
Tuesday, October 11, 2022

Cloud Engineering & Architecture - Landing Zone

===================
EN
===================
Hello all

In my last MBA Cloud Engineering & Architecture class, we had a discussion about Landing Zones and their importance in the Journey 2 Cloud process.

We have also been talking about Gartner's Cloud Adoption Framework.

One of the many challenges for a customer on the Journey 2 Cloud is the moment when provisioning and deployment start. It falls between step 4 and step 5 of the Framework.

At this moment there are many architecture, security and deployment problems to solve, and many customers and Cloud Engineers make mistakes. They don't think about a pre-architecture and best practices for a Cloud environment because they have many tasks to do, many setups to plan and little time.

One of the many mistakes is to start provisioning and deployment without a Landing Zone.

Using the Landing Zone definitions can help to simplify the start of your project and ensure the security it needs.

What is a Landing Zone?

A Landing Zone is a solution that helps customers create and configure a secure Cloud environment with many accounts, where they can operate efficiently based on Cloud Architecture best practices for security, network, compartments, gateways, among others.

Because there are many design, service and deployment options, setting up an environment with many accounts can take a lot of time and require deep Cloud knowledge, and it can also leave many security issues.

For example, it's very important to think about Tenancy, Policies, two-factor authentication, Compartments, Virtual Cloud Network (VCN) and subnets, Internet & NAT gateways, security groups, Firewall, DDoS, WAF, Infrastructure as Code, notifications, automation, among other things.

The Landing Zone services can help you with these tasks.

Below, the links with the Landing Zone Rules & definitions in the Big Four Cloud Providers:

But just remember:
1) This works for me, but it might not work for you.
2) This post is just for study. The real world can be different - and it is, probably.

Regards
Mario

===================
PTB
===================
Hey everyone

In my last MBA Cloud Engineering & Architecture class, we talked about Landing Zones and their importance for the Journey 2 Cloud process.

We are also talking about Gartner's Cloud Adoption Framework.

One of the many challenges for the customer on the Journey 2 Cloud is the moment of starting provisioning and deployment. It sits between step 4 and step 5 of the Framework.

At this moment we have many challenges with architecture, security and deployment problems to solve, and many customers and Cloud Engineers make mistakes. They don't think about the pre-architecture and the best practices for Cloud environments because they have many tasks to do, many deploys to plan, and little time for it.

One of the many mistakes is to start provisioning and deployment without using a Landing Zone.

Using the Landing Zone definitions can help to simplify the start of your project and ensure the security it needs.

What is a Landing Zone?

A Landing Zone is a solution that helps customers create and configure a secure Cloud environment with many accounts, where they can operate efficiently based on Cloud Architecture best practices for security, network, compartments, gateways, among others.

Because we have many design, service and deployment options, configuring an environment with many accounts can take a lot of time and require deep Cloud knowledge, and it can also leave many security flaws.

For example, it is very important to think about Tenancy, Policies, two-factor authentication, Compartments, Virtual Cloud Network (VCN) and subnets, Internet & NAT gateways, security groups, Firewall, DDoS, WAF, Infrastructure as Code, notifications, automation, among other things.

The Landing Zone services can help you with these tasks.

Above, the links with the Landing Zone rules and definitions at the four big Cloud Providers.

But remember:
1) This works for me, but it might not work for you.
2) This post is just for learning. The real world can be different - and it probably is.

Regards
Mario

Thursday, September 29, 2022

Cloud Engineering & Architecture - Install Docker-compose & Kong for API Management (Installing Docker-compose and Kong for API management)

====================
EN
====================
Hello all...
 
Yesterday, for my MBA API Management class, I needed to use Docker and Kong for a hands-on.

If you don't know it, Kong is an API Gateway and one of many open source tools for API management.

We had a hands-on using Konga, which is an administration UI for the Kong API Gateway. In Konga, we defined the API source, routes and everything we needed to call 3 simple APIs.

For this, I configured an EC2 instance running Red Hat 8 on the AWS Free Tier.

The step-by-step for the Docker-compose and Kong installation is below, in case it helps.

But remember:
1) This worked for me, but might not work for you.
2) This installation is just for academic learning. The real world can be a little bit different.

===================
PTB
===================
Hey everyone, how's it going?

Yesterday, for one of the MBA API Management classes, I needed to bring up Docker and Kong for one of the hands-on sessions.

For those who don't know it, Kong is an API Gateway and one of the several open source API management tools available on the market.

We did the hands-on through Konga, which is a UI for administering the Kong API Gateway. There we defined the source, routes and everything else we needed to call 3 simple APIs.

For this, I brought up an EC2 instance on the AWS Free Tier running Red Hat 8.

The steps for installing Docker-compose and Kong are below, in case they help someone.

Always remembering that:
1) What worked for me might not work for you.
2) This installation is for academic purposes only.

====================================
-- Docker-compose Install
====================================
[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo yum update

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo dnf repolist -v

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo dnf install --nobest docker-ce --allowerasing

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo dnf install https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo dnf install docker-ce

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo systemctl enable --now docker

[ec2-user@ip-xxx-xx-xx-xxx ~]$ systemctl is-active docker

[ec2-user@ip-xxx-xx-xx-xxx ~]$ curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o docker-compose

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo mv docker-compose /usr/local/bin && sudo chmod +x /usr/local/bin/docker-compose

[ec2-user@ip-xxx-xx-xx-xxx ~]$ sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

[ec2-user@ip-xxx-xx-xx-xxx ~]$ docker-compose -v
docker-compose version 1.23.2, build 1110ad01

Even with everything apparently OK, when I called the APIs, it gave me the error below:

[ec2-user@ip-xxx-xx-xx-xxx ~]$ docker-compose -f docker-compose-deps.yml up -d
ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?

If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.

I corrected it by following the procedure below:

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ sudo docker version
Client: Docker Engine - Community
Version:           20.10.18
API version:       1.41
Go version:        go1.18.6
Git commit:        b40c2f6
Built:             Thu Sep  8 23:11:56 2022
OS/Arch:           linux/amd64
Context:           default
Experimental:      true

Server: Docker Engine - Community
Engine:
  Version:          20.10.18
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.6
  Git commit:       e42327a
  Built:            Thu Sep  8 23:10:04 2022
  OS/Arch:          linux/amd64
  Experimental:     false
containerd:
  Version:          1.6.8
  GitCommit:        9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ docker-compose --version
docker-compose version 1.23.2, build 1110ad01

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ ps aux | grep docker
root       60800  0.6  7.6 1283712 63108 ?       Ssl  02:10   0:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ec2-user   60923  0.0  0.1 221936  1116 pts/0    R+   02:10   0:00 grep --color=auto docker

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ sudo chown $USER /var/run/docker.sock

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ sudo service docker stop
Redirecting to /bin/systemctl stop docker.service
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ sudo mv /var/lib/docker /var/lib/docker.bak

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ sudo service docker start
Redirecting to /bin/systemctl start docker.service

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ ps aux | grep docker
root       60800  0.6  7.6 1283712 63108 ?       Ssl  02:10   0:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ec2-user   60923  0.0  0.1 221936  1116 pts/0    R+   02:10   0:00 grep --color=auto docker
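
An added check for the chown step above (not part of the original post; the function names are illustrative). Write access to /var/run/docker.sock gives full control of the Docker daemon, and the packaged default is owner root, group docker, mode 660, so this compares the socket against that baseline and reports what changed.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the post.
# Baseline assumed here is Docker's packaged default for the socket:
# owner root, group docker, mode 660.

# classify_perms OWNER GROUP MODE -> prints one finding, returns 1 on drift
classify_perms() {
    owner=$1 group=$2 mode=$3
    # A write bit for "other" lets every local account drive the daemon.
    case $mode in
        *[2367]) echo "world-writable"; return 1 ;;
    esac
    if [ "$owner" != "root" ]; then
        echo "owner-changed:$owner"; return 1
    fi
    if [ "$group" != "docker" ]; then
        echo "group-changed:$group"; return 1
    fi
    echo "ok"
}

# audit_sock [PATH] -> reads the live permissions and classifies them
audit_sock() {
    sock=${1:-/var/run/docker.sock}
    if [ ! -e "$sock" ]; then
        echo "missing"; return 2
    fi
    # GNU stat: %U owner, %G group, %a octal mode
    set -- $(stat -c '%U %G %a' "$sock")
    classify_perms "$1" "$2" "$3"
}

# socket_members -> accounts that reach the socket through the docker group
socket_members() {
    getent group docker | cut -d: -f4
}

# Constructed samples: the state left by the chown in the post (owner
# changed, group untouched), then the packaged default.
classify_perms ec2-user docker 660 || true
classify_perms root docker 660
```

Run `audit_sock` on the host after the daemon starts; anything other than "ok" means the socket has drifted from the packaged default, and `socket_members` lists who holds that access through the group.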

====================================
-- Up Kong images
====================================
[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ docker-compose up -d
Creating network "kong-net" with driver "bridge"
Pulling servicea (wesleywillians/kong-service:latest)...
latest: Pulling from wesleywillians/kong-service
6c83e83883df: Pull complete
fe092a9d933b: Pull complete
Pulling serviceb (wesleywillians/kong-service:latest)...
latest: Pulling from wesleywillians/kong-service
Creating apigateway-kong_servicec_1 ... done
Creating apigateway-kong_servicea_1 ... done
Creating apigateway-kong_serviceb_1 ... done

[ec2-user@ip-xxx-xx-xx-xxx apigateway-kong]$ cd docker-kong  

[ec2-user@ip-xxx-xx-xx-xxx docker-kong]$ docker-compose up -d
Creating volume "docker-kong_kong_data" with default driver
Pulling db (postgres:9.5)...
9.5: Pulling from library/postgres
fa1690ae9228: Pull complete
a73f6e07b158: Pull complete
973a0c44ddba: Pull complete
07e5342b01d4: Pull complete
578aad0862c9: Pull complete
a0b157088f7a: Pull complete
6c9046f06fc5: Pull complete
ae19407bdc48: Pull complete
e53b7c20aa96: Pull complete
a135edcc0831: Pull complete
fed07b1b1b94: Pull complete
18d9026fcfbd: Pull complete
4d2d5fae97d9: Pull complete
d419466e642d: Pull complete
Pulling kong (kong:2.3.2-alpine)...
2.3.2-alpine: Pulling from library/kong
e95f33c60a64: Pull complete
dab3768d001d: Pull complete
e24fc8c85ed2: Pull complete
96136c04ffee: Pull complete
Pulling kong-migrations-up (kong:2.3.2-alpine)...
2.3.2-alpine: Pulling from library/kong
Pulling konga-prepare (pantsel/konga:latest)...
latest: Pulling from pantsel/konga
cbdbe7a5bc2a: Pull complete
8f3938f7d3bd: Pull complete
6e3c12f5dc10: Pull complete
ce0cb7a9eeee: Pull complete
a87657869d4f: Pull complete
891b0102e38b: Pull complete
Creating docker-kong_db_1 ... done
Creating konga-prepare                    ... done
Creating docker-kong_kong-migrations_1    ... done
Creating konga                            ... done
Creating docker-kong_kong-migrations-up_1 ... done
Creating docker-kong_kong_1               ... done

====================================
-- List Docker services
====================================
[ec2-user@ip-xxx-xx-xx-xxx docker-kong]$ docker ps

The last steps were to configure the inbound ports on the AWS Security panel.



These links can help you.
I hope it helps you.

Regards
Mario
