Architect Tips

  To secure your Api Gateway, there is the option to add Cognito as Authorizer. It is very easy to setup especially if you will follow the GUI instruction from console. This is a very common setup: you have your Cognito User Pool where you have create the UI to admit clients to login and check their credentials. The UI can be easily managed because you can integrate it and setup your home Application as redirect URI, so they can be see the home page right after login submit. Now let's suppose you have an Api Gateway and the same user pool from Cognito is used to allow users to access that. This means that: users have to insert credentials obtain the auth code call the oauth2 obtain the token add it to Authorization header Usually we do this using SDK from AWS, but I want to experiment an alternative way of do this. POSTMAN     If you check on the internet you will see that there are many examples of Postman Cognito Oauth, where you can set up all the configuration and cli...

  The Problem Application that becomes unresponsive is always a pain and find what is going wrong is one of the hardest activity that developers, architects and operators have to deal with. Recently I had the "plaesure" to see all the VM where an application was deployed crashing for unknown reason: the application did not respond anymore and tomcat was not able to serve any request. Usually if we look just at the machine, we do not have any information about what is wrong: log stop to be written..we just see that CPU is increasing its usage (and RAM of course). To really understand what is going wrong, it is important to have a Thread Dump of the JVM to see effectively what each thread is doing at the moment. But there is a problem on that: if you just take one thread dump you have just a snapshot of the application at a specific time while you are missing the "evolution" of the application Thread dump overview For example just looking on the first Thread Dump rece...

  I know that many of you probably don't use Tomcat for your applications deployment, but as you know there are tons of systems that currently run on this specific Application Server. Most of the existing Monoliths around the world are deployed on Tomcat (or Weblogic or whatever) where the classloader is - of course - managed by the Application Server itself. THE PROBLEM We have this very old application that is working without any problem on Tomcat7. This application has an extensive use of class scanning due to Jaxb implementation that search on every Jar file and create a JaxbContext of known classes. There was a request from customer to move the application from Tomcat7 to other Tomcat8 or Tomcat9, because the seven is out of standard for the company. Ehi: there are no problem. There are just fews properties in catalina.properties that we need to copy and "le jeux sont faits", we can easily deploy. And this is was we did but... Wait....whaaaaaat????? we have the corre...

  There are many ways to administrate resources in your AWS accounts because you have the power of IAC, which means that you can deploy/start/stop any services just using Code. To do it, we usually use templates and CloudFormation or other tools that can enable the interaction with your accounts, maybe directly from a bash console, maybe using AWS pipeline. Using a joke from a friend of mine, it is always funny to use AWS against AWS: this is the case when you need to stop resources that AWS starts and you don't want to pay for unused resources (and you don't have all the scripts to recreate all the instances). Let's see it CONDITION Suppose you have created a simple DocumentDB cluster which you need to stops. You don't have all the ability to recreate the instances each time using external disks as backup. You just stop the cluster when you don't use it. If you wait too much, AWS will restart the cluster (after a week) and you will pay for it, even if you don't...

  Everybody loves MongoDB and there are a lot of way to use it: deploy it in an EKS or K8s, an Atlas installation or even deploy on premis. Only the Atlas way gives you the power of easy management, because the service is totally owned by the vendor. There is another solution if you want to use it in AWS: DocumentDB, which is a partially managed service Database totally compatible with MongoDB. It gives you the power to have patching managed by Amazon but requires - believe or not - a little bit of confidence on networking. ASSUMPTIONS To create the cluster AWS needs to be sure that if an instance can be added, there is a chance to work in an high availability zone. It means that you need to create a VPC spanned into multiple AZ and different subnets should work in different AZ. VPC We will use aws cli for all. In our case we will create a VPC with just 2 subnets, each in a different Availability zone.  We will save vpc id and subnet id: the first is important for querying, th...

  AWS gives you the ability to create an EKS cluster inside a VPC, but it is so important to expose the web service on Internet trying to automate as much as possible. To expose on internet, the best way is to use the Application Load Balancer that points to an internal Service to EKS. To create it with a CI/CD it is important of course to have as much script automation as possible. So let's explore each stage. THE VPC The first step is of course to create a VPC inside your account. To be as fast as possible, it is essential to have a VPC with 2 Public Subnet and a security group that allows the machines to access and be accessed from all. This is intended of course for just testing purpose, it means that you need to create the rules properly in the feature, allow each subnet to be accessed only by your Control Node of EKS So create it and take apart the value of the subnet, they will be used in the future THE EKS To create the EKS we will use of course the existing AWS cli feature...