Welcome to episode 263 of the Cloud Pod Podcast – where the forecast is always cloudy! This week we’re diving into the world of Snowflake, including announcements from their latest conference and details about their recent breach. Seriously – MFA is important! Plus we look at updates to Terraform, Claude 3, and OCI pushing the IOPS limits and much more. Join us! 

Titles we almost went with this week:

• ❄️Snowflake Announces State-of-the-Art way for hackers to Talk to your Data
• 🌨️Ticketmaster gets a snow job – MFA matters! 
• 🔮The CloudPod wouldn’t use Oracle even for a million IOPS
• 🐻Azure finally wakes up to hibernation support JJB
• 🪙No one ever called a Bastion Host Premium until Today – JPB MK
• 📠I look forward to connecting Kinesis to Pub Sub to Event Hub in the most rube   
•     goldberg eventing architecture ever
• 🗺️Hashicorp shows you the way
• 🧑‍🦰10 ways to say I want you Matt (I’m not bias with the name)
• 🧸Can we just hibernate ourselves on AI announcements
• 👁️Sus is how i feel about the new Susscanner from AWS
• 🔋OCI has enough power to run Oracle databases with 1 MIllion IOPS
• 🦹OCI wants 1 Million IOPS (dr evil voice)
• 🦈Monday, Tuesday, Hashidays…

General News 

Terraform AWS Cloud Control API provider is now generally available 

• The AWS Cloud Control Provider (AWSCC), built around the AWS Cloud Control API and designed to bring new services to Terraform faster, is now generally available. 
  • The 1.0 release represents a step in their effort to provide launch-day support of AWS services.  
• This service was put into tech preview in 2021. 
• Glad it’s finally here; although we thought this effort was abandoned, honestly. 
• Interesting that you can mix HCL Terraform and AWSCC, but specify the different resource types in the configurations.  

00:53 New Vault and Boundary offerings advance Security Lifecycle Management at HashiDays 2024  

• Hashicorp held their “Hashidays” event in London this last week, and announced improvements to their Security Lifecycle Management (SLM) products: Vault and Boundary
• Vault will be getting Workload Identify Federation, coming soon to Vault Enterprise which enables secretless configuration for vault plugins that integrate with external systems supporting WIF, such as AWS, Azure and Google Cloud. 
  • By enabling secretless configuration, organizations reduce security concerns that can come with using long-lived and highly privileged security credentials. 
  • With WIF, Vault no longer needs access to highly sensitive root credentials for cloud providers, giving operators a solution to the “secret zero” problem. 
• Secrets Sync – which we talked about on a previous show.
• Vault Secrets Operator – provides native K8 integration with Vault, and now supports Openshift OLM and secret templating, with instant updates coming in June. 
• For apps that require precisely formatted secret data that does not align with how it’s stored in Vault, VSO can now transform the raw secret data into a format compatible with the application using templating, reducing custom code and complications for developers. 
• HCP Vault Radar is helping you detect security vulnerabilities and exposed credentials. 

01:35 📢 Justin – “I’m pretty sure when you want to switch from the CC version to the HL version, it’s gonna destroy everything you did and blow it away. But maybe they’ll now think about a way to migrate things.”

5:09 HCP Waypoint to add actions, enhances golden pattern capabilities, and more

• HCP Waypoint Actions will be entering public beta soon. 
• Actions enable platform teams to seamlessly expose Day 2+ operations and workflows to developers. 
• HCP Waypoint is designed to empower platform teams to define golden patterns and workflows for developers to enable the management of applications at scale. 
  • Adding actions helps organizations define and execute golden workflows, such as building an application, performing a rollback, or executing operations in private environments. 
• In addition, they are enhancing waypoint templates and add-ons. 

07:18 Cloudflare acquires BastionZero to extend Zero Trust access to IT infrastructure

• Cloudflare announced they are acquiring BastionZero, a zero trust infrastructure access platform.  
• This extends their zero trust network access, or ZTNA, flows with native access management for infrastructure like servers, Kubernetes clusters and databases. 
• Cloudflare’s goal for years has been to replace your VPN, and BastionZero helps further that vision beyond apps and networks to provide the same level of simplicity for Infrastructure resources.  
• BastionZero provides native integrations to major infrastructure protocols and targets like SSH, RDP, K8, database servers and more to ensure that a target resource is configured to accept connections for that specific user, instead of relying on network level controls. 

