Skip to main content

Posts

Amazon EventBridge - Resource-based Policies and Lambda

Refer AWS Documentation here When a rule runs in EventBridge, all of the targets associated with the rule are invoked.  Rules can invoke AWS Lambda functions, publish to Amazon SNS topics or relay the event to Kinesis streams. To make API calls against the resources you own, EventBridge needs appropriate permissions. EventBridge uses Resource-based policies for: 1. Lambda 2. Amazon SNS 3. Amazon SQS 4. Amazon CloudWatch Logs  EventBridge uses Identity-based policies for: Kinesis streams  AWS Lambda Permissions will look something like below: {   "Effect": " Allow ",   "Action": " lambda:InvokeFunction ",   "Resource": "arn:aws:lambda:region:account-id:function:function-name",   "Principal": {     "Service": " events.amazonaws.com "   },   "Condition": {     "ArnLike": {       "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"     }   },   ...

Kubernetes - Concepts, Components & Use-Cases

Kubernetes (K8s) is an open-source container-orchestration platform for automating application deployment, management and scaling. Concepts 1. Kubernetes uses the concepts of pods - an object that consists of one or more containers which share network namespace 2. Kubernetes automates deploying, scaling and managing containerized application on a group (cluster) of (bare metal or virtual) servers, such as ensuring that in case a container within a pod crashes, it will be restarted. Use case: A developer needs 5 application containers on a host. The way he can do it using docker is type the command: "docker run <application_name>" individually 5 times, to create 5 containers on the host machine. What if a production environment requires 200 containers? If you have an automation script that does run the above command 200 times to create 200 containers, how do you monitor them? How do you ensure the underlying host resources aren't stretched or depleted? K8s to the res...

Container Concepts

Container = Namespaces + CGroups + Layered Filesystem Namespaces A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace but are invisible to other processes. Namespaces limit how much you can see and therefore use: 1. PID 2. Network 3. UTS 4. Mount 5. IPC 6. User CGroups (Control Groups) Control groups are a Linux kernel feature which allows processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored. CGroups limit how much you can use: 1. CPU 2. Memory Layered Filesystem Different files and directory structures are layered in order and on top of each other to be reflected as one directory tree.      Layered Filesystem allows reuse and push/pull deltas. It's an advanced multilayered...

Tejas Jain - GCP Constraints & Random Facts

1.  Google Cloud Interconnect Security Cloud Interconnect does not encrypt the connection between your on-premises network and Google's network. Cloud VPN cannot be used with Dedicated Interconnect For additional security, use application-level encryption or your own VPN 2. While using Cloud CDN, the default time-to-live (TTL) for content caching is 3600 seconds = 60 mins 3. Cloud NAT sends only the translation logs and error logs to Cloud Logging service. 4. GCP Dedicated Interconnect - On Premises network device requirements:     10-Gbps circuits, single mode fiber or 100-Gbps circuits, single mode fiber     IPv4 link local addressing     LACP, even if you are using single circuit     EBGP-4 with multi-hop     802.1Q VLANs 5. While using Cloud VPN, the recommended MTU to be configured on the peer VPN  gateway = 1460 bytes 6. Each instance must have at least one network interface. The maximum number of network instances per ...

Tejas Jain - GCP Notes#2

Virtual Private Cloud (VPC) VPC Networks Global resources (not associated with any zone) and include subnets, routes and firewall rules VPC Networks do not have any IP addresses associated with them (unlike AWS) Resources within a VPC can communicate with one another using the internal IP addresses By default, resources in two different VPCs cannot communicate with each other. The communication can be facilitated by VPC Network Peering VPC networks support IPv4 unicast traffic only. They do not support broadcast, multicast or IPv6 traffic within the network   VPC Subnets Subnets represent VPC Network partitions using one or more useful IP address ranges Subnets are regional resources. Each subnet comprises of a range of IP addresses. These can be primary IP ranges or secondary IP ranges (alias) A network must have at least one subnet before it can be used More than one subnet per region can be created VPC Network supports following modes of subnet creation:     Auto Mode...

Tejas Jain - GCP Notes#1

Google Cloud Network Constructs VPC VPC Routes Firewall Rules VPC Peering Shared VPC Internal and External IPs Static and Ephemeral IPs VPC Subnets Private Access  VPC Flow Logs Hybrid Connectivity Cloud VPN Cloud Interconnect Cloud Router Cloud NAT Cloud Peering Cloud Load Balancing Cloud CDN Cloud DNS

Tejas Jain - AWS Notes #1

AWS Organizational Hierarchy AWS Organizations "must" be the starting point of your AWS deployment. (unless you are absolutely sure that it won't scale.. highly unlikely!!) An AWS Organization comprises of multiple "Organizational Units (OUs)". OUs comprise of other OUs or member "AWS Accounts".  Image credits : Here Tip : Design the OUs such that they complement with your organizational hierarchy and businesses and sub-divisions. For eg.  Company XYZ maps to an AWS Organization,     --  Finance maps an OU,         --   Investment Banking within Finance maps to a sub-OU               -- Investment Banking Prod environment maps to an AWS Account               -- Investment Banking Non-Prod environment gets another AWS Account               -- Investment Banking Dev environment gets another AWS Account ...