Cloud Computing Design Patterns - Robert Cope, Amin Naserpour, Thomas Erl

Cloud Computing Design Patterns

Book | Hardcover
564 pages
2015
Prentice Hall (publisher)
978-0-13-385856-3 (ISBN)
45,90 incl. VAT
  • Title is unfortunately out of print;
    no new edition
The Definitive Guide to Cloud Architecture and Design

Best-selling service technology author Thomas Erl has brought together the de facto catalog of design patterns for modern cloud-based architecture and solution design.

More than two years in development, this book's 100+ patterns illustrate proven solutions to common cloud challenges and requirements. Its patterns are supported by rich, visual documentation, including 300+ diagrams.

The authors address topics covering scalability, elasticity, reliability, resiliency, recovery, data management, storage, virtualization, monitoring, provisioning, administration, and much more. Readers will further find detailed coverage of cloud security, from networking and storage safeguards to identity systems, trust assurance, and auditing. This book's unprecedented technical depth makes it a must-have resource for every cloud technology architect, solution designer, developer, administrator, and manager.

Topic Areas:
  • Enabling ubiquitous, on-demand, scalable network access to shared pools of configurable IT resources
  • Optimizing multitenant environments to efficiently serve multiple unpredictable consumers
  • Using elasticity best practices to scale IT resources transparently and automatically
  • Ensuring runtime reliability, operational resiliency, and automated recovery from any failure
  • Establishing resilient cloud architectures that act as pillars for enterprise cloud solutions
  • Rapidly provisioning cloud storage devices, resources, and data with minimal management effort
  • Enabling customers to configure and operate custom virtual networks in SaaS, PaaS, or IaaS environments
  • Efficiently provisioning resources, monitoring runtimes, and handling day-to-day administration
  • Implementing best-practice security controls for cloud service architectures and cloud storage
  • Securing on-premise Internet access, external cloud connections, and scaled VMs
  • Protecting cloud services against denial-of-service attacks and traffic hijacking
  • Establishing cloud authentication gateways, federated cloud authentication, and cloud key management
  • Providing trust attestation services to customers
  • Monitoring and independently auditing cloud security
  • Solving complex cloud design problems with compound super-patterns


Chapter descriptions:
Chapter 1: Introduction
This chapter establishes the scope and structure of the book by providing an overview of the primary topic areas along with chapter descriptions and information regarding conventions and supplemental resources.

Chapter 2: Understanding Design Patterns
This chapter introduces pattern profiles and compound patterns, and details how each is structured. In addition, design pattern notation and measures of design pattern application are discussed, and a set of usage guidelines for maximizing the functionality of this catalog is provided.

Chapter 3: Sharing, Scaling and Elasticity Patterns
Design patterns that provide basic and advanced design solutions focused on IT resource sharing, scaling, elasticity, and overall optimization.

Chapter 4: Reliability, Resiliency and Recovery Patterns
Design patterns that address a range of issues pertaining to failover, redundancy and recovery of IT resources and cloud environments.

Chapter 5: Data Management and Storage Device Patterns
Design patterns focused on cloud storage architecture, cloud storage device configuration and management, as well as the management and optimization of cloud-hosted data.

Chapter 6: Virtual Server and Hypervisor Connectivity and Management Patterns
Design patterns that cover connectivity, accessibility, configuration and related issues pertaining to virtual servers and hypervisors.

Chapter 7: Monitoring, Provisioning and Administration Patterns
This chapter groups administrative design patterns, such as those pertaining to runtime monitoring, IT resource provisioning, and general administrative features and controls.

Chapter 8: Cloud Service and Storage Security Patterns
Patterns focused on establishing security controls for cloud service architectures and cloud storage devices are covered in this chapter.

Chapter 9: Network Security, Identity & Access Management, and Trust Assurance Patterns
This chapter provides a range of cloud security patterns that tackle common security requirements, as well as various forms of attack prevention.

Chapter 10: Common Compound Patterns
Many of the previously documented design patterns can be combined into super-patterns that represent common models or environments in the cloud computing industry, or provide larger, more complex design solutions. This chapter provides examples of some of the more relevant combinations through the definition of a series of compound design patterns.

Appendix A: Cloud Computing Mechanisms Glossary
Design patterns are applied with the involvement and implementation of different combinations of cloud computing mechanisms. This appendix provides concise definitions of all mechanisms associated with and referenced by the preceding design pattern profiles.