AI Is Going Great (Or How ML Makes All It’s Money)

08:54 Snowflake Clients Targeted With Credential Attacks

• Hackers are targeting clients of AI intelligence data platform provider Snowflake, which lacks multifactor authentication. 
• Snowflake on Friday (a few days before their user conference) told customers that it observed an increase in cyber threat activity targeting some of their customer accounts.  
• The Australian Cyber Security Center published an alert on Saturday warning about the threat. 
• Techcrunch reported that Ticketmaster spokesperson said that stolen Ticketmaster data advertised for sale by criminals originated with Snowflake. 
• Ticketmaster confirmed the breach but didn’t mention Snowflake by name. 
• Snowflake said it identified evidence suggesting the activity was caused by compromised credentials of current or former Snowflake personnel; the threat actor accessed a demo account belonging to a former Snowflake employee. Crowdstrike and Mandiant have supported this assessment. 
• Come on Snowflake… you don’t enforce MFA authentication or disable a former employee’s Demo account? Super sloppy! 

10:08 📢 Justin – “I’ve dealt with it before. I think we all have. That’s not an uncommon pattern, because no one wants to integrate your demo accounts with single sign -on and things that they should. And so that’ll burn people all the time.”

13:08 Snowflake Announces State-of-the-Art AI to Talk to your Data, Securely Customize LLMs and Streamline Model

• Snowflake, at their user conference, announced state of the art AI to talk to your data, securely customize LLms and streamline model operations. 
• Please note: All of these things are in preview. Nothing in GA. 
• Cortex search will make it easier to talk to documents and other text-based data sets such as wiki and FAQs, as easy as running a SQL function. 
• Cortext Analyst, will allow app developers to create applications on top of analytical data stored in Snowflake, so business users can get the data insights they need by simply asking their questions in natural language. 
• Snowflake AI & ML Studio brings you no-code, AI development to Snowflake. Studio is accessible within Snowsight to access interactive interfaces for teams to quickly combine multiple models with their data and compare results to accelerate deployment to applications in production. 
• Snowflake Notebooks are available to empower data teams, proficient in SQL, Python or both, to run interactive analytics, train models or evaluate LLMs in an integrated Cell-based environment. This interactive development experience eliminates the processing limits of local development as well as the security and operational risks of moving data to a separate tool. 
• Document AI is available soon and provides a new framework to easily extract content like invoice amounts or contract terms from documents using Arctic TILT, a state of the art built in, multimodal LLM. 
• Cortex Guard is GA for users to filter harmful content associated with violence and hate, self harm and criminal activities.  Safety controls can be effortlessly applied to any LLM in Cortex AI by using the guardrails setting that is now part of the COMPLETE function. 
• Snowflake Horizon ML Lineage in preview, helps teams trace end to end lineage of features, data sets and models from data to insight for seamless reproducibility. 
• Feature store integrated and centralized lineage of features, data sets and models from data to insight for seamless reproducibility. 
• Model registry to govern all your ML models from those trained in Snowflake or other ML systems. 

15:16 📢 Jonathan – “I’m surprised that we’ve gone into document analysis when you’re already hosted on cloud search, you already provide those as services. It’s a weird market to go after.”

*User poll: Have you noticed an increase in keynote announcements that are in beta or private preview? Let us know on X or our Slack channel.*

19:01 Simplified End-to-End Development for Production-Ready Data Pipelines, Applications, and ML Models 

• We already mentioned the Snowflake Notebooks, but there are more developer goodies from Snowflake.  
• New CLI and Python API making it easier than ever to do upgrades, automate CI/CD and work with objects directly via Python. 
• Snowflake Tasks have been improved to provide better pipeline orchestration and job scheduling. 
• You can leverage serverless tasks for python. Serverless tasks flex and event-driven trigger tasks.  As well as new dynamic tables that can be used at every stage of the processing pipeline.
• To simplify delivery lifecycle, Database Change Management makes it easy to declaratively manage changes across Snowflake objects at scale, directly from your Git repo. 
• Finally, they have Snowflake Trail, a rich set of curated observability capabilities that provide enhanced visibility into data quality, pipelines and applications, empowering developers to monitor, troubleshoot and optimize their workflows

20:05 Snowflake Massively Expands Types of Applications That Can Be Built, Deployed and Distributed on Snowflake 

• Snowflake continues to expand the abilities to build rich applications.  
• New Snowpark Container Service, soon to be GA on AWS and in preview on Azure, empowers app providers to efficiently build and operate sophisticated generative AI aps. 
• With containers running in Snowflake, there is no need to move governed data outside of Snowflake in order to be used as part of AI/ML models and apps. 
• For those of you looking for an alternative to Elasticsearch, the Snowflake Full Text Search capabilities gives you a new token based search function to use for log analytics and other high volume data search applications.  
• Finally to make it easy to deploy, they are announcing the Snowflake Native App Framework is now GA on GCP, making it available on AWS, Azure and GCP.  
• Providers can build their app once and publish it to customers across all three major clouds and multiple regions with a single listing, removing the operational burden of keeping your app updated in various clouds. 

