1 of 100

Overview

An overview and demo of DuploCloud's comprehensive DevSecOps platform

DuploCloud is a cloud infrastructure automation platform that enables developer self-service with built-in security and compliance for organizations hosting public cloud infrastructure.

You provide high-level application specifications, including cloud services, application containers, packages and configurations, interconnectivity, requirements for multiple environments, and scoped compliance standards. DuploCloud uses these specifications to auto-generate required lower-level configurations, provisioning them securely and compliantly while maintaining ongoing operations.

Further protection is supplied by the DuploCloud Tenant, an isolated workspace that acts as an additional isolation layer, ideal for segregating production workloads or creating extensible developer sandboxes. A Tenant’s architecture is abstracted from its underlying Infrastructure, and you can create as many Tenants as you need with no degradation in performance.

In addition, DuploCloud facilitates logging, monitoring, alerting, and reporting. The following figure shows the platform's various functions.

The customer interfaces with DuploCloud via the browser UI, the DuploCloud Terraform provider, and API calls while the data and configuration stay within the customer's cloud account. All configurations created and applied by DuploCloud can be reviewed and edited in the customer's cloud account.

Demo

Check out a 5-minute video overview of a DuploCloud deployment.

Product Updates

New features and enhancements in DuploCloud

Q3 2024

Azure
- Set max number of Pods for Azure Agent Pools.
- Support for Table, Queue, and Container storage types within Azure Storage Accounts.
GCP
- Specify OS disk size when creating a GCE VM.

Q2 2024

AWS
- Support for Amazon OpenSearch Service domain without EBS (Elastic Block Store).
- Configure admin-only access to the SSH key.
- Support for secondary indexes when using DynamoDB databases.
- Set a maximum RDS instance size in Systems Settings.
- Support for editing in Apache Airflow.
- Set up Billing Alerts.
- Specify a Lambda architecture when creating a Lambda function.
- Support for Instance (Worker Nodes) or IP (Pod IPs) target types when creating an EKS Ingress.
Azure
- Support for Azure VM Disk Controller.
- Specify the cluster type, node VM size, and outbound connectivity source when creating an AKS cluster.
- Support for private DNS zones.
- Configure private endpoints for MSSQL Server databases.
- Support for Azure agent pools with availability zones.
- Configure Redis databases with public network access.
- Support for PostgreSQL Flexible Server databases.
- Support for Azure Application Gateway SSL policies with AKS Ingress for ALB Load Balancers.
- Support for private endpoints with Azure Storage Account.
- Specify the AKS version and Network plugin when enabling the AKS cluster.
- Specify the node resource group when configuring an AKS cluster.
- Specify a computer name when creating a Host.
GCP
- Configure a friendly image name under Plan.
- Select single, or multi-region data location types for GCP Storage buckets.
- Configure the minimum number of ports per VM instance.
Kubernetes
- Integrate DuploCloud-managed K8s clusters with FluxCD.
- Support for migration from Flux v1 to Flux v2 for FluxCD users.
- Configure read-only access to K8s Secrets.
- Create and manually run a K8s Job from a Kubernetes CronJob.
- Configure faults for failed Jobs and CronJobs at the Tenant level.
- Support for DaemonSet with GCP or AWS.
General
- Enhanced access to DuploCloud help options from the DuploCloud Platform.
- Skip faults for stopped Tenant instances.
- Configure user access to multiple Tenants with one step.
- Configure Okta as a user source for the DuploCloud Portal.
- Customize the text on the login button for custom banners.

Q1 2024

AWS
- Conifgure Automatic Failover for Redis.
- Synch AWS Redis with Amazon CloudWatch Logs for automatic log delivery.
- Configure AWS JIT session timeout using an IAM role.
- Enable automatic AWS ACM (SSL) Certificates for a Plan.
- Configure K8s Ingress redirect using a container port name.
- Disable faults for Target Groups without instances.
- Enable UltraWarm Data nodes for OpenSearch domains.
- Support for upgrading EKS components (add-ons).
- Add a Web App Firewall URL when creating or updating a Plan.
- Update or skip a final RDS snapshot.
- Upgrade the EKS Cluster.
- Create an OpenSearch domain.
- Billing option is available per Tenant.
- Scale to or from zero (0) using Auto-Scaling Groups.
- Create Lambdas with Ephemeral Storage.
- Support for Lambda Dead Letter Queues.
- Set a delivery delay for SQS Queues, using increments of seconds.
- Configure Vanta compliance controls for DuploCloud Tenants.
- Support for OpenSearch storage options.
- Security Configurations Settings documentation section added.
- ClusterIP and Worker Node target types are supported when creating EKS Ingress.
GCP
- Additional supported actions for Cloud SQL databases (GCP Console, Edit, Delete, Stop, Restart, or Reset Password)
- GKE Standard mode is supported when creating DuploCloud Infrastructures.
- Support for Firestore databases.
- Support for GCP Hosts and GCE VMs.
- Create Node Pools with support for accelerators and taints.
- Support for GKE Ingress.
CI/CD
- Update a service with a stream-lined, read-to-use GitHub Actions script.
Kubernetes
- Enable real-time alerts for autoscaling Kubernetes nodes.
General
- Support for NIST-800-171 compliance.
- Customize the DuploCloud login screen banner.
- Set Tenants to expire at specified dates and times.
- Configure settings for all new Tenants under a Plan using Tenant Config tab.
- SIEM - Configure agents to install on specific Tenants.

Q4 2023

AWS
- Enable Spot Instances for EKS Autoscaling Groups (ASG).
- Implement Kubernetes Lifecycle Hooks while Adding a DuploCloud EKS/Native Service.
- Enable shared hosts to allow K8s Pods in a Tenant to run on Hosts in another Tenant.
- Set a default automated backup retention period for RDS databases.
- Enable bucket versioning when creating an S3 bucket.
- Create an Amazon Machine Image (AMI).
- Use dedicated hosts to launch Amazon EC2 instances and provide additional visibility and control over how instances are placed on a physical server.
- Automatically reboot a host upon Status Check faults or Host disconnection.
- Support for SNS Topic Alerts, enabling notifications and alerts across different AWS services and external endpoints.
- Establish VPN connections for private endpoints when creating an Infrastructure.
- Restore an RDS to a particular point in time.
- Dynamically change the configuration of a Kafka Cluster.
- Fields for Sort Key and Key Type are now available when creating a DynamoDB.
Azure
- Create a MySQL Flexible Server managed database service.
- Add an Azure Service Bus.
Kubernetes
- Follow logs for K8s containers in real-time.
- Influence Pod scheduling by specifying K8s YAML for Pod Toleration.
- Create Kubernetes Jobs (K8s Jobs) in AWS and GCP to manage short-lived, batch workloads in a Kubernetes cluster.
- Create Kubernetes CronJobs in AWS and GCP to schedule long-term K8s Jobs to run at preset intervals.
General updates
- The DuploCloud UI contains numerous design, navigation, and usability improvements, including new menus for managing an RDS, Containers, and Hosts. These improvements are cross-platform and apply to AWS, Azure, and GCP.
- Quickly search the DuploCloud Portal for any navigation menus or tab labels, such as Kubernetes Secrets and Spend by Month, using the Search box at the top center of the DuploCloud Portal.
- Refer to the Supported Third-Party Tools page for a list of out-of-the-box functionalities DuploCloud supports.
- DuploCloud no longer supports launch configurations. Instead, launch templates are created. If you use launch configurations, DuploCloud automatically converts them to launch templates with no interruption in uptime.

August 2023 and September 2023

AWS
- Hibernate an EC2 host instance.
- Display Taints in ECS hosts on unreachable Nodes.

June 2023 and July 2023

AWS
- Manage Tenant expiration and Tenant session durations.
- Set a monitoring interval for an RDS database.
- Enable or disable logging for an RDS database.
- Add custom Lambda image configurations and URLs.
- Enable Object Lock in S3 Buckets to prevent objects from being deleted or overwritten.
- Configure a custom S3 Bucket for auditing.
- Update Lifecycle Policies for EFS storage.
- Customize a Node Selector for EKS Services to prevent overrides of specific configurations.
- Access ECS container task shells directly from the DuploCloud Portal.
- Ability to designate Essential Containers in Task definitions for ECS Services.
- Automate fault healing on EC2 Hosts that fail a status check.
- Enhanced support for Startup Probes.
GCP
- Support for Redis database instances.
- Support for SQL databases.
- Change Cloud Armour Security Policies.
General updates
- Last Login card available for determining the last user sign-in when viewing user access.
- Grant access to specific databases to non-administrators.

May 2023

AWS
- Enable EKS endpoints in a DuploCloud Infrastructure, in a more cost-effective and secure manner. Enabling endpoints in DuploCloud allows your network communication to remain internal to the network, without using NAT gateways.
- Multiple containers are now supported in the ECS Task Definitions tab.
- Start, stop, and restart up to twenty (20) services at one time.
- Add VPC Endpoints to a DuploCloud Infrastructure to create a private connection to supported AWS services and VPC endpoint services powered by AWS PrivateLink.
- Enable logging for ECS containers.
- Define S3 bucket policies.
- Support for Lambda Layers has been added.
- CloudWatch EventBridge rules and targets are supported.
- The CloudFront feature and associated UI tab have been relocated in the DuploCloud Portal from the Cloud Services -> App Integration menu item to the Cloud Services -> Networking menu item.
Azure
- Support for Redis databases is available.
GCP
- Cloud Armour is supported, to monitor your cloud infrastructures and deployed applications against cyber-attacks.

April 2023

AWS
- Define custom CIDRs for NLB Load Balancers.
- Manage multiple Load Balancer settings using the Load Balancer tab's Other Settings card. Settings include specifying a Web Application Firewall (WAF) Access Control List (ACL), enabling HTTP to HTTPS redirects, enabling Access Logs, setting an Idle Timeout, and an option to drop invalid headers.
- Specify custom public and private EKS endpoints for your DuploCloud Infrastructure during or after creating an Infrastructure.
- Gain Cross-Tenant access to restricted policy-based resources.
- JIT Access to the AWS Console is redesigned with several usability enhancements.
- Enable Control Plane logging for EKS clusters.
- Enable Read-only processing for ECS services.
- Support for Aurora RDS Serverless and MySQL read replicas and ability to modify Serverless replica instance size.
- Improved documentation for upgrading an EKS cluster version.
Azure
- Add a direct link to the Azure Console from the DuploCloud Host page.
General Updates
- Set read-only access to specific Tenants for DuploCloud users.

March 2023

AWS
- Virtual Private Cloud (VPC) peering is supported to facilitate data transfer between VPCs.
- EMR Serverless is supported to run open-source big data analytics frameworks without configuring, managing, and scaling clusters or servers.
- DuploCloud users can obtain Just-In-Time (JIT) access to the AWS Console.
- AWS SQS Standard and FIFO queues are now supported.
- Use the DuploCloud Portal to work with AWS Internet of Things (IoT).
- Support for Redis database versions when creating Elastic Cache (Ecache).
- Enable shell access for ECS, Kubernetes, and Native docker containers using a simplified workflow.
- Reduce storage cost and increase performance by setting GP3 as your default storage class.
- Enable NAT Gateways for High Availability (HA).
- Restart up to twenty DuploCloud Services at once.
GCP
- Updated documentation for supported databases.
CI/CD
- Documentation for Bitbucket Pipelines is available, which allows developers to automatically build, test, and deploy their code every time they push changes to an Atlassian Bitbucket repository.
Terraform
- Added IdleTimeout to duplocloud_aws_load_balancer resource.

February 2023

AWS
- Enable Elastic Kubernetes Service (EKS) for your existing infrastructure. EKS versions 1.22 and 1.23 are supported.
- Timestream databases are now supported.
General updates
- Delete VPN connections for users.

