Talk about needles in haystacks: this is it, SolarWinds and AWS, at least for me. Here is my experience so far; maybe it will help others.
First, you need to open these URLs if they are blocked by your cyber team.
https://amazonaws.com
https://aws.amazon.com
autoscaling.*.amazonaws.com
https://*.awsstatic.com
https://*.amazontrust.com
https://ec2.*.amazonaws.com
https://events.*.amazonaws.com
Reference: thwack.solarwinds.com/.../orion-urls-for-firewall-whitelisting
Second, you want one of your AWS admins to create a "runtime" account for Orion to use.
- The Access Key ID and Secret Access Key are what you will need.
IAM Required Permissions
> https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-cloud-configure-aws.htm
Third, if you're like my org, you want to limit "where" your API requests go. I wanted all requests to go to North American Amazon sites, "only".
Look at the database table dbo.CLM_AwsRegions and modify it to your liking; again, for me, NA sites only.
For the record, to get anything done in AWS you need (for YOUR user account) PowerUserAccess for the EC2 instance(s) you are trying to manage.
Now you're ready to make the connection in the Orion UI.
We started with Settings/All Settings/Add Cloud Account.
Once we got our runtime account set up, we were able to connect. Then I started testing "Cloud Instance Management" (minus DELETE, which we will not be using, so we left it out of the configuration above, i.e., the IAM user profile for SolarWinds). But we did test Start/Stop/Reboot/Unmanage/Poll Now. This is where we found that Start and Reboot needed ADDITIONAL configuration for the AWS SolarWinds user. Good luck finding this documented somewhere.
> Amazon EBS encryption - Permissions for IAM users - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-permissions
What we learned from the Start/Reboot actions: during the "StartInstances" action a call was made to KMS to access the key that the EBS volumes attached to the instance are encrypted with. The CreateGrant call failed because the user did not have the kms:CreateGrant action, who knew. Implement the above link, problem fixed.
We also learned through this process (I know, I am definitely a beginner with AWS) that what Orion is doing here is making API calls to CloudWatch to pull these metrics, which are pretty cool in the bigger picture.
You can track your API calls this way (while you're testing).
- Log in to AWS with your PowerUserAccess personal user account
- Search CloudTrail in the Navigator
- Select Event History
- Change the first tab from "READ ONLY" to "AWS access key"
- Enter the following AWS Access Key > [YOUR AWS Access Key]
- Now you are filtered on the logs coming from on-prem Orion
This completed configuration provides some really good detail on the EC2 instances and discovers any new EC2 instances created in your target region. We subsequently created monitors and alerts to show up/down status of all EC2 instances in the region.
But now we have to figure out how to monitor the services on our EC2 instances; CloudWatch does NOT have this capability. So enter SolarWinds. The question for me now is which is the most optimal way to do this:
agents or installing a poller in our AWS region. Trying to find information on these options has been frustrating for me. I would be very interested in you guys' experience and recommendations.
-Richard
PS: I have gone over this link 20 times; it does not help me, I need more > documentation.solarwinds.com/.../install-orion-aws.htm
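The CloudTrail "filter by access key" procedure and the kms:CreateGrant surprise described in the post above, worked as an added example (this is not code from the post, from SolarWinds or from AWS): the script filters constructed CloudTrail Event history records down to the Orion runtime user's access key, lists the calls that were refused, turns them into an IAM Allow statement, and checks a policy's Action list against the KMS actions the AWS EBS-encryption page lists. The access key ids, user names, account id, key ARN and the log records themselves are constructed placeholders; the monitoring-to-cloudwatch prefix map is an assumption covering only the services mentioned on this page.

```python
"""Filter CloudTrail Event history by an access key, extract refused calls, and
turn them into an IAM statement. Added example, not SolarWinds/AWS code."""
import fnmatch
import json
from collections import Counter

# Placeholder access key id for the Orion "runtime" IAM user (assumption, not a real key).
ORION_ACCESS_KEY = "AKIAORIONRUNTIME0001"

# Constructed CloudTrail records shaped like an Event history JSON export (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-01T14:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StartInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "orion-runtime",
                      "accessKeyId": ORION_ACCESS_KEY}},
    # EC2 calls KMS on the user's behalf to grant itself use of the EBS volume key;
    # this is the call that fails when the user lacks kms:CreateGrant.
    {"eventTime": "2021-03-01T14:00:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateGrant", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "orion-runtime",
                      "accessKeyId": ORION_ACCESS_KEY, "invokedBy": "ec2.amazonaws.com"},
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/orion-runtime is not authorized "
                     "to perform: kms:CreateGrant on resource: arn:aws:kms:us-east-1:"
                     "123456789012:key/11111111-2222-3333-4444-555555555555"},
    {"eventTime": "2021-03-01T14:05:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "GetMetricStatistics", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "orion-runtime",
                      "accessKeyId": ORION_ACCESS_KEY}},
    {"eventTime": "2021-03-01T14:05:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "orion-runtime",
                      "accessKeyId": ORION_ACCESS_KEY}},
    # Unrelated call made with an admin's key: the filter must drop it.
    {"eventTime": "2021-03-01T14:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "admin-user",
                      "accessKeyId": "AKIAADMINPLACEHOLDER"}},
]

# The eventSource host and the IAM service prefix differ for a few services.
# Assumption: this small map covers the services seen on this page; extend as needed.
IAM_PREFIX = {"monitoring": "cloudwatch"}
# errorCode values CloudTrail records for authorization failures (EC2 uses the Client.* form).
DENIAL_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}
# KMS actions the AWS EBS-encryption permissions page linked in the post lists for IAM users.
EBS_KMS_ACTIONS = ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
                   "kms:GenerateDataKeyWithoutPlainText", "kms:ReEncrypt*"]


def load_events(text):
    """Accept either a raw list or the {"Records": [...]} wrapper of a CloudTrail export."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def events_for_key(events, access_key):
    """Same filter as the console's 'AWS access key' lookup: only calls made with this key."""
    return [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key]


def iam_action(event):
    """Map an eventSource/eventName pair to the IAM action string, e.g. kms:CreateGrant."""
    service = event["eventSource"].split(".", 1)[0]
    return f"{IAM_PREFIX.get(service, service)}:{event['eventName']}"


def is_denied(event):
    return event.get("errorCode") in DENIAL_CODES


def denied_actions(events):
    """Sorted, de-duplicated IAM actions that were refused for these events."""
    return sorted({iam_action(e) for e in events if is_denied(e)})


def calls_by_service(events):
    """Calls per service for this key, useful for spotting API use you did not expect."""
    return dict(Counter(iam_action(e).split(":")[0] for e in events))


def allow_statement(actions, resource="*"):
    """IAM statement granting exactly the refused actions. In production scope the
    resource down to the EBS key ARN(s) instead of '*'."""
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}


def missing_ebs_kms_actions(granted):
    """EBS-encryption KMS actions a policy's Action list still lacks. Wildcards on
    either side are honoured (kms:* covers everything, kms:ReEncrypt* is itself a pattern)."""
    return [need for need in EBS_KMS_ACTIONS
            if not any(fnmatch.fnmatchcase(need, g) or fnmatch.fnmatchcase(g, need)
                       for g in granted)]


if __name__ == "__main__":
    orion = events_for_key(SAMPLE_EVENTS, ORION_ACCESS_KEY)
    print("calls per service:", calls_by_service(orion))
    print("denied:", denied_actions(orion))
    print(json.dumps(allow_statement(denied_actions(orion)), indent=2))
    print("still missing for EBS:", missing_ebs_kms_actions(denied_actions(orion)))
```

Note that CloudTrail only shows the first call that was refused: once kms:CreateGrant is added, the next Start may fail on a different KMS action, so the last check compares whatever the policy grants against the whole EBS list rather than trusting one round of log review.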