As we design our cloud infrastructures, we may implement a number of useful technologies. In this video, you’ll learn about infrastructure as code, orchestration, VPC endpoints, VM sprawl, and more.
The cloud has completely changed the way that we implement and design our applications. One significant feature of cloud-based technology is that everything is on demand. You click a button, you’ve got a server. You click another button, you’ve got a switch. You can click a button and create a server or an entire suite of servers instantly.
You can also take an existing series of systems and increase the number of resources available to those systems without anybody even realizing you’re making a change. This is called elasticity. It allows you to scale up or scale down the systems, as you need. This means that you can create exactly the system you need to be able to run an application at any particular time without wasting resources or money.
And because many of these cloud-based infrastructures are accessible from the internet, you can build an entire infrastructure which can be accessed from anywhere in the world. This means that access to your important data can really be available to anyone. And perhaps most importantly, we’re able to do all of this at a relatively reasonable cost.
These costs are kept low because the cloud providers take advantage of multitenancy. This means that they have many customers using this cloud-based infrastructure, and they’re able to separate out all of those users. So from the user’s perspective, it looks like they’re the only one in the data center. But they’re able to scale and manage all of these resources across hundreds, or even thousands, of customers.
Since most of what’s happening inside the cloud is software-based, we should be able to define our entire infrastructure in software. We refer to this as infrastructure as code, where you could create code that defines what a web server looks like, what the routers and configurations for your switches are designed to be, and you can modify and update those versions by simply modifying and updating the code.
This also means that we can use this existing code to create many duplicate instances. So if we need to create another instance of an application, you’re, effectively, copying and pasting to be able to build out an entirely new infrastructure. This ability to define our entire infrastructure as code is a foundation of cloud-based technologies. And it also means that we can build one entire perfect system and then begin duplicating that system automatically.
To be able to really take advantage of infrastructure as code, we need some way to automate everything that happens behind the scenes. We refer to this cloud-based automation as orchestration. This means that we could build out entire application instances, or tear down those application instances, with the code that we’re providing to the cloud.
This gives us instant access to these resources and allows us to manage every aspect of all of these systems. This means that we could automatically follow the sun. As people are becoming active during the day in one country, we could build out systems automatically in that country. And as people are going to sleep, we could tear those systems down and build out new systems in another data center that might be closer to where people are active.
But this is more than simply building out an application and tearing those application instances down. This also involves every other aspect of the infrastructure. For example, we can add security policies. So when we’re building out this new piece of the infrastructure, we can include all of the security components and the security policies to make sure that all of those applications and the data is safe.
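Here is an added example of what the last few paragraphs describe, written for this page rather than taken from the video or from any real infrastructure-as-code tool: one server is defined once in code, stamped out as many identical instances, cloned into another region, and a security policy check runs over the definition before any plan is handed to the orchestrator. The resource types, field names, CIDR ranges and policy rules are all hypothetical stand-ins for what a tool such as Terraform together with a policy engine would provide.

```python
"""Infrastructure as code with security policy checks built in.

Added example; not the video's code and not any real IaC tool's API.
Resource types, field names and policy rules are hypothetical.
"""
import copy
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass
class FirewallRule:
    port: int
    source_cidr: str          # who may connect to this port
    proto: str = "tcp"


@dataclass
class Server:
    name: str
    image: str
    size: str
    subnet: str
    public_ip: bool
    rules: List[FirewallRule]
    disk_encrypted: bool = True


@dataclass
class Stack:
    app: str
    name: str
    region: str
    servers: List[Server]


def web_tier(app: str, region: str, count: int) -> Stack:
    """Define one web server once and stamp out `count` identical copies."""
    name = f"{app}-{region}"
    template = Server(
        name="web", image="ubuntu-22.04", size="small",
        subnet=f"{name}-private", public_ip=False,
        rules=[FirewallRule(443, "10.0.0.0/8"),       # app traffic from inside the VPC
               FirewallRule(22, "10.0.100.0/24")],   # SSH only from the bastion subnet
    )
    servers = [replace(template, name=f"web-{i}", rules=copy.deepcopy(template.rules))
               for i in range(count)]
    return Stack(app, name, region, servers)


def check_policy(stack: Stack) -> List[str]:
    """Security policy as code: return every violation, empty list if clean."""
    findings = []
    for s in stack.servers:
        if s.public_ip:
            findings.append(f"{s.name}: public IP on a tier that should sit behind a load balancer")
        if not s.disk_encrypted:
            findings.append(f"{s.name}: disk encryption disabled")
        for r in s.rules:
            if r.source_cidr == "0.0.0.0/0" and r.port not in (80, 443):
                findings.append(f"{s.name}: port {r.port}/{r.proto} open to the whole internet")
    return findings


def plan(stack: Stack) -> List[Dict[str, str]]:
    """List the resources the orchestrator would create.

    Refuses to plan when the policy check fails, so an insecure definition
    is never handed to the cloud provider.
    """
    findings = check_policy(stack)
    if findings:
        raise ValueError("policy violations: " + "; ".join(findings))
    resources = [{"type": "subnet", "name": f"{stack.name}-private", "region": stack.region}]
    for s in stack.servers:
        resources.append({"type": "server", "name": s.name, "region": stack.region,
                          "image": s.image, "size": s.size, "subnet": s.subnet})
        for r in s.rules:
            resources.append({"type": "firewall_rule", "name": f"{s.name}-{r.port}",
                              "region": stack.region, "target": s.name,
                              "allow": f"{r.proto}/{r.port} from {r.source_cidr}"})
    return resources


def clone_to_region(stack: Stack, region: str) -> Stack:
    """Duplicate a whole stack into another region: same code, new instance."""
    clone = copy.deepcopy(stack)            # deep copy so rule lists are not shared
    clone.name, clone.region = f"{stack.app}-{region}", region
    for s in clone.servers:
        s.subnet = f"{clone.name}-private"
    return clone


if __name__ == "__main__":
    us = web_tier("shop", "us-east", 3)
    for resource in plan(us):
        print(resource)
    eu = clone_to_region(us, "eu-west")
    print(len(plan(eu)), "resources planned in", eu.region)
```

The point of `plan()` refusing to run on a policy failure is that the security policy travels with the code: every duplicate built from the same definition inherits the same firewall rules and encryption settings, and a later edit that opens SSH to the world is caught before the orchestrator ever sees it.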
If you’ve built a virtual private cloud on a third party provider, but you want that cloud to be private, then you’re going to need some way to connect to that cloud that does not provide access from the rest of the internet. One easy way to do this is by using a Virtual Private Network, or a VPN. Being able to connect from one site to another over this VPN means that you can have encrypted communication into your cloud-based system, but it would prevent any access by anyone else.
There may be times when you’re building out your own virtual private cloud, but you would like to provide access to other folks on the internet. To provide that access, you would create a virtual private cloud internet gateway and connect that gateway to the internet. This means that anyone on the internet would be able to use that gateway to gain access to all of your virtual machines and application instances.
It’s becoming increasingly common in today’s cloud-based infrastructures to use many different cloud providers. And there may be times when you have virtual systems or application instances with one cloud provider that need to access data or storage at another cloud provider. To be able to connect those two together, you would use a virtual private cloud endpoint to give that direct connection between those cloud providers.
Here’s an example of using a VPC endpoint. We’ve created a virtual machine in this private subnet within a virtual private cloud on one provider. On a different cloud provider, we have a separate storage network. And we have a bucket, which is a resource containing our files. We need some way to connect this virtual machine to this bucket. In order to do that, we would add a virtual private cloud endpoint, which would then connect to the cloud storage that’s on that separate storage network provider.
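The following is an added example, not from the video, that models the three ways just described of getting from a VM to a bucket: no route out of a private subnet, an internet gateway, or a VPC endpoint. The endpoint is represented as a route from the private subnet toward the storage provider's address range, and the bucket carries a policy that only admits requests arriving through named endpoints. All identifiers and the storage range (203.0.113.0/24, a documentation prefix) are constructed.

```python
"""Which path a VM in a private subnet has to a storage bucket.

Added example, not from the video. Models a subnet route table, an internet
gateway and a VPC endpoint as route targets, plus a bucket policy restricted
to named endpoints. Identifiers and address ranges are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

STORAGE_RANGE = "203.0.113.0/24"   # constructed: the storage provider's public prefix
STORAGE_IP = "203.0.113.10"        # constructed: address the bucket service answers on


@dataclass
class Route:
    dest: str     # CIDR this route covers
    target: str   # "local", "igw-<id>" (internet gateway) or "vpce-<id>" (VPC endpoint)


@dataclass
class Subnet:
    name: str
    routes: List[Route]


@dataclass
class Bucket:
    name: str
    allowed_endpoints: Set[str] = field(default_factory=set)  # empty: no endpoint restriction


def next_hop(subnet: Subnet, dest_ip: str) -> Optional[str]:
    """Longest-prefix match over the subnet's route table."""
    ip = ipaddress.ip_address(dest_ip)
    best: Optional[Route] = None
    for r in subnet.routes:
        net = ipaddress.ip_network(r.dest)
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best.dest).prefixlen):
            best = r
    return best.target if best else None


def path_to_bucket(subnet: Subnet, bucket: Bucket) -> str:
    """Describe how (or whether) a VM in `subnet` reaches `bucket`."""
    hop = next_hop(subnet, STORAGE_IP)
    if hop is None or hop == "local":
        return "unreachable"                    # private subnet with no route out
    if hop.startswith("vpce-"):
        if bucket.allowed_endpoints and hop not in bucket.allowed_endpoints:
            return "denied by bucket policy"    # wrong endpoint
        return f"private via {hop}"
    if hop.startswith("igw-"):
        if bucket.allowed_endpoints:
            return "denied by bucket policy"    # request did not arrive through an endpoint
        return f"public internet via {hop}"
    return "unreachable"


def internet_exposed(subnet: Subnet) -> bool:
    """True when the subnet has any route through an internet gateway."""
    return any(r.target.startswith("igw-") for r in subnet.routes)


if __name__ == "__main__":
    local_only = [Route("10.0.0.0/16", "local")]
    private = Subnet("app-private", local_only + [Route(STORAGE_RANGE, "vpce-0a1b")])
    public = Subnet("app-public", local_only + [Route("0.0.0.0/0", "igw-77")])
    files = Bucket("files", allowed_endpoints={"vpce-0a1b"})
    for sn in (Subnet("isolated", local_only), private, public):
        print(f"{sn.name:12} exposed={internet_exposed(sn)!s:5} -> {path_to_bucket(sn, files)}")
```

The combination to aim for is the one the video's diagram shows: the subnet has no internet gateway route at all, the only way out toward storage is the endpoint, and the bucket policy rejects anything that did not come through that endpoint. Each half protects against the other being misconfigured.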
We’ve already learned that building out the infrastructure needed in the cloud is a relatively simple process. You click a button, and you can create a service. That means if you click the button many times, you can create many different services. And very quickly, you’ll find that your cloud-based infrastructure is much larger than you were expecting. This can get out of hand very quickly, and you end up having to deal with virtual machine sprawl.
You’ve now created so many different systems, you’re not really sure which virtual machines connect to which applications, and you don’t know which ones you can turn off safely without affecting applications that are running in production.
This means from the very beginning, you should have a formal process in place for provisioning and deprovisioning these services. This way you know exactly what virtual machines are connected to which application instances. And you’ll be able to deprovision or provision new systems based on the information that you’ve already documented.
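As an added example of the provisioning process the last paragraph calls for (not the video's own code), the script below reconciles the provider's list of running VMs against a register that the provisioning process writes to. It flags VMs nobody registered (sprawl), VMs whose tags disagree with the register, VMs belonging to an application that has been retired (safe to deprovision), and register entries for VMs that no longer exist. The inventory export, register and application statuses are all constructed data; in practice they would come from the provider's API and your change-management system.

```python
"""Reconcile running VMs against a provisioning register to spot sprawl.

Added example, not from the video. The inventory export, register and
application statuses are constructed sample data.
"""
import csv
import io
from typing import Dict, List

# Constructed provider inventory export: every VM currently running.
INVENTORY_CSV = """\
vm_id,name,app_tag,created
vm-001,shop-web-0,shop,2024-01-10
vm-002,shop-web-1,shop,2024-01-10
vm-003,beta-api-0,beta,2024-02-02
vm-004,scratch-test,,2024-03-15
vm-005,shop-db-0,legacy,2024-01-11
"""

# Constructed register written by the provisioning process: VM -> app and change ticket.
REGISTER: Dict[str, Dict[str, str]] = {
    "vm-001": {"app": "shop", "ticket": "CHG-100"},
    "vm-002": {"app": "shop", "ticket": "CHG-100"},
    "vm-003": {"app": "beta", "ticket": "CHG-112"},
    "vm-005": {"app": "shop", "ticket": "CHG-101"},
    "vm-006": {"app": "shop", "ticket": "CHG-103"},   # registered, but no longer running
}

# Constructed application lifecycle status kept in the same register.
APPS: Dict[str, str] = {"shop": "production", "beta": "retired"}


def reconcile(inventory_csv: str, register: Dict[str, Dict[str, str]],
              apps: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare what is running with what the process says should be running."""
    running = {row["vm_id"]: row for row in csv.DictReader(io.StringIO(inventory_csv))}
    report: Dict[str, List[str]] = {
        "unregistered": [],         # running, but never went through provisioning: sprawl
        "tag_mismatch": [],         # running and registered, but tagged for a different app
        "safe_to_deprovision": [],  # registered to an application that has been retired
        "stale_records": [],        # in the register, but the provider no longer has it
    }
    for vm_id, row in running.items():
        rec = register.get(vm_id)
        if rec is None:
            report["unregistered"].append(vm_id)
            continue
        if row["app_tag"] != rec["app"]:
            report["tag_mismatch"].append(vm_id)
        if apps.get(rec["app"]) == "retired":
            report["safe_to_deprovision"].append(vm_id)
    report["stale_records"] = [vm_id for vm_id in register if vm_id not in running]
    return report


if __name__ == "__main__":
    for category, vms in reconcile(INVENTORY_CSV, REGISTER, APPS).items():
        print(f"{category:20} {', '.join(vms) or '-'}")
```

Run on a schedule, the "unregistered" list is the early warning for sprawl: a VM that appears there was clicked into existence outside the process, and nobody will know which application depends on it until someone goes back and documents it.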
If you’ve ever built out a virtual machine, then you know the technology is fascinating. It’s its own self-contained world that looks like its own physical device. And it may seem that it’s not possible for someone inside of that virtual machine to have any perspective of what may be going on outside of that VM. But security professionals know that if you’re able to escape that virtual machine and gain access to what is, effectively, the outside world, then you may have access to data that was never intended.
This means that attackers that escape the VM might have access to data, applications, or other VMs on that system. This would, obviously, be a significant security concern, and that’s why security professionals know to always be looking for anyone who’s trying to perform a VM escape.
An example of a VM escape occurred in 2017 at a security conference where there was a Pwn2Own competition. It’s, effectively, a hacking contest, where if you can control that system and gain access, then you get to take that system home with you.
A user was able to perform a VM escape by going through a number of different steps and combining exploits together. The first exploit was a JavaScript engine bug in Microsoft Edge that allowed for code execution in the sandbox of the Edge browser. From there, they were able to take advantage of a kernel bug inside of Windows 10 and that compromised the guest operating system on that virtual machine.
From there, they were able to take advantage of a hardware simulation bug in the VMware software, and they were able to escape to the host. Obviously, this was a significant security concern and this particular bug was patched very quickly after it was discovered at this Pwn2Own competition.