Forem: Arunasri Maganti

Why Prioritizing Cloud Security Best Practices is Critical in 2024

Arunasri Maganti — Tue, 15 Oct 2024 11:40:36 +0000

In today’s hyper digitalized age, securing cloud infrastructure is no longer just an option. It has become a necessity as more and more organizations migrate workloads to the cloud. Back in 2019, Gartner wrote that, “Through 2025, 99% of cloud security failures will be the customer’s fault.” As 2025 approaches in 3 months, it is now more important than ever to ensure that sensitive data is protected, regulatory compliance is maintained, and that the evolving and dynamic cyber threat landscape is mitigated. Amazon Web Services (AWS) includes a detailed cloud security framework to ensure the safety of cloud-based access and associated systems. Cloud security best practices and cloud security tools are mandatory to leverage the strength of AWS infrastructure.

Security in AWS Cloud is a Shared Responsibility Model

AWS’s shared responsibility model divides the ownership of different security aspects between AWS and the customer. While AWS secures the infrastructure such as the physical servers and networking hardware, customers are responsible for securing the actual information and applications that reside on those servers and maintain access control.
AWS has inbuilt security guardrails, which are a good first line of protection. AWS Identity and Access Management (IAM) grants identity, AWS Key Management Service (KMS) encrypts data, and AWS CloudTrail monitors what’s going on, but putting them in place to match best practices is up to you. The combination of these cloud security tools with the right cloud security policy can make your cloud immune to threats.

Why Security in the Cloud Matters

Cloud security in cloud computing is arguably the most important aspect of your AWS infrastructure. In the year 2023, on average, a data breach around the world cost $4.45 million, according to IBM’s Cost of a Data Breach Report. Cloud security challenges are manifold - causing you to have a data breach or a regulatory fine and tarnish your company’s reputation. By following AWS security best practices, you protect yourself from these risks, and you also help your organization meet certain industry security standards, such as HIPAA for healthcare and PCI-DSS for finance.

Key Reasons to Adopt AWS Security Best Practices

- Data Protection: It has multiple security layers, but you must especially focus on encrypting data at rest and in transit. Using the S3 encryption service of AWS (based in the region), you can prevent serious data exploitation between the connection of the EC2 Server and the S3 Server, making it impossible for anyone other than the official EC2 server to access the memory.

- Compliance: AWS infrastructure and Application running on that infrastructure can comply with regulations like GDPR and SOC 2, but proper configuration is the key.
AWS Security Hub simplifies this by giving you a clear view of your security across all AWS accounts. It automatically checks your environment against standards like CIS, PCI DSS, and ISO 27001, flagging issues so you can address them quickly. It also integrates with other AWS services like GuardDuty, Inspector, and Macie, along with third-party tools, offering a centralized view of all security concerns. With Security Hub, you get continuous monitoring and easy-to-follow reports that make staying compliant and secure much simpler.

- Access Management: You can enact fine-grained access control with AWS IAM. Least privilege is the rule when you define user and group policies to reduce attack surfaces by granting people access to only the resources they truly need.

Strengthening Your AWS Security in Cloud

Here’s how you can bolster your AWS cloud security:

- AWS Native Tools: AWS offers a collection of security capabilities such as AWS GuardDuty for threat detection and AWS Shield for DDoS protection, both built to integrate natively and intelligently with your cloud infrastructure.
- Principle of least privilege: Users are granted only the level of privilege that they need, and IAM roles should be used instead of static credentials to reduce accidents that might lead to exposure of sensitive data.
- Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of protection. Verizon’s 2023 Data Breach Investigations Report states that 61% of data breaches involve credential compromise. MFA could keep unauthorized access from occurring, even when credentials have been compromised.
- Encrypt Everything at rest & in motion: Encrypt everything (data coming and going ) using encryption tools from AWS, including AWS KMS and SSL/TLS certificates so that, even if data is intercepted, it cannot be understood or used without the proper decryption keys.

Conclusion

As the cloud continues its rapid evolutionary path, so do the vulnerabilities and threats. By heeding the best practices on AWS, businesses not only secure their data, but they also build a foundation of credibility with their customers that will help them succeed in the long run. Estimates from Cybersecurity Ventures showing that cybercrime’s global costs will reach $10.5 trillion a year by 2025, no one can afford not to take steps to secure their cloud.

Get Your Free Ultimate AWS Security Guide

Figuring out how to secure your AWS Cloud may seem daunting, but we’ve made it easier. Download your free copy of our Ultimate AWS Security Guide, and you’ll gain practical insight into creating IAM policies, using encryption, writing an incident response plan and more. We’re here to help you secure your cloud infrastructure.

About Techpartner

Techpartner Alliance is an AWS Advanced Partner with 10 years of experience on AWS solutions. It was founded in 2014 by Ravindra Katti (previously Director and Head IT, Gupshup) and Prasad Wani. Being a TechOps organization, we are the go-to partners for businesses for all things technology. We offer more than just individual benefits by blending our specialized cloud security services with AWS’s reliable infrastructure. Our seamless integration future-proofs network infrastructures, enabling businesses to become more efficient, scalable, and innovative. We provide exhaustive cloud security solutions that truly meet all your needs.

AWS recommends conducting Well-Architected Framework Reviews (WAFR) regularly to ensure continued alignment of cloud architectures with best practices and business objectives. Here’s where we come in – Techpartner Alliance is an AWS advanced partner and a certified AWS-Well Architected Review Partner. This is to say, we are fully equipped to conduct the Well Architected Framework Review, especially with the focus on the security pillar of WAFR.

Follow our LinkedIn Page and check out our other Blogs to stay updated on the latest tech trends and AWS Cloud.

