12 posts tagged with "aws"

Managing cloud deployments and IaC pipelines can be challenging. I’ve put together a simple pattern for deploying stacks in AWS using CloudFormation templates using GitLab CI.

This deployment framework enables you to target different environments based upon refs (branches or tags) for instance deploy to a dev environment for a push or merge into develop and deploy to prod on a push or merge into main, otherwise just lint/validate (e.g., for a push to a non-protected feature branch). Templates are uploaded to a designated S3 bucket and staged for use in the pipeline and can be retained as an additional audit trail (in addition to the GitLab project history).

Furthermore, you can review changes (by inspecting change set contents) before deploying, saving you from fat finger deployments 😊.

How it works​

The logic is described here:

@startuml

partition prepare {
  (*) --> === S1 ===
  === S1 === --> "Validate Template"
  --> === S2 ===
  === S1 === --> "Check Stack State"
  --> === S2 ===
}

partition publish {
  --> "Publish Template to S3"
}

partition plan {
  --> "Stack Exists?"
  --> === S3 ===
  === S3 === --> [Yes] "Create Change Set"
  === S3 === --> [No] === S4 ===
  "Create Change Set" --> === S4 ===
}

partition deploy {
  --> "MANUAL: Review Changes"
  --> "Deploy Change Set"
}

-->(*)

@enduml

The pipleline looks like this in GitLab:

Prerequisites​

You will need to set up GitLab CI variables for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and optionally AWS_DEFAULT_REGION. You can do this via Settings -> CI/CD -> Variables in your GitLab project. As AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are secrets, they should be configured as protected (as they are only required for protected branches) and masked so they are not printed in job logs.

.gitlab-ci.yml code​

The GitLab CI code is shown here:

Reviewing change sets (plans) and applying​

Once a pipeline is triggered for an existing stack it will run hands off until a change set (plan) is created. You can inspect the plan by clicking on the Plan GitLab CI job where you would see output like this:

If you are OK with the changes proposed, you can simply hit the play button on the last stage of the pipeline (Deploy). Voilà, stack deployed, enjoy!

if you have enjoyed this post, please consider buying me a coffee ☕ to help me keep writing!

Following on from the recent post GCP Templates for C4 Diagrams using PlantUML, cloud architects are often challenged with producing diagrams for architectures spanning multiple cloud providers, particularly as you elevate to enterprise level diagrams.

In this post, with the magic of !includeurl we have brought PlantUML template libraries together for AWS, Azure and GCP icon sets, allowing us to produce multi cloud C4 diagrams using PlantUML like this one:

Creating a multi cloud diagram is simple, start by adding the following include statements after the @startuml label in a new PlantUML C4 diagram:

Then add references to the required services from different providers…

Then include the predefined resources from your different cloud providers in your diagram as shown here (describing a client server application over a cloud to cloud VPN between Azure and GCP)...

Happy multi-cloud diagramming!

Full source code is available at:

https://github.com/gamma-data/plantuml-multi-cloud-diagrams

if you have enjoyed this post, please consider buying me a coffee ☕ to help me keep writing!

There are many posts available which map analogous services between the different cloud providers, but this post attempts to go a step further and map additional concepts, terms, and configuration options to be the definitive thesaurus for cloud practitioners familiar with AWS looking to fast track their familiarisation with GCP.

It should be noted that AWS and GCP are fundamentally different platforms, nowhere is this more apparent than in the way networking is implemented between the two providers, see: GCP Networking for AWS Professionals

This post is focused on the core infrastructure, networking and security services offered by the two major cloud providers, I will do a future post on higher level services such as the ML/AI offerings from the respective providers.

Furthermore this will be a living post which I will continue to update, I encourage comments from readers on additional mappings which I will incorporate into the post as well.

I have broken this down into sections based upon the layout of the AWS Console.