December 2022 and January 2023

AWS
- AWS ElastiCache, a managed caching service for Redis and Memcached, is now supported.
- Monitor Tenant usage in Cost Management for billing with weekly or monthly views. After clicking the Spend by Tenant tab, select the shared card to display tax and support costs.
- Maintain cluster stability with Ingress Health Checks annotations.
- Use the K8s Admin dashboard to monitor StatefulSets.
- Force creation of StatefulSets.
Azure
- Support for Kubernetes Ingress.
- Monitor Tenant usage in the Cost Management for billing feature with weekly or monthly views.
- Edit Azure agent pools, used to run Azure Kubernetes (AKS) workloads.
GCP
- Monitor Tenant usage in the Cost Management for billing feature with weekly or monthly views.
Kubernetes (K8s)
- Support for Kubernetes Ingress in Azure.
- Maintain cluster stability with Ingress Health Checks annotations for AWS.
- Force creation of StatefulSets in AWS.
- Use the K8s Admin dashboard to monitor StatefulSets in AWS.
- Edit Azure agent pools, used to run Azure Kubernetes (AKS) workloads.

November 2022

Ability to add Path-Based Routing rules: Configure path-based routing rules for application load balancers.
Support for Aurora Serverless V2: User can create and manage Aurora Serverless V2 RDS.
Billing License Usage: Overview of DuploCloud License Usage according to current service usage.

October 2022

Ability to add Logging Infra at Tenant Level: Support to configure logging setup other than default tenant.
Support multiple docker registry credentials in a single tenant: The user can configure multiple docker registry credentials from the plan.

September 2022

Support for Amazon Managed Apache Airflow: Ability to configure AWS Managed Airflow
Configure custom prefix for S3: Ability to configure a prefix for S3 bucket names.
Azure Support to add Storage account: Create Storage Accounts, File Shares, and generate Shared Access Signature (SAS).
Multiple Azure User Enhancements were made.

August 2022

Support for Elastic File System (EFS): Support for adding EFS has been added to DuploCloud. You can create and mount a shared filesystem for an Infrastructure in the DuploCloud Portal.
Support for adding Kubernetes Storage Class: Support for Kubernetes Storage Class and Persistent Volumes is now available.
Support for Kubernetes Secret Provider Class: This provides the ability to integrate AWS parameters and secrets to be available as Kubernetes secrets.
Ability to add Lambda using Container Images: Users can now configure an AWS Lambda using Container images.
Support to configure RDS Automatic Backup Retention: Administrators can configure RDS Automatic Backup Retention in days at the system level
Export Terraform from an existing Tenant: Ability to export DuploCloud terraform provider code for an existing DuploCloud Tenant

July 2022

Ability to Automatically generate Alert: Users can now configure automated alarm creation in AWS, to ensure new resources are included in monitoring.
Ability to set resource allocation quotas by an Admin: Administrators would often like to restrict the type of resources that should or should not be provisioned in their environments. This feature allows them to configure those rules via a DuploCloud Plan.
Support for Kubernetes Ingress Controller: Support for the K8s Ingress controller has been added, this is a key piece of functionality for traffic routing to a K8s cluster.
RDS Snapshot Management: Support for RDS database snapshots was added to the DuploCloud Portal, accessible through the RDS page.
Terraform Provider updates: Expanded support for more resources in the DuploCloud terraform provider, specifically for Microsoft Azure.

Getting Started with DuploCloud

An outline of the DuploCloud approach compared to existing DevOps

Existing Approach

Technology organizations today typically have people with two distinct skill sets: Software Engineers and DevOps Engineers. Compliance functions may be managed by these engineers or by a separate team. In startups and smaller companies, engineers may wear all three hats.

Software Engineers design high-level application architectures that typically include multiple environments (Dev, Stage, QA, Production, etc.), CI/CD pipelines, and diagnostics like central logging, monitoring, and alerting. The business dictates specific compliance standards like PCI, HIPAA, SOC 2, etc. All this information is passed to the DevOps team, who translates it into cloud infrastructure configurations.

DevOps Engineers must manually convert requirements into hundreds or thousands of lower-level configurations, best practices, and compliance controls such as IAM Roles, Instance profiles, KMS Keys, PEM keys, vulnerability scanning systems, virus scanners, VPC, Security Groups, Intrusion detection, etc. This translation is usually done based on human knowledge and subject matter expertise and often requires thousands of lines of code using languages like Terraform, Python, and Bash.

A common misconception is that tools like Terraform fully automate DevOps workflows. Terraform is only a programming language. One needs substantial infrastructure know-how to build automation using Terraform. DevOps engineers often lack awareness of compliance nuances beyond best practices and must revisit and redo their work frequently to ensure compliance.

DevOps essentially requires one to be a programmer, an operator, and a compliance expert: three distinct skill sets that have never traditionally co-existed in the IT industry. This is the primary challenge in the DevOps space.

DuploCloud Approach

DuploCloud simplifies and automates cloud infrastructure management by enabling users to deploy and operate applications without knowledge of lower-level DevOps nuances. The platform requires only three high-level inputs:

1. Application architecture

2. Compliance standards (SOC 2, PCI, HIPAA, etc.)

3. Public cloud provider

With these inputs, DuploCloud generates all the lower-level configurations to adhere to DevOps best practices and required compliance standards.

DuploCloud's core approach to security and compliance is out-of-box compliance so users don't have to learn and apply compliance controls. DuploCloud supports PCI, HIPAA, SOC 2, HITRUST, NIST, ISO, GDPR, and more. See the DuploCloud documentation to learn more about how DuploCloud provides unparalleled security and compliance.

Users interact with their applications through the No-Code DuploCloud UI or our Low-Code Terraform provider, operating directly on cloud constructs like S3 buckets, DynamoDB, Lambda functions, and more, without sacrificing flexibility or scalability. The DuploCloud Terraform provider enables users to achieve the same automation with a tenth of the code and significantly fewer DevOps skills than native Terraform.

A common misconception is that DuploCloud generates Terraform behind the scenes to provision the cloud infrastructure. The DuploCloud UI and Terraform (with the DuploCloud Provider) are layered on top of DuploCloud. Behind the scenes, DuploCloud uses the cloud provider Application Programming Interfaces (APIs) as shown in the picture below.

Unlike a PAAS such as Heroku, the DuploCloud platform does not prevent users from consuming cloud services directly from the cloud provider. DuploCloud is a self-hosted platform running in the customer's cloud account and can therefore work in tandem with direct cloud account changes. Complex security details (IAM roles, KMS keys, Azure Managed Identities, GCP service accounts, etc.) are hidden, but remain configurable if needed. See this DuploCloud white paper for more information and examples.

DuploCloud uses APIs to handle tasks in the background (e.g., processing user requests, generating configurations synchronously, and calling the cloud provider). Other operations require asynchronous processing, requiring a state machine with retries that continuously identifies and corrects configuration drift and continuously monitors faults and compliance controls.

DuploCloud eliminates the need for extensive manual coding and drastically reduces the need for specialized DevOps expertise. At the same time, the platform ensures efficient, scalable, and compliant cloud infrastructure deployment and management, making it a superior alternative to traditional methods.

What DuploCloud Does

How DuploCloud is able to provide comprehensive DevSecOps support in a single intuitive tool

DuploCloud is a comprehensive solution for DevOps and SecOps, bringing cloud infrastructure management to businesses, regardless of expertise level.

DuploCloud uses templates to create cloud infrastructures comprising hundreds of scaled, managed components. Microservices can be created in minutes, accelerating time to market. Advanced DevOps users can leverage Kubernetes and Terraform to create custom solutions.

For a flat rate per year, personalized onboarding, cloud migration, SecOps questionnaire completion, and auditing support are included.

If there is a way to do something in the cloud, it can be done faster and more efficiently with DuploCloud.

1. Turbo-charging Infrastructure and workspace creation

Did you know that DuploCloud can create a complete cloud infrastructure comprising virtually hundreds of components and sub-components in ten to fifteen minutes? This usually takes hours to develop in a native cloud portal and even longer when using native Kubernetes (K8s). Individual workspaces () can be created in less than a minute.

This acceleration is critical to many of the business value propositions DuploCloud offers. It is why we can perform cloud migrations at such an advanced pace, minimizing downtime and simultaneously ensuring security and compliance (and peace of mind).

2. Built-in scaling and managed services

Virtually all of the services DuploCloud supports are designed to auto-scale as your cloud environment grows exponentially. These Managed Services include automated "set and forget" configurations that dovetail neatly into developer self-service.

As with creating Infrastructures and Tenants, DuploCloud Services are designed for the most common use cases. They enable users to supply a minimum number of inputs to get their service up and running quickly. At the same time, DuploCloud retains the ability to customize, using native Kubernetes YAML coding and custom scripting if needed.

Turnkey access to scalable Kubernetes constructs and managed services ensures minimal implementation detail, making DuploCloud the DevSecOps platform for the rapidly expanding AI/ML cloud space. In this arena, the power of an automated platform becomes readily apparent, not only in setting up your cloud infrastructure but also in maintaining it.

DuploCloud’s ready-made templatized approach to K8s makes adjustments to Kubernetes parameters, such as Horizontal Pod Autoscalars (HPA) for CPU and RAM requirements, easy to access and adjust.

DuploCloud is an efficient, user-friendly means of helping developers automate their environment, reducing the need for constant monitoring or "babysitting." More information on fewer screens and improved ease of navigation enhance monitoring performance.

3. Intuitive self-service DevOps for developers

DuploCloud's simplified UI guides developers and less savvy DevOps users in creating and managing DevOps components and constructs. Even advanced features such as AWS Batch, CloudFront, or setting up a Lambda function are simplified through a combination of procedural documentation, step-by-step UI panels, and even sample code blocks that can be accessed through info-tips in the UI.

Using a templatized approach, potentially complex Kubernetes constructs such as Ingress and Terraform scripting can be managed by developers with minimal exposure to such functionality. Experts who have invested time and money in creating custom solutions using such tools do not need to discard their work. DuploCloud can help integrate existing solutions and workflows, expediting and often automating them during onboarding, often at no additional cost.

Do you know that one of DevOps and cloud engineers' biggest headaches is complex navigation and workflows? Using DuploCloud, you can minimize the time you typically spend logging in and out of AWS, Azure, and GCP consoles. Every DevOps and SecOps task can be completed from within the DuploCloud portal, often with significantly reduced clicks.

Compare the keystrokes and navigation between DuploCloud and using a native cloud portal. Often, DevOps engineers "get used to the pain" inherent in many daily DevOps tasks, unaware they can gain back minutes, hours, and days by using DuploCloud.

Some commonly used tools that can be accessed directly within DuploCloud include kubectl, shell access, and JIT access to cloud consoles from within DuploCloud.

5. Turn-key compliance and security

When you let DuploCloud manage your DevOps environment, a scalable and robust SecOps framework and implementation strategy are included. Aligned with industry best practices, our staff of SecOps experts analyzes how your data is stored and transmitted, helps identify the standards you must meet, and then constructs a detailed implementation strategy to meet and exceed those requirements, in addition to creating a scalable model that adapts as your customer base and workloads grow.

Using easy-to-access "Single Pane of Glass" dashboards, DuploCloud provides a granular view of all security issues and compliance controls. Completing questionnaires and passing audits is simple, especially with our 24/7 support.

6. Seamless CI/CD pipeline integrations

Some of the tools we support, such as GitHub Actions, include ready-to-run scripts for quickly creating Docker images, updating Services or Lambdas, uploading data to an S3 Bucket, or executing Terraform scripts.

Whatever your tool of choice, our DevOps experts can help you find the best workflow that requires the least effort to build and maintain.

7. Optimizing DevOps Spending

One of the biggest reasons to consider an automated DevSecOps solution comes down to dollars and cents. It's too easy to spend a lot on a public cloud solution without knowing precisely where your money goes. Sometimes, the components and services you've created (and even ones you've forgotten about) cost you more than they're earning you.

DuploCloud provides several billing dashboards that break down your spending by workspace and component. These dashboards are navigable with just a few clicks. Our support team can help you identify redundancies in services and tools and possibly cut costs by suggesting solutions leveraging the many third-party tools built into DuploCloud.

