My Favorite Cloud Update for July

All three cloud platforms, AWS, Google Cloud and Azure, release features all the time. However, Google Cloud took a major leap by giving developers a great tool through its integration with IntelliJ. Google did a great job covering how it works in their Platform blog, which is worth reading.

I have used Eclipse since it was released; prior to that I would use Emacs. However, for my master's program over the last 3 years, I have been using IntelliJ. It's become my go-to platform for coding work because IntelliJ is easy to use, and my various class groups typically use it. IntelliJ makes it free for students, which is a great way to develop a user base given its price tag.

Providing an easy-to-use tool that already has an existing user base was a smart move by Google Cloud, especially as it continues to close the gap with AWS.

Finally, I'm not a big fan of Cloud9 on AWS. What do you think? Are you an IntelliJ or Cloud9 user?

Provide 10Gbps and 40 Gbps Ports But Less Throughput

A longtime issue with networking vendors is providing ports at one speed and throughput at another. I remember dealing with it back in 2005 with the first generation of Cisco ASAs, which primarily replaced the PIX Firewall. Those firewalls provided 1Gbps ports, but the throughput the ASA could handle was about half that bandwidth.

Some marketing genius created the terms wire speed and throughput.

If you're curious about this, go look at the Cisco Firepower NGFW firewalls. The 4100 series have 40Gbps interfaces, but depending on the model, throughput is between 10Gbps and 24Gbps with FW+AVC+IPS turned on.

I have referenced several Cisco devices, but it's not an issue specific to Cisco. Take a look at Palo Alto Networks firewalls, specifically the PA-52XX, which have four 40Gbps ports but can support between 9Gbps and 30Gbps of throughput with full threat protection on.

The technology exists, so why aren't networking vendors able to provide wire-speed throughput between ports, even with full inspection of traffic turned on? I would very much like to know your thoughts on this topic; please leave a comment.

HTTP Get or Post DDoS attacks

DDoS attacks are too frequent on the internet. A DDoS attack sends more requests than can be processed. Many times, the requester's machine has been compromised to become part of a larger DDoS network. This article is not going to explain all the various types, as there is a whole list of them here. Let's discuss a particular type of DDoS attack designed to overwhelm your web server. This traffic will appear as legitimate requests using GET or POST. A GET would be for /index.html or any other page at 50 requests per minute. A POST would hit your myApi.php and attempt to post data at 50-plus requests per minute.

This post is going to focus on some recommendations using AWS and other technologies to stop a recent HTTP DDoS attack. The first step is to tell the DDoS attack apart from regular traffic. The second question is how one prevents an HTTP DDoS attack.

Identifying a DDoS attack: The first step is to understand your existing traffic. If you have 2,000 requests per day and all of a sudden you have 2,000,000 requests in the morning, it's a good indication you're under a DDoS attack. The easiest way to identify this is to look at the access_log and pull it into a monitoring service like Splunk, AlienVault, Graylog, etc. From there, real-time trend analysis would show the issue. If the web servers are behind an ALB, make sure the ALB is logging requests and that those logs are being analyzed instead of the web server access logs. The ALB still supports X-Forwarded-For, so the original client address can be passed along.
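The per-source trend check described above, as an added example that is not part of the original post: it parses an assumed Apache combined LogFormat with X-Forwarded-For appended (the header the ALB passes), takes the leftmost X-Forwarded-For entry as the real client, buckets requests per client per minute, and flags any client above the 50-requests-per-minute figure the post uses. The log lines are constructed, with 10.0.1.5 standing in for the ALB's address.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format with X-Forwarded-For appended, as a web server behind
# an ALB would log it (assumed LogFormat; not a format given in the post):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

def parse_line(line):
    """Return (client_ip, minute_bucket, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Behind an ALB, %h is the load balancer's private address; the real client is
    # the leftmost X-Forwarded-For entry when that header was logged.
    xff = m.group("xff").strip()
    client = xff.split(",")[0].strip() if xff and xff != "-" else m.group("host")
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return client, ts.strftime("%Y-%m-%dT%H:%M"), m.group("method"), m.group("path")

def flag_sources(lines, per_minute_limit=50):
    """Bucket requests per client per minute. Returns ({client: peak requests in any
    one minute} for clients over the limit, total parsed requests)."""
    per_minute = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            client, minute, _method, _path = rec
            per_minute[(client, minute)] += 1
    peak = defaultdict(int)
    for (client, minute), n in per_minute.items():
        peak[client] = max(peak[client], n)
    return {c: n for c, n in peak.items() if n > per_minute_limit}, sum(per_minute.values())

def _sample(client, sec, method, path):
    # Constructed log line: 10.0.1.5 is the ALB's address seen as %h, the client is in XFF.
    return (f'10.0.1.5 - - [14/Jul/2018:08:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0" "{client}, 10.0.1.5"')

# Constructed sample: one source POSTs to myApi.php 70 times inside a single minute,
# a second source fetches /index.html three times (the "regular traffic" baseline).
SAMPLE_LOG = ([_sample("203.0.113.7", s % 60, "POST", "/myApi.php") for s in range(70)]
              + [_sample("198.51.100.2", s, "GET", "/index.html") for s in (3, 17, 42)])
```

Running `flag_sources(SAMPLE_LOG)` returns `({'203.0.113.7': 70}, 73)`: the single POST source is flagged and the three-request GET client is not.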

Preventing a DDoS attack: There is no way to truly prevent an HTTP DDoS attack. Specifically to deal with this event, the following mitigation techniques were explored:

  1. AWS Shield - this provides advanced WAF functions, and there are rules to limit traffic.

  2. The freeware option would be to use Apache or NGINX, which have rate limiting for specific IP addresses. In Apache, this is implemented by a number of modules. ModSecurity is usually at the top of the list; a great configuration example is available on GitHub which includes X-Forwarded-For.

  3. An EC2 instance in front of the web server can be run as a proxy. The proxy can be configured to suppress the traffic using ModSecurity or other Marketplace offerings, including other WAF options.

  4. An AWS WAF can be deployed on the ALB or on CloudFront.

  5. Lastly, the most expensive option is to deploy Auto Scaling groups to absorb all the traffic.

Please leave a comment if there are other options which should have been investigated.

To solve this specific issue, an AWS WAF was deployed on the ALB. One thing to consider is to make sure attacks cannot hit the website directly, bypassing the WAF. This is easily accomplished by allowing HTTP/HTTPS from anywhere only to the ALB, with the ALB and the EC2 instances sharing a security group which allows HTTP/HTTPS to everything in that security group.
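A check for the security-group layout just described, as an added example that is not part of the original post: it models a public group on the ALB and a self-referencing group shared by the ALB and the web instances, then reports any instance whose groups accept 80/443 from anywhere (a path around the WAF). The rule dicts follow the IpPermissions shape that boto3's ec2.describe_security_groups() returns, but all data and group IDs here are constructed placeholders; nothing calls AWS.

```python
# Audit whether web instances can be reached from the internet directly, bypassing the ALB
# (and the WAF on it). Rule dicts mirror the IpPermissions entries returned by boto3's
# ec2.describe_security_groups(); the data and group IDs below are constructed placeholders.
ALB_SG = "sg-alb-public"    # attached to the ALB only
WEB_SG = "sg-web-shared"    # attached to the ALB and to every web instance

def rule(port, cidr=None, group=None):
    """One TCP ingress permission on a single port, from a CIDR or from a security group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}

SECURITY_GROUPS = {
    ALB_SG: [rule(80, cidr="0.0.0.0/0"), rule(443, cidr="0.0.0.0/0")],
    # Self-referencing rules: only members of WEB_SG (i.e. the ALB) reach the instances.
    WEB_SG: [rule(80, group=WEB_SG), rule(443, group=WEB_SG)],
}

def _permits_port(perm, port):
    """True if this permission covers `port` (IpProtocol -1 means all traffic, no ports)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def _open_to_world(perm):
    v4 = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def public_web_exposure(sg_ids, groups=SECURITY_GROUPS, ports=(80, 443)):
    """Ports among `ports` on which a resource with these security groups accepts
    traffic from anywhere. For the ALB that is expected; for a web instance it is a gap."""
    exposed = set()
    for sg in sg_ids:
        for perm in groups[sg]:
            if _open_to_world(perm):
                exposed.update(p for p in ports if _permits_port(perm, p))
    return sorted(exposed)

def audit_instances(instances, groups=SECURITY_GROUPS):
    """{instance_id: exposed ports} for every instance that is reachable directly."""
    findings = {}
    for iid, sgs in instances.items():
        exposed = public_web_exposure(sgs, groups)
        if exposed:
            findings[iid] = exposed
    return findings

# Constructed inventory: i-web-1 is correct, i-web-2 was mistakenly given the ALB's group.
INSTANCES = {"i-web-1": [WEB_SG], "i-web-2": [ALB_SG, WEB_SG]}
```

`audit_instances(INSTANCES)` returns `{'i-web-2': [80, 443]}`; with real data, feed it the IpPermissions lists and the per-instance group IDs from describe_security_groups and describe_instances.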

Cisco Press CCNP Route Books not aligned with CCNP Route Exam Blueprint

To my disappointment, having completely read the CCNP Routing and Switching ROUTE 300-101 Official Cert Guide and the Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide (CCNP ROUTE 300-101) for the CCNP Route exam, I found these books are not aligned with the exam blueprint.

Looking at the exam blueprint, topics like CHAPv2 and Frame Relay are still covered but are not used as much. CHAPv2 is not mentioned in either book. Secondly, technologies like IPsec VPN and MPLS get little coverage in the books but are prevalent in deployments today. Additionally, there are no real configuration examples for DMVPN.

Cisco Press claims these are the official certification guides for the exams, so it gives me great concern that the exam blueprint and the official certification guide are not in sync. Wendell Odom [https://www.certskills.com/], who wrote a number of the original certification guides, always did a great job of matching the book to the exam blueprint and providing exercises to reinforce learning. He is no longer the author of the CCNP certification guides, as Wendell focuses on CCNA Routing and Switching.

The last time I went through CCNP certification I used the Cisco Press Exam Certification Guides and the Sybex CCNP books, which included exercises. Sybex no longer publishes CCNP books.

Before taking the test, I think I’ll find a lab workbook and execute the exercises on VIRL.

Starting a new position today

Starting a new position today as Consultant - Cloud Architect with Taos. Super excited for this opportunity.

I wanted a position as a solution architect working with the cloud, so I couldn't be more thrilled with the role. I am looking forward to helping Taos customers adopt the cloud and a Cloud First strategy.

It's an amazing journey for me, as Taos was the first to offer me a Unix system administrator position when I graduated from Penn State some 18 years ago; I passed on the offer and went to work for IBM.

I am really looking forward to working with the great people at Taos.

My Favorite Things About Amazon Well Architected Framework

Amazon released the AWS Well Architected Framework to help customers architect solutions within AWS. The Amazon certifications require detailed knowledge of the 5 white papers which make up the Well Architected Framework. Given I have recently completed 6 Amazon certifications, I decided I was going to write a blog post which pulled my favorite lines from each paper.

Operational excellence pillar: The whitepaper says on page 15, "When things fail you will want to ensure that your team, as well as your larger engineering community, learns from those failures." It doesn't say "If things fail", it says "When things fail", implying straight away that things are going to fail.

Security pillar: On page 18, "Data classification provides a way to categorize organizational data based on levels of sensitivity. This includes understanding what data types are available, where is the data located and access levels and protection of the data". This to me sums up how security needs to be defined. Modern data security is not about firewalls, having a hard outside shell, or malware detectors. It's about protecting the data based on its classification from both internal actors (employees, contractors, vendors) and hostile actors.

Reliability pillar: The document is 45 pages long; the word failure appears 100 times and the word fail 33 times. The document is really about how to architect an AWS environment to respond to failure, and which portion of your environment, based on business requirements, should be over-engineered to withstand multiple failures.

Performance efficiency pillar: Page 24 has the line, "When architectures perform badly this is normally because of a performance review process has not been put into place or is broken". When I first read this line, I was perplexed. I immediately thought this implies a bad architecture can perform well if there is a performance review in place. Then I thought, when has a bad architecture ever performed well under load? Now I get the point this is trying to make.

Cost optimization pillar: On page 2 is my favorite line from this white paper, "A cost-optimized system will fully utilize all resources, achieve an outcome at the lowest possible price point, and meet your functional requirements." It made me immediately think back to before the cloud, when every solution had to include a growth factor over the life of the hardware; it was part of the requirements. In the cloud you need to support capacity today; if you need more capacity tomorrow, you just scale. This is one of the biggest benefits of cloud computing: no more guessing about capacity.