NPW Insights (Free): Week 2/4 for DevOps Engineer

Google Cloud flex pricing agreements, VOID report findings, updates in CloudWatch, App Runner, AWS Network Firewall and Amazon Managed Grafana, Azure Cache for Redis new feature, caching for Azure Container Registry, VBS in Azure SQL

NPW Research

Top News

New Google Cloud pricing models to boost flexibility

What’s new: Flex Agreements, which give access to monthly spend discounts, committed use discounts (CUDs), cloud credits, and professional services without upfront commitments. Standard, Enterprise, and Enterprise Plus pricing tiers will offer the flexibility to choose features and functionality across the portfolio.
What’s changed: The Cloud Spanner free trial is extended to 90 days, and BigQuery autoscaling works at a finer granularity.
Bottom line: Flex Agreements bring pricing incentives based on monthly spend, and the new pricing tiers offer feature sets tailored to business needs and your stage of cloud adoption.

2022 VOID report calls for mindset shift in incident reporting

Report finding: The Verica Open Incident Database, which assembles all publicly available security incident reports, yields several key insights. Incident length has no correlation with its severity. This means that popular incident metrics like MTTR are highly variable and offer little to no insight into system reliability.
Implications: Shallow metrics like MTTR and incident count should be used only as a starting point for understanding complex systems. New forms of incident reporting that reveal the costs of coordination for response teams, such as socio-technical incident and post-incident review data and near-misses, should be adopted.
Read the detailed conversation with Courtney Nash, Safety Systems Analyst, who discusses how organizations can go about adopting these new forms of reporting.

Confidential GKE Nodes now available on C2D VMs

Like Confidential VMs, they leverage the Secure Encrypted Virtualization (SEV) capability of AMD EPYC processors.
The compute-optimized C2D series offers up to 112 vCPUs and 896 GB of memory for performance-intensive workloads.
See pricing, and how a company used it for 5G monetization.

Amazon CloudWatch increases quotas for Logs Insights

Log group quota increased from 20 to 50.
Query timeout increased from 15 min to 60 min.
Concurrency quota increased from 20 to 30.

Amazon Managed Grafana support for network access control

Lets you restrict user access to your Grafana workspaces.
Open access requires authentication with the identity provider, but applies no restrictions on VPC endpoints.
Restricted access lets you specify traffic that is allowed to reach your workspace with prefix lists and IP address ranges.

Must-read: Analysis & Advice

Threat modeling of cloud platform services by cyber expert

Ken Wolstencroft walks through a threat model of the Google Cloud Storage service as a worked example of the STRIDE framework.
STRIDE framework: STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege.
What’s inside: He maps all potential weaknesses of the Storage service, provides a list of potential threats with STRIDE threat categorization, and 15 specific steps for threat mitigation.
It’s an exhaustive threat model that details all possible threats by mapping threat actors (internal and external) and their attack goals, to Google Cloud Storage service features.
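The mapping described above (threat actors and their goals against service features, each tagged with a STRIDE category and a mitigation) is easy to keep as structured data so that coverage gaps can be found mechanically. The block below is an added example written for this digest; it is not Ken Wolstencroft's threat model or Google's material. The feature names, threats and mitigations are constructed illustrations, and the functions report which STRIDE categories a feature has no recorded threat for and which threats still lack a mitigation, which is the check a reviewer would run before calling a model exhaustive.

```python
"""Coverage checks over a small STRIDE threat model of a storage service.

Added example for this newsletter; not the original threat model. Every
feature, threat and mitigation below is a constructed illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION_OF_PRIVILEGE = "Elevation of Privilege"


@dataclass
class Threat:
    feature: str              # service feature the threat targets
    actor: str                # "internal" or "external"
    category: Stride          # STRIDE classification
    goal: str                 # what the actor is trying to achieve
    mitigations: list = field(default_factory=list)


# Constructed features of an object-storage service (illustrative, not a complete list).
FEATURES = ["bucket IAM policy", "signed URLs", "object versioning", "audit logging"]

# Constructed threat entries: actor + goal mapped onto a feature and a STRIDE class.
THREATS = [
    Threat("bucket IAM policy", "external", Stride.INFORMATION_DISCLOSURE,
           "read objects from a bucket whose policy grants allUsers",
           ["enable public access prevention", "periodic review of IAM bindings"]),
    Threat("bucket IAM policy", "internal", Stride.ELEVATION_OF_PRIVILEGE,
           "use an over-broad role to alter other buckets' policies",
           ["least-privilege custom roles", "periodic access review"]),
    Threat("bucket IAM policy", "external", Stride.DENIAL_OF_SERVICE,
           "hammer a public bucket to run up egress cost",
           ["enable public access prevention", "budget alerts"]),
    Threat("signed URLs", "external", Stride.SPOOFING,
           "replay a leaked signed URL as if it were the intended recipient",
           ["short expiry", "scope the URL to one object and one HTTP method"]),
    Threat("object versioning", "external", Stride.TAMPERING,
           "overwrite objects using a stolen service-account key",
           ["versioning with a retention policy", "rotate and restrict service-account keys"]),
    # Deliberately left without a mitigation so the report flags it.
    Threat("audit logging", "internal", Stride.REPUDIATION,
           "act on data while Data Access audit logs are disabled, leaving no attribution",
           []),
]


def coverage(threats, features):
    """Per feature, the set of STRIDE categories that have at least one recorded threat."""
    covered = {f: set() for f in features}
    for t in threats:
        covered.setdefault(t.feature, set()).add(t.category)
    return covered


def gaps(threats, features):
    """Feature -> STRIDE categories with no recorded threat (candidates to analyse next)."""
    cov = coverage(threats, features)
    result = {}
    for f in features:
        missing = set(Stride) - cov[f]
        if missing:
            result[f] = sorted(missing, key=lambda c: c.value)
    return result


def unmitigated(threats):
    """Threats that have been identified but carry no mitigation step yet."""
    return [t for t in threats if not t.mitigations]


def actor_matrix(threats):
    """(actor, category) -> number of threats, to see which actor dominates each STRIDE class."""
    counts = {}
    for t in threats:
        key = (t.actor, t.category)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for feature, missing in gaps(THREATS, FEATURES).items():
        print(f"{feature}: no threat recorded for {[c.value for c in missing]}")
    for t in unmitigated(THREATS):
        print(f"UNMITIGATED: {t.feature} / {t.category.value} / {t.actor}: {t.goal}")
```

Running the script lists, for each feature, the STRIDE classes nobody has written a threat for, and any threat without a mitigation; a model is only "exhaustive" when both lists are empty or every remaining gap has been consciously accepted.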

Mitigating DDoS attacks with Azure Front Door

The CDN service can redistribute both encrypted and unencrypted DDoS traffic away from source systems during an attack, and layer 3, 4, and 7 DDoS protection is included with Azure Front Door (AFD).
Key takeaways: Integrate Azure Web Application Firewall with AFD, and use rate limiting, bot protection rulesets, custom rules, and geo-filtering to block suspicious traffic. If internet-facing Azure resources don’t use AFD, use the Azure DDoS Protection product. Connect source systems to AFD via Private Link.
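To make the three WAF controls in the takeaways concrete (geo-filtering, an IP-based custom rule, and a per-client rate limit), here is an added example that simulates their evaluation order over constructed request records. It is not Microsoft code and does not model the Front Door rule engine exactly; the thresholds, the placeholder country code "XX" and the documentation IP ranges (RFC 5737) are constructed for the demonstration. It shows why rate-limited requests still count toward the window, and what per-rule hit counts look like, which is the telemetry you would want from WAF logs during an attack.

```python
"""Simulated edge request filtering: geo-filter, IP block rule, sliding-window rate limit.

Added example for this newsletter, not Azure Front Door code. Values below are
constructed: "XX" is a placeholder country code and the IP ranges are the RFC 5737
documentation networks, not a real policy.
"""
from collections import defaultdict, deque
import ipaddress

RATE_LIMIT = 5                 # requests per client per window (constructed threshold)
WINDOW_SECONDS = 60            # sliding window length
BLOCKED_COUNTRIES = {"XX"}     # placeholder geo-filter list
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed custom IP rule


class EdgeFilter:
    """Evaluates requests in priority order: geo-filter, IP rule, then rate limit."""

    def __init__(self):
        self._windows = defaultdict(deque)   # client IP -> timestamps inside the window
        self.counts = defaultdict(int)       # rule name -> number of blocks

    def _rate_limited(self, client, ts):
        q = self._windows[client]
        # Drop timestamps that have aged out of the sliding window.
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        # Every request counts toward the window, including ones that get blocked,
        # so a client that keeps hammering stays blocked until it backs off.
        q.append(ts)
        return len(q) > RATE_LIMIT

    def evaluate(self, req):
        """req: dict with ts (seconds), ip, country (ISO code), path. Returns a decision string."""
        ip = ipaddress.ip_address(req["ip"])
        if req["country"] in BLOCKED_COUNTRIES:
            self.counts["geo_filter"] += 1
            return "block:geo_filter"
        if any(ip in net for net in BLOCKED_NETWORKS):
            self.counts["ip_block"] += 1
            return "block:ip_block"
        if self._rate_limited(req["ip"], req["ts"]):
            self.counts["rate_limit"] += 1
            return "block:rate_limit"
        return "allow"


def run_sample():
    """Run constructed sample traffic through the filter; returns (decisions, per-rule counts)."""
    f = EdgeFilter()
    requests = []
    # Constructed burst: 8 requests from one client within 8 seconds.
    requests += [{"ts": 100.0 + i, "ip": "198.51.100.7", "country": "US", "path": "/login"}
                 for i in range(8)]
    # Constructed request from a geo-blocked country.
    requests.append({"ts": 105.0, "ip": "192.0.2.44", "country": "XX", "path": "/"})
    # Constructed request from the blocked network.
    requests.append({"ts": 106.0, "ip": "203.0.113.5", "country": "US", "path": "/"})
    # Same burst client, 70 s after its first request: window has expired, allowed again.
    requests.append({"ts": 170.0, "ip": "198.51.100.7", "country": "US", "path": "/login"})
    requests.sort(key=lambda r: r["ts"])   # stable sort keeps insertion order for equal ts
    decisions = [f.evaluate(r) for r in requests]
    return decisions, dict(f.counts)


if __name__ == "__main__":
    decisions, counts = run_sample()
    for d in decisions:
        print(d)
    print(counts)
```

With the constructed traffic, the first five requests of the burst pass, the next three are rate-limited, the geo and IP rules each fire once, and the late request is allowed again because its client's window has emptied.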

Recently released Local SSDs with GKE for high-performance storage for AI/ML

Local SSDs directly attached to the host offer lower latency than Persistent Disks (PDs) and Filestore in exchange for lower durability.
The ephemeral storage Local SSD API should be used when no data is shared across pods; it is fully integrated with GKE.
The Local NVMe SSD Block API is ideal when multiple pods need to access the same data, but it isn’t fully integrated with the Kubernetes scheduler.

A comprehensive guide to platform engineering

It’s the trend that’s on everyone’s mind. And no, it does not mean the end of DevOps. Platform engineering, which reduces the cognitive load of application teams through internal developer platforms (IDPs), is an evolution of DevOps and is enabled by SRE (which focuses on infrastructure operations).
Building IDPs: Platform engineering usually begins with a platform engineer embedded within application teams, and scaling to an IDP team, which may decide to build its own platform (which is expensive), or use existing tools like Ambassador, configure8, Crossplane, Humanitec, or Port.
The upside: Platform engineering speeds development, deduplicates work, abstracts complexity, speeds onboarding of new members, boosts compliance, and improves developer experience.
Read this guide - it puts together all the key aspects well.

Other Updates

Caching for Azure Container Registry, which lets users cache container images from Microsoft Artifact Registry and Docker Hub, enters public preview.

New data source plugin for Google Cloud Logging lets you add logs to Grafana Explore dashboards.

AWS App Runner adds support for service-level metrics, such as CPU and memory utilization, total concurrent requests, and request/response counts, in the App Runner console.

Virtualization-based security enclaves, which offer the data protection features of Always Encrypted in Azure SQL Database independent of the underlying hardware, are now in public preview.

Serverless for Hyperscale in Azure SQL Database, which scales both compute and storage automatically based on workload demand for databases requiring up to 80 vCores and 100 TB, is now in public preview.

AWS Incident Detection and Response now lets you ingest events from New Relic via Amazon EventBridge with new integration.

AWS Network Firewall now lets you apply stateful firewall rules to tag-based resource groups of EC2 instances and Elastic Network Interfaces.

Where was most of the action last week with AWS, Azure and Google Cloud? Which products from these CSPs got the highest attention? Which cloud topics generated the most interest? Based on usage analysis of our 12,000+ subscribers among software engineers, DevOps engineers and solution architects.