Home ACE

ACE

American Cloud Enterprise Services
Dane Joe
By Dane and 1 other
11 articles

ACE Open Tofu / Terraform Install

Installation/Setup Required Software - LTS version TOFU Note To visit our github repo Click Here The environment and accounts will be established by American Cloud engineers. Once complete the inital sign-in creds will be provided. Create ACE directory and clone the repo using command git clone https://github.com/American-Cloud/ACE-TF-Examples.git && cd ACE-TF-Examples Setup the API environment varibles - Sign into the ACE environment by navigating to https://gateway00.americancloud.com:8443/client/#/dashboard. Be sure to add the provided domain. - Generate and retrieve the API and Secret Keys - Once generated add and run the following commands sequencially. export CLOUDSTACK_API_URL="https://gateway00.americancloud.com:8443/client/api" export CLOUDSTACK_API_KEY="<key>" export CLOUDSTACK_SECRET_KEY="<secret>" Add a SSH keypair to the ACE For further description on generating SSH Keys Click Here. - In the navigation select SSH Key Pairs - Select Create A SSH Key Pair - Fill in the required information. (The account field is optional and not required for American Cloud purposes.) Setup the VPC or Non-VPC examples by running the repective bash script from within the directory. ./enable_non_vpc_example.sh ./enable_vpc_example.sh - Using the preferred file editor, edit variables/ace.tfvars file after running the above bash scripts and add the keypair name. keypair = "<keypair name here>" # Key pair created in UI. Provide name here. Initialize TOFU by running the command Tofu init. The below readout should be displayed. Initializing the backend... Initializing provider plugins... - Reusing previous version of american-cloud/cloudstack from the dependency lock file - Using previously-installed american-cloud/cloudstack v0.4.2 OpenTofu has been successfully initialized! You may now begin working with OpenTofu. Try running "tofu plan" to see any changes that are required for your infrastructure. All OpenTofu commands should now work. If you ever set or change modules or backend configuration for OpenTofu, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary. Run the TOFU plan using the command tofu plan -out example-tfplan -var-file variables/ace.tfvars The following readout will be displayed identifying the resources to be built. OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create OpenTofu will perform the following actions: # cloudstack_egress_firewall.default_egress will be created + resource "cloudstack_egress_firewall" "default_egress" { + id = (known after apply) + managed = false + network_id = (known after apply) + parallelism = 2 + rule { + cidr_list = [ + "0.0.0.0/0", ] + icmp_code = (known after apply) + icmp_type = (known after apply) + ports = [] + protocol = "all" + uuids = (known after apply) } } # cloudstack_firewall.firewall-web will be created + resource "cloudstack_firewall" "firewall-web" { + id = (known after apply) + ip_address_id = (known after apply) + managed = false + parallelism = 2 + rule { + cidr_list = [ + "0.0.0.0/0", ] + icmp_code = (known after apply) + icmp_type = (known after apply) + ports = [ + "2220", ] + protocol = "tcp" + uuids = (known after apply) } } # cloudstack_instance.web_net_1[0] will be created + resource "cloudstack_instance" "web_net_1" { + display_name = "ACE-Test-net-1-web-0" + expunge = true + group = (known after apply) + id = (known after apply) + ip_address = (known after apply) + keypair = "silverbullet" + name = "ACE-Test-net-1-web-0" + network_id = (known after apply) + project = (known after apply) + root_disk_size = 20 + service_offering = "ACE 2 vCPU 4GB Ram - z0" + start_vm = true + tags = { + "environment" = "staging" + "role" = "net-1-web" } + template = "AC-OS-ubuntu-22.04-2023-11-15T15-39-13Z" + zone = "zone0" } # cloudstack_ipaddress.pub-ip will be created + resource "cloudstack_ipaddress" "pub-ip" { + id = (known after apply) + ip_address = (known after apply) + is_portable = false + is_source_nat = (known after apply) + network_id = (known after apply) + project = (known after apply) + tags = (known after apply) + zone = "zone0" } # cloudstack_network.ace-network-1 will be created + resource "cloudstack_network" "ace-network-1" { + acl_id = "none" + cidr = "10.0.1.0/24" + display_text = (known after apply) + endip = (known after apply) + gateway = (known after apply) + id = (known after apply) + name = "ace-network-1" + network_domain = (known after apply) + network_offering = "DefaultIsolatedNetworkOfferingWithSourceNatService" + project = (known after apply) + source_nat_ip_address = (known after apply) + source_nat_ip_id = (known after apply) + startip = (known after apply) + tags = (known after apply) + zone = "zone0" } # cloudstack_port_forward.web_net_1[0] will be created + resource "cloudstack_port_forward" "web_net_1" { + id = (known after apply) + ip_address_id = (known after apply) + managed = false + forward { + private_port = 22 + protocol = "tcp" + public_port = 2220 + uuid = (known after apply) + virtual_machine_id = (known after apply) } } Plan: 6 to add, 0 to change, 0 to destroy. Changes to Outputs: + pub_ip = (known after apply) ─────────────────────────────────────────────────────────────────────────────── Saved the plan to: example-tfplan To perform exactly these actions, run the following command to apply: tofu apply "example-tfplan" Apply the TOFU plan by running tofu apply example-tfplan. Once ran the resource changes will be displayed along with the Public IP to utilize when connecting to the instances. Apply complete! Resources: 6 added, 0 changed, 0 destroyed. Outputs: pub_ip = "x.x.x.x" - SSH into the machine using the following guidelines. ssh -p 222X [email protected] Note The port number 222X the X is the index number of the server created. In the variables/ace.tfvars you will set the count of how many servers to create. If the count is 1, then the port number would be 2220 as the indexing count starts at 0 In the VPC example the port forwarding is only setup on web_net_1 instances. You will need to adjust VPC ACL rules to access instances on the web_net_2, as well as putting a SSH private key on the instances you are port forwarding to, so that you can SSH from web_net_1 instances to web_net_2 Lastly use the following command to cleanup the environment tofu plan --destroy -out example-tfplan -var-file variables/ace.tfvars - A readout will display all resource changes that will take place once applied OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: - destroy OpenTofu will perform the following actions: # cloudstack_egress_firewall.default_egress will be destroyed - resource "cloudstack_egress_firewall" "default_egress" { - id = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null - managed = false -> null - network_id = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null - parallelism = 2 -> null - rule { - cidr_list = [ - "10.0.1.0/24", ] -> null - icmp_code = 0 -> null - icmp_type = 0 -> null - ports = [] -> null - protocol = "all" -> null - uuids = { - "all" = "1d297874-affe-4795-956a-f6f0e384e54e" } -> null } } # cloudstack_firewall.firewall-web will be destroyed - resource "cloudstack_firewall" "firewall-web" { - id = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null - ip_address_id = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null - managed = false -> null - parallelism = 2 -> null - rule { - cidr_list = [ - "0.0.0.0/0", ] -> null - icmp_code = 0 -> null - icmp_type = 0 -> null - ports = [ - "2220", ] -> null - protocol = "tcp" -> null - uuids = { - "2220" = "77905ac1-7d8f-459e-b812-8ba8b02a7916" } -> null } } # cloudstack_instance.web_net_1[0] will be destroyed - resource "cloudstack_instance" "web_net_1" { - display_name = "ACE-Test-net-1-web-0" -> null - expunge = true -> null - id = "afd6d90e-fc30-416b-8e1e-c0d8ee912188" -> null - ip_address = "10.0.1.244" -> null - keypair = "silverbullet" -> null - name = "ACE-Test-net-1-web-0" -> null - network_id = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null - root_disk_size = 20 -> null - service_offering = "ACE 2 vCPU 4GB Ram - z0" -> null - start_vm = true -> null - tags = { - "environment" = "staging" - "role" = "net-1-web" } -> null - template = "AC-OS-ubuntu-22.04-2023-11-15T15-39-13Z" -> null - zone = "zone0" -> null } # cloudstack_ipaddress.pub-ip will be destroyed - resource "cloudstack_ipaddress" "pub-ip" { - id = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null - ip_address = "172.252.211.166" -> null - is_portable = false -> null - is_source_nat = true -> null - network_id = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null - tags = {} -> null - zone = "zone0" -> null } # cloudstack_network.ace-network-1 will be destroyed - resource "cloudstack_network" "ace-network-1" { - acl_id = "none" -> null - cidr = "10.0.1.0/24" -> null - display_text = "ace-network-1" -> null - gateway = "10.0.1.1" -> null - id = "89ed85c4-50bc-4e18-91ae-dcfbc9db31c9" -> null - name = "ace-network-1" -> null - network_domain = "cs260cloud.internal" -> null - network_offering = "DefaultIsolatedNetworkOfferingWithSourceNatService" -> null - tags = {} -> null - zone = "zone0" -> null } # cloudstack_port_forward.web_net_1[0] will be destroyed - resource "cloudstack_port_forward" "web_net_1" { - id = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null - ip_address_id = "7bf925eb-5a65-4ce3-8e04-7840334a73df" -> null - managed = false -> null - forward { - private_port = 22 -> null - protocol = "tcp" -> null - public_port = 2220 -> null - uuid = "ed849b59-da71-4990-8563-fb8fee09036c" -> null - virtual_machine_id = "afd6d90e-fc30-416b-8e1e-c0d8ee912188" -> null } } Plan: 0 to add, 0 to change, 6 to destroy. Changes to Outputs: - pub_ip = "172.252.211.166" -> null ─────────────────────────────────────────────────────────────────────────────── Saved the plan to: example-tfplan To perform exactly these actions, run the following command to apply: tofu apply "example-tfplan" - Next apply the plan tofu apply example-tfplan - Once complete a readout will display the changed resource Apply complete! Resources: 0 added, 0 changed, 6 destroyed.

