Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
Uploaded 29 Mar 2023
Event Slides: Simplify and Scale Enterprise Spring Apps in the Cloud
Date: March 23, 2023
Speakers:
Adib Saikali, Principal Solutions Engineer, VMware Tanzu
Asir Selvasingh, Principal Architect, Java on Azure, Microsoft
Simplify and scale Enterprise Spring Apps in the cloud
Asir Selvasingh, Principal Architect, Java on Azure, Microsoft
Adib Saikali, Principal Solutions Engineer, VMware
Architecture diagram (Azure Spring Apps; one panel still carries the older name Azure Spring Cloud): Spring Boot apps (App 1, App 2, App 3 ... App N) run on a managed service runtime that provides Agents, Build Service, Config Server, Service Registry, Lifecycle, Resiliency, Logstream, Encryption and Diagnostics. Around the runtime: Developer experiences; Monitor (logstream, APM and end-to-end); Identities (end-users and machines); Automation; Domains. Open source client libraries, integration modules and drivers connect the apps to Data, Storage, Cache, Async communications (JMS and Kafka), and Keys, secrets & certs.
# Create an Enterprise tier Azure Spring Apps service instance
az spring create --name ${SPRING_CLOUD_SERVICE} \
    --sku enterprise \
    --resource-group ${RESOURCE_GROUP} \
    --location ${REGION}

# Create an app in that instance and deploy a Spring Boot jar to it
az spring app create --name ${CUSTOMERS_SERVICE}
az spring app deploy --name ${CUSTOMERS_SERVICE} \
    --jar-path ${CUSTOMERS_SERVICE_JAR}
When dev teams build images differently, they introduce vulnerabilities and complexity:
• Image updates
• Security posture
• Full stack container audits
• IT governance
Spring Cloud Gateway features (Enterprise tier):
• Filters: allow you to do things with requests/responses (link to Available Filters)
• Rate limiting: allows you to limit the number of requests (link to Rate Limit Filter)
• Commercial route filters: provides several custom filters in addition to those included in the open-source project (link to Commercial Route Filters)
• Single sign-on: configurable SSO integration with your preferred identity provider (IdP); flow diagram: Authenticated? No / Yes
• Token relay: with token relay enabled, Spring Apps Gateway passes the currently authenticated user's identity token to the app when the user accesses the app's route
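As an added example (not from the slides), a route configuration file for the managed Spring Cloud Gateway in Azure Spring Apps Enterprise that combines the three features above on one app: SSO on the route, token relay of the authenticated user's identity token to the backing app, and the commercial RateLimit filter. The field names (routes, predicates, filters, ssoEnabled, tokenRelay, order, tags), the RateLimit=<requests>,<duration> syntax and the az spring gateway route-config command are assumed from the Azure Spring Apps documentation, not taken from this page; the app name, paths, limits and descriptions are constructed values.

```json
{
  "routes": [
    {
      "title": "Customers API (constructed example route)",
      "description": "Requires SSO; the gateway relays the signed-in user's identity token to the customers-service app and caps each client at 10 requests per second",
      "order": 1,
      "predicates": [
        "Path=/api/customers/**",
        "Method=GET,POST"
      ],
      "ssoEnabled": true,
      "tokenRelay": true,
      "filters": [
        "StripPrefix=1",
        "RateLimit=10,1s"
      ],
      "tags": ["customers"]
    },
    {
      "title": "Customers health probe (constructed example route)",
      "description": "Health endpoint left open for platform probes; order 0 so it wins over the broader SSO route that would otherwise also match this path, and rate-limited so it cannot be hammered",
      "order": 0,
      "predicates": [
        "Path=/api/customers/actuator/health",
        "Method=GET"
      ],
      "ssoEnabled": false,
      "filters": [
        "StripPrefix=1",
        "RateLimit=2,1s"
      ],
      "tags": ["customers", "health"]
    }
  ]
}
```

Apply it with `az spring gateway route-config create --name customers-routes --app-name customers-service --routes-file routes.json` (command and flags assumed as above), then confirm that an unauthenticated request to /api/customers/ is sent to the IdP while /api/customers/actuator/health answers directly.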
Be more productive and cost-efficient by autoscaling apps out or in:
• Load- or metric-based mode: scaled out and in as needed for the load
• Schedule-based mode: scaled out and in based on a predefined schedule and limits
• Never go above or below the maximum and minimum limits defined
Common scenarios:
• Internal only: line of business application
• Publicly accessible application
• App with on-premises data sources
• Industry compliance: app with compliance requirements
Internal / line of business application
• Fast, private connectivity options
• Easy to set up single sign-on
• Scale as needed
Network diagram: the on-premises network connects over an ExpressRoute circuit or site-to-site VPN to a hub virtual network (network appliance, virtual network gateway, DNS services), which is peered to a spoke virtual network hosting Azure Spring Apps in an apps subnet and data services in a data subnet; corporate users at the office or on VPN reach the apps through the network appliance (ingress to apps).
Public application with on-premises dependencies
• Protect from common attacks
• Reach back to on-premises resources
• Multiple high-availability options
Network diagram: internet traffic enters through an Application Gateway (WAF) and the hub virtual network's network appliance (ingress to apps); the hub (virtual network gateway, DNS services) is peered to a spoke virtual network hosting Azure Spring Apps in an apps subnet and data services in a data subnet, and reaches back to on-premises resources over an ExpressRoute circuit or site-to-site VPN (on-prem reachback).
High availability options
• Default high availability: one virtual network with an availability set spanning Fault Domain 1 and Fault Domain 2
• Multi-zone high availability: one virtual network spread across Availability Zones 1, 2 and 3
• Multi-region high availability: Front Door in front of Region 1 and Region 2, each with its own virtual network and availability set (Fault Domains 1 and 2)
Regulatory compliance (e.g. PCI-DSS)
• Access control / least privilege
• Encrypt storage and network traffic
• Control, log, inspect connections
• HTTPS everywhere
• Mutual TLS
• Storage encryption
• Database encryption
Network diagram: internet ingress passes through an Application Gateway (WAF) into the hub virtual network (network appliance, virtual network gateway, DNS services, NVA or Azure Firewall), which is peered to a spoke virtual network hosting Azure Spring Apps in an apps subnet and data services in a data subnet; egress to the internet goes out through the NVA or Azure Firewall, and on-prem reachback to on-premises resources runs over an ExpressRoute circuit or site-to-site VPN.
Component | Frequency of maintenance updates | Security patches
Container image: app dependencies | Every few weeks | Vary
Container image: APM (application performance monitoring) | Every few weeks | Vary
Container image: JDK | Every 3 months | Vary
Container image: base image (operating system and runtime) | Monthly | Vary
Kubernetes (K8S) | Quarterly | Vary
Host OS (underlying operating system that runs on each node in a K8S cluster) | Monthly | Vary
Unceasing barrage of software updates
Must keep your system up-to-date – regularly update your apps, dependencies, JDK, OS, K8S and Host OS
"A record 26,448 software security flaws were reported in 2022, with the number of critical vulnerabilities up 59% on 2021 to 4,135, according to analysis by The Stack of Common Vulnerabilities and Exposures (CVEs) data."
https://thestack.technology/analysis-of-cves-in-2022-software-vulnerabilities-cwes-most-dangerous/
What are the challenges with patching?
Must keep your system up-to-date: regularly update your apps, dependencies, JDK, OS, K8S and Host OS
• Volume of patches and updates
• Securing approvals for delaying
• Scaling coordination between app development teams and DevOps teams
• Re-running pipelines for every change to the container image: testing, certification, staging and deploy to production
• Are pipelines stateless and reproducible?
Manage risk: a fresh CVE is created every 20 minutes
• Prioritize: robust vulnerability management program
• Monitor: conduct regular security assessments, including vulnerability assessment and penetration testing
• Patch management: stay up-to-date with security patches
• Awareness: foster a security-focused culture
https://thestack.technology/analysis-of-cves-in-2022-software-vulnerabilities-cwes-most-dangerous/
Break the endless cycle of software updates
Focus on what really matters, driving innovation and growth, through auto patching in Azure Spring Apps
Customers update their apps any time.
Azure Spring Apps:
• Autopatch runs every 6 weeks
• Planned maintenance windows
• Hotfix deployed for critical updates
Case 1 – Apache Log4j2 exposure (CVE-2021-44228 – aka.ms/cve-log4j)
Customers: updated their Spring apps if they had switched the logging framework to Log4j 2
Azure Spring Apps:
• Hotfix deployed for the New Relic and AppDynamics Java agents
• If these APMs were activated in apps, Azure automatically protected them by restarting them
Case 2 – OpenSSL exposure (CVE-2022-3602 – aka.ms/cve-openssl)
Customers: no action was necessary
Azure Spring Apps:
• Autopatch successfully resolved the software vulnerability identified
• Similarly resolved for service instances with planned maintenance windows during those times
Auto patching
Stay ahead of the game with auto patching: the proactive shield against known security threats and vulnerabilities in your systems and software.
Azure Spring Apps Application Suitability Workshop: Bring Your Own App
Free rapid app assessment workshop with our experts, to power your modernization journey to the cloud. We have limited slots, so sign up early!