New — Amazon Athena for Apache Spark

2022-11-30 Donnie Prakoso

Post Syndicated from Donnie Prakoso original https://aws.amazon.com/blogs/aws/new-amazon-athena-for-apache-spark/

When Jeff Barr first announced Amazon Athena in 2016, it changed my perspective on interacting with data. With Amazon Athena, I can interact with my data in just a few steps—starting from creating a table in Athena, loading data using connectors, and querying using the ANSI SQL standard.

Over time, various industries, such as financial services, healthcare, and retail, have needed to run more complex analyses for a variety of formats and sizes of data. To facilitate complex data analysis, organizations adopted Apache Spark. Apache Spark is a popular, open-source, distributed processing system designed to run fast analytics workloads for data of any size.

However, building the infrastructure to run Apache Spark for interactive applications is not easy. Customers need to provision, configure, and maintain the infrastructure on top of the applications. Not to mention performing optimal tuning resources to avoid slow application starts and suffering from idle costs.

Introducing Amazon Athena for Apache Spark
Today, I’m pleased to announce Amazon Athena for Apache Spark. With this feature, we can run Apache Spark workloads, use Jupyter Notebook as the interface to perform data processing on Athena, and programmatically interact with Spark applications using Athena APIs. We can start Apache Spark in under a second without having to manually provision the infrastructure.

Here’s a quick preview:

Quick preview of Amazon Athena for Apache Spark

How It Works
Since Amazon Athena for Apache Spark runs serverless, this benefits customers in performing interactive data exploration to gain insights without the need to provision and maintain resources to run Apache Spark. With this feature, customers can now build Apache Spark applications using the notebook experience directly from the Athena console or programmatically using APIs.

The following figure explains how this feature works:

How Amazon Athena for Apache Spark works

On the Athena console, you can now run notebooks and run Spark applications with Python using Jupyter notebooks. In this Jupyter notebook, customers can query data from various sources and perform multiple calculations and data visualizations using Spark applications without context switching.

Amazon Athena integrates with AWS Glue Data Catalog, which helps customers to work with any data source in AWS Glue Data Catalog, including data in Amazon S3. This opens possibilities for customers in building applications to analyze and visualize data to explore data to prepare data sets for machine learning pipelines.

As I demonstrated in the demo preview section, the initialization for the workgroup running the Apache Spark engine takes under a second to run resources for interactive workloads. To make this possible, Amazon Athena for Apache Spark uses Firecracker, a lightweight micro-virtual machine, which allows for instant startup time and eliminates the need to maintain warm pools of resources. This benefits customers who want to perform interactive data exploration to get insights without having to prepare resources to run Apache Spark.

Get Started with Amazon Athena for Apache Spark
Let’s see how we can use Amazon Athena for Apache Spark. In this post, I will explain step-by-step how to get started with this feature.

The first step is to create a workgroup. In the context of Athena, a workgroup helps us to separate workloads between users and applications.

To create a workgroup, from the Athena dashboard, select Create Workgroup.

Select Create Workgroup

On the next page, I give the name and description for this workgroup.

Creating a workgroup

On the same page, I can choose Apache Spark as the engine for Athena. In addition, I also need to specify a service role with appropriate permissions to be used inside a Jupyter notebook. Then, I check Turn on example notebook, which makes it easy for me to get started with Apache Spark inside Athena. I also have the option to encrypt Jupyter notebooks managed by Athena or use the key I have configured in AWS Key Management Service (AWS KMS).

After that, I need to define an Amazon Simple Storage Service (Amazon S3) bucket to store calculation results from the Jupyter notebook. Once I’m sure of all the configurations for this workgroup, I just have to select Create workgroup.

Configure Calculation Results Settings

Now, I can see the workgroup already created in Athena.

Select newly created workgroup

To see the details of this workgroup, I can select the link from the workgroup. Since I also checked the Turn on example notebook when creating this workgroup, I have a Jupyter notebook to help me get started. Amazon Athena also provides flexibility for me to import existing notebooks that I can upload from my laptop with Import file or create new notebooks from scratch by selecting Create notebook.

Example notebook is available in the workgroup

When I select the Jupyter notebook example, I can start building my Apache Spark application.

When I run a Jupyter notebook, it automatically creates a session in the workgroup. Subsequently, each time I run a calculation inside the Jupyter notebook, all results will be recorded in the session. This way, Athena provides me with full information to review each calculation by selecting Calculation ID, which took me to the Calculation details page. Here, I can review the Code and also Results for the calculation.

Review code and results of a calculation

In the session, I can adjust the Coordinator size and Executor size, with 1 data processing unit (DPU) by default. A DPU consists of 4 vCPU and 16 GB of RAM. Changing to a larger DPU allows me to process tasks faster if I have complex calculations.

Configuring session parameters

Programmatic API Access
In addition to using the Athena console, I can also use programmatic access to interact with the Spark application inside Athena. For example, I can create a workgroup with the create-work-group command, start a notebook with create-notebook, and run a notebook session with start-session.

Using programmatic access is useful when I need to execute commands such as building reports or computing data without having to open the Jupyter notebook.

With my Jupyter notebook that I’ve created before, I can start a session by running the following command with the AWS CLI:

$> aws athena start-session \
    --work-group <WORKGROUP_NAME>\
    --engine-configuration '{"CoordinatorDpuSize": 1, "MaxConcurrentDpus":20, "DefaultExecutorDpuSize": 1, "AdditionalConfigs":{"NotebookId":"<NOTEBOOK_ID>"}}'
    --notebook-version "Jupyter 1"
    --description "Starting session from CLI"

{
    "SessionId":"<SESSION_ID>",
    "State":"CREATED"
}

Then, I can run a calculation using the start-calculation-execution API.

$ aws athena start-calculation-execution \
    --session-id "<SESSION_ID>"
    --description "Demo"
    --code-block "print(5+6)"

{
    "CalculationExecutionId":"<CALCULATION_EXECUTION_ID>",
    "State":"CREATING"
}

In addition to using code inline, with the --code-block flag, I can also pass input from a Python file using the following command:

$ aws athena start-calculation-execution \
    --session-id "<SESSION_ID>"
    --description "Demo"
    --code-block file://<PYTHON FILE>

{
    "CalculationExecutionId":"<CALCULATION_EXECUTION_ID>",
    "State":"CREATING"
}

Pricing and Availability
Amazon Athena for Apache Spark is available today in the following AWS Regions: US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo), and Europe (Ireland). To use this feature, you are charged based on the amount of compute usage defined by the data processing unit or DPU per hour. For more information see our pricing page here.

To get started with this feature, see Amazon Athena for Apache Spark to learn more from the documentation, understand the pricing, and follow the step-by-step walkthrough.

Happy building,

— Donnie

Music Assistant for complete media control

2022-11-30 BeardedTinker

Post Syndicated from BeardedTinker original https://www.youtube.com/watch?v=YfoJqHDhNdE

Rapid7 Integration For AWS Verified Access

2022-11-30 Aaron Sawitsky

Post Syndicated from Aaron Sawitsky original https://blog.rapid7.com/2022/11/30/rapid7-integration-for-aws-verified-access/

Rapid7 Integration For AWS Verified Access

Today at re:invent, Amazon Web Services (AWS) unveiled its new AWS Verified Access service, and we are thrilled to announce that InsightIDR — Rapid7’s next-gen SIEM and XDR — will support log ingestion from this new service when it is made generally available.

What Is AWS Verified Access?

AWS Verified Access is a new service that allows AWS customers to simplify secure access to private applications running on AWS, without requiring the use of a VPN. Verified Access also lets customers easily implement Zero Trust policies for each application reached via the service. The data needed for these policies is provided by integrations between Verified Access and third-party solutions like IdPs and device management tools. For example:

Access to a low-risk application might be granted to any employee who is logged into the organization’s IdP solution
Access to a highly sensitive application might only be granted to employees who are logged into the organization’s IdP solution, are part of a specific team at the company, are accessing from a company-managed computer that is fully updated, and have an IP address coming from a country on an allowlist

For customers who already have IdP and device management solutions, Verified Access can integrate with many of these vendors, allowing the customer to use their existing provider to define policies while still getting the convenience of VPN-less access to their private applications through Verified Access.

Unlock a Complete Picture of Your Cloud Security with InsightIDR

Verified Access generates detailed logs for every authorization attempt. InsightIDR will be able to ingest these logs from AWS’s just-announced Amazon Security Lake. InsightIDR customers will be able to see ingress activity from Verified Access alongside ingress events from sources like AWS Identity Access Management (IAM), VPNs, productivity apps, and more — not to mention telemetry from their broader cloud and on-premises environments. Like all ingress activity logs sent to InsightIDR, logs from Verified Access will be able to be used to detect suspicious activity, as well as be brought into investigations to help establish a complete timeline and blast radius of an incident. In addition, customers will have the ability to create custom alerts off of Verified Access logs to further scrutinize and monitor access to sensitive applications.

