3.1.2 IaC, Serverless & Microservices
Modern application development and deployment rely on automated infrastructure and modular architectures to ensure consistency, scalability, and enhanced security posture.
Infrastructure as Code (IaC) IaC is the practice of managing and provisioning computing infrastructure through machine-readable definition files rather than manual hardware configuration or interactive configuration tools.
- Automation and Consistency: Eliminates "configuration drift" by ensuring every environment (Dev, Test, Prod) is identical, reducing the human error associated with manual setups.
- Version Control: IaC templates (YAML, JSON) are stored in repositories like Git, allowing teams to track changes, perform audits, and roll back to known-secure states.
- Immutable Infrastructure: Instead of patching a running server, a new instance is deployed from the updated IaC template and the old one is decommissioned, ensuring no unauthorized changes persist.
- Orchestration: Tools like Terraform or CloudFormation manage the lifecycle of resources across complex environments.
Microservices Architecture Microservices break a monolithic application into a collection of small, independent services that communicate over a network using lightweight protocols like HTTP/REST.
- Decoupling: Each service performs a single function, allowing for granular scaling and easier updates without affecting the entire system.
- Attack Surface: While it increases the number of endpoints to secure, it allows for segmentation and specialized security controls for sensitive services (e.g., a payment service).
- APIs: The primary communication method; securing these requires robust authentication (OAuth2) and rigorous input validation.
- Service Mesh: A dedicated infrastructure layer (like Istio) that handles service-to-service communication, providing built-in encryption (mTLS) and observability.
Serverless Computing Serverless (Function as a Service or FaaS) allows developers to run code without managing the underlying physical or virtual servers.
- Abstraction: Cloud providers (AWS Lambda, Azure Functions) handle all patching, scaling, and hardware security, shifting the operational burden away from the organization.
- Ephemeral Environments: Functions are short-lived, executing only when triggered by an event, which limits the time an attacker has for persistence.
- Resource Limits: Configurable timeouts and memory limits prevent "denial of service" attacks from consuming excessive resources.
- Logging/Monitoring: Since there is no OS to log into, security relies heavily on robust application-level logging through cloud-native tools (CloudWatch, Stackdriver).
Quick Recall - Configuration Drift: The primary problem IaC solves by maintaining a "single source of truth." - Immutable Support: The concept of replacing resources rather than modifying them. - API Gateway: The "front door" for microservices that manages traffic, throttling, and authentication. - Horizontal Scaling: Adding more instances of a service or function to handle load. - Orchestration: The automated coordination and management of complex computer systems and services.