ADVANCED

Intro

Welcome

This Level 200 ADVANCED Course is where your Exoscale cloud architect journey begins. It will help you learn the core technical concepts, dive into networking components and configuration, and introduce you to critical cloud topics.

You learn about the Exoscale platform products, fundamental technology concepts (VMs, cloud-init, automation, scaling, data traffic, object storage, block storage, backup), and the necessary networking themes (switching, routing, network load balancing, and private networking). Furthermore, we look into more advanced topics like CDNs, database as a service, container orchestration, and cloud challenges.

This course targets people who do not need to sell cloud services or develop software for cloud platforms; it is aimed at cloud architects. So, we are talking about people with the to-be-build skillset of defining and implementing cloud infrastructure. Architects keep the cloud infrastructure up-to-date, scaling it up or down and saving operational costs.

IaaS+

Infrastructure as a Service is the cloud service model we support with the Exoscale platform and a bit more, hence, IaaS+.

Platform

A state-of-the-art IaaS platform providing the building blocks for your application infrastructure.

Data Centers

Getting the necessary cloud infrastructure components is easy. In Europe, there is always an Exoscale data center near you.

Before we start the Solution Architect journey, we need a quick overview of the main benefits of using the cloud infrastructure provided by the Exoscale platform and the portfolio of products it consists of.

Exoscale Benefits

The real beauty of the cloud is that everything is customizable and automatable in a variety of ways:

OpenAPI with all platform functions available
Exoscale CLI a flexible command-line interface
Terraform plugins for extensive automation
IAM/Keys for extensive configuration and access control
Custom Templates for the ultimate support in OS version choice

Exosscale Products

Compute

Details

Exoscale offers a range of products related to cloud servers, also known as virtual machines or Compute Instances. These products allow users to easily manage virtual machines, create instance pools, and ensure fault tolerance through anti-affinity groups. SKS and Block Storage options provide scalability, increased computational power, and storage flexibility. IAM and organization management tools allow for secure access control and user management. With various networking products available, users can configure workloads to meet their specific requirements, including secure private networking, firewall management, Network Load Balancer, Elastic IP addresses, and IPv6 support.

Exoscale’s cloud infrastructure is simple, fast-performing, and can scale with businesses’ needs. Overall, Exoscale offers a comprehensive and flexible cloud computing platform suitable for organizations of all sizes and industries.

NOTE! Here, you can find all the details in the online documentation for COMPUTE.

Instances

For better requirement matching, various instance types are available to use:

Standard: Provide a balanced mix of CPU cores, RAM, and SSD local storage to cover a variety of use cases and allow you to implement your architecture.
CPU Optimized: These are optimized for CPU-intensive applications, offering a higher CPU-to-memory ratio. They offer a more significant computational advantage for workloads like batch processing, media decoding and encoding, network appliances, or high-performance web servers.
Memory Optimized: These are the best performance-to-cost ratio for memory-intensive workloads and are ideal for RAM-intensive applications. They double the memory per core with a price reduction of up to almost 25 % compared to Standard Instances.
Storage Optimized: These are the same mix of CPU and RAM as our Standard Instances but use larger drives, greatly expanding the overall data capacity. Consequently, they lower the cost per GB by more than 60 %.
GPU1: Provides up to 4 dedicated NVIDIA Tesla P100 graphic cards to perform deep learning, high-performance computing, or other types of intensive computation. Save up to 75% compared to the competition, and no long-term commitment.
GPU2: Based on Tesla V100, offers nearly double single-precision and double-precision teraflops compared to GPU1, as well as 640 dedicated Tensor Cores to train AI models that would consume weeks of computing resources in a few days.
GPU3: Is the all-rounder for AR, VR, Simulations, Rendering, AI, and more. Combining the latest Ampere RT Cores, Tensor Cores, and CUDA Cores with 48 GB of graphics memory allows the A40 to deliver a unique set for visual computing workloads.

Instance Pools

Exoscale Instance Pools are a service to automatically provision groups of identical Compute instances. You can define several instances in the pool, and the service will keep the required number up and running for you to achieve.

High Availability: Using an Instance Pool ensures that the target quantity of instances is running.
Elasticity: Instance Pools can be scaled up and down dynamically. Hence, the number of instances matches the actual load for better cost efficiency.

NOTE! Here, you can find more details on Instance Pools.

SKS (Scalable Kubernetes Service)

Exoscale’s SKS is a managed Kubernetes offering, which consists of:

Managed Kubernetes control planes
Dynamic Nodepool attachment
Control Plane access management facilities
Full API support

Exoscale’s Scalable Kubernetes Service (SKS) provides a powerful and efficient way to deploy and manage your applications quickly. With this fully managed K8s service, you can quickly scale up and down your worker nodes and have complete control over the entire life cycle of your cluster.

Exoscale provides various integration options, including CLI, API, portal, Terraform support, and deep NLB integration.

NOTE! Here, you can find more details on SKS.

Block Storage

Exoscale’s Block Storage offers a robust and distributed block device solution for Exoscale Compute instances, known for its redundancy and reliability. A Volume, a singular storage unit, can be partitioned and formatted to accommodate directories and files. One of the critical features of Block Storage is the Snapshot, which captures the state of a volume at a specific moment, allowing users to create new volumes based on that state.

NOTE! Here, you can find more details on Block Storage.

Templates

Exoscale provides various Compute instance templates from which to choose. However, you can customize templates to suit your needs further. In addition to using a Cloud-Init configuration via an instance’s user data or a configuration management tool such as Puppet, Ansible, or Terraform, you can also create customized templates. You can use custom templates to launch a custom operating system or custom template configuration on Exoscale, which allows you to deploy ready-to-go instances with minimal startup configuration.

NOTE! Here, you can find more details on Custom Templates.

Security Groups

Exoscale Security Groups provide a modular way to define and compose firewall rules. The rules are managed at the hypervisor level to restrict incoming and outgoing network traffic.

NOTE! Here, you can find more details on Security Groups.

Elastic IP

All Exoscale instances include a native IPv4 address leased from a global pool. This address is strongly coupled to the Compute instance itself. When you destroy the instance, you release the IP address to the global pool without guarantee that you will ever get the same IP address again. However, there are various cases where you may want an IP address to persist. By creating an Elastic IP, you can have a specific IP address for your organization. You can then attach it to one or several instances besides their native IP address.

