A look back at the year 2022 by the team creating the IBM Cloud Solution Tutorials.
Similar to 2021’s review post, it’s once again that time of year to look back at the work done, the new experiences gained and the interesting things seen. Without further ado, let’s get into it: four short views, written by members of the IBM Cloud Solution Tutorials team whom you know from previous blog posts.
When was the last time you…?: That’s a question I heard often over the past 12 months. The pandemic caused many changes — in the ways we live, we work and everything in between (think “home office”). When was the last time you were in the office, met a co-worker, a customer or partner? When was the last time you attended a conference in person? When was the last time you heard a similar question?
Fortunately, those questions came often this year, and I was happy to hear them because they were asked at in-person events. Being in the home office or traveling implies accessing work-related systems remotely. So, let me ask this question: When was the last time you had to use a VPN (Virtual Private Network) connection to access corporate resources?
Depending on your company and the kind of work you do, the need for VPN access (that is, getting inside the network perimeter) has been reduced or eliminated. Many organizations have started to move toward a zero trust architecture. Instead of assuming that everything within the perimeter is secure, a zero trust approach assumes a breach has already happened, hence the motto “never trust, always validate.” The goal is to enforce accurate, least-privilege access decisions on every request:
In my cloud account, I have enabled MFA (multi-factor authentication) for all users to tighten security. I also made use of custom roles for more fine-grained access management. Custom roles are useful to implement the principle of least privilege. To quickly and securely onboard/offboard teams and always assign the right set of privileges, I started to use Terraform code to roll out new IAM (Identity and Access Management) access groups combined with other security features.
Moreover, I am actively tracking down inactive identities to reduce risks. Finally, I am adding context-based restrictions to my account to limit which resources and endpoints are exposed. And to prove my security skills, I got certified for the IBM Cloud Security Engineer Specialty.
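The account hygiene described above (inactive identities, MFA for every user, keys that are never rotated) is easy to check mechanically once you have an inventory. The script below is an added example, not the author's tooling: it runs an audit over a constructed inventory of users, service IDs and API keys. In a real account the inventory would be built from the IAM APIs or CLI, which is assumed here and not shown; the 90-day and 365-day thresholds are policy choices, not IBM Cloud defaults.

```python
"""Audit an account inventory for inactive identities, missing MFA and stale API keys.

Added example; not the post author's tooling. The inventory is constructed for
illustration. In a real run it would be built from the IAM APIs or CLI
(an assumption, not shown here).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: one record per identity.
# last_authn = last successful authentication (None means never observed).
# mfa is only meaningful for users; it is None for service IDs.
INVENTORY = [
    {"kind": "user", "id": "alice@example.com", "last_authn": "2022-12-20T08:15:00Z", "mfa": True},
    {"kind": "user", "id": "bob@example.com", "last_authn": "2022-06-02T11:00:00Z", "mfa": True},
    {"kind": "user", "id": "carol@example.com", "last_authn": None, "mfa": False},
    {"kind": "service_id", "id": "ServiceId-ci-deploy", "last_authn": "2022-12-28T02:00:00Z", "mfa": None},
    {"kind": "service_id", "id": "ServiceId-legacy-batch", "last_authn": "2022-03-15T04:30:00Z", "mfa": None},
]

# Constructed API keys with creation dates; owner refers to an INVENTORY id.
API_KEYS = [
    {"id": "ApiKey-1", "owner": "ServiceId-ci-deploy", "created_at": "2022-11-01T00:00:00Z"},
    {"id": "ApiKey-2", "owner": "ServiceId-legacy-batch", "created_at": "2021-01-10T00:00:00Z"},
    {"id": "ApiKey-3", "owner": "alice@example.com", "created_at": "2021-11-30T00:00:00Z"},
]

NOW = datetime(2022, 12, 31, tzinfo=timezone.utc)  # fixed clock so results are reproducible
INACTIVE_AFTER = timedelta(days=90)   # policy (assumed): idle identities are candidates for removal
ROTATE_AFTER = timedelta(days=365)    # policy (assumed): keys older than this must be rotated


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used above; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_inactive(inventory=INVENTORY, now=NOW, threshold=INACTIVE_AFTER):
    """IDs that never authenticated or have been idle longer than `threshold`."""
    inactive = []
    for rec in inventory:
        seen = parse_ts(rec["last_authn"])
        if seen is None or now - seen > threshold:
            inactive.append(rec["id"])
    return inactive


def find_users_without_mfa(inventory=INVENTORY):
    """Users with MFA explicitly disabled (service IDs are skipped)."""
    return [r["id"] for r in inventory if r["kind"] == "user" and r["mfa"] is False]


def find_stale_keys(api_keys=API_KEYS, now=NOW, threshold=ROTATE_AFTER):
    """API keys created more than `threshold` ago."""
    return [k["id"] for k in api_keys if now - parse_ts(k["created_at"]) > threshold]


def find_keys_of_inactive_owners(api_keys=API_KEYS, inventory=INVENTORY, now=NOW):
    """Keys whose owner is inactive: the riskiest finding, since nobody is watching them."""
    inactive = set(find_inactive(inventory, now))
    return [k["id"] for k in api_keys if k["owner"] in inactive]


def audit(inventory=INVENTORY, api_keys=API_KEYS, now=NOW):
    """Collect all findings in one dictionary, usable as a report or a CI gate."""
    return {
        "inactive_identities": find_inactive(inventory, now),
        "users_without_mfa": find_users_without_mfa(inventory),
        "stale_api_keys": find_stale_keys(api_keys, now),
        "keys_of_inactive_owners": find_keys_of_inactive_owners(api_keys, inventory, now),
    }


if __name__ == "__main__":
    for finding, ids in audit().items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
```

The interesting finding is the last one: an API key held by an identity that has not authenticated in months is exactly the kind of credential that gets forgotten and later abused, so it should be removed before the merely stale keys are rotated.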
So, let me ask this question: When was the last time you got certified?
A good way to build up skills for certifications is by going through the provided training material and by gaining hands-on experience. Personally, I learn and grow by going through the IBM Cloud solution tutorials (or by creating new ones).
In my latest tutorial, I not only share my experience, but also insights into how to “Share Resources Across Your IBM Cloud Accounts.” So, let me ask this question: When was the last time you read (and tried) one of our IBM Cloud solution tutorials?
I love the cloud. Creating a scalable and highly available architecture in my on-premises data center would be challenging, but making this happen in the IBM Cloud is straightforward. IBM has a collection of multizone regions (MZRs) around the world. Each zone in a region has its own isolated power, network, cooling, etc. Workloads can be balanced across multiple servers in multiple zones. In the event of a server failure or the unlikely event of a zone failure, a workload can remain accessible:
There is no single point of failure since even the global load balancer is a highly available system provided by IBM’s partner Cloudflare. Using Infrastructure as Code in IBM Cloud Schematics allows the infrastructure to be developed and tested in my account before delivering to production through a DevSecOps environment.
A variation of this architecture for on-premises private access to cloud workloads across zones is also possible by layering on Direct Link and using the global load balancer in the IBM Cloud DNS Service:
Automate: Last year, I was referring to a lot of work done around automation. This is my new normal. I have a hard time remembering when I last provisioned resources manually. Most of the time, it was when playing with a new service or feature, but for any serious work, I go through some form of automation, with Terraform being the standard when it comes to cloud. Even my personal projects, my own domains, my Git repos and my laptop configuration are all captured as-code! There’s no doubt this will continue this year: more automation, more as-code for everything.
Secure: In the face of increasingly sophisticated cyber threats, security is also a critical concern for organizations. One way to improve security is to adopt a zero trust approach. This means that no user or device is automatically trusted, and all access to resources must be authenticated and authorized.
To allow users to connect to cloud resources, a company may deploy services like a bastion, establish a site-to-site VPN connection or deploy a more traditional client-to-site VPN. I had the opportunity to look at our client-to-site VPN and how it can be fully configured with Terraform:
Once you are authenticated and authorized, you want to make sure the system you are accessing is running the latest security fixes. For virtual servers, one approach is to build hardened custom images and to treat them as immutable: as new fixes are released, new custom images are built and deployed. And guess what, that is another place for automation, because a tool like Packer can be integrated into a CI/CD pipeline to build custom images:
AI: In the last weeks of 2022, artificial intelligence (AI) dominated the headlines again. The trend is to make it more and more accessible to everyone with use-cases that we can all relate to (e.g., generate your social media avatar, craft nice emails, write a full essay from a bullet list, summarize a long article or a book). This is a trend we will likely see continue in 2023, in many fields:
Disclaimer: This section may or may not have been partially written by an artificial intelligence.
Last year, I described work in progress on a process I was using to manage SSH keys on virtual servers running in a Virtual Private Cloud. I published the “Using Instance Metadata and Trusted Profiles for Managing SSH Keys” post a few weeks later with the steps and source code I am using. I was glad to see a few uses of it as is, as well as some cloning and repurposing of the code for similar requirements (for example, to configure ephemeral storage on a compute resource after a restart).
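The mechanism behind that post is worth seeing end to end: a virtual server asks the link-local metadata service for an instance identity token, then trades it for an IAM token tied to a trusted profile, so no long-lived API key ever sits on the server. The script below is an added example, not the source code from the post. The endpoint paths, the mandatory `Metadata-Flavor` header and the JSON shapes follow the IBM Cloud VPC instance metadata service as documented at the time of writing and are assumptions here; `PROFILE_ID` is a placeholder. The `http` argument exists so the flow can be traced offline against the constructed fake service at the bottom.

```python
"""Obtain an IAM token on a VPC virtual server via instance metadata and a trusted profile.

Added example, not the source code from the post mentioned above. Endpoint
paths, the required header and the JSON shapes follow the IBM Cloud VPC
instance metadata service as documented at the time of writing and are
assumptions here; PROFILE_ID is a placeholder.
"""
import json
import urllib.request

METADATA_BASE = "http://169.254.169.254"  # link-local address, reachable only from the instance itself
API_VERSION = "2022-03-01"                 # assumed API version date
PROFILE_ID = "Profile-00000000-0000-0000-0000-000000000000"  # placeholder trusted profile ID


def _default_http(method, url, headers, body):
    """Real transport: returns (status, raw_body). Only works when run on the VSI."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def get_instance_identity_token(http=_default_http, expires_in=300):
    """Step 1: ask the metadata service for a short-lived instance identity token.

    The Metadata-Flavor header is mandatory, so a request relayed by a naive
    SSRF proxy that does not add the header is rejected.
    """
    url = f"{METADATA_BASE}/instance_identity/v1/token?version={API_VERSION}"
    headers = {"Metadata-Flavor": "ibm", "Accept": "application/json",
               "Content-Type": "application/json"}
    status, raw = http("PUT", url, headers, json.dumps({"expires_in": expires_in}).encode())
    if status != 200:
        raise RuntimeError(f"instance identity token request failed with HTTP {status}")
    return json.loads(raw)["access_token"]


def get_iam_token(identity_token, profile_id=PROFILE_ID, http=_default_http):
    """Step 2: trade the identity token for an IAM token scoped to the trusted profile.

    The profile's trust relationship decides which instances may assume it,
    so the server never needs a stored API key.
    """
    url = f"{METADATA_BASE}/instance_identity/v1/iam_token?version={API_VERSION}"
    headers = {"Authorization": f"Bearer {identity_token}", "Accept": "application/json",
               "Content-Type": "application/json"}
    body = json.dumps({"trusted_profile": {"id": profile_id}}).encode()
    status, raw = http("POST", url, headers, body)
    if status != 200:
        raise RuntimeError(f"IAM token request failed with HTTP {status}")
    return json.loads(raw)["access_token"]


def exchange(http=_default_http, profile_id=PROFILE_ID):
    """Run both steps; a key-sync script would send the returned IAM token to the IAM/VPC APIs."""
    return get_iam_token(get_instance_identity_token(http), profile_id, http)


def fake_metadata_service(method, url, headers, body):
    """Constructed stand-in for the metadata service, for running the flow off-instance."""
    if method == "PUT" and "/instance_identity/v1/token" in url:
        if headers.get("Metadata-Flavor") != "ibm":
            return 400, b'{"errors":[{"message":"Metadata-Flavor header required"}]}'
        return 200, b'{"access_token":"instance-token-abc","expires_in":300}'
    if method == "POST" and "/instance_identity/v1/iam_token" in url:
        if headers.get("Authorization") != "Bearer instance-token-abc":
            return 401, b'{"errors":[{"message":"invalid instance identity token"}]}'
        if json.loads(body).get("trusted_profile", {}).get("id") != PROFILE_ID:
            return 403, b'{"errors":[{"message":"profile not trusted for this instance"}]}'
        return 200, b'{"access_token":"iam-token-xyz","expires_in":3600}'
    return 404, b""


if __name__ == "__main__":
    print(exchange(fake_metadata_service))
```

Keep `expires_in` short: the instance identity token only needs to live long enough for the second call, and the IAM token it yields is what the rest of the script should cache, never the identity token itself.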
For parts of 2022, I worked with several technical individuals who interact directly with our clients to help identify and start addressing gaps in our documentation and tooling that would help first-time users of IBM Cloud. As part of that effort, I developed and released a tool to help identify potential conflicts between IP ranges in on-premises environment(s) and IP ranges used in our IBM Cloud classic infrastructure. It is a common requirement, and you can perform a quick search using the IP Ranges Calculator tool. The tool also allows you to download the IP ranges in JSON format.
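The check such a tool performs is a plain CIDR overlap test, and it is worth being able to run it locally against the downloaded JSON before planning a VPN or Direct Link. The script below is an added example, not the IP Ranges Calculator itself: `CLOUD_RANGES` is a constructed stand-in for the exported JSON (the values are made up and are not IBM Cloud's real ranges), and `free_subnets` goes one step beyond the page by carving a candidate block into sub-blocks that do not clash with anything cloud-side.

```python
"""Detect overlaps between on-premises CIDRs and cloud-side IP ranges.

Added example, not the IP Ranges Calculator tool itself. CLOUD_RANGES is a
constructed stand-in for the JSON such a tool exports; the values are made up
and are not IBM Cloud's real ranges.
"""
import ipaddress

# Constructed sample of cloud-side ranges (region, purpose, cidr).
CLOUD_RANGES = [
    {"region": "dal", "purpose": "private-network", "cidr": "10.0.0.0/14"},
    {"region": "dal", "purpose": "service-network", "cidr": "10.200.80.0/24"},
    {"region": "fra", "purpose": "private-network", "cidr": "10.8.0.0/14"},
    {"region": "any", "purpose": "ssl-vpn", "cidr": "10.254.0.0/16"},
]


def _networks(cloud_ranges):
    """Parse once; strict=False tolerates host bits set in exported data."""
    return [(ipaddress.ip_network(e["cidr"], strict=False), e) for e in cloud_ranges]


def find_conflicts(onprem_cidrs, cloud_ranges=CLOUD_RANGES):
    """Return one record per (on-prem, cloud) pair whose address space overlaps.

    Two CIDR blocks either nest or are disjoint, so the shared space is simply
    the more specific (longer-prefix) block of the pair.
    """
    cloud = _networks(cloud_ranges)
    conflicts = []
    for text in onprem_cidrs:
        onprem = ipaddress.ip_network(text, strict=False)  # raises ValueError on bad input
        for net, entry in cloud:
            if net.version != onprem.version or not onprem.overlaps(net):
                continue
            overlap = onprem if onprem.prefixlen >= net.prefixlen else net
            conflicts.append({
                "onprem": str(onprem),
                "cloud": str(net),
                "region": entry["region"],
                "purpose": entry["purpose"],
                "overlap": str(overlap),
            })
    return conflicts


def free_subnets(candidate, new_prefix, cloud_ranges=CLOUD_RANGES):
    """Split `candidate` into /new_prefix blocks and keep those free of any cloud overlap.

    Useful when choosing a new on-prem range or a VPN client pool that must not clash.
    """
    cloud = [net for net, _ in _networks(cloud_ranges)]
    parent = ipaddress.ip_network(candidate, strict=False)
    return [str(sub) for sub in parent.subnets(new_prefix=new_prefix)
            if not any(sub.version == net.version and sub.overlaps(net) for net in cloud)]


if __name__ == "__main__":
    onprem = ["10.1.0.0/16", "192.168.10.0/24", "10.200.80.128/25"]  # constructed on-prem ranges
    for c in find_conflicts(onprem):
        print(f"{c['onprem']} overlaps {c['cloud']} ({c['region']} {c['purpose']}), "
              f"shared space {c['overlap']}")
    print("free /14 blocks in 10.0.0.0/12:", free_subnets("10.0.0.0/12", 14))
```

Feeding the real exported JSON in place of `CLOUD_RANGES` only requires that each entry carry a `cidr` field; the region and purpose fields are there so the report says which cloud network you would collide with, which is what decides whether a conflict actually matters for your connectivity design.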
We also published in our cloud documentation a checklist for getting started on IBM Cloud. This checklist is based on experiences from our field teams on tasks they found are required for most users onboarding to IBM Cloud. It is meant as a one-stop shop, with some links to our existing documentation.
When I write tools like the IP ranges calculator tool, I use the IBM Cloud Code Engine service as my compute environment. With the source code usually available on GitHub, I needed a way to manage updates and validation without too much effort. I wrote a set of small GitHub actions — Set up the IBM Cloud CLI and Create, Update and Delete to IBM Cloud Code Engine — and I now use these to deploy all my apps. I hope you find these as useful as I do.
Engage with us
Use the feedback button on individual tutorials to provide suggestions. Moreover, you can open GitHub issues on our code samples for clarifications. We would love to hear from you.