AWS Network Firewall is a highly available and scalable firewall service that provides network protection for VPCs and supplements the existing security services.
There are quite a few use cases for AWS Network Firewall, e.g. VPC-to-VPC inspection, VPC-to-on-prem/VPN inspection and VPC-to-Internet inspection. Different use cases call for different deployment models.
I have done two AWS Network Firewall deployments recently, which I think are the typical use cases.
First example: Workload VPC uses…
If you use an S3 endpoint rather than NAT or a proxy to access the Amazon yum repository, this post should be helpful to you.
We use an S3 endpoint to access the Amazon repositories, and we noticed that any yum operation failed with the 'HTTPS Error 403 - Forbidden' error on EC2 instances launched from the latest Amazon Linux 2 AMI in the Sydney region (ami-007b2c28096a63f37).
It turns out that AWS has made some changes to the yum configuration in the latest Amazon Linux 2 AMI in the Sydney region, and I have not found any official documentation from AWS about it so far.
I assume you already know what an EC2 instance profile is. Basically, an instance profile defines the permissions that an EC2 instance has, since it is associated with an IAM role that has a set of IAM policies attached, and the AWS credentials in the EC2 instance metadata are automatically rotated through the instance profile.
In a hybrid environment (e.g. on-prem + AWS cloud), it is not uncommon to run some AWS-related tasks from on-prem servers (e.g. deploying a CloudFormation stack from an on-prem Bamboo server). How do you normally manage the AWS credentials on those on-prem servers? The common practice that…
I was working on a new Lambda function a couple of days ago. It took me a while to deploy it successfully via CloudFormation, all because some required IAM policies were missing from the deployment role, so I had to delete and recreate the stack a couple of times.
When I tested the Lambda function, it complained that Lambda was unable to decrypt the environment variables because KMS access was denied. But I was 100% sure the Lambda execution role had the right permission to use the KMS key (aws/lambda) for decryption.
It turns out that…
Simply speaking, ACM (AWS Certificate Manager) uses KMS (Key Management Service) to protect the private key. What drew my attention to this topic is that a user was denied (no permission to describe the KMS key) when trying to request an ACM certificate in a region where KMS access is explicitly denied.
This diagram explains how ACM uses KMS:
With the increasing demand for and advantages of cloud technologies, moving Jira to the cloud is definitely inevitable, whether it is self-hosted Jira in the cloud (IaaS) or Atlassian Jira Cloud (SaaS). As our current project is to migrate Jira to AWS, I will focus on the challenges and solutions of running Jira in AWS.
Here is the typical Atlassian Data Center application infrastructure (Confluence, Jira, Crowd, Bitbucket).
When mapping it to AWS, we found the perfect AWS service for each layer of the architecture. By adopting the following AWS services, all layers become highly scalable and highly available.
I wrote a blog post about How Confluence Data Center Manages Index Files. Now let's have a quick look at how Jira manages index files. Compared to Confluence, Jira manages index files quite differently.
In a multi-node Jira Data Center cluster, each node keeps the index files locally and tries to reach eventual consistency. When a change is made on one of the nodes (e.g. a new issue is created), the node indexes that change and also adds an entry to the replicatedindexoperation table in the database, which it removes after two days, so that other nodes…
We are all apprentices in a craft where no one ever becomes a master.