Amazon – Scalable Startups

ECS is Amazon’s Elastic Container Service. That’s greek for how you get docker containers running in the cloud. It’s sort of like Kubernetes without all the bells and whistles.

It takes a bit of getting used to, but This terraform how to, should get you moving. You need an EC2 host to run your containers on, you need a task that defines your container image & resources, and lastly a service which tells ECS which cluster to run on and registers with ALB if you have one.

Join 38,000 others and follow Sean Hull on twitter @hullsean.

For each of these sections, create files: roles.tf, instance.tf, task.tf, service.tf, alb.tf. What I would recommend is create the first file roles.tf, then do:

$ terraform init $ terraform plan $ terraform apply

Then move on to instance.tf and do the terraform apply. One by one, next task, then service then finally alb. This way if you encounter errors, you can troubleshoot minimally, rather than digging through five files for the culprit.

This howto also requires a vpc. Terraform has a very good community vpc which will get you going in no time.

I recommend deploying in the public subnets for your first run, to avoid complexity of jump box, and private IPs for ecs instance etc.

Good luck!

May the terraform force be with you!

First setup roles

Roles are a really brilliant part of the aws stack. Inside of IAM or identity access and management, you can create roles. These are collections of privileges. I’m allowed to use this S3 bucket, but not others. I can use EC2, but not Athena. And so forth. There are some special policies already created just for ECS and you’ll need roles to use them.

These roles will be applied at the instance level, so your ecs host doesn’t have to pass credentials around. Clean. Secure. Smart!

resource "aws_iam_role" "ecs-instance-role" { name = "ecs-instance-role" path = "/" assume_role_policy = "${data.aws_iam_policy_document.ecs-instance-policy.json}" }


data "aws_iam_policy_document" "ecs-instance-policy" {

    statement {

        actions = ["sts:AssumeRole"]
        principals {

            type        = "Service"

            identifiers = ["ec2.amazonaws.com"]

        }

    }

}
resource "aws_iam_role_policy_attachment" "ecs-instance-role-attachment" {

    role       = "${aws_iam_role.ecs-instance-role.name}"

    policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"

}
resource "aws_iam_instance_profile" "ecs-instance-profile" {

    name = "ecs-instance-profile"

    path = "/"

    role = "${aws_iam_role.ecs-instance-role.id}"

    provisioner "local-exec" {

      command = "sleep 60"

    }

}
resource "aws_iam_role" "ecs-service-role" {

    name                = "ecs-service-role"

   path                = "/"

   assume_role_policy  = "${data.aws_iam_policy_document.ecs-service-policy.json}"

}
resource "aws_iam_role_policy_attachment" "ecs-service-role-attachment" {

    role       = "${aws_iam_role.ecs-service-role.name}"

    policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"

}
data "aws_iam_policy_document" "ecs-service-policy" {

    statement {

        actions = ["sts:AssumeRole"]
        principals {

            type        = "Service"

            identifiers = ["ecs.amazonaws.com"]

        }

    }

}

Setup your ecs host instance

Next you need EC2 instances on which to run your docker containers. Turns out AWS has already built AMIs just for this purpose. They call them ECS Optimized Images. There is one unique AMI id for each region. So be sure you’re using the right one for your setup.

The other thing that your instance needs to do is echo the cluster name to /etc/ecs/ecs.config. You can see us doing that in the user_data script section.

Lastly we’re configuring our instance inside of an auto-scaling group. That’s so we can easily add more instances dynamically to scale up or down as necessary.

# # the ECS optimized AMI's change by region. You can lookup the AMI here: # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html # # us-east-1 ami-aff65ad2 # us-east-2 ami-64300001 # us-west-1 ami-69677709 # us-west-2 ami-40ddb938 #


#

# need to add security group config

# so that we can ssh into an ecs host from bastion box

#
resource "aws_launch_configuration" "ecs-launch-configuration" {

  name                 = "ecs-launch-configuration"

  image_id             = "ami-aff65ad2"

  instance_type        = "t2.medium"

  iam_instance_profile = "${aws_iam_instance_profile.ecs-instance-profile.id}"
  root_block_device {

    volume_type           = "standard"

    volume_size           = 100

    delete_on_termination = true

  }
  lifecycle {

    create_before_destroy = true

  }
  associate_public_ip_address = "false"

  key_name                    = "testone"
  #

  # register the cluster name with ecs-agent which will in turn coord

  # with the AWS api about the cluster

  #

  user_data = <> /etc/ecs/ecs.config

    EOF

}
#

# need an ASG so we can easily add more ecs host nodes as necessary

#

resource "aws_autoscaling_group" "ecs-autoscaling-group" {

  name             = "ecs-autoscaling-group"

  max_size         = "2"

  min_size         = "1"

  desired_capacity = "1"
  #    vpc_zone_identifier         = ["subnet-41395d29"]

  vpc_zone_identifier  = ["${module.new-vpc.private_subnets}"]

  launch_configuration = "${aws_launch_configuration.ecs-launch-configuration.name}"

  health_check_type    = "ELB"
  tag {

    key                 = "Name"

    value               = "ECS-myecscluster"

    propagate_at_launch = true

  }

}

resource "aws_ecs_cluster" "test-ecs-cluster" { name = "myecscluster" }

Setup your task definition

The third thing you need is a task. This one will spinup a generic nginx container. It’s a nice way to demonstrate things. For your real world usage, you’ll replace the image line with a docker image that you’ve pushed to ECR. I’ll leave that as an exercise. Once you have the cluster working, you should get the hang of things.

