Red Hat SummitRed Hat Ansible Automation Platform Service on AWS
Install and configure Red Hat Ansible Automation Platform Service on AWS
Abstract
Ansible Automation Platform helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments. This guide helps you to understand the installation and use of Ansible Automation Platform Service on AWS. This document has been updated to include information for the latest release of Ansible Automation Platform Service on AWS.Preface
This document outlines the service definition and set up for Red Hat Ansible Automation Platform Service on AWS.
Providing feedback on Red Hat documentation
If you have a suggestion to improve this documentation, or find an error, you can contact technical support at https://access.redhat.com to open a request.
Disclaimer: Links contained in this document to external websites are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
Chapter 1. Introduction to Red Hat Ansible Automation Platform Service on AWS
With the Red Hat Ansible Automation Platform Service on AWS, you can purchase and deploy Ansible Automation Platform through AWS Marketplace. Red Hat configures and provisions an Ansible Automation Platform environment and then maintains it, ensuring reliability and security.
Chapter 2. Red Hat Ansible Automation Platform Service on AWS PULL and PUSH models
There are two communication methods, PULL and PUSH, available for connecting your execution plane nodes to the Ansible Automation Platform Service on AWS control plane.
2.1. Automation using the Red Hat Ansible Automation Platform Service on AWS control plane
The Red Hat Ansible Automation Platform Service on AWS offers a deployment of Ansible Automation Platform purchased through AWS Marketplace. Red Hat configures and provisions an Ansible Automation Platform. The Red Hat team handles the setup and maintenance of the Ansible Automation Platform, ensuring reliability and security.
While Red Hat manages the control plane, the execution plane is implemented in your network using automation mesh hop nodes and execution nodes. For help with configuring execution nodes see Automation mesh for managed cloud or operator environments.
There are two ways to configure the communication between control nodes and execution nodes:
- The PULL connectivity model (recommended)
- The PUSH connectivity model
2.2. PULL connectivity
Remote automation mesh nodes can access Ansible Automation Platform using a 'polling' or 'pull' model, which does not require opening ingress ports in your enterprise network.
The pull model initiates a WebSocket from the remote execution node to the control plane hop node secured with mTLS for authentication and encryption. This model eliminates the need to deploy hop nodes into your demilitarized zone (DMZ) to establish connectivity to private networks if private networks have outbound internet connectivity. Proxy servers that terminate TLS are not supported and will disrupt automation mesh connectivity.
For help with configuring your automation mesh see defining automation mesh node types.
Pull model
2.3. PUSH connectivity
You can design your automation mesh architecture using the push model and configure the communication ports.
The default port is 27199. If you choose a different port ensure it does not conflict with an existing service, such as HTTPS. Ansible Automation Platform Service on AWS supports current automation mesh features that push communication to both hop nodes and execution nodes.
Push model
Chapter 3. Setting up Red Hat Ansible Automation Platform Service on AWS
To set up Red Hat Ansible Automation Platform Service on AWS you must first accept an offer. You can accept a public offer through the AWS Marketplace, or a private offer directly from a Red Hat seller.
3.1. Accepting a Public offer
To set up Red Hat Ansible Automation Platform Service on AWS you must link your Amazon Web Services (AWS) and Red Hat accounts through the AWS Marketplace.
When you link your accounts you can provision and configure your cluster through the Red Hat Hybrid Cloud Console.
Prerequisites
- An AWS Account
Procedure
- Log in to your AWS account.
- Navigate to the Discover products page of the AWS Marketplace. If you have already accepted your offer you can find it in the Manage subscriptions page.
In the search field search for "Red Hat Ansible Automation Platform Service on AWS".
Depending on your region select one of the following:
- For EMEA, select Red Hat Limited.
- For the rest of the world, select Red Hat.
- Click .
- Select your desired contract duration.
- If you would like your contract to auto renew, click .
- Select the contract options.
- Optional: Add a purchase order number.
- Click .
Select . This redirects you to Red Hat Single Sign-On where you must:
- Create or sign into your Red Hat account.
- Connect your AWS account to the Red Hat account. This redirects you to the Provision environment page on the Red Hat Hybrid Cloud Console. Here you can start configuring your environment.
Enter your AWS account ID and click .
- This account ID must be the account ID that purchased the offer from the AWS Marketplace. The system does not recognize associated or nested accounts.
- After your AWS ID is validated click .
- Select your required region.
- Click .
Verification
This redirects you to the Environment details page of the Instances, where you can see all the details of your created instance. Here you can check whether your instance is Ready or still in a Provision in progress state.
Provisioning your environment can take up to two hours. When it is ready, you will receive a confirmation email at the address linked to your account.
Update your password as soon as possible. The confirmation email includes a link to your admin password, which you will use to log in and change your password. This link is one-time use, so be prepared before clicking it.
If you did not receive the email or the initial admin password has expired, you must submit a support ticket and the Red Hat team will assist you with next steps.
3.2. Accepting a Private offer
A private offer is sent to you directly from a Red Hat seller. A private offer includes specific pricing and licensing terms for your account and has an expiration date. If you do not accept the offer by that date, you will either be moved to the public offer for the product or no longer subscribed to it.
