Version: 2023.3

Add an AWS EC2 App Template

The App template defines the settings and configurations of the VM to be deployed in the sandbox as well as the application(s) to be installed on that VM.

Notes:

By default, all public cloud Apps of the same type in the same sandbox are deployed within the same subnet and therefore are connected to each other and isolated from other sandboxes. However, using the Subnet service, blueprint designers can set up multiple subnet networks in the sandbox, instead of having one default subnet for all the Apps of the same cloud provider. For details, see Subnet Connectivity.
Public cloud App deployment requires the management network and subnet(s) to be prepared in advance as part of the sandbox Setup process; CloudShell's out-of-the-box Setup process does this. However, the blueprint must include at least one public cloud App to initiate the Setup script's connectivity preparation process for deployment in that public cloud.

To add a new AWS EC2 App template:

Click + Add.

The Create New App wizard is displayed.
From the Select Deployment Type pane, select AWS EC2 instance.
Enter a Name for the App template.

note
The App template's name has a limit of 100 characters and can only contain alpha-numeric characters, spaces, and the following characters: | . - _ ] [
Click Create.

The App template is created and the App wizard's General page is displayed.

In the General page, define the App template's display settings and category.

Field	Required	Description
Name	Required	App name that is displayed in the catalog.
Description	Optional	Description of the App.
Icon	Optional	Add an image to the catalog definition. The recommended size for the image is 190x120 pixels (image size is limited to 400x400 pixels or 200 KB).
Categories	Optional	Service categories are a method to classify Apps. The Apps are displayed in the Add App / Service side pane in the blueprint and sandbox diagram, arranged in categories. Only users who are permitted to view the category can access the App. Apps without a category are not displayed. By default, the Applications category is selected. Select a category from the dropdown list. You can select additional categories. Examples of categories are: applications, networking and VLAN. Notes: The category must be associated with the domain in which the required cloud provider resides. For information about domain categories, see Managing domain categories. It is recommended to use up to a 2-level hierarchy when organizing the Add App / Service catalog (i.e. root and sub-category). In the Add App / Service side pane, Apps are displayed in the root category only. This includes services associated to sub-categories.

In the left pane, click Deployment Paths and configure the App template's deployment path.

A deployment path defines (1) the AWS AMI image, (2) the VM’s settings such as storage size, CPU and image file, and (3) the CloudShell cloud provider resource that enables CloudShell to access the cloud provider and deploy the VM on it.

Note the deployment path's name (highlighted in the image below). The path's name is dynamic and consists of the selected Cloud Provider resource and Deployment type. You can change the name of the path by clicking the field.

From the Deployment drop down list, select the deployment type.

The selected deployment type's attributes are displayed.

important
The deployment type related to the AWS 2nd Gen cloud provider shell is named "Amazon AWS EC2 Instance 2G".

Fill in the details.