InsightIDR’s support for Verified Access is just the latest capability to come out of our never-ending dedication to support our customers as they adopt the newest cloud technologies. To learn more about how InsightIDR helps organizations using AWS, click here.

The BPF extensible scheduler class

2022-11-30

Post Syndicated from original https://lwn.net/Articles/916291/

It was only a matter of time before somebody found a way to inject BPF into
the CPU scheduler. This patch
series, posted by Tejun Heo and containing work by David Vernet, Josh
Don, and Barret Rhoden, does exactly that. The cover letter covers the
motivation behind this work in detail:

One of our main goals was to lower the barrier to entry for
experimenting with the scheduler. sched_ext provides ergonomic
callbacks and helpers to ease common operations such as managing
idle CPUs, scheduling tasks on arbitrary CPUs, handling preemptions
from other scheduling classes, and more. While sched_ext does
require some ramp-up, the complexity is self-contained, and the
learning curve gradual. Developers can ramp up by first
implementing simple policies such as global FIFO in only tens of
lines of code, and then continue to learn the APIs and building
blocks available with sched_ext as they build more featureful and
complex schedulers.

There is a bit more documentation in this
patch.

Security updates for Wednesday

2022-11-30

Post Syndicated from original https://lwn.net/Articles/916346/

Security updates have been issued by Debian (krb5), Fedora (galera, mariadb, and mingw-python3), Red Hat (389-ds:1.4, kernel, kernel-rt, kpatch-patch, krb5, and usbguard), Scientific Linux (krb5), Slackware (kernel), SUSE (binutils, dbus-1, exiv2, freerdp, git, java-1_8_0-ibm, kernel, libarchive, libdb-4_8, libmspack, nginx, opencc, python, python3, rxvt-unicode, sudo, supportutils, systemd, vim, and webkit2gtk3), and Ubuntu (bind9, gnutls28, libsamplerate, linux-gcp-5.4, perl, pixman, shadow, and sysstat).

The Presidents’ Mammoth Cheeses

2022-11-30 The History Guy: History Deserves to Be Remembered

Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=PAKICZREGQA

Кривият портрет на украинския бежанец

2022-11-30 Петър Георгиев

Post Syndicated from Петър Георгиев original https://toest.bg/kriviyat-portret-na-ukrainskiya-bezhanets/

Това не са бежанците, с които сме свикнали.

На 25 февруари, ден след като руската армия нахлу в Украйна, бившият министър-председател Кирил Петков се обърна към българския народ след извънредно заседание на Европейския съвет. В опита си да внесе яснота за изхода от конфликта Петков погрешно предрече, че съпротивата на Киев вероятно ще падне до дни. Междувременно само през първото денонощие от войната над 82 000 украинци вече търсеха спасение извън страната. А премиерът призова българите за гостоприемност в очакване на бежанската криза:

Това са европейци, интелигентни, образовани хора. Ние, както и всички други, сме готови да ги посрещнем. Това не е обичайната бежанска вълна от хора с неясно минало. Никоя от европейските страни не се притеснява от тях.

Вместо да стопли сърцата на българите, сравнението на Петков с мигрантите от Близкия изток му донесе обвинения в расизъм. И ако в първите седмици на войната страните от Централна и Източна Европа приветстваха бежанците с оптимизъм, то следващите месеци постепенно опровергаха втората неточна прогноза на Петков. Грижата за милионите новодошли предизвика разногласия между България и европейските ѝ партньори, а криворазбраната стратегия на четворната коалиция рязко промени публичния им образ. Някои украинци откриха кирка, забита в автомобила си, а други – бележка с обиди. През това време буря от фалшиви новини и дезинформация в социалните мрежи превърна търсещите закрила във врагове на обществото.

Митът за богатите украинци

Правителството на Петков отвърна на бежанската криза с програма за хуманитарна помощ в синхрон с Европейския съюз. Но подвеждащо изказване на тогавашната началничка на кабинета Лена Бориславова при представянето на мерките за социално подпомагане сложи началото на продължителна атака срещу властите. На брифинг през март Бориславова съобщи, че в рамките на три месеца на украински граждани ще се предоставя помощ „в размер на до 40 лв. на ден“. Тези средства не се раздаваха в брой на самите бежанци, а трябваше да осигурят тяхното изхранване и настаняване в хотели. Важната подробност обаче остана изгубена в превода. Журналисти се опитаха да поправят комуникационната грешка на правителството, но това не предотврати острата реакция на обществото.

За украинец – 1200 лв. на месец. За български пенсионер – 400 лв. Това заблуждаващо сравнение започна да очертава демоничния образ на разселените от войната. Бежанците наистина може да кандидатстват за помощ на стойност 375 лв., но тя е еднократна, и то на семейство, а не на човек. Публикации в интернет разпалиха несъществуващо противопоставяне между грижата за гражданите със статут на временна закрила и тази за бедните жители на България. Първата до голяма степен беше осигурена благодарение на средства от кохезионните фондове на ЕС, от които се възползваха и други европейски държави. Подкрепата за украинците не спира повишаването на пенсиите у нас.

Междувременно от началото на руската инвазия в Украйна се разпространяват слухове, че бежанците всъщност изобщо нямат нужда от подкрепа, защото масово карат скъпи автомобили, тъпчат с тях плажовете ни и даже не си плащат за гориво. В очите на обществото подобни единични примери неоснователно прераснаха в представителна извадка на десетките хиляди украинци у нас.

В несъответствие с първоначалния си призив за съпричастност, в края на май самият премиер Петков подхрани вече популярния образ на твърде обгрижвания бежанец, като се обяви против „луксозното пребиваване в България“. Думите му дойдоха в защита на бившата вицепремиерка по ефективно управление Калина Константинова, която беше разкритикувана за назидателния тон в противоречивото си видеообръщение предишния ден. Впоследствие Константинова се извини на бежанците, но този епизод затвърди пропастта между търсещите убежище и част от българското население.

Застрашеното българско общество

Освен като неудобна тежест, украинските бежанци многократно бяха обрисувани и като заплаха за обществото. Миналата седмица новината за въоръжен грабеж от инкасо автомобил окупира заглавията в пресата. Извършителите са управлявали коли с украински регистрационни табели. Въпреки че табелите се оказаха фалшиви, инцидентът беше използван, за да подсили тезата, че у нас тайно влизат престъпници, прикрити като бежанци.

Наративът за опасните мигранти от Украйна започна да набира скорост още през април с публикации като зле направения, но доста споделян колаж на измислено оскверняване на Паметника на свободата на Шипка. Вандалският стереотип обаче не изглежда толкова популярен в България, колкото в други държави от Централна и Източна Европа. Мащабно разследване на украинската медия „Детектор“ разкрива, че в социалните мрежи на 11 страни бежанците най-често са обвинявани в корупция, неблагодарност и дестабилизиране на обществото.

През април полското издание за проверка на факти „Демагог“ публикува задълбочен анализ на основните типове дезинформация в Полша, Словакия, Унгария и Румъния. Тези държави са приели общо над 1,7 млн. бежанци. В анализа централно място заемат примери за фалшиви новини от Полша и Унгария за агресивни украинци, които нападат местното население и повишават нивата на насилие. Проучването на „Демагог“ показва, че източници на подобни слухове основно са анонимни потребители в Twitter, сайтове с псевдонаучно съдържание, крайнодесни политици или профили, имитиращи реални личности. Чрез тях в полското интернет пространство се разпространяват и разкази за предполагаеми случаи на кражби или изнасилвания, извършени от мигранти от Африка или Близкия изток, пресекли границата с Украйна. Междувременно украинският народ често е представян и като враждебен спрямо малцинства.

Според анализ на Factcheck.bg над един милион потребители в България вероятно са попаднали на неверни твърдения, че българите в Украйна са системно тормозени и дори убивани. Антимигрантската реторика обаче не се изчерпва със заплахата от насилие. Като продължение на дезинформационната вълна от времето на пандемията сред потребители във Facebook и в сайтове с неясна собственост се заговори за наплив от ХИВ-позитивни украински бежанци. Тази теория беше отречена от Factcheck.bg и БНР. Общественото радио изобличи и друго невярно твърдение в сферата на здравеопазването, а именно че Специализираната болница в Панчарево е спряла животоспасяващи рехабилитации, за да настани украинци.

Опасен чар

Атмосферата на безпокойство от бежанския наплив у нас беше подплатена и с митове за покваряващото влияние на неустоимата украинска красота. Седмици преди началото на летния сезон мрежата се напълни с предупреждения за млади разкрепостени украинки, които предлагат „масаж с освобождаване“ по Черноморието. Статията е публикувана в Lupa.bg и препечатана в други сайтове, търсещи сензация, като Bradva.bg и Skafeto.com. В нея няма нито един конкретен източник или легитимни данни. Анализ с платформата Crowdtangle показва, че над половин милион потребители във Facebook са попаднали на този текст.

