Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 5. Red Hat Ansible Automation Platform Service on AWS Service Definition
The service definition details the shared responsibilities between Red Hat, which manages the control plane, and the customer, who manages the execution plane.
5.1. Account management
This section provides an overview of the billing and environment management operations.
5.1.1. Billing
Red Hat Ansible Automation Platform Service on AWS is billed through Amazon Web Services (AWS). Pricing is based on the number of managed active nodes and related infrastructure management costs. Discount tiers are available for pre-purchasing managed active nodes at the start of a billing cycle.
The service includes one Ansible Automation Platform deployment and 10 Red Hat Enterprise Linux (RHEL) entitlements for running your automation execution plane.
5.1.2. Deployment-self-service
You can self-service deployments including, but not limited to, the following operations:
- Buy and deploy an Ansible Automation Platform on AWS environment.
- Cancel an Ansible Automation Platform on AWS environment subscription.
When you cancel or do not renew a subscription in the AWS Marketplace, the service begins the deprovisioning process 72 hours after the cancellation.
The system keeps an encrypted backup for a limited time after unsubscription to prevent data loss from accidental unsubscription.
You may request a complete purge of the backup data after unsubscription, with the understanding that there is permanent data loss.
If you initiate a cancellation, your deployment will begin to shut down. If you initiated the cancellation in error you have 72 hours from the initial cancellation to submit a Support ticket and the Red Hat team will assist you in recovering the cancelled deployment.
5.1.3. Regions and availability zones
Each supported region is paired with a companion AWS region where backup data is stored in the event of a primary region catastrophe that requires restoration in another AWS region.
Refer to Backup and disaster recovery for the list of supported and backup regions.
5.1.4. Service level agreement
Any service level agreements (SLAs) for the service itself are defined in Appendix 4 (Online Subscription Services) of the Red Hat Enterprise Agreement Product Appendices.
5.1.4.1. Limited support status
When a deployment transitions to "Limited Support" status, Red Hat will no longer troubleshoot execution plane issues.
The SLA is no longer applicable and credits requested against the SLA are denied. However, this does not mean you lose all product support. A deployment can return to full support if you address the issues that caused the limited status.
A deployment might move to a Limited Support status for several reasons, including:
- Lack of an execution plane
- A customer execution plane is required for automation. If you have not configured one or if it’s in a degraded state, you must fix these issues before receiving automation support.
- Unsupported Execution Plane Dependencies
- Both Red Hat Enterprise Linux (RHEL) and OpenShift-based execution planes need regular maintenance and upgrades to meet minimum supported versions for Ansible Automation Platform dependencies. You can upgrade these resources using various methods, such as Ansible for patching, Red Hat Satellite, or DNF automatic updates. Keeping your OS, cluster, and receptor resources updated with supported Ansible Automation Platform helps reduce support issues.
5.1.5. Responsibilities
Learn about your responsibilities and Red Hat’s responsibilities. Understanding these roles helps you manage your product effectively.
| Feature | Red Hat | Customer |
|---|---|---|
| Control plane infrastructure | ✓ | ┄ |
| Execution plane infrastructure | ┄ | ✓ |
| Control plane deployment | ✓ | ┄ |
| Control plane uptime | ✓ | ┄ |
| Control plane upgrades | ✓ | ┄ |
| Control plane backup and restore | ✓ | ┄ |
| Control plane security | ✓ | ┄ |
| Execution plane (automation mesh) deployment | ┄ | ✓ |
| Execution plane uptime | ┄ | ✓ |
| Execution plane upgrades | ┄ | ✓ |
| Execution plane backup and restore | ┄ | ✓ |
| Execution plane security | ┄ | ✓ |
| Settings and configuration | ┄ | ✓ |
| Automation content | ┄ | ✓ |
| Application integrations | ┄ | ✓ |
| Identity and access | ┄ | ✓ |
| Monitoring SSL and TLS certificate expiration | ┄ | ✓ |
5.2. Control plane
The Ansible Automation Platform control plane includes the application UIs, APIs, components, and services used for managing automation. Red Hat manages these within its own infrastructure.
