Posts
DNS Resolution for Private EKS Cluster
I have been working on a project to deploy Elastic Kubernetes Service (EKS) at an Academic Medical Center. They want to deploy a private cluster that does not have internet access. EKS supports this, but DNS resolution can be tricky. There is an AWS blog post that explains how to do it.
Ultimately, we need an inbound R53 resolver ENI in the EKS VPC. When you configure EKS with a private endpoint it configures DNS to only respond to requests from within the VPC.
Writing unit tests for Chalice
Chalice is a Python serverless microframework for AWS that enables you to quickly create and deploy applications that use Amazon API Gateway and AWS Lambda. In this blog post, I discuss how to create unit tests for Chalice. I’ll use Chalice local mode to execute these tests without provisioning API Gateway and Lambda resources.
Creating a new project
Let's begin by creating a new Chalice project using the chalice command line.
Elastic Beanstalk Worker Environment Timeouts
I have been working with Worker Environments in AWS Elastic Beanstalk. I found all the timeouts confusing at first, so I share my findings here.
The instances in your Worker Environment have a daemon that reads messages from an SQS Queue. That queue has a Default Visibility Timeout and Message Retention Period. In addition, the Elastic Beanstalk Worker Configuration has its own Visibility Timeout and Retention Period, plus a Connection Timeout, Error Visibility Timeout and Inactivity Timeout.
EBS Snapshots with Microsoft VSS and EC2 Systems Manager
Early in my career, I learned an important lesson: backup is easy, but restore is hard. Too often we take our backup and recovery for granted. We assume that if the backup completed successfully, the restore will work when we need it. Anyone who has been through a disaster recovery exercise, whether simulated or real, knows this is seldom the case.
In this post I discuss creating consistent backups of Windows Servers using the Volume Shadow Copy Service (VSS) and Elastic Block Store (EBS) snapshots.
Simple Email Service (SES) Sample Application
I could not find a simple example to send email using SES in Python. Turns out it is really easy. If you have a MIME formatted message you can simply call send_raw_email.
import boto3
client = boto3.client("ses")
client.send_raw_email(RawMessage={'Data': mime_formatted_message})
Of course the tricky part is the MIME formatting. Turns out that is really easy in Python. Here is a simple example.
from email.mime.text import MIMEText
message = MIMEText("Testing 123\nTesting 123\nTesting 123")
message['From'] = "sender@domain.
Linked Account Template
It is common for an AWS customer to have many accounts. Often a central IT team will own the payer account and have oversight over all accounts. The IT team will create a linked account for each project or business unit. When you create a new linked account, it's helpful to have a CloudFormation template to ensure the configuration of the linked accounts is identical. This template takes the account number of the payer account and a bucket to write CloudTrail logs to (Note: best practice is to write logs to the payer account to ensure separation of duties).
CloudWatch Logs Trace Listener
I added a new CloudWatch Logs Trace Listener to the .NET API for AWS. The API team plans to add support for Log4Net, but in the meantime I have been using this. https://github.com/brianjbeach/aws-dotnet-trace-listener
My Cloud EX2 Backup to Amazon S3
With all the devices in the house it was finally time to invest in a NAS. I settled on the Western Digital My Cloud EX2. I picked this specifically because it supported backup to Amazon S3. In practice, the backup software sucks and I had to work around a few issues to get it working reliably and inexpensively. Overall I really like the EX2. It has great features for the price.
Configuring an AWS Customer Gateway Behind a NAT
I have been wanting to configure a VPN Connection from AWS to my house, but my cheap Netgear router does not support IPSec. So, I picked up an old Cisco 871 router that does. I didn’t want to sacrifice the speed (it supports 802.11ac while the 871 is an old 802.11g device) and features of my Netgear router, so I put the 871 behind the Netgear and modified the VPN configuration for NAT traversal.
Discovering Windows Version on EC2 Instances
Windows Server 2003 end of life is less than six months away. As I start to think about upgrading, I was looking for an easy way to identify what version of Windows is running on each EC2 instance. I would like to do this without having to log into each instance. One solution is to use the System log. If the instance has the EC2Config service running on it, it will report the OS version (along with a few key driver versions) to the console.
Configuring a Linux Swap Device with Cloud-Init
Cloud-Init is a set of Python scripts used to configure Linux instances when they boot in AWS. Cloud-Init is included on Ubuntu and Amazon Linux AMIs.
You can think of a Cloud-Init script as a bare-bones Configuration Management solution like Chef or Puppet. A Cloud-Init script is passed as user data. If you have ever passed a shell script as user data, it was Cloud-Init that queried the meta-data service and executed the script.
CloudWatch Logs Push
In my last post I used the awslogs daemon to push tcpdump events to AWS CloudWatch Logs. At the time it felt silly to use a file on disk and a daemon to push events from an interactive session. Well, I had some time to dig and I found a much cleaner way to do it without the daemon. It turns out that CloudWatch Logs is implemented as a plugin to the AWS CLI.
