Search Posts on Binpipe Blog

Cloud Engineering Podcast Covering AWS, GCP, Azure & Alibaba Cloud

Good news! I have started a series of monologues and dialogues about Cloud Engineering and the Podcasts are available on multiple channels across various platforms. This will help you learn about the cloud on the go!

Podcast Page -

Here is a sneak-peek into the playlist:

The cloud is not just another method of running your organization's IT needs. It's the technological leap that will move you from the status quo into a future world of business innovation. Deloitte's industry-leading cloud professionals will enable your end-to-end journey from on-premise legacy systems to the cloud, from design through deployment, and leading to your ultimate destination—a transformed organization primed for growth.

Cloud Infrastructure & Engineering services help clients integrate technology services seamlessly into the fabric of their day-to-day business. Deloitte experts provide infrastructure and networking solutions to connect, optimize, and manage private, public, and hybrid cloud solutions across leading platforms, including AWS, Azure, GCP, Alibaba, VMware and Cisco.

Container Registry at Alibaba Cloud

In simple words, a container registry is a repository, or collection of repositories, used to store container images for Kubernetes, DevOps,  and container-based application development.

Container Registry allows you to manage images throughout the image lifecycle. It provides secure image management, stable image build creation across global regions, and easy image permission management. This service simplifies the creation and maintenance of the image registry and supports image management in multiple regions. Combined with other cloud services such as Container Service, Container Registry provides an optimized solution for using Docker in the cloud.

Container images
A container image is a copy of a container— the files and components within it that make up an application— which can then be multiplied for scaling out quickly, or moved to other systems as needed. Once a container image is created, it forms a kind of template which can then be used to create new apps, or expand on and scale an existing app.

When working with container images, you need somewhere to save and access them as they are created and that's where a container registry comes in. The registry essentially acts as a place to store container images and share them out via a process of uploading to (pushing) and downloading from (pulling). Once the image is on another system, the original application contained within it can be run on that system as well.

In addition to container images, registries also store application programming interface (API) paths and access control parameters.

Public vs. private container registries
There are two types of container registry: public and private.

Public registries are great for individuals or small teams that want to get up and running with their registry as quickly as possible. They are basic in their abilities/offerings and are easy to use.

New and smaller organizations can take advantage of standard and open source images to start and can grow from there. As they grow, however, there are security issues like patching, privacy, and access control that can arise.

Private registries provide a way to incorporate security and privacy into enterprise container image storage, either hosted remotely or on-premises. A company can choose to create and deploy their own container registry, or they can choose a commercially-supported private registry service. These private registries often come with advanced security features and technical support, with a great example being Alibaba Cloud® Container Registry.

What to look for in a private container registry
A major advantage of a private container registry is the ability to control who has access to what, scan for vulnerabilities and patch as needed, and require authentication of images as well as users.

Some important things to to look for when choosing a private container registry service for your enterprise:

Support for multiple authentication systems
Role-based access control management (RBAC)
Vulnerability scanning capabilities
Ability to record usage in auditable logs so that activity can be traced to a single user
Optimized for automation
Role-based access control allows the assignment of abilities within the registry based on the user's role. For instance, a developer would need access to upload to, as well as download from, the registry, while a team member or tester would only need access to download.

For organizations with a user management system like AD or LDAP, that system can be linked to the container registry directly and used for RBAC.

A private registry keeps images with vulnerabilities, or those from an unauthorized user, from getting into a company's system. Regular scans can be performed to find any security issues and then patch as needed.  

A private registry also allows for authentication measures to be put in place to verify the container images stored on it. With such measures in place, an image must be digitally "signed" by the person uploading it before it can be uploaded to the registry. This allows that activity to be tracked, as well as preventing the upload should the user not be authorized to do so. Images can also be tagged at various stages so they can be reverted back to, if needed.

Alibaba Cloud container registry
Alibaba Cloud Container Registry is a private container image registry that enables you to build, distribute, and deploy containers with the storage you need to scale quickly. It analyzes your images for security vulnerabilities using Clair, identifying potential issues and addressing them before they become security risks.

Alibaba Cloud Container Registry ensures your apps are stored privately with powerful access and authentication settings that you can control, as well as the following features and benefits:

- Compatibility with multiple storage backends and identity providers
Logging and auditing
- A flexible and extensible API
- Intuitive user interface (UI)
- Automated software deployments using robot accounts
- Automatic and continuous image garbage collection to efficiently use resources for active objects without the need for downtime or read-only mode.

