Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
DuploCloud DevOps-as-a-Service platform is cloud infrastructure automation software that enables developer self-service with continuous security and compliance.
DuploCloud is a platform that enables security and compliance for engineers and operators in organizations that host infrastructure on the public cloud.
You provide high-level application specifications including cloud services, application containers, packages and configurations, interconnectivity, requirements for multiple environments, and scoped compliance standards. DuploCloud uses these specifications to auto-generate required lower-level configurations, provisioning them in a secure and compliant manner, while maintaining their ongoing operations.
In addition, logging, monitoring, alerting, and reporting of the provisioned system are enabled. The following figure shows the various functions provided by the platform.
DuploCloud is a single-Tenant software platform installed in the customer's cloud account. The customer interfaces with DuploCloud via the browser UI, the DuploCloud Terraform provider, and/or API calls while the data and configuration stay within the customer's cloud account. All configurations created and applied by DuploCloud can be reviewed and edited in the customer's cloud account.
Got 5 minutes? Check out a video overview of a DuploCloud deployment:
Popular and frequently asked questions about DuploCloud
See DuploCloud Support for examples of what we do and do not support and how to contact us.
DuploCloud supports the following:
Amazon AWS
Microsoft Azure
Google Cloud
On-Premises
Use these FAQ documents to quickly find answers to popular questions about using AWS, Azure, and GCP with DuploCloud.
We estimate that DuploCloud will increase your company's cloud costs by approximately $100 to $200 per month.
Yes, DuploCloud's On-prem services support companies with private clouds.
No. DuploCloud is a self-hosted solution deployed within the customer's cloud account. This hosted solution provides the customer with a SaaS-like experience. DuploCloud can provide a fully managed service to maintain uptime, provide updates, and supply ongoing support.
DuploCloud creates a private Slack channel so your organization can communicate directly with the DuploCloud Support Staff to resolve any issues and answer questions during onboarding.
Typically clients create a separate AWS account, GCP project, or Azure subscription for DuploCloud, so we don't interfere with any pre-existing AWS accounts and configurations. The goal is to set up a development environment that the client team validates and switches over to, followed by staging and, finally, a Production migration. DuploCloud can also be integrated into an existing environment, or there can be a hybrid where some infrastructure is moved over to a DuploCloud-managed environment that connects to the existing environment.
DuploCloud installs the DuploCloud Portal for you and then schedules a call to orient you to the Portal and do additional configuration, such as creating DuploCloud Services, as required.
During the initial call with DuploCloud, you have the option of completing the set-up yourself, with help from our engineers. You can also create some Services and let our engineers set up the rest for you.
After your DuploCloud Portal has been installed and configured, DuploCloud Infrastructures (VPCs) are running, Kubernetes has been enabled and configured, and logging, monitoring, alerting, CI/CD, and Soc2 Controls have been implemented.
Even though the onboarding process can take thirty to seventy (30-70) hours, the DuploCloud staff performs about 90% of the work for you. Feel free to contact our Support staff anytime with questions or concerns.
In addition, during setup, we perform penetration testing and vulnerability assessments for your applications. Using our SIEM solution, we assess the vulnerabilities of DuploCloud Hosts in the Infrastructure.
DuploCloud is a self-hosted single-tenant solution deployed within the customer's cloud account. The software runs in a virtual machine (VM), and the VM derives permissions to call the cloud provider using the VM's permissions. Specifically, in AWS, DuploCloud utilizes an IAM role, known as an instance profile, to access AWS accounts, ensuring secure access without needing access keys. In Azure, permissions are derived via managed identity and service accounts in GCP.
The DuploCloud VM and DuploCloud Portal are secured, as is any other workload in the cloud. In addition to SSO login for portal access, the VM runs optionally behind a VPN. Therefore, only internal users can load the portal when connected to a VPN.
While you can install DuploCloud in your existing environment, we prefer that we do the setup in a separate account. This does not mean you must migrate all your existing data sources, especially if you have terabytes of files in the S3 bucket. The workload in DuploCloud environments can connect to existing data sources and endpoints over peering and cross-account access. Here are the top reasons why people prefer Duplocloud in a separate account:
It is considered a very safe and non-intrusive way to validate the new setup and, at times, new architecture, like Kubernetes, without touching the existing account.
From a compliance perspective, a new account is a clean slate and is very easy to pass audits as DuploCloud will guarantee all aspects of it. If we were to fit in an existing account, there may be many things that are quite hard and, in some cases, impossible to fix. For example, if things were operated non-compliantly, that history is stored in a cloud trail. This can indicate irregularities to an auditor and creates a lot of questions around scope, leading to exceptions in the report.
Some DuploCloud security features can impact existing non-compliant resources and workloads. While this is rare, it is something to consider.
In summary, while one can deploy the platform in an existing account, even import a VPC and Kubernetes clusters, avoiding it can cause more overhead than benefit than a new account with either data migrated or connected to existing data sources over cross-account access.
DuploCloud is running in your own cloud account, along with your workloads. DuploCloud is a provisioning system, so stopping DuploCloud does not impact any of your applications and cloud services.
The following is a list of automation constructs managed by DuploCloud and a summary of what you need to do to maintain them directly instead of through DuploCloud.
Cloud Provider Configuration (Terraform): This involves various cloud services, IAM roles, Security groups, VPC, etc. DuploCloud can export your latest cloud configuration into native Terraform code and state files. Once exported, you maintain the configuration.
Kubernetes: All applications and configurations that have been deployed in K8s are available in the form of deployments, StatefulSets, DaemonSet, K8s Secrets, ConfigMaps, etc. One can run kubectl
commands to export configurations as YAML files and continue to maintain them in the future.
Compliance monitoring: DuploCloud uses a third-party SIEM solution called Wazuh. Wazuh is an open-source software platform running in an independent VM in your cloud account, and you have full permission to retain it "as-is." However, going forward, you need to integrate any new systems that need compliance monitoring into the SIEM.
Diagnostics tools: These include Prometheus, Grafana, and Elasticsearch. They are all open source and run in your cloud account, so you can continue to manage them directly.
If DuploCloud is down, it's similar to having an unavailable DevOps engineer. If you need to opt out of DuploCloud, you are replacing your DevOps management. DuploCloud is neither a PaaS nor a hosted solution that hosts your workloads.
Absolutely! More than half of our customers have no DevOps team. With our managed service offering, we handle your deployments, act as the first line of defense for any issues, and are constantly involved in daily tasks like CI/CD updates.
The DuploCloud team is your extended DevOps team, assisting with white glove environment setup and daily operations with 24x7 Slack and email support. We cover what is supported in the DuploCloud platform and assist with your cloud provider's requirements.
After the initial onboarding of the platform, we recommend that you engage the DuploCloud team as your second line of defense by setting up an internal triage process of your own. We can assist you in setting up this process.
DuploCloud is your extended DevOps team! We are available 24x7 on your Slack channel, by phone, and by email.
Yes. This is often required because DuploCloud may not support all cloud features or configurations. Direct changes to your cloud account can be categorized within the following groups:
DuploCloud labels the resources and configurations it manages. If independent changes are being made directly with your cloud provider, DuploCloud will not interfere. However, DuploCloud still monitors changes for compliance and alerts you to non-compliant configurations.
For resources that DuploCloud does not manage directly, you change directly in your cloud provider. For example, if you add additional forwarding rules to a load balancer created through DuploCloud, DuploCloud does not interfere with the new configuration that you created.
For resources that DuploCloud manages, DuploCloud automatically detects conflicts and either revert changes or raises an alert about inconsistencies.
DuploCloud provides flexibility when a feature that is not supported by DuploCloud can be programmed directly in your cloud provider. If you are using Terraform, then the DuploCloud provider and the native cloud provider can be used in tandem. For an example of this use case, see https://duplocloud.com/white-papers/devops/#PAAS.
Yes. DuploCloud's Web UI is a no-code interface for DevOps. You do not need to know IaC or have cloud expertise to operate it. However, you should read the product documentation to understand the basic constructs in DuploCloud.
"Click Ops" is when engineers manually create infrastructure resources in the cloud and other UIs. It's often considered bad practice because there are so many components and configurations that it's easy to make mistakes. You can skip past default settings that aren't secure, copy configuration incorrectly between environments, etc. You need hundreds or thousands of clicks and a lot of DevSecOps knowledge.
DuploCloud manages infrastructure resources for you. You pick application-level functionality like "services" and "load balancers," then, DuploCloud creates the complex cloud resources needed to deliver that functionality. It ensures the underlying compute instances, firewall rules, IAM policies, and other components are configured following good practices. You only need a few clicks and don't need to know DevSecOps because DuploCloud knows it for you.
Click Ops is an easy way to make mistakes. DuploCloud's No Code is an easy way to ensure you don't.
The answer depends on the following key factors:
Especially in a rapidly growing company environment, where architecture is constantly evolving and services are constantly updated, there may be a desire to let developers self-service and move fast. This would be a case for no-code. On the other hand, in cases where there is an established operations organization with centralized requirements, a low-code Terraform solution may be a better option.
Note that Terraform is a client-side scripting tool and a single-user system, so the scope of a project is limited to one person operating at one time. This can incur constraints if a project has many components and two people cannot operate simultaneously, even if they deal with completely independent constructs.
Terraform projects typically have a broad scope with multiple components. Sometimes, you must make small targeted changes (for example, a health check URL change). But when the change is being executed, there may be other drifts, and the user may be forced to resolve them. This can be inconvenient, and often, the user will change the UI, resulting in further configuration drifts.
About half of our customer base uses no-code, while the other half uses Terraform. Ironically, software developer-centric companies prefer no-code because it enables engineers to be agile and focus on their application code. By contrast, the low-code Terraform provider is often used in DevOps-centric organizations.
DuploCloud license usage is calculated based on the services managed by DuploCloud. The service usage is counted in terms of units, with a unit defined as below:
A host is counted as 1 unit. (example: EC2 instance, Azure, or GCP VM)
A serverless function or service is counted as 1/4 unit (example: Lambda function)
A serverless application is counted as 1/2 unit (example: AWS ECS Service, Azure Web App, Google GKE Service)
AWS Managed Airflow (MWAA) worker is counted as 1/2 unit. For an MWAA environment, the number of workers is calculated as the average of the minimum and maximum worker count.
Yes.
Yes. Every element in the DuploCloud UI is populated by calling an API.
No. DuploCloud segregates resources into environments called Tenants, which accelerates ramp-up time. For more information about implementation, contact the DuploCloud support team.
You must make control plane modifications before enabling central logging. If logging is enabled, the Service Description cannot be edited.
While creating a Host, click on Show Advanced to display advanced options and select the public subnet from the list of availability zones.
Under each Host, you can click on Connection Details under the Actions dropdown, which will provide the key file and instructions to SSH.
Under Host, click on Connection Details under the Actions dropdown. It will provide the password and instructions on how to connect to RDP.
Under the Services Status tab, find the host where the container is running. SSH into the host (see instructions above), and run sudo docker ps
to get the container ID. Next, run sudo docker exec -it
CONTAINER_ID
bash
. Find your container using the image ID.
Make sure the DNS name is resolved by running ping
on your local machine. Ensure that the application is running running ping
from within the container. SSH into the host, and connect to your Docker container using the Docker exec command sudo docker exec -it
CONTAINER_ID
bash
. From inside the container, curl the application URL using the IP 127.0.0.1 and the port where the application is running. Confirm that this works. CURL the same URL using the container's IP address instead of 127.0.0.1. The IP address can be obtained by running the ifconfig
command in the container.
If the connection from within the container works, exit the container and navigate to the host. Curl the same endpoint from the host (i.e., using container IP and port). If this works, then under the ELB UI in DuploCloud, note down the host port that DuploCloud created for the given container endpoint. This will be in the range of 10xxx or the same as the container port. Now try connecting to the “HostIP,” and DuploMappedHostPort just obtained. If this also works but the service URL fails, contact your enterprise admin or duplolive-support@duplocloud.net.
No, Kubernetes is not required. DuploCloud supports both AWS ECS and Kubernetes, among other Cloud solutions.
The main advantage of Kubernetes is its broad-based, highly customizable, third-party, open-source community that champions and supports it as a delivery platform. For example, Astronomer (managed air flow), Time series database, IsTio Service Mesh, and Kong API Gateway all expect you to have a Kubernetes deployment. However, if your business needs and use cases are met with an AWS solution, you may not need Kubernetes.
Choose the container management software that best meets your use cases and requirements' complexity level. DuploCloud supports AWS, Kubernetes, Azure, and GCP. Many customers use software from multiple vendors to create robust business solutions backed by DuploCloud's compliance assurance and automated low-code/no-code DevOps approach.
Enable Health Check for your service and ensure the API does not return HTTP 200 status until migration is done. Since DuploCloud waits for a complete Health Check on one service before upgrading to the next service, only one instance will run migration at a time.
When you update (e.g., change an image or ENV variable) a service with multiple replicas, DuploCloud makes the change to one container at a time. If an updated container fails to start or the health check URL does not return HTTP 200 status, DuploCloud will pause the upgrade of the remaining containers. This can typically be remedied by updating the service with a newer image with a fix. If no health check URL is specified, DuploCloud only checks to see if an updated container is running before moving on to the next. To specify Health Check, use the Elastic Load Balancer menu to find the Health Check URL suffix.
If the current status is Pending and the desired status is Running, wait a few minutes for the image to finish downloading. If it’s been more than five minutes, check the faults from the button below the table. Ensure that your image name is correct and does not have spaces. Image names are case-sensitive, so they should be all lowercase, including the image name in DockerHub.
If the current state is Pending when the desired state is Delete, the container is the old service version. It is still running because the system is being upgraded, and the previous replica has not been upgraded yet. Check the faults in other containers of this service for which the Current State is Pending and the desired state is Running.
A Pending Delete status indicates that DuploCloud intends to remove these containers, indicating that a system update or service upgrade is in progress. This status often appears during rolling upgrades, where DuploCloud systematically replaces old container versions with new ones to ensure service continuity and minimal downtime. The most common cause is that DuploCloud blocked the upgrade because a replica of the service was upgraded but is no longer operational. Some replicas may show a Running status even though the Health Check failed and the rolling upgrade is blocked. To unblock the upgrade, restore the service configuration (image, environment, etc.) to an error-free state.
Could not load credentials from any providers
.Your duplo-jit
local cache must be cleared. To do this, run the following command:
Conditions Unschedulable because 0/N nodes are available: 1 node(s) didn't match pod anti-affinity rules, 1 node(s) were unschedulable....
Two possible reasons for receiving this fault message are:
You are not allocating enough hosts to process your workload.
The allocation tags you assigned to your existing Hosts limit additional Service workloads.
Docker native collection agent Filebeat is not running for Tenant
.Ensure that logging is set up and that you have selected the Tenant for which you want to collect logging information.
No. DuploCloud calls the cloud provider's API directly. Based on user requirements, the software interacts with the cloud provider API asynchronously, maintaining a state machine of operations with built-in retries to ensure robustness. Interacting with the cloud provider continuously monitors any configuration drift, system faults, security, and compliance controls.
The Terraform and DuploCloud Web UIs are layered on top of the DuploCloud platform.
DuploCloud provides an SDK into Terraform called the DuploCloud Terraform Provider. This SDK allows users to configure their cloud infrastructure using DuploCloud constructs rather than lower-level cloud provider constructs. This enables the user to get the benefits of Infrastructure-as-Code while significantly reducing the needed code. The DuploCloud Terraform Provider calls DuploCloud APIs. Our DevOps white paper provides detailed examples.
You should create a separation between your developers and your DevOps team. Allowing developers to use the Web UI in non-production development environments to quickly iterate product changes can create inconsistency.
In both production and critical non-production environments, the cloud services setup and first-time application deployment can be done via Terraform code. CI/CD workflows can be built that only update the application (Docker and Lambda) deployments. The DevOps team should do any cloud service level change via Terraform, and developers should ask the DevOps team to do the same. Developers should still be able to trigger CI/CD for their application rollouts without DevOps involvement.
From the DuploCloud portal, click on your name in the top right corner and select Profile. Click on the VPN URL and enter the required credentials. On the first login, scan the barcode displayed on the screen. Download the profile, and add it to the OpenVPN Connect. The next time you log in with OpenVPN, you will be prompted to enter the authentication code.
CI/CD is the topmost layer of the DevOps stack. DuploCloud should be viewed as a deployment and monitoring solution invoked by your CI/CD pipelines, written with tools such as CircleCI, Jenkins, GitHub Actions, etc. You build images and push them to container registries without involving DuploCloud, but you invoke DuploCloud to update the container image. An example of this is in the CI/CD section. DuploCloud offers its own CI/CD tool.
DuploCloud's out-of-the-box diagnostics stack is optional. To integrate with a third-party toolset like Datadog, you follow the toolset's guidelines and deploy collector agents. You can do this as if you are running an application within the respective DuploCloud tenants.
An overview of the DuploCloud Portal
This Getting Started module describes DuploCloud and its unique constructs and terminology. It also outlines the business value of automating your DevOps and Security Compliance cloud environments in the DuploCloud Portal.
To integrate your identity and access management service logins with your DuploCloud account, reach out to DuploCloud support for assistance. DuploCloud supports logins from these services:
Google SSO
Microsoft login
Azure Active Directory (AD)
Okta SSO
These tutorials are specific to various public cloud environments and demonstrate some of DuploCloud's most common use cases:
Support feature included with the product and how to contact DuploCloud Support
DuploCloud offers hands-on 24/7 Support for all customers via Slack or email as part of your subscription. Automation and Developer Self-Service are at the heart of the DuploCloud platform. We are dedicated to helping you achieve hands-off automation in the fastest time possible, via rapid deployment of managed service or customized Terraform scripts using our exclusive Terraform provider.
Use the customer Slack or Microsoft Teams channel created during the Onboarding process.
Send us an email at support@duplocloud.net.
Some of the ways we support our customers in real-time include, but are not limited to:
Any configuration changes in your public cloud infrastructures and associated Kubernetes (K8s) constructs that are managed by DuploCloud
Hands-on support for setting up CI/CD pipelines
Cloud Migration from any existing platform
Proactive, tailored EKS cluster upgrades designed for minimum downtime impact
Accelerated onboarding of existing Services
Troubleshooting and debugging
Apps and services crashing
OpenSearch or database instances slow or crashing
Proof-of-Concepts (PoCs) for third-party integrations, including roll-out to development environment
Downtime during Rolling Upgrades
Increases in billing by your public cloud provider that need investigation and clarification. Many times DuploCloud can suggest a more cost-effective alternative.
Consolidation of third-party tools for which you currently subscribe that are included with your DuploCloud subscription
Adding a CI/CD pipeline for a new service
We cover most of your DevOps needs, but there are some we do not cover or only partially support. Some examples of these include, but are not limited to:
Patching an application inside a Docker image
Monitoring alerts in a Network Operations Center (NOC)
Troubleshooting of application code
Database configuration
For organizations operating in regulated industries, the infrastructure needs to follow strict compliance guidelines. Some are stricter than others which is typically measured by the number of compliance controls that need to be satisfied. NIST, PCI, HITRUST, and SOC 2 are examples of such compliance standards. It could take companies 6 months to a year to make a 50-node infrastructure compliant with these standards.
The AWS PCI guide is 3400 pages long! Operational Best Practices for PCI DSS 3.2.1 - AWS Config (amazon.com) Even if one were to scope it to 20 commonly used services, the control set is overwhelming!
The application engineers start off by giving a set of requirements to the operations or DevOps team. This typically includes:
High level architecture. Like the AWS example shown in the figure below which depicts the following: - A set of docker containers to be deployed connected to a SQL database along with a Redis instance and an S3 bucket. - Part of the containers needs to be behind a public ELB, part behind an internal LB. - Data science team may want a Spark cluster connected to ES - Lambda functions behind API gateway are to be deployed. One could draw similar examples for other cloud providers
2. Multiple environments might be required: Dev, Stage, QA and Production. In some case there may be a need to deploy a unique copy of the application for each customer (Single Tenant Application).
