A lot has changed in cloud security. The basics have not.
AI workloads, Kubernetes platforms, multi-cloud setups, serverless services, and managed databases all add complexity. But the same core questions still decide whether your environment is reasonably secure:
Who has access? What data is sensitive? What is encrypted? What is logged? Who owns each security responsibility? How often are settings reviewed? What happens during an incident?
That is exactly what a good cloud security checklist should force you to answer.
We put together 7 essential steps for reducing cloud security risk, from data classification and IAM to monitoring, automated audits, and tested response plans.
If your cloud setup has grown faster than your security process, this is a good place to start.
https://mkdev.me/posts/cloud-security-checklist-7-essential-steps
AI workloads, Kubernetes platforms, multi-cloud setups, serverless services, and managed databases all add complexity. But the same core questions still decide whether your environment is reasonably secure:
Who has access? What data is sensitive? What is encrypted? What is logged? Who owns each security responsibility? How often are settings reviewed? What happens during an incident?
That is exactly what a good cloud security checklist should force you to answer.
We put together 7 essential steps for reducing cloud security risk, from data classification and IAM to monitoring, automated audits, and tested response plans.
If your cloud setup has grown faster than your security process, this is a good place to start.
https://mkdev.me/posts/cloud-security-checklist-7-essential-steps
mkdev.me
Reduce Cloud Security Risks with 7 Essential Steps | mkdev
Cloud security isn't just a tech problem—it's a human one, with 99% of breaches caused by simple user mistakes. In this article, Kirill Shirinkin offers a no-nonsense 7-step checklist that any team can follow to dramatically reduce cloud security risks, plus…
Good infrastructure code should be like good application code: clear, tested, versioned and automatically deployed.
That’s the mindset behind mkdev’s Infrastructure as Code & GitOps consulting.
Check out the page and schedule a call: https://mkdev.me/b/consulting/iac
That’s the mindset behind mkdev’s Infrastructure as Code & GitOps consulting.
Check out the page and schedule a call: https://mkdev.me/b/consulting/iac
mkdev.me
Infrastructure as Code & GitOps consultation for business | mkdev
Schedule a call to receive the Infrastructure Deployment consultation for Advanced level developers from industry experts
Prompt engineering is not security engineering.
This is one of the hardest lessons for product managers building with GenAI. A system prompt may look like a clean set of rules, but it is not the same as traditional application logic. It does not guarantee behavior. It is more like a very strongly worded suggestion to the model.
That matters when your AI feature is exposed to users. A customer-facing assistant might be told not to reveal sensitive data, not to generate illegal content, not to override company policies, and not to take dangerous actions. But malicious users can still try to bypass those instructions through jailbreaks or prompt injection attacks.
The business impact is not theoretical. A badly controlled AI system can create reputational damage, legal exposure, data leakage, or operational incidents. For PMs, that means AI features need proper boundaries beyond “we wrote a careful prompt.”
Good GenAI product management means asking: What can the model access? What actions can it trigger? What happens if the user tries to manipulate it? What checks exist outside the model itself?
We covered the practical risks product managers should understand in this article.
Read it here: https://mkdev.me/posts/genai-security-risks-for-product-managers-dd73bdc2-4f2e-4227-93b3-375da081d906
This is one of the hardest lessons for product managers building with GenAI. A system prompt may look like a clean set of rules, but it is not the same as traditional application logic. It does not guarantee behavior. It is more like a very strongly worded suggestion to the model.
That matters when your AI feature is exposed to users. A customer-facing assistant might be told not to reveal sensitive data, not to generate illegal content, not to override company policies, and not to take dangerous actions. But malicious users can still try to bypass those instructions through jailbreaks or prompt injection attacks.
The business impact is not theoretical. A badly controlled AI system can create reputational damage, legal exposure, data leakage, or operational incidents. For PMs, that means AI features need proper boundaries beyond “we wrote a careful prompt.”
