Why cloud native requires a holistic approach to security and observability

Like any great technology, the interest in and adoption of Kubernetes (an excellent way to orchestrate your workloads, by the way) took off as cloud native and containerization grew in popularity. With that came a lot of confusion. Everyone was using Kubernetes to move their workloads, but as they went through their journey to deployment, they weren’t thinking about security until they got to production. While this might seem like the intuitive thing to do, it doesn’t work in Kubernetes.

With Kubernetes, you can’t wait until the end when you’re ready to move workloads to production; you need to think about security early on. If security is not thought through in a system like Kubernetes, workloads are left vulnerable and you will not end up with a solution that is effective.

Why is this? What makes cloud native so different? Let’s take a look at some of the differences to understand why they warrant a more holistic approach to security and observability for cloud-native applications, whether in Kubernetes or another environment.

Cloud native: Origins, key differences, and challenges

What we’re used to (if we remove cloud native from the equation) is having a client-server architecture, where servers are running Continue reading

AWS Advanced Networking — Enhanced Networking — 3 — Intel 82599 VF

The first two posts covered SR-IOV and ENA settings and use cases; this third post in the series covers the Intel 82599 Virtual Function (VF) adapter.

Post 1: https://r2079.wordpress.com/2021/12/28/enhanced-networking-1-sriov-aws/

Post 2: https://r2079.wordpress.com/2022/01/08/enhanced-networking-2-verifying-ena/

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sriov-networking.html

Instance types: the Intel 82599 VF interface is supported on the following instance types: C3, C4, D2, I2, M4 (excluding m4.16xlarge), and R3.

How can we verify it? At three levels: the instance, the AMI, and the network interface.

At the instance level:

aws ec2 describe-instance-attribute --instance-id i-xx --attribute sriovNetSupport

[cloudshell-user@ip-10-0-119-152 ~]$ aws ec2 describe-instance-attribute --instance-id i-xx --attribute sriovNetSupport
{
    "InstanceId": "i-xx",
    "SriovNetSupport": {
        "Value": "simple"      -> "simple" means enabled; if disabled, the SriovNetSupport object is empty
    }
}

At the AMI level (query the SriovNetSupport attribute, not EnaSupport, which reports the ENA flag rather than the 82599 VF flag):

aws ec2 describe-images --image-id ami-07d8796a2b0f8d29c --query "Images[].SriovNetSupport"

[cloudshell-user@ip-10-0-119-152 ~]$ aws ec2 describe-images --image-id ami-07d8796a2b0f8d29c --query "Images[].SriovNetSupport"
[
    "simple"
]

At the interface level (the driver should be ixgbevf, the Intel 82599 VF driver):

ubuntu@ip-172-31-25-23:~$ ethtool -i ens3
driver: ixgbevf
version: 4.1.0-k
firmware-version:
expansion-rom-version:
bus-info: 0000:00:03.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: yes
ubuntu@ip-172-31-25-23:~$

The latest Ubuntu HVM and Amazon Linux AMIs ship the drivers required for enhanced networking: the ixgbevf module and the other modules required for sriovNetSupport.

There is also a GitHub guide covering ENA Linux best practices and operating system optimisation:

https://github.com/amzn/amzn-drivers/blob/master/kernel/linux/ena/ENA_Linux_Best_Practices.rst
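The three checks above, rolled into one script as an added example that is not part of the original post. The live checks assume the aws CLI and ethtool are installed and that the script runs with credentials (and, for the interface check, on the instance itself); the sample outputs embedded below are constructed to mirror the post's output so the parsing can be exercised offline. All function names are this example's own, and the supported-type list is the one quoted above from the AWS documentation.

```shell
#!/bin/sh
# Added example, not from the original post: roll the three verification
# steps (instance attribute, AMI attribute, interface driver) into functions
# and interpret their results. Assumes `aws` and `ethtool` are installed for
# the live checks; all function names are this example's own.

# Is this instance type in the list AWS documents for the Intel 82599 VF?
# m4.16xlarge is the documented exception within the M4 family.
supports_82599_vf() {
  case "$1" in
    m4.16xlarge)                         false ;;
    c3.*|c4.*|d2.*|i2.*|m4.*|r3.*)       true ;;
    *)                                   false ;;
  esac
}

# Map the kernel driver reported by `ethtool -i` to the AWS networking flavour.
en_flavor_for_driver() {
  case "$1" in
    ixgbevf)          echo "intel-82599-vf" ;;   # sriovNetSupport=simple
    ena)              echo "ena" ;;              # Elastic Network Adapter
    vif|xen_netfront) echo "paravirtual" ;;      # no enhanced networking
    *)                echo "unknown" ;;
  esac
}

# Pull the `driver:` field out of `ethtool -i <iface>` output read from stdin.
driver_from_ethtool() {
  awk -F': *' '$1 == "driver" { print $2; exit }'
}

# Interpret describe-instance-attribute --attribute sriovNetSupport JSON read
# from stdin. Only the value "simple" means enabled; a disabled instance
# returns an empty SriovNetSupport object, so anything else is "disabled".
sriov_state_from_json() {
  if grep -q '"Value": *"simple"'; then echo "enabled"; else echo "disabled"; fi
}

# Live checks: the same commands as in the post, piped into the helpers above.
check_instance() {
  aws ec2 describe-instance-attribute --instance-id "$1" \
      --attribute sriovNetSupport | sriov_state_from_json
}
check_image() {
  aws ec2 describe-images --image-id "$1" \
      --query "Images[].SriovNetSupport" --output text
}
check_iface() {
  en_flavor_for_driver "$(ethtool -i "$1" | driver_from_ethtool)"
}

# Constructed samples (mirroring the post's output) so the parsing can be
# exercised without credentials or an EC2 instance.
SAMPLE_ETHTOOL='driver: ixgbevf
version: 4.1.0-k
firmware-version:
bus-info: 0000:00:03.0'
SAMPLE_ATTR_ON='{ "InstanceId": "i-xx", "SriovNetSupport": { "Value": "simple" } }'
SAMPLE_ATTR_OFF='{ "InstanceId": "i-xx", "SriovNetSupport": {} }'
```

Usage: `check_instance i-xx`, `check_image ami-xx` and `check_iface ens3` reproduce the post's three commands; `supports_82599_vf "$(curl -s http://169.254.169.254/latest/meta-data/instance-type)"` tells you up front whether the instance family can use the VF at all, which saves chasing a missing driver on a type that never had one.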

Heavy Networking 612: Cloud-Native Kubernetes Networking For CSPs (Sponsored)

Heavy Networking explores big ideas around service provider and cloud provider network services in 2022, both how they collide and are complementary. Our sponsor is Juniper Networks. We also get an update on Juniper’s Contrail product, a software-defined networking platform that now includes native integration with Kubernetes.

The post Heavy Networking 612: Cloud-Native Kubernetes Networking For CSPs (Sponsored) appeared first on Packet Pushers.

IP Addressing through 2021s

Time for another annual roundup from the world of IP addresses. Let's see what has changed in the past 12 months in addressing the Internet and look at how IP address allocation information can inform us of the changing nature of the network itself.

2021 IT Blog Awards finalist!

I was surprised but very honoured to learn that my blog was selected as a finalist in the IT Blog Awards. I started this blog to help with my learning during a personal research project and to contribute to the open-source networking community as best I could. I never imagined that someone else might consider it for an honour such as this!

If you have gotten value from reading this blog, please go to the IT Blog Awards voting page and vote for the “Open Source Routing and Network Simulation” blog. Thank you so much!

Designing Instagram


This is a guest post by Ankit Sirmorya. Ankit is working as a Machine Learning Lead/Sr. Machine Learning Engineer at Amazon and has led several machine-learning initiatives across the Amazon ecosystem. Ankit has been working on applying machine learning to solve ambiguous business problems and improve customer experience. For instance, he created a platform for experimenting with different hypotheses on Amazon product pages using reinforcement learning techniques. Currently, he is in the Alexa Shopping organization where he is developing machine-learning-based solutions to send personalized reorder hints to customers for improving their experience.

Problem Statement

Design a photo-sharing platform similar to Instagram where users can upload photos and share them with their followers. Users can then view a personalized feed containing posts from all the users they follow.

Gathering Requirements

In Scope

The application should be able to support the following requirements.

  • Users should be able to upload photos and view the photos they have uploaded.
  • Users should be able to follow other users.
  • Users can view feeds containing posts from the users they follow.
  • Users should be able to like and comment on posts.

Out of Scope

The truth about Linux true and false commands

True and false are common concepts in all forms of computing. They’re critical to Boolean logic after all, but did you know that true and false are also commands on Linux? Do you know how to use them?

The simplest explanation is that the true command generates an exit code of 0 and that the false command generates an exit code of 1. This explanation, however, doesn’t provide much detail on how these commands can best be used.

In this post, we’ll look at how the true and false commands work and how you might put them to use on the command line or in your scripts.
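The script-level uses the article alludes to, as an added example that is not part of the original article: exit codes of true and false, the `|| true` idiom under `set -e`, a "true"/"false" string executed as a condition, `true` as a loop condition, and a predicate that reports via exit status. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: idiomatic uses of the
# true and false commands in scripts. Results come back as exit statuses
# or printed strings.

# `true` always exits 0, `false` always exits 1; capture that without
# tripping `set -e` (the `&&`/`||` list shields the failing command).
exit_code_of() { "$@" && echo 0 || echo $?; }

# `|| true` lets a command that legitimately fails (grep exits 1 on no
# match) pass under `set -e` without aborting the whole script.
grep_or_empty() { grep -- "$1" || true; }

# A variable holding the word "true" or "false" is itself a command, so it
# can be the condition of `if` directly; no string comparison needed.
log_if() { if "$1"; then echo "debug: $2"; fi; }

# `true` as the condition of a loop that ends via an explicit `break`.
count_to() {
  n=0
  while true; do
    n=$((n + 1))
    [ "$n" -ge "$1" ] && break
  done
  echo "$n"
}

# A predicate that reports through its exit status (true/false), the same
# convention `test`/`[` use, so callers can write `if is_port "$p"; then`.
is_port() {
  case "$1" in
    ''|*[!0-9]*) false ;;
    *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
  esac
}
```

Note that `:` is a builtin equivalent to `true` and is what you usually see as a no-op placeholder in an empty `then` branch; the named `true` reads better when the intent is "this condition is always satisfied", as in the loop above.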

Former R&D Engineer Wins Round 2 of Project Jengo, and Cloudflare Wins at the Patent Office

The classic children’s fairy tale The Three Billy Goats Gruff tells the story of three goats trying to cross a bridge to a field of yummy grass, despite the monstrous troll that lives underneath the bridge and threatens to eat them. To beat the troll, the goats played on his greed and crossed the bridge in order from smallest to largest, holding the troll at bay each time with the promise of a larger meal if he waited for the next goat to follow. In the end, the troll passed on attacking the smaller goats and was left to do battle with the largest goat, who defeated the troll, tossed him off the bridge, and watched him float downstream. The goats were then able to enjoy the yummy grass, troll-free. In our fight against Sable Networks (a patent troll), we plan on being that third goat, and our recent wins suggest we might be on track to do just that.

$10,000 to our second round of Project Jengo winner!

We started Project Jengo 2 last year as a prior art search contest, so we could enlist your help in the battle against Sable Networks. We committed Continue reading

Just Out: netsim-tools Release 1.1

New Year break was probably my busiest time (programming-wise) in years. Jeroen van Bemmel continued generating great ideas (and writing code and device configuration templates), and I found myself saying, “why not, let’s do the right thing!” more often than I expected. In parallel, Stefano Sasso fixed configuration templates for Junos, Mikrotik Router OS, and VyOS, and we were good to go.

To give you an idea of how fast we were moving: issue #84 was created on December 22nd, Sunday’s pull request that pushed release 1.1 into the master branch was #135 (GitHub numbers everything you do sequentially).

Starting with release 1.3, we renamed netsim-tools to netlab.

2021 IT Blog Awards finalist!

IT Blog Awards Finalist 2021

I have the honor of having my blog selected as a finalist in the 2021 IT Blog Awards, hosted by Cisco. It is a privilege and a great joy for me to have my blog selected for the fourth consecutive year! Congratulations also to all of the other finalists, who all produce great and valuable content! Click here to vote and choose the winner of the 2021 IT Blog Awards. If you want to vote for my blog, you can find it under: “Let’s talk about Network“, thank you in advance…

The post 2021 IT Blog Awards finalist! appeared first on AboutNetworks.net.

Keeping up with the Pepelnjakˢ — OSPF over unnumbered interfaces for SROS

Running OSPF over unnumbered interfaces using SROS and Containerlab

Another week, another Netsim-Tools release 😩 One would think that a “reduced scope of activities” and Irena leaving would slow things down, but… The “s” (exponential) in the title reflects my suspicion that Ivan has somehow managed to clone himself, or perhaps we are seeing the outputs of an as-yet unnamed team of collaborators publishing in his name. Either way, things are crazy hot and changing on a daily basis, the “bleeding edge” of network automation indeed.

OSPF over unnumbered interfaces

This morning Ivan published a blog post about OSPF over unnumbered interfaces. The topology for that article can be found here; observant readers will quickly notice a problem with it, but we can easily fix that:

netlab up -d sros -p clab

That is, bring up the same topology, but use Nokia SR-OS devices and Containerlab instead of the defaults.

Topology with removed unnumbered multi-access link

As Ivan explains in his article, OSPF doesn’t work over unnumbered multi-access links, and so Netsim-Tools complains and stops you from wasting more time.

After the nodes boot (and adding support for OVS bridges), we Continue reading

Latest 5G specs highlight IoT support, better spectrum efficiency

The latest 5G technical specifications from an overarching standards organization set a roadmap for development that addresses streamlined IoT support, AI/machine learning, and more efficient use of wireless spectrum.

The 3rd Generation Partnership Project (3GPP), a group of seven organizations developing telecom standards, has issued Release 18 of the specs on both 5G systems architecture and radio access networks.

“This is deciding on which project the 3GPP ecosystem is going to work on, and how far the scope of each project needs to go,” said Qualcomm senior director of technical marketing Danny Tseng. Qualcomm is a member of 3GPP and an important contributor to 5G development.

Tech Bytes: Embracing Policy-Driven Networks To Support Hybrid Work (Sponsored)

Today on the Tech Byte podcast we discuss redefining networks and policy in today’s hybrid world–that is, a network that needs to be available anywhere, anytime, anyhow, and any way. Aruba is our sponsor and we’re joined by James Robertson, CTO Advisor and Technology Strategist in the Office of the CTO.

The post Tech Bytes: Embracing Policy-Driven Networks To Support Hybrid Work (Sponsored) appeared first on Packet Pushers.