Overview

Larger Enterprise companies often require a layer of abstraction across their company. For example, multiple departments or projects within a company might have various billing/technical requirements that warrant separate but related RightScale accounts. To assist our Enterprise customers in the overall management of the RightScale platform across their company, RightScale offers an Enterprise component to the Dashboard that's only available in our Enterprise Edition.

The Enterprise feature within RightScale lets larger companies manage all of the RightScale accounts within their enterprise, which is comprised of a 'master' and one or more 'child' accounts. Each RightScale account within the enterprise will have separate cloud credentials. The main benefit of the enterprise is that the 'enterprise_manager' can create sharing groups within the 'master' account and then automatically grant child accounts access to those sharing groups without the need of sharing group invitations. In this way, the Enterprise Manager can control which ServerTemplates and Macros will be accessible to all users of a 'child' account.

Actions and Procedures

Connecting AWS Consolidated Billing Accounts to RightScale

Background

Cloud Analytics uses two primary data sources for helping you manage costs:

  • Bill data - Bill information is collected from your public cloud provider to enable an accurate view of all of your costs across your accounts and services
  • Usage data - Usage data is collected from RightScale Cloud Management to provide additional detail for slicing and dicing costs across many different dimensions

This page describes the legacy method for how to connect bill data for AWS. Learn about the data sources for Cloud Analytics, how to connect bills for other clouds, and how to connect usage data.

This section will walk you through setting up RightScale to work with your AWS Consolidated Billing accounts. Once set up, RightScale usage and cost reporting will be more accurate and reflect the benefits of Consolidated Billing, such as sharing Reserved Instances across accounts. This will enable you to optimize your costs across all your Consolidated Billing accounts and make better purchase option decisions.

Please note that in order to get the benefits of usage and cost reporting, you will need to connect all your AWS accounts to RightScale and have at least 'observer' permissions to each RightScale account. However if you'd like to get an overview of your costs per AWS account in the Cloud Analytics dashboard, all you need to connect to is the AWS Payer account.

Prerequisites

In order to set up your AWS Consolidated Billing with RightScale, you need to have permissions to create RightScale accounts and connect to clouds. Therefore, the 'enterprise_manager' and 'admin' permissions are required. Please see the User Roles page for additional information.

You also need to be on a RightScale account which has access to the Consolidated Billing page. To check if you have access to this page, log into RightScale Cloud Management and navigate to Settings > Consolidated Billing.

If you do not have the required roles, or cannot see the Consolidated Billing page, please reach out to your RightScale account administrator, or email support@rightscale.com.

Steps

In order for RightScale to receive your AWS billing data and recognize your Consolidated Billing account structure, AWS CloudWatch needs to be enabled to Receive Billing Alerts on your AWS Payer Account.

  1. Log into your AWS Payer Account.
  2. Navigate to the Billing & Cost Management menu option.
    cm-consolidated-billing-aws-login.png
  3. Go into the Preferences menu option, select 'Receive Billing Alerts' and click Save preferences.

cm-consolidated-billing-aws-prefs.png

Now that CloudWatch Billing Alerts have been set up, you need to connect AWS to RightScale.

  1. Log into the RightScale Cloud Management dashboard.
  2. Navigate to Settings > Consolidated Billing. If you do not see this menu option, please note the prerequisites above.
  3. If you have connected all your AWS accounts to RightScale, this page will validate this by showing you all the AWS accounts under your Consolidated Billing group, and the links between these and the RightScale accounts they have been connected to.
  4. If you have not connected all your AWS accounts to RightScale, this page will give you the option to quickly create RightScale accounts and connect them to your AWS account. cm-consolidated-billing-tab.png
  5. For each AWS account which has not been connected to RightScale, click the Create New Account link. This will open a dialog enabling you to enter a RightScale account name, and the AWS IAM credentials to establish the connection. If you need help in setting up AWS IAM, please read the step-by-step guide for setting up IAM with RightScale.
    cm-consolidated-billing-aws-create-rs-account-dialog.png
  6. Once you have connected all your AWS accounts to RightScale, it will take up to 24 hours for your cost reports to reflect the change.

If you have any questions, or would like help in setting up your AWS Consolidated Billing with RightScale, please email support@rightscale.com.

Create a New Child Account

Child accounts are an easy way to manage and control multiple accounts in RightScale through a single account. One benefit of having a child account is the ability to have a user enter in a set of cloud credentials that differ from the parent account. As an example, let's say you want to have a user add their own AWS account number to RightScale but still manage your own AWS credentials. You can provision a child account and have a user add in their own credentials while still being able to manage and control users to that account.

Prerequisites

  • You must be logged into an Enterprise account and have the 'enterprise_manager' role enabled.

Steps

  1. Go to Settings > Enterprise and click New Child Account.
  2. Enter the following:
    • Child Account Name: The name of the child account that will be created under the parent account.
    • Child Account Location: If you are connecting this account to AWS, we recommend that you choose a RightScale cluster that is in a different AWS region from where your primary AWS usage will be. Otherwise, we recommend you create the account in a cluster closest to the users of the child account so speeds will better for the users.
    • Add cloud credentials after saving new child account: If you enable this option, you will be taken to the child account's clouds section to add cloud credentials for the account. For more information, see Add a Cloud Account to a RightScale Account.
  3. Click Save.
  4. Once a child account is created, all administrator users and their roles will be carried over to the child account. As an 'enterprise_manager,' you can manage roles from either the parent account or log in and manage users from the child account. All users with the 'admin' role will be able to manage users from the child account.

