This is part of a group of posts that aims to demystify the cloud for non-cloud experts and provide a framework in which to think about the services cloud can provide. In essence, to make cloud simple.
It follows the premise that all the cloud providers have essentially the same types of core services, with various strengths and benefits. As we progress to a situation where most organisations use multiple clouds for different purposes, it is useful to understand the higher concepts and how they relate to each other. Only then can you go down to the next level and understand what makes one cloud different to another, and why you might use one cloud provider for one use case and another cloud for a different one.
To recap, in the previous post we talked about the high-level service categories, which can be broken down into:

| Core Services | Data & Analytics | Enterprise |
|---|---|---|
| Compute, Networking, Storage, Security | Data Integration, Databases, ML/Artificial Intelligence, Analytics | Hybrid Connectivity, Integration, Workflow, Search, Management |

| Migration | Development | Mobile & IoT |
|---|---|---|
| Application Discovery, Application Migration, Data Migration | Developer Tools, DevOps, Pipelines | Mobile, IoT |

Underpinning all of these is the Global Infrastructure (Regions, Availability Zones).
In this post, let's go down to the next level and understand the service types that fit into the core services category: Compute, Networking, Storage and Security. We will cover the remaining categories in following posts.
But let's first start where it all began: compute.
For access to the full reference list, feel free to download our free resource.
Compute
Compute is where it all happens. It is what draws organisations in with the promise of on-demand creation and automatic scalability. It is the crux of the cloud platform. The core service types are:

| Service Type | Description | AWS | Azure | Google Cloud Platform |
|---|---|---|---|---|
| Virtual Machines | VMs, GPUs, Disks | | | |
| Hardened Virtual Machines | Security-enhanced Virtual Machines | | | |
| Application Development | Managed app platform | | | |
| Containers | Managed containers | | | |
| Serverless Functions | Event-driven serverless functions | | | |
At the very heart is the Virtual Machine (VM), essentially the same as you would find in your own data centre: a bare instance that is ready for you to deploy your own applications on. This is called Infrastructure as a Service (IaaS), and you are responsible for security, patches, backups, load balancing, etc. Hardened Virtual Machines help with the securing part. Given that it is a non-trivial task to ensure your VMs are secure against the latest attacks, the Center for Internet Security (CIS) produces its own pre-hardened images and adds a surcharge for them. Next in the stack are Managed Application Platforms, which are Platform as a Service (PaaS) offerings. They do all the heavy lifting around security, patching, load balancing and DevOps and just allow you to develop your application. If you can develop in a supported language then this is a great option. It has typically evolved around web development.
Containers have started to make their mark heavily in the cloud as organisations are drawn to the current trend towards portability and microservices. They allow you to move away from monolithic applications to more piecemeal ones that can be managed and deployed independently, thereby increasing speed. Nothing comes for free though: containers require a lot of administration and management. Luckily vendors are starting to come to the party to help with the management overhead. The final compute option is Serverless Functions, where everything is managed for you and you just pay for the time it takes for a function to run. It is seen as the holy grail, but this area is still maturing and isn't suitable for all workloads.
Networking
The next cab off the rank is networking. It is not as eye-catching as compute but it is arguably as important, as it holds it all together and keeps the "baddies" out. The core service types are:

| Service Type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Virtual Network | Software-defined networking | | | |
| Load Balancer | Multi-region load distribution | | | |
| DNS | Programmable DNS serving | | | |
| CDN | Content Delivery Network | | | |
The hub is the Virtual Network, which is typically software defined and so can be set up almost instantaneously. It provides the boundary around your VMs and other services and determines who can access them and who can't. This control is achieved by creating security groups: rule sets that say what or who can send data into and out of the network.
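As an added example (not code from the original post), here is a small audit over a set of security-group ingress rules in an assumed provider-neutral shape (name, source CIDR, port range), flagging any rule that exposes an administrative port to the whole internet. The rule list and the port map are constructed for the example.

```python
import ipaddress

# Constructed sample ingress rules: each rule says which source range may
# reach which port range on the instances in the group.
SAMPLE_INGRESS = [
    {"name": "web-https", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"name": "ssh-anywhere", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"name": "ssh-office", "cidr": "203.0.113.0/24", "from_port": 22, "to_port": 22},
    {"name": "rdp-any-v6", "cidr": "::/0", "from_port": 3389, "to_port": 3389},
    {"name": "internal-all", "cidr": "10.0.0.0/8", "from_port": 0, "to_port": 65535},
]

# Ports that should never be reachable from the whole internet. 443 is
# deliberately absent: a public web listener is an expected exposure.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def is_world_open(cidr):
    """True for a source range covering the entire IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_rules(rules, admin_ports=ADMIN_PORTS):
    """Return (rule name, service) for each rule that opens an admin port to everyone."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue
        for port, service in admin_ports.items():
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append((rule["name"], service))
    return findings


if __name__ == "__main__":
    for name, service in exposed_admin_rules(SAMPLE_INGRESS):
        print(f"{name}: {service} is reachable from anywhere")
```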
Another key networking service is the Load Balancer. It spreads the traffic load across the underlying VMs. There are typically two types: an application-level load balancer, which controls traffic from the internet to your application interface and carries special features around encryption/decryption (SSL/TLS termination), and a network load balancer, which distributes load between network machines at layer 4 (the transport layer) of the network stack.
Finally, there are the Domain Name System (DNS) and Content Delivery Network (CDN) services. They need to be configured less frequently, but they are the bridge between the internet and the organisation's cloud network. The DNS service resolves your domain names to the addresses of your cloud resources, while the CDN caches data closer to the user in order to speed up retrieval of common items.
Storage
Ah, storage. It seems so easy. You could be forgiven for thinking you can just open up a bucket on the cloud and put all your data in there. But this is far from the case, and it is typically where many of the headlines come from. An innocent employee may unwittingly store sensitive company data in the cloud without understanding the security settings, and all of a sudden this data is open to the world. This is a critical area because attackers routinely run automated scanners that search for openly accessible storage, so it won't be long before an exposed bucket is found. The core storage service types are:

| Service Type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Object Storage | Object storage and serving | | | |
| Block Storage | VM-attached disks | | | |
| File Storage | Managed NFS server | | | |
| Archival Storage | Occasional/rare-access storage | | | |
| Backup | Data backup | | | |
| Disaster Recovery | Data and VM DR | | | |
The best-known and probably most common type of storage is Object Storage. It is a generic bucket into which you can put any type of file, from text to videos to images. It also typically carries an all-important switch that says whether the bucket is public, i.e. open to all, or private, which requires access to be specifically granted. Object Storage generally also has features that automatically move your files to different tiers depending on how often you use the data. This archive tier could be used for occasional, once-a-month access (Archival Storage) or for circumstances where data won't be accessed more than once a year, e.g. backups. Occasional-access and archive storage are a lot cheaper than standard object storage, but they cost more to access, so they still need to be managed closely or you could be in for a surprise bill.
The next type of storage is Block Storage, which is the storage attached to your VM. It costs more but is located closer to your VM and so is quicker. It is not as scalable as object storage, though, and so is typically used for some databases, caches, local files, etc.
File Storage is the last major type of storage and is used like the file servers you would be familiar with in your organisation, providing a common directory structure. Once again this is more expensive than object storage but can easily be accessed from within your corporate network through a file share.
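The public/private switch above is often expressed as a bucket policy, and the risky cases are the ones that grant to everyone. As an added example (not from the original post), this checker walks an AWS-style JSON bucket policy (the Effect/Principal/Action/Resource/Condition shape is assumed; the sample policy, account id and VPC endpoint id are constructed placeholders) and reports every Allow statement whose Principal is anyone, noting whether a Condition narrows it.

```python
import json

# Principal forms that mean "everyone" (anonymous access) in this policy shape.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})

def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True if the statement's Principal grants to anyone at all."""
    if principal in PUBLIC_PRINCIPALS:
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy):
    """Return (Sid, actions, has_condition) for each Allow statement open to everyone."""
    # A Condition narrows the grant (e.g. to one VPC endpoint), so it is reported
    # as conditional rather than fully public; the reviewer still has to read it.
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        findings.append((stmt.get("Sid", f"statement-{i}"), actions, "Condition" in stmt))
    return findings

# Constructed sample policy: one anonymous read grant, one grant to a named
# role, and one anonymous grant narrowed to a VPC endpoint (placeholder id).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}
  ]
}""")

if __name__ == "__main__":
    for sid, actions, conditional in public_statements(SAMPLE_POLICY):
        print(f"{sid}: {actions} {'(conditional)' if conditional else '(PUBLIC)'}")
```

Provider-level "block public access" settings sit on top of the policy and should be checked as well; this only inspects the policy document itself.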
Security
Security is arguably the most important aspect to get right. The services below don't generally cost anything, but they require a high level of understanding and setup to get right. Like all security, you can set it up in a lacklustre, sporadic fashion or in an organised, top-down fashion that ensures the right access levels are set for the right people. Giving people the right level of access not only makes the platform more secure but is also a key element in speeding up innovation. This is done by giving developers enough control to release and migrate, but not enough to go where they are not supposed to and cause unintended consequences. The core security service types are:

| Service Type | Description | AWS | Azure | GCP |
|---|---|---|---|---|
| Organisations | Central account management | | | |
| IAM | Manage users, devices & apps | | | |
| Access Control | Resource access control | | | |
| B2C | Identity-based app sign-in | | | |
| Key Management | Hosted key management service | | | |
| Web Firewall | Web application firewall | | | |
| DDoS Protection | DDoS protection | | | |
All providers allow you to create organisation-type accounts, and in those accounts go organisation policies: policies such as ensuring the private setting on object buckets is set by default, or what a certain group can or can't do. This means that general policies can be set once and do not need to be repeated every time you have new developers or groups. But it does require a bit of foresight and planning to do it right.
Identity and Access Management (IAM) is where users are created. They can be created on the cloud platform only, or linked back to your organisation's directory to enable single sign-on (SSO). Access Control is where you can define access at the resource level if required, e.g. on a bucket or a VM.
Business to Consumer (B2C) access allows authentication to be outsourced to social network providers such as Facebook or Google. This makes it easier for mobile applications to manage users, as they don't need a separate account on the cloud provider. Authorisation, i.e. what they can access, is still controlled within the platform through IAM.
Key Management is also an important concept, as it allows you to manage the company's security access keys. You don't want to store them on the hard disk attached to the VM, as anyone with access to that disk, including the notorious hacker, can read them. Key management is useful because it still allows developers to use a key without actually handing it to them. Keys can typically either be encrypted by the cloud provider, which is the easy option, or, if necessary, an organisation can encrypt them first and then store them.
Web Firewalls provide an extra layer of security and controls against common web attacks and are generally associated with, or attached to, the application-level load balancer. One of the benefits of the cloud is its scalability. This helps all organisations with Distributed Denial of Service (DDoS) attacks by allowing the attack traffic to be spread over many regions or locations, and by auto-scaling machine groups to increase capacity to absorb it.
Summary
In this post, we have dug a little deeper and explained the different types of core services you will find across most cloud providers. Which service to use depends on your requirements, and on the level of management abstraction you want versus the vendor lock-in you are prepared to accept.
As mentioned previously, while understanding conceptually what type of services a cloud provider has, the true magic happens when you start integrating them into patterns for devops, microservices, and data & analytics. We will cover these patterns in later posts.
If you want more information regarding any of our services to help reduce the complexity of the cloud, please contact us at contact@cloudmill.com.au.