Choose the Right Cloud Provider
\nCloud infrastructure is increasing day by day. Choosing the right cloud provider is the most important decision for long term success. The big three cloud providers are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These three cloud providers are providing mostly services so they might be confused about choosing the right cloud provider. We can easily evaluate the right cloud provider from the following steps
\n- \n
- Compliance \n
- Security \n
- Downtime \n
- Support \n
- Pricing structure \n
- Location wise availability \n
Discounted Instances
\nAll Big Cloud Providers are providing discounted Instances or spot instances. Spot instances are unused instances. Cloud Providers offered up to 90% discount on these instances compared to on-demand or reserved instances. The majority of organizations have some workloads that are not critical, We can reduce the cost for not critical workload by using spot instances. AWS, Azure, and Google (GCP) all provide the option to use Spot Instances.
\n- \n
- AWS Spot Instances \n
- Azure Low Priority VMS \n
- GCP Preemptible VMS \n
Identify Instance Right Size
\nIdentify the right size for the Instance, not an easy task. We need to configure multiple matrices in our cloud service provider. Key metrics to look for are CPU and memory usage. Identify instances with a maximum CPU usage and memory usage of the month.
\nHow to Check Metrics
\nGenerally, people make mistakes during checking metrics. Most of the people prefer averages in monitoring but averages mislead the measurement. Let understand this by example
\nYou are running an online technology tutorial site. Suppose 1million active users on your website in normal days. Now you are hosting weekly technology webinars in your platform. During webinars time your platform traffic should increase. At that time CPU usages and memory usages should be high compared to the rest of the time. Now suppose you have checked the 24 hours average CPU usages and memory usages. It was around 40% and you have decided this is underutilized and scale down the lower size instance. It can impact you 5% - 10% traffic Let’s look at a real-world example. This chart shows the overall CPU usages
\n
First Image showing Average CPU utilization. You can see Maximum CPU was 18.6 %
\nNow, let’s check the CPU 99th percentile:\n
As expected, the 99th percentile is higher than the average. 99th percentile is around 93%
\nThe conclusion is We need to always check the 99th percentile. The average can mislead and it can impact your users.
\nCreating Underutilization Alarm
\nWe can create different types of resources and applications utilization monitoring matrix and based on the data we can configure multiple alarms. You can configure notification or alarms on email, SMS from the Cloud provider dashboard. you can also configure alarms that automatically stop or terminate EC2 instances or VM when instance unused or underutilized according to the configured threshold. During the development or some POC as a developer or devops person we have to create some instances or resources but sometimes we forgot to terminate the instances or resources. You can minimize the this extra cost by creating a group of alarms that sends an email notification to developers whose instances have been underutilized or ideal for some hours, then terminates an instance. It will save the overall infra cost. different cloud providers provide different ways for creating these type alarms
\n- \n
- Amazone (Aws) \n
- Azure \n
- Google Cloud \n
Creating time based actions
\nYou can save around 75% cost for your Non - Production Development, Staging, and QA environment. Non - Production environment generally needed during working days. You can turn off these servers during off-hours. Cost-saving depends on the infrastructure size, it can be hundred, thousands of dollars
\nYou can create automation scripts for infrastructure deployment. Schedule the script in your cloud provider
\nIn-memory cache Storage
\nApplication in-memory cache reduces the cost of transferring data in the network and overall application performance because reduce the traffic between the database servers or any other external application reduce the network level cost in the cloud also caching improves the efficiency and accessibility of data that used repeatedly or frequently accessed. Suppose your application is fetching user configuration or settings in every request from the database server. You can keep this type of configuration, which is not changing frequently in the in-memory cache. it will save a lot network-level cost
\nData Transfer Cost Optimization
\nData Transfer cost mostly hidden or Some time we don't take care of it. Generally, data transfer is free in the same region between different services Storage, Compute service, etc.\nIf you do a lot of cross-region transfer, it will increase your network data transfer cost also if you will deploy multiple services in the same region it will improve application performance
\nCost visibility
\nThis includes knowing what you spend in detail, how specific services are billed, and the ability to display how (or why) you spent a specific amount Here, keep in mind key capabilities such as the ability to create shared accountability, hold frequent cost reviews, analyze trends, and visualize the impact of your actions on a near-real-time basis. You can also use cost controls like budget alerts and quotas to keep your costs in check over time.
