<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sabiha Ali</title>
    <description>The latest articles on DEV Community by Sabiha Ali (@sabiha_ali).</description>
    <link>https://dev.to/sabiha_ali</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F855005%2F4d6dfa70-1099-490b-b90f-7697a2118baa.jpeg</url>
      <title>DEV Community: Sabiha Ali</title>
      <link>https://dev.to/sabiha_ali</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sabiha_ali"/>
    <language>en</language>
    <item>
      <title>Let us open the Gateway Load Balancer</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Sat, 28 Jan 2023 17:21:05 +0000</pubDate>
      <link>https://dev.to/sabiha_ali/let-us-open-the-gateway-load-balancer-8d2</link>
      <guid>https://dev.to/sabiha_ali/let-us-open-the-gateway-load-balancer-8d2</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7iug8c2tijryyd24370.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr7iug8c2tijryyd24370.png" alt="Image description" width="471" height="231"&gt;&lt;/a&gt;&lt;br&gt;
Large enterprises have an established network structure with firewalls, intrusion detection and prevention systems, and deep packet inspection systems. They use tools from various vendors they trust. These tools were great for the customers, but on-prem architecture forces us to overprovision, and the whole design process is different.&lt;/p&gt;

&lt;p&gt;Now, with cloud migration in place, many of these awesome vendors are AWS partners, and in AWS Marketplace we find highly sophisticated, virtualized versions of this software. These partners bring tremendous value, decades' worth of experience and deep domain expertise. In the cloud we get elasticity, pay-as-you-go pricing and resiliency.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6hmzvgs172iddu9fgn6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm6hmzvgs172iddu9fgn6.png" alt="Image description" width="474" height="371"&gt;&lt;/a&gt;&lt;br&gt;
A Gateway Load Balancer acts as an entry point here.&lt;/p&gt;

&lt;p&gt;Gateway Load Balancers enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems.&lt;/p&gt;

&lt;p&gt;It combines a transparent network gateway (that is, a single entry and exit point for all traffic) and distributes traffic while scaling your virtual appliances with the demand.&lt;/p&gt;

&lt;p&gt;Gateway Load Balancers use Gateway Load Balancer endpoints to securely exchange traffic across VPC boundaries.&lt;/p&gt;

&lt;p&gt;A Gateway Load Balancer endpoint is a VPC endpoint that provides private connectivity between virtual appliances in the service provider VPC and application servers in the service consumer VPC.&lt;/p&gt;

&lt;p&gt;You deploy the Gateway Load Balancer in the same VPC as the virtual appliances. You register the virtual appliances with a target group for the Gateway Load Balancer.&lt;/p&gt;

&lt;p&gt;So we can put the security applications in a separate VPC and offer them as SaaS to other accounts too!!!&lt;/p&gt;

&lt;p&gt;Gateway Load Balancer is a transparent layer 3 load balancer and doesn’t produce access logs. Access logging must instead be enabled on the Gateway Load Balancer target appliances, such as firewalls, IDS/IPS, and authentication appliances, in order to collect access logs.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuieybcn4i7r7rhwthn5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnuieybcn4i7r7rhwthn5.png" alt="Image description" width="429" height="341"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;CloudWatch, VPC Flow Logs and CloudTrail :)&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46ip4rgrgrrlper5p571.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46ip4rgrgrrlper5p571.png" alt="Image description" width="705" height="515"&gt;&lt;/a&gt;&lt;br&gt;
Some key points to remember about Gateway Load Balancer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Enables you to intercept traffic and route it to a service that you’ve configured using Gateway Load Balancers.&lt;/li&gt;
&lt;li&gt;Security groups and endpoint policies are not supported.&lt;/li&gt;
&lt;li&gt;Endpoints support IPv4 traffic only.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqunbn7sabxggqe9cvofh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqunbn7sabxggqe9cvofh.png" alt="Image description" width="720" height="416"&gt;&lt;/a&gt;&lt;br&gt;
Traffic coming to your applications from the Internet (blue arrows):&lt;/p&gt;