8. Scalable, simplified, faster Terraform scripting

As with most platforms, the work required to set up and configure a Terraform environment can adversely impact accuracy, productivity gains, and effectiveness. Crafting scalable Terraform requires more skills than simply programming. In addition, as with any code base, it requires constant updating, refactoring, and other maintenance tasks.

Using DuploCloud’s proprietary Terraform provider removes the need to write specifically for one public cloud. You can effectively use the same DuploCloud Terraform code — as it maps to DuploCloud’s constructs, not one specific cloud — with several public clouds. You don’t need to worry about differentiating platform-specific specifications. DuploCloud handles all of this for you in a transparent, replicable manner. You use utilities such as DuploCloud’s Terraform Exporter to quickly clone Tenants and modify configuration details when needed for specific Infrastructures and Tenants.

9. Single Pane of Glass for enhanced observability

Attempting to monitor your cloud infrastructure from the numerous UIs offered by public providers often obscures problems or causes confusion. DuploCloud's monitoring interfaces combine multiple functionalities on one screen; our SIEM dashboard is a primary example of such flexibility and comprehensiveness. Leveraging Wazuh, DuploCloud offers unprecedented insights from a single interface.

Using OpenSearch, Grafana, and Prometheus, you can get single snapshots of logging, auditing, compliance and security vulnerabilities, custom alerting, and fault lists with one click.

10. Cost-reduction leveraging DuploCloud Third-Party tools

DuploCloud Onboarding

What you can expect during the DuploCloud onboarding process

Phase 1. Kickoff and Delivery

During Kickoff and Delivery, your team learns about the DuploCloud onboarding flow and what to expect in each phase. Our team works closely with yours to review your project scope and objectives, technical specifications and information, and important dates and deadlines.

By the end of this phase, DuploCloud engineers will configure a DuploCloud Platform in your company's cloud account. We will ask your team for any feedback about the onboarding approach to improve the process in the future.

Your Team Provides:

Project details, including objectives, technical specifications, and dates/deadlines
A list of project members and roles
A new cloud account with access for DuploCloud engineers
Read-only access to your existing accounts, documents, repositories, and artifacts

DuploCloud Provides:

Introduction to the onboarding process
A DuploCloud Platform in your new cloud account

Phase 2. Assessment and Project Planning

In the Assessment and Project Planning phase, DuploCloud engineers create and review a high-level block diagram of your project architecture, verify your containerization needs, and confirm your service configurations, interdependencies, and data migration requirements. We also complete a compliance assessment to ensure your project meets all required compliance guidelines. Together, our teams choose a working-session cadence that aligns with your project needs and timeline.

By the conclusion of this phase, we will provide you with a DuploCloud Portal your team can access and detailed information about the project plan.

Your Team Provides:

Verification of your project's containerization needs, service configurations, interdependencies, and data migration requirements
Project plan questions or feedback
Input for the creation of a working session plan

DuploCloud Provides:

List of in-scope services and their statuses
Project plan for the initial workload deployment
Confirmation of Tenant structure
A DuploCloud Portal with access for your team
Recurring working session schedule

Phase 3. Initial Workload Deployment

In this phase, DuploCloud engineers deploy your Dev environment, which includes all in-scope services and applications. During deployment working sessions, we provide your team with comprehensive DuploCloud Platform training. Teams discuss and complete any necessary application-level changes and move on to app containerization, secret management, and Kubernetes configuration (where required). Finally, we review the dev deployment and your team's test plan.

Your Team Provides:

Necessary application changes
Dev deployment testing and signoff

DuploCloud Provides:

A complete Dev environment deployment for testing
Training on the DuploCloud Platform during deployment work sessions
Terraform code that can be used as a template for new environments, if needed

Phase 4. CI/CD & Release Management

The CI/CD & Release Management phase involves identifying Services and Tenants to implement pipelines, selecting and agreeing on a pipeline implementation logic, and building the pipelines. DuploCloud builds an operational CI/CD pipeline for each Service and trains your team to add and modify CI/CD pipelines in the future.

Your Team Provides:

Input for CI/CD pipeline development
Participation in information/knowledge sharing, training, and demo

DuploCloud Provides:

An operational CI/CD pipeline for each of the project’s Services
Training so your team can add and modify pipelines

Phase 5. Production Deployment

The fifth phase, Production Development, focuses on the Production environment. During this phase, the DuploCloud team works with your team to confirm your high-availability requirements and apply any needed adjustments. We also review and update infrastructure component scale parameters (e.g., CPU and memory utilization) and monitoring and alerting configurations. Lastly, we review data migration requirements and formulate a production cutover plan.

Shared Responsibilities

Deploy the Production environment
Test the Production environment
Stabilize production applications

Phase 6. Onboarding Signoff

Onboarding Signoff ensures that your team is prepared for the following stages of support and operations, where you’ll receive ongoing maintenance assistance. We review your ongoing support needs, discuss your plans for the next 3 to 6 months, and establish the next steps with the Operations team to ensure a smooth handover and continuity of service. On top of that, the DuploCloud team delivers an updated architecture diagram, providing a clear and current overview of the system's structure. Lastly, we ask you for feedback about the onboarding experience, which is crucial for assessing the process and identifying areas for improvement.

Your Team Provides:

Feedback about the onboarding experience

DuploCloud Provides:

An outline of your next steps with the Operations team
An updated architecture diagram

Application Focused Interface: DuploCloud Architecture

A high-level overview of the building blocks of DuploCloud's infrastructure-based architecture

The DuploCloud Platform is an application-infrastructure-centric abstraction created atop the user's cloud provider account. Users can deploy and operate their applications using DuploCloud's simple, user-friendly UI, or use the Low-Code Terraform provider to consume cloud services like S3, DynamoDB, Lambda functions, GCP Redis, Azure SQL, etc., from their cloud provider.

Since DuploCloud is a self-hosted platform running in the customer's cloud account, it can work in tandem with direct changes on the cloud account. This means, that while some security functions (IAM roles, KMS keys, Azure Managed Identities, GCP service accounts, etc.) are hidden from the end user, they are still configurable. See examples in this DuploCloud Whitepaper.

The following diagram shows the high-level abstractions within which applications are deployed, and users operate.

DuploCloud Tenancy Models

An outline of the tenancy deployment models supported by DuploCloud

DuploCloud supports a variety of deployment models, from basic multi-tenant applications to complex single-Tenant deployments within customer environments. These models cater to different security needs, allowing customers to achieve their desired isolation level while maintaining operational efficiency.

DuploCloud-supported tenancy models, outlined below, include:

Application-Managed Multi-Tenancy
DuploCloud Tenant-per-Customer
DuploCloud Infrastructure-per-Customer
Cloud Account-per-Customer
Hybrid Model
On-Premises

Tenancy Deployment Models

Application-Managed Multi-Tenancy

Description: The application manages tenant isolation with DuploCloud structured pooled tenancy.
Use Case: The most common scenario is where the application logic isolates customer data. DuploCloud Tenants are then used to isolate development environments (i.e., Nonprod and Prod).
Infrastructure:
- Shared DuploCloud Infrastructure (VPC, Tenant, VM/instances, S3 bucket, RDS). Cluster/namespace can also be shared.
- Scaling: Increase compute instances for Kubernetes worker nodes as needed.

DuploCloud Tenant-per-Customer

Description: Each customer gets a separate DuploCloud Tenant.
Use Case: Suitable for older applications not designed for multi-tenancy, or security and compliance needs.
Infrastructure:
- Shared network layer (VPC).
- Separate Tenants per customer with security boundaries (security group, KMS key, SSH key, Kubernetes namespace).
- Kubernetes cluster is shared and boundaries are through the namespace.

DuploCloud Infrastructure-per-Customer

Description: Each customer gets a separate DuploCloud Infrastructure.
Use Case: Provides a higher security boundary at the network layer where customer access and data are separated.
Infrastructure:
- Separate VPC and network resources for each customer.
- Clusters are inherently separate through Tenants isolated in different Infrastructures.
- Higher cost due to duplicated resources and operational overhead.

Cloud Account-per-Customer

Description: Each customer gets a separate cloud account.
Use Case: The least common model, used for customers requiring complete isolation.
Infrastructure:
- Separate accounts with a DuploCloud Platform installed in each.
- Each account then has its own DuploCloud Infrastructure and Tenant.

Hybrid Model

Description: Combination of the above models as needed to meet specific requirements.
Use Case: Diverse customer needs.
Infrastructure:
- A combination of previous models.
- Organization-specific depending on requirements: some organizations may be in a pooled application environment whereas others may be more isolated through Tenant boundaries.

Special Hybrid Case: Single-Tenant Deployment in an External Kubernetes Cluster

Description: DuploCloud imports existing Kubernetes clusters from external environments.
Use Case: A cluster and resources already exist, or customers require the application or services solution running inside their client's cloud account. Customers are comfortable creating their own Kubernetes environments.
Infrastructure:
- Customer's cloud account or On-premises cluster (EKS, AKS, GKE, Oracle, DOKS, etc.) in conjunction with a DuploCloud Infrastructure. This could be any Kubernetes cluster not created by DuploCloud.
- Manages both multi-Tenant and single-Tenant environments from the DuploCloud UI.

Documentation and Support

Documentation: DuploCloud documentation is available to support the development of your DuploCloud tenancy model.
Support: DuploCloud customer support can assist you in designing your deployment model or creating and managing Kubernetes clusters.

DuploCloud Common Components

DuploCloud components common to AWS, GCP, and Azure DuploCloud deployments

Several DuploCloud components are used with AWS, GCP, Azure, and hybrid/On-premises Services. These include Infrastructures, Plans, Tenants, Hosts, and Load Balancers. This section provides a conceptual explanation of the following common DuploCloud components:

For instructions to implement these common components in your DuploCloud account, see the documentation for your cloud provider:

Infrastructure

A conceptual overview of DuploCloud Infrastructures

Infrastructures are abstractions that allow you to create a Virtual Private Cloud (VPC) instance in the DuploCloud Portal. When you create an Infrastructure, a Plan (with the same Infrastructure name) to supply the network configuration that runs your Infrastructure is automatically created and populated with the Infrastructure configuration.

For instructions to create an Infrastructure in the DuploCloud Portal, see:

Each Infrastructure represents a network connection to a unique VPC/VNET, in a region with a Kubernetes cluster. For AWS, it can also include an ECS. An Infrastructure can be created with four basic inputs: Name, VPC CIDR, Number of AZs, Region, and a choice to enable or disable a K8S/ECS cluster.

When you create an Infrastructure, DuploCloud automatically creates the following components:

VPC with two subnets (private, public) in each availability zone
Required security groups
NAT Gateway
Internet Gateway
Route tables
VPC peering with the master VPC, which is initially configured in DuploCloud

Additional requirements like custom Private/Public Subnet CIDRs can be configured in the Advanced Options area.

A common use case is two Infrastructures: one for Prod and one for Nonprod. Another is having an Infrastructure in a different region for disaster recovery or localized client deployments.

Plans and Infrastructures

Once an Infrastructure is created, DuploCloud automatically creates a Plan (with the same Infrastructure name) with the Infrastructure configuration. The Plan is used to create Tenants.

