With the arrival of the vRealize Automation Cloud May 2022 release, the foundation for a new governance capability known as Cloud Guardrails (currently in technical preview) has been introduced in Cloud Assembly.
Tech Preview means that not all functionality and capabilities are currently available, but we are releasing incremental capabilities to gather your feedback. You’ll see this feature suite grow in capabilities over the next several releases.
This new policy service deploys policies through templates that monitor and manage configuration, security, network, performance, and cost drift in your environment, according to rules that you define and apply via data templates. Please note that this is the first release, which lays the foundation of a capability that will be continuously enhanced in subsequent vRealize Automation releases.
So, what is a Guardrail?
A guardrail is a high-level rule or policy that provides ongoing governance for your private or public cloud environment.
Examples of cloud guardrails are:
- S3 buckets must not be public.
- EC2 instances of type *.xlarge and beyond are not allowed.
- Only the US-East region is allowed.
- Resources must have specific tags.
- VMs must be compliant with CIS OS Configuration Benchmarks.
Cloud Guardrails applies these rules so that the desired state of your environment aligns to your policy intentions.
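To make the idea of a guardrail concrete, here is an added example that is not part of the vRealize Automation product or its Idem SLS templates: a small Python rule evaluator that applies the guardrail examples listed above (no public S3 buckets, no *.xlarge EC2 instances, US-East only, required tags) to a constructed resource inventory and reports every point of drift. The resource records, the tag names and the mapping of "US-East" to AWS region codes are assumptions made for illustration.

```python
# Added example, not part of the vRealize Automation / Cloud Guardrails
# product or its Idem SLS templates: a small rule evaluator that applies the
# guardrail examples listed above (no public S3 buckets, no *.xlarge EC2
# instances, US-East only, required tags) to a constructed resource
# inventory and reports every violation. Resource records, tag names and
# region codes are constructed assumptions for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Resource:
    kind: str                       # "s3_bucket" or "ec2_instance"
    name: str
    region: str
    tags: Dict[str, str] = field(default_factory=dict)
    attrs: Dict[str, object] = field(default_factory=dict)


# A rule inspects one resource and returns a violation message, or None.
Rule = Callable[[Resource], Optional[str]]

# Assumptions: "US-East" is taken to mean these AWS region codes, and these
# are the tags every resource must carry.
ALLOWED_REGIONS = {"us-east-1", "us-east-2"}
REQUIRED_TAGS = {"owner", "cost-center"}


def s3_not_public(r: Resource) -> Optional[str]:
    """S3 buckets must not be public."""
    if r.kind == "s3_bucket" and r.attrs.get("public", False):
        return "S3 bucket must not be public"
    return None


def ec2_size_limit(r: Resource) -> Optional[str]:
    """EC2 instances of type *.xlarge and beyond are not allowed."""
    if r.kind != "ec2_instance":
        return None
    instance_type = str(r.attrs.get("instance_type", ""))
    # The size is the part after the family, e.g. "m5.4xlarge" -> "4xlarge";
    # "xlarge", "2xlarge", "4xlarge", ... all end with "xlarge".
    size = instance_type.split(".", 1)[-1]
    if size.endswith("xlarge"):
        return f"instance type {instance_type} is not allowed"
    return None


def region_allowed(r: Resource) -> Optional[str]:
    """Only the US-East region is allowed."""
    if r.region not in ALLOWED_REGIONS:
        return f"region {r.region} is not allowed"
    return None


def required_tags(r: Resource) -> Optional[str]:
    """Resources must have specific tags."""
    missing = sorted(REQUIRED_TAGS - set(r.tags))
    if missing:
        return "missing required tags: " + ", ".join(missing)
    return None


RULES: List[Rule] = [s3_not_public, ec2_size_limit, region_allowed, required_tags]


def evaluate(resources: List[Resource],
             rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (resource name, rule name, message) for every violation found."""
    violations = []
    for r in resources:
        for rule in rules:
            msg = rule(r)
            if msg is not None:
                violations.append((r.name, rule.__name__, msg))
    return violations


def violations_by_resource(resources: List[Resource],
                           rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    """Group violation messages per resource, omitting compliant resources."""
    grouped: Dict[str, List[str]] = {}
    for name, _rule, msg in evaluate(resources, rules):
        grouped.setdefault(name, []).append(msg)
    return grouped


# Constructed inventory: two compliant resources and two that have drifted.
SAMPLE_INVENTORY = [
    Resource("s3_bucket", "audit-logs", "us-east-1",
             {"owner": "secops", "cost-center": "1001"}, {"public": False}),
    Resource("s3_bucket", "website-assets", "us-east-1",
             {"owner": "web"}, {"public": True}),
    Resource("ec2_instance", "build-01", "us-east-2",
             {"owner": "ci", "cost-center": "1001"}, {"instance_type": "t3.large"}),
    Resource("ec2_instance", "analytics-02", "eu-west-1",
             {"owner": "data", "cost-center": "2002"}, {"instance_type": "m5.4xlarge"}),
]

if __name__ == "__main__":
    for name, rule, msg in evaluate(SAMPLE_INVENTORY):
        print(f"{name}: {rule}: {msg}")
```

Each rule is a plain function from a resource to an optional message, so adding a new guardrail means adding one function to RULES rather than touching the evaluator; the grouped view is what a reviewer would want when deciding which resources to remediate first.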
To ensure that your environment continuously complies with policies, Cloud Guardrails runs high-level rules, also known as policies. These policies, written as open source Idem SLS templates, provide ongoing governance for your cloud environments.
To assist customers on this journey with Cloud Guardrails, Cloud Assembly provides a set of out-of-the-box templates, grouped into specific “Guardrails Categories” (below), to accomplish common use cases in the public cloud.
- Bootstrap policies create the cloud environment, including AWS Organizations, Organizational Units, and Member Accounts.
- Costing policies request that VMware CloudHealth monitor a group of resources for cost-related violations, including cost anomalies, budget violations, and zombie resources.
- Security policies create security controls on the native public cloud and on external security engines. Security policies currently contain preventative, detective, and OS detective templates.
- Networking policies handle the creation of cloud-native network objects and controls, including VPCs, subnets, routes, and network access control lists (NACLs).
- Performance policies request that VMware vRealize Operations monitor a group of resources for performance violations, including API response time.
- Configuration policies enable additional configuration of cloud environments, including the creation of IAM roles, the creation of an S3 bucket for CloudTrail logging, and the enablement of third-party tools needed for cloud management.
Please note that, in addition to using the templates available in the library, you can create your own “From Scratch” using the embedded template editor, or simply “Upload SLS File”. The documentation describes the Guardrails template structure in detail, and you can visit the open source Idem SLS templates for more information.
When Cloud Guardrails is activated, a new “Guardrails” tab is visible inside Cloud Assembly for users with the Cloud Assembly Administrator Role and the new Cloud Guardrails Guardrail User Role.
From there, you have three menu options:
Templates
This is where consumers add open source Idem SLS templates to the templates list, either by authoring their own or by adding one of the pre-baked options from the templates library.
You can also inspect the details of a Guardrail Template and its associated policies, then create a Desired State from them.
Please note that complex Guardrail Templates with multiple policies are broken down into separate sections for easy access to the policy definitions within the template.
Desired States
Here you can see the list of created “Desired States” and their project associations.
Once a template or composite template is finalized, it can be used to generate an “Enforcement”. This allows the consumer to add inputs to the template (as defined in the template's Idem SLS code) and then send it for execution. Note that in future releases, these “Desired States” could run on a schedule or be triggered by changes made directly on the public cloud.
Of course, you can also create a +New Desired State; you just need to provide a name and select the appropriate template from your list. In this release, Cloud Guardrails Desired States use the credentials available from Cloud Assembly's Cloud Accounts.
You can then update the inputs, Validate the whole template together with the inputs themselves (checking the input format and/or mandatory fields), Save, and, more importantly, Run Desired State.
Enforcements
Here you will find a list of all “Desired States” executions and their status, as well as the ability to re-run them at any point. Once again, upcoming releases will include more detailed information and logs for better troubleshooting.
Conclusion:
vRealize Automation has made it a priority to expand its capabilities deeper into the public cloud space. One of the identified areas is the provisioning, policy application, and continuous management of public cloud environments with an everything-as-code approach. This initial Cloud Guardrails functionality release represents a first step toward that vision.