The document discusses a three-layered firewall approach for securing services within an Istio service mesh. Layer 1 involves using AWS WAF for basic rate limiting of traffic at the load balancer level. Layer 2 proposes using a Coraza WASM filter within Istio ingress gateways for loose DevOps-managed firewall rules. Layer 3 suggests enabling fine-grained, developer-managed firewall policies specific to each service deployment using Coraza WASM filters within individual pods.
AWS Summit Auckland - Running your Enterprise Windows Workload on AWS (Amazon Web Services)
This document provides a summary of running Microsoft Windows workloads on AWS. It discusses options for secure remote administration, extending an on-premises network to AWS, using Active Directory services, running SQL Server on AWS, and management tools. It also includes a customer case study of how Xero migrated their accounting software to AWS, discussing their approach to network design, security, and migrating SQL Server databases in phases.
AWS re:Invent 2016: Hybrid Architecture Design: Connecting Your On-Premises W... (Amazon Web Services)
You’re trying to minimize your time to deploy applications, reduce capital expenditure, and take advantage of the economies of scale made possible by using Amazon Web Services; however, you have existing on-premises applications that are not quite ready for complete migration. Hybrid architecture design can help! In this session, we discuss the fundamentals that any architect needs to consider when building a hybrid design from the ground up. Attendees get exposure to Amazon VPC, VPNs, Amazon Direct Connect, on-premises routing and connectivity, application discovery and definition, and how to tie all of these components together into a successful hybrid architecture.
From One to Many: Evolving VPC Design (ARC401) | AWS re:Invent 2013 (Amazon Web Services)
As more customers adopt Amazon Virtual Private Cloud architectures, the features and flexibility of the service are squaring off against increasingly complex design requirements. This session follows the evolution of a single regional VPC into a multi-VPC, multi-region design with diverse connectivity into on-premises systems and infrastructure. Along the way, we investigate creative customer solutions for scaling and securing outbound VPC traffic, managing multi-tenant VPCs, conducting VPC-to-VPC traffic, extending corporate federation and name services into VPC, running multiple hybrid environments over AWS Direct Connect, and integrating corporate multiprotocol label switching (MPLS) clouds into multi-region VPCs.
Presentation by Hugo Trippaers from Schuberg Philis, in which he talks about Software Defined Networking and its application in cloud computing. Hugo implemented the integration of the Nicira private gateway in Apache CloudStack. He also covers MidoNet from Midokura, the BigSwitch virtual switch and the native SDN controller in CloudStack, which uses GRE tunnels. SDN allows virtual networks to be configured and managed dynamically, which allows for easy provisioning of tenants' networks in the cloud.
AWS Webcast - Deploying Remote Desktop Gateway on the AWS Cloud (Amazon Web Services)
This webinar reviews our new Remote Desktop Gateway Reference Implementation Guide, which will help you deploy Remote Desktop Gateway on AWS in about an hour. Included are an overview of the reference architecture and best practices for securely accessing your Windows-based instances using the Remote Desktop Protocol (RDP) for remote administration. Also provided are AWS CloudFormation templates to help automate deployment.
The document discusses vCloud Air and how it can host business-critical MySQL databases. It provides an overview of vCloud Air and how to set up MySQL instances within it. While vCloud Air provides basic availability and scalability, VMware Continuent adds high availability, disaster recovery, and replication capabilities to MySQL databases running in vCloud Air. It also discusses using Continuent to implement cross-region clusters spanning vCloud Air and on-premises data centers.
Cloud Security: Limitations of Cloud Security Groups and Flow Logs (Priyanka Aash)
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world of no perimeters, Cloud Security Groups, the "Cloud Firewalls", fit in. We will practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
This document discusses several ways to access AWS cloud workloads from various locations, including from the internet, from other VPCs, and from on-premises networks. It provides an overview of networking services like internet gateways, VPC peering, transit gateways, Direct Connect, and VPN connections. Diagrams show example architectures using these services to provide secure, scalable access to workloads from different networks.
Ravello webinar - Creating smart labs on AWS/Google for sales demos, training... (shrutib)
This webinar will cover the concept of Smart Labs that let you spin up your application in as many cloud-based lab environments as you need, without any migration overhead.
Once upon a time - not too long ago - setting up repeatable application environments with complex networking and multiple VMs took days or even weeks, and capacity planning was a nightmare. Today, you can automatically spin up complex environments in leading public clouds and run any VMs - including existing VMware/KVM virtual machines, and virtual appliances such as Cisco, Brocade, Juniper, F5, Check Point, Infoblox - and any networking - including static IPs, multiple subnets, broadcast and multicast.
We will discuss and demonstrate live how Ravello’s Smart Labs on AWS or Google Cloud, powered by nested virtualization and software defined networking, let you:
1. Provision hundreds of student environments with one click or API call for virtual training or classrooms - and pay only for usage
2. Enable sales teams with live cloud-based demo environments for your application software that they can deploy & destroy as needed from anywhere in the world
3. Ensure that QA teams never have to wait for test environments for automated testing
Running your Windows Enterprise Workloads on AWS - Technical 201 (Amazon Web Services)
Whether it's application services or end user computing, cloud is the new normal for organisations of all sizes. In this session you will learn how to realise the benefits of running a complete Microsoft Enterprise environment securely and cost effectively within the AWS Cloud, covering topics such as the AWS Active Directory Service, SQL Server, and remote desktops. We will also provide insight into management options including AWS Simple Systems Management (SSM). This session will set you up for success to migrate and operate your Microsoft workloads on AWS.
Speaker: Andrew Mitchell, Principal Solutions Architect, Amazon Web Services
Featured Customer - Carsales.com.au
Radware bringing mission and performance critical applications to cloud sta... (ShapeBlue)
The document discusses load balancing models in the cloud and Radware's load balancing as a service (LBaaS) solution. It describes Radware's LBaaS architecture, which provides on-demand load balancer provisioning, overlay network interoperability, efficiency through overlay network gateway bypass, high availability, and tenant isolation/SLA guarantees. It also compares Radware's LBaaS solution to competing external load balancing solutions, noting Radware's advantages in elasticity, interoperability, efficiency, availability, and tenant isolation.
Cloud stack networking shapeblue technical deep dive (ShapeBlue)
This document provides a technical deep dive into CloudStack networking. It describes the different physical networks in CloudStack including the management, public, guest, and storage networks. It explains basic and advanced networking configurations, security groups, network service providers, and the use of Citrix NetScaler for elastic IP and load balancing. Virtual private clouds (VPCs) and site-to-site VPN configurations are also covered. The document concludes with a discussion of future software defined networking integrations.
Cisco Cloud Connect Solutions Extend Your Private Network to AWS and Maintain... (Amazon Web Services)
Cloud Connect is a key component of the Cisco hybrid cloud portfolio. In this session, we review how Cloud Connect solutions can securely extend your private network to the AWS Cloud and ensure the application experience. The products we cover include the CSR1000v and vEdge with Umbrella integration.
VMworld 2014: VMware NSX and vCloud Automation Center Integration Technical D... (VMworld)
This document provides an overview and agenda for a presentation on integrating VMware NSX and vCloud Automation Center. It discusses how the integration enables dynamic configuration and deployment of NSX logical networking and security services through vCloud Automation Center. Key features covered include network profiles for different application topologies, microsegmentation using security groups, applying firewall and security policies, and load balancing. The integration leverages the new NSX vCenter Orchestrator plugin to abstract workflows and make them more extensible.
In this session, we walk through the fundamentals of connectivity with AWS. First, we cover build-out and design fundamentals for VPCs, including picking your IP space, subnetting, routing, security, NAT, and much more. We then transition to different approaches and use cases for connecting your physical data center to AWS. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision makers interested in understanding the building blocks.
Enterprise Service Delivery from the AWS Cloud (ARC208) | AWS re:Invent 2013 (Amazon Web Services)
(Presented by Citrix)
As we move to a world where all users are mobile and apps are increasingly delivered from the cloud, security, compliance, and user experience service-level expectations are higher than ever, necessitating that IT look beyond traditional methods for delivering applications. However, there are intelligent cloud networking and provisioning solutions on AWS that can be leveraged to create a service delivery model that addresses the new paradigm. Learn how Citrix NetScaler VPX on AWS provides full application visibility and control through a combination of customer case studies and demos.
In this session, you learn how to:
- Deploy Citrix application delivery technologies (NetScaler, NetScaler Gateway, CloudBridge) into AWS
- Optimize next-gen web applications delivered from AWS, using traffic management and application acceleration capabilities
- Provide global application availability across on-premises data centers and multiple AWS regions using CloudBridge, global server load balancing, and Amazon Route 53 DNS
Microsoft technologies form the backbone of many Enterprise IT Infrastructures. Whether you are running Microsoft Exchange, SharePoint, SQL Server or Active Directory, chances are you rely upon these services for your mission critical needs. Solutions Architects and IT professionals will get an overview of the common Microsoft workloads running on AWS, including approaches for server migrations, design and deployment of infrastructure services, and maintenance and monitoring of those services once they are in production.
VMworld 2013: Case Study: VMware vCloud Ecosystem Framework for Network and S... (VMworld)
VMworld 2013
David Hughes, Silver Peak
Terry Lyons, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur... (Amazon Web Services)
Securing DoD workloads in the cloud is no task to be taken lightly. Today's ever-changing threat landscape requires the advanced capabilities of Palo Alto Networks VM-Series Next Generation Firewall to secure your AWS deployment. Granular security controls based upon users, their applications and the content within those applications give you complete visibility into, and control over, the "who" (via User-ID) and "what" (via App-ID) of your cloud traffic while preventing both known and unknown threats. Coupled with Palo Alto Networks and Amazon's Secure Cloud Computing Architecture (SCCA) Quick Start deployment template, the process of attaining your accreditation is greatly streamlined. Automate your deployment on AWS with many required SCCA security controls both pre-configured and documented at the time of deployment. This session will relate the capabilities that Palo Alto Networks Next Generation Firewall brings to the cloud, including a product demonstration conducted on a VM-Series firewall running on AWS. The target audience is technical security practitioners and information assurance professionals who want to understand the capabilities of Palo Alto Networks on AWS, prevent data breaches, and efficiently attain their accreditation. Learn More: https://aws.amazon.com/government-education/
Microsoft technologies form the backbone of many Enterprise IT Infrastructures. Whether you are running Microsoft Exchange, SharePoint, SQL Server or Active Directory, chances are you rely upon these services for your mission critical needs. Solutions Architects and IT professionals will get an overview of the common Microsoft workloads running on AWS, including approaches for server migrations, design and deployment of infrastructure services, and maintenance and monitoring of those services once they are in production.
This document provides a summary of announcements and updates from VMworld 2014, the largest virtualization and cloud global conference. It discusses VMware's vision for the Software Defined Data Center (SDDC) and highlights key technology announcements for various VMware products, including vRealize, NSX, OpenStack, and vCloud Automation Center. Hands-on labs and sessions are also referenced.
VMworld 2013: Virtualized Network Services Model with VMware NSX (VMworld)
This document summarizes a presentation about VMware's NSX virtualized networking solution. It introduces NSX Edge gateways which provide routing, firewalling, load balancing, and VPN services. It discusses how NSX addresses the needs of cloud computing through automation, standard hardware, and a single management plane. Example use cases are shown. Key features of the NSX Edge including scalable performance are outlined. The document also briefly discusses NSX operations and management tools, and its deployment on VMware vCloud Hybrid Service.
Couchbase Server on Azure Cloud - best practices for deploying a development or production environment with Couchbase Server on Microsoft's Azure Cloud Platform.
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc... (SkillCertProExams)
• For a full set of 760+ questions, go to
https://skillcertpro.com/product/databricks-certified-data-engineer-associate-exam-questions/
• SkillCertPro offers detailed explanations for each question, which helps to understand the concepts better.
• It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.
• SkillCertPro updates exam questions every 2 weeks.
• You will get lifetime access and lifetime free updates.
• SkillCertPro assures a 100% pass guarantee on the first attempt.
More Related Content
Similar to Firewalling a Service Mesh with WebAssembly.pdf
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells (Rosie Wells)
Insight: In a landscape where traditional narrative structures are giving way to fragmented and non-linear forms of storytelling, there lies immense potential for creativity and exploration.
'Collapsing Narratives: Exploring Non-Linearity' is a micro report from Rosie Wells.
Rosie Wells is an Arts & Cultural Strategist uniquely positioned at the intersection of grassroots and mainstream storytelling.
Their work is focused on developing meaningful and lasting connections that can drive social change.
Please download this presentation to enjoy the hyperlinks!
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Carrer goals.pptx and their importance in real lifeartemacademy2
Career goals serve as a roadmap for individuals, guiding them toward achieving long-term professional aspirations and personal fulfillment. Establishing clear career goals enables professionals to focus their efforts on developing specific skills, gaining relevant experience, and making strategic decisions that align with their desired career trajectory. By setting both short-term and long-term objectives, individuals can systematically track their progress, make necessary adjustments, and stay motivated. Short-term goals often include acquiring new qualifications, mastering particular competencies, or securing a specific role, while long-term goals might encompass reaching executive positions, becoming industry experts, or launching entrepreneurial ventures.
Moreover, having well-defined career goals fosters a sense of purpose and direction, enhancing job satisfaction and overall productivity. It encourages continuous learning and adaptation, as professionals remain attuned to industry trends and evolving job market demands. Career goals also facilitate better time management and resource allocation, as individuals prioritize tasks and opportunities that advance their professional growth. In addition, articulating career goals can aid in networking and mentorship, as it allows individuals to communicate their aspirations clearly to potential mentors, colleagues, and employers, thereby opening doors to valuable guidance and support. Ultimately, career goals are integral to personal and professional development, driving individuals toward sustained success and fulfillment in their chosen fields.
This presentation by Thibault Schrepel, Associate Professor of Law at Vrije Universiteit Amsterdam University, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
XP 2024 presentation: A New Look to Leadershipsamililja
Presentation slides from XP2024 conference, Bolzano IT. The slides describe a new view to leadership and combines it with anthro-complexity (aka cynefin).
This presentation by Yong Lim, Professor of Economic Law at Seoul National University School of Law, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Nathaniel Lane, Associate Professor in Economics at Oxford University, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Firewalling a Service Mesh with WebAssembly.pdf
1. MEETUP
Firewalling a Service Mesh with WebAssembly: Pick low hanging Fruits
for secure and performant self-servicing
SDA DevOps Team | 29.11.2023
2. SDA SE
SDA SE
• What we have now
• The Plan: 3 Layered Firewall
• Layer 1: IP-Based Rate-Limiting
• Layer 2: DevOps managed loose Istio Firewall
• Layer 3: Developer managed fine-grained Istio Firewall
• Closing words and questions
AGENDA
Thanks for attending
30.11.23 Firewalling a Service Mesh with WebAssembly 2
3. CLUSTER CONFIGURATION
What we have now
Tools & Application Cluster (4 separated kubernetes cluster)
Tools Cluster
Here we find all the tools we need to develop software based on industry best practices.
Includes the following tools, among others: Log Analysis Platform, Cluster Security Monitor, Cluster Image Scanner, Requirements/Supporting Tools
We believe in IaC (Infrastructure as Code), these tools help us deploy our Code/Infrastructure
Applications Cluster (Testing)
Software will be deployed over GitOps, by using ArgoCD from the Tools Cluster
Applications Cluster (Integration)
Software will be deployed over GitOps, by using ArgoCD from the Tools Cluster, after passing all tests in the application Cluster (Testing)
Applications Cluster (Prod)
Software will be deployed over GitOps, by using ArgoCD from the Tools Cluster, after passing all tests in the application Cluster (Staging)
Each Applications Cluster also runs: Cluster Monitor, Log, DBs
4. CLUSTER CONFIGURATION
What we have now
Key Points to take away
• Many Clusters
• Like to pull Cloud-Features into k8s
• Platform Tools
• Business-Logic Software
• DevOps doesn’t know upfront what will be deployed
• Terraform everything
5. CLUSTER CONFIGURATION
Private Clusters Networking
What we have now
AWS Cloud
AWS account
VPC - 10.x.x.x/18
• Private – tools-meetup-a - 10.x.x.x/22
• Private – tools-meetup-b - 10.x.x.x/22
• Private – tools-meetup-c - 10.x.x.x/22
• Public – tools-meetup-a - 10.x.x.x/24
• Public – tools-meetup-b - 10.x.x.x/24
• Public – tools-meetup-c - 10.x.x.x/24
• Private – dev-meetup-a - 10.x.x.x/22
• Private – dev-meetup-b - 10.x.x.x/22
• Private – dev-meetup-c - 10.x.x.x/22
• Public – dev-meetup-a - 10.x.x.x/24
• Public – dev-meetup-b - 10.x.x.x/24
• Public – dev-meetup-c - 10.x.x.x/24
6. CLUSTER CONFIGURATION
Private Clusters Networking
What we have now
7. CLUSTER CONFIGURATION
Private Clusters Networking
What we have now
External-DNS needs svc.Status.LoadBalancer.Ingress for Route53 record content
8. CLUSTER CONFIGURATION
What we have now
Key Points to take away
• Using Istio Service-Mesh
• Currently no Firewall
• Always Public/Private capabilities
• Manage Infrastructure from inside k8s
• External-DNS needs service status
9. 3 LAYERS OF FIREWALL
The Plan
1. Point of first contact
• Implement Rate-Limit to keep malicious traffic out of the cluster
• Swap NLB for ALB
• Attach AWS WAF Rules to said ALB
2. Last DevOps managed point of contact
• Implement Software Firewall at Ingress-Gateways
• Use loose ruling to fit common use-cases
• Implement lower coverage of OWASP CRS
3. Deployment specific point of contact
• Implement Software Firewall as part of Deployment
• Implement, at best, all of OWASP CRS
10. IP-BASED RATE LIMIT
Layer 1
• Guard from large number of requests from recent IPs
• Required for both Public/Private – so no CDN
• Istio is distributed, counting requests is hard
• AWS WAF is cheap, request agnostic
11. IP-BASED RATE LIMIT
Layer 1
From this:
12. IP-BASED RATE LIMIT
Layer 1
To this:
13. IP-BASED RATE LIMIT
Layer 1
But:
• AWS LoadBalancer Controller only creates ALB for Ingress type resources
• AWS LoadBalancer Controller doesn’t create Service Status for ALBs
• Can’t manually set Service Status using Terraform
14. IP-BASED RATE LIMIT
Layer 1
So:
• Create ALB using Terraform
• Allocate public EIP and cut private subnet IP from subnets
• Set IPs to externalIPs field of service
15. IP-BASED RATE LIMIT
Layer 1
But:
• ALBs don’t support choosing IPs
• Only NLBs support attaching EIPs and private IPs
16. IP-BASED RATE LIMIT
Layer 1
So:
17. IP-BASED RATE LIMIT
Layer 1
But:
• The External-DNS VirtualService source only reads the service status, not externalIPs
18. IP-BASED RATE LIMIT
Layer 1
So:
• We need to add this via Open-Source PR
• Layer 1 plan has failed so far
19. DEVOPS MANAGED SERVICE-MESH FIREWALL
Service-Mesh
Layer 2
• dedicated infrastructure layer
• communication between microservices
• manage and control the interactions
• We use Istio – biggest player
20. DEVOPS MANAGED SERVICE-MESH FIREWALL
Coraza WAF
Layer 2
• Web Application Firewall (WAF)
• 100% compatible with OWASP CRS v4
• written in Go – is a library at its core
• replaces the ModSecurity Engine
• Itself an Engine – useless without rules
21. DEVOPS MANAGED SERVICE-MESH FIREWALL
OWASP CRS
Layer 2
• Generic attack detection rules, like OWASP Top Ten
• Can be loaded into compatible WAFs
• Customizable – using paranoia levels, exclusions etc.
22. DEVOPS MANAGED SERVICE-MESH FIREWALL
ModSecurity policy
Layer 2
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,deny"
• SecRule = Keyword
• REQUEST_URI = Variable, e.g. “/admin”
• “@streq /admin” = compare variable to string
• id = id of the rule – they need to be unique
• phase:1 = request headers and body processing
• deny = action
23. DEVOPS MANAGED SERVICE-MESH FIREWALL
Coraza Proxy WASM
Layer 2
• WAF WASM filter
• Implementing the proxy-wasm Application Binary Interface specification
• Event-driven streaming APIs
• In binary format and run in a sandbox (module)
• WASM modules gain adoption in container ecosystems like containerd and docker registries
• Can be loaded into Istio-Proxy (envoy)
24. DEVOPS MANAGED SERVICE-MESH FIREWALL
Istio Ingress-Gateway WAF
Layer 2
25. DEVOPS MANAGED SERVICE-MESH FIREWALL
Istio Ingress-Gateway WAF
Layer 2
• WAF implemented at Gateway level
• ALL services of whole Gateway now secured by the rules
• Activating full OWASP CRS at this level is nearly impossible in our case
26. DEVELOPER MANAGED FINE-GRAINED ISTIO FIREWALL
Service specific WAF
Layer 3
• As close as possible to service
• No host matching
• Each pod can get own WAF and own paranoia levels
• As close as possible to full OWASP CRS coverage
• Can even be used for service-to-service
• WAF can be tested in Pull-Requests
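Putting the ModSecurity policy slide, the Layer 2 gateway WAF and the Layer 3 service-specific WAF together, here is an added example of what the two Istio WasmPlugin resources could look like. It is not code from the SDA SE deck or from the Coraza project; the image reference and tag placeholder, the pluginConfig keys (default_directives, directives_map, per_authority_directives, as documented for coraza-proxy-wasm), the namespace and workload labels (shop, orders-api), the hostname legacy.example.com and the rule ids are all assumptions to adapt.

```yaml
# Added example (not from the SDA SE deck): one WasmPlugin per firewall layer.
# Assumptions: coraza-proxy-wasm is pulled from ghcr.io (pin a tag or digest),
# pluginConfig follows the coraza-proxy-wasm schema, and the labels, hosts and
# rule ids are constructed for illustration.
---
# Layer 2: DevOps-managed, attached to every ingress gateway pod.
# Loose ruling: CRS at the lowest paranoia level, because DevOps does not know
# upfront which services will sit behind the gateway.
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: coraza-gateway-waf
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway          # assumed gateway pod label
  url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:PIN_A_TAG_OR_DIGEST
  phase: AUTHN                       # run before Istio's authn/authz filters
  pluginConfig:
    default_directives: loose
    directives_map:
      loose:
        - SecRuleEngine On
        - SecRequestBodyAccess On
        - Include @recommended-conf
        # Paranoia level is set before the CRS setup is included; PL1 keeps
        # false positives low across unknown services (custom id, outside CRS range).
        - SecAction "id:1000,phase:1,pass,t:none,nolog,setvar:tx.blocking_paranoia_level=1"
        - Include @crs-setup-conf
        - Include @owasp_crs/*.conf
      # A host known to trip rules gets detection-only until its owners fix it.
      legacy:
        - SecRuleEngine DetectionOnly
        - Include @recommended-conf
        - Include @crs-setup-conf
        - Include @owasp_crs/*.conf
    # Host matching is only needed at this shared layer.
    per_authority_directives:
      legacy.example.com: legacy      # constructed hostname
---
# Layer 3: developer-managed, shipped with the Deployment and scoped by the
# workload selector, so no host matching is needed and the set can be strict.
apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: orders-api-waf
  namespace: shop                    # constructed application namespace
spec:
  selector:
    matchLabels:
      app: orders-api                # constructed workload label
  url: oci://ghcr.io/corazawaf/coraza-proxy-wasm:PIN_A_TAG_OR_DIGEST
  phase: AUTHN
  pluginConfig:
    default_directives: strict
    directives_map:
      strict:
        - SecRuleEngine On
        - SecRequestBodyAccess On
        - Include @recommended-conf
        # Full CRS at a higher paranoia level; this is the part that needs the
        # testing the deck mentions, so it lives in the service's own PRs.
        - SecAction "id:1000,phase:1,pass,t:none,nolog,setvar:tx.blocking_paranoia_level=2"
        - Include @crs-setup-conf
        - Include @owasp_crs/*.conf
        # Service-specific rules in the SecRule shape from the slide:
        # variable, operator, then comma-separated actions with a unique id.
        - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,deny"
        # ModSecurity phase semantics: phase:1 sees request headers, phase:2 runs
        # once the request body has been read, so body ARGS need phase:2.
        - SecRule ARGS:callback "@rx ^https?://" "id:102,phase:2,t:none,log,deny,msg:'URL in callback'"
```

Because the Layer 3 plugin is selected by workload labels in the application namespace, it can be committed next to the Deployment and exercised in a pull request against a test cluster, which is the testability point the slide makes; the gateway plugin stays under DevOps control in istio-system.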
27. DEVELOPER MANAGED FINE-GRAINED ISTIO FIREWALL
Service specific WAF
Layer 3
28. DEVELOPER MANAGED FINE-GRAINED ISTIO FIREWALL
Service specific WAF
Layer 3
29. DEVELOPER MANAGED FINE-GRAINED ISTIO FIREWALL
Takeaways
Layer 3
• Layer 1 for generic rate-limiting
  • Private endpoints can’t have CDN
  • Possible in Istio but have to manage Redis Cluster
  • Cloud Solutions scale great and are not too expensive
• Layer 2 for generic DevOps managed WAF
  • Enforced least amount of OWASP CRS coverage
  • Great if deployed services are unknown
  • Enforcing great coverage in Layer 3 is hard
• Layer 3 for close at service WAF
  • Very specific maximum OWASP CRS coverage
  • Requires a lot of testing
  • Is part of deployment and can be tested in PRs
30. DEVELOPER MANAGED FINE-GRAINED ISTIO FIREWALL
Closing words
Layer 3
31. FINISHED
ANY QUESTIONS?
Contact us at devops@sda-se.com for further questions or specific code snippets