VMware vRealize® Automation Cloud Guardrails™ is a provisioning service for policy and infrastructure. It is an infrastructure-as-code solution that helps you create and keep your environment compliant with rules for the configuration, security, network, performance, and cost of your environment.

To ensure that your environment continuously complies with policies, Cloud Guardrails runs high-level rules, also known as policies. These policies, in the form of Idem code templates, provide ongoing governance for your private or public cloud environments. Cloud Guardrails applies these rules so that the desired state of your environment aligns to the intention of your policies.

Cloud Guardrails deploys templates that contain infrastructure and policy configuration that manage your environment by adhering to rules that you define. With Cloud Guardrails templates, you centralize your policies, deploy your own cloud guardrails, and observe the results.

The Cloud Guardrails policy library includes bootstrap, network, security, cost, configuration, and performance templates.

The Guardrails policy library includes bootstrap, network, security, cost, configuration, and performance templates.

You can enforce guardrails at multiple hierarchical levels in your public or private cloud. For example:

  • S3 buckets must not be public.
  • EC2 instance of type *.xlarge and beyond is not allowed.
  • Only the US-East region is allowed.
  • Resources must have specific tags.
  • VMs must be compliant to CIS OS Configuration Benchmarks.

Cloud Guardrails uses native cloud policy engines and third-party policy engines, and provides permissions by using service roles and user roles.

Cloud Guardrails manages greenfield cloud environments.

  • Greenfield: Cloud Guardrails enables you to create a cloud environment with policies for a predefined org setup, network, IAM and security, cost, and performance.

Cloud Guardrails templates can be both instantiated and discovered, ensuring that greenfield and brownfield applications continuously comply with all policies.

As a Cloud Ops administrator, you can use Cloud Guardrails to establish a set of baseline guardrails. These guardrails programmatically enable policies for cloud security prevention and detection, OS security detection, cost, and performance of your environment.

The following types of policies map to the categories of templates in the Cloud Guardrails library.

Table 1. Types of Cloud Guardrails policies
Type of policy What it does
Bootstrap Bootstrap policies create the cloud environment, including AWS Organizations, Organization Units, and Member Accounts.

Security policies create security controls on the native public cloud and on the outside security engines. Security policies currently contain preventative, detective, and OS detective templates.

Cloud Security Preventative policies applied directly on the public cloud restrict or mandate actions in a group of resources, such as enforcing a port to be closed, or enforcing that logging is enabled and forwarded to a parser.

Cloud Security Detection policies request that VMware CloudHealth Secure State enable a specific compliance framework that monitors a group of resources for violations in that framework.

OS Security Detection policies request that VMware SaltStack SecOps monitor an OS for vulnerabilities based on type of system, OS, benchmark, and security level.

Cost Costing policies request that VMware CloudHealth monitor a group of resources for cost-related violations including cost anomalies, budget violations, and zombie resources.
Performance Performance policies request that VMware vRealize Operations monitor a group of resources for performance violations including API response time.
Network Networking policies handle the creation of cloud native network objects and controls, including VPCs, subnets, routes, and network access control lists (NACLs).
Config Configuration guardrails enable additional configurations on cloud environments, including the creation of IAM roles, creating an S3 bucket for logging of cloudtrails, and enabling 3rd-party tools necessary for cloud management.

The baseline security guardrail templates provide best practices. For example:

  • A cloud security preventative policy to an AWS Organizational Unit (OU) by using Service Control Policy (SCP)
  • A cloud detection policy to an AWS organization
  • An OS security policy to all VMs deployed in an AWS Organizational Unit

For more information about the Cloud Guardrails policy templates, see What is the Cloud Guardrails template structure.

To set up Cloud Guardrails, see Setting up Cloud Guardrails.