Appendix B: Cloud Computing Design Patterns Reference
A quick reference list of cloud computing design patterns in alphabetical order, with page numbers.

Thomas Erl is a top-selling IT author, founder of Arcitura Education Inc., and series editor of the Prentice Hall Service Technology Series from Thomas Erl. With more than 200,000 copies in print worldwide, his books have become international bestsellers and have been formally endorsed by senior members of major IT organizations, such as IBM, Microsoft, Oracle, Intel, Accenture, IEEE, HL7, MITRE, SAP, CISCO, HP, and many others. As CEO of Arcitura Education Inc., Thomas has led the development of curricula for the internationally recognized Big Data Science Certified Professional (BDSCP), Cloud Certified Professional (CCP), and SOA Certified Professional (SOACP) accreditation programs, which have established a series of formal, vendor-neutral industry certifications obtained by thousands of IT professionals around the world. Thomas has toured more than 20 countries as a speaker and instructor. More than 100 articles and interviews by Thomas have been published in numerous publications, including The Wall Street Journal and CIO Magazine.

Robert Cope has more than 25 years of experience in mission-critical systems development, spanning all aspects of the software system engineering lifecycle from architectural development, experimentation and prototyping, requirements development, design, implementation, and operations to acquisition program management for large systems. With more than 10 years in research, development, and implementation of security architecture, Public Key Infrastructure (PKI) security technology, and security services for large organizations, he has vast experience in information assurance, identity management deployment, operations, and maintenance of large-scale high assurance identity management enclaves. Robert is the CEO of Homeland Security Consultants, a Federal Risk and Authorization Management Program (FedRAMP)-approved Third Party Assessment Organization (3PAO) for certifying cloud services. He led the development of the virtualization and cloud computing architecture for a large organization and was the chief architect responsible for the development of an enterprise authentication service, leading a team to integrate the organization's identity and access management service architecture using Model Based System Engineering (MBSE) and the System Modeling Language (SysML). Robert is a Certified Trainer for Arcitura's Cloud School and SOA School. He has been a contributing member of the National Institute of Standards and Technology (NIST) Cloud-adapted Risk Management Framework (CRMF) and a contributing member of the Organization for the Advancement of Structured Information Standards (OASIS) IdCloud Technical Committee. He is also a member of the International Council on Systems Engineering (INCOSE).

A certified IT professional with over 14 years of experience in solution architecture and design, engineering, and consultation, Amin Naserpour specializes in designing medium to enterprise-level complex solutions for partially to fully virtualized front-end infrastructures. His portfolio includes clients such as VMware, Microsoft, and Citrix, and his work consists of integrating front-ends with back-end infrastructure-layer solutions. Amin designed a unified, vendor-independent cloud computing framework that he presented at the 5th International SOA, Cloud + Service Technology Symposium in 2012. Certified in cloud computing, virtualization, and storage, Amin currently holds Technical Consultant and Cloud Operations Lead positions for Hewlett-Packard, Australia.

Table of contents:
In Chapters 3 to 9, each pattern listed has the subsections Problem, Solution, Application, and Mechanisms.

Chapter 1: Introduction
  • Objective of This Book
  • What This Book Does Not Cover
  • Who This Book Is For
  • Origin of This Book
  • Recommended Reading
  • How This Book Is Organized
      • Chapter 3: Sharing, Scaling and Elasticity Patterns
      • Chapter 4: Reliability, Resiliency and Recovery Patterns
      • Chapter 5: Data Management and Storage Device Patterns
      • Chapter 6: Virtual Server and Hypervisor Connectivity and Management Patterns
      • Chapter 7: Monitoring, Provisioning and Administration Patterns
      • Chapter 8: Cloud Service and Storage Security Patterns
      • Chapter 9: Network Security, Identity & Access Management and Trust Assurance Patterns
      • Chapter 10: Common Compound Patterns
      • Appendix A: Cloud Computing Mechanisms Glossary
      • Appendix B: Alphabetical Design Patterns Reference
  • Additional Information
      • Symbol Legend
      • Pattern Documentation Conventions
      • Updates, Errata, and Resources (www.servicetechbooks.com)
      • Cloud Computing Design Patterns (www.cloudpatterns.org)
      • What Is Cloud? (www.whatiscloud.com)
      • Referenced Specifications (www.servicetechspecs.com)
      • The Service Technology Magazine (www.servicetechmag.com)
      • CloudSchool.com Certified Cloud (CCP) Professional (www.cloudschool.com)
      • Social Media and Notification