For AWS EC2 Instance attributes

Attribute	AWS EC2 shell version	Description
Cloud Provider	All	Name of the AWS EC2 cloud provider resource to be used
AWS AMI ID	All	AWS AMI ID to launch the instance from. For example, "ami-6869aa05". note The AMI must be accessible in the selected cloud provider's AWS region.
Allow All Sandbox Traffic	All	Determines if the App allows inbound traffic from all other AWS EC2 Apps in the sandbox. If set to False, the instance will be isolated. Access from specific Apps or subnets can be defined using the Inbound Ports attribute or API. note By default, this attribute is True. This means that all access is allowed to all ports from all Apps in the sandbox and all ports are open for traffic within the sandbox.
Instance Type	All	AWS EC2 instance type. The instance type determines the CPU, memory, storage and networking capacity of the instance. For example, "t2.large". Leave empty to use the default instance type specified in the AWS EC2 cloud provider resource. For built-in or Marketplace images, make sure the instance type is supported by the image you defined in the App.
IAM Role Name	All	(Optional) Name of the IAM role to associate to the App's AWS EC2 instance. The instance will use this role to access AWS. Notes: The role must have the AWS permissions required for the actions the instance is expected to perform. If the role does not exist, or there are other issues with launching the instance with the role, App deployment will fail.
Inbound Ports	All	Semi-colon separated list of ports and protocols to open for inbound traffic. Note that by default all ports are open for traffic between AWS EC2 App instances within the sandbox, but this can be changed using the Allow All Sandbox Traffic attribute. In addition, all outbound traffic is allowed. The syntax is: `port[single/range]:protocol[tcp(default)/udp]` For example: "80;443:tcp;200-220:udp". note If not specified, the protocol defaults to TCP. Tips: To allow QualiX in-browser connections to the VM from the sandbox, include port "22". To set more specific security groups, it is recommended to use the TestShell API's SetAppsSecurityGroup method instead. Unlike the Inbound Ports attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see SetAppSecurityGroups Code Example.
Public IP Options	All	Enables access to the instance from the internet. Options are: No Public IP - default option Public IP (single subnet) - (for Apps connected to a single subnet [private or public]) allocates a public IP Elastic IPs - (for Apps connected to multiple subnets) allocates an elastic IP for the App in each of the public subnets that it is connected to note In AWS EC2 Apps, this setting is mandatory if the App is connected to more than one network (private or public).
Storage Size	2^nd Gen only	The root volume size. The value must be greater or equal to the size of the root snapshot used. If set to 0, the default defined in the image will be used. For example: 30.
Storage IOPS	2^nd Gen only	The default number of I/O operations per second that the root volume can support. This parameter is used only for storage of type io1, in which you can provision up to 30 IOPS per GiB. If set to 0, the default in the image is used. For example: 240.
Storage Type	2^nd Gen only	The type of storage volume. In AWS, there are several EBS Volume types that can be used, gp2 and io1 for SSD, st1 and sc1 for HDD or the standard type which is the old generation EBS volume type. If auto is selected, the storage type defined in the image is used.
Root Volume Name	2^nd Gen only	The device names available for the volume. Depending on the block device driver of the selected AMI's kernel, the device may be attached with a different name than what you specify. If left empty, the default defined in the AMI is used. For example: /dev/xvda
Autoload	2^nd Gen only	Enables the automatic execution of the Autoload command during reservation Setup.
Wait for IP	2^nd Gen only	If set to False, the deployment will not wait for the VM to get an IP.
Wait for Status Check	2^nd Gen only	If set to True, the App's deployment will end successfully only after instance status checks have passed. The status checks include network connectivity, physical host status, system status and more.
Wait for Credentials	2^nd Gen only	Enable in order to retrieve credentials from a Windows machine. Note that if this parameter is enabled and the credentials are not retrieved within 15 minutes, the deployment will fail.
Custom Tags	All	Custom tags to be set on CloudShell-deployed AWS EC2 instances for billing, like the details of the project or team that deployed the instance. For multiple tags, specify a comma-separated list of the key-value pairs. For example: `tag_name1:ec2_instance,tag_name2:ec2_instance2`
User Data URL	All	(Optional) URL to the raw version of the script to execute (PowerShell, bash, sh, etc.).
User Data Parameters	All	(Optional) Parameters to pass to the user data script. For example, specifying `param1 param2` will result in the command running as follows: `./file.sh param1 param2`
Private IP	All	When the VPC is in static mode (defined on the AWS EC2 cloud provider resource's VPC Mode attribute), this attribute is used to set a static private IP for the deployed App. To set a static private IPs in multi-subnet mode, specify a json string that maps the subnet request CIDR to the requested static private IP. For example: {"10.0.0.0/28": "10.0.0.6"}
Enable Source Dest Check	2^nd Gen only	Set to True to enable source/destination checks. Source/destination checks allow users to create custom routing inside the VPC. It is applied to all vNICs of a certain instance. If enabled, you can reconfigure routing to go through that instance. This value must be False for Virtual Appliance instances like virtual firewalls/routers. Important: This value must be False for Virtual Appliance instances like virtual firewalls/routers. The reason for this is that some virtual appliances may take a while to fully deploy and AWS will show them as impaired from 20 minutes until they fully deploy. Setting Enable Source Dest Check to False ensures the instances are not stopped when they become impaired.
Status Check Timeout	2^nd Gen only	Timeout, in seconds, for AWS status checks to pass. Some virtual appliances may take a while to fully deploy and AWS will show them as impaired from 20 minutes until they fully deploy. Therefore, to ensure virtual appliance instances are not stopped when they become impaired, use this attribute to provide a long enough timeout for the instance to complete its status check. note The default timeout is 600 seconds (10 minutes). However, instance deployment will fail once the instance status becomes "impaired". Specifying a status check timeout period will configure CloudShell to ignore the "impaired" status and instead wait for the instance deployment to complete or the timeout period to pass.

