Sign up for a live Kubernetes or DevSecOps demo

Click here

Sara Jeanes

Over the last 10 years, Sara has held numerous program management, engineering, and operations roles. She has lead multiple team transformations and knows first hand the pain of traditional waterfall development. She is a vocal advocate for DevOps, microservices, and the cloud as tools to create better products and services. Sara is currently a contributor at Fixate.io and can be found on Twitter @sarajeanes.

Posts by Sara Jeanes

Blog

Getting Started with AWS EC2 Container Service (ECS)

Amazon Web Services is the leading Infrastructure as a Service (IaaS) provider. They have over 50+ groups of services that run the gamut from mobile services to services to support Internet of Things (IoT). They are most well known for their EC2 and S3 services, and in leveraging this broad base, they are able to layer additional, more complex services on top. The EC2 Container Service leverages EC2 compute instances to provide a quick way to set up and scale a container cluster. The Basics The EC2 instances backing ECS use all of the supporting features you are familiar with in AWS. When you configure your initial cluster (or any subsequent cluster for that matter), ECS configures EC2 instances as cluster hosts and configures security groups, VPCs, subnets, routes, and gateways to support them. The cluster also comes online with a suite of basic metrics on CPU and memory utilization. EC2 leverages the docker engine as a container primitive. This is different, and not to be confused with any of Docker’s enterprise-geared cluster management offerings like Docker Datacenter. ECS is designed to replace the need for a container cluster manager to manage these Docker containers in production. Another benefit of using ECS as an AWS-aware cluster manager is that if the cluster needs to increase the number of hosts, it can do so as needed. You can also pair scaling your hosts with scaling your service running containerized leveraging Service Auto Scaling and CloudWatch. Head’s up – here are a couple of items to be aware of when you are first getting started. There is currently no Windows support for the ECS CLI. (You will quickly run into a known bug if you try and follow the Getting Started tutorial from a PC.) Also, during the initial configuration of ECS, you will be prompted to create a build repository. This repository will be hosted on S3, and will be used as a source for images used to launch services and tasks. Clusters and Instances EC2 Container Service, as the name describes, runs on EC2 instances. When starting for the first time, you will use a wizard to build your initial cluster. From there, you can modify or build additional clusters on the Clusters tab. These EC2 instances use the AWS-developed open-source “ecs agent” to run the containers. The multiple clusters can be accessed through the Management Console or using different AWS profiles on the command line. Services and Tasks The functions of ECS you will be engaging with the most are services and task definitions. A task definition describes the details of a particular group of containers; what data volumes they should attach at run time; what interfaces should be exposed and how they are addressed; and how they should be operated together. A service is the running state of this task definition. As part of the task, a minimum healthy percentage and maximum percentage can be set. The service will be maintained to those specifications. Additional containers will be launched if needed to maintain the service above the minimum health, and shut down if it exceeds the maximum. A number of task instances running can be set to duplicate the definition a number of times as separate services. The task instance value is set to one by default. The task definition can be revised (everything is version controlled), and a new service will be spun up to match the newly modified definition. ECS will ensure the new service is accessible, and then terminate the old service. A recent addition to the ECS now allows for an Elastic LoadBalancer (ELB) to be placed in front of a service, and dynamic ports to be assigned. This update now lets multiple instances of the same task run on the same host. This update also adds an initial framework to support service discovery. The AWS team blog post on the update can be found here. AWS is great for building and running instances for a cluster, and is slowly accumulating features to effectively manage a cluster running on those instances. If you are looking to run containers in production and already use AWS, ECS is definitely worth checking out. About the Author Over the last 10 years, Sara Jeanes has held numerous program management, engineering, and operations roles. She has led multiple team transformations and knows first-hand the pain of traditional waterfall development. She is a vocal advocate for DevOps, microservices, and the cloud as tools to create better products and services. You can follow Sara on Twitter @sarajeanes. Getting Started with AWS EC2 Container Service (ECS) is published by the Sumo Logic DevOps Community. If you’d like to learn more or contribute, visit devops.sumologic.com. Also, be sure to check out Sumo Logic Developers for free tools and code that will enable you to monitor and troubleshoot applications from code to production.