The simplest use case for this feature is to use an Elastic IP as a persistent IP address you can move between instances. This allows you to circumvent the IP address change when destroying an instance. You can always switch the underlying instance and point traffic to the same address with an Elastic IP.

NOTE! Here, you can find more details on Elastic IPs.

Load Balancers

A Network Load Balancer (or NLB) is a Layer 4 (TCP/UDP) load balancer that distributes incoming traffic to Compute instances managed by an Instance Pool. An NLB comprises several services, each bound to an Instance Pool in the same zone as the NLB. Services will efficiently forward connections reaching the NLB’s IP address to the member instances of the Instance Pool.

While the instances remain individually accessible through their public IP, the NLB will expose a single IP address for all services and distribute the incoming traffic across the members of the Instance Pool following the service’s rules. NLB services will update automatically when the Instance Pool scales up or down, distributing traffic across all reachable member instances of the pool and excluding unreachable ones using an integrated health check functionality.

NLB acts only on incoming traffic, so all return traffic from the backend to the client that originated the request goes out directly from the pool member instance.

NOTE! Here, you can find more details on Network Load Balancer.

Private Networks

The Private Network is a classic layer 2 segment: it is as if your instances were attached to a dedicated switch. This means:

You can use any ethernet-compatible protocol (IPv4, IPv6, NetBIOS).
Security group rules do not apply to traffic inside private networks.
Multicast and broadcast are authorized.
Only your instances are attached to the segment.
No encryption is performed, but your packets do not leave our data center.
Private Networks can be managed.
Private Networks do not span across several zones.

Each instance may provision one or more additional unmanaged and managed network interfaces. This interface is bound to a private network segment shared only with your other instances.

NOTE! Here, you can find more details on Private Networks.

SSH Keypairs

SSH keypairs can authenticate to your Compute instances running Linux without a password, leveraging SSH Public-Key authentication’s added security. Public-key authentication is both:

Secure: Breaking an SSH key requires so much time and computational power that these attacks are impractical in the real world. SSH keys are much more secure than even very strong passwords.
Convenient: Instead of managing per-instance passwords or sharing them across your organization, every person who needs access to your servers gives you their public key. You can then set up granular access control by adding those keys only to the relevant instances. Suppose you need to revoke someone’s access. In that case, simply revoking their key prevents them from logging in without affecting other people’s workflow.

NOTE! Here, you can find more details on SSH Keypairs.

Anti-Affinity

Anti-Affinity groups let you specify which instances should run on separate hosts. For example, in an HA (high availability) cluster, you could keep your instances on distinct hypervisors to ensure more reliable fault tolerance.

NOTE! Here, you can find more details on Anti-Affinity Groups.

Storage

Object Storage

Exoscale’s Simple Object Storage (SOS) is a scalable and cost-effective solution for storing and managing large amounts of data. It offers highly available multi-redundancy storage, ensuring data safety and accessibility. You can store various files and objects, such as assets, backups, and media files. Your data remains in the exact location you store it, and Exoscale replicates it in at least three physical copies for maximum safety.

Features Overview:

S3 compatible
Direct HTTP/S access
Metadata support
ACL and CORS support
For any data
Pay for what you use
Free inbound traffic

The S3-compatible API allows for easy integration with existing workflows and applications. SOS provides low latency, high bandwidth, and secure HTTP(s) access, allowing fast and secure data management from any location. You can enhance this with Exoscale’s CDN integration.

NOTE! Here, you can find all the details in the online documentation for STORAGE.

CDN

Exoscale’s CDN service, developed with Ducksify, makes distributing your assets globally with Akamai’s delivery network simple. It improves performance and user experience by caching assets in multiple locations. You can easily integrate it with our SOS service to make content available through the CDN endpoint.

Features Overview:

Modern protocol support
World-class delivery availability
Improved download completion rates
Leveraging the Akamai Intelligent Platform
QUIC (Quick UDP Internet Connections) support
Enable on your SOS bucket
Volume-based pricing
Powered by Ducksify

The CDN offers predictable pricing and is a reliable solution for enhancing your application’s performance.

NOTE! Here, you can find all the details in the online documentation for CDN.

DBaaS

Details

Exoscale’s end-to-end encrypted database as a service (DBaaS) offering is a powerful solution for businesses to host their data and databases in the cloud securely. With this service, users can start within minutes, making it easy to quickly deploy and manage their databases without any delays or downtime. In addition, Exoscale’s DBaaS offering is entirely GDPR-compliant, ensuring businesses can meet regulatory requirements and keep their data safe and secure. Furthermore, as a fully managed service, Exoscale takes care of all the maintenance and management of the databases, allowing users to focus on their core business activities.

Features Overview:

Full lifecycle management
Termination protection
Automatic backup policy
Available in all zones
Dedicated instances

Finally, Exoscale’s DBaaS offering supports a wide range of open-source databases, allowing users to choose the best database and providing a robust and secure solution for businesses that host their data and databases in the cloud.

DBaaS Overview

Managed PostgreSQL Service often referred to as Postgres is an advanced, open-source relational database management system (RDBMS). Renowned for its robustness, performance, and extensive feature set, it supports complex queries, transactions, and advanced data types. PostgreSQL is highly extensible and standards-compliant with SQL. Due to its reliability, data integrity, and concurrency features, it is widely used in various environments, from small-scale applications to large-scale enterprise systems. Additionally, it supports numerous programming languages and can handle massive amounts of data efficiently.

Managed MySQL Service is a widely used, open-source relational database management system (RDBMS) known for its speed, reliability, and ease of use. MySQL, developed by Oracle Corporation, supports standard SQL and provides a powerful, flexible, scalable database management solution. It is commonly used for web applications, often in conjunction with PHP, due to its integration with various platforms and ability to handle large volumes of data efficiently. MySQL offers strong support for transactional processing, data replication, and security, making it a popular choice for developers and enterprises seeking robust database performance.

Managed Kafka Service is an open-source stream-processing platform developed by the Apache Software Foundation. It is designed to build real-time data pipelines and streaming applications. Kafka efficiently handles high-throughput, low-latency data transfer and can process millions of messages per second. It operates as a distributed system that ensures fault tolerance and scalability. Kafka’s core components—producers, consumers, brokers, topics, and partitions—enable the reliable streaming and storage of data across various systems. It is widely used for log aggregation, event sourcing, real-time analytics, and integrating disparate systems.