Друг материал в сайта „Флагман“ предупреждава, че „горещите украинки“ са подбили цените на българските еротични танцьорки в Слънчев бряг. Статията се позовава на разказ на анонимно „разгневено момиче от балет на водеща дискотека по морето“. Този текст също намира място и в други медии с подобен профил, като например сайта „Втори фронт“. Двете публикации са генерирали общо почти 10 000 реакции във Facebook. Страховете на българските жени пък бяха разпалени от статия на вестник „Стандарт“, че родните ергени са „пощурели по украинките“. Публикацията се позовава на „статистиката на сключените граждански бракове с украински граждани у нас от началото на войната“. В същото време цитираната статистика в самата статия не дава категорични доказателства в подкрепа на тази теория.

Разследване на киевската медия „Детектор“ показва, че стереотипът за украинските сексуални работнички също изобщо не се ограничава до България, а се превръща в основа на дезинформационни кампании в Централна и Източна Европа. Според изданието проруски източници се опитват да дискредитират украинските бежанки, като твърдят, че масово предават полови болести и се интересуват само от пари.

Кампания за очерняне на украински жени имаше и в Полша. В чат приложението Signal някои потребители получиха линк към статия, която предупреждава, че повечето бежанки са „в детеродна възраст“ и ще бъдат щастливи да получат „постоянен статут на полски съпруги“. Митът за крадящите мъже украинки беше подсилен от история за британец, напуснал семейството си заради млада жена, избягала от Лвов. Разказ на полски за тази афера предизвика хиляди реакции във Facebook.

В сянката на войната

Разнообразието от слухове и конспиративни теории за злите намерения на бежанците не спря множеството граждански инициативи за подкрепа на пострадалите от войната на Русия в Украйна. Доброволци съдействаха на търсещи закрила да намерят работа и събираха средства за медицинска помощ. Но съпричастността може да отстъпи на агресията в дългосрочен план под натиска на продължаващата война и вълната от дезинформация.

В по-широк план насаждането на омраза срещу украинските бежанци е още един инструмент за оправдаване на руската агресия и за влияние върху обществените нагласи в България спрямо инвазията на Владимир Путин в Украйна. Медии и публични фигури насърчават умишленото демонизиране на бежанците с цел да ограничат подкрепата за Киев, а предстоящият скъп отоплителен сезон допълнително подхранва опитите за характеризиране на украинските граждани като нацисти, терористи или неблагодарни гости. В ситуация на продължаваща политическа криза с неясен изход потърсилите убежище в България може да се окажат жертви не само на войната, но и на борбата за власт.

Заглавна илюстрация: © Пеню Кирацов

„Тоест“ е официален партньор за публикуването на материалите от поредицата „Хроники на инфодемията“, реализирана от АЕЖ-България съвместно с Фондация „Фридрих Науман“.

Източник

Кривият портрет на украинския бежанец

2022-11-30 Петър Георгиев

Post Syndicated from Петър Георгиев original https://www.toest.bg/kriviyat-portret-na-ukrainskiya-bezhanets/

Това не са бежанците, с които сме свикнали.

Кривият портрет на украинския бежанец

Това са европейци, интелигентни, образовани хора. Ние, както и всички други, сме готови да ги посрещнем. Това не е обичайната бежанска вълна от хора с неясно минало. Никоя от европейските страни не се притеснява от тях.

Митът за богатите украинци

Застрашеното българско общество

Опасен чар

В сянката на войната

Заглавна илюстрация: © Пеню Кирацов

Кривият портрет на украинския бежанец

2022-11-30 Петър Георгиев

Post Syndicated from Петър Георгиев original https://www.toest.bg/kriviyat-portret-na-ukrainskiya-bezhanets/

Това не са бежанците, с които сме свикнали.

Кривият портрет на украинския бежанец

Това са европейци, интелигентни, образовани хора. Ние, както и всички други, сме готови да ги посрещнем. Това не е обичайната бежанска вълна от хора с неясно минало. Никоя от европейските страни не се притеснява от тях.

Митът за богатите украинци

Застрашеното българско общество

Опасен чар

В сянката на войната

Заглавна илюстрация: © Пеню Кирацов

768 teams of young people have entered Astro Pi Mission Space Lab 2022/23

2022-11-30 Sam Duffy

Post Syndicated from Sam Duffy original https://www.raspberrypi.org/blog/768-teams-entered-astro-pi-mission-space-lab-2022-23/

This year, 768 teams made up of 3086 young people from 23 countries sent us their ideas for experiments to run on board the International Space Station (ISS) for Astro Pi Mission Space Lab.

Mission Space Lab is part of the European Astro Pi Challenge, an ESA Education programme run in collaboration with us at the Raspberry Pi Foundation. Mission Space Lab teams can choose between ‘Life on Earth’ and ‘Life in space’ for their experiment idea. As in previous years, ‘Life on Earth’ was the most popular experiment theme: three quarters of the teams chose to submit an idea with this theme, for experiments using one of the Astro Pi’s High Quality Cameras. Half of these experiments involved using the near-infrared sensitive camera to investigate topics such as deforestation. Across both themes, over 40% of teams expressed an interest in using machine learning in their experiment.

Mission Space Lab teams are now getting ready to write and test their code

A panel of 25 judges from the Raspberry Pi Foundation and ESA Education assessed the submitted ideas. We are restricted in how many teams we can accommodate, as time to run experiments on board the ISS is limited, especially for ‘Life on Earth’ experiments which need time in a nadir window. The standard of the submitted ideas was higher than ever, making this the toughest judging yet. We are delighted to announce that 486 teams will move on to Phase 2 of Mission Space Lab: writing the code for their experiments.

An Astro Pi unit at a window on board the International Space Station. — A Mark II Astro Pi in the NODE window on the ISS. Credit: ESA/NASA

If your experiment idea was unsuccessful this time, we understand that this will be disappointing news for your team. We encourage them to submit a new experiment idea in next year’s Mission Space Lab. We will let you know when Mission Space Lab 23/24 will be launching.

All the teams whose experiment ideas we’ve selected will receive a special Astro Pi hardware kit, customised to their idea, to help them write and test the Python programs to execute their experiments. Once the teams of young people have received their kits, they can familiarise themselves with the Astro Pi hardware and then create and test (and re-test!) their programs.

Young people’s Mission Space Lab code will run in space next year

The deadline for Mission Space Lab teams to submit the code for their experiments to us is Thursday 24 February 2023. Once their program code has been through our rigorous checks and tests, it will be ready to run on the Astro Pis on board the ISS during April/May 2023.

Astro Pi computers on the ISS. — The Mark I and Mark II Astro Pi computers on board the ISS earlier this year. Credit: ESA/NASA

Congratulations to the successful teams, and thank you to everyone who sent us their ideas for Mission Space Lab this year. And a special thank you to all the teachers, educators, club volunteers, and other wonderful people who are acting as mentors for Mission Space Lab teams. You are helping your young people do something remarkable that they will remember for the rest of their lives, and the Astro Pi Challenge would not happen without you.

Welcome back, Ed and Izzy!

Every year since 2015, thanks to our annual Astro Pi Challenge, teams of young people have written computer programs to run scientific experiments on two Astro Pi computers on the ISS.

Mark I Astro Pi computers Ed and Izzy back on Earth on a desk, after 5 years on board the International Space Station. — Mark I Astro Pi computers Ed and Izzy back on Earth after five years on board the International Space Station. Credit: ESA

This is the second year that experiments will run on the Mark II Astro Pi computers, named after Nikola Tesla and Marie Curie, but lots of people have been wondering what would happen to their predecessors. After running over 50,000 young people’s computer programs, the Mark I Astro Pi computers, Ed and Izzy, have safely returned to Earth for a well-earned rest.

Young people can take part in Astro Pi Mission Zero

Astro Pi Mission Zero is a one-hour beginners’ programming activity. In Mission Zero, young people, in teams or as individuals, write a program to display an image or series of images of their own design on one of the Astro Pi computers, to remind the astronauts on the ISS of home.

Samantha Cristoforetti. — ESA astronaut Samantha Cristoforetti with an Astro Pi computer. Credit: ESA/NASA

In their Mission Zero programs, young people get to use a reading from the Astro Pi’s colour and luminosity sensor to set the colour of their image background. Young people up to age 19 from eligible countries can take part in Mission Zero 2022/23 until 17 March. Visit the Astro Pi website for more details.

I want to get involved in Mission Zero

The post 768 teams of young people have entered Astro Pi Mission Space Lab 2022/23 appeared first on Raspberry Pi.

Weather Sealing my Camera for Iceland

2022-11-30 Matt Granger

Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=cacxnqX-_4I

Adjusting pricing, introducing annual plans, and accelerating innovation

2022-11-30 Matthew Prince

Post Syndicated from Matthew Prince original https://blog.cloudflare.com/adjusting-pricing-introducing-annual-plans-and-accelerating-innovation/

Adjusting pricing, introducing annual plans, and accelerating innovation

This post is also available in 繁體中文, 简体中文, 日本語, 한국어, Deutsch, Français, Pусский, Español, Português.