\nConsider a Multi-Cloud Architecture
\nEnterprises or Mid Level companies are adopting multi-cloud infrastructure. Consider this recent prediction from IDC: “By 2020, over 90% of enterprises will use multiple cloud services and platforms.” Or this one from 451 Research: “The future of IT is multi-cloud and hybrid with 69% of respondents planning to have some type of multi-cloud environment by 2019.”
\nBenefits of multi-cloud Architecture
\n- \n
- Low latency \n
- Competitive Pricing \n
- more compliance options \n
- Enhanced Security \n
Conclusion
\nOrganizations need to develop a cost optimization culture and awareness. Cost optimization is an ongoing activity in the organization. Need to decide someone responsible for the cost optimization it can be an Engineering team or DevOps team. Most cloud providers provide billing alarm’s they can alert you in case of cost increment also we can configure budget in the Cloud provider dashboard.
\n","frontmatter":{"date":"July 09, 2020","updated_date":null,"description":"Optimization of cloud costs lowers spending by recognizing mismanaged capital, reserving higher discount space, and proper sizing.","title":"Cloud Cost Optimization in 2021","tags":["Cloud","Optmization"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.408450704225352,"src":"/static/2300b46e98d3db0ddac0decdc33cf57e/ee604/cloud.png","srcSet":"/static/2300b46e98d3db0ddac0decdc33cf57e/69585/cloud.png 200w,\n/static/2300b46e98d3db0ddac0decdc33cf57e/497c6/cloud.png 400w,\n/static/2300b46e98d3db0ddac0decdc33cf57e/ee604/cloud.png 800w,\n/static/2300b46e98d3db0ddac0decdc33cf57e/f3583/cloud.png 1200w,\n/static/2300b46e98d3db0ddac0decdc33cf57e/5707d/cloud.png 1600w,\n/static/2300b46e98d3db0ddac0decdc33cf57e/c1526/cloud.png 1747w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"Identity management for education has witnessed a dramatic change in the first half of 2020. As the COVID-19 pandemic spread, it resulted in…","fields":{"slug":"/identity/identity-management-for-education/"},"html":"Identity management for education has witnessed a dramatic change in the first half of 2020. As the COVID-19 pandemic spread, it resulted in the shutdown of educational institutes worldwide, with over 1.2 billion children officially out of their physical classrooms.
\nInterestingly, there is a notable increase in e-learning from the last couple of months. Classes are conducted remotely and on digital platforms. Now, that's a massive amount of traffic to keep up with.
\nBecause significant amounts of highly sensitive data are involved, they make profitable targets for hackers—contact details, academic records, Social Security numbers, financial information, and health data.
\nMany educational institutions are already facing security crises and trying their best to sustain. Providing a secure learning environment has become a high priority.
\nRecent Stats of Cyberattack on Students
\n- \n
- According to Darktrace's study cited on Straitstimes.com, more than 100 Singapore-based customers face 16 times more attacks on the educational institution than other healthcare and retail organizations. \n
- In June 2020, hackers attacked the servers at San Francisco School of Drugs College of California. They demanded a ransom of more than $1 million USD to get back the accessibility to their data. \n
- Professional hackers breached the ed-tech platform Unacademy and exposed 22 million user accounts on the dark web. In May 2020, Cyble Inc. stumbled upon a threat actor selling the user database for $2,000. \n
- In May 2020, another online learning application based in Canada, OneClass, suffered a data breach that exposed data from more than 1 million students across North America. \n
- In May 2020, a Spanish e-Learning platform 8Belts suffered a data breach that affected and exposed the data of 150,000 e-learners on the platform. \n
Security Challenges in the Education Industry
\nBy now, it is pretty evident that the education sector has become a lucrative target of cybercriminals.
\nOne of the critical reasons schools are targeted, is the extensive data they maintain about students and staff, including personally identifiable information (PII), health details, and financial data. These records are a hot commodity on the dark web and are sold in millions for identity theft and fraud.
\nOther security challenges faced by schools, universities, and colleges in the education sector include:
\nLimited to no dedicated IT resources
\nA cybersecurity challenge faced by most educational institutions when defending their networks from threats is a shortage of dedicated IT resources—possibly pointing to the lack of funds to invest in cybersecurity.
\nAnother area that could put schools at risk of attack is the legacy IT infrastructure. IT departments must ensure that older equipment and software have the most recent upgrades, or that if manufacturers no longer support them, institutes should voluntarily install new versions.