Plan

A conceptual overview of DuploCloud Plans

DuploCloud Plans

When you create an Infrastructure in DuploCloud, a Plan is automatically generated. A Plan is a placeholder or a template for configurations. These configurations are consistently applied to all Tenants within the Plan (or Infrastructure). Examples of such configurations are:

Certificates available to be attached to Load Balancers in the Plan's Tenants
Machine images
WAF web ACLs
Common IAM policies and SG rules to be applied to all resources in the Plan's Tenants
Unique or shared DNS domain names where applications provisioned in the Plan's Tenants can have a unique DNS name in the domain
Resource Quota that is enforced in each of the Plan's Tenants
DB Parameter Groups
Policies and feature flags applied at the Infrastructure level on the Plan's Tenants

The figure below shows a screenshot of the plan constructs:

DuploCloud Plans and DNS Considerations

When creating DuploCloud Plans and DNS names, consider the following to prevent DNS issues:

Plans in different portals will delete each other's DNS records, so each portal must use a distinct subdomain for its Plans.
DuploCloud Plans in the same portal can share a DNS domain without deleting each other's records. Duplo-created DNS names will always include the Tenant name, which prevents collisions.
The recommended practice for most portals is to set all Plans to the same DNS name, including the default Plan.
Ideally, custom subdomains will be set in the Plans before turning on shell, monitoring, or logging. If the DNS is changed later, those services may need to be updated.

Tenant

A conceptual overview of DuploCloud Tenants

Tenant as a Logical Concept

A Tenant, like a project or a workspace and a child of the Infrastructure, is the most fundamental construct in DuploCloud. While Infrastructure is a VPC level isolation, Tenant is the next level of isolation implemented by segregating Tenants using concepts like Security Groups, IAM roles, Instance Profiles, K8S Namespaces, KMS Keys, etc.

For instructions to create a Tenant in the DuploCloud Portal, see:

At the logical level, a Tenant is fundamentally four things:

Container of Resources: All resources (except those corresponding to Infrastructure) are created within the Tenant. If we delete the Tenant, all resources within it are terminated.
Security Boundary: All resources within the Tenant can talk to each other. For example, a Docker container deployed in an EC2 instance within a Tenant will have access to S3 buckets and RDS instances in the same Tenant. By default, RDS instances in other Tenants cannot be reached. Tenants can expose endpoints to each other via ELBs or explicit inter-Tenant SG and IAM policies.
User Access Control: Self-service is the bedrock of the DuploCloud Platform. To that end, users can be granted Tenant-level access. For example, an administrator may be able to access all Tenants while developers can only access the Dev Tenant and a data scientist the data-science Tenant.
Billing Unit: Since a Tenant is a container of resources, all resources in a Tenant are tagged with the Tenant's name in the cloud provider, making it easy to segregate usage by Tenant.
Mechanism for Alerting: Alerts generate faults for all of the resource within a Tenant.
Mechanism for Logging: Each Tenant has a unique set of logs.
Mechanism for metrics: Each Tenant has a unique set of metrics.

Tenants and Kubernetes

Each Tenant is mapped to a Namespace in Kubernetes.

When you create a Tenant in an Infrastructure, a Namespace called duploservices-TENANT_NAME is created in the Kubernetes cluster. For example, if a Tenant is called Analytics in DuploCloud, the Kubernetes Namespace is called duploservices-analytics.

All application components in the Analytics Tenant are placed in the duploservices-analytics Namespace. Since nodes cannot be part of a Kubernetes Namespace, DuploCloud creates a tenantname label for all the nodes launched within the Tenant. For example, a node launched in the Analytics Tenant is labeled tenantname: duploservices-analytics.

Any Pods launched using the DuploCloud UI have an appropriate Kubernetes nodeSelector that ties the Pod to the nodes within the Tenant. Ensure kubectl deployments use the proper nodeSelector.

Tenant Use Cases

DuploCloud customers often create at least two Tenants for their Prod and Nonprod cloud environments (Infrastructures).

You can map Tenants in each (or all) of your production environments.

For example:

Production Infrastructure
- Pre-production Tenant - for preparing or reviewing production code
- Production Tenant - for deploying tested code
Nonproduction Infrastructure
- Development Tenant: For writing and reviewing code
- Quality Assurance Tenant: For automated testing

Some customers in larger organizations create Tenants based on application environments: one tenant for data science applications, another for web applications, etc.

Tenants can also isolate a single customer workload allowing more granular performance monitoring, flexibility scaling, or tighter security. This is referred to as a single-Tenant setup. In this case, a DuploCloud Tenant maps to an environment used exclusively by the end client.

With large sets of applications accessed by different teams, it is helpful to map Tenants to team workloads (Dev-analytics, Stage-analytics, etc.).

Hosts

A conceptual overview of DuploCloud Hosts

Hosts (VMs) are a cornerstone of cloud infrastructure, essential for providing isolated, scalable, and flexible environments for running applications and services. Hosts can exist in various forms and configurations, depending on the environment and the technology stack.

For instructions to create a Host in DuploCloud, see the documentation for your specific cloud provider:

In DuploCloud, Hosts are virtualized computing resources provided by your cloud service provider (e.g., AWS EC2, Google Compute Engine, Azure VMs) or your organization's data center and managed by the DuploCloud Platform. They are used to provision scalable, on-demand infrastructure. DuploCloud abstracts the complexities of provisioning, configuring, and managing these Hosts. DuploCloud supports the following Host contexts:

Public Cloud: VMs provided by cloud providers and managed through the DuploCloud Platform.
Private Cloud: Virtualized environments managed within an organization's data center.
Combination of On-premises and Cloud: A mix of physical hosts, VMs, and cloud-hosted instances.

Services

A conceptual overview of DuploCloud Services

A Service could be a Kubernetes Deployment, StatefulSet, or DaemonSet. It can also be a Lambda function or an ECS task or service, capturing a microservice. Each service (except Lambda) is given a Load Balancer to expose itself and is assigned a DNS name.

DuploCloud Services should not be confused with Kubernetes or ECS services. By Service, we mean application components that can be either Docker-based or serverless.

DuploCloud Supported Services

For information on cloud-specific Services supported by DuploCloud, see:

DuploCloud supports a simple, application-specific interface to configure dozens of cloud services, such as S3, SNS, SQS, Kafka, Elasticsearch, Data Pipeline, EMR, SageMaker, Azure Redis, Azure SQL, Google Redis, etc. Almost all commonly used services are supported, and new ones are constantly added. DuploCloud Engineers fulfill most requests for new services within days, depending on their complexity.

All services and cloud features are created within a Tenant. While users specify application-level constructs for provisioning cloud resources, DuploCloud implicitly adds all the underlying DevOps and compliance controls.

Below is an image of some properties of a service:

Diagnostics

An overview of DuploCloud diagnostics

DuploCloud Diagnostics Functions

The DuploCloud platform automatically orchestrates the following main diagnostic functions:

Central Logging

A shared Elasticsearch cluster is deployed and Filebeat is installed in all worker nodes to fetch logs from various applications across Tenants. The logs are injected with metadata corresponding to the Tenant, Service, container ID, Host, etc. Further, each Tenant has a central logging dashboard which includes the Kibana view of logs from applications within the Service. See the screenshot below:

Metrics

Metrics are fetched from Hosts, containers, and Services and displayed in Grafana. Services metrics are collected behind the scenes by calling cloud provider APIs like CloudWatch and Azure Monitor. For nodes and containers, metrics are collected using Prometheus, Node Exporter, and cAdvisor. The Metrics dashboards are Tenant-centric and segregated per application and Service as shown in the image below:

Alarms and Faults

The platform creates faults for many failures automatically. For example, health check failures, container crashes, node crashes, deployment failures, etc. Further, users can easily set alarms like CPU and memory for EC2 instances or free disk space for RDS databases. Failures are displayed as faults under their respective Tenant. Sentry and Pager Duty projects can be linked to Tenants, and DuploCloud will send faults there so the user can set notification configurations.

Audit Trail

All system changes are logged in an audit trail in Elasticsearch where they can be sorted and viewed by Tenant, Service, change type, user, and dozens of other filters.

Management Portal Scope

Following is the scope of cloud provider resources (accounts) that a single DuploCloud portal can manage:

Azure: A single DuploCloud portal can manage multiple Azure subscriptions. Azure natively has the construct of Active Directory or Entra ID which provides the managed identity which has the ability to have access to multiple subscription. DuploCloud inherits the permissions of the managed Identity
GCP: Similar to Azure, in GCP a single instance of DuploCloud can manage multiple GCP projects.
AWS: In AWS a single DuploCloud portal manages one and only one AWS account. This is inline with the AWS IAM implementation i.e. even in native AWS IAM model the building blocks like IAM role, Instance profiles do not span multiple accounts. The cross account SCP policies are quite light weight. In fact AWS organizations was an after thought and added almost 10 years later since the launch of AWS. A good place to experience the concept is when a user logs in using AWS Identity center, they have to choose an account and the session is scoped to that. See the picture below of IAM login console

Inline to this, while behind the scenes there is one DuploCloud portal per AWS account, we implement the same experience as the identity center and provide an account switcher in both login page and inside the portal as below

User Logins

Logins supported by DuploCloud

To integrate your identity and access-management service logins with your DuploCloud account, reach out to DuploCloud support. DuploCloud supports logins from these services:

Google SSO
Microsoft
Azure Active Directory (AD)
Okta SSO

Okta Identity Management

Configure Okta for identity management in DuploCloud

is a cloud-based identity and access management platform that provides secure Single Sign-On (SSO), multi-factor authentication (MFA), and lifecycle management for users across applications.

DuploCloud supports using Okta as a source for user authentication and authorization. This integration allows you to log in to DuploCloud and manage user roles, permissions, and platform access using Okta. Okta's group-based permissions system can also be mapped to DuploCloud's user management to manage access to various services within DuploCloud.

This page covers the configuration process for integrating Okta with DuploCloud. To manage Okta users and permissions or perform tasks like generating and managing Okta API tokens, follow the guidelines in the relevant sections of the .

Prerequisites

. You will need the domain to integrate Okta with DuploCloud.

Configuring Okta with DuploCloud

Step 1. Integrate Okta with DuploCloud

in the Okta Admin Console to enable Okta to integrate with DuploCloud.

Step 2. Configure DuploCloud Authentication Service for Okta

Edit the Configuration File

Update the Duplo.AuthService.exe.config file with your Okta domain and credentials, enabling DuploCloud to authenticate users through Okta and allow single sign-on (SSO) access.

Add the following list of keys to the C:\Program Files (x86)\Duplo.AuthService\Duplo.AuthService.exe.config file, and restart the service (Duplo.AuthService).

Add the DuploCloud Portal URL to the Okta Allowed Callbacks

Configure Okta login allowing users to access the DuploCloud Portal with their Okta credentials.

Add the following list of keys to the C:\Program Files (x86)\Duplo.AuthService\Duplo.AuthService.exe.config file and restart the service Duplo.AuthService.

Step 4. Define Okta User Groups and Permissions in DuploCloud

Assign Group IDs from the Okta Portal to DuploCloud

OktaAdminGroupId Admin Group: Users assigned to this group in OKTA will be given admin permissions in DuploCloud.
OktaReadOnlyGroupId Read-Only Group: Users assigned to this group will have read-only permissions.
OktaSecurityGroupId Security Group: Users in this group will be given security roles.
OktaSignupGroupId Sign-Up Group: Users in this group will have sign-up privileges.
OktaTenantGroupPrefix Tenant Group Prefix: These groups use Tenant prefixes such as duploservices-. Group names follow a format such as duploservices-tenant1. All users within this group will be assigned to tenant1.
OktaTenantGroupPrefix Read-Only Tenant Group Prefix: Use prefixes like duplo-ro-tenant1. Users in this group will be assigned to tenant1 as read-only users.

How to Find Group IDs in the OKTA Portal

Managing Okta Users, Permissions, and API Tokens

Add and Manage Okta Users:
Assign Roles and Permissions:
Delete Users:
Revoke Permissions:
Generate and Manage Okta API Tokens:

Public Cloud Tutorials

Links to the Quick Start Guide for each cloud provider

These tutorials are specific to various public cloud environments and demonstrate some of DuploCloud's most common use cases:

Getting Help with DuploCloud

Support features included with the product and how to contact DuploCloud Support

DuploCloud offers hands-on 24/7 support for all customers via Slack or email as part of your subscription. Automation and developer self-service are at the heart of the DuploCloud Platform. We are dedicated to helping you achieve hands-off automation as fast as possible via rapid deployment of managed services or customized Terraform scripts using our exclusive Terraform provider. Additionally, you can access various help options, including product documentation and customer support, directly from the DuploCloud Portal. For real-time answers tailored specifically to your organization's needs, ask customer support about Ask DuploCloud, our AI-powered assistant.