Note the portmappings, memory and CPU. All things you might expect to see in a docker-compose.yml file. So these tasks should look somewhat familiar.

data "aws_ecs_task_definition" "test" { task_definition = "${aws_ecs_task_definition.test.family}" depends_on = ["aws_ecs_task_definition.test"] }


resource "aws_ecs_task_definition" "test" {

  family = "test-family"
  container_definitions = <
Related: Is AWS too complex for small dev teams?
Setup your service definition
The fourth thing you need to do is setup a service.  The task above is a manifest, describing your containers needs.  It is now registered, but nothing is running.
When you apply the service your container will startup.  What I like to do is, ssh into the ecs host box.  Get comfortable.  Then issue $ watch "docker ps".  This will repeatedly run "docker ps" every two seconds.  Once you have that running, do your terraform apply for this service piece.
As you watch, you'll see ECS start your container, and it will suddenly appear in your watch terminal.  It will first show "starting".  Once it is started, it should say "healthy".


resource "aws_ecs_service" "test-ecs-service" {

  name            = "test-vz-service"

  cluster         = "${aws_ecs_cluster.test-ecs-cluster.id}"

  task_definition = "${aws_ecs_task_definition.test.family}:${max("${aws_ecs_task_definition.test.revision}", "${data.aws_ecs_task_definition.test.revision}")}"

  desired_count   = 1

  iam_role        = "${aws_iam_role.ecs-service-role.name}"

  load_balancer {

    target_group_arn = "${aws_alb_target_group.test.id}"

    container_name   = "nginx"

    container_port   = "80"

  }
  depends_on = [

    #  "aws_iam_role_policy.ecs-service",

    "aws_alb_listener.front_end",

  ]

}


Related: Does AWS have a dirty secret?
Setup your application load balancer
The above will all work by itself.  However for a real-world use case, you'll want to have an ALB.  This one has only a simple HTTP port 80 listener.  These are much simpler than setting up 443 for SSL, so baby steps first.
Once you have the ALB going, new containers will register with the target group, to let the alb know about them.  In "docker ps" you'll notice they are running on a lot of high numbered ports.  These are the hostPorts which are dynamically assigned.  The container ports are all 80.


#

#

resource "aws_alb_target_group" "test" {

  name     = "my-alb-group"

  port     = 80

  protocol = "HTTP"

  vpc_id   = "${module.new-vpc.vpc_id}"

}

resource "aws_alb" "main" {

  name            = "my-alb-ecs"

  subnets         = ["${module.new-vpc.public_subnets}"]

  security_groups = ["${module.new-vpc.default_security_group_id}"]

}
resource "aws_alb_listener" "front_end" {

  load_balancer_arn = "${aws_alb.main.id}"

  port              = "80"

  protocol          = "HTTP"
  default_action {

    target_group_arn = "${aws_alb_target_group.test.id}"

    type             = "forward"

  }

}


You will also want to add a domain name, so that as your infra changes, and if you rebuild your ALB, the name of your application doesn't vary.  Route53 will adjust as terraform changes are applied.  Pretty cool.


resource "aws_route53_record" "myapp" {

  zone_id = "${aws_route53_zone.primary.zone_id}"

  name    = "myapp.mydomain.com"

  type    = "CNAME"

  ttl     = "60"

  records = ["${aws_alb.main.dns_name}"]

  depends_on = ["aws_alb.main"]

}

Related: How to deploy on EC2 with vagrant
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don't work with recruiters




		
		Posted on February 12, 2018
Very easy cloudformation template comparison with simple terraform for beginners
	


	
	
		
via GIPHY
If you search a bit on google, you’ll find lots of sample templates for both of these systems.  However I found they had a lot of complexity.
When you’re just starting, you want a very simple example.  So I thought I’d put one together.
Join 38,000 others and follow Sean Hull on twitter @hullsean.
I’m going to compare both terraform & cloudformation.  They get you to the same endpoint, but do it slightly differently.
Very basic terraform template
Ok, you’ve got terraform installed right?  If not there are howtos here.
Now let’s create a server.  
Create a directory “terraform” then cd into it.  Edit this file as main.tf
provider "aws" {
    region = "us-east-1"
}
resource "aws_instance" "example" {
    ami = "ami-40d28157"
    subnet_id = "subnet-111ddaaa"
    instance_type = "t2.micro"
    key_name = "seanKey"
}

Please change the subnet to a valid one for you.  In the real world you would definitely *not* hardcode a subnet like this.  But I wanted to keep this example very simple.  Don’t know what subnet to use?  Navigate your aws dashboard over to “VPC” and dig around.
Also of course edit for your key.
Ok, you’re ready to test.  Let’s first ask terraform what it will do with the “plan” command:
levanter:terraform sean$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.


The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

+ aws_instance.example
    ami:                      "ami-40d28157"
    availability_zone:        ""
    ebs_block_device.#:       ""
    ephemeral_block_device.#: ""
    instance_state:           ""
    instance_type:            "t2.micro"
    key_name:                 "seanKey"
    network_interface_id:     ""
    placement_group:          ""
    private_dns:              ""
    private_ip:               ""
    public_dns:               ""
    public_ip:                ""
    root_block_device.#:      ""
    security_groups.#:        ""
    source_dest_check:        "true"
    subnet_id:                "subnet-111ddaaa"
    tenancy:                  ""
    vpc_security_group_ids.#: ""


Plan: 1 to add, 0 to change, 0 to destroy.
levanter:terraform sean$

Related: What is devops and why is it important?
Build & change with Terraform
Next you want to ask terraform to go ahead and do the work.  Because above we only did a dry-run.
levanter:terraform sean$ terraform apply
aws_instance.example: Creating...
  ami:                      "" => "ami-40d28157"
  availability_zone:        "" => ""
  ebs_block_device.#:       "" => ""
  ephemeral_block_device.#: "" => ""
  instance_state:           "" => ""
  instance_type:            "" => "t2.micro"
  key_name:                 "" => "seanKey"
  network_interface_id:     "" => ""
  placement_group:          "" => ""
  private_dns:              "" => ""
  private_ip:               "" => ""
  public_dns:               "" => ""
  public_ip:                "" => ""
  root_block_device.#:      "" => ""
  security_groups.#:        "" => ""
  source_dest_check:        "" => "true"
  subnet_id:                "" => "subnet-111ddaaa"
  tenancy:                  "" => ""
  vpc_security_group_ids.#: "" => ""
aws_instance.example: Still creating... (10s elapsed)
aws_instance.example: Still creating... (20s elapsed)
aws_instance.example: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate
levanter:terraform sean$ 

