How is communication between GAE (standard) and GKE conducted? - google-app-engine

I created an application on the GAE standard environment.
Now I need a static IP address to communicate with a third party, and an optimization of egress communication via a GKE application is ongoing.
I have tried two tests.
1) GAE (standard) on project A → GKE on project A: simple REST communication took about 10 ms.
2) GAE (standard) on project A → GKE on project B: simple REST communication took from about 1 ms to 80 ms.
By optimization, I would like to make the latency shorter.
In the above tests, the GAE application is pointing at an IP address which is provided by one of the GKE settings as an external IP.
At this point, I guess the communication is going over the Internet.
According to the official site and some other information, I should use the IP of the load balancer as an internal one.
If I use the internal one, does the latency of the communication become shorter because it stays within the Google network?
Or can I use a VPC to accomplish the goal?
Any other information is welcome.

Related

Moving app to GAE

Context:
We have a web application written in Java EE on Glassfish + MySQL with JDBC for storage + XMPP connection for GCM CCS upstream messaging + Quartz scheduler library. Those are the main components of the app.
We're wrapping up our app development stage and we're trying to figure out the best option for deploying it, considering future scalability, both in number of users and their geographical location (ex, multiple VMS on multiple continents, if needed). Currently we're using a single VM instance from DigitalOcean for both the application server and the MySQL server, which we can then scale up with some effort (not much, but probably more than GAE).
Questions:
1) From what I understood, Cloud SQL is replicated in multiple datacenters across the world, thus storage-wise the geographical scalability is assured. So this is a bonus. However, we would need to update the DB interaction code in the app to make use of the Cloud SQL structure, thus being locked in to their platform. Has this been a problem for you? (I haven't looked at their DB interaction code yet, so I might be off on this one.)
2) Do GAE instances work pretty much like a normal VM would? Are there any differences regarding this aspect? I've understood the auto-scaling capability, but how are they geographically scalable? Do you have to select a datacenter location for each individual instance? Or how can you achieve multiple worldwide instance locations as Cloud SQL does right out of the box?
3) How would the XMPP connection fare with multiple instances? Considering each instance is a separate VM, that means each instance will have a unique XMPP connection to the GCM CCS server. That would cause multiple problems, e.g. if more than 10 instances are opened, then the cap of 10 simultaneous XMPP connections will be hit.
4) How would the Quartz scheduler fare with the instances? Right now we're saving the scheduled jobs in the MySQL database and scheduling them at each server start. If there are multiple instances, that means the jobs will be scheduled on each instance; so if there are multiple instances, the jobs will be scheduled multiple times. We wouldn't want that.
So, if indeed problems 3 & 4 are as I described, what would be the solution to those two problems? Having a single instance for the XMPP connection as well as a single instance for the Quartz scheduler?
1) Although Cloud SQL is a managed replicated RDBMS, you still need to choose a region when creating an instance. That said, you cannot expect the latency to be great seamlessly globally. You would still need to design a proper architecture to achieve that.
2) GAE isn't a VM in any sense. GAE is a PaaS and, therefore, a runtime environment. You should expect several differences: you are restricted to Java, PHP, Go and Python, the mechanisms GAE provides out of the box, and compatible third-party libraries. You cannot install middleware there, for example. On the other hand, you don't have to deal with anything from the infrastructure standpoint, having transparent high availability and scalability.
3) XMPP is not my strong suit, but GAE offers an XMPP service; you should take a look at it. More info: https://developers.google.com/appengine/docs/java/xmpp/?hl=pt-br
4) GAE offers a cron service that works pretty well. You wouldn't need to use Quartz.
My last advice is: if you want to migrate an existing application, your best choice would probably be GCE + CloudSQL, not GAE.
Good luck!
Cheers!

How to whitelist IPs of the stress-inducing machines for stress testing

We are trying to stress test our app and we believe we are running into problems related to Google DDoS protection.
One machine can generate 44,000 requests a second to a script that does nothing (returns HTTP 200).
Two machines generate 23,000+- each (roughly half).
Is there any way to whitelist the IPs of the stress-inducing machines, or disable this protection for testing?
Note: The two machines have a different public IP but share a subnet X.X.. [X.X is shared]

How should I setup my Azure Network for this particular web scenario

We're looking at moving off our Hosted company and onto Azure.
We're not sure what type of network setup we need to do with Azure, e.g. availability sets, etc.
We currently have
1x VM IIS Website (main site)
1x VM IIS Website (totally separate site with different UI/content etc).
1x VM IIS Website (JSON API).
1x dedicated SQL Server 2012 box all tricked out big time with RAID 10, SSD, 24 GB RAM.
(no IIS VM's are load balanced or scaled).
We're not doing -anything- special with IIS (eg. custom sections unlocked, etc) so we're hoping to move these over to WAWS so we can scale when needs be. (eg. add more instances).
SQL Server 2012 uses FTS (oh! le sigh!) so we'll probably go and get an A6 2012 R1 VM with SQL Standard (we need to be able to profile if a failure happens in production).
So, what we're hoping to setup is something like the following
SQL Server in Azure. IP-whitelist it for a) the Azure website private VLAN thingy (is this possible?) and b) about 3 public IPs.
3x WAWS for our IIS sites.
But we want to be able to update, say, the main website and not incur any downtime for the users. (NOTE: Let's assume we're not doing any DB maintenance.)
So, is there something special we can do here to have .. say .. 1 instance up, the 2nd gets auto-updated, then it does the other one? Do we need to worry about load balancing?
E.g. put webs on one subnet, 192.168.1.x, DB on a 2nd subnet, 192.168.2.x ... and then do this and that, etc.
Incidentally, I'm not sure if that's possible.
Lastly, I'm hoping to avoid using VMs for the websites or web workers for the websites, because I've found using WAWS so nice and less support/maintenance required.
You loaded that up with a lot of questions. I'll avoid the opinion-based ones (such as what you should do to set this up), and tackle the objective ones:
Azure Web Sites: Very easy to push code to, and simple to update without downtime, assuming you have more than one instance running (the changes are propagated, and not all at the exact same time to all instances). However: Azure Web Sites does not offer dedicated outbound IP addresses (only dedicated incoming, if you purchase an SSL cert). Therefore, you cannot include a site hosted in WAWS within a virtual network, nor can you add it to an IP whitelist on a VM's endpoint ACL.
Web Sites will take care of load-balancing for you, assuming you scale to multiple instances. By the way: those same instances would host all of your websites. Just like, with Cloud Services, you can deploy multiple websites to the same Web Role.
If you want to IP-whitelist your website, you'd need to go with cloud services (web role), or VM. Web Roles are fairly straightforward to construct; underneath, they're just Windows Server VMs. You have no OS maintenance to worry about; you just maintain the code project in Visual Studio, and push up a deployment package when it's time to update the app.
Also keep this in mind: with either Web Sites or Cloud Services (or VMs, for that matter), if you have static content such as CSS, images, JavaScript, etc., you can store that in blob storage and update this content independently of your deployed code (assuming you've adjusted your app to point to blob storage for the source of such content).
Regarding availability sets: This is a mechanism for combining multiple virtual machines into a high-availability configuration: the VMs are spread out across racks, removing single-point-of-failure (e.g. top-of-rack router fails; you don't want all your VMs knocked out because of that). VMs in an availability set are also updated separately when it comes time for Host OS update (the OS running beneath the VMs). Otherwise, they'd all have the potential to be updated simultaneously.

Platform as a Service to handle tens of thousands of simultaneous long term network connections

Is there a Platform as a Service (PaaS, e.g. Google App Engine or Windows Azure) that for a reasonable cost can be used to run a server for relaying peer to peer "real time" communication between clients?
This system will in my case be used to relay (small amounts of) network traffic to and from small home automation gadgets with limited resources programmed in embedded C, to Android and iOS apps. In a few years I expect several tens of thousands of simultaneous connections.
The reason I am looking for a PaaS solution and not IaaS is that I would like to minimize the time and expertise needed for virtual computer, OS and server application maintenance.
Because of the resource constraints of the home automation gadget, a solution like PubNub is not possible. I have a few thousand bytes of available program flash for my embedded C code, so the protocol used would have to be pretty basic (e.g. raw TCP or UDP, HTTP or WebSockets).
Using "long polling" with Google App Engine (GAE) would be too expensive, as they bill for the whole duration of the connection even if almost no traffic is transferred. GAE supports sockets, but only outgoing sockets and not listening sockets on the server. Is it possible to get around this limitation somehow by e.g. sending a UDP packet to GAE first (to punch a hole in the user's firewall), and having GAE then initiate an outgoing socket back to the home automation gadget or Android/iOS app?
Or do you see any other possible solutions using the PaaS aspects of Windows Azure or other PaaS providers?
Any tips or possible solutions are greatly appreciated!
AMQP seems like it would fit your protocol needs and the Apache Qpid/Proton project has some client libraries, their C code might meet your needs. On the service side you could test things out using Azure ServiceBus since it speaks AMQP. If that didn't meet your needs you could host a worker role and run one of the AMQP clients in there.
Another option to consider is ZeroMQ. They have a lot of very simple client APIs, and building a relay service that ran in a Worker role would be a trivial amount of code (see the Java sample and the C# sample). Those samples are using an "inproc" transport and I'm guessing you want to switch that to TCP.

Best method to secure connection to firebird over internet

I have a client-server application which uses a Firebird 2.5 server over the Internet.
I have met the problem of giving secure access to FB databases, and as a first approach I tried to solve this problem by integrating a tunnel solution in the application (the STunnel software, more exactly). BUT this approach suffers in many aspects:
- it adds more resource consumption (CPU, memory, threads) at both client and server side,
- software deployment becomes a serious problem because STunnel is written as a WinNT service, not a DLL or a component (a WinNT service needs administrator privileges to install), and my client application needs to run without installation!
SO, I decided to take the bull by the horns (or the bird by the feathers, as we are talking about Firebird). I have downloaded the Firebird 2.5 source code and injected secure tunnelling code directly into its low-level communication layer (the INET socket layer).
NOW, encryption/decryption is done directly by the Firebird engine for each TCP/IP packet.
What do you think about this approach vs. external tunnelling?
I would recommend wrapping the data exchange in an SSL/TLS stream, from both sides. This is a proven standard, while custom implementations with static keys can be insecure.
For instance, CTR mode with a constant IV can reveal a lot of information, since it only encrypts an incremented vector and XORs it with the data, so XORing two encrypted packets will show the XORed version of the unencrypted packets.
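The CTR-mode leak mentioned in the answer above, as an added example that is not part of the original post or of Firebird's code. The block uses a SHA-256-based keystream block in place of AES (an assumption made so it runs with the standard library only; the leak depends on reusing the (key, IV) pair, not on the block function), encrypts two constructed packets under the same constant IV, and shows that the XOR of the two ciphertexts equals the XOR of the two plaintexts, so one known packet (a predictable header, say) exposes the other. With a fresh IV per packet the relation disappears, which is the property a TLS stream gives you for free.

```python
import hashlib

BLOCK = 32  # SHA-256 digest size, used here as the keystream block size


def keystream_block(key: bytes, iv: bytes, counter: int) -> bytes:
    # Stand-in for the block cipher in CTR mode (assumption: SHA-256 instead of AES).
    # Real CTR mode runs AES over (iv || counter); the weakness shown below is the
    # same for any block function once (key, iv) is reused.
    return hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()


def ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CTR mode: keystream = F(key, iv, counter); ciphertext = plaintext XOR keystream.
    # Encryption and decryption are the same operation.
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        ks = keystream_block(key, iv, offset // BLOCK)
        chunk = data[offset:offset + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ciphertext_xor_leaks_plaintext_xor(key: bytes, iv1: bytes, iv2: bytes,
                                       p1: bytes, p2: bytes) -> bool:
    # True when c1 XOR c2 == p1 XOR p2, i.e. the keystreams cancelled out.
    # This happens exactly when iv1 == iv2 (constant IV); it must be False otherwise.
    c1 = ctr_xor(key, iv1, p1)
    c2 = ctr_xor(key, iv2, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def recover_with_known_packet(key: bytes, iv: bytes,
                              known_plaintext: bytes, secret_plaintext: bytes) -> bytes:
    # Under a constant IV, an observer holding one plaintext/ciphertext pair
    # (e.g. a fixed protocol greeting) reads the other packet without the key:
    # c_known XOR c_secret XOR p_known == p_secret.
    c_known = ctr_xor(key, iv, known_plaintext)
    c_secret = ctr_xor(key, iv, secret_plaintext)
    n = min(len(known_plaintext), len(secret_plaintext))
    return xor_bytes(xor_bytes(c_known[:n], c_secret[:n]), known_plaintext[:n])


# Constructed sample data (not real keys or traffic).
KEY = b"constructed-demo-key-not-secret!"
IV_CONSTANT = bytes(8)                 # the "constant IV" the answer warns about
IV_FRESH = bytes(7) + b"\x01"          # a different IV for the second packet
P1 = b"SELECT balance FROM accounts WHERE id=1"
P2 = b"SELECT balance FROM accounts WHERE id=2"


def demo() -> dict:
    return {
        "constant_iv_leaks": ciphertext_xor_leaks_plaintext_xor(KEY, IV_CONSTANT, IV_CONSTANT, P1, P2),
        "fresh_iv_leaks": ciphertext_xor_leaks_plaintext_xor(KEY, IV_CONSTANT, IV_FRESH, P1, P2),
        "recovered": recover_with_known_packet(KEY, IV_CONSTANT, P1, P2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The takeaway for the Firebird case: an IV must be unique per packet (and per direction) under a given key, and the receiver must reject anything it cannot authenticate; a TLS record layer handles both, which is why the answer prefers it over a hand-rolled tunnel.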
In general, my view of security critical code is this, "you want as many eyes on the code in question as possible and you do not want to be maintaining it yourself." The reason is that we all make mistakes and in a collaborative environment these are more likely to be caught. Additionally these are likely to be better tested.
In my view there are a few acceptable solutions here. All approaches do add some overhead, but this overhead could, if you want, be handled on a separate server if that becomes necessary. Possibilities include:
- stunnel
- IPSec (one of my favorites). Note that with IPSec you can create tunnels, and these can then be forwarded on to other hosts, so you can move your VPN management onto a computer other than your DB host. You can also do IPSec directly to the host.
- PPTP
- Cross-platform VPN software like tinc and the like.
Note here in security there is no free lunch and you need to review your requirements very carefully and make sure you thoroughly understand the solutions you are working with.
The stunnel suggestion is a good one, but, if that's not suitable, you can run a true trusted VPN of sorts, in a VM. (Try saying that a few times.) It's a bit strange, but it would work something like this:
- Set up a VM on the Firebird machine and give that VM two interfaces, one which goes out to your external LAN (best if you can actually bind a LAN card to it) and one that is a host-only LAN to Firebird.
- Load an OpenVPN server into that VM and use both client and server certificates.
- Run your OpenVPN client on your clients.
Strange, but it ensures the following:
- Your clients don't get to connect to the server unless BOTH the client and server agree on the certificates.
- Your Firebird service only accepts connections over this trusted VPN link.
- Technically, local entities could still connect to the Firebird server outside of the VPN if you wanted it -- for example, a developer console on the same local LAN.
The fastest way to get things done would not be to improve Firebird, but to improve your connection.
Get two firewall devices which can do SSL certificate authentication and put them in front of your DB server and your Firebird clients.
Let the firewall devices do the encryption/decryption, and have your DB server do its job without the hassle of meddling with every packet.