Ubiquiti USG VPN Setup for VMware Cloud on AWS

My day job requires me to do a lot of work with VMware Cloud on AWS. If I plan on doing any real work with the virtual machines, Kubernetes clusters, or applications, I really need a VPN tunnel to securely access those resources. My problem has been setting up my aging Ubiquiti USG firewall with BGP. This post will show how I set up a route-based VPN tunnel with my Ubiquiti USG. Big shoutout to Brian Beach for his work setting up the USG with an AWS Transit Gateway. ...

July 2, 2021 · 4 min · eshanks

Deploy Kubernetes on AWS

The way you deploy Kubernetes (k8s) on AWS will be similar to how it was done in a previous post on vSphere. You still set up nodes, you still deploy kubeadm and kubectl, but there are a few differences when you change your cloud provider. For instance, on AWS we can use the LoadBalancer resource against the k8s API and have AWS provision an Elastic Load Balancer for us. These features take a few extra tweaks in AWS. ...

January 13, 2020 · 8 min · eshanks

AWS Account Tagging

We’re getting into the habit of tagging everything these days. It’s been drilled into our heads that we don’t care about names of our resources anymore because we can add our own metadata to resources to later identify them, or to use for automation. But up until June 6th, AWS wouldn’t let us tag one of the most important resources of all, our accounts. On June 6th though, our cloud world changed when AWS announced that we can now add tags to our accounts through organizations. ...

June 17, 2019 · 2 min · eshanks

It's Up to You to Decide if Apps are Cheaper in the Cloud

Whenever I talk cloud with a customer, there is inevitably a discussion around how much the cloud costs vs. what is in the data center. The conversation usually starts with one of several declarations. “The Cloud is more expensive than on-premises, but we want the capabilities anyway.” “We need the Cloud so we can drive down our costs.” Well yes, if you’ve paid attention, those are two different arguments about why you need cloud, and both of them came to different conclusions about whether the public cloud is more expensive or less expensive than running your own data center. ...

March 19, 2019 · 6 min · eshanks

AWS Native Backups

Amazon Web Services has released yet another service designed to improve the lives of people administering an AWS environment. There is a new backup service, cleverly named AWS Backup. This new service allows you to create a backup plan for Elastic Block Store (EBS) volumes, Elastic File System (EFS), DynamoDB, Relational Database Service (RDS), and Storage Gateway. Now we can build plans to automatically back up, tier, and expire old backups based on our own criteria. ...

January 22, 2019 · 3 min · eshanks

Lucidchart Integrations with AWS

Okay, I’m scared of change just like everyone else. I have been building Visios for a pretty long time and know where all the menus are, so I’m pretty fast with it. But I do use a MacBook when I travel, and firing up Fusion just to run Visio is frustrating. I thought since it’s a new year I should try Lucidchart and see what I thought. Now I’m still kind of fond of Visio, but the Integrations feature in Lucidchart, on top of the web interface allowing me to use it anywhere, is enough to make me drop Visio for the long haul. ...

January 8, 2019 · 4 min · eshanks

AWS Security Hub

A primary concern for companies moving to the cloud is whether or not their workloads will remain secure. While that debate still happens, AWS has made great strides to assuage customers’ concerns by adding services to ensure workloads are well protected. At re:Invent 2018 another service, named AWS Security Hub, was added. Security Hub allows you to set up some basic security guardrails and get compliance information for multiple accounts within a single service. Amazon seems to have realized that enabling customers to very easily see their security recommendations for all environments in a single place has great value to their businesses. ...

December 17, 2018 · 5 min · eshanks

Setup AWS Transit Gateway

Amazon announced a new service at re:Invent 2018 in Las Vegas, called the AWS Transit Gateway. The Transit Gateway allows you to connect multiple VPCs together, as well as VPN tunnels to on-premises networks, through a single gateway device. As a consultant, I talk with customers often about how they plan to connect their data center with the AWS cloud, and how to interconnect all of those VPCs. In the past, a solution like Aviatrix or a Cisco CSR transit gateway was used, which leveraged some EC2 instances that lived within a VPC. You’d then connect spoke VPCs together via the use of VPN tunnels. With this new solution, there is a native service from AWS that allows you to do this without the need for VPN tunnels between spoke VPCs, and you can use the AWS CLI, CloudFormation, or the console to deploy everything you need. This post takes you through an example of the setup of the AWS Transit Gateway in my own lab environment. ...

December 12, 2018 · 7 min · eshanks

AWS Resource Access Manager

At AWS re:Invent this year in Las Vegas, Amazon announced a ton of services, but one that caught my eye was the AWS Resource Access Manager. This is a service that facilitates the sharing of some resources between AWS accounts so that they can be used or referenced across account boundaries. Typically, an AWS account is used as a control plane boundary (or billing boundary) between environments, but even then resources will need to communicate with each other occasionally. Now with AWS Resource Access Manager (RAM) we can share hosted DNS zones, Transit Gateways, and other objects. This list will undoubtedly grow over time. This post will show you how you can share another new service, the AWS Transit Gateway, across multiple accounts within your organization. ...

December 10, 2018 · 4 min · eshanks

VMware Cloud on AWS Firewalls Overview

If you’re getting started with VMware Cloud on AWS, then you should be aware of all the points at which you can block traffic with a firewall. Or, if you look at it another way, the places where you might need to create allow rules for traffic to traverse your cloud. This post shows where those choke points live, both within your VMware Cloud on AWS SDDC and in the Amazon VPC in which your SDDC lives. ...

November 28, 2018 · 5 min · eshanks