How to Contact DuploCloud for Support

Use the customer Slack or Microsoft Teams channel created during onboarding.
Email us at support@duplocloud.net.

Included DuploCloud Support Features

Some of the things we support our customers with in real time include:

Configuring changes in your public cloud infrastructures and associated Kubernetes (K8s) constructs managed by DuploCloud
Setting up CI/CD pipelines
Cloud Migration from any existing platform
Proactive, tailored EKS cluster upgrades designed for minimum downtime impact
Accelerated onboarding of existing Services
Troubleshooting and debugging for:
- Apps and Services crashing
- OpenSearch or database instances slow or crashing
- Proof-of-Concepts (PoCs) for third-party integrations, including roll-out to the development environment
- Downtime during rolling Upgrades
- Investigation and clarification of public cloud provider billing increases. Many times DuploCloud can suggest a more cost-effective alternative
- Consolidation of third-party tools for which you currently subscribe that are included with your DuploCloud subscription
- Adding a CI/CD pipeline for a new service

What DuploCloud Does Not Support or Supports Conditionally

We cover most of your DevOps needs, but there are some. Examples of needs we do not or only partially support include, but are not limited to:

Patching an application inside a Docker image
Monitoring alerts in a Network Operations Center (NOC)
Troubleshooting application code
Database configuration

How to get help from within the DuploCloud Portal

What's New: Stay informed about the latest features and updates in the DuploCloud platform.
FAQs: Access frequently asked questions to quickly find answers to common inquiries.
Documentation: Browse through our comprehensive product documentation to help you navigate the platform and optimize your usage.
Contact Us: Reach out to us via an email form for further assistance through this option.

Container Orchestrators

Multiple container orchestration technologies for ease of consumption

Most application workloads deployed on DuploCloud are in Docker containers. The rest consist of serverless functions, and big data workloads like Amazon EMR jobs, Airflow, and Sagemaker. DuploCloud abstracts the complexity of container orchestration technologies, allowing you to focus on deploying, updating, and debugging your containerized application.

Among the technologies DuploCloud supports are:

Kubernetes: On AWS, DuploCloud supports orchestration using Elastic Kubernetes Service (EKS). On GCP we support GKE auto pilot and node-pool based. On Azure we support AKS and Azure web apps.
Built-in (DuploCloud): DuploCloud platform's Built-in container management has the same interface as the docker run command, but it can be scaled to manage hundreds of containers across many hosts, providing capabilities such as associated load balancers, DNS, and more.
AWS ECS Fargate: Fargate is a technology you can use with Elastic Container Service (ECS) to run containers without having to manage servers or clusters of EC2 instances.

Container Orchestration Feature Matrix

You can use the feature matrix below to compare the features of the orchestration technologies that DuploCloud supports. DuploCloud can help you implement whatever option you choose through the DuploCloud Portal or the Terraform API.

Feature

Kubernetes

Built-In

ECS Fargate

One dot indicates a low rating, two dots a medium rating, and three dots a high rating. For example, Kubernetes has a low ease-of-use rating but a high rating for stateful applications.

Feature Definitions

See the sections below for a detailed explanation of the cloud orchestrator's feature matrix ratings.

Ease of Use

Kubernetes is extensible and customizable, but not without a cost in ease of use. The DuploCloud Platform reduces the complexities of Kubernetes, making it comparable with other container orchestration technologies in ease of use/adoption.

ECS Fargate contains proprietary constructs (such as task definitions, tasks, or services) that can be hard to learn. As Fargate is serverless, you can't control the host Docker, so commands such as docker ps and docker restart are unavailable. This makes debugging a container crash very difficult and time-consuming. DuploCloud simplifies Fargate with an out-of-the-box setup for logging, shell access, and abstraction of proprietary constructs and behavior.

Features and Ecosystem Tools

Kubernetes is rich in additional built-in features and ecosystem tools like Secrets and ConfigMaps. Built-in and ECS rely on native AWS services such as AWS Secrets Manager, SSM, S3, and others. While Kubernetes features have AWS equivalents, third parties like Influx DB, Time Series DB, Prefect, etc. tend to publish their software as Kubernetes packages (Helm charts).

Suitability for Stateful Apps

Stability and Maintenance

Although Kubernetes is highly stable, it is an open-source product. Kubernetes' native customizability and extensibility can lead to points of failure. For example, when a mandatory cluster upgrade is needed. This complexity often leads to support costs from third-party vendors. Maintenance can be especially costly with EKS, as versions are frequently deprecated, requiring you to upgrade the control plane and data nodes. DuploCloud automates this upgrade process but still requires careful planning and execution.

AWS Cost

EKS control plane is fairly inexpensive, but operating an EKS environment without business support (at an additional premium) is not recommended. Small businesses may reduce costs by adding the support tier only when needed.

Multi-Cloud

For many enterprises and independent software vendors, multi-cloud capabilities are, or will soon be a requirement. While Kubernetes provides this benefit, DuploCloud's implementation is much easier to maintain and implement.

Terminologies in Container Orchestration

Key terms and concepts in DuploCloud container orchestration

The following concepts do not apply to ECS. ECS uses a proprietary policy model, which is explained in a .

Familiarize yourself with these DuploCloud concepts and terms before deploying containerized applications in DuploCloud. See the section for a description of DuploCloud Infrastructures, Tenants, Hosts, and Services.

Hosts

These are virtual machines (EC2 Instances, GCP Node pools, or Azure Agent Pools). By default, apps within a Tenant are pinned to VMs in the same Tenant. One can also deploy Hosts in one Tenant that can be leveraged by apps in other Tenants. This is called the shared-host model. The shared-host model does not apply to ECS Fargate.

Services

Service is a DuploCloud term and is not the same as a Kubernetes Service. In DuploCloud, a Service is a micro-service defined by a name, Docker Image, number of replicas, and other optional parameters. Behind the scenes, a DuploCloud Service maps 1:1 to a Deployment or StatefulSet, based on whether it has stateful volumes. There are many optional Service configurations for Docker containers. Among these are:

Environment variables
Host Network Mode
Volume mounts
Entrypoint or command overrides
Resource caps
Kubernetes health checks

Allocation Tags

A Service can be configured to run only a specific set of Hosts by setting allocation tags on the Hosts and Service. Allocation tags are case-insensitive substrings. On a Service, allocation tags should be a substring of the Host tag. For example, if a Host is tagged HighCpu;HighMem, a Service tagged highcpu can be placed on it. Services without allocation tags can be placed on any Host.

If a Host has a specific tag and there are Services with the same tag, the Host can also be used by any Service that doesn’t have a tag. To ensure a Host is only used by a specific set of Services, ensure all Services in the Tenant are tagged.

For Kubernetes Deployments, allocation tags are implemented using labels on nodes and then applying node selectors in your Deployment or StatefulSet configurations.

Host Networking

By default, Docker containers have network addresses. Sometimes, containers share the VM network interface. This reuse is called host networking mode.

Load Balancer

A DuploCloud Service that communicates with other Services, must be exposed by a Load Balancer. DuploCloud supports the following Load Balancers (LBs).

Application Elastic Load Balancer (ELB)

Classic ELB (Only applicable to Built-in container orchestration)

Cluster IP (Kubernetes only)

AWS User Guide

Initial steps for AWS DuploCloud users

The DuploCloud platform installs in an EC2 instance within your AWS account. It can be accessed using a web interface, API, or Terraform provider.

You can log in to the DuploCloud portal, using single sign-on (SSO), with your GSuite or O365 login.

Before You Begin

Before getting started, complete the following steps:

Read the and learn about DuploCloud terms like , , and
Set up the DuploCloud Portal
Read the section and ensure at least one person has administrator access
Connect to the DuploCloud Slack channel for support from the DuploCloud team

Prerequisites

Tasks to perform before you use AWS with DuploCloud

Route 53 Hosted Zone

Create a Route 53 Hosted Zone to program DNS entries

The DuploCloud Platform needs a unique Route 53 hosted zone to create DNS entries for Services that you deploy. The domain must be created out-of-band and set in DuploCloud. The zone is a subdomain such as apps.[MY-COMPANY].com.

Never use this subdomain for anything else, as DuploCloud owns all CNAME entries in this domain and removes all entries it has no record of.

Creating a Route 53 Hosted Zone Using AWS Console

Log in to AWS Console.
Navigate to Route 53 and Hosted Zones.
Create a new Route53 Hosted Zone with the desired domain name, for example, apps.acme.com.
Access the Hosted Zone and note the name server names.
Go to your root domain provider's site (e.g., acme.com), and create an NS record that references the domain name of the Hosted Zone you created (apps.acme.com). Add the zone name to the name servers that you noted above.

Once this is complete, provision the Route53 domain in every DuploCloud Plan, starting with the DEFAULT Plan. Add the Route53 Hosted Zone ID and domain name, preceded with a dot (.).

Do not forget the dot (.) at the beginning of the DNS suffix, in the form as shown below.

Note that this domain must be set in each new Plan you create in your DuploCloud Infrastructure.

ACM Certificate

Create an AWS Certificate Manager certificate

The DuploCloud Platform needs a wild character AWS Certificate Manager (ACM) certificate corresponding to the domain for the Route 53 Hosted Zone.

For example, if the Route 53 Hosted Zone created is apps.acme.com, the ACM certificate specifies *.apps.acme.com. You can add additional domains to this certificate (for example, *.acme.com).

The ACM certificate is used with AWS Elastic Load Balancers (ELBs) created during DuploCloud application deployment. Follow this AWS guide to issue an ACM certificate.

Once the certificate is issued, add the Amazon Resource Name (ARN) of the certificate to the DuploCloud Plan (starting with the DEFAULT Plan) so that it is available to subsequent configurations

Adding an ACM Certificate with ARN to a DuploCloud Plan

In the DuploCloud Platform, navigate to Administrator -> Plans. The Plans page displays.
Select the default Plan from the NAME column.
Click the Certificates tab.
Click Add.
In the Name field, enter a certificate name.
In the Certificate ARN field, enter the ARN.
Click Create. The ACM Certificate with ARN is created.

Note that the ARN Certificate must be set for every new Plan created in a DuploCloud Infrastructure.

Enabling Automatic AWS ACM Certificate Creation

Configure DuploCloud to automatically generate Amazon Certificate Manager (ACM) certificates for your Plan's DNS.

From the DuploCloud portal, navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add. The Add Config pane displays.
From the Config Type list box, select Flags.
From the Key list box, select Other.
In the Key field that displays, enter enabledefaultdomaincert.
In the Value list box, select True.
Click Submit. DuploCloud automatically generates Amazon Certificate Manager (ACM) certificates for your Plan's DNS.

Shell Access for Containers

Access the shell for your Native Docker, EKS, and ECS containers

Enable and access shells for your DuploCloud Docker, EKS, and ECS containers directly through the DuploCloud Portal. This provides quick and easy access for managing and troubleshooting your containerized environments.

Native Docker Shell Access

Enabling the Shell for Docker

In the DuploCloud Portal, navigate to Docker -> Services.
From the Docker list box, select Enable Docker Shell. The Start Shell Service pane displays.

In the Platform list box, select Docker Native.
From the Certificate list box, select your certificate.
From the Visibility list box, select Public or Internal.
Click Update. DuploCloud provisions the dockerservices-shell Service, enabling you to access your Docker container shell.

Accessing the Shell for Docker

From the DuploCloud portal, navigate to Docker -> Containers.
Select Container Shell. A shell session launches directly into the running container.

EKS Shell Access

Enabling the Shell for Kubernetes

In the Tenant list box, select the Default Tenant.
In the DuploCloud Portal, navigate to Docker -> Services.
Click the Docker button, and select Enable Docker Shell. The Start Shell Service pane displays.