Set up a complimentary security assessment for your IT infrastructure

IPv6 Migration Simplified: Techpartner's Blueprint for Future-Proofing Your Network

Arunasri Maganti — Mon, 16 Sep 2024 15:12:09 +0000

In the enormous landscape of networking and the internet, migration to IPv6 is a critical evolution. Currently, global IPv6 adoption is at 46% as of Sept, 2024 with India leading the charge at 70% IPv6 adoption. But what, in essence, is the migration to IPv6 and why is it important? If you haven’t yet migrated to IPv6 or you’re facing challenges post migration - dive into this comprehensive blog for more information.

What is IPv6 migration?

IPv6 migration is the transition of the current Internet Protocol version, generally referred to as IPv4, to the new and more advanced Internet Protocol version 6. The IPv4 has a 32-bit address space, which hosts about 4.3 billion addresses on the internet. The unique and new IPv4 addresses have run out as of 2019. Whereas, IPv6 address space is 128-bit, making the number of unique addresses almost infinite. This transition is essential for internet growth and scalability.

Why is IPv6 Adoption Critical?

IPv6 adoption is important for many reasons:
· Address Exhaustion: As IPv4 addresses are running out, it is imperative to utilize IPv6 because of the vast address space it provides to accommodate the rising number of internet-connected devices.
· Better Security: IPv6 has been designed with security in mind and boasts other securities-based features, such embedded IPsec support for end-to-end encryption.
· Better Performance: IPv6 minimizes the size of routing tables, thereby making IPv6 routing more optimal, and thus enhancing the general performance of the network. It is a necessity in the world of high-speed internet.
· Simplified Network Configuration: IPv6 provides Stateless Address Autoconfiguration (IPv6 SLAAC) functionality, where a device can configure IP addresses automatically on its own without manual configuration.

What are the Three Types of IPv6 Migration Techniques?

· Dual Stack: This method gives the running of IPv4 and IPv6 concurrently in usage. It means that the transition is done in such a way that systems can operate with a provision to run in a mode supporting one of the protocols or another; hence, this supports compatibility without much disruption.
· IPv6 Tunneling: In a process known as tunneling, IPv6 packets are encapsulated within IPv4 packets that can move through IPv4 infrastructure. This can be a practical transitional measure allowing IPv6 connectivity even while parts of the network are still using IPv4.
· Translation: This works to translate IPv6 packets to IPv4 and vice versa so that both can communicate with each other. It's quite handy in translating legacy systems, which have to communicate in a world dominated by IPv6.

What are the challenges in IPv6 Migration?

Although the introduction of IPv6 offers various advantages, it is accompanied by a few challenges:
· Compatibility: The process to make all the devices and software compatible with IPv6 is a bit complex and time-consuming.
· Cost: Ensuring IPv6 readiness through infrastructure development is expensive, particularly for large organizations with extensive networks.
· Training and Knowledge: It is important to have technical staff trained for both management and troubleshooting in IPv6 networks.
· Transition Complexity: The coexistence of IPv4 and IPv6 must be dealt with great care and execution of plans during the transition period.
How can IPv6 Migration challenges be addressed?
The following solutions can assist:
· Gradual Transition: The possibility to have a dual-stack approach gives a smooth transition—where disruption is minimized, and compatibility is assured.
· Training Programs: Investment in training for IT personnel to ensure they are well-equipped with the knowledge and skills needed to manage IPv6 networks.
· Cost management: Planning and budgeting can help manage the process of migration. Furthermore, utilizing available infrastructure to the maximum reduces the cost.
· Automated Tools: The automated tools can assist in network configuration and implementation of the transition by reducing the overhead from the technical workforce.

Techpartner Alliance Case Study: IPv6 Migration for a Digital Lending NBFC

Client Profile
This client was a leading NBFC lending to Micro, Small, and Medium Enterprises (MSME). As a Systemically Important, Non-Deposit taking NBFC, they have partnered with over 25,000 enterprises and disbursed loans exceeding $1 billion.

Challenges
The challenges that IPv6 transition posed to the client include a lack of adequate knowledge about IPv6, regulatory compliance requirements, and managing migration costs. They also faced difficulties in configuring dual-stack networks and ensuring compatibility between their head office and branch offices. These issues put their operational efficiency and growth scalability at risk.

Solution
Techpartner's project audited the current IPv4 infrastructure of the client and developed a detailed migration plan, with focus on compliance and cost. Configuration was done for dual-stack support with both IPv4 and IPv6, ensuring secure communication protocol deployment, and thorough training accompanied by continuous support to make sure no bottlenecks through the process.

Benefits
Through Techpartner’s IPv6 migration, the client achieved full compliance with the new regulations. This simultaneously brought down operational costs and improved network compatibility. They also increased their security and future-proofed their infrastructure to provide seamless operations across all office locations.

Key Features of the IPv6 Migration:

- Dual-Stack Configuration: Integration of dual-stack IPv4 and IPv6 support within AWS assured the client of seamless operations across networks. This increased network performance, compliance, and cost efficiency and put them on easier footing to grow.

- IPSec Encrypted Tunnels: The security of the AWS platform was leveraged in building the encrypted IPSec tunnels over IPv6 and provided a method that was secure for communication from the head office to the branch offices. In such a way, network security became higher, and it was much easier to comply, while data exchange across their infrastructure became reliable.
This has, in fact, made the client so much more scalable, secure, and efficient in operations, ensuring long-term success for the firm.

Conclusion

The migration toward IPv6 is a must for the Internet to further develop and grow. While it poses a few challenges, it has turned out to be an indispensable step in view of an improved level of security, better performance, and virtually limitless address space. Transitioning to IPv6 for a business means migrating under careful planning and execution. Businesses are able to migrate to IPv6, thereby, future-proofing their networks. IPv6 may be daunting at first sight, but it is a leap toward a stronger and more scalable internet infrastructure.