To add additional deployment paths to the App template, click the Add New Deployment Path link at the bottom of the wizard and fill in the required information.

In the left pane, click Configuration Management and configure the application to be installed on the VM.

tip

To learn how to develop custom scripts and Ansible playbooks, including examples, and set up support for the desired configuration management tool, see Developing Configuration Management Scripts for Apps.

Notes:

To run configuration management on an Azure App, make sure the App's VM size is Basic_A2 or larger.
For configuration management operations, CloudShell uses an available Execution Server (for Ansible, it's a Linux Execution Server that has the Supports Ansible flag).

If the cloud provider resource has an Execution Server Selector configured, it will use that selector. If the selector is empty, CloudShell will use the selector defined in the appropriate Resource Manager Client >Configuration Services model (Ansible Configuration or Custom Script Configuration).
Execution Server selectors specified on the deployed App shell/resource are not used to execute configuration management operations.

Define the script or playbook to install.

Attribute	Description
Select Tool	Select the application's installation and configuration tool. None: Do not use any Configuration Management option. Use this option if, for example, the image or template already contains the application to install. Script: Select the custom script to run (PowerShell, bash or sh). Ansible: (Intended for customers who are already using Ansible) Select the Ansible playbook to run. note The playbook runs once during the Setup phase for all of the sandbox's Apps that use that playbook, after CloudShell has finished deploying their VMs. This is done both to improve performance and support cross-server logic where multiple applications need to be installed and configured in a certain way. Note that the playbook runs once for all of the sandbox's Apps that use that playbook, after CloudShell has finished deploying their VMs. Depending on the selection, additional options may become available.
Connection Method	The method to use to connect to the VM. Select: SSH if the VM has a Linux OS Windows Remote Management if the VM has a Windows OS note To run configuration management on a Windows VM, the VM must have WinRM enabled. For details, see Enable WinRM on Windows VMs to Support Configuration Management.
Playbook / Script Location	Details of the Ansible playbook or custom script. URL: Raw URL of the Ansible playbook or ZIP file, or custom script on the online repository (GitHub, GitLab and BitBucket are supported). URL must be accessible to the Execution Servers. tip The URL can accept parameters defined on the App, enabling you to test new versions of scripts without affecting consumer-ready versions. For example, you can have an App everyone is using, but if you want to test a version you're developing, simply change the value of the URL parameter in the test blueprint. To use parameters, specify the parameter name in curly brackets (for example: {branch}). If the App has this parameter, CloudShell will replace the {branch} with its value during execution. If the parameter is missing, CloudShell will replace {branch} with an empty string. If you are using a global input, customers would be well advised to set a default value on the global input For GitHub, specify the raw URL. For example: `https://raw.githubusercontent.com/.../site.yml` For GitLab, specify the API endpoint in the format: `https://gitlab.com/api/v4/projects/{Project ID}/repository/files/testsharding%2Eyml/raw?ref=master` Where: Each special character that the file contains has to be encoded. In the example above - "%2E” is an encoded point (".”) The ref value is the branch name (master for this example) For BitBucket Data Center (on premise), use the following URL format: `http://{datacenter