Cloudflare is raising prices for the first time in the last 12 years. Beginning January 15, 2023, new sign ups will be charged \$25 per month for our Pro Plan (up from \$20 per month) and \$250 per month for our Business Plan (up from \$200 per month). Any paying customers who sign up before January 15, 2023, including any currently paying customers who signed up at any point over the last 12 years, will be grandfathered at the old monthly price until May 14, 2023.

We are also introducing an option to pay annually, rather than monthly, that we hope most customers will choose to switch to. Annual plans are available today and discounted from the new monthly rate to \$240 per year for the Pro Plan (the equivalent of \$20 per month, saving \$60 per year) and \$2,400 per year for the Business Plan (the equivalent of \$200 per month, saving \$600 per year). In other words, if you choose to pay annually for Cloudflare you can lock in our old monthly prices.

After not raising prices in our history, this was something we thought carefully about before deciding to do. While we have over a decade of network expansion and innovation under our belts, what may not be intuitive is that our goal is not to increase revenue from this change. We need to invest up front in building out our network, and the main reason we’re making this change is to more closely map our business with the timing of our underlying costs. Doing so will enable us to further accelerate our network expansion and pace of innovation — which all of our customers will benefit from. Since this is a big change for us, I wanted to take the time to walk through how we came to this decision.

Cloudflare’s history

Cloudflare launched on September 27, 2010. At the time we had two plans: one Free Plan that was free, and a Pro Plan that cost $20 per month. Our network at the time consisted of “four and a half” data centers: Chicago, Illinois; Ashburn, Virginia; San Jose, California; Amsterdam, Netherlands; and Tokyo, Japan. The routing to Tokyo was so flaky that we’d turn it off for half the day to not mess up routing around the rest of the world. The biggest difference for the first couple years between our Free and Pro Plans was that only the latter included HTTPS support.

In June 2012, we introduced our Business Plan for $200 per month and our Enterprise Plan which was customized for our largest customers. By then we’d not only gotten Tokyo to work reliably but added 18 more data centers around the world for a total of 23. Our Business plan added DDoS mitigation as the primary benefit, something prior to then we’d been terrified to offer.

My how you’ve grown

Fast-forward to today and a lot has changed. We’re up to presence in more than 275 cities in more than 100 countries worldwide. We included HTTPS support in our Free Plan with the launch of Universal SSL in September 2014. We included unlimited DDoS mitigation in our Free Plan with the launch of Unmetered DDoS Mitigation in September 2017. Today, we stop attacks for Free Plan customers on a daily basis that are more than 10-times as big as what was headline news back in 2013.

Our strategy has always been to roll features out, limit them at first to higher tiers of paying customers, but, over time, roll them down through our plans and eventually to even our Free Plan customers. We believe everyone should be fast, reliable, and secure online regardless of their budget. And we believe our continued success should be primarily driven by new innovation, not by milking old features for revenue.

And we’ve delivered on that promise, accelerating our roll out of new features across our platform and bundling them into our existing plans without increasing prices. What you get for our Free, Pro, and Business Plans today is orders of magnitude more valuable across every dimension — performance, reliability, and security — than those plans were when they launched.

And yet we know we are our customers’ infrastructure. You rely on us. And therefore we have been very reluctant to ever raise prices just to take price and capture more revenue.

Annual plans for even faster innovation

Early on, we only charged monthly because we were an unproven service we knew customers were taking a risk on. Today, that’s no longer the case. The majority of our customers have been using us for years and, from our conversations with them, plan to continue using us for the foreseeable future. In fact, one of the top requests we receive is from customers who want to pay once per year rather than getting billed every month.

While I’m proud of our pace of innovation, one of the challenges we have is managing the cash flow to fund those investments as quickly as we’d like. We invest up front in building out our network or developing a new feature, but then only get paid monthly by our customers. That, inherently, is a governor on our pace of innovation. We can invest even faster — hire more engineers, deploy more servers — if those customers who know they’re going to use us for the next year pay for us up front. We have no shortage of things we know customers want us to build, so by collecting revenue earlier we know we can unlock even faster innovation.

In other words, we are making this change hoping most of you won’t pay us anything more than you did before. Instead, our hope is that most of you will adopt our annual plans — you’ll get to lock in the existing pricing, and you’ll help us further accelerate our network growth and pace of innovation.

Finally, I wanted to mention that something isn’t changing: our Free Plan. It will still be free. It will still have all the features it has today. And we’re still committed to, over time, rolling many more features that are only available in paid plans today down to the Free Plan over time. Our mission is to help build a better Internet. We want to win by being the most innovative company in the world. And that means making our services available to as many people as possible, even those who can’t afford to pay us right now.

But, for those of you who can pay: thank you. You’ve funded our innovation to date. And I hope you’ll opt to switch to our annual billing, so we can further accelerate our network expansion and pace of innovation.

Spacetime Soccer

2022-11-30

Post Syndicated from original https://xkcd.com/2705/

Spacetime Soccer, known outside the United States as '4D Football' is a now-defunct sport. Infamous for referee decisions hinging on inconsistent definitions of simultaneity, it is also known for the disappearance of many top players during... [more]

AWS Verified Access Preview — VPN-less Secure Network Access to Corporate Applications

2022-11-30 Sébastien Stormacq

Post Syndicated from Sébastien Stormacq original https://aws.amazon.com/blogs/aws/aws-verified-access-preview-vpn-less-secure-network-access-to-corporate-applications/

Today, we announced the preview of AWS Verified Access, a new secure connectivity service that allows enterprises to enable local or remote secure access for their corporate applications without requiring a VPN.

Traditionally, remote access to applications when on the road or working from home is granted by a VPN. Once the remote workforce is authenticated on the VPN, they have access to a broad range of applications depending on multiple policies defined in siloed systems, such as the VPN gateway, the firewalls, the identity provider, the enterprise device management solution, etc. These policies are typically managed by different teams, potentially creating overlaps, making it difficult to diagnose application access issues. Internal applications often rely on older authentication protocols, like Kerberos, that were built with the LAN in mind, instead of modern protocols, like OIDC, that are better tuned to modern enterprise patterns. Customers told us that policy updates can take months to roll out.

Verified Access is built using the AWS Zero Trust security principles. Zero Trust is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters.

Verified Access improves your organization’s security posture by leveraging multiple security inputs to grant access to applications. It grants access to applications only when users and their devices meet the specified security requirements. Examples of inputs are the user identity and role or the device security posture, among others. Verified Access validates each application request, regardless of user or network, before granting access. Having each application access request evaluated allows Verified Access to adapt the security posture based on changing conditions. For example, if the device security signals that your device posture is out of compliance, then Verified Access will not allow you to access the application anymore.

In my opinion, there are three main benefits when adopting Verified Access:

It is easy to use for IT administrators. As an IT Administrator, you can now easily set up applications for secure remote access. It provides a single configuration point to manage and enforce a multisystem security policy to allow or deny access to your corporate applications.

It provides an open ecosystem that allows you to retain your existing identity provider and device management system. I listed all our partners at the end of this post.

It is easy to use for end users. This is my preferred one. Your workforce is not required to use a VPN client anymore. A simple browser plugin is enough to securely grant access when the user and the device are identified and verified. As of today, we support Chrome and Firefox web browsers. This is something about which I can share my personal experience. Amazon adopted a VPN-less strategy a few years ago. It’s been a relief for my colleagues and me to be able to access most of our internal web applications without having to start a VPN client and keep it connected all day long.

Let’s See It in Action
I deployed a web server in a private VPC and exposed it to my end users through a private application load balancer (https://demo.seb.go-aws.com). I created a TLS certificate for the application external endpoint (secured.seb.go-aws.com). I also set up AWS Identity Center (successor of AWS SSO). In this demo, I will use it as a source for user identities. Now I am ready to expose this application to my remote workforce.

Creating a Verified Access endpoint is a four-step process. To get started, I navigate to the VPC page of the AWS Management Console. I first create the trust provider. A trust provider maintains and manages identity information for users and devices. When an application request is made, the identity information sent by the trust provider will be evaluated by Verified Access before allowing or denying the application request. I select Verified Access trust provider on the left-side navigation pane.

On the Create Verified Access trust provider page, I enter a Name and an optional Description. I enter the Policy reference name, an identifier that will be used when working with policy rules. I select the source of trust: User trust provider. For this demo, I select IAM Identity Center as the source of trust for user identities. Verified Access also works with other OpenID Connect-compliant providers. Finally, I select Create Verified Access trust provider.

I may repeat the operation when I have multiple trust providers. For example, I might have an identity-based trust provider to verify the identity of my end users and a device-based trust provider to verify the security posture of their devices.

I then create the Verified Identity instance. A Verified Access instance is a Regional AWS entity that evaluates application requests and grants access only when your security requirements are met.