Last updated on Jul 29, 2025

ACE VPN Portal

ACE VPN Portal Upon receipt of the ACE portal credentials navigate to ace-vpn.americancloud.com and log in to access the remote access dashboard. Once logged in it's possible to manage the organization's users. Below is a layout explanation of the User Interface. 1. The dropdown menu provides a means to access and edit the user account, a VPN connections, or to log out of the session. 2. This button allows quick access to the current user's VPN client profiles. 3. This button allows the management of additional end-users in the organization that may also require access to the ACE environment. 4. This section allows further information on the ACE features, setup and usage of the ACE environment, installation instructions for the WireGuard client to connect with based on OS, and additional CloudStack documentation for reference. User Account To access the user account, reset a password, and enable Two-Factor Authentication, use your dropdown menu and choose Edit Account: The next screen will allow for confirmation of the user's contact information, change the user's password, and toggle Enable 2FA. 2FA SMS Once Enable 2FA is toggled on and the SAVE button is pressed, the 2FA type will be available. Choose the method(s) available. When you choose your 2FA type and SAVE, a Manage type link will be made available for testing and confirm that the method is functioning properly: Access the Manage page and confirm the method is functioning properly prior to logging out of your session. 2FA TOTP For TOTP, an auto-generated seed will be provided. To accept this seed, choose SAVE NEW SEED button, or to have a different one generated choose GENERATE RANDOM SEED. Once the SAVE NEW SEED button is pressed the Verification option will become available. Save your seed to the TOTP application or scan the QR code in the application and enter the TOTP 6-digit code and choose VERIFY NEW CODE. Remote Access VPN Clients To set up a remote access VPN client(s) expand the dropdown menu and choose VPN Clients or use the MANAGE VPN CLIENTS button on the dashboard main page (position 2). The VPN USER-PORTAL page provides the ability to add, edit, and delete your VPN configurations. To create a new peer connection choose ADD NEW PEER from the VPN USER-PORTAL page. This will generate a Public Key and provide an option to give the connection a friendly Identifier. Then select SAVE. Use nicknames that are easy for you to find and manage as needed, like ‘officeworkstation’, ‘mobilephone’, etc. Now a Peer will be listed in the VPN User-Profile page. By selecting the peer it provides a download option of the automatically generated configuration file to import into the local WireGuard client. Choose INFO to access the Download option for the specific Peer being loaded on the current host. This will also display a QR code that can be scanned from a mobile device. Choose INFO at the front of the Profile to view the additional information. Download the client VPN profile and import it into the WireGuard Client. There is an EDIT option as well at the end of each profile to change its nickname identifier or delete the profile. Additional User Setup In order for other end-users within the organization to access the ACE environment they will need to have their own user account within the ACE-VPN portal to create their own VPN Profiles. From the main dashboard choose MANAGE USERS (option 3). This will provide a list of accounts in the organization. Additionally, the page provides the ability to create, edit, or delete users as needed. Only MANAGERS of the organization have this access and ability. Choose ADD NEW USER from the VPN USERS page and fill out the new user information. When finished, SAVE the account and the new user will have access to this portal and may create, edit, and delete their own VPN Peers. More information (Option 4 section of the dashboard) is provided for quick links to additional content, further reading, and ACE online documentation. Your data is your own and by utilizing the American Cloud Enterprise VPN Portal you are in control of who accesses your data, wherever they may be.

