This week's roundup of all the cloud news.
Here's a cloud round up of all things Hava, GCP, Azure and AWS for the week ending Friday August 26th 2022.
This week saw the release of Hava's GitHub Action, making it possible to refresh and retrieve network diagrams as a step in your GitHub deployments.
See https://github.com/marketplace/actions/hava-sync-action and keep an eye out for an upcoming blog post.
To stay in the loop, make sure you subscribe using the box on the right of this page.
Of course we'd love to keep in touch at the usual places. Come and say hello on:
AWS Updates and Releases
Amazon QuickSight now supports fine-grained visual embedding, allowing you to embed individual visuals from QuickSight dashboards in applications and portals to provide key insights to users where they’re needed most.
Visual embedding lets independent software vendors (ISVs) and developers bring insights to users anywhere in their applications through APIs. Enterprises and public entities can use the 1-click embedding feature to embed visuals in their internal portals and public sites. This can be accomplished without any infrastructure setup or management, while scaling to millions of users. You simply copy the embed code, paste it in your site, and start consuming the insights right away.
AWS IoT TwinMaker is launching enhancements to simplify their customers’ experience as they scale their digital twins and build data connectors. AWS IoT TwinMaker makes it easier for developers to create digital twins of real-world systems such as buildings, factories, industrial equipment, and production lines. Digital twins are virtual representations of physical systems that can be regularly updated with real-world data to mimic the structure, state, and behaviour of the systems they represent to drive business outcomes.
Prior to this launch, customers had to submit a request in order to support more than 1k entities per workspace. To make it easier for AWS customers to scale their digital twins, they have increased the service quota to support up to 10k entities per workspace. You can review the new AWS IoT TwinMaker service quotas here.
AWS have also created a new guide that gives customers detailed instructions on developing time-series data connectors and connecting that data to their digital twins faster. Lastly, they added a new built-in component for Amazon Kinesis Video Streams to help customers quickly connect and easily stream video to their digital twin.
Amazon CloudFront now offers Origin Access Control, a new feature that enables CloudFront customers to easily secure their S3 origins by permitting only designated CloudFront distributions to access their S3 buckets. Customers can now enable AWS Signature Version 4 (SigV4) on CloudFront requests to S3 buckets with the ability to set when and if CloudFront should sign requests. Additionally, customers can now use SSE-KMS when performing uploads and downloads through CloudFront.
Until now, customers were limited to using Origin Access Identity to restrict access to their S3 origins to CloudFront. Origin Access Control improves upon Origin Access Identity by strengthening security and deepening feature integrations. Origin Access Control provides stronger security posture with short term credentials, and more frequent credential rotations as compared to Origin Access Identity.
With Origin Access Control, customers can create granular policy configurations through resource-based policies, which provides better protection against confused deputy attacks. Customers can use Origin Access Control to fetch and put data into S3 origins in regions that require SigV4. Also, Origin Access Control allows customers to use SSE-KMS with their S3 origins, which was not possible using Origin Access Identity.
CloudFront supports both the new Origin Access Control and legacy Origin Access Identity. If you have a distribution configured to use Origin Access Identity, you can easily migrate the distribution to Origin Access Control with a few simple clicks. Any distributions using Origin Access Identity will continue to work and you can continue to use Origin Access Identity for new distributions. Refer to the CloudFront origin access migration documentation for upcoming region restrictions.
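As an added illustration (not code from the announcement or from AWS), the following Python builds the Origin Access Control bucket policy the feature relies on, the legacy Origin Access Identity form for comparison, and an audit check that flags public buckets, CloudFront service principals not pinned to the expected distribution, and leftover OAI principals awaiting migration. The bucket name, account ID, distribution ID and OAI ID are constructed placeholders.

```python
"""Audit helpers for CloudFront -> S3 origin access (OAC versus legacy OAI).

Added example, not AWS code. All identifiers are constructed placeholders.
"""
import json

BUCKET = "example-origin-bucket"            # constructed
ACCOUNT_ID = "111122223333"                 # constructed
DISTRIBUTION_ID = "EDFDVBD6EXAMPLE"         # constructed
DISTRIBUTION_ARN = f"arn:aws:cloudfront::{ACCOUNT_ID}:distribution/{DISTRIBUTION_ID}"


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Origin Access Control form: the CloudFront *service* principal may read
    objects only when the SigV4-signed request comes from the one named
    distribution. The AWS:SourceArn condition is the confused-deputy guard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Legacy Origin Access Identity form: trusts a long-lived identity shared by
    every distribution that references it; no per-distribution condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLegacyOAI",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    """Policy JSON allows a scalar or a list in most positions; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_origin_policy(policy: dict, expected_distribution_arn: str) -> list:
    """Return findings for every Allow statement that grants object reads.
    An empty list means the bucket is reachable only through the expected
    distribution via OAC."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:getobject", "s3:*", "*"}:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{sid}: object reads granted to everyone (public bucket)")
            continue
        if "cloudfront.amazonaws.com" in services:
            # Condition keys are case-insensitive in IAM, so normalise before comparing.
            cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
            if _as_list(cond.get("aws:sourcearn")) != [expected_distribution_arn]:
                findings.append(f"{sid}: CloudFront service principal not pinned "
                                f"to {expected_distribution_arn} via AWS:SourceArn")
        for arn in aws_principals:
            if "CloudFront Origin Access Identity" in str(arn):
                findings.append(f"{sid}: legacy OAI principal, migrate to OAC")
    return findings


if __name__ == "__main__":
    good = oac_bucket_policy(BUCKET, DISTRIBUTION_ARN)
    print(json.dumps(good, indent=2))
    print("OAC findings:", audit_origin_policy(good, DISTRIBUTION_ARN))
    legacy = oai_bucket_policy(BUCKET, "E1EXAMPLEOAI")
    print("OAI findings:", audit_origin_policy(legacy, DISTRIBUTION_ARN))
```

Running the audit against a bucket policy fetched with `aws s3api get-bucket-policy` is a quick way to confirm a migrated distribution no longer leaves an OAI grant behind.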
Amazon Connect now enables you to select and manage which days the contact center is open for the purpose of capacity planning. This new feature is part of Amazon Connect forecasting, capacity planning, and scheduling (preview) that helps you predict contact volumes and average handling time, determine optimal staffing levels, and plan agent schedules to ensure you have the right agents working at the right time.
Not every contact center is open for the same days. The ability to select working days in the capacity planning user interface (UI) reduces the manual process to adjust the number of required full time equivalent (FTE) agents. When checking the business operation days drop down list, you can select which days the contact center is open. The capacity planning module automatically adjusts the FTE requirement estimation and updates other related metrics, such as required overtime percent or required voluntary time off percent.
AWS Outposts rack can now be shipped and installed at your data center and on-premises locations in Kenya and Oman.
AWS Outposts rack, a part of the AWS Outposts family, is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any data center or co-location space for a truly consistent hybrid experience. Outposts rack is ideal for workloads that require low latency access to on-premises systems, local data processing, and migration of applications with local system interdependencies. Outposts rack can also help meet data residency requirements.
With the availability of Outposts rack in Kenya and Oman, you can use AWS services to run your workloads and data in country in your on-premises facilities and connect to your nearest AWS Region for management and operations.
This week, AWS are excited to announce the general availability of the Amazon Elastic Kubernetes Service (EKS) Anywhere Curated Packages, which are software packages that extend the core functionalities of Kubernetes. You can now install the Harbor package as a local container registry, the Emissary-Ingress package as the ingress controller, and the MetalLB package as the service type load balancer.
While these software packages are open-source projects you can freely access, the EKS Anywhere Curated Packages are container images that Amazon builds from open-source source code and tests for compatibility at each new EKS Anywhere release. The images also undergo Amazon security scanning and are signed by Amazon. All Amazon-signed curated packages are supported by Amazon under the Amazon EKS Anywhere Enterprise Subscription. The EKS Anywhere Curated Packages are only available to customers with the Amazon EKS Anywhere Enterprise Subscription.
AWS Application Migration Service (AWS MGN) is now available in the Asia Pacific (Jakarta) Region. With this launch, Application Migration Service is available in all commercial AWS Regions.
Application Migration Service helps minimize time-intensive, error-prone manual processes by automating the conversion of your source servers from physical, virtual, and cloud infrastructure to run natively on AWS. It further simplifies your migration by allowing you to use the same automated process for a wide range of applications.
You can also use Application Migration Service to modernize your applications during the migration process by selecting built-in actions such as disaster recovery, CentOS to Rocky Linux conversion, and SUSE subscription conversion.
Starting this week, memory optimized Amazon EC2 X2idn and X2iedn instances are available in Asia Pacific (Jakarta) region. X2idn and X2iedn instances, powered by 3rd generation Intel Xeon Scalable Processors (Ice Lake), are designed for memory-intensive workloads and deliver improvements in performance, price performance, and cost per GiB of memory compared to previous generation X1 instances. X2idn has a 16:1 ratio of memory to vCPU and X2iedn has a 32:1 ratio, making these instances a great fit for workloads such as in-memory databases and analytics, big data processing engines, and Electronic Design Automation (EDA) workloads. X2idn and X2iedn deliver up to 45% more SAPS than comparable X1 instances and are SAP-Certified for running Business Suite on HANA, SAP S/4HANA, Data Mart Solutions on HANA, Business Warehouse on HANA, SAP BW/4HANA, and SAP NetWeaver workloads on anyDB. You can view the certification data on the Certified and Supported SAP HANA Hardware Directory.
EC2 X2idn and X2iedn instances offer the highest Amazon Elastic Block Store (EBS) performance of Amazon EC2 instances with up to 80 Gbps bandwidth and 260k IOPS, and are designed to meet the reliability needs of mission-critical workloads. X2idn and X2iedn will also be available in bare metal. Workloads on bare metal instances will be able to take advantage of all the comprehensive services and features of the AWS Cloud, such as Amazon Elastic Block Store (EBS), Elastic Load Balancer (ELB), and Amazon Virtual Private Cloud (VPC).
X2idn and X2iedn instances offer a new 24xlarge size with 1.5TiB and 3TiB of memory respectively, enabling customers to right-size workloads and lower cost. X2idn and X2iedn instances offer 100Gbps networking throughput with EFA support, and are ideal for workloads like EDA and HPC that need high network performance. Amazon EC2 X2idn and X2iedn instances are built on the AWS Nitro System that offloads many of the traditional virtualization functions to dedicated hardware, delivering high performance, high availability, and highly-secure cloud instances.
With this launch, X2idn and X2iedn instances are available in the following AWS Regions: US East (Ohio, N. Virginia), US West (Oregon), Asia Pacific (Jakarta, Mumbai, Seoul, Singapore, Sydney, Tokyo), Canada (Central), Europe (Frankfurt, Ireland, London, Milan, Stockholm), South America (São Paulo) and AWS GovCloud (US). X2idn and X2iedn will be available for purchase with Savings Plans, Reserved Instances, Convertible Reserved, On-Demand, and Spot instances, or as Dedicated instances or Dedicated hosts.
AWS Glue is now available in the AWS Asia Pacific (Jakarta) Region.
AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. AWS Glue provides both visual and code-based interfaces to make data integration simpler so you can start analyzing your data and putting it to use in minutes instead of months.
You can now pay your experts upfront or with scheduled payments on AWS IQ. With scheduling, you pay experts based on a preset schedule that is set in the proposal. With upfront, you pay for work in advance upon accepting the proposal. You can also pay as you go with milestone payments. As a customer, you review these different payment types in the proposal and can work with your expert to select the option that best fits your project needs.
Experts can now select a payment type while creating a proposal. After setting the proposal amount, select one of three payment types: milestone, upfront, or schedule. Milestone will allow you to send custom payment requests to your customer as work is completed throughout the length of the proposal. Upfront will request payment from your customer upon acceptance of the proposal. Schedule will request ongoing payments based on the schedule you set in the proposal.
AWS WAF Fraud Control - Account Takeover Prevention now supports Amazon CloudFront. AWS WAF Fraud Control - Account Takeover Prevention protects your application’s login page against credential stuffing attacks, brute force attempts, and other anomalous login activities. Account Takeover Prevention enables you to proactively stop account takeover attempts at the network edge. With Account Takeover Prevention, you can prevent unauthorized access that may lead to fraudulent activities, or you can inform affected users so that they can take preventative action.
AWS WAF Fraud Control - Account Takeover Prevention is available in all commercial AWS Regions (except the Asia Pacific (Jakarta) Region) and the AWS GovCloud (US) Regions and, with this launch, can now be used to protect Amazon CloudFront resources.
Amazon SageMaker Automatic Model Tuning now reduces the start-up time of each training job launched to tune your models by 20x on average (from 2.5 minutes to 8 seconds). In scenarios where you have a large number of hyperparameter evaluations, the reuse of training instances can cumulatively save 2 hours for every 50 sequential evaluations.
SageMaker Automatic Model Tuning finds the best version of a model by running many training jobs on your dataset using specific ranges of hyperparameters that you choose for your algorithm. SageMaker Automatic Model Tuning then chooses the most optimal hyperparameter values that result in a model that performs the best.
Before this launch, every training job launched as part of the tuning would incur on average 2.5 minutes of overhead to spin up and prepare a new cluster of SageMaker Training instances. This could become a bottleneck, especially when training jobs take only a few minutes to complete, and slow down your tuning job overall. Starting today, SageMaker Automatic Model Tuning automatically reuses a fixed cluster of training instances within each tuning job, reducing the average start-up time of each training job by 20x.
Starting this week, Amazon Relational Database Service (Amazon RDS) for Oracle supports Oracle Data Guard Switchover and Automated Backups for replica instances (read-only and mounted) deployed within an Availability Zone, or in separate Availability Zones of a given Region, or in separate AWS Regions.
The Oracle Data Guard Switchover feature allows you to reverse the roles between the primary database and one of its standby databases (replicas) with no data loss and a brief outage. It fully automates periodic disaster recovery drills while the primary is active, as well as any infrastructure maintenance of the primary environment. Once a switchover is initiated, the primary database transitions to a standby role, and the standby database transitions to the primary role. Bystander replicas that are not part of the switchover are reconfigured to replicate from the new primary database.
Until today, with RDS for Oracle read and mounted replicas, in order to perform a disaster recovery drill, you needed to promote the replica as a new standalone database and then create a new replica to maintain the replication configuration. Managed Oracle Data Guard Switchover enhances the customer experience by simply reversing the roles of the databases without having to recreate the replicas.
You can also now create Automated Backups and manual DB snapshots of an RDS for Oracle replica, which reduces the time spent taking backups following a role transition. Furthermore, you can create a new DB instance by restoring from such a DB snapshot or perform a point-in-time recovery.
Oracle Data Guard Switchover operation is available in all AWS Regions and incurs no additional cost.
Amazon Polly is a service that turns text into lifelike speech. This week, AWS are excited to announce the general availability of a neural version of Zhiyu, Polly’s Mandarin Chinese female text to speech (TTS) voice.
TTS voices simplify the way you can create, implement, update, and maintain your speech-enabled applications and products. You can use Amazon Polly to enhance the user experience and improve the accessibility of your text content with the power of voice. Common use cases include interactive voice response (IVR) systems, audiobooks, newsreaders, eLearning content, and virtual assistants.
Amazon Polly launched the Mandarin Chinese voice Zhiyu using standard technology in 2018, and as of today a neural version of Zhiyu is also available. The new voice offers more natural intonation and better performance on English in code-mixing scenarios. With this launch, the Amazon Polly portfolio now includes 95 voices across 33 languages and language variants, of which 21 are supported by the neural engine.
AWS IoT SiteWise now supports non-unique asset names under different hierarchies, allowing asset name reusability. The new feature simplifies scaling for companies creating asset hierarchies for more than one hierarchy tree within the same AWS account and AWS IoT SiteWise installation.
Before, asset names had to be unique across all models. This required users to add a prefix in order to distinguish assets in different hierarchies, making it impossible to reuse asset names for a new hierarchy. This feature allows companies to use asset names as unique identifiers across different systems, avoiding the need to maintain different code paths. However, customers are still required to use unique asset names under the same parent asset.
Now with Amazon Forecast, you can seamlessly conduct what-if analyses to quantify the potential impact of business scenarios on your demand forecasts. Amazon Forecast is a fully managed service that uses machine learning (ML) algorithms to deliver highly accurate time series forecasts. Simulating hypothetical scenarios through what-if analyses is a powerful business tool to stress test your planning assumptions by capturing possible outcomes. It is a common practice to assess the impact of business decisions on revenue or profitability, quantify the risk associated with market trends, or evaluate how to respond to logistics and workforce changes to meet customer demand.
With this launch, Amazon Forecast's predictive power is combined with a seamless experience to help you answer what-if questions and quantify the impact of hypothetical scenarios on forecasts. Now, you can define a scenario by transforming your initial dataset through simple operations such as multiplying the price of Product A by 90% or decreasing the price of Product B by $10. These transformations can also be combined with conditions that control where the scenario applies (e.g. reducing Product A's price in one location only). You can also view forecast predictions across all scenarios in the same graph or bulk export the data for offline review.
Amazon Connect now provides a new API to search for security profiles in your Amazon Connect instance. This new API provides a programmatic and flexible way to search for security profiles by name, description, permissions, or tags. For example, you can now use this API to search for all security profiles that have permissions to edit contact flows.
Amazon SageMaker is now available in the AWS Asia Pacific (Jakarta) Region. Starting today, you can build, train, and deploy machine learning (ML) models in the region.
Amazon SageMaker is a fully managed platform that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. SageMaker removes the heavy lifting from each step of the machine learning process to make it easier to develop high quality models.
Starting this week, you have the option to automatically set up connectivity from Amazon Relational Database Service (Amazon RDS) and Amazon Aurora databases to an Amazon Elastic Compute Cloud (Amazon EC2) compute instance during database creation. When provisioning a database using the Amazon RDS console, you now have the option to select an EC2 instance and, with a single click, establish connectivity between the database and the EC2 instance following AWS recommended best practices. Amazon RDS automatically sets up your VPC and related network settings during database creation to enable a secure connection between the EC2 instance and the RDS database.
This eliminates the additional networking tasks such as setting up a VPC, security groups, subnets, and ingress/egress rules manually to establish a connection between your application and database. It improves productivity for new users and application developers who can now quickly launch a database instance and seamlessly connect to an application on a compute instance within minutes.
Google Cloud Releases and Updates
AlloyDB supports customer-managed encryption keys (CMEK), an alternative to its default Google-managed encryption. CMEK is especially useful for AlloyDB users who need to manage their own data encryption keys in order to satisfy specific compliance or regulatory requirements.
You can view which zones host a primary instance's active or standby VMs.
Anthos clusters on AWS (previous generation) aws-1.12.2-gke.1 is now available.
You can now launch clusters with the following Kubernetes versions:
- Added an option to the bmctl backup cluster command to use the disk instead of the in-memory buffer to back up a cluster. Use this option when available RAM is limited on your admin workstation.
- Added an option to the bmctl check cluster --snapshot command to suppress logging to the console during snapshot creation.
Anthos VM Runtime is Generally Available (GA). Some features and capabilities are available for Preview only, as indicated in the following descriptions:
- Upgraded Kubevirt to version 0.49.
- Upgraded Containerized Data Importer (CDI) to version 1.43.0.
- Added a bmctl command to enable or disable Anthos VM Runtime on user clusters.
- Added automatic upgrade of Anthos VM Runtime when upgrading Anthos clusters on bare metal.
- Preview: Added ability to configure an eviction policy that controls how VMs automatically migrate to other hosts during maintenance events.
- Preview: Added non-disruptive upgrading of VM runtime during live migration (that is, when VMs are unobtrusively migrated from one node to another).
- Simplified VM Compute API.
- Added ability to create and manage disk resources for VMs that use Anthos VM Runtime.
- Added ability to schedule VMs using standard Kubernetes scheduling primitives.
- Preview: Added ability to use GPUs in VMs.
- Added more access management capabilities to VM Guest Environment.
- Preview: Added support for guest OS booting of UEFI. Previously, only BIOS was supported.
- Integrated VM telemetry and console logs into Google Cloud console. Telemetry information and log data are critical for monitoring the status of VMs and for troubleshooting problems with your cluster VMs.
- Added VM CPU and memory metrics to Cloud Monitoring. These metrics can be viewed in the Anthos clusters VM status dashboard.
- Added ability to view console logs for VMs that use Anthos VM Runtime.
- Added logs that audit VM pods.
Guest OS support:
Added support for the following guest OS versions running on a Virtual Machine:
- Windows Server 2019
- Windows Server 2016
- Windows 10
- Red Hat Enterprise Linux (RHEL) 8
- RHEL 7
- CentOS 8
- CentOS 7
- Ubuntu 20.04
- Ubuntu 18.04
VM networking features:
- IPAMv4: Static IP Allocation for VM interfaces.
- IP and MAC Stickiness for VM interfaces.
- IPAMv4: DHCP for VM interfaces.
- VLAN tagging support for VM Interfaces.
- Multi-NIC for VM interfaces through native Dataplane V2 support (macvtap + Dataplane V2).
- Static routes and DNS configuration on a per-network basis.
- NetworkPolicy enforcement on a per-network basis.
- Validating admission webhooks for Network and NetworkInterface objects.
- Network mutation: allows mutation of the gateway, DNS and customized network routes in the network custom resource. The parent interface for the VM and the VLAN ID are not mutable. VMs that were already running before the network configuration change need to be restarted to pick up the change.
- Added command to restart all VMs in a network.
Graceful IP release for VMs:
- During VM migration, the IP isn't released.
- IP addresses are released for VMs that are deleted or stopped.
For more information on networking, see Create and use virtual networks for Anthos VM Runtime.
API Keys API
API Keys API is now available in GA.
On August 22, 2022 GCP released an updated version of the Apigee hybrid software, v1.8.0.
For information on upgrading, see Upgrading Apigee hybrid to version 1.8.
Apigee Ingress gateway
Starting in version 1.8, Apigee hybrid offers a new feature to manage the ingress gateway for your hybrid installation, Apigee ingress gateway. Anthos Service Mesh is no longer a prerequisite for hybrid installation. With Apigee ingress gateway, Apigee will stop supplying routing configuration to Anthos Service Mesh. See Managing Apigee ingress.
Apigee hybrid now supports setting UDCA at the org level instead of at the environment level. See orgScopedUDCA in the Configuration property reference.
Support for newer versions of Anthos, Anthos Service Mesh, and Kubernetes
Starting in version 1.8, Apigee hybrid supports Anthos version 1.12, Anthos Service Mesh version 1.13, and Kubernetes version 1.23 on specific platforms. See Apigee hybrid supported platforms and versions for details.
Apigee hybrid now supports KVM pagination (introduced in Apigee X on March 10, 2022). See REST Resource: organizations.keyvaluemaps and REST Resource:
apigeectl now supports the --v option to set the log verbosity level
Starting in version 1.8, apigeectl includes a --v option to set log verbosity levels in the format --v=int, for example apigeectl apply --v=5. This option replaces the --verbose option (now deprecated). This is the same as the --v option. See apigeectl for details.
tools/apigee-pull-push.sh includes a --list option to list all images
Starting in version 1.8, the tools/apigee-pull-push.sh utility has a -l option that lists all images in the gcr repo. See apigee-pull-push.sh for details.
Container Analysis automatic scanning for Java and Go vulnerabilities in container images is now in Preview. If the Container Scanning API is enabled, it scans container images pushed to Artifact Registry for Java and Go vulnerabilities, in addition to operating system vulnerabilities.
Container Analysis returns Java and Go vulnerability results for images that have a supported or unsupported operating system. When you push new versions of images to the registry, you might see more successful vulnerability scans and corresponding charges against images without a supported operating system.
For more information, see the Types of scanning in the Container Analysis documentation.
update dependency com.google.errorprone:error_prone_annotations to v2.15.0
update dependency org.junit.vintage:junit-vintage-engine to v5.9.0
Cloud SQL for SQL Server
Preview: You can double the default size limit for a managed instance group (MIG): zonal MIGs now support up to 2,000 VMs and regional MIGs support up to 4,000 VMs. For more information, see Increase the group's size limit.
Dataflow now uses Regional Managed Instance Groups (MIGs). Previously, Dataflow used zonal MIGs.
If this change causes you to exceed your quota, set your Regional managed instance groups quota to the same limit assigned to your Managed instance groups quota. For more information, see Working with quotas.
- Spark 3.3.0
- Cloud Storage Connector 2.2.7
- Java 17
- Conda 4.13
- Python 3.10
- R 4.1
- Scala 2.13
For VPC-native clusters, the user-managed secondary range for Services can now be shared among clusters in the same subnet. The Services range no longer needs to be unique for clusters on the same subnet. Shared Services ranges are backwards-compatible with all GKE versions.
Organization Policy custom constraints has launched into public preview. Custom constraints can allow or restrict access to API calls in the same way that predefined constraints do, but allow administrators to configure conditions based on request parameters and other metadata. For more information, see Creating and managing custom constraints.
Security Command Center
The following attributes were added to the Finding object of the Security Command Center API:
- Database provides information about access to a database that is related to a finding.
- principalSubject attributes were added to the existing access attribute. These new attributes provide additional context about the principals that are associated with a finding.
- uris, a new attribute within the indicator attribute, lists any malicious URIs that are associated with a finding.
For more information, see the Security Command Center API documentation for the
Microsoft Azure Releases And Updates
Azure Data Explorer (ADX) now supports bringing data from S3 natively without complex ETL pipelines.
Azure Availability Zones are now generally available in the UAE. These three new zones provide you with options for additional resiliency and tolerance to infrastructure impact.
Explore four new features in the no-code editor in Azure Event Hubs. This editor allows you to easily develop a Stream Analytics job without writing a single line of code.
Public IP capability on Azure VMware Solution provides internet connectivity for Azure VMware Solution workloads. You can now use NSX-T manager as your security terminating point.
vRealize Log Insights Cloud with Azure VMware Solution support is now generally available.
Azure VMware Solution has now expanded to Sweden Central. This is in addition to multiple regions across US, Europe, Australia, Japan, UK, Canada, Singapore, and Hong Kong.
Have you tried Hava automated diagrams for AWS, Azure, GCP and Kubernetes? Get back your precious time and sanity and rid yourself of manual drag and drop diagram builders forever.
Hava automatically generates accurate fully interactive cloud infrastructure and security diagrams when connected to your AWS, Azure, GCP accounts or stand alone K8s clusters. Once diagrams are created, they are kept up to date, hands free.
When changes are detected, new diagrams are auto-generated and the superseded documentation is moved to a version history. Older diagrams are also interactive, so they can be opened and individual resources inspected, just like the live diagrams.
Check out the 14 day free trial here: