Auto Scaling Web Application Security in the Cloud
Misha Govshteyn, Founder & Chief Strategy Officer of Alert Logic, covers high scale web app architecture components, auto scaling principles, common tools and approaches, security infrastructure implications, and architecting security infrastructure for auto scaling. Includes Q&A and PaaS considerations. Presented at AppSec USA 2014 in Denver, Colorado.
- Uploaded on | 2 Views
- danielylitalo
About Auto Scaling Web Application Security in the Cloud
PowerPoint presentation about 'Auto Scaling Web Application Security in the Cloud'. This presentation describes the topic on Misha Govshteyn, Founder & Chief Strategy Officer of Alert Logic, covers high scale web app architecture components, auto scaling principles, common tools and approaches, security infrastructure implications, and architecting security infrastructure for auto scaling. Includes Q&A and PaaS considerations. Presented at AppSec USA 2014 in Denver, Colorado.. The key topics included in this slideshow are . Download this presentation absolutely free.
Presentation Transcript
Slide1AppSec USA 2014 AppSec USA 2014 Denver, Colorado Denver, Colorado Auto Scaling Web Application Security in the Cloud Misha Govshteyn Alert Logic
Slide2Misha GovshteynFounder & Chief Strategy Officer Introduction
Slide3Topics We’ll Cover• High-scale web app architecture components • Auto scaling principles • Common tools and approaches • Implications on security infrastructure • Architecting security infrastructure for auto scaling • Q&A – What about PaaS?
Slide4•Majority of applications in cloud environments are now using high-scale architecture • Most operational functions are automated – Deployments are bootstrapped from Chef, Puppet, CloudFormation, Ansible – Scaling is driven programmatically • Security is largely left behind Cloud Architecture is Evolving
Slide5Security vs DevOpsrole based organizations role based infrastructure management UIs APIs command line prompts orchestration templates deployment docs & run books recipes & containers appliances & software services change management windows continuous deployment scale up scale out deployment projects auto-scaling
Slide6•Amazon ELB with Auto Scaling groups • Health monitoring – CloudWatch • Bootstrapping/configuration automation – AWS CloudFormation – Chef/Puppet/Cfengine Basic Auto Scaling Tools Orchestrator on Google App Engine Auto Scale on Rackspace Cloud
Slide7•Manage unhealthy EC2 compute instances • Ensure minimum number instances are always running • Launched new instances in event of failure or performance degradation (assume 30-120 seconds in most conditions) • Seamlessly attach auto scaled compute instances to load balancer (ELB) Basic Auto Scaling Capabilities
Slide8•AWS ELB provides load balancing service with thousands of EC2 servers behind them • AWS ELB will automatically Scale up /down the load balancing servers in backend • The theoretical maximum response rate of AWS ELB is limitless • It can handle 20,000+ concurrent requests easily Elastic Load Balancer
Slide9Configuring Auto Scaling in AWSLaunch Configuration Parameters for launching instances Auto Scaling Groups Post-launch parameters Auto Scaling Policy Scaling triggers Scaling Event Act of scaling itself
Slide10Configuring Auto Scaling in AWSLaunch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling Event Act of scaling itself • AMI ID • Instance size • Block devices • Key pairs • Security groups
Slide11Configuring Auto Scaling in AWSLaunch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters - AZ, ELB, min & max servers to run Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling Event Act of scaling itself • Minimum & maximum number of EC instances to run • Cooldown parameters • AZ & VPC ids where these instances will run
Slide12Configuring Auto Scaling in AWSLaunch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling Event Act of scaling itself • Initiate scaling activity • Use CloudWatch metrics as triggers – EC2: CPU, dish, memory, network – ELB: healthy instances, HTTP code, latency, request count – RDS: CPU, database connections, memory, latency
Slide13Configuring Auto Scaling in AWSLaunch Configuration Set of parameters used to launch EC2 instances – AMI, instance size, security groups Auto Scaling Groups Defines the post-launch parameters Auto Scaling Policy Rules for scaling or terminating autoscaled instances Scaling Event Act of scaling itself • Act of scaling up/down • Notification of scaling activity