3. Diagnostics. Central logging, monitoring and alerting must be established.
4. Compliance standards. Specific standards are to be met like PCI, HIPAA, SOC 2 etc.
5. CI/CD is to be established.
New features and enhancements in DuploCloud
AWS
Enable automatic AWS ACM (SSL) Certificates for a Plan.
Configure K8s Ingress redirect using a container port name.
Enable UltraWarm Data nodes for OpenSearch domains.
Support for upgrading EKS components (add-ons).
Add a Web App Firewall URL when creating or updating a Plan.
Create an OpenSearch domain.
Create Lambdas with Ephemeral Storage.
Support for Lambda Dead Letter Queues.
Set a delivery delay for SQS Queues, using increments of seconds.
Configure Vanta compliance controls for DuploCloud Tenants.
Support for OpenSearch storage options.
Security Configurations Settings documentation section added.
GCP
GKE Standard mode is supported when creating DuploCloud Infrastructures.
Support for Firestore databases.
Create Node Pools with support for accelerators and taints.
Support for GKE Ingress.
General
Set Tenants to expire at specified dates and times.
Configure settings for all new Tenants under a Plan using Tenant Config tab.
SIEM - Configure agents to install on specific Tenants.
AWS
Enable Spot Instances for EKS Autoscaling Groups (ASG).
Implement Kubernetes Lifecycle Hooks while Adding a DuploCloud EKS/Native Service.
Enable shared hosts to allow K8s Pods in a Tenant to run on Hosts in another Tenant.
Set a default automated backup retention period for databases.
Enable bucket versioning when creating an S3 bucket.
Create an Amazon Machine Image (AMI).
Use dedicated hosts to launch Amazon EC2 instances and provide additional visibility and control over how instances are placed on a physical server.
Automatically reboot a host upon StatusCheck faults or Host disconnection.
Support for SNS Topic Alerts, enabling notifications and alerts across different AWS services and external endpoints.
Establish VPN connections for private endpoints when creating an Infrastructure.
Restore an RDS to a particular point in time.
Dynamically change the configuration of a Kafka Cluster.
Fields for Sort Key and Key Type are now available when creating a DynamoDB.
Azure
Create a MySQL Flexible Server managed database service.
Add an Azure Service Bus.
Kubernetes
Follow logs for K8s containers in real-time.
Influence Pod scheduling by specifying K8s YAML for Pod Toleration.
Create Kubernetes Jobs (K8s Jobs) in AWS and GCP to manage short-lived, batch workloads in a Kubernetes cluster.
Create Kubernetes CronJobs (K8s CronJobs) in AWS and GCP to schedule long-term K8s Jobs to run at preset intervals.
General updates
The DuploCloud UI contains numerous design, navigational, and usability improvements, including new menus for managing an RDS, Containers, and Hosts. These improvements are cross-platform and apply to AWS, Azure, and GCP.
Quickly search the DuploCloud Portal for any navigation menus or tab labels, such as Kubernetes Secrets and Spend by Month, by using the Search box at the top center of the DuploCloud Portal.
Use the Supported Third-Party Tools page for a list of functionality supported by DuploCloud, out-of-the-box.
DuploCloud no longer supports launch configurations. Instead, launch templates are created. If you use launch configurations, DuploCloud automatically converts them to launch templates with no interruption in uptime.
AWS
Hibernate an EC2 host instance.
AWS
Set a monitoring interval for an RDS database.
Enable or disable logging for an RDS database.
Add custom Lambda image configurations and URLs.
Enable Object Lock in S3 Buckets to prevent objects from being deleted or overwritten.
Configure a custom S3 Bucket for auditing.
Customize a Node Selector for EKS Services to prevent overrides of specific configurations.
Access ECS container task shells directly from the DuploCloud Portal.
Ability to designate Essential Containers in Task definitions for ECS Services.
Automate fault healing on EC2 Hosts that fail a status check.
Enhanced support for Startup Probes.
GCP
Support for Redis database instances.
Support for SQL databases.
Change Cloud Armour Security Policies.
General updates
Last Login card available for determining the last user sign-in when viewing user access.
Grant access to specific databases to non-administrators.
AWS
Enable EKS endpoints in a DuploCloud Infrastructure, in a more cost-effective and secure manner. Enabling endpoints in DuploCloud allows your network communication to remain internal to the network, without using NAT gateways.
Multiple containers are now supported in the ECS Task Definitions tab.
Start, stop, and restart up to twenty (20) services at one time.
Add VPC Endpoints to a DuploCloud Infrastructure to create a private connection to supported AWS services and VPC endpoint services powered by AWS PrivateLink.
Define S3 bucket policies.
Support for Lambda Layers has been added.
CloudWatch EventBridge rules and targets are supported.
The CloudFront feature and associated UI tab have been relocated in the DuploCloud Portal from the Cloud Services -> App Integration menu item to the Cloud Services -> Networking menu item.
Azure
Support for Redis databases is available.
GCP
Cloud Armour is supported, to monitor your cloud infrastructures and deployed applications against cyber-attacks.
AWS
Define custom CIDRs for NLB Load Balancers.
Manage multiple Load Balancer settings using the Load Balancer tab's Other Settings card. Settings include specifying a Web Application Firewall (WAF) Access Control List (ACL), enabling HTTP to HTTPS redirects, enabling Access Logs, setting an Idle Timeout, and an option to drop invalid headers.
Specify custom public and private EKS endpoints for your DuploCloud Infrastructure during or after creating an Infrastructure.
JIT Access to the AWS Console is redesigned with several usability enhancements.
Support for Aurora RDS Serverless and MySQL read replicas and ability to modify Serverless replica instance size.
Improved documentation for upgrading an EKS cluster version.
Azure
Add a direct link to the Azure Console from a DuploCloud Host page Actions Menu.
General Updates
Set read-only access to specific Tenants for DuploCloud users.
AWS
Virtual Private Cloud (VPC) peering is supported to facilitate data transfer between VPCs.
EMR Serverless is supported to run open-source big data analytics frameworks without configuring, managing, and scaling clusters or servers.
DuploCloud users can obtain Just-In-Time (JIT) access to the AWS Console.
AWS SQS Standard and FIFO queues are now supported.
Use the DuploCloud Portal to work with AWS Internet of Things (IoT).
Support for Redis database versions when creating Elastic Cache (Ecache).
Enable shell access for ECS, Kubernetes, and Native docker containers using a simplified workflow.
Reduce storage cost and increase performance by setting GP3 as your default storage class.
GCP
Updated documentation for supported databases.
CI/CD
Documentation for Bitbucket Pipelines is available, which allows developers to automatically build, test, and deploy their code every time they push changes to an Atlassian Bitbucket repository.
Terraform
Added IdleTimeout
to duplocloud_aws_load_balancer
resource.
AWS
Enable Elastic Kubernetes Service (EKS) for your existing infrastructure. EKS versions 1.22 and 1.23 are supported.
Timestream databases are now supported.
General updates
Delete VPN connections for users.
AWS
AWS ElastiCache, a managed caching service for Redis and Memcached, is now supported.
Monitor Tenant usage in Cost Management for billing with weekly or monthly views. After clicking the Spend by Tenant tab, you can also select the shared card to display tax and support costs.
Maintain cluster stability with Ingress Health Checks annotations.
Azure
Support for Kubernetes Ingress.
Monitor Tenant usage in the Cost Management for billing feature with weekly or monthly views.
Edit Azure agent pools, used to run Azure Kubernetes (AKS) workloads.
GCP
Monitor Tenant usage in the Cost Management for billing feature with weekly or monthly views.
Kubernetes (K8s)
Support for Kubernetes Ingress in Azure.
Maintain cluster stability with Ingress Health Checks annotations for AWS.
Use the K8s Admin dashboard to monitor StatefulSets in AWS.
Edit Azure agent pools, used to run Azure Kubernetes (AKS) workloads.
Ability to add Path-Based Routing rules: Configure path-based routing rules for application load balancers.
Support for Aurora Serverless V2: User can create and manage Aurora Serverless V2 RDS.
Billing License Usage: Overview of DuploCloud License Usage according to current service usage.
Ability to add Logging Infra at Tenant Level: Support to configure logging setup other than default tenant.
Support multiple docker registry credentials in a single tenant: The user can configure multiple docker registry credentials from the plan.
Support for Amazon Managed Apache Airflow: Ability to configure AWS Managed Airflow
Configure custom prefix for S3: Ability to configure a prefix for S3 bucket names.
Azure Support to add Storage account: Create Storage Accounts, File Shares, and generate Shared Access Signature (SAS).
Multiple Azure User Enhancements were made.
Support for Elastic File System (EFS): Support for adding EFS has been added to DuploCloud. You can create and mount a shared filesystem for an Infrastructure in the DuploCloud Portal.
Support for adding Kubernetes Storage Class: Support for Kubernetes Storage Class and Persistent Volumes is now available.
Support for Kubernetes Secret Provider Class: This provides the ability to integrate AWS parameters and secrets to be available as Kubernetes secrets.
Ability to add Lambda using Container Images: Users can now configure an AWS Lambda using Container images.
Support to configure RDS Automatic Backup Retention: Administrators can configure RDS Automatic Backup Retention in days at the system level
Export Terraform from an existing Tenant: Ability to export DuploCloud terraform provider code for an existing DuploCloud Tenant
Ability to Automatically generate Alert: Users can now configure automated alarm creation in AWS, to make sure any new resource added to their environment is not missed from monitoring.
Ability to set resource allocation quotas by an Admin: Administrators would often like to restrict the type of resources that should or should not be provisioned in their environments. This feature allows them a way to configure those rules via a DuploCloud Plan.
Support for Kubernetes Ingress Controller: Support for the K8s Ingress controller has been added, this is a key piece of functionality for traffic routing to a K8s cluster.
RDS Snapshot Management: Support to manage RDS database snapshot was added to the Portal, accessible through the RDS page.
Terraform Provider updates: Expanded support for more resources in the DuploCloud terraform provider, specifically for Microsoft Azure.
The high level application and compliance requirements are passed onto a DevOps team that is the subject matter expert for the Cloud. This team would accept the requirements and translate them into hundreds or thousands of lower level configurations, best practices and compliance controls. These include IAM Roles, Instance profiles, KMS Keys, PEM key, vulnerability scanning system, virus scanners, VPC, Security Groups, Intrusion detection, etc. This translation is usually done based on human knowledge and subject matter expertise in the area. Further, DevOps engineers are usually required to write thousands of lines of code to implement these requirements using programming languages like Terraform, Python and Bash.
A common misconception is that Terraform automates the DevOps workflow. In fact, Terraform is only a programming language. One needs substantial infrastructure know-how to build automation using Terraform. Typically, DevOps engineers are not aware of compliance nuances that go beyond best practices and have to redo a lot of the work on an ongoing basis.
DevOps essentially is a skill that requires one to be a programmer (to write IaC), an operator, and a compliance expert. These are three distinct skill sets that have never traditionally co-existed in the IT industry. This is the #1 challenge in the DevOps space.
DuploCloud is a software platform that essentially takes three high level inputs:
High Level Application Architecture as we explained before.
Compliance Standard that is required, like SOC 2, PCI, HIPAA, etc.
Public Cloud Provider where the application will be deployed.
With the above inputs, the platform is able to automatically generate the required lower level configurations that are compliant and can be used by end users like engineers and DevOps alike. All the best practices and compliance controls are baked in. Standard functions like central logging monitoring and reporting dashboards are available out-of-the-box.
Users interact with the system either using a no-code UI or a low-code Terraform provider. The Terraform provider enables the user to achieve the same automation with 10x less code, requiring little DevOps skills compared to using native Terraform.
The greatest capability of the DuploCloud platform is the application infrastructure centric abstraction created on top of the cloud provider which enables the user to deploy and operate their applications without knowledge of lower level DevOps nuances. Further, unlike a PAAS such as Heroku, the platform does not get in the way of users consuming cloud services directly from the cloud provider, as in a user directly operating on constructs like S3, DynamoDB, Lambda functions, GCP Redis, Azure SQL etc., while offering greater scale and unlimited flexibility.
The following picture shows the high level abstractions within which applications are deployed and users operate.
While there are many concepts in the policy model, the following are the main ones to be aware of:
Infrastructure
Plan
Tenant
App and Cloud Services
Diagnostics
Some concepts relating to security (DevSecOps) are hidden from the end user, for example IAM roles, KMS keys, Azure Managed Identities, GCP service accounts etc. However, even those are configurable for the operator and in any case since this is a self-hosted platform running in the customer's own cloud account, the platform is capable of working in tandem with direct changes on the cloud account by an administrator. This is explained with examples at
Each Infrastructure represents a network connection to a unique VPC/VNET, in a region with a Kubernetes. In case of AWS it can also include an ECS. Infrastructure can be created with 4 basic inputs: Name, VPC CIDR, Number of AZs, Region, and the option to enable or disable a K8S/ECS cluster. Behind the scenes, the system will automatically create the subnets, NAT gateway, routes, and clusters in the given region.
If the Infrastructure requirement includes custom Private/Public Subnet CIDR, it can be achieved using Advanced Options.
A common use for Infrastructure is having two Infrastructures, one for prod and one for non-prod. Another one is having an infrastructure in a different region either for DR or localized deployments for clients in that region.
Corresponding to each Infrastructure is the concept of a Plan. A Plan is a placeholder or a template for configurations. These configurations are consistently applied to all Tenants within the Plan (or Infrastructure). Examples of such configurations are:
Certificates available to be attached to Load Balancers in Tenants of this Plan
Machine images
WAF web ACLs
Common IAM policies and SG rules to be applied to all resources in Tenants within the Plan
Unique or shared DNS domain name where applications provisioned in Tenants within the Plan can have a unique DNS name in this domain
Resource Quota: The plan also has a resource quota that is enforced in each of the Tenants within that Plan
DB Parameter Groups
Several policies and feature flags are to be applied at the infrastructure level on Tenants within the Plan
The figure below shows a screenshot of the plan constructs:
When creating DuploCloud Plans and DNS names, consider the following to prevent DNS issues:
Plans in different portals will delete each other's DNS records, so each portal must use a distinct subdomain for its Plans.
DuploCloud Plans in the same portal can share a DNS domain without deleting each other's records. Duplo-created DNS names will always include the Tenant name, which prevents collisions.
The recommended practice for most portals is to set all Plans to the same DNS name, including the default
Plan.
Ideally, custom subdomains will be set in the Plans before turning on shell, monitoring, or logging. If the DNS is changed later, those services may need to be updated.
Configure settings for all new Tenants under a Plan
You can configure settings to apply to all new Tenants under a Plan using the Config tab. Tenant Config settings will not apply to Tenants created under the Plan before the settings were configured.
From the DuploCloud portal, navigate to Administrator -> Plan.
Click on the Plan you want to configure settings under in the NAME column.
Select the Config tab.
Click Add. The Add Config pane displays.
From the Config Type field, select TenantConfig.
In the Name field, enter the setting that you would like to apply to new Tenants under this Plan. (In the example, the enable_alerting setting is entered.)
In the Value field, enter True.
Click Submit. The setting entered in the Name field (enable alerting in the example) will apply to all new Tenants added under the Plan.
You can check that the Tenant Config settings are enabled for new Tenants on the Tenants details page, under the Settings tab.
From the DuploCloud portal, navigate to Administrator -> Tenants.
From the NAME column, select a Tenant that was added after the Tenant Config setting was enabled.
Click on the Settings tab.
Check that the configured setting is listed in the NAME column. (Enable Alerting in the example.)
Tenant is the most fundamental construct in DuploCloud which is essentially like a project or a workspace and is a child of the infrastructure. While Infrastructure is a VPC level isolation, Tenant is the next level of isolation implemented by segregating Tenants using Security Groups, IAM role, Instance Profile, K8S Namespace, KMS Key, etc., in case of AWS. Similar concepts are leveraged from other cloud providers like resource groups, managed identity, ASG, etc., in Azure.
A Tenant is fundamentally four things, at the logical level:
Container of resources: All resources (except ones corresponding to infrastructure) are created within the Tenant. If we delete the tenant then all resources within that are terminated.
Security Boundary: All resources within the tenant can talk to each other. For example a Docker container deployed in an EC2 instance within the tenant will have access to S3 buckets and RDS instances within the same tenant. RDS instances in another tenant cannot be reached, by default. Tenant can expose endpoints to each other either via ELBs or explicit inter-tenant SG and IAM policies.
User Access Control: Self-service is the bedrock of the DuploCloud platform. To that end, users can be granted Tenant level access. For example John and Jim are developers who can be granted access to Dev tenant, while Joe is an administrator who has access to all tenants, while Anna is a data scientist who has access only to the data science tenant.
Billing Unit: Since Tenant is a container of resources, all resources in the tenant are tagged with the Tenant's name in the cloud provider, making it easy to segregate usage by tenant.
A common use case for Tenant in an organization that contains 4 tenants: Dev and QA are under the non-prod infrastructure, while the Pre-prod and Prod tenants are under the Prod Infrastructure. In larger organizations, one could have tenants by groups as well like a tenant for Data Science, Tenant for web application, etc. We have seen companies creating dedicated tenants for each of their end user clients in cases where the application is single Tenant. Tenant is a logical concept that can be used either way.
Compliance and security is DuploCloud's bread-and-butter. The core approach is out-of-box compliance where the users don't have to explicitly learn and apply compliance controls. Following are some of the white papers on how DuploCloud implements security and compliance
We support several other standards including NIST, ISO, GDPR and so on.
A Service could be a Kubernetes Deployment, Stateful set or a Daemon set. It can also be a Lambda function or an ECS task or service. It essentially captures a microservice. Each service (except Lambda) can be given a load balancer to expose itself and be assigned a DNS name.
DuploCloud Service should not be confused with a Kubernetes or a ECS service. By service we mean application components that can either be Docker-based or serverless.
Below is an image of some properties of a service:
Cloud Services: DuploCloud supports a simple application specific interface to configure dozens of cloud services like S3, SNS, SQS, Kafka, Elasticsearch, Data Pipeline, EMR, Sagemaker, Azure Redis, Azure SQL, Google Redis, etc. Almost all commonly used services are supported and new ones are constantly added. A typical request to support a new service takes the DuploCloud team a matter of days, based on the complexity of the service.
While users specify application level constructs for provisioning cloud resources, all the underlying DevOps and compliance controls are implicitly added by DuploCloud.
IMPORTANT: All services and cloud features are created within a Tenant.
The DuploCloud platform automatically orchestrates three main diagnostic functions:
Central Logging: A shared Elasticsearch cluster is deployed and file beat is installed in all worker nodes to fetch the logs from various applications across tenants. The logs are injected with metadata corresponding to Tenant name, service name, container ID, Host name, etc. Further, each tenant has the central logging dashboard which includes the Kibana view of the logs from applications within the service. See the screenshot below:
Metrics: Metrics are fetched from hosts, containers, and cloud services like ELB, RDS, Redis, etc., and displayed in Grafana. Behind the scenes, for cloud services, these are collected by calling cloud provider APIs like CloudWatch and Azure Mon, while for nodes and containers, this is done using Prometheus, Node Exporter, and cAdvisor. Again, the dashboards are Tenant-centric and segregated per application and cloud service as shown in the picture below:
Alarms and Faults: The platform creates faults for many failures automatically, such as Health check, container crashes, node crashes, deployment failures, etc. Further, users can easily set alarms on cloud services like CPU and Memory on EC2 instances, Free Disk space in RDS database, etc. All failures are displayed as faults per tenant. Sentry and Pager Duty projects can be linked to each tenant and DuploCloud will send these faults there so the user can set notification configurations.
Audit Trail: An audit trail of all changes made to the system are logged in Elasticsearch where these can be audited using high level constructs like changes by tenant, by service, by change type, by user and dozens of other such filters.
