What are
/r/aws'
favorite Products & Services?
From 3.5 billion Reddit comments
The most popular Products mentioned in /r/aws:
The most popular Services mentioned in /r/aws:
Amazon Web Services
Amazon Elastic Compute Cloud
SlideShare
elasticsearch
DEV Community
Cloudflare
AWS Route 53
Rclone
Server Fault
Auth0
MxToolBox
Stack Overflow
AWS Cloud9
Kubernetes
Let's Encrypt
The most popular Android Apps mentioned in /r/aws:
FolderSync
JuiceSSH - SSH Client
Authy 2-Factor Authentication
Cloud Pros- AWS Certified Arch
The most popular VPNs mentioned in /r/aws:
The most popular reviews in /r/aws:
The first thing you need to do is make sure you've turned off the service completely. AWS won't offer a refund for anything that's still running.
Next, contact support and tell them what happened. They're the only ones who can sort this out.
Check out Macie's pricing here, they have an example of what real world usage would cost: https://aws.amazon.com/macie/pricing/
Use roles instead of keys wherever possible.
Create billing alerts.
Call your AWS rep to ask if they can forgive some of the fees.
Trace how the keys got out - a common vector is pushing stuff to github with keys in it. If you can't find it, check the admin's work and personal emails on https://haveibeenpwned.com/ - they might be reusing their passwords elsewhere.
Do the admins have their own accounts, so you know which one caused the leak?
- NAT traversal
- 4-byte ASN (in addition to 2-byte ASN)
- CloudWatch metrics
- Reusable IP addresses for your customer gateways
- Additional encryption options; including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
- Configurable tunnel options
- Custom private ASN for the Amazon side of a BGP session
vpn-categories
- We are on our way to reserve more instances, so release of C5 instances would be great.
- Python 3 and Go in Lambda
- RDS encryption on smaller instances
- ES vpc support
- ES Data encryption at rest
Edit:
- for loops in CF as OP mentioned
Edit2:
- RDS snapshot events (Just like the EBS snapshot events; https://aws.amazon.com/about-aws/whats-new/2016/11/introducing-cloudwatch-events-for-amazon-ebs-snapshots/)
- EIP tagging
Edit3:
- API Gateway custom domain names support ACM.
- Ability to add trusted CA/trusted cert to API gateway. Eg, we're using RapidSSL certs and Lets Encrypt, but they're not a trusted CA according to: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-supported-certificate-authorities-for-http-endpoints.html
- A way to use ACM certs inside EC2 instances. This is probably a hard one, but the cert key could be retrieved via Metadata, parameter store or similar.
- SG rules tagging
t2.micro is like Raspberry Pi. You want to run production database on t2.micro and then scale/expand it? Expand to where? Vertically? Take it down to change instance type? Horizontally? Sharding? I don't believe you know what it takes to run databases.
You aren't going to get a better bang for a buck with a dedicated server. To get anything close to Hetzner SX1 at ~$80 p/m you'd need something like a c5.4xlarge which'll cost $576 p/m on-demand (eu-west-1). Again, the dedicated server will run circles around the virtualised c5.4xlarge. Don't forget the 4 x 6 TB SATA 3 Gb/s hard drives the Hetzner comes with. How much is that additional cost with Magnetic EBS at $50 per 1TB? Wanna check how much 30TB traffic costs on AWS that's included in the Hetzner's price $80 p/m price?
My point is not that anyway. If you say "I won't use AWS service, I'd rather build it myself because look at EC2 pricing", then you're doing it wrong. People don't use AWS because it's cheaper, cloud is always much much more expensive compared to dedicated hosting as in my example above. People use AWS, and pay premium for it to take away the operational burden and focus on their core competencies - build, ship, deliver service/product or whatever it is.
Great question! You can use SAM to build your Serverless applications locally. See: https://github.com/awslabs/aws-sam-local/ SAM helps you generate your Lambda deployment packages and export them. Also check out our Code Star service for automated deployments: https://aws.amazon.com/codestar/ -George
So you need to pay for storage space in S3, then the additional cost of data transfer.
250GB... US$6/mo. https://aws.amazon.com/s3/pricing/
Data transfer... 1GB/day or 30GB/mo.
S3 on its own, in Europe, 30x.09 = US$2.70.
Putting Cloudfront in front of S3, counterintuitively, actually looks to be cheaper. 30*.085=US$2.55.
So your ~US$130/mo for your current hosting is... not great.
EDIT: I misread. Corrected numbers.
From Amazon RDS Supports Stopping and Starting of Database Instances:
> You can stop an instance for up to 7 days at a time. After 7 days, it will be automatically started.
> The code that contributors gave in the past is still Apache licensed and always will be.
Take a look here
You can see as of 7.11 the code is not apache 2.0. This is the whole point. This is a move against open source.
Set up a cross-account access role rather than using the root account credentials. The top-right corner of your console will indicate the name of the account (you choose an arbitrary name + color coding).
https://aws.amazon.com/blogs/aws/new-cross-account-access-in-the-aws-management-console/
You can do all of this troubleshooting and mucking around, or you can just look at the free cloudwatch metric: https://aws.amazon.com/blogs/aws/new-burst-balance-metric-for-ec2s-general-purpose-ssd-gp2-volumes/
Also, provisioned iops aren't the only solution. Increasing the size of the EBS volume (over 100 GB) increases your performance threshold.
