TLDR: here are my study notes.
Over the last few months I’ve been studying for the AWS Certified Advanced Networking Specialty Exam. This is my sixth AWS certification and so far the most challenging. When deciding which of the specialty exams to do the Advanced Networking seemed the most applicable to my career. In a previous article I covered the process of studying for the DevOps professional exam and went over my background.
[Read More]
Useful Squid Proxy Command Reference
Recently I’ve been working with Squid as a proxying solution to protect AWS VPCs. I wrote a short quick reference to get started with it that provides simple site whitelist functionality.
The instance hosting Squid can be put into a public subnet with an internet gateway, such that instances in other subnets with access to the public subnet can reference it for controlled internet egress to allowed sites. This is great for AMI baking, querying external APIs (such as Amazon services that don’t have a VPC endpoint) and generally any stateful outbound access.
[Read More]
KMS Encryption of Autoscaled Instance Volumes
A lot of effort is put into securing the file system of your servers, and that security can be called into question if volumes are not encrypted. This can be a challenge with autoscaled instance groups and encrypted AMIs. Whenever I created an autoscaled application, I would apply the necessary permissions to the launch configuration through a role, only to have instances go into a starting stage and then shut down.
[Read More]
Persisting IPs With AWS ENIs in RHEL 7.4
I spent some time on this during the week, and there was some wrestling involved in setting up an Elastic Network Interface to be used with an auto-healing EC2 instance. I thought it would be worth sharing the pattern in case someone has to design a service in a similar fashion. If designed correctly, a new instance will reassociate with the address in the event of an instance termination, and the consuming entities can keep querying the newly instantiated service on the instance.
[Read More]
Useful JMESPath in AWS CLI
Thought I’d take the time to consolidate some of the learnings I’ve made along the way when making queries against an AWS account using the command line interface. Originally I came from a development background and did most of my automation scripts as a combination of Python 2.7, Boto3 and Fabric. While I still see these as having their place when managing complex objects or performing heavier string manipulation, I’ve found you can get a long way with a combination of Bash scripting, the AWS CLI and CloudFormation templates.
[Read More]
AWS Administration Cookbook
Big shout-out to Rowan Udell and Lucas Chan, who have released their new book AWS Administration Cookbook today. I had the pleasure of reviewing it; if you’re in development or ops and want to know how to professionally build infrastructure at scale in AWS, I highly recommend purchasing this book. The guys provide clear recipes backed by CloudFormation templates, so that you can create the projects easily, understand exactly what is going on, and end up managing groups of AWS accounts concurrently.
[Read More]
AWS DevOps Engineer Professional Certification: How I got there
In my off-time I’ve been studying for the AWS DevOps Engineer Professional Certification (exam blueprints can be found here). I have the SysOps Associate Certification and I wanted to keep pushing and learn as much as I could about the world’s leading cloud platform. Finally, last Monday I sat the exam and passed! Given this, I’ll go over my exam preparation and tips and the impressions I had of it, and hopefully yield some useful insights for anyone in preparation mode for this exam.
[Read More]
Boto sessions and AWS multi-account
Generally when I’m writing an automation script for AWS resources, the action is isolated to the one account. Recently, I worked on a script that manipulated resources across multiple accounts. It’s good practice and a common pattern to host separate environments and resources in different accounts, then unify them by creating a third. Users are assigned limited permissions in the third account; they can then assume an IAM role to access the secure environments through a trust relationship with it.
[Read More]
Vegas, re:Invent and great breakout sessions
It’s been a while since re:Invent happened, but in my defense it has been a very busy three months. Other than Christmas, New Year’s, taking some time off and working with clients, I had the opportunity to attend the recent re:Invent held in Las Vegas. Going to re:Invent in Vegas was an excellent way to catch what’s been happening in cloud technologies and what to keep an eye out for from the eponymous service provider.
[Read More]
Lambda Pattern: Hopper
Reusable patterns for Lambda
Hopper:
A container for a loose bulk material such as grain, rock, or rubbish, typically one that tapers downward and is able to discharge its contents at the bottom.
A person or thing that hops.
A simple pattern I’ve been using lately when working with serverless architecture is what I’ve been calling a hopper, i.e. a Lambda function that takes as its argument a path to some semi-structured data, which can be iterated over and then passed on to another Lambda function with the purpose of performing some well-defined and isolated task.
[Read More]