Managed OpenSearch Service is an open-source search and analytics engine derived initially from Elasticsearch and maintained by the OpenSearch community and Amazon Web Services (AWS). It provides capabilities for indexing, searching, and analyzing large volumes of data in real-time. OpenSearch is designed to be scalable, highly available, and secure, supporting full-text search, structured search, and complex data analysis. It includes OpenSearch Dashboards for data visualization, enabling users to create interactive charts, graphs, and dashboards. OpenSearch is widely used in log and event data analysis, monitoring, and business intelligence applications.

Managed Caching Service (Redis compatible - Remote Dictionary Server) is an open-source, in-memory data structure store used as a database, cache, and message broker. Known for its high performance, Redis supports various data structures such as strings, lists, sets, hashes, and more. It offers sub-millisecond latency, making it ideal for real-time applications like caching, session management, and analytics. Exoscale for Caching includes features like replication, persistence, and clustering to ensure reliability and scalability. Its versatility and efficiency make it popular for developers aiming to improve application speed and responsiveness.

Managed Grafana Service is an open-source analytics and monitoring platform that allows users to visualize, analyze, and alert on data from multiple sources. Known for its customizable and interactive dashboards, Grafana supports a wide range of data sources, including Prometheus, Graphite, InfluxDB, and Elasticsearch. It provides powerful query capabilities, real-time alerting, and flexible visualization options like graphs, heatmaps, and histograms. Commonly used for monitoring system performance, application metrics, and business KPIs, Grafana helps teams make data-driven decisions by providing clear, comprehensive insights into their data.

NOTE! Here, you can find all the details in the online documentation for DBAAS.

DNS

Details

Exoscale’s cloud-native DNS provides a powerful solution for businesses looking to take complete control of their DNS and automate deployments. With Exoscale’s DNS, users can easily manage new records and zones, giving them complete control over their infrastructure. Exoscale’s DNS is also built on an anycast network, providing low-latency resolution for users worldwide. This ensures users can access their applications quickly and easily without delays or interruptions.

Features Overview:

All common records available
GEO replication
Easy redirects
ALIAS support
Anycast DNS
Per zone pricing
Powered by DNSimple
Easily integrate with Let’s Encrypt

Exoscale’s DNS also offers geo-replicated redundancy, providing optimal uptime and ensuring that users’ applications are always available, even in a failure. Overall, Exoscale’s cloud-native DNS is a robust and reliable solution for businesses looking to manage their DNS and ensure the availability of their applications.

NOTE! Here, you can find all the details in the online documentation for DNS.

IAM

Details

Exoscale provides various interaction methods with its platform, including programmatic access via the command line, your preferred programming language, integrations with third-party tools, and a user-friendly web portal. Regardless of the method, Identity and Access Management (IAM) will define permissions and actions for individuals and services on your platform.

IAM is composed of 2 primary building blocks:

Roles act as a container for a single policy and add some options.
Policies are rules describing what can and cannot be done.

Exoscale IAM, or Identity and Access Management, is a system that manages access to resources within the Exoscale cloud environment. Exoscale is a cloud service provider that offers various services, including computing, storage, and network solutions.

Exoscale IAM enables administrators to control who has access to specific resources, manage user permissions, and enforce security policies. Here are some key features and functions of Exoscale IAM:

User Management
Roles and Policies
Access Control
Security and Compliance
API Access

Using Exoscale IAM, organizations can effectively safeguard their cloud resources, comply with regulatory requirements, and streamline user access management, ultimately enhancing the security and efficiency of their cloud operations.

IAM Users

So far, IAM has allowed you to create keys that could be restricted and fine-tuned according to their permissions. While practical and powerful, IAM Keys have always been intended for programmatic usage, while users could not be limited in scope beyond the predefined roles:

Owner
Tech
Billing (former Admin)

Now, we are enhancing the IAM functionality, bringing the same powerful features to organizations’ users, offering you more control and flexibility. This means you can now limit a user’s scope of action in the web portal like you would for an IAM Key, with precise and fine-grained IAM Roles.

Typical use cases include:

give a user read-only access
generally, fine-tune what a user can see or do in the web portal

It is important to note that:

All new organizations will immediately start with IAM users
All existing organizations will be migrated

NOTE! Here, you can find all the details in the online documentation for IAM.

Marketplace

Details

Scale up your applications
Access a curated collection of solution templates
Leverage ready-to-use managed services

Web

The compplete marketplace portfolio with description can be found here: exoscale.com/marketplace

Portal

The tighly integrated marketplace products are easy to reach in the product portal: portal.exoscale.com/marketplace

NOTE! You need to be logged in to your portal account!

Organization

Overview

In this section of the Portal, you find:

Billing
Credit Cards
Invoices
Subscriptions
Audit-Trail
Quotas
Legal

Billing Info

Billing Details

The organization display name is used for invoices. It must be between 4 and 225 characters, cannot be composed of only numbers, and cannot be a UUID. It is not currently possible to modify the country associated with your organization. Please contact support if you need assistance. It is not currently possible to modify your organization’s VAT number.

Credit Threshold

You will receive an email notification when your credit balance drops below the specified threshold, set by default to 15 CHF/EUR/UDS. To avoid service disruptions, top up your balance regularly according to your consumption needs.

Usage Overview & Detail

Usage Overview: outlines your consumption for a specific time frame and your current billing mode. If your billing mode is set to Post-Paid, you will receive an invoice based on your monthly consumption, and your default credit card will be charged for the due amount.

Usage Detail: provides itemized views of your consumption for the same time frame stated under Usage Overview.

Billing Mode

Post-Paid: You will receive an invoice based on your consumption every month. Your default credit card will then be charged for the due amount. To activate the Post-Paid billing mode, you need to meet the following requirements:

Your account must be older than 90 days
All your invoices must be paid
You need to have a saved credit card and set it as the default

Wire-Transfer: You will receive an invoice based on your consumption every month. You have 30 days to pay your invoice by wire transfer.

NOTE! The Wire-Transfer billing mode is activated upon request after a case-by-case examination.