Prerequisites
- An AWS Account
A Red Hat seller issues you a purchase order and provides it to you by email.
- For manual steps see Viewing and subscribing to a private offer page on the AWS Marketplace
Procedure
- Click the link in the private offer email to accept the terms.
- Log in to your AWS account.
- Navigate to the Private Offers page of the AWS Marketplace. If you have already accepted your offer you can find it in the Manage subscriptions page.
- Click the URL under the Offer ID column. This redirects you to the Offer Selection page.
- Click .
Select . This redirects you to Red Hat Single Sign-On where you must:
- Create or sign into your Red Hat account.
Connect your AWS account to the Red Hat account.
- If you are connecting to your accounts for the first time you must accept the terms and conditions and click . This redirects you to the Provision environment page on the Red Hat Hybrid Cloud Console. Here you can start configuring your environment.
Enter your AWS account ID and click .
- This account ID must be the account ID that purchased the offer from the AWS Marketplace. The system does not recognize associated or nested accounts.
- After your AWS ID is validated click .
- Select your required region and click .
- Click .
Verification
This redirects you to the Environment details page of the Instances, where you can see all the details of your created instance. Here you can check whether your instance is Ready or still in a Provision in progress state.
Provisioning your environment can take up to two hours. When it is ready, you will receive a confirmation email at the address linked to your account.
Update your password as soon as possible. The confirmation email includes a link to your admin password, which you will use to log in and change your password. This link is one-time use, so be prepared before clicking it.
If you did not receive the email or the initial admin password has expired, you must submit a support ticket and the Red Hat team will assist you with next steps.
3.3. Product Notification Feed
Effective July 2025, the Ansible Automation Platform RSS notification feed is available. This feed serves as a method for communicating various product updates and changes to customers.
Customers can subscribe to the notifications by visiting announcements.ansiblecloud.redhat.com/feed.atom. Using an RSS feed reader, customers are updated with events such as Ansible Automation Platform upgrades and system maintenance.
All Ansible Automation Platform customers can subscribe to this content. Messages include categorization tags to specify deployment types: managed, self-managed (on-premises), or a combination. Red Hat is developing a future enhancement to integrate this feature directly into the UI.
Chapter 4. Configuring Red Hat Ansible Automation Platform Service on AWS
After you subscribe to Ansible Automation Platform Service on AWS and gain access to Ansible Automation Platform, you must configure your automation mesh nodes and set up your automation jobs.
For help with configuring your automation mesh see Automation mesh for managed cloud or operator environments.
Do not change the "Gateway proxy URL" settings. Altering the gateway proxy might cause false outages on the status page.
Chapter 5. Red Hat Ansible Automation Platform Service on AWS Service Definition
The service definition details the shared responsibilities between Red Hat, which manages the control plane, and the customer, who manages the execution plane.
5.1. Account management
This section provides an overview of the billing and environment management operations.
5.1.1. Billing
Red Hat Ansible Automation Platform Service on AWS is billed through Amazon Web Services (AWS). Pricing is based on the number of managed active nodes and related infrastructure management costs. Discount tiers are available for pre-purchasing managed active nodes at the start of a billing cycle.
The service includes one Ansible Automation Platform deployment and 10 Red Hat Enterprise Linux (RHEL) entitlements for running your automation execution plane.
5.1.2. Deployment-self-service
You can self-service deployments including, but not limited to, the following operations:
- Buy and deploy an Ansible Automation Platform on AWS environment.
- Cancel an Ansible Automation Platform on AWS environment subscription.
When you cancel or do not renew a subscription in the AWS Marketplace, the service begins the deprovisioning process 72 hours after the cancellation.
The system keeps an encrypted backup for a limited time after unsubscription to prevent data loss from accidental unsubscription.
You may request a complete purge of the backup data after unsubscription, with the understanding that there is permanent data loss.
If you initiate a cancellation, your deployment will begin to shut down. If you initiated the cancellation in error you have 72 hours from the initial cancellation to submit a Support ticket and the Red Hat team will assist you in recovering the cancelled deployment.
5.1.3. Regions and availability zones
Each supported region is paired with a companion AWS region where backup data is stored in the event of a primary region catastrophe that requires restoration in another AWS region.
Refer to Backup and disaster recovery for the list of supported and backup regions.
5.1.4. Service level agreement
Any service level agreements (SLAs) for the service itself are defined in Appendix 4 (Online Subscription Services) of the Red Hat Enterprise Agreement Product Appendices.
5.1.4.1. Limited support status
When a deployment transitions to "Limited Support" status, Red Hat will no longer troubleshoot execution plane issues.
The SLA is no longer applicable and credits requested against the SLA are denied. However, this does not mean you lose all product support. A deployment can return to full support if you address the issues that caused the limited status.
A deployment might move to a Limited Support status for several reasons, including:
- Lack of an execution plane
- A customer execution plane is required for automation. If you have not configured one or if it’s in a degraded state, you must fix these issues before receiving automation support.
