DEV Community: CodingPanda

Balancing cost and Resilience

CodingPanda — Thu, 20 Jun 2024 16:06:52 +0000

Resilience in Cloud Architecture

Resilience refers to an infrastructure's ability to recover quickly from failures or disruptions and continue operating smoothly. In cloud computing, resilience patterns are designed to ensure that applications remain available and performant even in the face of challenges⁶. When architecting workloads for resilience, several factors come into play:

Design Complexity: As system complexity increases, so do the emergent behaviors. Each individual workload component must be resilient, and single points of failure across people, processes, and technology elements should be eliminated. Consider whether increasing system complexity or using a disaster recovery (DR) plan is more effective for meeting your resilience requirements.
Cost to Implement: Higher resilience often involves new software and infrastructure components, which can increase costs. However, these costs should be offset by potential savings from future loss. Shifting mission-critical workloads to the cloud can avoid expensive capital investments in hardware replacement.
Operational Effort: Continuously optimizing deployments, scripting processes, and keeping things simple contribute to operational excellence. Efficiently creating resources and deploying code is crucial for resilience.
Effort to Secure: Resilience also involves securing your systems. Implementing security measures without compromising availability is essential. Consider encryption, access controls, and monitoring.
Environmental Impact: Architecting for resilience affects the environment. Evaluate the trade-offs between resource usage, energy consumption, and sustainability.

Achieving Resilience with Cost Efficiency

To achieve sweet resilience with minimal cost, consider the following strategies:

Operational Excellence: Continuously optimize deployments, script processes, and keep things simple. The key question is how quickly you can create resources and deploy code.
Identify Critical Resources: Determine which resources are critical for your application. Configure failover and replication for these resources. Most resources can be replicated in a secondary region, ensuring availability even during disasters.

Remember, achieving the right balance between cost and resilience depends on your specific product and business needs. Assess whether the 4x cost increase for maximum resilience is truly worth it, or if a more cost-effective approach can still provide adequate protection.

Balancing cost and Resilience

CodingPanda — Thu, 20 Jun 2024 16:06:32 +0000

Resilience in Cloud Architecture

Design Complexity: As system complexity increases, so do the emergent behaviors. Each individual workload component must be resilient, and single points of failure across people, processes, and technology elements should be eliminated. Consider whether increasing system complexity or using a disaster recovery (DR) plan is more effective for meeting your resilience requirements.
Cost to Implement: Higher resilience often involves new software and infrastructure components, which can increase costs. However, these costs should be offset by potential savings from future loss. Shifting mission-critical workloads to the cloud can avoid expensive capital investments in hardware replacement.
Operational Effort: Continuously optimizing deployments, scripting processes, and keeping things simple contribute to operational excellence. Efficiently creating resources and deploying code is crucial for resilience.
Effort to Secure: Resilience also involves securing your systems. Implementing security measures without compromising availability is essential. Consider encryption, access controls, and monitoring.
Environmental Impact: Architecting for resilience affects the environment. Evaluate the trade-offs between resource usage, energy consumption, and sustainability.

Achieving Resilience with Cost Efficiency

To achieve sweet resilience with minimal cost, consider the following strategies:

Operational Excellence: Continuously optimize deployments, script processes, and keep things simple. The key question is how quickly you can create resources and deploy code.
Identify Critical Resources: Determine which resources are critical for your application. Configure failover and replication for these resources. Most resources can be replicated in a secondary region, ensuring availability even during disasters.

0 downtime is a myth with deployment slots

CodingPanda — Mon, 10 Jun 2024 09:54:43 +0000

Are you using Azure App service deployment slots? Is it really zero downtime?

The answer might vary, but my response is both “yes” and “no.” It’s “yes” if you have a SPA (Single Page Application). However, if you’re dealing with a complex project that has interdependencies among multiple web applications or services, the answer is “no.”

In my case, we had multiple web services with interdependencies. Our product was a single instance for each customer. Additionally, there were post-deployment jobs to run. Azure App Service takes more time to perform a swap over direct deployment, and the warm-up time for slots can vary. The Infrastructure as Code (IaC) also becomes increasingly complex.

Our product consisted of around five core components, and we had a database along with custom configurations (not AppSettings or connection strings) that couldn’t be moved to App Service due to legacy support. To update the components, we first had to update the database, which would temporarily bring down the service endpoint. Unfortunately, all workarounds failed to achieve true “zero downtime,” and the custom configurations introduced additional downtimes.

we were using the staged slots for around 2+ years and we realized the following on slots based deployments

Overhead and Management:
While deployment slots provide flexibility, managing multiple slots can introduce additional overhead. Each slot may require separate DNS records, network rules, SSL certificates, and other configurations.
If you choose separate app services instead of slots, you avoid this overhead but lose some benefits like seamless swapping and prewarming.
Complexity in Pipelines:
When using deployment slots in DevOps pipelines, be cautious about swapping across environments. Improper use can lead to unexpected results.
It’s essential to understand the behavior of slots during swaps and ensure proper testing to avoid downtime and longer deployments3.
Increased Cost\Time\IaC complexity.
Stage slots demand unique resources apart from prod but that will end up in increasing cost and deployment time.

Considering all these challenges, we decided not to use slots. As a result, we observed a drastic increase in deployment speed by 4X, and we reduced costs by almost 1.2X. Instead, we now create a new test infrastructure, test the product, and deploy directly to production

Trick to get Free SSL certificate for azure application gateway

CodingPanda — Mon, 20 May 2024 06:06:21 +0000

"We all know that SSL Certificates come with an expiry of 1 year or less. This is because certificates can also be breached or cloned, and it’s a best practice to change the certificate every month. However, if you are purchasing from well-known providers, the minimum duration will be 1 year, and it can be expensive.

While trying to configure the App Service Certificate, I discovered an impressive solution to this recurring cost - the App Service Managed Certificate. This certificate is managed by the app service and is free, but it has some limitations. It doesn’t allow wildcard certificates, and we can’t export it outside of the app service. This is suitable when we only have an app service, but in our architecture, we also have an application gateway that requires a TLS/SSL certificate.

Upon further research, I found a solution for this. The application gateway can be created with a private certificate, but browsers will not trust this certificate from an unknown CA provider. To avoid this, one has to install this certificate to the trusted root on local machines to allow browsers to trust this certificate.

Later, I found that there are better, free, automated, and open Certificate Authority (CA) providers, and the best one I found was LetsEncrypt.

Provided by the Internet Security Research Group (ISRG),
It can be easily integrated with our Azure Application Gateway.
Certificate renewal can be automated,

giving us full control over certificate expiry. By this, we can set SSL expiry to 90 days and renew every 60 days or even during every product release, so we never fall into the trap of expiry. Also, the younger the SSL/TLS certificate, the more immune it is against security attacks.

The App Service Managed Certificate is now in General Availability for both apex domains and sub-domains. This feature allows customers to secure their custom domains on Linux and on Windows with an SSL certificate.