Author Archives: milexm

Load and Query Data Using BigQuery Browser

To perform the steps described in this section, you must own or have access to a Google Cloud Platform project with BigQuery API enabled.   You need credentials to access APIs.

Enable the APIs you plan to use and then create the credentials they require. Depending on the API, you need an API key, a service account, or an OAuth 2.0 client ID. Refer to the API documentation for details. For more information, see Google Cloud API Common Tasks.

Prerequisites

Prepare and load the sample data.

  1. Obtain the data. The US Government keeps a record of names given to newborn babies for each year going back to 1880. You can download the data from Popular Baby Names. The zip archive contain several comma separated value (CSV) files (one for each year).  The file names are in the format “yobNNNN.txt”.  You can choose any file you like. For this example we’ll use the file yob2010.txt that contains the most popular names for the year 2010.
  2. Unzip the archive. The format for each CSV file is name, gender, count.  Where gender is either “M” or “F”, and count is the number of children given that name.  Remember this format, because you will  use it for the schema when you create your table.
NoteThe sample data is already in comma separated value (CSV) format. One of the formats accepted by BigQuery, the other being JSON. So no data preparation is required before loading it into BigQuery.

Create a Dataset

  1. Launch the Big Query Browser.
  2. In the left panel,  select your project.
  3. Next to your project name, click the down arrow .BQ_Create_Dataset
  4. In the popup menu, click  Create new dataset.
  5. In the dialog box, for the Dataset ID enter the name of the dataset, for example: PopularNames.BQ_Popular_Names_Create
  6. Click OK.
    The new dataset is created and listed under the project in the left panel.

Create and Populate a Table

Now. let’s create the table to hold the data we want to query.

  1. Click the arrow icon on the right side of the name of the dataset just created.
  2. In the popup menu, click Create new table.  A wizard dialog window is displayed.
  3. In the next dialog window, in the Table ID box enter the name of the table. In the picture shown next, the name is Names_1930. Notice that the Dataset ID is PopularNames.
    BQ_Table_Create
  4. Click Next.
  5. In the next dialog window, keep the source format CSV selected.
  6. In the Load data from, click the Choose file button.BQ_Table_Load_Data
  7. From your local drive select the file yob1930.txt.
  8. Click Next.
  9. In the next dialog window, define the Edit Schema. Click the link Edit as text and enter the following schema: name:string,gender:string,count:integer.
  10. Click Next.
  11. In the next dialog window, assure that the field delimiter selection is Comma.
  12. Click Submit.  Wait for the data to load.  If the loading is successful you should see the table name Names_1930 displayed under the PopularNames dataset, in the left panel.

Query the Data

Finally, here the rubber hits the road. Let’s query the table we have just populated. .

    1. In the left panel, click the name of the table just created. You will see the schema information displayed in the main panel as shown in the next picture.BQ_Table_Details
    2. With the Names_1930 table selected, click the Query Table button in the upper right.
    3. In the New Query box enter the following query:
      SELECT name,count FROM PopularNames.Names_1930
      WHERE gender = ‘F’ ORDER BY count DESC LIMIT 5;
    4. Click the Run Query button. You should get the following results:BQ_Table_Query_Results
      … So Mary was the most popular name for baby girls in the US in the year 1930.

Cloud Readiness Design Guidelines

These guidelines help creating cloud ready applications and suggest best practices. Background information and relevant links are included.
The goal is to provide information that can help the transition from a desk-top or a virtual environment to the cloud.

At first, this transition can seem daunting. But, once you have mastered the details, it becomes obvious and natural how to make the “paradigm shift”.
The good news is that the rewards are great. This is because the cloud is not a fad but a solution for real world problems. Problems such as resource availability , resources utilization and provisioning , handling of peak request traffic , failure handling, cost of over-estimation , and so on.

If we have to pinpoint the main architectural principle, we must say that the cloud is predicated on delivering IT services on demand. An extension of this is the concept of application as a service (usually, a REST Web service). The result is software architectures with qualities such as: elasticity, auto-scaling, fault tolerance and administration automation.

Virtualization Versus Cloud

Before diving into the details of the cloud environment, let’s look into the differences with virtualization. The two environments look similar but they are very different in approach and philosophy.

  • Virtualization handles the physical infrastructure which supports many standard applications mainly because physical servers are converted into virtual ones without difference in architecture. Applications that run in a virtual environment scale vertically meaning that to improve their performance, for example, more resources are added to the infrastructure without direct intervention on the part of an application.
  • The cloud handles the logical infrastructure such as resource management, dynamic scaling, and so on which allow flexibility, automation, and massive scaling on demand. Applications that run in the cloud scale horizontally meaning that to improve their performance, for example, more copies of an application are created and, if needed, more commodity servers are provisioned automatically using the cloud API. This scaling is dynamic and requires the intervention on the part of the application.

In virtualization and private cloud the physical infrastructure is a concern for an organization, while in a public cloud the concern is shifted to the cloud service provider. However, in private or public clouds, far reaching implications exist. For example, in a virtualized environment, applications rely on the redundancy of the infrastructure layer for transparent failover. In contrast, in a cloud environment, the applications themselves must recover from failures.
The architectural differences between the two computing environments are highlighted next.

Virtualization

The architecture follows a “hub-spoke” approach where Virtual Machines (VMs) report to a central controller or hub. This implies that there is a single “point of contention” which limits the scale that can be obtained. The following are the main characteristics:

  • Redundancy. It is obtained through clustering of hypervisors for high availability. Also multiple levels of redundancy are achieved via redundant hardware components. Fault tolerance is achieved via live migration(without intervention on the part of the application).
  • Scaling. This is vertical scaling where multiple backup systems in the infrastructure enable redundancy and performance improvement. These systems are expensive to build and there is a limit to the scale that can be obtained.
  • State. The application state can be effectively managed on a single server. The infrastructure such as load balancer can be used to manage stateful connections.

Cloud

The architecture follows a “shared-nothing” approach or “shard” approach. This implies that VMs are independent from each other and no single point of contention exists. This allows massive scale by simply adding commodity hardware. The following are the main characteristics:

  • Redundancy. Redundancy must be built in the application, do not expect it from the infrastructure. Fault tolerance must be a concern and cannot be delegated to the underlying infrastructure.
  • Scaling. This is horizontal scaling obtained by adding or subtracting VMs to affect performance. In theory, there is no limit to scalability. If one machine dies it is simply replaced with a new one. The application should make use of this capability by adding or removing more VMs as needed.
  • State. A cloud environment is not inherently redundant, so an application cannot rely on the infrastructure to handle state information. If a virtual machine dies, for example, an application must allow for a seamless transition.

Virtualized Environment

  • Shared resources
  • VM instances must report to a central hub to operate
  • Failure and performance management via vertical scaling achieved through redundancy of the infrastructure layer via multiple levels of hardware redundancy
  • Support for live migration to handle failure
  • Stateful applications which require the infrastructure, such as the load balancer, to manage stateful connections

Cloud Environment

  • Each VM instance is independent and self-sufficient
  • Failure and performance management via horizontal scaling achieved through redundancy of the application layer across multiple VMs in different regions and availability zones
  • Horizontal scaling at application layer to manage failures: if one application dies it is simply replaced by another
  • Stateless applications that are architected to manage their own state information
  • No ability to change CPU or storage capabilities in a provisioned VM instance
  • VM instance must be terminated and a new one must be created with different configuration
  • Instance re-imaging is not allowed– pre-defined flavors combined with self-service provisioning means an instance can be terminated and re-provisioned with the required OS image
  • Data is not persistent, that is if a VM dies all data stored in its storage area is lost. If data must persist, than external (to the VM) storage must be used.

Notes

Cloud VMs can be created and deleted dynamically (through UI or command line tools).

The redundancy is an attribute of a cloud application and not of the infrastructure, as in the virtualized environment.

The cloud provides a new approach on how to design scalable, high available applications and handle failures.

The architecture of cloud applications follows the Representational State Transfer (REST) guidelines.

 

Elasticity

Traditional virtualized infrastructure generally necessitates predicting the amount of computing resources applications will use over a period of several years. If resources are under-estimated, applications will not have the horsepower to handle unexpected traffic. If over-estimated, money is wasted on superfluous resources.

However, the on-demand and automated elasticity of the cloud enables the infrastructure to be closely aligned (as it expands and contracts) with the actual demand, thereby increasing overall utilization and reducing cost.
Elasticity is one of the fundamental properties of the cloud – the power to scale computing resources up and down easily and with minimal friction. As a software developer building applications for the cloud, one needs to internalize this concept and work it into the application architecture in order to take maximum benefit of the cloud.

Best Practices

Intelligent elastic cloud architecture allows resources to be utilized only when needed. Elasticity should be an application architectural design requirement.

