Note: Single and clustered deployments of Orchestrator are not in the scope of this article.

Intro

When I joined Wipro, I started working on Aria Automation Cloud, which is the SaaS version of the VMware Aria Automation tool.

Prior to that, I used to work on two different types of Orchestrators: one working as a single point of automation for various endpoints like vSphere, Cloud Director, Service Now, etc., and the other one which comes as part of the Aria Automation appliance bundle itself. But recently, I came to know about the third type – Cloud Extensibility Proxy.

In this article, we will try to uncover them, learn about them and the core differences among them.

Let’s talk about these 3 types of orchestrators, one-by-one.

Standalone or External

Usability

The Standalone version of Orchestrator comes as a separate appliance, downloadable from the Customer Connect portal as an OVA. It doesn’t require the Aria Automation tool for its enablement and is most commonly used with endpoints like vSphere, especially with the vCOIN plugin for leveraging workflows as context actions, or with Cloud Director for providing workflows as XaaS Service Library items to the tenants, or maybe with Service Now for ITSM and CMDB related tasks.

Standalone Orchestrator can also be used as an external orchestrator with Aria Automation, alongside the embedded one, in case you want to use a different set of workflows for multiple tenants in Aria Automation or with Service Now.

Services

The Standalone Orchestrator Appliance includes the following components:

  • An infrastructure level Kubernetes layer.
  • A preconfigured PostgreSQL database.
  • The core vRealize Orchestrator services: the server service, Control Center service, and orchestration UI service.

Authentication

To authenticate and manage user permissions, Orchestrator requires a connection to either Aria Automation or a vSphere server instance.

Standalone Orchestrator with vSphere Authentication

Embedded

Usability

Embedded Orchestrators are mainly used as a sub-component of Aria Automation for developing automations that are not provided out-of-the-box. However, as we have seen in my other article, Importance of Orchestrator in Aria Automation [CB10128], it can be utilized in the following areas:

  • Day-2 actions for Resources and Deployments
  • Event Subscription and extensibility via Orchestrator WFs
  • Dynamic Enums
  • Service Broker form extensibility
  • Custom Datatypes & Dynamic Datatypes
  • XaaS (Anything as a Service)
  • Automation Pipelines Workflows

You can customize the embedded orchestrator as part of Aria Automation.

Services

As all the core orchestrator services are running on the same appliance as Aria Automation, you can certainly notice the difference in the list of pods and services.

List of Aria Automation services
ingress-ctl
kube-dns
etcd-service
health-reporting-service
kube-apiserver
kube-controller-manager
kube-flannel-ds
kube-proxy
kube-scheduler
kubelet-rubber-stamp
predictable-pod-scheduler
tiller-deploy
openfaas
abx-service
approval-service
assessment-service
ui
catalog-service
cgs-service
cmx-service
codestream
docker-registry
ebs
form-service
hcmp-service
identity-service
migration-service
no-license
postgres
project-service
provisioning-service
proxy-service
rabbitmq-ha
relocation-service
tango-blueprint-service
tango-vro
terraform-service
user-profile-service
vco
adapter-host-service
endpoints
lemans-resources
lemans-gateway
private-cloud-gateway

Authentication

Orchestrator is configured to authenticate using Aria Automation by default.

CExP or Aria Extensibility Proxy

CExP is a virtual appliance (VA) used in the configuration of the on-premises extensibility action integrations and VMware Aria Automation Orchestrator 8.x integrations in Automation Assembler. This appliance includes a preconfigured Automation Orchestrator instance that is created after you deploy and power on your cloud extensibility proxy.

Usability

You cannot integrate external Automation Orchestrator instances in VMware Aria Automation SaaS or Cloud; instead, you must deploy a cloud extensibility proxy instance, which can be used for extensibility subscriptions and XaaS operations used for cloud templates.

It runs the latest and greatest version of the Orchestrator codebase. As you can see, this appliance is already using 8.16, whereas the November 2023 release of Orchestrator is at version 8.14.1, which is a little weird because VMware doesn’t provide release notes for CExP Orchestrator. VMware mentioned that, beginning with version 8.4, monthly-styled releases will be made available of the latest available version from Aria Automation SaaS; I am not sure if this is also true for CExP and Standalone Orchestrators.

Installing CExP requires you to download VMware-Extensibilty-Appliance-SaaS.ova file. Note that CExP is different from non-cloud extensibility cloud proxy which requires VMware-Cloud-Services-Data-Collector.ova file.

Services

The set of pods is mostly similar to Standalone except with some docker pods.

However, it comes with the following agent services.

| Agent name | What the agent stores | What the agent collects | Used by | Details |
|---|---|---|---|---|
| codestream-lemans-agent | Only log files and proxy.properties are volume mounted. | Helps to proxy commands from code stream SaaS to on-premises endpoints. | VMware Aria Automation Pipelines | Enables integration of VMware Aria Automation Pipelines with on-premises endpoints. Helps SaaS run commands on on-premises endpoints via the data pipeline service. Events such as Gerrit push that happen on on-premises endpoints are pushed to VMware Aria Automation Pipelines to start user-configured pipelines. |
| vro-agent | Endpoint credentials | Workflow and action definitions. | VMware Aria Automation Assembler | The VMware Aria Automation Orchestrator agent communicates with the on-premises VMware Aria Automation Orchestrator server. The VMware Aria Automation Orchestrator agent propagates information for available workflows to the SaaS version of VMware Aria Automation and allows starting of workflow runs from the SaaS version of VMware Aria Automation. Uses the data pipeline service to communicate with the SaaS version of VMware Aria Automation. Only outbound traffic from the VMware Aria Automation Orchestrator agent to the SaaS version of VMware Aria Automation is used. |
| cloudassembly-cmx-agent | Log files. | Information about PKS/K8S resources. | VMware Aria Automation Assembler | The CMX agent is responsible for the communication with PKS and K8S clusters. |
| cloudassembly-blueprint-agent | Temporarily stores request inputs and outputs. Logs are volume mounted. | No automatic collection from on-premises to SaaS. Logs are shared or uploaded only when manually approved. | VMware Aria Automation Assembler | Enables VMware Aria Automation Assembler to integrate with on-premises endpoints such as Ansible and Puppet. Commands are sent over the data pipeline service to communicate with these external accounts. |
| cloudassembly-sddc-agent | Endpoint certificate thumbprint and self-signed certificates. | vCenter and NSX inventory artifacts such as host, machines, storage, networks, and templates. | VMware Aria Automation Assembler | Information is passed between the VMware Cloud service and the on-premises vCenter. The cloud proxy on the vCenter initiates the connection to the VMware Cloud service. After connected, the cloud proxy receives commands from the VMware Cloud service. A VMware Cloud service cannot initiate the connection to the cloud proxy. |
| log-forwarder | Does not store anything. | vCenter and NSX logs. | VMware Aria Operations for Logs | Forwards vCenter and NSX logs to VMware Aria Operations for Logs. |

Authentication

When Orchestrator is deployed within a Cloud Extensibility Proxy appliance (i.e. CEXP Orchestrator), the authentication process redirects the user to VMware Cloud Services, where they sign in with their user ID and are then redirected to the Orchestrator dashboard.

For getting API access to Orchestrator, you would need to create an OAuth App within VMware Cloud Services and give it the appropriate Service Role to connect to the vRealize Orchestrator instance embedded in the CEXP.
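
The API access flow described above, as an added example that is not part of the original article: it builds the client-credentials token request for the OAuth App, audits the returned token for expiry and for permissions beyond the intended Service Role, and builds the bearer-authenticated Orchestrator call. The CSP token endpoint, the /vco/api/workflows path, the "perms" claim name and the host cexp.example.internal are assumptions not stated on this page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumptions (not from the article): CSP token endpoint, the /vco/api path,
# the "perms" claim name, and the placeholder CExP host below.
CSP_TOKEN_URL = "https://console.cloud.vmware.com/csp/gateway/am/api/auth/authorize"
CEXP_HOST = "cexp.example.internal"  # placeholder host


def token_request(client_id, client_secret):
    """OAuth client-credentials request: the secret travels only in the
    Basic Authorization header, never in the URL or query string."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        CSP_TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def jwt_claims(token):
    """Decode the JWT payload for inspection only (signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_token(token, allowed_perms, now=None):
    """Return findings: expired token, or permissions beyond the intended role."""
    claims = jwt_claims(token)
    findings = []
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        findings.append("token expired")
    extra = sorted(set(claims.get("perms", [])) - set(allowed_perms))
    if extra:
        findings.append("unexpected permissions: " + ", ".join(extra))
    return findings


def workflows_request(token):
    """Bearer-authenticated call to the Orchestrator REST API on the CExP."""
    return urllib.request.Request(
        f"https://{CEXP_HOST}/vco/api/workflows",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
```

Pass either request object to urllib.request.urlopen to send it; an empty list from audit_token means the token is unexpired and carries only the permissions you intended for the OAuth App.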

Licensing Model

Standalone instances can utilize either vSphere or Aria Automation based licenses. Embedded instances are restricted to Aria Automation licenses. CExP instances use a Cloud Services Platform (CSP) authentication that provides the same features as Standalone Orchestrators that use a VMware Aria Automation license.

| Authentication | License | Git Integration | Role management | Multi-language support |
|---|---|---|---|---|
| vSphere | vSphere; vCloud Suite Standard | No | No | No |
| vSphere | VMware Aria Automation; VMware Aria Suite Advanced or Enterprise; vCloud Suite Advanced or Enterprise | Yes | Yes. Limited. | Yes |
| VMware Aria Automation* | VMware Aria Automation; VMware Aria Suite Advanced or Enterprise; vCloud Suite Advanced or Enterprise | Yes | Roles are managed from the VMware Aria Automation instance used to authenticate Embedded Orchestrator or even Standalone Orchestrator if an Aria Automation license is being used with it. | Yes |
| VMware Aria Automation Cloud | Cloud Services Platform (CSP) | Yes | Roles are managed from the VMware Aria Automation Cloud instance used to authenticate Automation Orchestrator. | Yes |

* applicable only for Embedded Orchestrators

The Automation Orchestrator integration in VMware Aria Automation SaaS uses a Cloud Services Platform (CSP) authentication that provides the same features as external Automation Orchestrator deployments that use a VMware Aria Automation license.

Standalone Orchestrator with an Enterprise license

Final note

Apart from the aforementioned differences, you may find several other differences in terms of certificate management, scalability, CLI command set, etc. Let me know in the comments if you come across any. Hope you like it. Finally, a quick comparison of the editions of Aria Automation on-premise and Cloud.

References

Update (07-01-2024) Added Authentication column in CEXP and updated the references.

Update (08-01-2024) Updated some images.