Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by Salesforce on...
Leveraging the cloud: Getting the most bang for your buck
Nate Lindstrom, Director of Network Operations (in/nwlindstrom)
Salesforce Desk
We make it easy for you to support customers right from the browser, via email, phone, chat, web, Facebook, and Twitter.
We provide a hosted, cloud-based SaaS help desk platform for SMB.
Cloudy change management: Trust but verify
Process requirements
Formal, documented change management
ISO 27001 compliance
SOX section 404 compliance
Safe Harbor certification
Single file change process
Changes can be made rapidly and safely
Unauthorized changes reverted by the CMS or flagged by CloudPassage Halo FIM
Diagram (change workflow): RFC created -> Make pull request -> SME reviews request -> Change applied to staging -> Effects observed -> Change applied to production -> FIM updated -> RFC closed
Under the hood
Chicken-and-egg problem for new instances
Puppet determines role based on hostname
Hostname isn’t set on new instances
How we start instances
Diagram: Script launches AMI -> new instance comes up as ip-10-20-30-40.us-west-1.compute.internal, tagged Name=web01.desk.com -> hostname set to web01.desk.com -> Puppet matches the node definition -> nginx
node /^web\d+\.desk\.com$/ inherits production_app { include web }
How we monitor instances
Diagram: web01.desk.com -> cron -> S3 bucket
Effective monitoring
Icinga is the most comprehensive open source monitoring solution available
Secret change process
“Secret” as in production secrets, like passwords
Diagram (secret change workflow): RFC created -> Make pull request -> SME reviews request -> Change applied to production -> FIM updated -> RFC closed
Under the hood
Storing production secrets in plain text is bad
Sending decryption key over same channel as encrypted data is bad
Secure repositories
Diagram: Puppet git repo; TechOps: full access; everyone: pull request only; prod credentials and non-prod credentials, each GnuPG-encrypted
Secure distribution
Diagram: AMI (with GnuPG key) -> instance -> git -> Puppet git repo (secrets) -> Puppet -> credentials
What the cloud means to us: More typing, less driving
Physical asset tracking
If you came to doubt the accuracy of your CMDB, you could always fall back on a physical inventory. Almost always, anyway.
Virtual asset tracking
When you don’t have any physical assets it’s even easier to “lose” instances
“Lost” instances can silently consume big $$$
How an instance can be lost
Diagram: Provisioning script launches instance; instance uploads existence information to S3 bucket; S3 bucket updates CMDB
Provisioning script loses connectivity during launch
Instance fails to upload existence information to S3
Minimizing lost instances
Your CMDB may not see your lost instances consuming $$$, but Cloudyn does
Cloudyn makes it easy to maintain an efficient and lean cloud presence
JIT capacity: Let your servers order more servers
Auto Scale architecture
Everything should scale horizontally
Auto Scale in action: Loosely-coupled tiers provide greatest flexibility
Scale up quickly, scale down slowly
Diagram: ELB -> Web tier (Web x7) -> ELB -> App tier (App x6), shown with traffic increasing and traffic decreasing
Auto Scaling control
Scalr makes managing dynamic environments in the cloud easy and painless
Whole-unit troubleshooting: Don’t sweat the small stuff
Think in clusters
If one instance is having problems, replace it
If many instances are having problems, dig deeper
Use the 1, 2, 3 rule for determining response
Diagram: ELB -> Instance x5
Architecting for failure: Build it to land gracefully
Expect failure
Make use of regions and availability zones
Avoid storing sessions on any one server
The cloud is inherently unreliable, but your app doesn’t need to be
Diagram: AWS regions us-west-1 and us-east-1; availability zones us-west-1a and us-west-1b
Security awareness: False security is worse than no security
Cloud isn’t private
Multitenancy means the cloud is never truly private
Build security in from the very beginning
Apply defense in depth
Diagram: Internet -> ELB -> Web -> ELB -> App -> DB
Security groups are limited
An instance’s security groups cannot ever be changed
Security groups can only limit inbound (ingress) traffic
Security groups cannot restrict outbound (egress) traffic
Comprehensive security
CloudPassage Halo allows the implementation of comprehensive security with minimal effort
The cloud...
Is not a data center
Is only as secure as you make it
Is very expensive if not managed well
Works best with lots and lots of little servers
Will occasionally fail
Thank you!