Each customer deployment is fully isolated at the infrastructure layer. Every deployment provisions its own dedicated network, compute, and database resources, remaining entirely independent from all other customer environments. By enforcing this level of isolation, there is a reduced risk of data leakage or unauthorized cross-deployment interactions, ensuring that actions and information remain confined within their designated environments.
5.2.1. Preparing for deployment
The following optional configurations include custom domains and AWS PrivateLink setup. You can implement these settings to meet your specific security and networking requirements.
5.2.1.1. Prerequisites
Before initiating these configuration requests, ensure the following are available.
- Access: You have access to Red Hat Customer Portal (Customer support) and the AWS Console.
- Infrastructure: You have an active Ansible Automation Platform Service on AWS deployment.
- Network: You have an existing VPC with private subnets (for PrivateLink).
- DNS: You have administrative access to your public or private DNS provider.
5.2.1.2. Execution plane strategy
Red Hat strongly advises provisioning your own execution nodes and instance groups in your VPC.
- Cost Impact: Workloads running on the control plane trigger auto-scaling of vCPUs, which are billed at a higher variable rate ($0.10/vCPU/hr). For more information see Ansible Automation Platform Service on AWS: Infrastructure Metering Changes.
- Recommendation: To maintain predictable costs and security isolation, use the control plane for management only and offload automation execution to your own EC2 instances.
5.2.1.3. Configure AWS PrivateLink
AWS PrivateLink establishes secure connectivity between your VPC and the Red Hat managed control plane without traversing the public internet.
AWS PrivateLink connectivity is supported both into (ingress) and out of (egress) the Ansible Automation Platform control plane. Customers must work with the Red Hat SRE Team to set up the following AWS PrivateLink connectivity directions:
- From customer VPC to Red Hat managed control Plane
- From Red Hat managed control plane to customer VPC
To configure bi-directional connectivity, complete the following steps:
Submit Customer support cases to Red Hat to begin this process.
- A separate ticket must be created for ingress and egress
- The Redhat SRE team will work together with the customer and enable AWS PrivateLink Connectivity via the support case.
To begin this process see Enabling AWS PrivateLink connectivity.
5.2.1.4. Performance guidelines for Event-Driven Ansible on Ansible Automation Platform Service on AWS
Use this information to plan and configure Event-Driven Ansible on Ansible Automation Platform Service on AWS.
All customer workloads differ, and performance results may vary. Red Hat recommends monitoring Subscription Watch for Ansible Automation Platform Service on AWS meters within Hybrid Cloud Console and creating cost alerts in AWS.
The following table reflects the observed performance and resource utilization for the tested configuration.
Observed performance and resource utilization
| Category | Metric | Value |
|---|---|---|
| Tested configuration | Rulebook Activations | 5 |
| Events published per second | 120 | |
| Actions per second | 20 | |
| Derived metrics | Actions per activation (20 events/sec x 30 sec) | 600 |
| Total actions across all activations | 3,000 | |
| Infrastructure | vCPUs | 12 |
| Observed performance | Total Events Sent | 3,000 |
| Job Events | 600 | |
| Failed Iterations | 0 | |
| Event Processing Time | 77.07 seconds |
Performance metrics change as the control plane scales (up or down) based on the running workload.
5.2.1.5. Configure a custom domain
Configure a custom domain, starting with generating a certificate and private key, submitting a support case for SRE configuration, and finalizing the setup with a required DNS update.
For help with this process see the Custom domain section.
5.2.2. Customer access
You can access the control plane through the Ansible Automation Platform user interfaces and APIs.
During the initial configuration of an Ansible Automation Platform Service on AWS deployment, you will receive the URL for your deployment. You can also find this information through the Red Hat Hybrid Cloud Console (HCC).
The administrator account’s initial password is provided to the HCC user who performed the initial deployment.
You must change this initial password immediately after your first log in to Ansible Automation Platform.
If you need help accessing your deployment, submit a support request through Customer support.
You can provide a custom URL for your Ansible Automation Platform Service on AWS by using a domain name that you own. To request a custom domain name for your deployment, you can submit a customer support request to initiate the configuration process. The Red Hat SRE team will engage the support ticket for collaboration on next steps. Refer to the Custom Domain section for configuration information.
5.2.3. Service uptime
Uptime for Red Hat Ansible Automation Platform Service on AWS is measured by user access and function of the Ansible Automation Platform control plane. This is measured through the uptime of the product web user interface and REST APIs.
