AWS - SSL Offloading with an Application Load Balancer

SSL offloading or SSL termination is removing the SSL based encryption from incoming traffic that a web server receives to eliminate the server from processing the burden of encrypting and decrypting traffic sent through SSL allowing it to focus its resources for serving web content. This also greatly reduces your SSL administration not only during the initial build and ongoing certificate renewals but also simplifies auto scaling configurations in addition to addressing certain types of security attacks away from the web servers, there is also cost savings to be had with certificate renewals and reduced server specifications without the decryption/encryption overhead.

By utilising Amazon Certificate Manager with your ALB, the certificate will be stored securely, regularly rotated and updated automatically by AWS with no action on your part and best of all it is free providing you use the AWS load balancer service. This article shows you to do the SSL offloading on an AWS Application Load Balancer (ALB).

Read more: AWS - SSL Offloading with an Application Load Balancer

AWS - Setup an AWS Client VPN using AWS Managed Microsoft AD

In modern IT environments, high availability and resiliency should be ingrained into everything that is built or developed. One common area that is often overlooked is your VPN client endpoint and the issues for remote staff if there is an issue with your client vpn endpoint, if you have a hybrid on-premise/AWS cloud environment with a greater percentage of your services sitting in AWS it makes sense to move your company's VPN endpoint to a managed AWS offering, it can offer greater security, resiliancy, scalability and remove the requirement of additional licences on your VPN endpoint device.

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. It uses OpenVPN and TLS to provide a secure connection into your AWS environment.

This guide shows you how to configure a AWS Client VPN with AWS Managed Microsoft Active Directory. AWS Directory Service creates two domain controllers in separate subnets for resiliency and adding the DNS service, these run on Windows Server 2012 R2.

Read more: AWS - Setup an AWS Client VPN using AWS Managed Microsoft AD

Azure - Implementing Azure Region Policy to control where your resources are deployed

Understanding exactly where your business resources and data sits within the cloud is an important part of your governance, control and your geo-compliance requirements. It can also assist with reducing latency if the regions are the closest to your end users.

This guide shows you how to implement Azure region policies to only allowing your resources to be deployed in UK locations.

Read more: Azure - Implementing Azure Region Policy to control where your resources are deployed

Search and audit security group changes using AWS CloudTrail & Athena

With the continuous increase of systems being built or migrated into the cloud, getting a grasp on the vast array of audit logs on the operations, governance and security of systems can be a huge undertaking of resource and time. Key controls such as security groups can often be configured on the fly, tested to make sure the change works then forgotten about with these permissions rarely reviewed let alone documented.

By default, CloudTrail records 90 day's worth of API calls along with account activities such as logins and changes, to go past 90 days a trail has to be configured which pushes these logs to S3, the issue is this then takes it away from the searchable options within Cloudtrail for when you need to find out such things as which administrator opened up a port to the world or when this was done. This is where Athena can be used to link into these S3 logs and using structured queries can analyse huge quantities of logs.

Athena is a fast, cost-effective, interactive query service that makes it easy to analyse massive amounts of data in S3 with no data warehouses or clusters to manage.

Read more: Search and audit security group changes using AWS CloudTrail & Athena

Automating EBS snapshots with Lifecycle Manager

Snapshots of Elastic Block Store (EBS) volumes can now be easily configured and automated to provide regular backups using the Data Lifecycle Manager.

Using tags on EBS volumes, you can define backup and retention schedules for snapshots by creating lifecycle policies. This guide shows you how to create the tags on the volumes then create a simple 7 day backup and retention policy using the Data Lifecycle Manager.

Read more: Automating EBS snapshots with Lifecycle Manager

Azure Point to Site Client VPN

A Point-to-Site (P2S) VPN gateway lets you create a secure connection to your Azure virtual network from an individual client computer, Point-to-Site VPN connections are useful when you want to connect to your Azure VNet from remote locations such as your home or hotel. This is very similar to a traditional VPN client but rather than connecting to your office which normally has some sort of single points of failure (such as a single internet connection or 1 firewall) you are utilising the highly available Azure configuration. This guide shows you how to set up a Client VPN connection with certificates to your Azure environment using the portal.

Read more: Azure Point to Site Client VPN

Azure VM Serial Console

The virtual machine serial console in the Azure portal provides access to a text-based console for Windows virtual machines. This serial connection connects to the COM1 serial port of the VM providing access to it, independent of the virtual machine's network or operating system state. Access to the serial console for the VM can be done only by using the Azure portal.

Read more: Azure VM Serial Console

AWS Transfer for SFTP

AWS has recently launched AWS Transfer for SFTP enabling you to easily move your file transfer workloads that use the Secure Shell File Transfer Protocol (SFTP) to AWS without needing to modify your applications or manage any SFTP servers. Traditionally an EC2 with decent storage would have to be configured, regularly updated and maintained or an EC2 Storage gateway implemented to accommodate SFTP transfers. This guide shows you how to create an SFTP server and map your domain to the server endpoint, select authentication for your SFTP clients using service-managed identities (or alternatively you can integrate your own identity provider) and select your Amazon S3 buckets to store the transferred data.

Read more: AWS Transfer for SFTP