Aptible Update Webinar Series - January 2017

Transcript

1. Aptible Update Webinar January 2017

2. Agenda Gridiron preview Enclave features and updates General Q&A

3. Gridiron Preview

4. Who is Gridiron for? Gridiron is designed for cloud-first engineering

   teams that handle regulated or sensitive data and need to actually take security seriously.

5. What is Gridiron? Gridiron is a suite of tools to

   help software engineers build and maintain industrial-strength security management programs. • Makes the administrative side of protecting data easy • Helps prep for regulatory audits • Helps prep for customer security reviews Gridiron:data security::Quickbooks:accounting

6. What is Gridiron not?

7. None
8. None
9. None
10. None
11. None
12. None
13. None
14. None

15. Pricing • Standalone Gridiron: $1,999/month, paid annually • Beta Program:

    Early access + 50% first-year discount

16. Interested in a demo or learning more? Shah Kader: [email protected]

17. Gridiron Q&A

18. What's new on Enclave?

19. Guiding principles We want Enclave to be the best place

    to deploy your regulated or sensitive projects. As such, Enclave must provide: • A robust hosting platform for your apps. • Good options to store your data in. • Uncompromising security.

20. What's new on Enclave? Stronger, more secure deployment platform More

    options and control for databases Broader operating system support in the CLI (Windows)

21. > Deployment Platform < Database Support Windows CLI

22. Deployment Platform This quarter we: • Overhauled our deployment engine

    to support systematic rollbacks and faster deployments • Rolled out a new, more secure SSH Portal • Automated orphan container deletion

23. Deployment Platform Engine Overhaul

24. Dependency-Oriented Deployments As of Q4 2016, we're coordinating deploys using

    a dependency- oriented approach. This breaks up your deployment in little steps and coordinates them (in parallel) as a chain of dependencies. These are the steps you see in the log output when you deploy!

25. $ aptible restart --app pocket-hercules Restarting app... INFO -- :

    STARTING: Register service web in API INFO -- : COMPLETED (after 0.0s): Register service web in API INFO -- : STARTING: Schedule service web INFO -- : COMPLETED (after 0.06s): Schedule service web INFO -- : STARTING: Import certificate into IAM for endpoint app-2408.on-aptible.com INFO -- : COMPLETED (after 0.0s): Import certificate into IAM for endpoint app-2408.on-aptible.com INFO -- : STARTING: Ensure ALB exists for endpoint app-2408.on-aptible.com INFO -- : COMPLETED (after 2.16s): Ensure ALB exists for endpoint app-2408.on-aptible.com INFO -- : STARTING: Register service cron in API INFO -- : COMPLETED (after 0.0s): Register service cron in API INFO -- : STARTING: Schedule service cron INFO -- : COMPLETED (after 0.05s): Schedule service cron INFO -- : STARTING: Stop old app containers for service cron INFO -- : STARTING: Create new release for service web INFO -- : COMPLETED (after 0.15s): Create new release for service web INFO -- : STARTING: Create new release for service cron INFO -- : COMPLETED (after 0.17s): Create new release for service cron INFO -- : STARTING: Start app containers for service web INFO -- : WAITING FOR: Start app containers for service web, Stop old app containers for service cron INFO -- : COMPLETED (after 2.06s): Start app containers for service web INFO -- : STARTING: Run HTTP health checks for service web ...
26. None
27. None

28. Why is this useful? • Safer Deployments via Systematic Rollbacks

    • Faster Deployments via Concurrency

29. Safer Deployments via Systematic Rollbacks With this new engine, rollbacks

    are natively built-in to everything Enclave does. Deploy: [ do A ] => [ do B ] => [ do C ] => [ do D ] Rollback: [undo D] => [undo C] => [undo B] => [undo A] If anything goes wrong at any point, the rollback path is clear.

30. Safer Deployments via Systematic Rollbacks E.g.0: Deploy: [ do A

    ] => [ do B ] => [ do C ] => [ FAIL D ] Rollback: [undo C] => [undo B] => [undo A] 0 Real Enclave deployments aren't that simple: each step may have multiple dependencies.

31. Safer Deployments via Systematic Rollbacks As a result: • Enclave

    handles all errors gracefully, including errors we've never seen before. • You can safely cancel your own deployments at any point (that is a new feature for you that shipped in Q4!). • Aptible support can troubleshoot deployment failures much faster.

32. (Actual Aptible Internal Tooling)

33. None
34. None

35. Faster Deployments via Concurrency This new engine executes deployment steps

    concurrently. [ do A1 ] =\\ [ do A2 ] => => [ do B ] [ do A3 ] =// In some extreme cases (e.g. an app with numerous Endpoints and Log Drains being restarted), we've observed the new Enclave being 5 times faster1! 1 This case was a 10-minute restart turned into a 2-minute restart!

36. Bottom Line • Your deploys are safer and faster than

    they ever were. • The support you receive is better equipped than it ever was. • You didn't have to do anything2. 2 These improvements are for v2 only. If you're on legacy v1 infrastructure, you'll need to upgrade (contact support if that's not done already). If you're unsure, you're almost certainly on v2 already: v2 is the default for new customers since November 2015.

37. Deployment Engine Overhaul Q&A

38. Deployment Platform New SSH Portal

39. What's The SSH Portal? The Enclave SSH Portal is used

    to support aptible ssh, aptible db:tunnel, and aptible logs. It's a SSH server running on your dedicated stack, so it's evidently a sensitive piece of infrastructure.

