Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
1 like286 views
- Azure Spring Apps is a fully managed service for deploying and managing Spring Boot apps in the cloud without having to learn or manage Kubernetes. It provides auto-scaling, security, high availability, and auto-patching capabilities. - Managing software updates and security patches across multiple components like apps, dependencies, JDKs, OSes, Kubernetes, etc. is challenging due to the large volume of updates and need for testing and approvals. Azure Spring Apps reduces this burden through auto-patching which applies critical security updates automatically during scheduled maintenance windows. - Auto-patching helps customers stay ahead of security threats and vulnerabilities by proactively applying patches for exposed issues like Log4j, OpenSSL vulnerabilities,
Simplify and Scale Enterprise Spring Apps in the Cloud | March 23, 2023
- 1. Simplify and scale Enterprise Spring Apps in the cloud Asir Selvasingh Principal Architect, Java on Azure, Microsoft Adib Saikali Principal Solutions Engineer, VMware
- 2. Azure
- 3. Fully managed service for Spring Boot apps
- 4. Note: features covered today only in the Enterprise Tier Enterprise
- 5. You do not have to learn or manage Kubernetes
- 6. Azure Spring Apps Spring Boot apps Service runtime
- 7. Open source client libraries, integration modules and drivers Data Storage Cache Async communications – JMS and Kafka Keys, secrets & certs Data Cache Async communications – JMS and Kafka Keys, secrets & certs Open source client libraries, integration modules and drivers Storage Azure Spring Cloud Monitor – logstream, APM and end-to-end Identities end-users and machines Automation Developer experiences Spring Boot apps Service runtime ... App 1 App 2 App 3 App N Agents Build Service Config Server Service Registry Lifecycle Resiliency Logstream Encryption Diagnostics Domains Developer experiences Monitor – logstream, APM & end-to-end Identities – end-users & machines Automation Data Open sou Stor Monitor – logstream, AP Developer experiences Spring Boot apps ... App 1 App 2 App 3 App N Azure Spring Apps Azure Spring Apps
- 8. az spring create --name ${SPRING_CLOUD_SERVICE} --sku enterprise --resource-group ${RESOURCE_GROUP} --location ${REGION} az spring app create --name ${CUSTOMERS_SERVICE} az spring app deploy --name ${CUSTOMERS_SERVICE} --jar-path ${CUSTOMERS_SERVICE_JAR}
- 9. Enterprise
- 10. Enterprise
- 12. Developers IT Operators Executives Enterprise
- 13. Home for enterprise Spring Boot applications
- 17. Enterprise
- 19. Source Code Configuration Options Enterprise
- 20. Start in a Git repo with source code and configuration files Configure Options and Transformations Rules Publish to Catalog Enterprise
- 21. Quicker way to get started Find and select an Accelerator Specify Option Values Download the generated files & start coding Enterprise
- 22. Popular and easy to get started Confidential │ ©2020 VMware, Inc. • Dockerfiles are the most common way of creating Docker Images • Their flexibility is their power • Run any command, mutate any file • Their flexibility is their weakness • Keeping consistent, ensuring security • Takes a lot of effort for "good" Dockerfiles 5 Creating Docker Images
- 23. When dev teams build images differently, they introduce vulnerabilities and complexity Image updates Security posture Full stack container audits IT governance
- 24. Specification to translate application code to OCI compliant container image
- 25. Enterprise
- 26. Enterprise
- 27. Runtime
- 29. Enterprise
- 30. Easy to leverage cloud native patterns Enterprise
- 31. Let’s start with a route and understand how the gateway helps me with XCCs Link to Spring Cloud Gateway doc
- 32. The logic for executing the cross-cutting concerns Predicates Spring Cloud Gateway filter routes filter Enterprise
- 33. Evaluate conditions to map requests to a route Link to Available Predicates Enterprise
- 34. Allow you to do things with requests/responses Link to Available Filters Enterprise
- 35. Allow you to limit number of requests Link to Rate Limit Filter Enterprise
- 36. Provides several custom filters in addition to those included in the open-source project Link to Commercial Route Filters Enterprise
- 37. Configurable single sign-on (SSO) integration with your preferred identity provider (IDP) Authenticated? No Yes Enterprise
