I’m currently assessing various configuration management systems for managing mostly Windows machines. I’m liking the look of Ansible so far, but I am concerned I have a fairly major blocker. I need the chosen system to be able to manage nodes that are both on a local network (which is fine) and on a remote network (inside Azure) that is not directly connected to my main network.
I know Ansible can talk to Azure resources, but I am primarily thinking about configuring the Azure VMs once created. These VMs are not currently directly addressable over the internet and ideally, I want to avoid having to give every VM a public IP and expose WinRM for all machines. When looking at an agent-based system such as Puppet it works fine as the nodes call into the master, but obviously, that is not the case with Ansible. I note that it is possible to use a jump server, but this appears to be Linux only.
Given this requirement, is Ansible a no-go or is there a way round this?
Could you not spin up a Linux box in Azure and put Ansible on that? Then you can manage your Azure Windows nodes from there.
It's always best to keep your Ansible controllers ‘near’ (in networking terms) to the machines you are managing anyway.
At work we have 1 Ansible controller per datacenter. They can all pull their configuration from source control so the roles and playbooks are consistent and it works ok for us.
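As an added illustration (not part of the thread), this is the kind of inventory the in-Azure controller described above would use: the Windows nodes are addressed by their private VNet IPs over WinRM HTTPS, so no public IP or internet-facing listener is needed. Host names, addresses and the vault variable names are placeholders; it assumes domain-joined hosts and a controller with pywinrm Kerberos support installed.

```yaml
# Inventory for an Ansible controller that lives inside the Azure VNet.
# Constructed example: hostnames, private IPs and credential variable
# names are placeholders, not values from the thread.
all:
  children:
    azure_windows:
      hosts:
        web01:
          ansible_host: 10.1.0.11   # private VNet address only, no public IP
        web02:
          ansible_host: 10.1.0.12
      vars:
        ansible_connection: winrm
        ansible_port: 5986                             # WinRM HTTPS listener
        ansible_winrm_scheme: https
        ansible_winrm_transport: kerberos              # no basic auth over the wire
        ansible_winrm_server_cert_validation: validate # keep the default; never 'ignore'
        ansible_user: "{{ vault_winrm_user }}"         # credentials kept in ansible-vault
        ansible_password: "{{ vault_winrm_password }}"
```

Because the listener is only reachable on the private address space, an NSG rule that allows TCP 5986 solely from the controller's address makes the exposure explicit and auditable.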
It’s feasible we could do that, not ideal as we have lots of small segregated environments but possible. My concern though is reporting, if we go with Ansible we would be wanting to use Tower to report and manage compliance and we would really want this reporting and management to be in a single instance. Is this possible?
We’re not using Tower so I can’t really comment on that, but I guess you could rsync / scp / transfer data in other ways to some central machine for reporting purposes.
We use rsync for moving binaries between datacenters (via ansible synchronise module) (and some smbclient for fetching stuff from windows hosts) and it works well.
Just came across a Tower feature that might be just what you are looking for.
It's called Isolated Nodes - see the description here: https://www.ansible.com/blog/deep-dive-red-hat-ansible-tower-3-2
Hope this helps,
Jon