Blog

Getting Started with AWS Config Rules

Keeping track of all of your settings and configuration changes on AWS can be difficult if you try to do it by hand. Fortunately, AWS offers a service to automate the process called AWS Config. This article explains what AWS Config is, and show you how to get started using AWS Config rules. What is AWS Config? The official description of AWS Config reads as follows: AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. Reading a description like that will really start the wheels turning in any SysOps professional’s head. In the datacenter, many attempts were made, sometimes successfully, to manage inventory and changes. With an AWS account, there is a defined boundary in which to monitor. There is tagging on almost every resource type that can be provisioned, and everything that can be deployed fits neatly into a resource type definition. AWS Config ends up being an ideal tool to provide infrastructure visibility within an AWS account. Getting Started To begin setting up AWS Config, a tutorial is provided in the AWS Management Console. This tutorial walks the user through configuration items and establishes all components needed to begin using AWS Config. The setup allows the user to select resources in the region and configure global resources. An item worth noting is that AWS Config is set up on a region by region basis. The setup will also ask for an S3 bucket in which to store the AWS Config record. At the same time, an Amazon SNS topic can be set to send notifications and an IAM role can be applied to grant permission to interact with Amazon SNS and Amazon S3. The setup provides a number of suggested AWS Config template rules to select, including: Root-account-mfa-enabled – Ensures the root AWS account has multi-factor authentication enabled Cloudtrail-enabled – Checks if AWS CloudTrail (auditing of API calls) is enabled Eip-attached – Looks for unused Elastic IP addresses Encrypted-volumes – Checks to ensure that any EBS volumes that are in use are encrypted All four, at the present time, are very useful in their own way. It is recommended that all be added to the AWS account before confirming changes. Creating Rules Once confirmed, AWS Config will provide two primary navigation items along the left side of the screen—Rules and Resources. The Rules screen is used to configure—as one might expect, rules—to monitor configuration changes to Resources in the AWS account. AWS provides a healthy number of template rules, covering a number of primary use cases for using AWS Config. Three common template rules that should be enabled immediately include: Require-tags – Require specific tags on a resource. This is especially useful in preventing orphaned EC2 instances with unknown purposes. Restrict-SSH – Ensures SSH has not been enabled for a Security Group that should have permit inbound SSH requests Restricted-common-ports – Another rule to ensure common ports are not open to instances that should not be accessible. AWS Config can also leverage custom rules that can be configured in the same menu. Custom rules can be triggered either by a configuration change on the AWS account or on a periodic basis. A resource type or key value pair can be selected as a target of the rule. For even more complex rules logic, an AWS Lambda function can be invoked as well. Reviewing Configuration AWS Config provides two primary ways of consuming the configuration state of the AWS account—the Resources tab in the AWS Config console, and SNS notification. For periodic review, the Resources tab contains a couple of selectors that allow for searching either records associated with resources, or tags. This is also the screen where announcements are made about new resource types being supported in config. The other method is to configure AWS Simple Notification Service (SNS) to send an email or text message when a rule becomes non-compliant. One downside to either method is that it does not take steps to remediate the issue. That falls to the administrator who received the notification. Sumo Logic App for AWS Config AWS Config provides a great way to monitor how an AWS account is configured. For any account that has a lot of individuals, generating a large number of changes, AWS Config is an invaluable tool to provide continuous visibility into the infrastructure. The Sumo Logic App for AWS Config adds to this by presenting notifications containing snapshots of resource configurations and information about the modifications made to a resource. The app also provides predefined Live and Interactive Dashboards and filters that give you a greater level of visibility into your environment for real-time analysis of overall usage. If you don’t already have a Sumo Logic account, sign up for a Free Trial and take the app for a test drive. About the Author Over the last 10 years, Sara Jeanes has held numerous program management, engineering, and operations roles. She has led multiple team transformations and knows first-hand the pain of traditional waterfall development. She is a vocal advocate for DevOps, microservices, and the cloud as tools to create better products and services. Sara is currently a Contributor at Fixate.io and can be found on Twitter @sarajeanes. Getting Started with AWS Config Rules is published by the Sumo Logic DevOps Community. If you’d like to learn more or contribute, visit devops.sumologic.com. Also, be sure to check out Sumo Logic Developers for free tools and code that will enable you to monitor and troubleshoot applications from code to production.

Blog

Role-Based Access and Containers as a Service