- Unsupported Execution Plane Dependencies
- Both Red Hat Enterprise Linux (RHEL) and OpenShift-based execution planes need regular maintenance and upgrades to meet minimum supported versions for Ansible Automation Platform dependencies. You can upgrade these resources using various methods, such as Ansible for patching, Red Hat Satellite, or DNF automatic updates. Keeping your OS, cluster, and receptor resources updated with supported Ansible Automation Platform helps reduce support issues.
5.1.5. Responsibilities
Learn about your responsibilities and Red Hat’s responsibilities. Understanding these roles helps you manage your product effectively.
| Feature | Red Hat | Customer |
|---|---|---|
| Control plane infrastructure | ✓ | ┄ |
| Execution plane infrastructure | ┄ | ✓ |
| Control plane deployment | ✓ | ┄ |
| Control plane uptime | ✓ | ┄ |
| Control plane upgrades | ✓ | ┄ |
| Control plane backup and restore | ✓ | ┄ |
| Control plane security | ✓ | ┄ |
| Execution plane (automation mesh) deployment | ┄ | ✓ |
| Execution plane uptime | ┄ | ✓ |
| Execution plane upgrades | ┄ | ✓ |
| Execution plane backup and restore | ┄ | ✓ |
| Execution plane security | ┄ | ✓ |
| Settings and configuration | ┄ | ✓ |
| Automation content | ┄ | ✓ |
| Application integrations | ┄ | ✓ |
| Identity and access | ┄ | ✓ |
| Monitoring SSL and TLS certificate expiration | ┄ | ✓ |
5.2. Control plane
The Ansible Automation Platform control plane includes the application UIs, APIs, components, and services used for managing automation. Red Hat manages these within its own infrastructure.
Each customer deployment is fully isolated at the infrastructure layer. Every deployment provisions its own dedicated network, compute, and database resources, remaining entirely independent from all other customer environments. By enforcing this level of isolation, there is a reduced risk of data leakage or unauthorized cross-deployment interactions, ensuring that actions and information remain confined within their designated environments.
5.2.1. Preparing for deployment
The following optional configurations include custom domains and AWS PrivateLink setup. You can implement these settings to meet your specific security and networking requirements.
5.2.1.1. Prerequisites
Before initiating these configuration requests, ensure the following are available.
- Access: You have access to Red Hat Customer Portal (Customer support) and the AWS Console.
- Infrastructure: You have an active Ansible Automation Platform Service on AWS deployment.
- Network: You have an existing VPC with private subnets (for PrivateLink).
- DNS: You have administrative access to your public or private DNS provider.
5.2.1.2. Execution plane strategy
Red Hat strongly advises provisioning your own execution nodes and instance groups in your VPC.
- Cost Impact: Workloads running on the control plane trigger auto-scaling of vCPUs, which are billed at a higher variable rate ($0.10/vCPU/hr). For more information see Ansible Automation Platform Service on AWS: Infrastructure Metering Changes.
- Recommendation: To maintain predictable costs and security isolation, use the control plane for management only and offload automation execution to your own EC2 instances.
5.2.1.3. Configure AWS PrivateLink
AWS PrivateLink establishes secure connectivity between your VPC and the Red Hat managed control plane without traversing the public internet.
AWS PrivateLink connectivity is supported both into (ingress) and out of (egress) the Ansible Automation Platform control plane. Customers must work with the Red Hat SRE Team to set up the following AWS PrivateLink connectivity directions:
- From customer VPC to Red Hat managed control Plane
- From Red Hat managed control plane to customer VPC
To configure bi-directional connectivity, complete the following steps:
Submit Customer support cases to Red Hat to begin this process.
- A separate ticket must be created for ingress and egress
- The Redhat SRE team will work together with the customer and enable AWS PrivateLink Connectivity via the support case.
To begin this process see Enabling AWS PrivateLink connectivity.
5.2.1.4. Performance guidelines for Event-Driven Ansible on Ansible Automation Platform Service on AWS
Use this information to plan and configure Event-Driven Ansible on Ansible Automation Platform Service on AWS.
All customer workloads differ, and performance results may vary. Red Hat recommends monitoring Subscription Watch for Ansible Automation Platform Service on AWS meters within Hybrid Cloud Console and creating cost alerts in AWS.
The following table reflects the observed performance and resource utilization for the tested configuration.
Observed performance and resource utilization
| Category | Metric | Value |
|---|---|---|
| Tested configuration | Rulebook Activations | 5 |
| Events published per second | 120 | |
| Actions per second | 20 | |
| Derived metrics | Actions per activation (20 events/sec x 30 sec) | 600 |
| Total actions across all activations | 3,000 | |
| Infrastructure | vCPUs | 12 |
| Observed performance | Total Events Sent | 3,000 |
| Job Events | 600 | |
| Failed Iterations | 0 | |
| Event Processing Time | 77.07 seconds |
Performance metrics change as the control plane scales (up or down) based on the running workload.
5.2.1.5. Configure a custom domain
Configure a custom domain, starting with generating a certificate and private key, submitting a support case for SRE configuration, and finalizing the setup with a required DNS update.
For help with this process see the Custom domain section.
5.2.2. Customer access
You can access the control plane through the Ansible Automation Platform user interfaces and APIs.