On the Create Verified Access instance page, I enter a Name and an optional Description. I select the trust provider I just created. I can add additional trust provider types once the Verified Access instance is created.

Third, I create a Verified Access group.

A Verified Access group is a collection of applications that have similar security requirements. Each application within a Verified Access group shares a group-level policy. For example, you can group together all applications for “finance” users and use one common policy. This simplifies your policy management. You can use a single policy for a group of applications with similar access needs.

On the Create Verified Access group page, I enter a Name only. I will enter a policy at a later stage.

The fourth and last step before testing my setup is to create the endpoint.

A Verified Access endpoint is a regional resource that specifies the application that Verified Access will be providing access to. This is where your end users connect to. Each endpoint has its own DNS name and TLS certificate. After having evaluated incoming requests, the endpoint forwards authorized requests to your internal application, either an internal load balancer or a network interface. Verified Access supports network-level and application-level load balancers.

On the Create Verified Access endpoint page, I enter a Name and Description. I reference the Verified Access group that I just created.

In the Application details section, under Application domain, I enter the DNS name end users will use to access the application. For this demo, I use secured.seb.go-aws.com. Under Domain certificate ARN, I select a TLS certificate matching the DNS name. I created the certificate using AWS Certificate Manager.

On the Endpoint details section, I select VPC as Attachment type. I select one or multiple Security groups to attach to this endpoint. I enter awsnewsblog as Endpoint domain prefix. I select load balancer as Endpoint type. I select the Protocol (HTTP), then I enter the Port (80). I select the Load balancer ARN and the private Subnets where my load balancer is deployed.

Again, I leave the Policy details section empty. I will define a policy in the group instead. When I am done, I select Create Verified Access endpoint. It might take a few minutes to create.

Now it is time to grab a coffee and stretch my legs. When I return, I see the Verified Access endpoint is Active. I copy the Endpoint domain and add it as a CNAME record to my application DNS name (secured.seb.go-aws.com). I use Amazon Route 53 for this, but you can use your existing DNS server as well.

Then, I point my favorite browser to https://secured.seb.go-aws.com. The browser is redirected to IAM Identity Center (formerly AWS SSO). I enter the username and password of my test user. I am not adding a screenshot for this. After the redirection, I receive the error message : Unauthorized. This is expected because there is no policy defined on the Verified Access endpoint. It denies every request by default.

On the Verified Access groups page, I select the Policy tab. Then I select the Modify Verified Access endpoint policy button to create an access policy.

I enter a policy allowing anybody authenticated and having an email address ending with @amazon.com. This is the email address I used for the user defined in AWS Identity Center. Note that the name after context is the name I entered as Policy reference name when I created the Verified Access trust provider. The documentation page has the details of the policy syntax, the attributes, and the operators I can use.

permit(principal, action, resource)
when {
    context.awsnewsblog.user.email.address like "*@amazon.com"
};

After a few minutes, Verified Access updates the policy and becomes Active again. I force my browser to refresh, and I see the internal application now available to my authenticated user.

Pricing and Availability

AWS Verified Access is now available in preview in 10 AWS Regions: US East (Ohio, N. Virginia), US West (N. California, Oregon), Asia Pacific (Sydney), Canada (Central), Europe (Ireland, London, Paris), and South America (São Paulo).

As usual, pricing is based on your usage. There is no upfront or fixed price. We charge per application (Verified Access endpoint) per hour, with tiers depending on the number of applications. Prices start in US East (N. Virginia) Region at $0.27 per verified Access endpoint and per hour. This price goes down to $0.20 per endpoint per hour when you have more than 200 applications.

On top of this, there is a charge of $0.02 per GB for data processed by Verified Access. You also incur standard AWS data transfer charges for all data transferred using Verified Access.

This billing model makes it easy to start small and then grow at your own pace.

Go and configure your first Verified Access access point today.

— seb

New – Announcing Automated Data Preparation for Amazon QuickSight Q

2022-11-30 Veliswa Boya

Post Syndicated from Veliswa Boya original https://aws.amazon.com/blogs/aws/new-announcing-automated-data-preparation-for-amazon-quicksight-q/

In this post that was published in September 2021, Jeff Barr announced general availability of Amazon QuickSight Q. To recap, Amazon QuickSight Q is a natural language query capability that lets business users ask simple questions of their data.

QuickSight Q is powered by machine learning (ML), providing self-service analytics by allowing you to query your data using plain language and therefore eliminating the need to fiddle with dashboards, controls, and calculations. With last year’s announcement of QuickSight Q, you can ask simple questions like “who had the highest sales in EMEA in 2021” and get your answers (with relevant visualizations like graphs, maps, or tables) in seconds.

Data used for analytics is often stored in a data warehouse like Amazon Redshift, and these unfortunately tend to be optimized for programmatic access via SQL rather than for natural language interaction. Furthermore, BI teams, understandably, tend to optimize data sources for consumption by dashboard authors, BI engineers, and other data teams, therefore using technical naming conventions that are optimized for dashboards (for example, “CUST_ID” instead of “Customer”) and SQL queries. These technical naming conventions are not intuitive to be used by business users.
To solve this, BI teams spend hours manually translating technical names into commonly used business language names to prepare the data for natural language questions.

Today, I’m excited to announce automated data preparation for Amazon QuickSight Q. Automated data preparation utilizes machine learning to infer semantic information about data and adds it to datasets as metadata about the columns (fields), making it faster for you to prepare data in order to support natural language questions.

A Quick Overview of Topics in QuickSight Q
Topics became available with the introduction of QuickSight Q. Topics are a collection of one or more datasets that represent a subject area that your business users can ask questions about. Looking at the example mentioned earlier (“who had the highest sales in EMEA in 2021”), one or more datasets (for example, a Sales/Regional Sales dataset) would be selected during the creation of this Topic.

As the author, once the Topic is created:

You would spend time selecting the most relevant columns from the dataset to add to the Topic (for example, excluding time_stamp, date_stamp columns, etc.). This can be challenging because without visibility to usage data of columns in dashboards and reports, you can find it hard to objectively decide which columns are most relevant to your business users to include in a Topic.
You would then spend hours reviewing the data and manually curating it to set configurations that are specific to natural language (for example, add “Area” as a synonym for the “Region” column).
Lastly, you would spend time formatting the data in order to ensure that it is more useful when presented.
QuickSight Q Topic

How Does Automated Data Preparation for Amazon QuickSight Q Work?
Creating from Analysis: The new automated data preparation for Amazon QuickSight Q saves time by enabling the capability to create a Topic from analysis and therefore saving you the hours that you would spend doing all the translation by automatically choosing user-friendly names and synonyms based on ML-trained models that seek to find synonyms and common terms for the data field in question. Moreover, instead of you selecting the most relevant columns, automated data preparation for Amazon QuickSight Q automatically selects high-value columns based on how they are used in the analysis. It then binds the Topic to this existing analysis’ dataset and prepares an index of unique string values within the data to enable natural language search.

Automated Field Selection and Classification: I mentioned earlier that automated data preparation for Amazon QuickSight Q selects high value columns, but how does it know which columns are high-value? Automated data preparation for Amazon QuickSight Q automates column selection based on signals from existing QuickSight assets, such as reports or dashboards, to help you create a Topic that is relevant to your business users. In addition to selecting high-value fields from a dataset, automated data preparation for Amazon QuickSight Q also imports new calculated fields that the author has created in the analysis, thereby not requiring them to recreate these in a Topic.

Automated Language Settings: At the beginning of this article, I talked about technical naming conventions that are not intuitive for business users. Now, instead of you spending time translating these technical names, column names are automatically updated with friendly names and synonyms using common terms. Looking at our Sales dataset example, CUST_ID has been assigned a friendly name, “Customer”, and a number of synonyms. Synonyms will now be added automatically to columns (with the option to customize further) to support a wide vocabulary that may be relevant to your business users.

Friendly Names & Synonyms for Columns

Automated Metadata Settings: Automated data preparation for Amazon QuickSight Q detects Semantic Type of a column based on the column values and updates the corresponding configuration automatically. Formats for values will now be set to be used if a particular column is presented in the answer. These formats are derived from formats that you may have defined in an analysis.

Semantic Type Settings

Available Today
Automated Data Preparation for Amazon QuickSight Q is available today in all AWS Regions where QuickSight Q is available. To learn more, visit the Amazon QuickSight Q page. Join the QuickSight Community to ask, answer, and learn with others in the QuickSight Community.

– Veliswa x

Introducing VPC Lattice – Simplify Networking for Service-to-Service Communication (Preview)

2022-11-30 Danilo Poccia

Post Syndicated from Danilo Poccia original https://aws.amazon.com/blogs/aws/introducing-vpc-lattice-simplify-networking-for-service-to-service-communication-preview/

Modern applications are built using modular and distributed components. Each component is a service that implements its own subset of functionalities. To make these services communicate with each other, you need a way to let them discover where they are, authorize access, and route traffic. When troubleshooting issues, you need to keep communication configurations under control so that you can quickly understand what is happening at the application, service, and network levels. This can take a lot of your time.

