
IP Filtering Made Easy With Enclave Endpoints

Thomas Orozco on February 22, 2017

We’re proud to announce that as of this week, Enclave Endpoints support IP filtering. Using this new feature, you can restrict access to apps hosted on Enclave to a set of allowed IP addresses or networks and block all other incoming traffic.

Use Cases

While IP filtering is no substitute for strong authentication, this feature is useful to:

  • Further lock down access to sensitive apps and interfaces, such as admin dashboards or third-party apps you’re hosting on Aptible for internal use only (e.g. Kibana, Sentry).

  • Restrict access to your apps and APIs to a set of trusted customers or data partners.

And if you’re hosting development apps on Aptible, IP filtering can also help you make sure no one outside your company can see your latest and greatest before you’re ready to release it to the world.

Note that IP filtering applies only to Endpoints (i.e. traffic directed to your app), not to aptible ssh, aptible logs, and the other backend access functionality provided by the Aptible CLI (that access is secured by strong mutual authentication, as we covered in our Q1 2017 webinar). Also keep in mind that the filter matches the public source address of the connection: users behind a shared NAT or VPN gateway all arrive from that gateway’s address, so allowing it admits everyone behind it.

Getting Started with IP Filtering

IP filtering is configured via the Aptible Dashboard on a per-Endpoint basis.

You can enable it when creating a new Endpoint, or after the fact for an existing Endpoint by editing it.
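As an added example (not from the original post and not Aptible’s own tooling), here is a small Python check you can run over an allowlist before pasting it into the Endpoint form: it rejects entries that are not valid addresses or CIDR networks, refuses a catch-all network, flags networks broader than a per-family limit, notes entries whose host bits were dropped (a likely typo), and collapses overlapping entries into the minimal set. The accepted syntax and the /16 and /48 limits are assumptions chosen for the example, not platform rules.

```python
import ipaddress

# Broadest network the example tolerates per address family (an IPv4 /16, an
# IPv6 /48); an assumption for this example, not a platform limit.
MIN_PREFIXLEN = {4: 16, 6: 48}


def normalize_allowlist(entries, min_prefixlen=MIN_PREFIXLEN):
    """Validate allowlist entries and return (networks, notes, problems).

    networks: the collapsed list of CIDR strings to paste into the Endpoint form
    notes:    entries that were accepted but changed (host bits dropped)
    problems: entries that were rejected, each with a reason
    """
    accepted, notes, problems = [], [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError as exc:
            problems.append(f"{text}: not an IP address or CIDR network ({exc})")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 matches every client and silently disables the filter.
            problems.append(f"{text}: matches every address, which disables filtering")
            continue
        if net.prefixlen < min_prefixlen[net.version]:
            problems.append(
                f"{text}: /{net.prefixlen} is broader than /{min_prefixlen[net.version]}; narrow it or split it"
            )
            continue
        if "/" in text and str(net) != text:
            # e.g. 203.0.113.5/24 becomes 203.0.113.0/24; the author may have meant one host.
            notes.append(f"{text}: host bits dropped, stored as {net}")
        accepted.append(net)

    # collapse_addresses only accepts one address family at a time; it also drops
    # entries already covered by a broader one and returns the result sorted.
    v4 = [n for n in accepted if n.version == 4]
    v6 = [n for n in accepted if n.version == 6]
    networks = [str(n) for n in ipaddress.collapse_addresses(v4)]
    networks += [str(n) for n in ipaddress.collapse_addresses(v6)]
    return networks, notes, problems


if __name__ == "__main__":
    import sys

    nets, notes, problems = normalize_allowlist(sys.stdin.read().splitlines())
    for line in problems:
        print("REJECTED", line)
    for line in notes:
        print("NOTE", line)
    print("\n".join(nets))
```

Feed it one entry per line on stdin; anything printed as REJECTED should be fixed before the list goes into the Dashboard, and NOTE lines deserve a second look because a /24 typed against a specific host is usually a mistake.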

Enjoy! As usual, let us know if you have any feedback or questions!


Logentries and Sumo Logic setup now a breeze

Thomas Orozco on February 14, 2017

We’re happy to announce that Aptible Log Drains now provide more flexible configuration, making it much easier to forward your Aptible logs to two logging providers that are becoming increasingly popular with Aptible customers (in large part because they sign BAAs):

  • Logentries

  • Sumo Logic

For Logentries, you can now use token-based logging. This makes configuration much easier than before: create a new Token TCP Log in Logentries, then paste the Logging Token you’re given into the Log Drain configuration in Aptible, and you’re done!

Log Drain to Logentries

For Sumo Logic, we now support full HTTPS URLs. Here again, setup is greatly simplified: create a new Hosted HTTP Collector in Sumo Logic, then paste the URL you’re given into the Log Drain configuration in Aptible. Treat both the Logentries token and the Sumo Logic collector URL as secrets: anyone who has them can write to your log stream.

Log Drain to Sumo Logic

Enjoy! As usual, if you have any questions or feedback, feel free to contact us.


ALB Endpoints Now Support SSL_PROTOCOLS_OVERRIDE

Thomas Orozco on February 14, 2017

As of last week, ALB Endpoints respect the SSL_PROTOCOLS_OVERRIDE app configuration variable, which until now was only applicable to ELB Endpoints.

In a nutshell, setting SSL_PROTOCOLS_OVERRIDE lets you customize the protocols exposed by your Endpoint for encrypted traffic.

For example, if you have a regulatory requirement to only expose TLSv1.2, you can do so using the following command (via the Aptible CLI):

aptible config:set FORCE_SSL=true "SSL_PROTOCOLS_OVERRIDE=TLSv1.2" --app my-app

Note that by default (i.e. if you don’t set SSL_PROTOCOLS_OVERRIDE), Aptible Endpoints accept connections over TLSv1, TLSv1.1, and TLSv1.2. This configuration will evolve over time as industry best practices continue to evolve. Before restricting protocols, check which of your clients (including API integrations and monitoring probes) still negotiate TLSv1 or TLSv1.1, since they will be refused as soon as the override takes effect.

You can learn more about the SSL_PROTOCOLS_OVERRIDE configuration variable (and other variables available) on our support website: How can I modify the way my app handles SSL?
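Once SSL_PROTOCOLS_OVERRIDE is set, verify it from the outside rather than trusting the configuration. The following Python script is an added example, not part of the original post or of the Aptible CLI: it attempts one handshake per protocol version against a host and reports any version the policy does not allow. It also probes TLSv1.3, which post-dates this post. The host name and the allowed set are command-line arguments; nothing here reads Aptible configuration.

```python
import socket
import ssl
import sys

# Protocol names as SSL_PROTOCOLS_OVERRIDE spells them, mapped to the ssl module's constants.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if the local OpenSSL cannot offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing which protocols the server offers, not validating its chain,
    # so verification is off here; never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL 3 refuses TLSv1/1.1 at its default security level; lower it so
        # the probe can offer them (ignored where the syntax is unsupported).
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = VERSIONS[version]
        ctx.maximum_version = VERSIONS[version]
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port=443):
    """Map each protocol name to True (accepted), False (refused) or None (not testable here)."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def policy_violations(results, allowed=("TLSv1.2",)):
    """Protocol versions the server accepted that the policy does not allow; empty means compliant."""
    allowed = set(allowed)
    return sorted(name for name, accepted in results.items() if accepted and name not in allowed)


if __name__ == "__main__":
    host = sys.argv[1]
    allowed = sys.argv[2].split(",") if len(sys.argv) > 2 else ["TLSv1.2"]
    results = probe_all(host)
    for name, accepted in results.items():
        state = "accepted" if accepted else ("not testable" if accepted is None else "refused")
        print(f"{name:8} {state}")
    bad = policy_violations(results, allowed)
    print("VIOLATION: " + ", ".join(bad) if bad else "OK: only allowed protocols accepted")
    sys.exit(1 if bad else 0)
```

Run it as `python probe_tls.py my-app.example.com` (or with a second argument such as `TLSv1.2,TLSv1.3` to allow more than one version); a non-zero exit means the Endpoint still accepts a protocol the policy excludes. A None result only says the probing machine could not offer that version, so run it from a host whose OpenSSL still speaks TLSv1 if you need to prove those are refused.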


Database Encryption now defaults to AES-256

Thomas Orozco on February 14, 2017

Until recently, Aptible used AES-192 for disk encryption, but as of last week, Aptible databases (and their backups) default to AES-256 instead.

While AES-192 remains a secure choice with no known practical attacks, it has become increasingly common for Aptible customers to have their own partners request 256-bit encryption everywhere from a compliance perspective, which is why we’re making this change.

If you’re curious to know which encryption algorithm is used for a given database, you can find that information on the Dashboard page for the database in question (along with the disk size and database credentials).


Redis + SSL

Thomas Orozco on January 20, 2017

We’re proud to announce that as of today, new Redis databases provisioned on Aptible Enclave support SSL/TLS in addition to the regular Redis protocol. Because both AWS and Aptible require that you encrypt HIPAA Protected Health Information in transit, even within a private, dedicated Enclave stack, this means you can now use Redis to store and process PHI on Enclave.

How does it work?

Redis doesn’t support SSL natively (native TLS support only arrived later, in Redis 6), and the solution the Redis community settled on is to run an SSL termination layer in front of Redis. On Enclave, we use stunnel, an industry standard. Because TLS is terminated in front of Redis, the client only needs to speak TLS itself, which a good number of Redis clients already do out of the box, including:

  • redis-rb (Ruby)
  • redis-py (Python)
  • Jedis (Java)
  • predis (PHP)
  • node_redis (Node.js)
  • StackExchange.Redis (.NET)

How do I use it?

For new Redis databases, select your Redis database in the Aptible Dashboard, and click "Reveal" under "Credentials" at the top. Aptible will provide two URLs:

  • A regular Redis URL using the redis:// protocol
  • An SSL Redis URL using the rediss:// protocol (note the two "s"!)

Most Redis clients will automatically recognize a rediss:// URL and connect over SSL, but review your client’s documentation if you run into any trouble. While you’re there, check that the client verifies the server certificate rather than merely encrypting the connection, and make sure your app cannot silently fall back to the plain redis:// URL.
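As an added example, not part of the post or of any of the clients listed above, here is how an app can refuse to fall back to the plaintext URL by accident: it parses the Redis URL itself, treats the scheme as the security decision, and only then hands the parameters to redis-py. The URL shape (user, password, host, port, database number) follows the common redis:// convention; the host names and credentials used in the checks are made up.

```python
from urllib.parse import unquote, urlparse


class InsecureRedisURL(ValueError):
    """Raised when a plaintext redis:// URL is offered where TLS is required."""


def url_uses_tls(url):
    """True for rediss:// (note the second s), False for redis://."""
    scheme = urlparse(url).scheme
    if scheme not in ("redis", "rediss"):
        raise ValueError(f"not a Redis URL: {scheme!r}")
    return scheme == "rediss"


def redis_connection_params(url, require_tls=True):
    """Turn a redis:// or rediss:// URL into keyword arguments for redis.Redis().

    With require_tls=True (the default here, since PHI must be encrypted in transit)
    a redis:// URL is rejected outright instead of silently connecting in the clear.
    """
    tls = url_uses_tls(url)
    if require_tls and not tls:
        raise InsecureRedisURL("plaintext redis:// refused; use the rediss:// URL from the Dashboard")
    parts = urlparse(url)
    db = 0
    if parts.path not in ("", "/"):
        db = int(parts.path.lstrip("/"))
    return {
        "host": parts.hostname,
        "port": parts.port or 6379,
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "db": db,
        # Current redis-py versions verify the server certificate when ssl=True
        # (ssl_cert_reqs defaults to "required"), so encryption and verification both hold.
        "ssl": tls,
    }


def connect(url, require_tls=True):
    """Open a redis-py client. redis-py is imported here so the URL checks above need no dependency."""
    params = redis_connection_params(url, require_tls=require_tls)
    import redis  # redis-py; `pip install redis`

    return redis.Redis(**params)
```

redis-py’s own `redis.Redis.from_url(url)` understands rediss:// too, but it will just as happily accept redis://; the point of the wrapper is that a misconfigured REDIS_URL fails loudly at startup instead of quietly sending PHI in the clear.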

What about existing Redis databases?

For existing Redis databases, Aptible can enable SSL/TLS following a short downtime (about 30 seconds). If you'd like to do that, or have any feedback or questions, just let us know!


RabbitMQ Management Interface

Thomas Orozco on January 20, 2017

We’re happy to announce that the RabbitMQ management interface is now available for RabbitMQ databases deployed on Aptible Enclave. Until now, only the AMQP port was exposed, so you could push messages to queues, but managing queues was more difficult.

There’s a lot the RabbitMQ management interface can be used for, but for the most part it’s useful to review and manipulate the queues that exist in your RabbitMQ container.

How do I access it?

The RabbitMQ management interface is exposed by default on new RabbitMQ databases provisioned on Enclave. In the Aptible Dashboard, select your database, then select the "Credentials" link at the top. A modal will reveal all connection strings for that database, each named by function.

For existing RabbitMQ databases, we can enable the management interface following a short downtime (about 30 seconds). If you'd like to do that, or have any feedback or questions, just let us know!


Aptible CLI for Windows

Thomas Orozco on January 9, 2017

We’re proud to announce that the Aptible CLI is now supported on Windows!

More than a CLI: a Toolbelt!

We distribute the Aptible CLI as a package called the "Aptible Toolbelt." The Toolbelt is available for several platforms, including macOS, Ubuntu, Debian, and CentOS. On Windows, it is available as an MSI installer.

On all platforms, the toolbelt includes:

  • The Aptible CLI itself, in the form of the aptible-cli Ruby gem; and

  • System dependencies the CLI needs to function properly. This includes Ruby (which the CLI is written in) and dependencies like OpenSSH (which the CLI uses for functionality like database tunnels).

The toolbelt integrates with your system to ensure that the aptible command lands on your PATH, so that when you type aptible in your command prompt, things just work. On Windows, this is done by modifying your PATH; on macOS and Linux it is done by placing a symlink in /usr/local/bin.

Supported Platforms

The Windows package targets Windows 8.1 and up on the PC side, and Windows Server 2012r2 and up on the server side. In other words, it targets Windows NT 6.3 and up, which is why you’ll see that number in the installer name.

Download and Installation

To get the Aptible CLI on Windows, download it directly from the Aptible website, then run the installer.

You might receive a SmartScreen prompt indicating that the publisher (that’s us!) isn’t known. Because this is the first time we’ve shipped software for Windows, we don’t have a reputation with Microsoft yet. The installer is properly signed, so to proceed, click through "More Info" and verify that the reported publisher is Aptible, Inc. If the publisher shown is anything else, do not run the installer.

Enjoy! Since this is still early days for the Windows version of the CLI, make sure to let us know if you hit any snags!


Cancel Running Deployments

Thomas Orozco on December 13, 2016

We're happy to announce that as of this week, you can now cancel running
deployments on Aptible Enclave!

When is cancelling a deployment useful?

1. Your app is failing the HTTP health check, and you know why

As described in this support article, Enclave performs an automatic health
check on any app service with an endpoint attached to it. During this health
check, the platform makes an HTTP request to the port exposed by your Docker
container, and waits for an HTTP response (though not necessarily a successful
HTTP status code).

When your app is failing the HTTP health check, Enclave waits for 10 minutes
before giving up and cancelling the deployment.

But, if you know the health check is never going to succeed, that's wasted
time! In this case, just cancel the deployment, and the health check will stop
immediately.

2. You need to stop your pre-release commands immediately

Running database migrations in a pre-release command is convenient, but it can
sometimes backfire if you end up running a migration that's unexpectedly
expensive and impacts your live app.

In this case, you often want to just stop the pre-release command dead in its
tracks. Cancelling the deployment will do that.

However, do note that Enclave cannot roll back whatever your pre-release command
did before you cancelled it, so use this capability wisely (and, where your
database supports it, run migrations in a transaction so that an interrupted
migration leaves nothing half-applied).

How does it work?

When deploying an app on Enclave, you'll be presented with an informational
banner explaining how you might cancel that deployment if needed:

$ git push aptible master
Counting objects: 15, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (15/15), 1.20 KiB | 0 bytes/s, done.
Total 15 (delta 5), reused 0 (delta 0)
remote: (8ミ | INFO: Authorizing...
remote: (8ミ | INFO: Initiating deploy...
remote: (8ミ | INFO: Deploying 5e173381...
remote:
remote: (8ミ | INFO: Pressing CTRL + C now will NOT interrupt this deploy
remote: (8ミ | INFO: (it will continue in the background)
remote:
remote: (8ミ | INFO: However, you can cancel this deploy using the Aptible CLI with:
remote: (8ミ | INFO:     aptible operation:cancel 15489
remote: (8ミ | INFO: (you might need to update your Aptible CLI)

At this point, running aptible operation:cancel with the operation ID shown in
the banner, in another terminal window, will advise Enclave that you'd like to
cancel this deployment.

Note that you'll need version 0.8.0 of the Aptible CLI or greater to use
this command. If you haven't installed the CLI, or have an older version, then
download the latest here. You can check your version from the CLI using
aptible version.

Is it safe to cancel a deployment?

Yes! Under the hood, cancelling an Enclave operation initiates a rollback at
the next safe point in your deployment. This ensures your app isn't left in an
inconsistent state when you cancel.

There are two considerations to keep in mind:

  1. You cannot cancel a deployment between safe points. Notably, this means
    you can't cancel the deployment during the Docker build step, which is
    still one big step with no safe points. (We would like to change this in
    the future.)

  2. Cancelling your deployment may not take effect immediately, or at all. For
    example, if your deployment is already being rolled back, asking to cancel
    won't do anything.

Enjoy!


Database Logs

Thomas Orozco on November 30, 2016

We’re proud to announce that as of this week, you can now route database logs to a Log Drain, just like you’d do with app logs! This option is available when you create a new Log Drain; you can opt to send either app or database logs, or both.

If you already have a Log Drain set up for apps (you should!), you can opt to either recreate it to capture both app and database logs, or simply create a new one that only captures database logs.

Why Capture Database Logs?

Aptible customers have asked for database logs for two main use cases: compliance and operations.

From a compliance perspective, you can use database logs to facilitate audit logging, for example by logging sensitive queries made to your database (or all queries for that matter, if that’s a realistic option for you). Bear in mind that logged statements may include literal values, so query logs can themselves contain PHI or secrets: send them only to a drain covered by your BAA, and protect them with the same access controls as the database itself.

From an operations standpoint, you can use them to identify new performance problems (e.g. by logging slow queries made to your database), or to better understand problems you’ve already identified (e.g. by correlating database log entries with issues you’ve experienced).

What Does My Database Log?

Your database may not log what you care about out of the box. For example, Postgres is pretty quiet by default. You can usually modify logging parameters by connecting to your database and issuing re-configuration statements.

For example, to enable slow query logging in Postgres >= 9.4 (the first release with ALTER SYSTEM), you’d open a database tunnel and run the following statements:

-- Log every statement that runs for 200 ms or longer (ALTER SYSTEM normally requires superuser privileges).
ALTER SYSTEM SET log_min_duration_statement = 200;
-- Optional: also write INFO and NOTICE messages. The slow-query entries above are emitted at
-- LOG level and already pass the default WARNING threshold, so this only adds verbosity.
ALTER SYSTEM SET log_min_messages = 'INFO';
-- Apply the new settings to running backends without a restart.
SELECT pg_reload_conf();

Refer to your database’s documentation for more information, or contact support and we’ll be happy to help.

How Do I Differentiate Database Logs From App Logs?

For Elasticsearch and HTTPS Log Drains, log entries sent to your Log Drain now include a "layer" field that indicates whether the log came from an app or a database.

Here’s an example comparing app and database logs using Kibana. Most of the logs here came from the app (respectively from a web and a background service), but we also have a slow query logged by Postgres.

For Syslog Log Drains, the database handle and type are included as the source program (that’s the service field you can see reported in Kibana above).
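As an added example (not code from this post or from Aptible), here is the kind of filter you might run in a consumer of an HTTPS Log Drain: it keeps entries whose layer field is database, pulls the duration and statement out of Postgres slow-query lines, and redacts literal values before the statement is forwarded anywhere less protected than the database itself. Only the layer field is documented above; the source and log field names and the sample entries are constructed for this example, while the `duration: N ms  statement: ...` text is Postgres’s own log_min_duration_statement format.

```python
import json
import re
import sys

# Constructed sample drain entries. Only "layer" is documented in the post; the
# other field names are assumptions made for this example.
SAMPLE_LOG_LINES = [
    '{"layer": "app", "source": "web", "log": "GET /patients/42 200 12ms"}',
    '{"layer": "app", "source": "background", "log": "Processed job 17"}',
    '{"layer": "database", "source": "ehr-postgres", "log": "LOG:  duration: 523.412 ms  statement: SELECT * FROM patients WHERE last_name = \'Doe\' AND mrn = 10042"}',
    '{"layer": "database", "source": "ehr-postgres", "log": "LOG:  duration: 3.101 ms  statement: SELECT 1"}',
    '{"layer": "database", "source": "ehr-postgres", "log": "LOG:  checkpoint complete: wrote 12 buffers"}',
]

# Postgres writes slow statements as "duration: <ms> ms  statement: <sql>"
# (or "execute <name>: <sql>" for prepared statements).
DURATION_RE = re.compile(r"duration: (?P<ms>\d+(?:\.\d+)?) ms\s+(?:statement|execute [^:]*): (?P<sql>.*)$")
STRING_LITERAL_RE = re.compile(r"'(?:[^']|'')*'")
NUMBER_LITERAL_RE = re.compile(r"\b\d+(?:\.\d+)?\b")


def parse_entries(raw_lines):
    """Decode one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in raw_lines if line.strip()]


def by_layer(entries, layer):
    """Entries whose layer field matches ("app" or "database")."""
    return [e for e in entries if e.get("layer") == layer]


def redact_literals(sql):
    """Replace quoted strings and bare numbers so patient data does not travel with the query shape."""
    return NUMBER_LITERAL_RE.sub("?", STRING_LITERAL_RE.sub("'?'", sql))


def slow_queries(entries, threshold_ms=200.0):
    """(source, duration_ms, redacted_sql) for database log lines at or above the threshold."""
    found = []
    for entry in by_layer(entries, "database"):
        match = DURATION_RE.search(entry.get("log", ""))
        if match and float(match.group("ms")) >= threshold_ms:
            found.append((entry.get("source"), float(match.group("ms")), redact_literals(match.group("sql"))))
    return found


if __name__ == "__main__":
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG_LINES
    for source, ms, sql in slow_queries(parse_entries(lines)):
        print(f"{source}\t{ms:.1f} ms\t{sql}")
```

Piped a drain’s JSON lines on stdin, it prints one redacted slow query per line; run without input it uses the constructed sample and reports the single 523 ms query. The redaction is deliberately coarse (it also replaces numbers such as LIMIT values) because the goal is to keep query shapes for performance work while keeping patient identifiers out of the less-protected tooling downstream.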

CLI Support and Aptible Legacy Infrastructure

At this time, database logs are not available via the CLI, and are not available on Aptible legacy infrastructure. We’re working on adding support in the CLI, so this will be available very soon!

Update: aptible logs now supports databases! Download the latest CLI and use aptible logs --database HANDLE.

If you are still running on Aptible legacy infrastructure (as indicated in the Aptible Dashboard when you provision a Log Drain), we encourage you to contact Aptible Support to coordinate a migration. This will give you access to database logs, as well as a growing number of other new features (such as ALB Endpoints, support for deploying directly from a Docker image and on-demand database restores).

Enjoy!


October 2016 Updates + Webinar

Chas Ballew on November 2, 2016

The Aptible Update Webinar Series is a new quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products.

We hosted the first Update Webinar on October 25. In it, we covered:

  • Deploying from Private Docker Registries: How to configure a private container deployment pipeline
  • Advanced Memory Management: How to plan for and easily manage container memory issues
  • New ALB Endpoints: More resilient zero-downtime deployments
  • HTTP Health Checks: Smart, safe app container routing
  • Platform Events: How to get more from the Enclave API and your logging
  • Container Metrics: Live telemetry and dashboards for monitoring
  • Working with Database Backups: On-demand backups and restoration
  • Two-factor Authentication: Securing your Aptible accounts

The next Aptible Update Webinar will be on January 25, 2017, at 11am PST/2pm EST.


Webinars are recorded and made available for viewing if you cannot attend the live session.

October 2016

Video: https://www.youtube.com/watch?v=SIV0uPnz7i4
Slides: https://speakerdeck.com/aptible/aptible-update-webinar-series-october-2016