• Compute
• Storage
• Database
• Networking & Content Delivery
• Security, Identity, & Compliance

Compute​

EC2 (Elastic Compute Cloud)	GCE (Google Compute Engine)
Availability Zone	Zone
Instance	VM Instance
Instance Family	Machine Family
Instance Type	Machine Type
Amazon Machine Image (AMI)	Image
IAM Role (for an EC2 Instance)	Service Account
Security Groups	VPC Firewall Rules (ALLOW)
Tag	Label
Termination Protection	Deletion Protection
Reserved Instances	Committed Use Discounts
Capacity Reservation	Reservation
User Data	Startup Script
Spot Instances	Preemptible VMs
Dedicated Instances	Sole Tenancy
EBS Volume	Persistent Disk
Auto Scaling Group	Managed Instance Group
Launch Configuration	Instance Template
ELB Listener	URL Map (Load Balancer)
ELB Target Group	Backend/ Instance Group
Instance Storage (ephemeral)	Local SSDs
EBS Snapshots	Snapshots
Keypair	SSH Keys
Elastic IP	External IP
Lambda	Google Cloud Functions
Elastic Beanstalk	Google App Engine
Elastic Container Registry (ECR)	Google Container Registry (GCR)
Elastic Container Service (ECS)	Google Kubernetes Engine (GKE)
Elastic Kubernetes Service (EKS)	Google Kubernetes Engine (GKE)
AWS Fargate	Cloud Run
AWS Service Quotas	Allocation Quotas
Account (within an Organisation)†	Project
Region	Region
AWS Cloud​Formation	Cloud Deployment Manager

Storage​

Simple Storage Service (S3)	Google Cloud Storage (GCS)
Standard Storage Class	Standard Storage Class
Infrequent Access Storage Class	Nearline Storage Class
Amazon Glacier	Coldline Storage Class
Lifecycle Policy	Retention Policy
Tags	Labels
Snowball	Transfer Appliance
Requester Pays	Requester Pays
Region	Location Type/Location
Object Lock	Hold
Vault Lock (Glacier)	Bucket Lock
Multi Part Upload	Parallel Composite Transfer
Cross-Origin Resource Sharing (CORS)	Cross-Origin Resource Sharing (CORS)
Static Website Hosting	Bucket Website Configuration
S3 Access Points	VPC Service Controls
Object Notifications	Pub/Sub Notifications for Cloud Storage
Presigned URL	Signed URL
Transfer Acceleration	Storage Transfer Service
Elastic File System (EFS)	Cloud Filestore
AWS DataSync	Transfer Service for on-premises data
ETag	ETag
Bucket	Bucket
aws s3	gsutil

Database​

Relational Database Service (RDS)	Cloud SQL
DynamoDB	Cloud Datastore
ElastiCache	Cloud Memorystore
Table (DynamoDB)	Kind (Cloud Datastore)
Item (DynamoDB)	Entity (Cloud Datastore)
Partition Key (DynamoDB)	Key (Cloud Datastore)
Attributes (DynamoDB)	Properties (Cloud Datastore)
Local Secondary Index (DynamoDB)	Composite Index (Cloud Datastore)
Elastic Map Reduce (EMR)	Cloud DataProc
Athena	Big Query
AWS Glue	Cloud DataFlow
Glue Catalog	Data Catalog
Amazon Simple Notification Service (SNS)	Cloud PubSub (push subscription)
Amazon Kinesis	Cloud PubSub
Amazon Simple Queue Service (SQS)	Cloud PubSub (poll and pull mode)

Networking & Content Delivery​

Virtual Private Cloud (VPC) (Regional)	VPC Network (Global or Regional)
Subnet (Zonal)	Subnet (Regional)
Route Tables	Routes
Network ACLs (NACLS)	VPC Firewall Rules (ALLOW or DENY)
CloudFront	Cloud CDN
Route 53	Cloud DNS/Google Domains
Direct Connect	Dedicated (or Partner) Interconnect
Virtual Private Network (VPN)	Cloud VPN
AWS PrivateLink	Google Private Access
NAT Gateway	Cloud NAT
Elastic Load Balancer	Load Balancer
AWS WAF	Cloud Armour
VPC Peering Connection	VPC Network Peering
Amazon API Gateway	Apigee API Gateway
Amazon API Gateway	Cloud Endpoints

Security, Identity, & Compliance​

Root Account	Super Admin
IAM User	Member
IAM Policy	Role (Collection of Permissions)
IAM Policy Attachment	IAM Role Binding (or IAM Binding)
Key Management Service (KMS)	Cloud KMS
CloudHSM	Cloud HSM
Amazon Inspector (agent based)	Cloud Security Scanner (scan based)
AWS Security Hub	Cloud Security Command Center (SCC)
Secrets Manager	Secret Manager
Amazon Macie	Cloud Data Loss Prevention (DLP)
AWS WAF	Cloud Armour
AWS Shield	Cloud Armour

† No direct equivalent, this is the closest equivalent

if you have enjoyed this post, please consider buying me a coffee ☕ to help me keep writing!

