For my day 3 recap, please jump here. The fourth day has started and I decided to attend a couple of session. Both are not in my direct field of expertise but promised to be very interesting.

Network architectures for inbound traffic inspection

This by chalk-talk was organized by Alexandra Huides and Tom Adamski, both Senior Architects from AWS. During various phases of an application lifecycle, people want to inspect inbound traffic coming from outer networks like Internet to the VPC of the application. Split into examples and design considerations, they provided lots of useful information.

For inbound traffic inspection, the following needs to be checked beforehand : is the application traffic HTTP or HTTPS ? would you need TCP/IP filtering or inspection up to the application level ? do you have one or multiple VPCs?

Either centralized or distributed, various AWS products or services cover the security of the application. As distributed solutions, meaning the implementation done at the VPC level, there are the AWS Network Firewall and the AWS Gateway Load Balancer. For the second option, all incoming traffic is redirected to a second VPC where a third-party firewall is implemented. As centralized solutions, there are the AWS WAF and what they called the ELB sandwich. The first solution implements the Web application firewall at the ALB level. For the second solution, a third-party firewall reside in a dedicated subnet of a specific VPC. Two implementation examples were then shown to the attendees so we could understand better each product and their pro & cons.

A quick grab & go lunch improvised with my colleague Nicolas, and I switched to the second presentation. This one was related to CloudFormation.

What’s new with AWS CloudFormation and AWS CDK

This session was hosted by Jaswanthi Meganathan and Adam Ruka, from AWS. I had experienced CloudFormation years ago. The purpose of the template I’ve built was to automatically create a VPC and  EC2 instance with a specific set of security groups from a customized AMI. Quite simple, this template was also a reason for me to practice this service.

While CloudFormation is a IaC service (IaC standing for Infrastructure as Code) allowing you to model (either using JSON / YAML templates or using the CloudFormation designer, a GUI tool), provision and manage the infrastructure in AWS, CDK is a framework offering IaC capabilities but using popular programming languages, such as TypeScript, Python, Java, .NET, and Go. AWS CloudFormation is a declarative approach for modeling infrastructure, CDK a the imperative approach.

One of CDK’s main change of v2 over v1 is the consolidation of package libraries. Before, developers had to include almost one dedicated library for each AWS service used by CDK. Now, only one.
The new CDK v2 propose also an improved coverage of AWS services. Are included now : AWS EKS, Amazon CloudFront, Amazon OpenSearch Service (formerly Amazon Elasticsearch Service), AWS AppMesh, Amazon CodeGuru, and Amazon Document DB. Announced GA during the re:Invent, the Construct Hub is an AWS external website, https://constructs.dev/, permitting users and developers to share custom resources templates.

On the other hand, CloudFormation now supports 165 over 174 AWS Services. They also raised the maximum number of stack per account, from 200 to 2000.

Thursday was the last full day of this re:Invent. The morning was very intense : we attended to Werner Vogels’ keynote, CTO of Amazon. Don’t hesitate to jump into my colleague’s post here.
Tomorrow will be a bit more quiet, as the event is closing at 12h30.


Thumbnail [60x60]
by
Jean-Philippe Clapot