- 38. Enabling Token Relay, Spring Apps Gateway passes currently-authenticated user’s identity token to the app when the user accesses the app’s route Enterprise
- 39. Route filter Link to SSO Filters Enterprise
- 42. Automagically mounted as volumes in the underlying Kubernetes cluster Enterprise
- 43. More productive and cost-efficient by Autoscaling apps out or in Load- or metric-based mode: scaled out and in as needed for the load Scheduled-based mode: scaled out and in based on predefined schedule and limits Never go above or below the maximum and minimum limits defined
- 47. Internal only Line of business application Common scenarios 47 Publicly accessible application App with on-premises data sources Industry compliance App with compliance requirements
- 48. Internal / Line of business application Fast, private connectivity options Easy to set up Single Sign-on Scale as needed On-premises network Hub Virtual Network Network Appliance Express Route Circuit or Site-to-Site VPN Virtual Network Gateway DNS Services Virtual Network Peering Corporate users at office or VPN Spoke Virtual Network Azure Spring Apps Data Services Data Subnet Apps Subnet Network Appliance Ingress to Apps
- 49. Hub Virtual Network Express Route Circuit or Site-to-Site VPN Virtual Network Gateway DNS Services Virtual Network Peering Application Gateway (WAF) Internet Spoke Virtual Network Azure Spring Apps Data Services Data Subnet Apps Subnet On-premises network Network Appliance On Prem resources Ingress to Apps Onprem reachback Public application with on-premises dependencies Protect from common attacks Reach back to on-premises resources Multiple high-availability options
- 50. High availability options Virtual Network Availability Set Fault Domain 1 Fault Domain 2 Default High Availability Virtual Network Availability Zones Zone 1 Zone 2 Zone 3 Multi-Zone High Availability Virtual Network Availability Set Fault Domain 1 Fault Domain 2 Virtual Network Availability Set Fault Domain 1 Fault Domain 2 Multi-Region High Availability Front Doors Region Region Region 1 Region 2
- 52. Internet Hub Virtual Network Express Route Circuit or Site-to-Site VPN Virtual Network Gateway DNS Services Virtual Network Peering Spoke Virtual Network Azure Spring Apps Data Services Data Subnet Apps Subnet On-premises network Network Appliance On Prem resources Application Gateway (WAF) NVA or Azure Firewall Ingress to Apps Egress to Internet Onprem reachback Regulatory Compliance (ex. PCI-DSS) Access Control / Least privilege Encrypt storage and network traffic Control, log, inspect connections HTTPS everywhere Mutual TLS Storage encryption Database encryption
- 53. Component Frequency of Maintenance Updates Security Patches Container Image App dependencies Every few weeks Vary APM – Application Performance Monitoring Every few weeks Vary JDK Every 3 months Vary Base image (operating system and runtime) Monthly Vary Kubernetes K8S Quarterly Vary Host OS – underlying operating system that runs on each node in a K8S cluster Monthly Vary Unceasing barrage of software updates Must keep your system up-to-date – regularly update your apps, dependencies, JDK, OS, K8S and Host OS
- 54. A record 26,448 software security flaws were reported in 2022, with the number of critical vulnerabilities up 59% on 2021 to 4,135, according to analysis by The Stack of Common Vulnerabilities and Exposures (CVEs) data. https://thestack.technology/analysis-of-cves-in-2022-software-vulnerabilities-cwes-most-dangerous/
- 55. Component Frequency of Maintenance Updates Security Patches Container Image App dependencies Every few weeks Vary APM – Application Performance Monitoring Every few weeks Vary JDK Every 3 months Vary Base image (operating system and runtime) Monthly Vary Kubernetes K8S Quarterly Vary Host OS – underlying operating system that runs on each node in a K8S cluster Monthly Vary What are the challenges with patching? Must keep your system up-to-date – regularly update your apps, dependencies, JDK, OS, K8S and Host OS • Volume of patches & updates • Securing approvals for delaying • Scaling coordination between • App development teams • DevOps teams • Re-run pipelines for every change to container image • Testing • Certification • Staging and • Deploy to production • Are pipelines stateless and reproducible?