&lt;p&gt;Traffic enters the service application VPC through the internet gateway.&lt;br&gt;
Traffic is sent to the Gateway Load Balancer endpoint, as a result of ingress routing.&lt;br&gt;
Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.&lt;br&gt;
Traffic is sent back to the Gateway Load Balancer endpoint after inspection.&lt;br&gt;
Traffic is sent to the application servers (destination subnet).&lt;/p&gt;

&lt;p&gt;Traffic from the application to the internet (orange arrows):&lt;/p&gt;

&lt;p&gt;Traffic is sent to the Gateway Load Balancer endpoint as a result of the default route configured on the application server subnet.&lt;br&gt;
Traffic is sent to the Gateway Load Balancer for inspection through the security appliance.&lt;br&gt;
Traffic is sent back to the Gateway Load Balancer endpoint after inspection.&lt;br&gt;
Traffic is sent to the internet gateway based on the route table configuration.&lt;br&gt;
Traffic is routed back to the internet.&lt;/p&gt;

&lt;p&gt;Happy Learning Guys!!!!&lt;/p&gt;

&lt;p&gt;By Sabiha Ali, Solutions Architect, ScaleCapacity&lt;/p&gt;

</description>
      <category>writing</category>
      <category>community</category>
      <category>gratitude</category>
    </item>
    <item>
      <title>Let us Build the Wall of WAF</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Sat, 28 Jan 2023 17:15:15 +0000</pubDate>
      <link>https://dev.to/sabiha_ali/let-us-build-the-wall-of-waf-2khm</link>
      <guid>https://dev.to/sabiha_ali/let-us-build-the-wall-of-waf-2khm</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnrmcrycs2ca6omleoxqs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnrmcrycs2ca6omleoxqs.png" alt="Image description" width="619" height="466"&gt;&lt;/a&gt;&lt;br&gt;
AWS WAF: Web Application Firewall&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa37o89trx2e1ul6gnep4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa37o89trx2e1ul6gnep4.png" alt="Image description" width="711" height="410"&gt;&lt;/a&gt;&lt;br&gt;
Yes, we do have NACLs, which act as a network firewall, but to protect ourselves from application-layer attacks we use WAF. Traffic that seems harmless to the NACL can carry an attack such as SQL injection, HTTP flood, cross-site scripting and many more.&lt;/p&gt;

&lt;p&gt;The ultimate motive of any web application is to serve the clients but not all clients are ideal, some are attackers or bots designed to attack the web application.&lt;/p&gt;

&lt;p&gt;WAF lets us configure rules that allow, block, or monitor (count) web requests based on conditions that you define.&lt;/p&gt;

&lt;p&gt;These conditions can include IP addresses, HTTP headers and body, or custom URIs.&lt;/p&gt;

&lt;p&gt;You can set up rules like Rate Based Blocking to automatically block bad traffic, or respond immediately to incidents. Here the WAF keeps a count of how many requests are allowed for a particular type of client. If they exceed the limit, they are blocked.&lt;/p&gt;

&lt;p&gt;We also have WAF Managed Rules, which help us deploy pre-configured rules to protect your applications against common threats such as application vulnerabilities. All Managed Rules are automatically updated by AWS Marketplace security Sellers.&lt;/p&gt;

&lt;p&gt;After configuring all the rules, we put them together in a WACL (Web Access Control List).&lt;/p&gt;

&lt;p&gt;With WAF we can also configure the response body which the user gets when traffic is blocked for them.&lt;/p&gt;

&lt;p&gt;Happy learning guys !!!&lt;/p&gt;

</description>
      <category>tooling</category>
      <category>discuss</category>
      <category>productivity</category>
    </item>
    <item>
      <title>Columnar database and Row database — how are they different?</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Sat, 28 Jan 2023 17:09:34 +0000</pubDate>
      <link>https://dev.to/sabiha_ali/columnar-database-and-row-database-how-are-they-different-ofn</link>
      <guid>https://dev.to/sabiha_ali/columnar-database-and-row-database-how-are-they-different-ofn</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ONQmPO-Z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fsnd9kbpdfunk0h0y7ja.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ONQmPO-Z--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fsnd9kbpdfunk0h0y7ja.png" alt="Image description" width="800" height="800"&gt;&lt;/a&gt;&lt;br&gt;
We want our databases to be fast, so that the queries we run return their results quickly.&lt;/p&gt;