About Techpartner

Techpartner Alliance is an AWS Advanced Partner with 10 years of experience on AWS solutions. It was founded in 2014 by Ravindra Katti (previously Director and Head IT, Gupshup) and Prasad Wani. Being a TechOps organization, we are the go-to partners for businesses for all things technology. We offer more than just individual benefits by blending our specialized services with AWS's reliable infrastructure. This collaboration enhances performance, reliability, and security, ensuring our customers meet regulatory requirements and reduce costs. Our seamless integration future-proofs network infrastructures, enabling businesses to become more efficient, scalable, and innovative. Together we provide a comprehensive solution that truly meets all your needs.

Follow our LinkedIn Page and check out our other Blogs to stay updated on the latest tech trends and AWS Cloud.
Set up a complimentary migration readiness assessment for your IT infrastructure

Eclipse Che on AWS with EFS

Arunasri Maganti — Tue, 27 Aug 2024 10:00:50 +0000

This blog is for Eclipse Che 7 (Kubernetes-Native in-browser IDE) on AWS with EFS Integration.

Eclipse Che makes Kubernetes development accessible for developer teams, providing one-click developer workspaces and eliminating local environment configuration for your entire team. Che brings your Kubernetes application into your development environment and provides an in-browser IDE, allowing you to code, build, test and run applications exactly as they run on production from any machine.

How Eclipse Che Works
One-click centrally hosted workspaces
Kubernetes-native containerized development
In-browser extensible IDE
Here we will go through how to installing Eclipse Che 7 on AWS Cloud, which focuses on simplifying writing, building and collaborating on cloud native applications for teams.

Prerequisites
A running instance of Kubernetes, version 1.9 or higher.
The kubectl tool installed.
The chectl tool installed

Installing Kubernetes on Amazon EC2
Launch a minimum sized linux Ec2 instance, say like t.nano or t3 micro
Set up the AWS Command Line Interface (AWS CLI). For detailed installation instructions, see Installing the AWS CLI.
Install Kubernetes on EC2. There are several ways to have a running Kubernetes instance on EC2. Here, the kops tool is used to install Kubernetes. For details, see Installing Kubernetes with kops. You will also need kubectl to install kops which can be found at Installing kubectl
Create a Role with Admin privileges and attach it to the EC2 instance where kops is installed. This role will be creating kubernetes cluster with master, nodes with autoscaling groups, updating route53, creating load balancer for ingress. For detailed instructions, see Creating Role for EC2

So to summarise, so far we have installed aws cli, kubectl, kops tool and attached AWS admin role to EC2 instance.

Next, We need route53 records which kops can use to point kubernetes api, etcd…

Throughout the document, I will be using eclipse.mydomain.com as my cluster domain.

Now, let’s create public hosted zone for “eclipse.mydomain.com” in Route53. Once done, make a note of zone id which will be used later

Copy the four DNS nameservers on the eclipse.mydomain.com hosted zone and create a new NS record on mydomain.com and update the above copied DNS entries. Note that when using a custom DNS provider, updating the record takes a few hours.

Next, Create the Simple Storage Service (s3) storage to store the kops configuration.

$ aws s3 mb s3://eclipse.mydomain.com
make_bucket: eclipse.mydomain.com
Inform kops of this new service:

$ export KOPS_STATE_STORE=s3://eclipse.mydomain.com
Create the kops cluster by providing the cluster zone. For example, for Mumbai region, the zone is ap-south-1a.

$ kops create cluster --zones=ap-south-1a apsouth-1a.eclipse.mydomain.com

The above kops command will create new VPC with CIDR 172.20.0.0/16 and new subnet to install nodes and master in kubernetes cluster and will use Debian OS by default. Incase you want to use your own existing VPC, Subnet and AMI, then use below command:

$  kops create cluster --zones=ap-south-1a apsouth-1a.eclipse.mydomain.com --image=ami-0927ed83617754711 --vpc=vpc-01d8vcs04844dk46e --subnets=subnet-0307754jkjs4563k0

The above kops command uses ubuntu 18.0 AMI to be used for master and worker nodes. You can add your own AMIs as well.

You can review / update the cluster config for cluster, master and nodes using below commands

For cluster —

$ kops edit cluster — name=ap-south-1a.eclipse.mydomain.com

For master —

$ kops edit ig — name=ap-south-1a.eclipse.mydomain.com master-ap-south-1a

For nodes —

$ kops edit ig — name=ap-south-1a.eclipse.mydomain.com nodes

Once the cluster, master, node config is reviewed and updated , you can create cluster using following command

$ kops update cluster --name ap-south-1a.eclipse.mydomain.com --yes

After the cluster is ready, validate it using:

$ kops validate cluster

Using cluster from kubectl context: ap-south-1a.eclipse.mydomain.com

Validating cluster eclipse.mydomain.com
INSTANCE GROUPS
NAME                ROLE    MACHINETYPE  MIN  MAX  SUBNETS
master-ap-south-1a   Master  m3.medium    1    1    eu-west-1c
nodes               Node    t2.medium    2    2    eu-west-1c

NODE STATUS
NAME                                         ROLE    READY
ip-172-20-38-26.ap-south-1.compute.internal   node    True
ip-172-20-43-198.ap-south-1.compute.internal  node    True
ip-172-20-60-129.ap-south-1.compute.internal  master  True

Your cluster is ap-south-1a.eclipse.mydomain.com ready

It may take approx 10 -12 min for cluster to come up
Check the cluster using the kubectl command. The context is also configured automatically by the kops tool:

$ kubectl config current-context
ap-south-1a.eclipse.mydomain.com
$ kubectl get pods --all-namespaces

All the pods in the running state are displayed.