During the initial configuration of an Ansible Automation Platform Service on AWS deployment, you will receive the URL for your deployment. You can also find this information through the Red Hat Hybrid Cloud Console (HCC).
The administrator account’s initial password is provided to the HCC user who performed the initial deployment.
You must change this initial password immediately after your first log in to Ansible Automation Platform.
If you need help accessing your deployment, submit a support request through Customer support.
You can provide a custom URL for your Ansible Automation Platform Service on AWS by using a domain name that you own. To request a custom domain name for your deployment, you can submit a customer support request to initiate the configuration process. The Red Hat SRE team will engage the support ticket for collaboration on next steps. Refer to the Custom Domain section for configuration information.
5.2.3. Service uptime
Uptime for Red Hat Ansible Automation Platform Service on AWS is measured by user access and function of the Ansible Automation Platform control plane. This is measured through the uptime of the product web user interface and REST APIs.
Measurements are calculated through successful HTTP response codes (200) to entry points of the UI and API. If either of these return an unsuccessful response code, or are unavailable and time out entirely, then the service will be considered to be in an outage state. Uptime of the execution plane, which is managed by customers, is not included as part of the uptime of the service. Customers are responsible for ensuring that the execution plane is redundant, scalable, and available in order to meet customer uptime objectives.
5.2.4. SRE access and management
Site Reliability Engineering (SRE) access is limited to the infrastructure and services running Ansible Automation Platform. Red Hat only accesses the Ansible Automation Platform interfaces or APIs in exceptional cases, such as during support engagements.
SRE access to control plane resources is restricted to operations that require human intervention and cannot be automated. Any access follows a request-and-approval process and is audited to ensure only authorized personnel can perform these operations.
SREs access resources and audit data are collected when:
- The SRE team requests access to cluster resources using a tool that allows temporary access. This tool generates a log entry detailing the time and the SRE team member who requested access.
- Audit logs are created for any management operation performed on a customer instance and are sent to a centralized logging system.
Red Hat erases job logs every 30 days.
5.2.5. Backup and disaster recovery
Red Hat maintains daily database and file system snapshots in a separate region from each deployment.
| Component | Snapshot Frequency | Retention Policy |
| Database | Daily | 7 days |
| File System | Daily | 7 days |
This recovery data is used if an AWS regional outage cannot be resolved in a reasonable time.
Customer data is replicated to a predefined secondary region based on the deployment region. The currently paired regions are:
| Primary Region | Business Continuity Region |
|---|---|
| af-south-1 (Cape Town) | ap-southeast-2 (Sydney) |
| ap-east-1 (Hong Kong) | ap-south-1 (Mumbai) |
| ap-northeast-1 (Tokyo) | ap-northeast-3 (Osaka) |
| ap-northeast-3 (Osaka) | ap-northeast-1 (Tokyo) |
| ap-southeast-2 (Sydney) | ap-south-1 (Mumbai) |
| ca-central-1 (Central Canada) | us-east-2 (Ohio) |
| ca-west-1 (Canada) | ca-central-1 (Central Canada) |
| eu-central-1 (Frankfurt) | eu-central-2 (Zurich) |
| eu-central-2 (Zurich) | eu-central-1 (Frankfurt) |
| eu-south-2 (Spain) | eu-west-3 (Paris) |
| eu-west-1 (Ireland) | eu-north-1 (Stockholm) |
| eu-west-2 (London) | eu-west-1 (Ireland) |
| eu-west-3 (Paris) | eu-south-2 (Spain) |
| sa-east-1 (São Paulo) | us-east-1 (N. Virginia) |
| us-east-1 (N. Virginia) | us-west-2 (Oregon) |
| us-east-2 (Ohio) | us-west-2 (Oregon) |
| us-west-2 (Oregon) | us-east-1 (N. Virginia) |
To recover an Ansible Automation Platform deployment in a different AWS region, a customer must submit a request specifying their preferred deployment region from the available options. Red Hat evaluates the request and begins building an instance in that region. Data from the previous instance is recovered from the customer’s business continuity region. The customer is responsible for any necessary post-deployment network configuration to integrate the new instance into their environment.
Backup data is not directly accessible to customers. The data is only used in the event of infrastructure failure, not customer configuration errors. Red Hat encourages using configuration-as-code practices to maintain a customer-hosted backup of your configuration.
5.2.6. Infrastructure monitoring
Red Hat is responsible for monitoring the control plane. You do not have access to add any additional monitoring to the resources that run the control plane.
5.2.7. Application monitoring and customer audits
The Ansible Automation Platform activity stream provides detailed information about access to Ansible Automation Platform and usage. To retain this information for auditing or compliance, you must export the logs to supported logging services for retention and querying.
5.2.8. Status notification
Red Hat communicates the health and status of Red Hat Ansible Automation Platform Service on AWS clusters through the Red Hat Hybrid Cloud Console, email notifications to the original deployment contact, and any additional contacts you specify.
5.2.9. Security
The platform is a managed service with robust built-in security, including RBAC and data encryption at rest and in transit (AES-256).
