Vendor
Product
Cloud Network as a Service
OS Versions:
^3.227.0+2023.1.33
Method
Category
Cloud
Project Type
Example Project
View Repository
Workflow
Alkira - Example Use Cases
Overview
This Pre-Built Automation bundle contains an example use case that is applicable when the Itential Automation Platform is integrated with Alkira Cloud Network as a Service, AWS EC2, and Itential Automation Gateway (IAG) using their respective REST API. Because every environment is different, these use cases are fully functioning examples that can be easily modified to operate in your specific environment. These workflows have been written with modularity in mind to make them easy to understand and simple to modify to suit your needs.
Example Workflows
| Name | Overview |
|---|---|
| Provision Cloud Application | Given values provided in form input, provisions VPC and EC2 with networking in AWS, provisions and configures Palo Alto Firewall service in Alkira Cloud Network as a Service as intermediate between on prem site and cloud application, and creates AWS VPC and Internet conntectors in Alkira Cloud Network as a Service. |
For further technical details on how to install and use this Example Project, please click the Technical Documentation tab.
Table of Contents
Getting Started
This section is helpful for deployments as it provides you with pertinent information on prerequisites and properties.
Helpful Background Information
Workflows and processes often include logic that varies from business to business. Our Example Projects are more complex processes that include several of our modular components to build a more complete process.
While these can be utilized, you may find more value in using them as a starting point to build around.
Prerequisites
Itential Example Projects are built and tested on particular versions of IAP. In addition, Example Projects are often dependent on external systems and as such, these Example Projects will have dependencies on these other systems. This version of Alkira - REST - Example has been tested with:
- IAP 2023.2
External Dependencies
| Name | OS Version | API Version |
|---|---|---|
| AWS | ||
| Alkira | v1 | |
| Itential Automation Gateway (IAG) | ^3.227.0+2023.1.33 |
Adapters
| Name | Version | Configuration Notes |
|---|---|---|
| adapter-aws_ec2 | ^0.7.2 | In order to run the workflows in this Pre-Built Automation, the adapter property xmlArrayKeys must be added to the AWS EC2 adapter configuration with value as seen below:This will ensure all response objects will set the data type of any instance of property |
| adapter-alkira | ^0.1.7 | |
| adapter-automation_gateway | 4.29.0-2023.1.12.0 |
How to Install
To install the Example Project:
- Verify you are running a supported version of the Itential Automation Platform (IAP) as listed above in the Supported IAP Versions section in order to install the Example Project.
- Import the Example Project in Admin Essentials.
Testing
Cypress is generally used to test all Itential Example Projects. While Cypress is an opensource tool, at Itential we have internal libraries that have been built around Cypress to allow us to test with a deployed IAP.
When certifying our Example Projects for a release of IAP we run these tests against the particular version of IAP and create a release branch in GitLab. If you do not see the Example Project available in your version of IAP please contact Itential.
While Itential tests this Example Project and its capabilities, it is often the case the customer environments offer their own unique circumstances. Therefore, it is our recommendation that you deploy this Example Project into a development/testing environment in which you can test the Example Project.
Using this Example Project
Example Projects contain 1 or more workflows. Each of these workflows have different inputs and outputs.
Provision Cloud Application
Given values provided in form input, provisions VPC and EC2 with networking in AWS, provisions and configures Palo Alto Firewall service in Alkira Cloud Network as a Service as intermediate between on prem site and cloud application, and creates AWS VPC and Internet conntectors in Alkira Cloud Network as a Service.