  • Identify what components or layers in an application can be elastic
  • Determine what it takes to make the components elastic and the impact on the application architecture
  • An elastic application must be redundant, which is it must be designed for replication over any number of machines (virtual machines that is) in different availability zones and regions
  • An elastic application must be stateless


Elasticity can be implemented in one of the following ways:

  1. Proactive cyclic scaling. Periodic resource scaling occurs at fixed interval (daily, weekly and so on)
  2. Proactive event based scaling. Resources scaling is planned in relation to specific events such as new product launch, marketing campaigns and so on.
  3. Auto-scaling based on demand. Using a monitoring service, triggers are issued to take appropriate actions to scale resources up or down based on metrics such as utilization of servers, network I/O and so on.

Icon

To implement elasticity it is essential to automate the deployment process and streamline the configuration and build process. This assures that a system can scale without human intervention. For more information, see the Scalability and Administering Cloud Resources sections.

Notes

Elasticity refers to the cloud’s ability to scale. The following are examples of elastic applications:

Web Site

A service provider runs a website on the cloud. At beginning, the website runs on a single virtual machine. The site suddenly becomes popular, and more virtual machines are needed to handle the increased load. An elastic system immediately detects this condition and provisions additional virtual machines to handle incoming traffic scaling the service seamlessly.

Payment Gateway

The previous web site allows access to a payment gateway service that suddenly is overloaded by customer requests. The elastic payment gateway service is cloned as many times as needed to handle the spike in the customer requests. Elastic applications can allocate and de-allocate resources (VMs) on demand for specific application components. Moreover, an application must be stateless to allow replication and handling of conditions such as peak traffic.

 

Scaling

The cloud infrastructure provides “unlimited” horizontal scaling. However, to take advantage of this feature, application architectures must also be scalable.

Best Practices

  • Identify monolithic components and bottlenecks
  • Refactor the application to take advantage of the infrastructure scalability
  • Assure that the application architecture is based on loosely coupled components where components interact asynchronously and see each other as black boxes
  • Design every component as follows:
    • Exposes a service interface
    • Is responsible for its own scalability
    • Interacts with other components asynchronously
    • Is stateless and stores session state information externally (in a database, if needed)

Notes

The more loosely coupled the application components are the greater and better the application scales. If components do not have tight dependencies, if one fails or is unresponsive the others continue to work.

Loosely coupled applications can be implemented using cloud messaging queue services. If a queue/buffer is used to connect any two components, it can support concurrency, high availability and load spikes.
In a web application, for example, this implies isolating the app server from the web server and from the database server.

Asynchronous applications and scaling horizontally are key cloud properties. They allow adding more instances of the same component. They also allow the design of innovative hybrid models where a few components continue to run on-premise while others can use the cloud for additional compute power and bandwidth. In this way, you can overflow excess traffic to the cloud through smart load balancing strategy.

Auto-scaling allows automatically launching or terminating compute instances based on user-defined policies, health status checks, and schedules. Compute resources are servers in the cloud. For applications configured to run on a cloud infrastructure, scaling is an important part of resource management and cost control.

 

Failure Handling

An application must be able to handle hardware and software failures. Incorporate this thinking in the application architecture to make it fault-tolerant and optimized for the cloud. The following are some common failures that applications must be able to handle:

Hardware Failure

  • What happens if a VM fails?
  • How to recognize the failure and recover from it?
  • What are the single points of failure?
  • If there are master and worker servers in the system, what happens if the master fails?

Software Failure

  • What happens if the dependent service changes the interface?
  • What happens if the downstream service times out or issues an exception?
  • What happens if the cache grows beyond the memory limit of an instance?

Best Practices

  • Have a coherent backup and restore strategy and automate it.
  • Build process threads that resume on reboot.
  • Allow the system state to be restored by reloading messages from the queues.
  • Have your app deployment process automated.
  • Avoid in memory sessions or stateful user context; move related information to data stores.
  • Assure application high availability by utilizing multiple availability zones.
  • Fail over gracefully.

Notes

An application should be impervious to reboots that is it should be brought up and resume the previous state without any problem.
For example, if the instance on which a controller thread was running dies, it can be brought up and resume the previous state as if nothing had happened. This can be accomplished by the automated application deployment process.

If a VM fails, application traffic will be rerouted to a different machine perhaps in a different region. When auto scaling is enabled, new machines are automatically provisioned if needed. This relies on an automated deployment process.

It is the responsibility of the developer to assure that an application can be distributed.

High Availability

Regions are logically similar to data centers. By deploying an application to multiple regions, its high availability is assured. Regions can support multiple availability zones which are physically separated from each other and can also help achieve high availability for an application within a region.

Graceful Failover

Graceful failover can be achieved through elastic IP addresses. Elastic IP addresses allow handling of instance or availability zone failures by programmatically remapping public IP addresses to any instance associated with an account. In this way, the traffic of a failed application can be gracefully rerouted.

 

Data Location

It is good practice to keep the data as close as possible to the application to reduce access latency. In the cloud, this practice is even more important because of the additional internet latency.

Best Practices

Dynamic Data

  • Data generated in the cloud: The application that consumes the data should also be deployed in the cloud so that it can take advantage of in-cloud free data transfer and lower latency.
  • Data outside the cloud: If a large quantity of data resides outside of the cloud, it might be cheaper and faster to transfer the data to the cloud first and then perform the computation.

Static Data

If the data is static and does not change often (for example, images, video, audio, PDFs, JS, CSS files), it is advisable to use a Content Delivery Network (CDN) so that the static data is cached at an edge location closer to the end-user (requester), thereby lowering the access latency.

Notes

The data location can reduce the cost of the gigabytes of data transfered. The following are some examples of dynamic data location strategies:

  • Data warehouse. It is advisable to move the dataset to the cloud and then perform parallel queries against the dataset.
  • Web app. If the web application stores and retrieves data from relational databases, it is advisable to move the database as well as the app server into the cloud all at once.
  • E-commerce app. In the case of an e-commerce web application that generates logs and clickstream data, it is advisable to run the log analyzer and reporting engines in the cloud.

 

Parallel Processing

Whether requesting, storing or processing data in the cloud. Whenever possible, parallelization and related automation are encouraged. The cloud supports parallel processing in a way that virtualized systems cannot. This is because it can achieve the required computing power by dynamically commissioning (or de-commissioning) VMs using commodity hardware.

Best Practices

Accessing Data

The cloud supports massively parallel operations, when retrieving and accessing data. For example, the operations required to perform analytics on unformatted big data where concurrent processes are used to store or fetch data rather than performing sequential operations (which would be impossible).

Processing Tasks

When processing or executing requests in the cloud, it is even more important to take advantage of parallelization. The following are some examples:

  • Web Application. A general best practice is to distribute the incoming requests across multiple asynchronous servers using a load balancer.
  • Batch Processing. A master VM can spawn multiple worker VMs that process tasks in parallel (as in the distributed Hadoop framework).

Notes

Wherever possible, the processes of a cloud application should be made thread-safe through a shared-nothing philosophy and leveraging multi-threading.
The cloud operates at its best when an application can combine elasticity and parallelization. For example, an application can do the following:

  • Provision, in a few minutes and via simple API calls, a cluster of VM instances.
  • Execute parallel tasks to perform a specific job.
  • Store the results.
  • Terminate all the VM instances.

 

Administering Cloud Resources

When moving to the cloud, a system administrator may not have the ability to specify resources at the level of physical details, as in a virtual environment. For this reason, it is important to understand the concept of abstract resources to be able to handle the actual physical capabilities of the cloud environment and manage them.

Best Practices

An important aspect of using a cloud environment is the ability to use the cloud APIs, the UI or command line tools to automate the deployment process.
An automated and repeatable process will help in reducing errors and facilitate an efficient and scalable update. In fact, automation is essential for scalability to work. This is the area where the cooperation between developers and administrators is crucial if the cloud must operate reliably and effectively.
To automate the deployment process, follow these guidelines:

  • Create a library of recipes. These are small and frequently used scripts for installation and configuration.
  • Manage the configuration and deployment process by using agents bundled with a VM image.
  • Bootstrap the instances. This allows an instance to obtain the necessary resources such as code, script and configuration based on its role and attaches itself to a cluster to perform its function.

Notes

In the last decade a typical business application has evolved from desk-top centric, to client-server, to web services, and on to service oriented architecture (SOA). In this evolution, abstraction of computing resources has become prominent to reduce costs and improve reliability of IT operations.

Abstraction is at the core of the cloud computing paradigm. Within the cloud, organizations can consume shared computing and storage resources rather than building, operating and maintaining infrastructures.

In the traditional enterprise company, application developers may not work closely with the network administrators and network administrators may not have a clue about the application. As a result, several possible optimizations in the network layer and application architecture layer are overlooked. With the cloud, the two roles have merged into one to some extent. When architecting future applications, companies need to encourage more cross-pollination of knowledge between the two roles and understand that they are merging.

In a cloud environment, a system administrator no longer provisions servers, installs software, or wires network devices. Because the underlying infrastructure is programmable, the cloud encourages automation. In this context, the administrator manages the underlying cloud resources while the developer automates server provisioning, software installation, and network “wiring”.

 

Security

Legitimate concerns about security exist in the cloud shared resources (multitenant) environment. Security must be implemented at every layer of the cloud application architecture.