Docker doesn't really come into play here, you would see the same issue without it. Whatever process he's running on that server is exhausting the available storage throughput.
As always, remember the USE method of troubleshooting. Utilization, Saturation, Errors: http://www.brendangregg.com/usemethod.html
Same thing, here. Also in Australia.
In the Personal Health Dashboard, there is now this clarification:
> You recently received an email from us regarding "Free Tier Limit Alert", the forecasted numbers are based on the Service usage for December 2017 and are for the Billing Period December 2017, this does not mean that you will be charged. > > Please access your AWS account to review your service usage and, where necessary, adjust your usage. You can find more information on AWS Free Tier here: https://aws.amazon.com/free/ > > Should you have closed your AWS Account within the last month you can ignore the previously sent email. > > Apologies for any inconvenience caused due to this. >
> Amazon S3 Standard and Standard - IA are designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects. For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years. In addition, Amazon S3 is designed to sustain the concurrent loss of data in two facilities.
https://aws.amazon.com/s3/faqs/
Note durability != availability.
Mostly re:Invent talks!
This one talks about some of the internal AWS deployment processes, including their internal use of CodeCommit and CodeDeploy:
https://www.youtube.com/watch?v=I61KKO1rAQ8
For the RDS example I cited, see this deck, which mentions it:
Some of the outage summaries AWS has done in the past shows how tied together various AWS services are.
The wildcard field type is a part of Elastics X-Pack feature set: https://www.elastic.co/subscriptions
OpenDistro, which AWS develops and are the base of the AWS ES service does not include any of the X-Pack features, as they're license incompatible.
It would be silly for Amazon to go after Microsoft on the application layer. Google has been unsuccessful with its office suite outside of education. MS Office is still the king in the enterprise by a wide margin.
As far as Chime, I’m not aware of anyone that uses the Chime application (as opposed to the SDK) outside of Amazon. Heck even Amazon is moving away from Chime for chat to Slack internally (https://slack.com/blog/news/slack-aws-drive-development-agility). The only thing Chime is good for is meetings. Once you add Chime to the invite, it auto calls you a minute before the meeting.
Not every company needs to compete in every field.
This might be more for the creative side — but I use this Figma template for building diagrams for my not-tech people at work. For me it’s easy to just search the name of the asset I’m looking for (cause like you I don’t really know the icons, but pretty familiar with the resources themselves), and then add text to it in the diagram like normal. Hope this helps someone and as a side note I don’t know if that template is/will be updated.
I am sorry, where are you getting this information? Serverless Aurora is just an auto-scaling Aurora configuration that can go down to 0 resource utilization. Aurora allows for Postgres or MySQL. It might add additional options in the future but there is nothing to suggest they are dropping these already existing options.
You can see my blog which has some gifs and a walkthrough here: https://aws.amazon.com/blogs/aws/launch-aws-glue-now-generally-available/
My major beef right now is that it can deal with compression but not archives so if you have multiple files in one .zip gotta decompress that.
Other than that I'm loving it. 11GB of BSON to Parquet in <5 mins.
The "1 GB normal data" to the internet has always been free forever. The post doesn't say "no longer limited to the first 12 months" because it never was limited like that.
See here: https://aws.amazon.com/ec2/pricing/on-demand/ or here: https://aws.amazon.com/s3/pricing/
The first 1GB of egress to the internet is free as part of the individual service's ongoing pricing. It's never been part of the 12 months "Free Tier".
How your business model works should be reflected carefully into your AWS architecture and I have to respectfully agree with others that if you're asking questions like this you are very, very, very behind the curve necessary to make this a successful venture. Even companies with millions of dollars to spend just building out an AWS environment alone get this stuff wrong all the time (and takes years to fix)
The competition is extremely stiff and margins are slim. Most companies that are able to sustain this business in developed countries (perhaps possible in Eastern Europe) don't even do hosting as their primary value - they up-sell to marketing departments and integrate with Salesforce and Pardot, for example, as something important for a company. Look at companies like Pantheon or arguably Squarespace, for example.
Furthermore, you should be able to do some math quickly (< 5 minutes unless your native language isn't English but the AWS website is in many different languages) and realize how much you'd have to charge customers just to break even on costs for an unused Wordpress site without doing tricks like reserved instances [1] - AWS instances are billed by the hour and so are RDS instances. Even for a barebones site you'd be looking at $80 / mo which almost nobody will pay for a basic Wordpress site. So the only way the economics could work out for you is to charge a lot more than $80 / mo for a Wordpress site (which nobody does for just a Wordpress site like I said unless they're truly ignorant and can be swindled - usually like in Pantheon's case it's marketing tools bundled), or you have to stuff a lot of customers onto each RDS database and EC2 instance. This immediately destroys the one-customer-per-account schema that others have been talking about with Control Tower and AWS Organizations.
[1] https://aws.amazon.com/ec2/pricing/ [2] https://aws.amazon.com/rds/mysql/pricing/
If you're only doing this for testing purposes, consider using spot instances. You should receive a significant discount on the price and if Amazon terminates the instance because you're outbid, you won't be charged for the partial hour. You can also specify defined durations with your bid, so it can guarantee the running instance in hourly increments up to 6 hours, with a decent discount still included. I'm not sure what your use case is or how long you're planning to run the instance, but something to consider.
Play around with the spot bid advisor.