21:56 📢 Justin – “The Snowflake Native app framework was kind of cool. I was doing a little bit of research on it after I read the article because I hadn’t heard of it. But basically, if you think about applications and selling on Marketplace where you want to build infrastructure on a customer’s own accounts or things, this basically allows you to build those applications and be managed through your control. There’s basically a control plane for those. So you can basically deploy Snowflake components into other cloud accounts and projects that aren’t owned by them, but they are still managed by Snowflake remotely with this capability.”

AWS

22:57 @awscloud 10 things you need to know about Matt Garman, the incoming CEO of AWS 

• AWS wrote a X blog posts on 10 things you should know about Matt Garman
• 1. Andy Jassy Sold Garman on AWS when he was an Intern (God, Justin is old.)
• 2. When Garman was hired full-time as a product manager in 2006, AWS had three people in Sales
• 3. Amazon taught him the importance of knowing things in depth and in detail.
• 4. He sees it as his job to remove blockers.
• 5. Garman loves a good debate.
  • Yeah, we all fought over politics at Thanksgiving. You’re not special. 
• 6. Diving deep is one of his skills, Garman thanks family for that.
• 7. Security will always be AWS’s and Garman’s number on priority.
  • A good copywriter could have pointed out that this should have been number one on the list. 👀
• 8. Garman wants to make sure AWS customers can take advantage of generative AI.
• 9. He enjoys entering new situations to understand what makes things tick.
• 10. Garman wants to pay it forward.
  • You got cash. We get it. 

28:39 📢 Jonathan – “Yeah, I wonder what leadership development advice I’ll offer to kids who have very different prospects of jobs when they’re older, given what AI is doing to the world.”

29:13 AWS analytics services streamline user access to data, permissions setting, and auditing

• You can now use BI tools like Tableau, to propagate end-user identity down to Amazon Redshift.  
• This simplifies the sign-in experience, allows data owners to define access based on real end-user identity and it allows auditors to verify data access by users. 
• Trusted identity propagation relies on standard mechanisms like Oauth2 and JWT.  

29:47 📢 Jonathan – “That’s pretty cool. I thought that’s how SSO was supposed to work in general though. If you SSO’d into Tableau and Octa was the provider of that, then you would, and you redirected to Redshift for example, you would automatically be logged in. Isn’t that the point of checking the box that says stop pestering me to log in? I don’t know.”

31:51 Build More Sustainable AWS Workloads with the Sustainability Scanner   

• AWS is releasing a new sustainability scanner to fit easily into a developer workflow.  
• It provides a sustainability score and a report with sustainability improvements that can be readily implemented in ocde.  
  • This can be run on your local machine or part of a CI/CD Pipeline. 
• The susscanner (no, this isn’t something your kid uses in Among Us) can be run locally against your cloudformation template and provides a report with recommendations right in the console. 
• I would love to see this get expanded to Terraform or CDK. 

25:28 📢 Matthew – “I think this is nice that people are hopefully are starting to think about sustainability day one, like security and moving all this. And I say this as I vomit a little bit my mouth to the left a little bit more. But also at one point when you throw every single tool in front of a developer, all they’re going to do is just get mad at the tools. So you should make sure that if you are implementing this, it is at the right time in your actual software development lifecycle. Otherwise, it’s another thing to ignore.”

GCP

34:36 Anthropic’s Claude 3 Opus and tool use are generally available on Vertex AI

• Claude 3 Opus is now GA on Vertex AI.  
• With vertex AI you can enable subscription based pricing with guaranteed performance and cost predictability. 
• The existing pay as you go option remains available.
• Want to check out the other members of the Claude 3 family? There’s Opus, Sonnet, and Haiku. Please tell us that Limerick is next?

34:55 📢 Jonathan – “I have used Opus, I subscribe through Anthropics website to Opus, $20 a month. And I wanted it for a very specific use case. I had some large documents, which were medical reports actually. And I also had some legal documents and some California education board guidelines and things. Anyway, I ingested all those things into Claude and asked it to write me some very interesting emails and kind of legal arguments. And it was fantastic. And I obviously read through what it said and verified everything that it said was good. And I was incredibly impressed by the size of the context window and the amount of context it can keep in mind. That’s a questionable word to use when answering questions. It was super impressive.”

37:54 Easily stream data from AWS Kinesis to Google Cloud with Pub/Sub import topics

• Google is announcing external source support for Pub/Sub with the first one being Amazon Kinesis Data Streams. 
• One of the uses cases that Google is excited about is taking your business with variable volume residing in Kinesis data streams, and using this capability to ingest the data to BigQuery, making it easier and faster than ever to analyze the data that impacts your business without ETL or other transform methods to BigQuery. 
• I can’t wait to see them add Kafka and other messaging buses to this. 