\nThe unsettling BYOD culture
\nInstitutes allow students to store data on their own devices, tablets, or laptops. Since they work on the same project in laboratories, in classrooms and at their residences, they carry their data on portable drives and connect to whichever computer is available.
\nMost students don't invest in paid antivirus software or anti-malware versions. Also, they download free, pirated apps. So, every time they plug their infected USB into the institute's network, the whole system gets affected.
\n\nPotential open network vulnerabilities
\nMany educational institutions advocate a culture of an open network for students and allow any device to connect within the premises. It is done to promote freedom of free information.
\nBut then, it has its downside too. Open network means that access is not monitored correctly, making it an easy target for cybercriminals to enter the network and wreak havoc.
\nLack of privileged access management
\nThe majority of educational institutions lack a proper privileged access management system. Role-based access controls (RBAC) offer employees their access to different systems and data sources according to their responsibilities within the institution.
\nPrivileged accounts, like administrative accounts in schools, provide access to specific users that hold liability for critical systems and student's sensitive information.
\nThe ever-changing student lifecycle
\nWith each passing year, the specific role of students in the organization changes. They are promoted to the next class, some become alumni, and some may become assistants to teachers or become teachers themselves. Some students may also hold multiple responsibilities at the same time.
\nEducational institutions should authenticate these new identities as soon as they transition to the new role to avoid the burden of a security breach.
\nType of Cyber Attacks Faced by the Edtech Sector in Managing Identities
\nHigher educational institutes like colleges and universities store higher volumes of sensitive data related to research and other assignments. Moreover, all institutions (—for that matter) store critical alumnus, faculty, and students' data. These are gold mines for intruders to penetrate the networks and pose cyberthreats.
\nFollowing are a few significant ways hackers attack the Edtech sector:
\nSpoofing
\nA spoofing attack, in context to cybersecurity, happens when someone pretends to be someone else to gain trust to access sensitive network data and spread malware in the process. Spoofing attacks can occur in many different ways, like the widespread email spoofing attacks usually deployed as part of phishing campaigns or caller ID spoofing attacks that are also used to commit fraud.
\nIn educational institutions, attackers target IP address, Domain Name System ( DNS) servers, or Address Resolution Protocol (ARP) services.
\nPassword Hijacking
\nPassword hijacking, as the term suggests, is a type of attack where hackers gain unauthorized access to the user's login credentials. What's intriguing is hackers do not always adopt a highly technical and sophisticated approach to hack accounts. In many cases, they guess common phrases, such as \"qwerty,\" which ranks high on the list of worst passwords.
\nThe rest of the time, hackers make use of other methods like brute force attacks, dictionary attacks, credential stuffing attacks, etc. to hack into the educational institute's network.
\nCredential Cracking
\nCracking of passwords occurs when a hacker deliberately targets a user or a business. They usually send a significant amount of time devising the right kind of attack to break into the victims' network.
\nSpeaking of which, while the victim of credential cracking can be any random user, the effort behind it also means that the victim has been deliberately targeted. It might be a business account, a company's social media accounts, or a premium educational institute with famous alumni.
\nPhishing
\nPhishing is a malware attack that tricks victims into revealing their valuable and often sensitive data. Also referred to as a \"phishing scam,\" attackers target login credentials of users, financial data (such as credit cards and bank account details), business data, and everything that could be of high value to hackers.
\nPremium educational institutions have forever been at the risk of phishing attacks, primarily because of their high-value sensitive research data, student-critical data, faculty, or alumni data.
\nMan-in-the-middle
\nA man-in-the-middle attack happens when the cybercriminal intercepts a conversation between the user and the application. You can portray it as the cyber equivalent of eavesdropping done to impersonate one of the hosts.
\nThe hacker may, in this case, plant requests that seem to come from a legitimate source. For example, ask for alumni data that is otherwise deemed confidential.
