IBM Cloud Docs
Schematics agents

Schematics agents

IBM Cloud® Schematics Agent extends the ability to use Schematics workspace and action jobs to provision, configure, and securely access your private cloud and on-premises infrastructure. Dedicated agents on your private network, enable Schematics to provision, configure, and securely access private or on-premises resources. Also dedicated agents include converged-infrastructure, hypervisors, private Git repositories, configuration, and Secrets Manager services.

Schematics does not have direct access to your network, to an agent or your private cloud resources. An agent uses a pull model and polls for the workspace or actions jobs that run on an agent. You are in control of the agent resources, its network policies, its connection to Schematics and the jobs that are ran on the agent. Agents are designed not to require inbound access from Schematics or the opening of inbound firewall or network access ports. All communication between the agent and Schematics is outbound from the agent and under your control.

Schematics Agent overview

Agents enable your Schematics workspace and actions jobs to run on your private cloud network or in any isolated network zone and directly work with your cloud infrastructure. Agents extend the existing Schematics shared multi-tenant service, with private dedicated workers (agents) running workspace and action jobs on your private network. The diagram illustrates agent-based job execution alongside the existing shared multi-tenant service.

Schematics workspace and action operations with agents
Schematics agents architecture running workspaces and actions

Agent (assignment) policies dynamically route workspace and action jobs to run on an agent determined by user specified policy attributes. The default, without policies that are defined, are for all workspace and actions jobs to run on the Schematics shared infrastructure. When defined, assignment policies route workspace and action jobs to agents deployed in specific private cloud or network locations. Policy selection attributes include workspace and action Resource Groups, region, and user assigned tags.

Without policy definitions, job execution is installed through the shared multi-tenant Schematics service. The shared environment is described for the deployment architectures in Schematics workspaces and Schematics actions. The shared service runs jobs on the Schematics network to connect the IBM Cloud APIs over the public or private network as needed. If you use the shared service, jobs that require access to resources on the private network, with the running SSH commands or Ansible, access to the users private network. It is done through the public internet by using a user-configured bastion host.

With agents, policies determine the workspaces and actions that you want to run on agents deployed on your private network. Under your control, jobs that run on these agents can configure, and access your cloud or on-premises services and cluster resources, managed by your own network access policies. If you use agents on your private network, bastion host access through the public internet is not needed. The use of agents simplifies the infrastructure and security requirements if you use Ansible or Terraform through SSH and eliminates various security considerations.

Schematics identifies and authenticates your agent by using an IBM Cloud trusted profile identity that is provided by the Kubernetes cluster that runs the agent. This identity is dynamically created when an agent is created and deployed. The trusted profile identities confirm that no one can spoof your agent’s identity, and steal data from Schematics or your account. You are in control of the access permissions that are defined for the trusted profile identity by using IAM access policies.

The agent runtime includes Terraform, Ansible, and more micro-services. For more information about the software utilities included in the agent runtime, see Schematics Agent runtime.

Private network configuration when using agents

The following diagram illustrates a possible agent deployment on a cluster environment with multiple VPCs connected through a transit gateway. Here an agent, running workspace and action jobs, has a direct connection to cloud resources over the private cloud network. In this deployment model, your job can directly configure your cloud resources by using SSH, without the need for bastion hosts to gain access through the public network.

Schematics agents connectivity
Schematics agents connectivity

With agents you are in control of the network security policies of the Kubernetes cluster, and any VPC Security Group or Access Control List policies for the running agent. Also the ability of the workspace and actions jobs to have access to your private cloud resources.

Benefits of using agents

Schematics is a multi-tenant service that supports concurrent usage by many users. The multi-tenant model imposes some restrictions to maintain fair usage across all users and maintain network isolation between users.

The following are some benefits of using agents with Schematics:

  • Agents extend the benefits of using the Schematics along with IBM Cloud Satellite®: to provision and configure hybrid cloud resources across multiple cloud providers.
  • Agents give users their own execution queues. With the multi-tenant shared Schematics service, jobs are placed in a shared queue for all users. Jobs that run on the agents waits in the shared queue and starts sooner. In other words, other tenants workloads do not affect your job performance and response time.
  • If your automation needs special software or versions, or requires more capacity (CPU, memory) to run: The multi-tenant Schematics service does not address your requirements. Agents can be deployed and configured to use dedicated infrastructure to run your automation that can be scaled up or down depending on the capacity needs. In a future release, agent images can be extended to include or use your own automation software and versions along with automation engine that is provided by the Schematics runtime.
  • The multi-tenanted Schematics service uses network access policies: that's common to all users. Agents enable you to implement fine-gained control over the network access policies when performing workspace or actions jobs that access your private network resources. You can configure the ingress or egress rules of the agent cluster and VPC security policies that are used by agents executing your jobs to connect to your private cloud infrastructure.
  • Agents relieves several of the restrictions of running in a shared service: that is necessary to ensure fair usage of the shared service. Schematics agents relax the timeout limitation for local-exec, remote-exec, and Ansible playbook execution. The timeout limitations in the multi-tenant service are removed to ensure fair service utilization by all users. No duration is applied for jobs ran on agents.

Next steps

You learned about Schematics Agent and its usage. Explore the steps to prepare an agent setup to deploy an agent in your IBM Cloud account.