Measurements are calculated through successful HTTP response codes (200) to entry points of the UI and API. If either of these return an unsuccessful response code, or are unavailable and time out entirely, then the service will be considered to be in an outage state. Uptime of the execution plane, which is managed by customers, is not included as part of the uptime of the service. Customers are responsible for ensuring that the execution plane is redundant, scalable, and available in order to meet customer uptime objectives.
5.2.4. SRE access and management
Site Reliability Engineering (SRE) access is limited to the infrastructure and services running Ansible Automation Platform. Red Hat only accesses the Ansible Automation Platform interfaces or APIs in exceptional cases, such as during support engagements.
SRE access to control plane resources is restricted to operations that require human intervention and cannot be automated. Any access follows a request-and-approval process and is audited to ensure only authorized personnel can perform these operations.
SREs access resources and audit data are collected when:
- The SRE team requests access to cluster resources using a tool that allows temporary access. This tool generates a log entry detailing the time and the SRE team member who requested access.
- Audit logs are created for any management operation performed on a customer instance and are sent to a centralized logging system.
Red Hat erases job logs every 30 days.
5.2.5. Backup and disaster recovery
Red Hat maintains daily database and file system snapshots in a separate region from each deployment.
| Component | Snapshot Frequency | Retention Policy |
| Database | Daily | 7 days |
| File System | Daily | 7 days |
This recovery data is used if an AWS regional outage cannot be resolved in a reasonable time.
Customer data is replicated to a predefined secondary region based on the deployment region. The currently paired regions are:
| Primary Region | Business Continuity Region |
|---|---|
| af-south-1 (Cape Town) | ap-southeast-2 (Sydney) |
| ap-east-1 (Hong Kong) | ap-south-1 (Mumbai) |
| ap-northeast-1 (Tokyo) | ap-northeast-3 (Osaka) |
| ap-northeast-3 (Osaka) | ap-northeast-1 (Tokyo) |
| ap-southeast-2 (Sydney) | ap-south-1 (Mumbai) |
| ca-central-1 (Central Canada) | us-east-2 (Ohio) |
| ca-west-1 (Canada) | ca-central-1 (Central Canada) |
| eu-central-1 (Frankfurt) | eu-central-2 (Zurich) |
| eu-central-2 (Zurich) | eu-central-1 (Frankfurt) |
| eu-south-2 (Spain) | eu-west-3 (Paris) |
| eu-west-1 (Ireland) | eu-north-1 (Stockholm) |
| eu-west-2 (London) | eu-west-1 (Ireland) |
| eu-west-3 (Paris) | eu-south-2 (Spain) |
| sa-east-1 (São Paulo) | us-east-1 (N. Virginia) |
| us-east-1 (N. Virginia) | us-west-2 (Oregon) |
| us-east-2 (Ohio) | us-west-2 (Oregon) |
| us-west-2 (Oregon) | us-east-1 (N. Virginia) |
To recover an Ansible Automation Platform deployment in a different AWS region, a customer must submit a request specifying their preferred deployment region from the available options. Red Hat evaluates the request and begins building an instance in that region. Data from the previous instance is recovered from the customer’s business continuity region. The customer is responsible for any necessary post-deployment network configuration to integrate the new instance into their environment.
Backup data is not directly accessible to customers. The data is only used in the event of infrastructure failure, not customer configuration errors. Red Hat encourages using configuration-as-code practices to maintain a customer-hosted backup of your configuration.
5.2.6. Infrastructure monitoring
Red Hat is responsible for monitoring the control plane. You do not have access to add any additional monitoring to the resources that run the control plane.
5.2.7. Application monitoring and customer audits
The Ansible Automation Platform activity stream provides detailed information about access to Ansible Automation Platform and usage. To retain this information for auditing or compliance, you must export the logs to supported logging services for retention and querying.
5.2.8. Status notification
Red Hat communicates the health and status of Red Hat Ansible Automation Platform Service on AWS clusters through the Red Hat Hybrid Cloud Console, email notifications to the original deployment contact, and any additional contacts you specify.
5.2.9. Security
The platform is a managed service with robust built-in security, including RBAC and data encryption at rest and in transit (AES-256).
