Day Two Cloud 127: Avoiding Infrastructure As Code (IaC) Pitfalls
There are a lot of good things you can do with Infrastructure as Code (IaC) for automation, repeatability, and ease of operations and development. But there are also code and infrastructure pitfalls where you can tumble into a hole, break your leg, and get eaten by spiders. OK, maybe not that bad, but on today's episode we talk about potential IaC pitfalls and how to avoid them with guest Tim Davis.Why Cloudflare Bought Zaraz
Today we're excited to announce that Cloudflare has acquired Zaraz. The Zaraz value proposition aligns with Cloudflare's mission. They aim to make the web more secure, more reliable, and faster. And they built their solution on Cloudflare Workers. In other words, it was a no-brainer that we invite them to join our team.
Be Careful Who Takes Out the Trash
To understand Zaraz's value proposition, you need to understand one of the biggest risks to most websites that people aren't paying enough attention to. And, to understand that, let me use an analogy.
Imagine you run a business. Imagine that business is, I don't know, a pharmacy. You have employees. They have a process and way they do things. They're under contract, and you conduct background checks before you hire them. They do their jobs well and you trust them. One day, however, you realize that no one is emptying the trash. So you ask your team to find someone to empty the trash regularly.
Your team is busy and no one has the time to add this to their regular duties. But one plucky employee has an idea. He goes out on the street and hails down a relative Continue reading
Cloudflare acquires Zaraz to enable cloud loading of third-party tools
We are excited to announce the acquisition of Zaraz by Cloudflare, and the launch of Cloudflare Zaraz (beta). What we are releasing today is a beta version of the Zaraz product integrated into Cloudflare’s systems and dashboard. You can use it to manage and load third-party tools on the cloud, and achieve significant speed, privacy and security improvements. We have bet on Workers, and the Cloudflare technology and network from day one, and therefore are particularly excited to be offering Zaraz to all of Cloudflare's customers today, free of charge. If you are a Cloudflare customer all you need to do is to click the Zaraz icon on the dashboard, and start configuring your third-party stack. No code changes are needed. We plan to keep releasing features in the next couple of months until this beta version is a fully-developed product offering.
It’s time to say goodbye to traditional Tag Managers and Customer Data Platforms. They have done their part, and they have done it well, but as the web evolves they have also created some crucial problems. We are here to solve that.
The problems of third-party bloat
Yo'av and I founded Zaraz after having experienced working on opposite Continue reading
Guest Blog: k8s tunnels with Kudelski Security
Today, we’re excited to publish a blog post written by our friends at Kudelski Security, a managed security services provider. A few weeks back, Romain Aviolat, the Principal Cloud and Security Engineer at Kudelski Security approached our Zero Trust team with a unique solution to a difficult problem that was powered by Cloudflare’s Identity-aware Proxy, which we call Cloudflare Tunnel, to ensure secure application access in remote working environments.
We enjoyed learning about their solution so much that we wanted to amplify their story. In particular, we appreciated how Kudelski Security’s engineers took full advantage of the flexibility and scalability of our technology to automate workflows for their end users. If you’re interested in learning more about Kudelski Security, check out their work below or their research blog.
Zero Trust Access to Kubernetes
Over the past few years, Kudelski Security’s engineering team has prioritized migrating our infrastructure to multi-cloud environments. Our internal cloud migration mirrors what our end clients are pursuing and has equipped us with expertise and tooling to enhance our services for them. Moreover, this transition has provided us an opportunity to reimagine our own security approach and embrace the best practices of Zero Trust.
So far, one Continue reading
Introducing Clientless Web Isolation
Today, we're excited to announce the beta for Cloudflare’s clientless web isolation. A new on-ramp for Browser Isolation that natively integrates Zero Trust Network Access (ZTNA) with the zero-day, phishing and data-loss protection benefits of remote browsing for users on any device browsing any website, internal app or SaaS application. All without needing to install any software or configure any certificates on the endpoint device.
Secure access for managed and unmanaged devices
In early 2021, Cloudflare announced the general availability of Browser Isolation, a fast and secure remote browser that natively integrates with Cloudflare’s Zero Trust platform. This platform — also known as Cloudflare for Teams — combines secure Internet access with our Secure Web Gateway solution (Gateway) and secure application access with a ZTNA solution (Access).