My concern is that creating your own rules is impractical and expensive. Blocking by IP Address? Fools errand in the world on botnets. Creating my own string matching for SQL injection? There are so many ways for these to be written. Maybe I'm missing something but I prefer how CloudFlare does this.
Exactly. CloudWatch replaced almost all of logging and monitoring needs. Looked into 3rd parties like DataDog, but found CloudWatch can do almost all what they offer.
Side note, I would highly recommend using Grafana as a front end for CloudWatch. It offers a sweet CloudWatch data source that allows you to easily create dashboards from any CloudWatch metric - even custom ones.
Quick snapshot from our ECS cluster of workers all pulling metrics from CloudWatch. http://i.imgur.com/lwfRW5p.png
Read and fill out the form linked at https://aws.amazon.com/blogs/aws/reverse-dns-for-ec2s-elastic-ip-addresses/
Setting up reverse DNS also unblocks SMTP as they add your IP to spam whitelists too I did this recently. They are pretty quick with it but the whitelists can take a few days to be updated.
You will need some sort of email connected to the domain, regardless. Try using SES inbound on the domain. I set it up recently to deliver the mails to an s3 bucket, and felt like it was very straightforward. https://aws.amazon.com/about-aws/whats-new/2015/09/amazon-ses-now-supports-inbound-email/
> That is technically pointless, is it not?
Nope. Companies (and even Countries) can decide to inject their own scripts into every unencrypted page. They could put a bitcoin miner on all your pages. First pass, you will get the blame, and it's up to you to figure out where those scripts are really coming from.
AWS Organisations is due "soon" which might help/change things. Check the FAQ for details (as much as there are right now).
DNS changes usually take a while to propagate. In top of that, you might have it cached in your browser or OS.
Use tools like https://mxtoolbox.com/DNSLookup.aspx to check where is the DNS actually pointing (but again, it might take a while to propagate).
Also, to check properly, delete the cache of your browser, and restart it just in case.
Here's the post you're waiting on: https://aws.amazon.com/blogs/aws/new-managed-nat-network-address-translation-gateway-for-aws/ Ahhhhh this will improve my life. How soon till we have cloudformation support?
>At the meeting, we were immediately met with opposition
Oh boy im going through the exact same thing with a client's internal team. It is hilarious
>he meeting started with all of the Exec's telling how long they had been working at the university (for everyone 15+ years) and how they had been in the industry longer than we had been alive.
So buckle up and prepare for a battle. This is gonna be a long painful process but if you keep up with it and work with the guys you might be able make some head ways. The goal is to sit down with these guys and get their concerns and address the concerns. You need these people to be on your side if you want this to work so while as much as of a pain its gonna be, you are gonna need to work closely with this team that is pushing back. That means meeting with them often teaching them about cloud and how the old mindset of "its not secure" is just plain wrong.
Start here:
https://aws.amazon.com/whitepapers/
DOD, CIA, FBI, NSA, etc etc etc are already utilizing cloud environments like AWS.
Costs will vary slightly, based on what region your infrastructure is in. For purposes of this estimate, we'll assume N. Virginia. Pro-tip: Don't host anything in N. Virginia. It is the oldest region, and experiences issues frequently.
Get requests (assumes maximum traffic)
The charge is $0.004 per 10,000 GET requests. (source). Based on your requirements (300 x 6 x 20,000), you'll have 36 million GET requests/day. This equates to $14.40/day or $432.00/month. Look into AWS' CDN (CloudFront) to reduce cost.
Storage costs
0.023 per GB. Insignificant for your purposes.
Here you go.
Currently, you can store or transmit PHI using the following services:
- Amazon API Gateway excluding the use of Amazon API Gateway caching
- Amazon Aurora [MySQL-compatible edition only]
- AWS Database Migration Service
- AWS Direct Connect
- Amazon DynamoDB
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Elastic Compute Cloud (Amazon EC2)
- Elastic Load Balancing
- Amazon Elastic MapReduce (Amazon EMR)
- Amazon Glacier
- Amazon Redshift
- Amazon Relational Database Service (Amazon RDS) [MySQL, Oracle, and PostgreSQL engines only]
- Amazon Simple Storage Service (Amazon S3) excluding use of Amazon S3 Transfer Acceleration)
- AWS Snowball
AWS has a nice white paper on architecting your platform for HIPAA compliance right here
> Q: Can I create HTTPS endpoints? > >Yes, all of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.
From the FAQ
Check out http://php.net/manual/en/function.date.php on how to format dates in PHP.
The format you should be using (if saving to a datetime type in mysql) is date("Y-m-d H:i:s").
In your code you are using the month as the minute.
I haven't used it personally, but it looks like this project has code for automating the creation of AWS accounts and linking them for consolidated billing.
The way you'd (probably) want to do this is have a "master" IAM user in your main account, and then create IAM roles in each of the child accounts that allow switching to them from the "master" IAM user. Then to do things in those child accounts, you'd switch to the child account's role and do whatever you need to do.
Depending on the timing, you may be able to use AWS Organizations, which is currently in preview, but was made specifically to do this kind of thing.
> Q. After my data has been imported to AWS, what happens to the copy on Snowmobile? > > When the data import has been processed and verified, AWS performs a software erasure of the Snowmobile that follows the National Institute of Standards and Technology (NIST) guidelines for media sanitization (NIST 800-88). >
> Q. How is Snowmobile designed to keep data secure digitally?