About DuploCloud's No-Code / Low-Code approach
DuploCloud provides a no-code UI-based approach to building and operating cloud infrastructures. Visit our Video Library for demos.
For an audience that desires to use Infrastructure-as-Code (IaC), we have a Terraform Provider that enables low-code IaC. This provider exposes all DuploCloud abstractions and constructs to be programmed using Terraform. Using the DuploCloud Terraform provider, you build the same infrastructure, using 10 times less code, with all compliance controls built-in. You are not required to have subject matter expertise in DevOps or SecOps. This whitepaper describes the process in detail.
A common misconception is that DuploCloud generates Terraform behind the scenes to provision the cloud infrastructure. The DuploCloud UI and Terraform (with the DuploCloud Provider) are layered on top of DuploCloud. Behind the scenes, DuploCloud uses the cloud provider APIs as shown in the picture below
DuploCloud uses APIs behind the scenes, beyond processing user requests, generating configurations synchronously, and calling the cloud provider. Many more operations require asynchronous processing, requiring a state machine with retries and the ability to continuously detect and fix configuration drift. Faults and compliance controls must be monitored continuously.
Terraform, or any scripting approach, is meant to be run with human supervision. There is no synchronicity and retries --- scripts start and end, processed as single threads.
For more information about No-Code/Low-Code and how it relates to Click Ops, see this FAQ.
Multiple container orchestration technologies for ease of consumption
Most application workloads deployed on DuploCloud are in Docker containers. The rest consist of serverless functions, Big data workloads like Amazon EMR jobs, Airflow and SageMaker. DuploCloud abstracts the complexity of container orchestration technologies, allowing you to focus on the deployment, updating, and debugging of your containerized application.
Among the technologies supported are:
Kubernetes: On AWS, DuploCloud supports orchestration using Elastic Kubernetes Service (EKS). On GCP we support GKE auto pilot and node pool based. On Azure we support AKS and Azure web apps.
Built-in (DuploCloud): DuploCloud platform's Built-in container management has the same interface as the docker run
command, but it can be scaled to manage hundreds of containers across many hosts, providing capabilities such as associated load balancers, DNS, and more.
AWS ECS Fargate: Fargate is a technology you can use with Elastic Container Service (ECS) to run containers without having to manage servers or clusters of EC2 instances.
Use the feature matrix below to compare the features of the orchestration technologies that DuploCloud supports. Whatever option you choose, DuploCloud can help you implement it through the Portal or the Terraform API.
One dot indicates a low rating, two dots indicate a medium rating, and three dots indicate a high rating. For example, Kubernetes has a low ease-of-use rating but a high rating for stateful applications.
Use the definitions below to understand how each feature in the matrix above is rated compared to Kubernetes, Built-in, or ECS Fargate.
Ease of Use:
Kubernetes is extensible and customizable, but not without a cost in ease-of-use. The DuploCloud platform reduces the complexities of Kubernetes, making it comparable with other container orchestration technologies in ease-of-adoption.
DuploCloud's Built-In orchestration mirrors docker run
. You can Secure Shell (SSH) into a virtual machine (VM) and run docker
commands to debug and diagnose. If you have an application with a few stateless microservices or configurations that use environment variables or AWS services such as SSM, S3, or Secret store, consider using DuploCloud's Built-in container orchestration.
ECS Fargate contains proprietary constructs (such as task definitions, tasks, or services) that can be hard to learn. As Fargate is serverless, you have no control over the Host Docker, so commands such asdocker ps and docker restart
are unavailable. This makes debugging a container crash very difficult and time-consuming. DuploCloud simplifies using Fargate with an out-of-the-box setup for logging, shell access, and abstraction of proprietary constructs and behavior.
Features and Ecosystem Tools: Kubernetes is rich in additional built-in features and ecosystem tools, most notably Secrets Management and ConfigMaps. Built-In and ECS rely on native AWS services such as AWS Secrets Manager, SSM, S3, and so on. While Kubernetes features have an equivalent in AWS, third parties tend to publish their software as Kubernetes packages (Helm Charts). Some examples are Influx DB, Time Series DB, Prefect, etc.
Suitability for Stateful apps: Stateful applications should be avoided in AWS. Instead, managed cloud storage solutions should be leveraged for the best availability and SLA compliance. In scenarios where this is undesirable due to cost, Kubernetes offers the best solution. Kubernetes uses StatefulSets and Volumes to implicitly manage Elastic Block Storage (EBS) volumes. With Built-in and ECS, you must use a shared EFS drive, which may not have feature parity with Kubernetes volume management.
Stability and Maintenance: Even though Kubernetes is highly stable, it is an open-source product. The native customizability and extensibility of Kubernetes can lead to points of failure when a mandatory cluster upgrade is needed, for example. This complexity often leads to support costs from third-party vendors. Maintenance can be especially costly with EKS, as versions are frequently deprecated, requiring you to upgrade the control plane and data nodes. While DuploCloud automates this upgrade process, it still requires careful planning and execution.
AWS Cost: While the EKS control plane cost is relatively low, operating an EKS environment without business support (at an additional premium) is not recommended. If you are a small business, you may be able to add the support tier when you need it and remove it when not needed to reduce costs.
Multi-Cloud: For many enterprises and independent software vendors this is, or will soon be, a requirement. While Kubernetes provides this benefit, DuploCloud's implementation is much easier to maintain and implement.
Feature | Kubernetes | Built-In | ECS Fargate |
---|---|---|---|
Ease of use
Features and ecosystem tools
Suitability for stateful apps
Stability and maintenance
AWS cost
Multi-cloud (w/o DuploCloud)
Kubernetes features in the DuploCloud Portal
DuploCloud leverages Kubernetes as a foundational building block behind many of its managed Services.
As DuploCloud supports Kubernetes Cluster enablement on all public cloud platforms, there are many Kubernetes objects and components that you can work with. This includes the flexibility to choose the instance type based on workload characteristics, such as compute or memory-intensive tasks, and AI/ML workloads which may benefit from GPU instances. It's recommended to have a minimum disk capacity of 40GB per host to accommodate image sizes and application data.
Use the topics in this section to implement many Kubernetes features with little or no hard coding, using DuploCloud's no-code/low-code approach. This encompasses configuring autoscaling for your EKS cluster based on CPU/memory usage through Horizontal Pod Autoscaler (HPA) or Auto Scaling Groups (ASG) to efficiently scale your pods or underlying infrastructure as needed.
For information about public-cloud provider-specific Kubernetes container features, see the Kubernetes Containers documentation in AWS EKS, for example. Additionally, DuploCloud can integrate with CloudWatch alarms via the DuploCloud UI for setting up custom alerts for CPU/memory usage, ensuring proactive monitoring and management of resources. This integration supports forwarding alerts to various notification systems like Sentry, PagerDuty, NewRelic, or OpsGenie for immediate action.
Moreover, when managing your Kubernetes clusters, it's possible to add allocation tags to existing nodes with running services. This action modifies a label on the Kubernetes node, influencing future pod scheduling without affecting currently running services. To apply the new allocation tags to existing services, a restart of the services is required, allowing for more granular control over resource allocation and utilization within your cluster.
Accessing kubectl without administrator privileges
If you don't have administrator privileges, use this procedure to access kubeconfig
using the kubectl
token. kubeconfig
is a YAML file that stores cluster authentication information for kubectl. It contains a list of contexts to which kubectl refers when running commands. By default, kubeconfig
is saved in the $HOME/
directory in the Linux operating system.
Add the following code to your AWS profile:
kubectl
tokenThe token that you download is for the selected Tenant only. It is intended for use with a non-human DuploCloud service account.
In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.
Select the Service from the Name column.
From the KubeCtl item list, select KubeCtl Token. The KubeCtl Token window displays.
Click Copy to copy the kubectl
commands in the Token window to your clipboard.
From the KubeCtl item list, select KubeCtl Shell to launch the shell instance. Paste the copied commands into the shell and run them.
Look at the following individual cloud provider specific DuploCloud docs for a quick start that shows how to quickly launch a Kubernetes cluster, deploy a simple webapp and expose it via load balancer.
Accessing kubectl on your local computer
You can access kubectl
on a local computer to a Kubernetes cluster with cluster-admin
privileges to download and run kubeconfig
.
• Obtaining JIT access, using the UI and CLI.
• Installing duplo-jit
, using various tools.
• Getting credentials for AWS access interactively, or with an API token.
• Accessing the AWS Console.
kubeconfig
In the DuploCloud Portal, navigate to Administrators -> Infrastructure.
In the Name column, select the Infrastructure in which you want to set up kubectl
.
Click the EKS (for AWS) tab, GKE (for GCP) tab, or the AKS (for Azure) tab.
Click Download Kube Config to download the kubeconfig
file.
Run these commands to enable kubectl
to use the downloaded kubeconfig
.
For Linux or macOS:
For Windows:
In the DuploCloud Portal, navigate to Kubernetes -> Containers. Click on the menu icon () in the row of the Infrastructure for which you want to view the shell, and select Container Shell. The bash shell displays.
Before beginning, refer to this article for more information about.
You can obtain Just-In-Time (JIT) access to Kubernetes by using duplo-jit
. See the documentation for detailed information about:
If you don't have Administrator access, you can use duplo-jit
to access Kubernetes. When you click Download Kube Config, the Access to Kubernetes from your Workstation window displays, which provides you the alternative of installing to access your Kubernetes cluster without obtaining permanent access keys.
Use these to install kubectl
locally.
Key terms and concepts in DuploCloud Container Orchestration
The following concepts do not apply to ECS. ECS uses a proprietary policy model, which is explained in a later section.
Familiarize yourself with these DuploCloud concepts and terms before deploying containerized applications in DuploCloud. See use cases for a description of DuploCloud Infrastructures and Tenants.
These are virtual machines (EC2 Instances, GCP Node pools or Azure Agent Pools). By default, apps within a Tenant are pinned to VMs in the same Tenant. One can also deploy Hosts in one Tenant that can be leveraged by apps in other Tenants. This is called the shared host model. The shared host model does not apply to ECS Fargate.
Service is a DuploCloud term and is not the same as a Kubernetes Service. In DuploCloud, a Service is a micro-service defined by a Name, Docker Image, Number of Replicas, and many other optional parameters. Behind the scenes, a DuploCloud Service maps 1:1 to a DeploymentSet or a StatefulSet, based on whether the microservice has stateful volumes. There are many optional Service configurations representing various ways that Docker containers can be run. Among these are:
Environment variables
Host Network Mode
Volume mounts
Entrypoint or command overrides
Resource caps
Kubernetes health checks
If a service needs to be pinned to run only a specific set of hosts, you set an Allocation Tag on both the hosts, as well as the Service. Allocation Tags are case-insensitive substrings. Allocation Tags on a service should be a substring of the tag specified on the host. For example, if a Host is tagged as HighCpu;HighMem, then the service (if it is tagged highcpu) can be allocated on this host. If a service does not have any tag set, it can be placed on any host.
If the host is tagged with a specific value, and you have services with the same tag, the host is available for any service which has no tags. If you want the exclusive assignment of a host to a set of services, ensure every service in the Tenant is tagged.
For Kubernetes deployments the concept of allocation tags is realized by mapping it to labels on nodes and then node selector on the Deploymentset or Statefulset
By default, Docker containers have their network addresses. At times, you may want these containers to reuse the same network interface that the VM uses. This reuse is called Host Network Mode.
Every DuploCloud Service that communicates with other Services, needs to be exposed by a LoadBalancer. DuploCloud supports the following Load Balancers (LBs).
Application Elastic Load Balancer (ELB): When exposed by an ELB, the DuploCloud Service is reachable from anywhere unless it is marked as Internal, in which case it is reachable only from within the VPC (or DuploCloud Infrastructure). Application ELBs allow you to use a certificate for terminating SSL on the LB, which allows you to avoid providing application SSLs and certificates, such as a certificate issued from AWS Amazon Certificate Manager (ACM). In Kubernetes, the platform creates a NodePort pointing to the DeploymentSet and adds the Host IPs of the worker nodes to the ELB. Traffic flows from the client to the external port defined in the ELB (for example, 443), to the ELB's NodePort (for example, 30004 on the Worker Node), and to the Kubernetes Proxy running on each Worker Node. The Worker Node forwards the NodePort to the container.
Classic ELB (Only applicable to Built-In Container Orchestration): Classic ELBs can be used when the application is exposing non-HTTP ports and they operate on any TCP port. When exposed by an ELB, the Service is reachable from anywhere unless it is marked as Internal, in which case it is reachable only from within the VPC (or DuploCloud infrastructure). Classic ELBs allow you to use a certificate for terminating SSL on the LB. which allows you to avoid providing application SSLs and certificates, such as a certificate issued from AWS Amazon Certificate Manager (ACM).
Cluster IP (Kubernetes only): Kubernetes ClusterIP load balancers can be used if you are required to expose the application only within the Kubernetes Cluster.
Using K8s Secrets with Azure Storage Accounts
Refer to steps to configure the new Storage Account and FileShare in Azure.
Copy Storage Account Key and FileShare Name from DuploCloud Portal for creating Kubernetes Secrets in the next step.
Navigate to Kubernetes -> Secrets. Create a Kubernetes Secret Object using an Azure Storage Account.
For more information, see Kubernetes Configs and Secrets.
While creating a deployment, under Other Pod Config and Other Container Config, provide the configuration below to create and mount the storage volume for your service. In the configuration below, shareName
attribute should be the File Share name which you can get from the Storage Account screen.
Create Kubernetes Jobs in AWS and GCP from the DuploCloud Portal
In Kubernetes, a Job is a controller object that represents a task or a set of tasks that runs until successful completion. It is designed to manage short-lived, batch workloads in a Kubernetes cluster. You use a Job when you need to run a task or a set of tasks once, to completion, rather than continuously, as in other types of controllers such as Deployments.
Refer to the Kubernetes Job documentation for use cases and examples of when to use jobs.
Pods are the smallest deployable units of computing that you can create and manage in Kubernetes. A Pod is a group of one or more containers, with shared storage and network resources, including a specification that dictates how to run the containers. A Pod's contents are always co-located and co-scheduled, and run in a shared context. A Pod models an application-specific "logical host": it contains one or more application containers that are tightly coupled.
In the DuploCloud Portal, you can create K8s Jobs to create one or more Pods. The Job continues to retry execution of the Pods until a specified number of them successfully terminate. The K8s Jobs tracks the successful terminations. When the specified number of successful terminations completes, the Job is marked as completed
in Kubernetes. Deleting a Job cleans up the Pods that the job created. Suspending a Job delete the Job's active Pods until the Job is resumed again.
You typically create one Job object to reliably run one Pod to completion. The Job object starts a new Pod if the first Pod fails or is deleted (for example, in case of a node hardware failure or a node reboot).
You can also use a Job to run multiple Pods in parallel. If you want to run a Job (either a single task, or several in parallel) on a schedule, see CronJobs.
In the DuploCloud Portal, select the Tenant you are working with from the Tenant list box at the top-left of the DuploCloud Portal.
Navigate to Kubernetes -> Job.
Click Add. The Add Kubernetes Job page displays.
In the Basic Options step, specify the Kubernetes Job Name.
In the Container - 1 area, specify the Container Name and associated Docker Image.
In the Command field, specify the command attributes for Container - 1. Click the Info Tip icon for examples. Select and Copy commands as needed.
In the Init Container - 1 area, specify the Container Name and associated Docker Image.
Click Next to open the Advanced Configuration step.
In the Other Spec Configuration field, specify the Job spec (in YAML) for Init Container - 1. Click the Info Tip icon for examples. Select and Copy commands as needed.
Click Create. The job is created and displayed on the Job page with a status of Active.
In the DuploCloud Portal, navigate to Kubernetes -> Job.
Select the job you want to view and click the Overview, Containers, and Details tabs for more information about the job status and job history.
You can view K8s Jobs linked to Containers by clicking the Container Name on the Containers page (Kubernetes -> Containers).
You can filter Container names by using the search field at the top of the page, as in this example:
In the DuploCloud Portal, navigate to Kubernetes -> Job.
Select the K8s job you want to edit.
You can edit a job in the DuploCloud Portal and modify the following fields:
Cleanup After Finished in Seconds
Other Spec Configuration
Metadata Annotations
Labels
In the DuploCloud Portal, navigate to Kubernetes -> Job.
Select the K8s job you want to delete.
To run the Job to completion, you must specify a Kubernetes Init Container. Click the Add Container button and select the Add Init Container option. The Init Container - 1 area displays.
You can also view details of a job by clicking the menu icon ( ) icon to the left of the job name and selecting View.
Click the options menu ( ) icon to the left of the job you want to edit and select Edit.
Click the job options menu ( ) icon to the left of the job name and select Delete.
Set Kubernetes Secrets in the DuploCloud Portal and manage them effectively.
To securely manage sensitive information in your deployment, set and reference Kubernetes secrets in the DuploCloud Portal.
In the DuploCloud Portal, navigate to Kubernetes -> Secrets. The Kubernetes Secrets page displays.
Click Add.
Fill in the fields (Secret Name, Secret Type, Secret Details, Secret Labels, and Secret Annotations).
Click Add. The Kubernetes Secret is set.
To enhance the security and management of Kubernetes secrets, consider the following strategies:
Utilize Centralized Secret Management Tools: Centralize the management of secrets to streamline access and control.
Implement Access Controls: Define who can access or modify secrets to minimize risk.
Regularly Rotate Secrets: Change secrets periodically to reduce the impact of potential breaches.
Audit Access Logs: Keep track of who accesses secrets and when, to detect unauthorized access or anomalies.
By integrating these practices, you can ensure a more secure and efficient handling of secrets within your Kubernetes environment.
Set EVs from the Kubernetes ConfigMap
In Kubernetes, you populate environment variables from application configurations or secrets.
In the DuploCloud Portal, navigate to Kubernetes -> Config Maps.
Click Add. The Add Config Map pane displays.
Name the ConfigMap you want to create, such as my-config-map
.
Add a Data key/value pair for each file in your ConfigMap, separated by a colon (:
). The key is the file name, and the value is the file's contents.
Click Create.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
Select the Service you want to modify from the Name column.
Click the Actions menu and select Edit.
You can import the entire ConfigMap as Environment Variables or choose specific keys to import as environment variables.
The most straightforward approach is to import the entire ConfigMap as environment variables. Using this approach, your service will recognize each key in the ConfigMap defined as an environment variable.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Other Container Config field, enter the configuration YAML to import environment variables from a ConfigMap. For example, to import all environment variables from a ConfigMap named my-env-vars
, use the following YAML:
To import from additional ConfigMaps, duplicate the YAML from lines 2 and 3 in the above example for each config map that you want to import from.
Another approach is to select which keys to import from the ConfigMap as environment variables. This method gives you complete control over each environment variable as well as its name, but it requires you to perform more manual configuration.
On the Edit Service: service_name Basic Options page, in the Environment Variables field, enter the configuration for choosing environment variables to import from a ConfigMap. For example, to set a single environment variable (ENV_VAR_ONE)
to the value of the MY_ENV_VAR
key in the my-env-vars
config map, use the following YAML:
To add additional environment variables, duplicate the YAML from lines 2 through 5 in the above example for each environment variable that you want to add.
You can import Kubernetes Secrets as Environment Variables.
In the DuploCloud Portal, navigate to Kubernetes -> Secrets.
Click Add. The Add Kubernetes Secret page opens.
Create a Secret Name, such as my-env-vars
.
From the Secret Type list box, select Opaque.
In the Secret Details field, Add Data key/value pairs for each Environment Variable in your ConfigMap, separated by a colon (:
). The key is the Environment Variable name, and the value is the Environment Variable's value.
Click Add to create the secret.
Before you configure Environment Variables, you must create a DuploCloud Service.
