
A vDiscovery job retrieves information about virtual entities in cloud environments that are managed through a cloud management platform (CMP) such as AWS. The current vDiscovery feature supports tenants, networks, and compute VMs only. It does not support data that is retrieved from load balancer networks, load balancer VMs, Kubernetes platform VMs, application gateways, service VMs, SQL VMs, or any other VMs that are created by cloud services such as Kubernetes service or analytics service, where the IPAM is handled by the respective orchestration engines of the cloud provider. If the vDiscovery job retrieves unsupported data from AWS, then it impacts the performance of the vDiscovery process.

For the NIOS vDiscovery feature to work on AWS VPCs with the Infoblox vNIOS for AWS instance on public or private subnets, you configure the DNS Resolver setting in the Grid Properties editor in NIOS to add the IP address of the upstream DNS server within AWS. That DNS server must be able to resolve both the user-provided AWS service endpoint and the host name iam.amazonaws.com for NIOS. You define the setting at the Grid level.
To configure the DNS resolver for the Grid, complete the following in Grid Manager:

  1. From the Grid tab -> Grid Manager tab -> Members tab, expand the Toolbar, and then click Grid Properties.

  2. In the Grid Properties editor, do the following:

    • Click the DNS Resolver tab and select the Enable DNS Resolver checkbox if it is not already selected.

    • In the Name Servers list, click Add to add the IP address of the upstream DNS server to the list.

    • Enter the IP address and press Enter.

  3. Save the configuration. The changes may take a brief period of time to become active.

The following figures illustrate AWS cloud-based and on-premises-based appliances communicating with the AWS endpoints to initiate vDiscovery for their VPCs:


Infoblox vNIOS for AWS Appliance Routing to Endpoints for vDiscovery Tasks

With the DNS resolver added, the Infoblox vNIOS for AWS appliance reaches the AWS endpoints automatically for vDiscovery. The following diagram illustrates the same process for an on-premises NIOS Cloud Platform appliance:

On-Premises NIOS Appliance Configured for vDiscovery Tasks

Note

Network routing may also be required to enable the member to communicate with the AWS endpoints.

You can also set up a proxy server in your data center so you can perform vDiscovery through the proxy server. For information about how to configure a proxy server on your NIOS virtual appliance, refer to the Infoblox NIOS Documentation.

Credentials for vDiscovery

When you configure a vDiscovery job through the Infoblox GUI (Grid Manager), you can choose to use Instance Profile or IAM Credential for authentication.
An instance profile is a container for an IAM role that passes role information to an EC2 instance while the instance is running. Select this option if you want to collect information from AWS without supplying a user's credentials: the predefined IAM role is used to obtain a temporary token that allows the API calls. Note that you must first configure the instance profile in AWS, define an IAM role in the instance profile, and set permissions for this role before you can select this option in NIOS. Otherwise, this option is disabled. When you select it, you do not need to provide user credentials for vDiscovery jobs.
You can also select IAM Credential if you want to authenticate with IAM credentials that grant access to AWS resources from your EC2 instances while they are running. When you select this authentication method, you must provide the Access Key ID and Secret Access Key for the AWS endpoint. This is the secret key pair of the administrator account that executes the vDiscovery job.

Note

In AWS, access keys are used to digitally sign API calls made to AWS services. Each access key credential consists of an access key ID and a secret key. The secret key portion must be protected by the AWS account holder or the IAM user to whom it is assigned. As a best practice, users should rotate their access keys on a regular basis. Refer to the document AWS Security Best Practices by Amazon Web Services (http://aws.amazon.com/whitepapers/aws-security-best-practices/) and the AWS Documentation page IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html) for more information.

Before being assigned to the NIOS cloud admin account, AWS users need the following AWS IAM permissions so that the vDiscovery feature can discover the resources in their VPCs and manage them through IPAM:

  • iam:GetUser

  • ec2:DescribeVpcs

  • ec2:DescribeSubnets

  • ec2:DescribeRouteTables

  • ec2:DescribeAddresses

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribeInstances


For more information about how to configure vDiscovery, refer to Configuring vDiscovery Jobs in the Infoblox NIOS Documentation.

Objects Discovered and Collected by vDiscovery

A number of different network object types are discovered, collected and added to the NIOS database during the vDiscovery process. You may convert some object types to Managed objects in NIOS IPAM.

  • Virtual Private Clouds

  • Availability Zone

  • Tenants

  • Subnets

  • EC2 Instances (virtual machines)

  • IP Addresses

Note

vDiscovery is not supported for Elastic IP addresses allocated from a public IP address pool that you have brought to your AWS account, or from a private pool created from your on-premises network (Bring your own IP address). It is supported only if Elastic IP addresses are allocated from Amazon's pool of public IPv4 addresses.

Creating DNS Records for Discovered IP Addresses

When you configure vDiscovery jobs, you can enable the appliance to automatically create DNS records for discovered virtual instances in your AWS VPCs. When you enable this feature, NIOS automatically adds Host records or A and PTR records to the authoritative zones for the discovered IP addresses based on your configuration. You can also enter a formula that NIOS uses to create the DNS names for the discovered IP addresses based on their VM parameters such as vm_name or discovered_name for data discovered through AWS. By doing so, NIOS is able to discover public and private IP addresses by looking up the corresponding DNS names.
Discovered data includes IP addresses for the VMs and associated information such as VM ID, VM Name, Tenant ID, and others. Note that corresponding zones must already exist in order for NIOS to add DNS records. Otherwise, NIOS does not add any DNS records and it logs a message to the syslog.
NIOS automatically adds DNS records based on the following conditions:

  • The corresponding DNS zones must already exist in the NIOS database. NIOS does not automatically create DNS zones for the records.

  • To create a PTR record, the corresponding reverse-mapping zone must exist.

  • A DNS zone cannot be associated with more than one DNS view. NIOS does not create DNS records for zones that are associated with multiple DNS views.

  • NIOS adds new DNS records only if the VM name for the discovered IP address is available and there is no conflict between the discovered data and the associated network view.

The following matrix shows, for a number of scenarios, how vDiscovery handles various actions and what the outcome is for the data on the Cloud Platform appliance and in the NIOS database.

Note

vDiscovery modifies only records that were created by the vDiscovery process. It does not create or update DNS records that were originally created by other admin users.

Each scenario below lists the actions and conditions, the Cloud Platform data before and after vDiscovery, and the NIOS data before and after vDiscovery.

Scenario 1
  Actions and conditions:
    • Add new interface to existing VM (vma) with the same discovered name on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by admin)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)

Scenario 2
  Actions and conditions:
    • Add new interface to existing VM (vma) with different discovered name (vmb) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com; 10.10.10.2 vmb.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); Host record vmb.corp1.com (10.10.10.2)

Scenario 3
  Actions and conditions:
    • Add new interface to existing VM (vma) with different discovered name (vmb) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by admin)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com; 10.10.10.2 vmb.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); Host record vmb.corp1.com (10.10.10.2)

Scenario 4
  Actions and conditions:
    • Remove existing VM (vma) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: No data for vma
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com

Scenario 5
  Actions and conditions:
    • Remove existing VM (vma) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by admin)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: No data for vma
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)

Scenario 6
  Actions and conditions:
    • Remove existing interface (10.10.10.2) from VM (vma) with different discovered name (vmb) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com; 10.10.10.2 vmb.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); Host record vmb.corp1.com (10.10.10.2)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)

Scenario 7
  Actions and conditions:
    • Remove existing interface (10.10.10.2) from VM (vma) with different discovered name (vmb) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by admin)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com; 10.10.10.2 vmb.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); Host record vmb.corp1.com (10.10.10.2)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); Host record vmb.corp1.com (10.10.10.2)

Scenario 8
  Actions and conditions:
    • Update record name (from vma to vm1) for the existing interface (10.10.10.1) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vm1.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vm1.corp1.com (10.10.10.1)

Scenario 9
  Actions and conditions:
    • Update record name (from vma to vm1) for the existing interface (10.10.10.1) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by admin)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vm1.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); Host record vm1.corp1.com (10.10.10.1)

Scenario 10
  Actions and conditions:
    • Automatic creation of Host records
    • Change FQDN template from ${discover_name} to ${vm_name}
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com, vm_name: ABC
  Cloud Platform data after vDiscovery: 10.10.10.1 vm1.corp1.com, vm_name: ABC
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record ABC.corp1.com (10.10.10.1)

Scenario 11
  Actions and conditions:
    • Automatic creation of Host records
    • Change FQDN template from ${discover_name} to ${vm_name}
    • In NIOS: existing zone corp1.com; existing Host record (originally created by admin)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com, vm_name: ABC
  Cloud Platform data after vDiscovery: 10.10.10.1 vm1.corp1.com, vm_name: ABC
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); Host record ABC.corp1.com (10.10.10.1)

Scenario 12
  Actions and conditions:
    • Change vDiscovery task configuration from creation of Host record to A and PTR records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; A record vma.corp1.com (10.10.10.1)

Scenario 13
  Actions and conditions:
    • Change vDiscovery task configuration from creation of Host record to A and PTR records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by admin)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1); A record vma.corp1.com (10.10.10.1)

Scenario 14
  Actions and conditions:
    • Add new VM (vma) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; no DNS records
  Cloud Platform data before vDiscovery: No data for vma
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)

Scenario 15
  Actions and conditions:
    • Add new VM (vma) on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery or admin)
  Cloud Platform data before vDiscovery: No data for vma
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)

Scenario 16
  Actions and conditions:
    • Add new interface to existing VM (vma) with the same discovered name on Cloud Platform appliance
    • Automatic creation of Host records
    • In NIOS: existing zone corp1.com; existing Host record (originally created by vDiscovery)
  Cloud Platform data before vDiscovery: 10.10.10.1 vma.corp1.com
  Cloud Platform data after vDiscovery: 10.10.10.1 vma.corp1.com
  NIOS data before vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1)
  NIOS data after vDiscovery: Zone corp1.com; Host record vma.corp1.com (10.10.10.1, 10.10.10.2)
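The conditions and the matrix above reduce to a small set of rules, and it is worth being able to predict the outcome before a job runs against a production zone. The following Python is an added example, not Infoblox code: an in-memory model of a NIOS DNS database and one vDiscovery run, implementing the rules the page states (the zone must already exist, a PTR record needs its reverse-mapping zone, a zone in more than one DNS view is skipped, and vDiscovery creates, updates and removes only records it created itself). Zone names, addresses and the owner labels "vdiscovery" and "admin" are constructed for the example, and one rule is inferred from the matrix rows rather than stated outright: when a record of the requested type with the same name already exists and was not created by vDiscovery, that name is left unchanged and a message is logged.

```python
"""Model of the DNS record rules this page states for vDiscovery.

Added example, not Infoblox code. The rules implemented are the ones the page
states; the "name held by a non-vDiscovery record is left unchanged" rule is
inferred from the matrix above. All names, addresses and owners are constructed.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Record:
    rtype: str   # "host", "a" or "ptr"
    name: str    # FQDN (for PTR: the reverse name under in-addr.arpa)
    data: object # list of addresses for host/A records; target FQDN for PTR
    owner: str   # "vdiscovery" or "admin" (constructed labels)


@dataclass
class NiosDb:
    zones: dict = field(default_factory=dict)   # zone FQDN -> number of DNS views it belongs to
    records: list = field(default_factory=list)
    syslog: list = field(default_factory=list)

    def zone_for(self, fqdn):
        """Longest existing zone that is a parent of fqdn, or None."""
        labels = fqdn.split(".")
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def usable_zone(self, fqdn):
        """Zone the record may be added to, or None with the reason logged."""
        zone = self.zone_for(fqdn)
        if zone is None:
            self.syslog.append(f"no zone for {fqdn}: record not created")
            return None
        if self.zones[zone] > 1:
            self.syslog.append(f"zone {zone} is in {self.zones[zone]} DNS views: record not created")
            return None
        return zone


def sync(db, discovered, mode="host"):
    """Apply one vDiscovery run to db and return it.

    discovered: list of (ip, fqdn) pairs as computed from the VM data and the
    FQDN formula; an empty fqdn means no VM name was available for that IP.
    mode: "host" to create Host records, "a_ptr" to create A and PTR records.
    """
    rtype = "host" if mode == "host" else "a"
    # Group discovered addresses by name: one Host record may carry several IPs.
    desired = {}
    for ip, fqdn in discovered:
        if fqdn:
            desired.setdefault(fqdn, []).append(ip)
    # vDiscovery owns only its own records: drop them and rebuild them from the
    # current discovery data. Records created by other admins are never touched.
    db.records = [r for r in db.records if r.owner != "vdiscovery"]
    for fqdn, ips in desired.items():
        if db.usable_zone(fqdn) is None:
            continue
        if any(r.rtype == rtype and r.name == fqdn for r in db.records):
            db.syslog.append(f"{rtype} record {fqdn} exists and was not created by vDiscovery: left unchanged")
            continue
        db.records.append(Record(rtype, fqdn, sorted(ips), "vdiscovery"))
        if mode == "a_ptr":
            for ip in ips:
                reverse_name = ipaddress.ip_address(ip).reverse_pointer
                if db.usable_zone(reverse_name) is None:
                    continue   # no reverse-mapping zone: no PTR record
                db.records.append(Record("ptr", reverse_name, fqdn, "vdiscovery"))
    return db


def records_of(db, rtype):
    """Sorted (name, data, owner) tuples of one record type, for inspection."""
    return sorted((r.name, r.data, r.owner) for r in db.records if r.rtype == rtype)


if __name__ == "__main__":
    # Scenario 9 from the matrix: the admin-created Host record stays, vm1 is added.
    db = NiosDb(zones={"corp1.com": 1},
                records=[Record("host", "vma.corp1.com", ["10.10.10.1"], "admin")])
    sync(db, [("10.10.10.1", "vm1.corp1.com")])
    print(records_of(db, "host"))
    print(db.syslog)
```

Running the model with the zones and records you actually have in NIOS, and the (ip, fqdn) pairs a discovery would produce, shows which records the job would add or remove and which would be skipped with a syslog message, without touching the Grid.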



To enable the appliance to automatically create DNS records, complete the following in Grid Manager:

  1. For a new vDiscovery job: From the Data Management tab, select the IPAM tab, then select vDiscovery -> New from the Toolbar; or from the Cloud tab, select vDiscovery -> New from the Toolbar.
    or
    To modify an existing job: From the Data Management tab, select the IPAM tab and click vDiscovery -> Discovery Manager from the Toolbar, or from the Cloud tab, select vDiscovery -> Discovery Manager from the Toolbar. In the vDiscovery Job Manager editor, click the Action icon next to a selected job and select Edit from the menu.

  2. In step four of the vDiscovery Job wizard, or on the Data Consolidation tab of the vDiscovery Job Properties editor, complete the following:
    For every newly discovered IP address, create: Select this checkbox to enable NIOS to automatically create or update DNS records for discovered VM instances if the records were originally created by vDiscovery.

    • Host: Select this to automatically create Host records for discovered VMs.

    • A & PTR Record: Select this to automatically create A and PTR records for discovered VMs. Note that the DNS zones and reverse-mapping zones to which the records belong must exist in NIOS. Otherwise, vDiscovery does not create the records.

    • The DNS name will be computed from the formula: Enter the formula that NIOS uses to create FQDNs for discovered VMs. You can use the auto-generated FQDNs for DNS resolution purposes. You must use the syntax ${parameter name} for this formula. For AWS, this field supports the vm_name and discovered_name parameters. For example, when you enter ${vm_name}.corp100.com and the discovered vm_name is XYZ, the DNS name for this IP becomes XYZ.corp100.com. When you enter ${discover_name} here and the discovered name for the IP is ip-172-31-1-64.us-west-1.compute.internal, the DNS name for this IP is ip-172-31-1-64.us-west-1.compute.internal.
      Note that if the ${vm_name} parameter of an instance contains any special character, the appliance will not be able to identify this instance and will convert it to a managed VM using the vm_id parameter.
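The formula syntax and the special-character note above are straightforward to reproduce, which makes it easy to check what names a job will generate from a VM inventory before enabling automatic record creation. The following Python is an added example, not Infoblox code: it expands the ${parameter} syntax with the vm_name and discovered_name parameters (the page writes the latter both as discovered_name and as ${discover_name}, so both spellings are accepted here as an assumption), rejects parameters the formula does not support, and applies a hostname-safety check to the result. The page does not say which characters NIOS treats as special, so the check used here is an assumption (RFC 1123 host labels: letters, digits and hyphens); when it fails, the function reports that the instance is identified by its vm_id instead. The VM attribute values are constructed.

```python
"""FQDN formula expansion for vDiscovery, following the description above.

Added example, not Infoblox code. Assumptions: both spellings discover_name
and discovered_name refer to the discovered name, and "special character"
means anything outside RFC 1123 host labels (letters, digits, hyphens).
"""
import re

PARAM_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
ALIASES = {"discover_name": "discovered_name"}   # assumption: the page uses both spellings
SUPPORTED = {"vm_name", "discovered_name"}       # the parameters the page lists for AWS


def expand_formula(template, vm):
    """Substitute ${...} parameters in template from the discovered VM data.

    vm is a dict of discovered attributes (vm_name, discovered_name, vm_id, ...).
    Raises ValueError for a parameter the formula does not support or that has
    no value for this VM.
    """
    def repl(match):
        raw = match.group(1)
        key = ALIASES.get(raw, raw)
        if key not in SUPPORTED:
            raise ValueError(f"unsupported parameter ${{{raw}}}")
        value = vm.get(key)
        if not value:
            raise ValueError(f"no value for ${{{key}}} on this VM")
        return value
    return PARAM_RE.sub(repl, template)


def is_valid_hostname(fqdn):
    """True when every label of fqdn is an RFC 1123 host label (assumed check)."""
    return all(LABEL_RE.match(label) for label in fqdn.rstrip(".").split("."))


def dns_name_for(template, vm):
    """Return (fqdn, note) for one VM.

    fqdn is None when no usable DNS name results; note explains why. A vm_name
    with characters outside the hostname-safe set yields no name, and the note
    records that the instance is identified by its vm_id instead.
    """
    try:
        fqdn = expand_formula(template, vm)
    except ValueError as exc:
        return None, str(exc)
    if not is_valid_hostname(fqdn):
        return None, f"{fqdn!r} is not a valid hostname; instance identified by vm_id {vm.get('vm_id')}"
    return fqdn, "ok"


if __name__ == "__main__":
    # Constructed inventory of two discovered VMs (vm_id values are placeholders).
    inventory = [
        {"vm_name": "XYZ", "discovered_name": "ip-172-31-1-64.us-west-1.compute.internal",
         "vm_id": "i-0000example1"},
        {"vm_name": "web server #1", "discovered_name": "ip-172-31-1-65.us-west-1.compute.internal",
         "vm_id": "i-0000example2"},
    ]
    for vm in inventory:
        print(dns_name_for("${vm_name}.corp100.com", vm))
```

Run the function over an export of your VM inventory with the formula you intend to configure: any entry returning None is a VM that will not receive a DNS record as written, either because of an unsupported parameter or because of a vm_name that is not hostname-safe.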
