AWS Marketplace Billing
Deploy SUSE® Security from AWS Marketplace Pay-As-You-Go Listing
SUSE® Security Prime supports monthly billing through your AWS account in a Pay-As-You-Go (PAYG) billing subscription for SUSE support of SUSE® Security.
Usage is billed monthly based on the average number of nodes protected by SUSE® Security during the month. Please see the SUSE® Security marketplace listing for your region for specific pricing tiers and other information.
AWS Private Offers are available for SUSE® Security for special pricing situations in lieu of standard PAYG pricing.
Supported Configurations
The marketplace PAYG listing supports deployment on supported target environments only. As of the July release, only EKS is supported for the billing adapter (see the options below for other environments such as Rancher, Kubernetes, OpenShift etc). Each cluster can report its usage (nodes) independently, or an aggregated node count for a multi-cluster deployment can be reported. An aggregated, multi-cluster deployment can take advantage of the volume discount tiers offered by pooling all nodes across clusters into a single usage billing calculation.
All clusters in PAYG billing (single, primary, remotes) must be running SUSE® Security version 5.2.0 or later.
Single Cluster Usage Billing
Each cluster onto which you have deployed the PAYG billing adapter through the marketplace will report usage information for your AWS account.
Multi-cluster Usage Billing
To be able to aggregate the node counts from multiple clusters in order to take advantage of volume discounts, the clusters must have been configured for Multi-cluster federation as described in the SUSE® Security docs. SUSE® Security on the Primary cluster MUST have been deployed through the AWS Marketplace, with the billing adapter installed in the primary cluster, in order to be able to report the primary and all downstream remote cluster node counts. Do not deploy SUSE® Security through the marketplace on downstream remote clusters. Use standard deployment methods (Helm, Operator, kubectl etc) described in the SUSE® Security docs on remote clusters.
Enabling PAYG SUSE® Security Prime Billing for Existing SUSE® Security Clusters
There are several options to enable SUSE® Security Prime billing on existing SUSE® Security clusters.
- Option 1: The existing cluster must be on a supported PAYG platform. Back up the SUSE® Security configuration of the existing cluster, remove the SUSE® Security deployment, then deploy SUSE® Security through the AWS marketplace. After successful deployment, import the backup configuration. Note: It is recommended that the existing cluster be running SUSE® Security version 5.2.0 or later before the backup and removal. For Helm based deployments, this is a sample Helm upgrade command (replacing account ID, IAM role name, previous helm version values file etc):
helm upgrade -n neuvector neuvector oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/suse/neuvector-csp-billing-adapter-llc/core --version 2.4.30002023052201 --create-namespace \
--set awsbilling.accountNumber=$AWS_ACCT_ID,awsbilling.roleName=$IAM_ROLE_NAME \
--set awsbilling.enabled=true,containerd.enabled=true -f values-x.y.z.yaml
- Option 2: Add the existing cluster as a federated remote cluster to an (existing or newly deployed) primary cluster which already has PAYG billing deployed on it. In this case, the existing cluster can be on any platform supported by SUSE® Security.
Enabling PAYG SUSE® Security Prime Billing for Rancher, OpenShift, Tanzu, or other SUSE® Security supported clusters
Although PAYG billing deployment is supported on a limited set of AWS platforms (only EKS at initial July release), billing for other supported SUSE® Security platforms can be accomplished using the multi-cluster federation configuration. As long as the primary cluster has the PAYG billing deployment of SUSE® Security, downstream clusters can be any supported SUSE® Security clusters such as Rancher, Kubernetes, OpenShift, or Tanzu. Downstream clusters can even be on-premises or on other clouds, as long as the remote cluster can be federated to the primary (with appropriate network access).
For Rancher managed downstream clusters with SSO to SUSE® Security, these clusters can be federated to a non-Rancher primary cluster which is deployed through the AWS marketplace in order to benefit from consolidated multi-cluster billing.
Deploying SUSE® Security Prime through the AWS Marketplace
A special billing interface is required to enable PAYG billing to your AWS account. This must be deployed together with SUSE® Security, from the AWS Marketplace listing for SUSE® Security. To deploy the billing adapter and SUSE® Security, see the Usage instructions for your region in the marketplace listing above.
The helm install command uses defaults in the values.yaml file. Important defaults to check are the manager service type (LoadBalancer) and container run-time (containerd - which is the typical default for EKS clusters). The default admin username is disabled, and users are required to set a username and password through a secret prior to deployment.
Setting the Admin Username and Password
It is required to set the admin username and password as a Kubernetes secret prior to deployment.
kubectl create secret generic neuvector-init --from-file=userinitcfg.yaml -n neuvector
The above step is mandatory, otherwise an admin user will not be created upon SUSE® Security deployment, making the SUSE® Security deployment unmanageable.
Sample userinitcfg.yaml content:
users:
- Fullname: admin
  Password: (ValidPassword)
  Role: admin
# 8 character(s) minimum,1 uppercase character(s),1 lowercase character(s), 1 number(s).
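One way to prepare this file without a policy failure or a world-readable cleartext password, shown as an added example that is not part of the SUSE documentation. The function names are hypothetical; the YAML fields and the password policy are the ones in the sample above.

```shell
#!/bin/sh
# Added example (not from the SUSE docs): build userinitcfg.yaml safely.
# Function names are hypothetical; the YAML fields are the page's sample.

# Return 0 only if the password satisfies the policy quoted in the sample:
# 8 characters minimum, 1 uppercase, 1 lowercase, 1 number.
password_meets_policy() {
    candidate=$1
    [ "${#candidate}" -ge 8 ] || return 1
    case $candidate in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $candidate in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $candidate in *[[:digit:]]*) ;; *) return 1 ;; esac
    return 0
}

# Write the init file to $1 with password $2, readable by the owner only.
write_userinitcfg() {
    outfile=$1
    secret=$2
    if ! password_meets_policy "$secret"; then
        echo "password does not meet the documented policy" >&2
        return 1
    fi
    # YAML single-quoted scalar: the only escape is doubling a single quote.
    escaped=$(printf '%s' "$secret" | sed "s/'/''/g")
    rm -f "$outfile"
    (
        umask 077   # new file is created with mode 0600
        printf "users:\n- Fullname: admin\n  Password: '%s'\n  Role: admin\n" \
            "$escaped" > "$outfile"
    )
}

# Usage, followed by the page's own command (the neuvector namespace must exist):
#   write_userinitcfg userinitcfg.yaml "$ADMIN_PASSWORD"
#   kubectl create secret generic neuvector-init --from-file=userinitcfg.yaml -n neuvector
#   rm -f userinitcfg.yaml   # do not leave the cleartext password on disk
```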
Sample helm install command:
helm install -n neuvector neuvector --create-namespace \
oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/suse/neuvector-csp-billing-adapter-llc/core --version 2.6.1 \
--set awsbilling.accountNumber=$AWS_ACCOUNT_ID \
--set awsbilling.roleName=$ROLE_NAME \
--set manager.svc.type=LoadBalancer
See the Usage instructions on the AWS marketplace listing for detailed SUSE® Security instructions.
Console Login through Load Balancer
If the manager service type was set to LoadBalancer during install, an external IP (URL) has been assigned for logging into the SUSE® Security console. Typically, this URL is accessible from the internet, but your organization may have placed additional restrictions on external access to your cluster. To see the load balancer, type:
kubectl get svc -n neuvector neuvector-service-webui
To get the full login URL, type:
SERVICE_IP=$(kubectl get svc --namespace neuvector neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
echo https://$SERVICE_IP:8443
And you will see something like:
https://a2647ecdxx33498948a70eea84c5-18386345695.us-west-2.elb.amazonaws.com:8443
This is how you can access the SUSE® Security console from your browser on the default port 8443.
Once logged in, you can begin to navigate and configure SUSE® Security.
The SUSE® Security scanner image is updated daily with a new CVE database on the SUSE® Security docker hub registry. It is recommended that the image path be changed to allow for automated daily updates by modifying the scanner and updater image paths AFTER successful initial deployment. For example:
Obtaining Support
Once PAYG billing is enabled for a cluster or multiple clusters, customers are eligible for support through the SUSE Support Center (SCC) service. This is a web-based service for creating, viewing, and managing support requests. The actual link for submitting your support bundle as described below can be found here.
The SCC portal will require you to upload a Support Configuration bundle in order to verify your eligibility as well as provide cluster information required to start investigations. To download the support config, please go to Settings → Configuration at the bottom of the page for the cluster in question. For multi-cluster configurations, only the Primary cluster’s support config is required, even if the support inquiry is for a downstream remote cluster. If you do not have access to the Primary cluster, the remote cluster’s support config is acceptable.
Upgrading a SUSE® Security PAYG Cluster
The AWS marketplace PAYG listing helm chart is tied to a specific billing adapter AND SUSE® Security version. These are updated periodically as new versions of the billing adapter or SUSE® Security are released. To update the SUSE® Security version to the latest version supported by the marketplace listing, use the Helm update command as normal. To update the SUSE® Security version to a more recent version than is specified in the marketplace listing, manually change the helm values for the images (registry, paths, version tags) to point to the desired version (e.g. docker.io, neuvector/controller:5.2.5).