The most straightforward approach is to import the entire Secret as environment variables. Using this approach, your service will recognize each key in the Secret defined as an environment variable.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Other Container Config field, enter the configuration YAML to import environment variables from a Secret. For example, to import all environment variables from a secret named my-env-vars
, use the following YAML:
To import from additional secrets, duplicate the YAML from lines 2 and 3 in the above example for each secret that you want to import.
Another approach is to select which keys to import from the Secret as environment variables. This method gives you complete control over each environment variable as well as its name, but it requires you to perform more manual configuration.
On the Edit Service: service_name Basic Options page, in the Environment Variables field, enter the configuration for choosing specific environment variables to import from a Secret. For example, to set a single environment variable (ENV_VAR_ONE)
to the value of the SECRET_ENV_VAR
key in the my-env-vars
secret, use the following YAML:
To import from additional secrets, duplicate the YAML from lines 2 and 5 in the above example for each secret that you want to import.
Set up Kubernetes Ingress and Load Balancer with K8s NodePort
Ingress controllers abstract the complexity of routed Kubernetes application traffic, providing a bridge between Kubernetes services and services that you define.
See the Containers topic for steps on how to create Tenants, Hosts, and Services.
Once your service is deployed, you are ready to add and configure Kubernetes Ingress by enabling the AWS Application Load Balancer.
Your administrator needs to enable the AWS Application Load Balancer controller for your infrastructure before you can use Ingress.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure and select the Infrastructure name from the NAME column. Select the Settings tab.
Click Add. The Infra - Custom Data pane displays.
From the Setting Name list box, select Enable ALB Ingress Controller.
Select Enable.
Click Set. In the Settings tab, the Enable ALB Ingress Controller setting displays a Value of true.
Add a load balancer listener that uses Kubernetes (K8s) NodePort. Kubernetes Health Check and Probes are enabled by default. To specifically configure the settings for Health Check, select Additional Health Check configs when you add the Load Balancer.
In the DuploCloud Portal, navigate Kubernetes -> Services.
On the Services page, select the Service name in the Name column.
Click the Load Balancers tab.
Click Configure Load Balancer. The Add Load Balancer Listener pane appears.
In the Select Type field, select K8S Node Port.
Complete the other required fields in the Add Load Balancer Listener pane and click Add. The Load Balancer displays in the Load Balancers tab.
Once Services are deployed, add Ingress:
Select Kubernetes -> Ingress from the navigation pane.
Click Add. The Add Kubernetes Ingress page displays.
You must define rules to add a Kuberenetes Ingress. Continue to the next section to add rules to Kubernetes Ingress and complete the Ingress setup.
In the Add Kubernetes Ingress page, configure Ingress by clicking Add Rule. The Add or Edit Ingress Rule pane displays.
Specify the Path (/ in the example above).
To use a container port name (optional), use the toggle switch to enable Use Container Port Name.
If you enabled Use Container Port Name in step 3., type a Service name in the Service Name field (redirect:use-annotation in the example) and a container port name in the Container Port field (use-annotation in the example).
If you did not enable Use Container Port Name in step 3., from the Service Name list box, select the Service exposed through the K8S Node Port. The Container Port field is completed automatically.
Click Add Rule. The rule is displayed on the Add Kubernetes Ingress page. Add additional rules by repeating the preceding steps.
On the Add Kubernetes Ingress page, specify the Ingress Name.
From the Ingress Controller list box, select the Ingress Controller that you defined previously.
From the Visibility list box, select either Internal Only or Public.
From the Certificate ARN list box, select the appropriate ARN.
Click Add Redirect Config. The Add Redirect Config pane displays.
Fill the fields as shown in the example above.
Click Add to add the Kubernetes Ingress with defined rules. The Ingress you added displays in the K8S Ingress tab.
DuploCloud Platform supports defining multiple paths in Ingress. For example, you could define an Ingress rule with an Exact Path Type to route requests to /path1/
for js-service1, add a rule with a Prefix Path Type to route requests to /path2/
for testsvc2. Additionally, you could add a rule with a Prefix Path Type to route requests via a BYOH Host (Bring-Your-Own-Host) named example.com, for a third service, testsvc3.
When Ingress is configured, you can access Services based on the rules for each DNS, displayed on the Kubernetes -> Ingress page.
In this example, we display the output for three services with Path Type rules and different DNS names. See the previous example for detailed steps to create Ingress rules.
By executing curl
commands, you can see the difference in the output for each service in this example. Configured services are accessed based on the DNS name specified in the DuploCloud Portal and the paths that you specified when you added Ingress rules.
>curl http://ig-nev-ingress-ing-t2-1-duplopoc.net/
path-x
/ this is service1 >curl http://ing-doc-ingress-ing-t2-1-duplopoc.net/
path-y
/ this is service2
>curl http://ing-public-ingress-ing-t2.1.duplopoc.net/
path-z
/
this is ING2-PUBLIC
Ingress controllers abstract the complexity of routed Kubernetes application traffic, providing a bridge between Kubernetes services and services that you define.
Once your service is deployed, you are ready to add and configure Kubernetes Ingress. There are slightly different steps to create ingress in each of the cloud.
Schedule a Kubernetes Job in AWS and GCP by creating a CronJob in the DuploCloud Portal
In the DuploCloud Portal, navigate to Kubernetes -> CronJob.
Click Add. The Add Kubernetes CronJob page displays.
In the Basic Options step, specify the Kubernetes CronJob Name.
In the Container - 1 area, specify the Container Name and associated Docker Image.
In the Command field, specify the command attributes for Container - 1. Click the Info Tip icon for examples. Select and Copy commands as needed.
In the Init Container - 1 area, specify the Container Name and associated Docker Image.
Click Next to open the Advanced Configuration step.
Click Create. The K8s CronJob is created and displayed on the CronJob page and will be run according to the schedule you specified.
In the DuploCloud Portal, navigate to Kubernetes -> CronJob.
Select the CronJob you want to view and click the Overview, Schedule, and Details tabs for more information about the job schedule and job history.
You can also view CronJobs linked to containers by clicking the container Name on the Containers page (Kubernetes -> Containers).
You can filter container names by using the search field at the top of the page, as in this example:
In the DuploCloud Portal, navigate to Kubernetes -> CronJob.
Select the K8s CronJob you want to edit.
You can edit a Kubernetes Job in the DuploCloud Portal and modify the following fields:
Cleanup After Finished in Seconds
Other Spec Configuration
Metadata Annotations
Labels
In the DuploCloud Portal, navigate to Kubernetes -> CronJob.
Select the K8s CronJob you want to delete.
Optionally, complete Path Type and Host. In this example, we specify a Path Type of Exact. Clicking the Info Tip icon ( ) provides more information for these optional fields.
See the topic for steps on how to create , Hosts, and .
A CronJob is a variant of a , with the exception that you can schedule a CronJob to run at periodic intervals.
See the Kubernetes documentation on for more information.
In the Schedule field, specify the Cron Schedule in Cron Format. Click the Info Tip icon for examples. When specifying a Schedule in Cron Format, ensure you separate each value with a space. For example, 0 0 * * 0
is a valid Cron Format input; 00**0
is not. See the for detailed information about Cron Format.
To run the CronJob to completion, you must specify a Kubernetes . Click the Add Container button and select the Add Init Container option. The Init Container - 1 area displays.
In the Other Spec Configuration field, specify the job spec (in YAML) for Init Container - 1. Click the Info Tip icon ( ) for examples. Select and Copy commands as needed
You can also view details of a Kubernetes CronJob by clicking on the menu icon ( ) icon to the left of the job name and selecting View.
Click the options menu ( ) icon to the left of the CronJob name and select Edit.
Click the Job Options Menu ( ) icon to the left of the Job name and select Delete.
Support for specifying K8s YAML for Pod Toleration
DuploCloud supports the customization of many Kubernetes (K8s) YAML operators, such as tolerations
. If you are using a Docker container, you can specify the tolerations
operator configuration in the Other Container Config field in the container definition in DuploCloud
In the DuploCloud Portal, navigate to Kubernetes -> Services or Docker -> Services. The Services page displays.
Select the Service from the NAME column.
From the Actions menu, select Edit. The Edit Service page displays.
Click Next to proceed to the Advanced Options page.
In the Other Container Config field, add the tolerations
operator YAML you have customized for your container.
Click Update. Your container has been updated with your custom specification for the tolerations operator.
tolerations
operator YAMLIn this example:
If a Pod is running and a taint matching key1
exists on the node, then the Pod will not schedule the node (NoSchedule
).
If a Pod is running and a taint matching example-key
exists on the node, then the Pod stays bound to the node for 6000
seconds, and then is evicted (NoExecute
). If the taint is removed before that time, the Pod will not be evicted.
Create a GKE Ingress using the DuploCloud Portal
GCP's Ingress Controller for GKE automatically manages traffic routing to Kubernetes services, integrating Kubernetes workloads with Google Cloud's load-balancing infrastructure. It simplifies external access to applications, handling SSL termination and global load distribution.
GCP offers its own Ingress Controller, specifically created for Google Kubernetes Engine (GKE), to seamlessly integrate Kubernetes services with Google Cloud's advanced load balancing features.
Container-native load balancing on Google Cloud Platform (GCP) allows load balancers to directly target Kubernetes Pods instead of using a node-based proxy. This approach improves performance by enabling more efficient routing, reducing latency by eliminating extra hops and providing better health-checking capabilities.
It leverages the network endpoint groups (NEGs) feature to ensure that traffic is directed to the appropriate container instances, enabling more granular and efficient load distribution for applications running on GKE.
See the Containers topic for steps on how to create Tenants, and Services.
Once your services are deployed, you are ready to add and configure a GKE Ingress controller in GCP.
Add a load balancer listener that uses Kubernetes (K8s) ClusterIP type service. Kubernetes Health Check and Probes are enabled by default. To specifically configure the settings for Health Check, select Additional Health Check configs when you add the Load Balancer.
In the DuploCloud Portal, navigate Kubernetes -> Services.
On the Services page, select the Service name in the Name column.
Click the Load Balancers tab.
Click Configure Load Balancer. The Add Load Balancer Listener pane appears.
From the Select Type list box, select K8S Cluster IP.
Complete the other required fields in the Add Load Balancer Listener pane and click Add. The Load Balancer displays in the Load Balancers tab.
Click Advanced Kubernetes Settings and enable Set Health Check annotations for Ingress. (This will add required annotations in Kubernetes Service to be recognized by the GKE Ingress Controller)
Click Add.
In order to enable SSL, you can create a GCP-managed certificate resource in the application namespace.
Once Services are deployed, add an Ingress:
Select Kubernetes -> Ingress from the navigation pane.
Click Add. The Add Kubernetes Ingress page displays.
You must define rules to add a Kubernetes Ingress. Continue to the next section to add rules to Kubernetes Ingress and complete the Ingress setup.
In the Add Kubernetes Ingress page, configure Ingress by clicking Add Rule. The Add Ingress Rule pane displays.
Specify the Path (/samplePath/ in the example above).
From the Service Name list box, select the Service exposed through the K8S ClusterIP (nginx-test in the example above). The Container port field is completed automatically.
Click Add Rule. The rule is displayed on the Add Kubernetes Ingress page. Add additional rules by repeating the preceding steps.
On the Add Kubernetes Ingress page, specify the Ingress Name.
From the Ingress Controller list box, select gce.
From the Visibility list box, select Internal Only or Public.
If you have created a GCP managed certificate, add the following annotations in the Annotations field to link the Ingress with your GCP managed certificate
Click Add to add the Kubernetes Ingress with defined rules. The Ingress you added displays in the Ingress page.
When Ingress is configured, you can access Services based on the rules for each DNS, displayed in the K8S Ingress tab.
In this example, we display the output for three Services with Path Type rules and different DNS names. See the previous example for detailed steps to create Ingress rules.
The Ingress creation will take a few minutes. Once the IP is attached to the ingress, you are ready to use your path- or host-based routing defined via ingress!
Adding an Ingress for DuploCloud Azure load balancers
Ingress controllers abstract the complexity of routed Kubernetes application traffic, providing a bridge between Kubernetes services and services that you define.
To add an SSL certificate to a service using Kubernetes Ingress, see Using the SSL certificate for Ingress in DuploCloud in the Import SSL Certificates prerequisite for Azure in DuploCloud.
Before you add an Ingress rule, you need to enable the Ingress Controller for the application gateway.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Select the Infrastructure from the Name column.
Click the Settings tab.
Click Add. The Infra-Set Custom Data pane displays.
In the Setting Name field, select Enable App Gateway Ingress Controller. Click Enable and Set. In the Settings tab, the Enable App Gateway Ingress Controller setting contains the true value.
Add a load balancer listener that uses the Kubernetes NodePort (K8S NodePort).
Using Kubernetes Health Check allows AKS's Application Load Balancer to determine whether your service is running properly.
You must create Services to run the load balancers. In this example, we name these services s1-alb and s4-nlb, respectively.
In the DuploCloud Portal, navigate DevOps -> Containers -> AKS/Native.
On the Services page, select the Service name in the Name column.
Click the Load Balancers tab.
Click Configure Load Balancer. The Add Load Balancer Listener pane appears.
In the Select Type field, select K8S Node Port.
In the Health Check field, add the Kubernetes Health Check URL for this container.
Complete the other fields in the Add Load Balancer Listener and click Add.
Add an Ingress rule to listen on port 80 (in this example) using both load balancers.
If you use a port other than 80, you must define an additional Security Group rule for that port. See this section for more information.
DuploCloud Platform supports defining multiple paths in Ingress.
In the DuploCloud Portal, navigate to DevOps -> Containers -> AKS / Native.
Click the K8S Ingress tab.
Click Add. The Add Kubernetes Ingress page displays.
Supply the Ingress Name, select the Ingress Controller azure-application-gateway, and set Visibility to Public.
Click Add Rule. The Add Ingress Rule pane displays. Specify a unique Path identifier.
In the Service Name field, select s1-alb:80. Click Add Rule to add the load balancer.
Add another rule by clicking Add Rule. The Add Ingress Rule pane displays. In the Service Name field, select s4-nlb:80. Click Add Rule to add the load balancer.
On the Add Kubernetes Ingress page, Add to finish setting up the load balancer rules.
Port 80 is configured by default when adding Ingress. If you want to use a custom port number other than 80, set up an additional Security Group Rule for the custom port using this procedure.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Select the Infrastructure from the Name column.
Click the Security Group Rules tab.
Click Add. The Add Infrastructure Security pane displays.
Define the rule and click Add. The rule is added to the Security Group Rules list.
Once Ingress is configured, you can access Services based on the rules for each DNS.
By executing curl
commands, you can see the difference in the output for each service. Configured services are accessed based on the DNS name specified in the DuploCloud Portal and the paths that you configured when you added Ingress rules.
>curl http://ig-nev-ingress-ing-t2-1.duplopoc.net/
this is IG-NEV >curl http://ing-doc-ingress-ing-t2-1.duplopoc.net/
this is ING-DOC
>curl http://ing-public-ingress-ing-t2.1.duplopoc.net/
this is ING2-PUBLIC
Support Kubernetes Horizontal Pod Autoscaler in the DuploCloud Portal
Optionally, complete Path Type and Host. In this example, we specify a Path Type of Exact. Clicking the Info Tip icon ( ) provides more information for these optional fields.
See the topic in the AWS DuploCloud documentation.
A triggers events to run at different stages of a Container's lifecycle. These hooks run scripts or commands before or after a specific event, such as a container being created, started, or stopped. Lifecycle hooks perform tasks like starting services, or initializing, configuring, or verifying containers.
You can implement Kubernetes Lifecycle Hooks while by adding the YAML like the example below to the Other Container Config field.
AWS-specific cloud provider deployments
Before you begin, read through the DuploCloud Platform Overview and are familiar with DuploCloud terms such as Infrastructure, Plan, and Tenant.
The DuploCloud platform installs in an EC2 instance within your AWS account. It can be accessed using a web interface, API, and a Terraform provider.
Log in to the DuploCloud portal, using single sign-on (SSO), with your GSuite or O365 login.
Before getting started:
Set up the DuploCloud Portal and ensure that you have access to it.
Connect to the DuploCloud Slack channel for support from the DuploCloud team.
Tasks to perform before you use AWS with DuploCloud
Before using DuploCloud, ensure the following prerequisites are met.
Read the Access Control section to ensure at least one person has administrator access.
Creating a Route 53 hosted zone to program DNS entries
The DuploCloud platform needs a unique Route 53 hosted zone to create DNS entries for services that you deploy. The domain must be created out-of-band and set in DuploCloud. The zone is a subdomain such as apps.[
MY-COMPANY
].com
.
Never use this subdomain for anything else, as DuploCloud owns all CNAME
entries in this domain and removes all entries it has no record of.
To create the Route53 hosted zone using the AWS Console:
Log in to the AWS console.
Navigate to Route 53 and Hosted Zones.
Create a new hosted zone with the desired domain name, for example, apps.acme.com
.
Access the hosted zone and note the name server names.
Go to your root Domain Provider's site (for acme.com
, for example), and create a NS
record that references the domain name of the hosted zone you created (apps.acme.com
) and add the zone name to the name servers that you noted above.
Once this is complete, provision the Route53 domain in every DuploCloud Plan, starting with the default plan. Add the Route53 hosted zone ID and domain name, preceded with a dot (.).
Do not forget the dot (.) at the beginning of the DNS suffix, in the form as shown below.
Note that this domain must be set in each new Plan you create in your DuploCloud Infrastructure.
Get up and running with DuploCloud inside an AWS cloud environment; harness the power of generating application infrastructures.
This Quick Start tutorial shows you how to set up an end-to-end cloud deployment. You will create AWS infrastructure and tenants and, by the end of this tutorial, you can view a deployed sample web application.
Estimated time to complete tutorial: 75-95 minutes.
When you complete the AWS Quick Start Tutorial, you have three options or paths, as shown in the table below.
Using EKS - You create a service in DuploCloud using AWS Elastic Kubernetes Service and expose it using a load balancer within DuploCloud.
Using ECS - You create an app and service in DuploCloud using AWS Elastic Container Service.
Using Native Docker Services - You create a service in Docker and expose it using a load balancer within DuploCloud.
There are optional steps in each tutorial path, in the table below, marked with an asterisk ( * ). While these steps are not needed to complete each tutorial, you may want to perform or read through them, as they are tasks that are normally completed when you create production-ready services.
For information about the differences between these methods, to help you choose which method best suits your needs, skills, and environments, see this AWS blog and the Docker documentation.
* - Optional Step
Click the card below to open the DuploCloud video page to watch a number of DuploCloud demos.
Creating K8s PVCs and StorageClass constructs in the DuploCloud Portal
You can configure the Storage Class and Persistent Volume Claims (PVCs) from the DuploCloud Portal.
Click Add. The Add Kubernetes Persistent Volume Claim page displays.
Define the PVC Name, Storage Class Name, Volume Name, Volume Mode, and other details such as volume Access Modes.
Click Add.
On the Kubernetes Storage page, select the Storage Class option.
Click Add. The Add Kubernetes Storage Class page displays.
Define the Storage Class Name, Provisioner, Reclaim Policy, and Volume Binding Mode. Select other options, such as whether to Allow Volume Expansion.
Click Add.
In the DuploCloud Portal, navigate to Kubernetes -> Storage.
Click Add. The Add Kubernetes Storage Class page displays.
Create a Storage Class, as in the example below.
Step | EKS | ECS | Native Docker Services |
---|---|---|---|
In the DuploCloud Portal, navigate to Kubernetes -> Storage. The Kubernetes Storage page displays. From this page, you define your Kubernetes and . The Persistent Volume Claims option is selected by default.
For information on using Native Azure StorageClasses, .