Redeem Coupon

If you have a promotional coupon, you can redeem it by entering the code in the Coupon Code field.

Credit Cards

It is the location for determining which credit card is associated with the organization. Our payment processing partner, Adyen, safely stores credit card details.

Invoices

You can look up all your invoices in excellent tabular form (Invoice Number, Total, Emission Date, Due Date, Status, Actions). Clicking on the table headers enables a different sorted view of the invoices.

Subscriptions

It is the location where you can view and manage your DNS Zones and Support Plans subscriptions in excellent tabular form.

Audit-Trail

You can see all the tracked security-relevant user activity and API usage here. The tool allows you to list and search for events that interact with Exoscale resources.

Quotas

Is the location where you can view and manage quotas on the following specific resources:

Instances
Custom Templates
Snapshots
GPUs
SKS Clusters
Elastic IPs
Private Networks
Network Load Balancers
IAM Access Keys
DBaaS Services
Object Storage Buckets
Block Storage Volumes
Block Storage cumulative size (GiB)
Max size of a Block Storage Volume (GiB)

Legal

It is structured into two Tabs:

Terms: Here, you find the Legal Documents for your organization, including the Terms & Conditions you excepted and when, as well as the version of the Data Processing Addendum you excepted and when.
Compliance Center: Exoscale is committed to helping our customers comply with industry and government regulations. Our Compliance Center contains all the information you need about our compliance posture, including information about our security controls, policies, procedures, certificates, attestations, and compliance reports. We will continue to update this center as our compliance posture evolves. For some of the reports, a Non-Disclosure Agreement (NDA) is necessary, which can be done by clicking the REVIEW AND ACCEPT button.

Support

Details

In this section of the Portal, you can view and manage your support tickets by status (All, New, Waiting, Open, Closed). Exoscale’s support services are designed to cater to various customer needs, from developers and testers to enterprises running critical workloads. Here’s a breakdown of what each support plan includes:

Built-In Support

Built-In Support is included for all customers at no additional cost. It is ideal for testers, developers, and non-critical applications.

Initial Response Time: Best-effort
Support Hours: Office Hours
Limited Audit Trail: 1 month of mutation events
Limited Monthly Usage Reports: Aggregated by resource type
Ticket Support

Starter Plan

Starter Plan is suited for startups and SMEs running production infrastructures. It includes everything in the Built-In plan plus additional features.

Initial Response Time: 4 hours
Support Hours: Office Hours
Two-Factor Authentication (2FA)
Single Sign-On (SSO)
Limited Audit Trail: 1 month of mutation events
Monthly Usage Reports: Reporting per resource
Ticket Support

Price: 100.00 EUR/CHF/USD per month

Pro Plan

Pro Plan is tailored for companies running sensitive production infrastructures. It includes everything from the Starter plan plus faster response times and event tracking.

Initial Response Time: 1 hour
Support Hours: Extended Office Hours
Two-Factor Authentication (2FA)
Single Sign-On (SSO)
Comprehensive Audit Trail: All API traffic, retention at customer discretion
Monthly Usage Reports: Reporting per resource
Ticket Support
Phone Support

Price: 500.00 EUR/CHF/USD per month

Enterprise Plan

Enterprise Plan is designed for companies running critical workloads, offering the highest level of support and fastest response times.

Initial Response Time: 30 minutes (24/7)
Support Hours: 24/7
Two-Factor Authentication (2FA)
Single Sign-On (SSO)
Comprehensive Audit Trail: All API traffic, retention at customer discretion
Monthly Usage Reports: Reporting per resource
Dedicated Customer Success Manager
Custom Compliance Form
Ticket Support
Phone Support

Price: 5% of IaaS consumption (minimum 2,500 EUR/CHF/USD per month)

Overview: Support Features & Plans

Feature	Built-In	Starter	Pro	Enterprise
Initial Response Time	Best-effort	4 hours	1 hour	30 minutes
Support Hours	Office Hours	Office Hours	Extended Office Hours	24/7
Ticket Support	✔️	✔️	✔️	✔️
Chat Support	-	-	Coming soon	Coming soon
Phone Support	-	-	✔️	✔️
Two-Factor Authentication	✔️	✔️	✔️	✔️
Single Sign-On (SSO)	-	✔️	✔️	✔️
Audit Trail	Limited	Limited	✔️	✔️
Monthly Usage Reports	Limited	✔️	✔️	✔️
Custom Compliance Form	-	-	-	✔️
Customer Success Manager	-	-	-	✔️
Price/month (EUR/CHF/USD)	Included	100.00	500.00	Usage *)

*) 5% of IaaS consumption (minimum 2,500 EUR/CHF/USD per month)

Additional Information

Office Hours: Mon-Fri, 8 am to 6 pm CET/CEST
Extended Office Hours: Mon-Fri, 7 am to 8 pm CET/CEST
PEN-Testing & Right to Audit: Available across all plans

By choosing the right support plan, you can ensure that your needs are met effectively and promptly, allowing you to focus on what matters most—growing your business.

NOTE! Here, you can find details on the case priority schema in the online documentation for SUPPORT.

Compute

Overview

The Compute product is for scalable, on-demand cloud servers in a privacy-minded public cloud setting to host everything from simple applications to complex architectures. Start a virtual machine (VM) in seconds, and integrate current on-premises or hybrid-cloud deployments using standard DevOps tooling, would that be Terraform, Kubernetes, Ansible, or the tools of your choice.

VM Creation – Essential Properties

Name - Easier Server Identification
Template - Linux, Windows, Custom, Marketplace
Zone - Data Center Locations
Instance type - RAM, CPU Core Configurations (T-Shirt Sizes)
Disk size - Size Configurations

VM Creation - Further Properties

SSH Keys
Public IP Assignemnt
Private Networks
Security Groups
Anti-Affinity Groups
User Data

VIDEO

VM Creation Process

EXAMPLE - create a Linux VM and install a web server

Walking through a step-by-step example for creating a new cloud server (VM) with a web server manually:

Create Security-Group for HTTP and SSH access
Create SSH Keyfile for access
Start a Virtual Machine
Install a Web Server via SSH

VIDEO

EXAMPLE

Security Group

Security Groups are the VMs firewall, all VMs are linked to at least one Security Group (default).

default

BLOCK all incoming traffic
ALLOW all outgoing traffic

Security Group - configure a new sample-group

For our example:

ALLOW 22 for everyone
ALLOW 80 for everyone

VIDEO

Security Groups

SSH Keys

How-to create an ssh key pair

Linux and Mac

Use the command line tool ssh-keygen

Windows

Use the program PuTTYgen (puttygen.exe) and export the OpenSSH public key

Create SSH Key - my-key

Import SSH Key - public key

NOTE: NEVER share the PRIVATE KEY with anyone !!!