CloudWatch Logs and TCPDump
I was recently debugging an issue with a fleet of Apache web servers. I needed to watch for some low level network events we felt might be causing an issue (TCP resets, etc.). I thought CloudWatch Logs would be a cool, albeit unnecessary, solution. NOTE: I found a much cleaner way to do this presented here.
The awslogs package/daemon can be configured to upload any log file. Just add a new configuration block to /etc/awslogs/awslogs.
Decoding Your AWS Bill (Part 3) Loading a Data Warehouse
In the last two posts (part 1, part 2) in this series we used PowerShell to glean information from our monthly AWS billing report. While you can use those scripts to learn a great deal about your AWS usage, you will eventually outgrow PowerShell. In this post I will show you how to load the bill into SQL Server for more detailed analysis. In the prior posts we used the monthly reports.
Decoding Your AWS Bill (Part 2) Chargeback with Tags
It took 6 months but I finally got time to continue the series on Decoding Your AWS Bill. In the last post, we used PowerShell to download and query the monthly bill. In this post we use tags to create a cost allocation report. In the next, and final, post in this series, I will show you how to load the hourly detail report into SQL Server.
Let's assume that we have multiple project teams at our company and they all have servers running in the same AWS account.
Bulk Importing EC2 Instances
I have been testing a preview of a new PowerShell command, Import-EC2Instance, that will be added to the AWS PowerShell API next week. The new command allows you to import a VM from VMware or Hyper-V. I covered this in my book, but at the time the functionality was not available in PowerShell and I had to use the Java API. While the new command will upload and convert your VM, you can also do the upload and convert independently.
Writing to the EC2 Console
I have been building a bunch of Windows AMIs for EC2 recently. If the instance fails to build it can be a real bear to diagnose issues. You don't have access to the console to watch what's happening. It would be great if I could log to the EC2 Console (also called the System Log on the web site) so I knew what was happening. So I hacked the EC2Config Service to see how it was writing to the console.
Setting the Hostname in a Sysprepped AMI
When you create a Windows AMI (Amazon Machine Image) it is configured to generate a random server name. Often this name does not meet your needs. Maybe your company has a specific naming convention (e.g. US-NYC-1234) or you just want to use a descriptive name (e.g. WEB01). Whatever the reason, let's look at how to set the name when you launch the machine.
In this post we will use PowerShell to read the name from a Tag on the instance.
Decoding Your AWS Bill (Part 1)
As you begin to adopt AWS you will likely be asked to report on both usage and cost. One way to do this is using the Monthly Billing report. In this post I will show you how to download your bill and analyze it using PowerShell.
AWS offers a feature called Programmatic Billing Access. When programmatic billing access is enabled, AWS periodically saves a copy of your bill to an S3 bucket.
Fun with AWS CloudTrail and SQS
CloudTrail is a new service that logs all AWS API calls to an S3 bucket. While the obvious use case is creating an audit trail for security compliance, there are many other purposes. For example, we might use the CloudTrail logs to keep a Change Management Database (CMDB) up to date by looking for all API calls that create, modify or delete an instance. In this exercise I’ll use CloudTrail, Simple Storage Service (S3), Simple Notification Service (SNS), Simple Queue Service (SQS) and PowerShell to parse CloudTrail logs looking for new events.
Using Fiddler with an iPhone/iPad
If you have ever used Fiddler to debug a web application, you know what an invaluable tool it can be. If you have also tried to debug that application from an iPhone or iPad, you also know how difficult it can be to figure out what's going wrong from the web server logs. Below I will explain how to configure Fiddler to proxy the iPhone/iPad.
HTTP Traffic
First, you need to enable connections from remote devices.
SSL, IIS, and Host Headers
There is a lot of confusion about how IIS handles SSL. With all the confusion out there, I thought I should put together a quick post. This post will also explain the error message: At least one other site is using the same HTTPS binding and the binding is configured with a different certificate.
My discussions this week were specific to SharePoint, but the confusion is with host headers in IIS.
SharePoint 2010: Full Trust Proxy
If you’re using the multi-tenant features of SharePoint, you will want tenants to use the sandbox. But, you will quickly find limitations. For example, developers cannot call a web service, read data from an external database, or write to the event log. One solution is for the farm administrator to deploy a full trust proxy that developers can use. Microsoft has a good description here, but there are no good examples.
Multi-Tenant TCO
I recently presented an overview of multi-tenancy in one of my MBA classes. I discussed how multi-tenant applications allow cloud vendors to achieve economies of scale. As an example, I showed the effect on total cost of ownership for the infrastructure if a cloud vendor moved from physical to virtual and then to a multi-tenant architecture. The multi-tenant architecture cuts cost by 80%.
Current State
Imagine that you work at a midsize company that develops and hosts a SaaS (Software as a Service) solution.