Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

IT’S DANGEROUS TO GO ALONE! TAKE THIS.

Slide 4

Slide 4 text

PHILOSOPHY
Keep things as simple as possible while maintaining:
- Performance
- Observability
- Stability
- Security

Slide 5

Slide 5 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 6

Slide 6 text

HOSTING

Slide 7

Slide 7 text

PLATFORM AS A SERVICE (PAAS)
- Heroku
- PythonAnywhere
- Platform.sh
- Google App Engine
- Google Cloud Run

Slide 8

Slide 8 text

PLATFORM AS A SERVICE (PAAS)
Pros: Managed, Monitored, Secured, Supported, Backing services may be included
Cons: Performance, Less flexibility, Cost*

Slide 9

Slide 9 text

FUNCTIONS AS A SERVICE (FAAS OR SERVERLESS)
- AWS Lambda (with Zappa)
- Google Cloud Functions
- Azure Functions
- ZEIT

Slide 10

Slide 10 text

FUNCTIONS AS A SERVICE (FAAS OR SERVERLESS)
Pros: Managed, Monitored, Secured, Less expensive*
Cons: New = rough edges, Performance and cold starts, Management commands

Slide 11

Slide 11 text

KUBERNETES (MANAGED)
- Google Kubernetes Engine (GKE)
- DigitalOcean Kubernetes
- Amazon Elastic Kubernetes Service (EKS)
- Azure Kubernetes Service (AKS)

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

KUBERNETES (MANAGED)
Pros: Managed, Monitored, Secured
Cons: Requires k8s knowledge, Probably overkill

Slide 14

Slide 14 text

UNMANAGED/SELF-HOST
Pros: Flexible, Cost*
Cons: Security, Monitoring, Management, Documentation/training, TLS Certificates

Slide 15

Slide 15 text

HOSTING (CONT)
BACKING SERVICES AND APPLICATION STATE

Slide 16

Slide 16 text

USE MANAGED SERVICES

Slide 17

Slide 17 text

MANAGED SERVICES
- Database (Amazon RDS, Cloud SQL, Heroku Postgres, etc.)
- Object Storage (Amazon S3, Google Cloud Storage, etc.)
- SMTP (Amazon SES, Sendgrid, Mailgun, etc.)
- Elasticsearch
- Redis

Slide 18

Slide 18 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 19

Slide 19 text

CONFIGURATION

Slide 20

Slide 20 text

12 FACTOR
- Deployment
- Application
- Config

Slide 21

Slide 21 text

CONFIGURATION
- Environment Variables
- Configuration File
- Django settings (prod.py, staging.py, etc.)

Slide 22

Slide 22 text

CONFIGURATION
- Environment Variables
- Configuration File
- Django settings (prod.py, staging.py, etc.)

Slide 23

Slide 23 text

SECRETS
API KEYS, SECRET_KEY, SERVICE CREDENTIALS, ETC.
Never in your code repository (unencrypted)

Slide 24

Slide 24 text

CONFIGURATION
- PaaS Configuration
- Amazon SSM and Chamber
- Kubernetes Secrets
- Encrypted in configuration management
- Hashicorp Vault

Slide 25

Slide 25 text

GOODCONF

Slide 26

Slide 26 text

GOODCONF
- Configuration via file or environment variables
- Type casting for environment variables
- Auto-generate documentation
- Auto-generate commented sample configs
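The configuration and secrets slides above describe reading settings from environment variables with type casting and keeping secrets out of the repository. The loader below is an added example written for this page (standard library only, not goodconf's API or the talk's own code) that applies those rules and fails closed on a weak SECRET_KEY or on DEBUG=True in production; the ENVIRONMENT variable naming the deploy target is an assumption.

```python
import os


class ConfigError(ValueError):
    """The environment does not describe a complete, safe configuration."""


def as_bool(raw: str) -> bool:
    """Type-cast an environment string; anything outside the known spellings is an error."""
    value = raw.strip().lower()
    if value in ("1", "true", "yes", "on"):
        return True
    if value in ("0", "false", "no", "off", ""):
        return False
    raise ConfigError(f"not a boolean: {raw!r}")


def load_settings(environ=None) -> dict:
    """Derive the security-relevant Django settings from environment variables.

    Secrets come from the environment only (never a file in the repository), a weak
    or missing SECRET_KEY is an error rather than a silent default, and DEBUG=True
    is refused when ENVIRONMENT names production.
    """
    env = os.environ if environ is None else environ
    secret_key = env.get("SECRET_KEY", "")
    # Same bar Django's `check --deploy` applies: 50+ characters, 5+ distinct ones.
    if len(secret_key) < 50 or len(set(secret_key)) < 5:
        raise ConfigError("SECRET_KEY must be set in the environment and be strong")
    # ENVIRONMENT is a hypothetical variable naming the deploy target (assumption).
    environment = env.get("ENVIRONMENT", "production")
    debug = as_bool(env.get("DEBUG", "false"))
    if environment == "production" and debug:
        raise ConfigError("DEBUG must be False in production")
    allowed_hosts = [h for h in env.get("ALLOWED_HOSTS", "").split(",") if h]
    if not debug and not allowed_hosts:
        raise ConfigError("ALLOWED_HOSTS must be set when DEBUG is False")
    return {
        "SECRET_KEY": secret_key,
        "DEBUG": debug,
        "ALLOWED_HOSTS": allowed_hosts,
        "DATABASE_URL": env.get("DATABASE_URL", "postgres://localhost/app"),
        "CONN_MAX_AGE": int(env.get("CONN_MAX_AGE", "60")),
        # Cookie/TLS settings that `check --deploy` warns about when left off.
        "SECURE_SSL_REDIRECT": not debug,
        "SESSION_COOKIE_SECURE": not debug,
        "CSRF_COOKIE_SECURE": not debug,
        "SECURE_HSTS_SECONDS": 0 if debug else int(env.get("SECURE_HSTS_SECONDS", "31536000")),
    }
```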

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 30

Slide 30 text

WEB SERVER

Slide 31

Slide 31 text

WEB SERVER

Slide 32

Slide 32 text

GUNICORN

Slide 33

Slide 33 text

UWSGI

Slide 34

Slide 34 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 35

Slide 35 text

SERVING ASSETS

Slide 36

Slide 36 text

WHITENOISE
pip install whitenoise

Slide 37

Slide 37 text

UWSGI

Slide 38

Slide 38 text

NODE.JS
- Source files in version control
- Webpack/Parcel to generate static files during build
- Add build destination to STATICFILES_DIRS
- django-webpack-loader if bundle-splitting

Slide 39

Slide 39 text

MEDIA
- Use django-storages with your preferred backend (Amazon, Google, Azure, etc.)
- Be careful of public vs. private:
  - AWS_DEFAULT_ACL
  - AWS_QUERYSTRING_AUTH
  - AWS_QUERYSTRING_EXPIRE
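The public-vs-private point above comes down to this: with AWS_DEFAULT_ACL left at its default (no public ACL) the objects themselves stay private, and AWS_QUERYSTRING_AUTH=True with AWS_QUERYSTRING_EXPIRE hands out links that carry a time-limited signature instead. The code below is an added illustration of that mechanism written for this page, not django-storages or S3's own presigning (which uses AWS SigV4 and the bucket credentials): an HMAC over path and expiry, verified in constant time, with a constructed signing secret and media host.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing secret for the example; a real deployment keeps this, like
# the cloud provider's credentials, out of the repository (see the SECRETS slide).
SIGNING_SECRET = b"example-signing-secret-not-for-production"
MEDIA_HOST = "https://media.example.com"  # constructed


def _signature(path: str, expires: int) -> str:
    # Bind the signature to both the object path and the expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_SECRET, msg, hashlib.sha256).hexdigest()


def signed_media_url(path: str, expire_seconds: int = 3600, now=None) -> str:
    """Return a URL for a private object that stops working after expire_seconds.

    expire_seconds plays the role of AWS_QUERYSTRING_EXPIRE; the object itself is
    never made public, the link is the only grant and it lapses on its own.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + expire_seconds
    query = urlencode({"Expires": expires, "Signature": _signature(path, expires)})
    return f"{MEDIA_HOST}{path}?{query}"


def verify_media_url(url: str, now=None) -> bool:
    """Accept the URL only if it was signed for this path and has not expired."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["Expires"][0])
        signature = params["Signature"][0]
    except (KeyError, ValueError):
        return False  # unsigned or malformed link: treat as no grant at all
    if now > expires:
        return False
    # Constant-time comparison so a wrong guess does not leak matching prefixes.
    return hmac.compare_digest(signature, _signature(parts.path, expires))
```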

Slide 40

Slide 40 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 41

Slide 41 text

GO LIVE!

Slide 42

Slide 42 text

PERFORMANCE

Slide 43

Slide 43 text

USE AN APM
- Third-party: NewRelic, Scout, Datadog
- Provider: AWS X-Ray, Google Stackdriver Trace
- Self-hosted: Elastic

Slide 44

Slide 44 text

DATABASE
Don't be surprised if your laptop performs better:
- Network latency
- Size of dataset

Slide 45

Slide 45 text

DATABASE
- Use Postgres (unless you have a good reason not to)
- CONN_MAX_AGE
- Reduce queries: select_related, prefetch_related
- Indexes: db_index, index_together

Slide 46

Slide 46 text

TEMPLATE FRAGMENT CACHING

Slide 47

Slide 47 text

TEMPLATE FRAGMENT CACHING
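Template fragment caching, as an added example for this page rather than a slide from the deck: Django's cache tag takes a timeout, a fragment name and optional extra key variables. A fragment that renders per-user data must include something user-specific in the key, otherwise the first user's rendered fragment is served to everyone else for the lifetime of the cache entry (the template names below are constructed).

```django
{% load cache %}

{# Shared by every visitor: keying on the fragment name alone is safe. #}
{% cache 600 site_footer %}
  {% include "partials/footer.html" %}
{% endcache %}

{# Contains the signed-in user's data: add request.user.pk to the key so one
   user's cached account details are never rendered for another user. #}
{% cache 300 account_sidebar request.user.pk %}
  {% include "partials/account_sidebar.html" %}
{% endcache %}
```

The second form needs the request context processor enabled so request.user is available in the template.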

Slide 48

Slide 48 text

CDN

Slide 49

Slide 49 text

CDN
- Third Party: Cloudflare, Fastly
- Provider: Amazon Cloudfront, Google Cloud CDN

Slide 50

Slide 50 text

CDN
- Cache static files forever (far-future expires)
- Cache Django responses if possible

Slide 51

Slide 51 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 52

Slide 52 text

SECURITY

Slide 53

Slide 53 text

CODE
- Monitor dependencies for vulnerabilities (GitHub Security Alerts)
- Use a lockfile (pipenv, poetry, pip-compile)
- Consider an external audit

Slide 54

Slide 54 text

ENVIRONMENT
- DEBUG = False ... ALWAYS!
- manage.py check --deploy
- https://observatory.mozilla.org

Slide 55

Slide 55 text

AUTHENTICATION (ESPECIALLY THE ADMIN)
- MFA: django-two-factor-auth
- External provider (G Suite, AWS Cognito, etc.)
- Rate limiting (Cloudflare, Nginx, AWS WAF, Django)
- Firewall/VPN

Slide 56

Slide 56 text

ADDITIONAL ATTACK VECTORS
- SSH
- Platform web console (use MFA!)
- Domain registrar
- Email
- Backing services
- APIs

Slide 57

Slide 57 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 58

Slide 58 text

OBSERVABILITY

Slide 59

Slide 59 text

ERROR REPORTING
- Emails don't scale
- Use Sentry or Rollbar

Slide 60

Slide 60 text

LOGGING
- Third-party: Datadog, LogDNA, Splunk, Sumo Logic
- Provider: AWS Cloudwatch, Google Stackdriver
- Self-hosted: ELK, Graylog

Slide 61

Slide 61 text

MONITORING & ALERTING
- Third-party:
  - Internal: Datadog
  - External: Pingdom, StatusCake, Datadog
  - Alerts: PagerDuty, OpsGenie, Slack
- Provider: Cloudwatch, Stackdriver
- Self-hosted: Prometheus, Grafana

Slide 62

Slide 62 text

OVERVIEW
- Hosting
- Configuration
- Web Server
- Assets (static and media)
Additional Considerations:
- Performance
- Security
- Observability

Slide 63

Slide 63 text

IT’S DANGEROUS TO GO ALONE! TAKE THIS.
GAME OVER

Slide 64

Slide 64 text

PETER BAUMGARTNER
[email protected]
SAVE
SLIDE DESIGN BY YUPGUP