\nData Risk and Vulnerabilities in Online Education Apps and Websites
\nTherefore, there will always be a danger looming when new technologies and applications are widely implemented across campuses, and every student or lecturer is expected to use them. A lot of these educational apps may be useful. The school, college, or university faculty may use a few of those as supplemental instructional resources or advocate for additional skills practice. There is a catch, though! Newbie techies or tech start-ups build most of the new applications and courses launched with little to no background in children's privacy laws. Free apps are more likely to collect user data and monitor children's behaviors to deliver targeted advertising. Moreover, there have been instances where even paid apps were accused of monitoring and using child data for unethical purposes. They collect PII and track precise location information, creating a severe threat to privacy. Then again, apps that claim to be specially designed for educational purposes are not immune either. Some of these apps make money by selling advertising directly on the platform or trading students and faculties' sensitive data such as ethnicity, affluence, religion, lifestyle, etc. to third parties. With massive personal intellectual property at stake, hackers are willing to work even harder to break into educational institutions than other organizations. Failures in compliance can be extremely damaging, particularly with increased media attention. Following are a few international compliance regulations that keep students' data safe amidst the volatile criminal backdrop. The optimal digital experience for education institutions is the need of the hour. Delivering top-notch experiences to students puts the pressure on customer identity and access management (CIAM) providers to provide a secure platform for their data. Here how identity management for education enhances the user experience of students and faculty. Off late, there has been an amplified need for identity and access management in the education industry. LoginRadius, as a leading provider in its space, offers a number of a scalable, highly integrative set of tools to meet the growing requirement of the modern higher education sector. A few of the particular ones include: The identity management platform allows institutes to create a central identity across all channels through single sign-on for students and faculty. It also offers modern and robust authentication methods such as multi factor authentication (MFA) with one-time passwords or security questions and more. LoginRadius allows smooth and seamless integration into systems through industry-approved standards like OpenID Connect, OAuth2, and SAML2.0. Define the roles and permissions on who can access what content and when with LoginRadius. Colleges and universities can delegate admins to teachers, lecturers, and staff and assign their respective roles. Besides, they can work with other faculties by adding users to their groups. Also, professors can divide their students into groups and assign permissions based on their projects. Strengthen security and protect resources with a secure interface (APIs). It detects suspicious behavior within the system, and when the need arises demands a second factor of authentication. Furthermore, it offers excellent user experience, and with SSO on the hook, it encourages users to choose a strong password for their accounts. As a cloud-based identity management platform, LoginRadius is always updated with the latest security mechanisms. The identity platform is compliant with all major international data regulation policies, including the EU's GDPR and California's CCPA. To meet the high identity management of education requirements, it offers more transparency about accepted consents, secured access, and excellent user experience. The identity management solution is compatible with major security programs. Major certifications include OpenID for end-user identity verification, PCI DSS PCI SSC administered standard for fee and salary transactions, ISO 27001:2013, 2015 for information security, AICPA SOC 2 (Type II) for system-level privacy control, and ISAE 3000 for the protection of non-financial information. Other certifications include ISAE 3000, NIST Cybersecurity Framework, CSA CCM Level 1, Level 2, CIS Critical Security Controls, US Privacy Shield Complaint, and ISO/IEC 27018:2019. Given this rapid upgrade in the classroom environment, experts are curious whether acceptance of online learning would continue to exist in the post-pandemic world, and whether such a move will