In the Platform list box, select Kubernetes.
In the Certificate list box, select your certificate.
In the Visibility list box, select Public or Internal.
Click Update. DuploCloud provisions the dockerservices-shell Service, enabling you to access your Kubernetes container shell.

Accessing the Shell for Kubernetes

From the DuploCloud Portal, navigate to Kubernetes -> Services.
Click the KubeCtl Shell button. The Kubernetes shell launches in your browser.

ECS Shell Access

Accessing the Shell for ECS

From the DuploCloud Portal, navigate to Cloud Services -> ECS. The ECS Task Definition page displays.
Select the name from the TASK DEFINITION FAMILY NAME column.
Select the Tasks tab.
In the row of the task you want to access, click the actions icon (>_).
Select the Task Shell option. The ECS task shell launches in your browser.

VPN Setup

Accept OpenVPN, provision the VPN, add VPN users, and manage connection limits

DuploCloud integrates with OpenVPN by provisioning VPN users that you add to the DuploCloud Portal. OpenVPN setup is a comprehensive process that includes accepting OpenVPN, provisioning the VPN, adding users, and managing connection limits to accommodate a growing team.

Accepting OpenVPN

Accept OpenVPN Free Tier (Bring Your Own License) in the AWS Marketplace:

Log into your AWS account. In the console, navigate to: https://aws.amazon.com/marketplace/pp?sku=f2ew2wrz425a1jagnifd02u5t.
Accept the agreement. Other than the regular EC2 instance cost, no additional license costs are added.

Provisioning the VPN

In the DuploCloud Portal, navigate to Administrator -> System Settings.
Select the VPN tab.
Click Provision VPN.

After the OpenVPN is provisioned, it is ready to use. DuploCloud automates the setup by launching a CloudFormation script to provision the OpenVPN.

The OpenVPN admin password can be found in the CloudFormation stack in your AWS console.

Managing VPN Connection Limits

To support a growing team, you may need to increase the number of VPN connections. This can be achieved by purchasing a larger license from your VPN provider. Once acquired, update the license key in the VPN's web user interface through the DuploCloud team's assistance. Ensure the user count settings in the VPN reflect the new limit and verify team access to manage these changes efficiently.

Adding or Deleting a VPN User

For instructions to add or delete a VPN user, refer to the DuploCloud User Administration documentation.

Opening a VPN Port

To enable users connected to the VPN to access various services, including databases and ElastiCache, specific ports must be opened:

In the DuploCloud Portal, navigate to Administrator -> Tenants.
Select the Tenant from the NAME column.
Click the Security tab.
Click Add. The Add Tenant Security pane displays.
From the Source Type list box, select IP Address.
From the IP CIDR list box, select your IP CIDR.
Click Add.

This comprehensive guide ensures your VPN setup is not only up and running but also scalable to meet the needs of your growing team.

Connect to the VPN

Obtain VPN credentials and connect to the VPN

DuploCloud integrates natively with OpenVPN by provisioning VPN users in the Duplocloud Portal. As a DuploCloud user, you can access resources in the private network by connecting to the VPN with the OpenVPN client.

The OpenVPN Access Server only forwards traffic destined for resources in the DuploCloud-managed private networks. Traffic accessing other resources on the internet does not pass through the tunnel.

Obtaining VPN Credentials

You can find your VPN credentials on your user profile page in the DuploCloud Portal. It can be accessed by clicking Profile in the user menu on the upper right of the page or through the User menu option on the left.

Setting up the OpenVPN User Profile and Client App

Click on the VPN URL link in the VPN Details section of your user profile. Modern browsers will call the link unsafe since it uses a self-signed certificate. Make the necessary selections to proceed.
Log into the OpenVPN Access Server user portal using the username and password from the VPN Details section of your DuploCloud user profile page.

Click on the OpenVPN Connect Recommended for your device icon to install the OpenVPN Connect app for your local machine.

Navigate to your downloads folder, open the OpenVPN Connect file you downloaded in the previous step, and follow the prompts to finish the installation.
In the OpenVPN access server dialog box, click on the blue Yourself (user-locked profile) link to download your OpenVPN user profile.
Navigate to your Downloads folder and click on the .ovpn file downloaded in the previous step. The Onboarding Tour dialog box displays.
In the Onboarding Tour dialog box, click the > button twice. Click Agree and OK as needed to proceed to the Import .ovpn profile dialog box, and click OK.

Click OK, and select Connect after import. Click Add in the upper right. If prompted to enter a password, use the password in the VPN Profile area of your user profile page in the DuploCloud Portal. You are now connected to the VPN.

AWS Quick Start

Get up and running with DuploCloud inside an AWS cloud environment; harness the power of generating application infrastructures.

This Quick Start tutorial shows you how to set up an end-to-end cloud deployment. You will create DuploCloud Infrastructure and Tenants and, by the end of this tutorial, you can view a deployed sample web application.

Estimated time to complete tutorial: 75-95 minutes.

AWS Tutorial Roadmap

When you complete the AWS Quick Start Tutorial, you have three options or paths, as shown in the table below.

EKS (Elastic Kubernetes Service): Create a Service in DuploCloud using AWS Elastic Kubernetes Service and expose it using a Load Balancer within DuploCloud.

ECS (AWS Elastic Container Service): Create an app and Service in DuploCloud using AWS Elastic Container Service.

Native Docker: Create a Service in Docker and expose it using a Load Balancer within DuploCloud.

Optional steps in each tutorial path are marked with an asterisk in the table below. While these steps are not required to complete the tutorials, you may want to perform or read through them, as they are normally completed when you create production-ready services.

For information about the differences between these methods and to help you choose which method best suits your needs, skills, and environments, see this and documentation.

Step

EKS

ECS

Native Docker Services

* Optional

AWS Video Demo

Click the card below to watch DuploCloud video demos.

Step 1: Create Infrastructure and Plan

Create a DuploCloud Infrastructure and Plan

Each DuploCloud Infrastructure is a connection to a unique Virtual Private Cloud (VPC) network that resides in a region that can host Kubernetes clusters, EKS or ECS clusters, or a combination of these, depending on your public cloud provider.

After you supply a few basic inputs, DuploCloud creates an Infrastructure within AWS and DuploCloud. Behind the scenes, DuploCloud does a lot with what little you supply, generating the VPC, subnets, NAT Gateway, routes, and or clusters.

With the Infrastructure as your foundation, you can customize an extensible, versatile platform engineering development environment by adding Tenants, Hosts, Services, and more.

Estimated time to complete Step 1: 40 minutes. Much of this time is consumed by DuploCloud's creation of the Infrastructure and enabling your EKS cluster with Kubernetes.

Prerequisites

Before starting this tutorial:

Learn more about DuploCloud , , and .
Reference the documentation to create User IDs with the Administrator role. To perform the tasks in this tutorial, you must have Administrator privileges.

Creating a DuploCloud Infrastructure

In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Click Add. The Add Infrastructure page displays.
Enter the values from the table below in the corresponding fields on the Add Infrastructure page. Accept default values for fields not specified.
Select either the Enable EKS or Enable ECS Cluster option. You will follow different paths in the tutorial for creating Services with , , or .
Click Create to create the Infrastructure. It may take up to half an hour to create the Infrastructure. While the Infrastructure is being created, a Pending status is displayed in the Infrastructure page Status column, often with additional information about what part of the Infrastructure DuploCloud is currently creating. When creation completes, a status of Complete displays.

DuploCloud begins creating and configuring your Infrastructure and EKS/ECS clusters using Kubernetes.

It may take up to forty-five (45) minutes for your Infrastructure to be created and Kubernetes (EKS/ECS) enablement to be complete. Use the Kubernetes card in the Infrastructure screen to monitor the status, which should display Enabled when complete. You can also monitor progress using the Kubernetes tab, as DuploCloud generates your Cluster Name, Default VM Size, Server Endpoint, and Token.

Verifying That a Plan Exists for Your Infrastructure

Before proceeding, confirm that a Plan exists that corresponds to your newly created Infrastructure.

In the DuploCloud Portal, navigate to Administrator -> Plans. The Plans page displays.
Verify that a Plan exists with the name NONPROD: the name of the Infrastructure you created.

Checking Your Work

You previously verified that your Infrastructure and Plan were created. Now verify that Kubernetes is enabled before proceeding to create a Tenant.

In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
From the Name column, select the NONPROD Infrastructure.
Select the EKS or ECS tab. When Kubernetes has been Enabled for EKS or ECS, details are listed in the respective tab. For EKS, Enabled is displayed on the Kubernetes card. For ECS, the cluster name is listed in the ECS tab.

Step 2: Create a Tenant

Creating a DuploCloud Tenant that segregates your workloads

Now that the exist and a Kubernetes EKS or ECS cluster has been enabled, create one or more Tenants that use the configuration DuploCloud created.

in DuploCloud are similar to projects or workspaces and have a subordinate relationship to the Infrastructure. Think of the Infrastructure as a virtual "house" (cloud), with Tenants conceptually "residing" in the Infrastructure performing specific workloads that you define. As Infrastructure is an abstraction of a Virtual Private Cloud, Tenants abstract the segregation created by a , although Kubernetes Namespaces are only one component that Tenants can contain.

In AWS, cloud features such as IAM Roles, security groups, and KMS keys are exposed in Tenants, which reference these feature configurations.

Estimated time to complete Step 2: 10 minutes.

Tenant Use Cases

DuploCloud customers often create at least two Tenants for their production and non-production cloud environments (Infrastructures).

For example:

Production Infrastructure
- Pre-production Tenant - for preparing or reviewing production code
- Production Tenant - for deploying tested code
Non-production Infrastructure
- Development Tenant - for writing and reviewing code
- Quality Assurance Tenant - for automated testing

In larger organizations, some customers create Tenants based on application environments, such as one Tenant for Data Science applications, another for web applications, and so on.

Tenants are sometimes created to isolate a single customer workload, allowing more granular performance monitoring, scaling flexibility, or tighter security. This is referred to as a single-Tenant setup.

Prerequisites

Before creating a Tenant, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

Creating a Tenant

Create a Tenant for your Infrastructure and Plan:

In the DuploCloud Portal, navigate to Administrator -> Tenants.
Click Add. The Create a Tenant pane displays.
Enter dev01 in the Name field.
Select the Plan that you created in the previous step (NONPROD).
Click Create.

Checking Your Work

Navigate to Administrator -> Tenants and verify that the dev01 Tenant displays in the list.
Navigate to Administrator -> Infrastructure and select dev01 from the Tenant list box. Ensure that the NONPROD Infrastructure appears in the list of Infrastructures with a status of Complete.

Step 3: Create an RDS Database (Optional)

Creating an RDS database to integrate with your DuploCloud Service

Creating an RDS database is not essential to running a DuploCloud Service. However, as most services also incorporate an RDS, this step is included to demonstrate the ease of creating a database in DuploCloud. To skip this step, proceed to creating an EKS or ECS Service.

An AWS RDS is a managed Relational Database Service that is easy to set up and maintain in DuploCloud for AWS public cloud environments. RDSs support many databases including MySQL, PostgreSQL, MariaDB, Oracle BYOL, or SQL Server.

See the DuploCloud AWS Database documentation for more information.

Estimated time to complete Step 3: 5 minutes.

Prerequisites

Before creating an RDS, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both with the name NONPROD.
The NONPROD infrastructure has Kubernetes (EKS or ECS) Enabled.
A Tenant with the name dev01 has been created.

Creating an RDS Database

In the Tenant list box, select the dev01 Tenant that you created.
Navigate to Cloud Services -> Database.
Select the RDS tab, and click Add. The Create a RDS page displays.
From the table below, enter the values that correspond to the fields on the Create a RDS page. Accept default values for fields not specified.
Click Create. The database displays with a status of Submitted in the RDS tab. Database creation takes approximately ten (10) minutes.

DuploCloud prepends DUPLO to the name of your RDS database instance.

