HCIP Study Notes - Cloud Security Design - 1

Cloud Security Design 1

Workload Security

  • Continuously monitor and eliminate threats in cloud workloads to ensure cloud workload security
  • Protection products
    • Host Security Service HSS
    • Container Guard Service CGS
    • Cloud Bastion Host CBH

Network Security

  • Realize resource isolation on the cloud, network boundary protection, etc. through network layer security service configuration
  • Protection products
    • Cloud Firewall CFW
    • Advanced Anti-DDoS AAD

Application Security

  • Through application layer security service configuration, intercept application layer attacks and protect application service security
  • Protection products
    • Web Application Firewall WAF
    • Application Trust Center ATC

Data Security

  • Full life cycle management of data assets, so that the whole process of data use is secure, visible, controllable and traceable
  • Protection products
    • Data Security Center DSC
    • Data Encryption Workshop DEW
    • Database Security Service DBSS
    • Cloud Certificate Manager CCM

Security Management

  • Manage the cloud environment, reduce the risk of the cloud environment as much as possible, and ensure the security of the cloud
  • Protection products
    • Identity and Access Management IAM
    • Managed Threat Detection MTD
    • Managed Detection and Response MDR
    • Security Operation Center SOC
    • Situational Awareness SA
    • Compliance governance: Cloud Map Compass

Cloud Security Design 2


Secure communication network

  • Defend against DDoS attacks with Anti-DDoS protection
  • Defend against web attacks with WAF
  • Encrypt communication with SSL certificates

Secure area boundary

  • Deploy Cloud Firewall at the Internet border and between VPCs

Secure computing environment

  • Host Security Service and Container Guard Service;
  • Access control inside the VPC uses network ACLs plus security groups;
  • Data Security Center manages data security across the whole data life cycle;
  • Storage enables data encryption by default;
  • Deploy DBSS (Database Security Service) for key databases.

Security Management Center

  • Ensure the security of cloud resources through the Situational Awareness service;
  • Vulnerability scanning regularly scans cloud resources for vulnerabilities;
  • Use cloud logs, cloud audit and cloud monitoring to manage cloud resources;
  • O&M access goes through the bastion host.

Significance of availability design

The downtime corresponding to different SLA levels is shown in the table below (a month is taken as 30 days):

SLA     | Downtime per week | Downtime per month | Downtime per year
--------|-------------------|--------------------|------------------
99%     | 1.68 hours        | 7.2 hours          | 3.65 days
99.90%  | 10.1 minutes      | 43.2 minutes       | 8.76 hours
99.95%  | 5 minutes         | 21.6 minutes       | 4.38 hours
99.99%  | 1.01 minutes      | 4.32 minutes       | 52.56 minutes
99.999% | 6 seconds         | 25.9 seconds       | 5.26 minutes

  • Even five 9s (99.999%) still allows 5.26 minutes of downtime per year. By analogy, what does it take to achieve six 9s or even more?
    • The requirements on the system are very high. Is higher system availability therefore always better?
      :::warning
      The higher the availability, the lower the chance of downtime and the better the user experience, but it also means higher system requirements and more expensive construction costs.
      Availability is strongly tied to business requirements; the importance of the business determines how high availability should be set.
      :::
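The table above, as an added example that is not part of the original notes: a small Python script that computes the downtime budget for any SLA percentage using the table's 7/30/365-day conventions, and goes one step further to show how the availability of serial and redundant (active-active) components composes, which the notes only describe qualitatively. Function names and the sample component figures are my own.

```python
"""Downtime budgets for SLA levels and how component availabilities compose.

Added example, not part of the original notes. Same conventions as the
table: a week is 7 days, a month 30 days, a year 365 days.
"""
SECONDS_PER_PERIOD = {"week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400}


def downtime_budget(availability_pct: float) -> dict:
    """Permitted downtime in seconds per week/month/year for an availability
    given in percent, e.g. 99.95 -> {'week': 302.4, 'month': 1296.0, 'year': 15768.0}."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    unavailable = (100.0 - availability_pct) / 100.0
    return {p: secs * unavailable for p, secs in SECONDS_PER_PERIOD.items()}


def nines(count: int) -> float:
    """Availability in percent for a number of nines: nines(5) -> 99.999."""
    return 100.0 - 10.0 ** (2 - count)


def serial(*pcts: float) -> float:
    """Availability of a chain where every component must be up (e.g. WAF ->
    load balancer -> host): the product of the individual availabilities."""
    a = 1.0
    for p in pcts:
        a *= p / 100.0
    return a * 100.0


def redundant(*pcts: float) -> float:
    """Availability of redundant components where any one being up is enough
    (e.g. an active-active dual-AZ pair): 1 minus the product of unavailabilities."""
    u = 1.0
    for p in pcts:
        u *= 1.0 - p / 100.0
    return (1.0 - u) * 100.0


def human(seconds: float) -> str:
    """Format seconds in the unit the table uses (s, min, h or days)."""
    for divisor, unit in ((86400, "days"), (3600, "h"), (60, "min")):
        if seconds >= divisor:
            return f"{seconds / divisor:.2f} {unit}"
    return f"{seconds:.2f} s"


if __name__ == "__main__":
    print(f"{'SLA':>8} {'per week':>12} {'per month':>12} {'per year':>12}")
    for sla in (99.0, 99.9, 99.95, 99.99, 99.999):  # the rows of the table
        b = downtime_budget(sla)
        print(f"{sla:>7.3f}% {human(b['week']):>12} {human(b['month']):>12} {human(b['year']):>12}")
    # Hypothetical figures: two 99.9% AZs active-active reach six 9s, while a
    # serial chain of 99.99% and 99.95% services is weaker than either part.
    print("active-active pair of 99.9% AZs:", round(redundant(99.9, 99.9), 4))
    print("99.99% WAF in front of a 99.95% backend:", round(serial(99.99, 99.95), 4))
```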

Availability Design on the Cloud

Data backup

  • Design backups for data; backup is the foundation of data loss prevention

High availability/disaster recovery


Common high-availability design solutions for cloud systems

  • Local high-availability solution: high-availability design for a local production center in a single-AZ scenario.
  • Intra-city high-availability and disaster recovery solution: used for intra-city disaster recovery centers and high-availability designs in a dual-AZ scenario, including the active-active data center solution and the active-standby disaster recovery solution.
  • Off-site high-availability/disaster recovery solution: used for off-site disaster recovery centers and high-availability designs in a cross-region scenario, including the two-site three-center disaster recovery solution and the active-standby disaster recovery solution.

Performance Design on the Cloud

Significance of performance design

  • Prevent performance bottlenecks:
    • Detect and resolve performance problems early: high server CPU/memory utilization, program memory leaks, network congestion on the application access path, insufficient database connection pools, hung application processes, and low cache hit rates.
  • Improve user experience:
    • Improve the user experience proactively to prevent: web pages that fail to open or load slowly, video stuttering, blurred screens, market quotes that refresh late, and game disconnections and freezes.
  • Reasonable allocation of resources:
    • Allocate resources reasonably based on performance indicators: cloud service resource specifications, and targeted scaling in/out such as the number of cluster nodes.

Design one

The performance of cloud applications is affected by many factors, including what happens on the data path and in software and hardware; because all of these may affect performance, performance evaluation is extremely complicated.
The main factors affecting cloud application performance are latency, throughput, IOPS and concurrency, together with the resources behind them: computing resources, network resources, storage resources and database resources.

  • Computing resources: sharing large-scale infrastructure means there will be resource contention. Allocating resources reasonably can balance the variability of different loads. Computing resources mainly affect the latency of the application.
  • Network resources: because public cloud infrastructure sits outside the corporate data center, it must rely on wide area networks, which introduces bandwidth and latency issues. Multi-peer networking, encryption offloading and compression are factors that must be considered during design. Network resources are one of the factors affecting application throughput.
  • Storage resources: storage products with different performance characteristics have different read and write performance, and elastic block storage I/O can be unpredictable. Storage resources affect the application's data transmission capability.
  • Database resources: if the application uses a database, the capacity of the database resources affects the application's concurrency capability.

Cloud infrastructure may deliver unpredictable performance: variable loads affect the available CPU, network and disk I/O resources, producing unpredictable performance for applications running concurrently.

Design two

The overall design of the architecture is equally important, e.g. avoid data transmission across different locations, deploy resources at the business point nearest to users, and select CDN services; these measures can effectively reduce access latency.

Design three

Scalability on the cloud

Significance of scalable design

Scalability is a design index for the computing and processing capability of a software system. High scalability represents a kind of flexibility: as the system expands and grows, the software keeps its vitality with few changes, or simply by adding hardware, so that the processing capacity of the whole system grows linearly and achieves high throughput and low latency.
Horizontal scaling: also known as scaling out, it refers to connecting multiple hardware and software units so that multiple servers can be viewed logically as one entity. The system scales horizontally by adding new nodes with the same functionality and redistributing the load across all nodes. Systems and servers scale by adding more servers to the load-balanced network so that incoming requests can be distributed across all of them.
Vertical scaling: vertical scaling occurs when an existing IT resource is replaced by one with a larger or smaller capacity, that is, the CPU performance of the current server is expanded or shrunk in place. When the system expands by adding processors, main memory, storage or network interfaces to a node, it scales vertically (scales up) to serve more requests. It scales by increasing the number of processors or the amount of main memory to host more virtual servers.
The scalability of cloud computing enables users to scale up resource consumption as load increases, and developers to create scalable architectures.
For example, microservice and container-based architectures naturally encourage independent scaling.
Latency and throughput are a pair of indicators for measuring scalability; we want a system architecture with low latency and high throughput. Low latency refers to the response time the user perceives: for example, the faster a web page opens within a few seconds, the lower the latency. Throughput indicates how many users can enjoy this low latency at the same time; if the number of concurrent users is too large and users feel that pages open very slowly, the throughput of the system architecture needs to be improved.

Design one

Design two

Cost Design

Significance of cost design

Design one

  • On-demand billing: responds to demand fluctuations, flexible and elastic scaling, development/test environments.
  • Yearly/monthly subscription: stable resource demand, discounts for long-term use.

Design two

  • HUAWEI CLOUD provides functions such as budgeting, billing and visualized tariff management to help customers optimize cost.
  • Current bills: include billing information for each order and each billing cycle (cloud service billing cycles include hourly, daily and monthly settlement).

Terms and Abbreviations


Reference learning materials
https://connect.huaweicloud.com/courses/learn/Learning/sp:cloudEdu_?courseNo=course-v1:HuaweiX+CBUCNXCX050+Self-paced&courseType=1


Origin blog.csdn.net/GoNewWay/article/details/130684603