details of these activities is also sent. The email lists the resources that were created and the IAM accounts that initiated the activity, and carries Approve and Reject buttons. Clicking Approve confirms that the burst of resource creation is expected. Clicking Reject terminates all the resources listed in the report and deletes the accounts mentioned.

This mechanism exists to enable a quick reaction to unexpected situations, including hacking attacks, and helps to minimize possible harm and project losses.

Please note that if neither the Approve nor the Reject button is pressed by the Project Manager or Delivery Manager within 15 minutes of the notification, the EPAM Cloud Support team can take the responsibility to reject the resource creation and take all the necessary hack-protection measures.
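The two detection mechanisms this page describes, CloudTrail-based discovery of resources created outside Orchestrator (the "If someone manually launches an instance" answer above) and the hourly resource-creation quota behind the "Unusual activity in AWS detected" alert, reduced to a single added Python example. This is not EPAM Orchestrator's code: the records are constructed to mimic CloudTrail fields (eventName, eventTime, userIdentity, responseElements), nothing is fetched from AWS, the account ID 123456789012 and the user names are placeholders, and the one-hour sliding window and the set of event types counted as "creations" are assumptions made for the example.

```python
"""CloudTrail-style event monitoring (added example; not EPAM Orchestrator's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALICE = {"arn": "arn:aws:iam::123456789012:user/alice"}  # placeholder identities
BOB = {"arn": "arn:aws:iam::123456789012:user/bob"}

def _run(ts, who, *instance_ids):
    """Build a constructed RunInstances record launching the given instance IDs."""
    items = [{"instanceId": i} for i in instance_ids]
    return {"eventName": "RunInstances", "eventTime": ts, "userIdentity": who,
            "responseElements": {"instancesSet": {"items": items}}}

# Constructed sample trail: a quiet start, then a burst of creations by bob.
SAMPLE_EVENTS = [
    _run("2024-05-01T10:00:00Z", ALICE, "i-0000000000000001", "i-0000000000000002"),
    {"eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2024-05-01T10:05:00Z",
     "userIdentity": ALICE},
    _run("2024-05-01T10:20:00Z", BOB, "i-0000000000000003", "i-0000000000000004",
         "i-0000000000000005"),
    {"eventName": "CreateVolume", "eventTime": "2024-05-01T10:40:00Z", "userIdentity": BOB,
     "responseElements": {"volumeId": "vol-0000000000000001"}},
    {"eventName": "AllocateAddress", "eventTime": "2024-05-01T10:50:00Z", "userIdentity": BOB,
     "responseElements": {"allocationId": "eipalloc-0000000000000001"}},
    _run("2024-05-01T12:30:00Z", ALICE, "i-0000000000000006"),
]

# Event name -> category the FAQ says Orchestrator tracks (VMs, IPs, SSH keys, security groups).
TRACKED = {
    "RunInstances": "vm", "TerminateInstances": "vm",
    "AuthorizeSecurityGroupIngress": "security-group",
    "RevokeSecurityGroupIngress": "security-group",
    "CreateKeyPair": "ssh-key", "DeleteKeyPair": "ssh-key",
    "AllocateAddress": "ip", "ReleaseAddress": "ip",
}

def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName", "unknown")

def _created_resources(event):
    """IDs of billable resources a creation event produced (assumed subset of event types)."""
    resp = event.get("responseElements", {})
    if event["eventName"] == "RunInstances":
        return [i["instanceId"] for i in resp.get("instancesSet", {}).get("items", [])]
    if event["eventName"] == "CreateVolume":
        return [resp["volumeId"]]
    if event["eventName"] == "AllocateAddress":
        return [resp["allocationId"]]
    return []

def discover_instances(events):
    """Instance IDs launched outside Orchestrator, to be taken under management."""
    return [i for ev in events if ev["eventName"] == "RunInstances"
            for i in _created_resources(ev)]

def classify(events):
    """Tracked events grouped by category -> list of (eventName, actor)."""
    out = defaultdict(list)
    for ev in events:
        cat = TRACKED.get(ev["eventName"])
        if cat:
            out[cat].append((ev["eventName"], _actor(ev)))
    return dict(out)

def quota_alert(events, hourly_quota, window=timedelta(hours=1)):
    """Sliding-window count of created resources; the first window over quota yields
    an alert dict (when, which resources, which IAM identities), otherwise None."""
    timeline = []
    for ev in events:
        ts = datetime.fromisoformat(ev["eventTime"].rstrip("Z"))
        timeline.extend((ts, rid, _actor(ev)) for rid in _created_resources(ev))
    timeline.sort(key=lambda t: t[0])
    recent = deque()
    for ts, rid, actor in timeline:
        recent.append((ts, rid, actor))
        while recent[0][0] < ts - window:  # drop entries older than the window
            recent.popleft()
        if len(recent) > hourly_quota:
            return {"exceeded_at": ts.isoformat(),
                    "resources": sorted(r for _, r, _ in recent),
                    "actors": sorted({a for _, _, a in recent})}
    return None

if __name__ == "__main__":
    print(discover_instances(SAMPLE_EVENTS))
    print(classify(SAMPLE_EVENTS))
    print(quota_alert(SAMPLE_EVENTS, hourly_quota=5))
```

The alert carries exactly what the email described above needs: the resources a reject would terminate and the IAM identities it would remove. Counting resources rather than API calls matters because a single RunInstances call can launch many instances.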

How can I make sure that additional volumes are deleted together with termination of an AWS instance?

AWS lets the user choose whether additional volumes are removed together with the related instance or remain available after the instance is terminated. EPAM Orchestrator automatically sets this option to "volume removal" for all AWS instances discovered within the Orchestrator framework. This prevents the additional costs of volumes remaining in the system after the corresponding instance has been terminated.

Therefore, no special action is required to have additional volumes removed together with instances. However, if your project requires additional volumes to remain available, detach them before terminating the instance:

or2detvol -p project_id -r region -v volume_id

Note that detached volumes incur costs charged per GB of volume size.
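An added Python example (not Orchestrator's code) of checking the same thing yourself: it reads the BlockDeviceMappings that EC2 DescribeInstances returns, reports the volumes that would survive termination, builds the ModifyInstanceAttribute request that sets DeleteOnTermination on the ones you do not want to keep, and emits the or2detvol command from this answer for the ones you do. The instance record is constructed to mirror the API shape, nothing is sent to AWS, and PROJECT_ID and REGION are placeholders for the values you would pass to or2detvol.

```python
"""Audit attached EBS volumes for DeleteOnTermination (added example, not Orchestrator's code)."""

# Constructed DescribeInstances-style record: the root volume cleans itself up,
# the two data volumes would be left behind (and billed) after termination.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0000000000000001",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/sda1",
         "Ebs": {"VolumeId": "vol-0000000000000001", "DeleteOnTermination": True}},
        {"DeviceName": "/dev/sdf",
         "Ebs": {"VolumeId": "vol-0000000000000002", "DeleteOnTermination": False}},
        {"DeviceName": "/dev/sdg",
         "Ebs": {"VolumeId": "vol-0000000000000003", "DeleteOnTermination": False}},
    ],
}

def _ebs_mappings(instance):
    """Only EBS-backed mappings carry the flag; instance-store devices have no Ebs key."""
    return [m for m in instance.get("BlockDeviceMappings", []) if "Ebs" in m]

def volumes_left_behind(instance):
    """Volume IDs that would survive termination (DeleteOnTermination is False)."""
    return [m["Ebs"]["VolumeId"] for m in _ebs_mappings(instance)
            if not m["Ebs"].get("DeleteOnTermination", False)]

def modify_attribute_request(instance, keep=()):
    """Parameters for ec2.modify_instance_attribute(**request) that turn on
    DeleteOnTermination for every surviving volume not listed in `keep`."""
    mappings = [
        {"DeviceName": m["DeviceName"],
         "Ebs": {"VolumeId": m["Ebs"]["VolumeId"], "DeleteOnTermination": True}}
        for m in _ebs_mappings(instance)
        if not m["Ebs"].get("DeleteOnTermination", False)
        and m["Ebs"]["VolumeId"] not in keep
    ]
    return {"InstanceId": instance["InstanceId"], "BlockDeviceMappings": mappings}

def detach_commands(instance, keep, project_id="PROJECT_ID", region="REGION"):
    """The or2detvol commands (from the FAQ) to run before termination for volumes to keep;
    IDs not attached to this instance are ignored."""
    attached = {m["Ebs"]["VolumeId"] for m in _ebs_mappings(instance)}
    return [f"or2detvol -p {project_id} -r {region} -v {vol}"
            for vol in keep if vol in attached]

if __name__ == "__main__":
    keep = {"vol-0000000000000003"}
    print("would be left behind:", volumes_left_behind(SAMPLE_INSTANCE))
    print("fix request:", modify_attribute_request(SAMPLE_INSTANCE, keep))
    print("run first:", detach_commands(SAMPLE_INSTANCE, keep))
```

Running the detach commands before termination is the safe order: once the instance is gone, a volume with DeleteOnTermination set is gone with it.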

How is the security of IAM accounts ensured?

According to the EPAM Cloud Terms and Conditions, all IAM users must set up multi-factor authentication for their accounts.

When created, standard IAM users have access only to the operations needed to set up Multi-Factor Authentication (MFA) for the account. Full access to the operations allowed by the user's permissions is granted as soon as MFA is enabled.
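How such MFA gating is expressed in IAM, as an added example that is not EPAM's actual policy: a Deny statement that covers every action except MFA self-management whenever aws:MultiFactorAuthPresent is false, which is the pattern AWS documents for letting users manage their own MFA. The Python block builds that policy document and runs a deliberately reduced evaluator over it (action wildcards and that single condition key only, no resource matching, case-sensitive names) so the effect of each statement can be checked. The ec2:*/s3:* grant is a placeholder for whatever the user's real permissions are.

```python
"""MFA-gated IAM policy with a reduced evaluator (added example; not EPAM's actual policy)."""
import fnmatch

# Actions a user needs in order to enrol an MFA device and nothing more.
MFA_SELF_SERVICE = [
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice", "iam:ResyncMFADevice", "iam:GetUser", "iam:ChangePassword",
    "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary",
]

# Resource is "*" because this evaluator ignores it; a real policy scopes the self-service
# statement to arn:aws:iam::*:user/${aws:username} and arn:aws:iam::*:mfa/${aws:username}
# so that users can only touch their own MFA device.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowMfaSelfService", "Effect": "Allow",
         "Action": MFA_SELF_SERVICE, "Resource": "*"},
        {"Sid": "UserPermissionsPlaceholder", "Effect": "Allow",  # stands in for real grants
         "Action": ["ec2:*", "s3:*"], "Resource": "*"},
        {"Sid": "DenyEverythingElseWithoutMfa", "Effect": "Deny",
         "NotAction": MFA_SELF_SERVICE, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _matches(patterns, action):
    """IAM action patterns use '*' wildcards, e.g. 'ec2:*'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _condition_holds(statement, mfa_present):
    """Only aws:MultiFactorAuthPresent under BoolIfExists is modelled; with BoolIfExists,
    a request that carries no such key (long-term access keys) counts as 'false'."""
    cond = statement.get("Condition")
    if not cond:
        return True
    wanted = cond["BoolIfExists"]["aws:MultiFactorAuthPresent"]
    return str(bool(mfa_present)).lower() == wanted

def is_allowed(action, mfa_present, policy=POLICY):
    """IAM's basic rule: an applicable explicit Deny wins; otherwise some Allow must match."""
    allowed = False
    for st in policy["Statement"]:
        if "Action" in st:
            applies = _matches(st["Action"], action)
        else:  # NotAction: the statement applies to every action NOT listed
            applies = not _matches(st["NotAction"], action)
        if not applies or not _condition_holds(st, mfa_present):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def allowed_without_mfa(candidate_actions, policy=POLICY):
    """Which of the candidate actions a freshly created, MFA-less user could perform."""
    return [a for a in candidate_actions if is_allowed(a, mfa_present=False, policy=policy)]

if __name__ == "__main__":
    for action in ["iam:EnableMFADevice", "ec2:RunInstances", "iam:DeleteUser"]:
        print(action, "no-MFA:", is_allowed(action, False), "MFA:", is_allowed(action, True))
```

Note that iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice are deliberately absent from the self-service list: a password-only session must not be able to remove the very device that is about to gate it.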

Which Microsoft Azure regions are available for hosting virtual resources through EPAM Orchestrator?

Thirteen Azure regions are available for hosting virtual resources through EPAM Orchestrator. The table below lists the supported Azure regions with their physical locations and the names under which they are referenced in EPAM Orchestrator:

Region Name        Location           Orchestrator Reference Name
-----------------  -----------------  ---------------------------
Central US         Iowa               AZURE-CUS
East US            Virginia           AZURE-EUS
East US 2          Virginia           AZURE-EUS-2
North Central US   Illinois           AZURE-NCUS
South Central US   Texas              AZURE-SCUS
West US            California         AZURE-WUS
North Europe       Ireland            AZURE-NEU
West Europe        Netherlands        AZURE-WEU
East Asia          Hong Kong          AZURE-EA
Southeast Asia     Singapore          AZURE-EA
Japan East         Tokyo, Saitama     AZURE-JE
Japan West         Osaka              AZURE-JW
Brazil South       Sao Paulo State    AZURE-BS

How are Azure resources billed?

EPAM Orchestrator forwards the bills for resources used in Azure regions "as is".

To estimate the cost of your Azure infrastructure, use the Microsoft Azure Pricing Calculator.
For the most current information on Azure pricing, visit the Azure Pricing page.

In Microsoft Azure, only the used storage space is billed. Each Linux VM has 40 GB of storage by default and each Windows VM has 100 GB; at VM start, only the space occupied by the system is considered used and is charged.

Which machine images are supported by EPAM Orchestrator for Microsoft Azure?

With EPAM Orchestrator, you can run virtual machines of the following images in Microsoft Azure:

- Linux CentOS 6 64-bit
- Linux CentOS 7 64-bit
- Linux Ubuntu 12.10 64-bit
- Linux Ubuntu 14.04 64-bit
- Ubuntu 16.04 64-bit
- Windows Server 2012 R2 Standard Edition
- Windows Server 2012 Standard Edition
- Windows Server 2008 R2 Standard Edition

It is also possible to launch any available Azure machine image directly from the Azure Portal.

Can I manipulate and monitor Azure resources through the Cloud Management Console?

Yes, you can:

- You can use the Run wizard to create new instances in Azure.
- The information on the resources is available on the Monitoring page.
- You can change instance states using the control buttons in the Instance details section of the Management page.

Which Google Cloud regions are available for hosting virtual resources through EPAM Orchestrator?

Google Cloud Platform has six regions ensuring global service coverage. Regions are subdivided into zones, which are physically located in the same place but may support different features. An instance started in a given zone is billed according to the billing rules of the corresponding region and is included in the report for that region.

The table below lists the supported Google Cloud regions with their physical locations and the names under which they are referenced in EPAM Orchestrator:

Region Name                 Location                          Orchestrator Reference Name
--------------------------  --------------------------------  ---------------------------
Eastern Asia-Pacific        Changhua County, Taiwan           GCP-AS-EAST
Northeastern Asia-Pacific   Tokyo, Japan                      GCP-AS-NORTHEAST
Western Europe              St. Ghislain, Belgium             GCP-EUWEST
Central US                  Council Bluffs, Iowa              GCP-USCENTRAL
Eastern US                  Berkeley County, South Carolina   GCP-USEAST
Western US                  The Dalles, Oregon                GCP-USWEST

How can I estimate the cost of hosting virtual resources in Google Cloud?

To estimate the cost of your Google Cloud infrastructure, use the Google Cloud Platform Pricing Calculator.
For the most current information on Google Cloud pricing, visit the Google Cloud Pricing page.

In Google Cloud, certain operating systems (for example, CentOS) are free of charge, while others (for example, Windows) are charged. You can find the detailed up-to-date information in the Google Cloud Platform Pricing Calculator at the link above.

Storage is billed for the provisioned space, regardless of how much space is actually used.

Which machine images does Google Cloud Platform support?

You can run instances in Google Cloud Platform based on the following images:

- Windows Server 2012 R2 Standard Edition
- Windows Server 2016 Standard
- Windows Server 2008 R2 Standard Edition
- CentOS 6 64-bit
- CentOS 7 64-bit
- Debian GNU/Linux 8 64-bit
- Ubuntu 14.04 64-bit LTS
- Ubuntu 16.04 64-bit LTS

Can I use the Cloud Management Console to manage virtual machines in Google Cloud?

Yes, you can:

- You can use the Run wizard to create new instances in Google Cloud.
- The information on the resources is available on the Monitoring page.
- You can change instance states using the control buttons in the Instance details section of the Management page.

I didn't find the answer to my question here. Whom should I contact?

If this section does not contain the answer to your question, please contact our Consulting Team.