Best Practices

Protect Data in Transit (“Encrypt Everything”)

  • When data is in transit, between a browser and a web server for example, configure Secure Sockets Layer(SSL) on your server instance.
  • Create a Virtual Private Cloud (VPC) to use logically isolated resources within the service provider cloud. Connect those resources directly to your own datacenter using industry standard encrypted IPsec Virtual Private Network (VPN) connections

Protect Data at Rest (“Encrypt Everything”)

  • Encrypt sensitive data (individual files) prior uploading it to the cloud.
  • Encryption depends on the operating system installed on the server instance. A variety of encrypting tools and techniques exist. Select the ones that best satisfy your requirements.
  • Protect your data not only from eavesdropping but also from disaster. Take periodic snapshots of your data to ensure it is highly durable and available. You can use the cloud service provider “endless” storage capabilities where the snapshots are incremental.

Secure the Application

Security Groups

A server instance is protected by security groups whose rules specify which incoming network traffic can be delivered to the instance. TCP and UDP ports can be specified as long as ICMP types and codes and source addresses. Security groups provide basic firewall-like protection for running instances.

Software-Based Firewalls (aka. Host-Based Firewalls)

Another way to restrict traffic to a server instance is via software-based firewalls. Windows instances can use the built-in firewall. Linux instances can use netfilter and iptables.

Notes

Physical Security

This is typically handled by the cloud service provider.

Network and Application Security

  • This is the responsibility of the developer that uses the cloud service and the application designer
  • Tools created by cloud services providers can help to implement basic security
  • Best practices as they apply to the business must be followed

 

Glossary

Cloud Computing

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud model of computing promotes availability (NIST).

Elasticity

In cloud computing, elasticity is defined as the degree to which a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner, such that at each point in time the available resources match the current demand as closely as possible .

Horizontal Scaling

Horizontal scaling, or increasing the number of servers in the cluster, reduces the responsibilities of each server. The capacity of each server does not change, but its load is decreased. Reasons to scale horizontally include increasing I/O concurrency, reducing the load on existing servers, and increasing disk capacity.

Hybrid Cloud

Hybrid Clouds combine both public and private cloud models. With a Hybrid Cloud, service providers can utilize third party cloud providers in a full or partial manner thus increasing the flexibility of computing. The Hybrid cloud environment is capable of providing on-demand, externally provisioned scale. The ability to augment a private cloud with the public cloud can be used to manage any unexpected surges in workload.

Live Migration

Live migration is the relocation of a virtual machine from one physical host to another while continuously powered-up. When properly carried out, this process takes place without any noticeable effect from the point of view of the end user. Live migration allows an administrator to take a virtual machine offline for maintenance or upgrading without subjecting the system’s users to downtime.
Live migration can also be used for load balancing, in which work is shared among computers in order to optimize the utilization of available CPU resources.

REST

The majority cloud services (and related APIs) are designed using an architectural style known as

Representational State Transfer (REST).This style is widely used and is a simpler alternative to SOAP and related Web Services Description Language (WSDL).
Capitalizing on the Web success and based on its semantics, REST formalizes a set of principles by which you can design cloud services to access system’s resources, including how resource states are addressed and transferred over HTTP by a wide range of clients. As first described by Roy Fielding in his seminal thesis Architectural Styles and the Design of Network-based Software Architectures, REST is a set of software architectural  principles that use the Web as a platform for distributed computing . Since then, REST has emerged as the predominant Web service design model.

Scalability

It is the ability of a system, network, or process to handle a growing amount of work in a capable manner or its ability to be enlarged to accommodate that growth. For example, it can refer to the capability of a system to increase its total output under an increased load when resources (typically hardware) are added.

Private Cloud

Private clouds are built exclusively for a single enterprise. They aim to address concerns on data security and offer greater control, which is typically lacking in a public cloud. There are two variations to a private cloud:

  1. On-premise Private Cloud. On-premise private clouds, also known as internal clouds are hosted within an organization’s own data center. This model provides a more standardized process and protection, but is limited in aspects of size and scalability. IT departments would also need to incur the capital and operational costs for the physical resources. This is best suited for applications which require complete control and configurability of the infrastructure and security.
  2. Externally hosted Private Cloud. This type of private cloud is hosted externally with a cloud provider, where the provider facilitates an exclusive cloud environment with full guarantee of privacy. This is best suited for enterprises that don’t prefer a public cloud due to sharing of physical resources.

Public Cloud

Public clouds are owned and operated by third parties; they deliver superior economies of scale to customers, as the infrastructure costs are spread among a mix of users, giving each individual client an attractive low-cost, “Pay-as-you-go” model. All customers share the same infrastructure pool with limited configuration, security protections, and availability variances. These are managed and supported by the cloud provider. One of the advantages of a Public cloud is that they may be larger than an enterprises cloud, thus providing the ability to scale seamlessly, on demand.

Virtual Machine

A virtual machine (VM) is a software implementation of a computing environment in which an operating system or program can be installed and run.
The virtual machine typically emulates a physical computing environment, but requests for CPU, memory, hard disk, network and other hardware resources are managed by a virtualization layer which translates these requests to the underlying physical hardware.
VMs are created within a virtualization layer, such as a hypervisor or a virtualization platform that runs on top of a client or server operating system. This operating system is known as the host OS. The virtualization layer can be used to create many individual, isolated VM environments.

Vertical Scaling

Vertical scaling gives greater capacity (CPUs, memory and so on) to a server but does not decrease its overall load. Reasons to scale vertically include increasing IOPS, increasing CPU/RAM capacity, and increasing disk capacity.

Virtualization

Virtualization refers to the creation of a virtual resource such as a server, desktop, operating system, file, storage or network. The main goal of virtualization is to manage workloads by radically transforming traditional computing to make it more scalable. Virtualization has been a part of the IT landscape for decades now, and today it can be applied to a wide range of system layers, including operating system-level virtualization, hardware-level virtualization and server virtualization.

 

References

  1. Virtualization versus Cloud
    1. Architectural Styles and the Design of Network-based Software Architectures
    2. Cloud and Virtualization
  2. Elasticity
    1. Elasticity in Cloud Computing: What It Is and What It Is Not
    2. Amazon Elastic Compute Cloud (Amazon EC2)
    3. Elastic Cloud Infrastructure (OpenStack)
  3. Scalability
    1. Designing and Deploying Internet-Scale Services
    2. Building Scalable Databases
    3. How To Design a Scalable Cloud Application
    4. What is Auto Scaling?
  4. Failure Handling
    1. Amazon RDS Multi-AZ Deployments
    2. Designing and Deploying Internet-Scale Services
    3. Amazon EC2 Elastic IP Addresses
  5. Data Location
    1. AWS Import/Export
    2. Sneakernet
  6. Parallel Processing
    1. Hadoop
    2. Mapreduce
    3. Cloud Architectures
  7. Administering Cloud Resources
    1. Administering and Monitoring an IaaS Cloud
    2. Scalr Administrator Reference
    3. 3 Tier Web Application Deployment
  8. Security
    1. AWS Security Whitepaper
    2. The Encrypting File System
    3. How to Keep AWS Credentials
    4. Escaping Restrictive Untrusted Networks

Cloud Introduction

Overview

The Cloud is a computing model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. For more information, see  The NIST Definition of Cloud Computing .

This is a technological breakthrough compared to the traditional approach where resources had to be allocated in advance with the danger of overestimating (or underestimating) the needs.

But, most importantly, in the cloud the allocation is done automatically and in real-time. This is the elasticity attribute of the cloud. The cloud main architectural principle is predicated on delivering IT services on demand. The result is software architectures with qualities such as: elasticityauto-scaling,  fault tolerance and administration automation.

An extension of this is the concept of application as a service usually, a REST web service.For more information about designing for the cloud, see  Cloud Ready Design Guidelines .

From a hardware point of view, three aspects are new in cloud computing:

  • The “infinite” computing resources available on demand, thereby eliminating the need for users to plan far ahead for provisioning
  • The elimination of an up-front commitment by the users, thereby allowing companies to start small and increase hardware resources only when there is an increase in their needs
  • The ability to pay for use of computing resources on a short-term basis as needed (e.g., processors by the hour and storage by the day) and release them as needed, thereby rewarding conservation by letting machines and storage go when they are no longer useful.

You may want to take a look at the following video to understand the difference between cloud and traditional virtualization: Cloud and Virtualization.

Cloud Deployment and Service Models

Deployment models define different types of ownership and distribution of the resources used to deliver cloud services to different customers.

Deployment Models

Cloud environments may be deployed over a private infrastructure, public infrastructure, or a combination of both.

The most common deployment models as defined by the National Institute of Standards and Technology (NIST) include the following:

  • Private cloud. The cloud infrastructure is operated solely for a single organization (client). It may be managed by the organization itself or a third-party provider, and may be on-premise or off-premise. However, it must be solely dedicated for the use of one entity.
  • Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community with shared requirements or concerns (for example, business model, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party, and may be on-premise or off-premise.
  • Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by a cloud provider (an organization selling cloud services). Public cloud infrastructure exists on the premises of the cloud provider.
  • Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by technology to enable portability. Hybrid clouds are often used for redundancy or load-balancing purposes. For example, applications within a private cloud could be configured to utilize computing resources from a public cloud as needed during peak capacity times.

