ITA Session 13 Cloud Computing Diff Aspects 1

The document discusses various aspects of cloud computing including virtual hardware, cloud migration, and identity and access management. It covers topics like memory management techniques in virtual machines, virtual machine instance types in the cloud, and strategies for migrating applications and workloads to the cloud such as rehosting, refactoring, and retaining. The document also addresses planning a cloud migration, assessing workloads for transition, and considering timing of migrations.

Uploaded by

Narisha Bhawsar

Cloud Computing – Different Aspects I
IT Applications – Session 13

Contents adapted from Jill West, CompTIA Cloud+ Guide to Cloud Computing, 2nd Edition. 2023 Cengage.
Contents

• Virtual Hardware contd.

• Cloud Migration

• Identity and Access Management


Virtual Hardware contd.
Memory Management (1 of 4)

• Memory shortage can be handled via several memory management techniques
− One of the most common techniques is called memory paging

• When the capacity of RAM cards is exceeded, data is stored as fixed-sized files called
pages in a section of the hard disk called virtual memory
− Virtual memory is significantly slower than physical memory

• Using virtual memory is a helpful fallback method to handle periods of intense
demand for memory resources
− It can also come in handy when allocating memory resources to VMs on a host
Memory Management (2 of 4)

• Overcommitment Ratio
− Most type 1 hypervisors allow you to configure RAM settings for each VM, including:
▪ Minimum memory (memory reservation) required to boot up
▪ Maximum memory (memory limit) of physical memory available to a VM
▪ Startup memory is made available to a VM for a short time only when it first
boots
− Dynamic memory allows for an overcommitment of the host’s physical memory
− Memory bursting is a technique where a VM has the ability to temporarily
increase physical memory consumption to a maximum limit
Memory Management (3 of 4)

• Memory Reclamation
− Ballooning is a way to trick the guest OS into releasing some of its RAM so the
hypervisor can allocate it elsewhere
− Ballooning allows the hypervisor to reclaim overallocated memory on one VM to
other running VMs
− The hypervisor installs a small balloon driver inside each guest OS where
ballooning is enabled
▪ When a high-priority VM needs more memory, the hypervisor identifies a
lower-priority VM that is currently allocated more than its minimum RAM, and
it begins a memory reclamation process
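The reclamation process described in these slides, as an added example written for this deck (not code from the textbook or from any hypervisor vendor): a toy host model with per-VM reservation and limit, an overcommitment ratio, and a balloon step that takes memory only from lower-priority guests and only down to their reservation. The VM sizes and priorities are constructed, and the donor policy is a simplification of what a real hypervisor does.

```python
"""Toy model of RAM reservation/limit, overcommitment and balloon-driven
reclamation. Added example written for these slides; VM sizes and priorities
are constructed, and the policy (take from lower-priority VMs down to their
reservation) is a simplification of what a real hypervisor does."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    priority: int        # higher value = higher priority
    reservation_mb: int  # memory reservation: minimum guaranteed to the guest
    limit_mb: int        # memory limit: maximum physical RAM the guest may consume
    allocated_mb: int    # physical RAM currently backing the guest


class Host:
    def __init__(self, physical_mb: int, vms):
        self.physical_mb = physical_mb
        self.vms = {vm.name: vm for vm in vms}

    def overcommitment_ratio(self) -> float:
        """Configured limits divided by physical RAM; above 1.0 the host is overcommitted."""
        return sum(vm.limit_mb for vm in self.vms.values()) / self.physical_mb

    def free_mb(self) -> int:
        return self.physical_mb - sum(vm.allocated_mb for vm in self.vms.values())

    def balloon(self, needy: str, amount_mb: int) -> dict:
        """Inflate balloons in lower-priority guests that hold more than their
        reservation, freeing up to amount_mb. Returns {donor: MB reclaimed}."""
        target = self.vms[needy]
        donors = sorted((vm for vm in self.vms.values()
                         if vm.priority < target.priority
                         and vm.allocated_mb > vm.reservation_mb),
                        key=lambda vm: vm.priority)  # lowest priority donates first
        reclaimed, remaining = {}, amount_mb
        for donor in donors:
            if remaining <= 0:
                break
            give = min(donor.allocated_mb - donor.reservation_mb, remaining)
            donor.allocated_mb -= give      # guest OS releases pages to the balloon driver
            reclaimed[donor.name] = give
            remaining -= give
        return reclaimed

    def request(self, name: str, amount_mb: int) -> int:
        """A guest bursts: ask for amount_mb more RAM, capped at its limit.
        If the host lacks free RAM, balloon lower-priority guests first.
        Returns the MB actually granted."""
        vm = self.vms[name]
        amount_mb = min(amount_mb, vm.limit_mb - vm.allocated_mb)
        if amount_mb <= 0:
            return 0
        shortfall = amount_mb - self.free_mb()
        if shortfall > 0:
            self.balloon(name, shortfall)
        granted = min(amount_mb, self.free_mb())
        vm.allocated_mb += granted
        return granted


def demo_host() -> Host:
    """Constructed scenario: an 8 GB host with a 6 GB-limit database VM and a
    4 GB-limit batch VM, so the limits add up to more RAM than exists."""
    return Host(8192, [
        VM("db", priority=2, reservation_mb=2048, limit_mb=6144, allocated_mb=3072),
        VM("batch", priority=1, reservation_mb=1024, limit_mb=4096, allocated_mb=3072),
    ])


if __name__ == "__main__":
    host = demo_host()
    print("overcommitment ratio:", host.overcommitment_ratio())
    print("db granted:", host.request("db", 3072))
    print("batch now holds:", host.vms["batch"].allocated_mb, "MB")
```

Running the demo shows the ratio of 1.25 (10 GB of limits on an 8 GB host), the database VM bursting to its 6 GB limit by reclaiming 1 GB from the batch VM, and the batch VM being unable to take anything back because no lower-priority guest exists to balloon.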
Memory Management (4 of 4)
Knowledge Check Activity 2-2

Which memory management technique borrows memory from one VM for another?

a. Ballooning

b. Oversubscription

c. Bursting

d. Allocation
Knowledge Check Activity 2-2: Answer

Which memory management technique borrows memory from one VM for another?
Answer: a. Ballooning
Ballooning is a way to trick the guest OS into releasing some of its RAM
so the hypervisor can allocate it elsewhere.
Section 2-3: VMs in the Cloud

• This section discusses virtualization in the cloud


VM Instance Types

• In the cloud, you can create VM instances using one or more cloud services

• As you create each instance, you’ll have the opportunity to choose its features, such
as number of vCPUs, amount of memory, disk storage type and size, connectivity
options, network placement, and more

• When deploying VM instances in the cloud, CSPs such as AWS, Azure, and GCP offer
preconfigured instance types in which CPU and memory capacity are automatically
allocated in a fixed ratio
Instance Templates (1 of 2)

• When launching instances of the same configuration, you can use a template to
ensure every instance is configured the same way

• In AWS, an EC2 template determines the following parameters:


− AMI (Amazon Machine Image) ID
− Instance type
− Network and security settings
− Storage volumes

• Additional parameters are also available within the launch template


Instance Templates (2 of 2)
Affinity (1 of 3)
• CAB (cluster across boxes) is a scenario where several VMs are distributed across
multiple physical hosts in an on-prem LAN

• When creating these clustered hosts you can choose whether certain VMs reside on
the same host or different hosts
− Guest VMs residing on the same host are part of an affinity group
− You accomplish this by setting an affinity rule on the VM instances
− If you prefer VMs not share the same physical host you can set an anti-affinity
rule

• Public cloud platforms offer multiple methods to control the affinity of cloud
instances
− One of the easiest methods is to set a desired geographical location of an
instance
Affinity (2 of 3)

• Most CSPs automatically attempt to spread instances across physical hosts


− If you need to influence this distribution you can use placement groups, which
are logical groups of instances all hosted in the same AZ

• AWS offers the following three types of placement groups:


− Cluster
− Spread
− Partition
Affinity (3 of 3)

• Figure 2-13 Cluster placement group

• Figure 2-14 Spread placement group

• Figure 2-15 Partition placement group
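The affinity and anti-affinity rules above, as an added example written for this deck (not code from the textbook or from any cloud provider's scheduler): a small placement routine that spreads instances across hosts by default, keeps affinity-group members together, keeps anti-affinity-group members apart, and fails loudly when the rules cannot be met. The hosts, VMs and rules are constructed; each host stands in for one physical box or one fault domain of a placement group.

```python
"""Affinity / anti-affinity placement of VM instances across physical hosts.
Added example written for these slides; hosts, VMs and rules are constructed,
and the scheduler is a simplified stand-in for a hypervisor cluster scheduler or
a cloud placement group (each host stands for one box or fault domain)."""


class PlacementError(Exception):
    """Raised when no host can satisfy the rules for a VM."""


def place(vms, hosts, affinity=(), anti_affinity=()):
    """Assign each VM (in order) to a host.

    affinity:      iterable of sets; members of a set must share one host
    anti_affinity: iterable of sets; members of a set must be on distinct hosts
    Default policy, as most CSPs do, is to spread: pick the least-loaded host
    that satisfies every rule (ties broken by host order).
    """
    assignment = {}
    load = {h: 0 for h in hosts}
    for vm in vms:
        candidates = list(hosts)
        for group in affinity:
            if vm in group:
                placed = {assignment[m] for m in group if m in assignment}
                if placed:
                    candidates = [h for h in candidates if h in placed]
        for group in anti_affinity:
            if vm in group:
                taken = {assignment[m] for m in group if m in assignment}
                candidates = [h for h in candidates if h not in taken]
        if not candidates:
            raise PlacementError(f"no host satisfies the rules for {vm}")
        host = min(candidates, key=lambda h: (load[h], hosts.index(h)))
        assignment[vm] = host
        load[host] += 1
    return assignment


def rules_hold(assignment, affinity=(), anti_affinity=()):
    """Independent check of a finished placement."""
    for group in affinity:
        if len({assignment[m] for m in group}) != 1:
            return False
    for group in anti_affinity:
        if len({assignment[m] for m in group}) != len(group):
            return False
    return True


# Constructed scenario: three web replicas that must not share a fault domain,
# and an app tier whose cache must sit beside it for low latency.
HOSTS = ["host-a", "host-b", "host-c"]
VMS = ["web1", "web2", "web3", "app", "cache"]
AFFINITY = [{"app", "cache"}]
ANTI_AFFINITY = [{"web1", "web2", "web3"}]


def demo_placement():
    return place(VMS, HOSTS, AFFINITY, ANTI_AFFINITY)


if __name__ == "__main__":
    result = demo_placement()
    for vm, host in result.items():
        print(f"{vm:6} -> {host}")
    print("rules hold:", rules_hold(result, AFFINITY, ANTI_AFFINITY))
```

The failure case matters as much as the happy path: asking for four mutually anti-affine VMs on three hosts raises `PlacementError` rather than silently co-locating two of them, which is the behaviour you want from a spread placement group when capacity runs out.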


Allocation Factors

• Security
− Cloud environments can complicate security concerns

• High availability is a network’s or service’s maximized potential for being available
consistently over time

• Disaster recovery strategies tend to be greatly simplified with virtualized systems

• Energy savings
− On-prem virtualization and cloud provide significant energy savings

• Cost considerations
− Rates charged for VM instances are often determined by the number and type of vCPUs
Knowledge Check Activity 2-3

Which selection determines the amount of RAM a cloud VM can use?

a. Instance type

b. Image

c. Storage volume

d. Network bandwidth
Knowledge Check Activity 2-3: Answer

Which selection determines the amount of RAM a cloud VM can use?
Answer: a. Instance type
The instance type determines the instance’s virtual hardware resources,
including vCPUs, RAM, and storage space.
Section 2-4: VM Alternatives

• This section covers alternatives to VMs for hosting applications and other services
Serverless Computing

• When running a serverless application, the CSP offers short-term use of a server only
when the application needs to run
− This reduces overall costs to the consumer and transfers server management
responsibility to the CSP
− This is sometimes called FaaS (Function as a Service)

• AWS, Azure, and GCP each offer serverless services

• Serverless computing is ideal for many databases, backup or data transfer tasks, and
apps that do not need to run continuously
Knowledge Check Activity 2-4

Who manages the server behind a serverless compute service?

a. The end user

b. The CSP

c. The cloud customer

d. The ISP
Knowledge Check Activity 2-4: Answer

Who manages the server behind a serverless compute service?


Answer: b. The CSP
Despite the name, servers are still involved with serverless computing.
However, the cloud customer doesn’t have to bother with configuring or
managing the server – the CSP does this part.
Cloud Migration
Section 3-1: Migration Planning

• This section explores the actual process of migrating into the cloud as well as the
following skills:
− How to validate the outcomes
− How to prepare for problems
− How to adapt to changing needs
Cloud Migration Phases
Transition Assessment

• A company should first assess whether the cloud is a good fit for the company
− Thorough research and testing are required before migration to avoid costly
mistakes

• Some of the other decisions to make include the following:


− Which cloud is the right cloud for you? Which CSP is the best fit for your needs?
− What are your needs? Is your focus more on developing and hosting applications,
running servers, storing accessible databases, or something else?
− How well will your existing applications and processes work in the cloud?
− What new skills will your staff need to learn?
− What will the cost be?
Migration Plans

• A well-laid plan will help to ensure the migration proceeds smoothly

• An effective plan contains thorough information on the following topics:


− Baselines
− Business continuity
− Existing systems
− Target hosts
− Cloud architecture
− Legal restrictions
− Order of operations
Migration Strategies (1 of 2)
• Rehost – this strategy refers to moving the application, server, or data into the cloud
as it is

• Revise or replatform – this approach makes some relatively minor changes to the
application or data before moving it to the cloud

• Repurchase or replace – this strategy refers to replacing the product with an existing
cloud-native product

• Refactor, rearchitect, or rebuild – in this approach, the changes are more significant,
such as recoding portions of an application

• Retain – the organization keeps using an application or data as it is, without any
changes

• Retire – the organization stops using the application or data


Migration Strategies (2 of 2)
Timing (1 of 2)

• Once your overall migration plan is ready, you will need to consider the timing of the
actual workload migration

• Factors to consider include the following:


− Impact of downtime
− Work hour restrictions
− Time zones
− Peak time frames and costs
Timing (2 of 2)
Knowledge Check Activity 3-1

Which cloud migration strategy requires the most work to perform?

a. Retain

b. Revise

c. Refactor

d. Rehost
Knowledge Check Activity 3-1: Answer

Which cloud migration strategy requires the most work to perform?
Answer: c. Refactor
Refactoring requires the most significant changes to a resource, such as
recoding portions of an application.
Identity and Access Management
Section 7-1: Cloud Accounts

• You can set up cloud user accounts using the IAM (identity and access management)
services built into most major cloud platforms

• Once these user accounts are established, the root account should not be used again
except when absolutely necessary
Identity (1 of 2)

• Logical access control contrasts with physical access control, such as door locks, and
often refers to remote access

• Users and resources can have an identity, which is a digital entity to which you can
attach roles and permissions

• Accounts assigned to resources (such as a server) are sometimes called service accounts, while
a human user is given a user account

• You can create accounts through the IAM dashboard in your cloud platform

• These identities and their credentials are stored in a repository called an identity
vault
Identity (2 of 2)
Account Management

• Effective account management policies can help ensure that the following tasks
occur:
− Accounts are set up, or provisioned, in a timely manner for new users
− Compromised accounts are locked out for protection
− Privilege creep, the gradual increase of disorganized and unmonitored privileges, is
limited
− Unused accounts are closed to further activity, or deprovisioned

• Another consideration in managing accounts is whether and when users should be
given multiple accounts
Privileged Access Management (PAM)

• PAM (privileged access management) is a subset of IAM that applies stricter rules
and safety precautions specifically to users who are given elevated permissions to do
their jobs

• Security precautions that might be taken for these accounts include the following:
− Limited use
− Limited location
− Limited duration
− Limited access
− Limited privacy
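The account-management goals (timely provisioning, locking compromised accounts, limiting privilege creep, deprovisioning unused accounts, keeping the root account idle) and the PAM "limited duration" precaution, as an added example written for this deck (not code from the textbook or from any cloud IAM API): a set of hygiene checks run over a constructed IAM export. The account records, role baselines, elevation grants and thresholds are all made up.

```python
"""Account hygiene checks modelled on the account-management and PAM goals
in the slides. Added example with constructed accounts; not from the deck
or any cloud provider's IAM API."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the checks are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Permissions each role is expected to hold (the baseline for creep detection).
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "analyst": {"dashboard:read"},
}

# Constructed sample records: what a normalised IAM export might look like.
ACCOUNTS = [
    {"user": "root", "role": None, "last_login": NOW - timedelta(days=2),
     "permissions": {"*"}, "failed_logins": 0},
    {"user": "alice", "role": "developer", "last_login": NOW - timedelta(days=3),
     "permissions": {"repo:read", "repo:write", "ci:run"}, "failed_logins": 1},
    {"user": "bob", "role": "analyst", "last_login": NOW - timedelta(days=120),
     "permissions": {"dashboard:read", "billing:admin"}, "failed_logins": 0},
    {"user": "carol", "role": "developer", "last_login": NOW - timedelta(days=1),
     "permissions": {"repo:read", "repo:write", "ci:run"}, "failed_logins": 12},
]

# Constructed elevated-access grants (PAM): who holds extra privilege, and for how long.
ELEVATIONS = [
    {"user": "alice", "privilege": "prod:admin",
     "granted": NOW - timedelta(hours=1), "expires": NOW + timedelta(hours=3)},
    {"user": "bob", "privilege": "prod:admin",
     "granted": NOW - timedelta(days=40), "expires": None},
    {"user": "carol", "privilege": "db:admin",
     "granted": NOW - timedelta(days=3), "expires": NOW - timedelta(days=2)},
]


def privilege_creep(accounts, baseline=ROLE_BASELINE):
    """Permissions a user holds beyond the baseline for their role."""
    creep = {}
    for acct in accounts:
        if acct["role"] in baseline:
            extra = acct["permissions"] - baseline[acct["role"]]
            if extra:
                creep[acct["user"]] = extra
    return creep


def deprovision_candidates(accounts, now=NOW, max_idle_days=90):
    """User accounts idle longer than max_idle_days (candidates for deprovisioning)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts if a["role"] and a["last_login"] < cutoff)


def lockout_candidates(accounts, threshold=10):
    """Accounts whose failed-login count suggests someone is guessing at them."""
    return sorted(a["user"] for a in accounts if a["failed_logins"] >= threshold)


def recent_root_use(accounts, now=NOW, window_days=30):
    """True if the root account signed in within the window; it should stay idle."""
    cutoff = now - timedelta(days=window_days)
    return any(a["user"] == "root" and a["last_login"] >= cutoff for a in accounts)


def elevation_findings(elevations, now=NOW):
    """Limited duration: flag open-ended grants and grants past their expiry
    that have not yet been revoked."""
    findings = []
    for e in elevations:
        if e["expires"] is None:
            findings.append((e["user"], e["privilege"], "no expiry"))
        elif e["expires"] <= now:
            findings.append((e["user"], e["privilege"], "expired but still granted"))
    return findings


def run_report(accounts=ACCOUNTS, elevations=ELEVATIONS):
    return {
        "privilege_creep": privilege_creep(accounts),
        "deprovision": deprovision_candidates(accounts),
        "lock": lockout_candidates(accounts),
        "root_used_recently": recent_root_use(accounts),
        "elevations": elevation_findings(elevations),
    }


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

Each check maps to one bullet above: the creep check compares held permissions against the role baseline, the idle check feeds deprovisioning, the failed-login check feeds lockout, the root check enforces the "use root only when absolutely necessary" rule, and the elevation check enforces limited duration for privileged access.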
Knowledge Check Activity 7-1

What is a goal of successful account management?

a. Limit users to one account each

b. Expand a blast radius

c. Limit privilege creep

d. Increase time for account provisioning


Knowledge Check Activity 7-1: Answer

What is a goal of successful account management?


Answer: c. Limit privilege creep
Account management policies can help ensure that privilege creep is
limited and monitored.
Section 7-2: Authentication

• Authentication is part of a three-tiered approach to NAC (network access control)
called AAA
− Authentication gets you into a system
− Authorization lets you do things while you’re there
− Accounting tracks what you’re doing for later review
Authentication Processes

• Authentication is a process usually managed by a server that proves the identity of a
client and determines whether that client is allowed to access a secured system

• To confirm a client’s identity, some sort of directory service must maintain a
database of account information (Microsoft’s Active Directory is an example)

• Authentication in the cloud also often relies on REST APIs


− REST (REpresentational State Transfer) is an architecture standard that requires
certain characteristics for HTTP or HTTPS communications
− Client and server systems run independently of each other
− The server saves no client session state between requests (it is stateless)
Password Policies (1 of 2)

• Password policies can require that passwords meet certain requirements, such as the
following:
− Complexity
− Length
− Expiration
− Lockout
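The four password-policy requirements above (complexity, length, expiration, lockout), as an added example written for this deck (not code from the textbook or from any identity provider): a small policy checker plus a login guard that counts consecutive failures and imposes a timed lockout. The thresholds and the sample passwords are assumptions, chosen only to show each rule firing.

```python
"""Password policy enforcement with account lockout. Added example written
for these slides; the thresholds are assumptions, not from the deck."""
import re
from datetime import datetime, timedelta, timezone

POLICY = {
    "min_length": 12,        # Length
    "classes_required": 3,   # Complexity: classes out of lower/upper/digit/symbol
    "max_age_days": 90,      # Expiration
    "lockout_threshold": 5,  # Lockout after this many consecutive failures
    "lockout_minutes": 15,
}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def complexity_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(1 for p in CLASS_PATTERNS if re.search(p, password))


def check_password(password: str, policy=POLICY):
    """Return a list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if complexity_classes(password) < policy["classes_required"]:
        problems.append("insufficient complexity")
    return problems


def password_expired(set_at: datetime, now: datetime, policy=POLICY) -> bool:
    """Expiration: true once the password is older than max_age_days."""
    return now - set_at > timedelta(days=policy["max_age_days"])


class LoginGuard:
    """Tracks consecutive failures per user and enforces a timed lockout."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.failures = {}
        self.locked_until = {}

    def attempt(self, user: str, credential_ok: bool, now: datetime) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        A correct credential presented while the account is locked is still
        refused, so a guess that happens to be right during the lockout gains nothing.
        """
        if user in self.locked_until and now < self.locked_until[user]:
            return "locked"
        if credential_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy["lockout_threshold"]:
            self.locked_until[user] = now + timedelta(minutes=self.policy["lockout_minutes"])
            self.failures[user] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    print(check_password("password"), check_password("Correct-Horse-42"))
    guard = LoginGuard()
    for _ in range(5):
        print(guard.attempt("dave", False, t0))
    print(guard.attempt("dave", True, t0 + timedelta(minutes=1)))
    print(guard.attempt("dave", True, t0 + timedelta(minutes=16)))
```

The guard deliberately keys lockout state by user rather than by source address, which is the behaviour the "Lockout" requirement describes; a real deployment would also log each transition to "locked" for the accounting leg of AAA.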
Password Policies (2 of 2)
Multifactor Authentication (MFA)

• MFA (multifactor authentication) requires two or more pieces of information – called
factors – from across two or more categories of authentication factors

• The following is a list of primary MFA factor categories:


− Something you know – A password, PIN, or biographical data
− Something you have – An ATM card, ID badge, key, or smartphone with
authentication app
− Something you are – Your fingerprint, facial pattern, or iris pattern
− Somewhere you are – Your location in a specific geopolitical area, a company’s
building
− Something you do – The specific way you type, speak, or walk
Certificate-Based Authentication

• A digital certificate is a small file containing verified identification information and
the public key of the entity whose identity is being authenticated
− If the public key can successfully decrypt data that the entity signed with its
private key, the entity has proven possession of the private key that matches the
certificate’s public key

• The use of certificate authorities to associate public keys with certain users is known
as PKI (public key infrastructure)

• Digital certificates are primarily used to certify and secure websites where financial
and other sensitive information is exchanged
Single Sign-On (SSO)

• SSO (single sign-on) is a form of authentication in which a client signs in one time to
access multiple systems or resources
− Users do not have to remember several passwords and might not need to
complete the authentication process multiple times for every new resource they
need to access

• Many applications are designed to support SSO functionality through the use of
standards such as SAML (Security Assertion Markup Language) or OpenID Connect

• SSO offers the simplicity of using a single source of truth so user data isn’t
duplicated through multiple systems

• Federation is the process of managing user identities across organizations on the
foundation of the trust relationship
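With SSO and federation, the relying application never sees the user's password; it receives a signed assertion from the identity provider and must validate it before trusting the identity it carries. As an added example written for this deck (not code from the textbook or from any SSO product), this block issues and validates an OpenID Connect-style ID token as a compact JWT, checking the algorithm, signature, issuer, audience and expiry in that order. It uses an HS256 shared secret as a simplification; production OpenID Connect providers normally sign with an asymmetric key (for example RS256) and publish the public half for relying parties to fetch. The key, issuer, audience and clock value are constructed.

```python
"""Minimal ID-token issue/validate round trip showing what a relying party
must check when accepting an SSO assertion (alg, signature, issuer, audience,
expiry). Added example written for these slides; HS256 with a shared secret is
a simplification of how OpenID Connect providers sign tokens in practice."""
import base64
import hashlib
import hmac
import json

# Constructed values: the key, issuer and audience are made up.
IDP_KEY = b"constructed-shared-secret-do-not-reuse"
ISSUER = "https://idp.example.test"
AUDIENCE = "payroll-app"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Identity-provider side: sign the header and claims (compact JWS)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_token(token: str, now: int, key: bytes = IDP_KEY,
                   issuer: str = ISSUER, audience: str = AUDIENCE):
    """Relying-party side. Returns (claims, 'ok') or (None, reason).
    The alg is pinned before the signature is checked, so a token that
    declares 'none' or another algorithm is rejected up front."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return None, "wrong audience"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "expired"
    return claims, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock
    token = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": now + 300})
    print(validate_token(token, now))
```

The audience check is what stops a token minted for one federated application from being replayed against another; the issuer check is what the cross-organization trust relationship actually pins down.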
Knowledge Check Activity 7-2

Which protocol defines how most authentication directories work?

a. LDAP

b. OCSP

c. HTTPS

d. MFA
Knowledge Check Activity 7-2: Answer

Which protocol defines how most authentication directories work?
Answer: a. LDAP
The mechanisms of LDAP dictate some basic requirements for any
directory it accesses. Therefore, directory servers are configured and
function in similar ways, regardless of the software used.
Thank You!
