AWS’s re:Invent 2019 doesn’t start until next week, but the pre-re:Invent announcements keep on coming. Here’s the second part of our round-up of the key announcements before the week that is re:Invent.
It’s about all of the things
If you are dealing with distributed edge devices, the chances are IoT is a significant part of your world. If it is, there have been some significant IoT announcements – see https://aws.amazon.com/blogs/aws/welcome-to-aws-iot-day/ – including:
- Secure tunnelling;
- Fleet provisioning at scale;
- Alexa voice and container support;
- Data stream processing at the edge using Greengrass.
Managing access through identity
Centralising access to AWS through an existing identity provider (such as Azure AD) is a common and recommended pattern. AWS has now extended that so that attributes associated with a user in the identity provider can be used to evaluate access to services. Previously, users would have to be associated with different groups to achieve the same outcome. This new approach simplifies and enhances the flexibility of providing least-privilege access to services. https://aws.amazon.com/blogs/aws/new-for-identity-federation-use-employee-attributes-for-access-control-in-aws/.
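What that looks like in practice, as an added CloudFormation example (not code from the original post or from AWS): one SAML-federated role whose permissions are scoped by a "project" attribute the identity provider passes as a session tag, so there is no longer a group or role per project. It assumes the SAML provider ARN is supplied as a parameter and that the IdP is configured to send the attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:project.

```yaml
# Added example: attribute-based access via SAML session tags.
# Placeholder: the IAM SAML provider ARN is passed in as a parameter.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SamlProviderArn:
    Type: String
    Description: ARN of the IAM SAML identity provider (placeholder)
Resources:
  ProjectOperatorRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref SamlProviderArn
            # sts:TagSession is required so the IdP can set session tags
            Action:
              - sts:AssumeRoleWithSAML
              - sts:TagSession
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
      Policies:
        - PolicyName: operate-own-project-instances
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Allow start/stop only on instances whose "project" tag equals
              # the caller's "project" session tag; one role serves every project
              - Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                Resource: arn:aws:ec2:*:*:instance/*
                Condition:
                  StringEquals:
                    aws:ResourceTag/project: "${aws:PrincipalTag/project}"
              # Deny changing the "project" tag, otherwise a user could re-label
              # an instance into their own project and widen their own access
              - Effect: Deny
                Action:
                  - ec2:CreateTags
                  - ec2:DeleteTags
                Resource: "*"
                Condition:
                  ForAnyValue:StringEquals:
                    aws:TagKeys: project
```

If the IdP sends no "project" attribute, the condition cannot match and the request is denied, which is the safe default.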
AWS Managed Rules for WAF
AWS WAF has been available for a number of years. Now, AWS has added managed rules. The AWS Threat Research Team maintains these managed rules. They will also add new rules as additional threats are identified. To get started, simply add a managed rule group to your AWS WAF and it will immediately start to protect against common threats. Best of all, the AWS Managed Rules are free. https://aws.amazon.com/blogs/aws/announcing-aws-managed-rules-for-aws-waf/
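How a managed rule group is attached in practice, as an added CloudFormation example (not the post's or AWS’s own code): a regional web ACL with the Common rule set blocking and a second managed group in count mode, so its matches can be reviewed in the metrics and logs before it is allowed to block. The load balancer ARN is an assumed parameter.

```yaml
# Added example: AWS managed rule groups on a WAFv2 web ACL.
# The ALB ARN is a placeholder supplied as a parameter.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  LoadBalancerArn:
    Type: String
Resources:
  ProtectedAppWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: protected-app-web-acl
      Scope: REGIONAL          # CLOUDFRONT (in us-east-1) for distributions
      DefaultAction:
        Allow: {}              # requests matched by no rule are allowed through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: protected-app-web-acl
      Rules:
        - Name: aws-common-rules
          Priority: 10
          OverrideAction:
            None: {}           # keep the rule group's own block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-common-rules
        - Name: aws-known-bad-inputs
          Priority: 20
          OverrideAction:
            Count: {}          # observe only; switch to None: {} once tuned
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesKnownBadInputsRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-known-bad-inputs
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt ProtectedAppWebAcl.Arn
```

The per-rule CloudWatch metric names are what you chart to spot a managed rule that is counting (or blocking) legitimate traffic.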
CloudWatch updates
CloudWatch is an essential tool for visibility of your AWS environment. Recently, there has been a whole heap of announcements for CloudWatch!
- Synthetics support allows you to monitor endpoints, such as websites and APIs, for availability. It can also monitor the response to ensure nothing unexpected has changed. Synthetics is now available in preview. https://aws.amazon.com/about-aws/whats-new/2019/11/introducing-amazon-cloudwatch-synthetics-preview/
- Anomaly detection provides more sophisticated alerting than metrics simply breaking a threshold. Traditionally, the operations team has to set thresholds and then constantly tune and tweak them to avoid false positives. With anomaly detection, you receive alerts based on deviations from the “normal” (which automatically adapts over time). We have been using anomaly detection as an essential part of our security managed services for years. Now, you can too with CloudWatch! https://aws.amazon.com/blogs/aws/new-amazon-cloudwatch-anomaly-detection/;
- Would you like to see your application and infrastructure availability and performance in one place? Well, now you can with CloudWatch ServiceLens. It ties together and visualises CloudWatch metrics and X-Ray traces for a single view of your application. That’s massive for application support teams, helping to reduce the time to recovery of issues. https://aws.amazon.com/about-aws/whats-new/2019/11/announcing-amazon-cloudwatch-servicelens/;
- Finally, you can now send RDS for SQL Server logs to CloudWatch, including agent and error logs. Again, it gives you a single place to collate and view logs – fewer consoles, fewer touch points. https://aws.amazon.com/blogs/aws/safe-deployment-of-application-configuration-settings-with-aws-appconfig/.
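The static-threshold versus anomaly-detection contrast from the list above, as an added CloudFormation example (not code from the post or from AWS): one security metric, failed console logins counted from a CloudTrail log group via a metric filter, alarmed both ways. The CloudTrail log group name is an assumed parameter.

```yaml
# Added example: the same metric with a static threshold and with anomaly
# detection. The CloudTrail log group is a placeholder parameter.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  CloudTrailLogGroup:
    Type: String
Resources:
  ConsoleLoginFailureFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroup
      FilterPattern: '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
      MetricTransformations:
        - MetricNamespace: Security/CloudTrail
          MetricName: ConsoleLoginFailures
          MetricValue: "1"
  # Static threshold: fires at a fixed count and needs re-tuning as usage changes
  StaticFailedLoginAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: console-login-failures-static
      Namespace: Security/CloudTrail
      MetricName: ConsoleLoginFailures
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 10
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
  # Anomaly detection: fires when the count leaves a band of 2 standard
  # deviations around a baseline that CloudWatch learns and keeps updating
  AnomalyFailedLoginAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: console-login-failures-anomaly
      ComparisonOperator: GreaterThanUpperThreshold   # spikes only, not drops
      EvaluationPeriods: 2
      ThresholdMetricId: ad1
      TreatMissingData: notBreaching
      Metrics:
        - Id: ad1
          Expression: ANOMALY_DETECTION_BAND(m1, 2)
        - Id: m1
          MetricStat:
            Metric:
              Namespace: Security/CloudTrail
              MetricName: ConsoleLoginFailures
            Period: 300
            Stat: Sum
```

A brand-new metric has no history, so the band is wide at first; keep the static alarm alongside until the model has seen a couple of weeks of data.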
Is AppConfig an alternative to Elastic Beanstalk?
AWS Elastic Beanstalk was actually released at the end of 2010, making it one of the earlier AWS services! To put that into perspective, that’s only shortly after Route 53 and CloudFormation and before IAM! It has gone through many iterations and updates since then and it is still a popular tool for simple infrastructure and application deployment.
Today, AWS has announced a new service in this space, AppConfig. It’s very much aimed at application configuration. As such, although it crosses over with Elastic Beanstalk, it doesn’t replace it. AppConfig is about controlled changes to existing infrastructure. Beanstalk can also deploy the infrastructure for the applications. AppConfig’s mantra is safe and fast deployments, that are not dependent on a code deployment. It also includes auto-rollback based on CloudWatch alarms. It’s a service that certainly will simplify the management of applications. https://aws.amazon.com/blogs/aws/safe-deployment-of-application-configuration-settings-with-aws-appconfig/.
We love a good tag
Tagging is an essential tool in your management kit for Cloud environments. You can use it for managing billing, security, access, all kinds of “ilities”! Implementing a good tagging strategy has always required discipline and a little planning. That hasn’t changed but AWS have just made it a whole lot easier with Tag Policies. This new capability allows you to manage tags across your AWS Organization. It allows you to set rules and provides a dashboard of your tag compliance across accounts. We are excited to add this one to our tagging arsenal! https://aws.amazon.com/blogs/aws/new-use-tag-policies-to-manage-tags-across-multiple-aws-accounts/
Load balancer updates
AWS has provided load balancing capability forever. There are three separate services depending on your needs. This week, AWS announced a bunch of new features for ALBs and NLBs – see https://aws.amazon.com/blogs/aws/aws-load-balancer-update-lots-of-new-features-for-you/. These are our favourites.
For ALBs:
- Weighted target groups, which are handy for disparate EC2 instance types or for canary-style deployments;
- Least outstanding request routing so that traffic can be processed by the endpoint with the smallest queue, offering great efficiency in resource usage. Previously, the ALB only supported round robin.
For NLBs:
- You can now add subnets to an existing NLB. For example, you might want to convert an NLB to be multi-AZ (and you should!);
- Private IP addresses can be defined instead of automatically assigned. This is handy for NLBs where the use case is often a static IP both for public and private endpoints.
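The two ALB features above in one place, as an added CloudFormation example (not code from the post or from AWS): an HTTPS listener that splits traffic 90/10 between the current release and a canary, with stickiness so a client stays on one version, plus a target group switched from round robin to least outstanding requests. The load balancer, certificate, VPC and stable target group ARNs are assumed parameters.

```yaml
# Added example: weighted target groups (canary) and least-outstanding-requests
# routing on an ALB. All ARNs and the VPC id are placeholder parameters.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  LoadBalancerArn: { Type: String }
  CertificateArn: { Type: String }
  VpcId: { Type: String }
  StableTargetGroupArn: { Type: String }
Resources:
  CanaryTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Protocol: HTTP
      Port: 8080
      VpcId: !Ref VpcId
      HealthCheckPath: /healthz
      TargetGroupAttributes:
        # Send each new request to the target with the fewest in-flight
        # requests (the new option); the default is round_robin
        - Key: load_balancing.algorithm.type
          Value: least_outstanding_requests
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Protocol: HTTPS
      Port: 443
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          ForwardConfig:
            TargetGroups:
              - TargetGroupArn: !Ref StableTargetGroupArn
                Weight: 90
              # Set this weight to 0 to pull the canary out of service
              # immediately, without touching the application deployment
              - TargetGroupArn: !Ref CanaryTargetGroup
                Weight: 10
            TargetGroupStickinessConfig:
              Enabled: true
              DurationSeconds: 3600
```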
Next stop, re:Invent announcements
We will be providing updates from re:Invent during the main event next week so stay tuned for all the action!
To see previous pre re:Invent announcements, check out part 1 at https://www.redbearit.com.au/blog/aws/pre-reinvent-part-1/.