One thing I like is terraform shows us the progress at command line.  Cloudformation isn’t so nicely finished.  🙂
Ok, let’s add a tag name to our server.  We’re going to add just three lines to our main.tf file:
provider "aws" {
    region = "us-east-1"
}

resource "aws_instance" "example" {
    ami = "ami-40d28157"
    subnet_id = "subnet-111ddaaa"
    instance_type = "t2.micro"
    tags {
        Name = "terraform-box"
    }
}


Now we do terraform apply again.  Look how easy that change is to make!
levanter:terraform sean$ terraform apply
aws_instance.example: Refreshing state... (ID: i-0ddd063bbbbce56e2)
aws_instance.example: Modifying...
  tags.%:    "0" => "1"
  tags.Name: "" => "terraform-box"
aws_instance.example: Modifications complete

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate
levanter:terraform sean$ 


Navigate to the EC2 dashboard and you should see the first column showing your new name.
That was cool!  
Chances are you don’t wanna leave these components sitting around.  Let’s cleanup.  That’s easy too!
levanter:terraform sean$ terraform destroy
Do you really want to destroy?
  Terraform will delete all your managed infrastructure.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

aws_instance.example: Refreshing state... (ID: i-0ddd063bbbbce56e2)
aws_instance.example: Destroying...
aws_instance.example: Still destroying... (10s elapsed)
aws_instance.example: Still destroying... (20s elapsed)
aws_instance.example: Still destroying... (30s elapsed)
aws_instance.example: Still destroying... (40s elapsed)
aws_instance.example: Still destroying... (50s elapsed)
aws_instance.example: Still destroying... (1m0s elapsed)
aws_instance.example: Destruction complete

Destroy complete! Resources: 1 destroyed.
levanter:terraform sean$ 


Related: Top questions to ask on a devops interview
Very basic CloudFormation template example
Hopefully you wrote down your subnet name & keyname.  So this will be easy.
Let’s create a “cfn” directory and cd into it.
Next edit main.yml
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      SubnetId: subnet-333dfe6a
      KeyName: "iheavy"
      ImageId: "ami-40d28157"

Now let’s build that with cloudformation.  You need to have the awscli installed.  Here’s amazon’s howto.
Now let’s create.  Cloudformation organizes things as “stacks.  
aws cloudformation create-stack --template-body file://sean-instance.yml --stack-name cfn-test

Since I didn’t define “outputs” to keep the yaml simple, the command above should just return without error.
You can go into the aws dashboard, and navigate to “CloudFormation” and see the stack being created.  You can also see under “EC2” a new instance has been created.
Related: How do I migrate my skills to the cloud?
Add an instance name with tags in Cloud Formation
As we did with terraform, let’s add a name to the server.  This is just a tag, not a hostname, so it’s only useful throughout the AWS API.
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      SubnetId: subnet-333dfe6a
      KeyName: "iheavy"
      ImageId: "ami-40d28157"
      Tags:
        - Key: "Name"
          Value: "cfn-box"

Note the three new lines at the bottom.  Ok, let’s apply those changes:
levanter:cfn sean$ aws cloudformation update-stack --template-body file://sean-instance.yml --stack-name cfn-test

Navigate to the EC2 dashboard and you should see the first column showing your new name.
Time to cleanup.  Let’s delete that stack:
levanter:cfn sean$ aws cloudformation delete-stack --stack-name cfn-test12
levanter:cfn sean$ 

Related: Is upgrading Amazon RDS like a sh*t storm that will not end?
Conclusions
Terraform just supports JSON or it’s HCL (hashicorp configuration language).  Actually the latter way of formatting is better supported. 
On the CloudFormation side you can use yaml or json.
However CloudFormation can be clunky and frustrating to work with.  For example to dry-run in terraform is easy.  Just use “plan”.  And isn’t something we’re going to do over and over?  
In CloudFormation there is a “validate-template” option, but this just checks your JSON or YAML.  It doesn’t hit amazon’s API or test things in any real way.  They have added something called Change Sets, but I haven’t tried them too much yet.
Also CloudFormations error messages are really lacking.  They often give you a syntax error or tell you a resource is incomplete without real details on where or how.  It makes debugging slow and tedious.  Sometimes I see errors at create-stack calls.  Other times that succeeds only to find errors within the CloudFormation dashboard.
Terraform is wayyyyy better.
Related: Is Amazon Web Services too complex for small dev teams?
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	



		
		Posted on January 29, 2018
How is automation impacting the dba role?
	


	
	
		
via GIPHY
I was at a dinner party recently, and talking with some colleagues.  I had worked with them years back on Oracle systems.
One colleague Maria said she really enjoyed my newsletter.  
Join 38,000 others and follow Sean Hull on twitter @hullsean.
She went on to say how much has changed in the last decade.  We talked about how the database administrator, as a career role, wasn’t really being hired for much these days.  Things had changed.  Evolved a lot.
How do you keep up with all the new technology, she asked?  
I went on to talk about Amazon RDS, EC2, lambda & serverless as really exciting stuff.  And lets not forget terraform (I wrote a howto on terraform), ansible, jenkins and all the other deployment automation technologies.  







    By the way, I write an article like this every month, covering consulting lessons, tech trends, cloud and startup innovation.  Get the next one via email.