Good GenAI product management means asking: What can the model access? What actions can it trigger? What happens if the user tries to manipulate it? What checks exist outside the model itself?
We covered the practical risks product managers should understand in this article.
Read it here: https://mkdev.me/posts/genai-security-risks-for-product-managers-dd73bdc2-4f2e-4227-93b3-375da081d906
mkdev.me
GenAI Security Risks for Product Managers
The third article of this series by Paul Larsen warns product managers about the major cybersecurity risks of GenAI—like data leaks, prompt jailbreaks, and injection attacks—and offers practical steps to keep AI use productive without endangering company…
Trying to reduce your Google Cloud Run costs?
Start with the less obvious places: VPC connectors, direct egress, and whether CPU really needs to be always allocated.
We explain both tips with a real billing example here: https://mkdev.me/posts/2-simple-tips-to-reduce-your-google-cloud-run-costs
Start with the less obvious places: VPC connectors, direct egress, and whether CPU really needs to be always allocated.
We explain both tips with a real billing example here: https://mkdev.me/posts/2-simple-tips-to-reduce-your-google-cloud-run-costs
mkdev.me
Cut Google Cloud Run Costs: 2 Proven Tips | mkdev
Discover key strategies to optimize costs with Google Cloud Run, including committed use discounts, reducing Compute Engine expenses through VPC connector adjustments, and managing CPU allocation. Learn how to cut cloud costs by up to 50% with practical examples.
This free course is all about understanding ArgoCD from the ground up. We will look at what ArgoCD does, why it matters, and how it organizes projects, applications, and deployments through its main features.
Articles: https://mkdev.me/posts/what-is-argo-cd-and-why-would-you-need-gitops
Video: https://www.youtube.com/playlist?list=PLozcbFx8FoPHUHoKfuSrkMO0ulZD-CHHu
Articles: https://mkdev.me/posts/what-is-argo-cd-and-why-would-you-need-gitops
Video: https://www.youtube.com/playlist?list=PLozcbFx8FoPHUHoKfuSrkMO0ulZD-CHHu
mkdev.me
ArgoCD & GitOps: Lightning Course for Kubernetes | mkdev
Dive into the introductory lesson of our ArgoCD Lightning Course. Designed for Kubernetes and Helm users, this article outlines ArgoCD's basics, explaining its role as a declarative GitOps deployment tool. Understand the difference between imperative and…
At small scale, microservices feel manageable.
At larger scale, every service needs to find other services, communicate securely, expose useful telemetry, support traffic shifting, and follow consistent authorization rules. Doing this separately in every application quickly becomes a mess.
That is where service mesh comes in. It gives platform teams a common layer for service-to-service communication, usually through a control plane and a data plane made of proxies.
Google Cloud’s Anthos Service Mesh, now Cloud Service Mesh, is one way to bring this model into GKE. It can simplify parts of the operational story, especially if you want managed mesh capabilities. But it also introduces important tradeoffs around sidecars, Envoy, Istio APIs, GKE Dataplane V2, eBPF, and Cilium.
The article is a good reminder that “managed” does not mean “you do not need to understand it”.
In 2026, service mesh is still powerful. It is also still something you should adopt deliberately.
https://mkdev.me/posts/is-google-cloud-anthos-service-mesh-a-mess
At larger scale, every service needs to find other services, communicate securely, expose useful telemetry, support traffic shifting, and follow consistent authorization rules. Doing this separately in every application quickly becomes a mess.
That is where service mesh comes in. It gives platform teams a common layer for service-to-service communication, usually through a control plane and a data plane made of proxies.
Google Cloud’s Anthos Service Mesh, now Cloud Service Mesh, is one way to bring this model into GKE. It can simplify parts of the operational story, especially if you want managed mesh capabilities. But it also introduces important tradeoffs around sidecars, Envoy, Istio APIs, GKE Dataplane V2, eBPF, and Cilium.
