Configure Connection Details of Cloud Service Provider Accounts
You can seamlessly integrate with your cloud platform accounts from within the Lazsa Platform. You need to connect to your cloud account through the Lazsa Platform for various operations, such as creating cloud instances, deploying technologies on Kubernetes clusters, Docker containers, or OpenShift clusters within these cloud instances. After you save the connection details of your active cloud platform account and mark it as default, the Lazsa Platform facilitates easy access to the cloud resources available in your default account.
Currently, the Lazsa Platform supports integration with Amazon Web Services (AWS) and Microsoft Azure.
To save the connection details of your active cloud service provider account, follow these steps:
- Sign in to the Lazsa Platform and click Configuration in the left navigation pane.
- On the Platform Setup screen, on the Cloud Platform, Tools & Technologies tile, click Configure.
- On the Cloud Platform, Tools & Technologies screen, in the Cloud Platforms section, click Configure.
(After you save connection details for at least one cloud service provider account, you see the Modify button here.)
- On the Cloud Platforms screen, click the cloud service provider of your choice.
AWS
Prerequisites
An AWS account with administrative access needs to be created. The following table contains the details of the IAM role that you need to create and the permissions you need to assign to the role.
User Input required in Lazsa: IAM cross-account role ARN
Required Permissions:
- ElasticLoadBalancingFullAccess
- ECR pull/push
- Cost Explorer read
- IAM ListEntitiesForPolicy
- EC2 instance creation/deletion
- VPC/subnet creation
- SecurityGroup creation
- EKS: describe, get cluster
- ALB read/write access
- Master account configuration change for cross-account access
- Create User permission with assume role permission (for running the CFT to create the cross-account role)
Additional Details:
- An AWS account is required to provision the technology stack and application deployment.
- The Lazsa Platform connects with your AWS account by using the cross-account role.
- Environment Name: Provide a local name for your cloud account environment. Your AWS account connection details are saved under this name in the Lazsa Platform.
- Description: Provide a description of your configuration. When you save connection details of multiple cloud accounts in the Lazsa Platform, a brief description helps you identify the saved connection details easily.
- Depending on the access requirements in your AWS environment, you can decide whether to connect to your AWS account by using AWS IAM user credentials or to create a cross-account role with permissions for the Lazsa Platform to access your AWS resources.
For information on when you should sign in as an IAM user and when you should assume an IAM role, refer to the AWS documentation.
Use AWS User Credentials
To connect to your AWS account by using specific IAM user credentials, choose this option, and then do the following:
- Region: Select the AWS region from the dropdown list.
- Access Key ID: Enter the access key ID, for example, AKIAIOSFODNN7EXAMPLE, which is the alphanumeric identifier associated with the IAM user.
- Secret Access Key: Enter the secret access key, for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, which is the private key corresponding to your access key ID and is used to authenticate your API requests.
- Test Connection: Click Test Connection to check whether you can connect to the configured AWS account successfully.
Use Cross-Account Role
If you create a cross-account role in your AWS account to allow the Lazsa Platform to access your AWS resources, choose this option and then do the following:
- Region: Select the AWS region from the dropdown list.
- Master AWS Account: Your organization's master account ID is auto-populated. You can copy this ID for your reference.
- External ID: This is the unique identifier generated by Calibo. You need to include this ID in the IAM role trust policy that you create to allow the Lazsa Platform to access your AWS account. If you use the Calibo-provided CFT for the IAM role policy, this ID is already included in the template. You can copy this ID for your reference.
- Cross-Account Role ARN: After you create an IAM role and attach a policy to establish a trust relationship between your AWS account and Calibo's account, provide the role's Amazon Resource Name (ARN) here. The Lazsa Platform needs this ARN to assume the role that you create in your AWS account.
- Download CFT: Download this CloudFormation Template provided by Calibo. The template creates an IAM role and the required policy to allow the Lazsa Platform to access your AWS account. It is a reference template that you can customize to suit your requirements.
Cloud Formation Template provided by Calibo:
  {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Configure cross account roles",
    "Metadata": {
      "Version": 0.7
    },
    "Outputs": {
      "RoleArn": {
        "Description": "IAM Role ARN for AWS configuration.",
        "Value": {
          "Fn::GetAtt": [
            "DeveloperRole",
            "Arn"
          ]
        }
      }
    },
    "Resources": {
      "DeveloperEC2Policy": {
        "Properties": {
          "ManagedPolicyName": "DeveloperEC2Policy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Condition": {
                  "StringEquals": {
                    "aws:RequestedRegion": [
                      "us-gov-west-1"
                    ]
                  }
                },
                "Resource": "*",
                "Action": [
                  "eks:*Describe*",
                  "eks:*List*",
                  "ce:Get*",
                  "ce:Describe*",
                  "ce:List*"
                ],
                "Effect": "Allow"
              },
              {
                "Resource": "*",
                "Action": [
                  "iam:PassRole",
                  "iam:ListEntitiesForPolicy"
                ],
                "Effect": "Allow"
              },
              {
                "Condition": {
                  "StringEquals": {
                    "aws:RequestedRegion": [
                      "us-gov-west-1"
                    ]
                  },
                  "ForAllValues:StringLike": {
                    "ec2:InstanceType": [
                      "t3.small",
                      "t3.medium",
                      "t3.large"
                    ]
                  }
                },
                "Resource": "*",
                "Action": [
                  "ec2:RunInstances",
                  "ec2:StartInstances",
                  "ec2:StopInstances",
                  "ec2:TerminateInstances",
                  "ec2:DisassociateAddress"
                ],
                "Effect": "Allow"
              },
              {
                "Resource": "*",
                "Action": [
                  "ec2:AssociateIamInstanceProfile",
                  "ec2:AttachVolume",
                  "ec2:AuthorizeSecurityGroupEgress",
                  "ec2:AuthorizeSecurityGroupIngress",
                  "ec2:CreateSecurityGroup",
                  "ec2:CreateTags",
                  "ec2:CreateVolume",
                  "ec2:DeleteTags",
                  "ec2:DeleteVolume",
                  "ec2:DetachVolume",
                  "ec2:DisassociateIamInstanceProfile",
                  "ec2:AllocateAddress",
                  "ec2:AssociateAddress",
                  "ec2:CreateKeyPair",
                  "ec2:DeleteNetworkInterface",
                  "ec2:Describe*",
                  "ec2:ImportKeyPair",
                  "ec2:CreateVpc",
                  "ec2:AssociateRouteTable",
                  "ec2:CreateRoute",
                  "ec2:CreateRouteTable",
                  "ec2:CreateNatGateway",
                  "ec2:CreateInternetGateway",
                  "ec2:AttachInternetGateway",
                  "ec2:ModifyVpcAttribute",
                  "ec2:CreateSubnet"
                ],
                "Effect": "Allow"
              }
            ]
          },
          "Roles": [
            "DeveloperRole"
          ]
        },
        "DependsOn": "DeveloperRole",
        "Type": "AWS::IAM::ManagedPolicy"
      },
      "DeveloperRole": {
        "Properties": {
          "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess"
          ],
          "RoleName": "DeveloperRole",
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Condition": {
                  "StringEquals": {
                    "sts:ExternalId": "1405427537549574"
                  }
                },
                "Action": [
                  "sts:AssumeRole"
                ],
                "Effect": "Allow",
                "Principal": {
                  "AWS": [
                    "781950061287"
                  ]
                }
              },
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": "sagemaker.amazonaws.com"
                }
              }
            ]
          }
        },
        "Type": "AWS::IAM::Role"
      },
      "TechstackInstanceRole": {
        "Properties": {
          "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
          ],
          "RoleName": "techstack-instance-role",
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": "ec2.amazonaws.com"
                }
              }
            ]
          }
        },
        "Type": "AWS::IAM::Role"
      },
      "EcrPullPushPolicy": {
        "Properties": {
          "ManagedPolicyName": "EcrPullPushPolicy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Resource": "*",
                "Action": [
                  "ecr:GetAuthorizationToken",
                  "ecr:GetDownloadUrlForLayer",
                  "ecr:BatchGetImage"
                ],
                "Effect": "Allow"
              }
            ]
          },
          "Roles": [
            {
              "Ref": "TechstackInstanceRole"
            }
          ]
        },
        "DependsOn": "TechstackInstanceRole",
        "Type": "AWS::IAM::ManagedPolicy"
      }
    }
  }
- Test Connection: Click Test Connection to check whether you can connect to the configured AWS account successfully.
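The trust policy in the template above is what protects your account from the confused-deputy problem: the DeveloperRole can only be assumed by the named Calibo account, and only when the caller presents the External ID shown on the screen. Because the template is meant to be customized, it is worth running a static check over your edited copy before deploying it. The following script is an added example, not Calibo's code: it reads a template in the same JSON shape, reports every cross-account AssumeRole statement that lacks an sts:ExternalId condition, and lists Allow statements on Resource "*" that carry no Condition at all (so you can see which permissions are scoped by region or instance type and which are not). The embedded template is a constructed, trimmed copy with placeholder account and external IDs.

```python
"""Static checks for a CloudFormation cross-account role template.

Added example (not Calibo's code). Reads a template shaped like the one on
the page and reports: (1) cross-account AssumeRole statements without an
sts:ExternalId condition, (2) Allow statements on Resource "*" with no
Condition block. Account and external IDs below are placeholders.
"""
import json

# Constructed sample in the shape of the page's CFT; IDs are placeholders.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "DeveloperRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "DeveloperRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"],
             "Principal": {"AWS": ["111111111111"]},
             "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "sagemaker.amazonaws.com"}}
          ]
        }
      }
    },
    "UnscopedRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "UnscopedRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}
          ]
        }
      }
    },
    "DeveloperEC2Policy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "DeveloperEC2Policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["eks:*Describe*", "eks:*List*"],
             "Condition": {"StringEquals": {"aws:RequestedRegion": ["us-gov-west-1"]}}},
            {"Effect": "Allow", "Resource": "*",
             "Action": ["iam:PassRole", "iam:ListEntitiesForPolicy"]}
          ]
        }
      }
    }
  }
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _resources(template, resource_type):
    """Yield (logical name, Properties) for resources of the given type."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == resource_type:
            yield name, res.get("Properties", {})


def trust_policy_findings(template):
    """(role name, principal) for cross-account AssumeRole statements that
    lack an sts:ExternalId condition, or that trust any principal ("*")."""
    findings = []
    for name, props in _resources(template, "AWS::IAM::Role"):
        for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
                continue
            principal = stmt.get("Principal", {})
            if principal == "*":
                findings.append((name, "*"))
                continue
            # Service principals (ec2, sagemaker) are not cross-account trusts.
            aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
            ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if aws_principals and not ext_id:
                findings.extend((name, p) for p in aws_principals)
    return findings


def unconditioned_wildcard_statements(template):
    """(policy name, sorted actions) for Allow statements on Resource "*"
    that have no Condition block (no region, tag or instance-type scoping)."""
    findings = []
    for name, props in _resources(template, "AWS::IAM::ManagedPolicy"):
        for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
                continue
            if not stmt.get("Condition"):
                findings.append((name, sorted(_as_list(stmt.get("Action")))))
    return findings


if __name__ == "__main__":
    for role, principal in trust_policy_findings(SAMPLE_TEMPLATE):
        print(f"{role}: cross-account trust for {principal} without sts:ExternalId")
    for policy, actions in unconditioned_wildcard_statements(SAMPLE_TEMPLATE):
        print(f"{policy}: unconditioned Allow on Resource * for {actions}")
```

Run it against your customized template by replacing SAMPLE_TEMPLATE with `json.load(open("template.json"))`. A clean result for the first check means every account-to-account trust requires the External ID; the second check is informational, since some of the page's own statements (for example the iam:PassRole statement) intentionally have no condition, but it tells you exactly which ones to review before widening the template.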
- Configure VPC for Technology Deployment:
A Virtual Private Cloud (VPC) is a logically isolated section of the cloud where you can launch AWS resources in a virtual network that you define. A VPC provides network isolation, allowing you to create a private, segmented environment for your applications and services. From within the Lazsa Platform, you can either use your existing AWS VPC or create a new VPC for technology deployments.
To configure a VPC for technology deployments, turn on the toggle.
In the Configure VPC for Technology Deployment section, either specify the details of an existing VPC or create a new VPC in your AWS account. Depending on your choice, do either of the following:
Use Existing VPC
Specify the following details:
- VPC ID: Select from the list of existing VPC IDs or enter a VPC ID. If your IAM policy does not allow the specified IAM user to access the VPC endpoints, the existing VPC IDs cannot be listed; in that case, you must enter the VPC ID manually. A manually entered VPC ID must match the pattern /vpc-[a-zA-Z0-9]/.
- Private Subnets: Select or enter at least two private subnets. Each private subnet must match the pattern /subnet-[a-zA-Z0-9]/.
- Public Subnets (Optional): If you want to specify public subnets, select or enter at least two subnets. Each public subnet must match the pattern /subnet-[a-zA-Z0-9]/.
- Security Groups for EC2: Select or enter the security group name and click Add. You can add as many security groups as AWS allows per VPC. For information about the security group quota in an AWS VPC, refer to the AWS documentation. Each security group name must match the pattern /sg-[a-zA-Z0-9]/.
- Security Groups for Load Balancer (Optional): Select or enter the security group name and click Add. You can add up to 5 security group names. Each security group name must match the pattern /sg-[a-zA-Z0-9]/.
- AMI ID (Optional): Select or enter the unique ID of the AWS AMI that you want to launch. You can find the desired AMI ID in the AWS Management Console.
- Use Existing Key Pair: To use a key pair that you have already created in your account, select this option, and then select your preferred key pair name from the dropdown list of existing key pair names.
- Create New Key Pair: To create a new key pair from within the platform, type a key pair name that is easy for you to remember. To import a key pair that you have generated with a third-party tool, type a key pair name and paste the contents of your public key into the Public Key field.
Create New VPC
Specify the following details:
- VPC CIDR: Specify the IPv4 CIDR block for your VPC. The allowed block size is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses). For more information about VPC CIDR blocks, refer to the AWS documentation. By default, the 10.0.0.0/19 CIDR block is specified, which you can edit.
- Private Subnets: Select or enter at least two private subnets. Each private subnet must match the pattern /subnet-[a-zA-Z0-9]/.
- Public Subnets (Optional): If you want to specify public subnets, select or enter at least two subnets. Each public subnet must match the pattern /subnet-[a-zA-Z0-9]/.
- Source Address for Security Group of Load Balancer (Optional): The allowed sources from which the security group associated with the load balancer accepts traffic. Specify the IP address range in CIDR notation.
- AMI ID (Optional): Select or enter the unique ID of the AWS AMI that you want to launch. You can find the desired AMI ID in the AWS Management Console.
- Use Existing Key Pair: To use a key pair that you have already created in your account, select this option, and then select your preferred key pair name from the list of existing key pair names.
- Create New Key Pair: To create a new key pair from within the platform, type a key pair name that is easy for you to remember. To import a key pair that you have generated with a third-party tool, type a key pair name and paste the contents of your public key into the Public Key field.
- Cloud Tags (Optional): Cloud tags are used to label and categorize AWS resources for identification, organization, and cost tracking. You can add optional tags to resources created within this configuration. Currently, the tags you specify are applied to the following objects that are created in AWS from within the Lazsa Platform:
  - Virtual Private Cloud (VPC)
  - Subnets (Public and Private)
  - Route Tables
  - Internet Gateway
  - NAT Gateway
  - Elastic IP Address for NAT Gateway
  - Security Groups
  - SSH Keys
- To password-protect your AWS connection details, turn on the Secure configuration details with a password toggle, enter a password, and then retype it to confirm.
This is optional but recommended. When you share the connection details with multiple users, password protection helps you ensure authorized access to the connection details.
- After you save and activate the configured AWS connection details, you can see them listed in the Cloud Platforms section on the Cloud Platform, Tools & Technologies screen.
Microsoft Azure
Prerequisites
User Input required in Lazsa: Subscription ID, Tenant ID, Client ID
Required Permissions:
- Application Gateway full access
- ACR pull/push
- Cost Analysis read
- Microsoft.Authorization read
- VM instance creation/deletion
- VNET/subnet creation
- NSG creation
- AKS: describe, get cluster
- Resource group read/create access
- Storage read
Additional Details:
- An Azure subscription is required to provision the technology stack and application deployment.
- The Lazsa Platform connects with your Azure account by using the provided credential details.
- Environment Name: Provide a local name for your cloud account environment. Your Microsoft Azure account connection details are saved under this name in the Lazsa Platform.
- Description: Provide a description of your configuration. When you save connection details of multiple cloud accounts in the Lazsa Platform, a brief description helps you identify the saved connection details easily.
- Subscription ID: Enter the unique alphanumeric identifier for your Microsoft Azure subscription.
- Tenant ID: Enter the unique identifier for your Azure AD (Active Directory) tenant.
- Client ID: Enter the unique identifier for your application (service principal) in Azure AD.
- Select Secret Manager
In this section, you can either enter the credentials used to connect to your Microsoft Azure resources directly, or retrieve them programmatically from Azure Key Vault, depending on your secrets management preferences. Do one of the following:
- Select Lazsa, type your Client Secret Key, and select the Azure region where your resources are located. In this case, your Microsoft Azure credentials are securely stored in the Lazsa-managed secrets store.
- Select Azure Key Vault. In the Vault Configuration dropdown list, the Azure Key Vault configurations that you save and activate in the Vault Configuration section on the Cloud Platform, Tools & Technologies screen are listed for selection. Select the desired configuration from the dropdown list. Provide the Vault Name and Client Secret Key and select the Azure region where your resources are located. This helps the Lazsa Platform retrieve the credential values programmatically.
- Test Connection: Click Test Connection to check if you can connect to the configured Azure account successfully.
- Configure Virtual Network for Tech Stack Deployment:
In Azure, a Virtual Network (VNet) is a fundamental building block that allows you to logically isolate and securely connect Azure resources, such as virtual machines, to the internet and to each other. It acts as a representation of your own network in the cloud.
From within the Lazsa Platform, you can either connect to your existing Azure virtual network or create a new virtual network for technology deployments.
To configure an Azure virtual network for technology deployments, turn on the toggle.
In the Configure Virtual Network for Technology Deployment section, either specify the details of an existing Azure virtual network or create a new Azure virtual network. Depending on your choice, do either of the following:
Use Existing Virtual Network
Specify the following details:
- Image ID (Optional): Provide your Azure instance image ID.
- Resource Group: The Azure resource group is a logical container for resources deployed in Azure. Select the desired resource group from the list of your existing resource groups, or enter the resource group where your virtual network is located.
- Virtual Network: This is the Azure virtual network to which you want to connect from the Lazsa Platform. Select the desired virtual network from the list of your existing virtual networks, or enter the virtual network name.
- Private Subnets: Private subnets are used to host resources that should not be directly accessible from the internet. Enter at least one private subnet ID within the chosen virtual network. A subnet ID should begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
- Public Subnets (Optional): Public subnets are used for resources that require internet access. If needed, specify at least one public subnet ID within the chosen virtual network. A subnet ID should begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
- Application Gateway Subnet (Optional): Enter or select the subnet from the dropdown list where the Application Gateway is located.
- Network Security Group for Virtual Machine: Enter or select the Network Security Group (NSG) that is associated with the virtual machines in the chosen virtual network.
- Application Security Group (Optional): Enter or select the Application Security Group, if applicable.
- SSH Key Name: Enter or select the SSH key name from the list. This key is used for secure access to virtual machines.
Create New Virtual Network
Specify the following details:
- Virtual Network Address Space: Enter the desired IPv4 address space for the Azure virtual network. This defines the range of private IP addresses that can be used within the virtual network. The address space for a virtual network is composed of one or more non-overlapping address ranges specified in CIDR notation. For detailed information about virtual network address space, refer to the Microsoft Azure documentation.
- Resource Group (Optional): The Azure resource group is a logical container for resources deployed in Azure. Enter or select the Azure resource group where you want to deploy the new virtual network.
- Private Subnets: Private subnets are used to host resources that should not be directly accessible from the internet. Specify at least one private subnet for your virtual network. A subnet name should begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
- Public Subnets (Optional): Public subnets are used for resources that require internet access. If needed, specify at least one public subnet within the chosen virtual network. A subnet name should begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
- Application Gateway Subnet (Optional): Enter or select the subnet from the dropdown list where the Application Gateway is located. This is applicable only if you are using an Application Gateway.
- Network Security Group for Virtual Machine: Enter or select the Network Security Group (NSG) that is associated with the virtual machines in the chosen virtual network.
- Application Security Group (Optional): Enter or select the Application Security Group, if applicable.
- SSH Key Name: Enter or select the SSH key name from the list. This key is used for secure access to virtual machines.
- To password-protect your Azure connection details, turn on the Secure configuration details with a password toggle, enter a password, and then retype it to confirm.
This is optional but recommended. When you share the connection details with multiple users, password protection helps you ensure authorized access to the connection details.
- After you save and activate the configured Azure connection details, you can see them listed in the Cloud Platforms section on the Cloud Platform, Tools & Technologies screen.
What's next? Configure Technologies and Testing Tools
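Both the AWS VPC fields and the Azure virtual network fields above accept free-text identifiers when the platform cannot list them for you (for example, when the IAM policy does not permit listing VPCs), and the page states the format each field must satisfy. The script below is an added example, not Lazsa code, that encodes those stated constraints as a client-side pre-check you can run against values before pasting them into the form: the vpc-/subnet-/sg- alphanumeric patterns, the minimum of two private subnets, the maximum of five load-balancer security groups, a VPC CIDR between /16 and /28, and the Azure subnet naming rule. The sample form data is constructed and the IDs in it are not real resources.

```python
"""Format checks for the VPC and virtual network fields described above.

Added example, not Lazsa code. Encodes only the constraints the page states;
the patterns are anchored so trailing junk is rejected.
"""
import ipaddress
import re

# AWS identifier patterns from the page: prefix followed by alphanumerics.
AWS_ID_PATTERNS = {
    "vpc": re.compile(r"vpc-[a-zA-Z0-9]+"),
    "subnet": re.compile(r"subnet-[a-zA-Z0-9]+"),
    "sg": re.compile(r"sg-[a-zA-Z0-9]+"),
}

# Azure subnet rule: begin with letter/digit; end with letter/digit/underscore;
# only letters, digits, underscores, periods or hyphens in between.
AZURE_SUBNET_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9_.-]*[A-Za-z0-9_])?")


def aws_id_ok(kind, value):
    """True if value matches the page's pattern for a vpc/subnet/sg ID."""
    return AWS_ID_PATTERNS[kind].fullmatch(value) is not None


def vpc_cidr_ok(cidr):
    """True for a valid IPv4 block whose prefix length is between /16 and /28."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
    except ValueError:
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def azure_subnet_name_ok(name):
    """True if name satisfies the Azure subnet naming rule quoted on the page."""
    return AZURE_SUBNET_NAME.fullmatch(name) is not None


def validate_existing_vpc(form):
    """Return a list of error strings for a 'Use Existing VPC' form dict."""
    errors = []
    if not aws_id_ok("vpc", form.get("vpc_id", "")):
        errors.append("vpc_id must match vpc-[a-zA-Z0-9]")
    private = form.get("private_subnets", [])
    public = form.get("public_subnets", [])
    if len(private) < 2:
        errors.append("at least two private subnets are required")
    for s in private + public:
        if not aws_id_ok("subnet", s):
            errors.append(f"subnet {s!r} must match subnet-[a-zA-Z0-9]")
    if public and len(public) < 2:
        errors.append("when public subnets are given, at least two are required")
    lb_groups = form.get("lb_security_groups", [])
    for sg in form.get("ec2_security_groups", []) + lb_groups:
        if not aws_id_ok("sg", sg):
            errors.append(f"security group {sg!r} must match sg-[a-zA-Z0-9]")
    if len(lb_groups) > 5:
        errors.append("at most 5 load balancer security groups are allowed")
    return errors


def validate_new_vpc_cidr(cidr):
    """Return [] if cidr is acceptable for the VPC CIDR field, else one error."""
    if vpc_cidr_ok(cidr):
        return []
    return [f"{cidr!r} is not an IPv4 block between /16 and /28"]


# Constructed sample input; the identifiers are made up, not real resources.
SAMPLE_FORM = {
    "vpc_id": "vpc-0abc123def456789a",
    "private_subnets": ["subnet-0aaa111", "subnet-0bbb222"],
    "public_subnets": ["subnet-0ccc333"],              # only one: flagged
    "ec2_security_groups": ["sg-0123abcd"],
    "lb_security_groups": ["sg-0123abcd", "sg bad"],   # second is malformed
}

if __name__ == "__main__":
    for err in validate_existing_vpc(SAMPLE_FORM):
        print("error:", err)
    print(validate_new_vpc_cidr("10.0.0.0/19"), validate_new_vpc_cidr("10.0.0.0/8"))
    print(azure_subnet_name_ok("app-subnet_1"), azure_subnet_name_ok("-bad"))
```

The checks are deliberately no stricter than the page: real AWS IDs are hexadecimal, but the form accepts any alphanumeric suffix, so the validator does too. The `strict=True` argument to `ip_network` rejects blocks such as 10.0.0.1/24 whose host bits are set, which the AWS API would also refuse.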