    

    







We talked about Redshift too.  It seems to be everywhere these days and starting to supplant hadoop as the warehouse of choice for analytics.
It was a great conversation, and afterward I decided to summarize my thoughts.   Here’s how I think automation and the cloud are impacting the dba role.
My career pivots
Over the years I’ve poured all those computer science algorithms, coding & hardware skills into a lot of areas.  Tools & popular language change.  Frameworks change.  But solid deductive reasoning remains priceless.  
o C++ Developer
Fresh out of college I was doing Object Oriented Programming on the Macintosh with Codewarrior & powerplant.  C++ development is no joke, and daily coding builds strength in a lot of areas.  Turns out he application was a database application, so I was already getting my feet wet with databases.
o Jack of all trades developer & Unix admin
One type of job role that I highly recommend early on is as a generalist.  At a small startup with less than ten employees, you become the primary technology solutions architect.  So any projects that come along you get your hands dirty with.  I was able to land one of these roles.  I got to work on Windows one day, Mac programming another & Unix administration & Oracle yet another day.
o Oracle DBA 
The third pivot was to work primarily on Oracle.  I attended Oracle conferences & my peers were Oracle admins.  Interestingly, many of the Oracle “experts” came from more of a business background, not computer science.  So to have a more technical foundation really made you stand out.  
For the startups I worked with, I was a performance guru, scalability expert.  Managers may know they have Oracle in the mix, but ultimately the end goal is to speed up the website & make the business run.  The technical nuts & bolts of Oracle DBA were almost incidental.
o MySQL & Postgres 
As Linux matured, so did a lot of other open source projects.  In particular the two big Open Source databases, MySQL & Postgres became viable.  
Suddenly startups were willing to put their businesses on these technologies.  They could avoid huge fees in Oracle licenses.  Still there were not a lot of career database experts around, so this proved a good niche to focus on.
o RDS & Redshift on Amazon Cloud
Fast forward a few more years and it’s my fifth career pivot.  Amazon Web Services bursts on the scene.  Every startup is deploying their applications in the cloud.  And they’re using Amazon RDS their managed database service to do it.  That meant the traditional DBA role was less crucial.  Sure the business still needed data expertise, but usually not as a dedicated role.
Time to shift gears and pour all of that Linux & server building experience into cloud deployments & migrating to the cloud.
o Devops, data, scalability & performance
Now of course the big sysadmin type role is usually called an SRE or Devops role.  SRE being site reliability engineer.  New name but many of the same responsibilities.
Now though infrastructure as code becomes front & center.  Tools like CloudFormation & Terraform, plus Ansible, Chef & Jenkins are all quite mature, and being used everywhere.  
Checkout your infrastructure code from git, and run terraform apply.  And minutes later you have rebuilt your entire stack from bare metal to fully functioning & autoscaling application.  Cool!
Related: 30 questions to ask a serverless fanboy
How I’ve steered DBA skills
There’s no doubt that data expertise & management skills are still huge.  But the career role of database administrator has evolved quite a bit. 
Related: 5 surprising features of Amazon Lambda serverless computing
Pros of automation & managing databases
For DBAs who are looking at the cloud from the old way of doing things, there’s a lot to love about it.
Automation brings repeatability to work & jobs.  This is great.  It raises the bar & makes us more professional, reducing manual processes & mistakes.
Infrastructure as code is self documenting.  It means we have a better idea of day-to-day processes, and can more easily handoff to new folks as we change roles or companies.
Related: Why generalists are better at scaling the web
Cons of automation & databases
However these days cloud, automation & microservices have brought a lot of madness too!  Don’t believe me check out this piece on microservice madness.
With microservices you have more databases across the enterprise, on more platforms.  How do you restore all at the same time?  How do you do point-in-time recovery?  What if your managed service goes down?
Migration scripts have become popular to make DDL changes in the database.  Going forward (adding columns or tables) is great.  But should we be letting our deployment automation roll *BACK* DDL changes?   Remember that deletes data right?  🙂
What about database drop & rebuild?  Or throwing databases in a docker container?  No bueno.  But we’re seeing this more and more.  New performance problems are cropping up because of that.
What about when your database upgrades automatically?  Remember when you use a managed service, it is build for 1000 users, not one.  So if your use case is different you may struggle.
In my experience upgrading RDS was a nightmare.  Database as a service upgrades lack visibility.  You don’t have OS or SSH access so you can’t keep track of things.  You just simply wait.  
No longer do we have “zero downtime”.  With amazon RDS you have guarenteed downtime upgrades.  No seriously.
As the field of databases fragments, we are wearing many more hats.  If you like this challenge & enjoy being a generalist, you may feel at home here.  But it is a long way from one platform one skill set career path.
Also fragmented db platforms means more complex recovery.  I can’t stress this enough.  It would become practically impossible to restore all microservices, all their underlying databases & all systems to one single point in time, if you need to.
Related: Is upgrading Amazon RDS like a sh*t storm that will not end?
DBAs, it’s time to step up and pivot
As the DBA role evolves, it also brings great opportunity.  For those with solid database & data skills are sorely in need at startups  and many fortune 500 organizations.
What I’m seeing is that organizations have lost much of the discipline they had as separate dba or operations departments.  Schemaless databases have proliferated, and performance has suffered.  
All these are more complex now, but strong DBA, performance & troubleshooting skills are needed now more than ever.
Related: The art of resistance in tech consulting
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	



		
		Posted on September 12, 2017
Is maintenance as sexy as innovation?
	


	
	