The article is a good reminder that “managed” does not mean “you do not need to understand it”.
In 2026, service mesh is still powerful. It is also still something you should adopt deliberately.
https://mkdev.me/posts/is-google-cloud-anthos-service-mesh-a-mess
mkdev.me
Google Cloud Anthos: Demystifying Service Mesh | mkdev
Explore how Google Cloud harnesses the power of service mesh for managing microservices in GCP. Pablo Inigo Sanchez's article breaks down the complexity of implementing service mesh in GKE using Anthos, highlighting the use of Istio and the potential of eBPF…
Infrastructure problems rarely announce themselves early. mkdev audits look into your cloud, Kubernetes and security setup, identify what needs improvement, and turn it into a practical action plan for your team. Check out the page and schedule a call: https://mkdev.me/b/audits
mkdev.me
mkdev audits and assessments for business
A full scope audit and analysis of your infrastructure and applications, including cost analysis and data protection, with a detailed report on how to improve your infrastructure
ClickOps is annoying when you have one project. It becomes dangerous when you have many.
That applies to OpenAI as much as it applies to AWS, Kubernetes or any other infrastructure platform. Once you have multiple teams, multiple projects, service accounts, API keys, limits and access rules, manual configuration becomes a source of inconsistency.
The Open Source Terraform Provider for OpenAI was built around that problem. It brings OpenAI administration into Terraform, so teams can manage resources in code instead of relying on screenshots, tribal knowledge and “who created this key?” conversations.
There is also a more experimental side: using OpenAI platform APIs inside Terraform workflows, including model responses and image generation, and even combining them with cloud providers like AWS.
It is a fun example, but the larger point is serious: GenAI platforms need the same engineering discipline as the rest of your infrastructure.
https://mkdev.me/posts/announcing-the-open-source-terraform-provider-for-openai
That applies to OpenAI as much as it applies to AWS, Kubernetes or any other infrastructure platform. Once you have multiple teams, multiple projects, service accounts, API keys, limits and access rules, manual configuration becomes a source of inconsistency.
The Open Source Terraform Provider for OpenAI was built around that problem. It brings OpenAI administration into Terraform, so teams can manage resources in code instead of relying on screenshots, tribal knowledge and “who created this key?” conversations.
There is also a more experimental side: using OpenAI platform APIs inside Terraform workflows, including model responses and image generation, and even combining them with cloud providers like AWS.
It is a fun example, but the larger point is serious: GenAI platforms need the same engineering discipline as the rest of your infrastructure.
https://mkdev.me/posts/announcing-the-open-source-terraform-provider-for-openai
mkdev.me
Introducing Open Source OpenAI Terraform Provider | mkdev
Tired of managing OpenAI configs by hand? mkdev just open-sourced a Terraform provider that lets you automate everything—from API keys to generative AI workflows—all as code. Read the article to see how it turns infrastructure and AI into one seamless experience.
Public IP, private IP, Cloud Run, Cloud SQL, Serverless VPC Connector… Google Cloud networking can get confusing fast. This video breaks down one practical setup step by step. Watch it now.
https://www.youtube.com/watch?v=MeynQIt3TD8
https://www.youtube.com/watch?v=MeynQIt3TD8
YouTube
How to connect Cloud Run and Cloud SQL internally
In this video we are going to learn how to change a Cloud SQL that it is using an external IP to connect to Cloud Run to an internal IP and a serverless Cloud Connector.
* https://mkdev.me/b/audits
*
If you or your company need consulting and training…
* https://mkdev.me/b/audits
*
If you or your company need consulting and training…
From DevOps and Cloud to AI: get the latest thoughts by Pablo and Kirill on all the news topics + a collection of personally curated interesting links, every other week in your Inbox! Subscribe to mkdev dispatch here: https://mkdev.me/categories/newsletter
mkdev.me
mkdev Dispatch – Bi-Weekly Newsletter on DevOps, AI & Cloud Native
Subscribe to mkdev dispatch, your go-to bi-weekly newsletter for insightful articles and essays on DevOps, Public Cloud, and Cloud Native technologies.