40. What changed? We now require a temporary SSH Key in

    addition to the Aptible Access Token we always required on the SSH Portal. The key is valid for 15 minutes, and tied to a single operation and a single user: # Logs from the SSH Portal: this ID tells us this is Thomas Orozco (me!) connecting for a DB tunnel. Accepted publickey for ... from ... port ... ssh2: RSA-CERT ID SshPortalConnection-a4b45ad8-2f88-4560-8607-28ac8cfa57fb (serial 0) CA RSA SHA256:Z7jFMLP7HNw9i1Yii/LbX2TOinmrfOoAdZv5MpRuXYU

41. Bottom line This gives you: • Defense in depth on

    your dedicated Enclave infrastructure. • Strong auditing capabilities (via Aptible).

42. Upgrade your CLI! This new portal requires using a newer

    CLI (v0.8.0+), all you have to do is upgrade. $ aptible version aptible-cli v0.8.4 toolbelt Older CLIs will be deprecated soon to protect you and your dedicated Enclave infrastructure. Download the latest CLI: https://aptible.com/support/toolbelt

43. Deployment Platform Orphan Container Deletion

44. Orphan Container Deletion In some edge cases, Enclave is not

    able to stop some existing app containers when re-deploying your app (e.g. because the EC2 instance the container is hosted on temporarily went offline). In this case, Enclave proceeds with your deployment: • It's a good thing because you don't want to block your deployment due to an unresponsive instance. • But it can leave orphan containers behind!

45. Orphan Container Deletion Orphan containers can: • Waste system resources

    • Break background processes like Sidekiq or Celery (when an orphaned worker container accepts new jobs but runs an old version of your codebase!) Enclave now automatically cleans these up for you.

46. Deployment Platform Q&A

47. Deployment Platform > Database Support < Windows CLI

48. Database Support We're striving to give you more options and

    control over your sensitive data. • Database logs so you can audit what your database is doing. • SSL Support for Redis so you can use it for PHI. • RabbitMQ management interface for control over your tasks.

49. Database Support Database Logs

50. Database Logs Aptible now collects database logs in Log Drains,

    just like for apps. • Create a new Log Drain to set this up if you haven't already! • Use aptible logs --database $HANDLE to review recent and live logs3. 3 Here again, you will need to upgrade your CLI to v0.8.0+!

51. Configure your database for logging • Most databases don't log

    all queries by default. If that's what you need, refer to your database documentation, or reach out to Aptible support, we're happy to help! • For MySQL specifically, only databases launched after January 19, 2017 may log queries to a Log Drain4. 4 If you have an older MySQL database and would like access to these logs, just let us know and we'll reload this database for you off-hours. The database will be unavailable for approximately 30 seconds.

52. Database Logs Q&A

53. Database Support Redis + SSL

54. SSL is available for all new Redis databases New Redis

    databases deployed on Aptible now support SSL5. This lets you store PHI in Redis. 5 In addition to the plaintext Redis protocol.

55. The SSL credentials are found in your Aptible Dashboard6 6

    Redis instances launched before January 19, 2017 don't have SSL. If you don't see a SSL credential, that's why. You can request enabling this via support (just like for MySQL logs).

56. Most Redis clients support SSL out of the box SSL

    is not a standard feature of Redis itself, but most Redis clients do support it out of the box. The Redis SSL connection URL Enclave provides uses the rediss:// protocol (with two s), which most clients recognize as SSL. If needed, consult your client documentation.

57. CLI Support (v0.8.4+) When tunnelling to your Redis database, use

    the --type flag to connect over the SSL endpoint: bash-3.2$ aptible db:tunnel big-redis --type redis+ssl Creating redis+ssl tunnel to big-redis... Connect at rediss://:[email protected]:51513 Or, use the following arguments: * Host: localhost.aptible.in * Port: 51513 * Password: REDACTED Connected. Ctrl-C to close connection. This only affects traffic from the SSH Portal to your Redis instance: traffic from your workstation to the SSH Portal is of course always encrypted.

58. Database Support RabbitMQ Management Interface

59. Database Support We now expose the RabbitMQ Management Interface7. This

    lets you manage your RabbitMQ instance via rabbitmqadmin or the web UI: $ ./rabbitmqadmin \ --user=aptible --password="$PASSWORD" --host="$HOST" --port="$PORT" \ --ssl --ssl-ca-cert-file=/etc/ssl/certs/ca-certificates.crt list vhosts +------+----------+ | name | messages | +------+----------+ | / | | | db | | +------+----------+ 7 Here again, RabbitMQ instances launched before January 19, 2017 need to be reloaded. If you can't find your RabbitMQ management credentials, contact support and we'll reload your RabbitMQ instance for you.

60. Access the RabbitMQ management interface via a tunnel aptible db:tunnel

    $HANDLE --type management

61. Database Support Q&A

62. Deployment Platform Database Support > Windows CLI <

63. The Aptible CLI is now available on Windows Download it

    if you're using Windows and haven't done so yet! https://aptible.com/support/toolbelt • Desktop: Windows 8.1 64 bits and greater • Server: Windows 2012r2 64 bits and greater

64. All mainstream operating systems now supported via the Toolbelt8 OSX,

    Windows, Ubuntu, Debian, Red Hat CentOS 8 The Aptible Toolbelt is a package containing the Aptible CLI. It bundles all of the CLI's system dependencies to make installation a breeze.

65. Enclave Q&A

66. Thank you! Aptible Update Webinar January 2017