		 
via GIPHY
A recent NYT piece on our aging american infrastructure got me thinking.  It seems that roads, bridges, airports & city sewer systems are all in need of repair.  Sadly as budgets to maintain these systems in good repair are often short, they become larger problems to fix as their status becomes critical.
Join 37,000 others and follow Sean Hull on twitter @hullsean.
“Americans have an impoverished and immature conception of technology, one that fetishizes innovation as a kind of art and demeans upkeep as a mere drudgery.”
I’m not sure this is an American-only phenomenon.  However I do see it a lot with technology companies & startups.  
1. Do we have to manage ops in the cloud?
The cloud has enabled infrastructure automation in some pretty phenomenal ways.  Code pipelines can deliver changes to a repo, through automated unit testing, and out to customers all without human intervention.  This makes teams more agile, and ultimately businesses faster & more profitable.  
We might be distracted enough to stop worrying about operations altogether.  After all Amazon knows how to manage broken servers & alert us right?  I write do we have to manage operations in the cloud previously, as this sentiment seems to be growing.
Modern applications have a ton of interdependencies.  Even with decent integration testing, the full stack is complex, and requires monitoring.  Co-tenancy can complicate your performance tuning efforts as neighboring customers may directly affect your application.  Third party services may be delivered from smaller or less experienced companies, whose SLA may be limiting besides.  And hey if Amazon goes down, I can just tell my customers it was their fault, right?
Also: Is Amazon too big to fail?
2. Do you know Dustin Moskovitz?
Chances are I’m guessing you’ll say no.  He was part of the original Facebook team alongside Zuckerberg.  You don’t know his name?  He had the sexy job of, you guessed it maintenance!  He was the operations guy.  Did he write the application code?  More than likely he knew that code very well as he had to fix & maintain it.  Along with the infrastructure to scale & support Facebook’s massive growth.  
Read: Is AWS too complex for small dev teams?  The growing demand for Cloud SRE
3. Is a little technical debt ok?
Ward Cunningham has an excellent interview about technical debt.  Is a little bit ok?  Maybe.  But each amount is kicking the can down the road.  As the NYT article on maintenance makes clear, you can move the responsibility on to the next administration, the next term, or someone else, but eventually you’ll have a critical problem on your hands, which will be much more expensive to fix.  
Related: How to build an operational datastore on Amazon Redshift with S3
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	



		
		Posted on July 6, 2017
What does the fight between palantir & nypd mean for your data?
	


	
	
		
via GIPHY
In a recent buzzfeed piece, NYPD goes to the mat with Palantir over their data.  It seems the NYPD has recently gotten cold feet.
Join 35,000 others and follow Sean Hull on twitter @hullsean.
As they explored options, they found an alternative that might save them a boatload of money.   They  considered switching to an IBM alternative called Cobalt.  
And I mean this is Silicon Valley, what could go wrong?  
Related: Will SQL just die already?
Who owns your data?
In the case of Palantir, they claim to be an open system.  And of course this is good marketing.  Essential in fact to get the contract.  Promise that it’s easy to switch.  Don’t dig too deep into the technical details there.  According to the article, Palantir spokeperson claims:
“Palantir is an open platform.  As with all our customers, their data & analysis are available to them at all times in an open & nonproprietary format.”


And that does appear to be true.  What appears to be troubling NYPD isn’t that they can’t get the analysis, for that’s available to them in perpetuity.  Within the Palantir system.  But getting access to how the analysis is done, well now that’s the secret sauce.  Palantir of course is not going to let go of that.  
And that’s the devil in the details when you want to switch to a competing service.  
Also: Top serverless interview questions for hiring aws lambda experts
Who owns the algorithms?
Although the NYPD can get their data into & out of the Palantir system easily, that’s just referring to the raw data.  That’s the data they ingested in the first place, arrest records, license plate reads, parking tickets, stuff like that.  
“This notion of how portable your data is when you engage in a contract with a platform is really, really complex, and hasn’t really been tested” – Tal Klein
Palantir’s secret sauce, their intellectual property, is finding the needle in the haystack.  What pieces of data are relevant & how can I present the detectives the right information at the right time.  
Analysis *is* the algorithms.  It’s the big data 64 million dollar question.  Or in this case $3.5 million per year, as the contract is reported to be worth!
Related: Which engineering roles are in greatest demand?
The nature of software as a service
The web is bringing us great platforms, like google & amazon cloud.  It’s bringing a myriad of AI solutions to our fingertips.  Palantir is providing a push button solution to those in need of insights like the NYPD.  
The Cobalt solution that IBM is offering goes the other way.  Build it yourself, manage it, and crucially control it.  And that’s the difference.
It remains to be seen how the rush to migrate the universe of computing to Amazon’s own cloud will settle out.  Right now their in a growth phase, so it’s all about lowering prices.  But at some point their market muscle will mean they can go the Oracle route a la Larry Ellison.  That’s why customers start feeling the squeeze.
If the NYPD example is any indication, it could get ugly!
Read: Can on-demand consulting save startups time & money?
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	



		
		Posted on June 1, 2017June 1, 2017
Do we have to manage ops in the cloud?
	


	
	
