Commit
Merge to resolve conflicts
ArsHaider committed Sep 5, 2023
2 parents 52bedbd + 89fc4e5 commit 61be941
Showing 4 changed files with 117 additions and 24 deletions.
19 changes: 11 additions & 8 deletions _docs/compliance/compliance-community.md
Expand Up @@ -30,18 +30,21 @@ Email us at [[email protected]](mailto:[email protected]) to report an alleg

## Who can join?

Open to compliance staff at CSPs listed in the [FedRAMP Marketplace](https://marketplace.fedramp.gov) as authorized or in-process, or a CSP that has retained a 3PAO to pursue authorization.
The cloud.gov compliance team will approve memberships.
The community is open to:

## How to join?
* compliance staff at CSPs listed in the [FedRAMP Marketplace](https://marketplace.fedramp.gov) as authorized or in-process
* compliance staff at CSPs pursuing authorization per their public statements (website, pdf)
* contracted staff dedicated to supporting FedRAMP authorization for client CSPs

The cloud.gov compliance team will approve memberships based on eligibility evidence.

Send an email to [[email protected]](mailto:[email protected]) from the domain of your FedRAMP CSP.
## How to join?

If you're unable to use that domain for this community, email from your preferred address
and provide an explanation and alternate means of
validation, such as an CSP-based address you can use for confirmation.
Send an email to [[email protected]](mailto:[email protected]) providing:

If your CSP has retained a 3PAO, provide a contact at the 3PAO who can affirm that they've been retained, and CC: them on your email.
* Your name and role
* CSP name and FedRAMP status
* Statement of interest (required if your CSP is not on the marketplace)

## Your communications are not private

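Review bot: the rewritten "How to join?" section drops the old verification control (mail must come from the CSP's domain, plus a 3PAO contact CC'd for in-process CSPs) but never says what "eligibility evidence" replaces it, so an applicant in the new "contracted staff" category does not know what to send and the approver has no stated basis for checking the claim; list the accepted evidence per category next to the three bullets (for example, mail from the CSP's own domain, or a named contact at the CSP who can confirm the engagement). Minor: "(website, pdf)" should read "(website, PDF)".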
9 changes: 6 additions & 3 deletions _docs/compliance/domain-standards.md
Expand Up @@ -30,21 +30,24 @@ The SSL/TLS implementation depends on how your client is reaching cloud.gov, whi
* [AWS load balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#tls13-security-policies) implement the `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` SSL/TLS policy.
* [Amazon CloudFront distributions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers) implement the `TLSv1.2_2018` policy.

Our TLS implementation and cipher suites are consistent with [White House Office of Management and Budget's M-15-13](https://https.cio.gov/), the Department of Homeland Security's [Binding Operational Directive 18-01](https://cyber.dhs.gov/bod/18-01/), and the [NIST Guidelines for TLS Implementations](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf). Some SSL/TLS scanners will nonetheless return results flagging the following ciphers as "weak":
Our TLS implementation and cipher suites are consistent with [White House Office of Management and Budget's M-15-13](https://https.cio.gov/), the Department of Homeland Security's [Binding Operational Directive 18-01](https://cyber.dhs.gov/bod/18-01/), and [NIST's 800-52r2 Guidelines for TLS Implementations](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf).

Some SSL/TLS scanners will nonetheless return results flagging the following ciphers as "weak":

```txt
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
```

These are false positives. While the CBC cipher modes of operation are being phased out (they are theoretically subject to padding oracle attacks), our cipher implementation is consistent with all relevant guidance, as noted above.
These are false positives. At cloud.gov we leverage TLS implementations from Amazon Web Services, which use [s2n-tls](https://github.com/aws/s2n-tls) to inject random timing variations to mitigate CBC attacks like [LUCKY13](https://aws.amazon.com/blogs/security/s2n-and-lucky-13/). Further, these ciphersuites are still acceptable per [NIST 800-52r2, Appendix D](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf#%5B%7B%22num%22%3A174%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C70%2C719%2C0%5D).
While the CBC cipher modes of operation are being phased out (they are theoretically subject to padding oracle attacks), we support them so we can serve members of the public who are unable to adopt newer technology.

**TLS 1.3**: TLS 1.3 has been implemented with `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` security policies on our load balancers. All new Cloudfront domains are created with the `TLSv1.2_2018` security policy, which supports TLS 1.3. The TLS versions supported by other AWS service endpoints, like S3, are controlled by AWS itself.

**Cipher suite names**: The AWS documentation uses the OpenSSL cipher names which are different from IANA/RFC cipher names returned by scanners. For example, `ECDHE-RSA-AES128-SHA256` on the documentation page will be called `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` by scanners and other tools.

**Cipher suite count**: The `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` has 15 ciphers, but your scanner may only show 11 results. That's because our certificates are signed with RSA keys, not Elliptic Curve (ECDSA) keys, so those cipher suites are not in use.
**Cipher suite count**: The `ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06` has 15 ciphers, but your scanner may only show 11 results. That's because our certificates are signed with RSA keys, not Elliptic Curve (ECDSA) keys, so those cipher suites are not in use. In June, 2023, a switch to ECDSA caused an [outage for a significant percentage of cloud.gov users](https://cloudgov.statuspage.io/incidents/vz9t74zm7zw8), so we will support RSA for the foreseeable future.

## DNSSEC

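Review bot: the new Appendix D citation in the "false positives" paragraph links into the PDF through an encoded named-destination fragment (`#%5B%7B%22num%22%3A174...`), which only some viewers honour and which breaks silently if NIST regenerates the file; link the plain document URL and put the section or appendix number in the link text instead. The same paragraph keeps the CBC suites "so we can serve members of the public who are unable to adopt newer technology" right after conceding they are being phased out; naming the client population that still needs them and when the exception will be reviewed would give future readers a basis for eventually removing the suites. Also, the items listed in the fenced block are cipher suites rather than ciphers, which is the term the "Cipher suite names" paragraph below already uses.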
53 changes: 41 additions & 12 deletions _docs/services/relational-database.md
Expand Up @@ -116,13 +116,11 @@ Name | Description
A couple of notes regarding the optional `version` parameter:

- It is currently only supported for dedicated MySQL and PostgreSQL instances; if you specify it for any other type of instance it is ignored.
- It only supports major version numbers (e.g. "8.0"); if you specify a minor/patch level version (e.g., "11.8" for PostgreSQL or "8.0.32" for MySQL), the command will fail.
- It only supports major version numbers (e.g. "8.0"); if you specify a minor/patch level version (e.g., "12.8" for PostgreSQL or "8.0.32" for MySQL), the command will fail.
- The version number must be provided in double quotes (`"`); this is because the value is treated as a string to account for different engine types and version schemes.

These are the current supported major versions for PostgreSQL:

- 10
- 11
- 12
- 13
- 14
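Review bot: the supported-versions list drops PostgreSQL 10 and 11 (and the minor-version example is updated from `11.8` to `12.8` to match), but nothing tells an operator who already runs an instance on 10 or 11 what happens to it or how to move to a supported major version; add a sentence pointing at the upgrade procedure and stating what the broker does when one of the removed versions is requested in the `version` parameter.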
Expand Down Expand Up @@ -174,13 +172,13 @@ cf create-service aws-rds \

After running this command, you must [finish setting up pg_cron on your instance](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/PostgreSQL_pg_cron.html#PostgreSQL_pg_cron.enable). You can use [cf-service-connect](https://github.com/cloud-gov/cf-service-connect) to connect to your instance, or connect via an application. Note that you must target the `postgres` database. To do this via `cf-service-connect`, run `\c postgres` in the psql shell.

To specify a major version of a new instance, e.g., PostgreSQL version 11 (please note the double quotes (`"`) around the version number; they are required):
To specify a major version of a new instance, e.g., PostgreSQL version 14 (please note the double quotes (`"`) around the version number; they are required):

```sh
cf create-service aws-rds \
micro-psql \
my-test-service \
-c '{"version": "11"}'
-c '{"version": "14"}'
```

To extend the backup retention period for a database to 30 days:
Expand All @@ -206,15 +204,15 @@ cf create-service aws-rds \
Dedicated RDS instance provisioning can take anywhere between 5 minutes and 60
minutes. During instance provisioning, the results of `cf services` or `cf service SERVICE_NAME` will show status as `create in progress`, as in the following example:

```
```shell
> cf services
name service plan bound apps last operation
test-oracle aws-rds medium-oracle-se2 create in progress
```

Once the instance is ready for use, it will show `create succeeded` as below:

```
```shell
> cf services
name service plan bound apps last operation
test-oracle aws-rds medium-oracle-se2 create succeeded
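Review bot: the two `cf services` blocks in this hunk are now tagged `shell`, but their content is a `>` prompt followed by tabular command output rather than a script, so a shell highlighter will colour the output columns as commands; `console` or `text` would be the more accurate tag, and dropping the `>` prompt would make the one real command copy-pasteable.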
Expand Down Expand Up @@ -445,6 +443,38 @@ Continuing with the PostgreSQL example and the `backup.pg` file, load the dump i
pg_restore --clean --no-owner --no-acl --dbname={database name} backup.pg
```

### Importing to a service instance - Windows

> Note: you can find all the information for accessing your database (username, password, host, database name) by running `cf env app_name` for your app and looking at the `credentials` for your RDS database
Open an SSH tunnel to your database:

```shell
cf ssh -N -L port:host:port application_name
```

with these values:

- `port` - port for accessing your database
- `host` - AWS host for accessing your database
- `application_name` - your application name

Once the SSH tunnel is open, your database should be available for connections on `localhost:<port>`.

Now you can run a command in a separate prompt to import a data backup into the database. For example, using the [`mysqlsh` tool](https://dev.mysql.com/doc/mysql-shell/8.0/en/):

```shell
mysqlsh -u username -p -h host -P port -D db_name -f path-to-file.sql
```

with these values:

- `username` - username for accessing your database
- `host` - AWS host for accessing your database
- `port` - port for accessing your database
- `db_name` - database name for accessing your database
- `path-to-file.sql` - Full path to the database backup file on your machine

## Encryption

Every RDS instance configured through cloud.gov is [encrypted at rest](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html). We use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS instance. The RDS then handles authenticating access and decrypting your data, with minimal performance impact and without requiring you to modify your applications.
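Review bot: the `mysqlsh` import command in the new Windows section does not go through the tunnel the section just opened: `-h host` with `host` defined as the "AWS host for accessing your database" points at the RDS endpoint directly, which is only reachable from inside the platform, so the import should connect to `-h localhost -P <local port>` as the preceding sentence ("your database should be available for connections on `localhost:<port>`") says, and the value list should be corrected to match. Also, the `> Note:` line at the top of the section is followed by "Open an SSH tunnel to your database:" with no blank line in between, so Markdown folds that instruction into the blockquote.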
Expand Down Expand Up @@ -477,7 +507,7 @@ Copy the downloaded `ojdbc8.jar` to the `libs/` directory of `spring-music`.

Edit `build.gradle`, look for the following near line 60:

```
```java
// Oracle - uncomment one of the following after placing driver in ./libs
// compile files('libs/ojdbc8.jar')
// compile files('libs/ojdbc7.jar')
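Review bot: the `build.gradle` snippet is now fenced as `java`, but a Gradle build file is Groovy DSL, so the highlighter will treat the `compile files(...)` lines as malformed Java; tag the block ```groovy instead.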
Expand Down Expand Up @@ -532,7 +562,7 @@ cf ssh -N -L 15210:cg-aws-broker-prod.RANDOMSTRING.us-gov-west-1.rds.amazonaws.c

Now connect using `sqlplus random-username/secretpassword@host:port/ORCL`, where host is `localhost` and `port` is the first part of the `-L` connection string above. e.g.:

```
```shell
./sqlplus random-username/secretpassword@localhost:15210/ORCL
```

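Review bot: the `sqlplus random-username/secretpassword@localhost:15210/ORCL` example embeds the database password in the command line, where it is recorded in shell history and visible to other local users through the process list; omit the `/secretpassword` part so that SQL*Plus prompts for it (`./sqlplus random-username@localhost:15210/ORCL`). The hunk itself only retags the fence as `shell`, which is fine.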
Expand All @@ -542,7 +572,7 @@ Then you can use SQLPLUS commands like `SELECT table_name FROM user_tables;`

Example for app name `hello-doe`

```
```shell
myapp_guid=$(cf app --guid hello-doe)

tunnel=$(cf curl /v2/apps/$myapp_guid/env \
Expand All @@ -555,7 +585,7 @@ cf ssh -N -L 5432:$tunnel hello-doe

Another window:

```
```shell
myapp_guid=$(cf app --guid hello-doe)

creds=$(cf curl /v2/apps/$myapp_guid/env \
Expand All @@ -568,7 +598,6 @@ dbname=$(cf curl /v2/apps/$myapp_guid/env \
| .name')

psql postgres://$creds@localhost:5432/$dbname
```

## Version information
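Review bot: `psql postgres://$creds@localhost:5432/$dbname` on the last changed block's final line places the full `username:password` pair in the process argument list and in shell history; pass only the username in the URI and supply the password through `PGPASSWORD` or `~/.pgpass` (the `jq` step above can emit the two fields separately). Retagging the fence as `shell` is itself fine.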
@@ -1,3 +1,4 @@
<<<<<<< HEAD
## Importance of multiple application instances
One of the benefits of Cloud.gov is the underlying ability to deploy applications, it allows you to very simply take an application’s source code and [launch an application in the Cloud.gov environment with a command](https://cloud.gov/docs/deployment/deployment/#how-deployment-works).

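Review bot: this hunk commits the merge-conflict marker `<<<<<<< HEAD` as the first line of the file, so the conflict this commit is meant to resolve is still present and the marker will be published in the rendered doc; remove the marker and keep only one side of the conflict (the `main` side is the one that carries the Jekyll front matter the post needs).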
Expand All @@ -18,6 +19,43 @@ Example pushing an application with 2 instances:
Additionally you can also define the number of application instances in your application manifest.yml file with the [instance manifest attribute](https://docs.cloudfoundry.org/devguide/deploy-apps/manifest-attributes.html#instances).

Example for defining an application with 2 instances in your manifest.yml file:
=======
---
layout: post
title: "Scaling your cloud.gov applications"
date: August 7, 2023
excerpt: How and why to scale your cloud.gov applications by adding more application instances
---

### Importance of multiple application instances

One of the benefits of Cloud.gov is the ability to [deploy applications with a simple command](https://cloud.gov/docs/deployment/deployment/#how-deployment-works).

By default, applications are deployed with a single instance which handles all traffic and load for your application. The downside of a single application instance is that if you have unexpected surges in application load, it is likely that your instance may run out of available CPU or memory or both, leading to an outage for your application.

To increase your application's ability to respond to requests, also known as availability, you can horizontally scale your application by running multiple application instances. When you have multiple application instances, your application requests are load-balanced among them to ensure that no single instance is prematurely overloaded, thus maximizing your availability.

By default, the routing infrastructure in cloud.gov [distributes requests to application instances using a `round-robin` algorithm](https://docs.cloudfoundry.org/concepts/http-routing.html#balancing-algorithm).

Running multiple application instances also increases the chances that your application will be [balanced across availability zones](https://docs.cloudfoundry.org/concepts/diego/diego-auction.html#auction).

The benefits of running multiple application instances are [exemplified in the EPA AirNow.gov customer story]({{ site.baseurl }}{% link _docs/customer-stories/epa-airnow-gov.md %}), which details how the EPA utilized the ability to quickly and easily scale up their number of application instances to handle increased customer traffic for AirNow.gov.

### How to scale your application instances

Using the [cf push command](https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#custom-cf-push), you can use the `-i` flag to indicate the number of application instances you would like.

For example, pushing an application with 2 instances:

```shell
cf push myapp -i 2
```

Additionally, you can also define the number of application instances in your application `manifest.yml` file with the [`instances` manifest attribute](https://docs.cloudfoundry.org/devguide/deploy-apps/manifest-attributes.html#instances).

An example for defining an application with 2 instances in your `manifest.yml` file:

>>>>>>> main
```shell
memory: 512mb
instances: 2
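Review bot: the `=======` and `>>>>>>> main` markers remain in this hunk, so the file now contains two full copies of the "Importance of multiple application instances" and "How to scale" sections (the `HEAD` copy with `##` headings and no front matter, the `main` copy with `###` headings and front matter); keep one side and delete the markers. While here, the manifest snippet that follows the markers is fenced as `shell` although its content (`memory: 512mb`, `instances: 2`) is YAML, so it should be tagged `yaml`.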
Expand All @@ -30,6 +68,7 @@ Please note the default number of instances is 1 instance.

You can also use the [cf scale](http://docs.cloudfoundry.org/devguide/deploy-apps/cf-scale.html) command to increase the number of instances for a running app.

<<<<<<< HEAD
`cf scale myapp -i 2`

Please note, running multiple instances may sometimes cause scheduled tasks or data loads to run multiple times. This issue can be prevented by using the [cf-instance-index](http://docs.cloudfoundry.org/devguide/deploy-apps/environment-variable.html#CF-INSTANCE-INDEX) environment variable. This variable denotes the specific instance number.
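Review bot: another unresolved `<<<<<<< HEAD` marker is committed here, leaving both the inline-backtick `cf scale myapp -i 2` from `HEAD` and the fenced version from `main` in the file, together with two differently worded "multiple instances may cause scheduled tasks to run multiple times" paragraphs that link to different targets (the upstream Cloud Foundry docs versus the site's own multiple-instances page); drop the marker and keep one version.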
Expand All @@ -41,4 +80,23 @@ For example if the org `my-example-org` had a memory quota of 3 GB and were host

If the org wanted to scale up their number of running application instances they could use the cf scale command to increase their number of instances to 6 instances `cf scale myapp -i 6` which would then increase their number of running application instances to 6 instances. Which should increase their org memory being used from 1 GB to 1.5 GB and leaving 1.5 GB free.

If `my-example-org` wanted to later decrease their number of running application instances from 6 instances down to 4 instances, they could also use `cf scale myapp -i 4` which would result in 1 GB of org memory being used and leaving 2 GB available for the org to otherwise use.
If `my-example-org` wanted to later decrease their number of running application instances from 6 instances down to 4 instances, they could also use `cf scale myapp -i 4` which would result in 1 GB of org memory being used and leaving 2 GB available for the org to otherwise use.
=======
```shell
cf scale myapp -i 2
```

Please note that running multiple instances may sometimes cause scheduled tasks or data loads to run multiple times. This issue can be prevented by updating scheduled tasks to use the [`CF_INSTANCE_INDEX` environment variable]({{ site.baseurl }}{% link _docs/management/multiple-instances.md %}#managing-multiple-instances-with-cf-instance-index), which denotes a specific application instance number.

### Application instances and memory usage

Each individual application instance utilizes the same amount of memory that is specified in the application manifest or indicated in the `cf push` command. Please note that the application cannot use more than the [defined memory quota for your org]({{ site.baseurl }}{% link _docs/management/limits.md %}).

For example, if the org `my-example-org` had:

- a memory quota of 3 GB and were hosting a single application `myapp`
- 256 MB of memory per application instance
- 4 application instances

Then, the application would be utilizing 1 GB (256 MB * 4 instances) of the org’s 3 GB total memory quota. This would leave 2 GB available for the org to otherwise use.
>>>>>>> main
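Review bot: the closing `=======` / `>>>>>>> main` pair is committed as well, so readers get two conflicting worked examples for org memory: the `HEAD` text scales `myapp` to 6 and then back to 4 instances in prose, while the `main` text stops at 4 instances with a bullet list, and the two `If my-example-org wanted to later decrease...` lines differ only in a trailing newline; pick one side (the `main` version is the clearer of the two) and remove the markers so the published page does not show conflict residue.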