Typically, admins deploy Browser Isolation by rolling out Cloudflare’s device client on endpoints, so that Cloudflare can serve as a secure DNS and HTTPS Internet proxy. This model protects users and sensitive applications when the administrator manages their team's devices. And for end users, the experience feels frictionless like a local browser: they are hardly aware that they are actually browsing on a secure machine running in a Cloudflare Continue reading
Extending Cloudflare’s Zero Trust platform to support UDP and Internal DNS
At the end of 2020, Cloudflare empowered organizations to start building a private network on top of our network. Using Cloudflare Tunnel on the server side, and Cloudflare WARP on the client side, the need for a legacy VPN was eliminated. Fast-forward to today, and thousands of organizations have gone on this journey with us — unplugging their legacy VPN concentrators, internal firewalls, and load balancers. They’ve eliminated the need to maintain all this legacy hardware; they’ve dramatically improved speeds for end users; and they’re able to maintain Zero Trust rules organization-wide.
We started with TCP, which is powerful because it enables an important range of use cases. However, to truly replace a VPN, you need to be able to cover UDP, too. Starting today, we’re excited to provide early access to UDP on Cloudflare’s Zero Trust platform. And even better: as a result of supporting UDP, we can offer Internal DNS — so there’s no need to migrate thousands of private hostnames by hand to override DNS rules. You can get started with Cloudflare for Teams for free today by signing up here; and if you’d like to join the waitlist to gain early access to UDP and Continue reading
Zero Trust Private Networking Rules
Earlier this year, we announced the ability to build a private network on Cloudflare’s network with identity-driven access controls. We’re excited to share that you will soon be able to extend that control to sessions and login intervals as well.
Private networks failed to adapt
Private networks were the backbone for corporate applications for years. Security teams used them to build a strict security perimeter around applications. In order to access sensitive data, a user had to physically be on the network. This meant they had to be in an office, connecting from a corporately managed device. This was not perfect — network access could be breached over physical connection or Wi-Fi, but tools like certificates and physical firewalls existed to prevent these threats.
These boundaries were challenged as work became increasingly more remote. Branch offices, data centers and remote employees all required access to applications, so organizations started relying on Virtual Private Networks (VPNs) to put remote users onto the same network as their applications.
In parallel to the problem of connecting users from everywhere, the security model of a private network became an even more dangerous problem. Once inside a private network, users could access any resource on Continue reading
Page Shield is generally available
Supply chain attacks are a growing concern for CIOs and security professionals.
During a supply chain attack, an attacker compromises a third party tool or library that is being used by the target application. This normally results in the attacker gaining privileged access to the application’s environment allowing them to steal private data or perform subsequent attacks. For example, Magecart, is a very common type of supply chain attack, whereby the attacker skimms credit card data from e-commerce site checkout forms by compromising third party libraries used by the site.
To help identify and mitigate supply chain attacks in the context of web applications, today we are launching Page Shield in General Availability (GA).
With Page Shield you gain visibility on what scripts are running on your application and can be notified when they have been compromised or are showing malicious behaviour such as attempting to exfiltrate user data.
We’ve worked hard to make Page Shield easy to use: you can find it under the Firewall tab and turn it on with one simple click. No additional configuration required. Alerts can be set up separately on an array of different events.
What is Page Shield?
Back in March of this Continue reading
Zaraz use Workers to make third-party tools secure and fast
We decided to create Zaraz around the end of March 2020. We were working on another product when we noticed everyone was asking us about the performance impact of having many third-parties on their website. Third-party content is an important part of the majority of websites today, powering analytics, chatbots, conversion pixels, widgets — you name it. The definition of third-party is an asset, often JavaScript, hosted outside the primary site-user relationship, that is not under the direct control of the site owner but is present with ‘approval’. Yair wrote in detail about the process of measuring the impact of these third-party tools, and how we pivoted our startup, but I wanted to write about how we built Zaraz and what it actually does behind the scenes.
