Service Graph Connector for AWS - Functional Spec and CI

Hi Murali,

First of all, this is all very awesome! However, I'm confused now between the AWS Cloud Discovery capability and this Service Graph Connector.

I understand that there is a difference when it comes to licensing (one is ITOM Visibility, the other Service Graph), but now we basically have two overlapping products doing the same thing, or to some extend not?

What I am now looking for is: What is the difference between these two products and which one should I chose first if the license discussion is not really of concern?

Thanks,
Best regards,
Michel

Hi Michel,

Cloud Discovery - 

• API-based Discovery
• Cloud resource Inventory and Tags (metadata)

And to do Deep dive Discovery – Server, OS, software, TCP connections, processes & relationships, IP discovery needs to be set up. And MID is recovered for this.

 However, for SG-AWS no MID is required and it does – 

• API-based Discovery
• Cloud Resource Inventory, Tags and Relationships
• Deep dive discovery – Server, OS, Software, Processes

SG-AWS is an option where we need deep dive Discovery but credentials and/or MID Servers are an issue.

Thanks

Hi,

Thanks you so much, very helpful!

I also see that you went out of your way to create a new article on this subject, much appreciated!

Best regards,
Michel

Hi Conmic,

If License is not an issue then Discovery is better choice over the graph connector. As per my understanding Graph connector will be used if there is no discovery (License) available. 

Both of the applications have their own advantages 

Regards,
Pranav Patil 

From the latest I've heard, the AWS Service Graph connector is only available bundled with other SKUs, like Discovery or HAM Pro.  Per ServiceNow's guidance, it seems the AWS SG Connector is the recommended approach even if the client has Discovery, because of the architectural and performance advantages.  

Can this connector replace Cloud Discovery if we are using ServiceNow Service Mapping?

SGC-AWS is not a replacement to Cloud Discovery. Its an alternative mechanism for customers who doesn't want to use MID layer. SGC architecture has IntegrationHub ETL for you to customize the mapping if required https://www.servicenow.com/products/service-graph-connectors.html, https://docs.servicenow.com/bundle/rome-servicenow-platform/page/product/configuration-management/co...       Let me know if this answers your question                          

@Murali Reddy1  Hi Murli,

Thanks for the detailed article.

I was referring the steps to install SGC for AWS, in the first step of Guided setup it is asked to run few scripts at AWS side. "Download the scripts" and run in Cloud Formation module in AWS.

Can you please give us more idea on what are these scripts exactly?

Hello @Aarti6, the download scripts are part of the SGC-AWS plugin's guided setup. These scripts basically setup the environment like setting up AWS Config, IAM roles for Servicenow user, setting up SSM Inventory, etc. These setup is required for us to securely integrate with AWS environment. 

The setup instructions for each script is described in the guided setup "AWS Setup Instructions"

Thanks Murali

This connector is creating some issues for us.

SG-AWS is creating a VM instance which is related to a Server CI (i.e. cmdb_ci_server and not Windows/Linux). And it is using the field privatednsname for setting the name of the Server CI (which as per AWS standard is ip-x-x-x-x). We have also discovered the same server CI via IP based discovery and have a separate Windows/Linux CI in the system.

So now we have a VM instance, a Server CI and a WIndows/Linux server.

As part of upcoming 2.0 release in May 2023, we will be populating in Windows/Linux server. Please see 

https://www.servicenow.com/community/cmdb-articles/sgc-aws-release-2-0-features/ta-p/2511663. 

However, in case of name, we have to be in sync with discovery product (which populates name as ip-x-x-x-x) to avoid duplicate entries. 

Thanks for the update Murali.

But why is the connector using privatednsname for populating Name of the Server CI. This will just now create a new Windows/Linux CI with name as ip-x-x-x-x. (I confirmed with our cloud team and this is how AWS populates privatednsname and there is nothing the cloud team can do)

This can be easily avoided by updating the mapping to use ec2name field which is already happening for VM instances.

@Rawel  PrivateDNS name is being used in Discovery product and some clients are using both SGC & Discovery. Having a different name will create duplicated and we have to be in sync with discovery product. If you want, you can customize in ETL to have ec2Name or resource id or any other custom name you want to define. . Hope this helps. 

Cloud Load Balancer and Cloud Gateway in picture is under Datacenter but NO relation to VPC. 

Is this correct since I think those are under VPC so there should be dependency to VPC instead datacenter or then both ? 

@Murali Reddy1 
We are finding the SG is causing a few duplicates due to naming as well.

IP Based discovery is setting correlation_id and object_id to the VM's Instance Id.  To me this appears to be a more reliable way to match the host.  Do you see any issues in that?

With a reconciliation rule we can then prevent the SG from setting ip-x-x-x-x naming for hosts that were discovered by IP.

We are actively using the AWS SG connector.  Could you add support for more of the resource types that AWS config can provide please to start to fill some of the gaps in the current discovery ?   ( e.g. Cloudfront distributions, EFS file systems, Redshift clusters, ECR repos, ACM certificates, Autoscaling groups and launch configs, Route 53 zones, SNS topics, SQS queues....  ). Thankyou.

@Murali Reddy1 regarding using the ETL to re-map the 'Name' field to use the ec2name, we've tried this on our instance, but it's only updating a small number of servers.

Is there a setting which is only detecting delta changes in the environment for recognizing the updates made in ETL? As this was the case with classifying servers into the Windows and Linux classes as found on CS6979561.

@James99 The AWS SG does run as delta, it will only get data back from AWS for EC2s that were changed since the last run.

The delta time is stored in the Last run Datetime field on the datasource

Hi @Murali Reddy1,

Thank you for your beneficial information.

From your information, SGC-AWS can deep dive discovery - for example,  Server, OS, Software, and Processes.

If I need to discover WEB and WAS CIs on EC2, does SGC-AWS support this?

Regards,

Anna

Hi @Murali Reddy1 

As a part of AWS ECS, what all services are being pulled by SG-AWS, can you share some information around it?

Regards

Bhim