Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Aptible Update Webinar Series - January 2017

7ee78ba49eaf26113318ac3597887cc5?s=47 Aptible
January 25, 2017

Aptible Update Webinar Series - January 2017

View the recording at: https://youtu.be/jjlpRuY35VM

The Aptible Update Webinar Series is a quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products.

The Aptible Update Webinar Series is a quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products. These webinars feature technical sessions led by Aptible engineers, live demonstrations, customer examples, and Q&A with the Aptible team.

This Aptible Update Webinar covers:

- A preview of Gridiron, our security management and compliance platform
- Improvements to the Enclave deployment process for reliability, predictability and speed
- Enclave database logging
- The Enclave CLI for Windows
- Continual efforts to strengthen Enclave security

7ee78ba49eaf26113318ac3597887cc5?s=128

Aptible

January 25, 2017
Tweet

Transcript

  1. Aptible Update Webinar January 2017

  2. Agenda Gridiron preview Enclave features and updates General Q&A

  3. Gridiron Preview

  4. Who is Gridiron for? Gridiron is designed for cloud-first engineering

    teams that handle regulated or sensitive data and need to actually take security seriously.
  5. What is Gridiron? Gridiron is a suite of tools to

    help software engineers build and maintain industrial-strength security management programs. • Makes the administrative side of protecting data easy • Helps prep for regulatory audits • Helps prep for customer security reviews Gridiron:data security::Quickbooks:accounting
  6. What is Gridiron not?

  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. Pricing • Standalone Gridiron: $1,999/month, paid annually • Beta Program:

    Early access + 50% first-year discount
  16. Interested in a demo or learning more? Shah Kader: shah@aptible.com

  17. Gridiron Q&A

  18. What's new on Enclave?

  19. Guiding principles We want Enclave to be the best place

    to deploy your regulated or sensitive projects. As such, Enclave must provide: • A robust hosting platform for your apps. • Good options to store your data in. • Uncompromising security.
  20. What's new on Enclave? Stronger, more secure deployment platform More

    options and control for databases Broader operating system support in the CLI (Windows)
  21. > Deployment Platform < Database Support Windows CLI

  22. Deployment Platform This quarter we: • Overhauled our deployment engine

    to support systematic rollbacks and faster deployments • Rolled out a new, more secure SSH Portal • Automated orphan container deletion
  23. Deployment Platform Engine Overhaul

  24. Dependency-Oriented Deployments As of Q4 2016, we're coordinating deploys using

    a dependency- oriented approach. This breaks up your deployment in little steps and coordinates them (in parallel) as a chain of dependencies. These are the steps you see in the log output when you deploy!
  25. $ aptible restart --app pocket-hercules Restarting app... INFO -- :

    STARTING: Register service web in API INFO -- : COMPLETED (after 0.0s): Register service web in API INFO -- : STARTING: Schedule service web INFO -- : COMPLETED (after 0.06s): Schedule service web INFO -- : STARTING: Import certificate into IAM for endpoint app-2408.on-aptible.com INFO -- : COMPLETED (after 0.0s): Import certificate into IAM for endpoint app-2408.on-aptible.com INFO -- : STARTING: Ensure ALB exists for endpoint app-2408.on-aptible.com INFO -- : COMPLETED (after 2.16s): Ensure ALB exists for endpoint app-2408.on-aptible.com INFO -- : STARTING: Register service cron in API INFO -- : COMPLETED (after 0.0s): Register service cron in API INFO -- : STARTING: Schedule service cron INFO -- : COMPLETED (after 0.05s): Schedule service cron INFO -- : STARTING: Stop old app containers for service cron INFO -- : STARTING: Create new release for service web INFO -- : COMPLETED (after 0.15s): Create new release for service web INFO -- : STARTING: Create new release for service cron INFO -- : COMPLETED (after 0.17s): Create new release for service cron INFO -- : STARTING: Start app containers for service web INFO -- : WAITING FOR: Start app containers for service web, Stop old app containers for service cron INFO -- : COMPLETED (after 2.06s): Start app containers for service web INFO -- : STARTING: Run HTTP health checks for service web ...
  26. None
  27. None
  28. Why is this useful? • Safer Deployments via Systematic Rollbacks