Invite a User to Join an Enterprise Account

Adding a user to a RightScale enterprise account by sending an account invitation grants access to the specified account, as well as defines the granted user role privileges within the account. Only users with 'enterprise_manager' user role privileges can send RightScale enterprise account invitations to other users. In order to invite a user to a RightScale enterprise account, you must send the invitation to the email address that the user will use to log into the RightScale Dashboard. Remember, RightScale users are identified by their email address, not by a name or username.

Prerequisites

  • 'enterprise_manager' user role privileges in the RightScale account into which you are going to invite a new user.
  • Paid RightScale enterprise account - Required to invite users to a RightScale enterprise account and grant them non-Admin privileges.

Steps

Permanent Invitations

Use the following procedure to permanently invite one or more users to join a RightScale enterprise account.

  1. Log into the RightScale dashboard using your 'enterprise_manager' user profile.
  2. Navigate to Settings > Enterprise > Invitations.
  3. Click Invite Users. Enter the email address for the user you want to send an invitation to, and use the Select Account drop-down to specify one or more accounts you want to invite the user to join. Each account you select along with its available permissions is displayed just below the drop-down. Note that you can deselect an account by clicking remove.
    cm-enterprise-invites.png
  4. Choose the permissions you want the user to have for a given account using the available checkboxes.
  5. Add additional user email addresses and account settings as needed.
  6. Click Send Invitations.

Temporary Invitations

Temporary invitations allow enterprise managers to invite users to their account, but the invited user will be removed after a specified number of days. If the invited user already exists on the account, any additional permissions will be added for the listed number of days. In Settings > Enterprise > Invitations, there is a section for inviting permanent users with specified permissions and a section under it for inviting temporary users with specified permissions. If new temporary permissions are added to a user that already has temporary permissions, the new permissions and expiration period will supersede the previous one.

Manage IP Whitelists for Enterprise Accounts

Objective

You can manage IP whitelists by adding, modifying, or deleting Dashboard and API IP access rules that have been created on Enterprise parent and child accounts. Parent and child account holders of an Enterprise account have the ability to create a range of IP Whitelists. This feature is beneficial if account administrators would like to enable access to RightScale through a company's IP address, essentially blocking traffic from any other IP address. For more information, see Add an IP Whitelist Range.

To be able to properly manage this feature, Enterprise account managers can modify, add, or delete an IP Whitelist range that has been set from parent or child accounts of an Enterprise account. The instructions below explain how to use this feature.

Prerequisites

  • Requires 'admin' and 'enterprise_manager' user role privileges and Enterprise Edition account to configure this feature. Contact your account manager or sales@rightscale.com for more details.

Steps

  • Go to Settings > Enterprise > IP Whitelists

cm-enterprise-ip-white-list.png

Add a New Rule

  • To add a new IP Range, click on New Rule

cm-enterprise-whitelist-new-rule.png

  • Enter in the following details:
    • IP Range (CIDR): Specify the IP Range in CIDR notation to control the range of IP addresses that will be allowed access for your account. 0.0.0.0/0 (default) allows access to any IP address whereas 0.0.0.0/32 denies access to all IP addresses. If you enter a range that does not include your own IP address, you may be denied access to your account.
    • Description (Optional): This is a user-defined description to help describe the purpose of the IP Range.
    • Accounts: A collection of one or more accounts to which the IP Whitelist will apply. Users with IP addresses outside of the whitelist range will not be able to access these accounts.

Edit an IP Whitelist Range

When parent or child accont memebers of the Enterprise account add an IP Whitelist Range from the Settings > Account Settings > Access Controls , the range will be viewable from the Enterprise IP Whitelists section. If you would like to modify this range, select the IP Whitelist Range and click Edit in the Selected Item window.

cm-enterprise-ip-whitelist-edit.png

You will have the ability to modify the IP Range (CIDR), Description , and the Accounts of the selected range.

Delete an IP Whitelist Range

Additionally, if you would like to remove this range, you can do this by selected the IP Whitelist Range, clicking Actions, and then Delete.

cm-enterprise-ip-whitelist-delete.png

Once you delete an IP Whitelist Range, it will be removed from the Access Controls tab (Settings > Account Settings > Access Controls) of the child or parent user that has access to view the tab.

Update Organization name

Ensure the name of your Organization (i.e. Enterprise) is meaningful to your users. You need to have enterprise_manager role in order to perform this action.

Steps

  1. Select any account in the Organization that you wish to update from the account selector. gov_find_enterprise.png

  2. Under Settings, select Enterprise gov_enterprise_settings.png

  3. At the top, click anywhere on the existing name above the dotted line gov_update_org_name.png

  4. Enter new name and click OK to save gov_update_org_name_save.png

  5. The new name will now be displayed gov_update_org_name_display.png

Further Reading