38:34 📢 Jonathan – “This kind of screams we’ve got a new product coming and we want to take data from other clouds.”

41:48 Introducing Google Cloud NetApp Volumes Flex volumes, auto-tiering, and more 

• In August 2023 Google launched Google Cloud NetApp Volumes which provided fully managed file storage service and offered robust-yet-simple data management capabilities. 
• They continue to innovate on this capability with several new features this week.
• Flex Storage Service level of 99.9% zonal or regional at 99.99% SLA’s. 
• NetApp Volumes has been certified as a datastore for google cloud vmware engine, making it easier to scale storage and compute, and migrate VM-based applications. 
• Expansion of Auto-tiering for NetApp Volumes now in preview. 

Azure

44:08 Azure Virtual Network Manager’s virtual network verifier is now in public preview

• When everything is virtual, you have to do that thing (that my mom totally doesn’t do that drives me insane) where you get to the airport and pass all the shops and food to verify that your gate exists…AND THEN go get your overpriced snacks. 
• That’s what Azure is giving you this week with the Azure Virtual Network Manager Virtual Network Verifier.  
• Virtual network verifier enables you to check if your network policies allow or disallow traffic between your Azure network resources. It helps you answer simple diagnostic questions, triage why reachability isn’t working as expected and prove the conformance of your Azure setup to your organization’s security compliance requirements. 

45:38 General Availability: VM Hibernation for General Purpose VMs    

• VM Hibernation for general-purpose VMs is now GA in all public regions. Hibernative is supported on both Windows and Linux operating systems, allowing you to hibernate and save compute costs.

45:55 📢 Jonathan – “It’s even better for spinning up machines quickly.” 

46:25 Enhance your security capabilities with Azure Bastion Premium  

• Azure Bastion Premium is a new SKU for customers that handle highly sensitive virtual machine workloads. 
• Its mission is to offer enhanced security features that ensure virtual machines are connected securely and to monitor virtual machines for anomalies. 
• The first set of features includes ensuring private connectivity and graphical recordings of virtual machines connected through Azure Bastion. 
• The advantages are enhanced security, with the previous Sku providing a public ip address as the point of entry to their target virtual machines. 
• However, Azure Bastion Premium SKU takes security to the next level by eliminating the public IP. instead of relying on the public IP address, customers can now connect to a private endpoint on Azure Bastion. This eliminates the need to secure a public IP. 
• Graphically recording virtual machine sessions aligns with internal policies and compliance needs. 
• Additionally, keeping a recording of virtual machine sessions allows customers to identify anomalies or unexpected behavior. 
• No pricing was published on the day of recording. 

47:44 📢 Matthew- “So the normal one for Azure Bastions, 29 cents per hour per instance. I believe you have to have two of them. So really it’s 58 cents an hour. This one is 45 cents an hour time too, so 90 cents. So it’s not a massive increase. It’s, I think it’s a couple hundred dollars a month, but I think it’s actually a really nice increase.”

50:53 Microsoft and Broadcom to support license portability for VMware Cloud Foundation on Azure VMware Solution 

• Microsoft and Broadcom are expanding their partnership with plans to support VMWare Cloud Foundation subscriptions on Azure VMWare Solution.  
• Customers that own or purchase licenses on Azure VMWare solution and their data centers giving them the flexibility to meet changing business needs. 
• This provides an additional purchase option for Azure VMware Solution, which Microsoft has sold and operated since 2019, which Justin remembers because he likes to point out how old he is. 

Oracle

52:03 Shatter the Million IOPS Barrier in the Cloud with OCI Block Storage 

• If you need to achieve an aggregate 1.3 million I/O operations per second up to 12GB per second throughput per OCI compute instance (because you can’t do math and realize this better run in your datacenter) OCI Block Volume service has you covered. 
• You can now attach up to 32 Ultra High Performance volumes to a single compute instance.  
• This is great for high performance I/O workloads, such as AI/ML, 3D modeling and simulation as well as demanding blockchain processing. 
• 1.3M is a 63% increase over their prior industry-leading 800,000 IOPS limit without any changes to CI storage pricing. 

53:45 📢 Justin – “I did go look this up because I knew you were going to ask this question. The previous 800 ,000 IOPS was achieved with 24 of the ultra -high performance disks. So they added more, and that’s how they got here.”

Closing

And that is the week in the cloud! Go check out our sponsor, Sonrai and get your 14 day free trial. Also visit  our website, the home of the Cloud Pod where you can join our newsletter, slack team, send feedback or ask questions at theCloud Pod.net or tweet at us with hashtag #theCloud Pod

And to close this week’s show – can we just reiterate – MFA. Please and thank you.