    • Faster Deployments via Concurrency
  29. Safer Deployments via Systematic Rollbacks With this new engine, rollbacks

    are natively built-in to everything Enclave does. Deploy: [ do A ] => [ do B ] => [ do C ] => [ do D ] Rollback: [undo D] => [undo C] => [undo B] => [undo A] If anything goes wrong at any point, the rollback path is clear.
  30. Safer Deployments via Systematic Rollbacks E.g.0: Deploy: [ do A

    ] => [ do B ] => [ do C ] => [ FAIL D ] Rollback: [undo C] => [undo B] => [undo A] 0 Real Enclave deployments aren't that simple: each step may have multiple dependencies.
  31. Safer Deployments via Systematic Rollbacks As a result: • Enclave

    handles all errors gracefully, including errors we've never seen before. • You can safely cancel your own deployments at any point (that is a new feature for you that shipped in Q4!). • Aptible support can troubleshoot deployment failures much faster.
  32. (Actual Aptible Internal Tooling)

  33. None
  34. None
  35. Faster Deployments via Concurrency This new engine executes deployment steps

    concurrently. [ do A1 ] =\\ [ do A2 ] => => [ do B ] [ do A3 ] =// In some extreme cases (e.g. an app with numerous Endpoints and Log Drains being restarted), we've observed the new Enclave being 5 times faster1! 1 This case was a 10-minute restart turned into a 2-minute restart!
  36. Bottom Line • Your deploys are safer and faster than

    they ever were. • The support you receive is better equipped than it ever was. • You didn't have to do anything2. 2 These improvements are for v2 only. If you're on legacy v1 infrastructure, you'll need to upgrade (contact support if that's not done already). If you're unsure, you're almost certainly on v2 already: v2 is the default for new customers since November 2015.
  37. Deployment Engine Overhaul Q&A

  38. Deployment Platform New SSH Portal

  39. What's The SSH Portal? The Enclave SSH Portal is used

    to support aptible ssh, aptible db:tunnel, and aptible logs. It's a SSH server running on your dedicated stack, so it's evidently a sensitive piece of infrastructure.
  40. What changed? We now require a temporary SSH Key in

    addition to the Aptible Access Token we always required on the SSH Portal. The key is valid for 15 minutes, and tied to a single operation and a single user: # Logs from the SSH Portal: this ID tells us this is Thomas Orozco (me!) connecting for a DB tunnel. Accepted publickey for ... from ... port ... ssh2: RSA-CERT ID SshPortalConnection-a4b45ad8-2f88-4560-8607-28ac8cfa57fb (serial 0) CA RSA SHA256:Z7jFMLP7HNw9i1Yii/LbX2TOinmrfOoAdZv5MpRuXYU
  41. Bottom line This gives you: • Defense in depth on

    your dedicated Enclave infrastructure. • Strong auditing capabilities (via Aptible).
  42. Upgrade your CLI! This new portal requires using a newer

    CLI (v0.8.0+), all you have to do is upgrade. $ aptible version aptible-cli v0.8.4 toolbelt Older CLIs will be deprecated soon to protect you and your dedicated Enclave infrastructure. Download the latest CLI: https://aptible.com/support/toolbelt
  43. Deployment Platform Orphan Container Deletion

  44. Orphan Container Deletion In some edge cases, Enclave is not

    able to stop some existing app containers when re-deploying your app (e.g. because the EC2 instance the container is hosted on temporarily went offline). In this case, Enclave proceeds with your deployment: • It's a good thing because you don't want to block your deployment due to an unresponsive instance. • But it can leave orphan containers behind!
  45. Orphan Container Deletion Orphan containers can: • Waste system resources