		
via GIPHY
One of the things that is exciting about the cloud is the reduced need for operations staff.  There seem to be two drivers of this trend.  One is devops, and all the automation that comes with it.  As we formalize configurations, things become repeatable, and fewer people can manage greater armies of servers.
The second is by moving to a cloud hosting provider, we essentially outsource the operations to their team.
1. Pretty abstractions?  still hardware buried somewhere
That’s right, beneath all the virtual EC2 instances & VPCs there is physical hardware.  Huge datacenters sit in North Virginia, Oregon, Ireland, London and many other cities.  Within them there are racks upon racks of servers.  The hypervisor layer, the abstraction built on top of that, orchestrates everything.  
Although we outsource the management of those datacenters to Amazon, there are still responsibilities we carry.  Let’s dig into those more.
Also: Top serverless interview questions to ask an expert
2. Full-stack dev – demand for generalists?
These days we see the demand for a full stack developer.  That is someone who does not only front end dev, but also backend.  In turn, they are often asked to wear the had of ops.  Spinup EC2 instance, decide on the capacity & size, choose proper disk I/O, place it within the right subnet & vpc & then configure the security groups properly.  
All of these tasks would previously been managed by a dedicated ops team, but now those responsibilities are being put on developers shoulders.  In some cases, such as with microservices, devs also carry the on-call duties of their applications.  
Lastly there is likely ops to handle automation.  Devops will formalize configurations, into ansible playbooks or chef recipes, so they can be checked into version control.  At this point infrastructure can even be unit tested.
Read: Build an operational datastore on aws S3 with Spectrum
3. Design, resiliency, instrumentation, debugging
In previous eras, ops teams would be heavily involved with design of applications & architecture to support that.  Now that may be handed to devs, but it still needs to happen.  
Furthermore resiliency is said to be the customers responsibility.  In the pre-cloud days, hardware was more reliable.  It had a slower failure rate.  With virtual machines, they’re expected to fail, and all the components to make your applications resilient are given to you.  But it’s your job to architect them together.  
That means your applications need to be self-healing.  Failures need to be detected, taken out of autoscaling groups, and replaced.  All automatically.  Code or not, that is certainly operations.
Check this: Which engineering roles are in top demand?
4. It’s amazon’s fault we’re down!
I’ve seen quite a few outages in the past year, from Dropbox to Airbnb, and DYN themselves.  Ultimately these outages could be tied back to a failure with Amazon.  But when your business customers are relying on your service, it is *YOUR* business that answers to it’s own SLA.  
In the news we see many of these firms pointing the finger at Amazon, “hey it’s not our fault, our cloud provider went down!”.  Ultimately your customers don’t care.  They don’t want excuses.  If using multiple regions in AWS is not sufficient, you’ll need to build your application to be multi-cloud. 
Also: 30 questions to ask a serverless fanboy
5. It’s hard to outsource your expertise
Remember, while you outsource your operations to Amazon, you’re getting very professional management of those systems.  However they will optimize for their many customers.  Your particular problems are less of a concern.  
Read this: What can startups learn from the DYN DNS outage?
6. Only you can thinking holistically about interdependancies
Your application more than likely uses a number of APIs to capture data, perhaps do single sign on or even a third party database like Firebase.  It’s your responsibility to do integration testing.  All that becomes more complex in the cloud.
Also: How to lock down systems from outgoing employees
7. How do services complicate things?
SaaS solutions are everywhere now.  auth0, firebase and an infinite variety of third party apis complicate reliability, security, storage, performance, integration testing & debugging?
Security is a traditional responsibility held by the operations hat.  Much of that becomes more complex in the cloud.  With serverless applications for example you may use a few APIs, plus an authentication broker, and a backend database.  As this list of services grows, the code you write may decrease.  But testing & securing it all becomes much more complex.
With more services like this, the attack vector or surface area becomes greater.  Each of those services, can and will have bugs.  What if a zero day is found in the authentication broker, allowing a hacker to break into a broad cross section of applications across the internet?  How do you discover this?  What if your vendor hasn’t found out yet?
Read: Is Amazon cloud too complex for small dev teams?
8. How does co-tenancy impact performance tuning?
Back to point #1 above, all these virtual servers sit on real physical servers.  That affects customers in two ways.  One  you may be sharing the same host.  That is if you use a very small vm, it may sit along side another customer with a small vm.  If those eat up CPU cycles or network on that box, neighbors or co-tenants will suffer.
There are many other instance types where you get your own dedicated hardware.  With those you have your own nic as well, so no competition.  Except wait there’s network storage!  That’s right all the machines in the AWS environment use EBS now, which is all co-tenant.  So your data is sitting alongside other customers, and you are all fighting for usage of the same disk read heads.  
One way to mitigate this is to configure specific provisioned IOPS for your servers.  But that costs more.  It’s normally reserved for database instances where disk I/O is really crucial.
Granted the NewRelics of the world will certainly help us with this process.  But they’re not giving us a hypervisor or global view of those servers, network or storage.  So we can’t see how the overall systems performance may be impacted.
Related: Is AWS a patient that needs constant medication?
9. Operations can be invisible
When security is done well, you don’t have breakins, you don’t have data stolen, everything just runs smoothly.  Operations is like that too.  When it is done well it can be invisible.  
It can also be invisible in a different way.  When you deploy your application on serverless, all the servers & autoscaling is completely abstracted away.  So when you get some weird outage because the farm of servers is offline, or because you hit some account limit in the number of functions you can run at once, then it quickly comes into focus.  
Beware of invisible operations, because it’s harder to see what to monitor, and know how to stay ahead of outages.
Read: Is amazon too big to fail?
10. We can’t oursource true ownership
At the end of the day you can’t outsource ownership of your application or your business.  The holistic view of your application in totality can only be understood by your engineers.  
And that in the end is what operations is all about, no matter who’s wearing the hat!
Also: 5 reasons to move data to amazon redshift
Get my monthly newsletter for more thoughts on data, startups & innovation.  Scalability.  Automation.  Amazon cloud.
	


	



		
		Posted on April 24, 2017
Is Amazon about to disrupt your data warehouse?
	


	
	
		
via GIPHY
Amazon is about to launch a product called glue.  As you can see below, this is the last piece in the data warehousing puzzle.  With that in place, Amazon will own you!    Or at least have push button products to meet all of enterprises varying needs.  
Even if you’re a small startup, you can do big-shot big enterprise data warehousing.  That means everyone can use cutting edge data driven techniques for product & business decisions.  
Join 33,000 others and follow Sean Hull on twitter @hullsean.

What is Redshift
Redshift is like the OLAP databases of years past, the Oracle’s of the world purpose built for warehousing data.  Obviously without the crazy licensing model Oracle was famous for.  With Amazon you can get enterprise class data warehouse for modest hourly prices.  
If my recent conversations with recruiters about Redshift demand are any indication, there’s been a sudden uptick in startups looking for redshift expertise.  
Also: Top serverless interview questions for hiring aws lambda experts
What is Spectrum?
Spectrum is a very new extension of Redshift allowing you to access & query S3 file data directly.  This means you can have petabytes of data that you can access pre-load time.  So you will ETL and load portions of it, but with Spectrum you can still access the offline data too.
In the old Oracle days this was called an EXTERNAL TABLE.  I mention this only to say that Amazon isn’t doing anything that hasn’t been done before.  Rather they’re bringing these advanced features within reach of everyday startups.  That’s cool. 
Related: Which engineering roles are in greatest demand?
What is glue?
Glue is still in beta, but if the RE:Invent talk above is any indication, it’s set to disrupt an entire industry.  Wow!
Glue first catalogs your data sources.  What does this mean, it scans them & models their schemas.  
It then generates sample python ETL code.  Modify it, or write your own.  Share your code on Git.  Or borrow other open source pieces, that already address your specific ETL use case!
Lastly it includes a job scheduler which handles dependencies.  Job A must be completed before B can run and so forth.  Error handling & logging are also all included.
Since these are native Amazon services, of course they’re going to integrate with their dangerously fast Redshift warehouse.
Read: Can on-demand consulting save startups time & money?
What is serverless?
I’ve written about how to throw fastballs at a serverless fanboy and even how to hire a serverless expert.  But really what is it?
Serverless means deploying functions directly into the cloud.  No servers, no configuration.  All the systems administration & automation is hidden.  No more devops to argue with!  Amazon’s own offering is called  Lambda.
Also: 30 questions to ask a serverless fanboy
What is Quicksight?
Amazon’s even jumped into the fray at the presentation layer.  Quicksight is a BI tool along the lines of mode, domo, looker or Tableau.
Now it’s possible to stay completely within the cozy Amazon ecosystem even for business insight and analytics.
Also: What can startups learn from the DYN DNS outage?
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	