server IP}/rest/api/1.0/projects/{projectKey}/repos/{repository name}/raw/testsharding.yml` For BitBucket Cloud, use one of the following: For source code files, specify the API endpoint: `https://api.bitbucket.org/2.0/repositories/{workspace}/{repository name}/src/{GUID- the Commit hash string}/testsharding.yml` For download files (files residing in the repository's "Downloads" folder), specify this endpoint: `https://api.bitbucket.org/2.0/repositories/{workspace}/{repository name}/downloads/site.yml` important If the URL is private (HTTPS), the VM will need to have a valid SSL certificate. To disable the certificate check, open Resource Manager Client>Resource Families>Configuration Services (Ansible Configuration or Custom Script Configuration) and set the Verify Certificate attribute to False. User/Password: (For private repositories) Access credentials or token to the script/playbook's online repository. Token: (For private repositories) Access token to the script/playbook's online repository. For GitHub and GitLab, specify the API token. For BitBucket Cloud, set the repo's "App Password" in the App template's Password field. For BitBucket Data Center, specify the personal access token. Notes: For Custom Script configurations: In SSH mode, only bash and sh scripts are allowed. In WinRM mode, only PowerShell scripts are allowed. WinRM over HTTPS only applies to custom scripts at this time. If WinRM is configured to run over HTTPS, the execution server will first try to run the custom script over HTTPS and then fall back to HTTP if HTTPS is unsuccessful. To prevent the fallback, set the winrm_transport parameter to ssl. For Ansible configurations: The Ansible playbook must be a YML or YAML file. To specify multiple playbooks or a hierarchy of an Ansible project, you can specify multiple Ansible playbooks or a ZIP package. For example: `https://raw.githubusercontent.com/QualiSystemsLab/private-repo-zip-download/master/README.zip` If a ZIP containing 2 or more playbooks is specified, CloudShell will use the playbook file titled `site.yml` or `site.yaml`. If the file is missing, the App's deployment will fail.
Inventory Groups	(For Ansible) Specify the host groups for the application to be installed, separated by semicolons (;). The newly deployed VM will be associated to these groups, thus allowing plays that target these groups to run on the VM. For example: `Servers/AppServers;Servers/DBServers`
Parameters	Parameters to be passed to the Ansible playbook or custom script. Specify the parameters and their default values. In the blueprint or sandbox diagram, privileged users can also set the parameter to receive the value that is specified for a global input when reserving a sandbox containing the App. This is done by selecting the global input when editing the App in the blueprint or sandbox diagram. For example, a global input that specifies the build number of a product to be tested or which components of a product to install. important (For Ansible) To customize the port to be used to communicate with the VM, add the `Ansible_port` parameter. Default: `SSH` / `Port: 22` / `WinRM: 5985`.
Additional Arguments	(For Ansible) Define arguments to be passed to the execution of the playbook (`Ansible-playbook` command). For example, `-v` will set verbose mode on while `-f` will set the maximum number of VMs to be handled in parallel. Multiple arguments can be given, separated by spaces. For additional information on possible arguments, see the official Ansible documentation. The arguments must be specified in Resource Manager Client > Configuration Services family > Ansible Configuration model > Ansible Additional Arguments attribute. note The arguments are defined globally for all Apps using Ansible. important To configure Ansible to connect to certified hosts only (Linux VMs with a valid 'known_hosts' key), include the following additional arguments: `--ssh-extra-args='-o StrictHostKeyChecking=yes'`