Today, we are making available in preview Amazon VPC Lattice, a new capability of Amazon Virtual Private Cloud (Amazon VPC) that gives you a consistent way to connect, secure, and monitor communication between your services. With VPC Lattice, you can define policies for traffic management, network access, and monitoring so you can connect applications in a simple and consistent way across AWS compute services (instances, containers, and serverless functions). VPC Lattice automatically handles network connectivity between VPCs and accounts and network address translation between IPv4, IPv6, and overlapping IP addresses. VPC Lattice integrates with AWS Identity and Access Management (IAM) to give you the same authentication and authorization capabilities you are familiar with when interacting with AWS services today, but for your own service-to-service communication. With VPC Lattice, you have common controls to route traffic based on request characteristics and weighted routing for blue/green and canary-style deployments. For example, VPC Lattice allows you to mix and match compute types for a given service, which helps you modernize a monolith application architecture to microservices.

VPC Lattice is designed to be noninvasive, allowing teams across your organization to incrementally opt in over time. In this way, you are able to deliver applications faster by focusing on your application logic, while VPC Lattice handles service-to-service networking, security, and monitoring requirements.

How Amazon VPC Lattice Works
With VPC Lattice, you create a logical application layer network, called a service network, that connects clients and services across different VPCs and accounts, abstracting network complexity. A service network is a logical boundary that is used to automatically implement service discovery and connectivity as well as apply access and observability policies to a collection of services. It offers inter-application connectivity over HTTP/HTTPS and gRPC protocols within a VPC.

Once a VPC has been enabled for a service network, clients in the VPC will automatically be able to discover the services in the service network through DNS and will direct all inter-application traffic through VPC Lattice. You can use AWS Resource Access Manager (RAM) to control which accounts, VPCs, and applications can establish communication via VPC Lattice.

A service is an independently deployable unit of software that delivers a specific task or function. In VPC Lattice, a service is a logical component that can live in any VPC or account and can run on a mixture of compute types (virtual machines, containers, and serverless functions). A service configuration consists of:

One or two listeners that define the port and protocol that the service is expecting traffic on. Supported protocols are HTTP/1.1, HTTP/2, and gRPC, including HTTPS for TLS-enabled services.
Listeners have rules that consist of a priority, which specifies the order in which rules should be processed, one or more conditions that define when to apply the rule, and actions that forward traffic to target groups. Each listener has a default rule that takes effect when no additional rules are configured, or no conditions are met.
A target group is a collection of targets, or compute resources, that are running a specific workload you are trying to route toward. Targets can be Amazon Elastic Compute Cloud (Amazon EC2) instances, IP addresses, and Lambda functions. For Kubernetes workloads, VPC Lattice can target services and pods via the AWS Gateway Controller for Kubernetes. To have access to the AWS Gateway Controller for Kubernetes, you can join the preview.

To configure service access controls, you can use access policies. An access policy is an IAM resource policy that can be associated with a service network and individual services. With access policies, you can use the “PARC” (principal, action, resource, and condition) model to enforce context-specific access controls for services. For example, you can use an access policy to define which services can access a service you own. If you use AWS Organizations, you can limit access to a service network to a specific organization.

VPC Lattice also provides a service directory, a centralized view of the services that you own or have been shared with you via AWS RAM.

Using Amazon VPC Lattice
We expect people with different roles can use VPC Lattice. For example:

The service network administrator can:
- Create and manage a service network.
- Define access and monitoring for the service network.
- Associate client and services.
- Share the service network with other AWS accounts.
The service owner can:
- Create and manage a service, including access and monitoring.
- Define routing, for example, configuring listeners and rules that point to the target groups where the service is running.
- Associate a service to service networks.

Let’s see how this works in practice. In this quick walkthrough, I am covering both roles.

Creating Two Backend Services
There is nothing specific to VPC Lattice in this section. I am just creating a couple of services, one running on Amazon EC2 and one on AWS Lambda, that I’ll use later when I configure networking with VPC Lattice.

In an Amazon Linux EC2 instance, I create a web app that replies “Hello from the instance” to HTTP requests. To allow access to the instance from clients coming via VPC Lattice, I add an inbound rule to the security group to allow TCP traffic on port 8080 from the VPC Lattice AWS-managed prefix list.

Here’s the app.py file. I am using Python and Flask for this app, but you don’t need to know them to follow along with the post.

from flask import Flask

app = Flask(__name__)

@app.route('/')
def index():
  return 'Hello from the instance'

@app.route('/<path>')
def somePath(path):
  return 'Hello from the instance at path "{}"'.format(path)

app.run(host='0.0.0.0', port=8080)

Here’s the requirements.txt file with the Python dependencies. There’s only one line because the only module I need is flask:

flask

I install the dependencies:

pip3 install -r requirements.txt

Then, I start the web app using the nohup command to keep it running in case I log out of the instance:

nohup flask run --host=0.0.0.0 --port 8080 &

On the EC2 instance, the web service is now listening to HTTP traffic on port 8080.

In the Lambda console, I create a simple function using the Node.js 18.x runtime that replies “Hello from the function” to all invocations.

exports.handler = async (event) => {
    const response = {
        statusCode: 200,
        body: JSON.stringify('Hello from the function'),
    };
    return response;
};

The two services are now both ready. Let’s use VPC Lattice to configure networking.

Creating VPC Lattice Target Groups
I start by creating two target groups, one for the EC2 instance and one for the Lambda function. In the VPC console, there is a new VPC Lattice section in the navigation pane. There, I choose Target groups and then Create target group.

For the first target group, I choose the Instances target type and enter a name.

I choose the protocol (HTTP) and port (8080) used by the web app running on the instance. I select the VPC where the instance is running and the protocol version (HTTP1).

Now I can configure the health check that will be used to test the target status. In this case, I use the default values proposed by the console.

In the next step, I can register the targets. I select the instance on which the web app is running from the list and choose to include it.

I review the selected targets (one instance in this case) and choose Submit.

In a similar way, I create a target group for the Lambda function. This time, I select the function from the list. I can choose which function version or function alias to use. For simplicity, I use the $LATEST version.

Creating VPC Lattice Services
Now that the target groups are ready, I choose Services in the navigation pane and then Create service. I enter a name and a description.

Now, I can choose the authentication type. If I choose None, the service network does not authenticate or authorize client access, and the auth policy, if present, is not used. I select AWS IAM and then, from the Apply policy template dropdown, the template that allows both authenticated and unauthenticated access.

In the Monitoring section, I turn on Access logs. As the destination for the access logs, I use an Amazon CloudWatch Log group that I created before. I also have the option to use an Amazon Simple Storage Service (Amazon S3) bucket or a Amazon Kinesis Data Firehose delivery stream.

In the next step, I define routing for the service. I choose Add listener. For the protocol, I configure the service to listen using HTTPS. In the default action, I choose to send two-thirds (Weight 20) of the requests to the instance target group and one-third (Weight 10) to the function target group.

Then, I add two additional rules. The first rule (Priority 10) sends all requests where the path is /to-instance to the instance target group.

The second rule (Priority 20) sends all traffic where the path is /to-function to the function target group.

In the next step, I am asked to associate the service with one or more service networks. I didn’t create a service network yet, so I skip this step for now and choose Next. I review the configuration and create the service.

Creating VPC Lattice Service Networks
Now, I create the service network so that I can associate the service and the VPCs I want to use. I choose Service network from the navigation pane and then Create service network. I enter a name and a description for the service network.

In the Associate services, I select the service I just created.

In the VPC associations, I select the VPC used by the instance where the web app runs. This can help in the future because it allows the web app to call other services associated with the service network.

Then, I select a second VPC where I have another EC2 instance that I want to use to run some tests.

For simplicity, in the Access section, I select the None auth type.

In the Monitoring section, I choose to send the access logs for the whole service network to an S3 bucket.

I review the summary of the configuration and create the service network. After a few seconds all service and VPC associations are active, and I can start using the service.

I write down the domain name of the service from the list of service associations.

Testing Access to the Service Using VPC Lattice
I look at the Routing tab of the service to find a nice recap of how the listener is handling routing towards the different target groups.

Then, I log into the EC2 instance in my second VPC and use curl to call the service domain name. As expected, I get about two-thirds of the responses from the instance and one-third from the function.

curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws
Hello from the instance

curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws
Hello from the instance

curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws
"Hello from the function"

When I call the /to-instance and /to-function paths, the additional rules forward the requests to the instance and the function, respectively.

curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws/to-instance
Hello from the instance "to-instance" path

curl https://my-service-03e92ee54968d87ca.7d67968.vpc-lattice-svcs.us-west-2.on.aws/to-function
"Hello from the function"

I can now review access to my service using the access log subscriptions I configured before.