Validating RDS Database Creation

You can monitor the status of database creation using the RDS tab and the Status column.

When the database status reads Available on the RDS tab on the Database page, the database's endpoint is ready for connection to a DuploCloud Service, which you create and start in the next step.

Troubleshooting Database Creation Failures

Invalid passwords - Passwords cannot have special characters like quotes, @, commas, etc. Use a combination of uppercase and lowercase letters and numbers.
Invalid encryption - Encryption is not supported for small database instances (micro, small, or medium).

Verifying Database Endpoints

In the RDS tab, select the DUPLODOCS database you created.
Note the database endpoint, the name, and credentials. For security, the database is automatically placed in a private subnet to prevent access from the internet. Access to the database is automatically set up for all resources (EC2 instances, containers, Lambdas, etc.) in the DuploCloud dev01 Tenant. You need the endpoint to connect to the database from an application running in the EC2 instance.

When you place a DuploCloud Service in a live production environment, consider passing the database endpoint, name, and credentials to a DuploCloud Service using AWS Secrets Manager, or Kubernetes Configs and Secrets.

Checking your work

When your database is available and you have verified the endpoint, choose one of these three paths to create a DuploCloud Service and continue this tutorial.

Creating an AWS EKS Service in DuploCloud running Docker containers
Creating an AWS ECS Service in DuploCloud running Docker containers
Creating a DuploCloud native Docker Service

Not sure what kind of Duplcloud Service you want to create? Consider the following:

AWS EKS is a managed Kubernetes service. AWS ECS is a fully managed container orchestration service using AWS technology. For a full discussion of the benefits of EKS vs. ECS, consult this AWS blog.
Docker Containers are ideal for lightweight deployments and run on any platform, using GitHub and other open-source tools.

Creating an EKS Service

Finish the Quick Start Tutorial by creating an EKS Service

So far in this DuploCloud AWS tutorial, you created a VPC network with configuration templates (Infrastructure and Plan), an isolated workspace (Tenant), and an RDS database instance (optionally).

Now you need to create a DuploCloud Service on top of your Infrastructure and configure it to run and deploy your application. In this tutorial path, we'll deploy an application using Docker containers and leveraging AWS Elastic Kubernetes Service (EKS).

Alternatively, you can finish this tutorial by:

Creating an AWS ECS Service in DuploCloud running Docker containers
Creating a DuploCloud native Docker Service

For a deeper comparison of EKS and ECS, consult this AWS blog.

Estimated time to complete remaining tutorial steps: 30-40 minutes

Deploying an AWS EKS Service in DuploCloud

For the remaining steps in this tutorial, you will:

Create a Host (EC2 Instance) to serve as an AWS EKS worker node.
Create a Service and application using the premade Docker image: duplocloud/nodejs-hello:latest.
Expose the Service by creating and sharing a Load Balancer and DNS name.
Test the application.
Obtain access to the container shell and kubectl for debugging.

Network Architecture and Configurations

The topology that DuploCloud creates behind the scenes resembles this low-level configuration in AWS.

Step 4: Create a Host

Creating a Host that acts as an EKS Worker node

Creating an AWS EKS Service uses technologies from AWS and the Kubernetes open-source container orchestration system.

Kubernetes uses worker nodes to distribute workloads within a cluster. The cluster automatically distributes the workload among its nodes, enabling seamless scaling as required system resources expand to support your applications.

Estimated time to complete Step 4: 5 minutes.

Prerequisites

Before creating a Host (essentially a Virtual Machine), verify that you completed the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant named dev01 has been created.

Select the Tenant You Created

In the Tenant list box, select the dev01 Tenant that you created.

Creating a Host

In the DuploCloud Portal, navigate to Cloud Services -> Hosts. The Hosts page displays.
In the EC2 tab, click Add. The Add Host page displays.
In the Friendly Name field, enter host01.
In the Instance Type list box, select 2 CPU 4 GB - t3.medium.
Select the Advanced Options checkbox to display advanced configuration fields.
From the Agent Platform list box, select EKS Linux.
From the Image ID list box, select any Image ID with an EKS prefix (for example, EKS-Oregon-1.23).
Click Add. The Host is created, initialized, and started. In a few minutes, when the Status displays Running, the Host is available for use.

The EKS Image ID is the image published by AWS specifically for an EKS worker in the version of Kubernetes deployed at Infrastructure creation time. For this tutorial, the region is us-west-2, where the NONPROD Infrastructure was created.

If there is no Image ID with an EKS prefix, copy the AMI ID for the desired EKS version following this AWS documentation. Select Other from the Image ID list box and paste the AMI ID in the Other Image ID field. Contact the DuploCloud Support team via your Slack channel if you have questions or issues.

Checking Your Work

In the DuploCloud Portal, navigate to Cloud Services -> Hosts.
Select the EC2 tab.
Verify that the Host status is Running.

Step 5: Create a Service

Creating a Service to run a Docker-containerized application

DuploCloud supports three container orchestration technologies to deploy Docker-container applications in AWS:

Native EKS
Native ECS Fargate
Built-in container orchestration in DuploCloud using EKS/ECS

You don't need experience with Kubernetes to deploy an application in the DuploCloud Portal. However, it is helpful to be familiar with the Docker platform. Docker runs on any platform and provides an easy-to-use UI for creating, running, and managing containers.

To deploy your own applications with DuploCloud, you’ll choose a public image or provide credentials for your private repository and configure your Docker Registry credentials in DuploCloud.

This tutorial will guide you through deploying a simple Hello World NodeJS web app using DuploCloud's built-in container orchestration with EKS. We’ll use a pre-built Docker container and access Docker images from a preconfigured Docker Hub.

Estimated time to complete Step 5: 10 minutes.

Prerequisites

Before creating a Service, verify that you completed the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant named dev01 has been created.
A host named host01 has been created.

Adding a Service

In the Tenant list box, select the dev01 Tenant.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
Click Add. The Add Service page displays.
From the table below, enter the values that correspond to the fields on the Add Service page. Accept all other default values for fields not specified.
Click Next. The Advanced Options page is displayed.
At the bottom of the Advanced Options page, click Create. In about five (5) minutes, the Service will be created and initialized, displaying a status of Running in the Containers tab.

Use the Containers tab to monitor the Service creation status, between Desired (Running) and Current.

Using Spot Instances (optional)

Follow the steps in Creating Services using Autoscaling Groups. In the Add Service page, Basic Options, Select Tolerate spot instances.

Checking your work

Verify that your DuploCloud Service, demo-service, has a status of Running.

In the Tenant list box, select the dev01 Tenant.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
Click on the Service name (demo-service).
On the Containers tab, verify that the current status is Running.

Step 6: Create a Load Balancer

Creating a Load Balancer to configure network ports to access the application

Now that your DuploCloud Service is running, you have a mechanism to expose the containers and images in which your application resides. However, since your containers are inside a private network, you need a Load Balancer listening on the correct ports to access the application.

In this step, we add a Load Balancer Listener to complete the network configuration.

Estimated time to complete Step 6: 10 minutes.

Prerequisites

Before creating a Load Balancer, verify that you completed the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant named dev01 has been created.
A Host named host01 has been created.
A Service named demo-service has been created.

Creating a Load Balancer

In the Tenant list box, select the dev01 Tenant.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
From the NAME column, select demo-service.
Click the Load Balancers tab.
Click the Configure Load Balancer link. The Add Load Balancer Listener pane displays.
From the Type list box, select Application LB.
In the Container Port field, enter 3000. This is the configured port on which the application inside the Docker Container Image duplocloud/nodejs-hello:latest is running.
In the External Port field, enter 80. This is the port through which users will access the web application.
From the Visibility list box, select Public.
From the Application Mode list box, select Docker Mode.
Type / (forward-slash) in the Health Check field to indicate that the cluster we want Kubernetes to perform Health Checks on is located at the root level.
In the Backend Protocol list box, select HTTP.
Click Add. The Load Balancer is created and initialized. Monitor the LB Status card on the Services page. The LB Status card displays Ready when the Load Balancer is ready for use.

Checking your work

In the Tenant list box, select the dev01 Tenant.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
From the NAME column, select demo-service.
Verify that the LB Status card displays a status of Ready.
Note the DNS Name of the Load Balancer that you created.
In the LB Listeners area of the Services page, note the configuration details of the Load Balancer's HTTP protocol, which you specified, when you added it above.

Step 7: Enable Additional Load Balancer Options (Optional)

Add a security layer and enable other Load Balancer options

This step is optional and unneeded for the example application in this tutorial; however, production cloud apps require an elevated level of protection.

To set up a Web Application Firewall (WAF) for a production application, follow the steps in the Web Application Firewall procedure.

In this tutorial step, for the Application Load Balancer (ALB) you created in Step 6, you will:

Enable access logging to monitor HTTP message details and record incoming traffic data. Access logs are crucial for analyzing traffic patterns and identifying potential threats, but they are not enabled by default. You must manually activate them in the Load Balancer settings.
Protect against requests that contain invalid headers.

Estimated time to complete Step 7: 5 minutes.

Prerequisites

Before securing a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant named dev01 has been created.
A Host named host01 has been created.
A Service named demo-service has been created.
An Load Balancer has been created.

Securing the Load Balancer

In the Tenant list box, select the dev01 Tenant.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
From the NAME column, select the Service (demo-service).
Click the Load Balancers tab.
In the Other Settings card, click Edit. The Other Load Balancer Settings pane displays.

In the Web ACL list box, select None, because you are not connecting a Web Application Firewall.
Select the Enable Access Logs and Drop Invalid Headers options.
Accept the Idle Timeout default setting and click Save. The Other Settings card in the Load Balancers tab is updated with your selections.

Checking Your Work

Verify that the Other Settings card contains the selections you made above for:

Web ACL - None
HTTP to HTTPS Redirect - False
Enable Access Logs - True
Drop Invalid Headers - True

Enabling access logs enhances the security and monitoring capabilities of your Load Balancer and provides insights into the traffic accessing your application, for a more robust security posture.

Step 8: Create a Custom DNS Name (Optional)

Changing the DNS Name for ease of use

After you create a Load Balancer Listener you can modify the DNS Name for ease of use and reference by your applications. It isn't necessary to run your application or complete this tutorial.

To skip this step, proceed to test your application and complete this tutorial.

Once the Load Balancer is created, DuploCloud programs an autogenerated DNS Name registered to demo-service in the Route 53 domain. Before you create production deployments, you must create the Route 53 Hosted Zone domain (if DuploCloud has not already created one for you). For this tutorial, it is not necessary to create a domain.

Estimated time to complete Step 8: 5 minutes.

Prerequisites

Before securing a Load Balancer, verify that you completed the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant named dev01 has been created.
A Host named host01 has been created.
A Service named demo-service has been created.
An HTTPS ALB Load Balancer has been created.

Creating a Custom DNS Name

In the Tenant list box, select the dev01 Tenant.
Navigate to Kubernetes -> Services. The Services page displays.
From the Name column, select demo-service.
Click the Load Balancers tab. The ALB Load Balancer configuration is displayed.

In the DNS Name card, click Edit. The prefix in the DNS Name is editable.
Edit the DNS Name and select a meaningful DNS Name prefix.
Click Save. A success message briefly displays at the top center of the DuploCloud Portal.

An entry for your new DNS name is now registered with demo-service.

Checking Your Work

Navigate to Kubernetes -> Services.
From the Name column, select demo-service.
Select the Load Balancers tab and verify that the DNS Name card displays your modified DNS Name.

Step 9: Test the Application

Test the application to ensure you get the results you expect

You can test your application directly from the Services page using the DNS status card.

Estimated time to complete Step 9 and finish tutorial: 10 minutes.

Prerequisites

Before testing your application, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An exist, both named NONPROD.
The NONPROD infrastructure has EKS.
A Tenant named .
A Host named .
A Service named .
An has been created.