&lt;p&gt;By changing how we store the data, we can make the database respond to queries faster and optimize it to serve either the analytical workload or the transactional workload, which we call OLAP and OLTP.&lt;/p&gt;

&lt;p&gt;Computers in general, databases included, read data from hard disks. We are not talking about data in RAM, which is lost once the computer is shut down, but about the hard disks where the data is stored permanently.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--VWBpWA25--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rzxsatmeuyt5m6loavd8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--VWBpWA25--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rzxsatmeuyt5m6loavd8.png" alt="Image description" width="184" height="123"&gt;&lt;/a&gt;&lt;br&gt;
On these storage disks, data is stored in the form of blocks. It is evident that the fewer blocks the computer has to read, the less time it takes, and the more blocks it has to read, the more time it takes.&lt;/p&gt;

&lt;p&gt;If the data which we query are on fewer blocks, then the response of the database would be faster.&lt;/p&gt;

&lt;p&gt;Let us understand this with an example&lt;/p&gt;

&lt;p&gt;This is a sample sales table&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cB5DzMFj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/l71lpd7oycohhs0ic001.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cB5DzMFj--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/l71lpd7oycohhs0ic001.png" alt="Image description" width="434" height="216"&gt;&lt;/a&gt;&lt;br&gt;
Let us see how this data will be stored in a row-based data store.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s---YrDLNKo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ewtt62b746k095th5up0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s---YrDLNKo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ewtt62b746k095th5up0.png" alt="Image description" width="468" height="163"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the row-based format, the entire record is stored in one block. As you can see in the figure, the record of the first customer (the customer name, item ID, and sales amount) is stored in the first block.&lt;/p&gt;

&lt;p&gt;Therefore, if we are looking for the first customer's details, we can find them all in one single block. This type of data store is great for transactional databases, where we need the details of a single entity.&lt;/p&gt;

&lt;p&gt;If I have to take the average of all the sales, then I would have to scan through all five blocks of data, resulting in more IO and more cost.&lt;/p&gt;

&lt;p&gt;Let us see how this data will be stored in a column-based data store.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jN9Rh8tr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fnd7dtbtxv8dymzhvwpd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jN9Rh8tr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fnd7dtbtxv8dymzhvwpd.png" alt="Image description" width="468" height="109"&gt;&lt;/a&gt;&lt;br&gt;
Data in column stores is stored differently. Here entire columns are written inside one block, so we have all the customer names in one block, all the item IDs in the next block and all the sales amounts in the third block.&lt;/p&gt;

&lt;p&gt;So, instead of having each customer’s data together, we have the whole column of data together.&lt;/p&gt;

&lt;p&gt;If I want to access the sum or the average of all the sales amounts, this database would be fast because everything would be saved in one single block.&lt;/p&gt;

&lt;p&gt;I will use this type of database for analytical queries like sums, averages etc.&lt;/p&gt;

&lt;p&gt;A columnar database is also very suitable for compression, because each block holds the same type of data (numbers, strings etc.), so the data in the block can be compressed efficiently.&lt;/p&gt;

&lt;p&gt;How would queries work with these different storage methods?&lt;/p&gt;

&lt;p&gt;Transactional style query, e.g.:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;SELECT Customer_name, Sales
FROM data
WHERE Item_ID = 3000;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;This is a transactional style query where we need all details of one person.&lt;/p&gt;

&lt;p&gt;In the row database, we need to scan the data from just one block whereas in the columnar database we would have to scan through a lot of blocks.&lt;/p&gt;

&lt;p&gt;Analytical style query, e.g.:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;SELECT Item_ID, count(1)
FROM data
GROUP BY Item_ID;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Here we want to count how many observations we have for each Item_ID, which could be done by reading a single block in the columnar database, whereas in the row database we would have to scan through all the blocks.&lt;/p&gt;

&lt;p&gt;Happy Databasing !!!!&lt;/p&gt;