For the service, I look in the CloudWatch Log group. There, I find a log stream containing detailed access information about the service.

The access log for all services associated with the service network is on the S3 bucket. I have only one service for now, but more are coming.

Available in Preview
Amazon VPC Lattice is available in preview in the US West (Oregon) Region.

VPC Lattice provides deployment consistency across AWS compute types so that you can connect your services across instances, containers, and serverless functions. You can use VPC Lattice to apply granular and rich traffic controls, such as policy-based routing and weighted targets to support blue/green and canary-style deployments.

VPC Lattice allows monitoring and troubleshooting service-to-service communication with detailed access logs and metrics that capture request type, volume of traffic, error rates, response time, and more. In this blog post, I only scratched the surface of what you can do with VPC Lattice.

Simplify the way you connect, secure, and monitor service-to-service communication with Amazon VPC Lattice.

Introducing new AWS Serverless digital learning badges

2022-11-30 James Beswick

Post Syndicated from James Beswick original https://aws.amazon.com/blogs/compute/introducing-new-aws-serverless-digital-learning-badges/

This post is written by Josh Kahn, Tech Leader, Serverless.

Today, we are excited to announce an all-new way to demonstrate your AWS Serverless knowledge and skills: a verifiable, digital badge. The new digital badge is aligned with our Serverless Learning Plan now available in AWS Skill Builder.

You can earn the digital badge by scoring at least 80 percent on the assessment associated with the Learning Plan. The badge proves your knowledge and skills for AWS Lambda, Amazon API Gateway, and designing serverless applications. You can celebrate your achievement on your resume, social media, and AWS re:Post with the verifiable badge distributed and managed by Credly. The badge includes metadata to verify the issuer and skills demonstrated by the holder. The Serverless Learning Plan and digital badge assessment are now available, for free.

Ready to get started or want to jump immediately to the assessment? Start here. Continue reading to learn more about the details of AWS Skill Builder and our Serverless Learning Plan.

The Serverless Learning Plan

Our Serverless Learning Plan has been designed to help you get started building with Serverless technology. AWS experts designed the content to provide a clear learning path to help you develop the skills you need quickly.

The Learning Plan starts with an introduction to the “Serverless Mindset” and introduces key concepts to help you design architectures and applications. It discusses how to best take advantage of the event-driven orientation of serverless computing.

Next, the course “AWS Lambda Foundations” covers the fundamentals of AWS Lambda, an event-driven compute service that lets you run code without provisioning or managing servers. You’ll learn foundational concepts, including how Lambda works, security and permission models, and best practices for writing Lambda functions.

The Learning Plan also includes four courses that span the lifecycle of building Lambda-based applications. In “Architecting Serverless Applications,” you learn about common architectures and patterns for serverless applications. We explore how to build microservices, data processing workloads, Alexa skills, mobile backends, and automate tasks in your AWS account. The course also discusses the trade-offs in selecting from the various compute options available to you.

The “Scaling Serverless Architectures” course discusses concepts such as Lambda concurrency and how Lambda-based applications scale. We briefly explore optimization opportunities for Lambda functions and trade-offs. While this course is not a deep dive in optimization across all supported runtimes, it offers a starting point.

In “Security and Observability for Serverless Applications,” you’ll learn how to use services such as AWS CloudTrail, AWS Config, and AWS X-Ray in concert with Lambda-based applications. We also discuss the built-in logging to Amazon CloudWatch and considerations. This course also touches on how the Lambda service creates isolation and a security boundary between functions.

There are a number of popular options for deploying and managing serverless applications. In “Deploying Serverless Applications,” we explore the AWS Serverless Application Model (AWS SAM) and the AWS suite of developer tools. You’ll learn best practices for deployment, including how to automate deployment using a CI/CD pipeline. This course also covers concepts such as Lambda versions and aliases, Lambda environment variables, and other deployment features.

Serverless is more than Lambda. During the Learning Plan, you also learn how to use Amazon API Gateway to create and deploy serverless APIs. “Amazon API Gateway for Serverless Applications” discusses REST and WebSocket options available from API Gateway and how to integrate with Lambda and other backends. The course also discusses the rich set of API Gateway features available, including caching, various authorization modes, usage plans, API keys, and deployment stages.

To complete the Learning Plan, we also provide an introduction to event-driven architectures built using services such as AWS Step Functions and Amazon Simple Queue Service (SQS). This course compliments the “Serverless Mindset” course to help you think about how asynchronous processing can improve the resiliency and scalability of your serverless applications.

All courses are available in a variety of languages.

After completing the Learning Plan, take the online assessment and score over 80 percent to earn the digital badge. Our badge assessments are linked to curriculum standards and have been developed by field subject matter experts (SMEs) and content/curriculum SMEs. If you are already familiar with AWS Serverless, you can also jump right to the assessment. If you don’t pass, you’ll be guided on how to fill knowledge gaps and can retake the assessment after 24 hours.

We’re also working to add more courses on topics, such as Amazon EventBridge, and more extensive course work on event-driven architectures next year. Stay tuned.

Our Learning Plan has been designed for you to move at your own pace, from wherever you are. It’s a great opportunity to build new skills or refresh your knowledge. Employers seeking to build knowledge in Serverless can also use the Learning Plan and digital badge to build critical knowledge in the space.

AWS Skill Builder

Beyond our recommended Serverless curriculum, Skill Builder offers a bevy of digital courses developed for different roles (e.g., developer, architect, data engineer) and domains (e.g., storage, databases). Skill Builder offers free learning content as well as subscription plans for individuals and teams. Skill Builder is a great way to advance your skills in areas that often touch serverless applications, including security, observability / monitoring, and DevOps.

We encourage you to check out these other expert-designed courses to help advance your knowledge of AWS. Subscription plans include hands-on labs and certification practice exams. The free content includes over 500 courses and learning plans, all available on-demand so that you can learn at your own pace.

Dive deeper with the AWS Serverless Ramp-up Guide

If you want to dive deeper after completing the AWS Serverless Learning Plan, download the AWS Ramp-Up Guide for Serverless. The guide includes a listing of courses, hands-on workshops, classroom training, and other resources to enrich your serverless knowledge.

Think of the Ramp-Up Guide as a menu of options. Pick and choose the topics that are most interesting to you and move at your own pace. We’ve included digital courses, reading, videos, and workshops to help you learn however is most effective for you.

We’re working to continually update the Ramp-up Guide so that you can easily find up-to-date content to deepen your skills. Check back for updates.

Conclusion

We’re excited to share the newly updated Serverless Learning Plan and all-new digital badge with you. To our knowledge, this is one of the first ways (if not the first) that Serverless builders can verifiably demonstrate their knowledge to the community and employers. Our team of SMEs across AWS Serverless and Training & Certification are excited to hear your feedback on the Learning Plan as well as where you would like to see us develop training next.

The AWS Serverless Learning Plan and digital badge are available now. All courses are available on-demand. Both the learning plan courses and the assessment are free for everyone.

Share your accomplishment by posting on social media with the hashtag #AWSTraining! Get started today at https://aws.amazon.com/training/learn-about/serverless/.

For more serverless learning resources, visit Serverless Land.

Reducing Java cold starts on AWS Lambda functions with SnapStart

2022-11-30 Eric Johnson

Post Syndicated from Eric Johnson original https://aws.amazon.com/blogs/compute/reducing-java-cold-starts-on-aws-lambda-functions-with-snapstart/

Written by Mark Sailes, Senior Serverless Solutions Architect, AWS.

At AWS re:Invent 2022, AWS announced SnapStart for AWS Lambda functions running on Java Corretto 11. This feature enables customers to achieve up to 10x faster function startup performance for Java functions, at no additional cost, and typically with minimal or no code changes.

Overview

Today, for Lambda’s function invocations, the largest contributor to startup latency is the time spent initializing a function. This includes loading the function’s code and initializing dependencies. For interactive workloads that are sensitive to start-up latencies, this can cause suboptimal end user experience.

To address this challenge, customers either provision resources ahead of time, or spend effort building relatively complex performance optimizations, such as compiling with GraalVM native-image. Although these workarounds help reduce the startup latency, users must spend time on some heavy lifting instead of focusing on delivering business value. SnapStart addresses this concern directly for Java-based Lambda functions.

How SnapStart works

With SnapStart, when a customer publishes a function version, the Lambda service initializes the function’s code. It takes an encrypted snapshot of the initialized execution environment, and persists the snapshot in a tiered cache for low latency access.

When the function is first invoked and then scaled, Lambda resumes the execution environment from the persisted snapshot instead of initializing from scratch. This results in a lower startup latency.

Lambda function lifecycle

A function version activated with SnapStart transitions to an inactive state if it remains idle for 14 days, after which Lambda deletes the snapshot. When you try to invoke a function version that is inactive, the invocation fails. Lambda sends a SnapStartNotReadyException and begins initializing a new snapshot in the background, during which the function version remains in Pending state. Wait until the function reaches the Active state, and then invoke it again. To learn more about this process and the function states, read the documentation.