Cloud cost optimization usually starts with quick wins: delete unused resources, rightsize oversized instances, clean up old snapshots, shut down non-production environments outside working hours, and add budget alerts.
But the bigger savings usually come later, when teams start treating cost as an architectural constraint.
That means choosing the right purchase model for steady workloads, using spot capacity where interruptions are acceptable, moving rarely accessed data to cheaper storage tiers, avoiding unnecessary cross-region traffic, and designing systems that scale with demand instead of running at peak capacity all the time.
The goal is not to spend as little as possible. The goal is to stop paying for waste while keeping reliability and performance where they need to be.
https://mkdev.me/posts/the-ultimate-guide-to-cloud-cost-optimization
But the bigger savings usually come later, when teams start treating cost as an architectural constraint.
That means choosing the right purchase model for steady workloads, using spot capacity where interruptions are acceptable, moving rarely accessed data to cheaper storage tiers, avoiding unnecessary cross-region traffic, and designing systems that scale with demand instead of running at peak capacity all the time.
The goal is not to spend as little as possible. The goal is to stop paying for waste while keeping reliability and performance where they need to be.
https://mkdev.me/posts/the-ultimate-guide-to-cloud-cost-optimization
mkdev.me
Cloud Cost Optimization: Proven Tactics for Savings | mkdev
Most companies are bleeding money in the cloud without realizing it — but it doesn’t have to be this way. In this article, Kirill Shirinkin breaks down practical, no-nonsense strategies that can cut cloud costs by up to 72% without sacrificing performance.…
Cloud projects don’t fail because AWS or GCP lack options. They fail because there are too many options, too many shortcuts and not enough clarity. mkdev helps teams design practical cloud solutions that fit their business. Check out the page and schedule a call: https://mkdev.me/b/consulting/public-cloud
mkdev.me
Public Cloud (AWS and GCP) Consulting | mkdev
Schedule a call to get a first consultion about your AWS or GCP project with us
A vector database can help your AI system understand “what the user means.” But your business probably also needs to know “which records are allowed,” “from which period,” “under which category,” and “according to which rules.”
That is why choosing a database for AI should not be a trend-driven decision. Vector databases, relational databases, NoSQL systems, and data warehouses all have their place. The difficult part is understanding where semantic search ends and structured retrieval begins.
The more serious the AI product, the more important this distinction becomes.
Before building another RAG prototype, it is worth asking whether the problem is actually semantic, structured, or a combination of both.
https://mkdev.me/posts/which-database-when-for-ai-are-vector-databases-all-you-need
That is why choosing a database for AI should not be a trend-driven decision. Vector databases, relational databases, NoSQL systems, and data warehouses all have their place. The difficult part is understanding where semantic search ends and structured retrieval begins.
The more serious the AI product, the more important this distinction becomes.
Before building another RAG prototype, it is worth asking whether the problem is actually semantic, structured, or a combination of both.
https://mkdev.me/posts/which-database-when-for-ai-are-vector-databases-all-you-need
mkdev.me
AI Databases: When to Choose Vector vs SQL | mkdev
Paul Larsen explores semantic search with Generative AI and LLMs, discussing Retrieval-Augmented Generation (RAG). He compares vector and relational databases using German Masters Swimming data and provides insights on selecting the right database for business…
Custom customer domains are a common SaaS feature, but SSL automation can become painful fast. This article shows how to handle it with Cloudflare, AWS ALB and a setup that can scale beyond a few domains. Read the full guide: https://mkdev.me/posts/how-to-setup-dynamic-customer-domains-with-ssl-cloudflare-and-aws-alb
mkdev.me
Automate SSL for Dynamic Domains with CloudFlare & AWS ALB
In his new article, Pablo Inigo Sanchez tackles the complexities of managing SSL and DNS for SaaS products that use a customer's domain name. Let's discusses the inherent issues with AWS's 25 SSL Certificates limit per ALB. Pablo suggests an efficient alternative…
Need practical cloud and AI knowledge?
mkdev webinars cover Google Cloud Run & Databases, AWS Load Balancer Controller 101, and Scaling AI Across Your Business.
