所以 HiNet DNS Resolver 至少有三段...?

剛剛看到「HiNet DNS系統設備維護作業」:

範圍:苗栗(含)以南至雲林(含)以北HiNet上網用戶

加上之前在「中華的 DNS 架構」提到的公告,這樣看起來 HiNet DNS Resolver 至少是切成三段?

靠著公告在猜架構...

Amazon Kinesis Streams 的 Video 版本:Amazon Kinesis Video Streams

這次 AWS 推出的 Amazon Kinesis Video Streams 在技術上看起來跟 Amazon Media Services 有不少重疊 (參考先前提到的文章「AWS Media Services 推出一卡車與影音相關的服務...」),但產品面上區隔開的服務:「Amazon Kinesis Video Streams – Serverless Video Ingestion and Storage for Vision-Enabled Apps」。

開頭介紹就有提到適合用在各種 IoT 裝置,用在一直有影像資料產生的設備上:

Cell phones, security cameras, baby monitors, drones, webcams, dashboard cameras, and even satellites can all generate high-intensity, high-quality video streams. Homes, offices, factories, cities, streets, and highways are now host to massive numbers of cameras.

像這張圖的所介紹的流程,以及可以保留天數的設計:

底層用了不少與 Amazon Media Services 相同的技術,但是包裝成不同的產品...

Password Spray:用同個密碼暴力打所有的 username

在「Simplifying Password Spraying」這篇看到,原來這個叫做 Password Spray...

To give a little background, traditional brute force attacks of one username with multiple passwords don't work very well against Windows services. This is because they employ lockout functionality after a set number of login attempts. A Password Spray circumvents the lockout functionality by trying only a few of the most common passwords against multiple user accounts, trying to identify that one person who is using 'Password1' or 'Summer2017'.

這個方法可以避開在同一個帳號的防禦機制...

AWS 的翻譯服務:Amazon Translate

Google 的應該是做的最早的,MicrosoftMicrosoft Translator Text API 也出來一陣子了,而 AWS 在這次 re:Invent 推出了自家的翻譯服務 Amazon Translate:「Introducing Amazon Translate – Real-time Language Translation」。

目前還在 Preview,需要申請才能用,不過價目表「Amazon Translate Pricing」已經先出來了 (畢竟已經有競爭對手,可以參考他們的價錢):

Sign up for the Amazon Translate preview today and try the translation service. Learn more about the service by checking out the preview product page or reviewing the technical guides provided in the AWS documentation.

然後目前支援的語言有這些,都是對英文轉換:

At Preview, Amazon Translate supports translation between English and any of the following languages: Arabic, Chinese (Simplified), French, German, Portuguese, and Spanish. Support for more languages is coming soon.

AWS Lambda 可使用的記憶體空間從 1.5GB 變成 3GB

AWS 是說 AWS Lambda 可用的記憶體空間 double 啦,不過 3008MB 這個數字有點怪...:「AWS Lambda Doubles Maximum Memory Capacity for Lambda Functions」。

You can now allocate 3008MB of memory to your AWS Lambda functions. Previously, the maximum amount of memory available to your functions was 1536MB. Now, it's easier to process workloads with higher memory or denser compute requirements, such as big data analysis, large file processing, and statistical computations.

這個就真的全區都生效了,包括一般人不能註冊的 AWS GovCloud (US) 與中國區:

This feature is available in US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), AWS GovCloud (US), Canada (Central), South America (São Paulo), EU (Frankfurt), EU (Ireland), EU (London), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), and China (Beijing).

Amazon API Gateway 可以透過 NLB 接進 VPC 內了

AWS 宣佈可以透過 Network Load BalancerAPI Gateway 接進 VPC 內了:「Amazon API Gateway Supports Endpoint Integrations with Private VPCs」。

You can use API Gateway to create an API endpoint that is integrated with your VPC. You create an endpoint to your VPC by setting up a VPC link between your VPC and a Network Load Balancer (NLB), which is provided by Elastic Load Balancing.

基本上是所有的區域都有了,除了美國政府的區域外:

This feature is now available in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), Canada (Central), South America (São Paulo), EU (Ireland), EU (Frankfurt), EU (London), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), and Asia Pacific (Mumbai) AWS regions.

是透過 NLB 接進去,而不是 ELB Classic 或是 ALB,可以來想像網路架構是怎麼做的...