5.2.9.1. Identity and access management
Ansible Automation Platform includes a built-in user model for configuring users and RBAC permissions that define access.
Red Hat recommends using an enterprise identity provider with Ansible Automation Platform to implement multi-factor authentication for users. See the Access management and authentication guide for more information.
Red Hat advises keeping at least one local administrator account with a long, complex password for emergency access.
5.2.9.2. Encryption
Data is encrypted at rest in both the database and file system using AWS Key Management Service (KMS), which uses AES-256 encryption. Data in transit is encrypted with TLS 1.2 or higher.
We use AWS Customer Managed Keys (CMKs) to enforce encryption across databases, Amazon S3 buckets, and AWS Secrets Manager secrets. These KMS keys are securely stored in AWS Key Management Service (KMS) under Customer Managed Keys. KMS keys are automatically rotated every 365 days to reduce the risk of key compromise. The Amazon S3 bucket is used for automation hub configuration and backups. AWS Secrets Manager secrets is leveraged to store sensitive information such as credentials and configuration details.
5.2.10. Hosted components
The objective of this offering is to provide an Ansible Automation Platform deployment as a managed service, relieving customers of managing the Ansible Automation Platform control plane.
All Ansible Automation Platform capabilities in the operator-based deployment model are supported.
5.2.11. Custom domain
Ansible Automation Platform control plane is accessible through its user interfaces, APIs, and mesh ingresses. While each service instance has an auto-generated Red Hat URL, you can set up a custom domain. This customization process varies based on whether you plan to use AWS PrivateLink or not.
To use custom domains, you must configure three DNS records according to your service’s connectivity model. These records will be explained in greater detail in the following sections. The conventions for these records are:
-
platform.<optional_subdomain.exampledomain.com> -
mesh-ingress-0.<optional_subdomain.exampledomain.com> -
mesh-ingress-1.<optional_subdomain.exampledomain.com>
You can create custom subdomains under the domain you own.
5.2.11.1. Planning for your custom domain
You can configure a custom URL through Red Hat SRE assistance for your deployment. First, however, you must complete the preparatory steps, for domain identification and TLS certificate creation.
Prerequisites
- Ensure that you have management over the domain or subdomain you intend to use in order to add multiple records.
- Ensure the DNS servers that you use to resolve the record must be accessible wherever you intend to use the domain.
-
Ensure that you use the same domain for all URLs in the deployment (for example, use
exampledomain.comfor custom URLs).
Procedure
- Identify the domain or subdomain to use.
Create the TLS certificate:
- Include all mesh-ingress records in the Subject Alternative Name (SAN) parameter.
-
Alternatively, generate a wildcard certificate to cover subdomains (for example,
*.exampledomain.com).
Bundle the certificate, private key, and any optional intermediary certificates into a zip.
ImportantTLS Certificate requirements for custom domains:
- Private Key: The private key must be unencrypted and cannot have a passphrase or be password protected.
- Expiration: Initial certificates must be valid for at least one year.
- Renewal: You must initiate a support ticket to renew the certificate at least 14 days before the expiration date. When renewing you must use one of the following formats for the certificate’s Subject Alternative Names (SANs):
Explicit SANs: List the required subdomains:
platform,mesh-ingress-0, andmesh-ingress-1. For example, if your domain isexampledomain.com, include the following in the certificate’s SAN:-
platform.exampledomain.com -
mesh-ingress-0.exampledomain.com -
mesh-ingress-1.exampledomain.com -
Wildcard certificate: Use a wildcard to cover all subdomains (for example,
*.exampledomain.com).
-
Open a support ticket with Red Hat requesting a custom URL configuration to your deployment and include the following information:
- Company Name
-
Deployment information (for example,
cus-xxxx) -
Custom domain (for example,
exampledomain.com) - Provide the zip file containing the certificates, or request a presigned URL for secure upload.
- Allow the SRE team to apply the configuration to your deployment, verify the functionality, and collaborate with you on follow-up steps via the support ticket.
- Update image URLs for Execution Environments and Decision Environments to point to the new platform domain address if images are sourced from the private automation hub on the same Ansible Automation Platform instance.