Capabilities include:
- Provisions VPC and EC2 instance in AWS with networking
- Provisions and configures Palo Alto Firewall service in Alkira as intermediate between on prem location and cloud application
- Creates AWS VPC and Internet connectors in Alkira
Entry Point IAP Component
The primary IAP component to run Provision Cloud Application is listed below:
| IAP Component Name | IAP Component Type | Provision Cloud Application | Operations Manager Automation |
|---|
Inputs
The following table lists the inputs for Provision Cloud Application:
| Name | Type | Required | Description | Example Value |
|---|---|---|---|---|
| ingressRules | array | yes | List of rules | [
{
"sourceSubnetCidrMask": 32,
"sourceIp": "199.27.253.134",
"protocol": "TCP",
"port": 80
}
] |
| vpcSubnet | string | yes | The IPv4 network range for the VPC, in CIDR notation | 10.20.30.1/28 |
| imageId | string | yes | The ID of the Amazon Machine Image (AMI) for EC2 created | ami-041feb57c611358bd |
| instanceType | string | yes | The EC2 instance type | t2.micro |
| keyName | string | no | The name of the key pair. If you do not specify a key pair, you can't connect to the instance unless you choose an AMI that is configured to allow users another way to log in. | key-name |
| tenantNetworkId | number | yes | The id of the tenant network | 170 |
| customerName | string | yes | Name of customer | customer |
| internetConnectorGroup | string | yes | Name of group to add internet connection to | inet-zone |
| internetConnectorAlgorithm | string | yes | The type of algorithm to be used for traffic distribution | HASHING |
| internetConnectorKeys | string | yes | Keys for algorithm for traffic distribution. Values are DEFAULT or SRC_IP | DEFAULT |
| cxpRegion | string | yes | The name of the CXP. A network is usually associated with one or more CXPs. A connector can be placed on any CXP that is associated with the network. Valid values are 'US-WEST', 'US-EAST', 'US-WEST-1', 'US-EAST-2', 'EU-WEST-1', 'EU-WEST-2', 'AP-SOUTH-1', 'EU-CENTRAL', 'AP-NORTHEAST', 'AP-SOUTHEAST', 'AP-NORTHEAST-2', 'AP-SOUTHEAST-1', 'USEAST-AZURE-2', 'USCENTRAL-AZURE-3' | US-WEST-1 |
| awsRegion | string | yes | The name of the AWS region associated with the VPC | us-west-1 |
| awsVpcConnectorGroup | string | yes | Name of group to add this AWS VPC connection to | PROD-AWS |
| awsVpcConnectorSize | string | yes | The size of the AWS VPC connector. Can be 'SMALL', 'MEDIUM', 'LARGE', '2LARGE' | SMALL |
| username | string | yes | Username credential for provisioning Palo Alto firewall | username |
| password | string | yes | Password credential for provisioning Palo Alto firewall | password |
| prodAwsZone | array | yes | Mapping of zone name 'prod-aws-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"PROD-AWS"
] |
| onPremZone | array | yes | Mapping of zone name 'on-prem-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"OnPrem"
] |
| inetZone | array | yes | Mapping of zone name 'inet-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"INET-Connector"
] |
| prodAzureZone | array | yes | Mapping of zone name 'prod-azure-zone' to group. The groups that can be mapped to a zone MUST be of type 'EXPLICIT', 'USER_GROUP' or 'SEGMENT_RESOURCE'. To get a list of groups that can be used with zones use the Groups API. | [
"PROD_AZURE"
] |
| maxInstanceCount | number | yes | The maximum number of PAN instances that should be deployed when auto-scale is enabled | 1 |
| minInstanceCount | number | yes | The minimum number of PAN instances that should be deployed at any point of time. In case of Global Protect minInstanceCount should be same as maxInstanceCount as the auto-scale is not supported with Global Protect enabled | 1 |
| globalProtectEnabled | boolean | yes | Indicates if global protect feature should be supported or not for the given pan service. For global protect to work bundle must be set to 'VM_SERIES_BUNDLE_2' | false |
| panoramaEnabled | boolean | yes | This should be set to true if Panorama is enabled | true |
| credentialId | string | yes | An opaque identifier which is generated when storing PAN credentials. See https:// | alkira-credentials |
| tunnelProtocol | string | yes | Supported tunnel protocol types, 'IPSEC' and 'GRE'. For Azure regions, only IPSEC is supported | IPSEC |
| registrationPin | string | yes | PAN Registration value required for automated deployments to securely access the device certificate and other Palo Alto cloud-delivered services | 2abfbad825a4233b8d1e243a07925a2c |
| registrationPinId | string | yes | PAN Registration ID required for automated deployments to securely access the device certificate and other Palo Alto cloud-delivered services | a52685ac-1fb8-4a90-b891-18cf9b461237 |
| expirationDate | string | yes | Expiration date of PAN registration PIN | 2024-02-08T15:55:04.651Z |
| licenseType | string | yes | Type of license to use, values are 'BRING_YOUR_OWN' or 'PAY_AS_YOU_GO' | PAY_AS_YOU_GO |
| bundle | string | yes | This indicates the software image bundle that would be used for PAN instance deployment. This is applicable for licenseType 'PAY_AS_YOU_GO' only. If not provided default 'PAN_VM_300_BUNDLE_2' would be used. However 'PAN_VM_300_BUNDLE_2' is legacy bundle and is no more supported on AWS. It is recommended to use 'VM_SERIES_BUNDLE_1' and 'VM_SERIES_BUNDLE_2' (supports Global Protect) | VM_SERIES_BUNDLE_1 |
| paloAltoFirewallServiceSize | string | yes | The size of the Palo Alto Firewall. Can be 'SMALL', 'MEDIUM', 'LARGE' | SMALL |
| version | string | yes | The version of Palo Alto firewall that should be deployed | 9.1.3 |
| segment | string | yes | Name of the segment to be used in segment options for the provisioned Palo Alto Firewall service. Note segment must be associated with tenant network Id chosen for this automation | CORP |
| awsEc2Adapter | string | yes | Name of the adapter to use to send commands to AWS EC2 | alkira |
| automationGatewayAdapter | string | yes | Name of the adapter to use to send commands to Itential Automation Gateway (IAG) | alkira |
| alkiraAdapter | string | yes | Name of the adapter to use to send commands to Alkira Network as a Service | alkira |
Outputs
There are no outputs for Provision Cloud Application.