1
Create Infrastructure and Plan
Create Infrastructure and Plan
Create Infrastructure and Plan
2
Create Tenant
Create Tenant
Create Tenant
3
Create RDS *
Create RDS *
Create RDS *
4
Create Host
Create a Task Definition for an application
Create Host
5
Create Service
Create the ECS Service and Load Balancer
Create app
6
Create Load Balancer
Test the app
Create Load Balancer
7
Enable Load Balancer Options *
Test the App
8
Create Custom DNS Name *
9
Test the App
Creating the DuploCloud Infrastructure and a Plan
Each DuploCloud Infrastructure is a connection to a unique Virtual Private Cloud (VPC) network that resides in a region that can host Kubernetes clusters, EKS or ECS clusters, or a combination of these, depending on your public cloud provider.
After you supply a few basic inputs DuploCloud creates an Infrastructure for you, within AWS and within DuploCloud, with a few clicks. Behind the scenes, DuploCloud does a lot with what little you supply — generating the VPC, Subnets, NAT Gateway, Routes, and EKS or ECS cluster.
With the Infrastructure as your foundation, you can customize an extensible, versatile Platform Engineering development environment by adding Tenants, Hosts, Services, and more.
Estimated time to complete Step 1: 40 minutes. Much of this time is consumed by DuploCloud's creation of the Infrastructure and enabling your EKS cluster with Kubernetes.
Before starting this tutorial:
Learn more about DuploCloud Infrastructures, Plans, and Tenants.
Reference the Access Control documentation to create User IDs with the Administrator role. To perform the tasks in this tutorial, you must have Administrator privileges.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
Click Add. The Add Infrastructure page displays.
From the table below, enter the values that correspond to the fields on the Add Infrastructure page. Accept all other default values for fields not specified.
Select either Enable EKS or Enable ECS Cluster option. You will follow different paths in the tutorial for creating Services with EKS, ECS, or DuploCloud Docker.
Click Create to create the Infrastructure. It may take up to half an hour to create the Infrastructure. While the Infrastructure is being created, a Pending status is displayed in the Infrastructure page Status column, often with additional information about what part of the Infrastructure DuploCloud is currently creating. When creation completes, a status of Complete displays.
DuploCloud begins creating and configuring your Infrastructure and EKS/ECS clusters using Kubernetes.
It may take up to forty-five (45) minutes for your Infrastructure to be created and Kubernetes (EKS/ECS) enablement to be complete. Use the Kubernetes card in the Infrastructure screen to monitor the status, which should display as Enabled when completed. You can also monitor progress by using the Kubernetes tab, as DuploCloud generates your Cluster Name, Default VM Size, Server Endpoint, and Token.
Every DuploCloud Infrastructure generates a Plan. Plans are sets of templates that are used to configure the Tenants or workspaces, in your Infrastructure. You will set up Tenants in the next tutorial step.
Before proceeding, confirm that a Plan exists that corresponds to your newly created Infrastructure.
In the DuploCloud Portal, navigate to Administrator -> Plans. The Plans page displays.
Verify that a Plan exists with the name NONPROD, the name that you gave to the Infrastructure you created.
You previously verified that your Infrastructure and Plan were created. Now verify that Kubernetes is enabled before proceeding to Create a Tenant.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
From the Name column, select the NONPROD Infrastructure.
Click the EKS or ECS tabs. When Kubernetes has been Enabled for EKS or ECS, details are listed in the respective tab. The Infrastructure page displays the Enabled status on the Kubernetes card for EKS clusters. For ECS, the Cluster Name is listed in the ECS tab.
Create an Certificate for AWS Certificate Manager
For example, if the Route 53 Hosted Zone created is apps.acme.com
, then the ACM certificate specifies *.apps.acme.com
. You can add additional domains to this certificate (for example, *.acme.com
.
Once the certificate is issued, add the Amazon Resource Name (ARN) of the certificate in the DuploCloud Plan so that it is available to subsequent configurations, starting with the DuploCloud default plan.
In the DuploCloud Platform, navigate to Administrator -> Plans. The Plans page displays.
Select the DEFAULT Plan from the Name column.
Click the Certificates tab.
Click Add.
In the Name field, enter a certificate name.
In the Certificate ARN field, enter the ARN.
Click Create. The ACM Certificate with ARN is created.
Note that the ARN Certificate must be set for every new Plan created in a DuploCloud Infrastructure.
Configure DuploCloud to automatically generate Amazon Certificate Manager (ACM) Certificates for your Plan's DNS.
From the DuploCloud portal, navigate to Administrator -> Systems Settings.
Select the System Config tab, and click Add. The Add Config pane displays.
From the Config Type list box, select Flags.
From the Key list box, select Other.
In the Key field that displays, enter enabledefaultdomaincert
.
In the Value list box, select True.
Click Submit.
Add Infrastructure page field | Value |
---|---|
The DuploCloud platform needs a wild character AWS Certificate Manager (ACM) certificate that corresponds to the domain you created for the .
The ACM certificate is used with AWS Elastic Load Balancers (ELBs) that are created as part of DuploCloud application deployment. Follow this .
Name
nonprod
Region
YOUR_GEOGRAPHIC_REGION
VPC CIDR
10.221.0.0/16
Subnet CIDR Bits
24
Enabling shell access using native Docker or ECS
DuploCloud allows shell access into the deployed containers. Shell access is enabled differently, depending on whether you use native Docker or ECS.
To enable shell access for the DuploCloud Docker Native container system:
In the DuploCloud Portal, navigate to Docker -> Services, displaying the Services page.
From the Docker list box, click Enable Docker Shell. The Start Shell Service pane displays.
From the Certificate list box, select a certificate name.
From the Visibility list box, select Public.
Click Update.
A provisioned service named dockerservices-shell is created, enabling you to access the Service containers using SSH.
Optionally, DuploCloud provides just-in-time (JIT) access to both the container shell and the kubectl
shell directly from your browser.
In the DuploCloud Portal:
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the Default Tenant.
Navigate to Docker -> Services, displaying the Services page.
Click Enable Docker Shell. The Start Shell Service pane displays.
From the Platform list box, select Kubernetes.
From the Certificate list box, select a certificate name.
From the Visibility list box, select Public.
Click Update.
Now you can begin using the Kubernetes (K8s) shell from the DuploCloud Portal for K8s services.
Navigate to Kubernetes -> Services. The Service page displays.
From the KubeCtl list box, click KubeCtl Shell.
In the DuploCloud Portal, navigate to Kubernetes -> Containers.
Select Container Shell or Host Shell from the Actions menu. The container or host shell launches in AWS Systems Manager.
You can also view the ECS task shell and select the container shell to which you want to connect.
In the DuploCloud Portal, navigate to Cloud Services -> ECS, displaying the ECS Task Definition page.
Select the name from the TASK DEFINITION FAMILY NAME column.
Select the Tasks tab.
To display the ECS task shell for any task, click on the (>_) icon in the Actions column of the appropriate row. Click on Console for AWS Console access, Logs for log data, or a container task shell of your choice. A browser launches to give you access to the resource you select.
Click the options menu () icon in the appropriate row.
Creating a DuploCloud Tenant that segregates your workloads
Now that the Infrastructure and Plan exist and a Kubernetes EKS or ECS cluster has been enabled, create one or more Tenants that use the configuration DuploCloud created.
Tenants in DuploCloud are similar to projects or workspaces and have a subordinate relationship to the Infrastructure. Think of the Infrastructure as a virtual "house" (cloud), with Tenants conceptually "residing" in the Infrastructure performing specific workloads that you define. As Infrastructure is an abstraction of a Virtual Private Cloud, Tenants abstract the segregation created by a Kubernetes Namespace, although Kubernetes Namespaces are only one component that Tenants can contain.
In AWS, cloud features such as IAM Roles, security groups, and KMS keys are exposed in Tenants, which reference these feature configurations.
Estimated time to complete Step 2: 10 minutes.
DuploCloud customers often create at least two Tenants for their production and non-production cloud environments (Infrastructures).
For example:
Production Infrastructure
Pre-production Tenant - for preparing or reviewing production code
Production Tenant - for deploying tested code
Non-production Infrastructure
Development Tenant - for writing and reviewing code
Quality Assurance Tenant - for automated testing
In larger organizations, some customers create Tenants based on application environments, such as creating one Tenant for Data Science applications and another Tenant for web applications, and so on.
Tenants are sometimes created to isolate a single customer workload, allowing more granular performance monitoring, scaling flexibility, or tighter security. This is referred to as a single-Tenant setup.
Before creating a Tenant, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
The NONPROD infrastructure has Kubernetes (EKS or ECS) Enabled.
Create a Tenant for your Infrastructure and Plan:
In the DuploCloud Portal, navigate to Administrator -> Tenants.
Click Add. The Create a Tenant pane displays.
Enter dev01 in the Name field.
Select the Plan that you created in the previous step (NONPROD).
Click Create.
Navigate to Administrator -> Tenants and verify that the dev01 Tenant displays in the list.
Navigate to Administrator -> Infrastructure and select dev01 from the Tenant list box at the top left in the DuploCloud Portal. Ensure that the NONPROD Infrastructure appears in the list of Infrastructures with the Status Complete.
Creating an RDS database to integrate with your DuploCloud Service
Estimated time to complete Step 3: 5 minutes.
Before creating an RDS, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Cloud Services -> Database. The Database page displays.
In the RDS tab, click Add. The Create a RDS page displays.
From the table below, enter the values that correspond to the fields on the Create a RDS page. Accept all other default values for fields not specified.
Click Create. The DUPLODOCS database displays in the RDS tab with a Status of Submitted. Database creation takes approximately ten (10) minutes.
DuploCloud prepends DUPLO to the name of your RDS database instance.
You can monitor the status of database creation using the RDS tab and the Status column.
Invalid passwords - Passwords cannot have special characters like quotes, @, commas, etc. Use a combination of upper and lower-case letters and numbers.
Invalid encryption - Encryption is not supported for small database instances (micro, small, or medium).
In the RDS tab, select the DUPLODOCS database you created.
Note the database Endpoint, the database name, and the database credentials. For security, the database is automatically placed in a private subnet to prevent all access from the internet. Access to the database is automatically set up for all resources (EC2 instances, containers, Lambdas, etc) in the DuploCloud dev01 Tenant. You need the Endpoint to connect to the database from an application running in the EC2 instance.
Not sure what kind of Duplcloud Service you want to create? Consider the following:
Creating an RDS database is not essential to running a DuploCloud Service. However, as most services also incorporate an RDS, this step is included to demonstrate the ease of creating a database in DuploCloud. To skip this step, proceed to the .
An is a managed Relational Database Service that is easy to set up and maintain in DuploCloud for AWS public cloud environments. RDSs support many databases including MySQL, PostgreSQL, MariaDB, Oracle BYOL, or SQL Server.
See the for more information.
An exist, both with the name NONPROD.
The NONPROD infrastructure has .
A Tenant with the name .
Create a RDS page field | Value |
---|
In the DuploCloud Portal Database page, in the RDS tab, when the database Status is Available, the database's endpoint is ready for connection to a DuploCloud Service, which you create and start in the .
Faults are shown in the DuploCloud Portal by clicking the Fault/Alert ( ) Icon. Common database faults that may cause database creation to fail include:
When you place a DuploCloud Service in a live production environment, consider passing the database endpoint, name, and credentials to a DuploCloud Service using , or .
When your and you have , choose one of these three paths to create a DuploCloud Service and continue this tutorial.
in DuploCloud running Docker containers
in DuploCloud running Docker containers
AWS EKS is a managed service. AWS ECS is a fully managed container orchestration service using AWS technology. For a full discussion of the benefits of EKS vs. ECS, consult this .
are ideal for lightweight deployments and run on any platform, using GitHub and other open-source tools.
RDS Name |
|
User Name |
|
User password |
|
Rds Engine |
|
Rds Engine Version |
|
Rds Instance Size |
|
Storage size in GB |
|
Finish the Quick Start Tutorial by creating an EKS Service
In this tutorial for DuploCloud AWS, you have so far created a VPC network with configuration templates (Infrastructure and Plan), an isolated workspace (Tenant), and optionally, an RDS database instance.
Now you need to create a DuploCloud Service on top of your Infrastructure and configure the Service to run and deploy your application. In this tutorial path, we'll deploy using Docker containers, leveraging AWS Elastic Kubernetes Service (EKS).
Alternatively, you can finish this tutorial by:
Creating an AWS ECS Service in DuploCloud running Docker containers
For a full discussion of the benefits of EKS vs. ECS, consult this AWS blog.
Estimated time to complete remaining tutorial steps: 30-40 minutes
For the remaining steps in this tutorial, you will:
Create a Host (EC2 Instance), which serves as an AWS EKS worker node.
Create a Service and applications (webapp) using the premade Docker image duplocloud/nodejs-hello:latest.
Expose the Service by creating and sharing a load balancer and DNS name.
Test the application.
Obtain access to the container shell and kubectl
for debugging.
Behind the scenes, the topology that DuploCloud creates resembles this low-level configuration in AWS.
Creating a Host that acts as an EKS Worker node
When you create an AWS EKS Service, you are using a combination of technologies from AWS and the Kubernetes open-source container orchestration system.
Kubernetes uses worker nodes to distribute workloads within a cluster. The cluster automatically distributes the workload among its nodes, enabling seamless scaling as required system resources expand to support your applications.
Estimated time to complete Step 4: 5 minutes.
Before creating a Host (essentially a Virtual Machine), verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant with the name dev01 has been created.
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Cloud Services -> Hosts. The Hosts page displays.
In the EC2 tab, click Add. The Add Hosts page displays.
In the Friendly Name field, enter host01.
From the Instance Type list box, select 2 CPU 4 GB - t3.medium.
Select the Advanced Options checkbox to display advanced configuration fields.
From the Agent Platform list box, select EKS Linux.
From the Image ID list box, select any Image ID that is prefixed by EKS (for example, EKS-Oregon-1.23).
Click Add. The Host is created, initialized, and started. In a few minutes, when the Status displays Running, the Host is available for use.
The EKS Image ID is the image published by AWS specifically for an EKS worker in the version of Kubernetes deployed at Infrastructure creation time. For this tutorial, the region is us-west-2, where the NONPROD Infrastructure was created.
If no Image ID is available with a prefix of EKS, copy the AMI ID for the desired EKS version by referring to this AWS documentation. Select Other from the Image ID list box and paste the copied AMI ID in the Other Image ID field. Contact the DuploCloud Support team via your Slack channel if you have questions or issues.
Verify that the Host you created has a Status of Running.
Adding a security layer and enabling other options for your Load Balancer
This step is optional and not necessary to run the example application in this tutorial.
However, while it's not as important to secure a load balancer for a small web application in a tutorial, your production cloud apps require an elevated level of protection.
To set up a Web Application Firewall (WAF) for a production application, follow the steps in the Web Application Firewall procedure. You won't set up a WAF in this tutorial.
Otherwise, to skip this step, proceed to the next page in this tutorial.
In this tutorial step, for the Application Load Balancer (ALB) you created in Step 6, you will:
Enable access logging to monitor HTTP message details.
Protect against requests that contain invalid headers.
Estimated time to complete Step 7: 5 minutes.
Before securing a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant with the name dev01 has been created.
A Host with the name host01 has been created.
A Service with the name demo-service has been created.
An HTTPS ALB Load Balancer has been created.
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.
From the Name column, select the Service to which your Load Balancer is attached (demo-service).
Click the Load Balancers tab.
In the Other Settings card, click Edit. The Other Load Balancer Settings pane displays.
In the Web ACL list box, select None, because you are not connecting a Web Application Firewall.
For this tutorial, select only the Enable Access Logs and Drop Invalid Headers options.
Accept the Idle Timeout default setting and click Save. The Other Settings card in the Load Balancers tab is updated with your selections.
Verify that the Other Settings card contains the selections you made above for:
Web ACL - None
HTTP to HTTPS Redirect - False
Enable Access Logs - True
Drop Invalid Headers - True
Creating a Service to run a Docker-containerized application
DuploCloud supports three container orchestration technologies to deploy containerized applications in AWS:
Native EKS
Native ECS Fargate
Built-in container orchestration in DuploCloud using EKS/ECS Kubernetes
You can use any of these methods, which all employ Docker containers. This tutorial uses DuploCloud's built-in container orchestration using EKS and Kubernetes
You don't have to have experience with Kubernetes to deploy an application in the DuploCloud Portal. However, it is helpful to be familiar with the Docker platform. Docker runs on any platform and provides an easy-to-use UI for creating, running, and managing containers, in which your application code resides.
This tutorial will access a pre-built Docker container to deploy a simple Hello World NodeJS
web app. When you run the application, DuploCloud accesses Docker images in a preconfigured Docker Hub.
When you run your own applications, you will choose a public image or provide credentials to access your private repository. Before you deploy your own applications, configure your Docker Registry credentials in DuploCloud.
Estimated time to complete Step 5: 10 minutes.
Before creating a Service, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant with the name dev01 has been created.
A host with the name host01 has been created.
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to DevOps -> Containers -> EKS/Native. The Services page displays.
Click Add. The Add Service page displays.
From the table below, enter the values that correspond to the fields on the Add Service page. Accept all other default values for fields not specified.
Click Next. The Advanced Options page is displayed.
At the bottom of the Advanced Options page, click Create. Your Service is created and initialized. In about five (5) minutes, in the Containers tab, your DuploCloud Service displays a Current status of Running.
From the table below, enter the values that correspond to the fields on the Add Service page. Accept all other default values for fields not specified.
Click Next. The Advanced Options page is displayed.
At the bottom of the Advanced Options page, click Create. Your Service is created and initialized. In about five (5) minutes, in the Containers tab, your DuploCloud Service displays a Current status of Running.
Use the Containers tab to monitor the Service creation status, between Desired (Running) and Current.
Follow the steps in Creating Services using Autoscaling Groups. In the Add Service page, Basic Options, Select Tolerate spot instances.
Verify that your DuploCloud Service, demo-service, has a Current status of Running.
Add a Service page field | Value |
---|---|
Service Name
demo-service
Docker Image
duplocloud/nodejs-hello:latest
Finish the Quick Start Tutorial by creating an ECS Service
This section of the tutorial shows you how to deploy a web application with AWS Elastic Container Service (ECS).
For a full discussion of the benefits of using EKS vs. ECS, consult this AWS blog.
Instead of creating a DuploCloud Service with AWS ECS, you can alternatively finish the tutorial by:
Creating an AWS EKS Service in DuploCloud running Docker containers or
Unlike AWS EKS, creating and deploying services and apps with ECS requires creating a Task Definition, a blueprint for your application. Once you create a Task Definition, you can run it as a Task or as a Service. In this tutorial, we run the Task Definition as a Service.
To deploy your app with AWS ECS in this ECS tutorial, you:
Create a Task Definition using ECS.
Create a DuploCloud Service named webapp, backed by a Docker image.
Expose the app to the web with a Load Balancer.
Complete the tutorial by testing your application.
Estimated time to complete remaining tutorial steps: 30-40 minutes
Behind the scenes, the topology that DuploCloud creates resembles this low-level configuration in AWS.
Changing the DNS Name for ease of use
It is possible to modify the DNS Name after you create a Load Balancer Listener for ease of use and reference by your applications, but it isn't necessary to run your application or complete this tutorial.
Estimated time to complete Step 8: 5 minutes.
Before securing a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.
From the Name column, select demo-service.
Click the Load Balancers tab. The ALB Load Balancer configuration is displayed.
In the DNS Name card, click Edit. The prefix in the DNS Name is editable.
Edit the DNS Name and select a meaningful DNS Name prefix.
Click Save. A Success message briefly displays at the top center of the DuploCloud Portal.
An entry for your new DNS name is now registered with demo-service.
The DNS Name card displays your modified DNS Name.
To skip this step, proceed to .
Once the load balancer is created, DuploCloud programs an autogenerated DNS Name registered to demo-service in the domain. Before you create production deployments, you must Hosted Zone domain, if the DuploCloud staff has not already created one for you. For this tutorial, it is not necessary to create the domain.
An exist, both with the name NONPROD.