Service Models

Service models identify different control options for the cloud client and cloud provider. For example, SaaS clients simply use the applications and services provided by the provider, where IaaS clients maintain control of their own environment hosted on the provider’s underlying infrastructure. The following are the most commonly used service models:

  1. Software as a Service (SaaS).  It   enables the end user to access applications that run in the cloud. The applications are accessible from various client devices through a thin interface such as a web browser. Some examples are:
    1. gmail
    2. Google docs
    3. Microsoft Office 360
  2. Platform as a Service (PaaS). It enables the deployment of applications in the cloud. These applications are created using programming languages and tools supported by the cloud provider. Some examples are:
    1. Google App Engine
    2. AWS Elastic Beanstalk
  3. Infrastructure as a Service (IaaS). It enables the provisioning of compute processing, storage, networks and other computing resources to deploy and run applications. You cannot control the underlying physical infrastructure though.Some examples are:
    1. Google App Engine
    2. Amazon S3
    3. Google Compute Engine
    4. Google Cloud Storage
    5. Google Big Query

The following picture depicts the service models and the way they stack up:

You can find the above picture and more information at NIST Cloud Computing Reference Architecture.The next picture shows the control and responsibilities for cloud clients and providers across the service models:

Cloud Logical Architecture

The cloud architecture is structured in layers. Each layer abstracts the one below it and exposes interfaces that layers above can build upon. The layers are loosely coupled and provide horizontal scalability (they can expand) if needed. As you can see in the next picture, the layers map to the service models described earlier.

As shown in the previous picture, the cloud architecture contains several layers, as described next.

  • Hosting Platform. Provides the physical, virtual and software components. These components include servers, operating system, network, storage devices and power control and virtualization software. All these resources are abstracted as virtual resources to the layer above.The virtual machine (VM) is at the core of the cloud virtualization. It represents a software implementation of a computing environment in which an operating system and other apps can run. The virtual machine typically emulates a physical computing environment, but requests for CPU, memory, hard disk, network and other hardware resources are managed by a virtualization layer which translates these requests to the underlying physical hardware.
    VMs are created within a virtualization layer, such as a hypervisor that runs on top of a client or server operating system. This operating system is known as the host OS. The virtualization layer can be used to create many individual, isolated VM environments.
  • Infrastructure Services. The important function of this layer is to abstract the hosting platform as a set of virtual resources and to manage them based on scalability and availability. The layer provides three types of abstract resources: compute, storage and network. It also exposes a set of APIs to access and manage these resources. This enables a user to gain access to the physical resources without knowing the details of the underlying hardware and software and to control them through configuration. Services provided by this layer are known as Infrastructure as a Service (IaaS).
  • Platform Services. Provides a set of services to help integrating on-premise software with services hosted in the cloud. Services provided by this layer are known as Platform as a Service (PaaS).
  • Applications. Contains applications built for cloud computing. They expose web interfaces and services and enable multitenant hosting. Services provided by this layer are known as Software as a Service (SaaS).

The vertical bars in the picture represent components that apply to all layers with different degrees of scope and depth. Mainly they support administrative functions, handling of security and cloud programmability (the later supporting the most common programming languages).

OAuth in a Nutshell

To access a web service through its REST API, a client application must first be authenticated. OAuth client libraries, such as Google OAuth Java client library com.google.api.client.auth.oauth2, provide functions a client can use to be authenticated and authorized to access a Google Cloud service using the related REST API. For additional information, see:  OAuth 2.0 and the Google OAuth Client Library for Java.

Background

To understand how OAuth works, we first need to understand the following:

  • OAuth 2.0. Standard specification for allowing end users to securely authorize a client to access protected server-side resources.
  • OAuth 2.0 bearer token. Specification which explains how to access those protected resources using an access token granted during the cient authorization process.

OAuth 2.0

The OAuth 2.0 authorization framework enables a third-party application (client) to obtain limited access to a web service in one of the following ways:

  • On behalf of a resource owner by orchestrating an approval interaction between the resource owner and the web service.
  • By allowing the application to obtain access on its own behalf.

 The information in this section has been extrapolated from the OAuth 2.0 specification.

OAuth 2.0 Roles

OAuth 2.0 defines the following roles:

  1. Client. An application making protected resource requests on behalf of the resource owner and with its authorization.  The term client does not imply any particular implementation characteristics (e.g. whether the application executes on a server, a desktop, or other devices).
  2. Resource owner. An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
  3. Authorization server. The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  4. Resource server. The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

OAuth 2.0 Protocol Flow

The following diagram shows the interactions between the various roles (actors) involved in the authentication and authorization process.

OAuth Flow

Fig 1  OAuth 2.0 Protocol Flow

  1. The client requests authorization from the resource owner.  The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary.
  2. The client receives an authorization grant, which is a credential representing the resource owner’s authorization, expressed using one of four grant types defined in the OAuth 2.0 specification or using an extension grant type.  The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.
  3. The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
  4. The authorization server authenticates the client and validates the authorization grant, and if valid issues an access token.
  5. The client requests the protected resource from the resource server and authenticates by presenting the access token.
  6. The resource server validates the access token, and if valid, serves the request.

Terminology

Before moving ahead, let’s define some terms.

  • Authorization Grant. An authorization grant is a credential representing the resource owner’s authorization to access its protected resources. A client uses the grant to obtain an access token. The OAuth 2.0 specification defines the following grant types:
    • Authorization code. The authorization code is obtained by using an authorization server as an intermediary between the client and the resource owner.
    • Implicit.The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript.
    • Resource owner password credentials. The resource owner password credentials (i.e. username and password) can be used directly as an authorization grant to obtain an access token.
    • Client credentials.The client credentials (or other forms of client authentication) can be used as an authorization grant when the authorization scope is limited to the protected resources under the control of the client, or to protected resources previously arranged with the authorization server.
  • Access Token. Access tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
  • Refresh Token. Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner). Issuing a refresh token is optional at the discretion of the authorization server.

More About Refresh Token

If the authorization server issues a refresh token, it is included when issuing an access token. A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.

OAuth Flow Refresh Token

Fig 2  OAuth 2.0 Protocol Flow with Refresh Token

  1. The client requests an access token by authenticating with the authorization server, and presenting an authorization grant.
  2. The authorization server authenticates the client and validates the authorization grant, and if valid issues an access token and a refresh token.
  3. The client makes a protected resource request to the resource server by presenting the access token.
  4. The resource server validates the access token, and if valid, serves the request.
  5. Steps 3 and 4 repeat until the access token expires. If the client knows the access token expired, it skips to step 7, otherwise it makes another protected resource request.
  6. Since the access token is invalid, the resource server returns an invalid token error.
  7. The client requests a new access token by authenticating with the authorization server and presenting the refresh token. The client authentication requirements are based on the client type and on the authorization server policies.
  8. The authorization server authenticates the client and validates the refresh token, and if valid issues a new access token (and optionally, a new refresh token).

Build GCP Storage Client (Python)

This post demonstrates how to build a Google Cloud Storage JSON API Python application. The application interacts with the storage service via the JSON API (and the Python client library). It uses a simple interface which allows you to perform tasks such as: list the buckets in a project, list objects in a bucket, create a bucket, create an object and so on. The intent of the application is educational. It should help you to understand the API syntax (and semantics) when interacting with Google Cloud Storage..

JSON API Python Client Library

JSON API Python Client Library

To build the application, you will use Eclipse as shown next. Before you can perform the shown steps, assure that you have satisfied the requirements described here:

  1. Google Cloud Storage Python Applications Prerequisites.
  2. Getting Started with JSON API Client Library in Python

Create the Application Project

  1. Activate Eclipse.
  2. From the File menu, select New->PyDevProject. The PyDev Project window is displayed.
  3. In the Project name: enter PythonJsonApi.
  4. Accept the user default workspace; for example: /Users/[your username]/[your work directory]/PythonJsonApi. This is the directory where the program will be stored.
  5. If you have more than one Python version installed perform the following steps:
    • In the Grammar Version selection list select 2.7.
    • In the Interpreter selection list select the desired Python interpreter. For more information, see Configure PyDev.
    PythonJsonApi Project

    PythonJsonApi Project

  6. Click Finish. The PythonJsonApi project is created and displayed in the Package Explorer.
  7. If the PyDev perspective is not selected yet, click on the Open Perspective icon in the upper right corner of Eclipse. From the pop-up menu select PyDev and click OK.
  8. In the Package Explorer, expand the PythonJsonApi project node.
  9. Right-click the src folder.
  10. Select New->PyDev Module.
  11. In the pop-up dialog window enter the following information:
    • In the Package box enter gcs_examples.
    • In the Name box enter PythonJsonApiMain.
  12. Click Finish.
  13. Select Module Main and  click OK.
    An empty PythonJsonApiMain.py is created. Actually the module contains the standard Python check for main because the template chosen. You’ll enter the code needed to interact with Google Cloud Storage in the next sections.