>
> Your data is encrypted with keys you provided before it is written to the Snowmobile. All data is encrypted with 256-bit encryption. You can manage your encryption keys with the AWS Key Management Service (AWS KMS). Your keys are never permanently stored on the Snowmobile, and are erased as soon as power is removed from the Snowmobile.
So pretty much the same as any other service they provide.
Ok, here we go. What you're seeing is the full Smartmontools drive database, it can also be found on their Sourceforge page: https://sourceforge.net/p/smartmontools/code/HEAD/tree/trunk/smartmontools/drivedb.h
The command is outputting all possible drive types for /dev/xvdf which it has in it's database, not drives currently attached.
You might also want to try SoftEther VPN. It's an open-source P2TP VPN server written by the University of Tsukuba in Japan. It is free, easy to use and most importantly it supports clustering and thereby scaling horizontally.
Billed on number of characters Polly processes. So as soon as you upload it and Polly processes you are charged. In regards to pricing around the downloading AFAIK that would just be standard data transfer charges and probably very little in your case compared to the cost of Polly processing https://aws.amazon.com/polly/pricing/
you can do this with elastic search pretty easily
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-suggesters-completion.html
AWS have managed elastic search, its a piece of cake to maintain and setup.
There are a number of basic approaches:
The most straightforward method to simply get more instances is to create an AMI out of your wordpress instance, and use an RDS instance for all the data.
Then you can setup autoscaling with this AMI, and have it scale up to more instances when CPU usage crosses a certain threshold.
If your site is mostly static data, you can heavily cache it with cloudfront. This will allow your single server to offload most read requests to cloudfront. Check this out: https://aws.amazon.com/blogs/startups/how-to-accelerate-your-wordpress-site-with-amazon-cloudfront/
You can also do something like this: https://getshifter.io/
The lambda free tier is forever (or until they change it).
"The Lambda free tier includes 1M free requests per month and 400,000 GB-seconds of compute time per month.
[---]
The Lambda free tier does not automatically expire at the end of your 12 month AWS Free Tier term, but is available to both existing and new AWS customers indefinitely."
We have over a thousand instances in 40 AWS accounts and we have not encountered any scaling limits. IAM EC2 role permissions are typical of any snapshot based backup product (to backup it needs to read the volume data and create snapshots, to restore it needs to read snapshots and create volumes/instances).
CPM is just scheduled EC2 snapshots, so it is easy to understand and can be used even without CPM. For example here is a snapshot created by CPM:
snap-0dbfc89a105aaaaaaa,2017-07-31T11:57:09.000Z,8,CPM policy Atlassian| vol: vol-6350fbbbb instance: i-154bcccc,vol-63ddddd,completed,100%
Can see CPM snapshots like all other snapshots in console or with describe-snapshots. So easy to understand and restore even without CPM.
Lamba based backups are great too, AWS even provide EBS Snapshot Scheduler Lambda function:
https://aws.amazon.com/answers/infrastructure-management/ebs-snapshot-scheduler/ but for easy of managements my experience is CPM is hard to beat. Furthermore we needed a) consistent backups and b) cross-account backups (data bunker) and CPM provides this out of the box.
Make sure you have valid e-mail addresses in the WHOIS record for the domain that aren't hosted on your domain. The verification e-mails are sent to those in addition to the domain's own special addresses (hostmaster, admin, etc.).
You can't generate two separate invoices for one account, but here are two options:
* Use Cost Allocation Tags
* Separate account for each project - This would give you separate invoices. You can setup cross-account users to easily switch between the accounts.
Official announcement here: https://aws.amazon.com/about-aws/whats-new/2017/06/amazon-rds-supports-stopping-and-starting-of-database-instances/
I found this part to be weird: "You can stop an instance for up to 7 days at a time. After 7 days, it will be automatically started."
This covers off what's covered by free tier down to the swevrice level. To answer your question , 15gb of aggregate transfer out bandwidth across all services is the limit.
Also remember the free tier is limited to 12 months for many services. You'll need to start paying at that point.
Huh. Spot checking the Standard prices against the Reduced Redundancy prices, it seems that in some regions like Sao Paolo, RRS is cheaper than Standard. Others, like the US regions, RRS is more expensive. Infrequent Access is always far cheaper than either.
RRS has the lowest durability of any tier. IA has the same durability SLA as Standard, with a lower availability SLA, at a much lower price. I'm struggling to think of a use case where I'd want RRS over IA.
The process is still not as graceful as it should be. AWS is improving ECS, but autoscaling currently will kill an instance with tasks still running on it.
However AWS just announced a new way to mark an instance as draining which will remove a container instance from a cluster without impacting tasks in your cluster. One day this will likely be apart of autoscaling, but until then you'll need to create a custom process that's triggered by autoscaling lifecycle hooks which marks the instances as draining. This tells ECS to move all the tasks off the container and prevents autoscaling from terminating the instances until they are moved.
Here's a quick tutorial on how to do this: https://aws.amazon.com/blogs/compute/how-to-automate-container-instance-draining-in-amazon-ecs/
Hope to have some time soon to dive into this myself since this is a huge pain point for us at the moment too.
Overwrite PUT is eventually consistent so it's possible the old object would be returned. Shouldn't return an error.
> Q: What data consistency model does Amazon S3 employ?
> Amazon S3 buckets in all Regions provide read-after-write consistency for PUTS of new objects and eventual consistency for overwrite PUTS and DELETES.