Last updated on Aug 30, 2024

Knox

About Knox Knox is American Cloud's self-hosted credential platform based off of the trusted BitWarden Password Management application. As such, Knox provides a secure means for American Cloud to share and manage sensitive data with our clients via customized organizations and vaults. Knox provides a combination of both asymmetric and asymmetric encryption that protects sensitive information as it is shared, as well as organizational policies that ensure compliance with AICPA SOC2 Type 2 / Privacy Shield, GDPR, and CCPA regulations. All logins stored on Knox reside in an encrypted vault, utilizing AES-CBC 256 bit encryption, salted hashing, and PBKDF2 SHA-256 algorithms. Security is tantamount when it comes to credential and authentication management and American Cloud feels a solution as strong as Fort Knox is what it takes to deliver this. Creating Account Knox is self hosted and completely separate from BitWarden.  Please make sure to follow these steps even if you are already an active user of VaultWarden or BitWarden.  There is information later in this document that goes over connecting this account to your current BitWarden Clients and Account Switching Invitation When it’s necessary for Clients of American Cloud to share information such as secure logins with an engineer or vice versa an invite to join a secure Organization in Knox will be initiated.  Employees of American Cloud will never ask for login information over the phone, email, or text. Once you have opened the email from “Knox” with the email address ([email protected]) click the “Join Organization Now” button. Join the Organization Important: For new user’s of American Cloud’s Knox Create a new account using the “Create Account” button.  Even if you have a current BitWarden or VaultWarden account DO NOT try to Log In, Knox is a unique Vault with its own unique Domain(knox.americancloud.io). Master Password After clicking the “create account” button you will be taken to the following screen.  Here you will be able to create your username and master password. Important:  If you forget your master password it will be unrecoverable.  The only way to allow you back into the vault will be by having an Admin from American Cloud remove you from Knox completely and you will need to create a new account after being re-invited. Logging In When you want to log into Knox you will navigate in your web browser to: knox.americancloud.io.  There you will be able to enter your email address and your master password.  There will be instructions at the end of this document detailing how to add this domain to your bitwarden extensions and client if you are already a BitWarden user. ** ** 2FA and SOC-2 Compliance In order to be fully SOC-2 compliant we require all users to set up two factor authentication.  If 2FA is not set up within 24 hours you will be removed from the organization.  In order to gain access to the organization you will need to set up 2FA and an Admin from American Cloud will have to re-invite you. Along with that personal information should not be shared or stored in Knox.  We have disabled the My Vault option.  If you store any information in “My Vault” prior to joining the Organization you were invited to, it will be destroyed and unrecoverable upon joining the Organization. Setting Up 2FA Navigate to Account Settings once you are logged in Choose Security from the Account Setting menu and choose a form of 2FA.  Any type of 2FA you choose will work.  Account Switching If you have accounts on multiple servers, for example a previous bitwarden account and now knox.americancloud.io, use the server selector drop down that is located on the login screen and select the Self-hosted menu to change the Server URL to the URL for the account. Self-hosted domain selectorSelf-hosted domain selector In this example, for American Cloud you would use knox.americancloud.io as the domain.

