Migrating to Serverless

We’ll look at considerations for migrating existing applications to serverless and common ways of extending the serverless

At a high level, there are three migration patterns that you might follow to migrate your legacy applications to a serverless model.

Leapfrog

As the name suggests, you bypass interim steps and go straight from an on-premises legacy architecture to a serverless cloud architecture.

Organic

You move on-premises applications to the cloud in more of a “lift and shift” model. In this model, existing applications are kept intact, either running on Amazon Elastic Compute Cloud (Amazon EC2) instances or with some limited rewrites to container services like Amazon Elastic Kubernetes Service (Amazon EKS)/Amazon Elastic Container Service (Amazon ECS) or AWS Fargate.

Developers experiment with Lambda in low-risk internal scenarios like log processing or cron jobs. As you gain more experience, you might use serverless components for tasks like data transformations and parallelization of processes.

At some point in the adoption curve, you take a more strategic look at how serverless and microservices might address business goals like market agility, developer innovation, and total cost of ownership.

You get buy-in for a more long-term commitment to invest in modernizing your applications and select a production workload as a pilot. With initial success and lessons learned, adoption accelerates, and more applications are migrated to microservices and serverless.

Strangler

With the strangler pattern, an organization incrementally and systematically decomposes monolithic applications by creating APIs and building event-driven components that gradually replace components of the legacy application.

Distinct API endpoints can point to old vs. new components, and safe deployment options (like canary deployments) let you point back to the legacy version with very little risk.

New feature branches can be “serverless first,” and legacy components can be decommissioned as they are replaced. This pattern represents a more systematic approach to adopting serverless, allowing you to move quickly to the critical improvements where you see benefit, but with less risk and upheaval than the leapfrog pattern.

Migration questions to answer:

  • What does this application do, and how are its components organized?
  • How can you break your data needs up based on the Command Query Responsibility Segregation (CQRS) pattern?
  • How does the application scale, and what components drive the capacity you need?
  • Do you have schedule-based tasks?
  • Do you have workers listening to a queue?
  • Where can you refactor or enhance functionality without impacting the current implementation?

Application Load Balancer vs. API Gateway for directing traffic to serverless targets

  • Best fit: Application Load Balancer is easier to transition to when your existing compute stack already uses one; Amazon API Gateway is good for building REST APIs and integrating with other services and Lambda functions.
  • Authorization: Application Load Balancer supports OIDC-capable providers, including Amazon Cognito user pools; Amazon API Gateway supports AWS Identity and Access Management (IAM), Amazon Cognito, and Lambda authorizers.
  • Pricing model: Application Load Balancer is charged by the hour, based on Load Balancer Capacity Units; Amazon API Gateway is charged based on requests served.
  • Cost profile: Application Load Balancer may be more cost-effective for a steady stream of traffic; Amazon API Gateway may be more cost-effective for spiky patterns.
  • Additional features for API management (Amazon API Gateway only): export an SDK for clients; use throttling and usage plans to control access; maintain multiple versions of an API; canary deployments.

Consider three factors when comparing costs of ownership:

  • The infrastructure cost to run your workload (for example, the costs for your provisioned EC2 capacity vs. the per-invocation cost of your Lambda functions)
  • The development effort to plan, architect, and provision resources on which the application will run
  • The costs of your team’s time to maintain the application once it is in production

Reference

Cheers

Osama

AWS Site-to-Site VPN and AWS Client VPN

AWS VPN consists of two services: 

  • AWS Site-to-Site VPN enables you to securely connect your on-premises network to Amazon VPC, for example your branch office site. 
  • AWS Client VPN enables you to securely connect users to AWS or on-premises networks, for example remote employees. 

AWS Site-to-Site VPN

Based on IPsec technology, AWS Site-to-Site VPN uses a VPN tunnel to pass data between the customer network and AWS.

One AWS Site-to-Site VPN connection consists of two tunnels. Each tunnel terminates in a different Availability Zone on the AWS side, but it must terminate on the same customer gateway on the customer side. 

AWS Site-to-Site VPN components

Customer gateway

A resource you create and configure in AWS that represents your on-premises gateway device. The resource contains information about the type of routing used by the Site-to-Site VPN, the BGP ASN, and other optional configuration information.

Customer gateway device

A customer gateway device is a physical device or software application on your side of the AWS Site-to-Site VPN connection. 

Virtual private gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the AWS Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the AWS Site-to-Site VPN connection.

Transit gateway

A transit gateway is a transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the AWS Site-to-Site VPN connection.

AWS Site-to-Site VPN limitations

  • IPv6 traffic is partially supported. AWS Site-to-Site VPN supports IPv4/IPv6 dual-stack through separate tunnels for inner traffic. IPv6 for the outer tunnel connection is not supported.
  • AWS Site-to-Site VPN does not support Path MTU Discovery. The greatest Maximum Transmission Unit (MTU) available on the inside tunnel interface is 1,399 bytes.
  • Throughput of AWS Site-to-Site VPN connections is limited. When terminating on a virtual private gateway, only one tunnel out of the pair can be active and carry a maximum of 1.25 Gbps. However, real-life throughput will be about 1 Gbps. When terminating on AWS Transit Gateway, both tunnels in the pair can be active and carry an aggregate maximum of 2.5 Gbps. However, real-life throughput will be 2 Gbps. Each flow (for example, TCP stream) will still be limited to a maximum of 1.25 Gbps, with a real-life value of about 1 Gbps.
  • Maximum packets per second (PPS) per VPN tunnel is 140,000.
  • AWS Site-to-Site VPN terminating on AWS Transit Gateway supports equal-cost multi-path routing (ECMP) and multi-exit discriminator (MED) across tunnels in the same and different connections. ECMP is only supported for Site-to-Site VPN connections activated on an AWS Transit Gateway. MED is used to identify the primary tunnel for Site-to-Site VPN connections that use BGP. Note that BFD is not yet supported on AWS Site-to-Site VPN, though it is supported on Direct Connect. 
  • AWS Site-to-Site VPN endpoints use public IPv4 addresses and therefore require a public virtual interface to transport traffic over Direct Connect. Support for AWS Site-to-Site VPN over private Direct Connect is not yet available. 
  • For globally distributed applications, the accelerated Site-to-Site VPN option provides a connection to the global AWS backbone through AWS Global Accelerator. Because the Global Accelerator IP space is not announced over a Direct Connect public virtual interface, you cannot use accelerated Site-to-Site VPN with a Direct Connect public virtual interface.

In addition, when you connect your VPCs to a common on-premises network, it’s recommended that you use non-overlapping CIDR blocks for your networks. 

Client VPN

Based on OpenVPN technology, Client VPN is a managed client-based VPN service that lets you securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client. 

Client VPN components

Client VPN endpoint

Your Client VPN administrator creates and configures a Client VPN endpoint in AWS. Your administrator controls which networks and resources you can access when you establish a VPN connection. 

VPN client application

This is the software application that you use to connect to the Client VPN endpoint and establish a secure VPN connection.

Client VPN endpoint configuration file

This is a configuration file that is provided to you by your Client VPN administrator. The file includes information about the Client VPN endpoint and the certificates required to establish a VPN connection. You load this file into your chosen VPN client application. 

Client VPN limitations

  • Client VPN supports IPv4 traffic only. IPv6 is not supported.
  • Security Assertion Markup Language (SAML) 2.0-based federated authentication only works with the AWS-provided client v1.2.0 or later. 
  • SAML integration with AWS Single Sign-On requires a workaround; better integration is being worked on. 
  • Client CIDR ranges must have a block size of at least /22 and must not be greater than /12. 
  • A Client VPN endpoint does not support subnet associations in a dedicated tenancy VPC. 
  • Client VPN is not compliant with Federal Information Processing Standards (FIPS).
  • Client CIDR ranges cannot overlap with the local CIDR of the VPC in which the associated subnet is located. They also cannot overlap any routes manually added to the Client VPN endpoint’s route table.
  • A portion of the addresses in the client CIDR range is used to support the availability model of the Client VPN endpoint and cannot be assigned to clients. Therefore, we recommend that you assign a CIDR block that contains twice the number of required IP addresses. This ensures the maximum number of concurrent connections that you plan to support on the Client VPN endpoint. 
  • The client CIDR range cannot be changed after you create the Client VPN endpoint. 
  • The subnets associated with a Client VPN endpoint must be in the same VPC.
  • You cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint. 
  • AWS Certificate Manager (ACM) certificates are not supported with mutual authentication because you cannot extract the private key. You can use an ACM certificate as the server-side certificate, but to add a client certificate to your client configuration you cannot use a general ACM certificate, because you can’t extract the required private key. So you must obtain the key in one of two ways: either generate your own certificate, where you hold the key, or use AWS Certificate Manager Private Certificate Authority (ACM PCA), which gives you the private keys. If the customer is authenticating based on Active Directory or SAML, they can use a general ACM-generated certificate because only the server certificate is required.
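As an added example (not part of this post), the Python below checks a proposed client CIDR against the Client VPN limitations listed above: the /22 to /12 block-size bounds, IPv4 only, no overlap with the VPC CIDR or with manually added routes, and the recommendation to allocate twice the addresses you plan to hand out. The VPC CIDR, route list and connection count it runs with are constructed sample values.

```python
import ipaddress

# Added example, not part of the post: checks a proposed Client VPN client CIDR
# against the limitations listed above. The prefix-length bounds come from the
# post ("at least /22", "not greater than /12"); sample inputs are constructed.
MIN_PREFIX = 12   # a block larger than /12 (e.g. /8) is rejected
MAX_PREFIX = 22   # a block smaller than /22 (e.g. /24) is rejected


def validate_client_cidr(client_cidr, vpc_cidr, manual_routes=(), planned_connections=0):
    """Return a list of problems with client_cidr; an empty list means it passes."""
    problems = []
    client = ipaddress.ip_network(client_cidr)
    vpc = ipaddress.ip_network(vpc_cidr)

    # Client VPN is IPv4 only, so an IPv6 client range is rejected outright.
    if client.version != 4:
        return [f"{client} is IPv6; Client VPN supports IPv4 only"]

    if client.prefixlen > MAX_PREFIX:
        problems.append(f"/{client.prefixlen} is smaller than the /22 minimum block size")
    if client.prefixlen < MIN_PREFIX:
        problems.append(f"/{client.prefixlen} is larger than the /12 maximum block size")

    # The client range must not overlap the VPC's local CIDR ...
    if client.overlaps(vpc):
        problems.append(f"{client} overlaps the VPC CIDR {vpc}")
    # ... nor any route added manually to the endpoint's route table.
    for route in manual_routes:
        if client.overlaps(ipaddress.ip_network(route)):
            problems.append(f"{client} overlaps manually added route {route}")

    # Part of the range is reserved for the endpoint's availability model, so the
    # post recommends a block holding twice the addresses you plan to hand out.
    if planned_connections and client.num_addresses < 2 * planned_connections:
        problems.append(
            f"{client.num_addresses} addresses cannot cover 2 x {planned_connections} planned connections")
    return problems


if __name__ == "__main__":
    # Constructed sample: a /22 client range next to a 10.0.0.0/16 VPC.
    for problem in validate_client_cidr("10.100.0.0/22", "10.0.0.0/16",
                                        manual_routes=["10.100.2.0/24"],
                                        planned_connections=600):
        print("problem:", problem)
```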

Cheers
Osama

Use "sudo" Command without password Prompt

Sometimes you need to run a Linux command through sudo without being prompted for a password.

To learn more about this command, read the link here.

For example, there are three sudo commands I want to run without entering a password:

  • sudo reboot
  • sudo shutdown -r now
  • sudo shutdown -P now
To do this, follow the steps below:
  • Edit the /etc/sudoers file.
  • Add the following lines, replacing user and host with the username and the hostname of the server:

user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot

This will allow the user named user to run the desired commands on host without entering a password. All other commands run through sudo will still require a password.

Notes:

  • Always use the visudo command to edit the sudoers file, so that you do not lock yourself out of the system, for example: 

sudo visudo -f /etc/sudoers.d/shutdown

  • Instead of modifying /etc/sudoers directly, you can add the two lines to a new file in /etc/sudoers.d, for example /etc/sudoers.d/shutdown.
  • If you did not use visudo to edit your files and then accidentally messed up /etc/sudoers or a file in /etc/sudoers.d, you will be locked out of sudo. To fix it, use the pkexec command.
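The two rules above are deliberately pinned to exact paths. As an added example (not from this post), the Python below parses sudoers-style rules and reports any NOPASSWD rule that is wider than that: ALL, a wildcard, or a non-absolute path. The fragment it audits is a constructed sample that includes the post's two lines.

```python
import re

# Added example, not from the post: parses sudoers-style rules such as the two
# lines above and flags NOPASSWD rules that are broader than a fixed command.
# The sample fragment below is constructed for this example.
SAMPLE_SUDOERS = """\
# constructed /etc/sudoers.d/shutdown-style fragment
user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
deploy ALL = (ALL) NOPASSWD: ALL
ops ALL = (root) NOPASSWD: /usr/bin/systemctl restart *
alice ALL = (ALL) ALL
"""

# user  host = (runas) TAG: cmd1, cmd2   (runas and tags are optional)
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return a list of rule dicts; comments, #include lines and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas"),
            "tags": re.findall(r"[A-Z]+(?=:)", m.group("tags")),
            "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules


def audit_nopasswd(text):
    """Return (user, host, command, reason) for every NOPASSWD rule wider than an exact path."""
    findings = []
    for rule in parse_sudoers(text):
        if "NOPASSWD" not in rule["tags"]:
            continue
        for cmd in rule["cmds"]:
            program = cmd.split()[0]
            if program == "ALL":
                reason = "ALL grants password-less sudo for every command"
            elif "*" in cmd or "?" in cmd:
                reason = "wildcard; pin the exact command and arguments instead"
            elif not program.startswith("/"):
                reason = "command is not an absolute path"
            else:
                continue   # exact path such as /sbin/shutdown: as intended above
            findings.append((rule["user"], rule["host"], cmd, reason))
    return findings


if __name__ == "__main__":
    for user, host, cmd, reason in audit_nopasswd(SAMPLE_SUDOERS):
        print(f"{user}@{host}: {cmd!r}: {reason}")
```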
Cheers
Osama Mustafa

My Days As an Oracle ACED : BGOUG

12 – 14 June: save the date, because it’s the Bulgarian Oracle User Group event. This is my first time in Bulgaria and my first time as an Oracle ACE Director at any event :).

My trip was planned from Jordan to Sofia, Bulgaria, and as usual I needed to stop at one of the world’s airports to reach my destination, which I really hate because it wastes time and tires me out.
My stop was at Frankfurt airport. To get there I had to spend 5-6 hours on the plane, then wait another 5 hours in the airport, and then spend 3 hours on the plane to reach Sofia. But lucky for me, the plane was delayed in Jordan and I waited only 2 hours :).
I reached Sofia but I was really exhausted and tired from traveling, because my trip started early in the morning and it took us 2 hours to reach the hotel from the airport. Even so, I have to thank one of the best organizers I have ever seen, Milena Gerova. She organized everything very well: the hotels, the taxi, the appreciation events, and the sessions.
I had 2 presentations there about Fusion Middleware and, as usual, I organized RAC Attack on Saturday. The audience was really amazing and asked very good questions. 
I had so much fun in Bulgaria; it was one of the best events I have attended. It’s really green everywhere you look, and I learned some Bulgarian dance because I knew everyone in Bulgaria should dance 🙂 Even Tom Kyte was dancing, and Svetoslav and Heli as well, so why not? 
It’s really nice to meet old friends and to meet new ones 🙂 

Cheers
Osama Mustafa 

Dealing with Crontab

Scheduling tasks under Linux is a powerful procedure that almost everyone uses, and it is done with a program called cron. More about it here.

Procedure:

Make a new text file and enter your job line in it (see the format below), then load it into cron with:

crontab myfirstjob

Formatting the crontab file:

What each line of this file contains:

  Field   Meaning               Allowed range
  1       Minutes               0-59
  2       Hours                 0-23
  3       Days                  1-31
  4       Months                1-12 or first 3 letters of the month name
  5       Days of the week      0-7 or first 3 letters of the day name
  6       Name of the program   Any program

Some useful commands that can be used with cron:

Show all the tasks scheduled under cron:

crontab -l

Edit the crontab:

crontab -e

Some examples from a crontab file:

# Minute  Hour    Day of Month  Month              Day of Week       Command
# (0-59)  (0-23)  (1-31)        (1-12 or Jan-Dec)  (0-6 or Sun-Sat)
  0       12      *             *                  *                 /u01/backup.sh

For more examples about crontab, click here.
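As an added example (not from this post), the Python below expands the five time fields of a crontab line according to the table above, including the forms the table allows (`*`, lists, ranges, `/step`, and three-letter month and day names), and rejects values outside the allowed ranges. Apart from the post's own `0 12 * * * /u01/backup.sh`, the sample lines are constructed.

```python
# Added example, not from the post: expands the five time fields of a crontab
# line using the ranges from the table above ("*", lists, ranges, /step, and
# three-letter month and day names) and rejects out-of-range values. After the
# post's own "0 12 * * * /u01/backup.sh", the sample lines are constructed.
MONTH_NAMES = {n: i for i, n in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
DAY_NAMES = {n: i for i, n in enumerate("sun mon tue wed thu fri sat".split())}

# (field, lowest allowed value, highest allowed value, accepted names)
FIELDS = (
    ("minute", 0, 59, None),
    ("hour", 0, 23, None),
    ("day", 1, 31, None),
    ("month", 1, 12, MONTH_NAMES),
    ("weekday", 0, 7, DAY_NAMES),   # 7 is accepted as an alias for Sunday (0)
)

SAMPLE_CRONTAB = """\
# Minute Hour Day-of-Month Month Day-of-Week Command
0 12 * * * /u01/backup.sh
30 2 1,15 * mon-fri /u01/rman_full.sh >> /u01/rman.log 2>&1
*/15 * * jan,jul sun /u01/check_listener.sh
"""

def _value(token, lo, hi, names):
    """Turn one number or three-letter name (any case) into an int within lo..hi."""
    key = token.lower()
    if names and key in names:
        return names[key]
    if not token.isdigit():
        raise ValueError(f"bad value {token!r}")
    value = int(token)
    if not lo <= value <= hi:
        raise ValueError(f"{value} is outside the allowed range {lo}-{hi}")
    return value

def expand_field(spec, lo, hi, names=None):
    """Return the set of ints matched by a field such as '*/15', '1,15' or 'mon-fri'."""
    matched = set()
    for item in spec.split(","):
        base, _, step = item.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError(f"bad step in {item!r}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            first, last = base.split("-", 1)
            start, end = _value(first, lo, hi, names), _value(last, lo, hi, names)
        else:
            start = _value(base, lo, hi, names)
            end = hi if step > 1 else start   # "5/10" is shorthand for "5-<max>/10"
        if start > end:
            raise ValueError(f"reversed range {item!r}")
        matched.update(range(start, end + 1, step))
    return matched

def parse_crontab_line(line):
    """Return the expanded fields plus the command, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five time fields followed by a command")
    entry = {name: expand_field(spec, lo, hi, names)
             for (name, lo, hi, names), spec in zip(FIELDS, parts)}
    entry["weekday"] = {0 if d == 7 else d for d in entry["weekday"]}   # fold 7 onto Sunday
    entry["command"] = parts[5]
    return entry

def parse_crontab(text):
    """Parse a whole crontab file into a list of entries."""
    return [e for e in map(parse_crontab_line, text.splitlines()) if e]
```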

Cheers
Osama Mustafa

soft limit maximum user processes/Oracle Linux

As the root user, open the limits file:
[root@EM12C Packages]# vi /etc/security/limits.conf

Then add the lines below, or modify them if they already exist:

oracle              soft    nproc   2047
oracle              hard    nproc   16384
oracle              soft    nofile  4096
oracle              hard    nofile  65536
oracle              soft    stack   10240

Thank you
Osama Mustafa 

Configure Linux NFS File System

NFS : Network File System

Before you start configuring NFS, you have to understand when to use it and what it is.

An NFS file system is served from a source called the server. If this server goes down, the file system will not be available to the other hosts. From this we understand that NFS has to be configured on both sides, server and client.

Read more about it here.

Note : 

Server IP : 192.168.1.100
Client IP : 192.168.1.101

In this blog I will use NFSv4.

1- You need to install two packages (as the root user):
**nfs-utils-lib
**portmap (not needed anymore if you are using NFSv4)

2- As root, run the command below to start the NFS services:

[root@TEST share]# /etc/init.d/nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS mountd:                                      [  OK  ]
Stopping RPC idmapd:                                    [  OK  ]
Starting RPC idmapd:                                      [  OK  ]
Starting NFS daemon:                                     [  OK  ]

3- Create the folder /u01/app/shared, give ownership to oracle, and chmod 775.
4- On the NFS server (the node that owns the folder), run vi /etc/exports and add the line below. Write the client address and its options with no space between them; with a space, exports(5) applies the options to every host:

/u01/app/shared [Client-IP](rw,sync,no_root_squash)

5- The NFS server is done. Go to the NFS client (Node 2) and, as the root user, run the commands below (showmount is pointed at the server’s IP):

#/etc/init.d/nfs start
#showmount -e 192.168.1.100

The output will be like the below:

Export list for 192.168.1.100:
/u01/app/shared 192.168.1.101

6- On Node 2 (as the root user) –> # mount -t nfs 192.168.1.100:/u01/app/shared/ /u01/app/shared/
7- Check using df -h.

**Remove:

8- umount /u01/app/shared (on Node 2)

Important commands:
showmount -e : shows the shares exported by your local machine (or by the host you pass as an argument)
exportfs -v : displays the list of exported directories and their options on a server
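As an added example (not from this post), the Python below parses /etc/exports entries like the one in step 4 and reports two things worth checking before running exportfs: a client spec that ends up as "*" (which is what a stray space before the options produces) and any entry carrying no_root_squash. The exports text it reads is a constructed sample; its first line reproduces the stray-space mistake.

```python
import re

# Added example, not from the post: parses /etc/exports entries like the one in
# step 4 and flags two things a reviewer looks for. A space between the client
# and "(options)" is the classic mistake: exports(5) then applies the options to
# every host ("*") and gives the named client only the defaults. The lines below
# are constructed samples; the first reproduces that mistake.
SAMPLE_EXPORTS = """\
/u01/app/shared_bad 192.168.1.101 (rw,sync,no_root_squash)
/u01/app/shared 192.168.1.101(rw,sync,no_root_squash)
/u01/ro_share 192.168.1.0/24(ro,sync)
"""
DEFAULT_OPTIONS = ["ro", "sync", "root_squash"]   # the exports(5) defaults that matter here
CLIENT = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [{'path': ..., 'clients': [{'host': ..., 'opts': [...]}, ...]}, ...]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *client_tokens = line.split()
        clients = []
        for token in client_tokens:
            m = CLIENT.match(token)
            if not m:
                raise ValueError(f"cannot parse client spec {token!r} for {path}")
            opts = m.group("opts")
            clients.append({
                # a bare "(opts)" token has no host part and means "*"
                "host": m.group("host") or "*",
                "opts": [o for o in opts.split(",") if o] if opts is not None else list(DEFAULT_OPTIONS),
            })
        exports.append({"path": path, "clients": clients})
    return exports


def audit_exports(text):
    """Return (path, host, reason) tuples for world-wide or root-preserving exports."""
    findings = []
    for export in parse_exports(text):
        for client in export["clients"]:
            if client["host"] == "*":
                findings.append((export["path"], "*",
                                 "exported to every host (check for a stray space before the options)"))
            if "no_root_squash" in client["opts"]:
                findings.append((export["path"], client["host"],
                                 "no_root_squash: the client's root user is root on this export"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {reason}")
```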

Thank you
Osama Mustafa

Enable Docker On Linux

Oracle Linux 6.5 was released two weeks ago. I already blogged about this, and meanwhile I have been testing its new features, which are simply amazing; I will start writing about them.

To enable Docker: if you want to know what Docker is, check the official website here.

If you try to install Docker directly, you will get the error below:

[root@OEL6 u01]# rpm -ivh docker-io-0.7.0-14.el6.x86_64.rpm

warning: docker-io-0.7.0-14.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
error: Failed dependencies:
lxc is needed by docker-io-0.7.0-14.el6.x86_64

And if you try to install the lxc package:

[root@OEL6 Packages]# rpm -ivh lxc-0.9.0-2.0.5.el6.x86_64.rpm 

warning: lxc-0.9.0-2.0.5.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
error: Failed dependencies:
libvirt is needed by lxc-0.9.0-2.0.5.el6.x86_64

So let’s start:

[root@OEL6 Packages]# rpm -ivh libvirt-0.10.2-29.0.1.el6.x86_64.rpm 

warning: libvirt-0.10.2-29.0.1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
error: Failed dependencies:
/usr/bin/qemu-img is needed by libvirt-0.10.2-29.0.1.el6.x86_64
ebtables is needed by libvirt-0.10.2-29.0.1.el6.x86_64
libnetcf.so.1()(64bit) is needed by libvirt-0.10.2-29.0.1.el6.x86_64
libnetcf.so.1(NETCF_1.0.0)(64bit) is needed by libvirt-0.10.2-29.0.1.el6.x86_64
libnetcf.so.1(NETCF_1.2.0)(64bit) is needed by libvirt-0.10.2-29.0.1.el6.x86_64
libnetcf.so.1(NETCF_1.3.0)(64bit) is needed by libvirt-0.10.2-29.0.1.el6.x86_64
libnetcf.so.1(NETCF_1.4.0)(64bit) is needed by libvirt-0.10.2-29.0.1.el6.x86_64
lzop is needed by libvirt-0.10.2-29.0.1.el6.x86_64
numad is needed by libvirt-0.10.2-29.0.1.el6.x86_64
radvd is needed by libvirt-0.10.2-29.0.1.el6.x86_64

First:

[root@OEL6 Packages]# rpm -ivh lzo

lzo-2.03-3.1.el6.x86_64.rpm       lzop-1.02-0.9.rc1.el6.x86_64.rpm
[root@OEL6 Packages]# rpm -ivh lzop-1.02-0.9.rc1.el6.x86_64.rpm 
warning: lzop-1.02-0.9.rc1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:lzop                   ########################################### [100%]

Second:

[root@OEL6 Packages]# rpm -ivh numa

numactl-2.0.7-8.el6.i686.rpm
numactl-2.0.7-8.el6.x86_64.rpm
numactl-devel-2.0.7-8.el6.i686.rpm
numactl-devel-2.0.7-8.el6.x86_64.rpm
numad-0.5-9.20130814git.el6.x86_64.rpm

[root@OEL6 Packages]# rpm -ivh numad-0.5-9.20130814git.el6.x86_64.rpm 

warning: numad-0.5-9.20130814git.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:numad                  ########################################### [100%]

Third:
[root@OEL6 Packages]# rpm -ivh radvd-1.6-1.el6.x86_64.rpm 
warning: radvd-1.6-1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:radvd                  ########################################### [100%]
Fourth:

[root@OEL6 Packages]# rpm -ivh augeas-libs-1.0.0-5.el6.x86_64.rpm
warning: augeas-libs-1.0.0-5.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:augeas-libs            ########################################### [100%]

[root@OEL6 Packages]# rpm -ivh netcf-libs-0.1.9-4.el6.x86_64.rpm
warning: netcf-libs-0.1.9-4.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:netcf-libs             ########################################### [100%]

Now you need to install qemu-img, as shown below:

[root@OEL6 Packages]# rpm -ivh libgfortran-4.4.7-4.el6.x86_64.rpm
warning: libgfortran-4.4.7-4.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
        package libgfortran-4.4.7-4.el6.x86_64 is already installed

[root@OEL6 Packages]# rpm -ivh qemu-img-0.12.1.2-2.415.el6.x86_64.rpm
warning: qemu-img-0.12.1.2-2.415.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
error: Failed dependencies:
        libgfapi.so.0()(64bit) is needed by qemu-img-2:0.12.1.2-2.415.el6.x86_64
        libusbredirparser.so.1()(64bit) is needed by qemu-img-2:0.12.1.2-2.415.el6.x86_64
[root@OEL6 Packages]# rpm -ivh glusterfs-api-3.4.0.36rhs-1.0.1.el6.x86_64.rpm
warning: glusterfs-api-3.4.0.36rhs-1.0.1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:glusterfs-api          ########################################### [100%]
[root@OEL6 Packages]# rpm -ivh qemu-img-0.12.1.2-2.415.el6.x86_64.rpm
warning: qemu-img-0.12.1.2-2.415.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
error: Failed dependencies:
        libusbredirparser.so.1()(64bit) is needed by qemu-img-2:0.12.1.2-2.415.el6.x86_64
[root@OEL6 Packages]# rpm -ivh usbredir-0.5.1-1.el6.x86_64.rpm
warning: usbredir-0.5.1-1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:usbredir               ########################################### [100%]

[root@OEL6 Packages]# rpm -ivh qemu-img-0.12.1.2-2.415.el6.x86_64.rpm
warning: qemu-img-0.12.1.2-2.415.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:qemu-img               ########################################### [100%]

Finally, the last package:

[root@OEL6 Packages]# rpm -ivh ebtables-2.0.9-6.el6.x86_64.rpm
warning: ebtables-2.0.9-6.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:ebtables               ########################################### [100%]

[root@OEL6 Packages]# rpm -ivh libvirt-0.10.2-29.0.1.el6.x86_64.rpm

warning: libvirt-0.10.2-29.0.1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:libvirt                ########################################### [100%]

We have to download two more packages:

[root@OEL6 Packages]# rpm -ivh lxc-0.9.0-2.0.5.el6.x86_64.rpm

warning: lxc-0.9.0-2.0.5.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing…                ########################################### [100%]
   1:lxc                    ########################################### [100%]

[root@OEL6 u01]# rpm -ivh docker-io-0.7.0-14.el6.x86_64.rpm
warning: docker-io-0.7.0-14.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing…                ########################################### [100%]
   1:docker-io              ########################################### [100%]

Now you can use Docker 🙂 I will post more blogs about this package and how to use it.
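As an added example (not from this post), the Python below reads rpm output like the session above and does two things: it turns the "X is needed by Y" lines into an install order so the dependency chase becomes one pass instead of trial and error, and it lists every package whose signature printed NOKEY, with the key ID that should be imported (rpm --import) and re-checked (rpm -K) before installing. The log it parses is a constructed excerpt of the output shown above.

```python
import re

# Added example, not from the post: reads rpm output like that above and
# (a) turns the "X is needed by Y" lines into an install order, so the
# dependency chase becomes one pass instead of trial and error, and
# (b) lists every package whose signature could not be verified ("NOKEY")
# together with the key ID to import first. The log below is a constructed
# excerpt of the session above.
SAMPLE_LOG = """\
warning: docker-io-0.7.0-14.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
error: Failed dependencies:
\tlxc is needed by docker-io-0.7.0-14.el6.x86_64
warning: lxc-0.9.0-2.0.5.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
error: Failed dependencies:
\tlibvirt is needed by lxc-0.9.0-2.0.5.el6.x86_64
warning: libvirt-0.10.2-29.0.1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
error: Failed dependencies:
\t/usr/bin/qemu-img is needed by libvirt-0.10.2-29.0.1.el6.x86_64
\tebtables is needed by libvirt-0.10.2-29.0.1.el6.x86_64
\tlzop is needed by libvirt-0.10.2-29.0.1.el6.x86_64
"""
NEEDED_BY = re.compile(r"^\s*(?P<cap>.+?) is needed by (?P<pkg>\S+)\s*$")
NOKEY = re.compile(r"^warning: (?P<file>\S+): .*key ID (?P<key>[0-9a-f]+): NOKEY$")


def package_name(nevra):
    """'lxc-0.9.0-2.0.5.el6.x86_64' -> 'lxc' (drop version and release)."""
    return nevra.rsplit("-", 2)[0]


def parse_rpm_log(text):
    """Return (requirements per package name, {rpm file: unverified key ID})."""
    requires, unverified = {}, {}
    for line in text.splitlines():
        m = NEEDED_BY.match(line)
        if m:
            requires.setdefault(package_name(m.group("pkg")), set()).add(m.group("cap"))
            continue
        m = NOKEY.match(line)
        if m:
            unverified[m.group("file")] = m.group("key")
    return requires, unverified


def install_order(requires):
    """Depth-first post-order: every requirement is listed before what needs it."""
    order, visited = [], set()

    def visit(name):
        if name in visited:
            return
        visited.add(name)
        for requirement in sorted(requires.get(name, ())):
            visit(requirement)
        order.append(name)

    for name in sorted(requires):
        visit(name)
    return order


if __name__ == "__main__":
    requires, unverified = parse_rpm_log(SAMPLE_LOG)
    print("install in this order:", " -> ".join(install_order(requires)))
    for rpm_file, key_id in unverified.items():
        # import the vendor key (rpm --import) and re-check with rpm -K before installing
        print(f"unverified signature: {rpm_file} (key ID {key_id})")
```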
Thank you 
Osama Mustafa