The NONPROD infrastructure has .
A Tenant with the name .
A Host with the name .
A Service with the name .
An has been created.
Create an ECS Service from Task Definition and expose it with a Load Balancer
Now that you've created a Task Definition, you create a Service, which creates a Task (from the definition) to run your application. A Task is the instantiation of a Task Definition within a cluster. After you create a task definition for your application within Amazon ECS, you can specify multiple tasks to run on your cluster, based on your performance and availability requirements.
Once a Service is created, you must create a Load Balancer to expose the Service on the network. An Amazon ECS service runs and maintains the desired number of tasks simultaneously in an Amazon ECS cluster. If any of your tasks fail or stop for any reason, the Amazon ECS service scheduler launches another instance based on parameters specified in your Task Definition. It does so in order to maintain the desired number of tasks created.
Estimated time to complete Step 5: 10 minutes.
Before creating the ECS Service and Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
The NONPROD infrastructure has ECS Enabled.
A Tenant with the name dev01 has been created.
A Task Definition named sample-task-def has been created.
Tasks run until an error occurs or a user terminates the Task in the ECS Cluster.
In the DuploCloud Portal's Tenant list box. select Tenant dev01.
Navigate to Cloud Services -> ECS.
In the Task Definitions tab, select the Task Definition Family Name, DUPLOSERVICES-DEV01-SAMPLE-TASK-DEF. This is the Task Definition Name that you created prepended by a unique identified, which includes your Tenant name (DEV01) and part of your Infrastructure name (ECS-TEST).
In the Service Details tab, click the Configure ECS Service link. The Add ECS Service page displays.
In the Name field, enter sample-httpd-app as the Service name.
In the LB Listeners area, click Add. The Add Load Balancer Listener pane displays.
From the Select Type list box, select Application LB.
In the Container Port field, enter 3000.
In the External Port field, enter 80.
From the Visibility list box, select Public.
In the Heath Check field, enter /, specifying root
, the location of Kubernetes Health Check logs.
From the Backend Protocol list box, select HTTP.
From the Protocol Policy list box, select HTTP1.
Select other options as needed and click Add.
On the Add ECS Service page, click Submit.
In the Service Details tab, information about the Service and Load Balancer you created is displayed. Verify that the Service and Load Balancer configuration details in the Service Details tab are correct.
Test the application to ensure you get the results you expect
You can test your application directly from the Services page using the DNS status card.
Estimated time to complete Step 9 and finish tutorial: 10 minutes.
Before testing your application, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
The NONPROD infrastructure has EKS Enabled.
A Tenant with the name dev01 has been created.
A Host with the name host01 has been created.
A Service with the name demo-service has been created.
An HTTPS Application Load Balancer has been created.
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
Note that if you skipped Step 7 and/or Step 8, the configuration in the Other Settings and DNS cards appears slightly different from the configuration depicted in the screenshot below. These changes do not impact you in testing your application, as these steps are optional. You can proceed to test your app with no visible change in the output of the deployable application.
In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.
From the Name column, select demo-service.
Click the Load Balancers tab. The Application Load Balancer configuration is displayed.
Open a browser instance and Paste the DNS in the URL field of your browser.
Press ENTER. A web page with the text Hello World! is displayed, from the JavaScript program residing in your Docker Container that is running in demo-service, which is exposed to the web by your Load Balancer.
It can take from five to fifteen (5-15) minutes for the DNS Name to become active once you launch your browser instance to test your application.
Congratulations! You have just launched your first web service on DuploCloud!
In this tutorial, your objective was to create a cloud environment to deploy an application for testing purposes, and to understand how the various components of DuploCloud work together.
The application rendered a simple web page with text, coded in JavaScript, from software application code residing in a Docker container. You can use this same procedure to deploy much more complex cloud applications.
In the previous steps, you:
Created a DuploCloud Infrastructure named NONPROD, a Virtual Private Cloud instance, backed by an AKS-enabled Kubernetes cluster.
Created a Tenant named dev01 in Infrastructure NONPROD. While generating the Infrastructure, DuploCloud created a set of templates (Plan) to configure multiple Azure and Kubernetes components needed for your environment.
Created an EC2 host named host01, so that your application has storage resources with which to run.
Created a Service named demo-service to connect the Docker containers and associated images, in which your application code resides, to the DuploCloud Tenant environment.
Created an ALB Load Balancer Listener to expose your application via ports and backend network configurations.
Verified that your web page rendered as expected by testing the DNS Name exposed by the Load Balancer Listener.
In this tutorial, you created many artifacts for testing purposes. When you are ready, clean them up so that another person can run this tutorial from the start, using the same names for Infrastructure and Tenant.
To delete the dev01 tenant follow these instructions and then return to this page. As you learned, the Tenant segregates all work in one isolated environment, so deleting the Tenant that you created cleans up most of your artifacts.
The NONPROD Infrastructure is deleted and you have completed the clean-up of your test environment.
Thanks for completing this tutorial and proceed to the next section to learn more about using DuploCloud with AWS.
Create a Task Definition for your application in AWS ECS
Once you create a Task Definition, you can run it as a Task or as a Service. In this tutorial, we run the Task Definition as a Service.
Estimated time to complete Step 4: 10 minutes.
Before creating an RDS, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
In the DuploCloud Portal's Tenant list box. select Tenant dev01.
Navigate to Cloud Services -> ECS.
In the Task Definition tab, click Add. The Add Task Definition page displays.
In the Name field, enter sample-task-def.
In the Container - 1 section, in the Container Name field, enter sample-task-def-c1. Container names are required for Docker images in AWS ECS.
In the Image field, enter duplocloud/nodejs-hello:latest.
From the vCPU list box, select 0.50 vCPU.
From the Memory list box, select 1 GB.
In the Port Mappings section, in the Port field, enter 3000. Port mappings allow containers to access ports for the host container instance to send or receive traffic.
Click Submit.
Test the application to ensure you get the results you expect
You can test your application directly from the Services page using the DNS status card.
Estimated time to complete Step 6 and finish tutorial: 5 minutes.
Before testing your application, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Cloud Services -> ECS.
Click the Service Details tab. The Application Load Balancer configuration is displayed.
Open a browser instance and Paste the DNS address in the URL field of your browser.
Press ENTER. A web page with the text It works! displays, from the JavaScript program residing in your Docker Container that is running in sample-httpd-app, which is exposed to the web by your Application Load Balancer.
It can take from five to fifteen (5-15) minutes for the Domain Name to become active once you launch your browser instance to test your application.
Congratulations! You have just launched your first web service on DuploCloud!
In this tutorial, your objective was to create a cloud environment to deploy an application for testing purposes, and to understand how the various components of DuploCloud work together.
The application rendered a simple web page with text, coded in JavaScript, from software application code residing in a Docker container. You can use this same procedure to deploy much more complex cloud applications.
In the previous steps, you:
In this tutorial, you created many artifacts for testing purposes. When you are ready, clean them up so that another person can run this tutorial from the start, using the same names for Infrastructure and Tenant.
The NONPROD Infrastructure is deleted and you have completed the clean-up of your test environment.
In the DNS status card on the right side of the Portal, click the Copy Icon ( ) to copy the DNS address displayed to your clipboard.
Finish by deleting the NONPROD Infrastructure. In the DuploCloud Portal, navigate to Administrator -> Infrastructure. Click the Action menu icon () for the NONPROD row and select Delete.
You enabled ECS cluster creation when you created the . In order to create a Service using ECS, you first need to create a that serves as a blueprint for your application.
An exist, both with the name NONPROD.
The NONPROD infrastructure has .
A Tenant with the name .
An exist, both with the name NONPROD.
The NONPROD infrastructure has .
A Tenant with the name .
A named sample-task-def has been created.
The sample-httpd-app) and Load Balancer have been created.
In the DNS Name card, click the Copy Icon ( ) to copy the DNS address to your clipboard.
named NONPROD, a Virtual Private Cloud instance, backed by an AKS-enabled Kubernetes cluster.
named dev01 in Infrastructure NONPROD. While generating the Infrastructure, DuploCloud created a set of templates () to configure multiple Azure and Kubernetes components needed for your environment.
named sample-task-def, used to create a service to run your application.
named sample-httpd-app to connect the Docker containers and associated images, in which your application code resides, to the DuploCloud Tenant environment. In the same step, you c to expose your application via ports and backend network configurations.
as expected by testing the DNS Name exposed by the Load Balancer Listener.
To delete the dev01 tenant and then return to this page. As you learned, the Tenant segregates all work in one isolated environment, so deleting the Tenant that you created cleans up most of your artifacts.
Finish by deleting the NONPROD Infrastructure. In the DuploCloud Portal, navigate to Administrator -> Infrastructure. Click the Action menu icon () for the NONPROD row and select Delete.
Thanks for completing this tutorial and proceed to the next section to learn more about .
Create an EC2 Host in DuploCloud
Before you create your application and service using native Docker, create an EC2 Host for storage in DuploCloud.
Estimated time to complete Step 4: 5 minutes.
Before creating a Host (essentially a Virtual Machine), verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
A Tenant with the name dev01 has been created.
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Cloud Services -> Hosts. The Hosts page displays.
In the EC2 tab, click Add. The Add Hosts page displays.
In the Friendly Name field, enter host01.
From the Instance Type list box, select 2 CPU 4 GB - t3.medium.
Select the Advanced Options checkbox to display advanced configuration fields.
From the Agent Platform list box, select Linux/Docker Native.
From the Image ID list box, select any Docker-Duplo or Ubuntu image.
Click Add. The Host is created, initialized, and started. In a few minutes, when the Status displays Running, the Host is available for use.
Verify that host01 has a Status of Running.
Create a native Docker Service in the DuploCloud Portal
You can use the DuploCloud Portal to create a native Docker service without leaving the DuploCloud interface.
Estimated time to complete Step 5: 10 minutes.
Before creating a Service, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
A Tenant with the name dev01 has been created.
An EC2 Host with the name host01 has been created.
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Docker -> Services.
Click Add. The Add Service Basic Options page displays.
In the Service Name field, enter demo-service-d01.
From the Platform list box, select Linux/Docker Native.
In the Docker Image field, enter duplocloud/nodejs-hello:latest.
From the Docker Networks list box, select Docker Default.
Click Next. The Advanced Options page displays.
Click Create.
On the Add Service Basic Options page, you can also specify optional Environment Variables (EVs) such as database Host, port, and so on. You can also pass Docker credentials using EVs for testing purposes.
Verify that demo-service-d01 has a Current Status of Running.
Create a Load Balancer to expose the native Docker Service
Now that your DuploCloud Service is running, you have a mechanism to expose the containers and images in which your application resides. But because your containers are running inside a private network, you also need a load balancer to listen on the correct ports in order to access the application.
In this step, we add a Load Balancer Listener to complete this network configuration.
Estimated time to complete Step 6: 15 minutes.
Before creating a Service, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Docker -> Services.
Click the Load Balancers tab.
Click the Configure Load Balancer link. The Add Load Balancer Listener pane displays.
From the Select Type list box, select Application LB.
In the Container Port field, enter 3000, the port on which the application running inside the container image (duplocloud/nodejs-hello:latest) is running.
In the External Port field, enter 80.
From the Visibility list box, select Public.
From the Application list box, select Docker Mode.
In the Health Check field, enter /, indicating that you want the Kubernetes Health Check logs written to the root directory.
From the Backend Protocol list box, select HTTP.
Click Add.
When the LB Status card displays Ready, your Load Balancer is running and ready for use.
Once the Service is Running, you can check logs for informational messages by clicking the menu icon ( ) to the left of the running Service Name on the Service page and selecting the Logs option.
An exist, both with the name NONPROD.
A Tenant with the name .
An EC2 Host with the name .
A Service with the name .
Select the Service demo-service-d01 .
If you want to secure the load balancer created, you can follow the steps specified
You can modify the DNS name by clicking Edit in the DNS Name card in the Load Balancers tab. For additional information see .
Test the application to ensure you get the results you expect
You can test your application directly from the Services page using the DNS status card.
Estimated time to complete Step 7 and finish tutorial: 5 minutes.
Before testing your application, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
An Infrastructure and Plan exist, both with the name NONPROD.
A Tenant with the name dev01 has been created.
An EC2 Host with the name host01 has been created.
A Service with the name demo-service-d01 has been created.
A Load Balancer configured to listen on port xxxx has been created.
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Docker -> Services. The Services page displays.
From the Name column, select demo-service-d01.
Click the Load Balancers tab. The Application Load Balancer configuration is displayed.
Open a browser instance and Paste the DNS in the URL field of your browser.
Press ENTER. A web page with the text Hello World! is displayed, from the JavaScript program residing in your Docker Container that is running in demo-service-d01, which is exposed to the web by your Load Balancer.
It can take from five to fifteen (5-15) minutes for the DNS Name to become active once you launch your browser instance to test your application.
Congratulations! You have just launched your first web service on DuploCloud!
In this tutorial, your objective was to create a cloud environment to deploy an application for testing purposes, and to understand how the various components of DuploCloud work together.
The application rendered a simple web page with text, coded in JavaScript, from software application code residing in a Docker container. You can use this same procedure to deploy much more complex cloud applications.
In the previous steps, you:
Created a DuploCloud Infrastructure named NONPROD, a Virtual Private Cloud instance, backed by an AKS-enabled Kubernetes cluster.
Created a Tenant named dev01 in Infrastructure NONPROD. While generating the Infrastructure, DuploCloud created a set of templates (Plan) to configure multiple Azure and Kubernetes components needed for your environment.
Created an EC2 host named host01, so that your application has storage resources with which to run.
Created a Service named demo-service-d01 to connect the Docker containers and associated images, in which your application code resides, to the DuploCloud Tenant environment.
Created an ALB Load Balancer Listener to expose your application via ports and backend network configurations.
Verified that your web page rendered as expected by testing the DNS Name exposed by the Load Balancer Listener.
In this tutorial, you created many artifacts for testing purposes. When you are ready, clean them up so that another person can run this tutorial from the start, using the same names for Infrastructure and Tenant.
To delete the dev01 tenant follow these instructions and then return to this page. As you learned, the Tenant segregates all work in one isolated environment, so deleting the Tenant that you created cleans up most of your artifacts.
The NONPROD Infrastructure is deleted and you have completed the clean-up of your test environment.
Thanks for completing this tutorial and proceed to the next section to learn more about using DuploCloud with AWS.
Use Cases supported for DuploCloud AWS
This section details common use cases for DuploCloud AWS.
Topics in this section are covered in the order of typical usage. Use cases that are foundational to DuploCloud such as Infrastructure, Tenant, and Hosts are listed at the beginning of this section; while supporting use cases such as Cost management for billing, JIT Access, Resource Quotas, and Custom Resource tags appear near the end.
How Infrastructures and Plans work together to create a VPC
Infrastructures are abstractions that allow you to create a Virtual Private Cloud (VPC) instance in the DuploCloud Portal. When you create an Infrastructure, a Plan is automatically generated to supply the network configuration necessary for your Infrastructure to run.
You can customize your EKS configuration:
When you create a DuploCloud Infrastructure, you create an isolated environment that maps to a Kubernetes cluster.
Create a DuploCloud Infrastructure in the DuploCloud Portal:
Select Administrator -> Infrastructure from the navigation menu.
Click Add.
Define the Infrastructure by completing the fields on the Add Infrastructure form.
Select Enable EKS to enable EKS for the Infrastructure, or select Enable ECS Cluster to enable an ECS Cluster during Infrastructure creation.
Click Create. The Infrastructure is created and is listed on the Infrastructure page.
When you create the Infrastructure, DuploCloud creates the following components:
VPC with 2 subnets (private, public) in each availability zone
Required security groups
NAT Gateway
Internet Gateway
Route tables
Cloud providers limit the number of Infrastructures that can run in each region. Refer to your cloud provider for further guidelines on the number of Infrastructures you can create.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
From the Name column, select the Infrastructure containing settings that you want to view.
Click the Settings tab. The Infrastructure settings display.
Up to one instance (0 or 1) of an EKS or ECS is supported for each DuploCloud Infrastructure.
In the DNS status card on the right side of the Portal, click the Copy Icon ( ) to copy the DNS address displayed to your clipboard.
Finish by deleting the NONPROD Infrastructure. In the DuploCloud Portal, navigate to Administrator -> Infrastructure. Click the Action menu icon () for the NONPROD row and select Delete.
and
and
and
link
DuploCloud automatically deploys across availability zones (AZs) for all Infrastructures that you create with DuploCloud.
.
Enable EKS endpoints, logs, Cluster Autoscaler, and more. See the topics for information about configuration options.
You can customize your ECS configuration. See the topic for information about configuration options.
Optionally, select Advanced Options to specify additional configurations (such as ).
with the master VPC, which is initially configured in DuploCloud
Once the Infrastructure is created, DuploCloud automatically creates a (with the same Infrastructure name) with the Infrastructure configuration. The Plan is used to create .
Enable Elastic Kubernetes Service (EKS) for AWS by creating a DuploCloud Infrastructure
In the DuploCloud platform, a Kubernetes Cluster maps to a DuploCloud Infrastructure.
Start by creating a new Infrastructure in DuploCloud. When prompted to provide details for the new Infrastructure, select Enable EKS. In the EKS Version field, select the desired release.
Optionally, enable logging and custom EKS endpoints.
The worker nodes and remaining workload setup are described in the Tenant topic.
Up to one instance (0 or 1) of an EKS is supported for each DuploCloud Infrastructure.
Creating an Infrastructure with EKS can take some time. See the Infrastructure section for details about other elements on the Add Infrastructure form.
When the Infrastructure is in the ready state, as indicated by a Status of Complete, select the Name of the Infrastructure page to view the Kubernetes configuration details, including the token and configuration for kubectl
.
When you create Tenants in an Infrastructure, a namespace is created in the Kubernetes cluster with the name duploservices-TENANT_NAME
Specify EKS endpoints for an Infrastructure
AWS SDKs and the AWS Command Line Interface (AWS CLI) automatically use the default public endpoint for each service in an AWS Region. However, when you create an Infrastructure in DuploCloud, you can specify a custom Private endpoint, a custom Public endpoint, or Both public and private custom endpoints. If you specify no endpoints, the default Public endpoint is used.
For more information about AWS Endpoints, see the AWS documentation.
Follow the steps in the section Creating an Infrastructure. Before clicking Create, specify EKS Endpoint Visibility.
From the EKS Endpoint Visibility list box, select Public, Private, or Both public and private. If you select private or Both public and private, the Allow VPN Access to the EKS Cluster option is enabled.
Click Advanced Options.
Using the Private Subnet CIDR and Public Subnet CIDR fields, specify CIDRs for alternate public and private endpoints.
Click Create.
If you want to enable private visibility after you have previously created an Infrastructure with only public visibility, follow these steps to enable private visibility and VPN access.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
From the Name column, select the Infrastructure.
Click the Settings tab.
From the Setting Name list box, select Enable VPN Access to EKS Cluster.
Select Enable to enable VPN.
Click Set. When you create an Infrastructure, the Allow VPN Access to the EKS Cluster option will be enabled.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
From the Name column, select the Infrastructure containing settings that you want to view.
Click the Settings tab. The Infrastructure settings display.
Modifying endpoints can incur an outage of up to thirty (30) minutes in your EKS cluster. Plan your update accordingly to minimize disruption for your users.
To modify the visibility for EKS endpoints you have already created:
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
From the Name column, select the Infrastructure for which you want to modify EKS endpoints.
Click the Settings tab.
From the Setting Value list box, select the desired type of visibility for endpoints (private, public, or both).
Click Set.
In the EKS Endpoint Visibility row, in the Actions column, click the ( ) icon and select Update Setting. The Infra - Set Custom Data pane displays.
In the EKS Endpoint Visibility row, in the Actions column, click the ( ) icon and select Update Setting. The Infra - Set Custom Data pane displays.
