Considering Google Compute Engine to supplement our AWS stack, some comparison questions - ruby

We're exploring using GCE alongside our AWS deployment and I've a few questions coming from AWS.
It doesn't seem like the GCE Load Balancers support SSL (as in encrypting HTTP traffic into HTTPS via the load balancer). I saw in the docs that it's something that's coming... does anyone know any good workarounds and possibly the timelines for actual support of this?
We use SQS on AWS a fair bit, and would like to use something similar on GCE. It looks like there are Task Queues, but we've had a lot of trouble making them work in Ruby, for various reasons; the docs seem somewhat lacking, even when trying to test them out in the built-in "try it out" tool. Does anyone have experience getting them to work who could point us to a) a working Ruby client library for it, b) perhaps more complete docs (we have not even been able to issue a single authenticated request to them)?
PubSub: we use SNS on AWS, and would like something similar on GCE. Is PubSub the answer? It seems like it's in an invitation-only beta right now? Any idea how we can get in and play with it?
Thank you.

How to provide mutual TLS (mTLS) with Spring application in Kubernetes?

I have an interesting problem, maybe you could help me out.
There are two Spring applications, called app1 and app2. There are plenty of REST calls happening to both of the services. I need to implement a security solution where both of them can communicate with each other over REST, protected by mutual TLS (mTLS, where each app has its own cert for the other).
Implementing it the standard way isn't that hard, Spring has solutions for it (with keystores, etc.), but the twist is, I have to create it in a Kubernetes environment.
The two apps are not in the same cluster, so app1 is in our cluster but app2 is deployed in one of our partner's systems.
I am pretty new to k8s and not sure what the best method to achieve this is. Should I store the certs or the keystore(s) as secrets? Use and configure nginx ingress somehow, or maybe Istio would be useful? I really want to find the optimal solution but I don't know the right way.
I would really like it if I could configure it outside my app and let k8s take care of it, but I am not sure if it is the right thing to do.
Any help would be really appreciated, some guidance to find the right path or some kind of real life examples.
Thank you for your help!
Mikolaj has probably covered everything, but still let me add my two cents.
I don't have much experience working with Istio, however I would also suggest checking out the Linkerd service mesh.
Step 1.
Even if you are on multi-cloud (GKE & EKS or similar), it will still work.
Multicluster guide details and installation details
Linkerd will use the trust anchor between the clusters so traffic can flow encrypted and not be exposed to the public internet.
You have to generate the certificate which will form a common base of trust between clusters.
Each proxy will get a copy of the certificate and use it for validation.
The answer to your problem will be more complex as there is no one-size-fits-all solution that turns out to be the best. It all depends on what exactly you want to do and what tools you have for it. suren mentioned it very well in the comment:
if you are still in the stage of PoC, then note that there are a couple of ways of achieving what you want. Istio would be a valid way, for example. You could have the other service in a ServiceEntry, enable mTLS and there you go. You don't even have to manage secrets for this specific scenario, as it is automatic. But there are other ways. Even with Istio there are other ways. If you are on any cloud provider, you might have some managed services as well
This is a very good comment and I would also recommend an Istio-based solution to you. First of all, check the official mTLS documentation for Istio. You will also find specific usage examples and sample configuration files there.
You also mentioned in the question that your application will run between two clusters. Take a look at this tutorial, which shows exactly how to solve this situation:
Istio injects an envoy sidecar to every pod and makes sure all the traffic goes through the envoy proxy. Envoy proxies compose the data plane. The control plane manages the Envoy sidecars. In previous versions of Istio, the control plane used to have other components, such as Pilot, Citadel, and Galley. These components got consolidated into a single binary called “istiod”. The control plane also deals with the configurations, certificates, secrets, and health checking.
For more information, look also at a related problem on Stack Overflow and another tutorial.
Take into account that in addition to Istio itself, you will be able to use ready-made cloud solutions, for example those available on GKE, i.e. Configuring TLS and mTLS on the Istio ingress.
Another way might be to use the Anthos Service Mesh tool, for example: mTLS.
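One concrete shape for the Istio route suggested in this answer: app1's sidecar is forced to STRICT mTLS inside the mesh, and the partner's app2 is declared as a ServiceEntry so the sidecar originates mTLS to it with app1's own cert and pins the partner's CA. This is an added example, not configuration from any of the answers; the namespace app1-ns, the host app2.partner.example and the mount path /etc/app1-certs are assumptions.

```yaml
# Added example, not from the answers above. Assumed names: namespace app1-ns,
# partner host app2.partner.example, cert files mounted at /etc/app1-certs
# (a Kubernetes Secret mounted into the istio-proxy container).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: app1-ns
spec:
  mtls:
    mode: STRICT            # in-mesh peers must present an Istio mTLS cert; plaintext is refused
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: app2-partner
  namespace: app1-ns
spec:
  hosts:
  - app2.partner.example
  location: MESH_EXTERNAL   # app2 lives in the partner's cluster, outside this mesh
  resolution: DNS
  ports:
  - number: 80              # app1 calls http://app2.partner.example:80 ...
    name: http-port
    protocol: HTTP
    targetPort: 443         # ... and the sidecar sends it on as TLS to 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: app2-partner-mtls
  namespace: app1-ns
spec:
  host: app2.partner.example
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: MUTUAL                                   # sidecar originates mTLS on app1's behalf
        clientCertificate: /etc/app1-certs/tls.crt     # app1's own cert, from the mounted Secret
        privateKey: /etc/app1-certs/tls.key
        caCertificates: /etc/app1-certs/partner-ca.crt # only the partner's CA is trusted for app2
        sni: app2.partner.example
```

The Secret holding these files must be mounted into the sidecar container rather than the app container (the sidecar.istio.io/userVolume and sidecar.istio.io/userVolumeMount pod annotations are one way to do that), and the partner side needs the mirror image of this configuration if app2 also sits behind a sidecar.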

How to properly determine Amazon AWS Heroku subnets?

I need to be able to enable access through a firewall to a server for an app that is built atop Heroku. Unfortunately the IPs coming from Heroku's AWS instances seem to vary quite a bit. Is there a "correct" way of determining what subnet to expect from Heroku's AWS platform for an app?
As unfortunate as this is -- there isn't a good way to continuously get this information. On the AWS forums, however, the EC2 engineers tend to occasionally post their IP ranges (here is a recent example: https://forums.aws.amazon.com/ann.jspa?annID=1701).
The downside to this, however, is that it requires a lot of manual work.
There is no reliable way to accept Heroku public IPs in firewalls. Even if there was, you would be compromising your application and opening up an attack vector via other apps on Heroku.
The solution is to have an adequate authentication layer in your exposed services.
This question was asked a few years ago back when services like Proximo didn’t exist -- or weren’t known within the Heroku community.
Today, if you want your outbound traffic to come through a static IP which you can whitelist in your firewall, you can use a proxy service like Proximo (Fixie is another example).
There are a few downsides to using these services:
1) Intrusive Setup
Although the setup of these addons is relatively simple, it’s important to understand how they affect the application.
In case of Proximo, for example, you’ll be required to wrap your processes in a special utility.
This utility will “automatically forward outbound TCP connections made by the wrapped process over your proxy.”
2) Latency
To make your outbound traffic come from a static IP, these services route the traffic through a proxy. This means you’ll add another hop to your outbound communication.
I know that applications that run on Heroku usually aren't very sensitive to network latency, but it's important to take this issue into consideration.
3) Uptime
Although these services are relatively stable, it should be noted that routing the traffic through a specialized third-party proxy adds another point of failure and may affect the overall stability of your applications.
To summarize, these services will help you solve the problem. However, I would consider using them as a temporary workaround, not a complete solution.
Rest assured that these kinds of fixes can hold for a very long time, but if security becomes increasingly more important for the applications you’re running on Heroku, it can be a good idea to start planning a migration to AWS.
If you're wondering when the best time for your team to make the transition to AWS might be, I've shared a few notes here: "Will Heroku always be perfect?"
Hope that helps.

Can Amazon actually read my code stored at AWS?

I don't know if this is the right place to ask, but I'm developing a web application, and I suggested using AWS. Nevertheless, my bosses are concerned about Amazon being able to read/steal our code. I don't know why Amazon would want to get my code, but I'm not the one who is worried about that.
I guess there should be some kind of encryption, or at least a legal clause in the AWS user contract that says Amazon won't do that or that you will be able to sue them. The thing is, I haven't been able to find this information so far.
Does anyone know where to find this information? I really want them to let me use AWS, since I think it is a great opportunity to learn about this technology.
Bonus: I know there are similar services, such as Heroku or OpenStack. I will also accept the kind of information resource I'm searching for about any other similar services. But unless anyone can point out that AWS is not the best option out there, I'd rather stick to AWS.
A) You should assume they can read your code. B) You should also assume they don't care about your code.
Edit: Possibly more useful resources w/regards to AWS security
http://aws.amazon.com/articles/1697
http://aws.amazon.com/compliance/

Communication between Heroku apps

I've built a distributed system consisting of several web services and some web applications consuming them.
They are all hosted on Heroku.
Is there some way for requests between these applications to be made "inside Heroku" without going through the web?
Something analogous to using localhost.
You are maybe in luck: such a feature has currently reached the experimental phase.
Let me take a moment to underscore that: this feature may disappear or change at any time. It's not supported, but bug reports are appreciated. Don't build a bank with it. Don't get yourself in a position to be incredibly sad if severe problems are found that render it unshippable and it's aborted.
However, it is still cool, and here it is: containerized-network
You can use, for example, the pub-sub interface of any of the hosted Redis solutions. Or any of the message brokers (IronMQ, RabbitMQ) to pass messages.

What gem should I use to work with AWS

I'm currently writing an application in Ruby on Rails that uses AWS. I see two options for gems, aws-sdk and fog. Fog seems to support almost all of the AWS services except for SNS (which I wanted to use :/) and has mock services for testing, not to mention you can swap in Rackspace or a different provider rather easily. Is there any big reason why I should use AWS's SDK? It supports SNS, but not RDS, and does not come with mocking.
If I'm missing something please let me know as I am new to this.
Thanks in advance.
You may also want to check out RightAWS, though unfortunately it doesn't have support for SNS either. It was one of the first libraries available and provides support for most of the functionality. However, fog is releasing new versions more often, is catching up quickly and is a bit more high level. The aws_sdk was only released recently and the main reason to go with it is that it comes from Amazon itself and will likely become the standard. This is why we included it in RubyStack. We expect that people will provide higher level libraries that will build on top of it.
aws-sdk supports SNS but does not mock the services. It does however provide basic stubbing:
AWS.stub!
This causes all service requests to "do nothing" and return "empty responses". It is used extensively inside the specs provided with the gem. This is not the same as mocking a service but it can be a useful testing aid.