Note: As of January 2024, VMware by Broadcom has discontinued its Aria SaaS offering. Consequently, the purchase of Aria Automation SaaS is no longer available, rendering CExP orchestrators obsolete.
- Intro
- Standalone or External
- Embedded
- CExP or Aria Extensibility Proxy (Deprecated)
- Licensing Model
- Final note
- References
Intro
When I joined Wipro, I started working on Aria Automation SaaS, which is a cloud version of the VMware Aria Automation tool.
Prior to this, I worked with two distinct types of Orchestrators. One functioned as a singular point of automation for multiple endpoints such as vSphere, Cloud Director, and Service Now, while the other was integrated into the Aria Automation appliance bundle itself. Although I was aware of the third type, CEXP (Cloud Extensibility Proxy), I had never witnessed it in action. Upon finally observing its functionality, I discerned significant differences among all three variants.
In this article, I will endeavor to reveal them, discuss them, and delineate the fundamental differences among them.
Let’s talk about these 3 types of orchestrators, one-by-one.
Standalone or External
Usability
The Standalone version of Orchestrator comes as a separate appliance, downloadable from the Customer Connect portal as an OVA. It doesn’t require the Aria Automation tool for its enablement and is most commonly used with endpoints like vSphere, especially with the vCOIN plugin for leveraging workflows as Context actions, or with Cloud Director for providing workflows as XaaS Service Library items to the tenants, or maybe with Service Now for ITSM and CMDB related tasks.

Standalone Orchestrator can also be used as an external orchestrator with Aria Automation on-prem, alongside the embedded one, in case you want to use a different set of workflows for multiple tenants in Aria Automation. Get more details on the setup here: https://thecloudxpert.net/2020/11/03/howto-configure-multi-org-tenancy-in-vra8-part7/
Services
The Standalone Orchestrator Appliance includes the following components:
- An infrastructure level Kubernetes layer.
- A preconfigured PostgreSQL database.
- The core vRealize Orchestrator services: the server service, Control Center service, and orchestration UI service.

Authentication
Orchestrators typically do not have their own authentication mechanisms and instead rely on external systems for this purpose. To authenticate users and manage their permissions, an orchestrator requires a connection to either an on-premises Aria Automation or an on-premises vSphere server instance (excluding VMC).

Embedded
Usability
Embedded Orchestrators are mainly used as a sub-component of Aria Automation for developing automations that are not provided out-of-the-box. The orchestrator comes embedded in the Automation appliance, so there is no requirement to deploy a separate VM for it.
Let’s see how it can be utilized to extend Aria Automation in the following areas:
- Day-2 actions for Resources and Deployments
- Event Subscription and extensibility via Orchestrator WFs
- Dynamic Enums
- Service Broker form extensibility
- Custom Datatypes & Dynamic Datatypes
- XaaS (Anything as a Service)
- Automation Pipelines Workflows
Learn more about these points in Importance of Orchestrator in Aria Automation [CB10128].
Additionally, you have the option to implement aesthetic modifications to the integrated orchestrator within Aria Automation.

Services
As all the core orchestrator services are running on the same appliance as Aria Automation, you can certainly notice the difference in the list of pods and services.

| List of Aria Automation services |
|---|
| ingress-ctl |
| kube-dns |
| etcd-service |
| health-reporting-service |
| kube-apiserver |
| kube-controller-manager |
| kube-flannel-ds |
| kube-proxy |
| kube-scheduler |
| kubelet-rubber-stamp |
| predictable-pod-scheduler |
| tiller-deploy |
| openfaas |
| abx-service |
| approval-service |
| assessment-service |
| ui |
| catalog-service |
| cgs-service |
| cmx-service |
| codestream |
| docker-registry |
| ebs |
| form-service |
| hcmp-service |
| identity-service |
| migration-service |
| no-license |
| postgres |
| project-service |
| provisioning-service |
| proxy-service |
| rabbitmq-ha |
| relocation-service |
| tango-blueprint-service |
| tango-vro |
| terraform-service |
| user-profile-service |
| vco |
| adapter-host-service |
| endpoints |
| lemans-resources |
| lemans-gateway |
| private-cloud-gateway |
Authentication
This type of Orchestrator is configured to be authenticated using Aria Automation by default.
CExP or Aria Extensibility Proxy (Deprecated)
CExP is a virtual appliance (VA) used in the configuration of the on-premises extensibility action integrations and VMware Aria Automation Orchestrator 8.x integrations in Automation Assembler. This appliance includes a preconfigured Automation Orchestrator instance that is created after you deploy and power on your cloud extensibility proxy.
Usability
You cannot integrate external Automation Orchestrator instances in VMware Aria Automation SaaS or Cloud. Instead, you must deploy a cloud extensibility proxy instance, which can be used for extensibility subscriptions and XaaS operations used for cloud templates.
Protip: Installing CExP requires you to download the VMware-Extensibilty-Appliance-SaaS.ova file. Note that CExP is different from the non-cloud extensibility cloud proxy, which requires the VMware-Cloud-Services-Data-Collector.ova file.
Services
The set of pods is mostly similar to Standalone except with some docker pods.