Chapter 2: Understanding Design Patterns
  • About Pattern Profiles
      • Requirement
      • Icon
      • Problem
      • Solution
      • Application
      • Mechanisms
  • About Compound Patterns
  • Design Pattern Notation
      • Capitalization
      • Page Number References
  • Measures of Design Pattern Application
  • Working with This Catalog

Chapter 3: Sharing, Scaling and Elasticity Patterns
  • Shared Resources
  • Workload Distribution
  • Dynamic Scalability
  • Service Load Balancing
  • Elastic Resource Capacity
  • Elastic Network Capacity
  • Elastic Disk Provisioning
  • Load Balanced Virtual Server Instances
  • Load Balanced Virtual Switches
  • Service State Management
  • Storage Workload Management
  • Dynamic Data Normalization
  • Cross-Storage Device Vertical Tiering
  • Intra-Storage Device Vertical Data Tiering
  • Memory Over-Committing
  • NIC Teaming
  • Broad Access

Chapter 4: Reliability, Resiliency and Recovery Patterns
  • Resource Pooling
  • Resource Reservation
  • Hypervisor Clustering
  • Redundant Storage
  • Dynamic Failure Detection and Recovery
  • Multipath Resource Access
  • Redundant Physical Connection for Virtual Servers
  • Synchronized Operating State
  • Zero Downtime
  • Storage Maintenance Window
  • Virtual Server Auto Crash Recovery
  • Non-Disruptive Service Relocation

Chapter 5: Data Management and Storage Device Patterns
  • Direct I/O Access
  • Direct LUN Access
  • Single Root I/O Virtualization
  • Cloud Storage Data at Rest Encryption
  • Cloud Storage Data Lifecycle Management
  • Cloud Storage Data Management
  • Cloud Storage Data Placement Compliance Check
  • Cloud Storage Device Masking
  • Cloud Storage Device Path Masking
  • Cloud Storage Device Performance Enforcement
  • Virtual Disk Splitting
  • Sub-LUN Tiering
  • RAID-Based Data Placement
  • IP Storage Isolation

Chapter 6: Virtual Server and Hypervisor Connectivity and Management Patterns
  • Virtual Server Folder Migration
  • Persistent Virtual Network Configuration
  • Virtual Server Connectivity Isolation
  • Virtual Switch Isolation
  • Virtual Server NAT Connectivity
  • External Virtual Server Accessibility
  • Cross-Hypervisor Workload Mobility
  • Virtual Server-to-Host Affinity
  • Virtual Server-to-Host Anti-Affinity
  • Virtual Server-to-Host Connectivity
  • Virtual Server-to-Virtual Server Affinity
  • Virtual Server-to-Virtual Server Anti-Affinity
  • Stateless Hypervisor

Chapter 7: Monitoring, Provisioning and Administration Patterns
  • Usage Monitoring
  • Pay-as-You-Go
  • Realtime Resource Availability
  • Rapid Provisioning
  • Platform Provisioning
  • Bare-Metal Provisioning
  • Automated Administration
  • Centralized Remote Administration
  • Resource Management
  • Self-Provisioning
  • Power Consumption Reduction

Chapter 8: Cloud Service and Storage Security Patterns
  • Trusted Platform BIOS
  • Geotagging
  • Hypervisor Protection
  • Cloud VM Platform Encryption
  • Trusted Cloud Resource Pools
  • Secure Cloud Interfaces and APIs
  • Cloud Resource Access Control
  • Detecting and Mitigating User-Installed VMs
  • Mobile BYOD Security
  • Cloud Data Breach Protection
  • Permanent Data Loss Protection
  • In-Transit Cloud Data Encryption

Chapter 9: Network Security, Identity & Access Management and Trust Assurance Patterns
  • Secure On-Premise Internet Access
  • Secure External Cloud Connection
  • Secure Connection for Scaled VMs
  • Cloud Denial-of-Service Protection
  • Cloud Traffic Hijacking Protection
  • Automatically Defined Perimeter
  • Cloud Authentication Gateway
  • Federated Cloud Authentication
  • Cloud Key Management
  • Trust Attestation Service
  • Collaborative Monitoring and Logging
  • Independent Cloud Auditing
  • Threat Intelligence Processing