5.2.9.1. Identity and access management
Ansible Automation Platform includes a built-in user model for configuring users and RBAC permissions that define access.
Red Hat recommends using an enterprise identity provider with Ansible Automation Platform to implement multi-factor authentication for users. See the Access management and authentication guide for more information.
Red Hat advises keeping at least one local administrator account with a long, complex password for emergency access.
5.2.9.2. Encryption
Data is encrypted at rest in both the database and file system using AWS Key Management Service (KMS), which uses AES-256 encryption. Data in transit is encrypted with TLS 1.2 or higher.
We use AWS Customer Managed Keys (CMKs) to enforce encryption across databases, Amazon S3 buckets, and AWS Secrets Manager secrets. These KMS keys are securely stored in AWS Key Management Service (KMS) under Customer Managed Keys. KMS keys are automatically rotated every 365 days to reduce the risk of key compromise. The Amazon S3 bucket is used for automation hub configuration and backups. AWS Secrets Manager secrets is leveraged to store sensitive information such as credentials and configuration details.
5.2.10. Hosted components
The objective of this offering is to provide an Ansible Automation Platform deployment as a managed service, relieving customers of managing the Ansible Automation Platform control plane.
All Ansible Automation Platform capabilities in the operator-based deployment model are supported.
5.2.11. Custom domain
Ansible Automation Platform control plane is accessible through its user interfaces, APIs, and mesh ingresses. While each service instance has an auto-generated Red Hat URL, you can set up a custom domain. This customization process varies based on whether you plan to use AWS PrivateLink or not.
To use custom domains, you must configure three DNS records according to your service’s connectivity model. These records will be explained in greater detail in the following sections. The conventions for these records are:
-
platform.<optional_subdomain.exampledomain.com> -
mesh-ingress-0.<optional_subdomain.exampledomain.com> -
mesh-ingress-1.<optional_subdomain.exampledomain.com>
You can create custom subdomains under the domain you own.
5.2.11.1. Planning for your custom domain
You can configure a custom URL through Red Hat SRE assistance for your deployment. First, however, you must complete the preparatory steps, for domain identification and TLS certificate creation.
Prerequisites
- Ensure that you have management over the domain or subdomain you intend to use in order to add multiple records.
- Ensure the DNS servers that you use to resolve the record must be accessible wherever you intend to use the domain.
-
Ensure that you use the same domain for all URLs in the deployment (for example, use
exampledomain.comfor custom URLs).
Procedure
- Identify the domain or subdomain to use.
Create the TLS certificate:
- Include all mesh-ingress records in the Subject Alternative Name (SAN) parameter.
-
Alternatively, generate a wildcard certificate to cover subdomains (for example,
*.exampledomain.com).
Bundle the certificate, private key, and any optional intermediary certificates into a zip.
ImportantTLS Certificate requirements for custom domains:
- Private Key: The private key must be unencrypted and cannot have a passphrase or be password protected.
- Expiration: Initial certificates must be valid for at least one year.
- Renewal: You must initiate a support ticket to renew the certificate at least 14 days before the expiration date. When renewing you must use one of the following formats for the certificate’s Subject Alternative Names (SANs):
Explicit SANs: List the required subdomains:
platform,mesh-ingress-0, andmesh-ingress-1. For example, if your domain isexampledomain.com, include the following in the certificate’s SAN:-
platform.exampledomain.com -
mesh-ingress-0.exampledomain.com -
mesh-ingress-1.exampledomain.com -
Wildcard certificate: Use a wildcard to cover all subdomains (for example,
*.exampledomain.com).
-
Open a support ticket with Red Hat requesting a custom URL configuration to your deployment and include the following information:
- Company Name
-
Deployment information (for example,
cus-xxxx) -
Custom domain (for example,
exampledomain.com) - Provide the zip file containing the certificates, or request a presigned URL for secure upload.
- Allow the SRE team to apply the configuration to your deployment, verify the functionality, and collaborate with you on follow-up steps via the support ticket.
- Update image URLs for Execution Environments and Decision Environments to point to the new platform domain address if images are sourced from the private automation hub on the same Ansible Automation Platform instance.
Reconfigure pull mode execution nodes if they were previously configured with the old domain:
-
Locate the
group_vars/all.ymlfile in the tar archive used to set up the execution node. -
Modify the
receptor_peersaddress variable to point to the new mesh ingress node. Rerun the
install_receptor.ymlplaybook.NoteNew mesh-ingresses using the custom domain replace the original ones.
-
Locate the
5.2.11.2. Setting up a custom domain without AWS PrivateLink
If you are not planning to connect to the Ansible Automation Platform UI or use automation mesh through AWS PrivateLink, complete the following steps to configure your DNS.
Procedure
Identify the canonical names of the load balancers of your deployment.