Download the Application Code

You can download the archived project from this location: storage-xmlapi-python-client. Then import it into Eclipse. The project contains the following modules:

  1. main.py. This is the main entry point of the application which allows you to
    interact with Google Cloud Storage (GCS) using XML API. It contains the main function which is called when the application is executed.
  2. simple_ui.py.  Contains the GCS_SimpleUI class which provides a simple UI to interact with Google Cloud Storage.
  3. commands.py.  Contains the GCS_Command class which provides the entry point for
    processing user’s selection. Based on the user’s selection, the related Google Cloud Storage
    operation is executed.
  4. authentication.py.  It contains the class that generates an authenticated HTTP client object.
  5. bucket_commands.py. Contains the GCS_Bucket class which handles Google Cloud Storage bucket operations.
  6. object_commands.py. Contains the GCS_Object class which handles Google Cloud Storage object operations.
  7. config.py.   Contains data shared by all the modules.

PythonXmlApi Implementation

The PythonXmlApi main function performs the preliminary initialization and starts the application. A set of classes then perform the actual tasks such as: creating a simple UI, processing user’s input, interacting with the storage service and so on. The following picture shows the classes and their hierarchy.

PythonXmlApi Workflow

The first time you start the application, the main function instantiates GCS_SimpleUI andGCS_Command classes then initializes a simple user interface which accepts the user’s input. You will be asked to authenticate the application which uses OAuth2.0 and stores the credentials in a local file called stored_credentials.json. Also, you will be asked to enter the project ID which will be stored in a local file called project.dat.

Every time you make a selection a command call is issued which in turn calls a GCS_Bucket orGCS_Object method. This method executes the actual Google Cloud Storage bucket or object request. The storage service’s response is then displayed for your information. If the request fails, an error is displayed. Finally, depending on the debugging level, the application displays what goes on the “wire”. This is to help you understand the actual HTTP request and response content as explained by the Google Cloud Storage documentation Reference Methods. The following picture depicts the workflow just described.

 

Python

 

Code here

Java

 

Code here

Using Github in Eclipse

Using Github in Eclipse is the subject of this topic.  For more information about both tools, see version control system Git and Eclipse. The EGit plugin allows to use Git in the Eclipse IDE. The plugin is based on the JGit library which implements the Git functionality in Java. See also, Git version control with Eclipse (EGit).

Installing EGit in Eclipse

The EGit plugin can be installed into every Eclipse IDE installation. Usually EGit supports the last two Eclipse releases. Most Eclipse 4.2 (Juno) and Eclipse 4.3 (Kepler) downloads from Eclipse.org contain EGit in their default configuration. In this case no  installation is required. If the EGit plugin is missing in your Eclipse installation, you can install it via the Eclipse installation manager as described next.

  1. Start the manager via the Help → Install new Software menu entry. You can install EGit from the following URL: http://download.eclipse.org/egit/updates.
  2. Select Eclipse->Preferences->Team node.
  3. Click the Gift node and define the Git repository local path.
    Git Config
  4. Select Eclipse → Preferences →Team → Git → Configuration to see the current configuration and to change it.
    • In the configuration, among other things, you set the path to the .gitignore file, usually  /Users/<username>/.gitignore.
    • The file contains the list of files and/or artifacts  to ignore when publishing to github.  Tos see an exhaustive list of elements to ignore for various platforms, see github/gitignore.
  5. You can add entries to the Git configuration by clicking the Add Entries button on the Git Preferences page.
  6. To add the user, select the user.name as key and the name value.

Set Egit Views

It is helpful to set some Egit views as follows:

  1. Select Eclipse (Windows)->ShowViews-Other…
  2. Expand the Git folder.
  3. Select Git Repositories and Git Staging.
  4. Click OK.
  5. Rearrange the views by moving the Git Repositories view at the bottom of the Project Explorer pane.

Create a Remote GitHub Repository

  1. Go to Github.
  2. Go to your repositories location. Click the Repository tab.
  3. Click the New button.
  4. In the Repository name box enter [your project name]. Notice this folder will contain the subfolder where the project files will reside. Potentially, you can add other sub folders containing files from other projects.
  5. Check the box by “Initialize this repository with a README“.
  6. Click the Create repository button.

Notice the URL of the repository, we’ll use it for synchronization with the local Github repository, which we are going to create now.

Create a Local GitHub Repository

The following steps show how to create a local GitHub repository for a project in Eclipse. These steps are equal to the get init command.

  1. In the Package Explorer right click on the project name just created.
  2. Select Team->Share Project. The Configure Git Repository dialog is displayed.
  3. Click the Create button.
  4. Select (create) the Repository Directory.
  5. Click the Finish button.
    It is recommended to separate your Git repository from any additional meta-data which Eclipse might create. Place your Git repositories outside the Eclipse work space. Placing Git repositories directly in the work space may cause performance issues since the Git support in Eclipse then may need to scan many of files reachable under the work space.

Upload Project Files to Github

This is a two steps process: first committing the files to upload, then actually pushing them to the Github remote repository.

Push Operation

Next we must push the project files to the remote Github repository, as follows:

  1. In the Package Explorer, right-click the project name.
  2. Select Team->Show in Repository View. The Git Repositories window is displayed.Git Repositories
  3. In this window, right-click on the Remotes node.
  4. In the pop-up dialog window, click Create Remote. The New Remote dialog window is displayed.
    Github New Remote
  5. Accept the default selections. Click OK. The Configure push for remote ‘origin’ dialog window is displayed.
  6. Click the Change button by the URI box. The Select a URI dialog window is displayed.
  7. In the URI box enter the remote http location of your Github repository. When using an HTTP address for the location, you must also enter your Github username and password for authentication purposes.
  8. Select the https Protocol.
  9. In the Authentication section, check Store in Secure Store.
  10. Click Finish.
  11. Click the Save button. Under the Remotes node the origin folder is created
    which contains the Fetch and Push entities.

Merge Remote Repository

To avoid issues between local and remote repository, you must assure they are in sync. A particular issue  Egit rejected non-fast-forward  is quite nasty. Here the steps to perform (Read this Stackoverflow answers, it really works).

  1. In the Remotes,node under origin, look for the green arrow pointing down, this is the Fetch arrow. Right click on the Fetch entry and select Configure Fetch in the popup window. You should see the URI, assure that it points to the remote repository.
  2. Look in the Ref mappings section of the popup. It might be empty. You must indicate which remote references you want to fetch. Click Add.
  3. Type in the branch name you need to fetch from the remote repository. Usually is master.
  4. Continue through the wizard.  Ignore the warning Remote tracking branch ‘refs/remotes/origin/master’ not found in local repository. Click the  Finish button.
  5. In the last popup window, click Save and Fetch.  This will fetch the remote reference
  6. Click OK.
  7. Look in the Branches folder of your local repository. You should now see the remote branch in the Remote Tracking folder. You should see something similar to the following:
  8. You should have a list of un-staged files, Stage all the project files but one (we need a second staging later to push all the committed files).
  9. Enter a comment such as “first commit”. Click the Commit button.This puts the project under configuration control.  in the Local folder, you should see something similar to the following:

  10. Expand the Local folder of Branches, right click on the node named master. Select Merge
  11. In the Remote Tracking folder, select the remote branch named origin/master.
  12. Click the  Merge button.
  13. Follow the merge wizard steps.
  14. Now stage the remaining file. Add comment “first commit”.
  15. Click the Commit and Push button.
  16. Go through the Wizard steps. You should see all the steps you did, similar to the following:
  17. Click the Finish button.
  18. Wait for the push operation to be configured and then click the OK button.
  19. Verify that your project files have been stored into the GitHub remote repository. 
  20. Go have a tasty beverage, congratulating yourself. Take the rest of the day off.
    You might want to see the following post in case you get a similar error: Egit rejected non-fast-forward.

Cloud Computing Services Taxonomy

In this topic you will learn about cloud computing services taxonomy. For each category of services, links and quick summaries are provided. This should give you a road map that might help to untangle a web (pun intended) of words and acronyms. So, brace yourself for this wide dive in a fascinating topic.

Category Description
Compute Services Provide dynamically scalable compute capacity
Storage Services Allow storage and retrieval of any data, at any time from anywhere
Database Services Allow to configure and operate relational or non-relational databases.
Application Services Provide services such as application runtimes and frameworks, queuing, email, notification and media services.
Content Delivery Services Serve content to end users with high availability and performance.
Analytics Services Allow analyzing massive data sets stored either in cloud storages or cloud databases.
Deployment and Management Services Allow to deploy and manage applications in the cloud.
Idendity and Access Management Services Allow managing authentication and authorization of users in order to provide secure access to cloud resources.

Compute Services

The compute services provide dynamically scalable compute capacity which allow the following:

  • Creation of virtual machines from standard images, provided by the compute service provider, such as Ubuntu image, Windows image and so on. Custom images can also be created. A machine image is a template for an operating system, application server and applications.
  • Service access via a Web interface for provisioning, managing and monitoring tasks.
  • Interaction with the service via various programming language APIs.