affect the pressure of identity management on educational institutions. If it does (which sure, will), LoginRadius will certainly complement the complex, and unique CIAM needs for schools, colleges, and universities across the globe. This post will cover a demo working setup of a service mesh architecture using Envoy using a demo application. In this service mesh architecture, we will be using Envoy proxy for both control and data plane. The setup is deployed in a Kubernetes cluster using Amazon EKS. We will be deploying an echo-grpc test application provided by Google in their article related to gRPC load balancing and was used as a reference to test the service mesh setup with Envoy. The article covers setting up Envoy as an edge proxy only.\nThis is a simple gRPC application that exposes a unary method that takes a string in the content request field and responds with the content unaltered.\nRepo: grpc-gke-nlb-tutorial Configuration of envoy for the sidecar deployment: envoy-echo.yaml: A couple things to note here. Run:\n Deployment of echo-grpc application with 3 replicas. The config contains two containers, one for application and another being the Envoy image. Here, echo-grpc is test application and envoy is being deployed in the same pod. Config volumes are mounted so that the envoy can read the configmaps. Run:\n We are using headless service for echo-grpc. Using service as headless will expose the Pods IP to the DNS server of kubernetes which will be used by Envoy to do service discovery for the pods. echo-service.yaml In the above config file, we are exposing two ports, one for envoy sidecar (this is the same port we mentioned in the config map of sidecar envoy) and one for the service itself. Run:\n Creating a service of type LoadBalancer so that client can access the backend service. envoy-service.yaml: Run:\n Since we are deploying front envoy LoadBalancer on port 443, we have to create a self-signed certificate to make it terminate SSL/TLS connection. Configuration for the edge Envoy: envoy-configmap.yaml Since we will be offloading HTTPS, we are using port_value of 443. Most of the configurations are same as of sidecar envoy except for three things: Run:\n envoy-deployment.yaml Run:\n Proto file for the echo-grpc service: ccho.proto: Run the following command to call the server:\n The output will be similar to something like this: Run the above command multiple times and check the value of the hostname field every time which will contain the pod name of one of the 3 pods deployed. Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards and refining approaches to building secure, seamless experiences. We’re here to support developers on that journey. We know how important simplicity, efficiency, and well-structured documentation are when working with identity and access management solutions. That’s why we’ve redesigned the LoginRadius website—to be faster, more intuitive, and developer-first in every way. The goal? Having them spend less time searching and more time building. LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve spent the last few months redesigning our interface— making navigation more intuitive and reassuring that essential resources are easily accessible. Here’s a closer look at what’s new and why it’s important: Developers spend long hours working in dark-themed IDEs and terminals, so we’ve designed the LoginRadius experience to be developer-friendly and align with that preference. The new dark mode reduces eye strain, enhances readability, and provides a seamless transition between a coding environment and our platform. Our new design features a clean, modern aesthetic with a consistent color scheme and Barlow typography, ensuring better readability. High-quality graphics and icons are thoughtfully placed to enhance the content without adding visual clutter. So, whether you’re navigating our API docs or configuring authentication into your system, our improved interface will make those extended development hours more comfortable and efficient. We’ve restructured our website to provide a straightforward breakdown of our customer identity and access management platform capabilities, helping you quickly find what you need: This structured layout ensures you can quickly understand each capability and how it integrates into your identity ecosystem. We’ve been analyzing developer workflows to identify how you access key resources. That’s why we redesigned our navigation with one goal in mind: to reduce clicks and make essential resources readily available. The new LoginRadius structure puts APIs, SDKs, and integration guides right at