NPW V2.0 for DevOps Engineer

NPW V2.0 for DevOps Engineer

Azure contribution to Red Hat MTA, Updates in DDoS Solution for Microsoft Sentinel, Azure Application Gateway, Amazon Cloud Watch and Google Cloud Run

NPW Research

Top News

Azure’s new DDoS Solution for Microsoft Sentinel automatically remediates attacks

How it works: The DDoS solution monitors protected resources for an attack, emits log signals containing attacking source IP addresses to Microsoft Sentinel. This triggers Azure Firewall Remediation IP-Playbook. The firewall blocks the attacking source IP addresses
What is required: Configure analytics rules that define threshold for percent threshold and PPS threshold. Use the automation rule to trigger the playbook, which uses IP groups to block IPs. The groups are attached to rules. This integration enables faster response to L3 and L4 type attacks.

3 new performance metrics for asynchronous event processing in AWS Lambda

➝ AsyncEventsReceived measures total events successfully queued for processing.
➝ AsyncEventAge measures time between successful queuing and function invocation
➝ AsyncEventsDropped measures events dropped without successful execution.

How cloud native security will impact DevOps in 2023

Software supply chain security will be top-of-mind
Growth of APIs will increase the attack surface
DevOps will lead to DevSecOps, with adoption of cloud-native security tools.
Policy-as-Code and Open Policy Agent adoption will gain traction

Azure to contribute to Red Hat Migration Toolkit for Applications

MTA supports large-scale Java app modernization and migration projects by providing line-by-line recommendations for your source code.
Azure’s contributions include rulesets to provide guidance for configuring data sources, using Java Key Store and file systems

Must-read Analysis & Advice

Lessons in calibrated risk-taking for faster MVP through cloud services

Wilco built developer training/upskilling platform service using Heroku’s free-tier
Overlooked scale, app level authorization limitations
Cryptojacking led to $10k bill from Heroku
CTO shares why he would take the same approach again

“Is running any sort of db on a Kubernetes instance a bad idea?”: Twitter discussion

Agenda: Google Cloud’s Kelsey Hightower, who anchored the discussion, based on this user query. Kicked it off by saying it is like running a db on a VM but Kubernetes on PostGres is not the same as Cloud SQL.
What others had to say:
Kubernetes does not provide high availability for applications, it only provides automatic recovery.
Traditional db were not designed with the assumption that machines will fail.
So for proper scaling, backups and upgrades, you will need a Kubernetes expert who is also a db expert.
What that means is having additional knowledge of stateful sets, and a domain-specific understanding of how kubernetes handles storage.
Conclusion: Most thought db on Kubernetes was not such a great idea.

Identity distribution key to implementing zero trust in API services mesh

Using session ID or access token breaks the least privilege principle, and exposes sensitive information beyond the organizational perimeter.
Identity distribution enables continuous data verification by ensuring each service in an API performs informed authorization based on signed certificates or tokens.
Securing all traffic, encrypting connections, using established standards, and token sharing techniques are a few approaches to identity distribution.

How to secure microservice architectures from attacks from the inside

Despite operating in a secured perimeter, compromise of a single service within a microservices architecture can offer an entry point into the entire application.
Authenticating inter-service communications, and encrypting connections between services key to prevent unauthorized access

Guide to implementing FinOps for Kubernetes cost avoidance: CNCF Blog

Abstraction and transient nature of Kubernetes artifacts makes it difficult to differentiate cloud costs and shared resources.
Facilitating conversations between finance and engineering teams, labeling and tagging resources, and leveraging the right tooling crucial to implement FinOps.

CSPs, chip makers taking confidential computing mainstream

Making it available through VM instances, cloud-native software stacks.
Confidential computing specification Caliptra will offload assurance to hardware, Intel’s Project Amber will attest computing environments

Other Updates

Google Cloud adds multi-architecture support to fix the issue of deploying multi-architecture container images to Cloud Run.

Azure Application Gateway adds support for mTLS and online certificate status protocol. See when to use mTLS, and how to verify mTLS setup.

Amazon EC2 now lets you automatically rollback to undo the changes made by the Auto Scaling instance refresh feature when it fails.

Tech layoffs are not the end of the world. Non-tech companies advertising significantly more tech jobs.

Amazon CloudWatch adds support for extracting up to 1-second granularity from structured logs using Embedded Metric Format.

What CSP products got the highest attention. Topics that generated keen interest. Based on what was read by 12,000+ DevOps engineers, software engineers and solution architects the previous week.