The following are some of the most common compute services and their main characteristics.

Service Name Description
Amazon Elastic Compute Cloud (EC2) This is a web service that provides resizable compute capacity in the cloud allows to perform the following:

  • Create a virtual machine instance and select your Amazon Machine Image (AMI).
  • Specify the instance size: micro, small, medium, large and so on.
  • Establish the number of instances to launch based on the AMI and zone availability.
  • Define the metadata tags to simplify the administration of the of EC2 instances.
  • Select a key pairs to securely connect to an instance.

An EC2 instance has one public Domain Name System (DNS) and Internet Protocol (IP) address and one private DNS and IP. The public DNS can be used to connect securely to an instance via Secure Shell (SSH).

Google Compute Engine This is a web service that enables users to create and manage compute instances. It allows the following:

  • Create a virtual machine instance and select a machine image for the instance.
  • Select a zone in which the instance must be activated.
  • Provide instance name, instance tags and metadata.

Every instance has a disk resource and depending on the instance the disk can be:

  1. A scratch disk which is deleted when the machine instance terminates.
  2. A persistent disk which persists beyond the life of an instance.

Network options allow to control instance traffic. By default, traffic between instances in the same network is enabled. You can enable other connections, using additional firewall rules.

Windows Azure Virtual Machines This is a web service that enables users to create and manage compute instances. It allows the following:

  • Create a virtual machine instance and select machine image and instance type.
  • Provide user name and password or upload a certificate for securely connecting to the instance.

Any changes made to a virtual machine are persistently stored. New virtual machines can be created from previously stored machine images.

Storage Services

The storage services allow storage and retrieval of any data, at any time from anywhere. The majority of the services organize the data in buckets (containers) which store objects (individual pieces of data).

The following are some of the most common storage services and their main characteristics.

Service Name Description
Amazon Simple Storage Service (S3) This web service provides a cloud based infrastructure for storing and retrieving any amount of data. The following are its main characteristics:

  • Highly reliable, scalable, fast and fully redundant affordable storage.
  • Data stored on S3 is organized in buckets. You must create a bucket before storing any data.
  • Ability to upload any kind of file.
  • Support for redundancy, encryption options and access permissions.
Google Cloud Storage This is a web service for storing and retrieving any amount of data. The following are its characteristics:

  • The service uses Google’s proprietary network and datacenter technology. Google spent several years building proprietary infrastructure and technology to power Google’s sites, When you use the service, the same network goes to work for your data.
  • The service replicates data to multiple data centers and serves end-user’s requests from the nearest data center that holds a copy of the data. You have a choice of regions (currently U.S. and Europe) to allow you to keep your data close to where it is most needed. Data is also replicated to different disaster zones to ensure high availability.
  • When you upload an object and mark it as cacheable (by setting the standard HTTP Cache-Control header), The service automatically figures out how best to serve it using Google’s broad network infrastructure, including caching it closer to the end-user if possible.
Windows Azure Storage This web service provides various storage capabilities such as blob storage, table and queue services. The blobs have the following properties:

  • They are organized into containers.
  • There are two kinds of blobs: block and page blobs.
  • A block blob can be divided into some number of blocks.
  • If failure occurs while transferring a blob, retransmission can resume with the most recent block.
  • Page blobs are divided into some number of pages, which are designed for random access.

Database Services

The database services allow to operate relational and non-relational databases in the cloud. An important advantage is that they relieve an application developer from time consuming administration tasks. The following are some of the database services provided:

  1. Relational databases. They include MySQL, Oracle, SQL Server and so on.
  2. Non-relational databases. They include mostly proprietary solutions. They are fully managed to deliver seamless throughput and scalability.

The following are some of the most common database services and their main characteristics.

Service Name Description
Amazon Relational Data Store (RDS) Relational database web service. It enables the user to easily configure, operate and scale a relational database in the cloud. The related console allows the following:

  • Select the type of database to create such as MySQL, Oracle, or SQL Server.
  • Define database size, allocated storage, database identifier.
  • Define user name and password.

The database instance has an end point that the user can use to securely connect to the instance.

 Amazon DynamoDB Non-relational database service. It includes tables, items and attributes. The following are its main characteristics:

  • A table is a collection of items.
  • Each item is a collection of attributes.
  • To store data you must create one or more tables and specify how much throughput must be provisioned for reading and writing operations.
  • The service is fully managed and automatically distributes the data and the traffic over a number of servers to meet the throughput requirements.
  • All the stored data is automatically replicated across multiple zones to allow for durability.
 Google Cloud SQL Relational database service which allows the user to host MySQL database in the cloud. The following are its main characteristics:

  • Synchronous and asynchronous geographic replication.
  • Ability to import and export databases.
  • Selection of a region, database tier, billing plan and replication modality.
  • Scheduling daily backups and restoring backups.
 Google Cloud Datastore Fully managed non-relational database service. The following are its main characteristics:

  • ACID transactions and high availability of read and write operations.
  • Data model consists of entities.
  • Each entity has one or more properties.
  • Properties (key-value pairs) can be of one supported data types.
  • Each property has a kind and a key. The key uniquely identifies the entity, while the kind is used to categorize the entity for query purposes.
 Windows Azure SQL Database  Relational database service which is based on the SQL server. The following are its main characteristics:

  • The SQL database is a multi-tenant service.
  • Each customer has a logical SQL server assigned.
 Windows Azure Table Service  Non-relational database service which consists of tables having multiple entities. The following are its characteristics:

  • The tables are divided in a number of partitions.
  • Each partition can be stored on a different machine.
  • A partition holds a specified number of entities each containing several properties.
  • Each property can be one of the several supported data types.
  • Tables do not have a fixed schema, so different entities in table can have different properties.

Application Services

The application services provide services such as application runtimes and frameworks, queuing, email, notification and media services.

The following are some of the most common application services and their main characteristics.

Service Name Description
Application Runtimes and Frameworks services allow developers to build and host apps in the cloud. The runtimes provide the following:

  • Support for programming languages such as Java, Python, Ruby and so on.
  • Automatically allocate resources.
  • Handle scaling without the need to run and maintain servers.
Google App Engine This platform as a service (PaaS) includes an application runtime and a web framework. Its main characteristics include:

  • Runtimes. App Engine provides runtime environments for Java, Python, PHP, Go programming languages.
  • Sandbox. Applications run in a secure sandbox environment isolated from other applications. Limited access to the underlying OS is allowed.
  • Web Frameworks. App Engine provides a simple Python web application framework called webapp2. It also supports frameworks written in Python that use WSGI, which include Django, CherryPy, Pylons, web.py and web2py.
  • Datastore. A no-SQL data storage service is provided.
  • Memcache. High performance in-memory key-value cache service is provided.
  • Tasks. App Engine provides task queues to allow work in the background. It also provides a cron service for scheduling.
Windows Azure Web Sites This platform as a service (PaaS) allows hosting of web applications in the cloud. Its main characteristics include:

  • Shared and standard options.
  • In the shared option, a web site runs on virtual machines that can contain multiples sites by multiple users.
  • In the standard option, a web site runs on virtual machines that belong to a single user.
  • Applications written in ASP.NET, PHP, Node.js and Python are supported.
  • Multiple copies of an application can run on different virtual machines and requests are automatically load-balanced among them.
Queuing Services allow the decoupling of application components by enabling them to communicate through messages queues. The following are the main queues advantages:

  • They allow for asynchronous processing.
  • Provide overflow buffers to handle temporary volume spikes or to handle the mismatch between message generation and consumption.

Messages can be queued and read from queues simultaneously. The message latency can go from a couple of days to a couple of weeks.

Amazon Simple Queue Service (SQS) Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, fully managed message queuing service. SQS makes it simple and cost-effective to decouple the components of a cloud application. You can use SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be always available. With SQS, you can offload the administrative burden of operating and scaling a highly available messaging cluster, while paying a low price for only what you use.To assure high availability for message delivery, SQS performs a trade-off on FIFO capability and does not guarantee that messages are delivered on first in first out (FIFO) order.
Google Task Queue Service Tasks queues are an efficient and powerful tool for background processing; they allow your application to define tasks, add them to a queue, and then use the queue to process them in aggregate. You name queues and configure their properties in a configuration file named queue.xml.Push queues function only within the App Engine environment. These queues are the best choice for applications whose tasks work only with App Engine tools and services. With push queues, you simply configure a queue and add tasks to it. App Engine handles the rest. Push queues are easier to implement, but are restricted to use within App Engine. For more information about push queues and examples of how to use them, see Using Push Queues.
Windows Azure Queue Service Windows Azure Queue allows decoupling of different parts of a cloud application, enabling cloud applications to be easily built with different technologies and easily scale with traffic needs.

Windows Azure Queues

Windows Azure Queues

The figure above illustrates a simple but common scenario for cloud applications. There are a set of web servers hosting the frontend logic of handling web requests. There are a set of backend processing servers implementing the business logic of the application. The web server frontend nodes communicate with the backend processing nodes via a set of queues. Persistent state of the application can be stored in Windows Azure Blob storage and Windows Azure Table storage.