AWS hasn't given us guidance, AFAIK, on the consistency "settling time" at 99.99+ percentiles, whether milliseconds or possibly much longer.
Only new object PUT gives read after write consistency.
I'm interested to see how it's priced, although I can't imagine it'd be cheap. Off-hand, I'd expect it to cost at least as much as dedicated hosts plus some amount to cover VMware's support / software / licensing.
Still, I imagine it'll be pretty attractive to some just because of this: > I believe one of the strengths of VMware Cloud on AWS service is that it allows administrators, operation teams and architects to use their existing skill set and tools to consume AWS infrastructure.
If you're already built on VMware stuff, this means you basically get a lot of the elasticity of the cloud without having to do anything different. I can see how that's huge, but I'm expecting the pricing to show just how different this is (on the backend) than the public cloud model.
Its in the documentation, https://aws.amazon.com/route53/faqs/#associate_multiple_ip_with_single_record
You need a single record with multiple values, also see here https://stackoverflow.com/questions/40841273/multiple-ip-addresses-for-resource-record-sets-of-route-53
> I know that building a mechanism to guarantee that something is only processed once is not trivial
You're severely underestimating how difficult it is.
> In my particular use case I'm dumping messages into elastic search and so I don't ever want to double up on documents and determining if a "document" already exists in this case would be a difficult and expensive proposition because there is no unique is aside from a timestamp but that could legitimately doubled up on this situation as many events can happen within a second.
If you don't want to insert duplicates into ElasticSearch, then you should use the ID field to identify the document. You could simply take a hash of the document and use that as the ID.
Building exactly once delivery is something most people consider to be impossible. I'm not entirely sure that's true, Kafka recently announced that they have achieved this, but for most mere mortals I think we should just pretend it is because it's so difficult to achieve it might as well be.
https://aws.amazon.com/premiumsupport/knowledge-center/close-aws-account/
>AWS Account Deletion AWS does not fully delete account information. This preserves an accurate customer history and makes it possible to reopen previously closed accounts. After your account is closed, you won't incur charges (other than those on the final monthly bill). If you are concerned about your personal information, you can log in and change information on the Account Settings page.
>Orphaned Resources Hardware used by a closed account is eventually allocated to other accounts. No other accounts will ever have access to the specific AWS resources that were associated with your account. If you are concerned about this, you can manually terminate or delete resources before closing the account. To determine the AWS resources that are associated with your account, visit Cost Explorer, Custom View.
This article immediately gets -5 points for calling it "Linux 2" like it's groundbreaking. It's "Amazon Linux 2" in all AWS literature. Following this articles logic Red Hat release "Linux 7" a few years ago and Ubuntu just release "Linux 18" now. Amazon, why are you only on "Linux 2"?
There's a dedicated network specifically for S3 transfers that you should be using all the time. This will eliminate the speed variance.
Something to consider here, if you're relying on automated snapshots for your RDS instances, then you may not actually have the data backed up in a way that's acceptable for your business requirements.
You may want to consider backing up important RDS data to S3, potentially in another region and another limited access account.
Don't use ELB. You don't need it if you're running a single instance.
Look up how to do SSL termination with Apache and use that instead. Quick search got me this guide: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
Also, if you really want to reduce costs, try changing your provider. AWS's cost is really only justified by their advanced features, but as you don't use them, I really wouldn't recommend it.
Scaleway for example might get you some really good prices.
You can see the rate card here: https://aws.amazon.com/s3/pricing/
1GB or less should cost you a few cents for storage. You pay about half a cent for 1k writes/10k reads.
I store a couple hundred megs of images and such in S3 for a website, along with a domain in route53.
My AWS bill averages about 56 cents a month. 50 cents for the Route53 domain and 6 cents for the website hosted in S3. It's pretty low traffic though.
If you desperately need it to be in an S3 bucket, you can write a shell script to use the aws cli to periodically sync a bucket with a local directory.
$ aws s3 sync help
This is safer anyway -- what if your network connection goes down? ...There goes your security camera footage.
After a full and complete investigation it turns out that a new hire set the "Destination Date & Time" dial in our DeLorean to the wrong time and the feature was accidentally beamed into the past. We have added some precautions to the AWS Time Travel Technology to prevent this from happening again. We also went back to before we wrote the launch procedure and inserted step "3A: Convert time from GMT to PDT." Not only will this never happen again, it never actually happened.
The feature is now public and you can read my blog post at https://aws.amazon.com/blogs/aws/use-cloudformation-stacksets-to-provision-resources-across-multiple-aws-accounts-and-regions/ to learn more!
The sqlite issue was fixed a few weeks ago: https://aws.amazon.com/about-aws/whats-new/2017/03/amazon-elastic-file-system-amazon-efs-now-supports-nfsv4-lock-upgrading-and-downgrading/
I only had a quick glance through the article, but I didn't see the author mention how large his EFS volume was. Like ELB, EFS scales performance based on the size of your volume. I notice the performance chart on that blog doesn't match the current throughput published by AWS (author lists 0.5 MiB/s where AWS lists 5 MiB/s).
EFS has a number of performance and tuning recommendations. I can't tell from the blog if the author followed them, but they seem to help. http://docs.aws.amazon.com/efs/latest/ug/performance.html
> What happens if I keep sending after I’ve used up my quota?
> If you have exceeded your quota, any additional attempts to send will result in an error.