You can use a DNS lookup on the Red Hat-generated URL to identify the DNS names for both load balancers:
Shell # Replace the URL with the "platform" URL of your deployment dig platform.cus-<id>.aws.ansiblecloud.comShell # Replace the URL with the "mesh-ingress" URL of your deployment dig mesh-ingress-0.cus-<id>.aws.ansiblecloud.comCreate DNS CNAME records for your custom domain using the following hostnames pointing to the DNS names identified in the previous step:
-
platform (for example,
platform.exampledomain.com) →cus-xxxxx-alb-11111111.us-east-1.elb.amazonaws.com -
mesh-ingress-0 (for example,
mesh-ingress-0.exampledomain.com) →xxxxx.elb.us-east-1.amazonaws.com -
mesh-ingress-1 (for example,
mesh-ingress-1.exampledomain.com) →xxxxx.elb.us-east-1.amazonaws.com
-
platform (for example,
5.2.11.3. Setting up a custom domain with AWS PrivateLink
If you are planning to connect to the Ansible Automation Platform UI or use automation mesh through AWS PrivateLink, complete the following steps to configure your DNS.
Procedure
Retrieve the main DNS name of the Amazon Virtual Private Cloud (VPC) endpoint you created to connect to AWS PrivateLink endpoint service by performing the following steps:
- Log in to the Amazon Web Services portal and select → .
- Click the VPC Endpoint for Red Hat Ansible Automation Platform Service on AWS.
Retrieve the DNS names in the Details tab.
There are a few entries. To find the correct DNS name, go to the Details tab and look for the entry that is not tied to a specific Availability Zone (AZ). For instance, choose
vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.comrather than one that includes an AZ likeus-east-1aorus-east-1b.Alternatively, you can choose to use Amazon Web Services CLI to retrieve the DNS names of that endpoint by entering:
Shell aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-xxxx --query 'VpcEndpoints[0].DnsEntries[*].DnsName'
After you have retrieved the DNS name, create the DNS CNAME records for your custom domain using the following hostnames pointing to the DNS name identified in the previous step:
-
platform (for example,
platform.exampledomain.com) →vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.com -
mesh-ingress-0 (for example,
mesh-ingress-0.exampledomain.com) →vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.com -
mesh-ingress-1 (for example,
mesh-ingress-1.exampledomain.com) →vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.com
-
platform (for example,
5.3. Execution plane
You can only run test and cleanup jobs on the default or controller execution planes. All other automation must be configured to run on your execution plane.
As part of the Ansible Automation Platform Service on AWS subscription, you receive 10 Red Hat Enterprise Linux (RHEL) entitlements for running the execution plane. Additional RHEL or OpenShift licenses can be purchased separately.
5.3.1. Shape
Your execution plane’s size and shape depend on the type of automation and the locations connected to the mesh. Use the following guidelines for your automation mesh implementation:
Ansible Automation Platform minimum requirements:
Hop Nodes: Red Hat Ansible Automation Platform Service on AWS includes two hop nodes that customers can use to peer with execution nodes. They typically require minimal resources. The shape of a hop node depends on the number of connected execution nodes. A virtual machine (VM) with 2 vCPUs and 2 GB RAM can route traffic for 2-4 execution nodes.
- For help with configuring your automation mesh see Automation mesh for managed cloud or operator environments.
- For automation in fewer locations (such as specific geographies or clouds), create a mesh with fewer VMs that can be scaled vertically. Most clouds and hypervisors allow shape changes with minimal downtime.
- For CPU or RAM-intensive automation, use larger machine shapes.
- For automation spanning multiple locations, create a mesh with nodes that connect to those locations.
- Consider using different CPU architectures, like ARM, and reserved instances to reduce execution plane costs.
- To configure redundancy in the automation mesh, set up at least two mesh nodes of the same shape in different availability zones within the same region, connecting each machine to both hosted hop nodes.
- Use OpenShift if auto-scaling the execution plane is necessary.
5.3.2. Networking
Understand the automation mesh architecture and the connectivity requirements for the execution plane
5.3.2.1. Automation mesh
Ansible Automation Platform Service on AWS provides default “mesh-ingress” hop nodes. These hosted hop nodes allow execution nodes to poll for automation work through egress from a customer’s private network, eliminating the need to open inbound firewall ports. Hosted hop nodes use port 443 for inbound traffic.
The following is an example of an execution node in a private address space with egress-only internet access connected to Ansible Automation Platform Service on AWS through this model.
You can also configure the automation mesh with outbound connectivity from the control plane to your execution plane, allowing you to specify the ports used by the automation mesh.
You can use the Automation mesh for managed cloud or operator environments documentation for instructions.
5.3.2.2. PrivateLink configuration types
The PrivateLink configuration offers both ingress, for UI/API access to the Ansible Automation Platform control plane, and egress, for the control plane to connect to your private resources. For more information, see section AWS PrivateLink connectivity into the Ansible Automation Platform control plane.
- Ingress PrivateLink: Connects your VPC to the Ansible Automation Platform control plane (for UI/API access). Requires a support ticket providing your AWS Account ID and Region.
- Egress PrivateLink: Connects the Ansible Automation Platform control plane to your private resources (for example, private automation hub). This requires a separate support ticket to authorize the connection to your Endpoint Service.
5.3.2.3. Connectivity
The execution plane can communicate with the control plane under the following conditions:
- Polling (mesh-ingress): Execution nodes must route stateful egress traffic to the Ansible Automation Platform deployment domain over port 443.