Last updated on Sep 13, 2024

Creating a Windows Server 2019 Demo Network

1. Navigate to https://gateway00.americancloud.com:8443/client 2. Login to your ACE environment using the credentials from the Knox Vault. Build Network 1. First, create an Isolated network to build your VM's on. 1. Click "Add network" 1. Provide the required information: Name: Provide a name based on your required naming convention Description: Helps to distinguish between networks Zone: This should be the zone you're wanting to build the VM's in. Domain: Since building an isolated network be sure to select the domain. Account: Once the domain is selected an additional box will display labeled account. Select the appropriate account for the network. Network Domain: Leave Blank Network Offering: Select [[Offering for Isolated networks with Source Nat service enabled]]. External ID: Leave Blank 1. The remainder of the boxes can be left blank unless building the network for a VPC. Select 'OK'. 1. Click "Win-Demo-Net" or the network built. 1. Click "Public IP addresses" 1. To begin we'll be missing an IP for our network. Following the first build ACE will assign an IP to the machine and enable that IP as the source NAT. On this page additional IP's can be acquired and managed for sequential machines. Build the Instance 1. Click [[cloud/instance]] icon from the left navigation bar and select [[instances]]. 1. Select [[Add Instance +]] toggle. 1. Select the zone the VM should reside in. The zone should mirror the zone of the network to build on. Alert: Currently Zone 0 offers a standard and premium node while Zone 1 only offers standard. 1. Click the "Search" field. 1. Type "wind [[enter]]" This will narrow down the selection of offerings presented. 2. Click "Community" 1. Click [[AC-OS-Windows-Server-2019-Standar-2024-07-01]] is the newest template of windows. Select it by the radio button to the left. 1. If selecting an offering for zone0, you'll see two different options. An [[ACE-1C32-1R64-P]] and [[ACE-1C32-1R64-S]] where P= premium and S= standard. Zone 1 as stated above will only have the standard cluster. Select the appropriate offering. The ones listed above are custom offerings, allowing you to provision the vm more to your needs. We also have several default offerings. Once you've selected the CUSTOM service offering select the CPU cores from 1-32 and RAM from 1000-64000. This can all be scaled at a later date if necessary. 1. Once CPU/RAM have been selected. You'll want to decide upon the size of the root disk. While looking at the VM build in the right-hand pane. You can identify the default disk offering of 50 GB. If your project requires more of a root disk. Select [[Override root disk offering]] toggle. In the disk offerings section select [[CustomLocal]]. Then scale the root disk to the appropriate size. If additional data disk are required select the size in section 4. Data Disk. 1. Select the network for the VM. For the initial build we select the network we built in the first steps. Under default network we can leave the IP Address and MAC Address blank as they'll be issued via Cloudstack. 1. The additional blocks are informational and optional. Fill them in as necessary and select [[Launch Instance]]. 1. The machine will launch and move to a starting status. 1. Once the machine goes to a running state, the password will be presented. Be sure to copy and securely store this password for SSH purposes if you haven't built a ssh key. You can close the popup once copied. Tip: Congrats you've built your Windows machine. Access Machine 1. Click "VM-12c7eb61-e7ea-4b26-80f2-8ca4d77b5bb2" 1. Click this icon. 1. Initial a new password for the Administrator is required. Select 'OK'. 1. Once the password has been excepted and changed successfully. Select 'OK' 1. You'll be logged in and directed to the Server Manager for windows 2019 datacenter. Tip: Additional to the ACE console is remote access. Remote access is a more desirable connection. Made with Scribe

