Wednesday, January 28, 2015

Resource Id for CloudTrail to view AWS Config CI logs

AWS Config is an amazing way to track the changes and relationships among the various AWS services. It provides a bit of Change Data Capture (CDC) style functionality across the AWS services used under the account.

Recently I tried to look for changes in one of AWS Config's cousins [ CloudTrail ] to see information about when CloudTrail logging was initiated, etc. The Lookup by Resource ID accepts the CloudTrail Trail's Name [ What is the CloudTrail Trail's Name? ]. I tried all possible combinations: CloudTrail, the S3 bucket name, empty; but none of them succeeded.



It turned out to be Default [ D in upper case ]; I got this information after contacting AWS via the AWS Forums.

Hope this helps.

Friday, January 9, 2015

SOLVED : Request could not be satisfied - Amazon Directory Service

You can create a new Amazon Directory Service directory - AD Connector or Simple AD - with or without on-premises AD settings. Once done, you need to provide an Access URL by choosing a keyword, which is prefixed to .awsapps.com. After that you need to explicitly enable the Apps & Services [ Amazon Workspaces, Amazon Zocalo, AWS Management Console ] individually.



The AWS Management Console can take the URL as https://SimpleADdemo1.awsapps.com/console



Even after the Access URL and the other necessary configurations are done, you may still be prompted with an error page [ a CloudFront error page ] stating "Request Could Not be Satisfied", as below.

The simple fix is to wait another couple of minutes for CloudFront to pick up your AD app's web artefacts and distribute them to its edge locations.


Tuesday, January 6, 2015

AWS Directory Service - AD Connector - A Short Overview

I really like the types of services Amazon is concentrating on these days - Directory Service, Zocalo, Containers, Lambda etc.; this clearly shows the length and breadth of innovation areas in AWS. Let's look into what AWS Directory Service AD Connector is, this time.

What is AD Connector ?

  • AD Connector is a SaaS-like offering - a plug-and-play service, fully managed by Amazon.
  • It makes use of your existing Active Directory running on-premises / in the cloud to authenticate and authorize access to the AWS Console and AWS resources; this means you don't need to create & manage IAM users from the AWS Console, but can make use of the AD which is already configured in your data center.
  • Continue using centralized credentials, users, access and policy from the same corporate directory; but this time for the AWS Console & AWS resources.
  • Directory synchronization, availability, connectivity and federation are taken care of by the service.
  • MFA authentication can also be enabled if required.

What are the Prerequisites ?

  • VPC with 2 Subnets in different Availability Zones
  • Hardware VPN Connection to the AWS VPC
  • Firewall & ports opened for 53 (DNS), 88 (Kerberos), 389 (LDAP) - TCP / UDP as appropriate

What are your Responsibilities ?

  • Creation of IAM Roles to map the Active Directory Users / Groups
  • Ensure the Uptime & Connectivity of the On-Premises Active Directory

What are the AWS Resources created by AD Connector in the Account ?

I was able to observe the following automatically created in my account when I had successfully finished creating & configuring AD Connector.
  • 2 ENIs ( placed in the specified Subnets )
  • 2 Security Groups ( each having All Traffic enabled between themselves )

Can it be used for AD already running in EC2 ?

  • Yes. Actually, this post illustrates that exact use case.

Architecture 



Installation & Setup

  • Once the Active Directory Domain Services are installed in the EC2 instance, you will need details like the user name & password, NetBIOS name and Directory DNS name.
  • The important thing to note here is to use the PRIVATE IP of the EC2 Instance ( for this scenario ).
  • Once the setup is completed you get to see the status.



The Access URL is configured as the entry point to the AWS Console ( and / or Amazon Workspaces, Amazon Zocalo ). Once done, you need to explicitly enable AWS Management Console access.


You will now be prompted with a dialogue box to start the wizard for IAM Role and AD User association.


Click on New Role - this would be an IAM Role



Both new IAM Role Creation and Modifying existing Role(s) can be done in this step


When choosing Create New Role, you will notice predefined IAM role templates similar to those in IAM in the AWS Management Console.

On navigating to the next step, you can search for existing Users / Groups, which are populated from your Active Directory.



Now the specified IAM Role and AD User ( or Group ) are associated. With this, your AD users can start using the AWS Management Console with the same AD credentials.




https://ADConnectorEndPoint.awsapp.com/console




When you log in to the Access URL, you will be prompted to enter the Organization Name (the public endpoint - without the .awsapps.com in the URL), user name and password ( from your AD ).


AWS Management Console



Saturday, December 20, 2014

Packt $5 eBook Bonanza

Following the success of last year’s festive offer, Packt Publishing will be celebrating the holiday season with an even bigger $5 offer. 




From Thursday 18th December, every eBook and video will be available on the publisher’s website for just $5. Customers are invited to purchase as many as they like before the offer ends on Tuesday January 6th, making it the perfect opportunity to try something new or to take your skills to the next level as 2015 begins.

With all $5 products available in a range of formats and DRM-free, customers will find great value content delivered exactly how they want it across Packt’s website this Xmas and New Year.
Find out more at http://bit.ly/1w1Vkps

Saturday, November 22, 2014

Amazon Zocalo - The Silver Lining for Enterprises

Introduction


Zocalo is the new, fully managed, self-service document collaboration and management service introduced by Amazon Web Services. It includes administration and mobile / PC apps fully out of the box, with support for offline document access. Zocalo also readily allows enterprises to link up their corporate Active Directory for access and authentication.



Key Features & Overview


Amazon Zocalo’s key capabilities can be categorized as Storage, Administration, Document Management & Feedback, and PC & Mobile Support.

Storage


All the documents are stored in a reliable infrastructure that is fully managed by Amazon Web Services. There is essentially no limit on the amount of data and number of documents you can store in Zocalo. An explicit storage limit for each user can optionally be enforced by an administrator.

Administration


Administration of the Zocalo site, its users and storage comes out of the box. The administration portal is web based and can be accessed from all popular, up-to-date browsers. Administrators can create new users or alternatively link up the corporate Active Directory and sync it to Zocalo, enable / disable users, and set explicit storage limits for a user's account.

Document Management & Feedback

Documents can be accessed and reviewed directly from the Zocalo web portal. The document management features of Zocalo don't stop at mere document access over the web or on devices; they also enable collaboration by allowing documents to be shared and sent out for comments or review, optionally with a deadline and reminders. With the built-in versioning capability in Zocalo, naming files v1, v2, v3 becomes a thing of the past, and older or other versions are easy to reach. Documents can be uploaded using the web portal or synced from a PC / Mac using the Zocalo sync applications.

Documents can also be shared externally, outside the corporation, with fine-grained control for each file by setting access controls like read-only, download disabled etc. External access permissions to the documents can be revoked at any time.

Any type of file can be stored in Zocalo. Zocalo supports instant access and review for Microsoft Office files (Word, Excel, and PowerPoint), PDFs, images and text files. Files can be downloaded to your local machine, and optionally documents can include the review comments along with them.

You can create and edit your files as usual using the standard applications; once the document is ready it can be released as a newer version, and the contributors notified.

System & Mobile Support


While the Zocalo portal for file access and review can be accessed through the web, Amazon Zocalo extends its offering to the major tablet platforms - iPad, Android tablets and Amazon Kindle Fire; the apps can be downloaded from the respective app marketplaces for free. Using the mobile apps one can perform the same document sharing, review and comment functions that are possible through the web interface. The best part is having documents and files available offline: even with no network access you can still review documents, and the new reviews are synced as and when the tablet connects back to the internet.

The documents can be uploaded to Zocalo via the portal using the browser, you can also sync the files from your local machine using the Sync application for free. There are sync clients for PC (Windows 7) and Mac (OS X 10.7 +).


Zocalo for Enterprise


There are several reasons why Zocalo makes a good candidate for Enterprise Document Management and Storage viz.

Region Specific

The Zocalo site is created in the specified Amazon region, like US-East-1 (Virginia), and the documents and data never leave that region. This is one of the major requirements where data must be stored only in the territory where the business operates.

Access Logs


Zocalo brings along reports detailing the activity of users in a Zocalo site, like documents viewed, downloaded, document ownership transfers etc. These types of logs are mandatory for several compliance standards.

Integrate with Existing Active Directory

Zocalo can be easily linked to the corporate Active Directory; this avoids introducing yet another access management system.



Make use of Direct Connect to access Corporate Active Directory



Amazon Direct Connect (DX) is a service offering which enables enterprises to connect directly to Amazon's data centers over a dedicated line. This makes the communication between the enterprise and Amazon Zocalo more secure, faster and more reliable, with guaranteed bandwidth.

Complements Amazon Workspaces

Amazon Workspaces is a fully managed desktop computing service (VDI - Virtual Desktop Infrastructure) which provides cloud-based desktops with access to documents and applications from laptops, iPad, Kindle Fire, Android tablets etc. Every Amazon Workspaces account comes with a FREE Zocalo account with 50 GB of storage per month; additional storage can always be added for a reduced monthly subscription fee.

Leverage Enterprise Productivity along with Existing Investment of Office Suite - Microsoft Office


Nothing would change or be removed from the corporate applications and tools ecosystem to bring in Zocalo to the enterprise. Rather Zocalo would form a creamy layer with enhanced collaboration for Microsoft Office Word, Excel, PowerPoint files.

Share Zocalo Documents Contents Externally with ease 

Inviting an external 3rd Party legal firm to review the documents is just a click away for which the access can be read-only / download-disabled. The access can be revoked any time.

Zocalo Cost overview


The charges are prorated for average usage for the month, if a user is removed / disabled / added in the middle of a given month. Beyond 200GB the pricing works out in a pay as you go model per GB per month for that particular user.



If you use Amazon Workspaces, you will get Zocalo free for every account of 50GB per month, additional storage can be added in the pay as you go model.

Friday, November 21, 2014

Features I wish are supported in AWS CloudFormation

There is a specific set of people who love CloudFormation, and a few use cases like DR network setup / restoration and redundant Hadoop clusters work the best for CloudFormation. When I personally tried to create a 3-tier application stack with private / public subnets with EC2 it was an amazing experience; slowly, when I tried to do this over and over again, the excitement started to fade off - then I found CloudFormation, and composing a text file which literally translates a bunch of clicks, configurations, attachments, launches and reconfigurations was enlightening. I was very proud to tell or enable people to "Version Control the Infrastructure now".

I really enjoyed it when I first wrote a 3-tier VPC stack with multiple Subnets and Security Groups and was able to answer / proclaim to the team that I can run this template in any Region with the option of selecting the AZ ( thanks to the Mappings entity in CloudFormation ).

Over a period of time, I felt the need for a few features, or better put, ways to add more glory to CloudFormation; these are my wishes this Christmas from the Amazon CloudFormation team.

1. Online IDE


2. Ordering of Parameters
  • Now :
    • CloudFormation empowers flexibility, and the principal way we achieve that is by dynamically having the ability to "key in" the parameters - the real power is that the parameters can be used to create the NetBIOS name of the AD in the stack, or the AZ of the stack, or the selection of the instance size based on that value; I can go on.
    • A lot of the time we end up having nearly 20 parameters ( the effect of uttering the word flexibility to your boss :) ), and the ordering is in no particular format ( most of the time alphabetical ); it is really hard to look into each and every parameter, and the chance of missing a change to a key value like the CIDR range will backfire on you.
  • Nice if:
    • The logical or best way to solve this issue is to put the key parameters like CIDR - Range - AZ at the top, followed by the name of the Instance Tag towards the end; so essentially a way to specify the order / defined sequence of the Parameters.

3. Inbuilt Error Check based on Value Types

  • Now :
    • This is again with respect to Parameters. Chances are both the VPC CIDR and the Subnet CIDR are accepted as parameters by your template.
    • There is a very high probability that the user ( certainly during a demo ) enters the CIDR for the VPC as 10.10.0.0/16 and the subnets' CIDR in the range of 10.0.10.0/24.
  • Nice if:
    • We could chain the parameter lists to check use cases like VPC CIDR ranges and subnet CIDR ranges. We have an option to check the format of a CIDR range / IP range using regular expressions, but we can't specify that the subnet range must be a valid range inside the VPC.

4. Drop Down List of Available Values ( Valid Values ) - Improved GUI

  • Now :
    • The easiest way to stop the user from entering dumb values like i1.mini, just because there is an iPad Mini, is to restrict the allowed values to ["m1.small", "m1.large", "t2.micro"] etc.
    • When we launch the template the user can change the values, and CFN will check whether the user-entered value is among the allowed values before proceeding to launch ( cool ! ).
  • Nice if:
    • There was a clear drop-down list showing the allowed values; chances are one will choose t1.micro rather than t2.micro when in doubt. If the drop-down list showed t2.micro it would be easy and intuitive.


5. Improved Error ( Static / Syntax ) Check

  • Now :
    • When we upload the CFN template for deployment there are several syntax checks, like missing commas, colons, improper nesting etc.
    • There is one type of check which could still be performed at the compilation stage: the data type of the property, especially the difference between a direct parameter and a parameter inside [ ] (a list). For example, an ELB can have n Security Groups, but during the unit-testing phase we tend to put { "Ref" : "ELBSG" } and run it; CFN starts deploying, launches the subnets, instances, VPC, SGs etc., and only when it tries to materialize the ELB does it tell you that it wants the parameter like [ { "Ref" : "ELBSG" } ]. It works like an interpreter.
  • Nice if :
    • Here we can completely agree that the syntax has to be with [ ], but if the same was checked along with the JSON "well-formed" error, it would save a bunch of unwanted launches, rollbacks and stack deletes, and by extension money.
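Items 3 and 5 above are checks that can be run locally before a template is ever uploaded. The following is an added example, not code from the original post: a small pre-flight linter for a CloudFormation JSON template that verifies each AWS::EC2::Subnet CIDR lies inside the CIDR of the VPC it references (using parameter defaults, or launch-time values passed in) and flags ELB list-typed properties written as a bare Ref. The sample template and the LIST_PROPERTIES table are constructed for this example.

```python
import ipaddress
import json

# Constructed sample template (not from the post): a subnet CIDR outside the
# VPC CIDR, and an ELB whose SecurityGroups is a bare Ref instead of a list.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "VpcCidr": {"Type": "String", "Default": "10.10.0.0/16"},
        "SubnetCidr": {"Type": "String", "Default": "10.0.10.0/24"},
    },
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": {"Ref": "VpcCidr"}}},
        "Subnet": {"Type": "AWS::EC2::Subnet",
                   "Properties": {"VpcId": {"Ref": "VPC"},
                                  "CidrBlock": {"Ref": "SubnetCidr"}}},
        "ELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
                "Properties": {"SecurityGroups": {"Ref": "ELBSG"}}},
    },
})

# Properties CloudFormation expects as JSON lists (constructed table); a bare
# {"Ref": ...} here is only rejected after the rest of the stack has launched.
LIST_PROPERTIES = {
    "AWS::ElasticLoadBalancing::LoadBalancer": {"SecurityGroups", "Subnets"},
}

def lint_template(text, values=None):
    """Run both checks; `values` overrides parameter defaults, as at launch."""
    tmpl = json.loads(text)
    params = {n: p.get("Default") for n, p in tmpl.get("Parameters", {}).items()}
    params.update(values or {})

    def resolve(value):  # literal or {"Ref": "<Parameter>"} -> effective value
        return params.get(value["Ref"]) if isinstance(value, dict) and "Ref" in value else value

    resources = tmpl.get("Resources", {})
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        # Check 1: a subnet's CIDR must lie inside the CIDR of the VPC it refers to.
        if res.get("Type") == "AWS::EC2::Subnet":
            vpc_ref = props.get("VpcId")
            vpc_name = vpc_ref.get("Ref") if isinstance(vpc_ref, dict) else None
            vpc_props = resources.get(vpc_name, {}).get("Properties", {})
            vpc_cidr = resolve(vpc_props.get("CidrBlock"))
            sub_cidr = resolve(props.get("CidrBlock"))
            if vpc_cidr and sub_cidr and not ipaddress.ip_network(
                    sub_cidr, strict=False).subnet_of(
                    ipaddress.ip_network(vpc_cidr, strict=False)):
                findings.append(f"{name}: {sub_cidr} is not inside {vpc_name} ({vpc_cidr})")
        # Check 2: a list-typed property written as a bare Ref instead of [Ref].
        for prop in LIST_PROPERTIES.get(res.get("Type"), ()):
            if prop in props and not isinstance(props[prop], list):
                findings.append(f"{name}.{prop}: expected a list, got {json.dumps(props[prop])}")
    return findings
```

Running `lint_template(SAMPLE_TEMPLATE)` reports both mistakes before any stack is launched; passing `{"SubnetCidr": "10.10.1.0/24"}` as launch-time values clears the CIDR finding and leaves only the ELB one.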

Tuesday, August 19, 2014

Heroku Cloud Application Development - Book Review

This book does a really good job of hand-holding developers who are new to cloud platforms and / or the Heroku platform. Dedicating a separate chapter to an introduction to cloud development, explaining how the cloud can be put into practice, is a good take-off for complete beginners. Every single term and the bare basics have been explained extensively, which makes for a smooth transition to more advanced topics.

The setup and environment configurations are illustrated clearly, which is generally the initial learning curve for any beginner. The best thing I like about this book is that there is enough coverage concentrated on architectural and deployment topics like loose coupling, source control, Git, high availability etc., rather than merely emphasizing the APIs and services offered.




The inclusion of best practices is clearly one of the key reasons why one might choose this book to get started with Heroku.