Installing Ingress-nginx
To install Ingress-nginx:
Install the ingress nginx configuration from the below github location.

$ kubectl apply -f https://raw.githubusercontent.com/binnyoza/eclipse-che/master/mandatory.yaml

Install the configuration for AWS

$ kubectl apply -f https://raw.githubusercontent.com/binnyoza/eclipse-che/master/service-l4.yaml

$ kubectl apply -f https://raw.githubusercontent.com/binnyoza/eclipse-che/master/patch-configmap-l4.yaml

The following output confirms that the Ingress controller is running.

$ kubectl get pods --namespace ingress-nginx
NAME                                        READY   STATUS    RESTARTS   AGE
nginx-ingress-controller-76c86d76c4-gswmg   1/1     Running   0          9m3s

If the pod is not showing ready yet, wait for couple of minutes and check again.

Find the external IP of ingress-nginx.

$ kubectl get services --namespace ingress-nginx -o jsonpath='{.items[].status.loadBalancer.ingress[0].hostname}'
Ade9c9f48b2cd11e9a28c0611bc28f24-1591254057.ap-south-1.elb.amazonaws.com

Troubleshooting: If the output is empty, it implies that the cluster has configuration issues. Use the following command to find the cause of the issue:

$ kubectl describe service -n ingress-nginx ingress-nginx

Now in Route53, create a wildcard record in zone eclipse.mydomain.com with the record as LB url as received in previous kubectl get services command. You can create CNAME record or Alias A record.

The following is an example of the resulting window after adding all the values.

It is now possible to install Eclipse Che on this existing Kubernetes cluster.

Enabling the TLS and DNS challenge
To use the Cloud DNS and TLS, some service accounts must be enabled to have cert-manager managing the DNS challenge for the Let’s Encrypt service.

In the EC2 Dashboard, identify the IAM role used by the master node and edit the same. Add the below inline policy to the existing IAM role of the master node and name it appropriately like eclipse-che-route53.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:ListHostedZonesByName"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/<INSERT_ZONE_ID>"
            ]
        }
    ]
}

Update the DNS Zone ID copied earlier while creating zone

Installing cert-manager
To install cert-manager, run the following commands

$ kubectl create namespace cert-manager
namespace/cert-manager created
$ kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
namespace/cert-manager labeled

Set

validate=false

If set to true, it will only work with the latest Kubernetes:

$ kubectl apply \
  -f https://github.com/jetstack/cert-manager/releases/download/v0.8.1/cert-manager.yaml \
  --validate=false

Create the Che namespace if it does not already exist:

$ kubectl create namespace che
namespace/che created

Create an IAM user cert-manager with programatic access and below policy. Copy the Access key and Secret Access key generated for further use. This user is required to manage route53 records for eclipse.mydomain.com DNS validation during certificate creation and certificate renewal.

Policy to be used with cert-manager IAM user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:GetChange",
            "Resource": "arn:aws:route53:::change/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/*"
        },
        {
            "Effect": "Allow",
            "Action": "route53:ListHostedZonesByName",
            "Resource": "*"
        }
    ]
}

Create a secret from the SecretAccessKey content

$ kubectl create secret generic aws-cert-manager-access-key \
  --from-literal=CLIENT_SECRET=<REPLACE WITH SecretAccessKey content> -n cert-manager

To create the certificate issuer, change the email address and specify the Access Key ID.

$ cat <<EOF | kubectl apply -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: che-certificate-issuer
spec:
  acme:
    dns01:
      providers:
      - route53:
          region: eu-west-1
          accessKeyID: <USE ACCESS_KEY_ID_CREATED_BEFORE>
          secretAccessKeySecretRef:
            name: aws-cert-manager-access-key
            key: CLIENT_SECRET
        name: route53
    email: user@mydomain.com
    privateKeySecretRef:
      name: letsencrypt
    server: https://acme-v02.api.letsencrypt.org/directory
EOF

Add the certificate by editing the domain name value
(eclipse.mydomain.com) and in this case, the dnsName and the value:

$ cat <<EOF | kubectl apply -f -
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
 name: che-tls
 namespace: che
spec:
 secretName: che-tls
 issuerRef:
   name: che-certificate-issuer
   kind: ClusterIssuer
 dnsNames:
   - '*.eclipse.mydomain.com'
 acme:
   config:
     - dns01:
         provider: route53
       domains:
         - '*.eclipse.mydomain.com'
EOF

A new DNS challenge is being added to the DNS zone for Let’s encrypt. The cert-manager logs contain information about the DNS challenge.

Obtain the name of the Pods:

$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-6587688cb8-wj68p              1/1     Running   0          6h
cert-manager-cainjector-76d56f7f55-zsqjp   1/1     Running   0          6h
cert-manager-webhook-7485dd47b6-88m6l      1/1     Running   0          6h

Ensure that the certificate is ready, using the following command. It takes approximately 4-5 min for the certificate creation process to complete. Once the certificate is successfully created, you will be below output.

$ kubectl describe certificate/che-tls -n che

Status:
  Conditions:
    Last Transition Time:  2019-07-30T14:48:07Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2019-10-28T13:48:05Z
Events:
  Type    Reason         Age    From          Message
  ----    ------         ----   ----          -------
  Normal  OrderCreated   5m29s  cert-manager  Created Order resource "che-tls-3365293372"
  Normal  OrderComplete  3m46s  cert-manager  Order "che-tls-3365293372" completed successfully
  Normal  CertIssued     3m45s  cert-manager  Certificate issued successfully

Now that we have Kubernetes cluster, Ingress controller (AWS Load Balancer )and TLS certificate ready, we are ready to install Eclipse Che

Installing Che on Kubernetes using the chectl command

Chectl is the Eclipse Che command-line management tool. It is used for operations on the Che server (start, stop, update, delete) and on workspaces (list, start, stop, inject) and to generate devfiles.

