Does the Bluemix local provide devops services like Delivery Pipeline and Active Deploy?
Bluemix Local includes a private syndicated catalog that displays the local services that are available exclusively to you. It also includes additional services that are made available to you to use from Bluemix Public. The syndicated catalog provides the function to create hybrid applications that consist of public and private services.
Bluemix Local comes with all included Bluemix runtimes and a set of services and components available. Take a look at the Table 1. Local Services in Bluemix Local Docs.
As you can see, for example the Auto-Scaling service is already included in the local environment. However you have the option to decide which public services meet the requirements for your business based on your data privacy and security criteria.
Related
I am planning to migrate my work to Azure Stack Hub. Can someone please let me know whether I can use Azure DevOps Services in Azure Stack Hub. If so please advise me on how to.
Thanks
If your Azure Stack Management URLs are not public, you'll need a Self-hosted Agent on-prem or somewhere that it can see the Azure Stack Management URLs.
The Self-Host agent will need the Azure Stack Environments created for your Azure Stack Hub e.g. AzureStackUser and/or AzureStackAdmin using the appropriate Management URL.
In Azure DevOps, create a New Service Connection for Azure Resource Manager, but make sure the Environment is set to Azure Stack.
The Server Url must be to one of the Management URLs of your Azure Stack that match the Environment you configure. This depends on what you're doing.
For Admin related configuration:
Use the Admin Management URL e.g. https:///adminmanagement.local.azurestack.external
Set the Subscription ID and Subscription Name to the Default Subscription on the Azure Stack Hub
Enter the Service Principal and Connection Details
For User related configuration:
Use the Management URL e.g. https:///management.local.azurestack.external
Set the Subscription ID and Subscription Name to the User Subscription defined on the Azure Stack Hub
Enter the Service Principal and Connection Details
NOTE: The Service Principal must have the appropriate Role on either the Default Subscription or the User Subscriptions.
Don't verify the Connection, unless the Management URLs are accessible publically
Hope this helps.
In doing some testing of the IBM Cloud Security and Compliance items, specifically the CIS Benchmarks for Best Practices, one item I was non-compliant on was in Cloud Key protect for the Goal "Check whether Key Protect is accessible only by using private endpoints"
My Key-protect instance was indeed set to "Public and Private" so I changed it to Private. This change now requires me to manage my Key-Protect instance from the CLI.
When I try to even look at my Key-Protect instance policy from the CLI I receive the following error:
ibmcloud kp instance -i my_instance_id policies
Retrieving policy details for instance: my_instance_id...
Error while getting instance policy: kp.Error: correlation_id='cc54f61d-4424-4c72-91aa-d2f6bc20be68', msg='Unauthorized: The user does not have access to the specified resource'
FAILED
Unauthorized: The user does not have access to the specified resource
Correlation-ID:cc54f61d-4424-4c72-91aa-d2f6bc20be68
I'm confused - I am running the CLI logged, in as the tenant admin with Access policy of All resources in account (including future IAM enabled services)
What am I doing wrong here?
Private endpoints are only accessible from within IBM Cloud. If you connect from the public internet, access should be blocked.
There are multiple ways, how to work with such a policy in place. One is to deploy (a VPC with) a virtual machine on a private network. Then, connect to it with a VPN or Direct Link. Thus, your resources are not accessible from the public internet, but only through private connectivity. You could continue to use the IBM Cloud CLI, but set it to use private endpoints.
I'm having trouble connecting to the Bluemix Object Store using the instructions presented by this link: https://knowledgelayer.softlayer.com/procedure/connect-object-storage-using-sftp
It's unclear to me what the username and account ID are so I would appreciate it if someone can clarify
The instructions are valid
Where I can find the values for SLOS/IBMOS etc?
I do not have access to the Softlayer customer portal as this service as created in Bluemix.
I can confirm that an sftp server is listening at the appropriate region endpoint.
Brien, it is not possible to use SFTP to access the Bluemix Object Storage if you create it from the Services catalog area of the Bluemix UI:
https://console.ng.bluemix.net/catalog/services/object-storage
This one can be accessed via swift cli or REST API.
To use SFTP to access your Object Storage you need to create it from the Infrastructure are of the Bluemix UI - that is the legacy Softayer that is now integrated with Bluemix.
https://console.ng.bluemix.net/catalog/infrastructure/object_storage/
Also, to create the Object Storage from the Infrastructure catalog you need to first link your Bluemix and Softlayer accounts:
https://console.ng.bluemix.net/docs/admin/softlayerlink.html
I have created a space and a BigInsight cluster on Bluemix. In order to test Knox, I need multiple users for authentication. Is it possible to create users in Bluemix Biginsight service? The ID that is provided to access the cluster does not have root access. Also, it would be helpful if someone can explain in detail how the admin-related task(adding more components like Hue,Drill using yum commands) could be performed in Bluemix Biginsights service. Thanks in advance.
I am guessing here that you have created a Bluemix Biginsights Basic (Beta) plan.
This service is a single user service and cannot have multiple users.
In addition this service is a managed service and installation of software by the user is not allowed.
This service comes with preconfigured settings and pre-installed softwares that is fixed. If you do need something apart from this, I would suggest to open a Biginsights service ticket through Bluemix Support page with a request for it and why you need the software.
The product management team will look at it and see if they can be preinstalled in the future release.
These installations will not be done on a any Basic (Beta) plan for individual clusters.
I would like to find out what the best practices are for managing developers' access to a sub-set of resources on a client's subscription?
I've searched Google and the Azure documentation looking for definitive answers, but I have yet to come across an article that puts it all together. Because Azure is still developing so rapidly I often find it difficult to determine whether a particular article may still be relevant.
To sum up our situation:
I've been tasked with researching and implementing the Azure infrastructure for a web site our company is developing for a client. At the moment our manager and I have access to the client's entire subscription on the Azure Portal by means of the Service Administrator's credentials, even though we're managing only:
Azure Cloud Service running a Web-Role (2-instances with Production and Staging environments).
Azure SQL Database.
Azure Blob Storage for deployments, diagnostics etc.
We're now moving into a phase where more of the developers in the team will require access to perform maintenance type tasks such as performing a VIP swap, retrieving diagnostic info etc.
What is the proper way to manage developer's access on such a project?
The approach I've taken was to implement Role Based Access Control (https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/)
Move 1, 2, and 3 above into a new Resource Group according to http://blog.kloud.com.au/2015/03/24/moving-resources-between-azure-resource-groups/
Creating a new User Group for our company, say "GroupXYZ".
Adding the "GroupXYZ" to the Contributor role.
Adding the particular developer's company accounts to "GroupXYZ"
Motivation for taking the role-based approach
From what I understand giving everyone access as a Co-Administrator would mean that they have full access to every subscription in the portal.
Account-based authentication is preferable to certificate-based authentication due to the complexity added by managing the certificates.
What caused me to question my approach was the fact that I could not perform a VIP swap against the Cloud Service using PowerShell; I received an error message stating that a certificate could not be found.
Do such role-based accounts only have access to Azure by means of the Resource Manager Commandlets?
I had to switch PowerShell to the Azure Service Manager (ASM) Mode before having access to the Move-AzureDeployment commandlet.
Something else I'm not sure of is whether or not Visual Studio will have access to those resources (in the Resource Group) when using Role Based Access Control.
When you apply RBAC to Azure as you have or just in general, give access to an account via RBAC, then those accounts can only access Azure via the Azure Resource Manager APIs, whether that's PowerShell, REST or VS.
VS 2015 can access Azure resources via RBAC when using the 2.7 SDK. VS 2013 will have support for it soon.