Fundamentals of Azure Internal Load Balancers (ILBs)

Fundamentals of Azure Internal Load balancers by Bruno Terkaly 

  1. Internal load balancing (ILB) enables you to run highly available services behind a private IP address
  2. Internal load balancers are accessible only from within the cloud service or Virtual Network (VNet) that contains them
    • This adds a layer of security to that endpoint: it is never reachable from the public Internet
    • It is a reachability control, not authentication. Anything that can route to the VNet, including on-premises networks connected over the VPN, can reach the endpoint, so the service behind it still needs its own authentication and transport protection

Some questions I am hearing

  1. I am able to access the internal load balancer by IP address but not by load balancer or service name. Why?
    • See Accessing the ILB below; the ILB is reached by its private VNet IP address
  2. Is there any option in the Azure portal to view the load balancer configuration?
    • Internal load balancing cannot be configured through the portal as of today; portal support is planned
    • It can, however, be configured with PowerShell cmdlets
      • ILB can be used in a deployment inside a Regional Virtual Network as well as in a new deployment outside a Virtual Network
  3. How do I monitor the traffic and see which server it is being directed to?
  4. How do I set up the probes and rules/alerts for it?
    • See the links below

ILB ENABLES THE FOLLOWING NEW TYPES OF LOAD BALANCING:

  1. Between virtual machines within a cloud service.
  2. Between virtual machines in different cloud services that are themselves contained within a virtual network.
  3. Between on-premises computers and virtual machines in a cross-premises virtual network.

Some diagrams

EXAMPLE OF A MULTI-TIER APPLICATION USING WEB SERVERS AS THE FRONT END AND DATABASE SERVERS AS THE BACK END IN A CLOUD SERVICE.

  1. Multi-Tier Web App

    Figure 1: Architecture for a Multi-Tier Web App

ILB CAN PERFORM LOAD BALANCING FOR TRAFFIC FROM INTRANET CLIENTS

  1. Traffic from clients on the on-premises network is load-balanced across the set of LOB servers running in a cross-premises virtual network
  2. You don’t need a separate load balancer in the on-premises network or in the virtual network

    Figure 2: Architecture for an Intranet Network

LOAD BALANCING ON-PREMISES SERVER TRAFFIC

  1. ILB also allows traffic from servers on the on-premises network to be load-balanced across virtual machines running in a cross-premises virtual network.

    Figure 3: Architecture for an On-Premises Network

FROM ON PREMISES

  1. When used within a Virtual Network, the ILB endpoint is also accessible from on-premises and from other inter-connected VNets, which allows some powerful hybrid scenarios

ACCESSING THE ILB

FROM INSIDE A CLOUD SERVICE

  1. VMs inside a cloud service have private IP address spaces
  2. You can talk to the ILB using this private IP address

FROM WITHIN A VIRTUAL NETWORK

  1. A customer can specify a static VNet IP address for the ILB
  2. Otherwise the load-balanced IP is acquired dynamically from the virtual subnet
  3. Because the ILB lives inside the VNet, it is reachable from connected VNets and from on-premises networks over the IPsec (site-to-site VPN) tunnel
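The PowerShell configuration that the answers to questions 2 and 4 above point at, as an added example rather than code from the original post. It uses the classic Azure Service Management cmdlets of the time; the cloud service, VM, subnet and IP values are assumptions and must be replaced with your own, and the cloud service is assumed to already be deployed into a VNet.

```powershell
# Added example (not from the original post): create an internal load-balanced set for two web VMs
# with the classic Azure Service Management PowerShell cmdlets. All names below are assumptions.
$serviceName = 'contoso-web-svc'   # cloud service that already contains the VMs (deployed into a VNet)
$ilbName     = 'contoso-web-ilb'
$subnetName  = 'WebSubnet'
$ilbStaticIp = '10.0.1.10'         # optional static VNet IP; drop the parameter to let the subnet hand one out
$backendVms  = 'web01', 'web02'

# 1. Create the ILB front end inside the subnet. It only ever gets a private IP, so it is never
#    exposed to the Internet; everything that can route to the VNet can still reach it.
Add-AzureInternalLoadBalancer -ServiceName $serviceName `
    -InternalLoadBalancerName $ilbName `
    -SubnetName $subnetName `
    -StaticVNetIPAddress $ilbStaticIp

# 2. Add a load-balanced endpoint with an HTTP health probe to every back-end VM. Every VM that
#    joins the same -LBSetName becomes a member of the set; a failing probe takes that VM out of
#    rotation, which is also how you keep clients off a server that is mid-patch.
foreach ($vmName in $backendVms) {
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Add-AzureEndpoint -Name 'HttpIn' -Protocol tcp -LocalPort 80 -PublicPort 80 `
            -LBSetName 'web-lbset' `
            -InternalLoadBalancerName $ilbName `
            -ProbeProtocol http -ProbePort 80 -ProbePath '/healthz' `
            -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
        Update-AzureVM
}

# 3. Verify. The first call shows the ILB's private IP (the address clients use, which answers
#    question 1); the loop shows the endpoint and probe settings on each member.
Get-AzureInternalLoadBalancer -ServiceName $serviceName
foreach ($vmName in $backendVms) {
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Get-AzureEndpoint |
        Select-Object Name, LBSetName, ProbeProtocol, ProbePort, ProbePath
}
```

Two practical points: -PublicPort on an ILB endpoint is the port on the private front-end IP, not an Internet-facing port, and the probe path should be cheap, unauthenticated and side-effect free while still reflecting the real readiness of that node (a handler that always returns 200 hides a broken server from the ILB). For question 3, the ILB itself does not report which member served a request; correlate on the back-end servers' own request logs.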

Some useful links

Regional Virtual Networks http://azure.microsoft.com/blog/2014/05/14/regional-virtual-networks/
Internal Load Balancing http://azure.microsoft.com/blog/2014/05/20/internal-load-balancing/
Configure an internal load-balanced set http://msdn.microsoft.com/en-us/library/azure/dn690125.aspx
Azure Load Balancer http://msdn.microsoft.com/en-us/library/azure/dn655058.aspx
Configure a load-balanced set http://msdn.microsoft.com/en-us/library/azure/dn655055.aspx

Researcher Reveals: All iOS Devices Allow Access to All Data Through Hidden Services


Jonathan Zdziarski presented how every iOS device runs Apple-created, undocumented, hidden services that allow access to all data on the device, even encrypted data.  His slides are available here.  Below I have summarized some of the more interesting parts and tried to put them in less technical terms.

Highlights 

  • Apple has worked hard to make iOS devices reasonably secure against typical attackers
  • Apple has also worked hard to ensure that Apple can access data on end-user devices on behalf of law enforcement
  • Almost all native application / OS data is encrypted with a key
  • As of iOS 7, third-party app documents are encrypted, but the Library and Caches folders usually are not
  • Once the device is first unlocked after a reboot, most of the encrypted data can be accessed until the device is shut down
  • The undocumented services running on every iOS device help make this possible
  • Your device is almost always at risk of spilling all of its data, since it is almost always in this unlocked-once state, even while the screen is locked

Undocumented Services Overview

  • Accessed through lockdownd, which requires pairing authentication
  • The iOS 7 trust dialog helps, but third-party accessories are again training users to tap Trust without thinking
  • Bypasses the “Backup Encryption” mechanism provided to users
  • Can be accessed both via USB and wirelessly (WiFi, maybe cellular); networks can be scanned for a specific target
  • If the device has not been rebooted since the user last entered the PIN, all data encrypted with data protection (third-party app data, etc.) is accessible
  • Other (more legitimate) services enable software installation and APN installation (adding proxy servers) for continued monitoring
  • A number of commercial law enforcement forensic vendors have started tapping these services:
    • Cellebrite
    • AccessData (Mobile Phone Examiner)
    • Elcomsoft
  • A number of private tools and sources are out there as well that take advantage of these services

Ransomware on your iPhone?  Oh my!  Using your own iOS pictures for blackmail? OH MY!!

The undocumented and hidden services your i-device is running that Apple never told you about

First service: com.apple.mobile.file_relay

  • Completely bypasses Apple’s backup encryption, the feature end users rely on for security
  • Very intentionally placed by Apple and intended to send data off the device on request
  • Can collect data the user has deleted but that still remains on the device because the storage has not been reused yet
  • This undocumented, hidden service can collect and send almost any data on your device, including data you probably didn’t know your device kept; the full list is too long to include

Second Service: com.apple.mobile.house_arrest

  • Allows access to the Library, Caches, Cookies, Preferences folders as well
  • These folders provide highly sensitive account storage, social/Facebook caches, photos and other data stored in “vaults”, and much more

Additional services:

com.apple.iosdiagnostics.relay Provides detailed network usage per-application on a per-day basis

com.apple.mobile.installation_proxy Given an enterprise certificate, can use this to load custom software onto the device (which can run invisibly and in the background)

com.apple.syslog_relay Syslog, provides a lot of details about what the device is doing, and often leaks user credentials from 3rd party apps via NSLog()

Already documented and fairly public method of using these undocumented services 

DROPOUTJEEP is a software implant for iPhones that allows an operator to remotely copy or place files on a device, retrieve text messages, contacts, voicemail and location information, turn on the microphone and camera, and read cell tower location.  It requires “close access” for the implant, which means they don’t need to physically touch the device; Bluetooth or WiFi might be ‘close enough’.  Data extraction is done over GPRS (essentially cellular) or through text messaging.  Ironically, all communication with the implant is “covert and encrypted”.

If you want to reduce this attack surface, there is a simple and free tool from Apple called Apple Configurator: supervising a device with it lets you restrict pairing so that only the Configurator host can pair, and the device refuses pairing with any other computer.  On the computers you do pair with, the pairing records (stored under /var/db/lockdown on OS X and C:\ProgramData\Apple\Lockdown on Windows) are what grant that host access to these services, so treat them like credentials and delete the records for devices you no longer need to sync.
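The host-side check that follows from all of the above, as an added example that is not from the talk or the original post: a pairing record is the credential a computer presents to lockdownd, so auditing and pruning the records on your machines is the complement to restricting pairing on the device. The script reads the standard lockdown directory (run it as administrator on Windows, or with PowerShell on a Mac pointed at /var/db/lockdown as root); the record it writes to a temp folder for the demo is constructed and contains no real key material, and the plist keys it reports on (HostID, WiFiMACAddress, EscrowBag) are the ones found in iOS 7-era records.

```powershell
# Added example (not from the talk or the original post). Lists lockdown pairing records on this
# host: each record lets this computer talk to lockdownd (and so file_relay, house_arrest, ...) on
# one device, over USB or WiFi, until the record is removed.
# Standard locations: Windows C:\ProgramData\Apple\Lockdown, macOS /var/db/lockdown.
$LockdownDir = if ($IsMacOS) { '/var/db/lockdown' } else { Join-Path $env:ProgramData 'Apple\Lockdown' }

function Read-PlistDict {
    # Turns a <dict> element into a hashtable; a plist dict is a flat <key>/<value> sequence.
    param([Parameter(Mandatory)][System.Xml.XmlElement]$Dict)
    $out = @{}
    $nodes = @($Dict.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    for ($i = 0; $i + 1 -lt $nodes.Count; $i += 2) {
        $out[$nodes[$i].InnerText] = $nodes[$i + 1]
    }
    return $out
}

function Get-LockdownPairingRecord {
    param([string]$Path = $LockdownDir)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # SystemConfiguration.plist holds the host's own BUID, not a device pairing; skip it.
    Get-ChildItem -LiteralPath $Path -Filter '*.plist' -File |
        Where-Object { $_.BaseName -ne 'SystemConfiguration' } |
        ForEach-Object {
            $doc = New-Object System.Xml.XmlDocument
            $doc.XmlResolver = $null   # never fetch Apple's PropertyList DTD: works offline, no outbound call
            $doc.Load($_.FullName)
            $d = Read-PlistDict -Dict $doc.DocumentElement.SelectSingleNode('dict')
            [pscustomobject]@{
                UDID        = $_.BaseName            # the file name is the paired device's UDID
                PairedOn    = $_.CreationTime
                LastWritten = $_.LastWriteTime
                HostID      = if ($d.ContainsKey('HostID')) { $d['HostID'].InnerText } else { $null }
                WiFiCapable = $d.ContainsKey('WiFiMACAddress')  # record can be used for wireless access
                EscrowBag   = $d.ContainsKey('EscrowBag')       # host holds keys that open protected data after first unlock
                Path        = $_.FullName
            }
        }
}

function Remove-LockdownPairingRecord {
    # Deleting the host-side record forces a fresh Trust prompt before this host can pair again.
    # The device keeps its own copy until it is reset, so this revokes the host, not the device.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UDID, [string]$Path = $LockdownDir)
    $file = Join-Path $Path "$UDID.plist"
    if ((Test-Path -LiteralPath $file) -and $PSCmdlet.ShouldProcess($file, 'Remove pairing record')) {
        Remove-Item -LiteralPath $file
    }
}

# --- Demo against a constructed record (no real key material) so the audit can be tried offline ---
$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'lockdown-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoUdid = 'a' * 40   # UDIDs of the period are 40 hex characters
@'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>HostID</key><string>6D1F0C2A-0000-4000-8000-000000000000</string>
  <key>SystemBUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>WiFiMACAddress</key><string>00:11:22:33:44:55</string>
  <key>EscrowBag</key><data>AAAA</data>
</dict>
</plist>
'@ | Set-Content -LiteralPath (Join-Path $demoDir "$demoUdid.plist")

Get-LockdownPairingRecord -Path $demoDir | Format-Table UDID, LastWritten, HostID, WiFiCapable, EscrowBag
Remove-LockdownPairingRecord -UDID $demoUdid -Path $demoDir -WhatIf   # drop -WhatIf to really delete

# Real audit of this host, oldest records first:
# Get-LockdownPairingRecord | Sort-Object LastWritten | Format-Table
```

The XmlResolver line matters beyond tidiness: every real pairing record carries the external PropertyList DTD reference, and a loader that resolves it will try to reach apple.com from a machine you may be auditing offline or in an isolated lab. Records whose UDID you do not recognise, or whose LastWritten date is long past, are the ones to remove.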

Breach at Goodwill Industries


Credit card and ATM card info stolen

Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports.

According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards.

In a statement sent to KrebsOnSecurity, Goodwill Industries said it first learned about a possible incident last Friday, July 18. The organization said it has not yet confirmed a breach, but that it is working with federal authorities on an investigation into the matter.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email.

It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.

 

Azure Gallery Adds Virtual Machines

Microsoft announced today the availability of virtual machines in the Azure gallery.

Azure customers can now use preconfigured VMs, or customize VMs from the gallery, without having to build their own and upload them into Azure.

Some of the VMs available include:

 


Amazon Newest Service – Zocalo – Secure Document and File Storage


“Amazon Zocalo is a fully managed, secure enterprise storage and sharing service with strong administrative controls and feedback capabilities that improve user productivity. Users can comment on files, send them to others for feedback, and upload new versions without having to resort to emailing multiple versions of their files as attachments. Users can take advantage of these capabilities wherever they are, using the device of their choice, including PCs, Macs, and tablets. Amazon Zocalo offers IT administrators the option of integrating with existing corporate directories, flexible sharing policies, audit logs, and control of the location where data is stored.”

They are offering a free 30-day trial with 200 GB of storage for up to 50 users.

Features include

  • Single console for all files
  • Commenting on files
  • Sending files to others for feedback
  • Uploading new versions without emailing files as attachments
  • Teammates can leave comments by highlighting a section of a file, or specific text, and typing feedback
  • Users can set optional deadlines for feedback
  • Track files that are out for review
  • Be notified by email when they have been asked to provide feedback
  • Automatic version control
  • Overlay technology that displays all comments from all users
  • Automatically sync files across all of the user’s devices, with encryption at rest and in transit
  • Tablet-optimized experience across iPad, Android and Kindle
  • Active Directory integration
  • Auditing
  • Integration with Amazon WorkSpaces


Magic Quadrant for Security Information and Event Management


Gartner Magic Quadrant for SIEM 2014

Gartner has published its annual Magic Quadrant report for Security Information and Event Management (SIEM) technology and rated 15 vendors on how their products fit within its definition of SIEM.

“The security information and event management (SIEM) market is defined by the customer’s need to analyze security event data in real time for internal and external threat management, and to collect, store, analyze and report on log data for incident response, forensics and regulatory compliance. The vendors included in our Magic Quadrant analysis have technologies that have been designed for this purpose, and they actively market and sell these technologies to the security buying center.

SIEM technology aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as NetFlow and packet capture. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.”

IBM has taken the top spot this year.


Comparing Cloud Compute Services


Jason Read at CloudHarmony does a great job sorting through all of the different cloud compute offerings by vendors and then compares their performance in a like-for-like benchmark.  This is no small task, and most reports I have read comparing cloud compute do not do a good enough job of comparing similar services when conducting their performance tests.  You can obtain a copy of the full report from here; it is 100+ pages long.

Below are some the test results along with my own comments as well.

Web Server Comparison

  Compute Service Provider                  Small Web Server        Medium Web Server       Large Web Server
  Amazon EC2 (Instance Types Explained)     c3.large + t2.medium    c3.xlarge               c3.2xlarge
  DigitalOcean (Types Explained)            4 GB / 2 Cores          8 GB / 4 Cores          16 GB / 8 Cores
  Google Compute Engine (Types Explained)   n1-highcpu-2            n1-highcpu-4            n1-highcpu-8
  Microsoft Azure (Tiers Explained)         Medium (A2)             Large (A3)              Extra Large (A4)
  Rackspace (Types Explained)               Performance 1 2GB       Performance 1 4GB       Performance 1 8GB
  SoftLayer (Types Explained)               2 GB / 2 Cores          4 GB / 4 Cores          8 GB / 8 Cores

Database Server Comparison

  Compute Service Provider                  Small Database Server   Medium Database Server  Large Database Server
  Amazon EC2                                c3.xlarge               c3.2xlarge              c3.4xlarge
  DigitalOcean                              8 GB / 4 Cores          16 GB / 8 Cores         48 GB / 16 Cores
  Google Compute Engine                     n1-standard-4           n1-standard-8           n1-standard-16
  Microsoft Azure                           Large (A3)              Extra Large (A4)        A9
  Rackspace                                 Performance 2 15GB      Performance 2 30GB      Performance 2 60GB
  SoftLayer                                 8 GB / 4 Cores          16 GB / 8 Cores         32 GB / 16 Cores

Test Results

CPU Performance Results

In the web server test Amazon EC2 was a little better than the rest of the competition.  In the database server test Rackspace was slightly better until the large database server test, where Azure’s new A9 server won out.

The report also measures CPU variability.  In these multi-tenant, shared-resource environments, performance can change over time, which is a risk to a customer whose workload depends on steady throughput; if that applies to you, weigh this test and the other variability tests in the report as well.  For this test, lower is better: ideally you get the same performance over the life of the service.

In both tests Amazon had the best overall score across all server types.  Note that the CPU model changes as you move across server types, which should be kept in mind when reading these two scores.

Disk Performance Testing

In these tests Amazon EC2 and Rackspace were consistently faster and more reliable.  Since they use SSD-based storage, they should be faster and more consistent than the other services.  DigitalOcean is also SSD based, but its performance was not on par with the other SSD-based services and it also had the highest variability.  SoftLayer is not SSD based, but its overall disk performance and consistency were very good; this could be SSD caching, but however they are doing it, the performance speaks for itself.  Microsoft Azure and Google do not offer SSD storage, which is reflected in their results.

Figure: Web Server Tests (chart not reproduced)

 

Memory Performance

These tests were run only on the database servers.  Because Azure’s older hardware is AMD based (CPU and motherboard), it did not perform well until the large database server test, where the A9 uses the newer Intel Sandy Bridge platform.  Amazon and Google performed well throughout and outperformed the others.  Newer hardware is always going to win these types of tests, and that is reflected here.

External and Internal Network Performance

Network testing is always subjective, and testing cloud providers’ network throughput adds to the complexity of the configuration, since some providers offer additional ways to improve performance through different setups.  Amazon, Google and Rackspace seem to provide higher throughput than Microsoft Azure, DigitalOcean and SoftLayer.  Some vendors also cap throughput depending on the size of the compute instance you purchase.

They also cover the value of each provider in their report which ultimately should be the deciding factor in choosing which cloud computing provider to use for your solution. After all there is no need to overspend on a service if you can accomplish everything you need with a cheaper solution.

You can download the full report here.

New Practice Exams for AWS Certification

As the old saying goes, practice makes perfect!


In order to help you to study and prepare for the AWS Certification Exams, we have released four practice exams. These practice exams supplement the blueprint guides associated with each exam and are designed to help you to test your knowledge before you take the final exam.

The Associate practice exams are available for $20 USD and include 20 questions within a 30 minute period. The Professional practice exam costs $40 USD and has 40 questions within 1 hour. Practice exams can be accessed online and on-demand through our testing partner Kryterion.

To learn more about the full suite of AWS Exams, visit the AWS Certification page.

via New Practice Exams for AWS Certification.