Install chectl cli tool to manage eclipse che cluster. For installation instructions see, Installing chectl

You will also need Helm and Tiller. To install Helm you can follow instructions at Installing Helm

Once chectl is installed, you can install and start the cluster using below command.

chectl server:start --platform=k8s --installer=helm --domain=eclipse.mydomain.com --multiuser --tls

If using without authentication, you can skip — multiuser and start cluster as below

chectl server:start --platform=k8s --installer=helm --domain=eclipse.mydomain.com --tls
✔ ✈️  Kubernetes preflight checklist
    ✔ Verify if kubectl is installed
    ✔ Verify remote kubernetes status...done.
    ✔ Verify domain is set...set to eclipse.mydomain.com.
  ✔ 🏃‍  Running Helm to install Che
    ✔ Verify if helm is installed
    ✔ Check for TLS secret prerequisites...che-tls secret found.
    ✔ Create Tiller Role Binding...it already exist.
    ✔ Create Tiller Service Account...it already exist.
    ✔ Create Tiller RBAC
    ✔ Create Tiller Service...it already exist.
    ✔ Preparing Che Helm Chart...done.
    ✔ Updating Helm Chart dependencies...done.
    ✔ Deploying Che Helm Chart...done.
  ✔ ✅  Post installation checklist
    ✔ PostgreSQL pod bootstrap
      ✔ scheduling...done.
      ✔ downloading images...done.
      ✔ starting...done.
    ✔ Keycloak pod bootstrap
      ✔ scheduling...done.
      ✔ downloading images...done.
      ✔ starting...done.
    ✔ Che pod bootstrap
      ✔ scheduling...done.
      ✔ downloading images...done.
      ✔ starting...done.
    ✔ Retrieving Che Server URL...https://che-che.eclipse.mydomain.com
    ✔ Che status check
Command server:start has completed successfully.

Now you can open Eclipse Che portal using URL —
https://che-che.eclipse.mydomain.com/

Eclipse che has 3 components — Che , plugin-registry and devfile-registry

Challenges

Each of these component have same versioning that goes hand in hand. For eclipse che cluster to function correctly, image used for che, plugin registry and devfile registry must have same version. The current latest version is 7.13.1.

However chectl have command line option to specify only che image version. Incase if you want to use higher version of Che cluster implementation, you will need to upgrade chectl to the respective version. For example, you will need chectl version 7.12.1 to install Che, plugin-registry and devfile-registry of version 7.12.1 and so on.

Advanced Eclipse Che Configuration

By default, Eclipse che uses “common” PVC strategy which means all workspaces in the same Kubernetes Namespace will reuse the same PVC

CHE_INFRA_KUBERNETES_PVC_STRATEGY: common

Hence the challenge posed is that while using multiple worker node cluster, when the workspace pods is launched on multiple worker node, it fails as it is not able to get the EBS volume which is already mounted on other node.

Other option is to use ‘unique’ or ‘per-workspace’ which will create multiple EBS volumes to manage. Here the best solution would be to use a shared file system where we can use ‘common’ PVC strategy so that all workspaces are created under same mount.

We have used EFS as our preferred choice of its capabilities. More on EFS here

Integrating EFS as shared storage for use as eclipse che workspaces

Make EFS accessible from Node Instances. This can be done by adding node instances SG (this is created by KOPS cluster already) to SG of EFS

$ kubectl create configmap efs-provisioner --from-literal=file.system.id=fs-abcdefgh --from-literal=aws.region=ap-south-1 --from-literal=provisioner.name=example.com/aws-efs

Download EFS deploy file from below location using wget –

$ wget https://raw.githubusercontent.com/binnyoza/eclipse-che/master/efs-master.yaml

Edit efs-master.yaml to use your EFS ID (edit is at 3 places). Also update the storage size for EFS to say 50Gi and apply using below command

kubectl create --save-config -f efs-master.yaml

Apply below configurations

kubectl apply -f https://raw.githubusercontent.com/binnyoza/eclipse-che/master/aws-efs-storage.yaml
kubectl apply -f https://raw.githubusercontent.com/binnyoza/eclipse-che/master/efs-pvc.yaml

Verify using

kubectl get pv
kubectl get pvc -n che

Edit che config using below command and add below line

$ kubectl edit configmap -n che
   CHE_INFRA_KUBERNETES_WORKSPACE_PVC_STORAGEClassName: aws-efs

Save and exit. Restart che pod using below command. Whenever any changes made to che configmap, restarting che pod is required.

$ kubectl patch deployment che -p   "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"date\":\"`date +'%s'`\"}}}}}" -n che

Check the pod running status using

$ kubectl get pods -n che

Now, you can start creating workspaces and your IDE Environment from URL —

https://che-che.eclipse.mydomain.com

Limitations

Eclipse Che version 7.7.1 and below is unable to support more than 30 workspaces
In case of multiple Che clusters, creating them in same VPC leads to failure of TLS certificate creation. These seems due to rate limits imposed by Lets Encrypt

About Techpartner Alliance
Techpartner Alliance is a team of seasoned developers and IT industry leaders. Techpartner specializes in AWS and was established in 2017 by Ravindra Katti, an AWS ex-seller, and Prasad Wani, an AWS cloud architect. Follow our LinkedIn page for regular updates on latest tech trends and AWS cloud!
For more blogs visit: https://www.techpartneralliance.com/blogs/

Eclipse Che on AWS with EFS

Arunasri Maganti — Thu, 08 Aug 2024 10:17:21 +0000

This blog is for Eclipse Che 7 (Kubernetes-Native in-browser IDE) on AWS with EFS Integration.