Reconfigure pull mode execution nodes if they were previously configured with the old domain:
-
Locate the
group_vars/all.ymlfile in the tar archive used to set up the execution node. -
Modify the
receptor_peersaddress variable to point to the new mesh ingress node. Rerun the
install_receptor.ymlplaybook.NoteNew mesh-ingresses using the custom domain replace the original ones.
-
Locate the
5.2.11.2. Setting up a custom domain without AWS PrivateLink
If you are not planning to connect to the Ansible Automation Platform UI or use automation mesh through AWS PrivateLink, complete the following steps to configure your DNS.
Procedure
Identify the canonical names of the load balancers of your deployment.
You can use a DNS lookup on the Red Hat-generated URL to identify the DNS names for both load balancers:
Shell # Replace the URL with the "platform" URL of your deployment dig platform.cus-<id>.aws.ansiblecloud.comShell # Replace the URL with the "mesh-ingress" URL of your deployment dig mesh-ingress-0.cus-<id>.aws.ansiblecloud.comCreate DNS CNAME records for your custom domain using the following hostnames pointing to the DNS names identified in the previous step:
-
platform (for example,
platform.exampledomain.com)cus-xxxxx-alb-11111111.us-east-1.elb.amazonaws.com -
mesh-ingress-0 (for example,
mesh-ingress-0.exampledomain.com)xxxxx.elb.us-east-1.amazonaws.com -
mesh-ingress-1 (for example,
mesh-ingress-1.exampledomain.com)xxxxx.elb.us-east-1.amazonaws.com
-
platform (for example,
5.2.11.3. Setting up a custom domain with AWS PrivateLink
If you are planning to connect to the Ansible Automation Platform UI or use automation mesh through AWS PrivateLink, complete the following steps to configure your DNS.
Procedure
Retrieve the main DNS name of the Amazon Virtual Private Cloud (VPC) endpoint you created to connect to AWS PrivateLink endpoint service by performing the following steps:
-
Log in to the Amazon Web Services portal and select
. - Click the VPC Endpoint for Red Hat Ansible Automation Platform Service on AWS.
Retrieve the DNS names in the Details tab.
There are a few entries. To find the correct DNS name, go to the Details tab and look for the entry that is not tied to a specific Availability Zone (AZ). For instance, choose
vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.comrather than one that includes an AZ likeus-east-1aorus-east-1b.Alternatively, you can choose to use Amazon Web Services CLI to retrieve the DNS names of that endpoint by entering:
Shell aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-xxxx --query 'VpcEndpoints[0].DnsEntries[*].DnsName'
-
Log in to the Amazon Web Services portal and select
After you have retrieved the DNS name, create the DNS CNAME records for your custom domain using the following hostnames pointing to the DNS name identified in the previous step:
-
platform (for example,
platform.exampledomain.com)vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.com -
mesh-ingress-0 (for example,
mesh-ingress-0.exampledomain.com)vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.com -
mesh-ingress-1 (for example,
mesh-ingress-1.exampledomain.com)vpce-xxxx-xxxx.vpce-svc-xxxx.us-east-1.vpce.amazonaws.com
-
platform (for example,
5.3. Execution plane
You can only run test and cleanup jobs on the default or controller execution planes. All other automation must be configured to run on your execution plane.
As part of the Ansible Automation Platform Service on AWS subscription, you receive 10 Red Hat Enterprise Linux (RHEL) entitlements for running the execution plane. Additional RHEL or OpenShift licenses can be purchased separately.
5.3.1. Shape
Your execution plane’s size and shape depend on the type of automation and the locations connected to the mesh. Use the following guidelines for your automation mesh implementation:
Ansible Automation Platform minimum requirements:
Hop Nodes: Red Hat Ansible Automation Platform Service on AWS includes two hop nodes that customers can use to peer with execution nodes. They typically require minimal resources. The shape of a hop node depends on the number of connected execution nodes. A virtual machine (VM) with 2 vCPUs and 2 GB RAM can route traffic for 2-4 execution nodes.
- For help with configuring your automation mesh see Automation mesh for managed cloud or operator environments.
- For automation in fewer locations (such as specific geographies or clouds), create a mesh with fewer VMs that can be scaled vertically. Most clouds and hypervisors allow shape changes with minimal downtime.
- For CPU or RAM-intensive automation, use larger machine shapes.