VM Creation - Example

Hostename = my-new-vm
Template = Linux Ubuntu 20.04 LTS 64-bit
Zone = DE-FRA-1
Instance Type = STANDARD - Tiny
Disk = 10 GB
Keypair = my-key
Security Groups = sample-group

VIDEO

VM Creation

VM Usage

Connecting to the Server depends on your client OS used to access your VM. Adding the SSH Key and accessing your VM follows a different sequence of tools used. Below you see examples of the most common access scenarios.

Access from Linux or Mac

Run the following commands:

> ssh-add id_rsa
> ssh root@SERVER-IP

Access from Windows

Start the PuTTY authentication agent program Pageant and add the SSH Key
Start the program PuTTY and enter the Server IP

VIDEO

VM Usage

Web Server Install

Installing NGINX web server via the apt-get package manager:

> apt install -y nginx
> systemctl start nginx

Web Server accessible via server IP:

EXAMPLE - create a Windows Server VM and access it

Creating a Windows VM follows the same Step-by-Step pattern as a Linux VM; you select an appropriate Windows Server template. The creation process runs in the same way.

To access the Windows Server VM, you must configure a Security Group that allows port 3389/TCP. This is the port for the remote access protocol used by the Microsoft Remote Desktop application. To connect as administrator to the Windows Server VM, use the shown password and the Microsoft Remote Desktop application.

Virtual Machines (VMs)

Frequently used applications of VMs on Exoscale are:

Web Servers
Machine Learning
Processing/Storing Data
Firewalls/Gateways
Terminal Servers
…

Anti-Affinity Groups

How can you increase availability and fault tolerance for your application?

Using more than one instance is the start of redundancy running them on different hosts = different hypervisors increases the availability. The feature for controlling this behavior is called Anti-Affinity Group. Instances in one Anti-Affinity group are all placed by the platform on different hosts, which increases the resilience against the failure of your application.

Anti-Affinity Group Specs:

Anti-Affinity Groups can be freely created and VMs assigned to it
Anti-Affinity Groups support also Instance-Pools
Up to 8 VMs can be in the same Anti-Affinity Group
All 8 VMs will then be on different hypervisors

VIDEO

COMPUTE - Recap & Summary

Cloud-Init

Explained

Cloud-Init is the industry-standard method for cross-platform cloud instance initialization and supports all major public cloud providers and provisioning systems for cloud infrastructure installations. During boot, Cloud-Init identifies the cloud it runs on and initializes the system accordingly. Cloud instances will automatically be provisioned during the first boot with networking, storage, SSH keys, packages, and other system aspects already configured. Cloud-Init provides the necessary glue between launching a cloud instance and connecting to it so that it works as expected.

User Data

The User Data field can be used for configurations after the cloud instance has been booted. You can use either distribution-specific scripting languages (bash, PowerShell, etc.) or the distribution-independent method of cloud-config. For example, you want to install the web server nginx automated after the cloud instance finishes booting.

Simple Example - distribution-specific

#!/bin/bash

sudo apt-get update
sudo apt-get upgrade –y
sudo apt-get install –y nginx
sudo systemctl start nginx

This example is specific for a Linux distribution.

Simple Example - distribution-independent

#cloud-config

package_upgrade: true
packages: 
   - nginx
runcmd:
   - systemctl start nginx

This example is independent and works cross-platforms.

VIDEO

Intro

Complex Example

Install and configure Web Server
Download our application from an SOS bucket using a presigned key
Install the application
Run the application

#cloud-config
package_upgrade: true
packages:
  - nginx
  - nodejs
  - npm
write_files:
  - owner: www-data:www-data
    path: /etc/nginx/sites-available/default
    content: |
      server {
        listen 80;
        location / {
          proxy_pass http://localhost:3000;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection keep-alive;
          proxy_set_header Host $host;
          proxy_cache_bypass $http_upgrade;
        }
      }
runcmd:
  - systemctl restart nginx
  - cd "/home/webapp/myapp"
  - [ wget, "https://sos-de-muc-1.exo.io/demo-webinar/application.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=....", -O, /home/webapp/myapp/app.zip ]
  - unzip app.zip
  - npm init
  - nodejs index.js

VIDEO

Complex Example - Theory

VIDEO

Complex Example - Demo

Overview

LINK Cloud-Init Documentation

cloudinit.readthedocs.io

Automation

Overview

Taking the basic concept of cloud-init to the next level by using methods like:

CLI … Command Line Interface
API … Application Programming Interface
IaC … Infrastructure as Code

Infrastructure as Code

Infrastructure as Code (IaC) manages and provides computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools.

Specify your whole infrastructure as programming code
Automated infrastructure management
Quickly start, modify or delete your whole infrastructure
Code is also documentation
Terraform Plugin provided by Exoscale

The approach of immutable infrastructure is practiced in this concept by never updating and always replacing.

Example

data "exoscale_compute_template" "ubuntu" {
  zone = local.zone
  name = "Linux Ubuntu 20.04 LTS 64-bit"
}

resource "exoscale_security_group" "web" {
  name = "web"
}

resource "exoscale_compute_instance" ”webserver" {
  zone               = local.zone
  name               = "webserver"
  type               = "standard.medium"
  template_id        = data.exoscale_compute_template.ubuntu.id
  disk_size          = 10
  security_group_ids = [
    data.exoscale_security_group.default.id, 
    exoscale_security_group.web.id,
  ]
  user_data          = <<EOF
#cloud-config

package_upgrade: true
packages:
  - nginx
write_files:
  - owner: www-data:www-data
    path: /var/www/html/index.html
    content: |
      Hello world!
runcmd:
  - systemctl restart nginx
EOF
}

VIDEO

Infrastructure as Code

VIDEO

Infrastructure as Code - DEMO

Application Programming Interface

Exoscale Public API

https://openapi-v2.exoscale.com

Everything on Exoscale can be controlled via the API
Full potential for automation
Implementable in every programming language
Specifically limit access using IAM

Example

import requests
from exoscale_auth import ExoscaleV2Auth
import secret
auth = ExoscaleV2Auth(secret.api, secret.key)
response = requests.get("https://api-de-fra-1.exoscale.com/v2/instance", auth=auth)
print(response.text)

VIDEO

Application Programming Interface

Command Line Interface

Exoscale CLI – exo

https://community.exoscale.com/documentation/tools/exoscale-command-line-interface/

exo is Exoscale’s official command line interface to access all platform services. It allows you to manage your infrastructure from a user-friendly command line tool with the benefits of being scriptable.