AWS Well-Architected Framework Review: Empowering Healthcare Industry

Arunasri Maganti — Tue, 02 Jul 2024 14:45:09 +0000

Technology is quintessential in the evolving field of healthcare and life sciences to elevate patient care, automate operations and in medical research. It can be daunting to handle and enhance these technological systems. This is where the AWS Well Architected Framework with a Healthcare lens becomes extremely beneficial.

The AWS Well Architected Framework Review (WAFR) is a cloud infrastructure design and review methodology that helps you leverage the unique advantages of cloud and to secure, optimize and maintain your cloud environments. The WAFR defines six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization and Sustainability. Each of these six pillars consist of design principles which are the best practices of cloud infrastructure. The six pillars are the criteria for evaluating cloud-based infrastructures and identifying areas that require enhancement.

During the execution of the Well-Architected Framework Review for healthcare companies, the "Healthcare Lens" incorporates industry specific guidelines, design principles and best practices customized to address the distinctive requirements of the healthcare and life sciences sector. It focuses on – compliance with healthcare regulations, data security, optimizing efficacy in delivering patient care services and managing costs. It also nurtures innovation in medical research endeavors and treatment practices.

AWS Well-Architected Framework: Healthcare Lens

Operational Excellence:

Automate processes to reduce human error, ensure compliance, and maintain availability of critical healthcare services.
Key Points to review: Continuous improvement, operational monitoring, quick issue resolution.

Security:

Protect patient data with HIPAA, GDPR and other compliance frameworks, strong access controls, and encryption.
Key Points to review: Multi-factor authentication, regular security assessments, updated security protocols.

Reliability:

Ensure system resilience and quick recovery to minimize patient care disruption.
Key Points to review:
Redundancy, automated recovery, regular disaster recovery drills
RPO (Recovery Point Objective): The maximum acceptable amount of data loss measured in time.
RTO (Recovery Time Objective): The maximum acceptable time to restore the system after a failure.

Performance Efficiency:

Optimize application performance for variable workloads, especially during peak times.
Key Points to review: Auto-scaling, right-sizing, performance metric reviews.

Cost Optimization:

Manage cloud costs effectively to avoid resource wastage while maintaining quality patient care.
Nearly a third of cloud spend is wasted, highlighting the need for effective cost management (Flexera 2024 State of the Cloud Report).
Key Points to review: FinOps practices, cost allocation tags, regular resource review.

Sustainability:

Support climate goals by reducing the carbon footprint of cloud operations.
Key Points to review: Optimize energy consumption, use energy-efficient instances, leverage renewable energy.

Impact of WAFR Healthcare Lens on various Healthcare Services

Here are some key examples where applying Healthcare Lens can significantly enhance healthcare services:

1. Electronic Health Record (EHR) Systems:

Benefits: Enhances data integrity, availability, and security while ensuring compliance with healthcare regulations like HIPAA. Improves scalability and performance to handle large volumes of patient data.

2. Telemedicine and Remote Patient Monitoring:

Benefits: Increases accessibility to healthcare services, particularly in remote areas, and enables continuous health monitoring. Supports timely medical interventions and better chronic disease management.

3. Health Information Exchanges (HIE):

Benefits: Facilitates secure, real-time data sharing across different healthcare providers, enhancing interoperability and coordination of patient care. Reduces duplication of tests and procedures.

4. Clinical and Research Data Lakes:

Benefits: Centralizes clinical and research data, supporting advanced analytics and machine learning. Ensures data privacy and compliance, accelerating medical research and improving data-driven decision-making.

5. Genomic Data Processing and Analysis:

Benefits: Provides scalable compute resources for high-throughput sequencing, ensuring secure storage and compliance. Accelerates genetic research and personalized medicine initiatives.

6. AIML in Healthcare:

Benefits: Generative AI and Machine Learning is being applied to many workflows in healthcare such as predicting health outcomes, improving patient access to care, revenue cycle operations and provider workflows. Healthcare lens oversees best practices to adhere to regulatory oversight, design control obligations, and interpretability requirements.

For detailed information on these and other scenarios, refer to the AWS documentation.

The Grave Consequences of Misconfigurations in Cloud Architectures

1. Data Breaches: Misconfigurations in cloud storage and database settings has led to breaches of millions of patient records causing significant harm, particularly in the healthcare field. According to IBM Security 'Cost of a Data Breach’ report in 2023 found that the average cost of a data breach in healthcare has surged to $11 million, a 53% increase from 2020. This figure surpasses the average of $4.45 million for data breaches across industries.

2. Compliance Violations: Misconfigurations in deploying cloud architectures in the right regions can result in violation of regulations like HIPAA and GDPR. These violations can be levied very huge sums of money for fines and permanently damage an organization’s credibility and public image. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) resolved several cases of HIPAA violations leading to significant penalties in the year 2023. (HHS.gov)

3. Disruptions in Services: Downtime due to improper set up of cloud resources can affect patient care which is a crucial factor for the healthcare sector. A survey conducted by LogicMonitor revealed that 96% of participants encountered one cloud outage in the last three years with an average downtime period lasting around 7 hours.

Deliverables of the AWS Well Architected Framework Review

1. Gap Analysis Report: Detailed report on issues in cloud infrastructure and deviations from AWS best practices and compliance requirements.
2. Recommendations: Suggested actions based on their impact on the AWS six pillars, with prioritization in terms of level of risk.
3. Roadmap to Fix Issues: Outlines actions needed to fix the gaps, including timelines and resource requirements while highlighting possible dependencies.
4. Visibility on Risks: Provides clear visibility into risks associated with misconfigurations and non-compliance. This ensures one is fully aware of the consequences and is mindful of these risks.
5. Continuous Improvement Plan: Establishes processes for continuous monitoring, review, and betterment of cloud architecture.