    • Break background processes like Sidekiq or Celery (when an orphaned worker container accepts new jobs but runs an old version of your codebase!) Enclave now automatically cleans these up for you.
  46. Deployment Platform Q&A

  47. Deployment Platform > Database Support < Windows CLI

  48. Database Support We're striving to give you more options and

    control over your sensitive data. • Database logs so you can audit what your database is doing. • SSL Support for Redis so you can use it for PHI. • RabbitMQ management interface for control over your tasks.
  49. Database Support Database Logs

  50. Database Logs Aptible now collects database logs in Log Drains,

    just like for apps. • Create a new Log Drain to set this up if you haven't already! • Use aptible logs --database $HANDLE to review recent and live logs3. 3 Here again, you will need to upgrade your CLI to v0.8.0+!
  51. Configure your database for logging • Most databases don't log

    all queries by default. If that's what you need, refer to your database documentation, or reach out to Aptible support, we're happy to help! • For MySQL specifically, only databases launched after January 19, 2017 may log queries to a Log Drain4. 4 If you have an older MySQL database and would like access to these logs, just let us know and we'll reload this database for you off-hours. The database will be unavailable for approximately 30 seconds.
  52. Database Logs Q&A

  53. Database Support Redis + SSL

  54. SSL is available for all new Redis databases New Redis

    databases deployed on Aptible now support SSL5. This lets you store PHI in Redis. 5 In addition to the plaintext Redis protocol.
  55. The SSL credentials are found in your Aptible Dashboard6 6

    Redis instances launched before January 19, 2017 don't have SSL. If you don't see a SSL credential, that's why. You can request enabling this via support (just like for MySQL logs).
  56. Most Redis clients support SSL out of the box SSL

    is not a standard feature of Redis itself, but most Redis clients do support it out of the box. The Redis SSL connection URL Enclave provides uses the rediss:// protocol (with two s), which most clients recognize as SSL. If needed, consult your client documentation.
  57. CLI Support (v0.8.4+) When tunnelling to your Redis database, use

    the --type flag to connect over the SSL endpoint: bash-3.2$ aptible db:tunnel big-redis --type redis+ssl Creating redis+ssl tunnel to big-redis... Connect at rediss://:REDACTED@localhost.aptible.in:51513 Or, use the following arguments: * Host: localhost.aptible.in * Port: 51513 * Password: REDACTED Connected. Ctrl-C to close connection. This only affects traffic from the SSH Portal to your Redis instance: traffic from your workstation to the SSH Portal is of course always encrypted.
  58. Database Support RabbitMQ Management Interface

  59. Database Support We now expose the RabbitMQ Management Interface7. This

    lets you manage your RabbitMQ instance via rabbitmqadmin or the web UI: $ ./rabbitmqadmin \ --user=aptible --password="$PASSWORD" --host="$HOST" --port="$PORT" \ --ssl --ssl-ca-cert-file=/etc/ssl/certs/ca-certificates.crt list vhosts +------+----------+ | name | messages | +------+----------+ | / | | | db | | +------+----------+ 7 Here again, RabbitMQ instances launched before January 19, 2017 need to be reloaded. If you can't find your RabbitMQ management credentials, contact support and we'll reload your RabbitMQ instance for you.
  60. Access the RabbitMQ management interface via a tunnel aptible db:tunnel

    $HANDLE --type management
  61. Database Support Q&A

  62. Deployment Platform Database Support > Windows CLI <

  63. The Aptible CLI is now available on Windows Download it

    if you're using Windows and haven't done so yet! https://aptible.com/support/toolbelt • Desktop: Windows 8.1 64 bits and greater • Server: Windows 2012r2 64 bits and greater
  64. All mainstream operating systems now supported via the Toolbelt8 OSX,

    Windows, Ubuntu, Debian, Red Hat CentOS 8 The Aptible Toolbelt is a package containing the Aptible CLI. It bundles all of the CLI's system dependencies to make installation a breeze.
  65. Enclave Q&A

  66. Thank you! Aptible Update Webinar January 2017