Basic Cloud Operations

This is a guide on basic cloud operations.

This is the Ankr Power Bank I have. It has been great and reliable when I go on trips or when I get on my laptop to write somewhere away from home.

Cloud Computing Definitions and Roles

Okay, the first thing we want to do is actually define what cloud computing is or really, more specifically, define what a cloud is. And if you think about it, a cloud is just a bunch of things grouped together. Think about water particles up in the atmosphere. You group them together, they become visible, a cloud. I just watched a TV show called Valley of the Boom. And it was basically back in the 90s during the emergence of Netscape Navigator 2.0, the first big browser, and their battle with Microsoft.

But they talked about America Online. AOL was in New York in the early 1990s, and they basically had cloud computing. It was basically a cloud of thousands upon thousands of racked dial-up modems. So the concept is actually not that new. Now, what we're looking at here is the official NIST, N-I-S-T, definition.

Okay, cloud computing is a model for enabling convenient, on-demand, networked access to a shared pool of configurable computing resources. Anywhere you have connectivity to the Internet, you can get access to this pool of computing resources. For example, networks, servers, storage, applications, and various services, like IoT, blockchain, and graph and document databases. And they're rapidly provisioned and released with minimal management effort or interaction with the service provider.

[Video description begins] Amazon Web Services is abbreviated to AWS. [Video description ends]

So according to Amazon Web Services, cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform via the Internet with pay-as-you-go pricing. So compute resources can be server based, or they can even be serverless. For example, Amazon Web Services Lambda code or Google Cloud Functions. But if they're server based, typically they're going to be Windows and Linux servers.

You'll also see relational and NoSQL databases, object storage, applications, and other managed services like machine learning, artificial intelligence, and blockchain. Here are some of the advantages of cloud computing. First, you're going to trade capital expense for variable expense. So instead of having to invest a lot of money and resources in your own data center, in your own server farms, before you even know how you're going to use them, or what the capacity is, you can just pay for what you consume.

Pay for what you need on an ad hoc basis at a cloud provider. And you can use the leftover capital expenses for other things. For example, hiring new developers. Cloud computing benefits from massive economies of scale. By using cloud computing, you get a lower variable cost than you'd get on your own. Because basically you're taking advantage of the fact that hundreds of thousands of customers are aggregated in the cloud.

And so Google Cloud Platform and Amazon Web Services get these higher economies of scale. And that translates into lower prices, lower cost for your organization. Also, you can eliminate guessing on your infrastructure capacity needs. If you make a decision based on capacity prior to deploying an application or a service, you either end up sitting on the expensive idle resources or you deal with limited capacity.

When you use cloud computing, these problems are eliminated, because you can access as much or as little as you need. And you can scale up or scale down with elasticity as required in a matter of minutes, and sometimes even seconds. Cloud computing increases speed and agility. In a cloud environment, new IT resources are just a click away.

So you can reduce the time necessary to make those resources available to your developers in just a matter of minutes, instead of days or weeks. This results in a dramatic increase of development agility for the organization, because rapid deployment now truly becomes rapid. You can stop spending money on running and maintaining your data center. That allows you to focus on projects, and components, and solutions that actually give your business an advantage, instead of putting out huge outlays for infrastructure.

You can focus on your own customers instead of the heavy lifting of building out a data center or a server farm, and you can go global in minutes. You can deploy an application or a mobile app in multiple regions around the world with just a few clicks of the graphical interface or a few lines in the console. And it's done with lower latency and a better customer experience at much lower cost. Some of the key enabling technologies are fast and highly available wide-area networking.

You're taking advantage of the fact that organizations like IBM Cloud, Oracle Cloud, Microsoft Azure, Google Cloud Platform, and Amazon Web Services have regions all over the world, on every continent. And within those regions, they have data centers that are connected with high speed networking, with fiber, and emerging 100 gigabit Ethernet.

You get powerful and inexpensive server computing for the consumer. And when I say it's inexpensive, I mean from the customer's side. So for example, this workstation I'm using right now, as I make this training, is a pretty powerful workstation. It's a dual processor, and each processor has six cores. Each one of the processors originally cost about $1,500, so this is about a $4,500 to $5,000 workstation that I'm using right now.

Well, think about this. If you wanted to roll out a new startup company, and you had to hire ten developers, and you wanted to get ten of them these kinds of machines, that'd be over $40,000. Instead, you can take advantage of the cloud and spend that $40,000 in the cloud or on other resources. For example, advertising and marketing campaigns, or research and development, or other new emerging services and products from your cloud provider.

Cloud computing is enabled by high-performance virtualization on commodity hardware. The cloud providers are going to use Type 1 hypervisors, or bare-metal hypervisors, using platforms like Xen, vSphere, KVM, OVM, and others. You also take advantage of the fact that the provider offers a wide variety of visibility tools, monitoring and reporting, advanced automation, and orchestration tools.

All in all, cloud computing is a fantastic solution for almost any application, service, or project. Next, I want to talk about the five key characteristics of cloud computing, and this is according to NIST. The first one, and actually one of the most significant characteristics, is providing on-demand service.

And that's where a customer can get computing resources in a unilateral fashion, in other words, without requiring any human interaction with the provider's staff. So they can use a graphical interface, for example, to get server time, to get network storage, even serverless functions on an ad hoc basis or as needed, without waiting on a human to react.

[Video description begins] Cloud computing provides on-demand self-service with a user-friendly interface. [Video description ends]

Secondly is that you have broad and varied network access to resources. So you have various capabilities over the network. You can use HTTP over the Internet. You can use SSL/TLS. You can use VPN services, either managed from the provider or customer VPN services. Also from a wide variety of different endpoints and client devices or platforms, whether they be thin or thick platforms, mobile phones, tablets, laptops, workstations, basically anywhere where you have a decent level of Internet access.

The cloud provider will also offer solutions, for example, using secure endpoints and other direct connectivity options that bypass Internet altogether, going directly to their edge locations in metropolitan areas or perhaps using one of their partners, like, let's say, AT&T. Another characteristic is rapid elasticity of computing and storage, so basically provisioning and releasing the resources, okay?

This can be done automatically. It can be done based on certain types of events. You can scale rapidly outward and inward based on demand. We often think the most important thing is to be able to scale up or to scale out when we have increased demand, let's say, for example, over the holidays in the United States. But it's just as important to be able to de-provision and scale back in rapidly in order to avoid cost overruns, or overprovisioning, or exceeding the budget of the department or the organization.

Resource pooling is where the provider's resources are pooled to serve multiple consumers in a multi-tenant model. In other words, taking advantage of the ability for virtual platforms like Xen, KVM, vSphere, OVM and others to support multiple customers. This could be in the public cloud, let's say with Google Cloud Platform or Amazon Web Services. But it could also be in your own private or on-premises cloud, where your customers are different departments or different business units or organizational units, each with their own budget.

Different physical and virtual resources are dynamically assigned and reassigned very quickly according to demand. Typically the customer doesn't have control or knowledge over the exact location of the provided resources. It could be just based on a particular region or zone. And realize that the provider may also provide dedicated resources for larger customers, those who are willing to pay more to get dedicated underlying hardware and software.

And then measured service. Cloud systems will control and optimize resources by using a metering capability with some type of abstraction based on the storage, processing, memory, bandwidth, or even user accounts. Resource usage can be monitored, it can be controlled. It can be visible, it can be transparent, both to the provider and the consumer of the utilized service. And obviously the pay as you go model, only paying for what you use either by the second, by the minute, by the hour, or longer.


Key Cloud Computing Characteristics

Next, we want to make sure that we know the cloud computing service models.

[Video description begins] Infrastructure as a service is abbreviated to IaaS. [Video description ends]

First is the Infrastructure as a Service. This is what we think of most commonly when we use a cloud provider, where we're providing the basic building blocks for cloud IT and providing access to networking features, to computers in the form of virtual machines or instances, and data storage space, either block storage or object storage.

IaaS is what many IT departments and developers are familiar with today. With Infrastructure as a Service, there's typically a clear demarcation between what's provided by the service provider and what the customer or the consumer is responsible for. Let's take a look at this diagram based on Amazon Web Services IaaS.

At the very bottom, we have the global infrastructure. And by the way, this is the same infrastructure that you would see with Amazon, Google Cloud Platform, Microsoft Azure, and others, where we have different regions all over the planet. Within those regions, we have one or more availability zones. And some of the providers in certain metropolitan areas will provide Edge locations.

That's for content delivery networking to get content as close to the customer as possible. So for example, companies like Hulu and Netflix would take advantage of Edge locations in certain cities to get that content close to their customers. Often providers have that basic infrastructure. Within that infrastructure, which is typically made up of high speed fiber connectivity between data centers, are the compute resources: server-based Windows, Linux, and Unix, and serverless like AWS Lambda or Google Cloud Functions.

Storage, both block-based and object-based. Databases; typically in the IaaS model, you're managing your own database, whether SQL, MySQL, or NoSQL. And networking services. Then notice the endpoints: all the providers have various ways to use SSL/TLS to get secure connectivity both to resources that you're managing as a customer and to managed resources that they provide.

And of course, above that, in the IaaS model, the consumer or the customer is responsible for determining whether data is going to be encrypted on the client side, or whether they're going to leverage server-side encryption of the file system or the block storage or the data, and for implementing their network traffic protection. They're in charge of the operating system, the network, and the firewall configuration.

That includes the operating system updates and upgrades and service packs, the platform application management and of course, their customer data. So in IaaS, there's often a strict demarcation between the underlying infrastructure and foundational services and all the other components that the customer's responsible for, above that.

[Video description begins] A diagram of IaaS at Amazon Web Services displays. It has several layers. The first layer at the bottom is the AWS Global Infrastructure, which comprises Regions, Availability zones, and Edge locations. The next layer is Foundation Services, which consists of Compute, Storage, Databases, and Networking. On the left of these two layers are AWS Endpoints and on the right is the AWS IAM. The third layer is made of three parts: Client-side data encryption and data integrity authentication, Server-side encryption, which includes file system and/or data, and Network traffic protection, which includes encryption or integrity or identity. The fourth layer includes the operating system, network, and firewall configuration. The fifth layer is platform and application management and the sixth layer is customer data at the top. The third to sixth layers correspond to customer IAM on the right. [Video description ends]

PaaS, or Platform as a Service, has a lot more gray area. It really depends upon the service of the product as to how much responsibility the provider has versus what the consumer has. But PaaS removes the need for companies to manage the underlying infrastructure, the hardware and the operating system. And just allows you to focus on the development, deployment, and management of applications.

So we don't have to worry about resource procurement, capacity planning, software maintenance, and often patching. Basically, the heavy lifting involved in running the application. So the service provider is offering a platform for rapid development and deployment of .NET, Java, Ruby, Python, Go, JSON and other scripting and programming language environments.

The benefits of Platform as a Service: you can get your product or app to market quicker, with rapid delivery of new capabilities. It also has a pay as you go model. It's a scalable environment. It provides speed, flexibility and agility of application development, and it supports a wide variety of standardized middleware.

Common platform as a service providers would be Amazon Web Services, let's say Elastic Beanstalk. The Google Cloud Platform, Google App Engine, Microsoft Azure products, Oracle Cloud Platform, IBM Cloud Platform, SalesForce, Red Hat OpenShift PaaS, Mendix, and SAP Cloud Platform.

[Video description begins] Google Cloud Platform is abbreviated to GCP and Oracle Cloud Platform is abbreviated to OCP. Salesforce a PaaS and Mendix a PaaS are some of the common PaaS cloud service providers. [Video description ends]

The third model is Software as a Service. This is where the capability provided to the consumer is the ability to use the provider's applications running on the cloud infrastructure.

[Video description begins] Software as a Service is abbreviated to SaaS. [Video description ends]

These applications are accessible from various client devices through a thin client interface like a web browser. The consumer doesn't manage or control the underlying cloud infrastructure including the networks, operating systems, storage, or even in this model the application capabilities. Now, there are exceptions where the consumer might have limited user-specific application configuration settings or other single sign-on or access control settings.

But basically, software as a service gives us a completed product that's run and managed on the service provider's infrastructure. In most cases, people who refer to Software as a Service are talking about end-user applications, for example, Microsoft Office 365. Common SaaS solutions will be productivity and customer relationship management (CRM) tools, blogging, surveys, social networking, open source intelligence, information and knowledge sharing like wikis, communication like webmail, and collaboration like e-meetings or web conferencing. And enterprise resource planning, and of course, cloud storage.

[Video description begins] Open Source Intelligence is abbreviated to OSINT and Enterprise Resource Planning is abbreviated to ERP. [Video description ends]

So at the bottom, we have IaaS, where we have our servers, our storage, our networking, the infrastructure and network architects. Above that, we have Platform as a Service. There are application developers, operating systems and application stacks, servers, storage and networking. And then above that, we have SaaS, with our end users accessing various packaged operating systems and applications.

[Video description begins] A diagram of cloud computing service models displays. It's a pyramid with IaaS at the bottom, PaaS in the middle, and SaaS at the top. SaaS includes packaged software, OS and application stacks, servers, storage, and network. [Video description ends]

Nowadays, we have everything or anything as a service. You might have Database as a Service. That's what Google Cloud calls their database services. Communications as a Service, for example a cloud mobility solution. Business Process as a Service, for example, Salesforce or Workday. Functions as a Service, for example, Google Cloud Functions or Amazon Web Services Lambda.

Security as a Service, this is provided by companies like Cisco (Advanced Malware Protection), Fortinet, F5, Palo Alto Networks, and others. Malware as a Service, where you can go to the dark web and actually launch campaigns by allowing someone else to provide the malware service for you.

[Video description begins] Everything as a Service is abbreviated to XaaS, Database as a Service is abbreviated to DBaaS, Communications as a Service is abbreviated to CaaS, Business Process as a Service is abbreviated to BPaaS, Functions as a Service is abbreviated to FaaS, Security as a Service is abbreviated to SECaaS, and Malware as a Service to MaaS. [Video description ends]

Finally, we want to understand that generally speaking, there are three cloud computing deployment models. There is the public cloud, which is basically the application and services fully deployed in the cloud, all parts of the application running in the cloud at a public provider like IBM, Oracle, Microsoft, Amazon, or Google.

Typically, the applications have been developed in the cloud or migrated into the cloud. This is taking advantage of the cloud service provider's IaaS, PaaS, SaaS, or other managed service solutions. The on-premises cloud is basically deployed using virtualization and resource management on-site. This is often called a private cloud. On-premises deployment doesn't provide any of the benefits of going to the global cloud, but it's often set up for its dedicated resources and privacy. It may be necessary for regulations or compliance, or certain mandates like HIPAA or PCI DSS or Sarbanes-Oxley.

A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources in a hybrid fashion. In other words, some of the resources or data or virtualization will exist on premises, some of them will be in the public cloud or a community cloud. The hybrid model is actually the most common model, especially for a migration or a transition to the cloud, and it provides the most flexibility.


Virtualization Building Block Technologies

In this lesson, we're going to look at the building blocks of really what makes cloud computing tick, and that's virtualization technology. Starting with the hypervisor. The hypervisor is software that builds and manages a virtual infrastructure, allowing multiple operating systems and applications to run on a single physical machine.

The system that runs the hypervisor is called the host, and the virtual machines running on the host are called guests. There are proprietary hypervisors, like Hyper-V, vSphere/ESXi, OVM, which is Oracle Virtual Machine, that's what powers Oracle public cloud. And FusionSphere, a commercial OpenStack release with a built-in KVM virtualization engine. KVM is an open source hypervisor, along with OpenVZ, Red Hat and Xen. Amazon Web Services runs on Xen, Google Cloud Platform runs on KVM.

Let's talk first about type 1 hypervisors. There's two types of hypervisors, type 1 and type 2. Type 1 hypervisors will run directly on the system hardware.

[Video description begins] Type 1 Hypervisors include virtual machines. [Video description ends]

These are often referred to as native or bare metal. And the first thing installed is the hypervisor itself, which functions as the operating system for the bare metal physical host. Let me give you an example. This is my production machine that I'm using right now. And actually, even though it doesn't have a lot of RAM, I have some RAM ordered, so it's going to have 32 GB of RAM in just a few days.

But other than that, if you look at the processor, it has two processors. They are two Intel Xeon E5-2643 v3 CPUs. These are the type of processors that you would actually borrow or rent or use at a cloud provider. There's two processors, each of them with six cores. They run about $1,500 a piece, so this is actually quite indicative. So a machine like this could be a tower, but more likely a rack-mounted server.

You could install KVM or Xen or Hyper-V or vSphere right onto this machine and that would be a bare metal installation. As you can see, this machine already has Windows 10 Pro for workstations on it. So if I wanted this to be a bare metal installation, I'd have to reformat the hard drive, pretty much wipe out Windows 10 Pro.

And go ahead and replace that with one of the hypervisor softwares. Now, if I decide to install some type of product like, let's say, VMware Workstation Pro on top of this Windows 10 machine, that would be a type 2 hypervisor. Now, notice something here that says paravirtualization drivers and tools. Early on, you had to use what was called paravirtualization to make up for the fact that the traditional Intel x86 architecture expects the operating system kernel to have direct CPU access, running in Ring 0, the most privileged and protected level.

Well, when you do software virtualization, the guest operating systems can't run in Ring 0 because the hypervisor's there. So the guest operating systems have to run in Ring 1, but that causes a problem. Some x86 instructions only work in Ring 0. So operating systems had to be recompiled, and that is what we called paravirtualization. That kind of paravirtualization is impractical.

[Video description begins] Type 1 Hypervisors include physical host. [Video description ends]

So now, we use what's called Hardware-Assisted Virtualization. So in the left-hand side, we have the host computer system hardware, let's say it's a Dell server. And in Ring 0, we have the VMM, and then Ring 1, the Guest Operating System. But notice under hardware assisted, the host computer system hardware allows the VMM and the guest operating system to run in Ring 0.

And that's possible as long as the processor supports it, and most processors are going to support that: Intel has Intel VT, and AMD has AMD-V. These virtualization technologies provide a new set of instructions and, critically, a new privilege level. So now the guest operating system can run in Ring 0. There's no need for paravirtualization.

[Video description begins] A diagram displays with three defined areas: Full virtualization, Paravirtualization, and Hardware-assisted. The Full virtualization area consists of 5 layers in the following sequence beginning from the bottom: Host computer system hardware, Ring 0 or VMM, Ring 1 or Guest OS, Ring 2, and Ring 3 or User apps. Ring 0 and Ring 3 feed into host computer system hardware. Ring 1 feeds into Ring 0. The Paravirtualization area consists of 6 layers in the following sequence beginning from the bottom: Host computer system hardware, Virtualization layer, Ring 0 or Paravirtualized guest OS, Ring 1, Ring 2, and Ring 3 or User apps. The virtualization layer and Ring 3 feed into host computer system hardware. Ring 0 feeds into the virtualization layer. The Hardware-assisted area consists of 6 layers in the following sequence beginning at the bottom: Host computer system hardware, VMM, Ring 0 or Guest OS, Ring 1, Ring 2, and Ring 3 or User apps. VMM has root mode privilege levels and Rings 0 to 3 have non-root mode privilege levels. VMM and Ring 3 feed into host computer system hardware. Ring 0 feeds into VMM. [Video description ends]
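As an added example (not code from the course), the following C program reads the CPUID feature bits that advertise Intel VT and AMD-V, plus the bit a hypervisor sets to tell a guest it is virtualized; the decoder is kept separate from the CPUID query so it can be exercised with constructed register values. It assumes a GCC or Clang toolchain providing cpuid.h on an x86 host.

```c
/* Added example: detect hardware-assisted virtualization support.
 * Intel VT (VMX) and AMD-V (SVM) add the root/non-root privilege modes
 * that let a guest kernel stay in Ring 0 without paravirtualization. */
#include <stdio.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1, ECX bit 5: Intel VMX (marketed as Intel VT / VT-x). */
#define CPUID1_ECX_VMX        (1u << 5)
/* CPUID leaf 1, ECX bit 31: a hypervisor sets this for its guests;
 * it reads as 0 on bare metal. A VMM may choose not to advertise it. */
#define CPUID1_ECX_HYPERVISOR (1u << 31)
/* CPUID leaf 0x80000001, ECX bit 2: AMD SVM (marketed as AMD-V). */
#define CPUID81_ECX_SVM       (1u << 2)

struct virt_caps {
    int vmx;      /* Intel VT available */
    int svm;      /* AMD-V available */
    int in_guest; /* hypervisor-present bit set: we are a guest, not the bare-metal host */
};

/* Pure decoder: takes raw ECX values so it can be tested with constructed input. */
struct virt_caps decode_virt_caps(uint32_t leaf1_ecx, uint32_t leaf81_ecx)
{
    struct virt_caps c;
    c.vmx = (leaf1_ecx & CPUID1_ECX_VMX) != 0;
    c.svm = (leaf81_ecx & CPUID81_ECX_SVM) != 0;
    c.in_guest = (leaf1_ecx & CPUID1_ECX_HYPERVISOR) != 0;
    return c;
}

/* A Type 1 or Type 2 hypervisor can run unmodified guest kernels in
 * (non-root) Ring 0 only if one of the two extensions is present. */
int hardware_assisted_available(struct virt_caps c)
{
    return c.vmx || c.svm;
}

/* Query the running CPU. Returns 1 on success, 0 (with *out zeroed) when
 * CPUID is unavailable, e.g. on a non-x86 build. */
int query_virt_caps(struct virt_caps *out)
{
    struct virt_caps zero = {0, 0, 0};
    *out = zero;
#if HAVE_CPUID
    unsigned eax, ebx, ecx = 0, edx;
    unsigned ecx81 = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    /* The extended leaf may be absent on very old CPUs; treat that as "no SVM". */
    if (!__get_cpuid(0x80000001, &eax, &ebx, &ecx81, &edx))
        ecx81 = 0;
    *out = decode_virt_caps(ecx, ecx81);
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    struct virt_caps c;
    if (!query_virt_caps(&c)) {
        puts("CPUID not available on this build target");
        return 1;
    }
    printf("Intel VT (VMX):                          %s\n", c.vmx ? "yes" : "no");
    printf("AMD-V (SVM):                             %s\n", c.svm ? "yes" : "no");
    printf("Hypervisor present (running as a guest): %s\n", c.in_guest ? "yes" : "no");
    printf("Hardware-assisted virtualization usable: %s\n",
           hardware_assisted_available(c)
               ? "yes"
               : "no (paravirtualization or binary translation needed)");
    return 0;
}
```

On Intel, CPUID reporting VMX does not prove firmware has enabled it (the IA32_FEATURE_CONTROL MSR can lock it off), and inside a guest the bit is normally hidden unless nested virtualization is exposed, so treat the result as a capability hint to confirm with the OS's KVM or Hyper-V diagnostics.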

As I said, type 2 hypervisors are like my system here, where I have a Dell workstation, very powerful, needs more RAM. But the Windows 10 operating system has the hypervisor installed, which in my case, is VMWare Workstation Pro. So a type 2 hypervisor is loaded on top of an already installed host operating system, like Windows workstation, Windows server, Linux, Ubuntu, or Debian.

You can use VMware Workstation, or VMware Player, or Oracle VirtualBox; those are just a couple. Realize that Type 2 hypervisors are less scalable, because they're running on top of another operating system, and they are more complex to manage. And remember, the security of the underlying host operating system is also a vulnerability of the hypervisor, since a compromised host exposes every guest on it. But these are fine for consumers and small to medium size businesses.

[Video description begins] Type 2 Hypervisors include virtual machines with the following features: Drivers and tools, Hypervisor, Operating system, and Physical host. An arrow pointing upwards from Physical host to Hypervisor displays. [Video description ends]

Here we see some virtual machine limitations. This is not necessary to remember, really, but we're just showing comparisons between vSphere/ESXi 6.5, Hyper-V, and XenServer 7. And you can see memory limitations: the virtual memory, virtual CPUs, virtual IDE disks, virtual SCSI disks, and virtual NICs. Citrix XenServer doesn't emulate SCSI or IDE; it has its own unique format that has a higher virtual IDE disk capacity.


Compute Building Block Technologies

I think it's safe to say that the main core service of cloud providers is the compute service or the compute products. Vendors like Oracle offer everything from single-core VMs up to 64-core bare metal compute instances deployed in large-scale clusters, and the same goes for IBM, Microsoft, Amazon Web Services, and Google Cloud Platform. Cloud service provider compute instances are powered by the latest processors and secured by the most advanced network and data center architectures available in the world.

[Video description begins] Cloud Service Provider is abbreviated to CSP and Virtual Machines is abbreviated to VMs. [Video description ends]

They're architected for high durability, high availability, and for enterprise-class governance requirements. Virtual machines can be spun up in minutes. Let's talk about two of the most common CSP compute services. The largest and the most prevalent would be Amazon Web Services' Elastic Compute Cloud, EC2. This is a service that offers secure, resizable compute capacity in the cloud, and it's designed to make web-scale computing easier for developers.

Next in line would be Google Compute Engine, which delivers virtual machines running in Google's data centers and worldwide fiber networking, and its tooling and workflow support scaling from single instances to global, load-balanced cloud computing. Both Amazon and Google offer pre-defined machine types, Windows and Linux, up to 160 virtual CPUs and 3.75 terabytes of memory. They offer custom machine types, persistent disks, and ephemeral disks. Transparent maintenance in the data centers.

Global load balancing. Support for a wide variety of operating systems: Debian, CentOS, CoreOS, SUSE Linux, Ubuntu Linux, Red Hat Enterprise Linux, FreeBSD. Different versions of Windows Server: 2008, 2012, 2016, and soon, 2019. Both offer tons of support for compliance and security and regulations. Google bills in per-second increments, and both have automatic discounts.

For example, you can bid for additional compute time and get the lowest rate, and they both support containers. For example, at Google Cloud you can run, manage, and orchestrate Docker containers on compute engine VMs with Google Kubernetes Engine. Some common compute services are auto-scaling, Amazon's Elastic Container Service, ECS and Container Registry, Google Cloud Container Registry, Amazon Elastic Container Service for Kubernetes, EKS.

The aforementioned Google Kubernetes Engine, GCP Cloud Functions and AWS Lambda for serverless computing. Google App Engine, including a wide variety of marketplace solutions from a number of vendors. AWS Elastic Beanstalk, which is basically an easy to use service for deploying and scaling web applications and services that you develop with Java, .NET, PHP, Node.js, Python, Ruby, Go and Docker.

Amazon Lightsail is designed to be the easiest way to launch and manage your virtual private server in Amazon Web Services. Its plans include everything you need to jump start your project: a virtual machine, SSD-based storage, data transfer, DNS management, and a public static IP address, and it does this at a low, predictable price. And of course, all the CSPs will offer things like batch solutions or batch services to allow developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on the cloud platform.


Storage Building Block Technologies

Now, before we start talking about the storage technologies and the storage options available at the cloud service provider, realize that the cloud solution that you're involved with may be an on-premises cloud or a private cloud within your own organization.

So you might be responsible for having different disk management tiers, involving two or three different types of SSD drives, maybe some hard disk drives for archiving information, and you may be involved with tape or DVDs. But I want to show you the advantages here of SSD versus hard disk drives; it's going to be superior in almost every way.

[Video description begins] Solid State Drive is abbreviated to SSD and Hard Disk Drive is abbreviated to HDD. [Video description ends]

And if you use Google Cloud, you use Amazon Web Services, for example, it's going to be different tiers of SSD drives that you're using. They may be ephemeral, where they live and die with the instance, or they may be detachable, okay? You can actually take an SSD drive and take it from one instance and attach it to another. In almost every category, SSD is going to be superior to hard disk drives.

[Video description begins] A table with six rows and three columns displays. The first row has the following values: Attribute, Solid State Drive, and Hard Disk Drive. The first column has the following values: Startup time, Noise, Fragmentation, Temperature control, and Failure vulnerability. For Solid State Drive, the startup time is nearly instantaneous due to no moving parts whereas for hard disk drive, the disk spin-up can take minutes. For Solid State Drive, there is virtually no noise whereas the Hard Disk Drive has varying noise levels between drives. For Solid State Drive, the fragmentation is very little, which can cause wear due to additional memory writes. For Hard Disk Drive, fragmentation is common over time and defragmentation is necessary. Solid State Drive tolerates higher temperatures without cooling whereas in Hard Disk Drive, temperature greater than 98 degrees Fahrenheit can shorten life and cooling may be needed. Solid State Drive is shock and vibration resistant whereas Hard Disk Drive is highly susceptible. [Video description ends]

They're more reliable, better power consumption, like half the power of hard disk drives. The only disadvantage, really, is they're more expensive, okay? So, some cloud providers may still provide low cost hard disk drive options for maybe longer term storage, or non-transactional or non mission critical data. So just keep that in mind when you're planning out your storage tiers.

[Video description begins] A table with six rows and three columns displays. The first row has the following values: Attribute, Solid State Drive, and Hard Disk Drive. The first column has the following values: Reliability and lifetime expectations, Power consumption, Cost, Installation, and Data transfer rate. For Solid State Drive, reliability varies but failure is much less likely, whereas Hard Disk Drive has the potential for mechanical failure, hence the use of RAID. Solid State Drive is usually flash-based and uses half the power of HDD, except for high-performance DRAM-based drives, which use about the same. The power consumption of Hard Disk Drive is from 0.35 watts to 20 watts depending on size and performance. Solid State Drive is more expensive per GB, whereas Hard Disk Drive is less expensive per GB. Solid State Drive has no sensitivity to mounting since it has no exposed circuitry, whereas in Hard Disk Drive, circuits can be exposed and it needs to be mounted to protect against vibration. Solid State Drive delivers consistent read and write speed with improved sleep recovery, whereas Hard Disk Drive has slower response time due to constant read seeks. [Video description ends]

Let's look at block storage in the cloud. With block storage, the files are split up and stored in fixed-size blocks, either on detached or attached volumes. Often these volumes host databases, they support random read/write operations, and they may keep the system files of the running virtual machines. You increase the block storage capacity by simply adding more nodes. And again, it's suitable for apps that need high input/output operations per second, IOPS, such as databases and transactional data. It's also the common location for the root volumes.

[Video description begins] A block storage diagram displays. Two file are shown, each connected to two blocks. [Video description ends]

Now, object storage in the cloud is different; it's virtually unlimited file storage. And it has three major components: the data or the content object, which is typically stored in a bucket; a unique identifier, through which the object can be accessed via an API call or a URL; and then metadata, which is extensible, virtually unlimited tagging or metadata about the object.

Another advantage of object storage is the ability to maintain file revisions. There's no hierarchy of relationships like you see in a file system and block storage. It uses HTTP and TLS interfaces for access, and the files are distributed in different physical nodes.

[Video description begins] A diagram displays HTTPS interface above Object storage. The object storage points to different physical nodes. [Video description ends]

Now, let me give you an example of a difference between object storage and block storage. Let's say you have a report and it's a Word document, and maybe you've got some Windows server spun up in a VM instance in AWS or GCP, and you store that document on either ephemeral or persistent block storage. Let's say you go back to that report and you make a change to one of the paragraphs.

What's going to happen is the file system is going to go and find the block where that paragraph is stored, and it'll make the change to just that block. But if you were to store that Word document up in a bucket as an object, and you wanted to change that particular paragraph, you would actually overwrite and replace the original object, with the option of keeping the earlier one as another version.

And that versioning is part of the metadata that's attached to those objects. So typically object storage is good for things like video files and audio files, other types of static content, photographs, PDF documents. Whereas block storage is good for transactional information, database information, operating system root volumes, and system files. Here's an example of storage in the cloud at Amazon Web Services.
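To make the difference between the two write models concrete, here is an added example that is not part of the original course material and does not use any provider's API. Both stores are in-memory stand-ins with a constructed Word-document-like payload: editing a paragraph on the block volume rewrites only the fixed-size blocks that overlap the edit, while editing the same document in the object bucket replaces the whole object and keeps the previous version under the object's metadata. The 16-byte block size and the file contents are constructed values chosen so the effect is visible.

```python
"""Block-storage vs object-storage update semantics (constructed demo, not a cloud API)."""
import hashlib

BLOCK_SIZE = 16  # bytes; deliberately tiny so a one-paragraph edit spans a block boundary


class BlockVolume:
    """Fixed-size blocks addressed by index; a file is an ordered list of block indexes."""

    def __init__(self, block_size=BLOCK_SIZE):
        self.block_size = block_size
        self.blocks = []    # block index -> bytes
        self.files = {}     # file name -> list of block indexes
        self.writes = 0     # number of block writes issued (a rough IOPS proxy)

    def _alloc(self, data: bytes) -> int:
        self.blocks.append(data)
        self.writes += 1
        return len(self.blocks) - 1

    def write_file(self, name: str, data: bytes) -> None:
        # Pad the last block with NULs; read_file strips them again (demo only).
        self.files[name] = [
            self._alloc(data[i:i + self.block_size].ljust(self.block_size, b"\0"))
            for i in range(0, len(data), self.block_size)
        ]

    def read_file(self, name: str) -> bytes:
        return b"".join(self.blocks[i] for i in self.files[name]).rstrip(b"\0")

    def update_range(self, name: str, offset: int, new: bytes) -> int:
        """Rewrite only the blocks overlapping [offset, offset+len(new)); return how many."""
        idxs = self.files[name]
        first = offset // self.block_size
        last = (offset + len(new) - 1) // self.block_size
        for b in range(first, last + 1):
            block = bytearray(self.blocks[idxs[b]])
            lo = max(offset, b * self.block_size)             # absolute start inside this block
            hi = min(offset + len(new), (b + 1) * self.block_size)
            block[lo - b * self.block_size:hi - b * self.block_size] = new[lo - offset:hi - offset]
            self.blocks[idxs[b]] = bytes(block)
            self.writes += 1
        return last - first + 1


class ObjectBucket:
    """Whole-object put/get; every put creates a new version recorded in the metadata."""

    def __init__(self):
        self.objects = {}   # key -> list of version records, newest last

    def put(self, key: str, data: bytes, tags=None) -> str:
        version = {
            "version_id": hashlib.sha256(data).hexdigest()[:12],  # constructed id scheme
            "size": len(data),
            "tags": dict(tags or {}),
            "data": data,
        }
        self.objects.setdefault(key, []).append(version)
        return version["version_id"]

    def get(self, key: str, version_id=None) -> bytes:
        versions = self.objects[key]
        if version_id is None:
            return versions[-1]["data"]
        return next(v["data"] for v in versions if v["version_id"] == version_id)

    def version_count(self, key: str) -> int:
        return len(self.objects[key])


# Constructed stand-in for the report; three "paragraphs", 57 bytes, so 4 blocks of 16.
REPORT = b"Para one: budget ok. Para two: hire now. Para three: end."


def demo() -> dict:
    """Apply the same paragraph edit to both stores and report what each one had to do."""
    vol = BlockVolume()
    vol.write_file("report.docx", REPORT)
    before = vol.writes
    offset = REPORT.index(b"hire now")
    touched = vol.update_range("report.docx", offset, b"hire ltr")   # same-length edit

    bucket = ObjectBucket()
    v1 = bucket.put("reports/report.docx", REPORT, {"owner": "finance"})
    bucket.put("reports/report.docx", REPORT.replace(b"hire now", b"hire ltr"), {"owner": "finance"})

    return {
        "total_blocks": len(vol.files["report.docx"]),
        "blocks_touched": touched,            # only the blocks overlapping the edit
        "block_writes": vol.writes - before,
        "block_read": vol.read_file("report.docx"),
        "object_versions": bucket.version_count("reports/report.docx"),
        "object_latest": bucket.get("reports/report.docx"),
        "object_original": bucket.get("reports/report.docx", v1),   # still retrievable
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The edit straddles a block boundary, so the volume rewrites two of its four blocks in place; the bucket, by contrast, ends up holding two complete copies, and the original is still retrievable by version id, which is exactly why object versioning is useful as a recovery control against accidental or malicious overwrites.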

So notice we have an instance, instance A, that's an Ubuntu Linux server. Let's say instance B is a Windows 2016 server. Below that we have volumes ephemeral0 through ephemeral3; those are going to live and die with the instance. So if you terminate the Linux instance A, or you stop it, you're going to lose the ephemeral volume. And by the way, both Amazon and Google have these types of ephemeral volumes.

The advantage, though, is that they're directly attached. So they're not going to be residing on some network attached storage or storage area network. So you're going to have much lower latency, much quicker access to the information on the ephemeral drive. However, realize it's going to live and die with the instance. Now, the instance may also access a file system. So Amazon has EFS, which is a managed elastic file system. The instance may take advantage of that service, or it may use elastic block storage.

EBS volumes are detachable, and typically you're going to have at least two EBS volumes. One volume will be the root volume, where the system files and the boot files are, and then data will be stored on one or more further EBS volumes. They're elastic because you can expand the number of volumes, and you can rapidly provision them or de-provision them as needed. And then we can take a snapshot of those volumes and store those in a bucket as object data in Amazon S3. All of the CSPs will offer these types of options.


Networking Building Block Technologies

In this next lesson, we're going to focus on networking. And actually, networking is at the heart of securing your solutions, especially the virtual private cloud that you create. It's the choices you make in designing your network that determine if your sub-networks are going to be public sub-networks or private sub-networks, whether you're going to have instances that are sandboxed and basically air gapped from the Internet or other connectivity options, or whether you're going to make things public.

And you have quite a variety of ways to connect resources to your virtual private clouds and VPCs to other VPCs. Now remember, as we look at this diagram, the cloud service providers, the large ones like Microsoft Azure, GCP, AWS, are basically deployed in regions, which are the colored circles, throughout the planet. So for example, with AWS you're using type-1 Xen hypervisors deployed within AWS data centers, okay?

And those data centers are located in 60 plus availability zones, within 20 geographic regions around the world. And they're constantly adding more availability zones and more regions. For example, by the time you get this training, they probably have another region in Bahrain, Cape Town, Hong Kong, and Milan, Italy. The availability zones are connected to each other with fast fiber optic networking. The best way to think of an availability zone is one or more data centers. These are nondescript buildings that you could be driving by in a metropolitan area and not even know that it's Google or Amazon. They're connected with high-speed private fiber optic networking.

And this is part of the infrastructure that you're leveraging that can automatically fail over between availability zones without interruption. If it's in your budget, you can decide to increase redundancy and fault tolerance by replicating data between geographic regions. This is what the large, multinational companies do.

And you can do this with both private high-speed networks and using the public Internet to increase your continuity of operations or business continuity. Now, along with the regions, and then the data centers or availability zones within the regions, companies like Google and Amazon will have what are called edge locations.

Edge locations are really part of content delivery networking, which is how companies like Netflix and Hulu and others get their content as close to the customer as possible. So these edge locations are in metropolitan areas, like for example, Virginia, or Atlanta, Georgia, or Boston. There's five of them in Dallas Fort Worth, near where I'm coming from right now.

[Video description begins] The world map displays. It marks geographic regions for cloud data centers and availability centers. In the west, particularly the US sub-continent, Oregon, North California, West US, US Government Iowa, Central US, Central US 2, AWS GovernmentCloud, North Central US, North Virginia, East US, East US 2, US Government Virginia, and South Central US are marked. In addition, Canada Central and Canada East are marked. In the south, Sao Paulo and Brazil South are marked. Moving towards UK and Europe, UK West, Ireland, UK South, North Europe, West Europe, and Frankfurt are marked. In the Asian sub-continent, West India, Central India, Mumbai, South India, Singapore, Southeast Asia, East Asia, China East, China North, Beijing, Seoul, Japan East, Tokyo, and Japan West are marked. In the Australian sub-continent, Australia East, Sydney, and Australia Southeast are marked. [Video description ends]

So a key aspect of security is understanding the networking infrastructure. Now, this is not a course on networking, okay? So we can't really spend a lot of time on this. But take a look, let's just say, down here at the bottom left, where we have an instance. So we've spun up an instance in a subnet; it could be Windows, it could be Linux, doesn't matter.

And what determines if that instance is going to connect to resources other than the instances in its own subnet, which it can do by default if you use the default security group, is the route table. So if there's an entry in the route table that gets to the IGW, the Internet gateway, then that instance is exposed to the Internet with a publicly routable IP address.

That instance can also connect, let's say, back to your corporate headquarters, or to a branch office, or an extranet partner, through the VPG on the right. That's the virtual private gateway, which is for the VPN. At Amazon Web Services, for defense in depth security, and we'll talk more about this coming up later, we have security groups, which are a Layer 3/4 stateful whitelisting firewall.

And we also have network access control lists, or NACLs. Those are static, or stateless, packet filters, access control lists that can permit and deny traffic based on the metadata in the Layer 3/4 headers for IPv4. So obviously, planning your network is very important.

[Video description begins] A network diagram of a Virtual Private Cloud or VPC displays. There are two subnets. Subnet 1 consists of three instances, each instance connects to a security group with bi-directional arrows. Above Subnet 1, there is NACL Subnet 1, which connects to a Route table with a bi-directional arrow. The Route table consists of three different IP addresses. It connects to a Router with a bi-directional arrow. Subnet 2 consists of two instances, which connect to a single security group with bi-directional arrows. Above Subnet 2, there is NACL Subnet 2, which connects to a Route table. The Route table consists of three different IP addresses. It connects to the Router with a bi-directional arrow. The Router connects to Internet Gateway (IGW) on the left and to Virtual Private Gateway (VPG) on the right. [Video description ends]
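The three decisions just described (does the route table expose the subnet, does a stateless NACL match the packet, does a stateful security group admit the flow) can be modelled in a few lines. The following is an added example written for this page, not provider code: the route tables, rule lists and addresses are constructed, and the evaluation logic is a simplified stand-in for how these controls behave, useful for checking your own design on paper. It also shows the classic stateless-filter failure mode: an outbound NACL that only allows port 443 silently drops the server's replies, because those leave toward the client's ephemeral port.

```python
"""Route table, stateless NACL and stateful security group evaluation (constructed demo)."""
import ipaddress

# Constructed route tables: (destination CIDR, target). 'igw-' is an Internet gateway,
# 'vgw-' a virtual private gateway (VPN), 'local' the VPC itself.
ROUTE_TABLE_A = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc")]
ROUTE_TABLE_B = [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-0def")]


def is_public_subnet(route_table) -> bool:
    """A subnet is public when any of its routes point at an Internet gateway."""
    return any(target.startswith("igw-") for _cidr, target in route_table)


def route_for(route_table, dst_ip: str):
    """Longest-prefix match, as the router in the diagram would do; None means unroutable."""
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_allows(rules, packet) -> bool:
    """Stateless filter: rules are (number, proto, cidr, port_from, port_to, action);
    the lowest-numbered matching rule wins and no match means deny (the implicit '*' rule).
    packet is (proto, peer_ip, destination_port) for the direction being evaluated."""
    proto, peer, port = packet
    for _num, rproto, cidr, pfrom, pto, action in sorted(rules):
        if rproto in ("all", proto) and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr) \
                and pfrom <= port <= pto:
            return action == "allow"
    return False


class SecurityGroup:
    """Stateful allow-list: only allow rules exist, and replies to an admitted flow pass
    without any outbound rule because the group tracks the connection."""

    def __init__(self, inbound):
        self.inbound = inbound      # list of (proto, cidr, port_from, port_to)
        self.tracked = set()        # admitted flows as (proto, peer_ip, local_port)

    def allows_inbound(self, proto, src, port) -> bool:
        for rproto, cidr, pfrom, pto in self.inbound:
            if rproto in ("all", proto) and ipaddress.ip_address(src) in ipaddress.ip_network(cidr) \
                    and pfrom <= port <= pto:
                self.tracked.add((proto, src, port))
                return True
        return False

    def allows_outbound_reply(self, proto, dst, local_port) -> bool:
        return (proto, dst, local_port) in self.tracked


def demo() -> dict:
    """Run the constructed scenarios and return every decision by name."""
    inbound_nacl = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
                    (200, "tcp", "203.0.113.0/24", 22, 22, "deny")]
    outbound_nacl_weak = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
    outbound_nacl_fixed = outbound_nacl_weak + [(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
    sg = SecurityGroup([("tcp", "0.0.0.0/0", 443, 443)])
    return {
        "subnet_a_public": is_public_subnet(ROUTE_TABLE_A),
        "subnet_b_public": is_public_subnet(ROUTE_TABLE_B),
        "b_route_to_hq": route_for(ROUTE_TABLE_B, "192.168.10.5"),
        "b_route_to_internet": route_for(ROUTE_TABLE_B, "8.8.8.8"),
        "nacl_in_https": nacl_allows(inbound_nacl, ("tcp", "198.51.100.7", 443)),
        "nacl_in_ssh": nacl_allows(inbound_nacl, ("tcp", "203.0.113.9", 22)),
        # the HTTPS reply goes back to the client's ephemeral port, here 51234
        "nacl_reply_weak": nacl_allows(outbound_nacl_weak, ("tcp", "198.51.100.7", 51234)),
        "nacl_reply_fixed": nacl_allows(outbound_nacl_fixed, ("tcp", "198.51.100.7", 51234)),
        "sg_in_https": sg.allows_inbound("tcp", "198.51.100.7", 443),
        "sg_reply": sg.allows_outbound_reply("tcp", "198.51.100.7", 443),
        "sg_in_ssh": sg.allows_inbound("tcp", "203.0.113.9", 22),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Subnet A is public purely because of its default route to the IGW; subnet B can reach headquarters over the VPG but has no path to the Internet at all. The security group admits the reply automatically, while the NACL needs the explicit ephemeral-port rule, which is why a NACL review should always read the outbound side as carefully as the inbound side.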

A very important part of networking is elastic load balancing. If we use AWS, for example, the reason why elastic load balancing is so important is because on the load balancer, we can actually have an SSL listener. So the elastic load balancer can be that single point of contact for everybody on the Internet. So when somebody types in a URL or an IP address, they're actually coming to our elastic load balancer, which has the SSL/TLS listener on it so it can decrypt the TLS session.

And then, if you choose, it can send the traffic in the clear back to your instances, or it can send it back re-encrypted. The load balancer will also connect to auto scaling groups. So you connect to target groups that can auto scale from one instance to many instances practically instantaneously. The load balancer also provides health checks and flow logs.

And you can apply a WAF, a web application firewall, which is a Layer 5 to 7 deep packet inspection firewall, on the load balancer for HTTP and HTTPS traffic. So the load balancer, whether it's with Google or Microsoft or Amazon, is a very important component of the provider's infrastructure that you're going to use in protecting your virtual private clouds.

[Video description begins] A diagram displays. The AWS environment consists of VPC, which contains two VPC subnets and their availability zones. One of the VPC subnets connects to a router. The router and VPC connect to a Virtual private gateway. The customer network consists of a customer gateway. A VPN connection connects to the customer gateway on one side and to the virtual private gateway on the other side. [Video description ends]

VPNs are very popular, and we're going to look more at VPNs in the next course, but you have choices. You can use a managed VPN from the service provider, which is typically going to use border gateway protocol or static routing. And so that virtual private gateway will be what you have on your side in the VPC.

And then you'll have a customer gateway at your head end, which could be a Cisco router, maybe an ISR generation two, or an ASR router, or some other product from some other vendor, okay? And then you can very quickly and easily use a graphical interface to spin up a VPN, which, by the way, will be two redundant tunnels with automatic failover built in.

Or you can have your own solution, and we'll talk about that, your own customer managed VPN. For example, if I go with a managed VPN or a site-to-site VPN from AWS, I have to use IKEv1 with IPsec and BGP or static routing. If I want to maintain my own existing EIGRP or OSPF cloud, or GETVPN, or IPsec over GRE tunnels, or maybe I want to use IKEv2 with Suite B cryptography, I have to manage my own VPN.


Database Building Block Technologies

Well, obviously, being a security practitioner, you need to be well aware of the different database building block technologies that are offered by your cloud provider. And these typically fall into four categories. There are relational databases. Those can be Microsoft SQL, MySQL, PostgreSQL, things like that, that you spin up in your own virtual private cloud as part of an IaaS solution, or you could use managed solutions from the providers, where they provide the actual databases and do the upgrades, the updates and the patching for you, and all you do is deal with the data.

There are data warehousing and big data solutions, including Amazon Redshift or Google Cloud Platform BigQuery, BQ. There are document or NoSQL databases, which are excellent for large database solutions without the limitations of structured relational databases. And then there are the newer graph databases and ledger databases. Let's go take a look at Amazon and Google and see some of the database offerings that they have.

OK, I'm up at Google Cloud Platform, and we're going to go to the Navigation menu in the upper left hand corner and click on the Navigation menu icon. As you scroll down, you're going to see the Storage category. You'll realize that you have several storage options that transcend these different products and services.

So you can use zonal standard persistent disk, which is basically in a single zone. Remember, a zone is one or more data centers. You can use standard persistent disk and zonal SSD persistent disk. That's your block storage solution. You also have regional persistent disk and regional SSD persistent disk. This is regional block storage replicated in two zones. There's also Local SSD, which is high performance transient local block storage. Local SSD is the equivalent of the ephemeral volumes or ephemeral storage at Amazon Web Services. It lives and dies with the instance.

And then, of course, we have Cloud Storage buckets. OK, now click on Bigtable. You can see that Cloud Bigtable is a fully managed NoSQL database supporting the popular open-source Apache HBase 1.0 API. So this is your document oriented database. Click on Datastore. The next generation of Datastore is called Cloud Firestore, which can run in Native mode or Datastore mode. If you go to Storage, this is going to be your Google Cloud Storage object oriented storage.

OK, simple, secure, durable, highly available object storage, where you go and create your buckets. GCP also offers SQL solutions supporting MySQL and PostgreSQL databases. These are fully managed. There's Spanner, a fully managed, mission-critical relational database service designed for transactional consistency at global scale.

And then we can wrap up the storage services by thinking about Memorystore, which is a caching service, and Filestore, which is a fully managed file system service in the cloud. If you go to AWS and go up to Services on the main menu, you can also go down and see some of the storage services that we have at AWS. S3 is their object storage; like Google Cloud Storage, it's highly durable, highly available, with several different options, different tiers and different retrieval options.

You also have the Elastic File System, EFS, and S3 Glacier is for long term storage. They have different database services; they separate storage and database. OK, Relational Database Service, which is fully managed MySQL, PostgreSQL and others. DynamoDB, we click on that. DynamoDB is their fast and flexible NoSQL database service, a great fit for mobile, web, gaming, ad-tech, IoT, and other applications. ElastiCache is a really popular caching service to use with your public web services.

Amazon Redshift is a clustering service. Neptune, let's click on that. Neptune is a fast, reliable graph database. OK, so a new type of technology, a graph database service, optimized for the leading graph query languages, Apache TinkerPop Gremlin and the W3C's RDF SPARQL. So Neptune is a fully managed graph database instance in the cloud. There you go, an exploration of different storage and database services at cloud providers like Amazon and Google.


Comparisons of Common Public CSP Products

Okay, this will be a short video as I give you a table that you can use as a reference going forward, to help you understand the comparison of different categories of common cloud service provider products across, really, the three major providers: Amazon Web Services, which is number one and probably almost five times bigger than the next, which would be Google Cloud Platform.

And then, also very popular, especially with homogeneous Microsoft environments, Active Directory environments, is Microsoft Azure. So you can see in the first category, we have our compute service. At Amazon Web Services, it's going to be EC2, at Google, Compute Engine, and at Microsoft, Azure Virtual Machines. Of course, these are the virtual machine images and marketplace images that are spun up, typically versions of Windows Server and different builds of Linux.

And then application deployment services, so this is our Platform as a Service. Application services would be Elastic Beanstalk with AWS, Google App Engine at Google, and Azure App Services at Microsoft. Large object storage would be Amazon S3, Google Cloud Storage and Azure Blob Storage. For containers, like Docker and Kubernetes, you've got Amazon EC2 Containers, you've got Kubernetes Engine at Google, and Azure Container Service.

For your large NoSQL document-oriented database, your scalable solution for a wide variety of mobile, web, IoT, and other development projects, you've got DynamoDB, which is their fully managed NoSQL database, Google Cloud Bigtable, and Azure Cosmos DB. Data warehousing and clustering would be Amazon Redshift, Google BigQuery, BQ, and Azure SQL Data Warehouse, or WH. For functions, or serverless compute, running serverless code in the cloud, you have Amazon Lambda, Google Cloud Functions, and Azure Functions.

If you want to bypass the Internet and connect directly to the cloud, you can do that through the major cloud provider itself or through one of its partners. You can use AWS Direct Connect, Google Cloud Interconnect or Azure ExpressRoute. With Direct Connect, you're going to get 1 gigabit or 10 gigabit connectivity, bypassing the Internet altogether. If you want some SLA in between one gig and ten gig, you can go with one of their many partners.

It depends upon what metropolitan area you're in and their edge locations. And then for monitoring, visibility and reporting, you've got AWS CloudWatch. You've got Stackdriver Monitoring, which, by the way, is an excellent tool to monitor all of your CSP solutions. So if you have both Amazon Web Services and Google Cloud Platform resources at your large company, you can use Stackdriver for both. And then Microsoft Azure has Application Insights.


Describing Cloud Computing Technologies

All right, let's do a brief exercise. In this exercise, you'll list four advantages of cloud computing. List four common software as a service solutions. And list four database building block technologies. Pause the video, go get your answers and come back and we'll compare.

First, I asked you to list four advantages of cloud computing. If you said any four of these: exchange capital expenses for variable expenses; take advantage of mass economies of scale; eliminate guessing on infrastructure capacity needs; optimize speed and agility; focus on projects that differentiate your business; or go global in minutes. Any four of those, you got it right.

Next, I asked for four common SaaS solutions. If you said any four of these: productivity and customer relationship management, CRM; blogging, surveys, social networks, open source intelligence; information and knowledge sharing, such as a wiki; communication through webmail, collaboration with e-meeting and e-conferencing; or enterprise resource planning, ERP. Or maybe you have your own SaaS solution you want to add to the list. Any four, you got it right.

Next, I asked you to list four database building block technologies. I was looking for relational databases, document or NoSQL databases, data warehousing and graph and ledger databases, excellent.