Enable autoscaler for the K8 cluster
The Cluster AutoScaler automatically adjusts the number of nodes in your cluster when Pods fail or are rescheduled onto other nodes.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
Select the Infrastructure with which you want to use Cluster AutoScaler.
Click the Settings tab.
Click Add. The Add Infra - Set Custom Data pane displays.
From the Setting Name list box, select Cluster Autoscaler.
Select Enable to enable EKS.
Click Set. Your configuration is displayed in the Settings tab.
Enable logging functionality for EKS
Follow the steps in the section Creating an Infrastructure. Before clicking Create, select the EKS Logging list box and select one or more ControlPlane Log types.
Enable EKS logging for an Infrastructure that you have created.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
From the Name column, select the Infrastructure for which you want to enable EKS logging.
Click the Settings tab.
Click Add. The Infra - Set Custom Data pane displays.
From the Setting Name list box, select EKS ControlPlane Logs.
In the Setting Value field, enter: api;audit;authenticator;controllerManager;scheduler
Click Set. The EKS ControlPlane Logs setting is displayed in the Settings tab.
Using Tenants in DuploCloud
For information about granting Cross-Tenant access to resources, see this section in the User Administration section.
In AWS, cloud features such as AWS resource groups, AWS IAM, AWS security groups, KMS keys, as well as Kubernetes Namespaces, are exposed in Tenants which reference their configurations.
When you create Tenants in an Infrastructure, a namespace is created in the Kubernetes cluster with the name duploservices-TENANT_NAME.
Each Tenant is mapped to a Namespace in Kubernetes. For example, if a Tenant is called Analytics in DuploCloud, the Kubernetes Namespace is called duploservices-analytics
.
All application components within the Analytics Tenant are placed in the duploservices-analytics
namespace. Since nodes cannot be part of a Kubernetes Namespace, DuploCloud creates a tenantname
label for all the nodes that are launched within the Tenant. For example, a node launched in the Analytics Tenant is labeledtenantname: duploservices-analytics
.
Any Pods that are launched using the DuploCloud UI have an appropriate Kubernetes nodeSelector
that ties the Pod to the nodes within the Tenant. If you are deploying via kubectl,
ensure that your deployment is using the proper nodeSelector
.
At the logical level, the Tenant is:
A Container of resources: All resources (except ones corresponding to the Infrastructure) are created within the Tenant. If a tenant is deleted, all the resources in the Tenant are terminated.
A Security Boundary: All resources within a Tenant can talk to each other. For example, a Docker container deployed in an EKS instance within the tenant will have access to S# storage and RDS databases within the same tenant. RDS database instances in another tenant cannot be reached, for example, by default. Tenants expose endpoints to each other using load balancers or explicit inter-Tenant security groups and identity management policies.
User Access Control: Self-service is the bedrock of the DuploCloud platform. To that end, users can be granted Tenant level access. For example, John and Jim are developers who can be granted access to the DEV01 tenant, Joe is an administrator who has access to all tenants, and Anna is a data scientist who has access only to the DATASCI tenant.
A Billing Unit: Because the Tenant is a container of resources, all resources in the Tenant are tagged with the Tenant's name in the cloud provider, making it easy to segregate usage by Tenant.
A mechanism for alerting: All alerts represent Faults in any resource within the Tenants.
A mechanism for logging: Each Tenant has its unique set of logs.
A mechanism for metrics: Each Tenant has its unique set of metrics.
Many DuploCloud customers create at least two Tenants for both their production and non-production cloud environments (Infrastructures).
You can map Tenants in each or all of your development, testing, staging, Quality Assurance (QA), and production environments.
For example:
Production Infrastructure
Pre-production Tenant - for preparing or reviewing production code
Production Tenant - for deploying tested code
Non-production Infrastructure
Development Tenant - for writing and reviewing code
Quality Assurance Tenant - for automated testing
In larger organizations, some customers create Tenants based on application environments, such as creating a tenant for Data Science applications, another for web applications, etc.
Tenants are sometimes created to isolate a single customer workload, allowing more granular monitoring of performance, the flexibility of scaling, or tighter security. This is referred to as a single-Tenant setup. In this case, a DuploCloud Tenant maps to an environment used exclusively by the end client.
When you have a large set of applications that different teams access, it is helpful to map Tenants to team workloads. For example, you could create Tenants for Dev-analytics, Stage-analytics, and so on.
While Infrastructure provides abstraction and isolation at the Virtual Private Cloud (VPC) and Kubernetes level, the Tenant supplies the next level of isolation implemented in EKS by segregating Tenants using the following construct per Tenant
A set of security groups
An identity management role and profile
A Kubernetes Namespace, a read-only service account, and a write service account
KMS Key
PEM file
EKS Worker nodes or virtual machines (VMs) created within a Tenant are given a label with the Tenant Name, as are the node selectors and namespaces. Consequently, even at the worker node level, two tenants achieve complete isolation and independence, even though they may be sharing the same Kubernetes cluster by a shared Infrastructure.
To add a Tenant, navigate to Administrator -> Tenant in the DuploCloud Portal and click Add.
Each Tenant is mapped to a Namespace in Kubernetes. For example, if a Tenant is called Analytics in DuploCloud, the Kubernetes Namespace is called duploservices-analytics
.
All application components within the Analytics Tenant are placed in the duploservices-analytics
namespace. Since nodes cannot be part of a Kubernetes Namespace, DuploCloud creates a tenantname
label for all the nodes that are launched within the Tenant. For example, a node launched in the Analytics Tenant is labeledtenantname: duploservices-analytics
.
Any Pods that are launched using the DuploCloud UI have an appropriate Kubernetes nodeSelector
that ties the Pod to the nodes within the Tenant. If you are deploying via kubectl,
ensure that your deployment is using the proper nodeSelector
.
Enable ECS Elasticsearch logging for containers at the Tenant level
To generate logs for AWS ECS clusters, you must first create an Elasticsearch logging container. Once auditing is enabled, your container logging data can be captured for analysis.
Define at least one service and container.
Enable the Audit feature.
In the DuploCloud Portal, navigate to Administrator -> Tenant. The Tenant page displays.
From the Name column, select the Tenant that is running the container for which you want to enable logging.
Click the Settings tab.
Click Add. The Add Tenant Feature pane displays.
From the Select Feature list box, select Other. The Configuration field displays.
In the Configuration field, enter Enable ECS ElasticSearch Logging.
In the field below the Configuration field, enter True.
Click Add. In the Settings tab, Enable ECS ElasticSearch Logging displays a Value of True.
You can verify that ECS logging is enabled for a specific container.
In the DuploCloud Portal, navigate to Cloud Services -> ECS.
In the Task Definitions tab, select the Task Definition Family Name in which your container is defined.
Click the Task Definitions tab.
In the Container - 1 area, in the Container Other Config field, your LogConfiguration
is displayed.
In the Container-2 area, another container is created by DuploCloud with the name log_router
.
Enable Elastic Container Service (ECS) for AWS when creating a DuploCloud Infrastructure
Up to one instance (0 or 1) of an ECS is supported for each DuploCloud Infrastructure.
Menu icon ( ) in the row of the task definition and select Edit Task Definition. The Edit Task Definition page displays your defined Containers.
Setting up an Infrastructure that uses ECS is similar to creating an , except that during creation, instead of selecting Enable EKS, you select Enable ECS Cluster.
For information about ECS Services, see the documentation.
Creating an Infrastructure with ECS can take some time. See the section for details about other elements on the Add Infrastructure form.
Upgrade the Elastic Kubernetes Service (EKS) version for AWS
AWS frequently updates the EKS version based on new features that are available in the Kubernetes platform. DuploCloud automates this upgrade in the DuploCloud Portal.
IMPORTANT: An EKS version upgrade can cause downtime to your application depending on the number of replicas you have configured for your services. Schedule this upgrade outside of your business hours to minimize disruption.
DuploCloud notifies users when an upgrade is planned. The upgrade process follows these steps:
A new EKS version is released.
DuploCloud adds support for the new EKS version.
DuploCloud tests all changes and new features thoroughly.
DuploCloud rolls out support for the new EKS version in a platform release.
The user updates the EKS version.
Updating the EKS version:
Updates the EKS Control Plane to the latest version.
Updates all add-ons and components.
Relaunches all Hosts to deploy the latest version on all nodes.
After the upgrade process completes successfully, you can assign allocation tags to Hosts.
Click Administrator -> Infrastructure.
Select the Infrastructure that you want to upgrade to the latest EKS version.
Select the EKS tab. If an upgrade is available for the Infrastructure, an Upgrade link appears in the Value column.
Click the Upgrade link. The Upgrade EKS Cluster pane displays.
From the Target Version list box, select the version to which you want to upgrade.
From the Host Upgrade Action, select the method by which you want to upgrade hosts.
Click Start. The upgrade process begins.
Click Administrator -> Infrastructure.
Select the Infrastructure with components you want to upgrade.
Select the EKS tab. If an upgrade is available for the Infrastructure components, an Upgrade Components link appears in the Value column.
Click the Upgrade link. The Upgrade EKS Cluster Components pane displays.
From the Host Upgrade Action, select the method by which you want to upgrade hosts.
Click Start. The upgrade process begins.
The EKS Upgrade Details page displays that the upgrade is In Progress.
Find more details about the upgrade by selecting your Infrastructure from the Infrastructure page. Click the EKS tab, and then click Show Details.
When you click Show Details, the EKS Upgrade Details page displays the progress of updates for all versions and Hosts. Green checkmarks indicate successful completion in the Status list. Red Xs indicate Actions you must take to complete the upgrade process.
If any of your Hosts use allocation tags, you must assign allocation tags to the Hosts:
After your Hosts are online and available, navigate to Cloud Services -> Hosts.
Select the host group tab (EC2, ASG, etc.) on the Hosts screen.
Click the Add button.
Name the Host and provide other configuration details on the Add Host form.
Select Advanced Options.
Edit the Allocation Tag field.
Click Create and define your allocation tags.
Click Add to assign the allocation tags to the Host.
For additional information about the EKS version upgrade process with DuploCloud, see the AWS FAQs section on EKS version upgrades.
Adding EC2 hosts in DuploCloud AWS
Once you have the Infrastructure (Networking, Kubernetes cluster, and other common configurations) and an environment (Tenant) set up, the next step is to launch EC2 virtual machines (VMs). You create VMs to be:
EKS Worker Nodes
Worker Nodes (Docker Host), if the built-in container orchestration is used.
DuploCloud AWS requires at least one Host (VM) to be defined per AWS account.
You also create VMs if Regular nodes are not part of any container orchestration; for example, where a user manually connects and installs apps, as when using Microsoft SQL Server in a VM, Running an IIS application, and such custom use cases.
While all the lower-level details like IAM roles, Security groups, and others are abstracted away from the user (as they are derived from the Tenant), standard application-centric inputs are required to be provided. This includes a Name, Instance size, Availability Zone choice, Disk size, Image ID, etc. Most of these are optional, some are published as a list of user-friendly choices by the admin in the plan (Image or AMI ID is one such example). Other than these AWS centric parameter there is two DuploCloud platform-specific value to be provided:
Agent Platform: This is applicable if the VM is going to be used as a host for container orchestration by the platform. The choices are:
EKS Linux: If this is to be added to the EKS cluster i.e. EKS is the chosen approach for container orchestration
Linux Docker: If this is to be used for hosting Linux containers using the Builtin Container orchestration
Docker Windows: If this is to be used for hosting Windows containers using the Builtin Container orchestration
None: If the VM is going to be used for non-Container Orchestration purposes and contents inside the VM will be self-managed by the user
Allocation Tags (Optional): If the VM is being used for containers, then you have the option to set a label on the VM. This label can be then specified during docker app deployment to ensure that the application containers are pinned to a specific set of nodes. Thus you get the ability to split a tenant further into separate pools of servers and deploy applications on them.
If a VM is being used for container orchestration make sure that the Image ID corresponds to an Image for that container orchestration. This should be already set up for you and the list box will have self-descriptive Image IDs for example "EKS Worker", "Duplo-Docker", "Windows Docker" etc. Anything that starts with Duplo would be an image for the Built-in container orchestration
Securely access AWS Services using VPC endpoints
An AWS VPC endpoint creates a private connection to supported AWS services and VPC endpoint services powered by AWS PrivateLink. Amazon VPC instances do not require public IP addresses to communicate with the resources of the service. Traffic between an Amazon VPC and a service does not leave the Amazon network.
VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available Amazon VPC components that allow communication between instances in an Amazon VPC and services without imposing availability risks or bandwidth constraints on network traffic. There are two types of VPC endpoints, Interface Endpoints, and Gateway Endpoints.
DuploCloud allows you to specify predefined AWS endpoints for your Infrastructure in the DuploCloud Portal.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
Select the Infrastructure to which you want to add VPC endpoints.
Click the Endpoints tab.
Click Add. The Infra - Create VPC Endpoints pane displays.
From the VPC Endpoint Service list box, select the endpoint service you want to add.
Click Create. In the Endpoints tab, the VPC Endpoint ID of your selected service displays.
Add rules to custom configure your AWS Security Groups in the DuploCloud Portal
In the DuploCloud Portal, navigate to Administrator -> Infrastructure. The Infrastructure page displays.
Select the Infrastructure for which you want to add or view Security Group rules from the Name column.
Click the Security Group Rules tab.
Click Add. The Add Infrastructure Security pane displays.
From the Source Type list box, select Tenant or IP Address.
From the Tenant list box, select the Tenant for which you want to set up the Security Rule.
Select the protocol from the Protocol list box.
In the Port Range field, specify the range of ports for access (for example, 1-65535).
Optionally, add a Description of the rule you are adding.
Click Add.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Select the Infrastructure from the Name column.
Click the Security Group Rules tab. Security Rules are displayed.
In the DuploCloud Portal, navigate to Administrator -> Infrastructure.
Select the Infrastructure from the Name column.
Click the Security Group Rules tab. Security Rules are displayed in rows.
In the first column of the Security Group row, click the Options Menu Icon ( ) and select Delete.
Manage Tenant expiry settings in the DuploCloud Portal
In the DuploCloud Portal, configure an expiration time for a Tenant. At the set expiration time, the Tenant and associated resources are deleted.
In the DuploCloud Portal, navigate to Administrator -> Tenants. The Tenants page displays.
From the Name column, select the Tenant for which you want to configure an expiration time.
From the Actions list box, select Set Tenant Expiration. The Tenant - Set Tenant Expiration pane displays.
Select the date and time (using your local time zone) when you want the Tenant to expire.
Click Set. At the configured day and time, the Tenant and associated resources will be deleted.
The Set Tenant Expiration option is not available for Default or Compliance Tenants.
Deploy Hosts in one Tenant that can be accessed by Kubernetes (K8s) Pods in a separate Tenant.
You can enable shared Hosts in the DuploCloud Portal. First, configure one Tenant to allow K8s Pods from other Tenants to run on its Host(s). Then, configure another Tenant to run its K8s Pods on Hosts in other Tenants. This allows you to break Tenant boundaries for greater flexibility.
In the DuploCloud Portal, navigate to Administrator -> Tenant.
From the Tenant list, select the name of the Tenant to which the Host is defined.
Click the Settings tab.
Click Add. The Add Tenant Feature pane displays.
From the Select Feature item list, select Allow hosts to run K8S pods from other tenants.
Select Enable.
Click Add. This Tenant's hosts can now run Pods from other Tenants.
In the DuploCloud Portal, navigate to Administrator -> Tenant.
From the Tenant list, select the name of the Tenant that will access the other Tenant's Host (the Tenant not associated with a Host).
Click the Settings tab.
Click Add. The Add Tenant Feature pane displays.
From the Select Feature item list, select Enable option to run K8S pods on any host.
Select Enable.
Click Add. This Tenant can now run Pods on other Tenant's Hosts.
From the Tenant list box at the top of the DuploCloud Portal, select the name of the Tenant that will run K8s Pods on the shared Host.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
In the Services tab, click Add. The Add Service window displays.
Fill in the Service Name, Cloud, Platform, and Docker Image fields. Click Next.
In the Advanced Options window, from the Run on Any Host item list, select Yes.
Click Create. A Service running the shared Host is created.
Connect an EC2 instance with SSH by Session ID or by downloading a key
Once an EC2 Instance is created, you connect it with SSH either by using Session ID or by downloading a key.
In the DuploCloud Portal, navigate to Cloud Services -> Hosts and select the host to which you want to connect.
After you select the Host, on the Host's page click the Actions menu and select SSH. A new browser tab opens and you can connect your Host using SSH with by session ID. Connection to the host launches in a new browser tab.
After you select the Host, on the Host's page click the Actions menu and select Connect -> Connection Details. The Connection Info for Host window opens. Follow the instructions to connect to the server.
Click Download Key.
If you don't want to display the Download Key button, disable the button's visibility.
In the DuploCloud Portal, navigate to Administrator -> System Settings.
Click the System Config tab.
Click Add. The Add Config pane displays.
From the Config Type list box, select Flags.
From the Key list box, select Disable SSH Key Download.
From the Value list box, select true.
Click Submit.
Add a Host (virtual machine) in the DuploCloud Portal.
DuploCloud AWS supports EC2, ASG, and BYOH (Bring Your Own Host) types. Use BYOH for any VMs that are not EC2 or ASG.
Ensure you have selected the appropriate Tenant from the Tenant list box at the top of the DuploCloud Portal.
In the DuploCloud Portal, navigate to Cloud Services -> Hosts.
Click the tab that corresponds to the type of Host you want to create (EC2, ASG, or BYOH).
Click Add. The Host that you added is displayed in the appropriate tab (EC2, ASG, or BYOH).
To connect to the Host using SSH, follow this procedure.
The EKS Image ID is the image published by AWS specifically for an EKS worker in the version of Kubernetes deployed at Infrastructure creation time.
If no Image ID is available with a prefix of EKS, copy the AMI ID for the desired EKS version by referring to this AWS documentation. Select Other from the Image ID list box and paste the copied AMI ID in the Other Image ID field. Contact the DuploCloud Support team via your Slack channel if you have questions or issues.
See Kubernetes StorageClass and PVC.
From the DuploCloud Portal, navigate to Cloud Services -> Hosts.
Select the Host name from the list.
From the Actions list box, you can select Connect, Host Settings, or Host State to perform the following supported actions:
If you add custom code for EC2 or ASG Hosts using the Base64 Data field, your custom code overrides the code needed to start the EC2 or ASG Hosts and the Hosts cannot connect to EKS. Instead, use this procedure to add custom code directly in EKS.
Control placement of EC2 instances on a physical server with a Dedicated Host
Use Dedicated Hosts to launch Amazon EC2 instances and provide additional visibility and control over how EC2 instances are placed on a physical server; enabling you to use the same physical server, if needed.
Configure the DuploCloud Portal to allow for the creation of Dedicated Hosts.
In the DuploCloud Portal, navigate to Administrator -> System Settings.
Click the System Config tab.
Click Add. The Add Config pane displays.
In the Config Type field, select Flags.
In the Key field, select Allow Dedicated Host Sharing.
In the Value field, select true.
Click Submit. The configuration is displayed in the System Config tab.
In the DuploCloud Portal, navigate to Cloud Services -> Hosts.
In the EC2 tab, click Add. The Add Host page displays.
After completing the required fields to configure your Host, select Advanced Options. The advanced options display.
In the Dedicated Host ID field, enter the ID of the Dedicated Host. The ID is used to launch a specific instance on a Dedicated Host. See the screenshot below for an example.
Click Add. The Dedicated Host is displayed in the EC2 tab.
After you create Dedicated Hosts, view them by doing the following:
In the DuploCloud Portal, navigate to Cloud Services -> Hosts.
In the EC2 tab, select the Host from the Name column. The Dedicated Host ID card on the Host page displays the ID of the Dedicated Host.
SSH
Establish an SSH connection to work directly in the AWS Console.