Slide14as-create-auto-scaling-group my-appsec-asg--launch-configuration my-test-config --availability-zones us-east-1b --min-size 1 --max-size 40 --default-cooldown 420 --desired- capacity 1 --load-balancers my-waf-elb1 Creating an Auto Scaling Group group name launch config min/max instances temporarily suspends time between scaling activities while new instances warm up
Slide15Create Auto Scaling Policy• Use AWS CloudFormation templates to set defaults • Allow admins to tune for specific requirements
Slide16Auto Scaling In Action
Slide171.DESIGN FOR FAILURE 2. MULTIPLE AVAILABILITY ZONES 3. SCALING 4. SELF-HEALING 5. LOOSE COUPLING Designing for Scale
Slide18Architecture Principles• Designed for failure – Horizontally scaled – Fast bootstrap – Health/load conditions as scaling triggers • Loosely coupled – Independent components – As stateless as possible – Minimal interactions web tier is easiest to scale web tier is easiest to scale if you make right design decisions if you make right design decisions …security infrastructure is another matter …security infrastructure is another matter
Slide19•Simple auto-scaling stack – 2 layers of Elastic Load Balancers (ELB) – WAF Proxies – Web server tier • Problems – Extremely slow bootstrap – Tightly coupled Auto Scaling Web App Firewalls? ELB WAF WAF ELB HTTP HTTP HTTP HTTP
Slide20Make your securityapplication stack stateless – Every component is a black box – Decouple interactions between management and data processing planes – Use cloud infrastructure to make interactions asynchronous Abstracting Application Security Components ELB WAF WAF ELB HTTP HTTP HTTP HTTP WAF Master ELB S3/EBS
Slide21ASG Group 1 -Master Controller • Min-size 1 • Max-size 1 • ELB health checks to ensure an instance is up • Will recreate itself from configuration data in S3 ASG Group 2 - Processing Workers • Min-size 2 • Max-size (depends) • Use Auto Scaling policy to scale on-demand 1. Separate Processing & Control Planes
Slide22•Store instance configuration data in S3 – Master instance stores data in Amazon S3 – Worker instances retrieve configuration as they spin up – Simple way to make resource instantiation asynchronous 2. Reduce and Abstract Interactions
Slide233. Store Persistent Data on EBSAmazon EBS Log Volume • Store all log and statistics data for master instance • Persist data in case of master instance termination • If master has to be restarted, persisted data remains intact – nothing stops working – nothing stops working
Slide24Web Traffic Flow• Browser clients connect to worker Amazon ELB • Traffic is load balanced to WAF workers • WAF workers proxy traffic Amazon ELB that scales web server instances
Slide25Complete Stack – Prior to AutomationAmazon Web Services Amazon ELB Master Group Amazon ELB Worker Group Amazon S3 Buckets NAT Instances WAF Master Instance Amazon EBS Log Volumes WAF Worker Instances
Slide26Using CloudFormation Templates1 1 2 2 3 3
Slide27Command Line Example$ cfn-create-stack test-backend --template-file wsm-test-backend-only.cloudformation.template --parameters "sshKeyName=wsm-dev" arn:aws:cloudformation:us-east-1:355864928133:stack/test-backend/26028db0-0352-11e3-895a-500162a66ca8 Use cfn-create-stack to start creation. $ watch cfn-describe-stack-events test-backend Every 2.0s: cfn-describe-stack-events test-backend Mon Aug 12 08:23:44 2013 STACK_EVENT test-backend test-backend AWS::CloudFormation::Stack 2013-08-12T13:24:20.321Z CREATE_COMPLETE STACK_EVENT test-backend eipNAT2 AWS::EC2::EIP 2013-08-12T13:24:17.802Z CREATE_COMPLETE STACK_EVENT test-backend eipNAT1 AWS::EC2::EIP 2013-08-12T13:24:17.769Z CREATE_COMPLETE STACK_EVENT test-backend routeNAT2 AWS::EC2::Route 2013-08-12T13:24:01.615Z CREATE_COMPLETE STACK_EVENT test-backend routeNAT1 AWS::EC2::Route 2013-08-12T13:24:01.144Z CREATE_COMPLETE You can use cfn-describe-stack-events along with watch to view the stack creation. Once complete, cfn-describe-stacks will return the cloud formation stack outputs. $ cfn-describe-stacks test-backend STACK test-backend CREATE_COMPLETE Cloud Formation for Auto Scaling Alert Logic Web Security Manager vpc=vpc-591b9337;elbBackend=test-back- elbBacke-17N275T20CGQ9-1608750954.us-east-1.elb.amazonaws.com;routeTableNAT1=rtb-e71b9389;routeTableNAT2=rtb- e61b9388;paramsForWSM=vpc=vpc-591b9337;elbBackend=test-back-elbBacke-17N275T20CGQ9-1608750954.us-east- 1.elb.amazonaws.com;routeTableNAT1=rtb-e71b9389;routeTableNAT2=rtb-e71b9389;subnetPublic1=subnet-fd1b9393;subnetPublic2=subnet-e21b938c 2013-08-12T13:21:51.116Z
Slide28Base WAF Stack Ready
Slide2910gbps Environment Test
Slide30Questions?misha@alertlogic.com Thank you