Email Services allow applications hosted in the cloud to send emails.
Amazon Simple Email Service Amazon Simple Email Service (Amazon SES) is a cost-effective outbound-only email-sending service built on the reliable and scalable infrastructure that Amazon.com has developed to serve its own customer base. With Amazon SES, you can send transactional email, marketing messages, or any other type of high-quality content and you only pay for what you use.Along with high deliverability, Amazon SES provides easy, real-time access to your sending statistics and built-in notifications for bounces and complaints to help you fine-tune your email-sending strategy.SES service can be accessed and used from the console, the Simple Mail Transfer Protocol (SMTP) interface, or the SES API.
Google Email Service This service is part of the App Engine platform, which allows applications to send email messages on behalf of the app’s administrators, and on behalf of users with Google Accounts. Apps can receive email at various addresses. Apps send messages using the Mail service and receive messages in the form of HTTP requests initiated by App Engine and posted to the app. Apps can send messages using the Mail service and receive messages in the form of HTTP requests initiated by the App Engine and posted to the app.
Notification Services allow applications to push messages to Internet connected devices such as smartphones, tablets and so on.
test test
Media Services provide various media service types used by applications to transform or transcode images, videos and so on.
test test

Content Delivery Services

The content delivery services include Content Delivery Networks (CDNs). A CDN is a distributed system of servers located across multiple geographic locations to serve content to users with high availability and performance. CDNs are useful to serve static content and have a number of edge locations deployed in multiple locations. CDNs cache popular content on the edge servers which helps in reducing bandwidth costs and improving response time.

The following are some of the most common content delivery services and their main characteristics.

Service Name Description
Amazon CloudFront Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no commitments.
Windows Azure Content Delivery Network The Microsoft Azure Content Delivery Network (CDN) offers developers a global solution for delivering high-bandwidth content that’s hosted in Azure. The CDN caches publicly available objects at strategically placed locations to provide maximum bandwidth for delivering content to users.

Analytics Services

The analytics services allow to analyze massive amount of data stored either in cloud storages or in cloud databases using programming models such as MapReduce. Applications can perform data intensive tasks such as data mining, log file analysis, machine learning, web indexing and so on.

The following are some of the most common analytics services and their main characteristics.

Service Name Description
Amazon Elastic MapReduce

Amazon Elastic MapReduce (Amazon EMR) is a web service that makes it easy to quickly and cost-effectively process vast amounts of data.

Amazon EMR uses Hadoop, an open source framework, to distribute your data and processing across a resizable cluster of Amazon EC2 instances. Amazon EMR is used in a variety of applications, including log analysis, web indexing, data warehousing, machine learning, financial analysis, scientific simulation, and bioinformatics. Customers launch millions of Amazon EMR clusters every year.

Google MapReduce Service

Google MapReduce service is an open-source library that is built on top of App Engine services, including Datastore and Task Queues. You must download the MapReduce library and include it with your application. The library provides:

  • A programming model for large-scale distributed data processing
  • Automatic parallelization and distribution within your existing codebase
  • Access to Google-scale data storage
  • I/O scheduling
  • Fault-tolerance, handling of exceptions
  • User tunable settings to optimize for speed/cost
  • Tools for monitoring status

There are no usage charges associated with the MapReduce library. As with any App Engine application, you will be charged for any App Engine resources that the library or your MapReduce code consumes (beyond the free quotas) while running your job. These can include instance hours, Datastore and Google Cloud Storage usage, network, and other storage.

Google BigQuery

Querying massive datasets can be time consuming and expensive without the right hardware and infrastructure. Google BigQuery solves this problem by enabling super-fast, SQL-like queries against append-only tables, using the processing power of Google’s infrastructure. Simply move your data into BigQuery and let us handle the hard work. You can control access to both the project and your data based on your business needs, such as giving others the ability to view or query your data.

You can access BigQuery by using a browser tool or a command-line tool, or by making calls to the BigQuery REST API using a variety of client libraries such asJavaPHP or Python. There are also a variety of third-party tools that you can use to interact with BigQuery, such as visualizing the data or loading the data.

Get started now with creating an apprunning a web query or using the command-line tool, or read on for more information about BigQuery fundamentals and how you can work with the product.

Windows Azure HDInsight

HDInsight is a Hadoop-based service from Microsoft that brings a 100 percent Apache Hadoop solution to the cloud. A modern, cloud-based data platform that manages data of any type, whether structured or unstructured, and of any size, HDInsight makes it possible for you to gain the full value of big data.

With HDInsight you can seamlessly process data of all types through Microsoft’s modern data platform, which provides simplicity, ease of management, and an open Enterprise-ready Hadoop service all running in the cloud. You can analyze your Hadoop data with PowerPivot, Power View and other Microsoft BI tools, thanks to integration with Microsoft data platform.

Deployment and Management Services

The deployment and management services allow to manage and deploy application in the cloud. They allow to perform tasks such as capacity provisioning, load balancing, auto-scaling and application health monitoring.

The following are the most common analytics services and their main characteristics.

Service Name Description
Amazon Elastic Beanstalk Amazon Elastic Beanstalk is an easy way for you to quickly deploy and manage applications in the cloud. You simply upload your application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring. At the same time, with Elastic Beanstalk, you retain full control over the resources powering your application and can access the underlying resources at any time. Elastic Beanstalk leverages services such as Amazon Elastic Cloud Compute (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service (Amazon SNS), Elastic Load Balancing, and Auto Scaling to deliver the same highly reliable, scalable, and cost-effective infrastructure that hundreds of thousands of businesses depend on today. 
Amazon CloudFormation

Amazon CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.

You can use AWS CloudFormation’s sample templates or create your own templates to describe the AWS resources, and any associated dependencies or runtime parameters, required to run your application. You don’t need to figure out the order for provisioning AWS services or the subtleties of making those dependencies work. CloudFormation takes care of this for you. After the AWS resources are deployed, you can modify and update them in a controlled and predictable way, in effect applying version control to your AWS infrastructure the same way you do with your software.

You can deploy and update a template and its associated collection of resources (called a stack) by using the AWS Management Console, AWS Command Line Interface, or APIs. CloudFormation is available at no additional charge, and you pay only for the AWS resources needed to run your applications.

Identity and Access Management Services

The identity and access management services provide the following:

The following are some of the most common identity and access management services and their main characteristics.

Service Name Description
Amazon Identity and Access Management

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.

To get started using IAM, click on the Create New Account; or if you have already registered with AWS, sign into the AWS Management Console and get started with these IAM Best Practices.

IAM is free so start using it today!

Windows Azure Active Directory Azure Active Directory is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups and help secure access to applications including Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications. Azure Active Directory is offered in two tiers: Free and Premium.

 

Zabaglione

Zabaglione

Zabaglione

Ingredients

  1. 4 large egg yolks
  2. 1/3 cup granulated sugar
  3. 1/3 cup dry Marsala
  4. Pinch fine sea salt

Directions

  1. In a large pan bring 2 or 3 inches of water to a slow simmer over medium heat.
  2. In a metal bowl combine egg yolks, sugar, Marsala and salt.
  3. Put the bowl on the simmering water.
  4. Whisk vigorously, avoiding that the eggs scramble, until the mixture is thick and foamy. This may take about 8 minutes or so.
  5. Remove the bowl from the heat and whisk for 30 more seconds.

Serve the Zabaglione warm or chilled.

Enjoy!!

Notes

The way the Italian say it: Zabaglione. The legend says that Captain Giovanni Baglioni who in the 16th Century, while camping in Reggio Emilia, sent his soldiers to seek food. They came back with what they found in the nearby area: eggs, sugar and wine. They mixed everything and found the result delicious so the cream was named after the Captain. Some instead want the cream to be from Venice, where in the 17th century it was common to drink “zabaja”, from Illira (Dalmatia), a drink aromatized with sweet wine from Cyprus.

Marsala is a liquor kind of wine with a Controlled Name of Origin (DOC) produced in Sicily in the Trapani province.

Build a Google Cloud Storage XML API – Python Application

This post demonstrates how to build a Google Cloud Storage XML API Python application. The application interacts with the storage service via the XML API (and the httplib2 library).  It uses a simple interface which allows you to perform tasks such as: list the buckets in a project, list objects in a bucket, create a bucket, create an object and so on. The intent of the application is educational. It should help you to understand the API syntax (and semantics) when interacting with Google Cloud Storage.

Application Contextual Environment

Application Contextual Environment

Prerequisites

To build the application, you will use Eclipse as shown next. Before you can perform the next steps, assure that you have satisfied the requirements described here: Google Cloud Storage Python Applications Prerequisites.

Also make sure to satisfy the following :

  1. Install the required software as listed next:
  2. Update the information contained in the client_secrets.json file. Use your client id and secret available in the Google API Console.

