Throttling Design Pattern

Also known as Rate Limiting. We place a throttle in front of the target service or process to control the rate of invocations or data flow into the target.

We can use cloud services to apply this design pattern. This is useful if we have a legacy system whose code we don’t want to change.

Each cloud vendor offers a service that does the throttling for us.

Approach

  • Reject too-frequent requests
  • Break the logic up into smaller steps (Pipes & Filters design pattern) and deploy them as higher/lower priority queues.

Note: If you have to handle long-running tasks, use a queue or batch processing.
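The approach above, as an added example that is not part of the original notes: a token-bucket throttle in front of the target rejects too-frequent requests per client (the caller would receive HTTP 429), and the accepted work is split into high/low priority queues. All class names and the sample traffic are constructed for this example.

```python
"""Added example (not from the original notes): a token-bucket throttle in
front of a target that rejects too-frequent requests per client, with the
accepted work split into high/low priority queues. All names and the sample
traffic are constructed for this example."""
import heapq
import itertools


class TokenBucket:
    """One bucket per client: `capacity` tokens of burst, refilled at
    `refill_rate` tokens per second. A request costs one token."""

    def __init__(self, capacity: float, refill_rate: float, now: float):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.tokens = capacity
        self.last = now

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above the burst capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Throttle:
    """Sits in front of the target; the target never sees rejected calls."""

    def __init__(self, capacity: float, refill_rate: float):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets = {}

    def admit(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_rate, now)
        return bucket.allow(now)


PRIORITY = {"high": 0, "low": 1}


class PriorityDispatcher:
    """Accepted work is queued by priority; a sequence number keeps FIFO
    order within the same priority."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()

    def enqueue(self, priority: str, job: str) -> None:
        heapq.heappush(self._heap, (PRIORITY[priority], next(self._seq), job))

    def drain(self) -> list:
        out = []
        while self._heap:
            out.append(heapq.heappop(self._heap)[2])
        return out


def simulate(requests, capacity: float = 3, refill_rate: float = 1.0):
    """requests: iterable of (timestamp_seconds, client, priority, job_id).
    Returns (jobs in dispatch order, rejected job ids)."""
    throttle = Throttle(capacity, refill_rate)
    dispatcher = PriorityDispatcher()
    rejected = []
    for t, client, priority, job in requests:
        if throttle.admit(client, t):
            dispatcher.enqueue(priority, job)
        else:
            rejected.append(job)  # the caller would get HTTP 429 here
    return dispatcher.drain(), rejected


# Constructed sample: client A bursts four calls at t=0 (burst limit is 3),
# retries too early at t=0.5, then again at t=1.0 after a token has refilled.
SAMPLE_REQUESTS = [
    (0.0, "A", "low", "a1"),
    (0.0, "A", "high", "a2"),
    (0.0, "A", "low", "a3"),
    (0.0, "A", "low", "a4"),
    (0.0, "B", "high", "b1"),
    (0.5, "A", "low", "a5"),
    (1.0, "A", "low", "a6"),
]

if __name__ == "__main__":
    dispatched, rejected = simulate(SAMPLE_REQUESTS)
    print("dispatched:", dispatched)  # ['a2', 'b1', 'a1', 'a3', 'a6']
    print("rejected:", rejected)      # ['a4', 'a5']
```

The per-client bucket is what keeps one noisy caller from starving the others (client B is admitted while A is being rejected), and the priority heap is the queue split the second bullet describes: high-priority jobs drain first, low-priority jobs keep their arrival order.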

Autoscaling & Throttling

They are used together, and in combination they affect the system architecture to a great extent. Think about them in the early phase of the application design.

Security

Security in the “Bring Your Enterprise on Cloud” topic is a very big job, but its implementation is not impossible. This topic is based on the related links.

The conceptual checklist for security is as follows:

Enterprise Infrastructure Security

  1. Network security
  2. Data encryption
  3. Key and secret management
  4. Identity & Access Management
  5. Duty segregation
  6. Least Privileges
  7. Zero trust
  8. Defense in depth
  9. Platform policies
  10. Vulnerability check/management
  11. Compliance Monitoring

Enterprise Application Security

  1. Database
  2. Storage
  3. Container image registry
  4. Container service
  5. Kubernetes service
  6. Serverless functions
  7. App Service
  8. Queue services
  9. Event services
  10. Cache services
  11. Load balancers
  12. CDN services
  13. VMs
  14. VM Disks

Approach

These are the topics which must be considered in the “Bring Your Enterprise on Cloud” topic. In the following links I’ll provide an exact checklist per cloud provider.

To make the job easier it’s better to go through the conceptual checklist in a layered way, as demonstrated in the sample below. This helps to do the job in an Agile way.

Layer 1: We explain how, e.g., the network should be.

Layer 2: We explain how we can have, e.g., a resilient network (we decide which platform service or third-party service or tool can realize it).

Layer 3: We explain how we can have, e.g., a highly available network (we decide which platform service or third-party service or tool can realize it).

Layer 4: We can add more layers if we need them.

Network
  • Resilient
  • Highly available

Key/Secret management
  • Resilient
  • Highly available

Identity & Access Management
  • Resilient
  • Highly available

Related links

Azure Credential Management

Use cases

To manage and safeguard the credentials. What are the credentials?

  1. Certificates
  2. Keys
    1. API Keys
    2. Encryption Keys (it’s recommended to use RSA keys to encrypt data at rest)
    3. Storage Keys
    4. Event Hub Access Keys
  3. Values
    1. DB Connection strings

The available services on Azure are as follows:

  • Key Vault
  • HSM
  • HashiCorp Vault

Key Vault

HSM

  • There are two HSM kinds (managed and dedicated), and both support FIPS (Federal Information Processing Standard) 140-2 Level 3.

For more info refer to the NIST Computer Security Resource Center.

  • Consider your organization’s data security compliance when provisioning the HSM, e.g.:
    • Soft delete retention period, e.g. 60 days
    • Purge protection enabled
    • Fully isolated private endpoint
    • Logging enabled
    • Specify the allowed region
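
The compliance bullets above, turned into a check that can run over a provisioning configuration, as an added example that is not part of the original notes. The dictionary keys, the allowed-region set and the two sample configurations are constructed for this example and are not Azure API field names; the 60-day retention threshold is the page’s own example value.

```python
"""Added example (not from the original notes): evaluate a Key Vault / HSM
provisioning configuration against the compliance checklist above.
The dictionary keys below are constructed for this example and are not
Azure API field names."""

# 60-day soft-delete retention is the page's example; the allowed regions
# are a constructed sample.
MIN_RETENTION_DAYS = 60
ALLOWED_REGIONS = {"westeurope", "northeurope"}


def check_vault_config(cfg: dict, min_retention_days: int = MIN_RETENTION_DAYS,
                       allowed_regions: set = ALLOWED_REGIONS) -> list:
    """Return a list of findings (empty when the configuration is compliant).
    Every check defaults to the unsafe value when the key is missing."""
    findings = []
    retention = cfg.get("soft_delete_retention_days", 0)
    if not cfg.get("soft_delete_enabled", False):
        findings.append("soft delete is disabled")
    elif retention < min_retention_days:
        findings.append(f"soft delete retention {retention}d is below {min_retention_days}d")
    if not cfg.get("purge_protection", False):
        findings.append("purge protection is disabled (soft-deleted keys can be purged)")
    # "Fully isolated private endpoint": no public access and a private endpoint present.
    if cfg.get("public_network_access", True) or not cfg.get("private_endpoint", False):
        findings.append("vault is not fully isolated behind a private endpoint")
    if not cfg.get("diagnostic_logging", False):
        findings.append("diagnostic logging is disabled")
    region = cfg.get("location")
    if region not in allowed_regions:
        findings.append(f"region {region!r} is not in the allowed set {sorted(allowed_regions)}")
    return findings


# Constructed sample: a weak configuration beside its hardened form.
WEAK_CONFIG = {
    "soft_delete_enabled": True,
    "soft_delete_retention_days": 7,
    "purge_protection": False,
    "public_network_access": True,
    "private_endpoint": False,
    "diagnostic_logging": False,
    "location": "westus",
}

HARDENED_CONFIG = {
    "soft_delete_enabled": True,
    "soft_delete_retention_days": 60,
    "purge_protection": True,
    "public_network_access": False,
    "private_endpoint": True,
    "diagnostic_logging": True,
    "location": "westeurope",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_vault_config(cfg)
        print(f"{name}: {'compliant' if not findings else findings}")
```

The weak configuration trips all five checks; the hardened one returns no findings. Running such a check in the deployment pipeline, before the vault is created, is cheaper than discovering a purge-able vault in an audit.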

Managed vs. Dedicated

Dedicated HSM:
  • HSM hosted in a Microsoft datacenter that is connected directly to a customer virtual network (VNet).
  • It obtains a private IP address from the VNet address space.
  • Microsoft doesn’t have any access to the HSM; the customer has full administrative access and functionality.
  • Doesn’t need a Security Domain.
  • Dedicated HSM Availability & Disaster Recovery Model

Managed HSM:
  • Security Domain (it’s the disaster recovery solution).
  • Managed HSM Availability & Disaster Recovery Model

The following features provide the availability & disaster recovery requirements:

  • Security Domain
  • Soft Delete + Retention Period
  • Purge protection
HashiCorp Vault

Bring Your Enterprise on Cloud

We cannot generalize a single migration path to the cloud for all companies and enterprises. But I have provided a checklist of topics which can help you get a good start without wasting time by starting from scratch.

Enterprise Infrastructure

1. On-Prem <-> Cloud
  1. Azure
    1. VPN
    2. ExpressRoute
  2. AWS
2. DNS
  1. Azure
    1. DNS private, public
  2. AWS
    1. Route 53 private, public
3. Network
  1. Azure
    1. VNet, Subnet, NSG, ASG, UDR
    2. Subnet Endpoint, Private Endpoint, Service Endpoint
  2. AWS
    1. VPC, Subnet, Security Group, Internet Gateway, NAT
    2. Subnet Endpoint, Service Endpoint
4. Credential management
  1. Azure
    1. Key Vault
    2. Managed or Dedicated HSM (FIPS 140-2 Level 3)
  2. AWS
    1. Secret management
    2. Certificate management
    3. CloudHSM [AWS DOC] (FIPS 140-2 Level 3)
    4. Key Management Service (KMS)
5. Backup & Restore
6. Logging & Monitoring
  1. Azure
    1. Application Insights
    2. Monitor
  2. AWS
    1. CloudWatch
7. Access Control (who has access to what)

Enterprise Application

1. Storage
  1. Azure
    1. Storage
  2. AWS
    1. S3
2. Serverless services
  1. Azure
    1. App Function
    2. Logic App
  2. AWS
    1. Lambda
3. API/APP Gallery
  1. Azure
    1. API Management
  2. AWS
    1. API Gateway

Related links

Terraform : Cloud

Create an organization and workspace in Terraform Cloud

1. Sign up/in at this URL (https://app.terraform.io/signup/account)
2. Skip all the questions
3. Create an organization
4. Create a workspace (by clicking on “create one now”)
5. Select the type of the workspace (CLI-driven workflow)
6. Give a name to the workspace.
7. Create the workspace.
8. After creating the workspace, the following page appears.
9. Set the Terraform version in Workspace > Settings > General and save the settings.
10. Change the execution mode to Local (to run Terraform commands from the workstation with local variables).
11. Pay attention: you see two settings on the page.
12. To change Plan & Billing, go to the Organization settings.

We can use remote state to avoid saving the Terraform state file locally and to keep the Terraform state safe.

Configure remote state

Related links

Clouds : Shared responsibility model

It doesn’t make a difference which cloud vendor you have chosen as the platform. All of them follow the shared responsibility model.

What does it mean?

It means the cloud provider has the security responsibility of the cloud, and the cloud customer has the security responsibility in the cloud.

Shared responsibility model documentation per vendor: Azure, AWS, GCP, IBM [Source]

What is the customer responsible for?

• Configure the access to the resources, e.g. servers
• Operating system hardening of the servers
• Ensure the disk volumes have been encrypted
• Determine the identity and access permissions of specific resources
• …

Who should take care of security?

In companies that run services/applications on the cloud, the responsible teams have to have enough knowledge about security on the cloud.

• Developers and Enterprise architects: ensure the cloud services they use are designed and deployed with security.
• DevOps and SRE teams: ensure security is introduced into the infrastructure build pipeline and the environments remain secure post-production.
• InfoSec team: secure systems.

In which step of the project does security have to be applied?

AWS : Costs and Pricing

Topics

• Key concepts
• Cost structure
• AWS Pricing
  • Paid AWS Cloud Services
  • AWS does not charge for
  • Good Cost Hygiene Practices
  • Costs In Regions
  • Key Points
  • Tips for Reducing Costs

Key concepts

Cost structure [Source]

Managing cloud spend is one of the major challenges facing experienced IT organizations today. We must be able to do the following tasks as well as possible:

• Cloud Costs
• Service Pricing
• Cost Management
• Cost Optimization and Monitoring

To do the tasks above we have the following possibilities in AWS:

• Simple Monthly Calculator – allows you to explore AWS services, model solutions, and create estimates for the cost of your use cases on AWS
• TCO Calculator – used to compare the cost of running your applications in an on-premises or colocation environment to AWS
• AWS Pricing Calculator (new; replaces the Simple Monthly Calculator)

AWS Pricing

An accurate cost estimation that meets and exceeds your organization’s budgetary goals requires you to ask important questions, interpret data, and implement AWS best practices [Source].

Term: Definition
• 11 9’s guarantee: 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects
• AWS Support: paid support plans offering AWS customers access to AWS technical experts and professional guidance
• Durability: the probability that the object will remain intact and accessible after a period of one year
• Fault Tolerance: the property that enables a system to continue operating properly in the event of the failure of (or one or more faults within) some of its components
• High Availability: refers to systems that are durable and likely to operate continuously without failure for a long time
• Memory-Optimized: the R3 instance class recommended for applications that require high memory performance
• Storage-Optimized: instances designed for workloads that require high, sequential read and write access to very large data sets on local storage. They are optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications

Paid AWS Cloud Services

• Running Compute Resources
• Storage
• Provisioned Databases
• Data Transfer

You only pay for services you use, and once you stop using them, AWS stops charging you immediately and doesn’t levy any termination fees.

AWS does not charge for

• AWS Elastic Beanstalk – rapid application deployment
• AWS CloudFormation – AWS-branded Infrastructure as Code service
• Auto Scaling – scaling EC2 instances up/down or in/out based on your application requirements
• AWS IAM – user and access management

There is no cost for uploading data into the AWS cloud, although you will pay for storage and for data transfer back out. Because of the massive scale of the AWS technology platform, there is no limit to how much data you can upload.

Good Cost Hygiene Practices

• Establish a naming convention for servers and databases
• Use tags to track costs by:
  • Group
  • Lifecycle
  • Person
  • Application
• Create IT governance rules
• Set billing alarms

Costs In Regions

Term: Definition
• Availability Zones: a logical data center in an AWS region with redundant and separate power, networking and connectivity, reducing the likelihood of two zones failing simultaneously
• AWS CloudFront: fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency
• AWS Local Zones: a type of AWS infrastructure deployment that places AWS compute, storage, database, and other select services closer to large population, industry, and IT centers where no AWS Region exists today
• AWS Regions: a geographical location with a collection of availability zones physically isolated from and independent of every other region
• Edge Location: a physical site that CloudFront uses to cache copies of your content for faster delivery to users at any location
• Points of Presence: AWS Edge Locations and Regional Edge Caches used for both AWS CloudFront and Lambda@Edge to deliver content to end users at high speeds
• VPC Peering: a networking connection between two AWS VPCs that allows you to route traffic between them using private IP addresses
• VPC Sharing: allows you to share subnets with other AWS accounts in your organization

Key Points

• AWS costs depend on the region
• Costs vary due to:
  • local regulations
  • cost of doing business
  • competition
• The least costly region is US East 1 in N. Virginia

Tips for Reducing Costs

• Use AWS CloudFront to cache data close to end users
• Avoid inter-region data transfer costs
• Peering via AWS Transit Gateway for VPCs reduces costs

US East 1 (N. Virginia) [Source]