&lt;p&gt;By Sabiha Ali, Solutions Architect, ScaleCapacity Inc.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>database</category>
      <category>analytics</category>
      <category>olap</category>
    </item>
    <item>
      <title>Let Us Decipher the ARN</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Thu, 19 Jan 2023 02:44:59 +0000</pubDate>
      <link>https://dev.to/sabiha_ali/let-us-decipher-the-arn-2jl6</link>
      <guid>https://dev.to/sabiha_ali/let-us-decipher-the-arn-2jl6</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fso4k12g9z0nms54jasye.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fso4k12g9z0nms54jasye.png" alt="Image description" width="555" height="842"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgud5lco3620ywq2dhm2m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgud5lco3620ywq2dhm2m.png" alt="Image description" width="550" height="803"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61igl6soe7enkmnopfit.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F61igl6soe7enkmnopfit.png" alt="Image description" width="550" height="737"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5eior9089q4q6218a7mf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5eior9089q4q6218a7mf.png" alt="Image description" width="550" height="747"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fouf4bbxpvh7rq3ggs7sr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fouf4bbxpvh7rq3ggs7sr.png" alt="Image description" width="636" height="646"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>scalability</category>
      <category>production</category>
      <category>discuss</category>
    </item>
    <item>
      <title>Let us Understand IPV6</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Thu, 19 Jan 2023 02:38:05 +0000</pubDate>
      <link>https://dev.to/sabiha_ali/let-us-understand-ipv6-3lhk</link>
      <guid>https://dev.to/sabiha_ali/let-us-understand-ipv6-3lhk</guid>
      <description>&lt;p&gt;In AWS, when you create a VPC, it's a private space. All AWS resources are not automatically given a public IPV4 address. The resources in the private subnets cannot communicate with the public internet directly, so we use a process called NAT- Network Address Translation. To understand NAT better look into (NAT Gateway).&lt;/p&gt;

&lt;p&gt;With IPV6 the poverty of IP addresses have come to an end. There is no realistic challenge of running out of IPV6, so there is no concept of Public and Private IP addresses. No need of NAT. The number of IPV6 addresses are so huge that even if you pin one IPV6 address to every single thing in the world it wont be exhausted. So its no surprise that all IPV6 addresses within AWS are publicly routable.&lt;/p&gt;

&lt;p&gt;How do we enable IPV6 in a VPC in AWS?&lt;/p&gt;

&lt;p&gt;Step 1: We have to enable IPV6 on a VPC. We can either bring our own IPV6 range or use the range from AWS (the more common approach). AWS allocates a unique /56 range of IPV6. What makes it unique in the range is the hex pair which is used at the end of the IP. The hex pair can range from 00 to ff, accounting for 256 separate /64 networks in a VPC.&lt;/p&gt;

&lt;p&gt;Step 2: We enable the IPV6 range for the subnets as well.&lt;/p&gt;

&lt;p&gt;Step 3: Add proper route entries in the route tables.&lt;/p&gt;

&lt;p&gt;Routing of IPV6 is handled separately from IPV4, so we have the same route tables and the same internet gateway but different routes: IPV4 routes and IPV6 routes. So now the IGW (the internet gateway of the VPC) can route both incoming and outgoing traffic.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--X67--C7J--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/osltgsy4z3vyz4kfahhz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--X67--C7J--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/osltgsy4z3vyz4kfahhz.png" alt="Image description" width="665" height="476"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We had the gift of a NAT gateway while using our IPV4 addresses, which would protect our instances from traffic generated outside the VPC. But now we know that IPV6 does not support NAT. There is, however, an equivalent to NAT here: the Egress-only Internet Gateway. This allows traffic out but not in. You need to make minor changes in the route tables for this.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--wevPhXnh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/igux3046sef1fqc3gq9c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--wevPhXnh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/igux3046sef1fqc3gq9c.png" alt="Image description" width="665" height="142"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And yes a single VPC can have both IGW and Egress Only IGW.&lt;/p&gt;

&lt;p&gt;Another important point about the Egress only IGW is it is stateful and you cannot associate a security group with it.&lt;/p&gt;

&lt;p&gt;Step 4: Configure the IPV6 on the services wherever you want. Also remember not all AWS services support IPV6.&lt;/p&gt;

&lt;p&gt;Happy Learning Guys !!!!&lt;/p&gt;