Chapter 10: Common Compound Patterns
  • "Compound Pattern" vs. "Composite Pattern"
  • Compound Pattern Members
  • Joint Application vs. Coexistent Application
  • Private Cloud
  • Public Cloud
  • Software-as-a-Service (SaaS)
  • Platform-as-a-Service (PaaS)
  • Infrastructure-as-a-Service (IaaS)
  • Elastic Environment
  • Multitenant Environment
  • Resilient Environment
  • Cloud Bursting
  • Burst Out to Private Cloud
  • Burst Out to Public Cloud
  • Burst In
  • Secure Burst Out to Private Cloud/Public Cloud
  • Cloud Balancing
  • Cloud Authentication
  • Resource Workload Management
  • Isolated Trust Boundary

Appendix A: Cloud Computing Mechanisms Glossary
Appendix B: Alphabetical Design Patterns Reference
About the Authors
Index

This book continues the very high standard we have come to expect from ServiceTech Press. The book provides well-explained vendor-agnostic patterns to the challenges of providing or using cloud solutions from PaaS to SaaS. The book is not only a great patterns reference, but also worth reading from cover to cover as the patterns are thought-provoking, drawing out points that you should consider and ask of a potential vendor if you're adopting a cloud solution. Phil Wilkins, Enterprise Integration Architect, Specsavers

Thomas Erl's text provides a unique and comprehensive perspective on cloud design patterns that is clearly and concisely explained for the technical professional and layman alike. It is an informative, knowledgeable, and powerful insight that may guide cloud experts in achieving extraordinary results based on extraordinary expertise identified in this text. I will use this text as a resource in future cloud designs and architectural considerations. Dr. Nancy M. Landreville, CEO/CISO, NML Computer Consulting

The models seem to be consistent and thorough, which should make them approachable and of value in scoping the design of reliable implementations. Overall, this is a good basis for progressing a common understanding of the vision of cloud practice – well done. Tom Cleary, Australian Computer Society (ACS)

I thoroughly reviewed the mechanisms with stakeholders from our Identity and Access Management working group, and I have no critical comments or suggestions for new mechanisms. They are consistent with the security mechanisms that we have documented for enterprise security architectural guidance that we have completed in the Department of Veterans Affairs. Michael Dance Jr, Booz Allen Hamilton

Readers will find it easy to read, comprehend and apply the cloud pattern principles in practice that have already been adopted by the industry. Matt Lorrain, Greg Ponto & Michael E. Young (Security Standards & Architecture team), Esri

Cloud Computing Design Patterns takes a disciplined approach to categorising cloud design building blocks and simplifying inherent technology complexities. It explains, in a lucid manner, why a particular design pattern is needed and how to approach a pertinent solution. I found the security patterns sections more versatile in covering examples, such as hypervisor attack vectors, threat mitigation strategies, and mobile device management security. Written in a catalogue style, this book takes you through a journey of development which is intuitive as well as comprehensive enough. Anant Mahajan

Cloud Computing Design Patterns is an excellent book to use when building or maintaining your cloud. The book is vendor neutral which ensures that there are no conflicts of interest as far as the authors and publisher go. I think that the diagrams and illustrations are particularly helpful since some people seem challenged with trying to visualize virtual machines. Laura Taylor, Relevant Technologies

A very well written book, providing details of how to achieve the characteristics of a cloud, and hence enable businesses to achieve its benefits. Kumail Morawala, Combustec

This book provides an excellent read for anyone wanting to grasp the fundamentals and advanced concepts of cloud computing. The easy to understand format provides the reader with a clear direction on how to enable a more robust, dynamic, and efficient cloud environment while also providing vital information on how to effectively secure core components of the cloud. The reader who might not have a full understanding of cybersecurity implications as it relates to cloud will have the foundational knowledge to build out secure cloud environments. I would recommend this book to anyone serious about cloud security. Sean Cope, CISSP CEH CNDA, FedRAMP Assessment Lead, Homeland Security Consultants

Publication date (per publisher): 18.6.2015
Place of publication: Upper Saddle River
Language: English
Dimensions: 183 x 240 mm
Weight: 1072 g
Binding: hardcover
Subject areas: Mathematics / Computer Science; Computer Science; Networks
Computer Science; Software Development; SOA / Web Services
Keywords: Business Intelligence • Cloud Computing • Design Patterns
ISBN-10: 0-13-385856-1 / 0133858561
ISBN-13: 978-0-13-385856-3 / 9780133858563
Condition: New