Microsoft 虛擬化的兩個消息:Azure 被打臉以及 AWS 推出轉移工具

首先是 VMware 發文打臉 Microsoft 說他們所宣稱的轉移工具 (從 VMware 轉到 Azure 上) 並沒有 VMware 原廠支援:「VMware – The Platform of Choice in the Cloud」。

然後 AWS 則是推出了從 Hyper-V 轉移到 AWS 的工具:「Migrate Hyper-V VMs to AWS with AWS Server Migration Service」,這邊倒是沒提到官方支援...

這臉不只是腫腫的而已了,有種連續技的感覺 XD

LinkedIn 忘記續約導致 SSL Certificate 過期

Netcraft 上看到 LinkedIn 出包的消息,這次是 country-mixed 的版本出包:「LinkedIn certificate blunder leaves users LockedOut!」。

在 DNS 上也可以看出來這兩個 CNAME 到不一樣的 load balancer 上:

;; ANSWER SECTION:
www.linkedin.com.       260     IN      CNAME   2-01-2c3e-003c.cdx.cedexis.net.
2-01-2c3e-003c.cdx.cedexis.net. 93 IN   CNAME   pop-ehk1.www.linkedin.com.
pop-ehk1.www.linkedin.com. 3560 IN      A       144.2.3.1
;; ANSWER SECTION:
de.linkedin.com.        86400   IN      CNAME   cctld.linkedin.com.
cctld.linkedin.com.     86400   IN      CNAME   mix.linkedin.com.
mix.linkedin.com.       213     IN      CNAME   pop-ehk1.mix.linkedin.com.
pop-ehk1.mix.linkedin.com. 3546 IN      A       144.2.3.5

SSL Labs 上也看得出來在 Alternative names 的地方是不一樣的:「SSL Server Test: www.linkedin.com (Powered by Qualys SSL Labs)」、「SSL Server Test: de.linkedin.com (Powered by Qualys SSL Labs)」。

然後因為 LinkedIn 有設定 HSTS,所以使用者在界面上完全無法登入:

Google Chrome 上可以用 badidea 繞過 (參考「在 Google Chrome 連上因 HSTS 而無法連線的網站」),但在 Mozilla Firefox 上的話目前沒找到方法可以在界面上 bypass,而是需要改 SiteSecurityServiceState.txt 這個檔案:「HTTP Strict Transport Security prevents me from accessing a server that I'm doing development on」。

不過也因為兩個 cluster 獨立運作,網址改一下應該就會動了...

這幾年比較很少看到大公司出這種包,還蠻有趣的 XD

Etsy 介紹的 Cache Smearing

Etsy 的 engineering blog 上提到了他們怎麼設計 cache 機制:「How Etsy caches: hashing, Ketama, and cache smearing」。

使用 consistent hash 已經是基本款了,文章裡花了一些篇幅介紹為什麼要用 consistent hash。

後半段則是有了 consistent hash 後會遇到的問題,也就是講 hot key 怎麼處理:有些資料非常熱 (常常被存取),就算用 consistent hash 也還是有可能搞爆單一機器。

他們做了幾件事情,第一件事情是設計 cache smearing 機制,把單一資料加上 random key,使得不同的 key 會打散到不同的機器上:

Let’s take an example of a hot key popular_user_data. This key is read often (since the user is popular) and is hashed to pool member 3. Cache smearing appends a random number in a small range (say, [0, 8)) to the key before each read or write. For instance, successive reads might look up popular_user_data3, popular_user_data1, and popular_user_data6. Because the keys are different, they will be hashed to different hosts. One or more may still be on pool member 3, but not all of them will be, sharing the load among the pool.

第二件事情則是監控哪些 key 比較熱門:

We’ve seen this problem many times over the years, using mctop, memkeys, and our distributed tracing tools to track down hot keys.

第三件事情是維護 hot key 的清單 (不是每個 key 都會上 cache smearing):

We manually add cache smearing to only our hottest keys, leaving keys that are less read-heavy efficiently stored on a single host.

是個當規模大到單一 hot key 會讓單台伺服器撐不住時的 workaround...

Amazon API Gateway 支援 Canary Release 了

Amazon API Gateway 支援 Canary Release 了:「Amazon API Gateway Supports Canary Release Deployments」。

Canary Release 重點在於逐步轉移,而不是直接硬切,大致上可以分成三個階段。

首先是一開始的情況:

切到一半的情境:

最後完全使用新版本:

這個方法可以避免新的 code 有效能問題,造成後端壓力過大... 不過這樣就要確定新舊版本的程式碼可以同時跑 (像是後端資料庫的 schema 必須相容這兩個版本)。

前幾天提到的「AWS CodeDeploy 支援在 AWS Lambda 上跑更多奇怪花樣」算是相關的功能,讓 AWS CodeDeploy 參與其中做出各種變化。