&lt;p&gt;Sabiha Ali, Solutions Architect, ScaleCapacity&lt;/p&gt;

</description>
      <category>aws</category>
      <category>network</category>
      <category>ipv6</category>
      <category>cloud</category>
    </item>
    <item>
      <title>ALB Vs NLB</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Thu, 19 Jan 2023 02:31:57 +0000</pubDate>
      <link>https://dev.to/sabiha_ali/alb-vs-nlb-1cna</link>
      <guid>https://dev.to/sabiha_ali/alb-vs-nlb-1cna</guid>
      <description>&lt;p&gt;Listed below are some features of NLB and ALB which can help us choose the right load balancer in the right scenarios.&lt;/p&gt;

&lt;h2&gt;Layers and Protocols&lt;/h2&gt;

&lt;p&gt;The Application Load Balancer is a layer 7 load balancer and it listens on HTTP &amp;amp; HTTPS. That means it understands the information carried by the HTTP or HTTPS protocol, but it will not understand any other layer 7 protocols like SMTP, SSH or other custom protocols.&lt;/p&gt;

&lt;p&gt;Network Load Balancers function at layer 4, so they are layer 4 devices. This means that they can interpret TCP and UDP but cannot understand HTTP or HTTPS.&lt;/p&gt;

&lt;h2&gt;Session Stickiness&lt;/h2&gt;

&lt;p&gt;The Application Load Balancer is a layer 7 load balancer and can read layer 7 content such as custom headers, user location and application behavior, so it can inspect this content and make decisions based on it. It supports cookies and session stickiness.&lt;/p&gt;

&lt;p&gt;NLBs cannot understand headers or cookies and do not have any session stickiness, because these are layer 7 entities and the NLB works at layer 4.&lt;/p&gt;

&lt;h2&gt;Unbroken SSL Passthrough&lt;/h2&gt;

&lt;p&gt;One thing to take care of with the ALB is that the connection is always terminated on the ALB, so you cannot have unbroken SSL from your customers to the application; instead, every connection is terminated at the load balancer and a new connection is made to the application behind it. So an SSL certificate is mandatory on the ALB if you are expecting HTTPS traffic. Unbroken SSL can be very important to security teams, and because of this they sometimes tend to leave out the ALB.&lt;/p&gt;

&lt;p&gt;Network Load Balancers, in contrast, can forward TCP straight to the backend instances, which means encryption can stay unbroken, without the load balancer terminating the connection and creating a new one.&lt;/p&gt;

&lt;h2&gt;Speed&lt;/h2&gt;

&lt;p&gt;Application Load Balancers are slower than Network Load Balancers. Why? Network Load Balancers work at layer 4 whereas Application Load Balancers work at layer 7, so the Application Load Balancer has more layers of the network stack to process, and the more processing there is, the slower the results. So if you are very keen on performance, you will have to think about going for Network Load Balancers. The wonderful thing about Network Load Balancers is that they are really fast and can handle up to millions of requests per second.&lt;/p&gt;

&lt;h2&gt;Health Checks&lt;/h2&gt;

&lt;p&gt;Network Load Balancers and Application Load Balancers can both do health checks, but Network Load Balancers can merely check connection health. They only check the ICMP ping and TCP handshake; they are not application aware and cannot check application health. The Application Load Balancer, in addition to checking for a successful network connection, also evaluates application health.&lt;/p&gt;

&lt;h2&gt;Static IP Support&lt;/h2&gt;

&lt;p&gt;Another advantage of the Network Load Balancer is that it can have a static IP configured, which is useful for whitelisting if you have any corporate client firewalls.&lt;/p&gt;

&lt;h2&gt;PrivateLink Support&lt;/h2&gt;

&lt;p&gt;Another important thing about the Network Load Balancer is that it can be used with PrivateLink to provide services to other VPCs.&lt;/p&gt;

