Devops

Cloud Hosting IaaS vs PaaS

A topic I hear from clients fairly regularly these days is a plan to move to "the cloud", or we take over a site built by someone else that's hosted in "the cloud". However in virtually every case it's an IaaS setup and they don't really know what the difference between IaaS and PaaS is.

What is IaaS?

So what is infrastructure as a service (IaaS for short)? To put it quite simply, IaaS in the cloud, be that Azure or AWS, takes away the burden of managing your own or rented servers.

Anyone who's worked in a corporate environment can tell you getting some new servers can be a lengthy process. Someone needs to arrange for them to be purchased, placed in a physical location, software installed etc. Even when the management of this has been outsourced to another company, it still remains a lengthy process.

Equally, anyone working for a small company can tell you it's not much better. There may be far fewer approval processes to jump through, but you're on your own trying to buy and set up this kit from somewhere.

IaaS solves this by providing a very, very quick service where you request a specific setup and a VM gets created for you, ready to go in a couple of minutes. You can pick from a range of locations around the world, and when you don't need it any more you turn it off. There are no large commitments to keeping a server for 6 months; you pay by the minute, scaling up and down as needed.

IaaS is a very simple replacement for your current setup, as it's essentially the same thing just with much better management control around it.

What is PaaS?

Platform as a service (PaaS) is what people really mean when they talk about the future and the cloud. If you go to a conference and hear Microsoft talk about Azure, you can be 99% certain it's a PaaS service they're talking about.

To understand it, think about the process of getting some office space. You could buy a plot of land, have a building placed on it and turn it into your office. But when the roof leaks you'll need to arrange for that to be fixed, you'll need to arrange regular fire alarm tests to make sure everyone remains safe, and when an issue is discovered in the building's security you'll need to get that fixed too. You didn't really want to be a building manager, but that's what's happened.

The alternative is to rent some office space and leave the management to somebody else. All you have to do is follow some rules like don't go on the roof and don't go in that cupboard where all the fire alarm equipment is.

PaaS is a bit like this: we didn't really want a box running Windows Server that we need to keep secure and up to date. We just want a SQL Server DB, and that traditionally comes with a need to have a server to run it on. Equally, for hosting a website we really just want somewhere our site's going to run, in the same way that for office space we just want somewhere for our staff to sit. It's unlikely that we're ever going to use these servers for more than one purpose, so we don't really need a generic system that allows us to install a multitude of things.

So with PaaS, rather than buying a server you're buying a service, which could be a web application, a DB or many other things. As this is no longer just buying server space, there are a number of restrictions. For example, with a web application, saving anything on the file system is ruled out. Your application is going to be there, but part of what makes it possible for all the server updates to be done for you is that at any time your application could be moved to a brand new server, and anything not in the package to set it up will be lost.

The importance of build numbers

If I were to make a prediction, I would say that build numbers are rarely treated as important in the agency world of web development. That's not to say milestone releases aren't given names like "Phase 2", "August Release" or a major feature name, but for every build / release of a project in between, I sense build numbers are largely either ignored or never created.

It's also easy to see why, after all it's not like we're producing software that's going out to the masses to be installed. The solution is essentially just ending up having 1 install on a set of servers. When a new version is built, that replaces everything that came before it and if a bug is found we generally roll forward and fix the bug rather than ever reverting back.

Why use build numbers?

So when we're constantly coding and improving applications in an agile world why should we care about and use build numbers?

To put it quite simply, it's just an easy way to identify a snapshot of code that could actually have been built and then released to a server. This becomes hugely useful in scenarios such as:

  • A bug being reported by an end user
  • An issue being identified by some performance monitoring
  • An issue being picked up in some functionality further on from the site. e.g. in an integration

Without build numbers the only way to react to these scenarios is to look at commit dates in source control or manual release notes that may have been created to try and work out where an issue may have been created and what changed at that time. If the issue had subsequently been fixed you also can't really give a version description when it was fixed other than a rough date.

Other advantages of build numbers can include:

  • Being able to reference a specific version that has been pen tested
  • Referencing a version that's been tested with integrations
  • Having approval to release a specific version rather than just the latest on master
  • Anywhere you want to have a conversation referencing releases

Build numbers for deploys

The first step to using build numbers, and with the rise in CI possibly the one thing most people are already doing, is to start creating build numbers via a build server. By using any type of build server you will end up with build numbers. This instantly gives you a way to know when a build was created and what commits were new within the build.

Start involving an automated deployment setup, either using your build server or with other tools like Octopus Deploy, and you will now start to get a record of when each build was deployed to each server.

Now you have an easy way to not only reference what build was on each environment and when through the deploy history, but also a way to see what went into a build through the build server's change log.

Tag builds in source control

Being able to see the changes that went into each build on your build server is all very good, but it's still not an ideal situation for finding the exact code version a build relates to.

Thankfully, if you're using Team City it's really easy to set it up to create a tag in your source control with each build number. Simply go to the build features section of your project's configuration and add a feature called "VCS Labeling". This is a step that happens post build in the background and will create a tag in source control including the build number. It has lots of other configuration options, so if you need different tag formats for different branches it's got you covered.

If you're using GitHub, once this is turned on you will be able to see a list of all the tags in the releases section.

Update Assembly info

Being able to identify a build in source control and view a history of what should have been on a server at a particular time is all very good, but it's also a good idea to be able to easily identify a build for a published version of code. That way, just by looking at the code on a server you can tell which build version it is, and not rely on your deployment tool to be correct.

If you're using Team City this is also made super simple through a build feature called "Assembly info patcher". When using this, the build number will automatically get patched in without having to edit AssemblyInfo.cs.
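One way to use the two features together when checking a server, as an added example that is not from the original post: read the build number back out of the deployed assemblies and resolve it to the tagged commit. The paths, the assembly filter and the `build-<version>` tag format are assumptions, as is the patched build number ending up in each assembly's file version.

```powershell
# Added example. Assumptions (not from the post): the bin path, the assembly
# filter, the repository path and the "build-<version>" tag format.
function Get-DeployedBuild {
    param(
        [Parameter(Mandatory)] [string] $BinPath,
        [string] $Filter = 'Example.*.dll'      # hypothetical assembly naming
    )
    Get-ChildItem -Path $BinPath -Filter $Filter -File | ForEach-Object {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
        [pscustomobject]@{ Assembly = $_.Name; FileVersion = $info.FileVersion }
    }
}

function Resolve-BuildCommit {
    param(
        [Parameter(Mandatory)] [string] $RepoPath,
        [Parameter(Mandatory)] [string] $Version,
        [string] $TagPrefix = 'build-'          # hypothetical tag format
    )
    # rev-list resolves both lightweight and annotated tags to the commit.
    $commit = git -C $RepoPath rev-list -n 1 "$TagPrefix$Version" 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    return $commit
}

$deployed = @(Get-DeployedBuild -BinPath 'C:\inetpub\wwwroot\example\bin')
$versions = @($deployed.FileVersion | Sort-Object -Unique)

# More than one version means files from different builds are mixed on disk.
if ($versions.Count -gt 1) {
    Write-Warning "Assemblies from more than one build are deployed: $($versions -join ', ')"
}
foreach ($version in $versions) {
    $commit = Resolve-BuildCommit -RepoPath 'C:\src\example' -Version $version
    if ($commit) { "Build $version was built from commit $commit" }
    else         { Write-Warning "No tag found for build $version" }
}
```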

Conclusion

By following these tips you will now be able to identify a version by looking at the published code, see a history of when each version was not only built but also released to each environment and also have an easy way to find the exact source for that build.

The build number can then be used in any conversations around when a bug was introduced and also be referenced in release notes, so everyone can keep track of what versions included what fixes in a simple to understand format.

Setting IP restrictions in IIS

It's a frequent scenario that a website you're in the process of building needs to be accessible over the internet before it should actually be publicly available over the internet. This can come in the form of clients needing to review staging sites before they're live, test sites needing to be accessible to testers who may not be in a location that can access private servers, or working jointly with other suppliers.

This scenario presents a lot of dangers: the URL of a site could get leaked early, ruining a marketing strategy, or the site could end up in Google, destroying the SEO value of the client's current site and, even worse, actually getting real customers visiting it.

There are only 2 real methods of protecting test/staging sites. One is adding authentication to the site restricting access to people with a valid username and password. The other is IP white-listing so only people from a valid IP can access the site.

In the past I've seen people suggest using a robots.txt to tell search engines to ignore the site. This is guaranteed to fail: Google will index a site even with a robots file saying not to. Your robots file may say don't crawl, but that auto-generated Sitemap will be obeyed and the files indexed. There will also come a time when the robots file gets copied live, de-indexing the live site, or someone forgets the file on staging and the staging site is indexed.

Using IIS to set up IP restrictions

Using IIS to set up IP restrictions is quick and easy, and what's best about it is you can set it at the server level and not worry about people forgetting to add it to new sites. Better still you can also easily add configuration at a website level to allow certain people to see certain sites rather than the whole box.

Installing the Feature

First you need to make sure you have the feature installed on IIS. To do this on Windows Server 2012:

  1. Go to Server Manager and click "Add roles and features"
  2. Click next to take you from the Before you begin page to Installation Type
  3. Leave Role-based selected and click next
  4. On the Server Selection screen the server you're on should be auto selected. Click next
  5. On the Server Roles screen scroll down to "Web Server (IIS)". IP and Domain Restrictions is located under Web Server (IIS) > Web Server > Security
  6. Click the check box on IP and Domain Restrictions if it's not already selected and complete the wizard to install the features.

Configuring IIS

To set up an IP restriction in IIS do the following:

Open IIS and select your server in the left hand treeview. Alternatively if you wanted to add the restrictions to an individual site, select that site.

Within the IIS section you should have an item titled IP Address and Domain Restrictions

The configured IP addresses will be listed out. To add a new one click the "Add Allow Entry" action on the right.

This screen allows you to set up allow and deny lists, but the restrictions don't actually have an effect until you edit the feature settings.

On this screen you need to set the access for unspecified clients to deny. You can also specify a deny action type which alters the status code between unauthorized, forbidden, not found and abort.
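The same install and configuration steps scripted with the WebAdministration module, as an added example that is not from the original post. The site name and the IP addresses are constructed placeholders; drop `-Location` from each call to apply the settings at server level instead.

```powershell
# Added example. Run in an elevated session on the IIS server.
# Assumptions (not from the post): the site name and the allowed addresses.
Import-Module WebAdministration

$site    = 'Staging Site'                       # hypothetical site name
$allowed = '203.0.113.10', '198.51.100.24'      # constructed documentation addresses
$filter  = 'system.webServer/security/ipSecurity'
$apphost = 'MACHINE/WEBROOT/APPHOST'            # write to applicationHost.config

# Install "IP and Domain Restrictions" if the role service is missing.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# Add one allow entry per address, skipping any that already exist so the
# script can be re-run without duplicate-entry errors.
$existing = (Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/add").ipAddress
foreach ($ip in $allowed) {
    if ($existing -notcontains $ip) {
        Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
            -Name '.' -Value @{ ipAddress = $ip; allowed = 'true' }
    }
}

# The allow list has no effect until unspecified clients are denied.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name allowUnlisted -Value 'false'

# Deny action type: Unauthorized, Forbidden, NotFound or AbortRequest.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name denyAction -Value 'NotFound'

# Read the result back to confirm what is actually in effect.
Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name allowUnlisted |
    Select-Object -ExpandProperty Value
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```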

What this doesn't do

What this won't do is block all traffic not in the allow list to your server. It will only cover IIS, so if you have other services running on your box like SQL Server, Mongo, Apache etc. these will all still be publicly available.
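A check for exactly that gap, as an added example that is not from the original post: list every TCP listener on a non-loopback address other than the web ports, with the owning process and the Windows Firewall rules that allow inbound traffic to it. The web port list is an assumption, and port ranges in firewall rules are not expanded.

```powershell
# Added example. Run in an elevated session on the server.
$loopback = '127.0.0.1', '::1'
$webPorts = 80, 443          # assumption: the ports the IIS bindings use

# Enabled inbound allow rules with the local ports and remote addresses they cover.
$openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $port.Protocol
            LocalPort = @($port.LocalPort)      # exact ports, 'Any' or ranges
            Remote    = @($addr.RemoteAddress)
        }
    } | Where-Object { $_.Protocol -in 'TCP', 'Any' }

Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin $loopback -and $_.LocalPort -notin $webPorts } |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $p     = $_.LocalPort
        $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # Ranges such as "5000-5010" are not expanded here; review those rules by hand.
        $rules = @($openRules | Where-Object {
            $_.LocalPort -contains "$p" -or $_.LocalPort -contains 'Any'
        })
        [pscustomobject]@{
            Port      = $p
            Process   = $proc.ProcessName
            AllowedBy = ($rules.Rule -join '; ')
            AnyRemote = [bool]($rules | Where-Object { $_.Remote -contains 'Any' })
        }
    } | Format-Table -AutoSize
```

A row with `AnyRemote` set to True is a service the host firewall lets any address reach, regardless of the IIS allow list; a firewall in front of the server may still block it.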