Third parties are great in that they let you integrate already-made solutions with your website, and you barely need to do any coding. Analytics? Just drop this code snippet. Chat widget? Just add this one. Third-party vendors will usually instruct you on how to add their tool, and from that point on things should just be working. Right? But when you add third-party code, it usually fetches even more code from remote Continue reading
Announcing Foundation DNS — Cloudflare’s new premium DNS offering
Today, we’re announcing Foundation DNS, Cloudflare’s new premium DNS offering that provides unparalleled reliability, supreme performance and is able to meet the most complex requirements of infrastructure teams.
Let’s talk money first
When you’re signing an enterprise DNS deal, usually DNS providers request three inputs from you in order to generate a quote:
- Number of zones
- Total DNS queries per month
- Total DNS records across all zones
Some are considerably more complicated and many have pricing calculators or opaque “Contact Us” pricing. Planning a budget around how you may grow brings unnecessary complexity, and we think we can do better. Why not make this even simpler? Here you go: We decided to charge Foundation DNS based on a single input for our enterprise customers: Total DNS queries per month. This way, we expect to save companies money and even more importantly, remove complexity from their DNS bill.
And don’t worry, just like the rest of our products, DDoS mitigation is still unmetered. There won’t be any hidden overage fees in case your nameservers are DDoS’d or the number of DNS queries exceeds your quota for a month or two.
Why is DNS so important?
The Domain Name System (DNS) Continue reading
Helping You Benefit from our Pluggable eBPF Data Plane – Introducing the New Calico eBPF Data Plane Certification
Why Create a Course About Calico’s eBPF Data Plane?
Calico is the industry standard for Kubernetes networking and security. It offers a proven platform for your workloads across a huge range of environments, including cloud, hybrid, and on-premises.
Calico has had a high-quality, production-ready, performant, eBPF data plane option for some time!
However, although many users are deploying it in production and benefitting, we still sometimes see users who don’t know that Calico has an eBPF data plane or feel confident deploying it, and:
- Don’t understand the benefits of Calico’s pluggable architecture
- Don’t fully understand what eBPF is
- Don’t know that Calico has an eBPF data plane
- Don’t understand why it is not the default Calico data plane or best choice
- Don’t feel confident to deploy the Calico eBPF data plane
We created the new CCO-L2-EBPF (Certified Calico Operator: eBPF) course specifically to address these points. The course will help you to understand the strengths of eBPF and when it is, or is not, the right choice. It will also help you see how easy it is to deploy the Calico eBPF data plane if you have made the choice that it is right for you and your cluster.
What Are You Going to Test in Network Automation CI/CD Pipeline?
Network automation CI/CD pipeline seems to be the next hot thing, with vendors and bloggers describing in detail how you could get it done. How realistic is that idea for an average environment that’s barely starting its automation journey?
TL&DR: it will take a long time to get there, and lack of tests is the first showstopper.
Is SONiC Right for Your Data Center and Private Cloud Network?
There are a number of questions that enterprises, communication service providers and tier 2 cloud service providers need to ask themselves to understand if SONiC is a good choice for their on-prem data center and private cloud networks.
The post Is SONiC Right for Your Data Center and Private Cloud Network? appeared first on Pluribus Networks.
Is SONiC Right for Your Data Center and Private Cloud Network?
Many data center operators are interested in bringing the benefits of hyperscaler technologies to on-prem data centers. One of these technologies is SONiC, an open source network operating system that is being advanced under the auspices of the Open Compute Project (OCP). There are a number of questions that enterprises, communication service providers and tier 2 cloud service providers need to ask themselves to understand if SONiC is a good choice for their on-prem data center and private cloud networks.
What is SONiC?
SONiC, which stands for “Software for Open Networking in the Cloud,” is a network operating system originally designed by Microsoft for their data center networks. Microsoft was frustrated with the overly complex operating systems provided by vendors like Cisco, Juniper and Arista that included many features that Microsoft simply did not need for their Azure cloud network. Thus, SONiC was built by Microsoft in a completely modular way based on running networking functions in containers so components could be added or removed as a mechanism to build a lean, optimized OS that only contained the essential features to run the Microsoft Azure cloud network. They also developed the Switch Abstraction Interface (SAI) with a goal of enabling Continue reading