The Well Architected Framework Review helps healthcare and life sciences organizations identify gaps and offers a plan to address security, compliance and operational issues in their cloud setups. In an industry where the stakes are high, proactive measures to mitigate risks and optimize cloud architectures are essential for long-term success.

AWS recommends conducting Well-Architected Framework Reviews (WAFRs) regularly to ensure continued alignment of cloud architectures with best practices and business objectives. Reviews should be conducted at least annually or after significant changes to the architecture. Here’s where we come in – Techpartner Alliance is an AWS advanced partner and a certified AWS-Well Architected Review Partner. This is to say, we are fully equipped to conduct the Well Architected Framework Review, especially with the Healthcare lens for your technological infrastructure. We will partner with you on your journey to build cloud infrastructure in line with the design principles of the six pillars of the Well-Architected Framework. Follow our LinkedIn Page and check out our other Blogs to stay updated on the latest tech trends and AWS Cloud.

Schedule your complimentary AWS Well-Architected Framework Assessment Now

AWS Graviton Migration - Embracing the Path to Modernization

Arunasri Maganti — Mon, 10 Jun 2024 13:03:44 +0000

Usually, companies tend to associate the idea of application modernization with drastic transformations such as migrating from large monolithic applications into microservices. Being cognizant of obsolete technology and modernizing through advanced architectures such as AWS Graviton architecture (Arm processor), makes it possible to reveal more nuanced problems. This helps keep your systems current and in tune for the performance and cost optimization actions that AWS Graviton migration provides.

Trapped with Legacy x86: Between Comfort and Opportunity

Inertia and Stability: This is because people are inclined to believe that the x86 environments are steadfast and easy to comprehend, hence many organizations are reluctant to move to the new operating environments. When everything is functioning smoothly, the urgency for change isn't felt.
Backward Compatibility: This type of argument can be referred to as the ‘double-edged sword’ since it often serves two masters; the purpose behind it is usually achieved at the cost of another. Backward compatibility is also one of the key assets that can be attributed to x86 architectures. This makes it possible to use older software to operate on newer machines despite the lack of changes. Although this can be useful in the short-term, this creates a vicious cycle where organizations and firms can remain bound to outdated software, inhibit the process of improving and enhancing these applications, and expose themselves to risks. Here's an example of how you might inventory current versions and evaluate the need for upgrades:

Resistance to Change: Changing from Intel x86 processor to Arm processor core means that users enter unknown space. Compatibility challenges, performance and operation issues combined with the fear of possible slowdowns can be quite a discouraging and daunting element to anyone willing to engage in change. Nonetheless, the move to AWS Graviton processor is a well-established process by now, with many businesses having already experienced this transition. Subject to comprehensive support from AWS and specialist partners, the migration can be smooth, thus, while reducing these risks greatly.

Risks of Outdated Architectures Lurking in the Shadows

Security Vulnerabilities: The continued use of old software versions on x86 architecture entails a considerable security risk for any organization experiencing cyber-attacks and data leakage. Exposed flaws give attackers the liberty to exploit such vulnerabilities.
Performance Degradation: This trend showcases that the longer the time between the creation of the legacy x86 architectures and modern options, the larger the performance difference becomes. Old version software is heavy and requires a lot of shop space, time, and system resources that cause slow down.
Compatibility Challenges: This incompatibility stems from the fact that as technology progresses, original x86 applications are less compatible with today’s architectural structures and specific programming languages. This results in dependencies that are difficult to overcome and stagnate the progress of technological innovations and advancement.

Journey to Modernization with AWS Graviton

Architectural Paradigm Shift: AWS Graviton requires an uncomplicated switch to Amazon’s chips with actual application modifications to deal with new architecture. Incorporating Arm processor architecture opens up extra capabilities of performance and power conservation.
Leveraging ARM's Power: Arm architecture which has logged itself as energy efficient and sound performer gives us a peep into the latest options of computing. Ultimately, AWS Graviton instances enable companies to unlock the full potential of Arm and place them on the cutting edge.
Security Fortification: Graviton use in AWS not only improves the performance of the processors but also increases security. One must seek solace in the core security measures hard-wired within the Arm architectures which comprise robust defense against cyber threats.

A Cost-Effective Modernization Solution

Distinct from other application modernization projects that could be costly and time-consuming, the migration to AWS Graviton offers an opportunity for organizations to undertake a cost-effective strategy. Effectiveness and productivity can be achieved through the means of improved migratory tendencies also not only to save costs and minimize non-essential expenditures but also to help liberate resources. AWS Graviton price and effort for migration pays for itself in the costs that you will save! AWS Graviton processors offer up to a 40% better price performance than x86 processors and help you reach your sustainability goals.

Conclusion: When it comes to application modernization, organizations face a pivotal choice: fall back to familiar x86 designs or unlock the full potential of AWS Graviton. While x86 can give a sense of security and stick with the tried-and-true, AWS Graviton shows a way for greater advancement, and optimization along with safety. Thus, to pursue AWS Graviton transformation, a company undertakes an optimization process based on technological perspectives and future opportunities to be safer and more efficient.

As a premier organization for technology partner partnerships, Techpartner Alliance is committed towards providing optimum customer support throughout your modernization process. Techpartner Alliance is an AWS certified Graviton Service Delivery Partner and an Arm partner. If you require more information or have any questions as to whether AWS Graviton would work for your organization, we provide consultation services for free. Start the journey towards the modern future with an increase in productivity now.

Follow Techpartner’s LinkedIn Page for regular updates on latest tech trends and AWS cloud!