750 hours per month of Linux, RHEL, or SLES t2.micro instance usage
The reason is says you get charged if you go over, is because you can spend your 750 hours the way you want. You can run 1 instance for 750 hours or 10 instances for 75 hours. So that is how you could exceed the limit.
So pricing - wise, yes: you can run a single t2.micro instance for 1 year at no cost. Not sure how the performance will be for rendering though. The t2.micro instances are quite low on CPU.
As an alternative, you could look into spot instances: https://aws.amazon.com/ec2/spot/. Not free, but cheap... with a few caveats.
Yes, ELBs for a single instance app are common, but often you'd have the app hosted with an autoscaling group that could be minimum 1, maximum 1 to allow for instance failure.
The DMZ is the public facing subnet, which may be sparsely populated to avoid just the attacks you're thinking off. The firewalls are stateful security groups or, less likely, stateless network access control lists.
Take a look at AWS Single VPC Design: Public and Privately Routed VPC, which explains this AWS design pattern as well as some additional context to the helpful answers that /u/Thundernick and /u/freddit123 provided
Keep in mind that different instance types have different network connections. You can pretty easily overpower the pipe on a t2.micro. Take a look at this Instance Types Matrix to compare network peformance (about halfway down): https://aws.amazon.com/ec2/instance-types/
> 1.4. If we reasonably believe any of Your Content violates the law, infringes or misappropriates the rights of any third party or otherwise violates a material term of the Agreement (including the documentation, the Service Terms, or the Acceptable Use Policy) (“Prohibited Content”), we will notify you of the Prohibited Content and may request that such content be removed from the Services or access to it be disabled. If you do not remove or disable access to the Prohibited Content within 2 business days of our notice, we may remove or disable access to the Prohibited Content or suspend the Services to the extent we are not able to remove or disable access to the Prohibited Content. Notwithstanding the foregoing, we may remove or disable access to any Prohibited Content without prior notice in connection with illegal content, where the content may disrupt or threaten the Services, pursuant to the Digital Millennium Copyright Act or as required to comply with law or any judicial, regulatory or other governmental order or request. In the event that we remove content without prior notice, we will provide prompt notice to you unless prohibited by law.
https://aws.amazon.com/service-terms/
Amazon staff read this reddit
Why exactly is using different accounts an anti-pattern?
Even /u/jeffbarr assumes that on his posts: https://aws.amazon.com/blogs/aws/new-cross-account-access-in-the-aws-management-console/
And cross-account IAM is there for a reason, also consolidated billing.
By the way, how do you differentiate traffic costs for your environments when they are under the same account? (You can't tag traffic). How do you tag specific S3 resources besides buckets? How do you tag REQUESTS to S3?
Bonus track: https://d0.awsstatic.com/aws-answers/AWS_Multi_Account_Billing_Strategy.pdf
First, make sure your really "need to failover to another region", as for most applications, failover to another availability zone is quite enough. Then, consider using snapshots and alarms instead of live replication, as that is significantly cheaper. Also, consider using AWS Data Migration Services: https://aws.amazon.com/dms/
There are many other solutions, from native and third-party replication tools to DRDB, but i'd keep away from that.
For people's info (relevant if you're thinking about lambda) -- the author claims that lambda functions > are stateless pieces of code that can't run for longer than 30 seconds
while in reality,
> All calls made to AWS Lambda must complete execution within 300 seconds. The default timeout is 3 seconds, but you can set the timeout to any value between 1 and 300 seconds. Since the post is from today, this seems erroneous rather than dated.
In order to run another virtualization platform in AWS (Hyper-V, VMWare, etc) you have to run a bare-metal instance. These are expensive because you're essentially paying for a dedicated server all for yourself. Bare-metal instances (any instance type ending in .metal, like z1d.metal, i3.metal, etc) can range anywhere from $0.41 per hour to $11 per hour depending on the kind of resources you're looking for. https://aws.amazon.com/ec2/pricing/on-demand/
You only pay for the bare metal instance, AWS doesn't care (or even know) how many VMWare servers you're running, all they see is the bare metal EC2 instance that's running.
EC2 pricing works similar to how you described, you're only charged for the time that an instance is running.
Can I ask what your plans are? Why use VMware instead of just using EC2? That would be likely more expensive and you'd lose a lot of the advantage of using AWS native services
Hi - thanks for joining today! On Demand instances always take precedence over Spot regardless of price. Even if your Spot max. price is set higher than On Demand, On Demand will still take priority. Check out this blog post to get a better understanding of the Spot pricing model: https://aws.amazon.com/blogs/aws/amazon-ec2-update-streamlined-access-to-spot-capacity-smooth-price-changes-instance-hibernation/
Regarding Cloudwatch, Cloudwatch events will trigger for every Spot instance interruption with the 2-minute warning. Keep in mind, interruptions happen less than 4% of the time. Check the Spot Instance Advisor page for average interruption rates per instance type: https://aws.amazon.com/ec2/spot/instance-advisor/ - Stephanie
You cannot launch EC2 instances directly from VMDKs stored in Glacier. You must use VM Import to save your images to S3/Glacier. Also check VMware Cloud on AWS
Open a ticket with support and provide the bucket in question along with CloudBerry results.
CloudWatch metrics, since July, allow you to create metrics on S3 usage.
Using the CLI, you can get sum of bytes consumed:
aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"
I use the metric along with a CloudWatch alarm to make sure S3 is within norms, then use the CLI to get more specifics.
EDIT: Added CLI info.
Are you storing lots of little files?