		
		Posted on April 20, 2017April 20, 2017
Top questions to ask a devops expert when hiring or preparing for job & interview
	


	
	
		Strip by Randall Munroe; xkcd.com
Whether your a hiring manager, head of HR or recruiter, you are probably looking for a devops expert.  These days good ones are not easy to find.  The spectrum of tools & technologies is broad.  To manage today’s cloud you need a generalist.
Join 33,000 others and follow Sean Hull on twitter @hullsean.
If you’re a devops expert and looking for a job, these are also some essential questions you should have in your pocket.  Be able to elaborate on these high level concepts as they’re crucial in todays agile startups.
Check out: 8 questions to ask an aws ec2 expert
Also new: Top questions to ask on a devops expert interview
And: How to hire a developer that doesn’t suck
1. How do you automate deployments?
A. Get your code in version control (git)
Believe it or not there are small 1 person teams that haven’t done this.  But even with those, there’s real benefit.  Get on it!
B. Evolve to one script push-button deploy (script)
If deploying new code involves a lot of manual steps, move file here, set config there, set variable, setup S3 bucket, etc, then start scripting.  That midnight deploy process should be one master script which includes all the logic.
It’s a process to get there, but keep the goal in sight.
C. Build confidence over many iterations (team process & agile)
As you continue to deploy manually with a master script, you’ll iron out more details, contingencies, and problems.  Over time You’ll gain confidence that the script does the job.
D. Employ continuous integration Tools to formalize process (CircleCI, Jenkins)
Now that you’ve formalized your deploy in code, putting these CI tools to use becomes easier.  Because they’re custom built for you at this stage!
E. 10 deploys per day (long term goal)
Your longer term goal is 10 deploys a day.  After you’ve automated tests, team confidence will grow around developers being able to deploy to production.  On smaller teams of 1-5 people this may still be only 10 deploys per week, but still a useful benchmark.
Also: Top serverless interview questions for hiring aws lambda experts
2. What is microservices?
Microservices is about two-pizza teams.  Small enough that there’s little beaurocracy.  Able to be agile, focus on one business function.  Iterate quickly without logjams with other business teams & functions.  
Microservices interact with each other through APIs, deploy their own components, and use their own isolated data stores.  
Function as a service, Amazon Lambda, or serverless computing enables microservices in a huge way.   
Related: Which engineering roles are in greatest demand?
3. What is serverless computing?
Serverless computing is a model where servers & infrastructure do not need to be formalized.  Only the code is deployed, and the platform, AWS Lambda for example, takes care of instant provisioning of containers & VMs when the code gets called.
Events within the cloud environment, such a file added to S3 bucket, trigger the serverless functions.  API Gateway endpoints can also trigger the functions to run.
Authentication services are used for user login & identity management such as Auth0 or Amazon Cognito.  The backend data store could be Dynamodb or Google’s Firebase for example.
Read: Can on-demand consulting save startups time & money?
4. What is containerization?
Containers are like faster deploying VMs.  They have all the advantages of an image or snapshot of a server.  Why is this useful?  Because you can containerize your microservices, so each one does one thing.  One has a webserver, with specific version of xyz.  
Containers can also help with legacy applications, as you isolate older versions & dependencies that those applications still rely on.  
Containers enable developers to setup environments quickly, and be more agile.  
Also: 30 questions to ask a serverless fanboy
5. What is CloudFormation?
CloudFormation, formalizes all of your cloud infrastructure into json files.  Want to add an IAM user, S3 bucket, rds database, or EC2 server?  Want to configure a VPC, subnet or access control list?  All these things can be formalized into cloudformation files.  
Once you’ve started down this road, you can checkin your infrastructure definitions into version control, and manage them just like you manage all your other code.  Want to do unit tests?  Have at it.  Now you can test & deploy with more confidence.
Terraform is an extension of CloudFormation with even more power built in.
Also: What can startups learn from the DYN DNS outage?
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	



		
		Posted on March 2, 2017March 2, 2017
Some irresistible reading for March – outages, code, databases, legacy & hiring
	