Schedule Your Complimentary Assessment Now

AWS Cost Optimization: Top 5 Best Practices & Tools

Arunasri Maganti — Fri, 31 May 2024 13:03:33 +0000

In order to get the most return on your cloud investment, AWS cost optimization is essential. AWS continues to gain popularity and importance for the flexible and scalable infrastructure it provides to many firms out there; as a result, managing and optimizing costs plays a significant role in its organizations’ objectives of sustaining and increasing profitability while also increasing operational performance. It is crucial for your cost optimization to run through your approaches from time to time in order to save money, become more flexible, and choose the right instances for your range of business. In this blog, we dive into the top 5 AWS cost reduction strategies and AWS cost optimization tools to enable you to get the most out of your investment in AWS cloud.

Top 5 AWS Cost Optimization Best Practices

1. Right-Sizing Your Instances
Right sizing deals with the careful assessment of your usage of different resources to fit your actual requirements. This means that it is possible to avoid over-provisioning risks and save money by choosing the right instance types for services such as EC2, RDS and Redshift among others. You will need to first locate underutilized instances and then eliminate or scale back these instances, either by de-provisioning or shrinking them.

2. Save money by using savings plans & reserved instances
AWS Savings Plans provides up to 72% more cost savings than on-demand pricing on AWS EC2 instances, Fargate, and Lambda. This is because the more you commit to using it, either for 1 or 3 years consistently, you will qualify for more savings. AWS EC2 Reserved Instances are 1 or 3 year term commitments getting up to 75% off the on-demand price but for specific instances in specific regions and mostly useful for predictable loads. But you can’t decrease the instance during this period, and increasing the instance will be charged at on-demand pricing.

3. Leveraging Spot Instances
AWS EC2 Spot instances are unused AWS instances available at a bid level thus achieving discounts of 90% on an on-demand instance price. These are best used in batch processes, stateless website services, high-performance computing tasks, or big data applications and applications that can be interrupted. However, AWS can allow someone else to bid and take the instance back within two minutes if the someone has bid higher than you.

4. Optimize Storage Costs
A number of measures used in AWS S3 cost optimization ensure that storage costs are kept as low as possible while still ensuring that data is readily accessible. Store production files in S3/GLACIER and activity based storage tier migration to move production files between different storage tiers. This involves using the Amazon S3 Intelligent-Tiering option that enables the automatic moving of data based on their access. For long-term storage, principally use Amazon S3 Glacier and, even more cost-efficient, Amazon S3 Glacier Deep Archive to archive infrequently accessed data. Select the EBS volume type based on the requirement of the application and make sure that ‘Delete on termination’ checkbox is checked in order to prevent further charges when the EC2 instances are terminated.

5. AWS Auto Scaling for Cost Optimization
Use AWS Auto Scaling Groups (ASGs) to control the size of your EC2 instances rendering them either larger or smaller depending on your utilization and defined scaling policies. optimizing both performance and cost with ASGs by regularly reviewing the policies and updating them.

Top 5 AWS Cloud Cost Optimization Tools

1. AWS Cost Explorer
AWS Cost Explorer is a tool that enables users to analyze, review, control, and contain their expenditures and usage patterns on the platform over time. You can generate various reports, customize them and filter or group by various dimensions and costs. Cost Explorer forecasts future costs using historical data and alerts you to cost anomalies.

2. AWS Budgets
AWS Budgets lets you create cost and usage budgets, and informs you when a budgetary ceiling has been breached. Some of the features include having set maximum allowed cost, maximum allowed usage, maximum allowed utilization on Reserved Instance/Savings Plan, and a notification when the budgets have been surpassed. This tool can be integrated with AWS Cost Explorer, for richer visual cost analysis.

3. AWS Trusted Advisor
AWS Trusted Advisor is an on-demand resource that helps you to maximize your AWS usage by giving real-time recommendations. Cost Controller includes Unused Capacity which helps in identifying underutilized or idle resources. Reserved Instance Purchase Recommendations provide a guide to the appropriate purchase of Reserved Instances, and lastly Cost Saving Suggestions for identifying more savings.

4. Amazon Web Services Cost and Usage Report (CUR)
The AWS Cost and Usage Report is a summary of AWS costs and usage metrics that offer detailed information on the company’s expenses. Some of the main ones that appeal to most users are for example the ability to get cost and usage information precisely and in the smallest detail possible; the ability to be able to design a report in a way that the end user would need it to be designed.

5. AWS Compute Optimizer
AWS Compute Optimizer is a service that enables you to identify the optimal AWS services to use for your instances, thereby minimizing cost and improving efficiency. This includes daily and weekly usage analytics, proposing the most suitable EC2 instance types, Auto Scaling Groups, and Lambda functions optimization.

About Techpartner Alliance

Techpartner Alliance specializes in AWS and was established in 2017 by Ravindra Katti, an AWS ex-seller, and Prasad Wani, an AWS cloud architect. In our capacity as a reviewed partner of the Well-Architected Framework Review (WAR), we can perform the WAR which seeks to evaluate various architectural weaknesses in your ecosystem and then establish and implement a WAR for AWS cost management. Additionally, in our capacity as a certified service delivery partner of AWS Graviton, we can assess your workloads to migrate Graviton processors which provide up to a 40% price-performance saving compared to Intel x86 processors.

Follow our LinkedIn page for regular updates on latest tech trends and AWS cloud!

Citations:
[1] https://spot.io/resources/aws-cost-optimization/8-tools-and-tips-to-reduce-your-cloud-costs/
[2] https://www.cloudzero.com/blog/aws-cost-optimization-tools/
[3] https://www.nops.io/blog/aws-cost-optimization-tools/
[4] https://aws.amazon.com/aws-cost-management/cost-optimization/
[5] https://docs.aws.amazon.com/whitepapers/latest/cost-optimization-laying-the-foundation/reporting-cost-optimization-tools.htm