Last updated on Jan 21, 2025

Getting Started With ACE

This guide provides a quick view of how to start using your ACE environment and how to build your first VM. For more detailed articles click the following links: - KNOX User Guide - ACE VPN Portal - Adding New Users - Installation of Open Tofu/Terraform - Affinity Groups - Templates and ISO's - SHH Key Pairs Getting Started with ACE After connecting to the ACE VPN Navigate to https://gateway00.americancloud.com:8443/client/#/dashboard. Enter your username, password and domain ID to log in on the ACE panel. - Tip! These Credentials are NOT the same as your **AmericanCloud.com customer portal. These are the credentials that were shared with you in your KNOX Vault. (https://knox.americancloud.io/#/login) Click "Login" Creating a Virtual Machine and Isolated Network - Tip! We recommend adding a network or VPC before building your VM. Adding an Isolated Network An isolated network can be deployed with different services like an HAproxy load balancer in the virtual router or source nat to communicate with other networks or a simple layer 2 network. A Network Offering in ACE defines how the isolated network is set up and which services to include with its deployment. Offering For Isolated Networks with Source Nat Service Enabled is our default offering that creates a single virtual router with Source Nat service enabled and egress traffic blocked by default. It provides the following services [DHCP, firewall, port forwarding, Source NAT, Static NAT, User data, DNS, Load balancer and VPN] - We also have an offering used for our Kubernetes Service which is explained in a separate article. From the Dashboard Select "Network" Select "Guest Networks" Click "Add Network" Name your Network and Add a Description if Needed Select your Domain Select the Zone where you will be building your Network and VM Select "Offering for Isolated networks with Source Nat service enabled" Click "OK" Your Isolated Network has Been Allocated. The network can be viewed by going to Network > Guest networks Creating a New Virtual Machine From the ACE Dashboard panel choose Compute > Instances, click Add Instance Select "Instances" Select "Add Instance" Choose the zone where you will be building your VM and have already built your Network Choose a Template or ISO. *Templates are images containing an OS used to boot up the server, or boot from an ISO a virtual DVD/ CD that can be uploaded separately. Too see a list of all of our templates *Click Here. Select a Compute Offering for your Instance, which determines how many CPU cores and memory is allocated to the server or Create a custom offering. Override the Root Disk Offering if needed Select the Network in which the server will be deployed that was created earlier in this tutorial. You can Choose to associate an SSH key pair to the server. If you created SSH key pairs under the Account section they will show up here. Tip! Select additional options under Advanced Mode, like boot type, add user data and/or select an Affinity Group to place the virtual machine in. - These options are not required but can help with setting up the virtual machine in a more specific state. Click "Launch Instance" After the server is deployed, you will see the password show up in the panel if the password set has been configured in the chosen Template. Make sure to the save the password in a password manager of your choice.

Last updated on Aug 01, 2025

ACE Affinity Groups

Description To further reduce fault tolerance, running multiple instances serving your application/ service together with the load balancer feature provided from the virtual router in ACE, is recommended. In case you have multiple servers running your services, you can assign instances to an Affinity group in ACE. Affinity groups control VM placement by defining whether instances should run together (affinity) or apart (anti-affinity). Strict rules enforce hard placement—VMs must follow the rule or fail to deploy—while non-strict rules act as preferences that the scheduler will try to honor but may override for availability. Use strict settings when placement is critical (e.g., redundant services on separate hosts), and non-strict when flexibility or uptime takes priority. Tip! Affinity groups can be attached to instances while creating the instance. You can change an Affinity group of an existing instance from the Instance Details tab. Make sure to stop the instance before changing the Affinity group. Adding New Affinity Groups 1. From the left menu choose Compute > Affinity Groups, click Add new Affinity Group. 2. Provide a name, optionally the description and choose affinity type. Adding Affinity Group to an Instance that has Already Been Built 1. From the left menu choose Compute > Instances, click on the instance name. 2. Stop the instance, by clicking on Stop instance from the top right options. 3. Click on Change Affinity, from the top right options. 4. Select the Affinity group and confirm by clicking OK. 5. Make sure to start up your instance again.

Last updated on Jul 30, 2025