	
	
		
via GIPHY
I decided this week to write a different type of blog post.  Because some of my favorite newsletters are lists of articles on topics of the day.   
Join 32,000 others and follow Sean Hull on twitter @hullsean.
Here’s what I’m reading right now.
1. On Outages
While everyone is scrambling to figure out why part of the internet went down … wait is S3 is part of the internet, really?  While I’m figuring out if it is a service of Amazon, or if Amazon is so big that Amazon *is* the internet now…
Let’s look at s3 architectural flaws in depth.
Meanwhile Gitlab had an outage too in which they *gasp* lost data.  Seriously?  An outage is one thing, losing data though.  Hmmm…
And this article is brilliant on so many levels.  No least because Matthew knows that “post truth” is a trending topic now, and uses it his title.  So here we go, AWS Service status truth in a post truth world.  Wow!
And meanwhile the Atlantic tries to track down where exactly are those Amazon datacenters?
Also: Is Amazon too big to fail?
2. On Code
Project wise I’m fiddling around with a few fun things.
Take a look at Guy Geerling’s Ansible on a Mac playbooks.  Nice!
And meanwhile a very nice deep dive on Amazon Lambda serverless best practices.
Brandur Leach explains how to build awesome APIs aka ones that are robust & idempotent
Meanwhile Frans Rosen explains how to 0wn slack.  And no you don’t want this.  🙂
Related: 5 surprising features in Amazon’s serverless Lambda offering
3. On Hiring & Talent
Are you a rock star dev or a digital nomad?  Take a look at the 12 best international cities to live in for software devs.
And if you’re wondering who’s hiring?  Well just about everyone!
Devs are you blogging?  You should be.
Looking to learn or teach… check out codementor.
Also: why did dev & ops used to be separate job roles?
4. On Legacy Systems
I loved Drew Bell’s story of stumbling into home ownership, attempting to fix a doorbell, and falling down a familiar rabbit hole.  With parallels to legacy software systems… aka any older then oh say five years?
Ian Bogost ruminates why nothing works anymore… and I don’t think an hour goes by where I don’t ask myself the same question!
Also: Are we fast approaching cloud-mageddon?
5. On Databases
If you grew up on the virtual world of the cloud, you may have never touched hardware besides your own laptop.  Developing in this world may completely remove us from understanding those pesky underlying physical layers.  Yes indeed folks containers do run in “virtual” machines, but those themselves are running on metal, somewhere down the stack.
With that let’s not forget that No, databases are not for containers… but a healthy reminder ain’t bad..
Meanwhile Larry’s mothership is sinking…(hint: Oracle)  Does anybody really care?  Now’s the time to revisit Mike Wilson’s classic The difference between god and Larry Ellison.
Read: Are SQL Databases Dead?
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	



		
		Posted on June 7, 2016June 7, 2016
Does AWS have a dirty little secret?
	


	
	
		
I was recently talking with a colleague of mine about where AWS is today.  Obviously there companies are migrating to EC2 & the cloud rapidly.  The growth rates are staggering.  
Join 32,000 others and follow Sean Hull on twitter @hullsean.
The question was…
“What’s good and bad with Amazon today?”
It’s an interesting question.  I think there some dirty little secrets here, but also some very surprising bright spots.  This is my take.
1. VPC is not well understood  (FAIL)
This is the biggest one in my mind.  Amazon’s security model is all new to traditional ops folks.  Many customers I see deploy in “classic EC2”.  Other’s deploy haphazerdly in their own VPC, without a clear plan.
The best practices is to have one or more VPCs, with private & public subnet.  Put databases in private, webservers in public.  Then create a jump box in the public subnet, and funnel all ssh connections through there, allow any source IP, use users for authentication & auditing (only on this box), then use google-authenticator for 2factor at the command line.  It also provides an easy way to decommission accounts, and lock out users who leave the company.
However most customers have done little of this, or a mixture but not all of it.  So GETTING TO BEST PRACTICES around vpc, would mean deploying a vpc as described, then moving each and every one of your boxes & services over there.  Imagine the risk to production services.  Imagine the chances of error, even if you’re using Chef or your own standardized AMIs.
Also: Are we fast approaching cloud-mageddon?
2. Feature fatigue (FAIL)
Another problem is a sort of “paradox of choice”.  That is that Amazon is releasing so many new offerings so quickly, few engineers know it all.  So you find a lot of shops implementing things wrong because they didn’t understand a feature.  In other words AWS already solved the problem.
OpenRoad comes to mind.  They’ve got media files on the filesystem, when S3 is plainly Amazon’s purpose-built service for this.  
Is AWS too complex for small dev teams & startups?

Related: Does Amazon eat it’s own dogfood? Apparently yes!
3. Required redundancy & automation  (FAIL)
The model here is what Netflix has done with ChaosMonkey.  They literally knock machines offline to test their setup.  The problem is detected, and new hardware brought online automatically.  Deploying across AZs is another example.  As Amazon says, we give you the tools, it’s up to you to implement the resiliency.
But few firms do this.  They’re deployed on Amazon as if it’s a traditional hosting platform.  So they’re at risk in various ways.  Of Amazon outages.  Of hardware problems under the VMs.  Of EBS network issues, of localized outages, etc.
Read: Is Amazon too big to fail?
4. Lambda  (WIN)
I went to the serverless conference a week ago.  It was exiting to see what is happening.  It is truely the *bleeding edge* of cloud.  IBM & Azure & Google all have a serverless offering now.  
The potential here is huge.  Eliminating *ALL* of the server management headaches, from packages to config management & scaling, hiding all of that could have a huge upside.  What’s more it takes the on-demand model even further.  YOu have no compute running idle until you hit an endpoint.  Cost savings could be huge.  Wonder if it has the potential to cannibalize Amazon’s own EC2 …  we’ll see.
Charity Majors wrote a very good critical piece – WTF is Operations? #serverless

WTF is operations? #serverless
Patrick Dubois 

  
  From serverless to Service Full – How the mindset of devops is evolving  from Patrick Debois 
Also: Is the difference between dev & ops a four-letter word?
5. Redshift  (WIN)
Seems like *everybody* is deploying a data warehouse on Redshift these days.  It’s no wonder, because they already have their transactional database, their web backend on RDS of some kind.  So it makes sense that Amazon would build an offering for reporting.
I’ve heard customers rave about reports that took 10 hours on MySQL run in under a minute on Redshift.  It’s not surprising because MySQL wasn’t built for the size servers it’s being deployed on today.  So it doesn’t make good use of all that memory.  Even with SSD drives, query plans can execute badly.
Also: Is there a better way to build a warehouse in 2016?
Get more.  Grab our exclusive monthly Scalable Startups. We share tips and special content.  Our latest Why I don’t work with recruiters
	


	

    

	
		Posts navigation
		Page 1
Page 2
Page 3
Next page