📌 Lecture 10 — Cloud Computing: Ship QuickNotes to the Real World


📍 Slide 1 – 💥 The Day Half the Internet Lived in us-east-1

  • 🗓️ December 7, 2021, 15:34 UTC — an automated AWS internal-network scaling event misbehaves in us-east-1
  • 🪦 Within minutes, Lambda, Cognito, DynamoDB, Connect, EventBridge are all degraded — anything that used those internally is degraded too
  • 🌐 Cascading impact: Netflix, Disney+, Robinhood, Roomba, Slack, parts of AWS's own console. Even AWS engineers couldn't log in to fix the problem (Cognito was down)
  • ⏳ Eight hours of major impact, days of follow-up
  • 🎓 Lesson: "Cloud" doesn't mean "infinite reliability". It means "someone else's reliable" — and that "someone else" can have an event that takes you with them

🤔 Think: Your QuickNotes deploy this week will run on someone else's infrastructure. What happens to it when that infrastructure has a bad afternoon?


📍 Slide 2 – 🎯 Learning Outcomes

| # | 🎓 Outcome |
|---|---|
| 1 | ✅ Place workloads on the IaaS / PaaS / CaaS / FaaS / SaaS spectrum |
| 2 | ✅ Explain the shared responsibility model |
| 3 | ✅ Pick a region/zone with intent — for latency, data residency, cost |
| 4 | ✅ Push the QuickNotes image to a real container registry |
| 5 | ✅ Deploy QuickNotes to a hosted container platform with a public URL (the lab uses card-free Hugging Face Spaces + Cloudflare Tunnel — same patterns as Cloud Run / Lambda) |
| 6 | ✅ Read a cloud bill — recognize the 3-4 line items that dominate it |

📍 Slide 3 – 🗺️ Lecture Overview

```mermaid
graph LR
    A["☁️ Cloud History"] --> B["🥪 IaaS/PaaS/SaaS"]
    B --> C["🤝 Shared Responsibility"]
    C --> D["🌍 Region / Zone"]
    D --> E["📦 Registries"]
    E --> F["🚀 Serverless<br/>Cloud Run"]
    F --> G["💵 Cost"]
```

  • 📍 Slides 1-5 — Cloud history, the layers, shared responsibility
  • 📍 Slides 6-9 — Regions, zones, latency, data residency
  • 📍 Slides 10-13 — Containers in the cloud: registries, Cloud Run
  • 📍 Slides 14-17 — Cost, incidents, lab, takeaways

📍 Slide 4 – 📜 A Compressed History

  • 🛒 March 14, 2006 — AWS launches S3. First object storage as a service
  • 🖥️ August 25, 2006 — AWS launches EC2 (private beta in 2005). VMs by the hour
  • 🟦 2008-2010 — Google App Engine, then Compute Engine; Microsoft Azure GA (Feb 2010)
  • 🎁 2014 — AWS Lambda introduces serverless (FaaS): pay per ms of execution
  • 🐳 2017-2019 — Managed Kubernetes (GKE, EKS, AKS); container PaaS (Cloud Run 2019 GA)
  • 2024-2026 — Most workloads are containers; serverless (Cloud Run / Lambda) dominates burst-y traffic; VMs remain for "needs full Linux" cases

| Year | Service | What it offered |
|---|---|---|
| 2006 | S3 | Storage as a service |
| 2006 | EC2 | Compute by the hour |
| 2008 | App Engine | Managed runtime |
| 2014 | Lambda | Per-execution billing |
| 2019 | Cloud Run | Container-as-a-service |

📍 Slide 5 – 🥪 The Service-Model Stack

```mermaid
graph TB
    M["💻 On-prem<br/>everything is yours"] --> I["🏗️ IaaS<br/>EC2 / Compute Engine"]
    I --> C["📦 CaaS<br/>ECS / GKE / Cloud Run"]
    C --> P["PaaS<br/>App Engine / Heroku"]
    P --> F["⚡ FaaS<br/>Lambda / Cloud Functions"]
    F --> S["📨 SaaS<br/>Gmail / Salesforce"]
```

| Layer | You manage | Cloud provider manages | Example |
|---|---|---|---|
| IaaS | OS + app + everything | Hardware, hypervisor | EC2, Compute Engine |
| CaaS | Container image | OS, scaling | ECS, GKE, Cloud Run |
| PaaS | App code | Container, OS, scaling | App Engine, Heroku |
| FaaS | A function | Everything else | Lambda, Cloud Functions |
| SaaS | Configuration | The whole product | Gmail, Slack, Salesforce |

  • 🎯 You're climbing the stack every lab: bare metal (Lab 4-5) → containers (Lab 6) → managed deploy (Lab 7 Ansible to VM) → CaaS (Lab 10 to Cloud Run)

📍 Slide 6 – 🤝 The Shared Responsibility Model

```mermaid
graph TB
    YOU["YOU: data, code, IAM, network config, OS patching (IaaS only)"]
    AWS["AWS / GCP / Azure: hardware, hypervisor, region power+cooling, base service"]
    YOU -. boundary moves up the stack as you go from IaaS → CaaS → FaaS .-> AWS
```

| What | IaaS | CaaS | FaaS |
|---|---|---|---|
| Data | 👤 | 👤 | 👤 |
| App code | 👤 | 👤 | 👤 |
| Runtime | 👤 | 👤 | ☁️ |
| Container image | 👤 | 👤 | ☁️ |
| Operating system | 👤 | ☁️ | ☁️ |
| Hypervisor | ☁️ | ☁️ | ☁️ |
| Hardware | ☁️ | ☁️ | ☁️ |

  • 🛡️ The boundary moves. Your job in CaaS is the image, not the OS. In FaaS, it's the function, not even the image
  • 🪤 But IAM, data, and network configuration are always your responsibility — and that's where most cloud breaches happen

📍 Slide 7 – 🌍 Regions, Zones, Edges

```mermaid
graph TB
    R1["🌍 Region: europe-west4 (Netherlands)"]
    R1 --> Z1["🏢 Zone: europe-west4-a"]
    R1 --> Z2["🏢 Zone: europe-west4-b"]
    R1 --> Z3["🏢 Zone: europe-west4-c"]
    R1 --> E1["🛰️ Edge: 200+ POPs worldwide<br/>(CDN, Cloud CDN, CloudFront)"]
```

| Concept | Scope | What it means |
|---|---|---|
| Region | A geographic area (Netherlands, Iowa, …) | Independent failure domain at the region level |
| Zone | A datacenter within a region | Independent power, cooling, network |
| Edge / POP | Global CDN locations | Cache static content close to users |

  • 🌐 Multi-zone = "survive a datacenter going dark". Multi-region = "survive a region going dark"
  • 💸 Multi-region is expensive; multi-zone is usually free
  • 🇩🇪 Data residency: GDPR requires EU user data to stay in EU regions — choose regions accordingly

📍 Slide 8 – 📦 Container Registries: Where Your Image Lives

(Recap of Lecture 6, with cloud focus)

| Registry | Best for | Auth |
|---|---|---|
| GitHub Container Registry (ghcr.io) | Public + private; OIDC from GH Actions | GitHub Personal Access Token / OIDC |
| AWS ECR | Pulls into ECS/EKS in same region (cheap egress) | IAM (`aws ecr get-login-password`) |
| GCP Artifact Registry | Pulls into GKE/Cloud Run in same project | Workload Identity / `gcloud auth` |
| Azure Container Registry | AKS, Container Apps | Entra ID / Service Principal |
| Docker Hub | Public images, broad reach | Login required for higher rate limits |

```bash
# ✅ ghcr.io, OIDC-friendly, free for public repos
# --password-stdin keeps the token out of the process list and shell history
$ echo "$GITHUB_TOKEN" | docker login ghcr.io -u USER --password-stdin
$ docker push ghcr.io/inno-devops-labs/quicknotes:v0.1.0
```

📍 Slide 9 – 🚀 Cloud Run in 5 Commands

Cloud Run is Google's container-as-a-service — fully managed, scale-to-zero, pay-per-request.

```bash
# 1) auth (one-time)
$ gcloud auth login
$ export PROJECT=YOUR_PROJECT            # project ID, reused in the image paths below
$ gcloud config set project "$PROJECT"

# 2) push the image
$ gcloud auth configure-docker europe-west4-docker.pkg.dev
$ docker tag quicknotes:v0.1.0 europe-west4-docker.pkg.dev/$PROJECT/qn/quicknotes:v0.1.0
$ docker push                  europe-west4-docker.pkg.dev/$PROJECT/qn/quicknotes:v0.1.0

# 3) deploy
$ gcloud run deploy quicknotes \
    --image europe-west4-docker.pkg.dev/$PROJECT/qn/quicknotes:v0.1.0 \
    --region europe-west4 \
    --port 8080 \
    --memory 256Mi --cpu 1 \
    --max-instances 5 \
    --allow-unauthenticated              # public endpoint: invocations are not IAM-checked

# 4) hit it
$ curl https://quicknotes-XXXXXX-ew.a.run.app/health

# 5) tear down
$ gcloud run services delete quicknotes --region europe-west4
```

  • 💸 Generous free tier: 2M requests/month, 360k vCPU-seconds. Lab 10 fits inside it
  • ⚡ Cold start ~1-2s for a 15 MB Go image (way better than Java/Node)
  • 🪪 OIDC from GitHub Actions = no service-account JSON to leak

📍 Slide 10 – 🪶 Alternative: Fly.io (no Google account required)

```toml
# fly.toml
app = "quicknotes-USERNAME"
primary_region = "ams"

[build]
  image = "ghcr.io/inno-devops-labs/quicknotes:v0.1.0"

[[services]]
  internal_port = 8080
  protocol = "tcp"

  [services.concurrency]
    soft_limit = 200
    hard_limit = 250

  [[services.ports]]
    port = 80
    handlers = ["http"]

  [[services.http_checks]]
    path = "/health"
    interval = "10s"
```

```bash
fly launch --no-deploy        # one-time
fly deploy
fly open                       # opens the URL in your browser
```

  • 🌍 Fly.io runs your container globally close to users with a generous free tier — 3 micro-vms free
  • 🇷🇺 Useful when: GCP / AWS account is hard to get (sanctions, payment cards); Fly.io accepts more payment methods

📍 Slide 11 – 💵 Reading a Cloud Bill

| Line item | What it is | Tactic to reduce |
|---|---|---|
| 💾 Storage (S3 / GCS) | $/GB-month | Lifecycle policies; cold storage classes |
| 📤 Egress | $/GB out of the cloud | Same-region pulls; CDN |
| ⚡ Compute | vCPU-hours / second | Right-size; auto-scale; serverless |
| 🪪 Cross-zone / cross-region | $/GB between zones/regions | Co-locate chatty services |
| 🌐 Load balancer | $/hour + per LCU | Consolidate LBs; serverless = no LB |
| 🗃️ Managed DB | $/instance-hour + IOPS | Right-size; reserved instances |

  • 🚨 Egress will surprise you. S3 → other cloud → other region can be $0.09/GB. A 1TB nightly backup is $90 you didn't budget for
  • 💡 Cloud Run free tier plus a tiny Go image is the cheapest way to host QuickNotes — likely $0 for the duration of this lab

📍 Slide 12 – 🛡️ Cloud Security Defaults That Matter

| Default | Why |
|---|---|
| No long-lived keys — use OIDC (Lecture 3) | Stolen short-lived creds expire in 15 min |
| Least-privilege IAM | A QuickNotes deploy service account doesn't need org-admin |
| No public buckets unless on purpose | The classic S3 / GCS breach |
| Logging on, retained ≥ 90 days | You'll need them during an incident |
| VPC + private networking | Don't expose the DB to the internet |
| Budget alerts | A runaway loop in CI can cost $1000/h |

  • 🪤 Famous Capital One breach (2019): an SSRF + over-permissive IAM role exfiltrated 100M+ customer records. Least-privilege would have stopped it
  • 🧪 In Lab 10 you'll use least-privilege Cloud Run service accounts — not the default Editor role
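
One way to check the least-privilege default above against a project, as an added example that is not part of the original lecture: it reads IAM bindings in the shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports service accounts holding a basic role (Owner or Editor). The sample policy, project name and account names are constructed.

```python
import json

# Constructed sample: the "bindings" shape that
# `gcloud projects get-iam-policy PROJECT_ID --format=json` prints.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
               "user:alice@example.com"]},
  {"role": "roles/owner",
   "members": ["serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/artifactregistry.reader",
   "members": ["serviceAccount:quicknotes-run@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:quicknotes-run@example-project.iam.gserviceaccount.com"]}
]}
""")

BASIC_ROLES = {"roles/owner", "roles/editor"}  # project-wide basic roles
DEFAULT_COMPUTE_SUFFIX = "-compute@developer.gserviceaccount.com"


def roles_by_service_account(policy):
    """Map each service account in the policy to the set of roles it holds."""
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                email = member.split(":", 1)[1]
                held.setdefault(email, set()).add(binding.get("role", ""))
    return held


def audit_policy(policy):
    """Return sorted (email, role, note) findings for over-privileged service accounts."""
    findings = []
    for email, roles in roles_by_service_account(policy).items():
        for role in sorted(roles & BASIC_ROLES):
            note = ("default compute service account"
                    if email.endswith(DEFAULT_COMPUTE_SUFFIX)
                    else "user-managed service account")
            findings.append((email, role, note))
    return sorted(findings)


if __name__ == "__main__":
    for email, role, note in audit_policy(SAMPLE_POLICY):
        print(f"OVER-PRIVILEGED {email}: {role} ({note})")
```

The dedicated `quicknotes-run` account in the sample holds only narrowly scoped roles and is not reported; `roles_by_service_account` shows exactly what it can do.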

📍 Slide 13 – 🌐 Multi-Region & Disaster Recovery in 60 Seconds

| Strategy | RTO | RPO | Cost |
|---|---|---|---|
| Backup only | 24h+ | 24h | $ |
| Pilot light (cold standby) | 1-4h | minutes | $$ |
| Warm standby | 5-30 min | seconds | $$$ |
| Multi-region active-active | 0 | 0 | $$$$ |

  • 🎯 RTO = Recovery Time Objective (how long until you're back)
  • 🎯 RPO = Recovery Point Objective (how much data you can lose)
  • 🪶 For QuickNotes intro deploys, backup only is fine. Multi-region is SRE-Intro territory

📍 Slide 14 – ❌ Cloud Antipatterns

| 🔥 Antipattern | ✅ Better |
|---|---|
| One huge instance because "VMs are cheap" | Right-size; auto-scale on CPU/req-rate |
| 0.0.0.0/0 ingress because "it just works" | Restrict to known CIDR or behind LB+WAF |
| Service-account JSON committed to Git | OIDC; secret manager; rotation policy |
| One AWS root account for everything | Org + accounts per environment; IAM Identity Center |
| No tags, no budgets | Mandate cost tags; alerts at 50/80/100% of budget |
| Multi-region "because that's what big companies do" | Multi-AZ first; multi-region only if you actually need it |
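
A check for the "Service-account JSON committed to Git" antipattern above, as an added example that is not part of the original lecture: it walks a working tree and reports JSON files shaped like a Google service-account key (`type` equal to `service_account`, plus `private_key` and `client_email` fields). The repository layout and key contents in `demo()` are constructed placeholders.

```python
import json
import os
import tempfile

KEY_FIELDS = {"type", "private_key", "client_email"}  # shape of a GCP key file
MAX_BYTES = 64 * 1024  # key files are a few KB; skip anything large


def looks_like_sa_key(path):
    """True if the file parses as JSON and has the shape of a service-account key."""
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return False
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):  # unreadable, binary, or not JSON
        return False
    return (isinstance(doc, dict) and KEY_FIELDS.issubset(doc)
            and doc["type"] == "service_account")


def find_sa_keys(root):
    """Walk a working tree (skipping .git) and return relative paths of key files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if looks_like_sa_key(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Scan a constructed repo layout: one key-shaped file, one ordinary JSON file."""
    fake_key = {"type": "service_account", "project_id": "example-project",
                "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
                "client_email": "ci-deploy@example-project.iam.gserviceaccount.com"}
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "deploy"))
        with open(os.path.join(repo, "deploy", "sa.json"), "w") as fh:
            json.dump(fake_key, fh)
        with open(os.path.join(repo, "package.json"), "w") as fh:
            json.dump({"name": "quicknotes", "type": "module"}, fh)
        return find_sa_keys(repo)


if __name__ == "__main__":
    print(demo())
```

The scan covers the working tree only: a key that was ever committed stays in Git history, so it has to be revoked at the provider, not just deleted from the repository.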

📍 Slide 15 – 🧪 Lab 10 Preview: Deploy QuickNotes to the Cloud

💡 The lab uses two platforms that are truly free — no credit card required — so Innopolis students aren't blocked by payment-card friction. The concepts (registry, CaaS, scale-to-zero, public URL, edge) are identical to Cloud Run / Lambda / Fargate.

  • 📦 Task 1 (6 pts): Build the QuickNotes container image in your Lab 3 CI, push it to ghcr.io on a Git-tag trigger. Verify a fresh docker pull works from a clean machine
  • 🚀 Task 2 (4 pts): Deploy that image to Hugging Face Spaces (Docker SDK) — free hosted container, public URL, sleeps after ~30 min idle (real scale-to-zero, slower than Cloud Run). Measure cold vs warm latency
  • 🎁 Bonus (2 pts): Expose the same QuickNotes through a Cloudflare Tunnel (cloudflared, no account / no domain / no card required) and compare hosted-container latency vs local-via-edge latency
  • 📜 Deliverable: submissions/lab10.md — registry push log, HF Spaces URL, cold-start measurements, (Bonus) cross-platform comparison table

📍 Slide 16 – 🧠 Key Takeaways

  1. ☁️ Cloud is "someone else's reliable" — read every provider's SLA and shared-responsibility doc
  2. 🥪 The stack is a spectrum — IaaS → CaaS → FaaS → SaaS — pick what matches your team's responsibility budget
  3. 🌍 Regions are independent; zones aren't always; edges are caches — design with the boundary in mind
  4. 📦 Push to a registry, deploy a container — the modern minimum viable cloud workflow
  5. 💸 Egress is what surprises you — budget for it; alert on overruns
  6. 🛡️ Least-privilege IAM + OIDC — the two settings that prevent most cloud breaches

📍 Slide 17 – 🚀 What's Next + 📚 Resources

```mermaid
graph LR
    P["🛡️ Week 9<br/>DevSecOps"] --> Y["📍 You Are Here<br/>Cloud Computing"]
    Y --> N["🎁 Reading 11<br/>Nix"]
    N --> M["🎁 Reading 12<br/>WASM"]
```

🎯 Remember: "It's running in the cloud" is not an outcome. The outcome is: users can reach it; it's monitored; it scales; it's secure; it doesn't break the budget. The 10 lectures of this course are what gets you there.