Check them out and register here: https://mkdev.me/webinars
mkdev webinars cover Google Cloud Run & Databases, AWS Load Balancer Controller 101, and Scaling AI Across Your Business.
Check them out and register here: https://mkdev.me/webinars
mkdev.me
Free DevOps, Cloud and AI Webinars from industry experts
Master DevOps and Cloud Native technologies and AI with mkdev's free webinars.
👍1
AWS Fargate is still one of the most practical ways to run containers on AWS when you want production infrastructure without managing EC2 instances, node groups, patching, or cluster capacity.
You still need to understand the pieces around it: ECR for the image, ECS task definitions for CPU, memory, ports and IAM roles, an Application Load Balancer for routing traffic, Route 53 or Cloud Map for service discovery, and CloudWatch for logs. Fargate removes server management, but it does not remove architecture.
This mkdev article walks through the full path using a simple Spring Boot application, from local build to a running ECS service behind a load balancer.
Useful if you want to understand what “serverless containers” actually means in AWS.
Read the article here: https://mkdev.me/posts/aws-fargate-101-run-production-applications-without-servers
You still need to understand the pieces around it: ECR for the image, ECS task definitions for CPU, memory, ports and IAM roles, an Application Load Balancer for routing traffic, Route 53 or Cloud Map for service discovery, and CloudWatch for logs. Fargate removes server management, but it does not remove architecture.
This mkdev article walks through the full path using a simple Spring Boot application, from local build to a running ECS service behind a load balancer.
Useful if you want to understand what “serverless containers” actually means in AWS.
Read the article here: https://mkdev.me/posts/aws-fargate-101-run-production-applications-without-servers
mkdev.me
Deploy Production Apps on AWS Fargate: Step-by-Step Guide
With AWS Fargate you can run your applications in containers and in production without thinking about servers at all. In this article, Pablo will show you how to run a simple Spring Boot application in Fargate, put it behind an Application Load Balancer and…
Security audits should not end with a PDF nobody uses.
mkdev’s Kubernetes Security Audit combines interviews, hands-on cluster analysis and concrete recommendations, including backlog-ready user stories your team can actually act on.
Check out the page and schedule a call: https://mkdev.me/b/audits/kubernetes-security-audit
mkdev’s Kubernetes Security Audit combines interviews, hands-on cluster analysis and concrete recommendations, including backlog-ready user stories your team can actually act on.
Check out the page and schedule a call: https://mkdev.me/b/audits/kubernetes-security-audit
mkdev.me
Kubernetes Security Audit | mkdev audits for business
Navigating the web of Kubernetes security demands a nuanced understanding and a meticulous eye for detail. That's where our expert team comes into play.
A lot of AI demos look impressive because they solve the easy part: getting a plausible answer from a small example.
The harder part comes later. How do you load the data reliably? How do you test the retrieval pipeline? How do you version the data? How do you handle access control, governance, and domain-specific terminology? How do you know that the system is still working next month, not just in today’s demo?
That is where the database choice starts to matter. A dedicated vector database may be excellent for fast experimentation, especially for pure semantic search. But if your company already has mature relational data, existing governance processes, and a team comfortable with SQL, jumping straight into a new vector database may create more complexity than value.
For many AI use cases, the best first step is not “add another database”. It is “look at what your current database can already do”.
That is less exciting than demo-ware, but much closer to production reality.
