ES on AWS 
Implementing ElasticSearch on AWS 
~ High Availability and Best Security practices ~
Who Am I 
(log nerd AND DevOp AND Infrastructure Manager AND photographer AND .*) XOR (daddy);
rafael@psafe.com for company and business purposes; 
dev@rafalop.es to have a beer and eat something; 
@bobeirasa; 
bobeirasa on Freenode IRC; 
You can also find me on Elasticsearch-PT on Google Groups; 
Tags: bobeirasa, rafalopes, rafael lopes, psafe, mpran, fotografia cotidiana;
About PSafe Tecnologia 
• Brazilian startup focused on security;
• More than 12 MM Android users;
• #6 app on Top Free Google Play, Browser, Security Suite for Win/Mac, and more products in development;
• Infrastructure with more than 200 high-end servers, tons of memory and bandwidth;
• 3 offices in Brazil: RJ [headquarters], SP and SC;
• LatAm focus with products localized to Portuguese and Spanish;
• We’ve been looking for you, join us!
Tags: psafe, qihoo, startup, brazilian, psafe techchrunch, VC investment, series C;
What will be covered 
• High Availability (HA); 
• Security; 
Tags: rafael lopes, meetup, elasticsearch, segundo encontro;
High Availability 
~ topics ~ 
• AWS Region and Availability Zone (AZ); 
• Multi-AZ environment; 
• Shard allocation awareness; 
• unicast or elasticsearch-cloud-aws plugin; 
• AZ label mismatch regarding your accounts; 
Tags: rafael lopes slides, meetup Elasticsearch rio, segundo encontro, slides;
High Availability 
AWS Region and Availability Zone (AZ) 
Tags: AWS region, AWS availability zone, difference;
High Availability 
Don’t run your cluster on the same AZ !!! 
Tags: Elasticsearch Single-AZ, failure, ec2 classic, failover, disaster, downtime, AWS AZ fail;
High Availability 
Run it on separate Availability Zones 
Tags: Elasticsearch Multi-AZ, VPC, AWS different Subnet, Multi-AZ advantages, HA, high availability;
High Availability 
Multi-AZ on Elasticsearch Cluster 
Tags: Elasticsearch shard allocation awareness, hadoop rack affinity, replica, safe shards;
High Availability 
Elasticsearch Shard Allocation Awareness 
Shard allocation awareness is how you tell Elasticsearch where each node lives, so that a primary shard and its corresponding replicas don't end up in the same place, such as a rack, an environment or an AWS Availability Zone!
Tags: shard allocation awareness, hadoop rack affinity, replica, safe shards, raid10 comparison;
High Availability 
Shard Allocation Awareness configuration 
# elasticsearch.yml, one block per node: the node attribute (rack_id) names the AZ,
# and the awareness setting tells the allocator to spread copies of a shard across it
node.name: "ES01"
node.rack_id: zona-A
cluster.routing.allocation.awareness.attributes: rack_id

node.name: "ES02"
node.rack_id: zona-B
cluster.routing.allocation.awareness.attributes: rack_id

node.name: "ES03"
node.rack_id: zona-A
cluster.routing.allocation.awareness.attributes: rack_id

node.name: "ES04"
node.rack_id: zona-B
cluster.routing.allocation.awareness.attributes: rack_id
Tags: shard allocation syntax, Elasticsearch shard allocation configuration;
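Awareness only helps if it actually took effect, so here is a check for it. This is an added example, not code from the deck: it reads the output of `GET /_cat/shards?h=index,shard,prirep,state,node` together with a node-to-zone map (the deck's `node.rack_id` values) and reports every shard that has more than one copy in a single zone. Both `_cat/shards` samples are constructed.

```python
"""Verify shard placement across Availability Zones (added example)."""
from collections import defaultdict

# Constructed node -> zone map mirroring the deck's node.rack_id values.
NODE_ZONE = {"ES01": "zona-A", "ES02": "zona-B", "ES03": "zona-A", "ES04": "zona-B"}

# Constructed _cat/shards output for a 2-shard, 1-replica index allocated
# WITHOUT awareness: both copies of each shard landed in one zone.
CAT_SHARDS_NO_AWARENESS = """\
logs-2014 0 p STARTED ES01
logs-2014 0 r STARTED ES03
logs-2014 1 p STARTED ES02
logs-2014 1 r STARTED ES04
"""

# Constructed output for the same index after
# cluster.routing.allocation.awareness.attributes: rack_id took effect:
# each shard now has one copy in zona-A and one in zona-B.
CAT_SHARDS_WITH_AWARENESS = """\
logs-2014 0 p STARTED ES01
logs-2014 0 r STARTED ES02
logs-2014 1 p STARTED ES04
logs-2014 1 r STARTED ES03
"""


def parse_cat_shards(text):
    """Return (index, shard_no, prirep, state, node) tuples from _cat/shards text."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # UNASSIGNED shards print no node column; nothing to place
        index, shard, prirep, state, node = fields[:5]
        rows.append((index, int(shard), prirep, state, node))
    return rows


def find_colocated_shards(rows, node_zone):
    """Return {(index, shard_no): zone} for shards with >1 copy in one zone.

    A shard whose primary and replica share a zone is lost with that zone,
    which is exactly what allocation awareness exists to prevent.
    """
    copies_per_zone = defaultdict(lambda: defaultdict(int))
    for index, shard_no, _prirep, state, node in rows:
        if state != "STARTED":
            continue  # relocating/initializing copies are not yet a usable copy
        zone = node_zone.get(node, "unknown-zone")
        copies_per_zone[(index, shard_no)][zone] += 1

    violations = {}
    for key, zones in copies_per_zone.items():
        for zone, count in zones.items():
            if count > 1:
                violations[key] = zone
    return violations


if __name__ == "__main__":
    for label, text in (("no awareness", CAT_SHARDS_NO_AWARENESS),
                        ("with awareness", CAT_SHARDS_WITH_AWARENESS)):
        bad = find_colocated_shards(parse_cat_shards(text), NODE_ZONE)
        print(f"{label}: {bad if bad else 'OK, every shard spans more than one zone'}")
```

Run it against real `_cat/shards` output after a node restart or a rolling upgrade, when the allocator has had a chance to move things.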
High Availability 
AWS doesn’t allow multicast/broadcast 
Tags: elasticsearch ec2 discovery, ec2 broadcast, ec2 ARP, VPC FAQ, VPC limitations, rackspace multicast;
High Availability 
AWS doesn’t allow multicast/broadcast 
2 solutions for that ! 
Tags: elasticsearch ec2 discovery, ec2 broadcast, ec2 ARP, VPC FAQ, VPC limitations, rackspace multicast;
High Availability 
Disable multicast, use unicast to specify nodes 
# elasticsearch.yml on each node: multicast off, and every node listing at
# least one other node it can ping directly
cluster.name: StarTrek
node.name: "Locutus"
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.timeout: 5s
discovery.zen.ping.unicast.hosts: ["Voyager"]

cluster.name: StarTrek
node.name: "Voyager"
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.timeout: 5s
discovery.zen.ping.unicast.hosts: ["Locutus"]

cluster.name: StarTrek
node.name: "Enterprise"
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.timeout: 5s
discovery.zen.ping.unicast.hosts: ["Locutus", "Voyager"]
Tags: Elasticsearch unicast, Elasticsearch zen, Elasticsearch discovery ping, Elasticsearch manual hosts;
High Availability 
Use elasticsearch-cloud-aws plugin 
Tags: elasticsearch-cloud-aws, official plugin, github, Elasticsearch AWS credentials;
High Availability 
More about the elasticsearch-cloud-aws plugin 
• Easy installation (as any other plugin):
./plugin -install elasticsearch/elasticsearch-cloud-aws/2.3.0
• Official plugin provided by Elasticsearch;
• Uses the AWS API ec2-describe-instances to learn about your AWS ec2 instances. Smart, huh?
• Compatible with IAM roles (stay with me to see more details about this in the Security section);
• Uses ec2 tagging;
• Check the Elasticsearch version and plugin version for mismatches;
• It’s also used for s3 snapshots (which we won’t cover here);
Tags: elasticsearch-cloud-aws install, elasticsearch-cloud instance metadata, ec2 discovery, fake multicast;
High Availability 
AZ label mismatch across different AWS accounts 
Tags: AWS availability zone mismatch, Elasticsearch on different AWS accounts;
High Availability 
~ recap ~ 
AWS Region and Availability Zone (AZ);
Shards are automatically replicated across the cluster, but don’t run your cluster in the same AZ;
Use shard allocation awareness to tell ES to assign shards to different AZs (like Hadoop rack affinity);
AWS doesn’t allow multicast at all, so use unicast instead of multicast, or the elasticsearch-cloud-aws plugin;
If you want (for any reason) to run the same cluster across different AWS accounts, open a support ticket to check the AZ label mismatch between your accounts;
Tags: rafael lopes slides, meetup Elasticsearch rio, segundo encontro, slides;
Security 
~ topics ~ 
• built-in security credentials and web proxy; 
• IAM roles; 
• Kibana; 
• Bastion server; 
• Multicast protocol; 
• External scripting; 
Tags: rafael lopes slides, meetup elasticsearch rio, segundo encontro, slides;
Security 
MiTM (man in the middle) 
• Elasticsearch does not provide native connection strings, passwords or any kind of authentication: traditional DBAs would say that Elasticsearch is insecure because of this; they say that because they are traditionalists, not DevOps ;)
• Change the Elasticsearch http port and use a local firewall to close this port to everybody except localhost;
• It must reside on a private subnet with no communication to the public, like any database server;
• Use 3 firewalls. In addition to security groups and NACLs, create local firewall rules to allow traffic only from the consumers (frontend, middle tier or internal ELB) on the ‘Elasticsearch port’;
• Install a web server acting as a proxy, such as nginx or mitmproxy, to control requests and passwords;
• The Jetty plugin can also be used to implement authentication and encryption;
Tags: Elasticsearch proxy, Elasticsearch nginx, protecting Elasticsearch, Elasticsearch firewall, NACL, AWS security group, AWS private subnet, iptables, ipfw, linux firewall;
Security 
nginx example: on /_settings allow only GET, unless the client is 127.0.0.1
# assumes an upstream block named "elasticsearch" elsewhere in nginx.conf
location ~ /_settings {
    proxy_pass http://elasticsearch;
    # allow/deny below apply to every method other than GET (nginx treats HEAD as GET here)
    limit_except GET {
        allow 127.0.0.1;
        deny all;
    }
}
Tags: nginx Elasticsearch protect
Security 
nginx: implement basic password authentication; if the client is 127.0.0.1, the auth can be skipped
location ~ /_plugin {
    # satisfy any: the request passes if EITHER the IP allow-list OR basic auth succeeds
    satisfy any;
    allow 127.0.0.1;
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/pwds/file.pwd;
    proxy_pass http://elasticsearch;
}
Tags: nginx Elasticsearch protect
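To make explicit what the two location blocks above do and do not stop, here is a model of their decision logic. This is an added example, not part of the deck and not nginx itself: it replays nginx's handling of `limit_except GET` and of `satisfy any` + `allow 127.0.0.1` + `auth_basic` over constructed requests; the user file (one hypothetical account, `ops`) and the client addresses are assumptions.

```python
"""Model of the deck's two nginx location blocks (added example)."""
import re

# Hypothetical, decoded contents of /etc/nginx/pwds/file.pwd: user -> password.
USERS = {"ops": "s3cret"}


def settings_location(req):
    """location ~ /_settings { limit_except GET { allow 127.0.0.1; deny all; } }"""
    # limit_except GET applies the inner allow/deny to every method except GET;
    # nginx treats allowing GET as also allowing HEAD.
    if req["method"] in ("GET", "HEAD"):
        return 200
    return 200 if req["client"] == "127.0.0.1" else 403  # "deny all" -> 403


def plugin_location(req):
    """location ~ /_plugin { satisfy any; allow 127.0.0.1; deny all; auth_basic ...; }"""
    # satisfy any: pass if the IP allow-list OR basic auth succeeds.
    if req["client"] == "127.0.0.1":
        return 200
    creds = req.get("auth")
    if creds is not None and USERS.get(creds[0]) == creds[1]:
        return 200
    return 401  # both failed: nginx asks for credentials rather than answering 403


# Regex locations are tried in file order; the first match wins.
LOCATIONS = [
    (re.compile(r"/_settings"), settings_location),
    (re.compile(r"/_plugin"), plugin_location),
]


def decide(req):
    """Return the HTTP status the modelled nginx config would produce."""
    for pattern, handler in LOCATIONS:
        if pattern.search(req["path"]):
            return handler(req)
    # No restricted location matched: the request is proxied untouched, so for
    # a path like DELETE /logs-2014 only the local firewall rules from the
    # previous slide stand between a consumer host and the cluster.
    return 200


# Constructed requests: a frontend host at 10.0.1.5 and the proxy's own localhost.
REQUESTS = {
    "get-settings-frontend":   {"method": "GET", "path": "/_settings", "client": "10.0.1.5"},
    "head-settings-frontend":  {"method": "HEAD", "path": "/_settings", "client": "10.0.1.5"},
    "put-settings-frontend":   {"method": "PUT", "path": "/logs-2014/_settings", "client": "10.0.1.5"},
    "put-settings-localhost":  {"method": "PUT", "path": "/logs-2014/_settings", "client": "127.0.0.1"},
    "plugin-noauth-frontend":  {"method": "GET", "path": "/_plugin/head/", "client": "10.0.1.5"},
    "plugin-badauth-frontend": {"method": "GET", "path": "/_plugin/head/", "client": "10.0.1.5",
                                "auth": ("ops", "wrong")},
    "plugin-auth-frontend":    {"method": "GET", "path": "/_plugin/head/", "client": "10.0.1.5",
                                "auth": ("ops", "s3cret")},
    "plugin-localhost":        {"method": "GET", "path": "/_plugin/head/", "client": "127.0.0.1"},
    "delete-index-frontend":   {"method": "DELETE", "path": "/logs-2014", "client": "10.0.1.5"},
}


def evaluate_all(requests=REQUESTS):
    """Map each constructed request name to the status the config yields."""
    return {name: decide(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, status in evaluate_all().items():
        print(f"{status}  {name}")
```

The last request is the one to notice: the two blocks only guard `/_settings` and `/_plugin`, so index deletes from an allowed consumer host still reach Elasticsearch unless a further location or the firewall rules cover them.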
Security 
IAM Roles 
Tags: IAM roles, codespaces.com, identity steal, access key
Security 
IAM Roles 
• Mandatory for security best practices;
• Keys expire in 6 hours (James Bond would like to use that);
• No access keys in the code or config files;
• Uses the ec2 metadata (http layer between ec2 and the hypervisor) to fetch the temporary credentials;
• It just works magically with the elasticsearch-cloud-aws plugin;
Tags: AWS security best practices, AWS IAM roles, ec2 instance metadata, AWS STS, MFA
Security 
Kibana is a frontend tool meant to be used on an internal network (VPN). Kibana, like ES, should not be exposed to the public internet.
Tags: kibana, protect, node.js, wrapper, kibana frontend danger, close kibana
Security 
Use a Bastion Server 
Tags: bastion server, security best practice;
Security 
Disable Multicast in production environment 
• Reduces noise in the environment;
• Safer against eavesdroppers/sniffers in shared environments;
Tags: multicast, production environment, security best practice;
Security 
~ recap ~ 
Elasticsearch does not provide built-in security credentials, connection strings or passwords, so protect yourself with a web proxy such as nginx or mitmproxy to prevent deletes or updates;
Use IAM roles with AWS STS (Security Token Service) on ec2 instances (also works with the cloud plugin) and stop copy-pasting access keys and secrets around;
Kibana is for insiders: use a wrapper to protect it if you want to show it to the world, or set it up on a private subnet with VPN access;
Use a bastion server with 2-factor auth on the ssh layer for DevOps work;
On a shared environment such as a cloud, disable multicast entirely;
Disable external scripting if you don't use it;
Tags: rafael lopes slides, meetup elasticsearch rio, segundo encontro, slides;
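Most of the recap, and the unicast/awareness configs from the HA part, come down to settings in elasticsearch.yml, so here is a linter for them. This is an added example, not from the deck: it checks the ES 1.x-era settings the slides rely on (multicast off, unicast hosts or `discovery.type: ec2` from the cloud-aws plugin, an awareness attribute with a matching node attribute, no `cloud.aws.access_key`/`cloud.aws.secret_key` in the file since an IAM role replaces them, `script.disable_dynamic: true`, and the HTTP port moved off 9200). It parses the flat `key: value` lines elasticsearch.yml uses; nested YAML is not handled, and both sample configs are constructed.

```python
"""Lint an elasticsearch.yml against the deck's recommendations (added example)."""


def parse_flat_yaml(text):
    """Return {key: value} for flat 'key: value' lines, ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings


def lint(text):
    """Return a list of (code, message) findings; an empty list means every check passed."""
    s = parse_flat_yaml(text)
    findings = []

    # ES 1.x defaults multicast to on; AWS does not carry it and it is noise for sniffers.
    if s.get("discovery.zen.ping.multicast.enabled", "true").lower() != "false":
        findings.append(("multicast", "set discovery.zen.ping.multicast.enabled: false"))

    # Without multicast the node needs a unicast host list or ec2 discovery to find peers.
    if not s.get("discovery.zen.ping.unicast.hosts") and s.get("discovery.type") != "ec2":
        findings.append(("discovery", "no discovery.zen.ping.unicast.hosts and no discovery.type: ec2"))

    # Awareness needs both the cluster setting and the per-node attribute it names.
    attr = s.get("cluster.routing.allocation.awareness.attributes")
    if not attr:
        findings.append(("awareness", "no awareness attribute: primary and replica may share an AZ"))
    elif "node." + attr not in s:
        findings.append(("awareness", f"awareness uses '{attr}' but node.{attr} is not set on this node"))

    # Long-lived AWS keys in a config file are what IAM roles exist to replace.
    for key in ("cloud.aws.access_key", "cloud.aws.secret_key"):
        if key in s:
            findings.append(("aws-keys", f"{key} in config file; use an IAM role on the instance"))

    # Dynamic scripting is external code execution through the API; off unless needed.
    if s.get("script.disable_dynamic", "").lower() != "true":
        findings.append(("scripting", "set script.disable_dynamic: true unless scripting is required"))

    # The deck moves the HTTP port and firewalls it to localhost and known consumers.
    if s.get("http.port", "9200") == "9200":
        findings.append(("http-port", "HTTP API on default port 9200"))

    return findings


# Constructed config with every problem the deck warns about (placeholder key values).
UNSAFE_CONFIG = """\
cluster.name: StarTrek
node.name: "Locutus"
# keys pasted in by hand (placeholders, not real credentials)
cloud.aws.access_key: AKIA_PLACEHOLDER_KEY
cloud.aws.secret_key: PLACEHOLDER_SECRET
script.disable_dynamic: false
"""

# Constructed config following the deck: awareness, no multicast, ec2 discovery, no keys.
HARDENED_CONFIG = """\
cluster.name: StarTrek
node.name: "Locutus"
node.rack_id: zona-A
cluster.routing.allocation.awareness.attributes: rack_id
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.timeout: 5s
discovery.type: ec2
script.disable_dynamic: true
http.port: 9280
"""


if __name__ == "__main__":
    for label, cfg in (("unsafe", UNSAFE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}")
        for code, msg in lint(cfg) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```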
Questions ?
Thank you! 
Coffee Break ? 
(sorry for making you wait so long)
Tags: free food, free bier, elasticsearch rio second meetup, ideais tecnologia, sponsor, happiness;

Elasticsearch on AWS - High Availability and Security best practices