Select the Tenant you created

Testing the Application

Note that if you skipped and/or , the configuration in the Other Settings and DNS cards appears slightly different from the configuration depicted in the screenshot below. These changes do not impact you in testing your application, as these steps are optional. You can proceed to test your app with no visible change in the output of the deployable application.

In the Tenant list box, select the dev01 Tenant.
In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.
From the Name column, select demo-service.
Click the Load Balancers tab.
In the DNS status card, click the Copy Icon ( ) to copy the DNS address displayed to your clipboard.

Open a browser instance and Paste the DNS in the URL field of your browser.
Press ENTER. A web page with the text Hello World! is displayed, from the JavaScript program residing in your Docker Container running in demo-service, which is exposed to the web by your Load Balancer.

It can take from five to fifteen (5-15) minutes for the DNS Name to become active once you launch your browser instance to test your application.

Congratulations! You have just launched your first web service on DuploCloud!

Reviewing What You Learned

In this tutorial, your objective was to create a cloud environment to deploy an application for testing purposes, and to understand how the various components of DuploCloud work together.

The application rendered a simple web page with text, coded in JavaScript, from software application code residing in a Docker container. You can use this same procedure to deploy much more complex cloud applications.

In the previous steps, you:

Cleaning Up Your Tutorial Environment

In this tutorial, you created many artifacts for testing purposes. Now that you are finished, clean them up so others can run this tutorial using the same names for Infrastructure and Tenant.

The NONPROD Infrastructure is deleted and you have completed the clean-up of your test environment.

Creating an ECS Service

Finish the Quick Start Tutorial by creating an ECS Service

This section of the tutorial shows you how to deploy a web application with .

For a full discussion of the benefits of using EKS vs. ECS, consult.

Instead of creating a DuploCloud Service with AWS ECS, you can alternatively finish the tutorial by:

running Docker containers or
.

Deploying an AWS ECS Service in DuploCloud

Unlike AWS EKS, creating and deploying services and apps with ECS requires creating a , a blueprint for your application. Once you create a Task Definition, you can run it as a Task or as a Service. In this tutorial, we run the Task Definition as a Service.

To deploy your app with AWS ECS in this ECS tutorial, you:

Create a Task Definition using ECS.
Create a DuploCloud Service named webapp, backed by a Docker image.
Expose the app to the web with a Load Balancer.
Complete the tutorial by testing your application.

Estimated time to complete remaining tutorial steps: 30-40 minutes

Network Architecture and Configurations

Behind the scenes, the topology that DuploCloud creates resembles this low-level configuration in AWS.

Step 5: Create the ECS Service and Load Balancer

Create an ECS Service from Task Definition and expose it with a Load Balancer

Now that you've created a Task Definition, create a Service, which creates a Task (from the definition) to run your application. A Task is the instantiation of a Task Definition within a cluster. After you create a task definition for your application within Amazon ECS, you can specify multiple tasks to run on your cluster, based on your performance and availability requirements.

Once a Service is created, you must create a Load Balancer to expose the Service on the network. An Amazon ECS service runs and maintains the desired number of tasks simultaneously in an Amazon ECS cluster. If any of your tasks fail or stop, the Amazon ECS service scheduler launches another instance based on parameters specified in your Task Definition. It does so in order to maintain the desired number of tasks created.

Estimated time to complete Step 5: 10 minutes.

Prerequisites

Before creating the ECS Service and Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An exist, both named NONPROD.
The NONPROD infrastructure has .
A Tenant named .
A has been created.

Creating an ECS Service and Load Balancer

In the DuploCloud Portal's Tenant list box, select dev01.
Navigate to Cloud Services -> ECS.
In the Task Definitions tab, select the Task Definition Family Name, DUPLOSERVICES-DEV01-SAMPLE-TASK-DEF. This is the prepended by a unique identifier, which includes your Tenant name (DEV01) and part of your Infrastructure name (ECS-TEST).
In the Service Details tab, click the Configure ECS Service link. The Add ECS Service page displays.

In the Name field, enter sample-httpd-app as the Service name.
In the LB Listeners area, click Add. The Add Load Balancer Listener pane displays.
From the Select Type list box, select Application LB.
In the Container Port field, enter 3000.
In the External Port field, enter 80.
From the Visibility list box, select Public.
In the Heath Check field, enter /, specifying root, the location of Kubernetes Health Check logs.
From the Backend Protocol list box, select HTTP.
From the Protocol Policy list box, select HTTP1.
Select other options as needed and click Add.
On the Add ECS Service page, click Submit.

Checking Your Work

In the Service Details tab, information about the Service and Load Balancer you created is displayed. Verify that the Service and Load Balancer configuration details in the Service Details tab are correct.

Creating a Native Docker Service

Finish the Quick Start Tutorial by running a native Docker Service

This section of the tutorial shows you how to deploy a web application with a DuploCloud Docker Service, by leveraging DuploCloud platform in-built container management capability.

Instead of creating a DuploCloud Docker Service, you can alternatively finish the tutorial by:

Creating an AWS EKS Service in DuploCloud running Docker containers.
Creating an AWS ECS Service in DuploCloud running Docker containers.

Deploying a DuploCloud Docker Service

Instead of creating a DuploCloud Service using EKS or ECS, you can deploy your application with native Docker containers and services.

To deploy your app with a DuploCloud Docker Service in this tutorial, you:

Create an EC2 host instance in DuploCloud.
Create a native Docker application and Service.
Expose the app to the web with an Application Load Balancer in DuploCloud.
Complete the tutorial by testing your application.

Estimated time to complete remaining tutorial steps: 30-40 minutes

Network Architecture and Configurations

Behind the scenes, the topology that DuploCloud creates resembles this low-level configuration in AWS.

Step 4: Create an EC2 Host

Create an EC2 Host in DuploCloud

Before you create your application and service using native Docker, create an EC2 Host for storage in DuploCloud.

Estimated time to complete Step 4: 5 minutes.

Prerequisites

Before creating a Host (essentially a Virtual Machine), verify that you completed the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
A Tenant named dev01 has been created.

Creating a Host

In the Tenant list box, select dev01.
In the DuploCloud Portal, navigate to Cloud Services -> Hosts. The Hosts page displays.
In the EC2 tab, click Add. The Add Host page displays.
In the Friendly Name field, enter host01.
From the Instance Type list box, select 2 CPU 4 GB - t3.medium.
Select the Advanced Options checkbox to display advanced configuration fields.
From the Agent Platform list box, select Linux/Docker Native.
From the Image ID list box, select any Docker-Duplo or Ubuntu image.
Click Add. The Host is created, initialized, and started. In a few minutes, when the Status displays Running, the Host is available for use.

Checking your work

Verify that host01 has a Status of Running.

Step 5: Create a Service

Create a native Docker Service in the DuploCloud Portal

You can use the DuploCloud Portal to create a native Docker service without leaving the DuploCloud interface.

Estimated time to complete Step 5: 10 minutes.

Prerequisites

Before creating a Service, verify that you completed the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
A Tenant named dev01 has been created.
An EC2 Host named host01 has been created.

Creating a Service with Native Docker

In the Tenant list box, select dev01.
Navigate to Docker -> Services.
Click Add. The Add Service Basic Options page displays.
In the Service Name field, enter demo-service-d01.
From the Platform list box, select Linux/Docker Native.
In the Docker Image field, enter duplocloud/nodejs-hello:latest.
From the Docker Networks list box, select Docker Default.
Click Next. The Advanced Options page displays.
Click Create.

On the Add Service page, you can also specify optional Environment Variables (EVs) such as databases, Hosts, ports, etc. You can also pass Docker credentials using EVs for testing purposes.

Checking Your Work

In the Tenant list box, select dev01.
Navigate to Docker -> Services.
In the NAME column, select demo-service-d01.
Check the Current column to verify that demo-service-d01 has a status of Running.

Step 6: Create a Load Balancer

Create a Load Balancer to expose the native Docker Service

Now that your DuploCloud Service is running, you have a mechanism to expose the containers and images in which your application resides. Since your containers are in a private network, you need a Load Balancer to make the application accessible.

In this step, we add a Load Balancer Listener to complete this network configuration.

Estimated time to complete Step 6: 15 minutes.

Prerequisites

Before creating a Load Balancer, verify that you completed the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:

An Infrastructure and Plan exist, both named NONPROD.
A Tenant named dev01 has been created.
An EC2 Host named host01 has been created.
A Service named demo-service-d01 has been created.

Creating a Load Balancer using Native Docker

In the Tenant list box, select dev01.
Navigate to Docker -> Services.
Select the Service demo-service-d01 that you created.
Click the Load Balancers tab.
Click the Configure Load Balancer link. The Add Load Balancer Listener pane displays.
From the Select Type list box, select Application LB.
In the Container Port field, enter 3000: the port on which the application running inside the container image (duplocloud/nodejs-hello:latest) is running.
In the External Port field, enter 80.
From the Visibility list box, select Public.
From the Application list box, select Docker Mode.
In the Health Check field, enter /, indicating that you want the Kubernetes Health Check logs written to the root directory.
From the Backend Protocol list box, select HTTP.
Click Add.

When the LB Status card displays Ready, your Load Balancer is running and ready for use.

Securing the Load Balancer

If you want to secure the load balancer created, you can follow the steps specified here.

Creating a Custom DNS Name

You can modify the DNS name by clicking Edit in the DNS Name card in the Load Balancers tab. For additional information see this page.

AWS Use Cases

Use Cases supported for DuploCloud AWS

This section details common use cases for DuploCloud AWS.

Organization of use cases

Topics in this section are covered in the order of typical usage. Use cases that are foundational to DuploCloud such as Infrastructure, Tenant, and Hosts are listed at the beginning of this section; while supporting use cases such as Cost management for billing, JIT Access, Resource Quotas, and Custom Resource tags appear near the end.

Supported use cases for DuploCloud AWS

and
and
and
link

Creating an Infrastructure and Plan for AWS

Use the DuploCloud Portal to create an AWS Infrastructure and associated Plan

Creating an Infrastructure

From the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Click Add.
Define the Infrastructure by completing the fields on the Add Infrastructure form.
Select Enable EKS to enable EKS for the Infrastructure, or select Enable ECS Cluster to enable an ECS Cluster during Infrastructure creation.
Optionally, select Advanced Options to specify additional configurations (such as Public and Private CIDR Endpoints).
Click Create. The Infrastructure is created and listed on the Infrastructure page. DuploCloud automatically creates a Plan (with the same Infrastructure name) with the Infrastructure configuration.

Cloud providers limit the number of Infrastructures that can run in each region. Refer to your cloud provider for further guidelines on how many Infrastructures you can create.

Viewing Infrastructure settings

In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
From the Name column, select the Infrastructure containing settings that you want to view.
Click the Settings tab. The Infrastructure settings display.

Up to one instance (0 or 1) of an EKS or ECS is supported for each DuploCloud Infrastructure.

Configuring EKS features (optional)

You can customize your EKS configuration:

Add VPC endpoints.
Enable EKS endpoints, logs, Cluster Autoscaler, and more. For information about configuration options, see these EKS Setup topics.

Configuring ECS features (optional)

You can customize your ECS configuration. See the ECS Setup topic for information about configuration options.

EKS Setup

Enable Elastic Kubernetes Service (EKS) for AWS by creating a DuploCloud Infrastructure

In the DuploCloud platform, a Kubernetes Cluster maps to a DuploCloud Infrastructure.

Start by creating a new Infrastructure in DuploCloud. When prompted to provide details for the new Infrastructure, select Enable EKS. In the EKS Version field, select the desired release.

Optionally, and .

The worker nodes and remaining workload setup are described in the topic.

Up to one instance (0 or 1) of an EKS is supported for each DuploCloud Infrastructure.

When the Infrastructure is in the ready state, as indicated by a Complete status, navigate to Kubernetes -> Services and select the Infrastructure from the NAME column to view the Kubernetes configuration details, including the token and configuration for kubectl.

When you create Tenants in an Infrastructure, a namespace is created in the Kubernetes cluster with the name duploservices-TENANT_NAME