28 Jul

AWS Lambda guide part IV – API Gateway and Lambda without S3

AWS Lambda Tutorial, I will show you how to create or import your Python application to Lambda, use S3 bucket, add S3 trigger for Lambda and more!

It is time for some final tuning of my small certificate signing service. In the previous parts, I showed you what the AWS Lambda service is and how to import a simple Python application into a serverless microservice. I also connected the Lambda function to the S3 storage service, where I put the certificates and key files. Then I added a trigger to the function, so the Lambda function executes automatically every time someone uploads a new CSR file with a certificate request to the S3 bucket. Now I will show you how to make this function not only serverless but also storageless, using API Gateway. It is not a standard approach, but in some scenarios it might be interesting. So we will connect API Gateway and Lambda without an S3 backend for keys and certificates.

07 Jul

How to display HTML page using only AWS API Gateway

API Gateway is a powerful tool you can use to create a frontend for your application hosted on AWS. It lets developers create, maintain, secure and monitor APIs at large scale. This API is a gateway to access your data, functions, logic or any web application hosted on AWS. The logic is based on the RESTful API framework used, for example, by web servers, and it can be used to eliminate physical or virtual servers from the infrastructure. API Gateway is a tool for a dynamic and flexible approach to data transformation. Let me show you how to display an HTML page using only AWS API Gateway.

04 Jul

AWS Lambda guide part III – Adding S3 trigger in Lambda function

This is the third part of the AWS Lambda tutorial. In the previous chapters I presented my small Python app, which I created for signing certificate requests, and imported it into the AWS Lambda service (check AWS Lambda guide part I – Import your Python application to Lambda). Then I modified the code so that instead of referencing static local files we can read from and write to an S3 bucket (check AWS Lambda guide part II – Access to S3 service from Lambda function). Now let’s move forward and add an S3 trigger to the Lambda function.

We can always execute a Lambda function manually, either from the web panel or using the CLI. We can also execute it from another application if required. But microservices are often triggered by events. In this article I will show you how to automatically sign a certificate using my Lambda function when the request file is uploaded to the S3 bucket. Let me show you how to program an S3 trigger in Lambda.

26 Jun

AWS Lambda guide part II – Access to S3 service from Lambda function

In the previous chapter I talked a little about what AWS Lambda is and the idea behind serverless computing. Furthermore, I presented a small Python application I wrote to sign certificate requests using my CA certificate (how to create one is described in my post How to act as your own local CA and sign certificate request from ASA). Then, after importing the sandboxed Python environment (required because of the non-standard library used for SSL; the whole procedure is described in my post How to create Python sandbox archive for AWS Lambda) and a small change in the code, we managed to execute it in Lambda. I also mentioned that we can use other AWS services in our code, for example access to the S3 service from Lambda.

As you remember, the initial version of my application has static paths to all files and assumes that it can open them from folders on the local hard drive. If you run a function in Lambda, you need a place where you can store files. This place is AWS S3. In this chapter I show you how to use the S3 service in a function on Lambda. We will use the boto3 library, which you can install locally on your computer using pip.

15 Jun

AWS Lambda guide part I – Import your Python application to Lambda

I recently started playing with AWS Lambda for a few reasons. I became interested in serverless architecture and in ways to save money while running apps, and I finally wanted to learn Python. I’m a network engineer, not a software developer. I like cloud computing and see it as an important part of the market now. So this was an opportunity for me to learn something new. Now I want to share my knowledge with you and show you how to import your Python application to Lambda.

In my tutorial I want to show you that Lambda and programming are something interesting that you can use in everyday work, whatever you do. Of course, Lambda tutorials are already available on the Internet, but they show you how to make a new application from scratch. I want to show you how to import your own small Python application to Lambda, the required changes to the code, the Python environment, the testing approach and finally how to expand it using other AWS services. This post is just the first chapter!

09 Jun

How to create Python sandbox archive for AWS Lambda

AWS Lambda and Python

AWS Lambda now contains 1067 Python libraries that we can use in our programs. The number is big and small at the same time. It should give us flexibility in writing apps, but at the same time it is a limitation – there are many non-standard libraries that are better replacements for the default ones. I will show you how to create a Python application sandbox and then a ZIP archive for AWS Lambda that contains libraries not available by default, so you can use them in your serverless application.

Using this application I’ve generated a list of the available libraries for Python 2.7, and you can check the list here.