One you get beyond the Associate level AWS certification exams into the Professional or Speciality track exams the degree of difficulty rises significantly. As a veteran of the Certified Solutions Architect Professional and Big Data Specialty exams, I thought I would share my experiences which I believe are applicable to all the certification streams and tracks in the AWS certification program.

First off let me say that I am a self-professed certification addict, having sat more than thirty technical certification exams over my thirty plus year career in technology including certification and re-certification exams. I would put the AWS professional and specialty exams right up there in terms of their level of difficulty.

The AWS Professional and Specialty exams are specifically designed to be challenging. Although they have removed the pre-requisites for these exams (much to my dismay…), you really need to be prepared for these exams otherwise you are throwing your hard-earned money away.

There are very few - if any - “easy” questions. All of the questions are scenario based and require you to design a solution to meet multiple requirements. The question and/or the correct answer will invariably involve the use of multiple AWS services (not just one). You will be tested on your reading comprehension, time management and ability to cope under pressure as well as being tested on your knowledge of the AWS platform.

The following sections provide some general tips which will help you approach the exam and give you the best chance of success on the day. This is not a brain dump or a substitute for the hard work and dedication required to ensure success on your exam day.

Time Management​

Needless to say, your ability to manage time is critical, on average you will have approximately 2-3 minutes to answer each question. Reading the questions and answers carefully may take up 1-2 minutes on its own. If the answer is not apparent to you, you are best to mark the question and come back to it at the end of the exam.

In many cases there may be subsequent questions and answer sets which jog your memory or help you deduce the correct answers to the questions you initial passed on. For instance, you may see references in future questions which put context around services you may not be completely familiar with, this may enable you to answer flagged questions with more confidence.

Of course, you must answer all questions before completing the exam, there are no points for incomplete or unattempted answers.

Recommended Approach to each Question​

Most of the questions on the Professional or Specialty certification exams fall into one of three categories:

• Short-ish question, multiple long detailed answer options
• Long-ish scenario question, multiple relatively short answer options
• Long-ish question with multiple relatively long, detailed answers

The latter scenario is thankfully less common. However, in all cases it is important to read the last sentence in the question first, this will provide indicators to help you read through the question in its entirety and all of the possible answers with a clear understanding of what is “really” being asked. For instance, the operative phrase may be “highly available” or “most cost effective”.

Try to eliminate answers based on what you know, for instance answers with erroneous instance families can be eliminated immediately. This will give you a much better statistical chance of success, even if you have to venture an educated guess in the end.

The Most Complicated Solution is Probably Not the Correct One​

In many answer sets to questions on the Professional or Specialty exams you will see some ridiculously complicated solution approaches, these are most often incorrect answers. Although there may be enough loosely relevant terminology or services to appear reasonable.

Note the following statement direct from the AWS Certified Solutions Architect Professional Exam Blueprint:

“Distractors, or incorrect answers, are response options that an examinee with incomplete knowledge or skill would likely choose. However, they are generally plausible responses that fit in the content area defined by the test objective.”

AWS wants professionals who design and implement solutions which are simple, sustainable, highly available, scalable and cost effective. One of the key Amazon Leadership Principles is “Invent and Simplify”, simplify is often the operative word.

Don’t spend time on dumps or practice exams (other than those from AWS)​

The question pools for AWS exams are enormous, the chances of you getting the same questions and answer sets as someone else are slim. Furthermore, non-AWS sources may not be trustworthy. There is no substitute to AWS white papers, how to’s, and real-life application of your learnings.

Don’t focus on Service Limits or Calculations​

In my experiences with AWS exams, they are not overly concerned with service limits, default values, formulas (e.g. the formula to calculate required partitions for a DynamoDB table) or syntax - so don’t waste time remembering them. You should however understand the 7 layer OSI model and be able to read and interpret CIDR notation.

Mainly, however, they want you to understand how services work together in an AWS solution to achieve an outcome for a customer.