However, it comes with the following agent services.
| Agent name | What the agent stores | What the agent collects | Used by | Details |
|---|---|---|---|---|
| codestreamlemans-agent | Only log files and proxy.properties are volume mounted. | Helps to proxy commands from code stream SaaS to on-premises endpoints. | VMware Aria Automation Pipelines | Enables integration of VMware Aria Automation Pipelines with on-premises endpoints. Helps SaaS run commands on on-premises endpoints via the data pipeline service. Events such as Gerrit push that happen on on-premises endpoints are pushed to VMware Aria Automation Pipelines to start user-configured pipelines. |
| vro-agent | Endpoint credentials | Workflow and action definitions. | VMware Aria Automation Assembler | The VMware Aria Automation Orchestrator agent communicates with the on-premises VMware Aria Automation Orchestrator server. The VMware Aria Automation Orchestrator agent propagates information for available workflows to the SaaS version of VMware Aria Automation and allows starting of workflow runs from the SaaS version of VMware Aria Automation. Uses the data pipeline service to communicate with the SaaS version of VMware Aria Automation. Only outbound traffic from the VMware Aria Automation Orchestrator agent to the SaaS version of VMware Aria Automation is used. |
| cloudassemblycmx-agent | Log files. | Information about PKS/K8S resources. | VMware Aria Automation Assembler | The CMX agent is responsible for the communication with PKS and K8S clusters. |
| cloudassemblyblueprint-agent | Temporarily stores request inputs and outputs. Logs are volume mounted. | No automatic collection from on-premises to SaaS. Logs are shared or uploaded only when manually approved. | VMware Aria Automation Assembler | Enables VMware Aria Automation Assembler to integrate with on-premises endpoints such as Ansible and Puppet. Commands are sent over the data pipeline service to communicate with these external accounts. |
| cloudassemblysddc-agent | Endpoint certificate thumbprint and self-signed certificates. | vCenter and NSX inventory artifacts such as host, machines, storage, networks, and templates. | VMware Aria Automation Assembler | Information is passed between the VMware Cloud service and the on-premises vCenter. The cloud proxy on the vCenter initiates the connection to the VMware Cloud service. After connected, the cloud proxy receives commands from the VMware Cloud service. A VMware Cloud service cannot initiate the connection to the cloud proxy. |
| log-forwarder | Does not store anything. | vCenter and NSX logs. | VMware Aria Operations for Logs | Forwards vCenter and NSX logs to VMware Aria Operations for Logs. |
Authentication
When Orchestrator is deployed within a Cloud Extensibility Proxy appliance (i.e. CEXP Orchestrator), the authentication process entails directing the user to VMware Cloud Services, where they must authenticate using their user ID before being redirected to the Orchestrator dashboard.

To get API access to Orchestrator, you need to create either an OAuth App or an API token within VMware Cloud Services and give it the appropriate Service Role to connect to the vRealize Orchestrator instance.
Licensing Model
Standalone instances can utilize either vSphere or Aria Automation based licenses. Embedded instances are restricted to Aria Automation licenses. CExP instances use a Cloud Services Platform (CSP) authentication that provides the same features as Standalone Orchestrator instances that use a VMware Aria Automation license.
| Authentication | License | Git Integration | Role management | Multi-language support |
|---|---|---|---|---|
| vSphere | vSphere; vCloud Suite Standard | No | No | No |
| vSphere | VMware Aria Automation; VMware Aria Suite Advanced or Enterprise; vCloud Suite Advanced or Enterprise | Yes | Yes. Limited. | Yes |
| VMware Aria Automation* | VMware Aria Automation; VMware Aria Suite Advanced or Enterprise; vCloud Suite Advanced or Enterprise | Yes | Roles are managed from the VMware Aria Automation instance used to authenticate Embedded Orchestrator or even Standalone Orchestrator if an Aria Automation license is being used with it. | Yes |
| VMware Aria Automation Cloud | Cloud Services Platform (CSP) | Yes | Roles are managed from the VMware Aria Automation Cloud instance used to authenticate Automation Orchestrator. | Yes |
The Automation Orchestrator integration in VMware Aria Automation SaaS uses a Cloud Services Platform (CSP) authentication that provides the same features as external Automation Orchestrator deployments that use a VMware Aria Automation license.


Final note
Apart from the aforementioned differences, you may find several other differences in terms of certificate management, scalability, CLI command set, etc. Let me know in the comments if you come across any. Hope you like it.
References
- https://txusa.cloud/2020/07/06/one-click-vcsa-update/
- https://docs.vmware.com/en/VMware-Aria-Automation/SaaS/Using-Automation-Assembler/GUID-3F363A84-4F4F-4B77-B38F-547C85F84B7C.html#GUID-3F363A84-4F4F-4B77-B38F-547C85F84B7C
- https://kb.vmware.com/s/article/2143850
- https://docs.vmware.com/en/VMware-Aria-Automation/SaaS/Using-Automation-Assembler/GUID-CD0C39C1-7C43-4AF8-9F3C-3814CB1A94B5.html
- https://www.arunnukula.com/post/vmware-aria-cloud-extensibility-proxy-deploy-and-upgrade-runbook
- https://samperrin.com/posts/monitoring-cloud-extensibility-proxy-orchestrator-with-aria-operations-cloud/
Update (07-01-2024) Added Authentication column in CEXP and updated the references.
Update (08-01-2024) Updated some images.
What is the difference between CExP and vREx?
vREx: It is basically a cloud account proxy agent for connecting geographically distant or network isolated vCenters to Aria Automation. So basically, vREx = vRA + far away vCenters.
CeXP: It was an Orchestrator appliance with built-in proxy to allow extensibility operations from Aria Automation Cloud. So basically, CeXP = vRA Cloud + vRO on-prem.
Links: https://www.linkedin.com/posts/mayankgoyal1994_cloudblogger-broadcom-ariaautomation-activity-7289976984367992833-pxrj?utm_source=share&utm_medium=member_desktop&rcm=ACoAAArxUGsB6TPigSLKITPbO8ok6zLnKmzMYOo