
ACE

American Cloud Enterprise Services
By Dane Joe and 1 other

ACE Install and Use

Installation/Setup

The environment and accounts will be established by American Cloud engineers. Once complete, the initial sign-in credentials will be provided.

1. Create an ACE directory and clone the repo:

    git clone https://github.com/American-Cloud/ACE-TF-Examples.git && cd ACE-TF-Examples

2. Set up the API environment variables.
- Sign into the ACE environment by navigating to https://gateway00.americancloud.com:8443/client/#/dashboard. Be sure to add the provided domain.
- Generate and retrieve the API and Secret Keys.
- Once generated, run the following commands sequentially:

    export CLOUDSTACK_API_URL="https://gateway00.americancloud.com:8443/client/api"
    export CLOUDSTACK_API_KEY="<key>"
    export CLOUDSTACK_SECRET_KEY="<secret>"

Note: the secret key signs every API call the provider makes, so treat it like a password. Keep it in the shell session or in a file sourced from outside the repo; do not put it in variables/ace.tfvars or anything else that gets committed.

3. Add an SSH keypair to ACE (see the separate guide on generating SSH keys).
- In the navigation select SSH Key Pairs.
- Select Create A SSH Key Pair.
- Fill in the required information. (The account field is optional and not required for American Cloud purposes.)

4. Set up the VPC or Non-VPC example by running the respective bash script from within the directory:

    ./enable_non_vpc_example.sh
    ./enable_vpc_example.sh

- Using your preferred file editor, edit variables/ace.tfvars after running the script and add the keypair name:

    keypair = "<keypair name here>" # Key pair created in UI. Provide name here.

5. Initialize OpenTofu by running `tofu init`. The readout below should be displayed:

    Initializing the backend...

    Initializing provider plugins...
    - Reusing previous version of american-cloud/cloudstack from the dependency lock file
    - Using previously-installed american-cloud/cloudstack v0.4.2

    OpenTofu has been successfully initialized!

    You may now begin working with OpenTofu. Try running "tofu plan" to see
    any changes that are required for your infrastructure. All OpenTofu commands
    should now work.

    If you ever set or change modules or backend configuration for OpenTofu,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.

6. Run the plan:

    tofu plan -out example-tfplan -var-file variables/ace.tfvars

The following readout will be displayed, identifying the resources to be built:

    OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      + create

    OpenTofu will perform the following actions:

      # cloudstack_egress_firewall.default_egress will be created
      + resource "cloudstack_egress_firewall" "default_egress" {
          + id          = (known after apply)
          + managed     = false
          + network_id  = (known after apply)
          + parallelism = 2

          + rule {
              + cidr_list = [
                  + "0.0.0.0/0",
                ]
              + icmp_code = (known after apply)
              + icmp_type = (known after apply)
              + ports     = []
              + protocol  = "all"
              + uuids     = (known after apply)
            }
        }

      # cloudstack_firewall.firewall-web will be created
      + resource "cloudstack_firewall" "firewall-web" {
          + id            = (known after apply)
          + ip_address_id = (known after apply)
          + managed       = false
          + parallelism   = 2

          + rule {
              + cidr_list = [
                  + "0.0.0.0/0",
                ]
              + icmp_code = (known after apply)
              + icmp_type = (known after apply)
              + ports     = [
                  + "2220",
                ]
              + protocol  = "tcp"
              + uuids     = (known after apply)
            }
        }

      # cloudstack_instance.web_net_1[0] will be created
      + resource "cloudstack_instance" "web_net_1" {
          + display_name     = "ACE-Test-net-1-web-0"
          + expunge          = true
          + group            = (known after apply)
          + id               = (known after apply)
          + ip_address       = (known after apply)
          + keypair          = "silverbullet"
          + name             = "ACE-Test-net-1-web-0"
          + network_id       = (known after apply)
          + project          = (known after apply)
          + root_disk_size   = 20
          + service_offering = "ACE 2 vCPU 4GB Ram - z0"
          + start_vm         = true
          + tags             = {
              + "environment" = "staging"
              + "role"        = "net-1-web"
            }
          + template         = "AC-OS-ubuntu-22.04-2023-11-15T15-39-13Z"
          + zone             = "zone0"
        }

      # cloudstack_ipaddress.pub-ip will be created
      + resource "cloudstack_ipaddress" "pub-ip" {
          + id            = (known after apply)
          + ip_address    = (known after apply)
          + is_portable   = false
          + is_source_nat = (known after apply)
          + network_id    = (known after apply)
          + project       = (known after apply)
          + tags          = (known after apply)
          + zone          = "zone0"
        }

      # cloudstack_network.ace-network-1 will be created
      + resource "cloudstack_network" "ace-network-1" {
          + acl_id                = "none"
          + cidr                  = "10.0.1.0/24"
          + display_text          = (known after apply)
          + endip                 = (known after apply)
          + gateway               = (known after apply)
          + id                    = (known after apply)
          + name                  = "ace-network-1"
          + network_domain        = (known after apply)
          + network_offering      = "DefaultIsolatedNetworkOfferingWithSourceNatService"
          + project               = (known after apply)
          + source_nat_ip_address = (known after apply)
          + source_nat_ip_id      = (known after apply)
          + startip               = (known after apply)
          + tags                  = (known after apply)
          + zone                  = "zone0"
        }

      # cloudstack_port_forward.web_net_1[0] will be created
      + resource "cloudstack_port_forward" "web_net_1" {
          + id            = (known after apply)
          + ip_address_id = (known after apply)
          + managed       = false

          + forward {
              + private_port       = 22
              + protocol           = "tcp"
              + public_port        = 2220
              + uuid               = (known after apply)
              + virtual_machine_id = (known after apply)
            }
        }

    Plan: 6 to add, 0 to change, 0 to destroy.

    Changes to Outputs:
      + pub_ip = (known after apply)

    ───────────────────────────────────────────────────────────────────────────────

    Saved the plan to: example-tfplan

    To perform exactly these actions, run the following command to apply:
        tofu apply "example-tfplan"

Note: read the plan before applying it. cloudstack_firewall.firewall-web opens tcp/2220 on the public IP to 0.0.0.0/0, and cloudstack_port_forward.web_net_1 maps that port to 22 on the instance, so SSH on the instance is reachable from any Internet address once applied. If that is not what you want, narrow the rule's cidr_list in the example (for instance to your office or VPN egress range) before running tofu apply; the instance accepts only the keypair you registered, but exposed SSH still gets scanned and brute-forced.

7. Apply the plan:

    tofu apply example-tfplan

Once run, the resource changes will be displayed along with the public IP to use when connecting to the instances:

    Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

    Outputs:

    pub_ip = "x.x.x.x"

8. SSH into the machine using the following guideline, where <pub_ip> is the pub_ip output above:

    ssh -p 222X <user>@<pub_ip>

Note: in the port number 222X, the X is the index number of the server created. In variables/ace.tfvars you set the count of how many servers to create. If the count is 1, the port number is 2220, as the index count starts at 0.

In the VPC example the port forwarding is only set up on the web_net_1 instances. You will need to adjust the VPC ACL rules to reach the web_net_2 instances, and the example's approach is to put an SSH private key on the web_net_1 instances you are port forwarding to, so that you can SSH from web_net_1 to web_net_2. Copying a private key onto a jump instance widens its exposure; SSH agent forwarding or ProxyJump (ssh -J) through the port-forwarded web_net_1 instance reaches web_net_2 without leaving a key on it.

9. Lastly, use the following command to clean up the environment:

    tofu plan --destroy -out example-tfplan -var-file variables/ace.tfvars

- A readout will display all resource changes that will take place once applied:

    OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
      - destroy

    OpenTofu will perform the following actions:

      # cloudstack_egress_firewall.default_egress will be destroyed
      - resource "cloudstack_egress_firewall" "default_egress" {
          - id          = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null
          - managed     = false -> null
          - network_id  = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null
          - parallelism = 2 -> null

          - rule {
              - cidr_list = [
                  - "10.0.1.0/24",
                ] -> null
              - icmp_code = 0 -> null
              - icmp_type = 0 -> null
              - ports     = [] -> null
              - protocol  = "all" -> null
              - uuids     = {
                  - "all" = "1d297874-affe-4795-956a-f6f0e384e54e"
                } -> null
            }
        }

      # cloudstack_firewall.firewall-web will be destroyed
      - resource "cloudstack_firewall" "firewall-web" {
          - id            = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null
          - ip_address_id = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null
          - managed       = false -> null
          - parallelism   = 2 -> null

          - rule {
              - cidr_list = [
                  - "0.0.0.0/0",
                ] -> null
              - icmp_code = 0 -> null
              - icmp_type = 0 -> null
              - ports     = [
                  - "2220",
                ] -> null
              - protocol  = "tcp" -> null
              - uuids     = {
                  - "2220" = "77905ac1-7d8f-459e-b812-8ba8b02a7916"
                } -> null
            }
        }

      # cloudstack_instance.web_net_1[0] will be destroyed
      - resource "cloudstack_instance" "web_net_1" {
          - display_name     = "ACE-Test-net-1-web-0" -> null
          - expunge          = true -> null
          - id               = "afd6d90e-fc30-416b-8e1e-c0d8ee912188" -> null
          - ip_address       = "10.0.1.244" -> null
          - keypair          = "silverbullet" -> null
          - name             = "ACE-Test-net-1-web-0" -> null
          - network_id       = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null
          - root_disk_size   = 20 -> null
          - service_offering = "ACE 2 vCPU 4GB Ram - z0" -> null
          - start_vm         = true -> null
          - tags             = {
              - "environment" = "staging"
              - "role"        = "net-1-web"
            } -> null
          - template         = "AC-OS-ubuntu-22.04-2023-11-15T15-39-13Z" -> null
          - zone             = "zone0" -> null
        }

      # cloudstack_ipaddress.pub-ip will be destroyed
      - resource "cloudstack_ipaddress" "pub-ip" {
          - id            = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null
          - ip_address    = "172.252.211.166" -> null
          - is_portable   = false -> null
          - is_source_nat = true -> null
          - network_id    = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null
          - tags          = {} -> null
          - zone          = "zone0" -> null
        }

      # cloudstack_network.ace-network-1 will be destroyed
      - resource "cloudstack_network" "ace-network-1" {
          - acl_id           = "none" -> null
          - cidr             = "10.0.1.0/24" -> null
          - display_text     = "ace-network-1" -> null
          - gateway          = "10.0.1.1" -> null
          - id               = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null
          - name             = "ace-network-1" -> null
          - network_domain   = "cs260cloud.internal" -> null
          - network_offering = "DefaultIsolatedNetworkOfferingWithSourceNatService" -> null
          - tags             = {} -> null
          - zone             = "zone0" -> null
        }

      # cloudstack_port_forward.web_net_1[0] will be destroyed
      - resource "cloudstack_port_forward" "web_net_1" {
          - id            = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null
          - ip_address_id = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null
          - managed       = false -> null

          - forward {
              - private_port       = 22 -> null
              - protocol           = "tcp" -> null
              - public_port        = 2220 -> null
              - uuid               = "ed849b59-da71-4990-8563-fb8fee09036c" -> null
              - virtual_machine_id = "afd6d90e-fc30-416b-8e1e-c0d8ee912188" -> null
            }
        }

    Plan: 0 to add, 0 to change, 6 to destroy.

    Changes to Outputs:
      - pub_ip = "172.252.211.166" -> null

    ───────────────────────────────────────────────────────────────────────────────

    Saved the plan to: example-tfplan

    To perform exactly these actions, run the following command to apply:
        tofu apply "example-tfplan"

- Next, apply the plan:

    tofu apply example-tfplan

- Once complete, a readout will display the changed resources:

    Apply complete! Resources: 0 added, 0 changed, 6 destroyed.
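What the three CLOUDSTACK_* variables are for, shown as an added example (this is not code from the ACE-TF-Examples repo or from the american-cloud/cloudstack provider): every CloudStack API call is signed with the secret key using the scheme the CloudStack API documents, and the gateway verifies that signature before acting. The block below implements that scheme and the verification side, so you can see why the secret never needs to leave your machine, why only the API key appears on the wire, and why any change to a signed request is rejected. The sample URL/key/secret values and the listZones call are constructed for a stand-alone run; the real values are the ones you exported above.

```python
"""Sign a CloudStack API request with the API key / secret key pair.

Added example, not code from the ACE-TF-Examples repo or from the
american-cloud/cloudstack provider. It models the documented CloudStack
signing scheme that the provider applies to every call made with the three
CLOUDSTACK_* variables: URL-encode each value, sort key=value pairs by key,
lower-case the whole string, HMAC-SHA1 it with the secret key, base64 the
digest and send it as the `signature` parameter. The secret key itself never
leaves the client; only the API key and the signature travel on the wire.
The sample key/secret values below are constructed, not real credentials.
"""
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholders for a stand-alone run; the real values come from
# the `export CLOUDSTACK_*` step in the procedure above.
SAMPLE_API_URL = "https://gateway00.americancloud.com:8443/client/api"
SAMPLE_API_KEY = "example-api-key"
SAMPLE_SECRET_KEY = "example-secret-key"


def _encode(value: str) -> str:
    # CloudStack keeps '*' literal and percent-encodes everything else,
    # including the '/', '+' and '=' that show up in keys and signatures.
    return quote(value, safe="*")


def canonical_string(params: dict) -> str:
    """The exact string that is MACed: encoded values, key-sorted, lower-cased."""
    pairs = [f"{k}={_encode(str(v))}" for k, v in params.items()]
    pairs.sort(key=lambda kv: kv.split("=", 1)[0].lower())
    return "&".join(pairs).lower()


def sign(secret_key: str, params: dict) -> str:
    """HMAC-SHA1 over the canonical string, base64-encoded (28 chars)."""
    digest = hmac.new(secret_key.encode("utf-8"),
                      canonical_string(params).encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def signed_url(api_url: str, api_key: str, secret_key: str,
               command: str, **kwargs) -> str:
    """Build the GET URL for `command` (e.g. listZones), ready to send."""
    params = {"command": command, "response": "json", "apikey": api_key, **kwargs}
    params["signature"] = sign(secret_key, params)   # signature is not itself signed
    query = "&".join(f"{k}={_encode(str(v))}" for k, v in params.items())
    return f"{api_url}?{query}"


def verify_signature(secret_key: str, url: str) -> bool:
    """What the gateway does on receipt: recompute and compare in constant time.

    Any change to a parameter (or to the signature) after signing fails here,
    which is why the signature protects the whole request, not just identity.
    """
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in parsed.items()}
    presented = params.pop("signature", None)
    if presented is None:
        return False
    return hmac.compare_digest(presented, sign(secret_key, params))


def from_environment() -> tuple:
    """Read the same three variables the tofu provider reads."""
    return (os.environ.get("CLOUDSTACK_API_URL", SAMPLE_API_URL),
            os.environ.get("CLOUDSTACK_API_KEY", SAMPLE_API_KEY),
            os.environ.get("CLOUDSTACK_SECRET_KEY", SAMPLE_SECRET_KEY))


if __name__ == "__main__":
    url, key, secret = from_environment()
    request = signed_url(url, key, secret, "listZones", available="true")
    print(request)                                   # safe to log: holds no secret
    print("self-check:", verify_signature(secret, request))
```

Because the signature covers every parameter, a captured request cannot be replayed with a different command, but it can be replayed as-is; CloudStack therefore also accepts an `expires` parameter (with `signatureversion=3`) that bounds how long a signed URL stays valid, which is worth setting when signed URLs are handed to anything other than the provider itself.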

Last updated on Sep 13, 2024

ACE VPN Portal

ACE VPN Portal

Upon receipt of the ACE portal credentials, navigate to ace-vpn.americancloud.com and log in to access the remote access dashboard. Once logged in, you can manage the organization's users. The layout of the user interface:

1. The dropdown menu provides access to edit the user account, manage VPN connections, or log out of the session.
2. This button gives quick access to the current user's VPN client profiles.
3. This button allows management of additional end-users in the organization who may also require access to the ACE environment.
4. This section provides further information on ACE features, setup and usage of the ACE environment, installation instructions for the WireGuard client by operating system, and additional CloudStack documentation for reference.

User Account

To access the user account, reset a password, and enable two-factor authentication, use the dropdown menu and choose Edit Account. The next screen allows you to confirm the user's contact information, change the user's password, and toggle Enable 2FA.

2FA SMS

Once Enable 2FA is toggled on and SAVE is pressed, the 2FA type selection becomes available. Choose the method(s) available. When you choose your 2FA type and SAVE, a Manage link for that type is made available to test and confirm that the method is working. Open the Manage page and confirm the method is functioning properly before logging out of your session; otherwise you can lock yourself out of the portal.

2FA TOTP

For TOTP, an auto-generated seed is provided. To accept this seed, choose SAVE NEW SEED, or to have a different one generated choose GENERATE RANDOM SEED. Once SAVE NEW SEED is pressed, the Verification option becomes available. Save the seed to your TOTP application or scan the QR code with it, enter the 6-digit TOTP code, and choose VERIFY NEW CODE.

Remote Access VPN Clients

To set up one or more remote access VPN clients, expand the dropdown menu and choose VPN Clients, or use the MANAGE VPN CLIENTS button on the dashboard main page (position 2). The VPN USER-PORTAL page lets you add, edit, and delete your VPN configurations.

To create a new peer connection, choose ADD NEW PEER from the VPN USER-PORTAL page. This generates a public key and offers the option to give the connection a friendly identifier; then select SAVE. Use nicknames that are easy to find and manage, such as 'officeworkstation' or 'mobilephone'. The peer will now be listed on the VPN User-Profile page.

Selecting a peer provides a download of the automatically generated configuration file to import into the local WireGuard client. Choose INFO to access the Download option for the specific peer being loaded on the current host; this also displays a QR code that can be scanned from a mobile device. Choose INFO at the front of the profile to view the additional information. Download the client VPN profile and import it into the WireGuard client. An EDIT option at the end of each profile lets you change its nickname or delete the profile.

Note: the downloaded profile contains that peer's WireGuard private key, which is what authenticates the device to the VPN. Treat the file like a credential: import it on the one device it was created for, do not email it around, and delete the peer from the portal when the device is retired or lost so its key can no longer connect.

Additional User Setup

For other end-users in the organization to access the ACE environment, they need their own user account in the ACE-VPN portal so they can create their own VPN profiles. From the main dashboard choose MANAGE USERS (option 3). This provides a list of accounts in the organization and the ability to create, edit, or delete users as needed. Only MANAGERS of the organization have this access. Choose ADD NEW USER from the VPN USERS page and fill out the new user information. When finished, SAVE the account; the new user will then have access to this portal and may create, edit, and delete their own VPN peers.

More information (option 4 on the dashboard) provides quick links to additional content, further reading, and ACE online documentation. Your data is your own, and by utilizing the American Cloud Enterprise VPN Portal you are in control of who accesses your data, wherever they may be.

Last updated on Aug 30, 2024

Knox

About Knox

Knox is American Cloud's self-hosted credential platform, based on the trusted Bitwarden password management application. Knox provides a secure means for American Cloud to share and manage sensitive data with clients via customized organizations and vaults. Knox uses a combination of symmetric and asymmetric encryption to protect sensitive information as it is shared, along with organizational policies that support compliance with AICPA SOC 2 Type 2 / Privacy Shield, GDPR, and CCPA. All logins stored in Knox reside in an encrypted vault, using AES-CBC 256-bit encryption, salted hashing, and PBKDF2-SHA256 key derivation. Security is paramount in credential and authentication management, and American Cloud believes a solution as strong as Fort Knox is what it takes to deliver this.

Creating an Account

Knox is self-hosted and completely separate from Bitwarden. Follow these steps even if you are already an active user of Vaultwarden or Bitwarden. Information later in this document (Account Switching) covers connecting this account to your current Bitwarden clients.

Invitation

When it is necessary for clients of American Cloud to share information such as secure logins with an engineer, or vice versa, an invite to join a secure organization in Knox will be initiated. Employees of American Cloud will never ask for login information over the phone, email, or text. Once you have opened the email from "Knox", click the "Join Organization Now" button. Before entering anything, check that the link has taken you to knox.americancloud.io; an invitation that lands anywhere else, or any message asking for your master password, is not from Knox.

Join the Organization

Important: new users of American Cloud's Knox must create a new account using the "Create Account" button. Even if you have a current Bitwarden or Vaultwarden account, DO NOT try to log in: Knox is a unique vault with its own domain (knox.americancloud.io).

Master Password

After clicking "Create Account" you will be taken to the account creation screen, where you create your username and master password. Important: if you forget your master password it is unrecoverable. The only way back into the vault is to have an admin from American Cloud remove you from Knox completely, after which you will need to create a new account once you are re-invited.

Logging In

To log in to Knox, navigate in your web browser to knox.americancloud.io and enter your email address and master password. Instructions at the end of this document detail how to add this domain to your Bitwarden extensions and clients if you are already a Bitwarden user.

2FA and SOC 2 Compliance

To be fully SOC 2 compliant, all users are required to set up two-factor authentication. If 2FA is not set up within 24 hours you will be removed from the organization; to regain access you will need to set up 2FA and an admin from American Cloud will have to re-invite you. Personal information should not be shared or stored in Knox. The My Vault option has been disabled: any information stored in "My Vault" before joining the organization you were invited to will be destroyed and unrecoverable upon joining.

Setting Up 2FA

Once logged in, navigate to Account Settings. Choose Security from the Account Settings menu and choose a form of 2FA. Any type of 2FA you choose will work.

Account Switching

If you have accounts on multiple servers, for example a previous Bitwarden account and now knox.americancloud.io, use the server selector dropdown on the login screen and select the Self-hosted menu to change the Server URL to the URL for the account. In this example, for American Cloud you would use knox.americancloud.io as the domain.
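Why the master password warning above is absolute, as an added example (illustration only, not Knox's or Bitwarden's code): in the Bitwarden design Knox is built on, PBKDF2-SHA256 turns the master password into a key that exists only on the client, the per-user key that actually protects the vault is stored wrapped under that key, and the server holds nothing but a further hash of a hash for checking logins. With the password gone there is no input to the derivation, so neither the user nor an American Cloud admin can get the vault key back; removing the account and re-inviting is the only option. Assumptions in the block: the 600,000 client-side and 100,000 server-side iteration counts, and, because Python's standard library has no AES, an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for the AES-256-CBC + HMAC wrapping. The email and password are constructed sample values.

```python
"""Why a forgotten Knox master password cannot be recovered.

Added example for illustration; it is not Knox's or Bitwarden's code. It
models the key hierarchy of the Bitwarden design Knox is built on: PBKDF2-SHA256
turns the master password (salted with the account email) into a master key,
a random per-user key protects the vault and is stored only wrapped under that
master key, and the server is sent just a further PBKDF2 hash of the master
key to check a login. Assumptions: 600,000 client iterations, 100,000
server-side iterations, and, because the standard library has no AES, an
HMAC-SHA256 keystream XOR with an encrypt-then-MAC tag standing in for
AES-256-CBC + HMAC when the user key is wrapped.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

CLIENT_ITERATIONS = 600_000   # assumption, see module docstring
SERVER_ITERATIONS = 100_000   # assumption, see module docstring
KEY_LEN = 32


def master_key(password: str, email: str, iterations: int = CLIENT_ITERATIONS) -> bytes:
    # Salted with the lower-cased email so the same password on two accounts
    # yields two different keys; this key only ever exists in the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, KEY_LEN)


def auth_hash(mkey: bytes, password: str) -> bytes:
    # The value the client sends at login: one more PBKDF2 round over the master
    # key. The server cannot invert it to get mkey, let alone the password.
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode("utf-8"), 1, KEY_LEN)


def stretch(mkey: bytes) -> Tuple[bytes, bytes]:
    # HKDF-Expand (RFC 5869, one block each) of the master key into separate
    # encryption and MAC keys.
    enc = hmac.new(mkey, b"enc\x01", hashlib.sha256).digest()
    mac = hmac.new(mkey, b"mac\x01", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc, nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap_user_key(mkey: bytes, user_key: bytes) -> bytes:
    """Stand-in for AES-256-CBC + HMAC: returns nonce || ciphertext || tag."""
    enc, mac = stretch(mkey)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(user_key, _keystream(enc, nonce, len(user_key))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_user_key(mkey: bytes, blob: bytes) -> Optional[bytes]:
    enc, mac = stretch(mkey)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None   # wrong master key: the tag fails and nothing is decrypted
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def enrol(email: str, password: str) -> Tuple[dict, bytes]:
    """Account creation. Returns (what the server stores, the client's user key)."""
    mkey = master_key(password, email)
    user_key = secrets.token_bytes(64)          # 256-bit enc + 256-bit MAC key
    salt = secrets.token_bytes(16)
    record = {
        "email": email,
        "auth_salt": salt,
        "auth": hashlib.pbkdf2_hmac("sha256", auth_hash(mkey, password),
                                    salt, SERVER_ITERATIONS, KEY_LEN),
        "wrapped_user_key": wrap_user_key(mkey, user_key),
    }
    return record, user_key


def login_check(record: dict, presented: bytes) -> bool:
    """Server side: compares a hash of a hash; it never holds mkey or the password."""
    expected = hashlib.pbkdf2_hmac("sha256", presented, record["auth_salt"],
                                   SERVER_ITERATIONS, KEY_LEN)
    return hmac.compare_digest(expected, record["auth"])


def unlock(record: dict, password: str) -> Optional[bytes]:
    """Client side: the only path to the user key, and it starts from the password."""
    mkey = master_key(password, record["email"])
    return unwrap_user_key(mkey, record["wrapped_user_key"])


if __name__ == "__main__":
    rec, uk = enrol("user@example.com", "correct horse battery staple")  # constructed
    print("right password unlocks:", unlock(rec, "correct horse battery staple") == uk)
    print("wrong password unlocks:", unlock(rec, "correct horse battery stapler") is not None)
```

Everything the server keeps (`record`) is either a salt, a wrapped key that needs `mkey` to open, or a hash that cannot be inverted to `mkey`; an admin can delete that record, but has no way to rebuild `user_key` from it, which is exactly the recovery path the page describes.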

Last updated on Sep 13, 2024

Creating a Windows Server 2019 Demo Network

1. Navigate to https://gateway00.americancloud.com:8443/client
2. Log in to your ACE environment using the credentials from the Knox vault.

Build Network

1. First, create an Isolated network to build your VMs on.
2. Click "Add network".
3. Provide the required information:
   Name: Provide a name based on your required naming convention.
   Description: Helps to distinguish between networks.
   Zone: The zone you want to build the VMs in.
   Domain: Since you are building an isolated network, be sure to select the domain.
   Account: Once the domain is selected, an additional box labeled Account is displayed. Select the appropriate account for the network.
   Network Domain: Leave blank.
   Network Offering: Select "Offering for Isolated networks with Source Nat service enabled".
   External ID: Leave blank.
4. The remainder of the boxes can be left blank unless building the network for a VPC. Select "OK".
5. Click "Win-Demo-Net" (or whatever the network was named).
6. Click "Public IP addresses".
7. To begin, the network has no public IP. After the first instance is built, ACE assigns an IP to the network and enables that IP as the source NAT. On this page additional IPs can be acquired and managed for subsequent machines.

Build the Instance

1. Click the cloud/instance icon in the left navigation bar and select "Instances".
2. Select "Add Instance +".
3. Select the zone the VM should reside in. The zone should mirror the zone of the network to build on. Alert: currently Zone 0 offers a standard and a premium node, while Zone 1 only offers standard.
4. Click the "Search" field, type "wind" and press Enter. This narrows down the selection of templates presented.
5. Click "Community".
6. Select "AC-OS-Windows-Server-2019-Standar-2024-07-01", the newest Windows template, using the radio button to its left.
7. If selecting an offering for zone0, you'll see two options, "ACE-1C32-1R64-P" and "ACE-1C32-1R64-S", where P = premium and S = standard. Zone 1, as stated above, only has the standard cluster. Select the appropriate offering. These are custom offerings, allowing you to provision the VM to your needs; there are also several default offerings. Once you've selected the CUSTOM service offering, select the CPU cores (1-32) and RAM (1000-64000 MB). This can all be scaled at a later date if necessary.
8. Once CPU/RAM have been selected, decide on the size of the root disk. The VM build summary in the right-hand pane shows the default disk offering of 50 GB. If your project requires a larger root disk, select the "Override root disk offering" toggle, select "CustomLocal" in the disk offerings section, then scale the root disk to the appropriate size. If additional data disks are required, select the size in section 4, Data Disk.
9. Select the network for the VM. For the initial build, select the network built in the first steps. Under default network, leave the IP address and MAC address blank; they will be issued by CloudStack.
10. The remaining blocks are informational and optional. Fill them in as necessary and select "Launch Instance".
11. The machine will launch and move to a Starting status.
12. Once the machine reaches a Running state, the password will be presented. Copy it and store it securely (Knox is the place for it): it is the initial Administrator password and is needed for the console login below. Close the popup once copied.

Tip: Congratulations, you've built your Windows machine.

Access Machine

1. Click "VM-12c7eb61-e7ea-4b26-80f2-8ca4d77b5bb2" (the instance just created).
2. Click the console icon.
3. On first login, a new password for the Administrator is required. Select "OK".
4. Once the password has been accepted and changed successfully, select "OK".
5. You'll be logged in and directed to Server Manager for Windows Server 2019 Datacenter.

Tip: In addition to the ACE console, remote access is available and is the more desirable connection.

Last updated on Jan 21, 2025