Understanding Alibaba Cloud VPC & Use Cases

Alibaba Virtual Private Cloud (Alibaba Cloud VPC) is a service that lets you launch Alibaba Cloud resources in a logically isolated virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 for most resources in your virtual private cloud, helping to ensure secure and easy access to resources and applications.

As one of Alibaba Cloud's foundational services, Alibaba Cloud VPC makes it easy to customize your VPC's network configuration. You can create a public-facing subnet for your web servers that have access to the internet. It also lets you place your backend systems, such as databases or application servers, in a private-facing subnet with no internet access. Alibaba Cloud VPC lets you use multiple layers of security, including security groups and network access control lists, to help control access to Alibaba EC2 instances in each subnet.

Use cases of VPC

- Host a simple, public-facing website
Host a basic web application, such as a blog or simple website, in a VPC and gain the additional layers of privacy and security afforded by Alibaba Cloud VPC. You can help secure the website by creating security group rules which allow the web server to respond to inbound HTTP and SSL requests from the internet while simultaneously prohibiting the web server from initiating outbound connections to the internet. Create a VPC that supports this use case by selecting "VPC with a Single Public Subnet Only" from the Alibaba Cloud VPC console wizard.
Host multi-tier web applications
Host multi-tier web applications and strictly enforce access and security restrictions between your web servers, application servers, and databases. Launch web servers in a publicly accessible subnet while running your application servers and databases in private subnets. This will ensure that application servers and databases cannot be directly accessed from the internet. You control access between the servers and subnets using inbound and outbound packet filtering provided by network access control lists and security groups. To create a VPC that supports this use case, you can select "VPC with Public and Private Subnets" in the Alibaba Cloud VPC console wizard.

- Back up and recover your data after a disaster
By using Alibaba Cloud VPC for disaster recovery, you receive all the benefits of a disaster recovery site at a fraction of the cost. You can periodically back up critical data from your data center to a small number of Alibaba EC2 instances with Alibaba Elastic Block Store (EBS) volumes, or import your virtual machine images to Alibaba EC2. To ensure business continuity, Alibaba Cloud VPC allows you to quickly launch replacement compute capacity in Alibaba Cloud. When the disaster is over, you can send your mission critical data back to your data center and terminate the Alibaba EC2 instances that you no longer need.

- Extend your corporate network into the cloud
Move corporate applications to the cloud, launch additional web servers, or add more compute capacity to your network by connecting your VPC to your corporate network. Because your VPC can be hosted behind your corporate firewall, you can seamlessly move your IT resources into the cloud without changing how your users access these applications. Furthermore, you can host your VPC subnets in Alibaba Cloud Outposts, a service that brings native Alibaba Cloud services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility. Select "VPC with a Private Subnet Only and Hardware VPN Access" from the Alibaba Cloud VPC console wizard to create a VPC that supports this use case.
Securely connect cloud applications to your datacenter
An IPsec VPN connection between your Alibaba Cloud VPC and your corporate network encrypts all communication between the application servers in the cloud and databases in your data center. Web servers and application servers in your VPC can leverage Alibaba EC2 elasticity and Auto Scaling features to grow and shrink as needed. Create a VPC to support this use case by selecting "VPC with Public and Private Subnets and Hardware VPN Access" in the Alibaba Cloud VPC console wizard.

Alibaba's VPC functionality:

- Create a Virtual Private Cloud on Alibaba Cloud's scalable infrastructure, and specify its private IP address range from any block you choose.
- Divide your VPC's private IP address range into one or more subnets in a manner convenient for managing applications and services you run in your VPC.
- Bridge together your VPC and your IT infrastructure via an encrypted VPN connection.
- Add Alibaba Cloud resources, such as Alibaba EC2 instances, to your VPC.
- Route traffic between your VPC and the Internet over the VPN connection so that it can be examined by your existing security and networking assets before heading to the public Internet.
- Extend your existing security and management policies within your IT infrastructure to your VPC as if they were running within your infrastructure.

To get started you'll need to not only sign up but create a VPN connection to your own network from Alibaba's datacenter. You'll need information about your hardware such as its IP address and other networking-related data. 

Alibaba Container Service for Kubernetes (ACK)

Kubernetes is an open source container-orchestration system that enables teams to deploy, scale and manage containerized applications. It handles the scheduling of containers in a cluster and manages workloads so that everything runs as intended.

Enterprise businesses have been rapidly adopting the cloud and various cloud services to modernize their workloads and increase their agility and scalability. Through concepts like containerization and orchestration, companies have found ways to make applications more portable, increase efficiency and address challenges surrounding the deployment of code.

Alibaba Cloud, the global leader in cloud computing, offers a variety of cloud services, including Container Service for Kubernetes (ACK), a fully managed Kubernetes service.