S3 has a minimum object size of 128KB. Stick a 64KB file in there, you get charged for 128KB. (update: article refers to Infrequent Access pricing, not sure if same limitation applies for 'normal' S3).
AWS has a Cost Calculator that's accurate. Keep in mind you'll probably need to know the lingo, what you want, and some idea on usage before you can get a true monthly cost. That should get you close though.
- For MySQL I recommend RDS. This is AWS's hosted MySQL option, and it's been rock solid for me. You can schedule automated backups ("snapshots"), and even have a standby in another availability zone if up time is critical.
- For a quad-core Zeon type of processor, I'd look at the M4.large series of instances. You may want 2+ of these machines for high availability though, just in case. If you want to auto-scale, AWS also has some autoscaling functionality you can look into.
- Depending on what you're looking for as far as data backup goes, take a look at S3, or Glacier for more long-term disaster recovery type storage.
Thats against their terms:
1.3. Promotional Credit you receive is personal to you. You may not sell, license, rent, or otherwise transfer Promotional Credit. Promotional Credit may be applied only to your AWS account, and may not be applied to any other account. AWS Promotional Credit has no intrinsic value, is not redeemable for cash, has no cash value, and serves merely as a means to recognize and provide an incentive to use our Services. Promotional Credit may not be purchased for cash and AWS does not sell Promotional Credit. Promotional Credit is nonrefundable.
I undestand you need your instances behind ELB to connect to a remote payment service, not the other way arround as other commenters understood?
If that's the case, assuming your instances behind ELB are in private subnet, your best bet would be to spin up a NAT instance with an Elastic IP in the public subnet and route all your requests to the payment service through there.
There's several ways to achieve NAT high availability. The most popular are either Autoscaling with min & max set to 1 or keeping a hot standby in another Availability Zone with health checks and automated route and EIP swap.
You can find more info about 2nd option here - https://aws.amazon.com/articles/2781451301784570
Any issues or assistance you need, just let me know.
you need to have several pieces: you need a shared storage for your database (RDS) you need to have shared storage for the uploaded files (S3 or EFS), you need to have a load balancer to have a single point in the frontend and distribute load if you need more than 1 instance, You also need an autoscale group to hold all your instances and manage the creation/deletion of app servers.
Read these two things: https://d0.awsstatic.com/whitepapers/wordpress-best-practices-on-aws.pdf https://aws.amazon.com/getting-started/projects/build-wordpress-website/
You'll find cloudformation to be a very important tool to reliably do this multiple times and it should be pretty simple to find a ready made template that you can use out of the box
> upload to S3 is free, no matter the amount.
No, if you look at s3 pricing page and scroll down to "Request Pricing" You'll see that there are charged for puts and gets.
If your backup is a single 2TB file, then puts is negligible, but if that 2tb is milliions of small files, then you may want to pay attention. even still 1,000,000 puts is only like $10/month. So still not too much, but it's not free.
Depends a lot on your location and current networking setup. If you already happen to have fibre from one of those ISPs that work with a DC partner, you get it for AWS port fees only. 200 bucks/mo for a 1gbit.
If you have fiber with someone else, you pay for peering. Another few hundred for the traffic.
If you don't have fibre, expect to drop a few hundred to a few thousand a month for the link.
If your office is far out for the city centre, expect to pay 10's of thousands for laying fibre.
I'd put 1000-1500 euros a month as a starter rate for 100mbit to any office park in a large city in europe.
For 10gb out in bumfuck, nowhere you'd be looking at 100k+ for setup costs and 10k+ for monthly fees.
If you're making backups, the cost will be no different if you're storing them in the primary account versus a dedicated backup account. Cost shouldn't be an issue here (while complexity certainly is). You can back your data up to an S3 bucket in any account (for example). It's not about AWS making money, it's about letting you choose what your data retention policy should be (some customers may not let their data leave the country, for example).
You don't need to assume what AWS handles versus what you're responsible for. AWS lays it out in what they call the "Shared responsibility model": https://aws.amazon.com/compliance/shared-responsibility-model/
Lastly, it's easy to make mistakes that lead to data loss. There are plenty of posts here on /r/aws from people who accidentally deleted their RDS backups, or leaked their API keys on their blog. I would recommend you plan for human error, and build systems that can recover accordingly.
That is not recommended practice but if you want, use aws:MultiFactorAuthPresentIfExists as the condition in the last statement block of the policy. You can still use CLI with MFA. You have to call get-session-token first. https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
First off - if you sign up for a new account, you'll be in the 12 month free usage tier. That would give you a free micro and 30 GB EBS. https://aws.amazon.com/free/
Here are some rough pricing without the free tier:
- t2.nano 1 year reserved no upfront is $2.92
- EBS is $.10 per GB/month (so 30 GB would be $3.00 per month)
- Bandwidth is pretty cheap at $.02 per GB in most popular regions
No. Almost all new development inside of Amazon and AWS itself runs on DynamoDB. It is a big component in allowing Amazon to scale.
You can see a tiny sampling of what runs on DynamoDB here, but this is just the tip of the iceberg.
