1
AppSec USA 2014 Denver, Colorado Auto Scaling Web Application Security in the Cloud Misha Govshteyn Alert Logic
2
Misha Govshteyn Founder & Chief Strategy Officer Introduction
3
Topics We’ll Cover High-scale web app architecture components Auto scaling principles Common tools and approaches Implications on security infrastructure Architecting security infrastructure for auto scaling Q&A – What about PaaS?
4
Majority of applications in cloud environments are now using high-scale architecture Most operational functions are automated – Deployments are bootstrapped from Chef, Puppet, CloudFormation, Ansible – Scaling is driven programmatically Security is largely left behind Cloud Architecture is Evolving
5
Security vs DevOps role based organizationsrole based infrastructure management UIsAPIs command line promptsorchestration templates deployment docs & run books recipes & containers appliances & softwareservices change management windowscontinuous deployment scale upscale out deployment projectsauto-scaling
6
Amazon ELB with Auto Scaling groups Health monitoring – CloudWatch Bootstrapping/configuration automation – AWS CloudFormation – Chef/Puppet/Cfengine Basic Auto Scaling Tools Orchestrator on Google App Engine Auto Scale on Rackspace Cloud
7
Manage unhealthy EC2 compute instances Ensure minimum number instances are always running Launched new instances in event of failure or performance degradation (assume 30-120 seconds in most conditions) Seamlessly attach auto scaled compute instances to load balancer (ELB) Basic Auto Scaling Capabilities
8
AWS ELB provides load balancing service with thousands of EC2 servers behind them AWS ELB will automatically Scale up /down the load balancing servers in backend The theoretical maximum response rate of AWS ELB is limitless It can handle 20,000+ concurrent requests easily Elastic Load Balancer
9
Configuring Auto Scaling in AWS Launch Configuration Parameters for launching instances Auto Scaling Groups Post-launch parameters Auto Scaling Policy Scaling triggers Scaling EventAct of scaling itself
10
Configuring Auto Scaling in AWS Launch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling EventAct of scaling itself AMI ID Instance size Block devices Key pairs Security groups
11
Configuring Auto Scaling in AWS Launch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters - AZ, ELB, min & max servers to run Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling Event Act of scaling itself Minimum & maximum number of EC instances to run Cooldown parameters AZ & VPC ids where these instances will run
12
Configuring Auto Scaling in AWS Launch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling EventAct of scaling itself Initiate scaling activity Use CloudWatch metrics as triggers – EC2: CPU, dish, memory, network – ELB: healthy instances, HTTP code, latency, request count – RDS: CPU, database connections, memory, latency
13
Configuring Auto Scaling in AWS Launch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling EventAct of scaling itself Act of scaling up/down Notification of scaling activity
14
as-create-auto-scaling-group my-appsec-asg --launch-configuration my-test-config --availability-zones us-east-1b --min-size 1 --max-size 40 --default-cooldown 420 --desired- capacity 1 --load-balancers my-waf-elb1 Creating an Auto Scaling Group group name launch config min/max instances temporarily suspends time between scaling activities while new instances warm up
15
Create Auto Scaling Policy Use AWS CloudFormation templates to set defaults Allow admins to tune for specific requirements
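The four objects above (launch configuration, auto scaling group, scaling policy, and the CloudWatch alarm that raises the scaling event) map one-to-one onto CloudFormation resources. The following is an added example, not a template from the deck or from Alert Logic: it builds the worker-tier template that mirrors the as-create-auto-scaling-group call on the previous slide and then runs the checks a reviewer would want before the stack is created. The AMI id, subnet ids, security group name, instance type and logical resource names are placeholders.

```python
"""Build and sanity-check a CloudFormation template for an auto scaling group.

Added example, not the deck's own template. ami-12345678, subnet-aaaa1111,
subnet-bbbb2222, sg-wafworker and the c3.large instance type are placeholders.
"""
import json


def launch_configuration(ami_id, instance_type, security_groups, key_name):
    """Launch Configuration: what every instance in the group is built from."""
    return {"Type": "AWS::AutoScaling::LaunchConfiguration",
            "Properties": {"ImageId": ami_id, "InstanceType": instance_type,
                           "SecurityGroups": security_groups, "KeyName": key_name}}


def auto_scaling_group(launch_config, subnets, min_size, max_size, desired,
                       cooldown, load_balancers):
    """Auto Scaling Group: post-launch parameters (where, how many, cooldown, ELB)."""
    return {"Type": "AWS::AutoScaling::AutoScalingGroup",
            "Properties": {"LaunchConfigurationName": {"Ref": launch_config},
                           "VPCZoneIdentifier": subnets,
                           "MinSize": str(min_size), "MaxSize": str(max_size),
                           "DesiredCapacity": str(desired), "Cooldown": str(cooldown),
                           "LoadBalancerNames": load_balancers,
                           "HealthCheckType": "ELB", "HealthCheckGracePeriod": 300}}


def scaling_policy(asg, adjustment):
    """Auto Scaling Policy: add (positive) or remove (negative) instances."""
    return {"Type": "AWS::AutoScaling::ScalingPolicy",
            "Properties": {"AutoScalingGroupName": {"Ref": asg},
                           "AdjustmentType": "ChangeInCapacity",
                           "ScalingAdjustment": adjustment}}


def cpu_alarm(asg, policy, threshold, comparison):
    """CloudWatch alarm whose action is the scaling event."""
    return {"Type": "AWS::CloudWatch::Alarm",
            "Properties": {"Namespace": "AWS/EC2", "MetricName": "CPUUtilization",
                           "Dimensions": [{"Name": "AutoScalingGroupName", "Value": {"Ref": asg}}],
                           "Statistic": "Average", "Period": 60, "EvaluationPeriods": 3,
                           "Threshold": threshold, "ComparisonOperator": comparison,
                           "AlarmActions": [{"Ref": policy}]}}


def build_template(min_size=1, max_size=40, desired=1, cooldown=420):
    """Worker-tier template with the same sizing as the CLI example on the deck."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "WafWorkerLaunchConfig": launch_configuration(
                "ami-12345678", "c3.large", ["sg-wafworker"], "wsm-dev"),
            "WafWorkerGroup": auto_scaling_group(
                "WafWorkerLaunchConfig", ["subnet-aaaa1111", "subnet-bbbb2222"],
                min_size, max_size, desired, cooldown, ["my-waf-elb1"]),
            "ScaleOut": scaling_policy("WafWorkerGroup", 2),
            "ScaleIn": scaling_policy("WafWorkerGroup", -1),
            "CpuHigh": cpu_alarm("WafWorkerGroup", "ScaleOut", 70.0, "GreaterThanThreshold"),
            "CpuLow": cpu_alarm("WafWorkerGroup", "ScaleIn", 20.0, "LessThanThreshold"),
        },
    }


def check_template(template, warmup_seconds=120):
    """Invariants to verify before creating the stack. Returns a list of findings."""
    res = template["Resources"]
    findings = []
    by_type = lambda t: [(n, r) for n, r in res.items() if r["Type"] == t]
    for name, r in by_type("AWS::AutoScaling::LaunchConfiguration"):
        if not r["Properties"].get("SecurityGroups"):
            findings.append(f"{name}: no security group, instances would launch into the default SG")
    for name, r in by_type("AWS::AutoScaling::AutoScalingGroup"):
        p = r["Properties"]
        lo, hi, want = int(p["MinSize"]), int(p["MaxSize"]), int(p["DesiredCapacity"])
        if not lo <= want <= hi:
            findings.append(f"{name}: min/desired/max {lo}/{want}/{hi} out of order")
        if int(p["Cooldown"]) < warmup_seconds:
            findings.append(f"{name}: cooldown {p['Cooldown']}s shorter than {warmup_seconds}s warm-up")
        if hi > 1 and len(p["VPCZoneIdentifier"]) < 2:
            findings.append(f"{name}: scalable group confined to a single subnet/AZ")
        if p["LaunchConfigurationName"]["Ref"] not in res:
            findings.append(f"{name}: dangling launch configuration reference")
    for name, r in by_type("AWS::AutoScaling::ScalingPolicy"):
        if r["Properties"]["AutoScalingGroupName"]["Ref"] not in res:
            findings.append(f"{name}: policy targets an unknown group")
    for name, r in by_type("AWS::CloudWatch::Alarm"):
        for action in r["Properties"]["AlarmActions"]:
            if res.get(action["Ref"], {}).get("Type") != "AWS::AutoScaling::ScalingPolicy":
                findings.append(f"{name}: alarm action is not a scaling policy")
    return findings


if __name__ == "__main__":
    tpl = build_template()
    print(json.dumps(tpl, indent=2))
    print("findings:", check_template(tpl))
```

Write the JSON to a file and run `aws cloudformation validate-template --template-body file://template.json` (or the legacy `cfn-validate-template` used elsewhere in this deck) for the syntax check that CloudFormation itself performs; the local checks above cover the sizing and wiring mistakes that are syntactically valid but still wrong.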
16
Auto Scaling In Action
17
1.DESIGN FOR FAILURE 2.MULTIPLE AVAILABILITY ZONES 3.SCALING 4.SELF-HEALING 5.LOOSE COUPLING Designing for Scale
18
Architecture Principles Designed for failure – Horizontally scaled – Fast bootstrap – Health/load conditions as scaling triggers Loosely coupled – Independent components – As stateless as possible – Minimal interactions web tier is easiest to scale if you make right design decisions if you make right design decisions …security infrastructure is another matter …security infrastructure is another matter
19
Simple auto-scaling stack – 2 layers of Elastic Load Balancers (ELB) – WAF Proxies – Web server tier Problems – Extremely slow bootstrap – Tightly coupled Auto Scaling Web App Firewalls? ELB WAF ELB HTTP
20
Make your security application stack stateless – Every component is a black box – Decouple interactions between management and data processing planes – Use cloud infrastructure to make interactions asynchronous Abstracting Application Security Components ELB WAF ELB HTTP WAF Master ELB S3/EBS
21
ASG Group 1 - Master Controller Min-size 1 Max-size 1 ELB health checks to ensure an instance is up Will recreate itself from configuration data in S3 ASG Group 2 - Processing Workers Min-size 2 Max-size (depends) Use Auto Scaling policy to scale on-demand 1.Separate Processing & Control Planes
22
Store instance configuration data in S3 – Master instance stores data in Amazon S3 – Worker instances retrieve configuration as they spin up – Simple way to make resource instantiation asynchronous 2. Reduce and Abstract Interactions
23
3. Store Persistent Data on EBS Amazon EBS Log Volume Store all log and statistics data for master instance Persist data in case of master instance termination If master has to be restarted, persisted data remains intact – nothing stops working – nothing stops working
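The handoff described in steps 1-3 (master writes configuration to S3, workers read it as they boot, state that must survive a restart lives off-instance) turns the S3 bucket into the trust anchor of the WAF tier: whoever can write to it reconfigures every worker that launches afterwards. The deck does not say how workers validate what they pull down, so the following added example (my sketch, not Alert Logic's code) shows the check a practitioner would add on that path: the master attaches an HMAC to each versioned config object, workers verify it in constant time before applying the config, and a worker refuses to move to an older version than it has already applied. FakeBucket stands in for S3 so the example runs offline, and the object key names and the shared signing key (assumed to be delivered through an instance-profile-protected secret) are constructed for the example.

```python
"""Control plane to processing plane handoff through an object store.

Added example, not Alert Logic's code. FakeBucket replaces S3 so this runs
offline; key names under wsm/config/ and the signing key are constructed.
"""
import hashlib
import hmac
import json


class FakeBucket:
    """In-memory stand-in for an S3 bucket (constructed for this example)."""

    def __init__(self):
        self.objects = {}

    def put(self, key, body):
        self.objects[key] = bytes(body)

    def get(self, key):
        return self.objects[key]


def serialize(config):
    """Canonical bytes: sorted keys so master and worker hash the same string."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def master_publish(bucket, signing_key, config):
    """Master writes an immutable versioned object plus its HMAC, then flips the
    'current' pointer. A restarted master can rebuild itself from these objects."""
    body = serialize(config)
    tag = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    version = int(config["version"])
    bucket.put(f"wsm/config/v{version}.json", body)
    bucket.put(f"wsm/config/v{version}.hmac", tag.encode())
    bucket.put("wsm/config/current", str(version).encode())
    return version


def worker_bootstrap(bucket, signing_key, last_applied_version=0):
    """Worker fetches the current config, verifies it and rejects rollbacks.

    Returns the verified config dict; raises ValueError on any failed check.
    """
    version = int(bucket.get("wsm/config/current").decode())
    if version < last_applied_version:
        raise ValueError(f"rollback: current v{version} older than applied v{last_applied_version}")
    body = bucket.get(f"wsm/config/v{version}.json")
    tag = bucket.get(f"wsm/config/v{version}.hmac").decode()
    expected = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):          # constant-time compare
        raise ValueError(f"config v{version} failed integrity check")
    config = json.loads(body)
    if int(config["version"]) != version:
        raise ValueError("version inside config disagrees with object name")
    return config


def bootstrap_result(bucket, signing_key, last_applied_version=0):
    """Non-raising wrapper: ('ok', config) or ('rejected', reason) for callers that log."""
    try:
        return "ok", worker_bootstrap(bucket, signing_key, last_applied_version)
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    key = b"replace-with-secret-from-instance-profile"   # constructed
    bucket = FakeBucket()
    master_publish(bucket, key, {"version": 1, "upstream_elb": "my-app-elb", "mode": "block"})
    print(bootstrap_result(bucket, key))
```

In a real deployment the same idea is enforced at two more layers: an S3 bucket policy that lets only the master's instance role call PutObject and only the worker role call GetObject, and S3 object versioning so an overwritten config can be recovered. Replacing the shared HMAC key with an asymmetric signature is the further step, since then a compromised worker holds only the public key and cannot forge configuration for its peers.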
24
Web Traffic Flow Browser clients connect to worker Amazon ELB Traffic is load balanced to WAF workers WAF workers proxy traffic Amazon ELB that scales web server instances
25
Complete Stack – Prior to Automation Amazon Web Services Amazon ELB Master Group Amazon ELB Worker Group Amazon S3 Buckets NAT Instances WAF Master Instance Amazon EBS Log Volumes WAF Worker Instances
26
Using CloudFormation Templates 1 2 3
27
Command Line Example $ cfn-create-stack test-backend --template-file wsm-test-backend-only.cloudformation.template --parameters "sshKeyName=wsm-dev" arn:aws:cloudformation:us-east-1:355864928133:stack/test-backend/26028db0-0352-11e3-895a-500162a66ca8 Use cfn-create-stack to start creation.cfn-create-stack $ watch cfn-describe-stack-events test-backend Every 2.0s: cfn-describe-stack-events test-backend Mon Aug 12 08:23:44 2013 STACK_EVENT test-backend test-backend AWS::CloudFormation::Stack 2013-08-12T13:24:20.321Z CREATE_COMPLETE STACK_EVENT test-backend eipNAT2 AWS::EC2::EIP 2013-08-12T13:24:17.802Z CREATE_COMPLETE STACK_EVENT test-backend eipNAT1 AWS::EC2::EIP 2013-08-12T13:24:17.769Z CREATE_COMPLETE STACK_EVENT test-backend routeNAT2 AWS::EC2::Route 2013-08-12T13:24:01.615Z CREATE_COMPLETE STACK_EVENT test-backend routeNAT1 AWS::EC2::Route 2013-08-12T13:24:01.144Z CREATE_COMPLETE You can use cfn-describe-stack-events along with watch to view the stack creation.cfn-describe-stack-events Once complete, cfn-describe-stacks will return the cloud formation stack outputs.cfn-describe-stacks $ cfn-describe-stacks test-backend STACK test-backend CREATE_COMPLETE Cloud Formation for Auto Scaling Alert Logic Web Security Manager vpc=vpc-591b9337;elbBackend=test-back- elbBacke-17N275T20CGQ9-1608750954.us-east-1.elb.amazonaws.com;routeTableNAT1=rtb-e71b9389;routeTableNAT2=rtb- e61b9388;paramsForWSM=vpc=vpc-591b9337;elbBackend=test-back-elbBacke-17N275T20CGQ9-1608750954.us-east- 1.elb.amazonaws.com;routeTableNAT1=rtb-e71b9389;routeTableNAT2=rtb-e71b9389;subnetPublic1=subnet-fd1b9393;subnetPublic2=subnet-e21b938c 2013-08-12T13:21:51.116Z
28
Base WAF Stack Ready
29
10gbps Environment Test
30
Questions? misha@alertlogic.com Thank you
31
What happens when applications look like this?