</description>
      <category>discuss</category>
    </item>
    <item>
      <title>AWS Data Lake</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Thu, 19 Jan 2023 02:15:46 +0000</pubDate>
      <link>https://dev.to/sabiha_ali/aws-data-lake-5gf8</link>
      <guid>https://dev.to/sabiha_ali/aws-data-lake-5gf8</guid>
      <description>&lt;p&gt;If you want your organization to successfully generate business value from their data, you will be doing some kind of analytics with your data like machine learning over files like log files and click streams and social media or Internet connected devices. Traditional data storage and analytic tools can no longer provide the agility and flexibility required to deliver relevant business insights. That’s why many organizations are shifting to a data lake architecture.&lt;/p&gt;

&lt;p&gt;Let us assume you have an organization, which is receiving data from many sources giving you some examples let’s say you are getting some data from on premises you’re also getting some data from your website clicks you are also getting some CSV files to analyze, and you also want to do some machine learning analysis on some of this data.&lt;/p&gt;

&lt;p&gt;All this data is essential to be stored for analysis, some of this data could be purged after some time and some must be retained for longer period of time.&lt;/p&gt;

&lt;p&gt;A data lake is a centralized repository that allows you to store all your structured and unstructured data at any scale.&lt;/p&gt;

&lt;p&gt;Can we say that this is the same as a data warehouse? That is a good question, but a data warehouse is a database optimized to analyze relational data coming from line-of-business applications. It already has a data structure optimized for fast SQL queries, whereas a data lake stores not only relational data but also non-relational data, and the schema is never defined when the data is captured.&lt;/p&gt;

&lt;p&gt;AWS uses S3 as your data lake foundation. This will also eliminate server management.&lt;/p&gt;

&lt;p&gt;When we build a data lake on Amazon S3 we can integrate it with other native AWS services to run:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;big data analytics&lt;/li&gt;
&lt;li&gt;artificial intelligence&lt;/li&gt;
&lt;li&gt;machine learning&lt;/li&gt;
&lt;li&gt;high performance computing&lt;/li&gt;
&lt;li&gt;media processing applications etc.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To gain insights from the unstructured data we can couple it with services like AWS Lake Formation and AWS Glue, which simplify the creation of the data lake itself and the analysis of the curated data in it.&lt;/p&gt;

&lt;p&gt;Services like AWS Glue, Amazon EMR and Amazon Athena also make it very easy to query your data lake directly.&lt;/p&gt;

&lt;p&gt;Happy Learning!!!!!!&lt;/p&gt;

&lt;p&gt;By Sabiha Ali, Solutions Architect, ScaleCapacity&lt;/p&gt;

</description>
      <category>gratitude</category>
    </item>
    <item>
      <title>CloudFront Standing In the Front</title>
      <dc:creator>Sabiha Ali</dc:creator>
      <pubDate>Sat, 07 May 2022 14:44:38 +0000</pubDate>
      <link>https://dev.to/aws-builders/cloudfront-standing-in-the-front-5fg5</link>
      <guid>https://dev.to/aws-builders/cloudfront-standing-in-the-front-5fg5</guid>
      <description>&lt;p&gt;What stands at the front of the cloud to take the traffic? Yes, it is CloudFront.&lt;/p&gt;

&lt;p&gt;Let’s say you have built an awesome application and you are running it from your home country, but now people from all around the world are big fans of your app and want to access it from different corners of the world, while your server resides in your home country.&lt;/p&gt;

&lt;p&gt;We want people to be able to access this application of yours with high transfer speed and very low latency, but on the internet, the traffic has to go through a very long path.&lt;/p&gt;

&lt;h2&gt;
  
  
  EDGE LOCATIONS:
&lt;/h2&gt;

&lt;p&gt;So how do we reduce this latency? Here CloudFront comes to our rescue. AWS has a network of more than 200 edge locations. What are these edge locations??? They are locations where AWS caches your data. No, no, no, edge locations are not for you to access; an edge location is a place where AWS caches the data so that it can be served faster.&lt;/p&gt;

&lt;h2&gt;
  
  
  REGIONAL EDGE CACHE:
&lt;/h2&gt;

&lt;p&gt;Well, there is another thing called the Regional Edge Cache, for things which are not accessed very frequently but still need to be cached. One Regional Edge Cache supports a number of edge locations in that geographical area.&lt;br&gt;
The Regional Edge Cache is not supported by an S3 origin; it is only supported by custom origins (on-prem servers, EC2, S3 website ..)&lt;/p&gt;