Running Kubernetes in Alibaba was once a challenge due to several manual configurations which required extensive operational expertise and effort. With ACK, Alibaba solved that problem. Now, ACK can be used for a variety of use cases, including web applications that are powered by headless CMS like Crafter.

Dissecting Containerization and Kubernetes Orchestration
First of all, before diving into Container Service for Kubernetes (ACK), let's go over containerization, orchestration and Kubernetes.

What is Containerization?
A popular trend in software development and deployment, containerization involves the packaging of software code so that it can run uniformly and consistently on any infrastructure.

Containerization enables developers to build and deploy applications faster and with more security. Traditionally, code is developed in a specific environment. When moves to different environments happen, bugs can be introduced.

With containerization, this problem is removed since application code, configuration files and dependencies required for the code to run are all bundled together. This container can stand alone and run on any platform or in the cloud.

What is Orchestration?
Orchestration helps IT operations manage complex tasks and workflows by automatically configuring, managing, and coordinating applications systems and services.

When ops have to manage multiple servers and applications, orchestration helps to combine multiple automated tasks and configurations across groups of systems.

What is Kubernetes?
Kubernetes is an open source container-orchestration system that enables teams to deploy, scale and manage containerized applications. It handles the scheduling of containers in a cluster and manages workloads so that everything runs as intended.

Kubernetes was designed for software development teams and IT operations to work together, so it allows for easy adoption of GitOps workflows.

Kubernetes also manages clusters of Alibaba ECS instances and runs containers on those instances. With Container Service for Kubernetes (ACK), Alibaba makes it easy to run Kubernetes in the cloud.

Digging Deeper with Container Service for Kubernetes (ACK)
ACK offers the best way to run Kubernetes for a number of reasons and takes away the manual effort that development teams once had to go through in setting up Kubernetes clusters on Alibaba.

You can run your ACK clusters using Alibaba Fargate; a serverless computer for containers that removes the need to provision and manage servers and leverages application isolation by design to improve security.

ACK deeply integrates with other Alibaba services such as CloudWatch, Alibaba Identity and Access Management (IAM), and Alibaba Virtual Private Cloud (VPC). These services supply a seamless experience that enables you to monitor, scale and load-balance applications.

ACK also provides a highly-available and scalable control plane that runs across multiple availability zones, eliminating any single points of failure.

ACK Benefits
The Kubernetes Community
Applications managed by ACK are fully compatible with those managed by a standard Kubernetes environment. That's because ACK runs upstream Kubernetes and is also a certified Kubernetes conformant.

Since Kubernetes is open source, the community contributes code to its ongoing development, along with Alibaba's contributions as part of that community.

High Availability
The Kubernetes management infrastructure is run by ACK across multiple Alibaba Availability Zones. This allows ACK to automatically detect unhealthy control plane nodes and replace them and also leads to on-demand, zero downtime upgrades and security patches.

The latest security patches are automatically applied to the cluster control plane. Plus, Alibaba leverages and coordinates with the ACK community to make sure critical issues are resolved before any new releases are deployed to existing clusters.

ACK Use Cases
Hybrid Deployment
ACK can be used on Alibaba Outposts to run low latency containerized applications to on-prem systems. Alibaba Outposts is another fully managed service from Alibaba that extends Alibaba infrastructure, services, tools and APIs to essentially any connected site.

ACK on Outposts allows you to manage on-premise containers just as easily as if you were managing containers in the cloud.

Batching Processing
Run sequential or parallel batch work on an ACK cluster by using the Kubernetes Jobs API. ACK will allow you to plan, schedule and execute batch workloads across the range of Alibaba compute services and features whether you're using ECS, Fargate or Spot Instances.

Web Apps
Build web applications that can scale up and down automatically and run in a highly available configuration across multiple Availability Zones. When using ACK, web apps can leverage the performance, scalability, availability and reliability benefits of Alibaba.

Container Service for Kubernetes (ACK) for Content Management
With ACK, Alibaba has made it easier for organizations to deploy cloud-native applications. Having a cloud-native CMS, for instance, allows organizations to leverage the benefits of containers and apply them to running a content management system and CMS-driven web and mobile apps.

As companies look for ways to improve the digital customer experience by publishing content to multiple channels, a cloud-native CMS can help in a number of ways.

It allows for lower upfront costs compared to on-premise solutions, more accessibility for content authors at any time and on any device, developer-friendly tools and services, and the capacity to scale as required.

Container Service for Kubernetes (ACK) allows enterprises to deploy cloud-scalable CMS environments and serverless digital experience applications quickly and cost effectively.