27 February, 2024
November 26, 2023
For various reasons, organizations often need to secure and isolate environments for different deployments; unfortunately, at high volume the per-region quota on Virtual Private Clouds (VPCs) in AWS (five per region by default, adjustable through Service Quotas) can become a hurdle. Recently, a TeraSky client faced exactly this situation. Their vSphere on-premises environment produced a large number of deployments every day, each of which required several related lab deployments for running automations and tests. Each deployment needed to function independently, with no access to other deployments or networks. The initial approach was to create a separate VPC for each deployment, but the VPC quota could not keep up with the customer's deployment rate.
To tackle this challenge, our team envisioned a solution using a dedicated security group for each deployment. The idea was that instances in the same group could communicate with each other while remaining isolated from every other deployment: the group's only inbound rule references the group itself as the source, so members accept traffic from other members and nothing else. Because every deployment now shares the same VPC and subnets, the security group rules are the entire isolation boundary; a practitioner should keep the rule set to that single self-reference and decide deliberately whether the allow-all outbound rule AWS adds to every new group is acceptable.
The team's first hurdle was the absence of native support for creating security groups in AWS via VMware's vRealize Automation (VRA). To overcome this limitation, the team turned to VMware's Action Based Extensibility (ABX) to create custom resources. ABX let us maintain the code independently of plugin versions and any future version mismatches. Using Python scripts and the AWS SDK modules, we communicated programmatically with AWS. ABX can install the required modules when an action runs, which simplified the integration.
The implementation involved defining custom resources with ABX, giving us create, read, and delete operations for security groups. The initial provisioning step was crucial: the security group creation action returned the unique group ID, which was needed to attach instances in subsequent steps. Instances were first provisioned with a temporary security group that had no inbound rules, so nothing could reach them until the final security group was applied. Next, a workflow subscription was set up to wait for the instance IDs to become available. Once all instances were ready, a Python script using Boto3 assigned the deployment's security group to each instance; since modifying an instance's group list replaces the whole list, the temporary group was dropped in the same step, leaving only the rules that allow communication within the deployment.
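The following is an added example, not code from the original post or from TeraSky, that shows what the self-referencing group described above and the create, attach and delete steps of the ABX custom resource look like in Boto3 terms. The ABX handler signature, the input names (operation, vpcId, deploymentId, instanceIds, region), the group naming and the FakeEC2 stand-in used so the module runs offline are all assumptions made for this illustration.

```python
"""Per-deployment AWS security group lifecycle, shaped like a vRA ABX Python action.

Assumptions (not from the original post): the deployment id, VPC id and instance
ids arrive in the ABX `inputs` dict, boto3 is provided by the action's dependency
list, and the group is self-referencing (members reach each other and nothing else).
"""
from typing import Any

ALL_TRAFFIC = "-1"  # IpProtocol value meaning every protocol and port


def self_referencing_permission(group_id: str) -> list[dict[str, Any]]:
    """IpPermissions entry matching only traffic whose peer is a member of group_id."""
    return [{"IpProtocol": ALL_TRAFFIC, "UserIdGroupPairs": [{"GroupId": group_id}]}]


def anywhere_permission() -> list[dict[str, Any]]:
    """The default outbound rule AWS adds to every new group: all traffic to 0.0.0.0/0."""
    return [{"IpProtocol": ALL_TRAFFIC, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def create_isolated_group(ec2, vpc_id: str, deployment_id: str) -> str:
    """Create a group whose members can talk only to each other.

    A new group has no inbound rules but an allow-all outbound rule, so that
    default egress is revoked before the self-referencing rules are added.
    """
    resp = ec2.create_security_group(
        GroupName=f"deploy-{deployment_id}",
        Description=f"isolated group for deployment {deployment_id}",
        VpcId=vpc_id,
    )
    group_id = resp["GroupId"]
    ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=anywhere_permission())
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=self_referencing_permission(group_id))
    ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=self_referencing_permission(group_id))
    return group_id


def attach_group(ec2, group_id: str, instance_ids: list[str]) -> None:
    """Replace each instance's group list (the temporary group) with the deployment group only."""
    for instance_id in instance_ids:
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[group_id])


def handler(context, inputs, ec2=None):
    """ABX entry point: 'create' returns the group id, 'attach' binds it, 'delete' removes it."""
    if ec2 is None:
        import boto3  # supplied by the ABX action's dependency list (assumption)
        ec2 = boto3.client("ec2", region_name=inputs["region"])
    op = inputs["operation"]
    if op == "create":
        return {"groupId": create_isolated_group(ec2, inputs["vpcId"], inputs["deploymentId"])}
    if op == "attach":
        attach_group(ec2, inputs["groupId"], inputs["instanceIds"])
        return {"groupId": inputs["groupId"]}
    if op == "delete":
        ec2.delete_security_group(GroupId=inputs["groupId"])
        return {}
    raise ValueError(f"unknown operation {op!r}")


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so this runs offline; records rule state."""

    def __init__(self):
        self.calls: list[tuple[str, dict[str, Any]]] = []
        self.groups: dict[str, dict[str, list]] = {}

    def create_security_group(self, **kw):
        gid = f"sg-{len(self.groups):017x}"
        self.groups[gid] = {"ingress": [], "egress": anywhere_permission()}
        return {"GroupId": gid}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        for perm in IpPermissions:
            self.groups[GroupId]["egress"].remove(perm)
        return {"Return": True}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.groups[GroupId]["ingress"].extend(IpPermissions)
        return {"Return": True}

    def authorize_security_group_egress(self, GroupId, IpPermissions):
        self.groups[GroupId]["egress"].extend(IpPermissions)
        return {"Return": True}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def delete_security_group(self, **kw):
        del self.groups[kw["GroupId"]]
        return {}


def demo() -> dict[str, Any]:
    """Run create, attach and delete against FakeEC2 and return the observable state."""
    ec2 = FakeEC2()
    out = handler({}, {"operation": "create", "vpcId": "vpc-0example", "deploymentId": "lab-42"}, ec2)
    gid = out["groupId"]
    rules = {k: list(v) for k, v in ec2.groups[gid].items()}
    handler({}, {"operation": "attach", "groupId": gid, "instanceIds": ["i-0a", "i-0b"]}, ec2)
    attached = [c[1]["Groups"] for c in ec2.calls if c[0] == "modify_instance_attribute"]
    handler({}, {"operation": "delete", "groupId": gid}, ec2)
    return {"groupId": gid, "rules": rules, "attached": attached, "remaining": list(ec2.groups)}
```

The point worth noticing is the egress revoke: without it, a "no access" temporary group and the final deployment group both still allow every member to initiate connections to any address, so two deployments would be unable to accept each other's traffic but could still reach shared services, the internet, or anything that accepts inbound from the VPC. Whether that is acceptable is a design decision, which is why it is made explicitly in create_isolated_group rather than left to the AWS default.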
This approach demonstrated the value of custom resources and ABX in VMware's ecosystem. By dynamically creating and managing a security group per deployment, the team achieved an isolated and scalable solution that met the customer's immediate needs within the existing VPC quota and also provides a foundation for future deployments.
Written by: Zach Benassayag, Cloud Automation Senior Engineer