the menu bar under the Developers dropdown so you can get started faster. Our Products, Solutions, and Customer Services are also clearly categorized, helping development teams quickly find the right tools and make informed decisions. Developers now have a clear view of the tech stack available with LoginRadius, designed to support diverse business needs. Our platform offers pre-built SDKs for Node.js, Python, Java, and more, making CIAM integration seamless across popular programming languages and frameworks. Check out our revamped LoginRadius website and see how the improved experience makes it easier to build, scale, and secure your applications. Do not forget to explore the improved navigation and API documentation, and get started with our free trial today. We’re excited to see what you’ll build with LoginRadius!Compliance Regulations for the Education Sector
\n\n
\nHow IAM Improves the Educational Experience for Students
\n\n
\nHow Higher Education Sector Can Resolve Data Security Risk by Using the LoginRadius Identity Management Platform
\nNew-age onboarding
\nA clear control of permissions
\nRobust API security
\nData compliance management
\nIndustry-specific security certifications
\nConclusion
\nPre-requisites
\n\n
\nkubectl create namespace envoygo get github.com/fullstorydev/grpcurlSidecar Deployment
\n
\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: envoy-echo\ndata:\n envoy.yaml: |\n static_resources:\n listeners:\n - address:\n socket_address:\n address: 0.0.0.0\n port_value: 8786\n filter_chains:\n - filters:\n - name: envoy.http_connection_manager\n config:\n access_log:\n - name: envoy.file_access_log\n config:\n path: "/dev/stdout"\n codec_type: AUTO\n stat_prefix: ingress_https\n route_config:\n name: local_route\n virtual_hosts:\n - name: https\n domains:\n - "*"\n routes:\n - match:\n prefix: "/api.Echo/"\n route:\n cluster: echo-grpc\n http_filters:\n - name: envoy.health_check\n config:\n pass_through_mode: false\n headers:\n - name: ":path"\n exact_match: "/healthz"\n - name: "x-envoy-livenessprobe"\n exact_match: "healthz"\n - name: envoy.router\n config: {}\n clusters:\n - name: echo-grpc\n connect_timeout: 0.5s\n type: STATIC\n lb_policy: ROUND_ROBIN\n http2_protocol_options: {}\n load_assignment:\n cluster_name: echo-grpc\n endpoints:\n - lb_endpoints:\n - endpoint:\n address:\n socket_address:\n address: "127.0.0.1"\n port_value: 8081\n health_checks:\n timeout: 1s\n interval: 10s\n unhealthy_threshold: 2\n healthy_threshold: 2\n grpc_health_check: {}\n admin:\n access_log_path: "/dev/stdout"\n address:\n socket_address:\n address: 127.0.0.1\n port_value: 8090\n
\n*, allowing all domains to pass-through.kubectl apply -f envoy-echo.yaml -n envoy
\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: echo-grpc\nspec:\n replicas: 3\n selector:\n matchLabels:\n app: echo-grpc\n template:\n metadata:\n labels:\n app: echo-grpc\n spec:\n containers:\n - name: echo-grpc\n image: <hub-username>/echo-grpc\n imagePullPolicy: Always\n resources: {}\n env:\n - name: "PORT"\n value: "8081"\n ports:\n - containerPort: 8081\n readinessProbe:\n exec:\n command: ["/bin/grpc_health_probe", "-addr=:8081"]\n initialDelaySeconds: 1\n livenessProbe:\n exec:\n command: ["/bin/grpc_health_probe", "-addr=:8081"]\n initialDelaySeconds: 1\n - name: envoy\n image: envoyproxy/envoy:v1.9.1\n resources: {}\n ports:\n - name: https\n containerPort: 443\n volumeMounts:\n - name: config\n mountPath: /etc/envoy\n volumes:\n - name: config\n configMap:\n name: envoy-echokubectl apply -f echo-deployment.yaml -n envoyHeadless Service Configuration
\n
\napiVersion: v1\nkind: Service\nmetadata:\n name: echo-grpc\nspec:\n type: ClusterIP\n clusterIP: None\n selector:\n app: echo-grpc\n ports:\n - name: http2-echo\n protocol: TCP\n port: 8786\n - name: http2-service\n protocol: TCP\n port: 8081kubectl apply -f echo-service.yaml -n envoyFront Envoy Configuration
\n
\napiVersion: v1\nkind: Service\nmetadata:\n name: envoy\nspec:\n type: LoadBalancer\n selector:\n app: envoy\n ports:\n - name: https\n protocol: TCP\n port: 443\n targetPort: 443Creating self-signed certificates
\nkubectl apply -f envoy-service.yaml -n envoy\n
\nkubectl describe svc/envoy -n envoynslookup <your load balancer aadess>openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout privkey.pem -out cert.pem -subj \"/CN=<ip-address>\"kubectl create secret tls envoy-certs --key privkey.pem --cert cert.pem --dry-run -o yamlEdge Envoy configuration
\n