Up to t2.large, AWS indicates that networking speed is low to moderate. Except for r4.large, you pretty much have to go with an .xlarge to get high bandwidth. You can see the chart here by scrolling down to the Instance Type Matrix section about 1/2 way. https://aws.amazon.com/ec2/instance-types/
Seems like it if hate speech is considered defamatory for them
Now if you run a completely locked down website and all questionable content is locked down from public access, that's a different story because it'd be hard to prove. Not condoning, just giving my 0.02
Look into a transit VPC
>Leverage multiple dynamically routed, rather than statically routed, connections to the transit VPC. This allows the transit network infrastructure to automatically fail over between available connections as necessary, creating a highly available, resilient, and more scalable network.
https://aws.amazon.com/answers/networking/transit-vpc/
AWS pimps out the Cisco CSR 1000v for this which might be outside your budget since you are learning
For peering I think the static routing was something put into place as a protective measure for the environment as you can peer with other AWS accounts that you dont own and it requires manual intervention to get it working. Situation that comes to mind: if you peer with a third party and it tries to push out the same routes as you. I think I read that somewhere or I was talking with someone at AWS so dont quote me on that.
TLDR: Transit VPCs
You started a company to resell AWS, and don't have contacts at AWS already? Good luck!
> To learn more, please connect with your Public Sector Partner Development Manager. If you don’t have a Public Sector Partner Development Manager, send a request to
On mobile, so short response...
Look at https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/ for an overview from AWS directly.
In short, you add an "endpoint" to your route table so that requests to S3 don't go out to the public internet, so network connection is significantly faster.
I do however believe you're likely running out of CPU credits, and bumping the instance to a t2.large for an hour would cost $1 and be faster than figuring out the rest...
Workspaces wouldn't be suitable for this.
From the pricing doc (https://aws.amazon.com/workspaces/pricing/): > Hourly billing consists of an hourly rate charged while your Amazon WorkSpaces are running, and a monthly fee for fixed infrastructure costs. With hourly billing, Amazon WorkSpaces that are not being used automatically stop after a specified period of inactivity, and hourly charges are suspended.
In addition, from the FAQ (https://aws.amazon.com/workspaces/faqs/): > Q: Does the Amazon WorkSpaces service have maintenance windows?
> Yes. The current maintenance window is a four hour period from 00h00 – 04h00 (this time window will be based on the time zone of the AWS region where your Amazon WorkSpaces are located) each Sunday morning. During this time your WorkSpaces may not be available. The maintenance window is currently not configurable.
>Q: When do I stop incurring charges for my Amazon WorkSpaces when paying by the hour?
>Hourly usage charges are suspended when your Amazon WorkSpaces stop. AutoStop automatically stops your WorkSpaces a specified period of time after users disconnect, or when scheduled maintenance is completed. The specified time period is configurable and is set to 60 minutes by default. Note that partial hours are billed as a full hour, and the monthly portion of hourly pricing does not suspend when your Amazon WorkSpaces stop.
EC2 is probably your best option here, but I have no idea why you're using an AMI with SQL Server Standard. There are AMIs available that are Windows 2012 R2 Base, which do not include SQL Server Standard. This will significantly lower your costs.
us-east-1 used to have 5 AZs. Then years ago new customers only got access to 3, until a few months ago when you started getting 4. And now it seems that everyone has access to 5 again. https://aws.amazon.com/about-aws/global-infrastructure/ is again showing us-east-1 with 5 AZs for everyone. I just checked the Internet Archive and sometime between January 28th and February 17th it was changed. I never saw any announcement either.
As for how many physical AZs they have, I have no idea. I have a feeling you're right and they have either 6 or 7 AZs now in us-east-1.
> can have hidden costs
Not so much...they lay it out pretty clearly.
> if used improperly
Bingo. Read what's covered in the free tier, abide by those limits, and set up billing alerts.
> Data Export – The initial launch is aimed at data import (on-premises to AWS). We do know that some of our customers are interested in data export, with a particular focus on disaster recovery (DR) use cases.
See https://aws.amazon.com/aup/
> Offensive Content. Content that is defamatory, obscene, abusive, invasive of privacy, or otherwise objectionable, including content that constitutes child pornography, relates to bestiality, or depicts non-consensual sex acts.
So you're fine.
The problem you describe doesn't seem to be an AWS issue but a MySQL + Wordpress issue. If you are using a single instance use the Bitnami WordPress instance in the marketplace which has most everything configured pretty well for you. However, if you are doing WP on AWS for the learning experience and free tier benefits that is cool but I'd just pay the money and use a web host provider.
This might be relevant to your interests. The talk I'm in right now said his slides would be uploaded tomorrow, so I don't know if anything from today is up anywhere yet.
It seems like you only have a single instance on AWS -- so why the desire to add VPN to protect SSH? Your just replacing one authentication method with another. Just harden SSH...
- Move the port to another privileged port (no security but less noisy logs)
- Run fail2ban to block attacks directly on 22 and on the new port. You could block 22 at the security group but you lose the ability to block those knocking on 22. As a bonus it can also work on web server logs.
- Use key based authentication
- Have users use their own accounts and their own private keys -- don't use "ubuntu" user
- disable root login
- Add 2FA through PAM -- http://serverfault.com/questions/629883/trying-to-get-ssh-with-public-key-no-password-google-authenticator-working-o
In an ideal world you have a static IP and could just limit SSH to your static IP but you should still probably harden SSH anyways.
VPNs have their place; not questioning that but for a single ec2 instance it is just overkill. How will you setup/manage the VPN server -- probably over SSH so your back to square one.
If you aren't connecting frequently you could selectively open/close 22 as needed to the current IP.
As an aside; don't forget to harden your AWS credentials.