Introduction to Cloud Computing
Cloud Service Model
IaaS (Infrastructure as a Service): Offers pay-as-you-go access to storage, networking, servers, and other computing resources in the cloud
PaaS (Platform as a Service): A service provider offers access to a cloud-based environment in which users can build and deliver applications
SaaS (Software as a Service): A service provider delivers software and applications through the internet
DaaS/DBaaS (Data as a Service/Database as a Service): A service that provides a company’s data product to the user on demand
CaaS (Communications as a Service): A service that provides outsourced communications solutions
XaaS (Anything as a Service): Service providing all the offerings via cloud computing as opposed to on-premise
Resource Groups
Resource Group: Logical grouping of all resources used for a particular setup or project

To create a Resource Group, search for Resource, then select Resource Group
Be sure to disable DDoS protection to avoid cost
Virtual Network
Virtual Network: A collection of virtual machines that can communicate with one another
Virtual Network Requirements:
- vNICs (Virtual Network Interface Cards): Software versions of physical network cards
- IP Addresses: Considered their own type of resource in cloud environments
- Subnets: Also considered separate resources, and can be added after creating a virtual network
When creating a network in Azure, it will default to a /16 subnet, which can be broken down into smaller subnets
To create a virtual network:
- Search for Virtual Network and select create
- Select the default /24 subnet of IP Addresses
- Ensure that DDoS protection is Disabled
- Select Create
Security Groups
Network Security Group (NSG): Basic firewall used to block and allow traffic to the virtual network
Many resources, including NSGs, can be created independently of any particular virtual network and then attached to a vNet after creation
To create a Network Security Group:
- Search for and select Network Security Group
- Attach a Resource Group and provide a name
- Select Create
- Go to All Resources and select the NSG
- To create a new Inbound Security Rule:
  - Select the Inbound Security Rules tab under Settings
  - Select the Add Icon
  - Provide the Source, Port Ranges, Destination, Service, and Priority
    - Priority is evaluated in ascending order: rules with lower numbers are processed first
  - Select Add
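The same inbound rules can be declared as code instead of being entered in the portal. The following is an added example, not part of the original notes, written as an Ansible playbook (covered later on this page) with the azure_rm_securitygroup module from the azure.azcollection collection; the resource group, NSG name and admin address are constructed placeholders. It shows the effect of priority: the Allow rule at 100 is evaluated before the Deny rule at 200, and the first rule that matches decides.

```yaml
---
# Added example: all names and addresses below are constructed placeholders.
- name: Declare inbound NSG rules in priority order
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Allow SSH from one admin address and deny it from everywhere else
      azure.azcollection.azure_rm_securitygroup:
        resource_group: example-rg        # hypothetical resource group
        name: example-nsg                 # hypothetical NSG name
        purge_rules: true                 # drop custom rules that are not listed here
        rules:
          # Lowest number, evaluated first: SSH from the admin workstation only.
          - name: AllowSshFromAdmin
            priority: 100
            direction: Inbound
            access: Allow
            protocol: Tcp
            source_address_prefix: 203.0.113.10/32   # documentation-range address
            destination_port_range: 22
          # Evaluated second: any other Internet source asking for port 22 is denied.
          # If the two priorities were swapped, the admin address would be denied too,
          # because it also matches the "Internet" tag and the first match wins.
          - name: DenySshFromInternet
            priority: 200
            direction: Inbound
            access: Deny
            protocol: Tcp
            source_address_prefix: Internet          # Azure service tag
            destination_port_range: 22
```

Custom rule priorities range from 100 to 4096; Azure's built-in default rules sit at 65000 and above, so any custom rule is evaluated before them.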
Virtual Computing
A virtual computer has software versions of hardware components
How to build a Virtual Machine:
- Search and Select Virtual Machine
- Select a Resource Group and provide a Name
- Select a Size (The “B-series” are the most affordable)
- Provide a Username
- For the SSH Public Key Source option, select “Use existing public key”
- Provide the public key
Cloud System Management
Containers, IaC, and Provisioners
Containers are essentially lightweight VMs that require fewer CPU resources and can therefore be downloaded and distributed more easily
Provisioners: Tools that automatically configure VMs or containers
Infrastructure as Code (IaC): Ideology that the configurations for all VMs, containers and networks in deployment should be defined in text files that can be used by provisioners to automatically recreate machines and networks
Continuous Integration/Continuous Deployment (CI/CD): Concept of automatically updating machines on the network when a change is made to IaC
Continuous Integration (CI) ensures that a new version of that machine is built immediately
Continuous Deployment (CD) ensures the new version is automatically deployed to the live environment
Foundations of Network Architecture
Secure Configuration: Setting secure rules for individual machines and networks
Connects individual machines and networks in safe ways
Secure Architecture: Deters and contains the effects of a breach, ensuring that insecure machines are hard to compromise
Network Redundancy
Fault-Tolerant System: A system that can keep running even if one or more of its components fail
Redundancy: Duplications of critical components or systems
Redundancy vs. Budget
It is impossible to create a redundant system for every component due to budget
Cloud services allow a company to add resources as needed, scaling infrastructure and only paying for what is needed
Jump Box Administration
Fanning In: Securing and monitoring through a single node configured by placing a gateway router between systems on a network
An example is a jumpbox that is exposed to the public internet and sits in front of other machines that are not accessible via the internet
Virtual Private Network (VPN)
A VPN creates a direct connection between a local network and a remote network

A VPN encrypts all network traffic between local and remote networks
Once connected, access to all resources on a remote network is given
Containers
Containers vs. VMs
Containers are simulated machines that run on a single host, but two VMs running on the same host are completely independent of each other

Containers can share certain files and only have to individually contain the files relevant to their applications:

Stateless vs. Stateful Containers
Containers are stateful, meaning they cannot be safely destroyed and replaced with a new one, if they contain data any other containers contain
It is preferable to run containers as stateless, meaning that data has been moved to a central location, with server and application data extracted as much as possible
The following example shows architecture in which the containers responsible for Linux/Apache are identical and extract database data from MySQL Database Containers:

Scaling
Horizontal Scaling: Creating more containers
Vertical Scaling: Making an existing machine more powerful by adding more RAM and CPU
Docker
Docker is the most common program used to manage containers
Docker can be used to distribute software rather than installing software directly on the host machine
Infrastructure as Code
Infrastructure as Code (IaC): Concept of defining all equipment and network with code
IaC Change Management
When code containing configurations for a server is created, that code can be version controlled and easily audited
Servers can send logs to a central database, so the only things that need backing up are the small text files of the code that defines the servers
In order to see what changes are made to a server, only the changes in the code need to be monitored
Provisioners
Provisioners: Software applications used in IaC setups to make automated configuration changes to computers
Provisioners focus on bringing a server to a certain state of operation
Load Balancing
Ansible Playbooks
Ansible uses YAML files as playbooks to run a set of actions on a server
YAML Syntax:
    ---
    - name: Playbook name
      hosts: webservers
      become: true
      tasks:
- hosts: The group of servers in the hosts file that the actions will run on
- become: All actions will run as root on the server
- tasks: The actions to be taken, which will run one at a time
The following will install Apache on the host:
    ---
    - name: My first playbook
      hosts: webservers
      become: true
      tasks:
        - name: Install apache httpd (state=present is optional)
          apt:
            name: apache2
            state: present
- name: The name of the task
- apt: The name of the module
- name: Name of the package being installed
- state: Instructs whether to check if the package is present, or run the task whether the package is installed or not
To run an Ansible playbook:
    ansible-playbook [playbook_name]
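A provisioner can bring a server to a secure state as well as an installed one. The playbook below is an added example, not part of the original notes: it extends the Apache playbook so that the `webservers` hosts also enforce key-only SSH, matching the VM setup above that uses an existing public key. It assumes Debian/Ubuntu targets (apt, an SSH service named `ssh`, sshd at /usr/sbin/sshd).

```yaml
---
# Added example: install Apache, then enforce key-only SSH on the same hosts.
# Assumes Debian/Ubuntu targets; the paths and service names reflect that assumption.
- name: Install Apache and enforce key-only SSH
  hosts: webservers
  become: true
  tasks:
    - name: Install apache2
      ansible.builtin.apt:
        name: apache2
        state: present
        update_cache: true

    - name: Make sure Apache is running now and after a reboot
      ansible.builtin.service:
        name: apache2
        state: started
        enabled: true

    - name: Disable SSH password logins
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s'
        line: PasswordAuthentication no
        validate: /usr/sbin/sshd -t -f %s   # refuse to write a config sshd cannot parse
      notify: Restart ssh

    - name: Disable direct root login over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart ssh

  handlers:
    # Runs once at the end of the play, and only if a task above reported a change.
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Running it with `ansible-playbook --check --diff` previews the changes without applying them, and a second real run should report no changes. If the image ships drop-in files under /etc/ssh/sshd_config.d/, confirm the effective setting on the host with `sshd -T | grep passwordauthentication`.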
Load Balancing
A load balancer provides a website an external IP Address that is accessed publicly, then distributes traffic across multiple servers
As more traffic is received, more servers can be added to the group, or pool, of servers the load balancer has access to
The load balancer typically has a health probe, which checks regularly to make sure all of the machines behind the load balancer are functioning before sending traffic
To create and configure a Load Balancer:
- Search for “load balancer” and select Create
- Select the relevant Resource Group
- Provide a Name
- Select Public for Type
- Select Basic for SKU
- Select “Create New” for Public IP Address
- Give the Public IP Address a Name
- Select Static for IP Assignment
- Select NO for Add a Public IPv6 Address
- Select Review and Create