Example

> exo compute instance create my-new-vm
 ✔ Creating instance "my-new-vm"... 16s
┼──────────────────────┼──────────────────────────────────────┼
│   COMPUTE INSTANCE   │                                      │
┼──────────────────────┼──────────────────────────────────────┼
│ ID                   │ xxx-xxx-xxx-xxx                      │
│ Name                 │ my-new-vm                            │
│ Creation Date        │ 2022-11-30 14:39:19 +0000 UTC        │
│ Instance Type        │ standard.medium                      │
│ Template             │ Linux Ubuntu 22.04 LTS 64-bit        │
│ Zone                 │ ch-gva-2                             │
│ Anti-Affinity Groups │ n/a                                  │
│ Security Groups      │ default                              │
│ Private Networks     │ n/a                                  │
│ Elastic IPs          │ n/a                                  │
│ IP Address           │ 159.100.242.231                      │
│ IPv6 Address         │ -                                    │
│ SSH Key              │ -                                    │
│ Disk Size            │ 50 GiB                               │
│ State                │ running                              │
│ Labels               │ n/a                                  │
┼──────────────────────┼──────────────────────────────────────┼

> exo compute instance list
┼─────────────────┼───────────┼──────────┼─────────────────┼─────────────────┼─────────┼
│        ID       │   NAME    │   ZONE   │      TYPE       │   IP ADDRESS    │  STATE  │
┼─────────────────┼───────────┼──────────┼─────────────────┼─────────────────┼─────────┼
│ xxx-xxx-xxx-xxx │ my-new-vm │ ch-gva-2 │ standard.medium │ 159.100.242.231 │ running │
┼─────────────────┼───────────┼──────────┼─────────────────┼─────────────────┼─────────┼

> exo compute instance delete my-new-vm
[+] Are you sure you want to delete instance "my-new-vm"? [yN]: y
 ✔ Deleting instance "my-new-vm"... 12s

VIDEO

Command Line Interface

Scaling

Overview

The Exoscale Platform provides two ways of scaling:

Vertical
Horizontal

Which way should be used also depends on your app’s architecture, and there is an impact on the operational procedures as well.

Vertical

Can be done any time, while the instance is stopped
Billing is always by the second

Horizontal

Can be done any time, no instance stopping necessary
Billing is always by the second

VIDEO

Scaling

Instance Pools

Multiple compute instances with the same configuration in a group:

Increase or decrease the amount of compute instances in an Instance Pool any time
Increasing
- will automatically boot up an instance with the same parameters again (template, cloud-init, …)
Decreasing
- will destroy the oldest VM in the Pool this way the whole pool can be cycled
Often used together with cloud-init to provision the instances with an application.

Automation

Can be scaled down and up by sending commands to the Exoscale API or CLI
Easily and fully automatable out of the box using Kubernetes

VIDEO

Instance Pools

Traffic

Overview

Data exchange between computers is called traffic, and in cloud computing, this is an important topic at least from two angles:

performance
- throughput
- latency
cost
- data volume
- timeframe

So let’s look into it.

Internal Traffic

Definition Internal:

Between all Exoscale Services inside a zone
Between all Exoscale Services beyond zone borders

Internal traffic is free!

Incoming Traffic

Traffic coming from the internet is free.

Outgoing Traffic

Traffic towards the Internet is billed. BUT, it comes with a free tier at Exoscale:

1.42 GB per instance in the period of one hour
Free traffic is shared in the organization
Free traffic is only available in the hour created

Example

Two examples to illustrate the free tier and the billing aspects:

Instance A and B
- A creates 2 GB of outgoing traffic
- B creates 0.5 GB of outgoing traffic
- Completely under free tier, as both together have 2.84 of free traffic
Instance A exist inside one hour
- A creates 2 GB of outgoing traffic
- 1.42 GB are free, 580 MB are to be paid

VIDEO

Traffic

Storage

Overview

Simple Object Storage (SOS) is an S3-compatible object storage to store your assets, files, and metadata. Furthermore, it is a cost-effective solution to support your application and backup or serve your data from any Exoscale zone with no hidden fees, using your existing S3-compatible tooling and a familiar API.

Simple to use
High-available, replicated 3 copies of each object
URLs to files can be configured with ACLs
ACLs (Access Control List) permission control:
- private - only with API key accessible
- public-read - everyone can read, e.g. for static files
- public-read-write - everyone can read and write -> NOT RECOMMENDED
- manual edit - grant specific permissions to other orgs

VIDEO

Simple Object Storage

Use Cases

Case – Static Files:

Backups
HTML-Files
Pictures
Videos
Archives of various files (e.g., *.zip, *.tar, and for boot-strapping an app on a server)
Best suitable for
- Integrated in the app itself (S3)
Not suitable for
- Shared File Systems
- Storage under Databases

Case – Static Web Files:

Upload static files to S3
Set ACL public-read either manually or automatically (e.g., WordPress plugin)
Embed links to files directly in HTML
Users will download files from SOS bucket
Providing fast access and high-availability

Case – Backup Files:

Install a backup agent on a VM (e.g., CloudBerry)
Configure S3 bucket as target
If restore needed:
Create VM
Install agent
Configure as restore from S3 bucket
Backup Files are saved securely and privately in the Storage Bucket

Access Methods

Access Interfaces for SOS:

Exoscale UI
Exoscale CLI
S3 CLI

Every programming library which supports S3:

Easy to embed in existing apps
- PHP
- Java
- NodeJS
- Python
- …

Every Application which supports S3:

