We have vulnerability scanning software in a shared subnet of our on-prem network. We are now adding VMs hosted on the public cloud and need to perform vulnerability scanning on them. One option is to open one-way traffic from on-prem to public cloud so that the scanner can reach all VMs. So all ports will be open to VMs (in one direction). Is this desirable? Would it not be better to run vuln scan software within the subnets so that no traffic needs to be allowed at all between on-prem and cloud? The scanner running in the same subnet as the VMs could push results to the central scanner server in a DMZ, for example. How do companies adopting public cloud solve this?
It's becoming more common to leverage existing scanner software in the cloud. On platforms like AWS, many commercial products will also have an AMI for this purpose. For example: https://community.tenable.com/s/article/Amazon-Machine-Image-Deployment-AMI
The real answer here depends on some of the following:
The cloud platform you use.
The vulnerability scanning software you need to use.
The services you use within the cloud.
It's also worth considering adopting a product or toolset that can integrate with your cloud environment to scan new assets as they are created. If your cloud stack uses non-VM services (like AWS S3), these require their own very specific types of scanning as well.
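As an added illustration of the concern in the question (not code from the thread or from any scanner vendor), the following check reviews EC2 security-group ingress rules, in the dict shape boto3's describe_security_groups returns, and flags any rule that opens every port from a source wider than the scanner's own address. The group IDs, CIDRs and the scanner address are constructed sample values.

```python
# Added example: flag "all ports open one way" rules that are not scoped to the scanner.
import ipaddress

# Constructed sample in boto3 describe_security_groups shape (not real groups):
# sg-0aaa allows everything from the whole on-prem range, sg-0bbb only from the scanner.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "on-prem, all ports"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"GroupId": "sg-0bbb", "GroupName": "app-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.20.30.40/32", "Description": "vuln scanner"}]},
     ]},
]


def is_all_ports(perm):
    """True when a permission covers every port: protocol -1 or the full 0-65535 range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) == 0 and perm.get("ToPort", 0) == 65535


def review_ingress(groups, scanner_cidr):
    """Return (group_id, source_cidr) pairs where all ports are reachable from a source
    that is not contained in scanner_cidr. A rule scoped to the scanner host (or a small
    scanner subnet) is the accepted pattern and is not reported."""
    scanner = ipaddress.ip_network(scanner_cidr)
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            if not is_all_ports(perm):
                continue
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"])
                if src.subnet_of(scanner):
                    continue  # narrowly scoped to the scanner: acceptable
                findings.append((group["GroupId"], rng["CidrIp"]))
    return findings


if __name__ == "__main__":
    for gid, cidr in review_ingress(SAMPLE_GROUPS, "10.20.30.40/32"):
        print(f"{gid}: all ports open from {cidr}; restrict the source to the scanner")
```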
Related
I would like some clarification on whether Azure VMs are strictly IaaS or can be PaaS depending on the amount of responsibilities the creator/user has.
I've seen multiple different websites saying VMs are ONLY IaaS since you require an operating system, and others saying VMs can be PaaS if a specific OS is specified on creation.
Any insight the community can provide will be very helpful. Thanks!
A VM is generally considered Infrastructure-as-a-Service, as you retain responsibility for patching and managing the Virtual Machine Operating System.
And even though there are Marketplace VM offerings that are completely pre-configured and even auto-updating, the responsibility for maintaining those solutions after deployment is the main way IaaS and PaaS are distinguished.
At the end of the day IaaS and PaaS are not precise technical terms. You can have PaaS services that require significant configuration and ongoing maintenance, and IaaS services that are completely managed.
VMs are IaaS (Infrastructure as a Service) because on a VM you can manage what operating system runs and what software is installed.
On PaaS you only manage the software or application that runs in the cloud (like App Services).
It's both.
Like IaaS, PaaS includes infrastructure—servers, storage, and networking—but also middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.
https://azure.microsoft.com/en-us/overview/what-is-paas/
I've just been through Microsoft's AZ-900 training and it states:
Azure Virtual Machines (VM) are software emulations of physical computers.
Includes virtual processor, memory, storage, and networking.
IaaS offering that provides total control and customization.
Example AZ-900 test questions:
VM with installed SQL is PaaS (appears two times)
VM with installed SQL Server is IaaS (one time)
DNS is IaaS according to the MS diagram: https://techcommunity.microsoft.com/t5/image/serverpage/image-id/94214iF8738A37E3E44F77
But VM with DNS server installed is PaaS
Also encountered that VM with installed storage is PaaS.
Very confusing.
I am totally new to Cloud Computing. I started learning Cloud Computing basics.
I started with Infrastructure as a Service and I didn't understand it fully.
Please help me with the below questions:
1) Does IaaS include the operating system (like Linux or Windows)?
2) Some online articles say IaaS includes (network + storage + servers + virtualization).
3) In the above 2nd point, what is virtualization? Does it mean installing the required number of Virtual Machines (VMs) on top of a hypervisor?
4) If point 3 is true, how are the VMs installed without an OS?
Please help
1) Does IaaS include the operating system (like Linux or Windows)?
Infrastructure as a service (IaaS) typically is a cloud offering that grants a user full control over the operating system of a virtual machine (Linux or Windows). There may be some small overlap of traditional administrative controls of the VM and services that are provided by the cloud provider; for example, Azure allows you to configure automatic updates on a Windows VM during deployment.
2) Some online articles say IaaS includes (network + storage + servers + virtualization).
IaaS is a holistic offering of network, storage and compute where the underlying infrastructure is managed by the cloud provider, but the customer interacts with these elements through software. For example, Azure provides access to a VM running on Hyper-V, networking through Software Defined Networking, and storage through virtual disks. These abstractions grant the customer a high level of control over the resources they purchase without giving them direct hardware level access to the underlying hosting infrastructure.
3) In the above 2nd point, what is virtualization? Does it mean installing the required number of Virtual Machines (VMs) on top of a hypervisor?
Yes, virtualization is the offering of virtual machines on top of a cloud provider managed hypervisor. You will commonly not have access to the hypervisor in most cloud provider platforms.
4) If point 3 is true, how are the VMs installed without an OS?
An OS is required in most IaaS platforms, as this is what you are paying for, rather than a blank virtual machine you configure from scratch. That being said, you can bring your own pre-configured OS disk or deploy from a Marketplace of operating system images. For example, Azure provides many versions of Windows, Ubuntu, CentOS, RHEL, etc. from their own repository that allow you to quickly provision a VM and start building your workload.
Great links:
- https://azure.microsoft.com/en-us/overview/what-is-iaas/
- https://gallery.technet.microsoft.com/Shared-Responsibilities-81d0ff91
We're just starting out with Microsoft Azure, and I'm reading through the Azure infrastructure services implementation guidelines (https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-infrastructure-services-implementation-guidelines/). The document talks about Cloud Resources and Cloud Services, but I've found myself confused by the difference between these (and couldn't find anything much when trying to Google this!). Can someone please enlighten me?
Thanks in advance
Cloud Services are ways to combine a set of stateful virtual machines (or web/worker role instances, which are stateless virtual machines) into their own private network, sitting behind a public virtual IP address. The Cloud Service also provides optional load-balancing between the virtual machines. Cloud Services have been around since the beginning of Azure, and are considered part of the "classic" compute model. All classic virtual machines (whether stateful or stateless) live within a Cloud Service.
I don't know what you mean by Cloud Resources, but... Azure now has the Azure Resource Manager (ARM), which is a newer way to create virtual machines. There is no notion of a Cloud Service with ARM; the approach is to build out a set of resources (such as virtual machines, networks, NICs, IP addresses, etc) and dependencies, as a single managed set of resources.
The Azure site has documentation for classic Cloud Services here.
And documentation for ARM is here.
An Azure service is simply a computing 'service' provided through the internet (cloud) rather than from on-premises servers.
Docs:
Simply put, cloud computing is the delivery of computing services—servers, storage, databases, networking, software, analytics, intelligence and more—over the Internet (“the cloud”)...
Webopedia:
A cloud service is any service made available to users on demand via the Internet from a cloud computing provider's servers as opposed to being provided from a company's own on-premises servers
An Azure resource is an instance of the cloud service (or its components). When you pay for a service and use it for something, it becomes a 'resource' for you.
Docs:
A manageable item that is available through Azure.
You can also see the difference on the Azure portal when you click 'Azure Services' (it lists what they can provide) and 'All Resources' (it lists what you already have).
Azure gives you services like Compute, Networking, Storage etc.
Within each service are resource types, such as Virtual Machine, Virtual Network, Storage Accounts etc.
When you create a Virtual Machine, it is a Resource.
AWS Direct Connect allows physical connections and BGP setup to connect the AWS cloud with an on-premises DC or a customer's private cloud. I wonder if there's anything like this in the MS Azure cloud. Not VPN based.
Kind of.
It has been announced as a future plan, but is not yet accessible to customers. I believe this is what you are asking for: http://www.microsoft.com/en-us/news/press/2013/sep13/09-18msattpr.aspx
Hopefully we will see these announcements move forward in the next year. Offering this solution to regions other than the USA will also be an interesting development, but currently nothing can be found on the internet.
As the cloud continues to be embraced by customers and partners around the world we are seeking to help them connect to their off-premise investments. Today, providers such as TW Telecom, AT&T, and Level 3 grant their clients the ability to connect to AWS or Windows Azure with scalable and flexible connectivity. Recently, Level 3 released ExpressRoute; a new service that allows customers to utilize a private connection from an Equinox Data Center to the Windows Azure Cloud. This service is similar in nature to the AWS direct connect service that was released a few years ago, providing a private network route to hosted cloud services that bypasses the public Internet.
ExpressRoute aims to reduce latency and increase the speed with which clients can access their applications. To achieve this goal, Level 3 provides the client with a 1 gigabit or 10 gigabit connection from an Equinox Data Center in San Jose to Windows Azure, increasing your network throughput for large workloads. Today, Windows Azure does not offer multiple VPNs into their cloud. To compensate for this issue, consolidating and connecting to the Azure cloud with a private connection ensures the transfer of your data.
Ref. from http://fastblue.com/cloud-connectivity-aws-direct-connect-and-windows-azure-express-route/
We are in the process of choosing a cloud provider to run our VMs, and we would like to better understand the differences between AWS and the new Azure.
Does anyone know if Azure Cloud (IaaS) has an equivalent for the AWS Route53 and Elastic Load Balancer?
If it has, how does it work? Do they also have several different zones across the globe capable of providing High-Availability with minimum impact on the latency?
Thank you
Microsoft doesn't have a DNS service like Route53. But it does support common DNS operations such as CNAME routing/forwarding to various Windows Azure services. As for zones, there are currently 8 locations that MSFT offers for hosting of Windows Azure: 2 in Europe, 2 in Asia, 4 in the US, and Fujitsu offers hosting of some Windows Azure services in Japan. With the possible exception of Fujitsu (I don't know the details of their SLA), all Windows Azure Services are at least 99.9% (the definition of "highly available" is subjective). Additionally, Microsoft has the Content Delivery Network with more than 24 nodes spread across the globe to help speed delivery and reduce the latency of content being delivered to almost any geography.
For the most part yes, there is equivalence. Windows Azure has always had a load balancer on any external endpoint (exposed over the VIP). It is not a super programmable firewall at this point (you cannot do more than simply remove yourself from rotation), but it works very well for web farm scenarios.
Cloud Traffic Manager works very well for geo-locating your services in Windows Azure. Just deploy your service in multiple datacenters, configure a few settings in traffic manager, and you are done. Most folks use it for 'best performance' (i.e. closest DC to customer), but also you can use it for 'failover'.
In terms of DNS, there is no equivalent service today for handling external DNS names. You handle DNS today with your own servers. That is one point where AWS is ahead.