\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: envoy-conf\ndata:\n envoy.yaml: |\n static_resources:\n listeners:\n - address:\n socket_address:\n address: 0.0.0.0\n port_value: 443\n filter_chains:\n - filters:\n - name: envoy.http_connection_manager\n config:\n access_log:\n - name: envoy.file_access_log\n config:\n path: "/dev/stdout"\n codec_type: AUTO\n stat_prefix: ingress_https\n route_config:\n name: local_route\n virtual_hosts:\n - name: https\n domains:\n - "*"\n routes:\n - match:\n prefix: "/api.Echo/"\n route:\n cluster: echo-grpc\n http_filters:\n - name: envoy.health_check\n config:\n pass_through_mode: false\n headers:\n - name: ":path"\n exact_match: "/healthz"\n - name: "x-envoy-livenessprobe"\n exact_match: "healthz"\n - name: envoy.router\n config: {}\n tls_context:\n common_tls_context:\n tls_certificates:\n - certificate_chain:\n filename: "/etc/ssl/envoy/tls.crt"\n private_key:\n filename: "/etc/ssl/envoy/tls.key"\n clusters:\n - name: echo-grpc\n connect_timeout: 0.5s\n type: STRICT_DNS\n lb_policy: ROUND_ROBIN\n http2_protocol_options: {}\n load_assignment:\n cluster_name: echo-grpc\n endpoints:\n - lb_endpoints:\n - endpoint:\n address:\n socket_address:\n address: echo-grpc.envoy.svc.cluster.local\n port_value: 8786\n health_checks:\n timeout: 1s\n interval: 10s\n unhealthy_threshold: 2\n healthy_threshold: 2\n grpc_health_check: {}\n admin:\n access_log_path: "/dev/stdout"\n address:\n socket_address:\n address: 127.0.0.1\n port_value: 8090\n
\nkubectl apply -f envoy-configmap.yaml -n envoyDeployment Configuration
\n
\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: envoy\nspec:\n replicas: 2\n selector:\n matchLabels:\n app: envoy\n template:\n metadata:\n labels:\n app: envoy\n spec:\n containers:\n - name: envoy\n image: envoyproxy/envoy:v1.9.1\n resources: {}\n ports:\n - name: https\n containerPort: 443\n volumeMounts:\n - name: config\n mountPath: /etc/envoy\n - name: certs\n mountPath: /etc/ssl/envoy\n readinessProbe:\n httpGet:\n scheme: HTTPS\n path: /healthz\n httpHeaders:\n - name: x-envoy-livenessprobe\n value: healthz\n port: 443\n initialDelaySeconds: 3\n livenessProbe:\n httpGet:\n scheme: HTTPS\n path: /healthz\n httpHeaders:\n - name: x-envoy-livenessprobe\n value: healthz\n port: 443\n initialDelaySeconds: 10\n volumes:\n - name: config\n configMap:\n name: envoy-conf\n - name: certs\n secret:\n secretName: envoy-certskubectl apply -f envoy-deployment.yaml -n envoyTesting
\n
\nsyntax = "proto3";\n\npackage api;\n\nservice Echo {\n rpc Echo (EchoRequest) returns (EchoResponse) {}\n}\n\nmessage EchoRequest {\n string content = 1;\n}\n\nmessage EchoResponse {\n string content = 1;\n}grpcurl -d '{\"content\": \"echo\"}' -proto echo.proto -insecure -v <load_balancer_or_external_ip>:443 api.Echo/Echo
\nResolved method descriptor:\nrpc Echo ( .api.EchoRequest ) returns ( .api.EchoResponse );\n\nRequest metadata to send:\n(empty)\n\nResponse headers received:\ncontent-type: application/grpc\ndate: Wed, 27 Feb 2019 04:40:19 GMT\nhostname: echo-grpc-5c4f59c578-wcsvr\nserver: envoy\nx-envoy-upstream-service-time: 0\n\nResponse contents:\n{\n "content": "echo"\n}\n\nResponse trailers received:\n(empty)\nSent 1 request and received 1 responseReferences
\n\n","frontmatter":{"date":"July 06, 2020","updated_date":null,"description":null,"title":"Service Mesh with Envoy","tags":["Service Mesh","Envoy","Microservices"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.834862385321101,"src":"/static/f5fbebaefd091eb3f33c225fa71b0814/14b42/front-image.jpg","srcSet":"/static/f5fbebaefd091eb3f33c225fa71b0814/f836f/front-image.jpg 200w,\n/static/f5fbebaefd091eb3f33c225fa71b0814/2244e/front-image.jpg 400w,\n/static/f5fbebaefd091eb3f33c225fa71b0814/14b42/front-image.jpg 800w,\n/static/f5fbebaefd091eb3f33c225fa71b0814/47498/front-image.jpg 1200w,\n/static/f5fbebaefd091eb3f33c225fa71b0814/0e329/front-image.jpg 1600w,\n/static/f5fbebaefd091eb3f33c225fa71b0814/6ed45/front-image.jpg 2100w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Piyush Kumar","github":"kpiyush17","avatar":null}}}}]},"markdownRemark":{"excerpt":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards…","fields":{"slug":"/identity/developer-first-identity-provider-loginradius/"},"html":"What’s New and Improved on the LoginRadius Website?
\nA Developer-Friendly Dark Theme
\n![\"This](\"/f46881583c7518a93bb24e94c32320de/a-developer-friendly-dark-theme.webp\")
Clear Categorization for LoginRadius Capabilities
\n![\"This](\"/e5358b82be414940f3fb146013845933/capabilities.webp\")
\n
\nDeveloper-First Navigation
\n![\"This](\"/a8c155c2b6faf3d5f4b4de4e2b14d763/developers-menu.webp\")
Quick Understanding of Integration Benefits
\n![\"This](\"/b2f9a964a2da0ea83e2f8596b833bba7/we-support-your-tech-stack.webp\")
Over to You Now!
\n