Cyberduck … browse files with a GUI, delete files, upload large files
CloudBerry, Acronis, Veeam, … Backup Software
Flexify.IO … is a great way to migrate data back and from on-premises or other cloud storage
MountainDuck … mount SOS as Windows Drive
rclone … Linux CLI to copy whole directories, synchronize multiple buckets/zones

VIDEO

Uses Cases / Access Methods

VIDEO

SOS - DEMO

Content Delivery Network

CDN:

Automatically distributed all public-read files to the Akamai network if activated
120 locations worldwide
Users can download static files with low latency from the nearest server
Used when high scalability and low latency are requirements
Easy to use; just the read-URL of the files changes
Files must be set to public-read

VIDEO

CDN

COMPONENT ==========

{: type=“html” display_name=“Pre-signed Keys " }

Pre-signed keys can be used to:

Give temporary access to private files
Give unique access to private files (e.g., for cloud-init scripts)
Key included in the URL
Must be created using the CLI or a S3 library

VIDEO

Pre-signed Keys

VIDEO

Pre-signed Keys - DEMO

Backup

Explained

Solutions:

Backup solutions existed well before cloud services were invented
Companies or teams had their specific preferred backup solution
Exoscale does not impose a specific solution
Multiple possibilities available

VIDEO

Backup

Snapshots

Do a full snapshot of a VM

Easy to implement and automate
Easy to fully restore Restores
Easily create a template from a Snapshot

Hard to do partial restores

Always the full disk is snapshotted -> Consumes a lot of space and incurs cost
When a VM is deleted, Snapshots are also deleted
Can be inconsistent, e.g., recovery of a Database might not be possible.

VIDEO

Snapshots

Agent Based Backup

Backup the filesystem to an S3 bucket (potentially in a different zone):

Incremental
Partial restores
Great flexibility
Economical
Harder to implement -> Requires a third-party application

Restoring – Option A:

Restore file system directly (i.e., using Restic)

Restoring – Option B:

Restore whole system (i.e., using UrBackup, Bareos)

Networking

Overview

This topic has many layers and can be intimidating and complex sometimes. Therefore, we break it down into smaller pieces to convey the cloud-relevant parts of it and introduce Exoscale networking features. If the diagram below looks intimidating to you, don’t worry. After completing this section of the course, it will feel very natural.

The next steps are to look into the following topics and demystify networking:

Switching/Routing
Load Balancing
Private Networks

and at the same time refere to the network layer model and match our topics to it.

Switching/Routing

Explained

Layer 2 - Switching

Uses Mac Addresses (hardcoded into devices)
Only for traffic in a local or private network
Done by switches

Example Mac address: f8:4d:89:84:eb:8e

Layer 3 - Routing

Uses IP Addresses
For traffic and routing in a global matter
Done by routers

Example IP address: 10.55.22.1/32

Local Network

Switches don’t care for IP-Addresses - only Mac-Addresses – Layer 2 !!!
Each computer can talk to the other on the same local network
And it must be on the same subnet

VIDEO

Switching / Routing - Part 1

IP Addresses

A subnet for one IP address

A subnet for two IP addresses

More subnets

A subnet for 256 IP addresses

VIDEO

Switching / Routing - Part 2

Routing Subnets

Talk to different subnets –> router (gateway) must be used
Gateway IP needs to be specified –> Gateway IP must be usually on same subnet

VIDEO

Networking

Private Network

Explained

Local Network between Instances
Private networks can be freely created
Instances must be in the same zone
No Security Groups are in between
Layer 2 - like a simple Switch connecting all instances
Private IP Addresses/Subnets can be freely chosen best from reserved IP ranges
IP Addresses must be configured via SSH/RDP or Cloud-Init
Managed Private Networks can automatically provide IPs via DHCP

Reserved Subnets - can be used for private networks:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

Granular DHCP Support via the CLI

Exoscale’s Managed Private Networks support granular DHCP configurations, providing enhanced control over network settings through the CLI.

[DHCP Option 3] Default Gateway (Router): Sets the IP of the default gateway for external traffic.
[DHCP Option 6] DNS Servers: Specifies DNS server IPs for domain name resolution.
[DHCP Option 42] NTP Servers: Defines IPs for time synchronization with NTP servers.
[DHCP Option 119] Domain Search List: Supplies a list of domain suffixes supporting multi-domain environments (limited to 255 octets).

VIDEO

Private Network

VIDEO

Private Network - DEMO

Gateway Considerations

An additional Gateway is required when:

Connecting private networks over different zones
Connecting private networks to the company network
Connecting a private network to the internet
Connecting private networks together

As Gateway, another instance can be used:

Ubuntu with routing configuration
VyOS Router templates

VIDEO

Gateway Considerations

Load Balancing

Explained

Network Load Balancer

Can forward ports/services to different Instance Pools.
Traffic will be only forwarded to Instance Pool members with a successful health check.
If you want to allow access from the Internet, you need to open the Ingress Rules for target-port and healthcheck for all (0.0.0.0) in the Instance-Pools Security Group.
- If you only want to enable load balancing from specific subnets, you can just let that subnet or security group access the target-port. Additionally, you need to add a rule with Source Type being Security-Group-Public and select public-nlb-healthcheck-sources for the healthcheck.
Healthchecks can be observed via API.
Strategies
- Round-Robin - Incoming traffic will be forwarded to each member in equal proportions and circular order.
- Source-Hash - A given source address will always be forwarded to the same instance.

