Notes From The Field: 01 Cloud+ Concepts Models

The document discusses key concepts related to cloud computing including virtualization, service-oriented architectures, distributed computing, and different cloud delivery and deployment models. It also examines the economic advantages of hybrid cloud computing and compares public versus private cloud options. Security responsibilities in the cloud and migrating systems to the cloud are also addressed at a high level.

Uploaded by

Siddhi Dube
Copyright © All Rights Reserved

01 Cloud+ Concepts Models

Old names for the same idea
  - Virtualization
  - Grid technology
  - Service-oriented architectures
  - Distributed computing
  - Browser as a platform
  - Abstraction and layering

Working definition (the NIST working definition)
  A pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This model promotes availability and is comprised of five key characteristics, three delivery models and four deployment models.

A demystified definition
  - Large, optimized organizations rent you their extra CPU cycles.
  - Large, well-connected, empty telcos rent you their extra space.
  - All of it is contracted.

Notes from the field
  - Expanding security experience
  - We migrated everything to the cloud.
  - We had to change vendors a few times.
  - We had vendors change contracts.
  - We had vendors migrate to the cloud without informing us.
  Problems
  - Where is the line between SaaS, PaaS and XaaS?
  - What effect does outsourcing have on the company?
  - What do the contracts look like?

Characteristics (the five)
  - Pay per use
  - On-demand self-service
  - Ubiquitous network access
  - Location-independent resource pooling
  - Rapid elasticity

Hybrid ("where most of us live")
  - Hybrid cloud, example 1
  - Economic advantage of hybrid
  - Hybrid cloud computing architecture
  - Cross-vendor management
  - Self service
  - Operations view
  - Business management view

Elasticity (original v2 exam: build your own cloud; cloud management platform capabilities)
  - Non-elastic: the old way
  - Non-elastic but load balanced
  - Cloud-designed infrastructure
  - Cloud-native application

Public vs. private cloud
  - Public: renting in the same building as your enemies
  - Private: owning
  - Which is better, and why?
  - Migration timeline

Cloud native
  - A cloud system that is scalable and reliable by construction
  - Must be able to autonomously detect and mitigate
  - Buy

Delivery models
  Software as a Service (SaaS)
    - Only exports software
    - No external backups
    - Security reference model
    - Shared responsibility
    - Layers of management
  Platform as a Service (PaaS)
    - AWS
    - "Stamp on market"
  Infrastructure as a Service (IaaS)
    - Metal: no really, I need a TTY, not a VTY
    - IaaS provider: AWS
    - IaaS provider: Rackspace Open Cloud
    - Is someone missing?

(c) Dean Bushmiller 2021
02 Cloud+ Storage

Hard disk types
  - Hard Disk Drive (HDD): one or more ferrous-oxide-coated electromagnetic disk platters mounted to a center spindle
  - Solid State Drive (SSD): consists of a set of microchips and has no moving parts
  - Price point quoted in the notes: $40K for 100 TB

Disk types and configurations
  - Drive size
  - IOPS: number of read and write operations per second
  - Throughput: number of bits read or written per second
  - Small files = more overhead per operation

Vendor concepts: Azure storage account
  - A container that groups a set of Azure Storage services together so they can be managed as a group
  - Deleting a storage account deletes all of the data stored inside it
  - Only data services from Azure Storage can be included in a storage account (Blobs, Files, Queues and Tables); other data services such as SQL and Cosmos DB cannot
  - Up to 250 storage accounts in a subscription
  Redundancy
  - Locally redundant storage (LRS): three synchronous copies within a single data center in the region
  - Zone-redundant storage (ZRS): replicates data across three storage clusters (availability zones) in the region
  - Geographically redundant storage (GRS): additionally replicated to a secondary region
  - Whole disk encryption
  - Related services: Amazon Elastic File System (Amazon EFS); Azure Files (SMB) and Azure Blob storage

Storage tiers ("support mission"; not a military classification scheme)
  - Tier 1, Restricted: mission-critical, frequently accessed, or highly sensitive data
  - Tier 2, Private: financial, infrequently accessed, or confidential data
  - Tier 3, Public or transactional: event-driven, rarely accessed, unclassified data
  - Tier 4, Compliance: tape or recordable discs; requirements for keeping e-mails or data for long periods of time; can be a large amount of data but does not need to be instantly accessible
  Operations
  - Organize, manage and make data available according to its value, access levels, retention and required capacity
  - Effective use of tiered storage reduces data storage costs
  - Consider data usage, availability, reliability and storage structures

Disk allocation
  Sectors and clusters
  - Each drive has a designated number of these elements it can support: partitions, cylinders, tracks and sectors
  - Creation of disk allocation units (partitions / volumes) is up to the user or administrator
  - Before format: the operating system knows this inside a virtual machine; mount a drive
  - Format a drive: formatting adds the logical data elements required by the file system to allocate and manage the disk

File systems
  - Provide a definition for the naming convention for data files and the logical file and directory/folder organization on the physical hard disk
  - File system formats; the operating system knows this inside a VM

Data classification
  - Structured: relational data that adheres to a strict schema
  - Semi-structured: fields do not neatly fit into tables, rows and columns; XML (Extensible Markup Language), JSON (JavaScript Object Notation), YAML (YAML Ain't Markup Language)
  - Unstructured: delivered in files, such as photos or videos
  - Application data

RAID levels
  - RAID 0: applies disk striping only; speed only; inverse fault tolerance (losing any one drive loses the whole array)
  - RAID 1: applies disk mirroring only; cost is double the original storage price
  - RAID 5: implements parity blocks and then stripes them across at least three hard disk drives along with the data
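The three RAID levels above differ in how a block write is laid out and in what survives the loss of a drive. The Python model below is added here as an illustration and is not part of the original notes: it lays out a list of blocks the way RAID 0, 1 and 5 would, and in the RAID 5 case rebuilds a failed drive by XORing the survivors. The block contents, drive counts and the rotating parity placement are constructed assumptions for the demonstration.

```python
"""RAID 0/1/5 layout and RAID 5 rebuild on in-memory block lists (illustration)."""
from typing import List


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bitwise XOR of equal-length blocks; this is the RAID 5 parity function."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def raid0_write(data: List[bytes], drives: int) -> List[List[bytes]]:
    """RAID 0: round-robin striping, no redundancy; any drive loss loses data."""
    layout: List[List[bytes]] = [[] for _ in range(drives)]
    for i, blk in enumerate(data):
        layout[i % drives].append(blk)
    return layout


def raid1_write(data: List[bytes]) -> List[List[bytes]]:
    """RAID 1: every block on both drives; capacity cost is double."""
    return [list(data), list(data)]


def raid5_write(data: List[bytes], drives: int) -> List[List[bytes]]:
    """RAID 5: each stripe holds (drives-1) data blocks plus one parity block,
    and the parity position rotates one drive per stripe (assumed placement)."""
    if drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    width = drives - 1
    blk_len = len(data[0])
    layout: List[List[bytes]] = [[] for _ in range(drives)]
    for stripe, start in enumerate(range(0, len(data), width)):
        chunk = data[start:start + width]
        chunk = chunk + [bytes(blk_len)] * (width - len(chunk))  # zero-pad last stripe
        parity = xor_blocks(chunk)
        parity_drive = stripe % drives
        it = iter(chunk)
        for d in range(drives):
            layout[d].append(parity if d == parity_drive else next(it))
    return layout


def raid5_read(layout: List[List[bytes]], nblocks: int) -> List[bytes]:
    """Read data blocks back in order, skipping each stripe's parity slot."""
    drives = len(layout)
    out: List[bytes] = []
    for stripe in range(len(layout[0])):
        parity_drive = stripe % drives
        out.extend(layout[d][stripe] for d in range(drives) if d != parity_drive)
    return out[:nblocks]


def raid5_rebuild(layout: List[List[bytes]], failed: int) -> List[bytes]:
    """Reconstruct the failed drive: in every stripe, the XOR of all surviving
    blocks (data and parity alike) equals the missing block."""
    survivors = [d for d in range(len(layout)) if d != failed]
    return [xor_blocks([layout[d][s] for d in survivors]) for s in range(len(layout[0]))]


def usable_blocks(level: int, drives: int, blocks_per_drive: int) -> int:
    """Capacity actually available to the file system for each level."""
    if level == 0:
        return drives * blocks_per_drive
    if level == 1:
        return blocks_per_drive          # a mirrored pair stores one copy of everything
    if level == 5:
        return (drives - 1) * blocks_per_drive
    raise ValueError(f"unsupported RAID level {level}")


# Constructed sample data: five 4-byte blocks written to a three-drive RAID 5.
SAMPLE = [b"AAAA", b"BBBB", b"CCCC", b"DDDD", b"EEEE"]

if __name__ == "__main__":
    array = raid5_write(SAMPLE, drives=3)
    array[1] = raid5_rebuild(array, failed=1)       # lose drive 1, rebuild it from the rest
    print(raid5_read(array, len(SAMPLE)) == SAMPLE)  # True
```

The same XOR that produces the parity recovers any single missing block, which is why RAID 5 survives exactly one drive failure and RAID 0, which has no parity, survives none.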

04 Cloud+ Networking

Vendor network implementations
  - What an enterprise (standard) network looks like
  - What the cloud looks like

Application layer protocols
  - Server Message Block (SMB): communication protocol for providing shared access to files, printers and serial ports between nodes on a local network; one version of it was also known as the Common Internet File System (CIFS)
  - File Transfer Protocol (FTP): one of the common Internet protocols that transfer files from one network host to another using TCP; client/server
  - Hypertext Transfer Protocol (HTTP) and Hypertext Markup Language (HTML): the client requests files; the server provides the requested web page content in a response message, which may contain only status information
  - Electronic mail: Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP), commonly used by email clients; Simple Mail Transfer Protocol (SMTP); SMTPS is the secure version of SMTP
  - Dynamic Host Configuration Protocol (DHCP): DORA (Discover, Offer, Request, Acknowledge); the DHCP server has a pool of IP addresses assigned by the network administrator; lease = length of time until the configuration expires; routing parameters handed out: subnet mask, default gateway
  - Domain Name System (DNS): hierarchically arranged system of databases and data caches that associate IP addresses with easily remembered, human-readable names; Uniform Resource Locators (URLs); know your top record types; DoH, DoT and DNSSEC
  - Simple Network Management Protocol (SNMP)

Network switching
  - A switching device creates a map of the Layer 2 physical addresses (Media Access Control addresses) of the nodes located on the network segment attached to each of its interface ports
  - It examines network traffic and forwards it only to the segment of the intended destination
  - Virtual environments: the nodes of a virtual network are virtual machines (VMs), each of which sends and receives data to and from the network
  - Cloud switch: VMkernel network access for vMotion, iSCSI and NFS

Routing
  - Routers link networks; they connect LANs to a WAN, allowing multiple internal nodes to share a single WAN connection
  - Best available routes across every network; the telco route is the fastest, not the cheapest; the "best" route for the mission takes dollars into consideration; routers provide a dispatching function
  - Cloud routing: the underlying physical path is decoupled; routing is much more of an organizing tool; subnets are used for logical and security separation

Network address translation
  - Network address translation (NAT) creates a one-to-one mapping between internal IP addresses and an external (routable) IP address
  - Port address translation (PAT) creates a many-to-one mapping between many internal IP addresses and ONE external (routable) IP address
  - Most of the time we are doing PAT and calling it NAT

VLANs
  - Virtual LAN (VLAN): a logical network of network nodes grouped by software that share a common configuration; creates a separate broadcast domain
  - Uses a 12-bit VLAN ID, so a maximum of 4,096 network IDs
  - VXLAN: for when 4,096 is not enough; used in cloud environments to segment different tenants
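To see where the 4,096 and 24-bit limits come from: an 802.1Q tag is four bytes inserted after the source MAC, a 0x8100 TPID followed by a Tag Control Information word in which only 12 bits carry the VLAN ID (4,096 values, with 0 and 4095 reserved), while the VXLAN header carries a 24-bit VXLAN Network Identifier, about 16.7 million segments. The Python below is an added example rather than the notes' own material: it builds and parses both headers on a constructed Ethernet frame. The MAC addresses and payload are made-up sample data.

```python
"""802.1Q tag and VXLAN header encode/decode (illustration of the ID widths)."""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag in the VXLAN header


def build_8021q_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """TPID (16 bits) + TCI: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 0 < vid < 4095:                      # 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"VLAN ID {vid} is not a usable 12-bit VLAN ID")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the tag between the 12-byte dst/src MAC header and the EtherType."""
    return frame[:12] + build_8021q_tag(vid, pcp) + frame[12:]


def parse_8021q(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (vid, pcp, inner_ethertype), or None when the frame is untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, ethertype


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def parse_vxlan_vni(header: bytes) -> int:
    """Extract the VNI; refuse headers whose I flag says the VNI is not valid."""
    flags_word, vni_word = struct.unpack("!II", header[:8])
    if not (flags_word >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI not valid")
    return vni_word >> 8


def max_ids() -> Tuple[int, int]:
    """(usable 802.1Q VLAN IDs, VXLAN segment IDs)."""
    return 4096 - 2, 1 << 24


# Constructed sample: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800) + b"payload")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vid=100, pcp=5)
    print(parse_8021q(tagged))                              # (100, 5, 2048)
    print(parse_vxlan_vni(build_vxlan_header(5_000_000)))   # 5000000
```

The VXLAN header sits inside a UDP datagram carrying the whole inner Ethernet frame, which is how one tenant's VLANs can be carried across another network without consuming that network's 12-bit ID space.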
VLAN tagging
  - 802.1Q standard: the process of tagging Ethernet frames (Layer 2 message units) so that bridges, switches and routers know that "this port and that data are VLAN X"
  - VXLAN uses a 24-bit segment ID
  - Used by cloud providers and/or enterprise virtualization; cloud consumers typically do subnetting and PAT

Network protocols
  - IPv4: three addressing modes, unicast, broadcast and multicast; you must be able to subnet

Connectivity testing ("do each now please, if your OS will allow")
  - netstat (network status): displays the listening (open) ports on a computer as well as any active network connections, both incoming and outgoing
  - nslookup (name server lookup) / dig: displays the Domain Name System (DNS) server information for a particular fully qualified domain name (FQDN)
  - ipconfig / ifconfig: displays the current TCP/IP configuration and allows for the management of a host's Dynamic Host Configuration Protocol (DHCP) or DNS settings
  - route: displays and allows modifications to the contents of the local IP routing table
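Cloud consumers, as the notes say, mostly subnet and run PAT. The Python below is an added illustration and not part of the original notes: it carves a private range into subnets with the standard library's ipaddress module, then walks two internal hosts through a many-to-one PAT table beside a one-to-one static NAT table, so the difference between the two mappings is visible in the translation state. The addresses, the port pool and the example destination are constructed assumptions.

```python
"""Subnetting plus one-to-one NAT versus many-to-one PAT, as translation tables."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)


def carve_subnets(cidr: str, new_prefix: int) -> List[Tuple[str, int]]:
    """Split a range into equal subnets; returns (subnet, usable host count)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [(str(s), s.num_addresses - 2) for s in net.subnets(new_prefix=new_prefix)]


class StaticNat:
    """One-to-one: each internal address owns its own public address."""

    def __init__(self, pairs: Dict[str, str]):
        self.out_map = dict(pairs)
        self.in_map = {pub: priv for priv, pub in pairs.items()}

    def outbound(self, src_ip: str) -> str:
        return self.out_map[src_ip]

    def inbound(self, public_ip: str) -> Optional[str]:
        return self.in_map.get(public_ip)


class PatGateway:
    """Many-to-one: every internal flow shares ONE public address and is told
    apart by a unique public source port (the port pool is an assumption)."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_table: Dict[Flow, int] = {}                               # flow -> public port
        self.in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = {}   # (pub port, remote ip, remote port) -> internal

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Rewrite the source of an outgoing packet; allocate a port on first sight."""
        if not ipaddress.ip_address(src_ip).is_private:
            raise ValueError("PAT is for RFC 1918 sources")
        key: Flow = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.out_table[key] = self.next_port
            self.in_table[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, remote_ip: str, remote_port: int, public_port: int) -> Optional[Tuple[str, int]]:
        """Reply arriving at public_ip:public_port; None means no state, i.e. unsolicited, dropped."""
        return self.in_table.get((public_port, remote_ip, remote_port))


def demo() -> Tuple[Flow, Flow]:
    """Two hosts using the SAME source port both reach the same server; only the
    rewritten public port tells the replies apart."""
    gw = PatGateway("203.0.113.10")                 # documentation address, constructed
    a = gw.outbound("10.0.1.10", 40000, "198.51.100.7", 443)
    b = gw.outbound("10.0.2.20", 40000, "198.51.100.7", 443)
    return a, b


if __name__ == "__main__":
    for subnet, hosts in carve_subnets("10.0.0.0/16", 24)[:3]:
        print(subnet, hosts)
    print(demo())
```

The inbound lookup is the security-relevant half: a packet with no matching translation state has nobody to go to, which is why a PAT gateway drops unsolicited inbound traffic by construction rather than by an explicit rule.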
05 Cloud+ Virtualization

What is virtualization
  - A way to abstract applications and their underlying components away from the hardware supporting them, and present a logical or virtual view of these resources
  Components
  - Virtual disks
  - vNIC
  - Virtual switches
  - Virtual machine
  - Virtual memory
  - Storage virtualization
  - Network function virtualization: the NFV / SDN model
  - Guest tools
  - Mixing it all together

Unified Extensible Firmware Interface (UEFI)
  - Defines a software interface between an operating system and platform firmware
  - UEFI replaces the legacy Basic Input/Output System (BIOS): BIOS is now UEFI
  - Supports remote diagnostics and repair of computers, even with no operating system installed

Goals of virtualization
  - Lots of CPU sits idle in the enterprise: higher levels of utilization
  - Scalability
  - Reliability / availability
  - Agility
  - Create a unified management domain

CPU and cores
  - Hyperthreading: creates two logical CPU cores for each physical CPU core; proprietary technology for Intel CPUs
  - VT-x: a set of instructions performing virtualization functions that is built into the CPU
  - NIC

Hypervisor
  - Type 1: deployed on a bare-metal installation; the first thing installed on a Type 1 host is the hypervisor software, which acts as the core operating system; VMware, Microsoft, Citrix, Oracle and Red Hat
  - Type 2: loaded on top of an already existing operating system; cannot boot until the main operating system is loaded and operational; Oracle VirtualBox, VMware Fusion / Workstation
  - Proprietary: Hyper-V, vSphere, OVM
  - Open source: Citrix Xen, kernel-based virtual machine (KVM), OpenVZ
  Consumer vs. enterprise
  - Enterprise: the goal is to support computing activities with the least amount of hardware that provides sufficient performance and redundancy
  - Consumer: testing; great for running multiple operating systems and versions; a virtual desktop removes the need for remote configuration

RAM
  - Overcommitment ratio: allows the hypervisor to host more virtual machines than physically possible; works as long as the actual consumption remains lower than physical memory; CPU usage often decreases significantly, with occasional increases due to utilization
  - Memory ballooning: virtual machines often require more memory when starting up or when loading processes for the first time
  - Memory bursting: for burst values, consider how much the machine will use at peak levels and then add a buffer to that value for the burst/max memory
  - Transparent page sharing: deduplicates hypervisor memory allocated to virtual machines
  - Memory compression
  - Paging to disk: a very bad thing in the virtual world
Cloud adoption, SLAs and contracts

Impact of cloud adoption on business processes
  - Prior to adoption, an organization must fully understand the impact cloud services will have on existing business processes
  - Technical and business staff must work together to determine the impact
  - Identify and understand organizational business processes and their dependencies
  Budget
  - From capital expenditure (CAPEX) to operating expenditure (OPEX)
  - Return on investment and profitability
  - The organization's financial processes
  Culture and business changes
  - Fundamental changes in expectations that accompany new technologies

Strategies for cloud adoption
  - Aligning cloud deployments with organizational goals
  - Identifying the impact of cloud adoption on business processes
  - Understanding the importance of service-level agreements
  Assumptions that derive from overconfidence in local hosting
  - Locally hosted resources are inherently better protected
  - Locally hosted resources are more readily available and more rapidly brought back online
  - Local personnel provide expertise in all of these areas to a greater degree than the cloud provider
  - The same legal and regulatory protections are provided by the hosting company as when data resources are stored in local data centers
  - "If you cannot touch your data, you do not own your data."

Business risks (part of the organization's risk management process; included in contracts and SLAs)
  - Legal constraints and transfers
  - Penalty costs for noncompliance
  - Proprietary lock-in
  - Resource exhaustion
  - Vendor services, facilities and monitoring
  - Multitenancy issues
  - Penetration testing and scanning
  - Audits

Service-level agreements
  - A service-level agreement (SLA) defines the metrics used to measure the service received from a service provider
  - Service-level objectives (SLOs), or service-level targets, are quality-of-service measurements used to measure service provider performance
  An SLA includes
  - Roles and responsibilities of the customer and the service provider
  - A breakdown of services provided and excluded
  - Costs for services
  - Duration of the agreement
  - Protections against external exposure
  - Availability and performance requirements
  - Service monitoring and reporting
  - Remediation and liability (or lack thereof) for service disruption
  - Dispute resolution procedures
  - A mechanism for reviewing and updating the SLA, including a change control process

Management changes
  - The organization must include changes to infrastructure, service, financial and vendor/partner management practices as well
  - Infrastructural management changes; service management; financial management; client access license (CAL) models

What should not go in the cloud
  - Critical or confidential information
  - Anything constrained by regulatory compliance; consult legal counsel
  - Anything the terms of service do not cover; a non-customizable SLA?

Cloud service-level agreements
  - One of the most important factors when deciding which vendor to use as a cloud service vendor is the ability to negotiate the legal terms of the service agreement
  - The service agreement must include a list of roles and responsibilities for both the customer and the cloud service vendor
  Terms to negotiate
  - Data location
  - Service multitenancy
  - Transparency (data breach notification)
  - Disaster recovery process notification
  - Legal data release notification
  - Data ownership
  - Data loss
  - Contract renewals
  - Contractual protection
  - Insurance
  - Identifying vendor roles and responsibilities
  Best practices for negotiating a cloud service contract
  - Information security levels
  - Choice of law
  - Data control
  - Service availability
  - Liabilities and indemnities
  - Deletion of data
  Cloud Industry Forum code of practice (cloudindustryforum.org)
  - A certifiable code of practice for the cloud industry
  - Widespread adoption based upon the trust and assurance that can be achieved through the code of practice
  - Supports other appropriate cloud-based initiatives that complement the purpose of the code of practice

06 Cloud+ Physical to Virtual

Cloud migration
  Migration types
  - Physical to Virtual (P2V)
  - Virtual to Cloud (V2C)
  Strategy depends on
  - The complexity of your infrastructure
  - The skills of your team
  - The stage of the application development cycle
  Cloud migration principles
  - Go fast
  - Push the boundaries
  - Make data-driven decisions (microservices design and messaging)
  - Simplify
  - Communicate to succeed
  Approaches
  - Rehost: lift and shift
  - Refactor: repackage your app with no major code changes
  - Rearchitect: modernize your code, breaking monoliths into microservices
  - Rebuild: completely rebuild your application for cloud-native

Software as a Service (SaaS) skills
  - The customer may not be required to maintain expertise on the technology used to create and maintain SaaS applications, but must understand how the applications work and their limitations
  - Technical, project management and vendor management skills
  Cloud service rollout
  - Manage expectations for changes in the system
  - Use the solution for service desk and training purposes
  - Ensure the SaaS solution is accessible to end users
  - Migrate data: a data migration plan
  - A training and adoption plan
  - Create and implement a pilot program
  - At contract: service terms and SLAs
  - Communicate efficiently
  - Monitoring metrics; daily activities; problem management; change requests
  - Transitioning to live environments
  - Extending cloud scope
  Identifying organizational skill requirements
  - Monitoring skills
  - Technical skills
  - Project management skills
  - Vendor management skills
  - Data integration and analysis skills
  - Business and financial skills
  - Security and compliance management skills

Resource migrations
  - Virtual machine templates
  - Physical to Virtual (P2V): transformation of physical machines into VMs, organized based on power consumption; note the date at which support ends; "migration will take four weeks"; PlateSpin Migrate for P2V migration instead of VMware Converter
  - Virtual to Virtual (V2V)
  - Virtual to Physical (V2P)
  - Virtual machine cloning and virtual machine snapshots: clones vs. snapshots
  - Storage migration
  - Host clustering and HA/DR; CPU effect on HA/DR
  - Cloud provider migrations

Incident management for the cloud
  - Typical IR; IR with a vendor; IR with multiple cloud vendors
  Preparing for incident management: define clearly with each vendor
  - Service description
  - Service-level agreement
  - Support agreement maintained
  - Who is responsible for each line of support
  - Must specify how data is to be integrated between systems
08 Cloud+ Performance Tuning

Performance concepts
  Disk
  - IOPS (input/output operations per second): the standard measurement for disk performance
  - Metadata performance: how quickly files and directories can be created, removed or checked
  Network
  - Bandwidth: measurement of available or consumed data communication resources on a network
  - Throughput: the amount of data that can be realized between two network resources
  - Network latency: delays experienced during the processing of any network data
  - Quality of Service (QoS): specific traffic classes that can be prioritized according to defined service levels
  - Multipathing: defining and controlling redundant physical paths to I/O devices

Deployment methodologies
  - Canary or rolling updates
  - Blue-green deployment
  - Rollback
  - Hotfixes
  - Patch management
  - Dependency considerations
  - Component updates

Memory
  - Place swap space on a solid state drive
  - Ballooning: the balloon driver communicates with the hypervisor to reclaim memory inside the guest; if the physical host begins to run low on memory, it grows the balloon driver to reclaim memory from the guest; this reduces the chance that the physical host will start to utilize virtualized memory (paging)

Scaling
  - Vertical scaling (scaling up): one bigger machine
  - Horizontal scaling (scaling out): more machines of the same size

Processor
  - CPU affinity: threads from a specific virtual machine are tied to a specific processor or core, and all subsequent requests from that process or thread are executed by that same processor or core; used to optimize cache performance
  - Configuration best practice: test CPU affinity before implementing it in production

Disk
  - Disk latency: the counter that provides administrators with the best indicator of when a resource is experiencing degradation
  - Analyze what type of I/O traffic is taking place across the defined disk resources
  - Tuning: moving data to the most appropriate set of resources; virtualization management platforms move applications, storage, databases and virtual machines among disk arrays with no downtime
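The RAM techniques in the virtualization section (overcommitment ratio, transparent page sharing, ballooning) and the ballooning rule in the memory section just above fit together as one accounting problem, which the following Python model, an added example rather than anything from the course notes, works through: three guests are configured for more memory than the host has, identical OS pages are deduplicated the way transparent page sharing does, and when the guests' possible growth no longer fits the host's headroom the balloon drivers are inflated so the host is not pushed into paging. The one-MiB page granularity, the guest sizes and the page contents are constructed assumptions.

```python
"""Memory overcommit, transparent page sharing and ballooning as an accounting model."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed granularity: one "page" is 1 MiB, so page counts are MiB directly.


@dataclass
class VM:
    name: str
    configured_mib: int                                    # what the guest believes it has
    pages: Dict[int, bytes] = field(default_factory=dict)  # guest page number -> content
    balloon_mib: int = 0                                   # pinned by the balloon driver

    def touched_mib(self) -> int:
        return len(self.pages)

    def free_in_guest(self) -> int:
        """Memory the guest could still consume before hitting its own limit."""
        return self.configured_mib - self.touched_mib() - self.balloon_mib

    def touch(self, page_no: int, content: bytes) -> None:
        """Guest writes a page; a fully inflated balloon makes this fail inside the guest."""
        if page_no not in self.pages and self.free_in_guest() <= 0:
            raise MemoryError(f"{self.name}: no free guest memory (balloon={self.balloon_mib} MiB)")
        self.pages[page_no] = content


class Host:
    def __init__(self, physical_mib: int):
        self.physical_mib = physical_mib
        self.vms: List[VM] = []

    def overcommit_ratio(self) -> float:
        return sum(vm.configured_mib for vm in self.vms) / self.physical_mib

    def backed_mib(self, transparent_page_sharing: bool = True) -> int:
        """Physical memory really consumed; with TPS identical pages are stored once."""
        if not transparent_page_sharing:
            return sum(vm.touched_mib() for vm in self.vms)
        unique = {hashlib.sha256(p).digest() for vm in self.vms for p in vm.pages.values()}
        return len(unique)

    def headroom_mib(self) -> int:
        return self.physical_mib - self.backed_mib()

    def would_page_to_disk(self) -> bool:
        """True once guest consumption exceeds physical RAM: the host must swap."""
        return self.headroom_mib() < 0

    def inflate_balloons(self) -> int:
        """Grow balloons until the guests' possible growth fits the headroom, so
        overcommit cannot turn into host paging. Returns MiB reclaimed."""
        excess = sum(vm.free_in_guest() for vm in self.vms) - max(self.headroom_mib(), 0)
        reclaimed = 0
        for vm in self.vms:
            if excess <= 0:
                break
            take = min(vm.free_in_guest(), excess)
            vm.balloon_mib += take
            excess -= take
            reclaimed += take
        return reclaimed


def build_demo_host() -> Host:
    """Constructed scenario: 8 GiB host, three 4 GiB guests (ratio 1.5), each
    having touched 2000 MiB, of which 500 MiB is an identical OS image."""
    host = Host(physical_mib=8192)
    for i in range(3):
        vm = VM(f"vm{i}", configured_mib=4096)
        for n in range(500):
            vm.touch(n, f"os-image-page-{n}".encode())        # same bytes in every guest
        for n in range(500, 2000):
            vm.touch(n, f"{vm.name}-private-page-{n}".encode())
        host.vms.append(vm)
    return host


if __name__ == "__main__":
    h = build_demo_host()
    print(h.overcommit_ratio(), h.backed_mib(False), h.backed_mib())   # 1.5 6000 5000
    print(h.inflate_balloons(), [vm.balloon_mib for vm in h.vms])     # 3096 [2096, 1000, 0]
```

The balloon never reduces what a guest has already touched; it only caps how much more the guest can take, which is why the host inflates it before the guests' growth would exceed physical memory rather than after.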
Cloud+ Systems Management
  - Cloud management functions (examples)
  - Resource monitoring techniques
  - Systems management best practices
Identity, Entitlement & Access Management in the Cloud

Changes in a cloud environment
  - Traditional application: a server in a DMZ tied into directory services for user authentication
  - A cloud application will consume identity from external sources
  - Do you control the account? To what degree of control?
  - The service can move

Identity
  - Entity types that will have identity: users, devices, code, organizations, agents
  - Identity provides the ability to repeatedly identify a unique entity
  - Strength with which an identity can be asserted
  - Persona: identity plus attributes; entities operate with a persona
  - When the cloud needs to use identity information, it needs to be consumed from multiple sources

Federation of identity
  - Interconnection of disparate directory services
  - Use of SAML
  - Trust relationships: do transitive trusts exist? Are the trust relationships bi-directional?
  - Public identity providers (Facebook, Yahoo or Google) provide low-grade identity with no guarantees of federating to other providers

Identity Management (IdM)
  Where the entitlement process is performed
  - Using a central/external policy enforcement point
  - Embedded as part of the cloud application
  - Identity-as-a-Service or Persona-as-a-Service
  Architectures for interfacing to identity providers
  - Hub-and-spoke
  - Free-form types
  The impact of using a cloud service is based on
  - Where customers have their identity
  - The capability of the cloud service
  - The capability of the enterprise to provide assertion-based identity and attributes
  Provisioning of identity and attributes
  - Link to human resources
  - Provisioning other entities
  Current best practices for selecting authentication services
  - Any authentication service implemented by the cloud provider should be OATH compliant. With an OATH-compliant solution, companies can avoid becoming locked into one vendor's authentication credentials.

Security practices
  - Defense in depth
  - Access control
  - Auditing / monitoring
  - Maintenance

Secure KVM design criteria (physical)
  - Isolated data channels
  - Tamper-warning labels on each side of the KVM
  - Housing intrusion detection
  - Fixed firmware
  - Tamper-proof circuit board
  - Safe buffer design
  - Selective USB access
  - Push-button control

Virtualization security
  - Network isolation; protecting VLANs
  - Transport Layer Security (TLS)
  - Network configuration
  - Domain Name System (DNS) and Domain Name System Security Extensions (DNSSEC)
  - Using Internet Protocol Security (IPsec)
  Virtual switches
  - Multiple VLANs on a single physical switch port with 802.1Q tagging reduce the number of physical NICs needed in a host
  - Redundancy: assign at least two physical NICs to a virtual switch, each NIC connecting to a different physical switch

Server threats: security tools
  - Asset management system with configuration management
  - Baselines to enforce configuration management
  - Robust change management system
  - Exception reporting system
B Cloud+ Security

How have traditional security devices changed in the cloud?
  - Traditional devices: VPN, WAF, firewall, IPS, IDS, DLP, FIM
  - Serverless
  - Ephemeral everything
  - Is the configuration stored on the device? Is the configuration part of the CSP?

Encryption
  - Goal: enable secure access and collaboration while protecting against unauthorized access
  - Encryption mechanisms should reflect the business/usage requirements
  - Unprotected information may trigger an enforcement action to encrypt the data
  - Interoperable encryption
  - Encryption keys should be held by the data owners
  - Data should be encrypted before it moves to the cloud and attached with appropriate usage permissions (client-side encryption)
  Key management
  - Best-practice guidelines for managing cryptographic keys
  - Protection of keys
  - Policy and enforcement
  - Data confidentiality and data integrity
  - Destruction: ensure that data cannot be accessed by anybody in the future
  - Encryption of metadata
  - Trust and integrity of data through digital signature use

Securing the client
  - Endpoint devices and applications
  - Threats = everybody, everything and everywhere
  Remote access controls
  - Encrypt all communications
  - Complex passwords
  - Authentication: secure login, certificate-based login, two-factor authentication
  - Log and audit all connections

Data protection
  - Data in transit: data while it is being transferred from one data repository to another; includes data sent by back-end servers, applications and databases over the network
  - Data at rest: data while it is inside persistent storage
  - Where? As it resides, moves and departs
  Data Loss Prevention (DLP)
  - Concept: controls put in place by an organization to ensure that data (structured and unstructured) of value to it remains under authorized use and care
  - May be obtained from a cloud service provider offering a security-as-a-service (SecaaS) solution
  - An important element of a broader security strategy around data protection
  Information classification
  - What is the nature of the information?
  - Who is allowed to access this information?
  - Where is this information allowed to be used/sent?
  - What is the severity of exposure?
  System integrity
  - Settings match policy
  - Notification and alerts
  - Detection of policy violation
  Actions
  - Alert, log, reroute and pass
  - Block / quarantine
  - Delete

Patch management process (change management, only faster)
  - Vulnerability detection and evaluation
  - Subscription mechanism to vendor patch notifications
  - Internal severity assessment of the patch
  - Applicability assessment of the patch on target systems
  - Opening of tracking records in case of patch applicability
  - Customer notification of applicable patches
  - Successful patch application verification
  - Issue and risk management due to conflicting actions
  - Closure of tracking records with all auditable artifacts
  - Problem: VM suspension / snapshot / rollback on patch
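The DLP concept, the information-classification questions and the action list above become concrete when they are run as a policy over actual content. The Python below is an added example, not part of the notes: it classifies message text into the Restricted / Private / Public tiers the notes use (payment card numbers with a Luhn check so that random digit strings are not flagged, national-ID-style numbers, and explicit handling labels), then applies the alert/log/pass or block/quarantine decision depending on whether the recipient is inside the organization. The internal domain, the sample messages and the policy table are constructed assumptions.

```python
"""DLP policy decision over constructed messages: classify, then act."""
import re
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_DOMAINS = {"corp.example"}                      # assumption for the demo
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # 13-16 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US SSN shape, as an example pattern
LABEL_RE = re.compile(r"\b(RESTRICTED|CONFIDENTIAL)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Tuple[str, List[str]]:
    """Return (tier, findings): restricted > private > public."""
    findings: List[str] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(f"card:****{digits[-4:]}")
    if SSN_RE.search(text):
        findings.append("national-id")
    label = LABEL_RE.search(text)
    if label:
        findings.append(f"label:{label.group().lower()}")
    if any(f.startswith("card:") or f == "national-id" for f in findings) or "label:restricted" in findings:
        return "restricted", findings
    if findings:
        return "private", findings
    return "public", findings


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


def decide(msg: Message) -> Tuple[str, str, List[str]]:
    """Policy (assumed): restricted data never leaves the org; private data may,
    but with an alert; classified data staying inside is logged; the rest passes."""
    tier, findings = classify(msg.body)
    external = msg.recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    if tier == "public":
        return "pass", tier, findings
    if tier == "restricted" and external:
        return "block-quarantine", tier, findings
    if external:
        return "alert-and-pass", tier, findings
    return "log-and-pass", tier, findings


# Constructed sample traffic (no real people, accounts or card numbers in use).
SAMPLE = [
    Message("alice@corp.example", "bob@corp.example", "Lunch at noon?"),
    Message("alice@corp.example", "ops@vendor.example", "Card on file: 4111 1111 1111 1111, exp 12/29"),
    Message("alice@corp.example", "carol@corp.example", "CONFIDENTIAL: Q3 forecast attached"),
    Message("alice@corp.example", "carol@corp.example", "Employee 123-45-6789 onboarding"),
    Message("alice@corp.example", "x@mail.example", "Order 4111 1111 1111 1112 shipped"),
]


def scan_all(messages: List[Message] = SAMPLE) -> List[str]:
    """Action taken for each message, in order."""
    return [decide(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE:
        print(decide(m), "->", m.recipient)
```

The last sample message is the point of the Luhn check: it contains sixteen digits that fail the checksum, so a naive regex-only rule would quarantine an order confirmation while this one lets it through.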
C Cloud+ Continuity and Recovery

Reliability, availability, serviceability
  - Reliability: the amount of time a computer system or component part will continue to perform before requiring maintenance or replacement; bathtub curve life cycle
  - Availability: the system will work properly when it is required; the desired condition of a system or component is to be operational without fault or maintenance for an extended length of time; "not downtime"; 99.999% uptime; component availability
  - Serviceability: the ease and speed of repairing or maintaining a system; includes the diagnostic time to troubleshoot and determine the cause and location of a failure and to effect its correction
  Recovery metrics
  - MTTR (mean time to repair): a measurement that states how long it should take to fix a failed component
  - RTO (recovery time objective): the total time allowed for making a repair or replacement, whatever needs to be done to get the component or system back up and running
  - RPO (recovery point objective): the point in time to which data must be restored, i.e. the maximum acceptable amount of data loss expressed as time

Handling a failure
  - Identification: locality, cause, duration, effect
  - Isolation: once you identify the root cause of a failure, it is best to isolate the failing component from the rest of the system to avoid causing a chain reaction of failures
  - Containment: commonly, at the point of a failure an entire subsystem must be isolated from the system to contain the effect of the failure
  - Static recovery (passive fault tolerance): uses fault masking to mitigate the occurrence of a fault by hiding the fault from the system
  - Dynamic recovery (active fault tolerance): uses detection and diagnostics to identify a fault and effect a recovery

High availability: failover and failback
  - Failover (HA): the action of a redundant device taking over for a failing device; heartbeat cable
  - Failback: the process that restores the primary device to operations after a failover action removed it from operations

Cloud disaster recovery (fault focus)
  - Recovery as a Service (RaaS)
  - Disaster Recovery as a Service (DRaaS)
  - Cloud Recovery Services (CRS)

Redundancy
  - Replication: multiple instances of the same system process tasks or requests in parallel; a voter chooses the forwarded response or result based on the most common response from the system's devices or processes
  Space redundancy
  - Hardware redundancy: multiple instances of the same devices running in parallel; one could fail and the others could continue processing
  - Software redundancy
  - Data or information redundancy, including the possible duplication of data to a system
  Time redundancy
  - Involves the repetition of every action, such as a computation or a data transmission, and comparing the results of the repeated action to a stored copy of the original action
  - If the two results differ, the action repeats; the administrator's configuration settings determine how long this goes on before the system issues an alert
  - More about ensuring the correctness of an action than about surviving hardware loss
  Hardware fault tolerance: RAID
  - RAID 0, RAID 1 (mirror), RAID 5; no to RAID 6
  Site types
  - Hot, warm, cold

Fault-tolerant design
  - Component diversity
  - Disaster planning: anticipate all failure events that could happen to the system, its components and its environment
  - Process: identify the most-likely-to-fail and most-costly-to-lose components; eliminate as many single points of failure as possible
  - Controls: preventive, detective, corrective
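The availability figure (99.999% uptime), the MTTR/RTO/RPO metrics and the space- and time-redundancy mechanisms above all reduce to small computations and loops, which the following Python, an added example that is not from the notes, carries out: allowed downtime for a given availability, availability from MTBF and MTTR, how availability composes in series versus in parallel (the arithmetic behind hardware redundancy), RTO/RPO checks, a majority voter over replica responses, and a time-redundant retry that repeats an action until it matches the stored copy or the configured repeat limit raises an alert. The hours-per-year convention, the alert threshold and the flaky sample action are constructed assumptions.

```python
"""Availability arithmetic plus space (voter) and time (repeat/compare) redundancy."""
import math
from collections import Counter
from functools import reduce
from typing import Callable, Hashable, Iterable, Optional, Sequence, Tuple

SECONDS_PER_YEAR = 365 * 24 * 3600          # non-leap year, by convention


def allowed_downtime_seconds(availability: float, period: int = SECONDS_PER_YEAR) -> float:
    """99.999% over a year leaves about 315 seconds (5.26 minutes) of downtime."""
    return (1.0 - availability) * period


def nines(availability: float) -> float:
    """Number of nines: -log10(1 - A); 0.99999 -> 5."""
    return -math.log10(1.0 - availability)


def availability_from_mtbf(mtbf: float, mttr: float) -> float:
    """Steady-state availability of one repairable component."""
    return mtbf / (mtbf + mttr)


def series(availabilities: Iterable[float]) -> float:
    """Everything must be up: a chain is weaker than its weakest link."""
    return reduce(lambda a, b: a * b, availabilities, 1.0)


def parallel(availabilities: Iterable[float]) -> float:
    """Space redundancy: any one survivor keeps the service up."""
    return 1.0 - reduce(lambda a, b: a * (1.0 - b), availabilities, 1.0)


def meets_rto(repair_seconds: float, rto_seconds: float) -> bool:
    return repair_seconds <= rto_seconds


def within_rpo(last_good_copy_ts: float, failure_ts: float, rpo_seconds: float) -> bool:
    """Data lost is the gap since the last restorable copy; it must not exceed the RPO."""
    return failure_ts - last_good_copy_ts <= rpo_seconds


def majority_vote(responses: Sequence[Hashable]) -> Optional[Hashable]:
    """Forward the most common replica response; None when there is no majority."""
    if not responses:
        return None
    value, count = Counter(responses).most_common(1)[0]
    return value if count * 2 > len(responses) else None


def time_redundant(action: Callable[[], Hashable], stored_copy: Hashable,
                   max_repeats: int = 3) -> Tuple[Optional[Hashable], int, bool]:
    """Repeat the action until its result equals the stored copy. Returns
    (result, attempts, alerted); alerted is True when the limit was reached."""
    for attempt in range(1, max_repeats + 1):
        result = action()
        if result == stored_copy:
            return result, attempt, False
    return None, max_repeats, True


def flaky_checksum(failures_before_success: int) -> Callable[[], int]:
    """Constructed action that returns a corrupted result a fixed number of times."""
    state = {"calls": 0}

    def run() -> int:
        state["calls"] += 1
        return 0xC0FFEE if state["calls"] > failures_before_success else 0xBAD
    return run


if __name__ == "__main__":
    print(round(allowed_downtime_seconds(0.99999) / 60, 2))   # 5.26 minutes per year
    print(parallel([0.99, 0.99]), series([0.999, 0.999]))     # 0.9999 0.998001
    print(majority_vote(["ok", "ok", "corrupt"]))             # ok
    print(time_redundant(flaky_checksum(2), 0xC0FFEE))        # (12648430, 3, False)
```

Two points the arithmetic makes visible: adding a second 99% component in parallel buys two more nines, while chaining two 99.9% components in series costs almost a whole one, and a voter needs an odd number of replicas, since with two a disagreement leaves no majority to forward.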
D Cloud+ Adapting Change Management to the Cloud

Change philosophy
  preserve agility by "de-penalizing" the rollback of failed changes
  must be willing to roll back changes that have adverse business consequences
  build automation to make this happen
  regular scheduled and unscheduled changes flow through an unchanged pipeline
    ensures all best practices are met before implementing a change in production
    minimizes the possibility of human error
  automation that optimizes business risk
  predictable and testable outcomes to changes

Representative test environment
  enabling creation of identical environments
  Test cases aimed at specific bottlenecks
  Including cloud aspects in test cases
    End user host machines
    Network connections
  Setting up test cases

Change Management in the Cloud
  Traditional process: if an application suffers a fault
    an engineer is tasked to investigate
    apply a fix
    deploy a new server
    either requires an emergency change
    the business is at risk for a significant amount of time
  Cloud Change
    removes the requirement to submit changes for routine recovery
    scale infrastructure to meet business demand
    automatically recover from failure
    roll back failed changes
    failures can be automatically detected using predefined health checks
    servers can be automatically replaced with exactly the same configuration (for example, AWS Auto Scaling groups)
    human error is taken out of the recovery path
    configuration drift is eliminated because replacements are built from the same definition
    business risk is minimized to a limited amount of time
    any manual approval steps required to recover introduce risk to the business
    changes can be made more frequently and with more confidence in the rollback plan
    rollbacks should be considered part of the normal process
  Adapting change approval
    Smaller change approval can be part of SOP
    Changes should not be approved without considering the consequences of a failure
    there will be a back-out plan which will restore the organization to its initial situation
  Configuration Items in Cloud vs traditional IT environment

Testing
  Setting up operational profiles
    Step 1: Identify the initiators of operations
    Step 2: List operations
    Step 3: Review listed operations
    Step 4: Determine the frequency of operations
    Step 5: Determine the likelihood of each operation occurring
    automate this process
  Performance (technical load)
    Measurement tool: determines response times and checks the correct functioning of the service
    Load generator: simulates users by means of virtual users (see https://flood.io/load-generators)
    Monitors: measure aspects of the infrastructure such as use of memory, network load and processor use; needed to determine the limiting factors (bottlenecks)
  Types
    Load: whether the service reacts with sufficient speed and whether errors do or do not occur; correct generation of error messages
    Stress: determines the behavior of a service beyond the peak load; after a certain volume is processed, performance drops or the service stops completely
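The load and stress tests described above, as an added example that is not part of the original notes. The SimulatedService is a constructed stand-in for the system under test (its capacity, latency curve and hard limit are assumptions so the script runs offline); virtual users ramp up in steps, each step records the p95 response time and error rate, and the summary reports the peak load that still meets the SLA, the first load at which errors appear, and the load at which the service stops completely.

```python
"""Simulated load and stress test driven by virtual users (added example)."""
import math
from dataclasses import dataclass


@dataclass
class SimulatedService:
    """Constructed stand-in for the system under test, so the script runs offline.
    Replace respond() with a real request (e.g. urllib) to exercise a live service."""
    capacity_rps: int               # requests per second it can complete
    base_latency_ms: float = 20.0   # service time with no contention
    timeout_ms: float = 2000.0      # client deadline; no answer by then = error
    hard_limit_rps: int = 300       # offered load beyond which it stops completely

    def respond(self, offered_rps, request_index):
        """Return (latency_ms, status): 200 served, 503 rejected, 0 no response."""
        if offered_rps > self.hard_limit_rps:
            return self.timeout_ms, 0              # service has collapsed
        if request_index >= self.capacity_rps:
            return 5.0, 503                        # fast rejection past capacity
        utilisation = min(offered_rps / self.capacity_rps, 0.95)
        latency = self.base_latency_ms / (1.0 - utilisation)   # M/M/1-style queueing
        return latency + (request_index % 7) * 2.0, 200        # deterministic jitter


@dataclass
class StepResult:
    offered_rps: int
    p95_ms: float
    error_rate: float
    meets_sla: bool


def percentile(values, pct):
    """Nearest-rank percentile; no interpolation, so results are exact."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def run_step(service, offered_rps, sla_p95_ms):
    """One load step: offered_rps virtual users each send one request this second."""
    latencies, errors = [], 0
    for i in range(offered_rps):
        latency, status = service.respond(offered_rps, i)
        if status != 200 or latency >= service.timeout_ms:
            errors += 1
        latencies.append(latency)
    p95 = percentile(latencies, 95)
    error_rate = errors / offered_rps
    return StepResult(offered_rps, p95, error_rate, p95 <= sla_p95_ms and errors == 0)


def ramp_test(service, start_rps, stop_rps, step_rps, sla_p95_ms):
    """Load test: ramp virtual users up and record each step.
    The steps past the SLA are the stress test."""
    return [run_step(service, rps, sla_p95_ms)
            for rps in range(start_rps, stop_rps + 1, step_rps)]


def summarize(results):
    """Peak sustainable load, first load with errors, and load where it collapsed."""
    peak = max((r.offered_rps for r in results if r.meets_sla), default=None)
    first_error = next((r.offered_rps for r in results if r.error_rate > 0), None)
    collapse = next((r.offered_rps for r in results if r.error_rate >= 1.0), None)
    return {"peak_rps": peak, "first_error_rps": first_error, "collapse_rps": collapse}


if __name__ == "__main__":
    svc = SimulatedService(capacity_rps=100)
    results = ramp_test(svc, 10, 400, 10, sla_p95_ms=500.0)
    for r in results:
        print(f"{r.offered_rps:4d} rps  p95={r.p95_ms:7.1f} ms  "
              f"errors={r.error_rate:5.1%}  {'ok' if r.meets_sla else 'FAIL'}")
    print(summarize(results))
```

The nearest-rank percentile is used deliberately: interpolated percentiles hide the fact that a handful of very slow requests are what users notice, and they make results differ between tools. Against a real endpoint the only change is `respond()`, and the error classification (non-200 or past the deadline) stays the same.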
    Endurance or volume: as much volume as possible is input in a short amount of time to get results more quickly
    Elasticity: whether the performance of the service meets the requirements across the entire load spectrum, and whether the appointed service capacity scales with the service load
      two situations
        one in which scaling up and scaling down happens automatically (true elasticity, automatic scalability)
        one in which capacity needs to be configured (and released) manually (manual scalability)
      For both: Load profile, Boundary values
  Not Testing: Security, Manageability, Continuity, Migration, Regulations
  Process
    A baseline can be compared with actual performance metrics at any point following collection of the baseline to determine if activity represents the norm.

Remediation
  cloud allows for instant rollback
  blue-green deployments
    make a change to a workload by deploying an identical copy (green) of the live environment (blue) with the configuration change
    Users can then be switched to the new environment (green) while the old live environment (blue) remains available, but idle.
    if a failure is discovered, users can be instantly redirected back to blue
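The blue-green switch with health-check driven rollback, as an added example that is not part of the original notes. The Router stands in for the load balancer or DNS record that decides which environment receives users, and the health probe is scripted (an assumption, so the example runs offline); green is put live, checked repeatedly with predefined health checks, and on the first failure users are pointed straight back at the untouched, idle blue environment.

```python
"""Blue-green deployment with health-check driven instant rollback (added example)."""
from dataclasses import dataclass, field


@dataclass
class Environment:
    """One deployed copy of the workload. The probe is scripted so the example
    runs offline; in practice health_check() would call the environment's health endpoint."""
    name: str
    version: str
    probe_script: list = field(default_factory=list)  # scripted True/False per check

    def health_check(self):
        """Predefined health check; once the script is exhausted the environment is healthy."""
        return self.probe_script.pop(0) if self.probe_script else True


@dataclass
class Router:
    """Stands in for the load balancer / DNS record that selects the live environment."""
    active: Environment
    idle: Environment = None
    events: list = field(default_factory=list)

    def switch_to(self, env):
        """Atomically swap which environment receives users; the other stays up but idle."""
        self.idle, self.active = self.active, env
        self.events.append(f"traffic -> {env.name} {env.version}")


def blue_green_deploy(router, green, checks=3):
    """Switch users to green and verify it with repeated health checks.

    Blue is left running, idle and unmodified, so a failed check is remediated by
    pointing the router back at it: no rebuild, no investigation on the critical
    path, no emergency change. The outcome records which check failed, if any.
    """
    blue = router.active
    router.switch_to(green)
    for i in range(1, checks + 1):
        if green.health_check():
            router.events.append(f"check {i}/{checks} on {green.name}: ok")
            continue
        router.events.append(f"check {i}/{checks} on {green.name}: FAILED, rolling back")
        router.switch_to(blue)
        return {"outcome": "rolled_back", "active": router.active.name, "failed_check": i}
    return {"outcome": "promoted", "active": router.active.name, "failed_check": None}


if __name__ == "__main__":
    blue = Environment("blue", "v1.4")
    green = Environment("green", "v1.5", probe_script=[True, False, True])  # fails 2nd check
    router = Router(active=blue)
    print(blue_green_deploy(router, green, checks=3))
    print("\n".join(router.events))
```

Two points worth keeping when this is done with a real load balancer: blue must not be decommissioned until green has passed its checks under real traffic, and the rollback path must not require a manual approval, otherwise the "instant" in instant rollback is lost.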
Performance testing evaluates the ability of a system to service requests in a timely manner. It uses performance metrics to track utilization of resources based on demand. Demand is simulated in load testing, stress testing, and remote transactional monitoring.
Configuration testing allows an administrator to test and verify that the cloud environment is running at optimal performance levels.

Techniques
  Testing in the cloud landscape utilizes cloud resources as a sandbox to test new applications or new versions of applications without affecting the performance or even the security of the production landscape. Testing should also confirm that the application or system can effectively perform the functions it was designed for.
  Testing should also confirm that SLA objectives can be met; that HA is implemented correctly; that sizing, replication, and load balancing have been correctly implemented; and that data integrity is not harmed by the application.
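Comparing a collected baseline with current performance metrics, as an added example that is not part of the original notes. The baseline log lines and their "timestamp key=value" format are constructed for the example; the code parses them, records mean and standard deviation per metric, and scores a current sample by z-score, treating a metric that never varied in the baseline as anomalous on any change and reporting metrics with no baseline separately rather than silently passing them.

```python
"""Compare current performance metrics with a collected baseline (added example)."""
import statistics

# Constructed baseline samples in a simple "timestamp key=value ..." line format.
BASELINE_LOG = """\
2021-06-01T10:00Z cpu_pct=40 mem_pct=60 net_mbps=100
2021-06-01T10:05Z cpu_pct=42 mem_pct=60 net_mbps=110
2021-06-01T10:10Z cpu_pct=45 mem_pct=60 net_mbps=90
2021-06-01T10:15Z cpu_pct=38 mem_pct=60 net_mbps=105
2021-06-01T10:20Z cpu_pct=41 mem_pct=60 net_mbps=95
2021-06-01T10:25Z cpu_pct=44 mem_pct=60 net_mbps=100
2021-06-01T10:30Z cpu_pct=43 mem_pct=60 net_mbps=110
2021-06-01T10:35Z cpu_pct=39 mem_pct=60 net_mbps=90
"""


def parse_samples(text):
    """Parse metric lines into {metric: [values]}; malformed fields are skipped."""
    series = {}
    for line in text.splitlines():
        parts = line.split()
        for item in parts[1:]:           # parts[0] is the timestamp
            key, sep, raw = item.partition("=")
            if not sep:
                continue
            try:
                series.setdefault(key, []).append(float(raw))
            except ValueError:
                continue
    return series


def build_baseline(series):
    """Mean and sample standard deviation per metric (needs at least 2 samples)."""
    baseline = {}
    for metric, values in series.items():
        if len(values) < 2:
            continue
        baseline[metric] = (statistics.mean(values), statistics.stdev(values))
    return baseline


def compare_to_baseline(baseline, current, z_threshold=3.0):
    """Return {metric: (z_score, is_anomalous)} for each metric in the current sample.

    stdev == 0 means the metric never moved during the baseline, so any change is
    flagged (there is no spread to measure against). A metric without a baseline
    is returned with z=None so the caller knows it was not evaluated.
    """
    report = {}
    for metric, value in current.items():
        if metric not in baseline:
            report[metric] = (None, False)
            continue
        mean, stdev = baseline[metric]
        if stdev == 0:
            changed = value != mean
            report[metric] = (float("inf") if changed else 0.0, changed)
            continue
        z = (value - mean) / stdev
        report[metric] = (round(z, 2), abs(z) >= z_threshold)
    return report


def anomalies(report):
    """Names of the metrics that deviate from the norm, sorted for stable output."""
    return sorted(m for m, (_, flagged) in report.items() if flagged)


if __name__ == "__main__":
    baseline = build_baseline(parse_samples(BASELINE_LOG))
    current = {"cpu_pct": 91, "mem_pct": 60, "net_mbps": 105, "disk_iops": 500}
    report = compare_to_baseline(baseline, current)
    for metric, (z, flagged) in report.items():
        print(f"{metric:9s} z={z}  {'ANOMALY' if flagged else 'normal'}")
    print("anomalies:", anomalies(report))
```

Eight baseline points is the minimum that makes the arithmetic readable; a real baseline should cover at least a full business cycle so that predictable peaks (backups, month-end batch) are part of the norm and not reported as anomalies.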
E Cloud+ Troubleshooting

Methodology (CompTIA)
  Step 1: Identify the problem.
  Step 2: Establish a theory of probable causes.
  Step 3: Test the theory to determine the cause.
  Step 4: Establish a plan of action to resolve the problem and implement the solution.
  Step 5: Verify full system functionality and, if applicable, implement preventative measures.
  Step 6: Document findings, actions, and outcomes.

Connectivity
  Common networking configuration issues
    Network security group misconfigurations: ACL, Inheritance
    Peering: Incorrect subnet, Incorrect IP address, Incorrect IP space
    Routes: Default, Static, Dynamic
    Firewall: Incorrectly administered micro-segmentation
    Network address translation: VPN, Source, Destination
    Load balancers: Methods, Headers, Protocols, Encryption, Back ends, Front ends
    DNS records
    VLAN/VXLAN/GENEVE
    Proxy
    Maximum transmission unit (MTU)
    Quality of service (QoS)
    Time synchronization issues
  Network troubleshooting tools
    ping
    tracert/traceroute
    flushdns
    ipconfig/ifconfig/ip
    nslookup/dig
    netstat/ss
    route
    arp
    curl
    Packet capture
    Packet analyzer
    OpenSSL client

Performance
  Resource utilization: CPU, GPU, Memory
  Storage: I/O, Capacity
  Network bandwidth
  Network latency
  Replication
  Scaling
  Application: Memory management, Service overload
  Incorrectly configured or failed load balancing

Security
  Privilege: Missing, Incomplete, Escalation, Keys
  Authentication
  Authorization
  Security groups: Network security groups, Directory security groups
  Keys and certificates: Expired, Revoked, Trust, Compromised, Misconfigured
  Misconfigured or misapplied policies
  Data security issues: Unencrypted data, Data breaches, Misclassification, Lack of encryption in protocols, Insecure ciphers
  Exposed endpoints
  Misconfigured or failed security appliances: IPS, IDS, NAC, WAF
  Unsupported protocols
  External/internal attacks

Deployment
  Connectivity issues
  Infrastructure outages
  Performance degradation: Latency
  Configurations: Scripts, Misconfigured templates, Applications in containers, Missing or incorrect tags
  Insufficient capacity: Compute, Storage, Scaling configurations, Bandwidth issues, Oversubscription
  Licensing issues
  Vendor-related issues: Migrations of vendors or platforms, Integration of vendors or platforms, API request limits, Cost or billing issues
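An audit of security-group rules for several of the misconfiguration classes listed above (exposed endpoints, incorrect IP address and IP space in peering rules, a deny rule made ineffective by a higher-precedence allow, overlapping peered ranges), as an added example that is not part of the original notes. The rule set, the trusted address spaces and the priority convention (lower number wins, as in Azure NSGs) are assumptions; the checks use only the standard library's ipaddress module.

```python
"""Audit security-group / NSG rules for common misconfigurations (added example)."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first (Azure NSG convention, assumed)
    name: str
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp" or "*"
    port_from: int
    port_to: int
    source: str        # source CIDR

    def net(self):
        return ipaddress.ip_network(self.source, strict=False)

    def covers_ports(self, other):
        return self.port_from <= other.port_from and self.port_to >= other.port_to


def is_rfc1918(net):
    return any(net.subnet_of(p) for p in RFC1918)


def audit(rules, trusted_spaces):
    """Return (rule_name, finding) pairs for rules that match a known misconfiguration."""
    findings = []
    trusted = [ipaddress.ip_network(c) for c in trusted_spaces]
    allows = sorted((r for r in rules if r.action == "allow"), key=lambda r: r.priority)
    for r in rules:
        try:
            ipaddress.ip_network(r.source)        # strict: host bits must be zero
        except ValueError:
            findings.append((r.name, f"incorrect IP address: host bits set in {r.source}"))
        net = r.net()
        if r.action == "allow":
            if net == ANY and r.protocol == "*" and (r.port_from, r.port_to) == (0, 65535):
                findings.append((r.name, "allow-all from the internet"))
            exposed = [n for p, n in ADMIN_PORTS.items() if r.port_from <= p <= r.port_to]
            if net == ANY and exposed:
                findings.append((r.name, f"exposed endpoint: {','.join(exposed)} open to 0.0.0.0/0"))
            if is_rfc1918(net) and not any(net.subnet_of(t) for t in trusted):
                findings.append((r.name, f"incorrect IP space: {net} is not a known VPC or peer range"))
        else:
            # A deny is dead if an earlier allow already matches everything it would block.
            for a in allows:
                if (a.priority < r.priority and a.protocol in (r.protocol, "*")
                        and a.covers_ports(r) and net.subnet_of(a.net())):
                    findings.append((r.name, f"deny shadowed by higher-precedence allow '{a.name}'"))
                    break
    return findings


def check_peering(local_cidr, peer_cidrs):
    """Peered address spaces must not overlap; returns the overlapping pairs."""
    local = ipaddress.ip_network(local_cidr)
    peers = [ipaddress.ip_network(c) for c in peer_cidrs]
    overlapping = [(str(local), str(p)) for p in peers if local.overlaps(p)]
    for i, a in enumerate(peers):
        overlapping += [(str(a), str(b)) for b in peers[i + 1:] if a.overlaps(b)]
    return overlapping


# Constructed rule set: the VPC is 10.20.0.0/16 and the peered VPC is 10.10.0.0/16.
TRUSTED_SPACES = ["10.20.0.0/16", "10.10.0.0/16"]
RULES = [
    Rule(100, "allow-web", "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(110, "allow-ssh-anywhere", "allow", "tcp", 22, 22, "0.0.0.0/0"),
    Rule(120, "allow-peer-db", "allow", "tcp", 5432, 5432, "10.1.0.0/16"),     # typo for 10.10/16
    Rule(130, "allow-mgmt", "allow", "tcp", 0, 65535, "10.20.0.0/16"),
    Rule(200, "deny-rdp-from-mgmt", "deny", "tcp", 3389, 3389, "10.20.0.0/16"),  # never reached
    Rule(300, "allow-badmask", "allow", "tcp", 8080, 8080, "10.20.5.7/24"),    # host bits set
]

if __name__ == "__main__":
    for name, finding in audit(RULES, TRUSTED_SPACES):
        print(f"{name:20s} {finding}")
    print("peering overlaps:", check_peering("10.20.0.0/16", ["10.10.0.0/16", "10.20.128.0/17"]))
```

The shadowed-deny check is the one most often missed in a manual review: the rule looks correct in isolation, and only the ordering makes it dead. Exported rules from a real provider can be loaded into the same Rule objects and run through `audit()` unchanged.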