Some Final Words of Advice​

Always do what you think AWS would want you to do! 

It is worthwhile having a quick look at the AWS Leadership Principles (I have already referenced one of these in this article) as these are applied religiously in every aspect of the AWS business.  In particular, you should pay specific attention to the principals around simplicity and frugality.

Good luck!

if you have enjoyed this post, please consider buying me a coffee ☕ to help me keep writing!

GCP and AWS share many similarities, they both provide similar services and both leverage containerization, virtualization and software defined networking.

There are some significant differences when it comes to their respective implementations, networking is a key example of this.

Before we compare and contrast the two different approaches to networking, it is worthwhile noting the genesis of the two major cloud providers.

Google was born to be global, Amazon became global​

By no means am I suggesting that Amazon didn't have designs on going global from it's beginnings, but AWS was driven (entirely at the beginning) by the needs of the Amazon eCommerce business. Amazon started in the US before expanding into other regions (such as Europe and Australia). In some cases the expansion took decades (Amazon only entered Australia as a retailer in 2018).

Google, by contrast, was providing application, search and marketing services worldwide from its very beginning. GCP which was used as the vector to deliver these services and applications was architected around this global model, even though their actual data centre expansion may not have been as rapid as AWS’s (for example GCP opened its Australia region 5 years after AWS).

Their respective networking implementations reflect how their respective companies evolved.

AWS is a leader in IaaS, GCP is a leader in PaaS​

This is only an opinion and may be argued, however if you look at the chronology of the two platforms, consider this:

• The first services released by AWS (simultaneously for all intents and purposes) were S3, SQS and EC2
• The first service released by Google was AppEngine (a pure PaaS offering)

Google has launched and matured their IaaS offerings since as AWS has done similarly with their PaaS offerings, but they started from much different places.

With all of that said, here are the key differences when it comes to networking between the two major cloud providers:

GCP VPCs are Global by default, AWS VPCs are Regional only​

This is the first fundamental difference between the two providers. Each GCP project is allocated one VPC network with Subnets in each of the 18 GCP Regions. Whereas each AWS Account is allocated one Default VPC in each AWS Region with a Subnet in each AWS Availability Zone for that Region, that is each account has 17 VPCs in each of the 17 Regions (excluding GovCloud regions).

It is entirely possible to create VPCs in GCP which are Regional, but they are Global by default.

This global tenancy can be advantageous in many cases, but can be limiting in others, for instance there is a limit of 25 peering connections to any one VPC, the limit in AWS is 125.

GCP Subnets are Regional, AWS Subnets are Zonal​

Subnets in GCP automatically span all Zones in a Region, whereas AWS VPC Subnets are assigned to Availability Zones in a Region. This means you are abstracted from some of the networking and zonal complexity, but you have less control over specific network placement of instances and endpoints. You can infer from this design that Zones are replicated or synchronised within a Region, making them less of a direct consideration for High Availability (or at least as much or your concern as they otherwise would be).

All GCP Firewall Rules are Stateful​

AWS Security Groups are stateful firewall rules – meaning they maintain connection state for inbound connections, AWS also has Network ACLs (NACLs) which are stateless firewall rules. GCP has no direct equivalent of NACLs, however GCP Firewall Rules are more configurable than their AWS counterparts. For instance, GCP Firewall Rules can include Deny actions which is not an option with AWS Security Group Rules.

Load Balancers in GCP are layer 4 (TCP/UDP) unless they are public facing​

AWS Application Load Balancers can be deployed in private VPCs with no external IPs attached to them. GCP has Application Load Balancers (Layer 7 load balancers) but only for public facing applications, internal facing load balancers in GCP are Network Load Balancers. This presents some challenges with application level load balancing functionality such as stickiness. There are potential workarounds however such as NGINX in GKE behind

Firewall rules are at the Network Level not at the Instance or Service Level​

There are simple firewall settings available at the instance level, these are limited to allowing HTTP and HTTPS traffic to the instance only and don’t allow you to specify sources. Detailed Firewall Rules are set at the GCP VPC Network level and are not attached or associated with instances as they are in AWS.

Hopefully this is helpful for AWS engineers and architects being exposed to GCP for the first time!

if you have enjoyed this post, please consider buying me a coffee ☕ to help me keep writing!