Configure Consolidated Billing (AWS) for Interana

Consolidated Billing is an AWS feature that allows you to create a separate account that is completely isolated from your main assets while enabling Interana's operations personnel to manage all aspects of the Interana application and its AWS dependencies.

Virtual Private Cloud (VPC) isolates the network in a safe way from the outside world and provides additional security controls. It is already in use by many AWS customers and is the AWS standard for enterprise class security. This allows you to share your S3 bucket without providing any root credentials or keys. This gives you greater transparency and security at the same time because you own all the assets, inventory, and data.

The combination of Consolidated Billing and VPC enables Interana to provide a turn-key management capability for AWS-based deployments of Interana software.

Using reserved instances with Consolidated Billing

For billing purposes, Consolidated Billing treats all the accounts on the consolidated bill as a single account. This means that all accounts on a consolidated bill can receive the hourly cost benefit of Amazon EC2 Reserved Instances purchased by any other account. You can reserve the instance types for the region and zone where Interana is deployed in your Master Payer Account. When the bill is compiled, the reserved instances for the entire account are applied to usage on all sub accounts.

To avoid any issues, make sure that you reserve instances in the Region and Zone where Interana is deployed. It can be difficult to transfer reserved instances across Zones. Transferring reserved instances across Regions will require escalation via Amazon Support and the Amazon Account Rep.


Important: Adjusting reserved instances: If you later decide to adjust your reserved instance, you must meet Amazon's reserved instance requirements and include specific information in the request. See Amazon's Requirements for modification for detailed information about this process.


Architecture overview

You will need to set up your Consolidated Billing account and grant that account read-only access to your S3 Bucket. Interana will take care of the setup, provisioning, and import.

Logical network architecture

The logical network setup has two subnets; the subnet a node is placed in determines whether it has an external IP. All nodes on the private network should have complete access to the public subnet. Nodes on the public subnet can be reached based on the security rules applied. The S3 bucket is shared with the separate Interana AWS account via a bucket policy.

Security architecture

This security architecture describes how machines are accessed from public and private networks. 

Public Subnet

Front End Web Servers

  • Port 443 to the world for access to UI

Admin Node

  • Port 22 open only to Interana Management Networks
  • RBAC installed for tracking and privileged access

Private Subnet

Data, String, Import, and Config Nodes

  • Port 22 access from Admin Nodes Only
  • Inter-VLAN communication open only to Private Subnet

S3 Bucket

  • Accessed via Amazon VPC Endpoint and Read Only bucket policy

Setting up AWS account credentials

Following these steps allows an existing S3 bucket to be used from the new Interana account. Once the policy is generated, you send the new cluster setup file (interana_cluster.json) to Interana support. Interana then generates the VPC and the Interana cluster.

Follow these instructions to configure a new account that will be used to run an Interana cluster in AWS. Our solution creates a completely firewalled account using VPC and allows you to attach it to your Master AWS account to take advantage of AWS Consolidated Billing.

  1. Create the Amazon account
  2. Apply the S3 bucket policy
  3. Create the cluster parameters
  4. Set up Consolidated Billing

Important: Only use the new account's credentials when running the scripts. Do not paste in your master account access keys!


Create the Amazon account

  1. Download Interana's provision tools from GitHub: https://github.com/Interana/provision_tools
  2. Use the credentials aws_access_key and aws_secret_key for your master account, or leave these blank if you are using an instance profile, ~/.aws/config, or any other pre-authorized method.
  3. Using a new email address, sign up for a new Amazon account at https://aws.amazon.com/. Use a new email address and credit card. Keep your root email and password information available for the initial login to the Interana account you just created.
  4. Open https://console.aws.amazon.com/billing/home#/account and note your account ID.
  5. Log in to the account and navigate to the Identity & Access Management (IAM) service.
  6. Click Users.
  7. In the dialog box that opens, click Create New Users.
  8. Create a new user and check Generate an access key for each user.
  9. In the next screen, click Download Credentials to download the Secret and Access keys to your repository.
  10. Click on the Users section of the IAM Dashboard.
  11. Click on the interana_admin user you created.
  12. Scroll down to the Permissions section and click Attach Policy.
  13. Select the AdministratorAccess policy and click Attach Policy.

Apply the S3 bucket policy

You must apply the S3 bucket policy after you create the Amazon account. 

  1. Install the Python requirements for this project (using https://virtualenv.pypa.io/en/latest/virtualenv or with root privileges):
     sudo pip install -r requirements.txt
  2. Run the provision.py script in the aws/s3bucket folder to generate a bucket policy that shares the S3 bucket with your Interana account ID. In the following example, replace my-bucket/my_path/* with your S3 bucket and path and interana_account_id with the account ID of the account you created.
    • Using ~/.aws/credentials: python ./provision.py --s3_bucket 'my-bucket/my_path/*' -r <region> --interana_account_id 999999999999 --action create -c <Customer_Name>
    • Using the command line: python ./provision.py --s3_bucket 'my-bucket/my_path/*' -r us-east-1 --interana_account_id 999999999999 --action create -w <aws_access_key> -x <aws_secret_key> -c <Customer_Name>
  3. In the folder, open the file s3_bucket_list.policy and copy its contents.
  4. Open the Amazon Console and select S3 (https://console.aws.amazon.com).
  5. Click on the bucket that you want to share.
  6. Open the properties and click on Permissions.
  7. Click Edit the Bucket Policy (or Add Policy if one doesn't exist).
  8. Paste in the policy if there is no policy listed.
  9. If there are policies listed, add the new policy to the Statement array of the existing policy. For example:
     Statement : [
     { original policy....},
     { s3_share policy....}
     ]
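As an added example (not code from the page or from the provision_tools repository), the following Python builds a read-only share policy of the same shape as the one the provision step produces, appends it to an existing bucket policy's Statement array as the merge step describes, and audits the merged result so that the Interana account is granted nothing beyond read access to the shared prefix. The function names, the unique Sid values and the sample inputs are assumptions made for this illustration.

```python
import json
# The only S3 actions a data-sharing policy should grant: reads, never writes or ACL changes.
READ_ONLY_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"}

def build_share_policy(bucket, prefix, account_id):
    """Read-only grant for one account on one prefix (illustrative; same three statements as the page's sample)."""
    prefix = prefix.strip("/")
    principal = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGetBucketToInterana", "Effect": "Allow", "Principal": principal,
         "Action": ["s3:GetBucketLocation"], "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "AllowListPrefixToInterana", "Effect": "Allow", "Principal": principal,
         "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        {"Sid": "AllowGetObjectToInterana", "Effect": "Allow", "Principal": principal,
         "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
    ]}

def merge_into_existing(existing, share):
    """Append the share statements to an existing bucket policy's Statement array."""
    merged = json.loads(json.dumps(existing))  # deep copy; leave the caller's dict alone
    merged["Statement"] = _as_list(merged.get("Statement", [])) + share["Statement"]
    return merged

def _as_list(value):
    # IAM JSON allows a bare string or object wherever a list is accepted
    return value if isinstance(value, list) else [value]

def audit_share_grant(policy, account_id, bucket, prefix):
    """Return problems in statements that apply to the shared account; [] means read-only and prefix-scoped."""
    problems, root = [], f"arn:aws:iam::{account_id}:root"
    sids = [s.get("Sid") for s in policy["Statement"]]
    if len(sids) != len(set(sids)):
        problems.append("duplicate Sid values in policy")
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        who = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if root not in who and "*" not in who:
            continue  # grants to other principals are outside this audit's scope
        sid, actions = s.get("Sid"), _as_list(s.get("Action", []))
        if "*" in who:
            problems.append(f"{sid}: wildcard principal grants access to everyone")
        problems += [f"{sid}: non-read-only action {a}" for a in actions if a not in READ_ONLY_ACTIONS]
        for r in _as_list(s.get("Resource", [])):
            if r != f"arn:aws:s3:::{bucket}" and not r.startswith(f"arn:aws:s3:::{bucket}/{prefix}/"):
                problems.append(f"{sid}: resource outside the shared prefix: {r}")
        if "s3:ListBucket" in actions and not s.get("Condition", {}).get("StringLike", {}).get("s3:prefix"):
            problems.append(f"{sid}: ListBucket not limited to a prefix")
    return problems
```

Run the audit on the merged policy before pasting it into the console; any non-empty result is a grant wider than the read-only share this procedure intends.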

Create the cluster parameters

  1. Run the ./provision.py script to confirm that all permissions are correctly stated. You will need your account ID from the My Account tab. For example:
    • Using ~/.aws/credentials: python ./provision.py --s3_bucket 'my-bucket/my_path/*' -r <region> --interana_account_id 999999999999 --action check -c <Customer_Name>
    • Using the command line: python ./provision.py --s3_bucket 'my-bucket/my_path/*' -r us-east-1 --interana_account_id 999999999999 --action check -w <aws_access_key> -x <aws_secret_key> -c <Customer_Name>
  2. If the check is successful, this generates the interana_cluster.json file:
Checking Account Setup for interana_admin and policies. 
Checking Bucket for read allow only access at prefix 'my_data/'
Checking Bucket for read deny only access at prefix 'my_data'
Checking Bucket for read deny only access at prefix ''
Successfully verified read only access
****interana_cluster.json contents. Please email to support@interana.com***
{
"aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"aws_access_key": "XXXXXXXXXXXXXXXXXXX",
"aws_region_name": "us-east-1",
"s3_bucket": "interana-vpc-test/my_data/",
"s3_bucket_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketLocation"
],
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXX:root"
},
"Resource": "arn:aws:s3:::interana-vpc-test",
"Effect": "Allow",
"Sid": "AllowGetBucketToInterana"
},
{
"Resource": [
"arn:aws:s3:::interana-vpc-test"
],
"Effect": "Allow",
"Sid": "AllowReadAccessToInterana",
"Action": [
"s3:ListBucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"my_data/*"
]
}
},
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXX:root"
}
},
{
"Action": [
"s3:GetObject"
],
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXXXX:root"
},
"Resource": [
"arn:aws:s3:::interana-vpc-test/my_data/**"
],
"Effect": "Allow",
"Sid": "AllowReadAccessToInterana"
}
]
},
"user": {
"user": {
"path": "/",
"user_id": "XXXXXXXXXXXXXXXXX",
"create_date": "2015-06-10T23:22:59Z",
"arn": "arn:aws:iam::XXXXXXXXXXXX:user/interana_admin",
"user_name": "interana_admin"
}
},
"all_policies": {
"policy_names": [],
"is_truncated": "false"
}
}
  3. Email the interana_cluster.json file to help@interana.com.

After setting up the VPC, you will see new instances created by our provisioner in the **Instances** page of your Interana account.

Set up Consolidated Billing

After the Interana cluster is created, you must set up consolidated billing.

  1. Go to https://console.aws.amazon.com/billi...lidatedbilling and log in with your Master Account.
  2. Click Send a Request.
  3. Enter the email address for your Master Account to sign up.
  4. The Interana account will receive the request for consolidated billing. Log in to that account and click Accept Request.
  5. The account will now be listed on your Master Account > Consolidated Billing page.

Allow AWS notifications to go to Interana

This will allow Interana to receive notifications from AWS regarding any environment maintenance related to your cluster.

  1. Go to https://console.aws.amazon.com/billing/home?#/account
  2. Under Alternate Contacts, click Edit.
  3. Under the Operations field, fill out the form as shown below.
  4. Click Update.

Amazon AWS, EBS, and EC2 service limits

Make sure that the appropriate AWS, EBS (Elastic Block Store), and EC2 service limits are set for your instance, as appropriate.

See the following for more information about the service limits and how to request a limit increase:

See the following for more information about the default Amazon account limits: 
