Nadeem Lughmani created an excellent solution for the Securing Your Cloud Deployment hands-on exercise in our public cloud online course. His Terraform-based solution includes: …
Compromising a pod in a Kubernetes cluster can have disastrous consequences for resources in an AWS account running Elastic Kubernetes Service (EKS) if access to the Instance Metadata service is not explicitly blocked. The Instance Metadata service (IMDS) is an AWS API listening on the link-local IP address 169.254.169.254. It is reachable only from inside an EC2 instance, and it returns metadata used to configure or manage that instance. Although instance metadata and user data can only be read from within the instance itself, the data is not protected by authentication or cryptographic methods unless IMDSv2 session tokens are required; and because pods run on the instance, every pod on a worker node can reach the address too.
A recent blog described a scenario where an attacker compromised a pod in an EKS cluster by exploiting a vulnerability in the web application it was running, thus enabling the attacker to enumerate resources in the cluster and in the associated AWS account. This scenario was simulated by running a pod and attaching to a shell inside it.
By querying the Instance Metadata service from the compromised pod, the attacker was able to retrieve temporary credentials for the identity and access management (IAM) role assigned to the EC2 instances acting as Kubernetes worker nodes. At that point, the attacker was able to pursue multiple exploits, …
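The sequence described above, as an added example that is not code from the post it illustrates: first the unauthenticated IMDSv1 requests a compromised pod can issue to obtain the worker node's IAM role credentials, then an audit over `aws ec2 describe-instances`-style output that flags nodes where that path is still open. The live HTTP fetcher only works on an EC2 instance; the IMDS responses and the instance list embedded below are constructed, and the names `http_fetch`, `fake_fetch`, `steal_node_role_creds` and `audit_metadata_options` are choices made for this example.

```python
"""
Added example (not the post's code): attacker's IMDSv1 credential grab from a
pod, and a defender's audit of EC2 metadata options. Sample data is constructed.
"""
import json
from typing import Callable, Dict, List
from urllib.request import urlopen

IMDS = "http://169.254.169.254"   # link-local IMDS address, reachable from any pod on the node
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

Fetcher = Callable[[str], str]


def http_fetch(url: str) -> str:
    """Plain GET with no token header, i.e. an IMDSv1 request (works only on EC2)."""
    with urlopen(url, timeout=2) as resp:
        return resp.read().decode()


def steal_node_role_creds(fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """
    Attacker's view: list the role attached to the node, then read its
    temporary credentials. Nothing here authenticates the caller; network
    reachability of 169.254.169.254 is the only control.
    """
    role = fetch(IMDS + CREDS_PATH).strip().splitlines()[0]
    creds = json.loads(fetch(IMDS + CREDS_PATH + role))
    return {"role": role, "AccessKeyId": creds["AccessKeyId"],
            "SecretAccessKey": creds["SecretAccessKey"], "Token": creds["Token"],
            "Expiration": creds["Expiration"]}


# Constructed IMDS responses, shaped like the real ones, so this runs offline.
SAMPLE_IMDS = {
    IMDS + CREDS_PATH: "eks-worker-node-role\n",
    IMDS + CREDS_PATH + "eks-worker-node-role": json.dumps({
        "Code": "Success", "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret-example",
        "Token": "session-token-example", "Expiration": "2020-09-02T12:00:00Z",
    }),
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for http_fetch backed by the constructed responses."""
    return SAMPLE_IMDS[url]


def audit_metadata_options(instances: List[dict]) -> List[dict]:
    """
    Defender's view: flag instances whose MetadataOptions still allow the
    sequence above. `HttpTokens: required` turns off IMDSv1; a PUT response
    hop limit of 1 stops IMDSv2 session tokens from reaching pods that run in
    their own network namespace (one extra hop). Together they close the hole
    at the node even before a NetworkPolicy blocks 169.254.169.254.
    """
    findings = []
    for inst in instances:
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint", "enabled") == "disabled":
            continue  # no IMDS at all: nothing to steal
        problems = []
        if opts.get("HttpTokens", "optional") != "required":
            problems.append("IMDSv1 allowed (HttpTokens is not 'required')")
        if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
            problems.append("HttpPutResponseHopLimit > 1 lets pods obtain IMDSv2 tokens")
        if problems:
            findings.append({
                "InstanceId": inst["InstanceId"],
                "problems": problems,
                "fix": ("aws ec2 modify-instance-metadata-options "
                        f"--instance-id {inst['InstanceId']} "
                        "--http-tokens required --http-put-response-hop-limit 1"),
            })
    return findings


# Constructed describe-instances excerpt: one hardened node, one default node.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0hardened", "MetadataOptions": {"HttpEndpoint": "enabled",
     "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0default", "MetadataOptions": {"HttpEndpoint": "enabled",
     "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
]

if __name__ == "__main__":
    print(steal_node_role_creds(fake_fetch))
    for f in audit_metadata_options(SAMPLE_INSTANCES):
        print(f["InstanceId"], f["problems"], f["fix"])
```

Enforcing IMDSv2 with a hop limit of 1 on the node group is the cheapest fix; a Kubernetes NetworkPolicy or host firewall rule denying pod egress to 169.254.169.254 is the explicit block the post recommends, and the two are complementary rather than alternatives.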
If you read The Next Platform, you probably love hardware and there are probably two reasons for that. …
Adding ML To Legacy Applications Without The Learning Curve was written by Nicole Hemsoth at The Next Platform.
Docker and GitHub continue to work together to make life easier for developers. GitHub today announced a new container registry: GitHub Container Registry. GitHub and Docker are both essential components of the developer workflow for building and deploying cloud native applications, so we thought we would provide some insight into how the new tooling benefits developers.

Found at ghcr.io, the new GitHub registry adds support for anonymous pulls and decouples git repository permissions from container registry permissions. This allows projects to have private git repositories with a public container registry, or vice versa. Other features like OCI compliance, Helm charts, and support for GITHUB_TOKEN are expected later.
The GitHub Container Registry was built with Docker in mind so your Docker Engines and Docker Desktops will seamlessly work with this new registry. Let’s take a look at this in action over at our upcoming Docker Login GitHub Action:
name: ci
on:
  push:
    branches: master
jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Login to GitHub Package Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GHCR_TOKEN }}
That is all you need to do. When …
Google fascinates network engineers because of the sheer scale of their operations, and their obvious influence over the way networks are built and operated. In this episode of the History of Networking, Richard Hay joins Donald Sharp and Russ White to talk about some past designs and stories of failure and success in one of the world’s largest operating networks.
Last week we brought you The Next Database Platform live event and now we are providing most sessions from the full recording below. …
The Next Database Platform (Full Recording Available) was written by Nicole Hemsoth at The Next Platform.
Microsoft Azure is one of the most popular cloud providers in the world, and a natural fit for database hosting for applications that already run on Microsoft infrastructure. MySQL is the number one open source database and is commonly hosted on Azure instances. While Microsoft offers its own Azure Database product, there are alternatives that may help you improve your MySQL performance. In this blog post, we compare Azure Database for MySQL with ScaleGrid MySQL on Azure so you can see which provider offers the best throughput and latency. Latency is reported as 95th percentile latency in milliseconds.

Your team members are probably not just working from home - they may be working from different regions or countries. The flexibility of remote work gives employees a chance to work from the towns where they grew up or countries they always wanted to visit. However, that distribution also presents compliance challenges.
Depending on your industry, keeping data inside of certain regions can be a compliance or regulatory requirement. You might require employees to connect from certain countries or exclude entire countries altogether from your corporate systems.
When we worked in physical offices, keeping data inside of a country was easy. All of your users connecting to an application from that office were, of course, in that country. Remote work changed that and teams had to scramble to find a way to keep people productive from anywhere, which often led to sacrifices in terms of compliance. Starting today, you can make geography-based compliance easy again in Cloudflare Access with just two clicks.
You can now build rules that require employees to connect from certain countries. You can also add rules that block team members from connecting from other countries. This feature works with any identity provider you have configured and requires no …
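How a country requirement and a country block combine with the usual identity rules, as an added example that is not Cloudflare's code: the Include / Exclude / Require rule groups mirror the Access policy builder, while the evaluation order used here (an Exclude match always denies, every Require must hold, at least one Include must match, policies are checked in listed order, and nothing matching is denied) is an assumption chosen to follow that builder's documented semantics. Country codes are ISO 3166-1 alpha-2 as produced by IP geolocation; the policy set and the requests below are constructed.

```python
"""
Added example (not Cloudflare's code): a small model of Access-style policy
evaluation with country rules. Policy set and requests are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class AccessRequest:
    email: str
    country: str                  # derived from the connecting IP, not user-supplied
    groups: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    selector: str                 # "email_domain" | "country" | "group" | "everyone"
    value: str = ""

    def matches(self, req: AccessRequest) -> bool:
        if self.selector == "everyone":
            return True
        if self.selector == "email_domain":
            return req.email.lower().endswith("@" + self.value.lower())
        if self.selector == "country":
            return req.country.upper() == self.value.upper()
        if self.selector == "group":
            return self.value in req.groups
        raise ValueError(f"unknown selector {self.selector!r}")


@dataclass
class Policy:
    name: str
    decision: str                 # "allow" | "block"
    include: List[Rule]
    exclude: List[Rule] = field(default_factory=list)
    require: List[Rule] = field(default_factory=list)

    def applies(self, req: AccessRequest) -> bool:
        # Assumed order: any Exclude match wins, then all Requires, then any Include.
        if any(r.matches(req) for r in self.exclude):
            return False
        if not all(r.matches(req) for r in self.require):
            return False
        return any(r.matches(req) for r in self.include)


def evaluate(policies: List[Policy], req: AccessRequest) -> Tuple[str, str]:
    """First policy whose rule groups apply decides; no match means deny."""
    for p in policies:
        if p.applies(req):
            return p.decision, p.name
    return "block", "default-deny"


# Constructed policy set: a geo-block first, then a data-residency allow rule.
POLICIES = [
    Policy("block-embargoed", "block",
           include=[Rule("country", "KP"), Rule("country", "IR")]),
    Policy("finance-in-region", "allow",
           include=[Rule("group", "finance")],
           require=[Rule("email_domain", "example.com"),
                    Rule("country", "DE")],          # finance data must stay in-region
           exclude=[Rule("group", "interns")]),
]

if __name__ == "__main__":
    for req in [AccessRequest("alice@example.com", "DE", {"finance"}),
                AccessRequest("alice@example.com", "FR", {"finance"}),
                AccessRequest("bob@example.com", "KP", {"finance"})]:
        print(req.country, evaluate(POLICIES, req))
```

The block policy is listed first on purpose: with first-match evaluation, an allow rule that appears earlier would otherwise let a finance user through from an embargoed country if a later rule only blocked it. Geolocation is also coarse, so treat the country rule as a compliance control on where data is served, not as proof of where a person is.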
Last week I published an overview of how complex (networking-wise) Docker Swarm services can get. This time let’s focus on something that should have been way simpler: running container-based services on a single Linux host.
In the first part of this article I’m focusing on the basics, including exposed ports, and published ports. The behind-the-scenes details are coming in a week or so; in the meantime you can enjoy (most of them) in the Docker Networking Deep Dive webinar.
In this post we're going to write a Python program that generates a DSCP-to-ToS conversion table while avoiding hardcoded values as much as possible. We will then save the final table to a CSV file with pre-defined column headers.
I got the idea for this blog article from a tweet posted the other day by Nick Russo. I thought it was an interesting problem to tackle, as similar ones pop up all the time during the early stages of a Network Automation journey. What makes this challenge great is that it requires us to carry out tasks that also apply to writing larger programs.
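One way to build that table without typing in the 64 rows, as an added example that is not the post's own program: DSCP is the upper six bits of the 8-bit ToS / Traffic Class byte, so ToS = DSCP << 2 and the IP precedence is DSCP >> 3. The well-known names are derived from their definitions rather than listed: CSx = 8x (RFC 2474), AFxy = 8x + 2y (RFC 2597), EF = 46 (RFC 3246) and VA = 44 (RFC 5865). The column headers and the output file name `dscp_tos.csv` are choices made for this example.

```python
"""
Added example (not the post's code): derive the DSCP -> ToS table from the
bit layout and the RFC formulas, then emit it as CSV.
"""
import csv
import io
from typing import Dict, List

HEADERS = ["DSCP", "Name", "DSCP binary", "Precedence", "ToS", "ToS hex", "ToS binary"]


def dscp_names() -> Dict[int, str]:
    """Well-known code points computed from their definitions, not hardcoded."""
    names = {8 * x: f"CS{x}" for x in range(8)}        # class selectors CS0..CS7
    for klass in range(1, 5):                           # assured forwarding AF1x..AF4x
        for drop in range(1, 4):                        # low / medium / high drop precedence
            names[8 * klass + 2 * drop] = f"AF{klass}{drop}"
    names[44] = "VA"                                    # voice admit
    names[46] = "EF"                                    # expedited forwarding
    return names


def build_table() -> List[Dict[str, object]]:
    """One row per DSCP value 0..63; ToS is the DSCP shifted into the top 6 bits."""
    names = dscp_names()
    rows = []
    for dscp in range(64):
        tos = dscp << 2
        rows.append({
            "DSCP": dscp,
            "Name": names.get(dscp, ""),
            "DSCP binary": f"{dscp:06b}",
            "Precedence": dscp >> 3,                    # legacy IP precedence = top 3 bits
            "ToS": tos,
            "ToS hex": f"0x{tos:02x}",
            "ToS binary": f"{tos:08b}",
        })
    return rows


def table_to_csv(rows: List[Dict[str, object]]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADERS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def tos_to_dscp(tos: int) -> int:
    """Reverse mapping for a ToS byte seen in a capture; the two ECN bits are dropped."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte out of range")
    return tos >> 2


def lookup(name: str) -> int:
    """Name -> DSCP, so callers can say 'EF' or 'AF41' instead of 46 or 34."""
    inverse = {v: k for k, v in dscp_names().items()}
    return inverse[name.upper()]


if __name__ == "__main__":
    rows = build_table()
    with open("dscp_tos.csv", "w", newline="") as fh:
        fh.write(table_to_csv(rows))
    print(f"wrote {len(rows)} rows; EF -> ToS {rows[lookup('EF')]['ToS hex']}")
```

Keeping the derivation in `dscp_names` means a new code point is a one-line change, and `tos_to_dscp` masks off the ECN bits so a captured value such as 0xba still resolves to EF.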
This year, we are adapting our signature automation event, AnsibleFest, into a free virtual experience to connect our communities with a wider audience and to collaborate to solve problems. Seasoned pros and brand new Ansiblings alike can find answers and guidance for Red Hat Ansible Automation Platform, the enterprise solution for building and operating automation at scale. We’re giving our attendees an inside peek into exactly what to expect from each channel. Let’s take a closer look at what is to come from the network channel at AnsibleFest 2020.
Network Automation at AnsibleFest
Gone are the days of hand-typing commands into network devices one by one. Manage your network infrastructure using Ansible throughout the entire development and production life cycle. This AnsibleFest channel focuses on network automation topics ranging from module and Collection development to playbook writing, and is geared towards network and cloud engineers and operators. The channel has a good mix of community members, customers, partners and Red Hatters, and aims to provide something for everyone.
Attendees will learn that network automation can no longer be a "point tool", but must instead be part of a holistic automation strategy that spans IT teams. Although Ansible was built as a DIY tool, it needs …