Archive for February, 2021

DevOps with AWS

Posted on February 23rd, 2021 by admin@mismo2023

What is CI/CD?

Continuous Integration

Developers work on code that is stored in a code repository such as GitHub or AWS CodeCommit. As developers push changes to the repository, a build server such as AWS CodeBuild or Jenkins checks out the code, builds it and runs the tests.

This process is called continuous integration. Developers focus on writing code rather than on building it and running tests by hand; because every push is built and tested, bugs are found and fixed sooner, and tested code is always available for frequent releases.

Continuous Delivery and Deployment

With continuous integration, the build and the tests are automated. The next step is to deploy the code, using a deployment server such as AWS CodeDeploy or Jenkins. The deployment server takes the build output (the artifact) from the build server and pushes it to the test or production environment.

With continuous delivery, the deployment itself is automated and repeatable, but a manual step approves each release before it goes out. With continuous deployment, no manual step is required: every build that passes its tests is deployed automatically.

In practice the two are combined: continuous deployment pushes every green build to the test and UAT servers, while the production deployment waits for a manual approval.

AWS Technology Stack for CI/CD

CodeCommit is a private Git repository service for version control, collaboration, backup and audit. It comes with the usual benefits of an AWS service (scale, security, compliance) and integrates with CodeBuild, Jenkins and others. You use standard Git to push your local repository to the CodeCommit repository. Access is controlled with IAM users and roles, and you can configure notifications and triggers; for example, a trigger on a push to a branch can invoke a Lambda function for automation.

CodeBuild is a fully managed build service and an alternative to tools like Jenkins. It has the benefits of a managed service (scale, security, no maintenance overhead) and integrates with CloudWatch for notifications and alerts and with Lambda for automation. Each build runs in a Docker container (you can supply your own image), there are no build servers to manage, and pricing is pure pay-as-you-go (PAYG) per build minute.

CodeDeploy is the AWS managed deployment service. It deploys code to EC2 instances and on-premises servers (and, through other deployment types, to Lambda functions and ECS services), so it can replace a tool like Ansible for the deployment step if it meets your needs. You can group targets into deployment groups such as prod and dev. CodeDeploy does not provision resources for you, so it complements rather than replaces infrastructure tooling like Terraform. On EC2 and on-premises targets the CodeDeploy agent runs on the machine, fetches the revision and performs the deployment according to the appspec file in the artifact.

CodePipeline orchestrates the whole release. It supports source stages from repositories such as GitHub and CodeCommit, build stages using CodeBuild or Jenkins, deploy stages using CodeDeploy, CloudFormation and others, plus test and load-testing integrations and manual approval actions. The output of each stage is stored as an artifact in an S3 bucket and handed to the next stage.

All of these services log to CloudWatch for monitoring and alerting, and their API calls are recorded by CloudTrail, which gives you an audit trail of who changed the pipeline, the repository or a deployment.
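As an added example (not from the original post), here is the pipeline described above, continuous deployment to test and a manual approval in front of production, written as a CodePipeline declaration built in PowerShell and handed to the AWS CLI. The account id, region, service role, artifact bucket, repository name, CodeBuild project and CodeDeploy application and deployment-group names are placeholders; it assumes AWS CLI v2 is installed and configured with credentials allowed to call codepipeline:CreatePipeline.

```powershell
# Added example, not from the original post. Builds the declaration that CodePipeline
# expects and passes it to the AWS CLI. Account, region, role, bucket, repository,
# build project and CodeDeploy application/group names below are placeholders.
$account = "123456789012"
$region  = "eu-west-1"

function New-Action {
    # Helper that produces one CodePipeline action declaration (hashtable).
    param(
        [string]$Name, [string]$Category, [string]$Provider,
        [hashtable]$Configuration,
        [string[]]$Inputs = @(), [string[]]$Outputs = @(),
        [int]$RunOrder = 1
    )
    $action = [ordered]@{
        name          = $Name
        actionTypeId  = [ordered]@{ category = $Category; owner = "AWS"; provider = $Provider; version = "1" }
        configuration = $Configuration
        runOrder      = $RunOrder
    }
    if ($Inputs)  { $action.inputArtifacts  = @($Inputs  | ForEach-Object { @{ name = $_ } }) }
    if ($Outputs) { $action.outputArtifacts = @($Outputs | ForEach-Object { @{ name = $_ } }) }
    return $action
}

$pipeline = [ordered]@{
    pipeline = [ordered]@{
        name          = "app-pipeline"
        roleArn       = "arn:aws:iam::${account}:role/CodePipelineServiceRole"
        artifactStore = [ordered]@{ type = "S3"; location = "app-pipeline-artifacts-$account" }
        version       = 1
        stages        = @(
            [ordered]@{ name = "Source"; actions = @(
                # PollForSourceChanges=false: the CodeCommit trigger starts the pipeline on push.
                (New-Action -Name "Source" -Category "Source" -Provider "CodeCommit" `
                    -Configuration @{ RepositoryName = "app"; BranchName = "main"; PollForSourceChanges = "false" } `
                    -Outputs "SourceOutput")
            )}
            [ordered]@{ name = "Build"; actions = @(
                (New-Action -Name "Build" -Category "Build" -Provider "CodeBuild" `
                    -Configuration @{ ProjectName = "app-build" } `
                    -Inputs "SourceOutput" -Outputs "BuildOutput")
            )}
            # Continuous deployment: every green build goes to the test deployment group.
            [ordered]@{ name = "DeployTest"; actions = @(
                (New-Action -Name "Deploy" -Category "Deploy" -Provider "CodeDeploy" `
                    -Configuration @{ ApplicationName = "app"; DeploymentGroupName = "test" } `
                    -Inputs "BuildOutput")
            )}
            # Continuous delivery: production waits for a manual approval (runOrder 1),
            # then deploys the same BuildOutput artifact that was tested (runOrder 2).
            [ordered]@{ name = "DeployProd"; actions = @(
                (New-Action -Name "Approve" -Category "Approval" -Provider "Manual" `
                    -Configuration @{ CustomData = "Check the test deployment before releasing to prod." }),
                (New-Action -Name "Deploy" -Category "Deploy" -Provider "CodeDeploy" `
                    -Configuration @{ ApplicationName = "app"; DeploymentGroupName = "prod" } `
                    -Inputs "BuildOutput" -RunOrder 2)
            )}
        )
    }
}

$pipeline | ConvertTo-Json -Depth 10 | Set-Content -Path "pipeline.json" -Encoding utf8
aws codepipeline create-pipeline --region $region --cli-input-json file://pipeline.json
```

The approval action can page the approvers instead of waiting to be noticed by adding a NotificationArn (an SNS topic) to its configuration. Because the production deploy consumes the same BuildOutput artifact as the test deploy, what reaches production is exactly what was tested; the artifact bucket should therefore be private and encrypted, and the pipeline service role limited to that bucket, that repository and those two deployment groups.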

Azure Firewall

Posted on February 9th, 2021 by admin@mismo2023

Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network resources.

You can centrally create and enforce network connectivity policies across subscriptions and virtual networks.

Firewall features

Built-in high availability: high availability is built in, so no additional load balancers are required and there is nothing to configure.

Availability Zones: Azure Firewall can be configured during deployment to span multiple Availability Zones for higher availability; with Availability Zones the availability SLA increases to 99.99% uptime.

There is no additional cost for a firewall deployed in Availability Zones. However, there are additional costs for inbound and outbound data transfer associated with Availability Zones.

Unrestricted cloud scalability: Azure Firewall scales out as needed to accommodate changing network traffic flows, so you do not need to size or budget for your peak traffic.

Application FQDN filtering rules: you can limit outbound HTTP and HTTPS traffic, or Azure SQL traffic, to a specified list of fully qualified domain names (FQDNs), including wildcards. The FQDN is read from the HTTP host header or the TLS SNI, so this feature does not require TLS termination.

Network traffic filtering rules: you can centrally create allow or deny network filtering rules by source and destination IP address, port and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

FQDN tags: make it easy to allow well-known Azure service network traffic through your firewall. For example, to allow Windows Update traffic through the firewall, you create an application rule and include the WindowsUpdate tag; traffic to Windows Update can then flow through the firewall.

Service tags:  A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You can’t create your own service tag, nor specify which IP address is included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.

Threat intelligence: threat intelligence-based filtering can be enabled for your firewall to alert on, or deny, traffic from and to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Outbound SNAT support: all outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (source network address translation), so remote internet destinations see, and can allow, traffic originating from your virtual network. Azure Firewall does not SNAT when the destination IP is in a private IP range per IANA RFC 1918. If your organization uses a public IP address range on its private network, Azure Firewall SNATs that traffic to one of the firewall's private IP addresses in AzureFirewallSubnet; you can configure Azure Firewall not to SNAT your public IP address range.

Inbound DNAT Support: Inbound internet network traffic to your firewall public IP address is translated (Destination Network address translation) and filtered to the private IP addresses on your virtual networks.

Multiple public IP addresses: you can associate multiple public IP addresses (up to 250) with your firewall.

This enables the following scenarios:

DNAT: you can translate multiple standard port instances to your backend servers. For example, with two public IP addresses you can translate TCP port 3389 (RDP) on both addresses, each to a different backend server.

SNAT: additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address associated with your firewall, so any remote allow-list must include all of them; consider using a public IP address prefix.

Azure Monitor logging: all events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your event hub, or send them to Azure Monitor logs.

Forced tunnelling: you can configure Azure Firewall to route all internet-bound traffic to a designated next hop, such as an on-premises edge firewall, instead of going directly to the internet.
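As an added example (not from the original post), the following Az PowerShell script configures the features listed above on an existing firewall: an application rule collection using the WindowsUpdate FQDN tag and an explicit FQDN allow-list, a network rule, a DNAT rule for RDP, threat intelligence in deny mode, and the SNAT private-range setting. It assumes the Az.Network module and an authenticated session; the resource group, firewall and public IP names and every address range are placeholders.

```powershell
# Added example, not part of the original post. Assumes Az.Network, an existing firewall
# "fw-hub" in resource group "rg-hub" with public IP "pip-fw-hub", and placeholder ranges:
# spoke 10.0.0.0/16, build subnet 10.0.1.0/24, jump host 10.0.2.4, admin range
# 203.0.113.0/24, and 198.51.100.0/24 as a public range used on the private network.
$rg = "rg-hub"
$fw = Get-AzFirewall -Name "fw-hub" -ResourceGroupName $rg

# Application rules: an FQDN tag for Windows Update plus an explicit FQDN allow-list.
# Matching is on the host header / TLS SNI, so no TLS termination is involved.
$ruleWu = New-AzFirewallApplicationRule -Name "allow-windows-update" `
    -SourceAddress "10.0.0.0/16" -FqdnTag "WindowsUpdate"
$ruleFeeds = New-AzFirewallApplicationRule -Name "allow-package-feeds" `
    -SourceAddress "10.0.1.0/24" -Protocol "https:443" `
    -TargetFqdn "*.nuget.org", "community.chocolatey.org"
$appColl = New-AzFirewallApplicationRuleCollection -Name "app-allow" -Priority 200 `
    -Rule $ruleWu, $ruleFeeds -ActionType Allow

# Network rule: stateful 5-tuple filter; here only DNS from the spoke to the Azure resolver.
$ruleDns = New-AzFirewallNetworkRule -Name "allow-azure-dns" -Protocol "UDP" `
    -SourceAddress "10.0.0.0/16" -DestinationAddress "168.63.129.16" -DestinationPort "53"
$netColl = New-AzFirewallNetworkRuleCollection -Name "net-allow" -Priority 200 `
    -Rule $ruleDns -ActionType Allow

# DNAT rule: publish RDP on the firewall public IP to a single jump host. A DNAT rule is an
# internet-facing listener, so restrict the source to the admin range rather than "*".
$pip = (Get-AzPublicIpAddress -Name "pip-fw-hub" -ResourceGroupName $rg).IpAddress
$ruleRdp = New-AzFirewallNatRule -Name "dnat-rdp-jump" -Protocol "TCP" `
    -SourceAddress "203.0.113.0/24" -DestinationAddress $pip -DestinationPort "3389" `
    -TranslatedAddress "10.0.2.4" -TranslatedPort "3389"
$natColl = New-AzFirewallNatRuleCollection -Name "dnat-inbound" -Priority 100 -Rule $ruleRdp

$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
$fw.NatRuleCollections.Add($natColl)

# Threat intelligence: deny (not just alert on) traffic to/from known malicious IPs and domains.
$fw.ThreatIntelMode = "Deny"

# SNAT: keep the RFC 1918 default and add the public range used internally, so traffic
# to that range is routed without source translation.
$fw.PrivateRange = @("IANAPrivateRanges", "198.51.100.0/24")

Set-AzFirewall -AzureFirewall $fw
```

A new firewall is made zone-redundant at creation time with New-AzFirewall and its -Zone parameter (for example -Zone 1,2,3); zones cannot be added to an existing firewall. Rule collections are evaluated by priority (lower number first), NAT before network before application rules, which is why the DNAT collection above carries the lowest number.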

AWS Directory Service: The Amazon Cloud Active Directory!

Posted on February 4th, 2021 by admin@mismo2023

AWS Directory Service provides several ways to use Microsoft Active Directory (AD) with other AWS services. Directories store information about users, groups and devices, and administrators use them to manage access to information and resources. AWS Directory Service offers several directory options for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)-aware applications in the cloud, and the same options for developers who need a directory to manage users, groups, devices and access.

What to select?

If you want Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) for applications in your cloud: choose AWS Directory Service for Microsoft Active Directory.

If you develop SaaS applications and need a user directory for them: use Amazon Cognito.

AWS Directory Service for Microsoft AD

Also known as AWS Managed Microsoft AD, AWS Directory Service for Microsoft AD runs actual Microsoft Windows Server AD, managed by AWS in the AWS Cloud. It lets a wide range of AD-aware applications be migrated to the AWS Cloud.

AWS Managed Microsoft AD can be used with Microsoft SharePoint, Microsoft SQL Server and .NET applications. It also works with AWS managed services such as Amazon WorkDocs, Amazon WorkSpaces, Amazon Connect, Amazon QuickSight, Amazon Chime and Amazon Relational Database Service (Amazon RDS for SQL Server, Amazon RDS for Oracle and Amazon RDS for PostgreSQL).

AWS Managed Microsoft AD is available in two editions: Standard and Enterprise.

Standard Edition: AWS Managed Microsoft AD (Standard Edition) is optimized to be a primary directory for small and midsize businesses with up to 5,000 employees. It provides enough storage for up to 30,000 directory objects such as users, groups and computers.

Enterprise Edition: AWS Managed Microsoft AD (Enterprise Edition) is designed for enterprises with up to 500,000 directory objects.

Security in AWS Directory Service

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data centre and network architecture built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between you and AWS. The shared responsibility model describes this as security of the cloud and security in the cloud:

Security of the cloud: AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud, and provides services that you can use securely. Third-party auditors regularly test and verify the effectiveness of this security as part of the AWS compliance programs.

Security in the cloud: your responsibility is determined by the AWS service you use. You are also responsible for other factors, including the sensitivity of your data, your company's requirements, and applicable laws and regulations; for a managed directory that includes the directory's administrative credentials and the security group rules applied to its domain controllers.

Infrastructure Security in AWS Directory Service

Because it is a managed service, AWS Directory Service is protected by the AWS global network security procedures that apply to all AWS services.

Identity & Access Management for AWS Directory Service

Access to AWS Directory Service requires credentials that AWS can use to authenticate your requests, and those credentials must carry IAM permissions for the AWS resources involved, such as an AWS Directory Service directory. Grant them with least privilege: an operator who only needs to read directory details does not need permission to create, modify or delete directories.

Package Manager for Microsoft Intune Administrators – Part 1

Posted on February 3rd, 2021 by admin@mismo2023

Deploying applications to end-user Windows machines has never been easier for a Microsoft Intune administrator. What used to be a painstaking process of installing each application and its dependencies one by one has evolved into packaging an application together with its required dependencies into one ".intunewin" package.

Modern device management takes this a step further by giving IT administrators an even simpler way of installing, managing, updating and uninstalling applications: package managers.

Linux adopted this practice early, maintaining centralized repositories where users can find and install software.

What is a “Package Manager”?

A package manager or package management system is a collection of software tools that automates the process of installing, upgrading, configuring, and removing computer programs for a computer’s operating system in a consistent manner. It keeps track of what software is installed on the computer and allows us to easily install new software, upgrade the software to newer versions, or remove software that was previously installed.

As the name suggests, package managers deal with packages: collections of files that are bundled together and can be installed and removed as a group. Often, a package is just a particular program. A software package is an archive file containing a computer program as well as necessary metadata for its deployment. The computer program can be in source code that has to be compiled and built first. Package metadata includes package description, package version, and dependencies (other packages that need to be installed beforehand).

Package managers are charged with the task of finding, installing, maintaining, or uninstalling software packages upon the user’s command. Typical functions of a package management system include:

  • Working with file archivers to extract package archives
  • Ensuring the integrity and authenticity of a package by verifying its checksum and its digital signature
  • Looking up, downloading, installing, or updating existing software from a software repository or app store
  • Grouping packages by function to reduce user confusion
  • Managing dependencies to ensure a package is installed with all packages required

Package managers differ by packaging format and operating system. For RPM-based Linux distributions, yum and dnf are the package managers; for DEB-based distributions, apt-get and aptitude. For Windows, the two most used package managers are winget and Chocolatey. Over the next couple of weeks, I am going to do a deep dive on how to leverage these together with Microsoft Intune to make application management easier.

In this part 1 of the 4-part series, we will look at Chocolatey and what it does. In the next installment, I will walk you through setting it up in your organization using Microsoft Intune and using it for application installation and management. In parts 3 and 4 we will look at how the same can be achieved with winget.

Chocolatey

Chocolatey is a machine-level, command-line package manager and installer for Windows software. It uses the NuGet packaging infrastructure and Windows PowerShell to simplify downloading and installing software.

Some well-known features of Chocolatey:

  • Deploy anywhere: Chocolatey supports Windows 7 and later (and Windows Server 2003 and later). It requires PowerShell v2+ and Microsoft .NET Framework 4.x. You can deploy on-prem, to Azure, AWS, or any other cloud provider
  • Deploy with everything: anything that can manage endpoints or do remote deployments can drive Chocolatey through commands, batch files or scripts. Configuration management solutions like Ansible, Chef, PowerShell DSC, Puppet or Salt have providers/modules that let you manage both the Chocolatey installation/configuration and the software it installs from within their own languages
  • Packages are independent and portable: when you deploy through multiple systems or migrate from one to another, you take the work you have done with Chocolatey with you
  • Completely offline: you can set up your own internal repositories and use them without an internet connection, which also means your endpoints only pull packages from a feed you control
  • Create your own deployment packages and use them internally
  • Manage dependencies with ease: a package declares the packages it needs, and Chocolatey installs them in the right order

One of the most time-consuming tasks in Microsoft Intune is the application portion, where you package applications for deployment. Currently, if the application ships as an executable (exe) installer, the steps are as follows:

  • Grab the installation executable
  • Find the install switches, most commonly the silent switch
  • Find the install directory or registry key that tells Microsoft Intune whether it installed correctly or not
  • Find the uninstall executable and any switches it has as well
  • Wrap the executable in the ".intunewin" format
  • Import the file into Microsoft Intune
  • Configure the application with the install and uninstall commands, and with the directory or registry key it creates as the detection rule, so Microsoft Intune knows whether it installed correctly or not

With Chocolatey, the process is reduced to the following:

  • Find any install switches
  • Grab the installation executable
  • Find the uninstall process and switches
  • Configure the application with any install switches, or uninstall switches within the Intune blade
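To make the comparison concrete, here is an added example (not from the original post and not Chocolatey's or Intune's own tooling) of what the Win32 app's install command becomes when Chocolatey does the work: one script that takes the package id, pins the client to an internal feed, installs with checksum enforcement and returns the exit codes Intune expects. It assumes Chocolatey is already installed on the device (the subject of part 2); the feed URL and the lib-folder layout used for detection are assumptions marked in the code.

```powershell
<#
  Added example, not part of the original post or of Chocolatey/Intune themselves.
  Install-ChocoApp.ps1: the install (and uninstall) command of an Intune Win32 app that
  delegates the real work to Chocolatey. Assumed: Chocolatey is already installed, the
  internal feed URL is a placeholder, and packages live under <ProgramData>\chocolatey\lib.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $PackageId,
    [string] $Version,
    [string] $Source = "https://nuget.contoso.example/chocolatey",   # assumed internal feed
    [switch] $Uninstall
)

$chocoRoot = Join-Path $env:ProgramData "chocolatey"
$choco     = Join-Path $chocoRoot "bin\choco.exe"

function Test-ChocoPackageInstalled {
    # The same check an Intune file-based detection rule can use: Chocolatey keeps the
    # installed package as lib\<id>\<id>.nupkg (assumed layout, see lead-in).
    param([string] $Id)
    return Test-Path (Join-Path $chocoRoot "lib\$Id\$Id.nupkg")
}

if (-not (Test-Path $choco)) {
    Write-Error "Chocolatey is not installed on this device."
    exit 1
}

# Pin the client to the internal feed and disable the public community feed, so a
# mistyped package id cannot resolve to an untrusted community package.
& $choco source add --name internal --source $Source --priority 1 | Out-Null
& $choco source disable --name chocolatey | Out-Null

if ($Uninstall) {
    $chocoArgs = @("uninstall", $PackageId, "--yes", "--limit-output")
} else {
    # --require-checksums makes Chocolatey refuse a package whose downloaded
    # installer has no checksum to verify against.
    $chocoArgs = @("install", $PackageId, "--yes", "--no-progress", "--limit-output",
                   "--require-checksums", "--source", "internal")
    if ($Version) { $chocoArgs += @("--version", $Version) }
}

& $choco @chocoArgs
$rc = $LASTEXITCODE

# Chocolatey: 0 = success, 1641 = reboot initiated, 3010 = reboot required.
# Anything else is a failure, as is a "successful" install that leaves no package behind.
if ($rc -notin 0, 1641, 3010) { exit 1 }
if (-not $Uninstall -and -not (Test-ChocoPackageInstalled $PackageId)) { exit 1 }
exit $rc
```

Wrap the script as the Win32 app, set the install command to powershell.exe -ExecutionPolicy Bypass -File Install-ChocoApp.ps1 -PackageId 7zip and the uninstall command to the same line with -Uninstall, and add 1641 and 3010 to the app's return codes as soft and hard reboot. The detection rule can then be a file rule on the same lib\<id>\<id>.nupkg path that Test-ChocoPackageInstalled checks, so install and detection agree on what "installed" means.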

Stay tuned for part 2, where we install Chocolatey as a Win32 app using Microsoft Intune and install subsequent software.

Major Cloud Concerns – Do corporate agents, cyber hackers, and governments have access to my data if it is in the cloud?

Posted on February 2nd, 2021 by admin@mismo2023

This is one of the major cloud concerns for many companies, but it is largely unfounded. Your IT team manages access, sets rights and restrictions, and decides on mobile access and options, and your organization remains the sole owner of its data: you retain all rights, title and interest in the data you store in Office 365.

When safeguarding your data, we operate under several key principles:

  • We do not use your data for advertising purposes or for any reason other than providing the services you have paid for.
  • If you want to change providers, you can take your data with you.
  • Privacy controls let you configure who in your company has access and what they can access.
  • Extensive auditing and monitoring prevent admins from gaining inappropriate access to your files.
  • Customer Lockbox for Office 365 gives customers explicit control in the rare cases where a Microsoft engineer needs to access customer data to resolve a support issue.

Strict safeguards and architectural elements prevent your data from mingling with that of other organizations, and our data centre staff do not have unrestricted access to your data, which addresses another of the major cloud concerns.

The international privacy standard Microsoft adheres to establishes a uniform approach to protecting privacy for personal data stored in the cloud. It reinforces that:

  • You are in control of your data.
  • You are aware of what is happening with your data.
  • We provide strong security protection for your data.
  • Your data will not be used for advertising.
  • Microsoft encourages government inquiries to be made directly to you unless legally prohibited, and will challenge attempts to prohibit disclosure in court.