To enable the end-user to rerun the App's configuration management on the deployed App in the sandbox, select Allow rerunning configuration management for resources deployed from the App. Once the App's deployment completes, a Rerun Configuration Management command is included in the deployed App's Application Commands pane. For details, see Run App Commands. This is useful for rolling back the App's VM to its original state.
To enable blueprint and sandbox owners to modify the App's Configuration Management details, select Allow blueprint/sandbox owners to modify the App's Configuration Management. The following details can be modified: playbook/script, authentication details, inventory groups, and parameters. Note that the modifications only apply to the blueprint or sandbox of the instance.
Optionally click the Add New Script/Playbook link at the bottom right to add additional custom scripts/Ansible playbooks to the App. The scripts will run in their display order, from top to bottom. You can drag scripts up or down to rearrange.
To change the script's alias, click the script's name and change as appropriate.

In the left pane, click App Resource to optionally set the VM's operating system user credentials (for example, to connect to the VM via RDP or SSH). You can also change the deployed App's Shell.

important

To help sandbox end-users connect to the VM, it is recommended to include the User and Password in the blueprint's instructions. For additional information, see Add Instructions.

Attribute	Description
Shell	The Shell on which the App's VMs are based. When an App is deployed in a sandbox, it changes into a "deployed App resource", which is based on the selected Shell. By default, the "Generic App Model" Shell is used. Deployed Apps include a default set of commands such as Power On and Refresh IP, and the VM's User and Password attributes, as explained below. note Changing the Shell might cause additional fields to become visible and you may need to enter further information.
User	User defined in the App's image. The User/Password credentials are used by QualiX to create in-browser connections to the VM from within the sandbox. Notes: For AWS instances,make sure to set the User of a user that already exists on the Amazon machine image. For custom images, the image owner should know the credentials, while community/marketplace images have the image's credentials listed in their documentation. Azure VM username and password restrictions apply. For details, see Frequently asked question about Windows Virtual Machines. For Azure Marketplace images, CloudShell will create a user on the VM based on the User/Password credentials you specify. For Azure Marketplace VMs, if the user is not set, CloudShell will set adminuser as the default user name.
Password	VM user's password. Notes: For AWS Marketplace images, leave the Password empty. The AWS shell generates a new key-pair for each sandbox, which QualiX will use to establish the in-browser connection. For Azure Marketplace images: If the password is not set, only the user name will be required. For Linux VMs, CloudShell will create an SSH key-pair to enable a secure connection. If the password is set, it will be displayed as asterisks (******) in the blueprint or sandbox.

Attribute

Description

Shell

The Shell on which the App's VMs are based. When an App is deployed in a sandbox, it changes into a "deployed App resource", which is based on the selected Shell. By default, the "Generic App Model" Shell is used.

Deployed Apps include a default set of commands such as Power On and Refresh IP, and the VM's User and Password attributes, as explained below.

note

Changing the Shell might cause additional fields to become visible and you may need to enter further information.

User

User defined in the App's image. The User/Password credentials are used by QualiX to create in-browser connections to the VM from within the sandbox.

Notes:

For AWS instances,make sure to set the User of a user that already exists on the Amazon machine image. For custom images, the image owner should know the credentials, while community/marketplace images have the image's credentials listed in their documentation.
Azure VM username and password restrictions apply. For details, see Frequently asked question about Windows Virtual Machines.
For Azure Marketplace images, CloudShell will create a user on the VM based on the User/Password credentials you specify.
For Azure Marketplace VMs, if the user is not set, CloudShell will set adminuser as the default user name.

Password

VM user's password.

Notes:

For AWS Marketplace images, leave the Password empty. The AWS shell generates a new key-pair for each sandbox, which QualiX will use to establish the in-browser connection.
For Azure Marketplace images:
- If the password is not set, only the user name will be required. For Linux VMs, CloudShell will create an SSH key-pair to enable a secure connection.
- If the password is set, it will be displayed as asterisks (******) in the blueprint or sandbox.

Click Done.

The new App template is displayed in the Apps page.
Next, Configure the Qualix Server for AWS EC2.