Cloud Infrastructure Flashcards
Key Drivers for Virtualization
- SHARING underlying resources to enable more efficient and agile use of hardware
- Easier management through REDUCED personnel and maintenance
Why is virtualization a key enabling technology for cloud computing?
Virtualization enables multitenancy and scalability; it separates compute environments from the physical hardware so that multiple operating systems and applications can run on a single machine
Virtualization System Controls (Primary Features)
- Traffic Isolation - by using a specific security group and transmission encryption
- Guest Security - provided through ISOLATION concepts of hypervisor
- File and Volume Encryption
- Control of Image Provenance - image creation, distribution, storage, use, retirement and destruction
Hypervisor
A hypervisor is a computing layer that allows multiple operating systems to run simultaneously on the same piece of hardware, with each operating system seeing the machine’s resources as its own dedicated resources
In other words, hypervisors virtually divide a computer’s resources among several virtual machines (VMs) and manage the sharing of those resources between each VM.
Guest VMs are isolated software instances
List and describe the types of hypervisors.
Type 1 hypervisors (also called bare metal hypervisors) run directly on the hardware
Type 2 hypervisors are software-based and run on an operating system
What type of Hypervisor is generally more vulnerable and why?
What makes other Hypervisor(s) more secure?
Type 2 hypervisors
OS and application vulnerabilities can be exploited and used to attack Type 2 hypervisors and their virtual machines
Type 1 hypervisors, however, generally have embedded operating systems that are tightly controlled by the vendor. This control lends itself to creating hardened operating systems that have only the functionality necessary to operate the hypervisor.
What are security considerations with containers?
- Access to containers must be tightly controlled
- Images must be validated to ensure integrity (not tampered with)
- Have a process to patch and routinely update containers
Cloud Orchestration
The end-to-end automation workflow or process that coordinates multiple lower-level automations to deliver a resource or set of resources
Software Defined Network (SDN)
System that allows VIRTUALIZATION of the network configuration and infrastructure
Allows reconfiguring the network through software
Layers/Planes of Software Defined Network
Management Plane
Control Plane
Data or Forwarding Plane
Software Defined Network Management Plane
Used to provision, configure, and de-provision all cloud resources for external and internal CSP customers
Integrates authentication and access control, while also monitoring and logging the resources used
The business applications that manage the underlying Control plane are exposed via northbound interfaces (e.g., the control plane is exposed to applications that consume it via API)
If compromised, the whole infrastructure could be compromised
Software Defined Network Control Plane
Connects provisioned resources to each other as specified by each individual tenant into segregated networks
Used to interface with devices in the Data plane through southbound interfaces
Software Defined Network Data/Forwarding Plane
Used to transfer individual tenant data to and from the specific tenant's provisioned virtual compute and storage resources
Software Defined Wide Area Network (SD-WAN)
What are the benefits of SD-WAN?
An extension of SDN that is used to connect entities via the internal network (internet)
Benefits:
- Minimizes on-premises hardware procurement and management
- Micro-segmentation of traffic types (broadband, MPLS, customer/corporate facing, etc.) for greater performance
- Support for security integration
What are the compute resources of a CSP?
Number of CPUs
Amount of RAM
What can be used to help administrators allocate compute resources to a host? How does it/they do so?
Reservation - guarantees a MINIMUM for resource allocation
Limit - MAXIMUM ceiling for resource allocation; this can be fixed or expandable
Shares - a way to manage issues with compute resources during contention situations by using PRIORITIZATION
Network Attached Storage (NAS)
Storage array/enclosure to allow USERS to store and retrieve data LOCALLY (on the LAN)
Uses common data transfer protocols such as SMB and CIFS