Create the Application Project

  1. Activate Eclipse.
  2. From the File menu, select New->PyDevProject. The PyDev Project window is displayed.
  3. In the Project name: enter PythonXmlApi.
  4. Accept the user default workspace; for example: /Users/[your username]/[your work directory]/PythonXmlApi. This is the directory where the program will be stored.
  5. If you have more than one Python version installed perform the following steps:
    • In the Grammar Version selection list select 2.7.
    • In the Interpreter selection list select the desired Python interpreter. For more information, see Configure PyDev.
  6. Click Finish. The PythonXmlApi project is created and displayed in the Package Explorer.
  7. If the PyDev perspective is not selected yet, click on the Open Perspective icon in the upper right corner of Eclipse. From the pop-up menu select PyDev and click OK.
  8. In the Package Explorer, expand the PythonXmlApi project node.
  9. Right-click the src folder.
  10. Select New->PyDev Module.
  11. In the pop-up dialog window enter the following information:
    • In the Package box enter gcs_examples.
    • In the Name box enter main.
  12. Click Finish.
  13. Select Module Main and  click OK.
    An empty main.py is created. Actually the module contains the standard Python check for main because the template chosen. You’ll enter the code needed to interact with Google Cloud Storage in the next section.

Download the Application Code

You can download the archived project from this location: storage-xmlapi-python-client. Then import it into Eclipse. The project contains the following modules:

  1. main.py. This is the main entry point of the application which allows you to
    interact with Google Cloud Storage (GCS) using XML API. It contains the main function which is called when the application is executed.
  2. simple_ui.py.  Contains the GCS_SimpleUI class which provides a simple UI to interact with Google Cloud Storage.
  3. commands.py.  Contains the GCS_Command class which provides the entry point for
    processing user’s selection. Based on the user’s selection, the related Google Cloud Storage
    operation is executed.
  4. authentication.py.  It contains the class that generates an authenticated HTTP client object.
  5. bucket_commands.py. Contains the GCS_Bucket class which handles Google Cloud Storage bucket operations.
  6. object_commands.py. Contains the GCS_Object class which handles Google Cloud Storage object operations.
  7. config.py.   Contains data shared by all the modules.

PythonXmlApi Implementation

The PythonXmlApi main function performs the preliminary initialization and starts the application. A set of classes then perform the actual tasks such as: creating a simple UI, processing user’s input, interacting with the storage service and so on. The following picture shows the classes and their hierarchy.

PythonXmlApi Class Hierarchy

PythonXmlApi Class Hierarchy

PythonXmlApi Workflow

The first time you start the application, the main function instantiates GCS_SimpleUI and GCS_Command classes then initializes a simple user interface which accepts the user’s input. You will be asked to authenticate the application which uses OAuth2.0 and stores the credentials in a local file called stored_credentials.json. Also, you will be asked to enter the project ID which will be stored in a local file called project.dat.

Every time you make a selection a command call is issued which in turn calls a GCS_Bucket or GCS_Object method. This method executes the actual Google Cloud Storage bucket or object request. The storage service’s response is then displayed for your information. If the request fails, an error is displayed. Finally, depending on the debugging level, the application displays what goes on the “wire”. This is to help you understand the actual HTTP request and response content as explained by the Google Cloud Storage documentation Reference Methods. The following picture depicts the workflow just described.

PythonXmlApi Work Flow

PythonXmlApi Work Flow

Usage

In a terminal window activate the program as follows:

python main.py  --logging_level [DEBUG | INFO | WARNING | ERROR | CRITICAL] 

Have Fun!!

Getting Started with JSON API Client Library in Python

The following are the preliminary steps to access Google Cloud Storage by using the JSON API client library in Python.  Basically, you must do the following:

  • Download and install the Python JSON API client library. In a terminal window execute the following command:
    [sudo] pip install --upgrade google-api-python-client
    
  • Enable the use of the JSON API for your Google Cloud Storage project.
  • Set the client authorization information.

See the Quickstart steps described below.

Background

Before an application can use the JSON API, the user must allow access to her Google Cloud Storage private data. Therefore, the following steps must be performed:

  • The application must be authenticated.
  • The user must grant access to the application.
  • The user must be authenticated in order to grant that access.

All of this is accomplished with OAuth 2.0 and libraries written for it.

Important Concepts

  • Scope. JSON API defines one or more scopes that declare a set of operations permitted. When an application requests access to user data, the request must include one or more scopes. The user needs to approve the scope of access the application is requesting.
  • Refresh and Access Tokens.  When a user grants an application access, the OAuth 2.0 authorization server provides the application with refresh and access tokens. These tokens are only valid for the scope requested. The application uses access tokens to authorize API calls. Access tokens expire, but refresh tokens do not. Your application can use a refresh token to acquire a new access token.
    Warning: Keep refresh and access tokens private. If someone obtains your tokens, they could use them to access private user data.
  • Client ID and Client Secret. These strings uniquely identify an application and are used to acquire tokens. They are created for your Google APIs Console project on the API Access pane of the Google APIs Console. There are three types of client IDs, so be sure to get the correct type for your application:
    • Web application client IDs
    • Installed application client IDs
    • Service Account client IDs
    Keep your client secret private. If someone obtains your client secret, they could use it to consume your quota, incur charges against your Google APIs Console project, and request access to user data.

Building and Calling the Service

The following steps describe how to build an API-specific service object, make calls to the service, and process the response.

  1. Build the Service. You use the build() function to create a service object. It takes an API name and API version as arguments. You can see the list of all API versions on the Supported APIs page. The service object is constructed with methods specific to the given API. The following is an example:
    from apiclient.discovery import build as discovery_build
    service = discovery_build('storage', 'v1beta2', ....)
    
  2. Create the Request. Methods are defined by the API. After calling a method, it returns an HttpRequest object. The following is an example:
    request = service.buckets().insert(
                    project=project_id, 
                    body={'name': bucket_name})
    
  3. Get the Response. Creating a request does not actually call the API. To execute the request and get a response, call the execute() function as follows:
    response = request.execute()
    

Quickstart

To best way to get started is to access the documentation Google Cloud Storage JSON API Client Library for Python. Follow the steps in the Quickstart section to create a starter application to get you up and running.  In particular, perform these steps:

  1. Select the platform you want to use. For simplicity, select Command Line.
    Command Line Application

    Command Line Application

  2. Click the Configure Project button. A dialog window is displayed.
  3. In the dropdown list select the name of the project for which you want to enable the JSON API.
  4. Click the Continue button. An instruction list is displayed. For convenience the instructions are repeated below.
    • Install Python 2 (if not installed yet).
    • Download the starter application and unzip it. Notice, you must download the application from the link shown in the instruction list.
    • Download the client secrets file. Use it to replace the file included in the starter application. Notice, you must download the client secrets file from the link shown in the instruction list.
  5. In a terminal window, from within the application directory, run the application as follows:
    python sample.py
    
    The first time you run the application, a Web page is displayed asking you to allow access to your Google Cloud Storage. Click the Accept button,
    Allow Project Access

    Allow Project Access

    The first time you will get the following output:

    Authentication successful.
    Success! Now add code here.

You are up and running! At this point you will want to add Cloud Storage API calls to the sample.py file as shown below.

Analyzing Sample.py

In this section we analyze the sample.py code to highlight the key points. In essence sample.py shows how to set up the OAuth 2.0 credentials to access a project. Notice the code shown is slightly different from the downloaded one. This is to make it more readable.

The following line obtains the path to the client_secrets.json. This file contains the credentials (OAuth 2.0 information) the sample.py needs to access your project. You can download this file from the Cloud Console at this location: <https://cloud.google.com/console#/project/[your project ID]/apiui>

CLIENT_SECRETS = os.path.join(os.path.dirname(__file__), 'client_secrets.json')

Next you set the Flow object to be used for authentication. The example below add two scopes, but you should add only the scope you need. For more information on using scopes. see Google+ API Best Practices.

RW_SCOPE = 'https://www.googleapis.com/auth/devstorage.read_write'
RO_SCOPE = 'https://www.googleapis.com/auth/devstorage.read_only'
FC_SCOPE = 'https://www.googleapis.com/auth/devstorage.full_control'

FLOW = client.flow_from_clientsecrets(
  CLIENT_SECRETS,
  scope=[RW_SCOPE, RO_SCOPE], 
  message=tools.message_if_missing(CLIENT_SECRETS))

The following lines are critical. If the credentials (storedcredentials.json) don’t exist or are invalid the native client flow runs. The Storage object will ensure that if successful the good credentials will get written back to the file.

storage = file.Storage('storedcredentials.json')
credentials = storage.get()
if credentials is None or credentials.invalid:
  credentials = tools.run_flow(FLOW, storage, flags)

Customization

Add the following function to list the objects contained in a bucket.

from json import dumps as json_dumps

def listObjects(bucketName, service):
    print 'List objects contained by the bucket "%s".' % bucketName
    fields_to_return = 
      'nextPageToken,items(bucket,name,metadata(my-key))'
    request = service.objects().list(bucket=bucketName, 
                fields=fields_to_return)
    response = request.execute()
    print json_dumps(response, indent=2)

Call the function from main as follows:

listObjects('myBucket', service)

RELATED ARTICLES