By Ronnie Quan

Overview

In this article we will explore AWS CloudFront and AWS WAF. We will discuss security, logging and monitoring, resilience and availability, and configuration management.

WAF Multi-Layer Web Application Security

The edge network is the first layer of policy enforcement and should be used for broad security policy enforcement. This is the ideal place for rules such as AWS Managed Rules Core rule set (CRS), geographical location blocks, IP reputational lists, anonymous IP lists, and basic rate limits enforcement.

The next level of enforcement should be an application load balancer in a public subnet with another, regional web ACL at the CloudFront origin. …


By Ronnie Quan

Overview

This blog post contains the lab steps for the other blog post, Zone Apex and Webserver Redirect (by Ronnie Quan, Cloud Journey, Sep 2021, Medium).

We will list the steps to configure resources in multiple AWS accounts, including AWS Global Accelerator, an AWS ALB for redirection, an AWS NLB, and hosting a website on EC2.

At the end, we will cover Azure configuration.

Create ALB and Global Accelerator

We create an AWS Global Accelerator pointing to an Application Load Balancer (which can be internal or internet-facing), but the VPC associated with the ALB needs to have an internet gateway (IGW).

So we create an internal ALB with two…


By Ronnie Quan

Overview

When you host your website on cloud infrastructure or with a third party, it comes with a vendor-specific DNS name, e.g. *.amazonaws.com. You will typically want to create an alias in your DNS zone; for example, the alias www.xyz.com points to the canonical name <sth.sth>.amazonaws.com.

Your customer might also expect to access your site using xyz.com.

With Amazon Route 53, this is possible, because Amazon Route 53 supports the alias record set. Alias record sets let you map your zone apex DNS name to the DNS name of some AWS services.

While not explicitly prohibited, with many DNS service providers…


By Ronnie Quan

Overview

Cloud computing technology brings new opportunities: you no longer have to be on the enterprise infrastructure team to manage your own virtual machines, design the network for your solution, and deploy your compute, storage and load balancer components.

There are endless learning opportunities; it’s really exciting.

In this article, we are going to talk about AWS Direct Connect and compare it with Azure ExpressRoute Direct.

Feature Summary Side by Side:

Direct Connect

Many organizations use hybrid networks to connect on-premises data centers to the cloud. In the same data center location, the CSP has a cage…


By Ronnie Quan

Overview

In this article, we summarize Route 53 features and compare them with Azure services. It seems to me that AWS has invested more in its Route 53 product.

We will discuss some of the features in more detail, including

  • public and private hosted zones
  • DNS query logging
  • DNSSEC
  • Route 53 resolver
  • Centralized DNS management in hybrid network
  • Scaling DNS Management Across Multiple Accounts and VPCs
  • CloudWatch Contributor Insights and Anomaly Detection

Public Hosted Zone

You could use Route 53 for zone management only, or you could use Route 53 for both domain registration and zone management.

If you register your domain with another domain registrar, update…


By Ronnie Quan

Overview

In a hybrid architecture spanning multiple clouds, you might face situations where you must migrate digital content from one cloud platform to another. In this article, we will explore the options to securely copy data out of Azure Blob Storage.

We will focus on managed services with out-of-the-box features; we won’t cover the option of developing your own code.

List of potential designs:

  • AWS Data Pipeline or Glue
  • Snowflake external stage
  • Snowflake cross account replication
  • Azure Data Factory S3 Connector
  • Azure Data Factory Rest Connector
  • Azure Data Factory SFTP Connector

AWS Data Pipeline or Glue

Based on the AWS documentation, Data Pipeline works…


By Ronnie Quan

Overview

AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of AWS storage services.

Below is a summary of the AWS Transfer Family endpoint types:

  • Public endpoint
  • VPC endpoint for internal access
  • VPC endpoint with internet-facing access
  • VPC_ENDPOINT

Except for the public endpoint, all other patterns are backed by AWS PrivateLink.

In early 2021, AWS provided a new VPC endpoint type for PrivateLink integration. Sharing data over the internet using AWS Transfer Family is simplified. …


By Ronnie Quan

Overview

In this blog post, we continue to explore AWS networking, and meanwhile start to learn about the security of network components.

We will share a transit gateway within an Organization, explore RAM managed permissions, and see how AWS RAM works with IAM.

Of course, at the end, we will compare with the Azure product features.

Configure Organization

Create Organization

From the AWS console, select the Organizations service, then click “create organization”.

A root organization is created, and the current AWS account joins as the management account.


By Ronnie Quan

Overview

In the past, when we talked about Azure Policy, we typically said it was a feature unique to Azure; however, that does not necessarily mean AWS cannot implement preventative controls to enforce guardrails.

AWS Organizations provides central governance and management across AWS accounts. AWS Organizations has two types of policy: SCPs and management policies.

You can use SCPs (Service Control Policies) to set permission guardrails with the fine-grained control supported by the AWS Identity and Access Management (IAM) policy language.

We will explore a couple of sample policies and compare Azure with AWS. …


By Ronnie Quan

Overview

It’s quite common to reach your IaaS workload via a DNS name, and you could also have an application in another account or another VPC access the workload hosted on your EC2 instance.

In this blog post, I plan to explore more about EC2 public DNS names, private DNS names, and Route 53 private hosted zones. The goal is to access an EC2 workload from a VPC in another region via a private DNS name; we will experiment with both the default private DNS name and a custom DNS name.

For VPC connectivity, we will include both direct VPC peering and transit gateway scenarios.

Through prior articles…