- For automation spanning multiple locations, create a mesh with nodes that connect to those locations.
- Consider using different CPU architectures, like ARM, and reserved instances to reduce execution plane costs.
- To configure redundancy in the automation mesh, set up at least two mesh nodes of the same shape in different availability zones within the same region, connecting each machine to both hosted hop nodes.
- Use OpenShift if auto-scaling the execution plane is necessary.
5.3.2. Networking
Understand the automation mesh architecture and the connectivity requirements for the execution plane
5.3.2.1. Automation mesh
Ansible Automation Platform Service on AWS provides default “mesh-ingress” hop nodes. These hosted hop nodes allow execution nodes to poll for automation work through egress from a customer’s private network, eliminating the need to open inbound firewall ports. Hosted hop nodes use port 443 for inbound traffic.
The following is an example of an execution node in a private address space with egress-only internet access connected to Ansible Automation Platform Service on AWS through this model.
You can also configure the automation mesh with outbound connectivity from the control plane to your execution plane, allowing you to specify the ports used by the automation mesh.
You can use the Automation mesh for managed cloud or operator environments documentation for instructions.
5.3.2.2. PrivateLink configuration types
The PrivateLink configuration offers both ingress, for UI/API access to the Ansible Automation Platform control plane, and egress, for the control plane to connect to your private resources. For more information, see section AWS PrivateLink connectivity into the Ansible Automation Platform control plane.
- Ingress PrivateLink: Connects your VPC to the Ansible Automation Platform control plane (for UI/API access). Requires a support ticket providing your AWS Account ID and Region.
- Egress PrivateLink: Connects the Ansible Automation Platform control plane to your private resources (for example, private automation hub). This requires a separate support ticket to authorize the connection to your Endpoint Service.
5.3.2.3. Connectivity
The execution plane can communicate with the control plane under the following conditions:
- Polling (mesh-ingress): Execution nodes must route stateful egress traffic to the Ansible Automation Platform deployment domain over port 443.
- Push: A configurable firewall port must be open in the customer’s remote networks to allow Ansible Automation Platform to push information to execution nodes.
You can configure automation mesh nodes behind firewalls, proxy servers, and similar services. These services route or proxy traffic originating from Ansible Automation Platform without altering headers, payload, or other information that would affect functionality of the automation mesh.
You can restrict access to the control plane by providing CIDR blocks to the Red Hat support team through a Customer support request. This controls the inbound access to the control plane limiting it to the IP ranges you provide for traffic over the public internet. The application of these rules do not apply to traffic over PrivateLink. These restrictions do not affect outbound traffic that originates from the control plane.
Customers must allowlist the following wildcard domain in their local firewalls to permit the SRE team’s maintenance and monitoring:
-
*.redhat.com
5.3.3. Monitoring
You can configure monitoring and hardening tools of your choice on the execution plane. You are responsible for their operation, functionality, and maintenance, ensuring they do not interfere with the execution plane’s operation.
Any additional workloads on the execution plane requires extra resources from the virtual machines or OpenShift clusters where the tools are deployed. Make sure to size resources accordingly to accommodate these additional requirements.
5.3.4. DNS
Execution nodes use the DNS configuration of the host machine for DNS queries. Configure DNS using standard RHEL network practices to ensure proper lookups during automation execution.
5.3.5. Networking with overlapping CIDR blocks
Automation mesh connects the control plane to multiple networks that share the same Classless Inter-Domain Routing (CIDR) block (that is, the same class A address space repeated across different clouds or data centers). Execution nodes regard their deployment network as the local network. You must have at least one execution node instance paired with an instance group to target automation in each network.
5.3.6. Updates and maintenance
Automation mesh execution nodes are designed to minimize the need for patching the execution plane when the control plane is updated. However, future updates to the technology will require customer involvement to update the components in each execution plane node.
When patches are needed, customers should follow the process for updating an automation mesh node. For help with updating your receptor see the Updating Receptors section of the Automation mesh for managed cloud or operator environments.
5.4. Support
Red Hat Ansible Automation Platform Service on AWS includes Red Hat Premium Support, accessible through the Red Hat Customer Portal.
For support response times, refer to the Production Support Terms of Service.
AWS support is subject to the customer’s existing support contract with AWS.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}