Using SnapStart

Application frameworks such as Spring give developers an enormous productivity gain by reducing the amount of boilerplate code they write to accomplish common tasks. When first created, frameworks didn’t have to consider startup time because they run on application servers, which run for long periods of time. The startup time is minimal compared to the running duration. You often only restart them when there is an application version change.

If the functionality that these frameworks bring is implemented at runtime, then they often contribute to latency in startup time. SnapStart allows you to use frameworks like Spring and not compromise tail latency.

To demonstrate SnapStart, I use a sample application that saves records into Amazon DynamoDB. This Spring Boot application (TODO Link) uses a REST controller to handle CRUD requests. This sample includes infrastructure as code to deploy the application using the AWS Serverless Application Model (AWS SAM). You must install the AWS SAM CLI to deploy this example.

To deploy:

Clone the git repository and change to project directory:

git clone https://github.com/aws-samples/serverless-patterns.git
cd serverless-patterns/apigw-lambda-snapstart

Use the AWS SAM CLI to build the application:
```
sam build
```
Use the AWS SAM CLI to deploy the resources to your AWS account:
```
sam deploy -g
```

This project deploys with SnapStart already enabled. To enable or disable this functionality in the AWS Management Console:

Navigate to your Lambda function.
Select the Configuration tab.
Choose Edit and change the SnapStart attribute to PublishedVersions.
Choose Save.

Lambda Console confoguration
Select the Versions tab and choose Publish new.
Choose Publish.

Once you’ve enabled SnapStart, Lambda publishes all subsequent versions with snapshots. The time to run your publish version depends on your init code. You can run init up to 15 minutes with this feature.

Considerations

Stale credentials

Using SnapStart and restoring from a snapshot often changes how you create functions. With on-demand functions, you might access one time data in the init phase, and then reuse it during future invokes. If this data is ephemeral, a database password for example, then there might be a time between fetching the secret and using it, that the password has changed leading to an error. You must write code to handle this error case.

With SnapStart, if you follow the same approach, your database password is persisted in an encrypted snapshot. All future execution environments have the same state. This can be days, weeks, or longer after the snapshot is taken. This makes it more likely that your function has the incorrect password stored. To improve this, you could move the functionality to fetch the password to the post-snapshot hook. With each approach, it is important to understand your application’s needs and handle errors when they occur.

Demo application architecture

A second challenge in sharing the initial state is with randomness and uniqueness. If random seeds are stored in the snapshot during the initialization phase, then it may cause random numbers to be predictable.

Cryptography

AWS has changed the managed runtime to help customers handle the effects of uniqueness and randomness when restoring functions.

Lambda has already incorporated updates to Amazon Linux 2 and one of the commonly used cryptographic libraries, OpenSSL (1.0.2), to make them resilient to snapshot operations. AWS has also validated that Java runtime’s built-in RNG java.security.SecureRandom maintains uniqueness when resuming from a snapshot.

Software that always gets random numbers from the operating system (for example, from /dev/random or /dev/urandom) is already resilient to snapshot operations. It does not need updates to restore uniqueness. However, customers who prefer to implement uniqueness using custom code for their Lambda functions must verify that their code restores uniqueness when using SnapStart.

For more details, read Starting up faster with AWS Lambda SnapStart and refer to Lambda documentation on SnapStart uniqueness.

Runtime hooks

These pre- and post-hooks give developers a way to react to the snapshotting process.

For example, a function that must always preload large amounts of data from Amazon S3 should do this before Lambda takes the snapshot. This embeds the data in the snapshot so that it does not need fetching repeatedly. However, in some cases, you may not want to keep ephemeral data. A password to a database may be rotated frequently and cause unnecessary errors. I discuss this in greater detail in a later section.

The Java managed runtime uses the open-source Coordinated Restore at Checkpoint (CRaC) project to provide hook support. The managed Java runtime contains a customized CRaC context implementation that calls your Lambda function’s runtime hooks before completing snapshot creation and after restoring the execution environment from a snapshot.

The following function example shows how you can create a function handler with runtime hooks. The handler implements the CRaC Resource and the Lambda RequestHandler interface.

...
import org.crac.Resource;
import org.crac.Core;
...

public class HelloHandler implements RequestHandler<String, String>, Resource {

    public HelloHandler() {
        Core.getGlobalContext().register(this);
    }

    public String handleRequest(String name, Context context) throws IOException {
        System.out.println("Handler execution");
        return "Hello " + name;
    }

    @Override
    public void beforeCheckpoint(org.crac.Context<? extends Resource> context) throws Exception {
        System.out.println("Before Checkpoint");
    }

    @Override
    public void afterRestore(org.crac.Context<? extends Resource> context) throws Exception {
        System.out.println("After Restore");
    }
}

For the classes required to write runtime hooks, add the following dependency to your project:

Maven

<dependency>
  <groupId>io.github.crac</groupId>
  <artifactId>org-crac</artifactId>
  <version>0.1.3</version>
</dependency>

Gradle

implementation 'io.github.crac:org-crac:0.1.3'

Priming

SnapStart and runtime hooks give you new ways to build your Lambda functions for low startup latency. You can use the pre-snapshot hook to make your Java application as ready as possible for the first invoke. Do as much as possible within your function before the snapshot is taken. This is called priming.

When you upload your zip file of Java code to Lambda, the zip contains .class files of bytecode. This can be run on any machine with a JVM. When the JVM executes your bytecode, it is initially interpreted, then compiled into native machine code. This compilation stage is relatively CPU intensive and happens just in time (JIT Compiler).

You can use the before snapshot hook to run code paths before the snapshot is taken. The JVM compiles these code paths and the optimization is kept for future restores. For example, if you have a function that integrates with DynamoDB, you can make a read operation in your before snapshot hook.

This means that your function code, the AWS SDK for Java, and any other libraries used in that action are compiled and kept within the snapshot. The JVM then won’t need to compile this code when your function is invoked, meaning your latency is less the first time an execution environment is invoked.

Priming requires that you understand your application code and the consequences of executing it. The sample application includes a before snapshot hook, which primes the application by making a read operation from DynamoDB. (TODO Link)

Metrics

The following chart reflects invoking the sample application Lambda function 100 times per second for 10 minutes. This test is based on this function, both with and without SnapStart.

	p50	p99.9
On-demand	7.87ms	5,114ms
SnapStart	7.87ms	488ms

Conclusion

This blog shows how SnapStart reduces startup (cold-start) latencies times for Java-based Lambda functions. You can configure SnapStart using AWS SDK, AWS CloudFormation, AWS SAM, and CDK.

To learn more, see Configuring function options in the AWS documentation. This functionality may require some minimal code changes. In most cases, the existing code is already compatible with SnapStart. You can now bring your latency-sensitive Java-based workloads to Lambda and run with improved tail latencies.

This feature allows developers to use the on-demand model in Lambda with low-latency response times, without incurring extra cost. To read more about how to use SnapStart with partner frameworks, find out more from Quarkus and Micronaut. To read more about this and other features, visit Serverless Land.

[$] Microblogging with ActivityPub

2022-11-29

Post Syndicated from original https://lwn.net/Articles/916154/

As of late, concerns about the future of Twitter have caused many of its
users to seek alternatives. Amid this upheaval, an open-source
microblogging service called Mastodon has received a great deal of
attention. Mastodon is not reliant on any single company or central
authority to run its servers; anyone can run their own. Servers communicate
with each other, allowing people on different servers to send each other
messages and follow each other’s posts. Mastodon doesn’t just talk to
itself, though; it can exchange messages with anything that speaks the ActivityPub protocol.
There are many such implementations, so someone who wants to deploy their own
microblogging service enjoys a variety of choices.

What Is AWS Verified Access?

Unlock a Complete Picture of Your Cloud Security with InsightIDR

Митът за богатите украинци

Застрашеното българско общество

Опасен чар

В сянката на войната

Заглавна илюстрация: © Пеню Кирацов

Митът за богатите украинци

Застрашеното българско общество

Опасен чар

В сянката на войната

Заглавна илюстрация: © Пеню Кирацов

Митът за богатите украинци

Застрашеното българско общество

Опасен чар

В сянката на войната

Заглавна илюстрация: © Пеню Кирацов

Mission Space Lab teams are now getting ready to write and test their code

Young people’s Mission Space Lab code will run in space next year

Welcome back, Ed and Izzy!

Young people can take part in Astro Pi Mission Zero

Cloudflare’s history

My how you’ve grown

Annual plans for even faster innovation

The Serverless Learning Plan

AWS Skill Builder

Dive deeper with the AWS Serverless Ramp-up Guide

Conclusion

Overview

How SnapStart works

Using SnapStart

Considerations

Stale credentials

Cryptography

Runtime hooks

Priming

Metrics

Conclusion

The collective thoughts of the interwebz