Cloud is a model for delivering computing services over a remote network. It is enabled by virtualization technology and features pay-as-you-go pricing for those services. Public cloud providers are equipped with virtually unlimited capacity and operate a broad suite of managed services. In the design of a cloud platform, we look at the five pillars of the Well-Architected Framework: operational excellence, security, reliability, performance efficiency, and cost optimization. Through this lens, we mainly look at these areas:
Cloud landing zone
A successful cloud platform lets application teams focus on business requirements. The backbone of a cloud platform is a landing zone, which typically addresses the security, networking and compliance requirements of the organization's IT footprint in the cloud. Both AWS and Azure publish guidance on multiple options for deploying landing zones.
Storage design
Enterprise applications often have specific requirements on IOPS and throughput. Selecting a storage service for a cloud platform must also take into account high availability, disaster recovery and cost efficiency.
Networking design
Networking design has a profound impact on the security posture and must be well thought out. It sets the foundation for high availability and fault tolerance. Also, how traffic flows in and out of the system significantly affects cost.
Infrastructure as code
Infrastructure-as-code tools fall into three categories: those based on a declarative data format such as JSON or YAML (ARM templates, CloudFormation), those based on a general-purpose programming language (Pulumi, AWS CDK), and those based on a domain-specific language (Terraform, Bicep). They differ in flexibility and in the skills they require.
More on cloud platform
- IAM Roles for any workload - Background A few months back a client of mine wanted to use a GitLab pipeline to deploy infrastructure on AWS with Terraform. The key question is how to authenticate the Terraform process running in the pipeline to AWS with temporary credentials. Having worked it out on GitHub, my proposal at the time…
- AWS Systems Manager is an Omnipotent Hodgepodge - Introduction to Systems Manager AWS Systems Manager addresses a lot of SysOps requirements for configuration management, including server automation. In this domain, there is another AWS service called OpsWorks. However, with OpsWorks Stacks, OpsWorks Chef and OpsWorks Puppet all reaching EOL in 2024, the entire OpsWorks service is mostly deprecated.…
- Istio External Authorization via OIDC - Istio service mesh allows application developers to offload non-core features to infrastructure layer. We explored authentication and authorization with Istio in a basic lab. In this post we continue to explore its capabilities with OIDC integration. This capability is made available thanks to the CUSTOM action in authorization policy, supported…
- AKS Lessons Learned 2 of 2 - Even though Azure Kubernetes Service (AKS) is a managed service, building a cluster is not trivial. For help resources, I would start with the webinar "Configure Your AKS cluster with Confidence" from April 2021, which focuses on a set of working best practices (convention over configuration) but obviously not every…
- AKS Lessons Learned 1 of 2 - In general, troubleshooting Kubernetes is tricky. That is because one has to get in and out of pods. I took two days to troubleshoot some networking issues with a private AKS cluster. For the amount of tricks I had to employ, I need to take some notes. The issue After…
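The "IAM Roles for any workload" entry above asks how a Terraform job in a GitLab pipeline can get temporary AWS credentials. The usual answer is OIDC federation: the CI job presents the ID token GitLab issues for it, and AWS exchanges that token for short-lived role credentials via AssumeRoleWithWebIdentity. The Terraform below is an added example for this page, not code from that post; the group/project/branch in the `sub` claim, the role name and the token audience are assumptions to replace with your own, and the `sub` format follows GitLab's documented `project_path:<path>:ref_type:<type>:ref:<ref>` layout.

```terraform
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
    tls = { source = "hashicorp/tls" }
  }
}

# Assumed values for this example; replace with your own.
locals {
  gitlab_url     = "https://gitlab.com" # issuer of the CI job's ID token (self-hosted: your GitLab URL)
  gitlab_host    = "gitlab.com"         # prefix of the IAM condition keys for this provider
  token_audience = "https://gitlab.com" # must equal the `aud` declared under id_tokens in .gitlab-ci.yml
  allowed_sub    = "project_path:example-group/example-project:ref_type:branch:ref:main"
}

# Read the issuer's certificate chain so the provider thumbprint is not hand-copied.
data "tls_certificate" "gitlab" {
  url = local.gitlab_url
}

# Register GitLab as an OIDC identity provider in the account (one per account).
resource "aws_iam_openid_connect_provider" "gitlab" {
  url             = local.gitlab_url
  client_id_list  = [local.token_audience]
  thumbprint_list = [data.tls_certificate.gitlab.certificates[0].sha1_fingerprint]
}

# Trust policy: only a token issued by GitLab, for this audience, for exactly this
# project and branch, may assume the role. StringEquals on the full `sub` (rather
# than StringLike with a wildcard) keeps another project, a fork or a feature
# branch from assuming a role that can change production infrastructure.
data "aws_iam_policy_document" "trust" {
  statement {
    sid     = "GitLabOIDC"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.gitlab.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.gitlab_host}:aud"
      values   = [local.token_audience]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.gitlab_host}:sub"
      values   = [local.allowed_sub]
    }
  }
}

resource "aws_iam_role" "terraform_pipeline" {
  name                 = "gitlab-terraform-pipeline" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.trust.json
  max_session_duration = 3600 # one hour covers a plan/apply job; credentials expire on their own
}

# Attach the least-privilege permissions the pipeline's Terraform code actually
# needs to this role (aws_iam_role_policy_attachment); nothing is attached here.

output "role_arn" {
  value = aws_iam_role.terraform_pipeline.arn
}
```

On the GitLab side the job declares an ID token with `id_tokens:` and an `aud:` equal to `token_audience`, writes the token to a file, and exports `AWS_ROLE_ARN` (the `role_arn` output) and `AWS_WEB_IDENTITY_TOKEN_FILE`. The AWS SDK credential chain used by the Terraform AWS provider then performs the AssumeRoleWithWebIdentity call itself, so no static access key is stored in the pipeline. The `sub` condition is what scopes the trust: a token from a merge-request pipeline or another branch carries a different `sub` and is rejected.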
Contact Digi Hunch for Professional Services.