- 56. Manage risk - fresh CVE created every 20 minutes • Prioritize. Robust vulnerability management program • Monitor. Conduct regular security assessments • Vulnerability assessment and penetration testing • Patch Management. Stay up-to-date with security patches • Awareness. Foster a security-focused culture https://thestack.technology/analysis-of-cves-in-2022-software-vulnerabilities-cwes-most-dangerous/
- 57. Sick of the never-ending cycle of server software updates
- 58. Break the endless cycle of software updates Focus on what really matters - driving innovation and growth Through auto patching in Azure Spring Apps Component Frequency of Maintenance Updates Security Patches Container Image App dependencies Every few weeks Vary APM – Application Performance Monitoring Every few weeks Vary JDK Every 3 months Vary Base image (operating system and runtime) Monthly Vary Kubernetes K8S Quarterly Vary Host OS – underlying operating system that runs on each node in a K8S cluster Monthly Vary Customer updates apps any time Azure Spring Apps • Autopatch runs every 6 weeks • Planned maintenance windows • Hotfix deployed for critical updates
- 59. Case 1 – Apache Log4j2 exposure CVE-2021-44228 - aka.ms/cve-log4j Customers updated Spring apps if they had switched logging framework to Log4j 2 Azure Spring Apps • Hotfix deployed for New Relic and AppDynamics Java agents • If these APMs were activated in apps, Azure automatically protected by re-starting them Component Frequency of Maintenance Updates Security Patches Container Image App dependencies Every few weeks Vary APM – Application Performance Monitoring Every few weeks Vary JDK Every 3 months Vary Base image (operating system and runtime) Monthly Vary Kubernetes K8S Quarterly Vary Host OS – underlying operating system that runs on each node in a K8S cluster Monthly Vary
- 60. Case 2 – openssl exposure CVE-2022-3602 - aka.ms/cve-openssl Customers - no action was necessary Azure Spring Apps • Autopatch successfully resolved the software vulnerability identified • Similarly, resolved for service instances with planned maintenance windows during those times Component Frequency of Maintenance Updates Security Patches Container Image App dependencies Every few weeks Vary APM – Application Performance Monitoring Every few weeks Vary JDK Every 3 months Vary Base image (operating system and runtime) Monthly Vary Kubernetes K8S Quarterly Vary Host OS – underlying operating system that runs on each node in a K8S cluster Monthly Vary
- 61. Auto patching Stay ahead of the game with auto patching - the proactive shield against known security threats and vulnerabilities in your systems and software.
- 62. DEMO 6
- 64. Enterprise
- 65. Enterprise
- 66. Unlock Spring’s full potential Get 24/7 support Enterprise
- 68. Azure Spring Apps Application Suitability Workshop Bring Your Own App Free rapid app assessment workshop with our experts, to power your modernization journey to the cloud. We have limited slots, so sign up early! 68
- 69. aka.ms/Start-Spring aka.ms/Learn-Spring aka.ms/Spring-Playlist aka.ms/Spring-Boot aka.ms/LearnJava aka.ms/Spring-Cloud-Azure
- 71. Thank You! Contact the Azure Spring Apps Enterprise Team at asa-e-contact@vmware.com
- 72. Appendix
- 73. Logging Health Checks Metrics Four types of observability Distributed Tracing