- Push: A configurable firewall port must be open in the customer’s remote networks to allow Ansible Automation Platform to push information to execution nodes.
You can configure automation mesh nodes behind firewalls, proxy servers, and similar services. These services route or proxy traffic originating from Ansible Automation Platform without altering headers, payload, or other information that would affect functionality of the automation mesh.
You can restrict access to the control plane by providing CIDR blocks to the Red Hat support team through a Customer support request. This controls the inbound access to the control plane limiting it to the IP ranges you provide for traffic over the public internet. The application of these rules do not apply to traffic over PrivateLink. These restrictions do not affect outbound traffic that originates from the control plane.
Customers must allowlist the following wildcard domain in their local firewalls to permit the SRE team’s maintenance and monitoring:
-
*.redhat.com
5.3.3. Monitoring
You can configure monitoring and hardening tools of your choice on the execution plane. You are responsible for their operation, functionality, and maintenance, ensuring they do not interfere with the execution plane’s operation.
Any additional workloads on the execution plane requires extra resources from the virtual machines or OpenShift clusters where the tools are deployed. Make sure to size resources accordingly to accommodate these additional requirements.
5.3.4. DNS
Execution nodes use the DNS configuration of the host machine for DNS queries. Configure DNS using standard RHEL network practices to ensure proper lookups during automation execution.
5.3.5. Networking with overlapping CIDR blocks
Automation mesh connects the control plane to multiple networks that share the same Classless Inter-Domain Routing (CIDR) block (that is, the same class A address space repeated across different clouds or data centers). Execution nodes regard their deployment network as the local network. You must have at least one execution node instance paired with an instance group to target automation in each network.
5.3.6. Updates and maintenance
Automation mesh execution nodes are designed to minimize the need for patching the execution plane when the control plane is updated. However, future updates to the technology will require customer involvement to update the components in each execution plane node.
When patches are needed, customers should follow the process for updating an automation mesh node. For help with updating your receptor see the Updating Receptors section of the Automation mesh for managed cloud or operator environments.
5.4. Support
Red Hat Ansible Automation Platform Service on AWS includes Red Hat Premium Support, accessible through the Red Hat Customer Portal.
For support response times, refer to the Production Support Terms of Service.
AWS support is subject to the customer’s existing support contract with AWS.
Chapter 6. Red Hat Ansible Automation Platform best practices
This section covers Ansible Automation Platform product use that has specific content or context for using Ansible Automation Platform as a service.
6.1. Configure automation to use instance groups
Red Hat Ansible Automation Platform Service on AWS requires that customers implement their own automation execution plane.
Job templates must use a customer-configured instance or container group to run. If omitted, job runs can seem non-functional and eventually time out due to automation execution failure. Each job template must be assigned to a customer-configured instance group to function.
6.2. Syncing content with private automation hub
Private automation hub allows you to attempt to sync all content between automation hub or Ansible Galaxy. However, this synchronization fails due to the storage and resource demands of such a large task.
When syncing content from external sources, limit the synchronization to the collections your organization plans to use, focusing on recent or known used versions to reduce the synchronization scope.
Chapter 7. Red Hat Ansible Automation Platform Service on AWS Private Link Connectivity
Private link connectivity is a networking feature commonly used in cloud environments. Private link connectivity allows services to communicate privately over a secure, internal network without exposing traffic to the public internet. On AWS, private link connectivity is known as AWS PrivateLink.
7.1. Key benefits of private link connectivity
To ensure maximum network isolation and security, AWS PrivateLink connectivity establishes a private connection for the Ansible Automation Platform Service on AWS, which is essential because:
- It enables the Ansible Automation Platform Service on AWS control plane to connect to project and execution environment repositories hosted on private networks that are inaccessible from the public internet.
- It keeps automation mesh data within a private network rather than traversing the public internet.
Automation mesh uses industry standard TLS encryption regardless of how automation mesh nodes are connected. Consider this traffic secured in the same manner as all TLS traffic.
7.2. How AWS PrivateLink works
AWS PrivateLink connectivity is supported both into (ingress) and out of (egress) the Ansible Automation Platform control plane.
For more AWS specific information about how AWS PrivateLink works, see the Amazon Virtual Private Cloud documentation.
7.2.1. AWS PrivateLink connectivity from customer VPC into the Ansible Automation Platform control plane
For AWS PrivateLink connectivity into the control plane, an AWS Endpoint Service has automatically provisioned AWS PrivateLink connectivity into the control plane in your AWS environment. You must create an AWS Endpoint to connect to this service in your Virtual Private Cloud (VPC), and enable private DNS resolution of the endpoint service hostname. With this in place, any traffic originating from your VPC to the control plane API or mesh ingress connects to a private IP address and does not traverse the public internet. Traffic is stateful, so there is no need to open a private link in the reverse direction for responses to Transmission Control Protocol (TCP) requests that originate from the customer VPC
7.2.2. AWS PrivateLink connectivity from Ansible Automation Platform control plane to customer VPCs
You can configure Ansible Automation Platform to use external resources such as source code repositories, container registries, and execution nodes. By default, the control plane connects to these resources over the public internet. However, if your resources are not publicly available, you can leverage AWS PrivateLink to securely access your private resources without traversing the public internet.
