IBM Cloudability Enablement
The Cloudability Enablement deployable architecture (DA) automates the deployment and configuration needed to add your IBM Cloud account or enterprise to an existing IBM Cloudability account. Once enabled, IBM Cloud billing data is made available to Cloudability, allowing the tracking and analysis of IBM Cloud expenses. Billing data is made available to Cloudability by granting access to a Cloud Object Storage (COS) bucket that contains the billing reports, which IBM Cloud Billing updates daily.
A typical use case is to aggregate billing data from multiple cloud vendors or multiple IBM Cloud accounts within Cloudability. This aggregation helps create a complete view of a company's cloud expenses. It also allows costs to be allocated based on business division, unit, or team by using Cloudability business mappings (synthetic resource tagging). This helps drive accountability for cloud costs across your organization.
Architecture diagram
The Cloudability Enablement deployable architecture creates an instance of IBM Cloud Object Storage in a target IBM Cloud account, resource group, and region. An IBM Key Protect instance is created in this same resource group and region to provide a custom encryption key. Then, it configures billing reports to be written to the Object Storage bucket. The DA grants Cloudability access to read the billing reports within the bucket. Next, the IBM Cloud account is added to Cloudability so that it is made aware of how to pull the data from the Object Storage bucket. Events are sent to Monitoring and Activity Tracker by default to help track changes that are made to the Object Storage bucket.
The key management service instance (Key Protect or Hyper Protect Crypto) must be colocated in the same region as the IBM Cloud Object Storage instance.
An account can enable billing report exports for a single account.
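The colocation requirement above can be checked before deployment by comparing the region segment of the key's CRN with the region planned for the bucket. The following is an added example, not part of the deployable architecture; `check_colocation` and the sample CRN are hypothetical, and it assumes a regional bucket and the standard 10-segment IBM Cloud CRN layout with service names `kms` (Key Protect) and `hs-crypto` (Hyper Protect Crypto Services).

```python
# Added example: pre-deployment check, not code from the deployable architecture.
from typing import List, NamedTuple

# Service names as they appear in the service segment of IBM Cloud CRNs.
KMS_SERVICES = {"kms": "Key Protect", "hs-crypto": "Hyper Protect Crypto Services"}


class Crn(NamedTuple):
    service: str
    location: str
    scope: str
    instance: str
    resource_type: str
    resource: str


def parse_crn(crn: str) -> Crn:
    """Split crn:v1:cname:ctype:service:location:scope:instance:type:resource."""
    parts = crn.strip().split(":")
    if len(parts) != 10 or parts[0] != "crn":
        raise ValueError(f"not a 10-segment CRN: {crn!r}")
    return Crn(*parts[4:10])


def check_colocation(key_crn: str, bucket_region: str) -> List[str]:
    """Return a list of problems; an empty list means key and bucket are colocated."""
    try:
        key = parse_crn(key_crn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if key.service not in KMS_SERVICES:
        problems.append(f"service {key.service!r} is not Key Protect or Hyper Protect Crypto")
    if key.resource_type != "key" or not key.resource:
        problems.append("CRN identifies an instance, not a key")
    if key.location.lower() != bucket_region.strip().lower():
        problems.append(f"key is in {key.location!r}, bucket is in {bucket_region!r}")
    return problems


# Constructed sample value (placeholder account, instance and key IDs).
SAMPLE_KEY = ("crn:v1:bluemix:public:kms:us-south:a/ACCOUNT_ID_PLACEHOLDER:"
              "INSTANCE_ID_PLACEHOLDER:key:KEY_ID_PLACEHOLDER")

if __name__ == "__main__":
    for region in ("us-south", "eu-de"):
        print(region, check_colocation(SAMPLE_KEY, region) or "ok")
```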
Design concepts
Requirements
The following table outlines the requirements that are addressed in this architecture.
Aspect | Requirements |
---|---|
Enterprise applications | Set up and grant access to IBM Cloudability to read billing reports for all accounts within an enterprise. |
Storage | Provide storage that meets the application performance and security requirements. |
Security |
|
Resiliency |
|
Service Management | Monitor audit logs to track changes and detect potential security problems. |
Components
The following table outlines the services that are used in the architecture for each aspect.
Aspects | Architecture components | How the component is used |
---|---|---|
Storage | Cloud Object Storage | Stores IBM Cloud billing reports for an IBM Cloud account or all accounts within an enterprise |
Security | IAM | IBM Cloud® Identity and Access Management authenticates and authorizes Cloudability access to read the billing report objects and in the case of an enterprise, the list of accounts within an enterprise. |
Security | Key Protect | Key Management Service used to encrypt the Object Storage bucket with a custom key. |
Security | Context-based restrictions | Restricts access to the Object Storage bucket and Key Management Service keys to only required members based on IP address. |
Resiliency | Key Protect | Support the selection of Key Protect failover regions if needed. |
Service Management | IBM Cloud Monitoring | Operational monitoring of your Object Storage bucket is enabled by default. |
Service Management | Activity Tracker Event Routing | Object Storage operational logs are enabled by default. |
Next steps
If you don't have access to an IBM Cloudability account, then you need to create one. Once you have access to a Cloudability account, then configure access to run the deployable architecture, and deploy the cloud resources.