Read the article: https://mkdev.me/posts/which-database-when-for-ai-vector-and-relational-databases-in-practice
The harder part comes later. How do you load the data reliably? How do you test the retrieval pipeline? How do you version the data? How do you handle access control, governance, and domain-specific terminology? How do you know that the system is still working next month, not just in today’s demo?
That is where the database choice starts to matter. A dedicated vector database may be excellent for fast experimentation, especially for pure semantic search. But if your company already has mature relational data, existing governance processes, and a team comfortable with SQL, jumping straight into a new vector database may create more complexity than value.
For many AI use cases, the best first step is not “add another database”. It is “look at what your current database can already do”.
That is less exciting than demo-ware, but much closer to production reality.
Read the article: https://mkdev.me/posts/which-database-when-for-ai-vector-and-relational-databases-in-practice
mkdev.me
AI Databases: Vector vs. Relational in Practice | mkdev
Part 2 of Paul Larsen's series dives into the mechanics of relational and vector databases for AI. Discover how combining these tools enhances data retrieval, linking theory to practical solutions for business applications.
In this practical video, we deploy an HTTP-triggered Google Cloud Function using GitHub Actions instead of the UI or gcloud.
Push to main, run the pipeline, deploy the function, test it with curl.
Watch the video to see the full workflow: https://www.youtube.com/watch?v=B2VhvYZDXvM
Push to main, run the pipeline, deploy the function, test it with curl.
Watch the video to see the full workflow: https://www.youtube.com/watch?v=B2VhvYZDXvM
YouTube
How to deploy Google Cloud Functions with GitHub Actions
Cloud Functions is the serverless compute platform created by Google to be used in the Google cloud. Is an event-driven model and in our example, we are going to use an HTTP call to trigger our function example.
GitHub Actions is the way used by GitHub to…
GitHub Actions is the way used by GitHub to…
🔥1
In the 94th mkdev dispatch Kirill discusses the short rise and the quick fall of AI browsers development: https://mkdev.me/posts/ai-browsers-are-dead-94
mkdev.me
Why AI Browsers Fail to Innovate | mkdev
In the 94th mkdev dispatch Kirill discusses the short rise and the quick fall of AI browsers development.
There is no universal winner between Terraform and Pulumi.
For many companies, Terraform is still the safer default. It is familiar, widely adopted, easy to hire for, and well suited for teams that want infrastructure described in a predictable declarative format.
Pulumi shines in a different situation: when your infrastructure logic becomes too awkward to express cleanly in HCL. If you need complex conditionals, loops, reusable abstractions or developer-style testing, using a real programming language can be a big advantage.
But that advantage only matters if the team maintaining the infrastructure is comfortable with that language. Otherwise, you may just move the complexity from HCL into Python or TypeScript.
That is the real decision: not “which tool is better?”, but “which tool matches the way this team actually works?”
We covered the trade-offs in this article: https://mkdev.me/posts/should-you-use-terraform-or-pulumi
For many companies, Terraform is still the safer default. It is familiar, widely adopted, easy to hire for, and well suited for teams that want infrastructure described in a predictable declarative format.
Pulumi shines in a different situation: when your infrastructure logic becomes too awkward to express cleanly in HCL. If you need complex conditionals, loops, reusable abstractions or developer-style testing, using a real programming language can be a big advantage.
But that advantage only matters if the team maintaining the infrastructure is comfortable with that language. Otherwise, you may just move the complexity from HCL into Python or TypeScript.
That is the real decision: not “which tool is better?”, but “which tool matches the way this team actually works?”
We covered the trade-offs in this article: https://mkdev.me/posts/should-you-use-terraform-or-pulumi
mkdev.me
Terraform vs Pulumi: Which IaC Tool Fits Your Needs?
Explore an article by Pablo Inigo Sanchez discussing the differences between Terraform and Pulumi, two popular infrastructure-as-code tools. Learn about their strengths, weaknesses, and key distinctions to make an informed decision for your project.