Query Output
There are no query output examples for Provision Cloud Application.
Example Inputs and Outputs
Example 1
Input:
{
"formData": {
"aws": {
"ingressRules": [
{
"sourceSubnetCidrMask": 24,
"port": 80,
"sourceIp": "10.0.0.0",
"protocol": "TCP"
},
{
"sourceSubnetCidrMask": 24,
"port": 443,
"sourceIp": "10.0.0.0",
"protocol": "TCP"
}
],
"vpcSubnet": "192.168.84.0/24",
"imageId": "ami-05014f9776cc26f27",
"instanceType": "t2.micro",
"keyName": "itential-california-key"
},
"alkira": {
"tenantNetworkId": 170,
"customerName": "CustomerName",
"internetConnectorGroup": "inet-zone",
"internetConnectorAlgorithm": "HASHING",
"internetConnectorKeys": "DEFAULT",
"cxpRegion": "US-WEST-1",
"awsRegion": "us-west-1",
"awsVpcConnectorGroup": "PROD-AWS",
"awsVpcConnectorSize": "SMALL"
},
"paloAlto": {
"username": "username",
"maxInstanceCount": 1,
"minInstanceCount": 1,
"globalProtectEnabled": false,
"panoramaEnabled": false,
"prodAwsZone": [
"OnPrem"
],
"onPremZone": [
"PROD-AWS"
],
"inetZone": [
"INET-Connector"
],
"prodAzureZone": [
"PROD_AZURE"
],
"credentialId": "17afa9b7-12f9-a534-1549-1adba240a130",
"tunnelProtocol": "IPSEC",
"registrationPin": "2abab1d825a4433b8d17223a07827f1b",
"registrationPinId": "ba1655da-2de8-5c30-ae78-b6cf1b5168ca",
"expirationDate": "2024-02-09T22:20:27.493Z",
"password": "password",
"licenseType": "PAY_AS_YOU_GO",
"bundle": "VM_SERIES_BUNDLE_1",
"paloAltoFirewallServiceSize": "SMALL",
"version": "9.1.3",
"segment": "CORP"
},
"iap": {
"awsEc2Adapter": "aws-ec2",
"automationGatewayAdapter": "automation-gateway",
"alkiraAdapter": "alkira"
}
}
} Output:
{} API Links
| API Name | API Documentation Link | API Link Visibility |
|---|---|---|
| Create AWS VPC Connector | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createAWSVPCConnector | Private |
| Create Internet Connector | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createInternetConnector | Private |
| List all Segments | https://{instance_name}.portal.alkira.com/doc/api.html#operation/getsegments | Private |
| Add Palo Alto Credentials | https://{instance_name}.portal.alkira.com/doc/api.html#operation/addPANCredentialsUsingPOST | Private |
| Add Palo Alto Registration Credentials | https://{instance_name}.portal.alkira.com/doc/api.html#operation/addPANRegistrationCredentialsUsingPOST | Private |
| Add Palo Alto Instance Credentials | https://{instance_name}.portal.alkira.com/doc/api.html#operation/addPANInstanceCredentialsUsingPOST | Private |
| Create a Palo Alto Firewall Service | https://{instance_name}.portal.alkira.com/doc/api.html#operation/createPANFWService | Private |
| Itential Automation Gateway (IAG) Netmiko Customized Template | https://docs.itential.com/docs/execution-flow-by-role-type-2023-1#netmiko-customized-templates | Public |
| AWS EC2 API Reference | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Welcome.html | Public |
| Authorize Security Group Ingress - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html | Public |
| Create Internet Gateway - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway.html | Public |
| Attach Internet Gateway - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway.html | Public |
| Run Instances - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html | Public |
| Describe Instance Status - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceStatus.html | Public |
| Create Tags - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html | Public |
| Create Route - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html | Public |
| Configure Route Tables - AWS EC2 | https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html | Public |
| Describe Route Tables - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRouteTables.html | Public |
| Create Security Group - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html | Public |
| Authorize Security Group Ingress - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html | Public |
| Create VPC - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateVpc.html | Public |
| Create Subnet - AWS EC2 | https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSubnet.html | Public |
Additional Information
Support
Please use your Itential Customer Success account if you need support when using this Workflow Project.