Attendees will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers, including Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS). We also discuss best practices for the security of your container images such as scanning them for known vulnerabilities.
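The abstract above ends with scanning container images for known vulnerabilities as part of image best practice. The block below is an added example, not code from the original deck: a pipeline gate that reads the JSON document returned by `aws ecr describe-image-scan-findings` (the `imageScanStatus` block plus `imageScanFindings` with its `findings` list and `findingSeverityCounts`) and decides whether a build may promote the image. `SAMPLE_SCAN`, `REFERENCE_NOW` and the `CVE-0000-*` names are constructed placeholders, not real scan output or real identifiers.

```python
"""Pipeline gate on Amazon ECR image-scan results (added example, not from the deck).

Consumes the JSON that `aws ecr describe-image-scan-findings` returns and
decides whether a build may promote the image. SAMPLE_SCAN is constructed
for the example; its CVE-0000-* names are placeholders, not real identifiers.
"""
from datetime import datetime, timedelta

SEVERITY_ORDER = ["UNDEFINED", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
REFERENCE_NOW = "2019-05-20T00:00:00+00:00"  # fixed "current time" so the example is deterministic

SAMPLE_SCAN = {  # constructed; layout follows describe-image-scan-findings
    "imageId": {"imageDigest": "sha256:" + "0" * 64, "imageTag": "1.2.3"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "imageScanCompletedAt": "2019-05-19T10:00:00+00:00",
        "findingSeverityCounts": {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 2},
        "findings": [
            {"name": "CVE-0000-0001", "severity": "CRITICAL", "uri": "https://example.invalid/CVE-0000-0001",
             "attributes": [{"key": "package_name", "value": "openssl"},
                            {"key": "package_version", "value": "1.0.0"}]},
            {"name": "CVE-0000-0002", "severity": "HIGH", "uri": "https://example.invalid/CVE-0000-0002",
             "attributes": [{"key": "package_name", "value": "libc6"},
                            {"key": "package_version", "value": "2.0"}]},
            {"name": "CVE-0000-0003", "severity": "MEDIUM", "uri": "https://example.invalid/CVE-0000-0003",
             "attributes": [{"key": "package_name", "value": "curl"},
                            {"key": "package_version", "value": "7.0"}]},
            {"name": "CVE-0000-0004", "severity": "MEDIUM", "uri": "https://example.invalid/CVE-0000-0004",
             "attributes": [{"key": "package_name", "value": "zlib"},
                            {"key": "package_version", "value": "1.0"}]},
        ],
    },
}


def _parse(ts):
    """Accept either a datetime or an ISO-8601 string (as the API emits)."""
    return ts if isinstance(ts, datetime) else datetime.fromisoformat(ts)


def _at_least(severity, threshold):
    return SEVERITY_ORDER.index(severity.upper()) >= SEVERITY_ORDER.index(threshold.upper())


def _package(finding):
    attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
    return f"{attrs.get('package_name', '?')}@{attrs.get('package_version', '?')}"


def evaluate_scan(scan, threshold="HIGH", allowlist=None, max_age_days=7, now=REFERENCE_NOW):
    """Return (passed, reasons).

    Fails closed: a scan that is missing, not COMPLETE (IN_PROGRESS, FAILED,
    UNSUPPORTED_IMAGE) or older than max_age_days blocks the promotion, because
    "no findings" then means "not looked at", not "clean". `allowlist` maps a
    finding name to an ISO-8601 expiry so that every waiver is time-boxed.
    """
    now = _parse(now)
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status!r}, not COMPLETE: refusing to promote an unscanned image"]
    results = scan.get("imageScanFindings", {})
    completed = _parse(results["imageScanCompletedAt"])
    if now - completed > timedelta(days=max_age_days):
        return False, [f"scan completed {completed.date()} is older than {max_age_days} days: rescan first"]
    reasons = []
    for f in results.get("findings", []):
        if not _at_least(f.get("severity", "UNDEFINED"), threshold):
            continue
        waiver = (allowlist or {}).get(f["name"])
        if waiver and _parse(waiver) > now:
            continue  # accepted risk, still within its expiry date
        reasons.append(f"{f['severity']} {f['name']} in {_package(f)}")
    return (not reasons), reasons


if __name__ == "__main__":
    passed, why = evaluate_scan(SAMPLE_SCAN)
    print("PASS" if passed else "FAIL", why)
```

In a real pipeline the `scan` argument is the parsed output of `aws ecr describe-image-scan-findings --repository-name ... --image-id imageDigest=...`; the gate is deliberately keyed on the digest, not the tag, so the image that was scanned is the image that gets deployed.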
Building Cloud-Native App Series - Part 11 of 11
Microservices Architecture Series
Service Mesh - Observability
- Zipkin
- Prometheus
- Grafana
- Kiali
Docker containers have become a key component of modern application design. Increasingly, developers are breaking their applications apart into smaller components and distributing them across a pool of compute resources.
In deploying apps that have been containerized, you have a lot to think about regarding what to use in production. There are a lot of things to manage, so orchestrators become a huge help, providing many services together such as scheduling, container communication, scaling, health checking, and more. There are major platforms to consider, from Kubernetes and Swarm to ECS. In this talk we'll go through an overview of orchestrators and some of the differences between the big players. You should come out of the talk knowing where to go next in determining your orchestrator needs.
While many organizations have started to automate their software development processes, many still engineer their infrastructure largely by hand. Treating your infrastructure just like any other piece of code creates a “programmable infrastructure” that allows you to take full advantage of the scalability and reliability of the AWS cloud. This session will walk through practical examples of how AWS customers have merged infrastructure configuration with application code to create application-specific infrastructure and a truly unified development lifecycle. You will learn how AWS customers have leveraged tools like CloudFormation, orchestration engines, and source control systems to enable their applications to take full advantage of the scalability and reliability of the AWS cloud, create self-reliant applications, and easily recover when things go seriously wrong with their infrastructure.
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018 (Amazon Web Services)
In this session, we discuss best practices for securing your Kubernetes deployments on AWS. We cover how to use AWS IAM with Kubernetes role-based access control (RBAC) for new or existing Kubernetes deployments, and we dive deep into how Amazon EKS implements secure cluster configuration by default.
What Is Kubernetes | Kubernetes Introduction | Kubernetes Tutorial For Beginn... (Edureka!)
***** Kubernetes Certification Training: https://www.edureka.co/kubernetes-certification *****
This Edureka tutorial on "What is Kubernetes" will give you an introduction to one of the most popular DevOps tools on the market, Kubernetes, and its importance in today's IT processes. This tutorial is ideal for beginners who want to get started with Kubernetes & DevOps. The following topics are covered in this training session:
1. Need for Kubernetes
2. What is Kubernetes and What it's not
3. How does Kubernetes work?
4. Use-Case: Kubernetes @ Pokemon Go
5. Hands-on: Deployment with Kubernetes
DevOps Tutorial Blog Series: https://goo.gl/P0zAfF
- Archeology: before and without Kubernetes
- Deployment: kube-up, DCOS, GKE
- Core Architecture: the apiserver, the kubelet and the scheduler
- Compute Model: the pod, the service and the controller
Unique course notes for the Certified Kubernetes Administrator (CKA) for each section of the exam. Designed to be engaging and used as a reference in the future for kubernetes concepts.
Amazon EC2 Container Service is a new AWS service that makes it easy to run and manage Docker-enabled applications across a cluster of Amazon EC2 instances. Amazon EC2 Container Service lets you define, schedule, and stop sets of containers. You have access to the state of your resources, making it easy to confirm that tasks are running or view the utilization of Amazon EC2 instances in your cluster. This session will describe the benefits of containers, introduce the Amazon EC2 Container Service, and demonstrate how to use Amazon EC2 Container Service for your applications.
Speakers:
Ian Massingham, AWS Technical Evangelist and
Boyan Dimitrov, Platform Automation Lead, Hailo Cabs
Kubernetes for Beginners: An Introductory Guide (Bytemark)
An introduction to Kubernetes for beginners. Includes the definition, architecture, benefits and misconceptions of Kubernetes. Written in plain English, ideal for both developers and non-developers who are new to Kubernetes.
Find out more about Kubernetes at Bytemark here: https://www.bytemark.co.uk/managed-kubernetes/
How to test infrastructure code: automated testing for Terraform, Kubernetes,... (Yevgeniy Brikman)
This talk is a step-by-step, live-coding class on how to write automated tests for infrastructure code, including the code you write for use with tools such as Terraform, Kubernetes, Docker, and Packer. Topics covered include unit tests, integration tests, end-to-end tests, test parallelism, retries, error handling, static analysis, and more.
In this session customers will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers. We will also show you how to scan container images for vulnerabilities as part of your CI/CD pipeline.
Speaker: Marcus Santos, Solutions Architect, AWS
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft... (Amazon Web Services)
Using Terraform to automate your infrastructure on AWS. What is Terraform and how is it different from Ansible. How to control cloud deployments using Terraform.
Building Cloud-Native App Series - Part 7 of 11
Microservices Architecture Series
Containers Docker Kind Kubernetes Istio
- Pods
- ReplicaSet
- Deployment (Canary, Blue-Green)
- Ingress
- Service
[AWS Dev Day] App Modernization | Key Kubernetes hands-on examples for becoming a DevOps developer - 정영준, AWS Solutions Archi... (Amazon Web Services Korea)
What is the easiest way to deploy applications on Kubernetes? How should you debug and log the pods of a complex deployed application? And how should you build and deploy an application designed with the cloud-native architecture everyone is talking about these days? We look at how Samsung Electronics' Mobile Communications Business deployed Samsung Health on EKS and see how these problems were solved. We also help you easily understand Kubernetes application deployment, which may have seemed complicated, and cloud-native architecture best practices, through examples of deploying and managing applications on EKS.
Originally created for the session titled "Securing Containerized Workloads on ECS" @ the August Monthly Meetup of AWS User Group - Colombo [31/08/2023]
Community Builder session on Amazon EKS and how to enforce security controls on top of it. This deep dive covers the core differences from the EC2 security model as well as the native integration with other AWS security services.
Introduction to Containers - AWS Startup Day Johannesburg.pdf (Amazon Web Services)
In this session, we cover all the options for running containers on AWS. This will include an intro of container concepts, and an overview to different services like ECS, EKS, ECR and Fargate. We cover topics like: how to choose the right orchestration platform for your workload, some different tools that are out there to make the process easier, and how to find more information and support as you work.
Max Körbächer - AWS EKS and beyond: master your Kubernetes deployment on AWS -... (Codemotion)
Kubernetes (K8s) is on everyone’s lips, but it is easy to run into pitfalls while building a K8s cluster. In this talk we give you an introduction to AWS EKS (Elastic Container Service for Kubernetes), the managed service for deploying and operating Kubernetes on AWS resources, and show how you can reach production readiness. This seamless integration of K8s into the AWS environment allows rapid application development based on the architectural concepts of microservice and serverless architecture.
Building a Kubernetes App with Amazon EKS (DevOps.com)
Interested in learning how to set up a Kubernetes cluster and use automation to test and deploy an app?
During this presentation, Laura Frank will take a deep dive into CI/CD best practices with Kubernetes and Amazon EKS. You will be introduced to Amazon EKS, Amazon’s Kubernetes service, and CloudBees CodeShip, a flexible continuous integration (CI)/continuous delivery (CD) tool that runs your builds in the cloud. Designed with developers in mind, EKS and CodeShip used together reduce the complexity of running an app with Kubernetes.
Attend this webinar to learn:
- An overview of Amazon EKS
- How to set up your own CI/CD pipeline
- How to leverage CI/CD best practices with Kubernetes
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F... (Davide Benvegnù)
[SLIDES FROM MICROSOFT ONLINE TECH FORUM SESSION]
Kubernetes is the open source container orchestration system that supercharges applications with scaling and reliability and unlocks advanced features, like A/B testing, Blue/Green deployments, canary builds, and dead-simple rollbacks.
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS).
You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
AWS is architected to be one of the most flexible and secure cloud computing environments available today. It provides an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely. When using AWS, not only are infrastructure headaches removed, but so are many of the security issues that come with them.
Amazon EKS Architecture in detail including CNI/Networking, IAM, Provisioning, Shared Responsibility Model, Project Calico, Load Balancing, Logging/Metrics, CI/CD using AWS CodePipeline, CodeCommit, CodeBuild, Lambda, Amazon ECR and Parameter Store and finally the use of Spot Instances which could yield a savings of 70-90% versus conventional on-demand EC2 instances.
The presentation was given on 11/12/2018 on CloudExpo NY. The presentation talks about software portability approaches and technologies on Kubernetes, microservices, service mesh, and serverless platforms
AWS Webcast - Best Practices in Architecting for the Cloud (Amazon Web Services)
Join us to get a better understanding around architecting scalable, reliable applications for the cloud. You'll learn about monitoring, alarming, automatic scaling, load balancing, replication, and more, direct from AWS Senior Evangelist Jeff Barr.
Modernizing applications with Amazon EKS - MAD304 - Santa Clara AWS Summit.pdf (Amazon Web Services)
In this session, learn how to easily containerize and migrate existing applications to Amazon Elastic Container Service for Kubernetes (Amazon EKS) without needing to refactor your code or tooling. Amazon EKS makes it easy to deploy, manage, and scale containerized applications using Kubernetes on AWS.
Weaveworks at AWS re:Invent 2016: Operations Management with Amazon ECS (Weaveworks)
Alfonso described how Weave open source projects (Weave Net and Weave Scope) can help with networking, visualization, and control for ECS. Specifically, Weave acts as a key communicator for networking containers with its multi-host overlay and additional features (including automatic DNS service discovery and multicast).
How to build Forecasting services using ML and deep learning algorithms... (Amazon Web Services)
Forecasting is an important process for a great many companies and is used in many fields to try to accurately predict the growth and distribution of a product, the resources needed on production lines, financial presentations and much more. Amazon uses advanced forecasting techniques, and some of these services have been made available to all AWS customers.
In this session we show how to pre-process data that contains a time component and then use an algorithm that, starting from the type of data analysed, produces an accurate forecast.
Big Data for Startups: how to build Big Data applications in Serverless mode... (Amazon Web Services)
The variety and quantity of data created every day is growing ever faster and represents a unique opportunity to innovate and create new startups.
However, managing large amounts of data can seem complex: building large-scale Big Data clusters looks like an investment accessible only to established companies. But the elasticity of the Cloud and, in particular, Serverless services let us break these limits.
So let us see how it is possible to develop Big Data applications quickly, without worrying about infrastructure, dedicating all our resources to developing our ideas and creating innovative products.
You can now use Amazon Elastic Kubernetes Service (EKS) to run Kubernetes pods on AWS Fargate, the serverless compute engine built for containers on AWS. This makes it easier than ever to build and run your Kubernetes applications in the AWS cloud. In this session we present the main features of the service and show how to deploy your application in a few steps.
Twenty years ago Amazon went through a radical transformation with the goal of increasing the pace of innovation. Over this period we learned how changing our approach to application development allowed us to greatly increase agility and release velocity and, ultimately, to build more reliable and scalable applications. In this session we explain how we define modern applications and how building modern apps affects not only the application architecture but also the organisational structure, the development release pipelines and even the operating model. We also describe common approaches to modernisation, including the approach used by Amazon.com itself.
How to spend up to 90% less with containers and spot instances (Amazon Web Services)
The use of containers keeps growing.
If properly designed, container-based applications are very often stateless and flexible.
The AWS services ECS, EKS and Kubernetes on EC2 can take advantage of Spot Instances, leading to an average saving of 70% compared to On-Demand instances. In this session we find out what the characteristics of Spot Instances are and how they can be used easily on AWS. We also learn how Spreaker uses spot instances to run applications of different kinds, in production, at a fraction of the on-demand cost!
In recent months, many customers have been asking us the question – how to monetise Open APIs, simplify Fintech integrations and accelerate adoption of various Open Banking business models. Therefore, AWS and FinConecta would like to invite you to Open Finance marketplace presentation on October 20th.
Event Agenda :
Open banking so far (short recap)
• PSD2, OB UK, OB Australia, OB LATAM, OB Israel
Intro to Open Finance marketplace
• Scope
• Features
• Tech overview and Demo
The role of the Cloud
The Future of APIs
• Complying with regulation
• Monetizing data / APIs
• Business models
• Time to market
One platform for all: a Strategic approach
Q&A
Make your startup's offering unique on the market with Machine Learning services... (Amazon Web Services)
To create value and build a differentiated, recognisable offering of their own, successful startups know how to combine established technologies with innovative components built ad hoc.
AWS provides ready-to-use services and, at the same time, lets you customise and build the differentiating elements of your own offering.
Focusing on Machine Learning technologies, we will see how to select the artificial intelligence services offered by AWS and, also through a demo, how to build custom Machine Learning models using SageMaker Studio.
OpsWorks Configuration Management: automate the management and deployment of... (Amazon Web Services)
With the traditional approach to IT, for many years it was difficult to implement DevOps techniques, which until now have often involved manual activities, occasionally leading to application downtime that interrupts users' work. With the advent of the cloud, DevOps techniques are now within everyone's reach at low cost for any kind of workload, guaranteeing greater system reliability and resulting in significant improvements in business continuity.
AWS provides AWS OpsWorks as a Configuration Management tool that aims to automate and simplify the management and deployment of EC2 instances by means of Chef and Puppet workloads.
Discover how to use AWS OpsWorks to guarantee the reliability of your application installed on EC2 instances.
Microsoft Active Directory on AWS to support your Windows Workloads (Amazon Web Services)
Want to know the options for running Microsoft Active Directory on AWS? When moving Microsoft workloads to AWS, it is important to consider how to deploy Microsoft Active Directory to support group policy management, authentication and authorisation. In this session we discuss the options for deploying Microsoft Active Directory on AWS, including AWS Directory Service for Microsoft Active Directory and deploying Active Directory on Windows on Amazon Elastic Compute Cloud (Amazon EC2). We cover topics such as integrating your on-premises Microsoft Active Directory environment into the cloud and using SaaS applications, such as Office 365, with AWS Single Sign-On.
From facial recognition to the detection of fraud or manufacturing defects, image and video analysis techniques that exploit artificial intelligence are evolving and being refined at a rapid pace. In this webinar we explore the possibilities offered by AWS services for applying state-of-the-art computer vision techniques to real-world scenarios.
Amazon Web Services and VMware are organising a free virtual event on Wednesday 14 October from 12:00 to 13:00 dedicated to VMware Cloud™ on AWS, the on-demand service that lets you run applications in cloud environments based on VMware vSphere® and access a wide range of AWS services, taking full advantage of the AWS cloud while protecting existing VMware investments.
Build your first serverless ledger-based app with QLDB and NodeJS (Amazon Web Services)
Many companies today build applications with ledger-type functionality, for example to verify the history of credits and debits in banking transactions, or to track the supply-chain flow of their products.
At the heart of these solutions are ledger databases, which provide a transparent, immutable and cryptographically verifiable transaction log, but they are complex and costly tools to manage.
Amazon QLDB removes the need to build custom, complex systems by providing a fully managed serverless ledger database.
In this session we find out how to build a complete serverless application that uses the capabilities of QLDB.
With the rise of microservice architectures and rich mobile and web applications, APIs are more important than ever for giving end users an excellent user experience. In this session we learn how to tackle modern API design challenges with GraphQL, an open source API query language used by Facebook, Amazon and others, and how to use AWS AppSync, a managed serverless GraphQL service on AWS. We go through several scenarios, understanding how AppSync can help solve these use cases by building modern APIs with real-time and offline data update capabilities.
We also learn how Sky Italia uses AWS AppSync to deliver real-time sports updates to users of its web portal.
Oracle Databases and VMware Cloud™ on AWS: the myths to dispel (Amazon Web Services)
Many organisations take advantage of the cloud by migrating their Oracle workloads, securing significant benefits in agility and cost efficiency.
Migrating these workloads can create complexity during application modernisation and refactoring, on top of which come performance risks that may be introduced when moving applications out of on-premises data centres.
In these slides, AWS and VMware experts present simple, practical tips to ease and simplify the migration of Oracle workloads while accelerating the transformation to the cloud; they explore the architecture and demonstrate how to take full advantage of VMware Cloud™ on AWS.
Amazon Elastic Container Service (Amazon ECS) is a highly scalable container management service that simplifies the management of Docker containers through an orchestration layer that controls deployment and the related lifecycle. In this session we present the main features of the service, reference architectures for different workloads and the simple steps needed to quickly migrate one or more of your containers.
2. Agenda
• Introduction
• A (brief) refresher on security in AWS
• Security considerations of ECS (EC2 and Fargate) and EKS
• Container image best practice and scanning approaches
• Conclusion
3. Challenges of Containers at Scale
• More transient / dynamic
• More distributed and complex
  • More services interdependent over the network
  • Scheduling / scaling / resource management
• Less isolated
  • Share a kernel
  • Often share a network and (in the case of EKS) a network interface
All these new challenges have solutions / mitigations.
4. We Give You The Power to Choose:
1. Choose your orchestration tool: ECS or EKS
2. Choose your launch type: EC2 or Fargate (Fargate for EKS: coming soon!)
6. Shared Responsibility Model
AWS: responsible for security “of” the cloud
• Compute, Storage, Database, Networking
• Regions, Availability Zones, Edge Locations
Customer: responsible for security “in” the cloud
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network and Firewall Configuration
7. Shared Responsibility Model (same slide, repeated)
9. Shared Responsibility Model (same slide, repeated)
10. IAM = Who can do what in the platform/cluster?
• People
• Code / Pipelines
11. Invest in end-to-end automation via pipelines
• AWS Infrastructure-as-Code
• Code & container builds
• Security (DevSecOps)
• Deployments
Make it fast and easy for your team to do the right thing!
12. Why DevSecOps via pipelines?
Because if you don’t make it fast and easy to do the right thing, then people will often just go around the rules/restrictions to get their work done!
14. EKS: IAM Authentication + kubectl
1. kubectl passes the caller's AWS identity to the Kubernetes API.
2. The Kubernetes API verifies the AWS identity against AWS IAM (authentication).
3. The AWS identity is authorized against Kubernetes RBAC.
4. The Kubernetes action is allowed or denied.
15. Kubernetes RBAC built-in ClusterRoles
Default ClusterRole and description:
• cluster-admin: Allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the RoleBinding's namespace, including the namespace itself.
• admin: Allows admin access, intended to be granted within a namespace using a RoleBinding. If used in a RoleBinding, allows read/write access to most resources in a namespace, including the ability to create roles and rolebindings within the namespace. It does not allow write access to resource quota or to the namespace itself.
• edit: Allows read/write access to most objects in a namespace. It does not allow viewing or modifying roles or rolebindings.
• view: Allows read-only access to see most objects in a namespace. It does not allow viewing roles or rolebindings. It does not allow viewing secrets, since those are escalating.
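A model of the two steps above (IAM authentication, then Kubernetes RBAC authorization), added here as an example and not taken from the slides. The mapRoles entries, bindings, role ARNs and account ID are constructed sample data, and the built-in ClusterRoles are simplified from the table above.

```python
# Added example, not from the slides: a model of the two steps in the diagram above.
# Authentication: the IAM identity that kubectl presents is mapped to a Kubernetes
# username and groups, as the aws-auth ConfigMap's mapRoles entries do in EKS.
# Authorization: Kubernetes RBAC checks those groups against bindings to the
# built-in ClusterRoles, modelled from the table above (simplified, constructed data).
READ = {"get", "list", "watch"}
WRITE = {"create", "update", "patch", "delete"}

def builtin_role_allows(role, verb, resource):
    """What each built-in ClusterRole grants, per the table above (simplified)."""
    if role == "cluster-admin":
        return True
    if role == "admin":  # read/write, but no writes to the namespace itself or its quota
        return verb in READ or (verb in WRITE and resource not in {"namespaces", "resourcequotas"})
    if role == "edit":   # read/write, but cannot view or modify roles/rolebindings
        return verb in (READ | WRITE) and resource not in {"roles", "rolebindings"}
    if role == "view":   # read-only; no roles/rolebindings, no secrets (escalating)
        return verb in READ and resource not in {"roles", "rolebindings", "secrets"}
    return False

def authenticate(role_arn, session_name, map_roles):
    """aws-auth style mapping of an assumed IAM role to (username, groups); the
    {{SessionName}} placeholder is filled from the STS session name."""
    for entry in map_roles:
        if entry["rolearn"] == role_arn:
            return entry["username"].replace("{{SessionName}}", session_name), list(entry["groups"])
    return None, []  # an IAM identity that is not mapped is not a cluster user at all

def authorize(groups, bindings, verb, resource, namespace):
    """RBAC is deny-by-default: allow only if a binding for one of the user's groups,
    cluster-wide (namespace None) or in this namespace, grants the verb on the resource."""
    for b in bindings:
        if b["group"] in groups and b["namespace"] in (None, namespace):
            if builtin_role_allows(b["role"], verb, resource):
                return True
    return False
MAP_ROLES = [  # constructed: two mapRoles entries as they would appear in aws-auth
    {"rolearn": "arn:aws:iam::111122223333:role/eks-developers",
     "username": "dev:{{SessionName}}", "groups": ["developers"]},
    {"rolearn": "arn:aws:iam::111122223333:role/eks-admins",
     "username": "admin:{{SessionName}}", "groups": ["cluster-admins"]},
]
BINDINGS = [  # constructed: a RoleBinding in team-a plus one ClusterRoleBinding
    {"group": "developers", "role": "edit", "namespace": "team-a"},
    {"group": "cluster-admins", "role": "cluster-admin", "namespace": None},
]
def can(role_arn, session_name, verb, resource, namespace):
    """End to end: authenticate the IAM identity, then authorize the action via RBAC."""
    user, groups = authenticate(role_arn, session_name, MAP_ROLES)
    return user is not None and authorize(groups, BINDINGS, verb, resource, namespace)
```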
17. AWS IAM Role per Task / Pod?
Assigning an IAM Role to an ECS Task is an included feature in the AWS Platform and ‘just works’.
If running Kubernetes then you need to add either kube2iam or kiam to leverage this functionality.
Assigning an IAM role to an Instance/Task/Function means the right AWS access key and secret to call the AWS CLI/SDK are transparently obtained and rotated.
18. AWS Container Roadmap on GitHub
Captured 19/5/2019
https://github.com/aws/containers-roadmap
19. Shared Responsibility Model
20. Logging and Auditing the Control Plane
ECS is part of the AWS platform and the control plane logs go to CloudTrail just like the rest of the platform.
Kubernetes’ control plane logs include an audit trail. With EKS these logs are not exposed by default but you can (and should) enable sending them to CloudWatch Logs.
Logging of the control plane, especially around an audit trail of API actions, is an important aspect of security.
21. Shared Responsibility Model
22. AWS Security Groups vs. Kube Network Policies
If using ECS then that is an extension of the AWS platform and you only need to understand and configure AWS VPC and Security Groups.
If running Kubernetes yourself or EKS then you need to understand and configure BOTH AWS VPCs / Security Groups as well as Kubernetes Network Policies.
23. Networking with ECS
[Diagram: Default/Root network namespace with lo and eth0; Task network namespace with lo and eth1]
When using ECS with the awsvpc network mode (optional for EC2 mode but required for Fargate mode), each Task gets its own dedicated Elastic Network Interface (ENI).
Since each Task is 1:1 with an ENI and each ENI is 1:1 with a Security Group (SG), any communication in/out of each Task goes through its SG on both ingress and egress.
24. Micro-segmenting with Security Groups
You can use a security group ID as both a source and destination for other security group rules, both to loop back to itself or referencing other SGs.
• This enables network segmentation without complex subnetting
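The SG-to-SG references described above, expressed as boto3-shaped ingress rules and then checked by a small simulation of how security groups evaluate a connection; this is an added example, not code from the slides. The security group IDs, ports and the web/api/db service graph are constructed sample data.

```python
# Added example, not from the slides: each service's Tasks sit behind their own
# security group; a caller is allowed by an ingress rule on the callee's SG whose
# source is the caller's SG ID (a UserIdGroupPair), and a service whose Tasks talk
# to each other references its own SG ID. All IDs and ports here are constructed.

def ingress_permissions(port, source_sgs):
    """boto3-shaped IpPermissions for authorize_security_group_ingress: one TCP
    port, one UserIdGroupPair per allowed source security group, no CIDR ranges."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": sg} for sg in source_sgs]}]

def build_rules(graph):
    """graph: {dest_sg: {"port": int, "from": [source_sg, ...]}}
    -> {dest_sg: IpPermissions} ready to apply to each destination SG."""
    return {dest: ingress_permissions(spec["port"], spec["from"]) for dest, spec in graph.items()}

def ingress_allowed(rules, src_sg, dest_sg, port):
    """Simulate SG evaluation for a new TCP connection. SGs are allow-only and
    deny by default, so the destination SG must hold a rule that covers the port
    and names the source SG. Return traffic is implied because SGs are stateful;
    the source SG's default allow-all egress rule is assumed (tighten it too)."""
    for perm in rules.get(dest_sg, []):
        if perm["IpProtocol"] != "tcp" or not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(pair["GroupId"] == src_sg for pair in perm["UserIdGroupPairs"]):
            return True
    return False

# Constructed three-tier example: web -> api (8080) -> db (5432). The api Tasks also
# call each other on 8080 (self-referencing SG); nothing but api may reach db.
WEB, API, DB = "sg-0aaa1111", "sg-0bbb2222", "sg-0ccc3333"
GRAPH = {API: {"port": 8080, "from": [WEB, API]}, DB: {"port": 5432, "from": [API]}}
RULES = build_rules(GRAPH)
```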
25. Private EKS Control Plane API Endpoints
[Diagram: Worker VPC (your account) with kubectl and worker nodes (Kubelet, Kube-proxy) in AZ 1 and AZ 2; Master VPC (AWS account) with an API Server and etcd in each of AZ 1 and AZ 2, reached through EKS-owned ENIs; the endpoint prod-cluster-123.eks.amazonaws.com resolves via a private hosted zone; Public == false, Private == true]
26. Networking with EKS
[Diagram: VPC Subnet 10.0.0.0/24 with Instance 1 and Instance 2; each instance's ENI carries Secondary IPs (10.0.0.1 and 10.0.0.2 on Instance 1; 10.0.0.20 and 10.0.0.22 on Instance 2) that are handed to Pods via ec2.associateaddress()]
27. Installing a Network Policy Provider on Kubernetes
You first need to add a Network Policy Provider to EKS / Kubernetes in order to use Network Policies. A popular one covered in our documentation is Calico.
https://docs.aws.amazon.com/eks/latest/userguide/calico.html
35. Alternative – Multiple NodeGroups or Clusters
One way that you can both assign EC2 Instance-level IAM Roles (without kops or kiam) as well as fully trust Security Group-based micro-segmentation without Tigera is to have a different set of worker nodes, or even entirely separate Clusters, for different services or trust boundaries.
EKS has the concept of a NodeGroup, which is a separate Auto Scaling Group of worker Nodes that can be labelled in such a way that you can limit which pods/services can be run on them.
https://kubernetes.io/docs/concepts/configuration/assign-pod-node
36. Wildcard – Service Mesh Instead?
Instead of imposing network-level restrictions like AWS Security Groups or Kubernetes Network Policies you can instead use a Service Mesh to both encrypt and authenticate between all of your services, allowing for a flatter, more unsegmented underlying network yet still staying safe.
Options: AWS App Mesh, Istio
37. Why Service Mesh?
[Diagram: Service (team A) <-> Service (team B) over http/tcp]
Common need: Manage inter-service traffic
• How to generate uniform logs, metrics and traces
• How to load balance traffic
• How to shift traffic between deployments
• How to decouple service teams
• How to minimize impact to application code
• How to ensure all traffic is encrypted
• How to ensure that the service making the request is the one that SHOULD be making it
38. Why App Mesh?
[Diagram: Service (team A) <-> Proxy <-http/tcp-> Proxy <-> Service (team B); both proxies are configured by the Control plane]
• Proxy: sits between all services; manages and observes traffic
• Control plane: translates intent to proxy config; distributes proxy config
39. Sidecar proxy with containers
[Diagram: a Task or pod containing the application code as a container and the proxy running as a container; external traffic reaches the application through the proxy]
40. Envoy: OSS project
• Wide community support, numerous integrations
• Stable and production-proven
• Graduated Project in Cloud Native Computing Foundation
• Started at Lyft in 2016
• App Mesh and Istio both use Envoy
42. Mutual TLS authentication (mTLS)
[Diagram: a Certificate Authority performs Certificate Generation / Signing for Client & Server; the Client holds its Private Key and Client Cert, the Server its Private Key and Server Cert; in the Certificate Exchange the Client validates the Server Cert and the Server validates the Client Cert]
43. AWS App Mesh vs. Istio
App Mesh
• Orchestrates Envoy sidecar
• Integrated with Kubernetes
• Does not yet support encryption and mTLS
• Wider integration with AWS
• Regional Managed Service
• Fully supported by AWS
Istio (on EKS)
• Orchestrates Envoy sidecar
• Integrated with Kubernetes
• Supports encryption and mTLS
• Requires Kubernetes
• State stored in Kubernetes’ control plane and etcd via Custom Resources
• Best effort support by AWS
44. AWS AppMesh Roadmap on GitHub
https://github.com/aws/aws-app-mesh-roadmap
Captured
45. Shared Responsibility Model
46. EC2 Mode – Customer Responsibilities
• Instance type and quantity to choose?
• What is the CPU to RAM ratio?
• Excess capacity for scaling and availability?
• Which OS to choose?
• If Amazon Linux we provide AMIs
• Hardening the OS (e.g. against CIS benchmark)
• Patching of the OS, Docker, ECS Agent or kubelet etc.
47. Security Benefits Of Fargate
We do more, you do less.
• Patching (OS, Docker, ECS Agent, etc.)
• Task isolation (via separate Clusters)
• No --privileged mode for containers
• Requires awsvpc network mode so ENI/SG per Task
• No runtime access for users (ssh or interactive Docker)
48. EC2-mode ECS Shared Responsibility Model
[Diagram: the Shared Responsibility Model split between AWS and Customer, extended with the ECS-specific items Images, ECS Config, ECS Control Plane and Instance Scaling alongside Compute, Storage, Database, Networking, Regions, Availability Zones, Edge Locations, Operating System, Identity & Access Management, Network and Firewall Configuration and Customer Data; in EC2 mode the Operating System and Instance Scaling sit on the Customer side]
49. ECS Fargate Shared Responsibility Model
[Diagram: the same items as the EC2-mode model; with Fargate the Operating System and Instance Scaling move to the AWS side, leaving Images, ECS Config, Identity & Access Management, Network and Firewall Configuration and Customer Data with the Customer]
50. Updating EKS
• Kubernetes has a new major version every quarter
• Kubernetes has a new minor version quite regularly
• Sometimes Kubernetes updates are security-related
• EKS has APIs to trigger an update of the control plane
• You then need to update the worker Nodes, both re: Kubernetes as well as Docker and OS
• Often the workers are in an Autoscaling Group so this means building updated AMIs
• We provide a regularly updated EKS Node AMI as well as scripts to build your own.
51. Shared Responsibility Model
52. AWS Parameter Store, Secrets Manager and Kubernetes Secrets
AWS has both Parameter Store and Secrets Manager to store your Secrets. They are integrated into ECS but you’ll need to call them within the Pod on Kubernetes via our CLI or SDK.
Kubernetes’ built-in Secrets functionality stores secrets in its control plane and puts them into running Pods via Environment Variables or files in the filesystem. You can’t use these outside of the Kubernetes cluster.
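A pre-deploy check for the ECS integration described above, added here as an example (not code from the slides or from AWS). It assumes the task definition's `secrets` / `valueFrom` fields as ECS defines them; the task definition, account ID and ARNs are constructed sample input, and requiring the full ARN form is this check's own policy (ECS also accepts a same-region parameter name).

```python
# Added example, not from the slides: ECS resolves a container's 'secrets' entries
# from Parameter Store or Secrets Manager at launch via 'valueFrom', so the value
# never sits in the task definition, whereas plaintext 'environment' entries do and
# are visible to anyone who can describe the task definition. This lint flags
# secret-looking environment variables and 'secrets' whose valueFrom is not a full
# SSM parameter or Secrets Manager ARN (the ARN-only rule is this check's policy).
# TASKDEF is constructed sample input; the account ID and ARNs are not real.
import re

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
SECRET_REF = re.compile(
    r"^arn:aws:(secretsmanager:[a-z0-9-]+:\d{12}:secret:.+|ssm:[a-z0-9-]+:\d{12}:parameter/.+)$")

def check_task_definition(taskdef):
    """Return findings as (container, kind, variable) tuples; an empty list is clean."""
    findings = []
    for c in taskdef.get("containerDefinitions", []):
        for env in c.get("environment", []):   # plaintext in the task definition
            if SECRET_NAME.search(env["name"]):
                findings.append((c["name"], "plaintext-env", env["name"]))
        for s in c.get("secrets", []):         # resolved by the ECS agent at launch
            if not SECRET_REF.match(s["valueFrom"]):
                findings.append((c["name"], "bad-secret-ref", s["name"]))
    return findings

TASKDEF = {  # constructed sample task definition
    "family": "payments",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments:3f9c2b1",
        "environment": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "DB_PASSWORD", "value": "hunter2"},  # belongs under 'secrets'
        ],
        "secrets": [
            {"name": "DB_CREDENTIALS", "valueFrom":
                "arn:aws:secretsmanager:us-east-1:123456789012:secret:payments/db-AbCdEf"},
            {"name": "API_TOKEN", "valueFrom": "/payments/api-token"},  # bare name, flagged
            {"name": "SIGNING_KEY", "valueFrom":
                "arn:aws:ssm:us-east-1:123456789012:parameter/payments/signing-key"},
        ],
    }],
}
```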
54. Shared Responsibility Model
55. Security Best Practices For Container Images
Less is more (secure)
• No secrets in them
• One service per container
- Use sidecars within Task / Pod
• Minimise container footprint
- Include only what is needed at runtime
[Diagram: image layers: bootfs/kernel, Base image, Image, Image, Container; each Image references its parent image]
56. Security Best Practices For Container Images
• Use known and trusted base images
- Official on Docker Hub
- Read the Dockerfiles
- Scan the image for CVEs
• Specify USER in Dockerfile (otherwise it’s root)
• Unique and informative image tags
- Be able to tell which commit at a glance
[Diagram: image layers: bootfs/kernel, Base image, Image, Image, Container; each Image references its parent image]
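A Dockerfile check for the practices on these two slides (trusted and pinned base image, a USER instruction, no secrets baked in, a tag that identifies the commit), added here as an example and not code from the slides. The trusted registry (a placeholder ECR address) is an assumption, and the Dockerfile text is constructed sample input.

```python
# Added example, not from the slides: lint a Dockerfile against the practices above.
# TRUSTED_REGISTRIES is an assumption (a placeholder ECR registry of your own); an
# image reference without a slash is treated as an official Docker Hub image.
# DOCKERFILE is constructed sample input.
import re

TRUSTED_REGISTRIES = ("123456789012.dkr.ecr.us-east-1.amazonaws.com/",)
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
SECRET_FILE = re.compile(r"(\.pem|\.key|id_rsa|\.env|\.aws/credentials)(\s|$)", re.I)
COMMIT_TAG = re.compile(r"^(?!latest$).*\b[0-9a-f]{7,40}\b")  # tag carries a git SHA

def lint_dockerfile(text):
    """Return (instruction, problem, detail) findings for a Dockerfile."""
    findings, runs_as_root = [], True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM":
            image = rest.split()[0]                 # drop any "AS stage" alias
            ref = image.rsplit("/", 1)[-1]          # name[:tag][@digest]
            if "@" not in ref and (":" not in ref or ref.endswith(":latest")):
                findings.append(("FROM", "base image not pinned to a tag or digest", image))
            if "/" in image and not image.startswith(TRUSTED_REGISTRIES):
                findings.append(("FROM", "base image from an untrusted registry", image))
        elif instr in ("ENV", "ARG") and SECRET_NAME.search(rest):
            findings.append((instr, "secret baked into the image", rest))
        elif instr in ("COPY", "ADD") and SECRET_FILE.search(rest):
            findings.append((instr, "secret file copied into the image", rest))
        elif instr == "USER":
            runs_as_root = rest in ("root", "0")   # the last USER instruction wins
    if runs_as_root:
        findings.append(("USER", "no non-root USER; container runs as root", ""))
    return findings

def tag_identifies_commit(tag):
    """True for tags such as '20190519-3f9c2b1' that show the commit at a glance."""
    return bool(COMMIT_TAG.match(tag))

DOCKERFILE = """\
FROM python:3.7-slim
ENV API_TOKEN=abc123
COPY . /app
COPY id_rsa /root/.ssh/id_rsa
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""
```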
57. Image Scanning
• Scan images in your registry
- Docker Hub does this
- On our roadmap to do with Elastic Container Registry (ECR) as well
• Scan images in your build pipeline
- Clair - https://github.com/coreos/clair
- Aqua Microscanner - https://github.com/aquasecurity/microscanner
• Scan images at runtime / running containers (these can also scan in pipeline)
- Aqua - https://www.aquasec.com/solutions/aws-container-security/
- Twistlock - https://www.twistlock.com/solutions/aws-security/
All of the above?
58. Runtime container security
You can protect against zero-day vulnerabilities not yet even in a CVE database via partner products from the likes of Aqua and Twistlock.
• Limit what can execute within container(s) via rules engine
- e.g. “Do not run things that were not in the image” or “Do not run things that are not on this whitelist”
• Ensure only trusted images can be deployed/run in your cluster
• Get visibility into the runtime behaviour of the entire environment
• Detect vulnerable running containers as soon as a CVE is made public
60. Summing Up
The customer has many responsibilities in running containers securely in AWS, especially when running Kubernetes on the platform rather than running ECS.
The key areas to delve into include:
• Identity and Access Management
• Network Topology and Firewalling
• Logging and Auditing
• Encryption and Mutual Authentication between Tasks/Pods
• Patching (container images, container hosts and the Kubernetes control plane)
• Secrets Management
• What is in, and what isn’t in, each container image you run