The idea of serverless applications is that we don’t have access to the operating system. We just run our code in our own sandbox. Therefore we can’t just install a new package if we are missing it. The solution is to provide a ZIP archive with the code of our application and a Python environment that has all the non-standard libraries inside. Let me show you how to do this.

01 Jun

How to manage simulation in VIRL from local network

Cisco and VIRL logos

I’ve been using Cisco VIRL for over two years, both for learning technologies and for testing new solutions as PoCs. Accessing devices in a simulation via the embedded console link is easy but not efficient. I always wanted to manage a simulation in VIRL from my laptop, not the desktop PC. Also, in many scenarios you may want to connect external servers, like a NetFlow collector or IPAM software you want to test. And it’s quite handy to have access to a running simulation from the Internet, isn’t it?

Let me show you how I connect a running Cisco VIRL simulation to other devices in my network and to the Internet. In this tutorial I assume that you didn’t change the default VIRL networking configuration.

26 May

Why having cloud load-balancer for on-premises services is not a good idea?

Cloud load-balancer for on-premise services is not a good idea

We were thinking about redundancy options for CCIE.PL today. There are a few restrictions we have there, coming either from policy or from our personal views on several aspects of paid services and sharing admin access. But simply put, we are thinking about how to automate failover in case our primary server or database has problems. The easiest solution would be to use the Cloudflare free tier service, but let’s say we don’t want to do this now. So we were looking at other options, and there was an idea that maybe we could use a cloud load-balancer for on-premises services. First thought – it’s brilliant. On second thought – that idea was definitely wrong. Let me show you why.

18 May

Upgrading SourceFire module from 5.x to 6.x and recovery procedure

SFR Firmware packages download

Hardware failures happen. If you have an active service contract, you’ll get a new device from Cisco with the same hardware parameters. One thing you don’t know is which version of software will be installed. In almost all cases it’s not the one you are using. Installing new firewall firmware on an ASA is not a problem, but what if you’re running SourceFire Management Center version 6.2 and your device came with 5.x or 6.0 firmware on the SFR module? Well, prepare for a process that will take a few hours – you need to perform the recovery procedure, which is one of the ways of upgrading SourceFire.

The most common cases when we have to use the recovery procedure for SFR are:

  • Problems with booting the SFR module after an upgrade performed from Firesight Management Center
  • First software installation on the SFR (for example, when we have just put SSD drives in our ASA to get the benefits of Sourcefire NGIPS)
  • Need to upgrade the firmware, but our module cannot be registered in Firesight Management Center due to a firmware mismatch

The last case is the one that usually happens when we get a new device during the RMA process. Each Firesight Management Center has a list of compatible firmware versions supported on modules, and unfortunately backward compatibility is not complete. If you run one of the most common versions, 6.1 or 6.2, your modules need to be at least version 6.1. The recovery process requires that the whole memory is erased and new firmware installed.

12 May

Interfaces are important in ASAv failover on VIRL

Failover link on ASAv must be created using interface GigabitEthernet0/8

One reader asked me the following question a few days ago, when he had a problem establishing failover in his lab: “I’ve tried to create an ASA failover pair on VIRL and it was not working. I’ve looked through the manual and the VIRL forum for a solution. I believe that failover is a supported configuration on VIRL. I think my configuration is correct, the nodes can ping each other, but I still cannot establish the failover relationship”. The configuration he made was correct except that he forgot about one thing – interface numbers are important when you set up failover using ASAv.

Cisco VIRL uses the ASAv image for virtual firewalls. This is the same image that you use in production on ESXi. That means all restrictions also apply to the virtual firewall if you run it on VIRL. In this image we must configure the failover link using interface GigabitEthernet0/8. It’s clearly stated in the documentation. If we use any other interface, the configuration will be accepted but failover is never established.

failover lan unit primary
failover lan interface Fail-link GigabitEthernet0/8
failover replication http
failover link State-link GigabitEthernet0/7
failover interface ip Fail-link 192.168.255.253 255.255.255.252 standby 192.168.255.254
failover interface ip State-link 192.168.254.253 255.255.255.252 standby 192.168.254.254
failover ipsec pre-shared-key 0 FailoverKey
failover

We also need to remember that we can’t configure Active-Active failover. This mode is not supported, so we have to stick to the Active-Standby model. It’s a direct result of the lack of support for virtual contexts, so remember about it as well.