VIDEO

Load Balancing

VIDEO

Load Balancing - DEMO

Managed Elastic IP

Can forward traffic to one instance or distribute traffic across multiple instances
Traffic distribution is not necessarily even
No configuration on target instances is necessary
Traffic on all ports is forwarded
Healthchecks are done – but cannot be observed
To be reachable, ports from the EIP must be opened for all

NOTE: Cannot be used for outgoing traffic

VIDEO

Managed Elastic IP

Comparison - Network Load Balancer / Managed Elastic IP

Network Load Balancer

Routes to Instance-Pools
Even traffic distribution
Route single ports (services)
Healthchecks can be observed

Managed Elastic IP

Routes to individual Virtual Machines
Even traffic distribution is not guaranteed
Route whole IP/all ports
Healthchecks done but cannot be observed

VIDEO

Comparison

Unmanaged Elastic IP

Simple Fail-Over IP Address
It needs to be configured on the instance itself
It can be used as an outgoing IP via a loopback interface
Security Groups apply normally

cloud-init configuration

#cloud-config
write_files:
  - path: /etc/netplan/51-eip.yaml
    content: |
      network:
        version: 2
        renderer: networkd
        ethernets:
        lo:
          match:
            name: lo
          addresses:
            - 159.100.241.235/32
runcmd:
  - [ netplan, apply ]

VIDEO

Unmanaged Elastic IP

Security Groups

Allow defining and composing firewall rules:

Power of VLANs
Block incoming traffic by default
Allow outgoing traffic by default
Traffic to and from the Internet can be blocked entirely (private instance)
Source address can be specified as a subnet or as another Security Group, or as a Public Security Group (which simply are Security Groups defined by Exoscale for specific purposes)

Security Groups Examples

Frontend Security Group

Allow 0.0.0.0/0 for port 80/tcp
Allow 0.0.0.0/0 for port 443/tcp
Allow 90.80.60.0/24 for port 22/tcp *

*) allow clients originating from the given subnet – e.g., company network - to connect to SSH; not on the diagram

Backend Security Group

Allow Security Group Frontend for port 8080/tcp
Allow Security Group Backend for port 8080/tcp *

*) without this rule, backend instances cannot access each other on 8080

VIDEO

Security Groups

VIDEO

Security Groups - DEMO

Cloud Challenges

Overview

This section highlights the most common problems you can face on your cloud journey. Awareness of those topics should lead to better architecture decisions and storage technology selections. Therefore, the last two sections in this course are dedicated to these topics in more detail. But first, let’s jump into the area of cloud problems and build a better understanding of common pitfalls.

Special Snowflake

Issue Description

A single server – installed by hand – undocumented
IP Addresses or credentials hard-coded in several systems
Also, cannot transfer IP Addresses to the cloud
Should only be migrated with planned downtime and roll-back scenario

VIDEO

Special Snowflake

Huge Instance

Issue Description

A customer wants …

512 GB of RAM
A huge disk (> 15 TB)
A small instance (i.e., 2 cores) with a big disk (i.e., 512 GB)

It rarely makes sense, especially for databases. Very expensive in the cloud. Sometimes not possible.

VIDEO

Huge Instance

Backup

Issue Description

On-premises backups are often done on a full VM image basis. This works poorly in the cloud and will get expensive.
Backups must be re-tooled to be done on a software basis for at least parts of the recovery process.

VIDEO

Backup

Migration

Issue Description

Possibilities:

Transfer of the files of the server themselves (i.e., using rsync on Linux) – the most straightforward solution
Using a backup tool

Convert an existing image (i.e., VMware) to QCOW2 and create a template:

For advanced users
Cannot delete template as long as instances boot from it
Custom Templates
Must install *.iso files locally first, and the resulting image will then be provided as QCOW2

VIDEO

Migration

Network Throughput

Issue Description

No cloud provider has SLAs for bandwidth or latency between two VMs.
On-premises, this SLA is easy to guarantee thanks to a dedicated network infrastructure.
Services need to be built smaller and fault-tolerant.

VIDEO

Network Throughput

Licensing

Issue Description

Some software is not licensed in a cloud-friendly way
Software that requires purchasing a license for every possible CPU core the software COULD run on
Software that restricts the license or support to officially certified hypervisors only

VIDEO

Licensing

Architecture

Explained

There are challenges in the cloud. We just have reviewed to most common ones. Building reliable, scalable, and well-performing cloud-based solutions is down to leveraging proven architectures and best practices and thinking of cloud-native approaches to the challenges you want to solve.

Simple Architecture

Quickly scale up for more performance and easily scale down to safe cost or serve a scenario with fewer performance needs. It is also important to safely store all data and configurations in backups and enable applications to be highly available. All of those requirements are reflected in your architecture.

VIDEO

Architecture

Stateless Architecture

Applications with stateless architecture (stateless apps) allow you to easily scale:

Keep data in a database or S3 storage
Don’t save data locally on a disk
Don’t save session-states locally inside the apps RAM, instead:
- Use JWT (JSON Web Tokens)
- Save session state in a database (e.g., Redis)

-> Stateless Apps can be booted multiple times in conjunction with a Load Balancer & Cloud-Init.

VIDEO

Stateless Architecture

Monolith vs Microservices

Two very common application architecture used for designing solution on-permises and in the cloud, but also very different ones.

VIDEO

Monolith vs Microservices

Kubernetes

Scalable Kubernetes Service (SKS)

Potential requirements for your application:

High-Availability
Automated vertical and horizontal scaling
Updates without downtime
Self-Healing
Load balancing
Cost Effectiveness
Simple development and release process

-> Consider our Managed Kubernetes SKS

-> Courses available: SKS Starter & SKS Advanced

VIDEO

Kubernetes

High Availability & Disaster Recovery

Expect the Unexpected

Design and develop plans before things happen
Plan how you want to achieve High-Availability use e.g., Kubernetes, Load-Balancers
Backup your files, preferably in a different zone than your main infrastructure
Weigh out recovery time vs. effort
- Having a zone-failover in a matter of seconds is a very elaborate and expensive behaviour
- As a zone-failure is very unlikely, a plan is still needed, but planning in more downtime makes things easier
Have a disaster recovery plan

Database

Overview

Looking at databases, we see that the managed version delivers the benefits of simplifying the tasks associated with provisioning and maintaining a database. However, you will still need some experience working with databases to interact with them as you build and scale your app.

Exoscale DBaaS is an excellent solution for everyone looking for a diverse portfolio of open-source data services used in all applications and business solutions and gaining the following benefits:

Daily Backups included - backups are done on a daily basis and are included with every DBaaS offering.
Completely Integrated - integrated DBaaS for your instances. Easily manage your database, instance, or storage from the same interface.
Automate Everything - easily automate everything with our simple web portal, CLI, API, or tools like Terraform.
99.99% Uptime SLA - all DBaaS (cluster) offerings come with an uptime SLA of 99.99%.
No Vendor Lock-In - keep your cloud infrastructure independent and flexible with our offering of open-source databases.
Your Data Stays In Europe - all data is stored in the country of your chosen zone, fully GDPR compliant. DBaaS is available across European zones.