AWS PrivateLink connectivity allows the Ansible Automation Platform control plane to connect privately to your resources including, registries, repositories, and execution nodes. Traffic is stateful, eliminating the need to open a private link in the reverse direction for responses to Transmission Control Protocol (TCP) requests that originate from the control plane VPC.
To enable AWS PrivateLink connectivity from the control plane to your private resources, create one or more Endpoint Services in your VPC. Then reach out to Red Hat support to create the consuming Endpoints.
When creating the Endpoint Service in your VPC, you must enable the Private DNS option. This ensures that the Ansible Automation Platform control plane can resolve and connect to your service using the specified domain over AWS PrivateLink. Private DNS enables DNS queries from Ansible Automation Platform resolve to the private IP addresses of the interface endpoint, facilitating secure and direct communication over PrivateLink.
7.3. Inbound traffic control (IP restrictions)
Two distinct layers of traffic control are available depending on your connectivity method.
| Method | Scope | Managed by | Action required |
|---|---|---|---|
| Public internet access | Restricts access to the Ansible Automation Platform UI and API over the public internet. | Red Hat SRE | Open a Support Ticket requesting "Traffic Control CIDR Allowlisting."
You must provide the specific IP CIDR blocks (for example, |
| PrivateLink access | Restricts access coming through your PrivateLink VPC Endpoint. | Customer | Configure the AWS Security Group attached to your VPC Endpoint to allow inbound HTTPS (443) traffic only from specific internal subnets or VPN CIDRs. |
7.4. Enabling AWS PrivateLink connectivity
To enable private link connectivity, submit a customer support ticket and the Red Hat team will work with you on the next steps.
You must create two separate support tickets for bi-directional connectivity:
- One enabling AWS PrivateLink connectivity from Customer VPC into the control plane
- One enabling AWS PrivateLink connectivity out of the control plane to Customer VPC.
7.4.1. Configuring AWS PrivateLink connectivity from customer VPC to Red Hat managed control plane
This configuration allows your internal users and automation to access the Ansible Automation Platform UI and API over PrivateLink.
Procedure
- To request Ingress PrivateLink submit a Customer support case to Red Hat using the Ingress AWS PrivateLink request template step 2.
You must include your:
- AWS Account ID.
- Region.
- Deployment URL.
- After Red Hat provides you with a VPC Endpoint Service Name, you must create a VPC Endpoint in your AWS account that points to the provided service name.
For your Ingress AWS PrivateLink request template:
Select "Endpoint services that use NLBs and GWLBs".
- In the Service name field, paste the VPC Endpoint Service Name provided by Red Hat and click .
Complete the network and security group configuration as required by your organization.
Subject: Request for Ingress PrivateLink Connection: <Your Company Name> - <Deployment ID> Body: Hello Red Hat Support, We would like to enable Ingress PrivateLink connectivity for our AAP on AWS instance. This will allow our internal users and automation tools to access the AAP Control Plane (UI/API) securely from our VPC without traversing the public internet. Deployment details: AAP Deployment Name/ID: <for example., ans-123456> AAP Deployment URL: <for example, https://ans-123456.ansible.redhat.com> Our Network Information: Our AWS Account ID: <Your 12-digit AWS Account ID> Target Region: <for example, us-east-1> Action required: Please create the Endpoint Service configuration on the Control Plane side and provide us with the VPC Endpoint Service Name so we can create the interface endpoint in our VPC. Thank you.
7.4.2. Configuring AWS PrivateLink connectivity from Red Hat managed control plane to customer VPCs
This configuration allows the Ansible Automation Platform control plane to connect to your private resources, such as internal Git or private automation hub.
Procedure
Create an Endpoint Service in your VPC:
- Confirm your private resource is behind an AWS Network Load Balancer (NLB).
Create an Endpoint Service in your AWS VPC that points to that NLB.
ImportantYou must select the service type that supports Interface endpoints and enable the Private DNS option.
- To initiate control plane egress, you must submit a separate Customer support case using the Egress PrivateLink request template.
- Red Hat uses the information provided to create an Interface Endpoint on their side. When Red Hat creates this endpoint, they select the category "Endpoint services that use NLBs and GWLBs" to connect to your service.
- Your Internal Network or IT Team must configure the Internal DNS.
- To ensure users route through the secure PrivateLink connection, you must request a Split-Horizon DNS configuration.
- Copy the Egress PrivateLink request template, fill in your specific VPC Endpoint Service Name, and submit it to Red Hat.
Egress PrivateLink request template
Subject:
Egress PrivateLink Configuration for <Instance ID>
Body:
We need to enable Egress PrivateLink connectivity to allow the AAP control plane to access our internal private resources (for example, private automation hub, Git and so on).
Configuration details:
Our AWS Account ID: <Your 12-digit AWS Account ID>
Our Endpoint Service Name: <for example, com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxx>
Service Regions/AZs: <for example., us-east-1 / us-east-1a, us-east-1b>
Action required:
Please confirm when Red Hat has initiated the connection request so we can approve it in our AWS Console.
Thank you.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}