&lt;p&gt;So the story goes like this: User A asks for your application's content and the edge location is checked for the content. If the edge location does not have it, it's called a cache miss :( Now the edge location asks the Regional Edge Cache, "Do you have this content?" The Regional Edge Cache says, "Oh, I don’t have this". Then an origin fetch happens: the Regional Edge Cache goes to the origin, gets the content, stores it and also distributes it to the edge location. User B now comes and asks for the same content, and the edge location is checked for the content. Now the edge location has it, and it's called a cache hit :) So, without any latency the content is served, and any future customers asking for this content are served almost immediately without having to go all the way to the other side of the world to fetch it. This is the magic of CloudFront.&lt;/p&gt;

&lt;h2&gt;
  
  
  TTL:
&lt;/h2&gt;

&lt;p&gt;When we create a CloudFront distribution, we also define a &lt;strong&gt;TTL (Time to live)&lt;/strong&gt; for the object in the edge location. When this time to live is reached, does the edge location completely remove the object? No. It goes back and asks the origin, "Is there any change in the object?" If there is no change in the object and the edge location can continue caching it, the origin returns a &lt;strong&gt;304 Not Modified&lt;/strong&gt; code. If there is some change, the origin returns a &lt;strong&gt;200 OK&lt;/strong&gt; code, which means the object has been modified, and the edge location fetches the object again from the origin.&lt;/p&gt;

&lt;h2&gt;
  
  
  INVALIDATIONS:
&lt;/h2&gt;

&lt;p&gt;Imagine that one of the pictures in your content is faulty. It is not the picture you meant to be in the content.&lt;br&gt;
Now when User A comes and asks for the picture, the faulty picture is served to them through the edge location after being cached there. Then you realize that the picture is faulty, so you immediately go to your origin and replace the image with the correct one. Now User B comes and asks for the same image. Guess which picture is served to User B? Again the faulty picture is given to the user, because that is the one cached in the edge location.&lt;br&gt;
So even though you have changed it at the origin, the change is not reflected in the edge location because, according to CloudFront, the object still has some time to live (TTL) in the edge location. If you want to remove it from the edge locations, you perform an action called &lt;strong&gt;invalidation&lt;/strong&gt;. Yes, thankfully there is a process called invalidation which can immediately remove the content from the edge location, but mind you, this will cost you.&lt;/p&gt;

&lt;h2&gt;
  
  
  CERTIFICATES:
&lt;/h2&gt;

&lt;p&gt;For a website to be viewed as a secure website, you have to pick a name for it and generate a certificate or have one generated for it.&lt;br&gt;
The certificate is signed and is used to prove the identity of the website, so the DNS name is attached to the certificate.&lt;br&gt;
When you set up a CloudFront distribution, you get a default domain name. This default domain name does not make much sense: it starts with a random name and ends in cloudfront.net. The good thing is that it enables HTTPS access to your distribution by default, so you have HTTPS without any additional requirements. A CloudFront distribution is supplied with a default CloudFront certificate. But you would like to use your own domain name with CloudFront. Won’t you??? You wouldn’t want to use this random name.&lt;br&gt;
And if you want to use your own domain name, you have to have a certificate matching this domain name. You can generate your own certificate or import a certificate using ACM. Remember that CloudFront is a global service in AWS and the certificate has to be generated in the North Virginia region only.&lt;/p&gt;

&lt;h2&gt;
  
  
  SNI:
&lt;/h2&gt;

&lt;p&gt;In 2003 an additional extension was added to the TLS protocol, and it was called SNI (Server Name Indication). It lets the client tell the server which domain name it wants to access, and all this happens during the TLS handshake itself. So even before reaching the HTTPS layer, the host is named in the network layer itself. A server can therefore host many HTTPS websites with a single IP address. But if the clients don't support SNI, this capability is of no use. If you’re dealing with browsers which do not support SNI, you will have to have a dedicated IP at the edge location, and this will cost money.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Happy Learning Guys!!!!&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloud</category>
      <category>security</category>
      <category>architecture</category>
    </item>
  </channel>
</rss>
