Model your access rules and let AMP implement them for you
An important part of deploying an application to production is locking down access to every component so that only the clients that genuinely need to reach it can do so. Typically this is done with cloud security groups or network-level firewall rules, and designing, creating and maintaining those rules by hand is time consuming.
Application Network Security is an upcoming AMP feature, currently in beta, that lets designers model these requirements simply and directly in their blueprints. AMP then takes care of applying the rules for you, using the security mechanisms of the underlying cloud.
It works like this: you specify access groups to which entities belong, and an entity can then grant members of those groups whatever access they need. Think of drawing a boundary around a group of hosts and then writing rules that say who may connect to them and how.
Take a look at the diagram below. It shows a conventional three-tier application, with a load balancer, a web cluster, and a database tier. The green circles are our access groups, and the green lines are the access rules. Nodes inside each green zone have their access restricted so that only the connections named in the access rules are allowed; everything else is denied. The load balancer additionally has the special group "public", which means connections to it from the external internet are allowed.
The load balancer can reach the members of the web cluster, but only on the port published in the "http.port" sensor. The web cluster can reach the database on "db.port", but since no other access to the database machines was configured, nothing else, including the load balancer, can reach them.
AMP takes care of creating an implementation that enforces these restrictions using the mechanisms of the underlying cloud. How the restrictions are physically implemented on the underlying machines may vary from cloud to cloud: security groups on clouds that support them, IP network configuration, iptables or other means, or indeed a combination of any or all of these.
The rules are applied per application, so an access group name used in one application can be reused in another without causing problems. Everything can be specified in YAML, as this demo shows.
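To make the group-and-rule model from the paragraphs above concrete, here is a small Python example written for this article. It is not AMP's blueprint syntax, code or implementation; it models access groups and rules for one application, answers "may this source reach this destination on this port?" with default-deny for any host that sits inside a group, and renders one host's allow list as iptables commands, which is one of the enforcement backends mentioned above. The host names, IP addresses, port numbers (standing in for the values AMP would read from the "http.port" and "db.port" sensors), the chain naming, and the treatment of "public" as the group that external clients belong to are all assumptions made for the example.

```python
"""Added example (not AMP's own code or blueprint format): access groups and
rules modelled in Python, with one possible iptables rendering.

Everything below is constructed for illustration: host names, IP addresses,
group names, ports and chain naming are assumptions, not anything AMP defines.
"""
from dataclasses import dataclass

PUBLIC = "public"      # assumed: the group that external (internet) clients belong to
INTERNET = "internet"  # pseudo-host used when asking about an external client


@dataclass(frozen=True)
class Rule:
    """Members of src_group may open TCP connections to members of dst_group on port."""
    src_group: str
    dst_group: str
    port: int


class AppPolicy:
    """Access groups and rules for a single application.

    A host that belongs to at least one group is default-deny: only traffic that
    some rule grants is allowed in. A host outside every group is left alone.
    """

    def __init__(self, app, hosts, groups, rules):
        self.app = app          # application name; scopes chain names per application
        self.hosts = hosts      # host name -> IP address
        self.groups = groups    # group name -> set of host names
        self.rules = rules      # list of Rule

    def groups_of(self, host):
        if host == INTERNET:
            return {PUBLIC}
        return {g for g, members in self.groups.items() if host in members}

    def allowed(self, src, dst, port):
        """True if src may connect to dst on port under this application's rules."""
        dst_groups = self.groups_of(dst)
        if not dst_groups:
            return True         # dst is in no access group, so it is unrestricted
        src_groups = self.groups_of(src)
        return any(r.src_group in src_groups and r.dst_group in dst_groups
                   and r.port == port for r in self.rules)

    def iptables_rules(self, host):
        """Render host's allow list as iptables commands (one possible backend).

        Returns [] for an ungrouped host. Return traffic for connections the host
        itself opened is accepted via conntrack; without that the final DROP would
        also break the host's own outbound connections (e.g. web -> db replies).
        """
        dst_groups = self.groups_of(host)
        if not dst_groups:
            return []
        chain = f"{self.app}-{host}"   # per-application naming avoids collisions
        cmds = [f"iptables -N {chain}",
                f"iptables -A {chain} -i lo -j ACCEPT",
                f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for r in self.rules:
            if r.dst_group not in dst_groups:
                continue
            if r.src_group == PUBLIC:
                cmds.append(f"iptables -A {chain} -p tcp --dport {r.port} -j ACCEPT")
            else:
                for src in sorted(self.groups.get(r.src_group, ())):
                    cmds.append(f"iptables -A {chain} -p tcp -s {self.hosts[src]} "
                                f"--dport {r.port} -j ACCEPT")
        cmds += [f"iptables -A {chain} -j DROP",
                 f"iptables -A INPUT -j {chain}"]
        return cmds


def three_tier():
    """The three-tier application from the article, as a constructed sample."""
    hosts = {"lb": "10.0.0.10", "web1": "10.0.1.11", "web2": "10.0.1.12", "db": "10.0.2.20"}
    groups = {"lb": {"lb"}, "web": {"web1", "web2"}, "db": {"db"}}
    # 80, 8080 and 5432 stand in for the values AMP would take from the
    # "http.port" and "db.port" sensors at deployment time.
    rules = [Rule(PUBLIC, "lb", 80), Rule("lb", "web", 8080), Rule("web", "db", 5432)]
    return AppPolicy("shop", hosts, groups, rules)


if __name__ == "__main__":
    p = three_tier()
    for src, dst, port in [(INTERNET, "lb", 80), ("lb", "web1", 8080), ("web1", "db", 5432),
                           ("lb", "db", 5432), (INTERNET, "web1", 8080)]:
        verdict = "allow" if p.allowed(src, dst, port) else "deny"
        print(f"{src:>8} -> {dst:<5}:{port:<5} {verdict}")
    print("\n".join(p.iptables_rules("db")))
```

The point to notice is that the database host's chain contains only the two web nodes' addresses: the load balancer never appears, so the "nothing else can reach the database" property follows from the rules alone rather than from anyone remembering to write a deny. Chain names carry the application name, which is what lets two applications both use a group called "web" without their rules colliding.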
Application Network Security will be available in AMP Early Access shortly, to ease the burden on designers and administrators in an important area of application management. If you'd like to be included in this program, please get in touch with us.