A big part of my work lately has been describing, tracking and managing the risk involved with moving data from the traditional datacentre with its firewalled perimeter to public cloud. The NIST Cyber Security Framework was useful as a way of grouping and classifying risks.
https://www.slideshare.net/AlexMagnay/risk-management-for-public-cloud-projects
Amazon invited me to record a segment in the AWS Architecture series. This was a fun afternoon in their studio.
While hunting for some Hyper-V videos, I came across recorded sessions from the 4th Nordic Infrastructure Conference. No sales pitches, only some great talks from field hardened consultants. The sessions are focused on Enterprise Infrastructure (Microsoft Windows Server, System Centre, Azure, PowerShell DSC, Identity Management, Security/hacking).
Session info: http://2015.nicconf.com/sessions
Recorded sessions: https://www.youtube.com/channel/UChu8zqu8d1mjWxNRLlGXUAw
Getting a Direct Connect link to AWS from our colo datacentre was straightforward. Encrypting traffic between colo and AWS via Direct Connect is proving to be more difficult. Although the traffic is logically isolated, we wanted it encrypted as it traverses third-party WAN providers.
This is the best resource I’ve come across so far explaining how to set up a VPN over AWS Direct Connect: https://www.youtube.com/watch?v=SMvom9QjkPk
@SadServer at PuppetConf2015 provides a rather depressing view of the state of IT as a combination of crappy software with more crappy software to manage and monitor the crappy software. But there’s a ray of hope!
https://www.youtube.com/watch?v=TBwW2vTKVy4
I got a message today from our Red Hat account manager to let me know that Microsoft has signed Red Hat’s Certified Cloud Service Provider agreement, meaning that over time they will make available, and be available to host, Red Hat products in Azure.
RHEL will become the premium Enterprise Linux offering in Azure.
This is fantastic news for Red Hat Customers. Previously Azure was not a Red Hat Certified Platform.
Attended “Achieving agility with control in Financial Services on AWS” talk today at AWS Loft London 2015.
The usual AWS slide of company logos was there for “look how many companies use AWS, so it must be safe!”. This list wasn’t tailored to Financial Services (Tinder, really?). There was a bit about Agility focusing on Continuous Integration (CI also known as automated testing) and Continuous Deployment (CD also known as automated deployment).
Terraform is a tool by Hashicorp (who do Vagrant, Packer and other ops tools). You maintain a single configuration file and it trues up your environment, creating and deleting machines, to match the configuration file. Their products are coming together into a cohesive suite. The first part describes the Terraform product.
At 30 mins there’s a description of “DevOps” (that cuts through much of the BS). Basically:
Developers care about:
So it turns out AWS isn’t so Enterprise friendly. If you plan to start using Amazon AWS as an extension to your datacentre, be aware that you had better put everything in one VPC (July 2015).
Systems in peered VPCs are not accessible from the corporate network over AWS VPN or Direct Connect :-(
Be aware of limitations on transiting VPCs (edge-to-edge routing through a peered VPC is not supported) in your cloud networking designs.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#edge-to-edge-vgw
When you get started with Amazon Web Services (AWS) one thing to do early is secure access to the web console. Rather than manage another set of user accounts you can reuse your corporate directory (Microsoft Active Directory) to log in to the AWS console. You use Active Directory Federation Services (ADFS) to do this. Also, if you keep your ADFS server internal, then your AWS console is not accessible from the public Internet.
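The piece of this that tends to go wrong is the claim rules: ADFS has to emit the AWS role attribute (Name `https://aws.amazon.com/SAML/Attributes/Role`) as comma-separated pairs of an IAM role ARN and the IAM SAML provider ARN, plus a `RoleSessionName` attribute, and a typo in either ARN silently leaves the user with no role to assume. As an added example (not from the original post), this parser pulls those claims out of a SAML assertion so you can verify what your claim rules actually produce. The assertion, the account ID 123456789012, the provider name "ADFS" and the role names are all constructed placeholders.

```python
"""Inspect the AWS role claims in a SAML assertion from ADFS.

Added example, not from the original post.  It only reads the claim
values so you can check your ADFS claim rules; signature validation and
role assumption happen at the AWS SAML sign-in endpoint, not here.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed, unsigned assertion fragment with placeholder ARNs.  AWS
# accepts the role/provider pair in either order, so both are shown.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-ReadOnly,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attribute_values(root, name):
    """All AttributeValue texts for the SAML attribute called `name`."""
    values = []
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != name:
            continue
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            values.append((val.text or "").strip())
    return values


def parse_role_claims(assertion_xml):
    """Return [(role_arn, provider_arn), ...] from the AWS Role attribute.

    Raises ValueError for a value that is not exactly one role ARN and
    one saml-provider ARN, which is the usual symptom of a bad claim rule.
    """
    root = ET.fromstring(assertion_xml)
    pairs = []
    for raw in _attribute_values(root, ROLE_ATTR):
        parts = [p.strip() for p in raw.split(",")]
        roles = [p for p in parts if ":role/" in p]
        providers = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
            raise ValueError(f"malformed AWS role claim: {raw!r}")
        pairs.append((roles[0], providers[0]))
    return pairs


def session_name(assertion_xml):
    """The RoleSessionName claim, which AWS records in CloudTrail."""
    root = ET.fromstring(assertion_xml)
    values = _attribute_values(root, SESSION_ATTR)
    if len(values) != 1:
        raise ValueError("expected exactly one RoleSessionName claim")
    return values[0]


def roles_for_provider(assertion_xml, provider_arn):
    """Role ARNs the assertion offers for a given IAM SAML provider ARN.

    Useful to confirm every emitted role references the provider you
    actually created in IAM; roles tied to a different provider ARN will
    not be selectable at sign-in.
    """
    return [role for role, prov in parse_role_claims(assertion_xml)
            if prov == provider_arn]


if __name__ == "__main__":
    print("session:", session_name(SAMPLE_ASSERTION))
    for role, prov in parse_role_claims(SAMPLE_ASSERTION):
        print(f"{role}  via  {prov}")
```

Run it against an assertion captured from a test login (the browser's SAML response is base64 in the `SAMLResponse` form field) to confirm the role list matches the AD group mapping you intended before handing the login URL to users.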