Connection Details
View connection details (connection type, address, user name, visibility) and download the key.
Host Details
View Host details in the Host Details YAML screen.
Create AMI
Set the AMI.
Create Snapshot
Create a snapshot of the Host at a specific point.
Update User Data
Update the Host user data.
Change Instance Size
Resize a Host instance to accommodate the workload.
Update Auto Reboot Status Check
Enable or disable Auto Reboot. Set the number of minutes after the AWS Instance Status Check fails before automatically rebooting.
Start
Start the Host.
Reboot
Reboot the Host.
Stop
Stop the Host.
Hibernate
Hibernate (temporarily freeze) the Host.
Terminate Host
Terminate the Host.
Create Autoscaling groups to scale EC2 instances to your workload
Configure Autoscaling Groups (ASG) to ensure the application load is scaled based on the number of EC2 instances configured. Autoscaling detects unhealthy instances and launches new EC2 instances. ASG is also cost-effective as EC2 Instances are dynamically created per the application requirement within minimum and maximum count limits.
The Use for Cluster Autoscaling option will not be available until you enable the Cluster Autoscaler option in your Infrastructure.
In the DuploCloud Portal, navigate to Cloud Services -> Hosts.
In the ASG tab, click Add. The Add ASG page is displayed.
In the Friendly Name field, enter the name of the ASG.
Select Availability Zone and Instance Type.
In the Instance Count field, enter the desired capacity for the Autoscaling group.
In the Minimum Instances field, enter the minimum number of instances. The Autoscaling group ensures that the total number of instances is always greater than or equal to the minimum number of instances.
In the Maximum Instances field, enter the maximum number of instances. The Autoscaling group ensures that the total number of instances is always less than or equal to the maximum number of instances.
Select Use for Cluster Autoscaling.
Select Advanced Options.
Select the appropriate Image ID.
From the Agent Platform list box, select Linux Docker/Native to run a Docker service or select EKS Linux to run services using EKS. Fill in additional fields as needed for your ASG.
Optionally, enable Spot Instances.
Optionally, for EKS only, enable Scale from zero.
Click Add. Your ASG is added and displayed in the ASG tab.
View the Hosts created as part of ASG creation from the ASG Hosts tab.
Refer to AWS Documentation for detailed steps on creating Scaling policies for the Autoscaling Group.
The DuploCloud Portal provides the ability to configure Services based on the platforms EKS Linux and Linux Docker/Native. Select the ASG based on the platform used when creating services and Autoscaling groups. Optionally, if you previously enabled Spot Instances in the ASG, you can configure the Service to use Spot Instances by selecting Tolerate spot instances.
Scale to or from zero when creating Autoscaling Groups in DuploCloud
Scaling to or from zero with AWS Autoscaling Groups (ASG) offers several advantages depending on the context and requirements of your application:
Cost Savings: By scaling down to zero instances during periods of low demand, you minimize costs associated with running and maintaining instances. This pay-as-you-go model ensures you only pay for resources when they are actively being used.
Resource Efficiency: Scaling to zero ensures that resources are not wasted during periods of low demand. By terminating instances when they are not needed, you optimize resource utilization and prevent over-provisioning, leading to improved efficiency and reduced infrastructure costs.
Flexibility: Scaling to zero provides the flexibility to dynamically adjust your infrastructure in response to changes in workload. It allows you to efficiently allocate resources based on demand, ensuring that your application can scale up or down seamlessly to meet varying levels of traffic.
Simplified Management: With automatic scaling to zero, you can streamline management tasks associated with provisioning and de-provisioning instances. The ASG handles scaling operations automatically, reducing the need for manual intervention and simplifying infrastructure management.
Rapid Response to Increased Demand: Scaling from zero allows your infrastructure to quickly respond to spikes in traffic or sudden increases in workload. By automatically launching instances as needed, you ensure that your application can handle surges in demand without experiencing performance degradation or downtime.
Improved Availability: Scaling from zero helps maintain optimal availability and performance for your application by ensuring that sufficient resources are available to handle incoming requests. This proactive approach to scaling helps prevent resource constraints and ensures a consistent user experience even during peak usage periods.
Enhanced Scalability: Scaling from zero enables your infrastructure to scale out horizontally, adding additional instances as demand grows. This horizontal scalability allows you to seamlessly handle increases in workload and accommodate a growing user base without experiencing bottlenecks or performance issues.
Elasticity: Scaling from zero provides elasticity to your infrastructure, allowing it to expand and contract based on demand. This elasticity ensures that you can efficiently allocate resources to match changing workload patterns, resulting in optimal resource utilization and cost efficiency.
Create Autoscaling Groups (ASG) with Spot Instances in the DuploCloud platform
DuploCloud allows you to scale to or from zero in EKS clusters by enabling the Scale from zero option in the Advanced Options when creating an .
are spare capacity priced at a significant discount compared to On-Demand Instances. Users specify the maximum price (bid) they will pay per hour for a Spot Instance. The instance is launched if the current Spot price is below the user's bid. Since Spot Instances can be interrupted when spare capacity is unavailable, applications using Spot Instances must be fault-tolerant and able to handle interruptions.
Follow the steps in the section . Before clicking Add, Click the box to access Advanced Options. Enable Use Spot Instances and enter your bid, in dollars, in the Maximum Spot Price field.
Follow the steps in . In the Add Service page, Basic Options, Select Tolerate spot instances.
Today, technology organizations typically have people with two distinct skill sets: Software Engineers and DevOps Engineers. Further, some may have DevOps and compliance functions managed within the same or separate teams. In startups and smaller companies, there may just be the same engineers wearing all three hats.
Software engineers come up with the high level application architecture. The business provides compliance requirements. These two are passed on to the DevOps team who use their subject matter expertise to realize what needs to be done for the cloud infrastructure. There are other elements of operations in scope, such as CI/CD and diagnostics that include central logging, monitoring and alerting.
ECS Autoscaling has the ability to scale the desired count of tasks for the ECS Service configured in your infrastructure. Average CPU/Memory metrics of your tasks are used to increase/decrease the desired count value.
Navigate to Cloud Services -> ECS. Select the ECS Task Definition where Autoscaling needs to be enabled > Add Scaling Target
Set the MinCapacity (minimum value 2) and MaxCapacity to complete the configuration.
Once Autoscaling for Targets is configured, Next we have to add Scaling Policy
Provide details below:
Policy Name - The name of the scaling policy.
Policy Dimension - The metric type tracked by the target tracking scaling policy.. Select from the dropdown
Target Value - The target value for the metric.
Scalein Cooldown - The amount of time, in seconds, after a scale in activity completes before another scale in activity can start.
ScaleOut Cooldown -The amount of time, in seconds, after a scale out activity completes before another scale out activity can start.
Disable ScaleIn - Disabling scale-in makes sure this target tracking scaling policy will never be used to scale in the Autoscaling group
This step creates the target tracking scaling policy and attaches it to the Autoscaling group
View the Scaling Target and Policy Details from the DuploCloud Portal. Update and Delete Operations are also supported from this view
Setting, mounting, and managing Kubernetes ConfigMaps and Kubernetes Secrets in DuploCloud environments.
In DuploCloud environments, you can pass configurations and Kubernetes Secrets using Kubernetes ConfigMaps or through various strategies tailored to enhance security and management efficiency:
Setting Kubernetes Secrets directly in DuploCloud: This involves creating secrets under Kubernetes > Secrets in the DuploCloud console. These secrets are then available in the Kubernetes environment and can be utilized as either files or environment variables. This method is straightforward, incurs no additional cost, and allows for the visibility of both secret keys and values within the DuploCloud console. For detailed instructions, see Setting Kubernetes Secrets in DuploCloud.
Settings Environment Variables (EVs) from a K8s ConfigMap or Secret: This traditional method continues to be supported, offering a familiar approach to those accustomed to Kubernetes' native secrets management.
Mounting ConfigMaps and Secrets as files: This method provides a seamless way to integrate configuration data directly into your application's file system.
Additionally, DuploCloud supports advanced secrets management strategies, including:
Using AWS as the Source of Truth: By creating secrets in AWS Secrets Manager or Parameter Store and integrating them into Kubernetes secrets with SecretProviderClass, you benefit from advanced features like automatic rotation. This method displays only the secret keys in the DuploCloud console and involves a more complex setup but is ideal for centralizing secrets management across DuploCloud and non-DuploCloud resources. For more on this setup, visit Adding SecretProviderClass Custom Resource in DuploCloud.
Application Directly Reads Secrets from AWS: This approach allows the application code to directly fetch secrets from AWS Secret Manager or Parameter Store, managed via IAM roles facilitated by DuploCloud. It provides an added layer of protection and is particularly beneficial for development environments, though it requires modifications to the application code. Implementation guidance can be found in AWS SDK for PHP - Managing Secrets.
By leveraging these strategies, DuploCloud offers flexible and secure options for managing Kubernetes ConfigMaps and Secrets, catering to a variety of operational needs and security requirements.
Set up KubeCtl within the DuploCloud Portal by downloading the token
DuploCloud provides a way to connect directly to the Cluster namespace using the kubectl
token.
If you attempt to start a KubeCtl Shell instance and receive a 503 in your web browser, ensure that the duplo-shell service in the Default Tenant is running and that the Hosts which support it are running, as well.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
From the KubeCtl list box, select KubeCtl Token. The Token window displays. Copy the contents to your clipboard.
Mounting application configuration maps and secrets as files
In Kubernetes, you can mount application configurations or secrets as files.
Before you create and mount the Kubernetes ConfigMap, you must create a DuploCloud Service.
In the DuploCloud Portal, navigate to Kubernetes -> Config Maps.
Click Add. The Add Kubernetes Config Map pane displays.
Name the ConfigMap you want to create, such as my-config-map.
Add a Data key/value pair for each file in your config map, separated by a colon (:
). The key is the file name, and the value is the file's contents.
Click Create.
In the DuploCloud Portal, navigate to Kubernetes -> Services.
Select the service you want to modify from the Name column.
Click the Actions menu and select Edit.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Volumes field, enter the configuration YAML to mount the ConfigMap as a volume.
For example, to mount a config map named my-config-map
to a directory named /app/my-config
, enter the following YAML code block in the Volumes field:
If you want to select individual ConfigMap items, specifying the subpath for mounting, you can use a different configuration. For example, if you want the key named my-file-name
to be mounted to /app/my-config/config-file
, use the following YAML:
Before you create and mount a Kubernetes Secret, you must create a DuploCloud Service.
In the DuploCloud Portal, navigate to Kubernetes -> Secrets.
Click Add. The Add Kubernetes Secret pane displays.
Enter the Secret Name that you want to create, such as my-secret-files.
Add Secret Details such as a data key/value pair for each file in your secret. The key is the file name, and the value is the file's contents, separated by a colon (:
).
Click Add to create the secret.
Follow the steps in Creating a Kubernetes Secret, defining a Key value using the PRIVATE_KEY_FILENAME
in the Secret Details field, as shown below.
Click Add to create the multi-line secret.
In the DuploCloud Portal, edit the DuploCloud Service.
On the Edit Service: service_name Basic Options page, click Next to navigate to the Advanced Options page.
On the Advanced Options page, in the Volumes field, enter the configuration YAML to mount the Secret as a volume.
For example, to mount a Secret named my-secret-files
to a directory named /app/my-config
, enter the following YAML code block in the Volumes field:
If you want to select individual Secret items, specifying the subpath for mounting, you can use a different configuration. For example, if you want the key named secret-file
to be mounted to /app/my-config/config-file
, use the following YAML:
DuploCloud Portal provides the ability to create Custom Resource SecretProvider
Class.
This capability allows Kubernetes to mount secrets stored in external secrets stores into the pods as volumes. After the volumes are attached, the data is mounted into the container’s file system.
As a pre-requisite, Administrator needs to set the Infrastructure setting for Enable Secrets CSI Driver
as True
. This setting is available by navigating to Administrator -> Infrastructure, selecting your Infrastructure, and clicking Settings).
Navigate to Kubernetes -> Sec. Provider Class.
You can map the AWS Secrets
and SSM Parameters
configured in DuploCloud Portal (Cloud Services -> App Integration) under the Parameters section of the configuration.
Use the optional Secret Objects field to define the desired state of the synced Kubernetes secret objects.
The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured.
To ensure your application is using the Secrets Store CSI driver, you need to configure your deployment to use the reference of the SecretProviderClass
resource created in the previous step.
The following is an example of how to configure a pod to mount a volume based on the SecretProviderClass created in prior steps to retrieve secrets from Secrets Manager.
While creating Service (Kubernetes -> Service),
Select Cloud Credentials value as From Kubernetes
Add Other Pod Config field as the following example.
Add mount details in Other Container Config field
You can use the optional secretObjects field to define the desired state of your synced Kubernetes secret objects. The volume mount is required for the sync.
Referring to the example which we are following from prior steps, we have defined SecretObjects
in Secret Object field (K8s Secret Provider Class).
The following is an example SecretProviderClass custom resource that will sync a secret from AWS Secrets Manager to a Kubernetes secret:
Create Service with all the configurations specified in Step 3
In Other Container Config field, you can specify mount details with the object name. Refer following example.
Set environment variables in your deployment to refer your new Kubernetes secrets.
Refer following example. Specify below in Environment Variables field
Integrate with OpenVPN by provisioning VPN users
DuploCloud integrates natively with OpenVPN by provisioning VPN users that you add to the Duplocloud Portal. OpenVPN setup is a two-step process.
Accept OpenVPN Free tier (Bring Your Own License) in the AWS marketplace:
Accept the agreement. Other than the regular EC2 instance cost, no additional license cost is added.
In the DuploCloud Portal, navigate to Administrator -> System Settings.
Click the VPN tab.
Click Provision VPN.
After the OpenVPN is provisioned, it is ready to use. Behind the scenes, DuploCloud launches a CloudFormation script to provision the OpenVPN.
You can find the OpenVPN admin password in the CloudFormation stack in your AWS console.
Provision a VPN while creating a user:
In the DuploCloud Portal, navigate to Administrator -> Users.
Click Add. The Create User pane displays.
Enter a valid email address in the Username field.
In the Roles field, select the appropriate role for the User.
Select Provision VPN.
Click Submit.
By default, users connected to a VPN can SSH or RDP into EC2 instances. Users can also connect to internal load balancers and endpoints of the applications. However, to connect to other services, such as databases and ElastiCache, you must open the port to the VPN:
In the DuploCloud Portal, navigate to Administrator -> Tenants.
Select the Tenant in the Name column.
Click the Security tab.
Click Add. The Add Tenant Security pane displays.
In the Source Type field, select Ip Address.
In the IP CIDR field, enter the name of your VPN.
Click Add.
DuploCloud integrates natively with OpenVPN by provisioning VPN users added in the Duplocloud portal. As a DuploCloud user, you can access resources in the private network by connecting to the VPN with the OpenVPN client.
The OpenVPN Access Server is set to forward only traffic destined for network resources in the DuploCloud-managed private networks. Traffic accessing other resources on the internet does not pass through the tunnel.
User VPN credentials are accessible on the user profile page. It can be accessed through the menu on the upper right of the page or through the User menu option on the left.
Follow the VPN URL link in the VPN Details section of your user profile. Modern browsers will call the link unsafe since it is using a self-signed certificate. Proceed to it.
Finish the Quick Start Tutorial by running a native Docker Service
This section of the tutorial shows you how to deploy a web application with a DuploCloud Docker Service, by leveraging DuploCloud platform in-built container management capability.
Instead of creating a DuploCloud Docker Service, you can alternatively finish the tutorial by:
Instead of creating a DuploCloud service using EKS or ECS, you can deploy your application with native Docker containers and services and DuploCloud.
To deploy your app with a DuploCloud Docker Service in this tutorial, you:
Create an EC2 host instance in DuploCloud.
Create a native Docker application and service.
Expose the app to the web with an Application Load Balancer in DuploCloud.
Complete the tutorial by testing your application.
Estimated time to complete remaining tutorial steps: 30-40 minutes
Behind the scenes, the topology that DuploCloud creates resembles this low-level configuration in AWS.
Creating a Load Balancer to configure network ports to access the application
Now that your DuploCloud Service is running, you have a mechanism to expose the containers and images in which your application resides. But because your containers are running inside a private network, you also need a load balancer to listen on the correct ports in order to access the application.
In this step, we add a Load Balancer Listener to complete this network configuration.
Estimated time to complete Step 6: 10 minutes.
Before creating a Load Balancer, verify that you accomplished the tasks in the previous tutorial steps. Using the DuploCloud Portal, confirm that:
In the Tenant list box, on the upper-left side of the DuploCloud Portal, select the dev01 Tenant that you created.
In the DuploCloud Portal, navigate to Kubernetes -> Services. The Services page displays.
From the Name column, select demo-service.
Click the Load Balancers tab.
Click the Configure Load Balancer link. The Add Load Balancer Listener pane displays.
From the Type list box, select Application LB.
In the Container Port field, enter 3000. This is the configured port on which the application inside the Docker Container Image duplocloud/nodejs-hello:latest
is running.
In the External Port field, enter 80. This is the port through which users will access the web application.
From the Visibility list box, select Public.
From the Application Mode list box, select Docker Mode.
Type / (forward-slash) in the Health Check field to indicate that the cluster we want Kubernetes to perform Health Checks on is located at the root
level.
In the Backend Protocol list box, select HTTP.
Click Add. The Load Balancer is created and initialized. Monitor the LB Status card on the Services page. When the Load Balancer is ready for use the LB Status card displays Ready.
Verify that the Load Balancer has an LB Status of Ready.
On the Services page, note the DNS Name of the Load Balancer that you created.
In the LB Listeners area of the Services page, note the configuration details of the Load Balancer's HTTP protocol, which you specified, when you added it above.
Log into your AWS account. In the console, navigate to: .
For information about removing VPN access for a user, see . To delete VPN access, you must have administrator privileges.
Log in to the OpenVPN Access Server user portal using the credentials from the DuploCloud user profile section.
Install the OpenVPN Connect app for your local machine.
Download the OpenVPN user profile for your account from the link labeled Yourself (user-locked profile).
Open the .ovpn file and click OK at the Import profile dialog. Then click Connect.
running Docker containers or
running Docker containers.
An exist, both with the name NONPROD.
The NONPROD infrastructure has .
A Tenant with the name .
A Host with the name .
A Service with the name .
Autoscale your Host workloads in DuploCloud
DuploCloud supports various ways to scale Host workloads, depending on the underlying AWS services being used.
Manage Tenant session duration settings in the DuploCloud Portal
In the DuploCloud Portal, configure the session duration time for all Tenants or a single Tenant. At the end of a session, the Tenants or Tenant ceases to be active for a particular user, application, or Service.
For more information about IAM roles and session times in relation to a user, application, or Service, see the AWS Documentation.
In the DuploCloud Portal, navigate to Administrator -> System Settings. The System Settings page displays.
Click the System Config tab.
Click Add. The App Config pane displays.
From the Config Type list box, select AppConfig.
From the Key list box, select AWS Role Max Session Duration.
From the Select Duration Hour list box, select the maximum session time in hours or set a Custom Duration in seconds.
Click Submit. The AWS Role Max Session Duration and Value are displayed in the System Config tab. Note that the Value you set for maximum session time in hours is displayed in seconds. You can Delete or Update the setting in the row's Actions menu.
In the DuploCloud Portal, navigate to Administrator -> Tenants. The Tenants page displays.
From the Name column, select the Tenant for which you want to configure session duration time.
Click the Settings tab.
Click Add. The Add Tenant Feature pane displays.
From the Select Feature list box, select AWS Role Max Session Duration.
From the Select Duration Hour list box, select the maximum session time in hours or set a Custom Duration in seconds.
Click Add. The AWS Role Max Session Duration and Value are displayed in the Settings tab. Note that the Value you set for maximum session time in hours is displayed in seconds. You can Delete or Update the setting in the row's Actions menu.